💾 Archived View for mirrors.apple2.org.za › active › 4am › images › games › strategy › Ogre%20(4am%2… captured on 2024-07-09 at 00:35:27.
View Raw
More Information
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
------------------Ogre-----------------
A 4am crack 2015-08-02
---------------------------------------
Name: Ogre
Genre: strategy
Year: 1986
Author: Steve Meuse
Publisher: Origin Systems
Media: single-sided 5.25-inch floppy
OS: ProDOS 1.1.1
Previous cracks: The Talisman / First
Class
Identical cracks:
Letters for You (crack no. 364)
Opposites Attract (crack no. 190)
This Land Is Your Land (no. 251)
~
Chapter 0
In Which Various Automated Tools Fail
In Interesting Ways
COPYA
immediate disk read error
Locksmith Fast Disk Backup
can't read any track
EDD 4 bit copy (no sync, no count)
no errors, but copy only boots as far
as ProDOS title screen, then gives
"RELOCATION / CONFIGURATION ERROR"
Copy ][+ nibble editor
modified address epilogue "AF AB AB"
odd-numbered tracks (1, 3, 5...) also
have a modified address prologue
("D4 AA 96")
Disk Fixer
["O" -> "Input/Output Control"]
set Address Epilogue to "AF AB AB"
-> even-numbered tracks readable
set Address Prologue to "D4 AA 96"
-> odd-numbered tracks also readable
T00 -> looks like ProDOS
Why didn't COPYA work?
modified prologue/epilogue bytes
Why didn't Locksmith FDB work?
modified prologue/epilogue bytes
Why didn't my EDD copy work?
I don't know. The error is a standard
ProDOS message, but it could easily
have been triggered manually after a
failed nibble check.
Converting the disk to a standard
format will be tricky. Super Demuffin
assumes all tracks share the same
prologue and epilogue bytes, but this
disk's address prologue alternates
between "D5 AA 96" and "D4 AA 96".
Advanced Demuffin requires a DOS 3.3-
shaped RWTS, but this disk uses ProDOS.
Next steps:
1. Build an RWTS that can read the
original disk
2. Convert it to a standard format
with Advanced Demuffin
3. Patch the bootloader and/or the
PRODOS file to be able to read
a standard format disk
4. Find the nibble check (or whatever
is triggering the relocation error
on the EDD copy) and bypass it
~
Chapter 1
Bit Math Is Best Math
[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]
]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
]BLOAD BOOT0,A$800
]CALL -151
.
. standard ProDOS bootloader, until...
.
0831- 85 40 STA $40
0833- 85 48 STA $48
0835- A0 63 LDY #$63
0837- B1 48 LDA ($48),Y
0839- 99 94 09 STA $0994,Y
083C- C8 INY
083D- C0 EB CPY #$EB
083F- D0 F6 BNE $0837
0841- A2 06 LDX #$06
0843- BC 1D 09 LDY $091D,X
0846- BD 24 09 LDA $0924,X
0849- 99 F2 09 STA $09F2,Y
084C- BD 2B 09 LDA $092B,X
084F- 20 48 09 JSR $0948 <- !
0852- CA DEX
0853- 10 EE BPL $0843
Standard ProDOS does have this memory
copy loop at $0841..$0854, but it does
not have any JSR in it. Normally, the
instruction at $084F is "STA $0A7F,X",
and $0948 is part of the routine that
displays the "UNABLE TO LOAD PRODOS"
message if something goes wrong during
early boot.
; ProDOS boot0 is sensitive to the
; value of the accumulator, so don't
; clobber it
96F8- 48 PHA
; set up callback after copy loop
96F9- A9 4C LDA #$4C
96FB- 8D 55 08 STA $0855
96FE- A9 0C LDA #$0C
9700- 8D 56 08 STA $0856
9703- A9 97 LDA #$97
9705- 8D 57 08 STA $0857
; restore accumulator
9708- 68 PLA
; start the boot
9709- 4C 01 08 JMP $0801
; callback is here -- save the entire
; bootloader to the hi-res graphics
; page so it will survive a reboot
970C- A2 03 LDX #$03
970E- A0 00 LDY #$00
9710- B9 00 08 LDA $0800,Y
9713- 99 00 28 STA $2800,Y
9716- C8 INY
9717- D0 F7 BNE $9710
9719- EE 12 97 INC $9712
971C- EE 15 97 INC $9715
971F- CA DEX
9720- D0 EE BNE $9710
; turn off the slot 6 drive motor
9722- AD E8 C0 LDA $C0E8
; reboot to my work disk
9725- 4C 00 C5 JMP $C500
- BSAVE TRACE,A$9600,L$128
- 9600G
...reboots slot 6...
