---------Swiss Family Robinson---------
A 4am crack                   2017-08-12
-------------------.   updated 2021-08-27
                   |___________________

Name: Swiss Family Robinson
Genre: adventure
Year: 1984
Credits: Tom Snyder Productions
Publisher: Windham Classics
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom

~

Chapter 0
In Which The Tools Do Not Save Us

This disk was automatically cracked by Passport. Here is the transcript:

--v--
READING FROM S6,D1
USING BUILT-IN RWTS
WRITING TO S5,D2
T10,S0F FOUND E7 BITSTREAM
T10,S0F,$A4: AC00AC00AC00AC00AC00AC00
           -> 78A8589C30C004A8589C58A8
CRACK COMPLETE.
--^--

[Narrator] But the crack was not complete.

The copy that Passport produces is in a standard format, fully readable by third-party tools. But when I boot it, the disk loads the title screen then reboots when I press "G" to start the game. Disks generally do not reboot unless someone tells them to.

~

Turning to my trusty Disk Fixer sector editor, I search for "BD 89 C0" (the instruction to turn on the drive motor manually) and find the protection check on track $10.
--v--
T10,S0D
----------- DISASSEMBLY MODE ----------
0000:A9 0A    LDA #$0A
0002:85 50    STA $50

; turn on drive motor manually and
; reset the data latch
0004:A2 60    LDX #$60
0006:BD 89 C0 LDA $C089,X
0009:BD 8E C0 LDA $C08E,X

; ($48) -> $BF7E
000C:A9 7E    LDA #$7E
000E:85 48    STA $48
0010:A9 BF    LDA #$BF
0012:85 49    STA $49

; Death Counter
0014:A9 80    LDA #$80
0016:85 51    STA $51
0018:C6 51    DEC $51

; if Death Counter hits 0, fail
001A:F0 5C    BEQ $0078

; based on my knowledge of similar
; protection checks, this subroutine
; almost certainly finds the next
; available address prologue and parses
; the address field into zero page
; (like $B944 in DOS 3.3)
001C:20 03 BE JSR $BE03

; if that fails for some reason, fail
001F:B0 57    BCS $0078

; loop until we find the right sector
0021:A5 2D    LDA $2D
0023:C9 0F    CMP #$0F
0025:D0 F1    BNE $0018

; and now we're positioned for the
; start of the E7 check
0027:A0 00    LDY #$00
0029:BD 8C C0 LDA $C08C,X
002C:10 FB    BPL $0029
002E:88       DEY
002F:F0 47    BEQ $0078
...
--^--

I stared at this code for a while but could not see why the universal E7 patch (applied by Passport) would fail. The code is functionally identical to hundreds of other disks I've seen.

The real problem is in that subroutine at $BE03.
Take a look:

--v--
T10,S0C (loaded at $BE00)
----------- DISASSEMBLY MODE ----------
0003:A0 FC    LDY #$FC
0005:84 26    STY $26
0007:C8       INY
0008:D0 04    BNE $000E
000A:E6 26    INC $26
000C:F0 51    BEQ $005F

; find "D5 AA 96" (standard address
; prologue)
000E:BD 8C C0 LDA $C08C,X
0011:10 FB    BPL $000E
0013:C9 D5    CMP #$D5
0015:D0 F0    BNE $0007
0017:EA       NOP
0018:BD 8C C0 LDA $C08C,X
001B:10 FB    BPL $0018
001D:C9 AA    CMP #$AA
001F:D0 F2    BNE $0013
0021:A0 03    LDY #$03
0023:BD 8C C0 LDA $C08C,X
0026:10 FB    BPL $0023
0028:C9 96    CMP #$96
002A:D0 E7    BNE $0013

; parse address field (4-and-4 encoded
; values for disk volume number, track,
; sector, and a checksum)
002C:A9 00    LDA #$00
002E:85 27    STA $27
0030:BD 8C C0 LDA $C08C,X
0033:10 FB    BPL $0030
0035:2A       ROL
0036:85 26    STA $26
0038:BD 8C C0 LDA $C08C,X
003B:10 FB    BPL $0038
003D:25 26    AND $26
003F:99 2C 00 STA $002C,Y
0042:45 27    EOR $27
0044:88       DEY
0045:10 E7    BPL $002E
0047:A8       TAY
0048:D0 15    BNE $005F

; find address epil---oh dear now I see
; the problem
004A:BD 8C C0 LDA $C08C,X
004D:10 FB    BPL $004A
004F:C9 FF    CMP #$FF
0051:D0 0C    BNE $005F
0053:EA       NOP
0054:BD 8C C0 LDA $C08C,X
0057:10 FB    BPL $0054
0059:C9 FF    CMP #$FF
005B:D0 02    BNE $005F
005D:18       CLC
005E:60       RTS
005F:38       SEC
0060:60       RTS
--^--

The original disk uses "FF FF" for the address epilogue, instead of the usual "DE AA". No problem for Passport; it read the disk with its built-in RWTS and converted it to a standard format. That's so basic, it didn't even bother to mention it. And the original disk's RWTS doesn't care what the epilogues are -- the Passport copy was able to read itself, no grinding, no problem.

Except for the copy protection, which is coded separately and is more strict in finding the address epilogues while it's positioning itself to look for the E7 bitstream.

Simple fix: change the #$FF at $BE50 and $BE5A to standard values.

T10,S0C,$50: FF -> DE
T10,S0C,$5A: FF -> AA

]PR#6
...works, and it is glorious...

Quod erat liberandum.
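To make the diagnosis above concrete, here is a small Python model of the address-field scanner at $BE03, written for this write-up as an added example (it is not 4am's code, not Passport's, and not anything from the game disk). It assumes the layout the disassembly implies: a D5 AA 96 prologue, four 4-and-4 encoded bytes (volume, track, sector, checksum) decoded exactly as the ROL / AND $26 pair does, then a two-nibble epilogue. The nibble streams, the volume number 254, and the helper names are all constructed for the demonstration.

```python
# Model of the $BE03 address-field scanner (added example, not code from the page).
# Constructed nibble streams stand in for what LDA $C08C,X would return.

PROLOGUE = (0xD5, 0xAA, 0x96)
ORIGINAL_EPILOGUE = (0xFF, 0xFF)   # what the original disk writes after the address field
STANDARD_EPILOGUE = (0xDE, 0xAA)   # what Passport's normalized copy writes instead


def encode_4and4(value):
    """Split one byte into the two disk nibbles of 4-and-4 encoding."""
    return [(value >> 1) | 0xAA, value | 0xAA]


def decode_4and4(first, second):
    """Mirror of 'ROL ; STA $26 ; ... ; AND $26' with carry set on entry."""
    return ((first << 1) | 1) & second & 0xFF


def address_field(volume, track, sector, epilogue):
    """Build one constructed address field: sync gap, prologue, 4-and-4 body, epilogue."""
    checksum = volume ^ track ^ sector          # what the $27 accumulator expects
    nibbles = [0xFF] * 5 + list(PROLOGUE)
    for v in (volume, track, sector, checksum):
        nibbles += encode_4and4(v)
    return nibbles + list(epilogue)


def find_address_field(stream, expected_epilogue):
    """Return (volume, track, sector) for the first address field found, or None.

    Like the $BE03 routine: a bad checksum or an epilogue that does not match
    the hard-coded expectation is a failure (SEC / RTS), not a retry.
    """
    i = 0
    while i + 13 <= len(stream):
        if tuple(stream[i:i + 3]) != PROLOGUE:
            i += 1
            continue
        body = stream[i + 3:i + 11]
        volume, track, sector, checksum = (
            decode_4and4(body[k], body[k + 1]) for k in range(0, 8, 2)
        )
        if volume ^ track ^ sector ^ checksum != 0:   # TAY / BNE $005F
            return None
        if tuple(stream[i + 11:i + 13]) != tuple(expected_epilogue):
            return None                                # CMP #$FF / BNE $005F
        return (volume, track, sector)
    return None                                        # ran out of stream


def demo():
    """Run the three cases the write-up describes and return their outcomes."""
    original = address_field(254, 0x10, 0x0F, ORIGINAL_EPILOGUE)
    normalized = address_field(254, 0x10, 0x0F, STANDARD_EPILOGUE)
    return {
        "original disk, original check": find_address_field(original, ORIGINAL_EPILOGUE),
        "Passport copy, original check": find_address_field(normalized, ORIGINAL_EPILOGUE),
        "Passport copy, patched check": find_address_field(normalized, STANDARD_EPILOGUE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The middle case is the reboot: the sector is perfectly readable, the checksum matches, and the scan still fails purely because DE AA is not FF FF. Changing the two expected epilogue bytes (the patch at $50 and $5A) turns that case into the third one. The real routine also gives up after the $26 counter wraps; the model simply runs out of stream.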
~

Changelog

2021-08-27
- re-cracked with latest Passport, new E7 patch improves compatibility on Apple //c and IIgs

2017-08-12
- initial release

---------------------------------------
A 4am crack                    No. 1360
------------------EOF------------------