Apple-2-SW/apple2_fantavision_reloaded
1
0
Fork 0
mirror of https://github.com/Michaelangel007/apple2_fantavision_reloaded.git synced 2024-12-27 17:29:17 +00:00
Code Issues Projects Releases Wiki Activity

Add Kracking section

Browse Source
This commit is contained in:
Michaelangel007 2017-03-25 01:39:24 -07:00
parent 88494be4d1
commit 91a405fb03
1 changed files with 209 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

209
README.md
View File

@ -2977,6 +2977,215 @@ Let's fire up `Copy ][` Sector Editor and make the _modifications_
to skip reading track 22.
## Kracking Fantavision
Back in the day all the kids pretending to be cool used to use "3l33t" (elite) speak.
The spelling of "cracked" -- kracked -- is simply part of this "culture"
or "warez scene" as it was (self) called.
"Cracking" is the (fine) art of removing copy protection.
How can we bypass the two nibble counts used?
Recall that Boot Stage 2 at $B500, reads in the 4&4 encypted Boot Stage 3
into $BC00 .. $BFFF. The code at $BC00 .. $BD26 is used by the Backup Utility
to write out $BE00 .. $BF00 onto track $22. Since our disk is normal
DOS3.3 / ProDOS format we don't care about these two pages $BC and $BD.
The only relevent code is $BE00 .. $BF5F
Now it seems silly to waste an entire track $22 just for two sectors worth of data
at $BE00 .. $BFFF. It turns out when we analyzed the `RWTS` that there
were two unused pages:
| Track | Sector | Address |
|:-----:|:------:|:-------:|
| $15 | $6 | $B600 |
| $15 | $7 | $B700 |
We can store the decoded $BE00 .. $BFFF @ $B600, have the boot sector move
them "up" in memory to their final (original) destination @ $BE00, by-pass
the second Nibble Count and Bob's our uncle.
We have a choice of where to put the memory mover:
* At $08E0 .. $08FF, the unused padding of the boot sector, or
* At $B500
I'm going to use $B500 since that keeps the "spirit" of $B500 "decoding"
Boot Stage 3 into $BE00. :-)
### Cracking in 3 Easy Payments, er Steps
These steps are quite detailed but should be rather straight-forward.
Just take your time and you'll do fine.
### Cracking Step 1: The Easy Stuff
If we want to keep the original code at $B500 (sentimental reasons, perhaps?)
we could stash this on the unused bytes on Track $15, Sector $5 @ $B580 -- but
we'd have to update the boot sector @ $087A:00 -> 80 to call our new mover:
From:
```asm
879:20 00 B5
```
To:
```asm
879:20 80 B5
```
Normally I like making the minimal number of changes possible
but let's keep the original code.
```asm
ORG $B580
Krack:
B580:A2 00 LDX #$00 ; Copy 256 bytes/page, 2x Pages
; We probably should also
; LDY #$00
CopyPages: ; restore $B600..$B7FF:00
B582:BD 00 B6 LDA $B600,X ; for completness via:
B585:9D 00 BE STA $BE00,X ; TAY
B588:BD 00 B7 LDA $B700,X ; STA $B600,X
B58B:9D 00 BF STA $BF00,X ; STA $B700,X
B58E:E8 INX
B58F:D0 F1 BNE CopyPages ;^ $B502
B591:18 CLC ; C=0 good "read" for $087C
B592:60 RTS ;
```
Hold off entering this in for now, we'll queue this up in a minute.
### Cracking Step 2: The Tedious Stuff
Since I'm lazy I don't feel like manually entering in T15S6 ($BE00)
and T15S7 ($BF00). Now we can't just do a manual sector copy off the
original Fantavision disk since Track $22 doesn't have any traditional sectors!