...reboots slot 5...
]BSAVE BOOT1 0800-0AFF,A$2800,L$300
]BLOAD BOOT1 0800-0AFF,A$800
]CALL -151
; this is the start of the routine that
; normally displays the "UNABLE TO LOAD
; PRODOS" message, but it's been
; shortened to just call $FF2D (beeps
; and prints "ERR") instead
093F- 20 58 FC JSR $FC58
0942- 20 2D FF JSR $FF2D
0945- 4C 45 09 JMP $0945
; this is the subroutine called from
; the copy loop at $084F, and the first
; instruction here is the one that was
; clobbered by the call to this
; subroutine
0948- 9D 7F 0A STA $0A7F,X
094B- BD 5C 09 LDA $095C,X
094E- 9D F7 09 STA $09F7,X
0951- BD 63 09 LDA $0963,X
0954- 9D FE 09 STA $09FE,X
0957- A9 AA LDA #$AA
0959- 85 31 STA $31
095B- 60 RTS
ProDOS normally boots by copying part
of the drive controller ROM routine (at
$C65C or wherever, depending on the
boot slot) into RAM and massaging it to
create a working RWTS. This is how it
can fit an entire bootloader in three
pages -- the hard part of reading the
disk is already taken care of.
But on this disk, there is some extra
massaging. For example, this snippet
gets dropped into the middle of the
RWTS code:
095C- 4A LSR
095D- C9 6A CMP #$6A
095F- D0 F3 BNE $0954
And this one:
0961- BD 8C C0 LDA $C08C,X
0964- 10 FB BPL $0961
0966- C9 AA CMP #$AA
0968- D0 EA BNE $0954
The upshot is that the final RWTS is
different than the drive controller ROM
routine. After all the memory massaging
is complete, this is the part of the
constructed RWTS that checks for the
address and data prologue:
09EF- 88 DEY
09F0- F0 F5 BEQ $09E7
; prologue nibble #1
09F2- BD 8C C0 LDA $C08C,X
09F5- 10 FB BPL $09F2
09F7- 4A LSR |dif
09F8- C9 6A CMP #$6A |fer
09FA- D0 F3 BNE $09EF |ent
; #2
09FC- BD 8C C0 LDA $C08C,X
09FF- 10 FB BPL $09FC
0A01- C9 AA CMP #$AA
0A03- D0 EA BNE $09EF
; #3
0A05- BD 8C C0 LDA $C08C,X
0A08- 10 FB BPL $0A05
0A0A- C9 96 CMP #$96
0A0C- F0 09 BEQ $0A17
The code to find prologue nibble #1
explains how this disk can read its
odd-numbered tracks (with non-standard
address prologue "D4 AA 96").
Normal address prologue byte 1 is $D5.
In binary: $D5 = 1101 0101
After LSR: 0110 1010 = $6A
Odd-numbered tracks use $D4 instead.
In binary: $D4 = 1101 0100
After LSR: 0110 1010 = $6A
So this code will match either prologue
and work on both odd and even tracks.
Clever!
Now let's trace further to capture the
entire PRODOS file. The bootloader uses
its funky RWTS to find and load the
PRODOS file at $2000, then jumps there
at $08FC:
08FC- 4C 00 20 JMP $2000
After that, the bootloader's RWTS is
never used again. The PRODOS file has
a full RWTS to read (and write) the
rest of the disk.
96F8- 48 PHA
96F9- A9 07 LDA #$07
96FB- 8D FD 08 STA $08FD
96FE- A9 97 LDA #$97
9700- 8D FE 08 STA $08FE
9703- 68 PLA
9704- 4C 01 08 JMP $0801
9707- AD E8 C0 LDA $C0E8
970A- 4C 00 C5 JMP $C500
- BSAVE TRACE.PRODOS,A$9600,L$10D
The only thing I don't know exactly is
how big the PRODOS file is. Different
versions are different sizes, and of
course many protected disks add their
own special code. So I'm going to clear
main memory with a special pattern so I
can see which pages are overwritten
after PRODOS is loaded.
