💾 Archived View for mirrors.apple2.org.za › active › 4am › images › games › simulation › Baron%202.1… captured on 2023-01-29 at 07:06:00.
View Raw
More Information
-=-=-=-=-=-=-
-----------------Baron-----------------
A 4am crack 2015-12-27
---------------------------------------
Name: Baron: The Real Estate Simulation
Version: 2.1
Genre: simulation
Year: 1985
Author: Jim Zuber
Publisher: Blue Chip Software
Media: double-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none (of this version)
Identical cracks:
#506 Millionaire 2.0
Side B boots to a BASIC program that
clears the screen and displays the
error message "WRONG SIDE". So, uh, I
guess I'll start with side A.
~
Chapter 0
In Which Various Automated Tools Fail
In Interesting Ways
COPYA
No read errors on either side, but
the copy boots DOS, runs a startup
program, clears the screen, prints
"Apple ][", swings to a high track,
grinds the disk several times, then
crashes at $AA54.
/!\ Subsequent attempts to boot don't
ever get off track $00. Looking
at the copy in a sector editor,
T00,S00 has been overwritten with a
random chunk of memory.
An actively destructive protection
check. That's not something you see
every day.
Locksmith Fast Disk Backup
ditto
EDD 4 bit copy (no sync, no count)
ditto
Copy ][+ nibble editor
nothing suspicious
Disk Fixer
T00-T02 -> standard DOS 3.3
T11 -> standard disk catalog
T01,S09 -> startup program is "ENTRA"
Why didn't any of my copies work?
There is a runtime protection check
which actively destroys any copies it
doesn't like. (Hint: it doesn't like
any copies.)
Next steps:
1. Trace the startup program
2. Disable the protection check
3. Declare victory(*)
(*) take a nap
~
Chapter 1
In Which We Gain Unfettered Access
And Make The Most Of It
[S6,D1=original disk]
]PR#6
...
<Ctrl-C>
I break to a DOS prompt with unfettered
access.
]CATALOG
DISK VOLUME 254
A 002 ENTRA
B 003 CON
A 002 CDIINC
A 045 BARINIT.BAS
T 038 DATA.RND
T 026 SAVE
T 002 RANDOM.DTA
T 002 GCHAR.DTA
T 002 CHECK
T 004 PLAYER
T 007 MORTGAGE.RND
T 024 Y
]LIST
10 PRINT CHR$ (4);"BLOADCON"
20 CALL 16384
50 PRINT CHR$ (4);"RUNCDIINC"
]BLOAD CON
]CALL -151
AA72- 00 40
; clear screen and print "Apple ]["
4000- 18 CLC
4001- 20 58 FC JSR $FC58
4004- A9 C1 LDA #$C1
4006- 8D 0F 04 STA $040F
4009- A9 F0 LDA #$F0
400B- 8D 10 04 STA $0410
400E- 8D 11 04 STA $0411
4011- A9 EC LDA #$EC
4013- 8D 12 04 STA $0412
4016- A9 E5 LDA #$E5
4018- 8D 13 04 STA $0413
401B- A9 DD LDA #$DD
401D- 8D 15 04 STA $0415
4020- A9 DB LDA #$DB
4022- 8D 16 04 STA $0416
4025- 4C A0 40 JMP $40A0
; set up... something
40A0- A9 23 LDA #$23
40A2- 85 02 STA $02
40A4- A9 00 LDA #$00
40A6- 85 03 STA $03
40A8- A9 01 LDA #$01
40AA- 85 04 STA $04
40AC- 20 28 40 JSR $4028
; get the address of the RWTS parameter
; table
4028- 20 E3 03 JSR $03E3
402B- 84 00 STY $00
402D- 85 01 STA $01
; track = $23 (set at $40A2)
402F- A5 02 LDA $02
4031- A0 04 LDY #$04
4033- 91 00 STA ($00),Y
; sector = $00 (set at $40A6)
4035- A5 03 LDA $03
4037- C9 10 CMP #$10
4039- 90 04 BCC $403F
403B- A9 00 LDA #$00
403D- 85 03 STA $03
403F- A0 05 LDY #$05
4041- 91 00 STA ($00),Y
4043- A0 08 LDY #$08
4045- A9 00 LDA #$00
4047- 91 00 STA ($00),Y
4049- C8 INY
404A- A9 0A LDA #$0A
404C- 91 00 STA ($00),Y
; RWTS command = $01 (set at $40AA)
404E- A5 04 LDA $04
4050- A0 0C LDY #$0C
4052- 91 00 STA ($00),Y
4054- A9 00 LDA #$00
4056- A0 03 LDY #$03
4058- 91 00 STA ($00),Y
405A- 20 E3 03 JSR $03E3
; read it
405D- 20 D9 03 JSR $03D9
4060- A9 00 LDA #$00
4062- 85 48 STA $48
; if the read worked, branch forward
4064- 90 1B BCC $4081
; read failed, off to The Badlands!
