-----------Bouncing Kamungas-----------
A 4am crack                  2018-05-05
---------------------------------------

Name: Bouncing Kamungas
Genre: arcade
Year: 1983
Credits: Tom Becklund
Publisher: Penguin Software
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom
Similar cracks:
  #1723 The Queen of Phobos
  #1697 Crime Wave
  #1676 Thunder Bombs

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error, but it
  gets a participation certificate that
  spells out "At Least You Tried"

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy to .nib file on CFFA3000
  read errors on T0B+
  copy fails to boot, hangs with the
  drive motor off

Copy ][+ nibble editor
  tracks $0B-$22 appear unformatted
  Lower tracks have modified epilogues
    ("DA AA EB" instead of "DE AA EB")
  Odd tracks also have custom prologue
    ("D4 AA 96" instead of "D5 AA 96")
  no sign of anything beyond track $0A
  no half or quarter tracks

Disk Fixer
  "O" for INPUT/OUTPUT CONTROL, set the
    epilogues to "DA AA EB"
  track 0 is readable
  boot sector is custom
  no sign of disk catalog on any track
  no sign of DOS or ProDOS or any OS
    whatsoever

Why didn't COPYA work?
  modified prologues/epilogues on
    every track

Why didn't Locksmith FDB work?
  ditto

Why didn't my .nib image work?
  This is a bit of a mystery. The
  alternating D4/D5 prologues shouldn't
  pose any problem for a nibble copier,
  so I'm assuming there is some sort of
  nibble check early in the boot.

Next steps:

  1. Run Passport to convert the disk
     to a standard format
  2. Patch the bootloader to read the
     newly standardized disk
  3. Find and disable the nibble check
  4. Declare victory (*)

                   ~

               Chapter 1
 In Which Our Automated Tools Take Us
     Just About As Far As They Can


The 2017-12-27 development version of
Passport successfully auto-converted
the disk to a standard format. The
built-in RWTS was designed to read this
kind of alternating D4/D5 prologue (it
was very common), and the adaptive RWTS
correctly determined the first epilogue
nibble (DA) and enforced it on the rest
of the sectors. All in all, I have high
confidence in the integrity of this
conversion.

More information and source code is
available at
https://archive.org/details/Passport4am

Here is the Passport transcript:

                 --v--

READING FROM S6,D1
USING BUILT-IN RWTS
T22 IS UNFORMATTED
WRITING TO RAM DISK
T21 IS UNFORMATTED
T20 IS UNFORMATTED
T1F IS UNFORMATTED
T1E IS UNFORMATTED
T1D IS UNFORMATTED
T1C IS UNFORMATTED
T1B IS UNFORMATTED
T1A IS UNFORMATTED
T19 IS UNFORMATTED
T18 IS UNFORMATTED
T17 IS UNFORMATTED
T16 IS UNFORMATTED
T15 IS UNFORMATTED
T14 IS UNFORMATTED
T13 IS UNFORMATTED
T12 IS UNFORMATTED
T11 IS UNFORMATTED
T10 IS UNFORMATTED
T0F IS UNFORMATTED
T0E IS UNFORMATTED
T0D IS UNFORMATTED
T0C IS UNFORMATTED
T0B IS UNFORMATTED
WRITING TO S5,D2

THE DISK WAS COPIED SUCCESSFULLY, BUT
PASSPORT DID NOT APPLY ANY PATCHES.

                 --^--

The copy that Passport produces can not
read itself, which is not entirely
unexpected. It is most likely enforcing
the custom "DA AA EB" epilogue, which
is now the standard "DE AA EB". A quick
sector search for "BD 8C C0" (the
standard opcode to read the data latch
from a drive indexed by the X register)
found a DOS-shaped RWTS on track $08,
which is interesting but not the code I
was looking for. (My failed copy never
gets off track 0.) So, putting a pin in
the fact that there is a secondary RWTS
that may be used later once the game is
loaded, I set off to trace the boot.