- 800:FD N 801<800.BEFEM
- BRUN TRACE.PRODOS
...reboots slot 6...
...reboots slot 5...
]CALL -151
[perusing memory, starting at $2000]
It looks like $5A00 is the first page
that still has repeated $FD bytes.
=3A
- BSAVE BOOT1.PRODOS,A$2000,L$3A00
Scanning through memory again, I found
the RWTS code at $5398.
; ProDOS only uses the bootloader RWTS
; to load the PRODOS file, which then
; has its own fuller, more robust RWTS.
; This code, which is later relocated
; to $D398 in the language card, checks
; the address prologue.
5398- A0 FC LDY #$FC
539A- 8C 6B D3 STY $D36B
539D- C8 INY
539E- D0 05 BNE $53A5
53A0- EE 6B D3 INC $D36B
53A3- F0 56 BEQ $53FB
; find prologue byte #1
; (matches $D4 or $D5)
53A5- BD 8C C0 LDA $C08C,X
53A8- 10 FB BPL $53A5
53AA- 4A LSR
53AB- C9 6A CMP #$6A
53AD- D0 EE BNE $539D
; #2
; (zero page $31 was initialized during
; boot to $AA)
53AF- BD 8C C0 LDA $C08C,X
53B2- 10 FB BPL $53AF
53B4- C5 31 CMP $31
53B6- D0 F2 BNE $53AA
53B8- A0 03 LDY #$03
; #3
53BA- BD 8C C0 LDA $C08C,X
53BD- 10 FB BPL $53BA
53BF- C9 96 CMP #$96
53C1- D0 E7 BNE $53AA
No surprises here. This is the same
logic as the bootloader's mini-RWTS.
But look at the address epilogue check,
a few lines further down:
; find epilogue byte #1
53E6- BD 8C C0 LDA $C08C,X
53E9- 10 FB BPL $53E6
53EB- C9 DE CMP #$DE
; if found $DE, immediately exit with
; a "success" status (clear carry bit)
53ED- F0 0A BEQ $53F9
; if not $DE, do... this thing
53EF- 48 PHA
53F0- 68 PLA
53F1- BD 8C C0 LDA $C08C,X
; Note: no BPL loop here! It only reads
; the data latch once.
53F4- C9 08 CMP #$08
53F6- B0 03 BCS $53FB
53F8- EA NOP
53F9- 18 CLC
53FA- 60 RTS
53FB- 38 SEC
53FC- 60 RTS
It's looking for a timing bit after the
first epilogue byte. It doesn't even
care what the first epilogue byte was,
as long as it wasn't $DE.
This RWTS will accept two different
address prologues, "D5 AA 96" or "D4 AA
96". It will also accept two different
address epilogues, "DE" or anything-
other-than-DE-followed-by-a-timing-bit.
My initial investigation with Copy ][+
was incomplete. The address epilogue
bytes are not actually relevant. The
only thing that matters is that the
first byte is followed by a timing bit.
(Looking back at the nibble editor, I
can see that Copy ][+ displayed half of
the byte in inverse, meaning that it is
followed by a timing bit. But I didn't
realize its significance.)
With this information, I can build a
flexible DOS 3.3-shaped RWTS that can
read this disk, complete with its even-
and odd-numbered tracks and its custom
address epilogue check.
~
Chapter 2
In Which We Use The Original Disk
As A Weapon Against Itself
And It Is Gloriously Effective
]PR#5
[press "Esc" during boot so Diversi-DOS
stays in main memory and doesn't
relocate to the language card]
...
]CALL -151
OK, I have a copy of a standard DOS 3.3
shaped RWTS.