Instead, we'll want to save $BE00 .. $BFFF on our `Fanta.Work` disk -- but with
a twist. Due to DOS 3.3 retarded _amateur design_ it stores 4 bytes IN the binary file.
What we want is the DOS 3.3 file such that $BE00 is aligned on the
_start_ of a sector -- that way we can manually copy the two sectors.
All we need do is save a dummy $100-4 = $FC prefix to force the alignment.
If you already have `B3.FANTAVISION_T22_BC00` skip to step 7.
Otherwise, if you missed saving Boot Stage 3 here is a quick way to save it:
1. Remove any disk in Slot 6, Drive 1
2. Insert Fantavision in Slot 6, Drive 1
3. Enter in these instructions:
```
CALL-151
9600<C600.C6FFM
96FA:9F
9F00:60 60
9600G
FC58G
2B:60
801G
2000<B000.BFFFM
```
4. Replace disk in Slot 6, Drive 1, with `Fanta.Work`
5. `C600`
6. `BSAVE B3.FANTAVISION_T22_BC00,A$2C00,L$400`
Optional skip 7 :-)
7. `BLOAD B3.FANTAVISION_T22_BC00,A$2C00`
8. `BSAVE B3.KRACK_T22_B600,A$2B04,L$4FC`
Now move your `Fanta.Work` disk to Drive 2, and fire up Copy \]\[+ in Drive 1.
9. Now the hard part -- where was our $BC00 code saved on `Fanta.Work` ?
* `Track/Sector Map` > `Disk B`
* Make a note of which file it is, i.e. `K`
* `RETURN` to continue
* `RETURN` to see the files allocated. On my disk it was saved at Track $F, Sector $F .. Sector $A
* `RETURN` to return to the menu
10. `Sector Edit` > `Disk B`
11. Optional Read Track $11, Sector $F and/or Sector $E.
* Look for our filename: `B3.KRACK_T22_B600`, and move back 3 bytes
12. `R` to read Track T1, Sector S1 for the FTOC. At address $12 is the Track/Sector we want
13. `R` to read Track T2, Sector S2. i.e. Track $0F, Sector $B
14. Remove `Fanta.Work`
15. Replace with `Fanta.COPYA`
16. `W` to Track $15, Sector $6
17. Remove `Fanta.COPYA`
18. Replace with `Fanta.Work`
19. `R` to read Track T2, Sector S2-1. i.e. Track $0F, Sector $A
20. Remove `Fanta.Work`
21. Replace with `Fanta.COPYA`
22. `W` to write Track $15, Sector $7
Here is a little table to help:
| Disk | Read | Write |
|:----------|:-----:|:-----:|
|Fanta.Work | T0FSB | n/a |
|Fanta.COPYA| n/a | T15S6 |
|Fanta.Work | T0FSA | n/a |
|Fanta.COPYA| n/a | T15S7 |
Don't forgot we need to modify T15S5 with our `mini $BE00 loader`
23. `R` to read Track $15, Sector $5
24. `H` to enter in the bytes from Step 1,
```asm
B500:A2 00 BD 00 B6 9D 00 BE
B508:BD 00 B7 9D 00 BF E8 D0
B510:F1 18 60
```
25. `W` to write Track $15, Sector $5
26. Lastly, let's patch T00S0 to call our new mover.
* `R` Track $00, Sector $0
* `A` Address $7A
* `H` Hex: $80
27. And `W` to write it.
Whew! One more step.
### Cracking Step 3: Skip Nibble Count 2
The astute reader will notice this is titled "Skip Nibble Count 2".
What happened to Nibble Count 1? We already handled that in the
previous instructions. Pay attention! :-)
Seriously though, we just have one more tiny patch to make:
The code at $BE00 calls nibble check 2 @ $BEAA
```
BEAA:4C AD BE JMP DoNibbleCheck2
DoNibbleCheck2:
BEAD:A0 00 LDY #$00
```
This routine ends at $BF0F -- so let's jump there instead skipping the whole thing. :-)
1. `R` Track $15, Sector $6
2. `A` Address $AB
3. `H` Hex: $0F $BF
2. `W` Track $15, Sector $6
And now for the moment of truth ...
Put our `Fanta.COPYA` in Slot 6, Drive 1, and reboot.
* ![Main](pics/main.png)
Success!
## ProDOS Hybrid!?