                   ~

               Chapter 2
         Boot Trace and Chill


[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
]CALL -151

*9600<C600.C6FFM

; copy boot sector to higher memory so
; it survives a reboot to my work disk
96F8-   A0 00       LDY   #$00
96FA-   B9 00 08    LDA   $0800,Y
96FD-   99 00 28    STA   $2800,Y
9700-   C8          INY
9701-   D0 F7       BNE   $96FA

; turn off slot 6 drive motor
9703-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9706-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$109
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE OBJ.0800-08FF,A$2800,L$100
]CALL -151

; move the boot sector back into place
*800<2800.28FFM
*801L

0801-   D8          CLD

; read ROM, write LC RAM bank 2
0802-   2C 81 C0    BIT   $C081

; check $FF58, a known location of an
; "RTS" opcode ($60) on all Apple II
; models
0805-   A9 60       LDA   #$60
0807-   4D 58 FF    EOR   $FF58

; if not found, hang forever (this is
; a defense against modified ROM chips
; that were popular in the Apple II
; underground)
080A-   D0 FE       BNE   $080A

; munge reset vector
080C-   8D F3 03    STA   $03F3

; disable interrupts
080F-   78          SEI

; re-use drive firmware at $Cx5C to
; read a few more sectors from track 0
0810-   AD 00 08    LDA   $0800
0813-   C9 06       CMP   #$06

; exit via $879 when all sectors have
; been read
0815-   B0 62       BCS   $0879
0817-   69 02       ADC   #$02
0819-   8D 00 08    STA   $0800
081C-   E6 3D       INC   $3D

; calculate re-entry point for calling
; the drive firmware, based on the boot
; slot
081E-   8A          TXA
081F-   4A          LSR
0820-   4A          LSR
0821-   4A          LSR
0822-   4A          LSR
0823-   09 C0       ORA   #$C0
0825-   8D 2A 08    STA   $082A

; call the drive firmware to read the
; next sector (exits via $0801, so this
; whole thing is a loop that only exits
; via the BCS at $0815)
0828-   4C 5C C6    JMP   $C65C

Execution continues at $087A once we've
read [...counts on fingers] three more
sectors into $0900..$0BFF.

*879L

; wipe zero page
0879-   98          TYA
087A-   99 00 00    STA   $0000,Y
087D-   C8          INY
087E-   D0 FA       BNE   $087A

; save boot slot (x16) to a custom zero
; page location
0880-   86 30       STX   $30

; clear both hi-res screens
0882-   A2 3F       LDX   #$3F
0884-   99 00 20    STA   $2000,Y
0887-   C8          INY
0888-   D0 FA       BNE   $0884
088A-   EE 86 08    INC   $0886
088D-   CA          DEX
088E-   10 F4       BPL   $0884

; reset stack
0890-   9A          TXS

; force 40-column text mode and do the
; standard IN#0, PR#0, TEXT, &c. to
; reset the machine to a known state
0891-   8E FB 04    STX   $04FB
0894-   8E 0C C0    STX   $C00C
0897-   8E 0E C0    STX   $C00E
089A-   8E 00 C0    STX   $C000
089D-   20 89 FE    JSR   $FE89
08A0-   20 93 FE    JSR   $FE93
08A3-   20 84 FE    JSR   $FE84
08A6-   20 2F FB    JSR   $FB2F

; show hi-res screen 2
08A9-   2C 57 C0    BIT   $C057
08AC-   2C 52 C0    BIT   $C052
08AF-   2C 50 C0    BIT   $C050
08B2-   2C 55 C0    BIT   $C055

; read ROM, write LC RAM bank 2
08B5-   2C 81 C0    BIT   $C081
08B8-   2C 81 C0    BIT   $C081

; wipe page 3 vectors
08BB-   A9 D8       LDA   #$D8
08BD-   A8          TAY
08BE-   99 00 03    STA   $0300,Y
08C1-   C8          INY
08C2-   D0 FA       BNE   $08BE

; wipe F8 ROM space in language card
; (defense against software-based
; boot tracers like Inspector)
08C4-   B9 00 F8    LDA   $F800,Y
08C7-   99 00 F8    STA   $F800,Y
08CA-   88          DEY
08CB-   D0 F7       BNE   $08C4
08CD-   EE C6 08    INC   $08C6
08D0-   EE C9 08    INC   $08C9
08D3-   D0 EF       BNE   $08C4
08D5-   A9 02       LDA   #$02
08D7-   8D 10 01    STA   $0110
08DA-   8D 00 BD    STA   $BD00

; set lots of page 3 vectors (NMI, BRK,
; reset) and some low-level vectors too
; so everything points to $0110
; (defense against NMI capture cards
; like Wildcard that had a button you
; could press to break to the monitor
; and capture the game in memory)
08DD-   A0 10       LDY   #$10
08DF-   A9 01       LDA   #$01
08E1-   8C F0 03    STY   $03F0
08E4-   8D F1 03    STA   $03F1
08E7-   8C FE 03    STY   $03FE
08EA-   8D FF 03    STA   $03FF
08ED-   8C F2 03    STY   $03F2
08F0-   8D F3 03    STA   $03F3
08F3-   8C FA FF    STY   $FFFA
08F6-   8D FB FF    STA   $FFFB
08F9-   8C FC FF    STY   $FFFC
08FC-   8D FD FF    STA   $FFFD

And that's the end of the first boot
sector. Execution continues at $0900,
but I don't have that in memory yet.