4066- 4C D0 40 JMP $40D0
...
4081- 60 RTS
The protection check is reading track
$23 -- an extra track that is normally
unused. All of my copies stopped at
track $22, which explains why they all
failed.
; corrupt part of DOS in memory
40D0- A9 00 LDA #$00
40D2- 8D 00 A0 STA $A000
40D5- EE D3 40 INC $40D3
40D8- AD D3 40 LDA $40D3
40DB- C9 FF CMP #$FF
40DD- D0 F1 BNE $40D0
; track = $00
; sector = $00
; RWTS command = $02 (write!)
40DF- A9 00 LDA #$00
40E1- 85 02 STA $02
40E3- 85 03 STA $03
40E5- A9 02 LDA #$02
40E7- 85 04 STA $04
40E9- A9 F6 LDA #$F6
40EB- 8D 67 40 STA $4067
40EE- A9 10 LDA #$10
40F0- 8D 68 40 STA $4068
40F3- 20 28 40 JSR $4028
After the protection check fails, it
intentionally overwrites T00,S00.
; clear all of this out of memory
; (up to the previous instruction)
40F6- A9 00 LDA #$00
40F8- 8D 00 40 STA $4000
40FB- EE F9 40 INC $40F9
40FE- AD F9 40 LDA $40F9
4101- C9 F5 CMP #$F5
4103- D0 F1 BNE $40F6
; crash
4105- 4C 3E AA JMP $AA3E
That explains the behavior I saw on my
non-working copy.
Continuing from $40AF...
; check the data we actually read from
; track $23, sector $00
40AF- AD 00 0A LDA $0A00
40B2- C9 00 CMP #$00
40B4- F0 03 BEQ $40B9
; first byte doesn't match, off to
; The Badlands!
40B6- 4C D0 40 JMP $40D0
; execution continues here (from $40B4)
40B9- AD 01 0A LDA $0A01
40BC- C9 00 CMP #$00
40BE- F0 03 BEQ $40C3
; second byte doesn't match, off to
; The Badlands!
40C0- 4C D0 40 JMP $40D0
; execution continues here (from $40BE)
40C3- AD 02 0A LDA $0A02
40C6- C9 00 CMP #$00
40C8- F0 03 BEQ $40CD
; third byte doesn't match, off to
; The Badlands!
40CA- 4C D0 40 JMP $40D0
; execution continues here (from $40C8)
40CD- 4C 08 41 JMP $4108
...
; exit gracefully
4108- 60 RTS
So this entire routine is unnecessary.
Well, it clears the screen and prints
"Apple ][". But everything after the
the JMP at $4025 is just the protection
check.
[S6,D1=fresh (uncorrupted) copy]
[Disk Fixer]
["D" for directory mode]
[select "CON"]
T13,S0E,$29 change "4C" to "60"
Quod erat liberandum.
---------------------------------------
A 4am crack No. 542
------------------EOF------------------