------------Strange Odyssey------------
A 4am crack                  2017-08-04
---------------------------------------

Name: Scott Adams Graphic Adventure #6: Strange Odyssey
Version: 2.1/119
Genre: adventure
Year: 1982
Credits: Scott Adams
Publisher: Adventure International
Platform: Apple ][+ or later
Media: double-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none (of this version)

                   ~

[write-up by an anonymous collaborator]

I boot traced DOS but found nothing unusual, so after patching to retain a useful reset vector I followed the Basic loader which fills the lower 32k with a large assembly-language program, asks you to flip the disk, and jumps to it.

That program is written in some sort of compiled language that generates long chains of JSRs, with occasional custom assembly embedded. I traced through it with patching and breakpoints until I located the main loop at $6B03, and found the protection check is called by a routine at $16BC under certain conditions (such as taking the shovel early in the game).

The check is encrypted with a simple EOR key of $C9, starting at location $1EA4. It recalibrates the drive and seeks to track $22 which is not standard-formatted. The check proceeds to count nibble patterns of various sorts, and finally verifies the counts against magic values. Success path is $1FD8, failure at $1F67.

The nibble counts don't in the end seem to be used for any side effects, but the success path does set a variable and do yet more JSRs. So my patch branches from the failure path to the success path:

$1F67: JMP $1FE6    --> CLC; BCC $1FD8
in memory: 4C E6 1F --> 18 90 6E
XOR $C9:   85 2F D6 --> D1 59 A7

So, final patch:

T05,S0D,$6B: 85 2F D6 -> D1 59 A7

The patch could be 1 byte shorter by using a JMP. At the time I was hoping that by using a branch I could make it more portable to other instances.

Tested with a complete game walkthrough I found online.

                   ~

[update from 4am]

Armed with this research, I scoured for other disks by Adventure International. And lo! I found the same encrypted protection check in several other Scott Adams graphic adventures. The location on disk varies, but they all use the same encryption key (XOR $C9). I also found that these disks share a unique RWTS quirk (ignoring the second data field epilogue, but in a specific way that no one else does).

I've added support for this protection check to Passport, gated by an initial match on the RWTS quirk. I hope this suffices to crack other Scott Adams graphic adventures, several of which are still unpreserved.

Here is the transcript for side B (the bootable side) in the development version of Passport:

                 --v--

READING FROM S6,D1
T00,S00 FOUND DOS 3.3 BOOTLOADER
USING DISK'S OWN RWTS
WRITING TO S5,D2
T05,S0D FOUND ADVENTURE INTERNATIONAL PROTECTION CHECK
T05,S0D,$6B: 852FD6 -> D159A7

CRACK COMPLETE.

                 --^--

More information and source code is available at https://archive.org/details/Passport4am

Side A is readable except track $22, which is a non-standard track used solely for the protection check that we just disabled.

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1351
------------------EOF------------------