Let's fix that.

*9600<C600.C6FFM

; set up a callback at $087A, after the
; boot sector reads additional sectors
; into $0900..$0BFF
96F8-   A9 4C       LDA   #$4C
96FA-   8D 7A 08    STA   $087A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 7B 08    STA   $087B
9702-   A9 97       LDA   #$97
9704-   8D 7C 08    STA   $087C

; start the boot
9707-   4C 01 08    JMP   $0801

; callback is here --
; copy all the boot sectors to higher
; memory
970A-   A2 04       LDX   #$04
970C-   A0 00       LDY   #$00
970E-   B9 00 08    LDA   $0800,Y
9711-   99 00 28    STA   $2800,Y
9714-   C8          INY
9715-   D0 F7       BNE   $970E
9717-   EE 10 97    INC   $9710
971A-   EE 13 97    INC   $9713
971D-   CA          DEX
971E-   D0 EE       BNE   $970E

; turn off drive motor and reboot to
; my work disk
9720-   AD E8 C0    LDA   $C0E8
9723-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$126
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE OBJ.0800-0BFF,A$2800,L$400
]CALL -151

; restore boot code to original address
*800<2800.2BFFM

Now we can continue with the listing,
right where we left off.

                   ~

               Chapter 3
        fdjklashfduishgfafdhhd


*8FFL

; vectors, vectors, vectors
08FF-   8C FE FF    STY   $FFFE
0902-   8D FF FF    STA   $FFFF

; read LC RAM bank 2, no write
; (this remains active, so any attempt
; to hit Ctrl-Reset will be directed
; through the low-level reset vector
; at $FFFC, which we just set)
0905-   2C 80 C0    BIT   $C080

; Q: What do you get when you cross a
;    mosquito with a rock climber?
; A: Nothing. You can't cross a vector
;    and a scalar.
0908-   49 A5       EOR   #$A5
090A-   8D F4 03    STA   $03F4
090D-   A9 4C       LDA   #$4C
090F-   8D EF 03    STA   $03EF
0912-   8D FD 03    STA   $03FD

; we literally just set the low-level
; reset vector (at $08F9), and now we
; are checking whether it's changed
0915-   CC FC FF    CPY   $FFFC

; no change, continue
0918-   F0 08       BEQ   $0922

; check if another known location is a
; known value ($E000, which is usually
; $4C, a JMP operation)
091A-   CD 00 E0    CMP   $E000

; yes, that checks out
091D-   F0 03       BEQ   $0922

; neither known value checked out,
; which probably means this machine
; only has 48K (no language card, so no
; upper 16K, so we've been storing
; values into thin air this whole time)
; so switch back to ROM and be happy
091F-   2C 81 C0    BIT   $C081

; execution continues here in any case
; (on machines with 64K, LC RAM bank 2
; is still active and the custom low-
; level reset vectors are in place) and
; OH GOD WHAT'S ALL THIS
0922-   A2 4B       LDX   #$4B
0924-   5D 2D 08    EOR   $082D,X
0927-   9D 10 01    STA   $0110,X
092A-   CA          DEX
092B-   10 F7       BPL   $0924

; OH GOD WHAT'S ALL THIS TOO
092D-   A0 03       LDY   #$03
092F-   AE 2B 08    LDX   $082B
0932-   5D 00 09    EOR   $0900,X
0935-   9D 00 05    STA   $0500,X
0938-   E8          INX
0939-   D0 F7       BNE   $0932
093B-   EE 34 09    INC   $0934
093E-   EE 37 09    INC   $0937
0941-   88          DEY
0942-   D0 EE       BNE   $0932

the rest of the bootloader is encrypted
fdjklashfduishgfafdhhd that's great DRM
is great grrrrrrrrrrrrrrrrrrrrrrrr okay
here we go

; set some stuff in the code we just
decrypted onto the stack
0944-   A5 30       LDA   $30
0946-   09 89       ORA   #$89
0948-   8D 11 01    STA   $0111
094B-   AD 2A 08    LDA   $082A
094E-   8D 57 01    STA   $0157

; and continue inside the decrypted
code on the text page
0951-   4C 87 07    JMP   $0787

I can't ignore it any longer. It's time
to decrypt the bootloader.

