---------Marianas Turkey Shoot---------
A 4am crack
2017-08-28
---------------------------------------

Name: Marianas Turkey Shoot
Genre: simulation
Year: 1990
Publisher: General Quarters Software
Platform: Apple ][+ or later (64K)
Media: double-sided 5.25-inch floppy
OS: Pronto-DOS
Previous cracks: none

~

The disk itself is unprotected (COPYA can copy it), but on boot it shows
this screen:

--v--
APPLE IIE & IIC MACHINES
ENGAGE CAPS LOCK KEY
(PRESS RETURN TO CONTINUE)
--^--

Then this screen:

--v--
** MARIANAS TURKEY SHOOT **
CARRIER ACTION IN THE CENTRAL PACIFIC

CODEWORD: EPSILON

PASSWORD ?_
--^--

Entering the correct codeword from the manual shows a third screen:

--v--
INITIAL ANTHEM (Y/N) ?
--^--

According to the manual, there are five possible codewords: ALPHA, BETA,
GAMMA, DELTA, and EPSILON. The correct answer will give you full access to
the game; there doesn't appear to be any further protection.

Obviously this is an unacceptable state of affairs.

~

Booting the disk and pressing gets me to a working prompt with DOS in
memory.

]PR#6
...
BREAK

]LIST

5  IF PEEK (978) = 157 THEN PRINT CHR$ (4);"BRUN DOS-UP"
10  PRINT CHR$ (4);"BLOAD RUNTIME" + CHR$ (13) + CHR$ (4) + "BRUN GS0" + CHR$ (13)
20  END

]CATALOG

PRONTO-DOS V254

*T 006 AFILE
*T 006 BFILE
*B 008 CEDRIVER
*B 007 DOS-UP
*B 017 GS0
*B 067 GS1
*B 083 GS2
*B 018 GS3
*B 073 GS4
*B 032 GS5
*B 009 GS6
*B 074 GS7
*A 002 HELLO
*B 033 MAP5
*B 012 PLAYERS
*B 017 RUNTIME
*B 033 STATDISPLAY
*B 013 USS

Turning to my trusty Disk Fixer sector editor, I can see the entirety of
GS0 in hex and ASCII. It is illuminating.

[Disk Fixer]
["D"irectory mode]
[select "GS0"]

--v--
-------------- DISK EDIT --------------
TRACK $0E/SECTOR $0D/VOLUME $FE/BYTE$00
---------------------------------------
$00:>00<60 61 0F 20 03 08 B5  .`a. ..5
     ^^^^^ ^^^^^
     address len (DOS 3.3 file header)
$08: 61 61 70 FF 5F FF 5F FF  aap._._.
$10: 5F 60 6F 2F 70 61 70 00  _`o/pap.
$18: 20 5B 6D 20 4E 6F 4C 23   [m NoL#
$20: 60 05 41 4C 50 48 41 20  `.ALPHA
        ^^^^^^^^^^^^^^^^^
        length-prefixed string ("ALPHA")
$28: C5 0E 1D 60 20 6F 0C 20  E..` o.
$30: 79 6D 20 4E 6F 4C 39 60  ym NoL9`
$38: 04 42 45 54 41 20 C5 0E  .BETA E.
     ^^^^^^^^^^^^^^
     "BETA"
$40: 34 60 20 6F 0C 20 8B 6D  4` o. .m
$48: 20 4E 6F 4C 50 60 05 47   NoLP`.G
                        ^^^^^
$50: 41 4D 4D 41 20 C5 0E 4A  AMMA E.J
     ^^^^^^^^^^^
     "GAMMA" and so on
$58: 60 20 6F 0C 20 BE 6D 20  ` o. >m
$60: 4E 6F 4C 67 60 05 44 45  NoLg`.DE
$68: 4C 54 41 20 C5 0E 61 60  LTA E.a`
$70: 20 6F 0C 20 EE 6D 20 4E   o. nm N
$78: 6F 4C 80 60 07 45 50 53  oL.`.EPS
$80: 49 4C 4F 4E 20 C5 0E 78  ILON E.x
$88: 60 20 6F 0C 20 58 FC 20  ` o. X|
$90: 63 6E 20 A1 14 20 36 6E  cn !. 6n
$98: 20 AA 14 4C B3 60 18 41   *.L3`.A
                        ^^^^^
$A0: 50 50 4C 45 20 49 49 45  PPLE IIE
     ^^^^^^^^^^^^^^^^^^^^^^^
$A8: 20 26 20 49 49 43 20 4D   & IIC M
     ^^^^^^^^^^^^^^^^^^^^^^^
$B0: 41 43 48 49 4E 45 53 20  ACHINES
     ^^^^^^^^^^^^^^^^^^^^^^^
     I saw this string printed
$B8: C5 0E 9A 60 20 EE 0E 20  E..` n.
$C0: FB DA 20 5A 6E 20 AA 14  {Z Zn *.
$C8: 4C DC 60 14 45 4E 47 41  L\`.ENGA
              ^^^^^^^^^^^^^^
$D0: 47 45 20 43 41 50 53 20  GE CAPS
     ^^^^^^^^^^^^^^^^^^^^^^^
$D8: 4C 4F 43 4B 20 4B 45 59  LOCK KEY
     ^^^^^^^^^^^^^^^^^^^^^^^
     I saw this string printed also
--^--

Lots of interesting stuff going on, all in the first sector of the file!
The standard 4-byte header tells me it's loaded at address $6000. Almost
immediately I start seeing inline strings that were printed on screen when
I ran the program.
A few sectors later (press right arrow to "follow" a file based on its
track/sector list), I see the text of the codeword lookup screen:

--v--
-------------- DISK EDIT --------------
TRACK $0A/SECTOR $0B/VOLUME $FE/BYTE$F8
---------------------------------------
$80: 6F 20 58 FC 20 09 6E 20  o X| .n
$88: AA 14 4C A7 63 1D 2A 2A  *.L'c.**
                    ^^^^^^^^
$90: 20 20 4D 41 52 49 41 4E    MARIAN
     ^^^^^^^^^^^^^^^^^^^^^^^
$98: 41 53 20 54 55 52 4B 45  AS TURKE
     ^^^^^^^^^^^^^^^^^^^^^^^
$A0: 59 20 53 48 4F 4F 54 20  Y SHOOT
     ^^^^^^^^^^^^^^^^^^^^^^^
     "MARIANAS TURKEY SHOOT"

-------------- DISK EDIT --------------
TRACK $0A/SECTOR $0A/VOLUME $FE/BYTE$00
---------------------------------------
$00:>09<64 0A 43 4F 44 45 57  .d.CODEW
           ^^^^^^^^^^^^^^^^^
$08: 4F 52 44 3A 20 20 C5 0E  ORD:  E.
     ^^^^^^^^^^^
     "CODEWORD:"
$10: FE 63 20 EE 0E 20 FB 6C  ~c n. {l
$18: 20 AA 10 20 4C 6F 20 EE   *. Lo n
$20: 0E 20 FB DA 20 48 6E 20  . {Z Hn
$28: AA 14 20 63 6E 20 A1 14  *. cn !.
$30: 20 27 16 4C 3D 64 0A 50   '.L=d.P
                        ^^^^^
$38: 41 53 53 57 4F 52 44 20  ASSWORD
     ^^^^^^^^^^^^^^^^^^^^
     "PASSWORD"
--^--

Just before the "MARIANAS TURKEY SHOOT" text, I see a familiar 3-byte
opcode: 20 58 FC (at offset $81). This is 6502 code for "JSR $FC58", a
standard entry point in ROM, equivalent to the "HOME" command in BASIC. It
clears the screen and resets a bunch of text parameters in zero page so
that subsequent "PRINT" commands start printing at the top of the screen.

Looking back at the first sector of the file, I see the same 3-byte opcode
at offset $8C: 20 58 FC.

This program is not even attempting to hide what's going on. It's calling
standard ROM routines to clear the screen and printing inline strings
without any sort of encryption (not even XOR). It does not, however, have
the actual codeword answers embedded anywhere. But I don't care about the
answers; I want to bypass the question.

Later in the same sector, I see the text of the third screen, the one
that's displayed after you enter the correct codeword in the second screen.
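The bookkeeping done by hand above (4-byte header, file offset to load address, spotting 20 58 FC, reading the length-prefixed strings) is easy to get wrong by one byte, so here is a small script that automates it. This is an added example, not the game's code and not a 4am tool. It also recognises an idiom visible in the dumps but not spelled out: each inline string is preceded by a JMP whose target is exactly the byte after the text (in the first sector, the JMP $60B3 at offset $9B sits at $6097, and $6097 + 4 + $18 = $60B3), which is a stronger signal than a bare 4C byte. The sample image is constructed in that same layout and is not sector data from GS0; the `sector_base_from_jmp` cross-check assumes the `09 64` at the start of T0A,S0A is the tail of such a JMP $6409 landing on the JSR at offset $0D, which would put offset $80 of that sector at $647C.

```python
# Added example for this write-up; not the game's code and not a 4am tool.
# It automates the bookkeeping done by hand above: DOS 3.3 B-file header,
# file offset -> load address, JSR $FC58 sites, the "JMP past a
# length-prefixed string" idiom, and a JSR->JMP patch guarded by a check.
import struct

JSR_HOME = b"\x20\x58\xFC"   # 6502 JSR $FC58: ROM HOME, clears the text screen
HEADER_LEN = 4               # DOS 3.3 binary file: load address, length (LE words)


def parse_header(image: bytes) -> tuple:
    """Return (load_address, length) from the 4-byte binary file header."""
    return struct.unpack_from("<HH", image, 0)


def file_offset_to_addr(load_addr: int, offset: int) -> int:
    """Address at which byte `offset` of the file (header included) loads."""
    return load_addr + offset - HEADER_LEN


def sector_base_from_jmp(jmp_target: int, jsr_offset: int) -> int:
    """Base address of a sector, given the target of an inline-string JMP and
    the in-sector offset of the instruction it lands on (byte after the text)."""
    return jmp_target - jsr_offset


def find_jsr_home(image: bytes) -> list:
    """Load addresses of every 20 58 FC sequence. A raw byte search: a stray
    20 58 FC inside data would show up too, so confirm each hit by hand."""
    load_addr, _ = parse_header(image)
    body = image[HEADER_LEN:]
    return [load_addr + i for i in range(len(body) - 2)
            if body[i:i + 3] == JSR_HOME]


def extract_inline_strings(image: bytes) -> list:
    """Recognise `4C lo hi ; len ; text` where the JMP target is exactly the
    byte after the text; that consistency check filters out chance 4C bytes.
    Returns (address of the JMP, decoded text) pairs."""
    load_addr, _ = parse_header(image)
    body = image[HEADER_LEN:]
    found = []
    for i in range(len(body) - 4):
        if body[i] != 0x4C:
            continue
        here = load_addr + i
        target = body[i + 1] | (body[i + 2] << 8)
        length = body[i + 3]
        end = i + 4 + length
        if length == 0 or end > len(body) or target != here + 4 + length:
            continue
        text = body[i + 4:end]
        if all(0x20 <= c < 0x7F for c in text):
            found.append((here, text.decode("ascii")))
    return found


def jmp_bytes(target: int) -> bytes:
    """Encode JMP abs (opcode $4C, little-endian operand)."""
    return bytes([0x4C, target & 0xFF, (target >> 8) & 0xFF])


def patch_jsr_home_to_jmp(image: bytes, at_addr: int, target: int) -> bytes:
    """Replace the JSR $FC58 at `at_addr` with JMP `target`, refusing to write
    unless the three bytes there really are 20 58 FC."""
    load_addr, _ = parse_header(image)
    off = at_addr - load_addr + HEADER_LEN
    if image[off:off + 3] != JSR_HOME:
        raise ValueError("no JSR $FC58 at $%04X: %s" % (at_addr, image[off:off + 3].hex()))
    return image[:off] + jmp_bytes(target) + image[off + 3:]


def build_sample() -> bytes:
    """Constructed test image (not sector data from GS0) using the same idiom:
    HOME, print an inline string, HOME, print another, return."""
    load = 0x6000
    body = bytearray()

    def inline_print(text: str) -> None:
        here = load + len(body)              # address of the JMP about to be emitted
        target = here + 4 + len(text)        # first byte after the text
        body.extend(jmp_bytes(target))
        body.append(len(text))
        body.extend(text.encode("ascii"))
        body.extend(b"\x20\xC5\x0E")         # JSR $0EC5, the call that follows each string in the dumps

    body.extend(JSR_HOME)
    inline_print("CODEWORD:")
    body.extend(JSR_HOME)
    inline_print("INITIAL ANTHEM (Y/N) ?")
    body.append(0x60)                        # RTS
    return struct.pack("<HH", load, len(body)) + bytes(body)


if __name__ == "__main__":
    img = build_sample()
    for addr in find_jsr_home(img):
        print("JSR $FC58 at $%04X" % addr)
    for addr, text in extract_inline_strings(img):
        print("inline string at $%04X: %r" % (addr, text))
    patched = patch_jsr_home_to_jmp(img, 0x6000, find_jsr_home(img)[1])
    print("after patch:", ["$%04X" % a for a in find_jsr_home(patched)])
```

Run against a real B-file dumped from the disk (header included), `find_jsr_home` lists candidate screen-clearing calls and `extract_inline_strings` lists the text each one precedes; the guard in `patch_jsr_home_to_jmp` is there because a miscounted header or sector offset would otherwise silently corrupt an unrelated instruction.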
And lo! Another call to $FC58.

--v--
-------------- DISK EDIT --------------
TRACK $0A/SECTOR $0A/VOLUME $FE/BYTE$80
---------------------------------------
$80:>20<58 FC 20 63 6E 20 A1   X| cn !
     ^^^^^^^^
     JSR $FC58 (HOME)
$88: 14 20 48 6E 20 AA 14 4C  . Hn *.L
$90: A5 64 16 49 4E 49 54 49  %d.INITI
           ^^^^^^^^^^^^^^^^^
$98: 41 4C 20 41 4E 54 48 45  AL ANTHE
     ^^^^^^^^^^^^^^^^^^^^^^^
$A0: 4D 20 28 59 2F 4E 29 20  M (Y/N)
     ^^^^^^^^^^^^^^^^^^^^^^^
     "INITIAL ANTHEM (Y/N) ?"
--^--

Is it possible that I could bypass the codeword lookup screen by jumping
from one "JSR $FC58" to the next?

After some quick calculations, and taking into account the 4-byte offset
because of the DOS 3.3 file header, it appears that the "JSR $FC58" for the
third screen (shown above at offset $80 in T0A,S0A) is in memory at $647C.
Thus, to bypass the second screen (which contains the codeword lookup), I
should change the "JSR $FC58" at offset $81 of T0A,S0B to "JMP $647C".

T0A,S0B,$81: 2058FC -> 4C7C64

]PR#6

...works...

The codeword lookup screen doesn't appear to have any side effects, so
skipping it altogether has no ill effects.

Quod erat liberandum.

---------------------------------------
A 4am crack No. 1389
------------------EOF------------------