Protection: check for S/N of Happy enhancement This image is NOT the original disk which comes with the manual but the disk which must be created before using it. The creation process seems to query the drive for the serial number of its Happy 810 enhancement and then encrypts parts of the program using this serial number before is writes out the final disk. Cracked by: - decrypt with the expected serial number Routine in sector $55 (85) at offset $2a10: ---------------------------------------------------------- 401D: 20 78 4C JSR $4C78 # read the Happy 810 S/N to $4eb8 4020: AD B8 4E LDA $4EB8 # and store it zeropage 4023: 85 DD STA $DD 4025: AD B9 4E LDA $4EB9 4028: 85 DE STA $DE 402A: A0 00 LDY #$00 # initialize checksum to $0000 402C: 84 B3 STY $B3 402E: 84 B4 STY $B4 4030: B9 2E 61 LDA $612E,Y # decrypt $612e-$617d 4033: 45 DD EOR $DD # EOR even bytes with 1st byte of S/N ---------------------------------------------------------- 4033: 49 90 EOR #$90 # use 1st byte of expected S/N 4035: 99 6B 42 STA $426B,Y 4038: 18 CLC 4039: 65 B3 ADC $B3 # add byte to checksum 403B: 85 B3 STA $B3 403D: A5 B4 LDA $B4 403F: 69 00 ADC #$00 4041: 85 B4 STA $B4 4043: C8 INY 4044: B9 2E 61 LDA $612E,Y 4047: 45 DE EOR $DE # EOR odd bytes with 2nd byte of S/N ---------------------------------------------------------- 4047: 49 68 EOR #$68 # use 2nd byte of expected S/N 4049: 99 6B 42 STA $426B,Y 404C: 18 CLC 404D: 65 B3 ADC $B3 # add byte to checksum 404F: 85 B3 STA $B3 4051: A5 B4 LDA $B4 4053: 69 00 ADC #$00 4055: 85 B4 STA $B4 4057: C8 INY 4058: C0 50 CPY #$50 405A: D0 D4 BNE $4030 405C: C8 INY 405D: D9 2E 61 CMP $612E,Y # verify hi-byte of checksum ($617f=$1c) 4060: D0 44 BNE $40A6 # not OK => "wrong disk drive! ... cannot continue" 4062: 88 DEY 4063: A5 B3 LDA $B3 4065: D9 2E 61 CMP $612E,Y # verify lo-byte of checksum ($617e=$19) 4068: D0 3C BNE $40A6 # not OK => "wrong disk drive! ... cannot continue" 406A: A9 40 LDA #$40 # go ahead 406C: 85 0D STA DOSINI+1 406E: A9 D2 LDA #$D2 4070: 85 0C STA DOSINI 4072: 4C 80 41 JMP $4180 2nd check for S/N right before writing to a disk ---------------------------------------------------------- 4603: 20 78 4C JSR $4C78 # read the S/N to $4eb8 4606: A0 05 LDY #$05 4608: B9 D8 00 LDA $00D8,Y # $00dd (S/N from 1st query) 460B: CD B8 4E CMP $4EB8 # verify S/N again 460E: D0 09 BNE $4619 # different? => patch code 4610: C8 INY 4611: B9 D8 00 LDA $00D8,Y # $00de (S/N from 1st query) 4614: CD B9 4E CMP $4EB9 # verify S/N again 4617: F0 05 BEQ $461E # OK? => go ahead 4619: A9 A9 LDA #$A9 # patch code if S/N differs 461B: 8D AA 48 STA $48AA 461E: 20 DE 4D JSR $4DDE # go ahead Location patched if 2nd check for S/N fails ---------------------------------------------------------- 48AA: 09 54 ORA #$54 # original code ---------------------------------------------------------- 48AA: A9 54 LDA #$54 # patched code if S/N differs 48AC: 85 B1 STA $B1 DISKMAP - 40 TRACKS - 18 SECTORS 1 ********** **........ *......... .......... 2 ********** **........ .......... .......... 3 ********** **........ .......... .......... 4 ********** **........ .......... .......... 5 ********** **........ .......... .......... 6 ********** **........ .......... .......... 7 ********** **........ .......... .......... 8 ********** **........ .......... .......... 9 ********** **........ .......... .......... 10 ********** **........ .......... .......... 11 ********** *......... .......... .......... 12 ********** *......... .......... .......... 13 ********** *......... .......... .......... 14 ********** *......... .......... .......... 15 ********** *......... .......... .......... 16 ********** *......... .......... .......... 17 ********** *......... .......... .......... 18 ********** *........* .......... .......... * OK/DATA .,;: OK/EMPTY ($00, $1A, $FF, other) | MISSING d DELETED C BAD CRC l/L LONG/l+DELETED crack.rup NINJA1T raw 7c0e1dc0 b157c6591fe843f1e2419470086291e4 415093c421b4f83513cbe3029d263b7dd737f8da 2a49 4990 2a5d 4968 uncrack.rup NINJA1T raw 7fffffff 1083cd6e6eacc69556fb4e646b108419 ef4b480605bb751d8c4e66d6fe5eea36be8bbfad 2a49 45dd 2a5d 45de