; restore the original boot sector (the
; one in memory has my trace callback
; in it)
*BLOAD OBJ.0800-08FF,A$800

I can't modify the decryption loop,
because it forms the basis for the key
to decrypt later pages.

So that's great.

But I can move the decryption loop and
modify the copy.

; copy code to $2900
*2900<900.9FFM

; fix up the absolute addresses so we
; decrypt into $2100 instead of $0100
*2929:21

; $2500 instead of $0500
*2937:25

; and self-modify our loop at $2900
; instead of $0900
*293D:29
*2940:29

; the initial key is in the accumulator
; (set at $090D before some other stuff
; I don't want to run) so I'll manually
; set it here at the beginning of the
; decryption -- it's $4C
*291F:EA A9 4C

; fix up the post-decryption patchups
*2944:A9 60
*294A:21
*2950:21

; "RTS" instead of "JMP $0787"
*2951:60

The final patched decryption code looks
like this:

*291FL

291F-   EA          NOP
2920-   A9 4C       LDA   #$4C
2922-   A2 4B       LDX   #$4B
2924-   5D 2D 08    EOR   $082D,X
2927-   9D 10 21    STA   $2110,X
292A-   CA          DEX
292B-   10 F7       BPL   $2924
292D-   A0 03       LDY   #$03
292F-   AE 2B 08    LDX   $082B
2932-   5D 00 09    EOR   $0900,X
2935-   9D 00 25    STA   $2500,X
2938-   E8          INX
2939-   D0 F7       BNE   $2932
293B-   EE 34 29    INC   $2934
293E-   EE 37 29    INC   $2937
2941-   88          DEY
2942-   D0 EE       BNE   $2932
2944-   A9 60       LDA   #$60
2946-   09 89       ORA   #$89
2948-   8D 11 21    STA   $2111
294B-   AD 2A 08    LDA   $082A
294E-   8D 57 21    STA   $2157
2951-   60          RTS

Let's go!

*291FG

*2110L

; looks like a Badlands routine ends
; up at $0110 -- this is what all the
; reset and other vectors were pointing
; to
2110-   AC E9 C0    LDY   $C0E9

; force 40-column text mode and clear
; the screen
2113-   A9 FF       LDA   #$FF
2115-   8D FB 04    STA   $04FB
2118-   8D 0E C0    STA   $C00E
211B-   20 2F FB    JSR   $FB2F
211E-   2C 57 C0    BIT   $C057
2121-   2C 52 C0    BIT   $C052
2124-   2C 50 C0    BIT   $C050
2127-   20 58 FC    JSR   $FC58

; wipe every other byte of memory (by
; which I mean every alternating byte,
; because we increment the Y index
; twice, which is a little weird but
; whatever, if we end up here we've
; already lost)
212A-   A0 00       LDY   #$00
212C-   84 4E       STY   $4E
212E-   A9 02       LDA   #$02
2130-   A2 08       LDX   #$08
2132-   86 4F       STX   $4F
2134-   91 4E       STA   ($4E),Y
2136-   C8          INY
2137-   C8          INY
2138-   D0 FA       BNE   $2134
213A-   E8          INX

; skip hi-res screen 1 for some reason
213B-   E0 20       CPX   #$20
213D-   F0 19       BEQ   $2158

2158-   A2 40       LDX   #$40
215A-   D0 D6       BNE   $2132

213F-   E0 C0       CPX   #$C0
2141-   90 EF       BCC   $2132

; wipe wipe wipe your RAM,
; gently down the board
2143-   EC 81 C0    CPX   $C081
2146-   AC 81 C0    LDY   $C081
2149-   9D 00 03    STA   $0300,X
214C-   BD 00 FF    LDA   $FF00,X
214F-   9D 00 FF    STA   $FF00,X
2152-   E8          INX
2153-   D0 F4       BNE   $2149

; reboot from whence we came (this JMP
; address was actually modified by the
; post-decryption patchups at $093C,
; to maintain slot independence even in
; the face of catastrophic failure)
2155-   4C 00 C6    JMP   $C600

OK, let's not end up there.

