----------Stickybear Opposites---------
A 4am crack                  2023-04-10
---------------------------------------

Name: Stickybear Opposites
Genre: educational
Year: 1989
Credits: Richard Hefter
  Janie Worthington
  Steve Worthington
Publisher: Optimum Resource
Platform: Apple ][ with 3.5-inch drive
Media: 3.5-inch disk
Sides: 1
OS: ProDOS 1.5

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


Copy ][+ 8.4 ("COPY" > "DISK")
  read errors on blocks $0054-$005F,
  copy loads ProDOS then crashes into
  the monitor

Next steps:

  1. Trace the startup program
  2. Find and disable the protection
     check
  3. Declare victory(*)

(*) touch grass

                   ~

               Chapter 1
    In Which It's Over Too Soon But
  At Least We Had Fun While It Lasted


The disk presents a standard ProDOS
directory with a single .SYSTEM file
that is probably the startup program.

]CAT,S5,D1

/OPPOSITES

 NAME           TYPE  BLOCKS  MODIFIED

 OPPOSITES       BIN     218   7-FEB-89
 LOADER.SYSTEM   SYS       3  13-JUL-89
 PRODOS          SYS      32  17-MAR-88
 SAY             BIN      16  13-JUL-89
 FINDER.DATA     $C9       1  13-JUL-89
 FINDER.ROOT     $C9       1  13-JUL-89

BLOCKS FREE: 1310     BLOCKS USED:  290

]BLOAD LOADER.SYSTEM,A$2000,TSYS
]CALL -151

*2000L

2000-   A9 00       LDA   #$00
2002-   85 50       STA   $50
2004-   A9 02       LDA   #$02
2006-   20 BD 21    JSR   $21BD
2009-   AD 98 BF    LDA   $BF98
200C-   29 30       AND   #$30
200E-   C9 30       CMP   #$30
2010-   D0 17       BNE   $2029
2012-   AD 05 C2    LDA   $C205
2015-   0D 07 C2    ORA   $C207
2018-   C9 38       CMP   #$38
201A-   D0 0A       BNE   $2026
201C-   AD 11 C2    LDA   $C211
201F-   F0 05       BEQ   $2026
2021-   20 E7 20    JSR   $20E7
2024-   90 03       BCC   $2029
2026-   20 29 21    JSR   $2129
2029-   20 E0 20    JSR   $20E0
202C-   D0 03       BNE   $2031
202E-   4C 00 00    JMP   $0000

Already I see a very suspicious jump at
$202E: JMP $0000. Theoretically, this
could be a placeholder for self-
modifying code, but I don't see any
instructions that modify it. And just
before the JMP, there is a JSR and a
branch over it. So I'm guessing that
the subroutine at $20E0 returns with
Z=1 on success and Z=0 on failure, and
the failure path jumps to $0000 and
crashes.

*20E0L

; MLI command $80 (raw block read)
; with parameter block at $2087
20E0-   20 00 BF    JSR   $BF00
20E3-  [80]
20E4-  [87 20]
20E6-   60          RTS

*2087.

2087- .. .. .. .. .. .. .. 03
                           ^^
                         params

2088- 50 00 BB 56 00
      ^^ ^^^^^ ^^^^^
     slot addr block

So we're reading block $0056 into $BB00
from slot 5, drive 1. The slot/drive
does not seem to be self-modified, so I
think you could successfully boot an
unauthorized copy by moving your drive
to another slot. I did not test this.

Anyway, that's it: a single read of a
block that is unformatted on the
original disk. If the read fails, the
accumulator will contain a non-zero
error code and the caller will branch
over the bogus JMP $0000 and start the
program. If the read succeeds, it means
this disk is an unauthorized copy and
the caller will crash on purpose.
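
The MLI call at $20E0 and its parameter
list at $2087, decoded in Python. This
is an added example, not part of the
original write-up; the function names
are invented for illustration, and the
memory bytes are retyped from the
listings above.

```python
# Added example, not 4am's code. Decodes a ProDOS MLI call site
# (JSR $BF00 / command byte / parameter-list pointer) and, for
# block read/write, its parameter list. Function names are
# hypothetical; memory bytes are retyped from the listings above.
import struct

MLI_ENTRY = 0xBF00
BLOCK_CMDS = {0x80: "READ_BLOCK", 0x81: "WRITE_BLOCK"}

def build_memory():
    """Sparse memory image holding only the bytes shown above."""
    mem = {}
    def poke(addr, data):
        for i, b in enumerate(data):
            mem[addr + i] = b
    poke(0x20E0, bytes.fromhex("2000BF80872060"))  # call site + RTS
    poke(0x2087, bytes.fromhex("035000BB5600"))    # parameter list
    return mem

def peek(mem, addr, n):
    """Return n bytes at addr, or fail if any of them is unknown."""
    try:
        return bytes([mem[addr + i] for i in range(n)])
    except KeyError:
        raise ValueError(f"no bytes known at ${addr:04X}+{n}")

def decode_mli_call(mem, addr):
    opcode, target, cmd, plist = struct.unpack("<BHBH", peek(mem, addr, 6))
    if opcode != 0x20 or target != MLI_ENTRY:
        raise ValueError(f"${addr:04X} is not JSR ${MLI_ENTRY:04X}")
    call = {"command": cmd, "name": BLOCK_CMDS.get(cmd, "other"),
            "param_list": plist, "resume": addr + 6}
    if cmd in BLOCK_CMDS:
        count, unit, buf, block = struct.unpack("<BBHH", peek(mem, plist, 6))
        if count != 3:
            raise ValueError("block calls take 3 parameters")
        call.update(slot=(unit >> 4) & 7,   # unit bits 4-6 = slot
                    drive=1 + (unit >> 7),  # unit bit 7: 0 = drive 1
                    buffer=buf, block=block)
    return call

if __name__ == "__main__":
    c = decode_mli_call(build_memory(), 0x20E0)
    print(f"{c['name']} block ${c['block']:04X} -> ${c['buffer']:04X}, "
          f"slot {c['slot']} drive {c['drive']}")
```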

I can change the JSR $20E0 to LDA $20E0
to unconditionally set the Z flag to 0
and branch to the success path. (The
byte at $20E0 is $20, the JSR opcode,
part of the MLI call.)

Block Warden ->
  Follow File "LOADER.SYSTEM"

finds this code on block $00ED.

Block $00ED, byte $029: 20 -> AD

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 3106
------------------EOF------------------
