---------Air Raid Pearl Harbor---------
A 4am crack                  2017-07-12
---------------------------------------

Name: Air Raid Pearl Harbor
Genre: simulation
Year: 1990
Publisher: General Quarters Software
Platform: Apple ][+ or later (64K)
Media: double-sided 5.25-inch floppy
OS: Pronto-DOS
Previous cracks: none

                   ~

The disk itself is unprotected (COPYA
can copy it), but on boot it shows this
screen:

                 --v--

        APPLE IIE & IIC MACHINES
          ENGAGE CAPS LOCK KEY

      (PRESS RETURN TO CONTINUE)

                 --^--

Then this screen:

                 --v--

      **  AIR RAID PEARL HARBOR  **

         CODEWORD: ALPHA

         PASSWORD ?_

                 --^--

Entering the correct codeword from the
manual shows a third screen:

                 --v--

         INITIAL ANTHEM (Y/N) ?

                 --^--

According to the manual, there are five
possible codewords: ALPHA, BETA, GAMMA,
DELTA, and EPSILON. The correct answer
will give you full access to the game;
there doesn't appear to be any further
protection.

Obviously this is an unacceptable state
of affairs.

                   ~

Booting the disk and pressing <Ctrl-C>
gets me to a working prompt with DOS in
memory.

]PR#6
...
<Ctrl-C>

BREAK

]LIST

 5  IF  PEEK (978) = 157 THEN  PRINT
      CHR$ (4);"BRUN DOS-UP"
 10  PRINT  CHR$ (4);"BLOAD RUNTI
     ME" +  CHR$ (13) +  CHR$ (4)
      + "BRUN GS0" +  CHR$ (13)
 20  END

]CATALOG

PRONTO-DOS V254

*T 006 AFILE
*T 005 BFILE
*B 008 CEDRIVER
*B 007 DOS-UP
*B 018 GS0
*B 064 GS1
*B 085 GS2
*B 018 GS3
*B 073 GS4
*B 032 GS5
*B 008 GS6
*B 071 GS7
*A 002 HELLO
*B 033 MAP5
*B 012 PLAYERS
*B 017 RUNTIME
*B 033 STATDISPLAY
*B 018 USS

Turning to my trusty Disk Fixer sector
editor, I can see the entirety of GS0
in hex and ASCII. It is illuminating.

[Disk Fixer]
  ["D"irectory mode]
    [select "GS0"]

                 --v--

-------------- DISK EDIT --------------
TRACK $1B/SECTOR $01/VOLUME $FE/BYTE$00
---------------------------------------
$00:>00<60 1F 10 20 03 08 B5   @ _P CH5
     ^^^^^ ^^^^^
    address len (DOS 3.3 file header)

$08: 61 24 71 FF 5F FF 5F FF   !$1._._.
$10: 5F 1E 70 F2 70 24 71 00   _^0r0$1@
$18: 20 C8 6D 20 0C 70 4C 23    H- L0L#
$20: 60 05 41 4C 50 48 41 20    EALPHA
        ^^^^^^^^^^^^^^^^^
     length-prefixed string ("ALPHA")

$28: C5 0E 1D 60 20 6F 0C 20   EN]  /L
$30: DD 6D 20 0C 70 4C 39 60   ]- L0L9
$38: 04 42 45 54 41 20 C5 0E   DBETA EN
     ^^^^^^^^^^^^^^
         "BETA"

$40: 34 60 20 6F 0C 20 EF 6D   4  /L o-
$48: 20 0C 70 4C 50 60 05 47    L0LP EG
                       ^^^^^
$50: 41 4D 4D 41 20 C5 0E 4A   AMMA ENJ
     ^^^^^^^^^^^
       "GAMMA" and so on

$58: 60 20 6F 0C 20 22 6E 20     /L ".
$60: 0C 70 4C 67 60 05 44 45   L0L' EDE
$68: 4C 54 41 20 C5 0E 61 60   LTA EN!
$70: 20 6F 0C 20 61 6E 20 0C    /L !. L
$78: 70 4C 80 60 07 45 50 53   0L. GEPS
$80: 49 4C 4F 4E 20 C5 0E 78   ILON EN8
$88: 60 20 6F 0C 20 58 FC 20     /L X|
$90: 18 6F 20 A1 14 20 E2 6E   X/ !T b.
$98: 20 AA 14 4C B3 60 18 41    *TL3 XA
                       ^^^^^
$A0: 50 50 4C 45 20 49 49 45   PPLE IIE
     ^^^^^^^^^^^^^^^^^^^^^^^
$A8: 20 26 20 49 49 43 20 4D    & IIC M
     ^^^^^^^^^^^^^^^^^^^^^^^
$B0: 41 43 48 49 4E 45 53 20   ACHINES
     ^^^^^^^^^^^^^^^^^^^^^^^
    I saw this string printed

$B8: C5 0E 9A 60 20 EE 0E 20   EN.  nN
$C0: FB DA 20 0F 6F 20 AA 14   {Z O/ *T
$C8: 4C DC 60 14 45 4E 47 41   L\ TENGA
              ^^^^^^^^^^^^^^
$D0: 47 45 20 43 41 50 53 20   GE CAPS
     ^^^^^^^^^^^^^^^^^^^^^^^
$D8: 4C 4F 43 4B 20 4B 45 59   LOCK KEY
     ^^^^^^^^^^^^^^^^^^^^^^^
  I saw this string printed also

$E0: 20 C5 0E C7 60 20 EE 0E    ENG  nN
$E8: 20 FB DA 20 45 6F 20 41    {Z E/ A
$F0: 17 20 9B 6D 20 54 14 20   W .- TT
$F8: 96 6F 20 A1 14 20 27>16   ./ !T 'V
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
DOS3.3:GS0                         /$00
---------------------------------------
COMMAND : _

                 --^--

Lots of interesting stuff going on, all
in the first sector of the file! The
standard 4-byte header tells me it's
loaded at address $6000. Almost
immediately I start seeing inline
strings that were printed on screen
when I ran the program.

A few sectors later (press right arrow
to "follow" a file based on its track/
sector list), I see the text of the
codeword lookup screen:

                 --v--

-------------- DISK EDIT --------------
TRACK $02/SECTOR $0D/VOLUME $FE/BYTE$8E
---------------------------------------
$80: 70 20 58 FC 20 D0 6E 20   0 X| P.
$88: AA 14 4C A7 63 1D>2A<2A   *TL'#]**
                    ^^^^^^^^
$90: 20 20 41 49 52 20 52 41     AIR RA
     ^^^^^^^^^^^^^^^^^^^^^^^
$98: 49 44 20 50 45 41 52 4C   ID PEARL
     ^^^^^^^^^^^^^^^^^^^^^^^
$A0: 20 48 41 52 42 4F 52 20    HARBOR
     ^^^^^^^^^^^^^^^^^^^^^^^
     "AIR RAID PEARL HARBOR"

$A8: 20 2A 2A 20 C5 0E 89 63    ** EN.#
$B0: 20 EE 0E 20 FB DA 20 FD    nN {Z }
$B8: 6E 20 AA 14 20 FD 6E 20   . *T }.
$C0: A1 14 4C CC 63 0A 43 4F   !TLL#JCO
                    ^^^^^^^^
$C8: 44 45 57 4F 52 44 3A 20   DEWORD:
     ^^^^^^^^^^^^^^^^^^^^^^^
           "CODEWORD:"

$D0: 20 C5 0E C1 63 20 EE 0E    ENA# nN
$D8: 20 4A 6D 20 AA 10 20 0A    J- *P J
$E0: 70 20 EE 0E 20 FB DA 20   0 nN {Z
$E8: FD 6E 20 AA 14 20 18 6F   }. *T X/
$F0: 20 A1 14 20 27 16 4C 00    !T 'VL@
$F8: 64 0A 50 41 53 53 57 4F   $JPASSWO
        ^^^^^^^^^^^^^^^^^^^^
           "PASSWO[RD ?]"
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
DOS3.3:GS0                         /$03
---------------------------------------
COMMAND : _

                 --^--

Just before the "AIR RAID PEARL HARBOR"
text, I see a familiar 3-byte opcode:
20 58 FC (at offset $81). This is 6502
code for "JSR $FC58", a standard entry
point in ROM, equivalent to the "HOME"
command in BASIC. It clears the screen
and resets a bunch of text parameters
in zero page so that subsequent "PRINT"
commands start printing at the top of
the screen.

Looking back at the first sector of the
file, I see the same 3-byte opcode at
offset $8C: 20 58 FC. This program is
not even attempting to hide what's
going on. It's straightforwardly
calling standard ROM routines to clear
the screen and printing inline strings
without any sort of encryption (not
even XOR).

It does not, however, have the actual
codeword answers embedded anywhere. But
I don't care about the answers; I want
to bypass the question.

Following the file to the very next
sector, I see the text of the third
screen, the one that's displayed after
you enter the correct codeword in the
second screen. And lo! The same call to
$FC58 immediately before the text.

                 --v--

-------------- DISK EDIT --------------
TRACK $02/SECTOR $0C/VOLUME $FE/BYTE$43
---------------------------------------
$00: 52 44 20 3F 20 C2 0E F5   RD ? BNu
$08: 63 20 8A 12 20 17 70 20   # .R W0
$10: 87 13 20 86 6D 20 D1 6D   .S .- Q-
$18: 20 83 6D 20 86 6D 20 F8    .- .- x
$20: 6D 20 19 15 D0 03 4C 2B   - YUPCL+
$28: 64 20 D8 F3 4C 63 13 20   $ XsL#S
$30: 4A 6D 20 AA 10 20 F5 6F   J- *P u/
$38: 20 15 70 20 B7 15 F0 03    U0 7UpC
$40: 4C B2 63>20<58 FC 20 18   L2# X| X
              ^^^^^^^^
          JSR $FC58 (HOME)

$48: 6F 20 A1 14 20 FD 6E 20   / !T }.
$50: AA 14 4C 68 64 16 49 4E   *TL($VIN
                    ^^^^^^^^
$58: 49 54 49 41 4C 20 41 4E   ITIAL AN
     ^^^^^^^^^^^^^^^^^^^^^^^
$60: 54 48 45 4D 20 28 59 2F   THEM (Y/
     ^^^^^^^^^^^^^^^^^^^^^^^
     "INITIAL ANTHEM (Y/N) ?"

$68: 4E 29 20 3F 20 C5 0E 51   N) ? ENQ
$70: 64 20 EE 0E 20 CC 10 20   $ nN LP
$78: 02 70 20 EE 0E 20 FB DA   B0 nN {Z
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
DOS3.3:GS0                         /$04
---------------------------------------
COMMAND : _

                 --^--

Is it possible that I could bypass the
codeword lookup screen by jumping from
one "JSR $FC58" to the next?

After some quick calculations, and
taking into account the 4-byte offset
because of the DOS 3.3 file header,
it appears that the "JSR $FC58" for the
third screen (shown above at offset $43
in T02,S0C) is in memory at $643F.

Thus, to bypass the second screen
(which contains the codeword lookup),
I should change the "JSR $FC58" at
offset $81 of T02,S0D to "JMP $643F".

T02,S0D,$81: 2058FC -> 4C3F64

]PR#6
...works...

The codeword lookup screen doesn't appear
to have any side effects, so skipping it
altogether has no ill effects.
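The address arithmetic above (file sector and byte offset as shown by a sector editor, minus the 4-byte DOS 3.3 binary header, plus the load address) and the JSR-to-JMP patch, as an added Python example that is not part of the original writeup. It works on a constructed stand-in for GS0 rather than the real file: the header bytes ($6000, $101F) are taken from the dump, the body is zeros, and the two JSR $FC58 calls are placed at file sectors 3 and 4 where the writeup found them (the T02,S0D / T02,S0C track and sector names are not known to the code).

```python
import struct

JSR_OP, JMP_OP = 0x20, 0x4C
HOME = 0xFC58  # Monitor ROM entry that clears the screen (the "HOME" call in the writeup)

def parse_dos33_binary_header(data):
    """A DOS 3.3 'B' file begins with load address and length, both little-endian 16-bit."""
    load_addr, length = struct.unpack_from("<HH", data, 0)
    return load_addr, length

def sector_offset_to_addr(load_addr, sector_index, byte_offset):
    """Map (sector index within the file, byte within that sector), as a sector editor
    shows them, to the address the byte occupies after BLOAD. The header itself is not loaded."""
    file_offset = sector_index * 256 + byte_offset
    if file_offset < 4:
        raise ValueError("offset is inside the file header, which is never loaded")
    return load_addr + file_offset - 4

def find_calls(data, target):
    """Every 'JSR target' in the file body, reported as (sector, offset, memory address)."""
    load_addr, _ = parse_dos33_binary_header(data)
    needle = bytes([JSR_OP]) + struct.pack("<H", target)
    hits, pos = [], data.find(needle, 4)
    while pos != -1:
        hits.append((pos // 256, pos % 256, sector_offset_to_addr(load_addr, pos // 256, pos % 256)))
        pos = data.find(needle, pos + 1)
    return hits

def make_skip_patch(data, src, dst):
    """Replace the JSR at src=(sector, offset) with a JMP to the JSR at dst=(sector, offset).
    Refuses to patch unless both locations really hold 'JSR $FC58' (a check worth keeping)."""
    load_addr, _ = parse_dos33_binary_header(data)
    jsr_home = bytes([JSR_OP]) + struct.pack("<H", HOME)
    src_off, dst_off = src[0] * 256 + src[1], dst[0] * 256 + dst[1]
    for off in (src_off, dst_off):
        if data[off:off + 3] != jsr_home:
            raise ValueError("expected JSR $FC58 at file offset $%04X" % off)
    target = sector_offset_to_addr(load_addr, *dst)
    new = bytes([JMP_OP]) + struct.pack("<H", target)  # 6502 JMP abs, little-endian operand
    patched = bytearray(data)
    patched[src_off:src_off + 3] = new
    return bytes(patched), target, new

# Constructed stand-in for GS0: real header from the dump, zero body, JSR $FC58 at
# file sector 3 offset $81 and file sector 4 offset $43.
SAMPLE = bytearray(b"\x00\x60\x1f\x10" + b"\x00" * 0x101F)
for _off in (3 * 256 + 0x81, 4 * 256 + 0x43):
    SAMPLE[_off:_off + 3] = bytes([JSR_OP]) + struct.pack("<H", HOME)
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    for sec, off, addr in find_calls(SAMPLE, HOME):
        print("JSR $FC58 at file sector %d offset $%02X -> $%04X" % (sec, off, addr))
    _, target, new = make_skip_patch(SAMPLE, (3, 0x81), (4, 0x43))
    print("patch: 2058FC -> %s (JMP $%04X)" % (new.hex().upper(), target))
```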

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1329
------------------EOF------------------