*2787L

2787-   A9 02       LDA   #$02
2789-   85 0A       STA   $0A
278B-   85 02       STA   $02
278D-   A9 AC       LDA   #$AC
278F-   85 05       STA   $05
2791-   20 14 07    JSR   $0714
2794-   AD 32 06    LDA   $0632
2797-   48          PHA
2798-   20 B6 06    JSR   $06B6
...

I don't know what that does yet, but it
sure does look like real code, so I
think the decryption was a success.

                   ~

               Chapter 4
     Oh Look You Made A Save Icon


Let's save what we have so far, since
someone went to all this trouble to
prevent us from seeing it.

*BSAVE OBJ.0100-01FF,A$2100,L$100
*BSAVE OBJ.0500-07FF,A$2500,L$300

What I really want is a disk with this
decrypted code on it, paired with a
bootloader that no longer tries to
decrypt it. Then I can start making the
rest of the changes to make it boot.

I have everything in memory -- the
unencrypted parts and the decrypted
parts -- but not all in one place. So
the next step is to combine them.

; copy decrypted code back to page 8
*82D<2110.215BM

; copy decrypted code back to page 9+
*954<2554.27FFM

; change "EOR" instructions to "LDA" --
; abracadabra! the decryption loops
; become copy loops
*924:BD
*932:BD

*BSAVE OBJ.0800-0BFF DECRYPTED,
 A$800,L$400

Now let's write that decrypted version
back to my copy.

; loop through all sectors on track 0,
; writing the ones we want and skipping
; the rest
28C0-   AC ED 28    LDY   $28ED
28C3-   B9 D8 28    LDA   $28D8,Y
28C6-   30 0A       BMI   $28D2
28C8-   8D F1 28    STA   $28F1
28CB-   A9 28       LDA   #$28
28CD-   A0 E8       LDY   #$E8
28CF-   20 D9 03    JSR   $03D9
28D2-   CE ED 28    DEC   $28ED
28D5-   10 E9       BPL   $28C0
28D7-   60          RTS

*28D8.28E7

; T00,S00 <- $0800
; T00,S0E <- $0900
; T00,S0D <- $0A00
; T00,S0C <- $0B00
28D8- 08 FF FF FF FF FF FF FF
28E0- FF FF FF FF 0B 0A 09 FF

*28E8.28FF

; standard RWTS parameter table
28E8- 01 60 01 00 00 0F FB 28
28F0- 00 00 00 00 02 00 FE 60
28F8- 01 00 00 00 01 EF D8 00

*BSAVE WRITE,A$28C0,L$40

[S6,D1=non-working copy]

*28C0G
...write write write...

Now we have a copy that is just as non-
functional as my previous copy, but at
least it's no longer encrypted.

                   ~

               Chapter 5
           Are We There Yet?


Now I get to normalize the newly
decrypted bootloader so my copy can
read itself. The code to match and
parse the address field starts at $0554
(in memory at $2554):

*2554L

; boot slot (x16)
2554-   A6 30       LDX   $30
2556-   BD 8C C0    LDA   $C08C,X
2559-   10 FB       BPL   $2556

; side effect -- stores $D4 or $D5 in
; zero page, might be relevant later
; [THIS LITERARY TECHNIQUE IS CALLED
;  4SHADOWING]
255B-   85 01       STA   $01
255D-   EA          NOP
255E-   EA          NOP

; match $D4 or $D5 (should be fine,
; since it will still match $D5 on my
; copy), then $AA $96 as normal
255F-   4A          LSR
2560-   49 6A       EOR   #$6A
2562-   D0 F2       BNE   $2556
2564-   BD 8C C0    LDA   $C08C,X
2567-   10 FB       BPL   $2564
2569-   C9 AA       CMP   #$AA
256B-   D0 E9       BNE   $2556
256D-   EA          NOP
256E-   BD 8C C0    LDA   $C08C,X
2571-   10 FB       BPL   $256E
2573-   49 96       EOR   #$96
2575-   D0 DF       BNE   $2556

; parse address field and store the
; disk volume, track, sector, and
; checksum in zero page $2C..$2F
2577-   A0 03       LDY   #$03
2579-   85 0C       STA   $0C
257B-   BD 8C C0    LDA   $C08C,X
257E-   10 FB       BPL   $257B
2580-   2A          ROL
2581-   85 0B       STA   $0B
2583-   BD 8C C0    LDA   $C08C,X
2586-   10 FB       BPL   $2583
2588-   25 0B       AND   $0B
258A-   99 2C 00    STA   $002C,Y
258D-   45 0C       EOR   $0C
258F-   88          DEY
2590-   10 E7       BPL   $2579
2592-   A8          TAY
2593-   D0 0B       BNE   $25A0

; match address epilogue (one nibble)
2595-   BD 8C C0    LDA   $C08C,X
2598-   10 FB       BPL   $2595
259A-   C9 DA       CMP   #$DA    <-- !
259C-   D0 02       BNE   $25A0
259E-   18          CLC
259F-   60          RTS
25A0-   38          SEC
25A1-   60          RTS

Now that the disk uses the standard
epilogue ($DE $AA $EB), we'll change
$DA to $DE.

