
----------------Paperboy---------------
A 4am crack                  2014-05-15
---------------------------------------

Paperboy is a 1988 arcade game
distributed by Mindscape, Inc.

COPYA fails immediately with a disk
read error. EDD 4 bit copy appears to
work, but the copy does not boot. It
loads ProDOS and displays a graphical
Mindscape logo, but then glitches out
and fills the screen with garbage and
crashes.

Turning to my trusty Copy ][+ sector
editor, I find the "DOS 3.3 PATCHED"
option (press "P" to go to the Sector
Editor Patcher) allows me to read every
sector on every track. The name of this
option is a misnomer; it works on
copy protected ProDOS disks like this
one, not just DOS 3.3 disks. What it
really means is "16-sector" (as opposed
to DOS 3.2, which was a 13-sector-per-
track format).

Based on my experience cracking other
disks, I would guess that this disk has

- Standard prologue bytes before the
  address and data fields [otherwise
  Copy ][+ sector editor would give
  read errors, even with the "DOS 3.3
  PATCHED" option]
- Non-standard epilogue bytes after the
  address and data fields [otherwise
  COPYA would work]
- Some secondary protection [otherwise
  the bit copy created with EDD 4 would
  work]

The easiest way to convert the disk to
standard epilogue bytes is to use COPYA
with a patched RWTS that accepts any
epilogue bytes on read but includes
standard epilogue bytes on write.

[S6D1=DOS 3.3 master disk]

]PR#6
...
]CALL -151
*B942:18
*3D0G
]RUN COPYA

[S6D1=original disk]
[S6D2=blank disk]

...read read read...
...grind grind grind...
...write write write...

OK, now I have a copy in standard disk
format that can be read by any tool,
i.e. I can copy the disk in drive 2
with COPYA without patching the RWTS
beforehand. I can sector edit the disk
without messing with the Sector Editor
Patcher.

There are two problems with this copy:

1. Depending on how the original disk
   was written, this copy may or may
   not be able to read itself. I may
   need to patch the disk's RWTS to
   deal with the fact that the disk is
   now in a standard format.

2. Even if it can read itself, it won't
   run, because it still has some sort
   of secondary protection checking if
   the disk is original. It's not,
   obviously. That's kind of the point.

Just by booting the copy, I can rule
out problem #1. The disk seems to read
itself just fine. It makes it exactly
as far as my unsuccessful bit copy:
ProDOS --> logo --> glitch --> crash.

On the bright side, now that it's in a
standard format, I can boot another
ProDOS disk with BASIC.SYSTEM and poke
around.

[S6D1=ProDOS disk]
[S6D2=my non-working copy]

]PR#6
...
            PRODOS BASIC 1.5
        COPYRIGHT APPLE  1983-92

]CAT,S6,D2

/P

 NAME           TYPE  BLOCKS  MODIFIED

 PRODOS          SYS      32  17-APR-87
 LOGO            BIN      17  17-FEB-88
 PBTITLE.PIC     BIN      21  25-MAR-88
 PBD.BIN         BIN      25  25-MAR-88
 PBCH2.BIN       BIN       8   2-MAR-88
 PBMAP.BIN       BIN      46   2-MAR-88
 PBC.BIN         BIN       9  25-MAR-88
 PBLOAD.SYSTEM   SYS       3  28-MAR-88
 PB.TSK          BIN      30  28-MAR-88
 PBSYS.TSK       BIN      17  25-MAR-88
 PBM.TSK         BIN      15  25-MAR-88
*,,,,,,    $AC   44032  <NO DATE>

BLOCKS FREE:   50     BLOCKS USED:  230

First of all, I have no idea what that
last "file" is. It's possible that the
disk catalog has been intentionally
corrupted, or my original disk was bad.
(Unlikely; the game itself plays fine.
But after 25 years, anything is
possible.)

ProDOS loads the first .SYSTEM file --
in this case, the only .SYSTEM file --
at address $2000 and runs it.

]BLOAD PBLOAD.SYSTEM,A$2000,TSYS,S6,D2
]CALL -151
*2000L

; reset vector
2000-   A2 2D       LDX   #$2D
2002-   8E F3 03    STX   $03F3

; It turns out that $2117 is a wrapper
; around ProDOS file reads -- this call
; loads the graphical Mindscape logo.
; This call is harmless (as far as copy
; protection goes); it works just fine
; on my not-yet-working copy.
2005-   A0 23       LDY   #$23
2007-   20 17 21    JSR   $2117
200A-   8D 00 C0    STA   $C000

; and display the logo
200D-   AD 55 C0    LDA   $C055
2010-   AD 52 C0    LDA   $C052
2013-   AD 57 C0    LDA   $C057
2016-   AD 50 C0    LDA   $C050

; load more files
2019-   A2 57       LDX   #$57
201B-   A0 23       LDY   #$23
201D-   20 17 21    JSR   $2117

; Copy data from main memory to aux
; memory, using the built-in routine at
; $C311. See Apple II Technical Note #3
; "Double High-Resolution Graphics"
; pp. 15-16, "Using AUXMOVE."
; Anyway, this is harmless.
2020-   A9 00       LDA   #$00
2022-   85 3C       STA   $3C
2024-   85 42       STA   $42
2026-   A9 60       LDA   #$60
2028-   85 3D       STA   $3D
202A-   A9 A4       LDA   #$A4
202C-   85 43       STA   $43
202E-   A9 FF       LDA   #$FF
2030-   85 3E       STA   $3E
2032-   A9 7B       LDA   #$7B
2034-   85 3F       STA   $3F
2036-   38          SEC
2037-   20 11 C3    JSR   $C311

; don't know what this is yet
203A-   20 AA 21    JSR   $21AA

*21AAL

; save zero page state
21AA-   A2 F0       LDX   #$F0
21AC-   B5 00       LDA   $00,X
21AE-   9D AA 20    STA   $20AA,X
21B1-   E8          INX
21B2-   D0 F8       BNE   $21AC

; this does a disk read through ProDOS,
; presumably to position the drive head
; for an upcoming nibble check
21B4-   20 75 21    JSR   $2175
21B7-   A9 0A       LDA   #$0A
21B9-   85 F4       STA   $F4

; turning on the drive motor manually
; is a sure sign of something shady
; (and by "shady" I mean "copy-
; protection-related")
21BB-   A6 2B       LDX   $2B
21BD-   BD 89 C0    LDA   $C089,X
21C0-   BD 8E C0    LDA   $C08E,X
21C3-   A9 50       LDA   #$50
21C5-   85 F6       STA   $F6
21C7-   A9 22       LDA   #$22
21C9-   85 F7       STA   $F7
21CB-   A9 80       LDA   #$80
21CD-   85 F5       STA   $F5
21CF-   C6 F5       DEC   $F5
21D1-   F0 5C       BEQ   $222F
21D3-   20 5A 22    JSR   $225A

*225AL

; this subroutine finds the address
; prologue sequence ("D5 AA 96") and
; skips over the actual address field
; (8 bytes)
225A-   A0 FD       LDY   #$FD
225C-   84 F8       STY   $F8
225E-   C8          INY
225F-   D0 04       BNE   $2265
2261-   E6 F8       INC   $F8
2263-   F0 3D       BEQ   $22A2
2265-   BD 8C C0    LDA   $C08C,X
2268-   10 FB       BPL   $2265
226A-   C9 D5       CMP   #$D5
226C-   D0 F0       BNE   $225E
226E-   EA          NOP
226F-   BD 8C C0    LDA   $C08C,X
2272-   10 FB       BPL   $226F
2274-   C9 AA       CMP   #$AA
2276-   D0 F2       BNE   $226A
2278-   A0 03       LDY   #$03
227A-   BD 8C C0    LDA   $C08C,X
227D-   10 FB       BPL   $227A
227F-   C9 96       CMP   #$96
2281-   D0 E7       BNE   $226A
2283-   A9 00       LDA   #$00
2285-   85 F9       STA   $F9
2287-   BD 8C C0    LDA   $C08C,X
228A-   10 FB       BPL   $2287
228C-   2A          ROL
228D-   85 F8       STA   $F8
228F-   BD 8C C0    LDA   $C08C,X
2292-   10 FB       BPL   $228F
2294-   25 F8       AND   $F8
2296-   99 F0 00    STA   $00F0,Y
2299-   45 F9       EOR   $F9
229B-   88          DEY
229C-   10 E7       BPL   $2285
229E-   A8          TAY
229F-   EA          NOP
22A0-   18          CLC
22A1-   60          RTS
22A2-   38          SEC
22A3-   60          RTS

Popping the stack back to $21D6...

*21D6L

; address prologue not found? fail
21D6-   B0 57       BCS   $222F
21D8-   A5 F1       LDA   $F1
21DA-   C9 07       CMP   #$07
21DC-   D0 F1       BNE   $21CF

; actual nibble check starts here
21DE-   A0 00       LDY   #$00
21E0-   BD 8C C0    LDA   $C08C,X
21E3-   10 FB       BPL   $21E0
21E5-   88          DEY

; didn't find nibble? fail
21E6-   F0 47       BEQ   $222F
21E8-   C9 D5       CMP   #$D5
21EA-   D0 F4       BNE   $21E0
21EC-   A0 00       LDY   #$00
21EE-   BD 8C C0    LDA   $C08C,X
21F1-   10 FB       BPL   $21EE
21F3-   88          DEY

; didn't find nibble? fail
21F4-   F0 39       BEQ   $222F
21F6-   C9 E7       CMP   #$E7
21F8-   D0 F4       BNE   $21EE
21FA-   BD 8C C0    LDA   $C08C,X
21FD-   10 FB       BPL   $21FA
21FF-   C9 E7       CMP   #$E7

; didn't find the right nibbles in the
; right order? fail
2201-   D0 2C       BNE   $222F
2203-   BD 8C C0    LDA   $C08C,X
2206-   10 FB       BPL   $2203
2208-   C9 E7       CMP   #$E7

; (Actually, it's even worse than that,
; because the original disk is written
; with timing bits in specific non-
; standard places between the nibbles.
; This code not only requires the right
; nibbles in the right order, it reads
; them just slightly faster than it's
; supposed to. So the timing bits need
; to be in the right places too, or the
; disk will get out of sync and read
; the wrong nibble values. This will
; trip up even the best bit copiers.
; And you can forget about making a
; disk image for emulators -- those
; don't store timing bits at all.)
220A-   D0 23       BNE   $222F
220C-   BD 8D C0    LDA   $C08D,X
220F-   A0 10       LDY   #$10
2211-   24 06       BIT   $06
2213-   BD 8C C0    LDA   $C08C,X
2216-   10 FB       BPL   $2213
2218-   88          DEY
2219-   F0 14       BEQ   $222F
221B-   C9 EE       CMP   #$EE
221D-   D0 F4       BNE   $2213
221F-   A0 07       LDY   #$07
2221-   BD 8C C0    LDA   $C08C,X
2224-   10 FB       BPL   $2221
2226-   D1 F6       CMP   ($F6),Y
2228-   D0 05       BNE   $222F
222A-   88          DEY
222B-   10 F4       BPL   $2221
222D-   30 03       BMI   $2232
222F-   4C 47 22    JMP   $2247

; success path lands here --
; restore zero page
2232-   A0 F0       LDY   #$F0
2234-   B9 AA 20    LDA   $20AA,Y
2237-   99 00 00    STA   $0000,Y
223A-   C8          INY
223B-   D0 F7       BNE   $2234

; turn off drive motor
223D-   BD 88 C0    LDA   $C088,X

; don't know what this does but maybe
; it prevents the game from glitching
; and hanging?
2240-   A9 60       LDA   #$60
2242-   8D 50 23    STA   $2350

; clear carry flag and exit
2245-   18          CLC
2246-   60          RTS

; failure lands here -- set carry flag
; and exit
2247-   C6 F4       DEC   $F4
2249-   F0 03       BEQ   $224E
224B-   4C CB 21    JMP   $21CB
224E-   38          SEC
224F-   60          RTS
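
The check above, modelled in Python as
an added example (not part of the
original write-up). It runs on a
constructed list of nibbles; TABLE, the
sample streams and all function names
are assumptions.

```python
# Added illustration, not 4am's code: nibble-level model of $21CB-$222D.
# Input is already-framed nibbles, so timing bits are NOT modelled;
# `table` stands in for the 8 bytes at ($F6) = $2250.

def decode_44(a, b):
    return ((a << 1) | 1) & b & 0xFF  # $228C-$2294: ROL first, AND second

def seek(it, target, limit):
    for _ in range(limit):            # the LDA/DEY/BEQ/CMP search loops
        if next(it) == target:
            return True
    return False

def nibble_check(nibbles, table):
    it = iter(nibbles)
    try:
        for _ in range(0x7F):         # $21CB-$21DC: find sector $07
            window = [0, 0, 0]
            while window != [0xD5, 0xAA, 0x96]:
                window = window[1:] + [next(it)]
            vol, trk, sec, chk = [decode_44(next(it), next(it)) for _ in range(4)]
            if sec == 0x07:
                break
        else:
            return False
        if not (seek(it, 0xD5, 255) and seek(it, 0xE7, 255)):  # $21DE-$21F8
            return False
        if next(it) != 0xE7 or next(it) != 0xE7:               # $21FA-$220A
            return False
        if not seek(it, 0xEE, 15):                             # $220F-$221D
            return False
        for y in range(7, -1, -1):                             # $221F-$222B
            if next(it) != table[y]:
                return False
        return True
    except StopIteration:
        return False                  # ran off the constructed stream

def address_field(sector, track=0x00, volume=0xFE):
    body = [volume, track, sector, volume ^ track ^ sector]
    enc = [n for v in body for n in ((v >> 1) | 0xAA, v | 0xAA)]
    return [0xD5, 0xAA, 0x96] + enc + [0xDE, 0xAA, 0xEB]

# Constructed samples; the real bytes at $2250 are not in the write-up.
TABLE = [0x96, 0x97, 0x9A, 0x9B, 0x9D, 0x9E, 0x9F, 0xA6]
GAP = [0xFF] * 5
ORIGINAL_LIKE = (address_field(3) + GAP + address_field(7) + GAP +
                 [0xD5, 0xE7, 0xE7, 0xE7, 0xFC, 0xFC, 0xEE] + TABLE[::-1])
STANDARD_COPY = address_field(7) + GAP + [0xD5, 0xAA, 0xAD] + [0x96] * 342
```

ORIGINAL_LIKE passes. STANDARD_COPY
fails at the E7 search, because an
ordinary data field follows the address
field of sector $07.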

OK, a couple of side effects here.
Rather than trying to reproduce all of
them or worrying which ones are
relevant, the safest course of action
would be to change the caller at $203A
from JSR $21AA (call nibble check) to
JSR $2240 (call the success path).

I'm afraid to BSAVE this file, given
the corruption I saw in the disk
catalog earlier. (Maybe that was the
point? Who knows.) But using my trusty
Copy ][+ sector editor, I searched for
the hex sequence "20 AA 21" and found
it on track 14, sector 05.

T14,S05,$3B change "AA 21" to "40 22"

Tada! The game boots and runs without
complaint.

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 34
------------------EOF------------------