- BLOAD BOOT1.PRODOS,A$2000
; copy address prologue byte checker #1
; from ProDOS
; fix one branch (EE -> EF)
1944- A0 FC LDY #$FC
1946- 84 26 STY $26
1948- C8 INY
1949- D0 04 BNE $194F
194B- E6 26 INC $26
194D- F0 F3 BEQ $1942
194F- BD 8C C0 LDA $C08C,X
1952- 10 FB BPL $194F
1954- 4A LSR
1955- C9 6A CMP #$6A
1957- D0 EF BNE $1948
; copy address epilogue byte checker
; fix one branch (03 -> 02)
198B- BD 8C C0 LDA $C08C,X
198E- 10 FB BPL $198B
1990- C9 DE CMP #$DE
1992- F0 0A BEQ $199E
1994- 48 PHA
1995- 68 PLA
1996- BD 8C C0 LDA $C08C,X
1999- C9 08 CMP #$08
199B- B0 02 BCS $199F
199D- EA NOP
199E- 18 CLC
199F- 60 RTS
Now I have a DOS 3.3-shaped RWTS that
can read this disk.
- BSAVE RWTS LIKE PRODOS,A$1800,L$800
[S6,D1=original disk]
[S6,D2=blank disk]
- BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS LIKE PRODOS"
from drive 1
["6" to switch to slot 6]
["C" to convert disk]
--v--
ADVANCED DEMUFFIN 1.5 (C) 1983, 2014
ORIGINAL BY THE STACK UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--
[S7,D1=ProDOS hard drive]
]PR#7
]CAT,S6,D2
/OGRE
NAME TYPE BLOCKS MODIFIED
MI.SYSTEM SYS 5 9-JUN-86
MI.HELLO BIN 8 11-JUN-86
OTITLER BIN 7 9-JUN-86
OL BIN 13 11-JUN-86
OH BIN 46 11-JUN-86
ED BIN 13 11-JUN-86
P1 BIN 16 11-JUN-86
P2 BIN 4 11-JUN-86
U1 BIN 5 1-MAY-86
U2 BIN 5 1-MAY-86
U3 BIN 5 1-MAY-86
U4 BIN 5 1-MAY-86
U5 BIN 5 1-MAY-86
F1 BIN 5 1-MAY-86
F2 BIN 5 1-MAY-86
F3 BIN 5 1-MAY-86
F4 BIN 5 1-MAY-86
F5 BIN 5 1-MAY-86
G1 BIN 5 2-MAY-86
G2 BIN 5 1-MAY-86
G3 BIN 5 1-MAY-86
G4 BIN 5 1-MAY-86
G5 BIN 5 1-MAY-86
PR BIN 1 7-MAY-86
EA BIN 5 9-JUN-86
OGRE.PAC BIN 11 29-MAY-86
OGRE.ANMTBL BIN 13 28-MAY-86
CP.PAC BIN 10 9-JUN-86
CP.ANMTBL BIN 8 9-JUN-86
BLOCKS FREE: 8 BLOCKS USED: 272
~
Chapter 3
In Which Our Adventure Comes To
A Sudden But Satisfying Conclusion
[S6,D1=demuffin'd disk]
]PR#6
...program boots and runs...
Wait, what?
Why did the demuffin'd copy work?
Advanced Demuffin wrote out the data
from each sector onto a standard disk
that uses "D5 AA 96" prologue and "DE
AA EB" epilogue. The bootloader RWTS
always matches "D5 AA 96" and doesn't
care that it never sees a "D4 AA 96",
and it never checks epilogue bytes at
all. The RWTS within the PRODOS file
always matches "D5 AA 96", and its
epilogue checker always matches "DE"
and never checks the timing bit. Thus
no RWTS patches are necessary.
But then why didn't the EDD copy work?
The bootloader RWTS doesn't check
epilogue bytes at all, so it was able
to read the disk and load the PRODOS
file. Once control is transferred to
the PRODOS file, it switches to its
own RWTS to read the disk catalog and
find the first .SYSTEM file. But its
own RWTS can't read the disk, because
EDD preserved the original prologue
epilogue but not the timing bits.
The prologue checker (at $D398) finds
"D5 AA 96" even-numbered tracks) or
"D4 AA 96" (odd-numbered tracks). But
the epilogue checker's first compare
(at $D3EB) didn't match because the
first epilogue byte was still the
original value ($AF), and its second
compare (at $D3F4) didn't match
because there was no timing bit after
the first byte. ProDOS can't read the
disk catalog, so it displays the
"RELOCATION / CONFIGURATION ERROR"
and gives up. There was never any
nibble check; the very structure of
the disk itself is designed to foil
bit copiers.
Quod erat liberandum.
---------------------------------------
A 4am crack No. 386
------------------EOF------------------