This code is on sector $0E.

T00,S0E,$9B: DA -> DE

The data field parsing routine starts
immediately after, at $05A2 (in memory
now at $25A2):

*25A2L

25A2-   A6 30       LDX   $30
25A4-   A0 18       LDY   #$18
25A6-   88          DEY
25A7-   30 F7       BMI   $25A0

; match $D5 $AA $AD as normal
25A9-   BD 8C C0    LDA   $C08C,X
25AC-   10 FB       BPL   $25A9
25AE-   C9 D5       CMP   #$D5
25B0-   D0 F4       BNE   $25A6
25B2-   EA          NOP
25B3-   BD 8C C0    LDA   $C08C,X
25B6-   10 FB       BPL   $25B3
25B8-   C9 AA       CMP   #$AA
25BA-   D0 F2       BNE   $25AE
25BC-   A0 56       LDY   #$56
25BE-   BD 8C C0    LDA   $C08C,X
25C1-   10 FB       BPL   $25BE
25C3-   49 AD       EOR   #$AD
25C5-   D0 E7       BNE   $25AE

; ???
25C7-   08          PHP
25C8-   20 9E 05    JSR   $059E
25CB-   28          PLP

*259EL

259E-   18          CLC
259F-   60          RTS

Nothing. We're calling a subroutine to
do absolutely nothing except clear the
carry. And since we saved and restored
the status flags, we're not even doing
that.

Onward.

*25CCL

25CC-   88          DEY
25CD-   84 0B       STY   $0B
25CF-   BC 8C C0    LDY   $C08C,X
25D2-   10 FB       BPL   $25CF
25D4-   59 D6 02    EOR   $02D6,Y
25D7-   A4 0B       LDY   $0B
25D9-   99 00 03    STA   $0300,Y
25DC-   D0 EE       BNE   $25CC
25DE-   84 0B       STY   $0B
25E0-   BC 8C C0    LDY   $C08C,X
25E3-   10 FB       BPL   $25E0
25E5-   59 D6 02    EOR   $02D6,Y
25E8-   A4 0B       LDY   $0B
25EA-   99 00 02    STA   $0200,Y
25ED-   C8          INY
25EE-   D0 EE       BNE   $25DE
25F0-   BC 8C C0    LDY   $C08C,X
25F3-   10 FB       BPL   $25F0
25F5-   59 D6 02    EOR   $02D6,Y
25F8-   D0 A6       BNE   $25A0

; also extremely weird
25FA-   A1 00       LDA   ($00,X)

; match all three epilogue nibbles
25FC-   BD 8C C0    LDA   $C08C,X
25FF-   10 FB       BPL   $25FC
2601-   C9 DA       CMP   #$DA    <-- !
2603-   D0 9B       BNE   $25A0
2605-   EA          NOP
2606-   BD 8C C0    LDA   $C08C,X
2609-   10 FB       BPL   $2606
260B-   C9 AA       CMP   #$AA
260D-   D0 91       BNE   $25A0
260F-   A4 2F       LDY   $2F
2611-   BD 8C C0    LDA   $C08C,X
2614-   10 FB       BPL   $2611
2616-   C9 EB       CMP   #$EB
2618-   D0 86       BNE   $25A0

; finish decoding disk nibbles into
; bytes in memory
261A-   A2 56       LDX   #$56
261C-   CA          DEX
261D-   30 FB       BMI   $261A
261F-   B9 00 02    LDA   $0200,Y
2622-   5E 00 03    LSR   $0300,X
2625-   2A          ROL
2626-   5E 00 03    LSR   $0300,X
2629-   2A          ROL
262A-   91 04       STA   ($04),Y
262C-   C8          INY
262D-   D0 ED       BNE   $261C
262F-   18          CLC
2630-   60          RTS

OK, the most obvious patch is the first
data epilogue nibble, which is now $DE.

T00,S0D,$02: DA -> DE

]PR#6
...reboots endlessly...

