
---------------Succession--------------
A 4am crack                  2015-08-17
---------------------------------------

Name: Succession
Genre: arcade
Year: 1982
Authors: Chris Eisnaugle
Publisher: Piccadilly Software, Inc.
Media: single-sided 5.25-inch floppy
OS: custom with DOS 3.3 bootloader
Previous cracks:
  Super Pirates of Minneapolis ("short
  version from Black Bag")

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error, but it
  gets a participation medal just for
  showing up

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T00-T08 -> modified address epilogue
    ("DE D5 EB" instead of "DE AA EB")
  T09+ unformatted

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DE D5 EB"
  Success! T00-T08 readable
  T00 -> looks like a DOS 3.3 RWTS
  No sign of the rest of DOS though
  No disk catalog on any track

Why didn't COPYA work?
  modified address epilogues

Why didn't Locksmith FDB work?
  modified address epilogues

EDD worked. What does that tell us?
  no half or quarter tracks
  probably no nibble check
  just structural changes (epilogue)
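
The address-field parsing that COPYA and
Locksmith tripped over, as an added
Python model (not part of the original
write-up and not code from any 4am
tool). It reads a constructed nibble
stream the way a DOS 3.3-style RWTS
does: find the D5 AA 96 prologue,
decode the 4-and-4 encoded volume,
track, sector and checksum, then accept
the field only if the first two
epilogue nibbles match (the stock RWTS
checks DE AA and ignores the third
nibble). Feeding it a track whose
epilogue is "DE D5 EB" shows why the
stock tools see nothing and why
changing the expected epilogue, as in
the Disk Fixer step above, makes the
sectors readable. The volume number,
gap lengths and data-field stand-in are
constructed values.

```python
# Added example: DOS 3.3-style address field parsing with a
# configurable epilogue. Not code from the original disk or from any
# 4am tool; the nibble stream built below is constructed.

ADDRESS_PROLOGUE = (0xD5, 0xAA, 0x96)
STANDARD_EPILOGUE = (0xDE, 0xAA)    # stock RWTS ignores the 3rd nibble
SUCCESSION_EPILOGUE = (0xDE, 0xD5)  # what the nibble editor showed


def encode_44(value):
    """4-and-4 encode one byte into two nibbles (odd bits, even bits)."""
    return ((value >> 1) | 0xAA, value | 0xAA)


def decode_44(odd, even):
    """Inverse of encode_44, the way RWTS reassembles the byte."""
    return ((odd << 1) | 0x01) & even


def address_field(volume, track, sector, epilogue):
    """One address field: prologue, four 4-and-4 bytes, three-nibble epilogue."""
    checksum = volume ^ track ^ sector
    nibbles = list(ADDRESS_PROLOGUE)
    for value in (volume, track, sector, checksum):
        nibbles.extend(encode_44(value))
    nibbles.extend(epilogue)
    nibbles.append(0xEB)
    return nibbles


def build_track(track, sectors, epilogue, gap=8):
    """Constructed track: sync gap, address field, stand-in data, per sector."""
    stream = []
    for sector in sectors:
        stream.extend([0xFF] * gap)
        stream.extend(address_field(254, track, sector, epilogue))
        stream.extend([0xFF] * gap)
        stream.extend([0x96] * 16)      # stand-in for the data field
    return stream


def read_address_fields(stream, expected_epilogue=STANDARD_EPILOGUE):
    """Return (volume, track, sector) for every field the RWTS would accept.

    Mirrors the checks DOS 3.3 makes when reading an address field:
    prologue, checksum, and the first two epilogue nibbles only.
    """
    found = []
    i = 0
    while i + 13 <= len(stream):
        if tuple(stream[i:i + 3]) != ADDRESS_PROLOGUE:
            i += 1
            continue
        body = stream[i + 3:i + 11]
        volume, track, sector, checksum = (
            decode_44(body[k], body[k + 1]) for k in range(0, 8, 2))
        epilogue = tuple(stream[i + 11:i + 13])
        if checksum == volume ^ track ^ sector and epilogue == expected_epilogue:
            found.append((volume, track, sector))
        i += 13
    return found


if __name__ == "__main__":
    original = build_track(0x05, range(16), SUCCESSION_EPILOGUE)
    print("stock epilogue check sees",
          len(read_address_fields(original)), "sectors")
    print("DE D5 epilogue check sees",
          len(read_address_fields(original, SUCCESSION_EPILOGUE)), "sectors")
```

Running it prints 0 sectors for the
stock check and 16 for the adjusted
one, which is the whole story of
Chapter 0 in two lines.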

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin (tracks
     $00-$08 only)
  3. patch RWTS (if necessary)

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself
And It Goes As Well As Can Be Expected


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

[press "Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $00
START SECTOR: $00

END TRACK: $08          <-- change this
END SECTOR: $0F         <-- change this

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $00,$00-$08,$0F BY$01 S6,D1->S6,D2

                 --^--

[press RETURN to start conversion]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:.........
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:.........
SC1:.........
SC2:.........
SC3:.........
SC4:.........
SC5:.........
SC6:.........
SC7:.........
SC8:.........
SC9:.........
SCA:.........
SCB:.........
SCC:.........
SCD:.........
SCE:.........
SCF:.........
=======================================
16SC $00,$00-$08,$0F BY1.0 S6,D1->S6,D2

                 --^--

[S6,D1=demuffin'd copy]

]PR#6
...reboots endlessly...

Interesting. On the one hand, it would
not surprise me if the demuffin'd disk
couldn't read itself without patching.
But with a DOS 3.3-shaped RWTS, that
manifests itself as grinding (as the
RWTS assumes a disk read error can be
solved by resynchronizing to track $00
and back again).

Perhaps the RWTS has been modified to
immediately give up on any read error.
Or perhaps there is a nibble check
after all. But that would surprise me,
since my EDD bit copy worked.

                   ~

               Chapter 2
       In Which We Are Surprised


If the RWTS needs patching, my Post-
Demuffin Patcher can probably fix it
automatically. As I recall from my
investigations with a nibble editor,
there was only one change to the
address epilogue.

]PR#5
...
]BRUN PDP

T00,S03,$9B change D5 to AA

(As expected, PDP fixed the RWTS check
for address epilogue nibble #2.)

]PR#6
...loads title then beeps endlessly...

That is most definitely progress. A
minute ago, my copy didn't even load
the title screen.

Possible explanations:

- The disk has 2 RWTSs, and it switches
  to the second one after loading the
  title screen. (Up'N' Down does this.)
- I didn't convert all the tracks. I
  thought T09+ were unformatted, but
  maybe I missed one. If the game has
  some sort of checksum on the code, it
  would fail because some of the code
  is missing. (Spy Hunter does this.)
- There really is a nibble check, but
  it's weak enough that an EDD bit copy
  fools it.

When in doubt, trace the boot.

]PR#5
...
]BLOAD BOOT0,A$800
]CALL -151

...

Nothing stands out. In fact, boot0 is
identical to DOS 3.3.


; probably a standard RWTS parameter
; table
B700-   8E E6 B7    STX   $B7E6
B703-   8E F4 B7    STX   $B7F4

; turn on graphics page
B706-   AD 50 C0    LDA   $C050
B709-   AD 57 C0    LDA   $C057
B70C-   4C D0 BF    JMP   $BFD0



; not sure what these are for yet
BFD0-   A9 83       LDA   #$83
BFD2-   85 4E       STA   $4E
BFD4-   A9 B9       LDA   #$B9
BFD6-   85 4F       STA   $4F
BFD8-   4C 0F B7    JMP   $B70F



; set (probably nasty) reset vector
B70F-   A9 D8       LDA   #$D8
B711-   8D F2 03    STA   $03F2
B714-   A9 BF       LDA   #$BF
B716-   8D F3 03    STA   $03F3
B719-   49 A5       EOR   #$A5
B71B-   8D F4 03    STA   $03F4

; clear hi-res screen
B71E-   A9 00       LDA   #$00
B720-   85 00       STA   $00
B722-   A9 20       LDA   #$20
B724-   85 01       STA   $01
B726-   AA          TAX
B727-   A0 00       LDY   #$00
B729-   98          TYA
B72A-   91 00       STA   ($00),Y
B72C-   C8          INY
B72D-   D0 FB       BNE   $B72A
B72F-   E6 01       INC   $01
B731-   CA          DEX
B732-   D0 F6       BNE   $B72A

; set up standard RWTS parameter table
; except everything is shifted

; start address = $0C00
B734-   8D ED B7    STA   $B7ED
B737-   A9 0C       LDA   #$0C
B739-   8D EE B7    STA   $B7EE

; start track/sector = T01,S0F
B73C-   A9 01       LDA   #$01
B73E-   8D E9 B7    STA   $B7E9
B741-   A9 0F       LDA   #$0F
B743-   8D EA B7    STA   $B7EA

; call RWTS
B746-   A9 B7       LDA   #$B7
B748-   A0 E5       LDY   #$E5
B74A-   20 00 BD    JSR   $BD00

; any error is fatal (no retries)
B74D-   B0 35       BCS   $B784

; multi-sector read loop into
; consecutive memory
B74F-   AC EA B7    LDY   $B7EA
B752-   88          DEY
B753-   10 05       BPL   $B75A
B755-   A0 0F       LDY   #$0F
B757-   EE E9 B7    INC   $B7E9
B75A-   8C EA B7    STY   $B7EA
B75D-   EE EE B7    INC   $B7EE

; up to $8C00, so 8 full tracks
B760-   AD EE B7    LDA   $B7EE
B763-   C9 8C       CMP   #$8C
B765-   D0 DF       BNE   $B746
B767-   A9 00       LDA   #$00
B769-   8D F1 B7    STA   $B7F1
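
The load map this loop produces, as an
added Python model (not code from the
disk or from the original write-up).
It walks the RWTS parameter table the
way $B746-$B765 do: sector down, wrap
to $0F and bump the track, destination
page up, stop when the page reaches
$8C. The start values ($01, $0F, $0C)
and the end page ($8C) are the ones in
the listing above.

```python
# Added example: a model of the multi-sector read loop at $B746-$B765,
# not code from the disk. It reproduces the parameter-table updates and
# returns the resulting (track, sector, destination page) sequence.

START_TRACK = 0x01     # $B73C: LDA #$01 / STA $B7E9
START_SECTOR = 0x0F    # $B741: LDA #$0F / STA $B7EA
START_PAGE = 0x0C      # $B737: LDA #$0C / STA $B7EE
END_PAGE = 0x8C        # $B763: CMP #$8C


def load_map(start_track=START_TRACK, start_sector=START_SECTOR,
             start_page=START_PAGE, end_page=END_PAGE):
    """Return [(track, sector, page), ...] in the order the loop reads them."""
    track, sector, page = start_track, start_sector, start_page
    reads = []
    while True:
        reads.append((track, sector, page))    # JSR $BD00 at $B74A
        sector -= 1                            # LDY $B7EA / DEY
        if sector < 0:                         # BPL $B75A not taken
            sector = 0x0F                      # LDY #$0F
            track += 1                         # INC $B7E9
        page += 1                              # INC $B7EE
        if page == end_page:                   # CMP #$8C / BNE $B746
            return reads


def tracks_touched(reads):
    """Distinct tracks the loop reads, in the order first seen."""
    seen = []
    for track, _, _ in reads:
        if track not in seen:
            seen.append(track)
    return seen


if __name__ == "__main__":
    reads = load_map()
    for track, sector, page in reads[:3] + reads[-1:]:
        print(f"T{track:02X},S{sector:02X} -> ${page:02X}00")
    print(len(reads), "sectors over tracks", tracks_touched(reads))
```

The result is 128 sectors, tracks $01
through $08 landing at $0C00-$8BFF,
with track $00 left to the boot code.
That lines up with the nibble editor's
finding that only T00-T08 carry
sectors.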

; hmm
B76C-   AD FF B7    LDA   $B7FF
B76F-   8D E9 B7    STA   $B7E9



B7FF- 19

OK, so we're seeking to track $19. Why?

B772-   A0 E5       LDY   #$E5
B774-   A9 B7       LDA   #$B7
B776-   20 00 BD    JSR   $BD00

; ah, here's why: a nibble check
B779-   AE E6 B7    LDX   $B7E6

; turn on drive motor manually
B77C-   BD 89 C0    LDA   $C089,X

; this seems important
B77F-   20 A1 B7    JSR   $B7A1

; carry clear = success, branch over
; the line that reboots the machine
B782-   90 03       BCC   $B787

; carry set = reboot the machine (we
; also ended up here if there were disk
; read errors earlier, from $B74D)
B784-   6C FC FF    JMP   ($FFFC)

; success path here -- set the reset
; vector to something else
B787-   A9 0C       LDA   #$0C
B789-   8D F3 03    STA   $03F3
B78C-   49 A5       EOR   #$A5
B78E-   8D F4 03    STA   $03F4
B791-   A9 00       LDA   #$00
B793-   8D F2 03    STA   $03F2
B796-   AE E6 B7    LDX   $B7E6

; turn off the drive motor
B799-   BD 88 C0    LDA   $C088,X

; start the game
B79C-   4C 00 0C    JMP   $0C00

OK, the routine at $B7A1 is definitely
the copy protection. I already know
that it should clear the carry bit on
success and set it on failure (a common
convention).

B79F-   38          SEC
B7A0-   60          RTS

; entry point is here --
; set up the Death Counter
B7A1-   A0 50       LDY   #$50
B7A3-   84 04       STY   $04
B7A5-   88          DEY
B7A6-   D0 04       BNE   $B7AC
B7A8-   C6 04       DEC   $04

; if Death Counter hits 0, branch back
; to set the carry and exit (this will
; end up rebooting, at $B784)
B7AA-   F0 F3       BEQ   $B79F

; look for standard epilogue "DE AA EB"
B7AC-   BD 8C C0    LDA   $C08C,X
B7AF-   10 FB       BPL   $B7AC
B7B1-   C9 DE       CMP   #$DE

; if not found, loop back and decrement
; the Death Counter
B7B3-   D0 F0       BNE   $B7A5
B7B5-   BD 8C C0    LDA   $C08C,X
B7B8-   10 FB       BPL   $B7B5
B7BA-   C9 AA       CMP   #$AA
B7BC-   D0 F3       BNE   $B7B1
B7BE-   EA          NOP
B7BF-   BD 8C C0    LDA   $C08C,X
B7C2-   10 FB       BPL   $B7BF
B7C4-   C9 EB       CMP   #$EB
B7C6-   D0 E9       BNE   $B7B1

; now look for a specific sequence of
; nibbles, "FC FC D5"
B7C8-   BD 8C C0    LDA   $C08C,X
B7CB-   10 FB       BPL   $B7C8
B7CD-   C9 FC       CMP   #$FC
B7CF-   D0 E0       BNE   $B7B1
B7D1-   BD 8C C0    LDA   $C08C,X
B7D4-   10 FB       BPL   $B7D1
B7D6-   C9 FC       CMP   #$FC
B7D8-   D0 D7       BNE   $B7B1
B7DA-   BD 8C C0    LDA   $C08C,X
B7DD-   10 FB       BPL   $B7DA
B7DF-   C9 D5       CMP   #$D5
B7E1-   D0 CE       BNE   $B7B1

; success path falls through to here --
; clear carry and exit
B7E3-   18          CLC
B7E4-   60          RTS

This explains why my EDD bit copy was
successful. It's looking for a nibble
sequence, but it doesn't care about
timing bits or desynchronized nibbles
or anything fancy. It just looks for
a specific nibble sequence on track $19
and fails if it can't find it. EDD
copied that sequence just fine, but
of course my demuffin'd copy doesn't
have anything like that on track $19.
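
The routine at $B7A1, as an added
Python model (not code from the disk
or from the original write-up), run
over three constructed nibble streams:
one carrying "DE AA EB FC FC D5" the
way the original track $19 does, one
laid out like a stock 16-sector track
where every DE AA EB is followed by
sync nibbles, and one of nothing but
sync nibbles. The model keeps the
Death Counter logic as disassembled
above: Y and $04 both start at $50,
only a miss at the first DE compare
costs a count, and a later miss sends
the offending nibble back to the DE
compare at $B7B1 without paying. So it
also shows how many nibbles the check
reads before it gives up. Track length
and the position of the sequence are
constructed values.

```python
# Added example: a model of the nibble check at $B7A1-$B7E4, not code
# from the disk. The streams are constructed; a real track is a loop
# of a few thousand nibbles, so the stream wraps around.

TARGET = (0xDE, 0xAA, 0xEB, 0xFC, 0xFC, 0xD5)


def nibble_check(track, initial=0x50):
    """Return (carry_clear, nibbles_read).

    carry_clear True mirrors CLC/RTS at $B7E3 (sequence found);
    False mirrors SEC/RTS at $B79F (Death Counter expired).
    """
    y = initial           # LDY #$50
    counter = initial     # STY $04
    pos = 0
    length = len(track)

    def read():           # LDA $C08C,X / BPL loop, one nibble per call
        nonlocal pos
        nibble = track[pos % length]
        pos += 1
        return nibble

    while True:
        # $B7A5: DEY / BNE $B7AC / DEC $04 / BEQ $B79F
        y = (y - 1) & 0xFF
        if y == 0:
            counter = (counter - 1) & 0xFF
            if counter == 0:
                return False, pos
        nibble = read()                         # $B7AC
        # $B7B1: compare against $DE. A miss later in the sequence
        # comes back here with the same nibble and no counter cost.
        while nibble == TARGET[0]:
            for expected in TARGET[1:]:
                nibble = read()
                if nibble != expected:
                    break
            else:
                return True, pos                # $B7E3: CLC / RTS
        # fell through: nibble is not $DE, back to $B7A5


def dos33_like_track(sectors=16, gap=20):
    """Constructed stand-in for a stock sector track: address and data
    fields each end in DE AA EB followed by sync, never FC FC D5."""
    stream = []
    for _ in range(sectors):
        stream += [0xFF] * gap + [0xD5, 0xAA, 0x96] + [0xAA] * 8
        stream += [0xDE, 0xAA, 0xEB]
        stream += [0xFF] * 6 + [0xD5, 0xAA, 0xAD] + [0x96] * 343
        stream += [0xDE, 0xAA, 0xEB]
    return stream


def protected_track(filler=0xFF, offset=4000, length=6500):
    """Constructed stand-in for the original track $19: the six-nibble
    sequence once, filler everywhere else."""
    stream = [filler] * offset + list(TARGET)
    stream += [filler] * (length - len(stream))
    return stream


if __name__ == "__main__":
    for name, track in (("original", protected_track()),
                        ("demuffin'd", dos33_like_track()),
                        ("unformatted", [0xFF] * 6500)):
        ok, n = nibble_check(track)
        print(f"{name:12s} {'CLC' if ok else 'SEC'} after {n} nibbles")
```

Only the first stream clears the carry.
The other two run the Death Counter
down and read 20303 nibbles before the
routine sets the carry, roughly three
revolutions of a real disk, which is
why the failure at the title screen
showed up as a pause and then a reboot
rather than an immediate one.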

After the multi-sector read loop, I can
unconditionally jump to the success
path at $B787, bypassing the track seek
and the nibble check altogether.

T00,S01,$67 change "A9 00" to "F0 18"

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 408
------------------EOF------------------