-----------Pollution Control-----------
A 4am crack
2021-01-30
---------------------------------------

Name: Pollution Control
Genre: educational
Year: 1989
Credits: Entrex Software
Publisher: Focus Media
Platform: Apple ][+ or later (64K)
Media: 5.25-inch disk
Sides: 3
OS: Apple Pascal
Previous cracks: none

This disk was automatically cracked by
Passport. Here is the transcript for
disk 1:

--v--

Reading from S6,D1

T00,S00  Found Pascal bootloader
T00,S0B  Volume name is POL0

Using built-in RWTS

Writing to RAM disk

Writing to S6,D2

The disk was copied successfully, but
Passport did not apply any patches.
Possible reasons:

- The source disk is not copy
  protected.
- The target disk works without
  patches.
- The disk uses an unknown protection,
  and Passport can not help any
  further.

--^--

Wait, what?

It turns out that

(1) this disk is heavily protected

AND

(2) Passport can crack it without
    changing a single byte

To understand why, we will look at the
deprotected disk and work backwards.
Like a crack write-up in reverse.

Here is the part of the RWTS that looks
for the address prologue:

--v--

T00,S0D
----------- DISASSEMBLY MODE ----------

; prologue nibble #1
0005:BD 8C C0    LDA   $C08C,X
0008:10 FB       BPL   $0005
000A:4A          LSR             <--
000B:C9 6A       CMP   #$6A      <--
000D:D0 EF       BNE   $FFFE     <--

; #2
000F:BD 8C C0    LDA   $C08C,X
0012:10 FB       BPL   $000F
0014:C9 AA       CMP   #$AA
0016:D0 F2       BNE   $000A
0018:A0 03       LDY   #$03

; #3
001A:BD 8C C0    LDA   $C08C,X
001D:10 FB       BPL   $001A
001F:C9 96       CMP   #$96
0021:D0 E7       BNE   $000A

--^--

The second and third nibbles are
normal, but the code to find prologue
nibble #1 has this non-standard LSR /
CMP. It does match the usual $D5
nibble:

In binary:   $D5 = 1101 0101
After LSR:         0110 1010 = $6A

BUT! It would also match $D4:

In binary:   $D4 = 1101 0100
After LSR:         0110 1010 = $6A

Looking at the original disk in the
Copy ][+ nibble editor, we see that it
uses... both. Even-numbered tracks use
the standard $D5 $AA $96 prologue, but
odd-numbered tracks use $D4 $AA $96!
--v--

COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
TRACK: 01  START: 33AD  LENGTH: 108D

3398: FF FF FF FF FF FF FF FF   VIEW
33A0: FF FF FF FF FF FF FF FF
33A8: FF 92 92 FF FF FF FF FF
33B0: FF FF FF FF FF FF FF FF
33B8: FF FF FF FF FF D4 AA 96   <-33BD
                     ^^^^^^^^ prologue
33C0: AA AB AA AB AA AA AA AA
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      V=$01 T=$01 S=$00 chksm
33C8: AF AB AB FF FF FF FF FF
33D0: FF D5 AA AD F4 EB FC D7
33D8: B9 EB 9D FC FC BF A6 CD

--^--

Because of the LSR, this code will match
either prologue and work on both odd and
even tracks. Clever!

But wait, there's more! Only a few
instructions later, the RWTS does this
to match the address epilogue:

--v--

T00,S0D
----------- DISASSEMBLY MODE ----------

; find epilogue nibble #1
0041:BD 8C C0    LDA   $C08C,X
0044:10 FB       BPL   $0041
0046:C9 DE       CMP   #$DE

; if found $DE, immediately exit with
; a "success" status (clear carry bit)
0048:F0 0A       BEQ   $0054

; if not $DE, burn some CPU cycles
004A:48          PHA
004B:68          PLA

; Note: no BPL loop here! It only reads
; the data latch once.
004C:BD 8C C0    LDA   $C08C,X
004F:C9 08       CMP   #$08
0051:B0 A5       BCS   $FFF8
0053:EA          NOP
0054:18          CLC
0055:60          RTS

--^--

It's looking for a timing bit after the
first epilogue byte. It doesn't even
care what the first epilogue byte was,
as long as it wasn't $DE.

This RWTS will accept two different
address prologues, $D5 $AA $96 or
$D4 $AA $96. It will ALSO accept two
different address epilogues, $DE or
anything-other-than-$DE-followed-by-a-
timing-bit.

Looking at disk 1, every sector uses an
address epilogue of $AF followed by a
timing bit, so it will fall through to
the PHA / PLA code path, check for the
timing bit, find it, and succeed. Disks
2 and 3 are unprotected, so they will
match the CMP #$DE, branch over the
other logic, and succeed.

This also explains why the Passport-
converted disk can read itself.
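To make the two matching tricks above concrete (the LSR / CMP #$6A prologue test and the $DE-or-timing-bit epilogue test), here is a software model of the address-field reader, written in Python. This is an added illustration, not code from the write-up or from the disk's RWTS. It assumes a plain list of nibble values stands in for the Disk II data latch at $C08C,X, and it models the "timing bit" as the value the latch shows on the single un-synchronised read that follows the epilogue byte (anything below $08 counts as "timing bit present", mirroring CMP #$08 / BCS). The 4-and-4 decode and the V^T^S checksum test are the conventional DOS-style ones and are not shown in the write-up's disassembly; the sample nibble streams are constructed from the Copy ][+ dump above, with the latch value after the epilogue invented for the model.

```python
# Model of the Pollution Control address-field matcher (added example, not
# the original RWTS code).  Nibbles are plain ints; the "latch after the
# epilogue byte" is a constructed value standing in for the un-synchronised
# $C08C,X read at $004C.


def matches_prologue_nibble_1(nibble: int) -> bool:
    """LSR / CMP #$6A: true for $D5 (standard) and for $D4 (odd tracks)."""
    return ((nibble & 0xFF) >> 1) == 0x6A


def find_address_prologue(nibbles, start=0):
    """Return the index just past <#1> $AA $96, or None if not found.

    A mismatch at nibble #2 or #3 branches back to $000A, which re-tests
    the nibble just read as a candidate nibble #1; that is modelled by
    not advancing the index on a mismatch.  The outer retry counter that
    BNE $FFFE falls into is not modelled.
    """
    i, n = start, len(nibbles)
    while i < n:
        if not matches_prologue_nibble_1(nibbles[i]):
            i += 1                      # keep reading until LSR gives $6A
            continue
        i += 1                          # nibble #2 must be $AA
        if i >= n:
            return None
        if nibbles[i] != 0xAA:
            continue                    # BNE $000A: retest as nibble #1
        i += 1                          # nibble #3 must be $96
        if i >= n:
            return None
        if nibbles[i] != 0x96:
            continue
        return i + 1
    return None


def accept_address_epilogue(epilogue_nibble: int, latch_after: int) -> bool:
    """Epilogue test at $0041-$0055.

    $DE succeeds at once (BEQ $0054 -> CLC).  Anything else is followed by
    PHA/PLA and one raw latch read: a timing bit leaves the latch with only
    a few shifted-in bits (value < $08), which the code treats as success;
    a value >= $08 takes BCS $FFF8 and fails.
    """
    if epilogue_nibble == 0xDE:
        return True
    return latch_after < 0x08


def decode_4_and_4(odd: int, even: int) -> int:
    """Standard 4-and-4 decode of one byte from two nibbles (assumed, not
    shown in the write-up's disassembly)."""
    return ((odd << 1) | 1) & even & 0xFF


def read_address_field(nibbles, start=0):
    """Prologue search, V/T/S/checksum decode, epilogue test in one pass.
    Returns a dict on success, None on any failure."""
    pos = find_address_prologue(nibbles, start)
    if pos is None or pos + 10 > len(nibbles):
        return None
    vol = decode_4_and_4(nibbles[pos], nibbles[pos + 1])
    trk = decode_4_and_4(nibbles[pos + 2], nibbles[pos + 3])
    sec = decode_4_and_4(nibbles[pos + 4], nibbles[pos + 5])
    chk = decode_4_and_4(nibbles[pos + 6], nibbles[pos + 7])
    if chk != vol ^ trk ^ sec:          # conventional checksum (assumed)
        return None
    if not accept_address_epilogue(nibbles[pos + 8], nibbles[pos + 9]):
        return None
    return {"prologue": nibbles[pos - 3], "volume": vol,
            "track": trk, "sector": sec}


# Constructed streams.  ODD_TRACK_STREAM follows the Copy ][+ dump at $33B8
# (FF FF FF FF FF D4 AA 96 / AA AB AA AB AA AA AA AA / AF ...); the final
# 0x03 is an invented latch value representing the timing bit.
ODD_TRACK_STREAM = [0xFF] * 5 + [0xD4, 0xAA, 0x96,
                                 0xAA, 0xAB, 0xAA, 0xAB, 0xAA, 0xAA, 0xAA, 0xAA,
                                 0xAF, 0x03]
# Unprotected-style sector: $D5 prologue, $DE epilogue, V=1 T=0 S=1.
EVEN_TRACK_STREAM = [0xFF] * 3 + [0xD5, 0xAA, 0x96,
                                  0xAA, 0xAB, 0xAA, 0xAA, 0xAA, 0xAB, 0xAA, 0xAA,
                                  0xDE, 0xAA]
# $D6 >> 1 == $6B, so this prologue is never matched.
UNKNOWN_PROLOGUE_STREAM = [0xFF] * 3 + [0xD6, 0xAA, 0x96] + [0xAA] * 8 + [0xDE, 0xAA]

if __name__ == "__main__":
    for name, stream in [("odd", ODD_TRACK_STREAM), ("even", EVEN_TRACK_STREAM),
                         ("unknown", UNKNOWN_PROLOGUE_STREAM)]:
        print(name, read_address_field(stream))
```

Running the block shows the odd-track stream decoding to volume 1, track 1, sector 0 through the $D4 prologue and the $AF-plus-timing-bit epilogue, the unprotected-style stream succeeding through the $D5 / $DE path, and the $D6 stream rejected, which is the whole "two prologues, two epilogues" behaviour in one place.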
The RWTS can read protected or
unprotected disks; in fact, it has to,
because disks 2 and 3 were shipped
unprotected in the first place! And now
that disk 1 is unprotected, the same
RWTS reads it just as easily.

And that's the story of the zero-byte
crack.

Quod erat liberandum.

---------------------------------------
A 4am crack No. 2310
------------------EOF------------------