Hmm. Maybe because it's enforcing the
third data epilogue nibble?

; change the branch to the next line so
; it effectively ignores the third
; data epilogue nibble
T00,S0D,$19: 86 -> 00

Nope, still reboots endlessly. (I'll
keep the patch anyway.)

Hmm.

It's not the address prologue matching;
the LSR/EOR code to match $D4 or $D5
is a common trick. It still matches $D5
on any track, so it shouldn't require
any change.

After staring at this code for longer
than I would like to admit, it finally
dawned on me what this weird code
immediately after the data prologue is
for:

; cycles counts in margin, because that
; is the most important part
25DE-   84 0B       STY   $0B
*25BEL

25BE-   BD 8C C0    LDA   $C08C,X   ; 4
25C1-   10 FB       BPL   $25BE     ; 2
25C3-   49 AD       EOR   #$AD      ; 2
25C5-   D0 E7       BNE   $25AE     ; 2
25C7-   08          PHP             ; 3
25C8-   20 9E 05    JSR   $059E     ; 6

259E-   18          CLC             ; 2
259F-   60          RTS             ; 6

25CB-   28          PLP             ; 4
25CC-   88          DEY             ; 2
25CD-   84 0B       STY   $0B       ; 3
25CF-   BC 8C C0    LDY   $C08C,X   ;*3

4+2+2+2+3+6+2+6+4+2+3+3 = 39, which is
too long. Each bit on disk takes 4 CPU
cycles to come around as the disk is
spinning.  That means we need to read
an 8-bit nibble every 32 cycles. The
data latch will hold the last value for
4 more cycles -- to compensate for the
fact that the read is actually done on
the third cycle of the 4-cycle LDA/LDY
instruction that hits the data latch
soft switch -- so we can spend an
absolute maximum of 36 cycles fetching
any one nibble. We've intentionally
wasted enough time that we'll miss the
first bit of the first nibble of the
data field.

Unless...

If the $AD, the third data prologue
nibble, has a timing bit after it, then
the data latch would hold that value
for 4 more cycles, and we would just
barely have enough time to catch the
first bit of the next nibble.

Turning back to the Copy II Plus nibble
editor, I can see it on the original
disk (originally shown in inverse,
which I converted to "+"):

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 01  START: 200D  LENGTH: 18C7

1FE8: ED BB FE FC ED FF FC ED   VIEW
1FF0: BB BB FC FC ED BB FE ED
1FF8: BB FC FC ED BB BB FC EC
2000: EC FC FC ED BB FC ED BB
2008: FC FE FF FF FF D5 AA 96
                     ^^^^^^^^
                 address prologue

2010: AA AA AA AB AA AA AA AB
2018: DA AA EB 99 FF+FF+FF+FB+
      ^^^^^^^^
  address epilogue

2020: FF+FF+FF+FF+D5 AA AD+A6
                  ^^^^^^^^
               data prologue
              with timing bit
              after the third
                   nibble

                 --^--

At $05C7, I can put a "BEQ" to branch
over the JSR, which will save enough
time to make this code work on my
normalized disk with no extra timing
bits.

T00,S0E,$C7: 0820 -> F003

]PR#6
...still reboots endlessly...

I. Am. Still. Missing. Something.

                   ~

               Chapter 6
    Secret Agent Double-O... Zero?


After staring at this bootloader for an
embarrassing amount of time, looking at
the original disk in both a nibble and
a sector editor, I found another subtle
difference: the disk volume number.

The original disk has a disk volume
number of 000 -- which, by the way, is
impossible to create with standard
tools. But as we've already seen, this
disk is anything but standard.

(My copy has a disk volume 254, the
default.)

But who cares? On an unprotected disk,
or even a protected disk with a
modified copy of DOS 3.3, the RWTS can
check and intentionally reject a disk
with the wrong disk volume number. This
bootloader does not contain that check.

Except...

At $060F, the custom RWTS is finishing
up matching the data field epilogue and
getting ready to finish decoding the
disk nibbles in the data field and
verifying the checksum before returning
a final boolean in the carry flag --
yes, this sector was read successfully,
or no, it wasn't.

``'-.,_,.-'``'-.,_,.='``'-.,_,.-'``'-.,
``'-.,_,.-'``'-.,_,.='``'-.,_,.-'``'-.,
``                                   .,
`` 260F-   A4 2F       LDY   $2F     .,
`` 2611-   BD 8C C0    LDA   $C08C,X .,
`` 2614-   10 FB       BPL   $2611   .,
`` 2616-   C9 EB       CMP   #$EB    .,
`` 2618-   D0 86       BNE   $25A0   .,
``                                   .,
``'-.,_,.-'``'-.,_,.='``'-.,_,.-'``'-.,
``'-.,_,.-'``'-.,_,.='``'-.,_,.-'``'-.,

Look how we're initializing the Y
register: with zero page $2F. What's in
$2F? Why, we just set that, while we
were parsing the address field. It's
the disk volume number.

The disk volume number has nothing to
do with this part of the RWTS. The Y
register is used to look up into the
nibble translation table. In a standard
DOS 3.3 RWTS, that register is always
initialized to 0. So this is a very,
very, very sneaky way of ensuring that
the disk volume number is 0.

Which, of course, mine isn't.

The patch is to make the code do what
DOS 3.3 does: always initialize the Y
register to 0 going into the final
nibble decoding.

T00,S0D,$0F: A42F -> A000

]PR#6
...hangs with the drive motor off...

This is definitely progress. I mean, I
don't get to play the game or anything,
but it's no longer rebooting endlessly.
That means I'm now hitting an entirely
different way that this copy protection
is telling me to go f--- myself.

                   ~

               Chapter 7
           The 4shadow Knows


The RWTS now works. It is successfully
reading sectors and returning to the
caller. Where is the caller? Searching
for references to $0554, it appears the
caller is at $0753.

]PR#5
]BLOAD OBJ.0800-0BFF DECRYPTED,A$800
]CALL -151

*2500<900.BFFM

Now $0753 is in memory at $2753.

*2753L

; read and parse address field
2753-   20 54 05    JSR   $0554

; endlessly loop on error
2756-   B0 FB       BCS   $2753

; check if we're on the right track
; (I mean literally whether the track
; number is the expected value)
2758-   A5 2E       LDA   $2E
275A-   85 0D       STA   $0D
275C-   C5 0F       CMP   $0F

; if not, branch back and recalibrate
; (not shown)
275E-   D0 EE       BNE   $274E

; get the physical sector number
; (just parsed from the address field)
2760-   A6 2D       LDX   $2D
2762-   8A          TXA

; XOR with the first nibble of the
; address prologue ($D4 or $D5, set at
; $055B)
2763-   45 01       EOR   $01     <-- !

; check the low bit
2765-   29 01       AND   #$01

; branch back if it doesn't match
2767-   F0 EA       BEQ   $2753

So even though the RWTS code itself
accepts a $D4 or $D5 for the first
address prologue nibble, the caller
then goes out of its way to check which
one it was. The even sectors need to be
$D5 $AA $96, and the odd sectors need
to be $D4 $AA $96.

Which, of course, is no longer true. On
my copy, every sector uses the standard
$D5 $AA $96.

I can fool this check by changing the
"EOR" instruction to an "LDA", which
will ensure the "BEQ" never branches,
so it will never loop back to retry a
sector that already succeeded.

T00,S0C,$65: 29 -> A9

Fun fact: the only time this bootloader
turns on the drive motor is in the
change track routine, which immediately
turn it off again. The rest of the RWTS
relies on the fact that the disk drive
won't actually turn off the motor when
it's told to. It lingers for about a
second -- long enough for the disk to
spin about 5 full revolutions. The code
assumes (correctly) that it can read
all the sectors on a track before the
drive motor actually turns off, at
which point it moves to the next track,
which turns the drive motor on again,
and the cycle repeats.

On my copy, the caller intentionally
rejects sectors based on the first
nibble of the address prologue, so it
keeps retrying the reads even though
they succeeded. Eventually the disk
drive motor really does turn off, at
which point nothing works, and we're
stuck in an endless loop of trying to
read a disk that is no longer spinning.

                   ~

               Chapter 8
   Chasing That Natural High (Score)


The game boots. The game loads. The
game plays. Then you get a high score,
you enter your initials, and they
appear in the high score list.

Except it doesn't actually save them.
After you reboot, the high score list
is empty again.

Because there is AN ENTIRELY OTHER RWTS
on the disk for the exclusive purpose
of writing out high scores. It's stored
in a weird order on track $08, but it
looks like it gets loaded into $B800 in
memory.

T08,S08,$35: DA -> DE
T08,S08,$91: DA -> DE
T08,S09,$9E: DA -> DE

]PR#6
...works, and it is glorious...

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1748
------------------EOF------------------