Protection: $198 (408) physically damaged The damaged area cannot be magnetized anymore. The loader writes to sector 408 and verifies that it did NOT succeed after a defined number of still working bytes. The damage was done manually using a drill. Therefore the hole's physical location differs from disk to disk and every disk checks its own particular sector with its own number of non-damaged stable bytes at the beginning of the sector. Sector 649 contains the information about the damaged sector (all EORed with $FF): Byte $25=track, $45=sector-on-track-1, $65=stable-bytes, $7f=maybe-checksum Cracked by: - fake non-writable sector (fill buffer from the right point on with random data) - added code to do this - crack does not depend on the damaged sector's number or number of stable bytes Final check if copy protection succeeded ---------------------------------------------------------- 9586: AD FB 9F LDA $9FFB # (=$00 if protection failed) 9589: C9 10 CMP #$10 958B: F0 06 BEQ $9593 958D: A9 AF LDA #$AF # show SYNCROLOKED! screen 958F: 48 PHA 9590: A9 5A LDA #$5A # RTS to $af5b 9592: 48 PHA 9593: 60 RTS # run game (if protection OK) Stage 1 of loader: ---------------------------------------------------------- A9C3: A2 FF LDX #$FF A9C5: 9A TXS A9C6: 8E 44 02 STX COLDST A9C9: A9 A0 LDA #$A0 A9CB: 8D F4 02 STA CHBAS A9CE: 8D 09 D4 STA CHBASE A9D1: A9 00 LDA #$00 A9D3: 85 F3 STA INBUFF A9D5: A9 AB LDA #$AB A9D7: 85 F4 STA $F4 A9D9: A0 00 LDY #$00 A9DB: AD 0A D2 LDA RANDOM A9DE: 91 F3 STA (INBUFF),Y # random fill $ab00-$ceff A9E0: C8 INY A9E1: D0 F8 BNE $A9DB A9E3: E6 F4 INC $F4 A9E5: A5 F4 LDA $F4 A9E7: C9 CF CMP #$CF A9E9: 90 F0 BCC $A9DB A9EB: A2 05 LDX #$05 A9ED: BD FA FF LDA $FFFA,X # store INT/RESET vectors A9F0: 9D 00 01 STA $0100,X A9F3: CA DEX A9F4: 10 F7 BPL $A9ED A9F6: A2 00 LDX #$00 A9F8: 20 02 A9 JSR $A902 # check $c000,0 (?) A9FB: B0 B3 BCS $A9B0 A9FD: A2 06 LDX #$06 A9FF: 20 02 A9 JSR $A902 # check $c000,6 (?) AA02: B0 AC BCS $A9B0 AA04: A0 8E LDY #$8E # VVBLKI =$a88e AA06: A2 A8 LDX #$A8 # checks OS and CONSOL-keys AA08: A9 06 LDA #$06 AA0A: 20 5C E4 JSR SETVBV AA0D: A0 75 LDY #$75 # SDLSTL =$a975 AA0F: A2 A9 LDX #$A9 AA11: A9 0D LDA #$0D AA13: 20 5C E4 JSR SETVBV AA16: A9 0C LDA #$0C AA18: 8D C4 02 STA COLOR0 AA1B: A9 C4 LDA #$C4 AA1D: 8D C8 02 STA COLOR4 AA20: A5 14 LDA RTCLOK+2 AA22: C5 14 CMP RTCLOK+2 AA24: F0 FC BEQ $AA22 # wait for VBI AA26: 20 C2 A7 JSR $A7C2 # Check sectors $a001 and $800 AA29: A9 00 LDA #$00 # target address $ac00 for next load AA2B: 8D 29 A2 STA $A229 AA2E: A9 AC LDA #$AC AA30: 8D 2A A2 STA $A22A AA33: A9 C2 LDA #$C2 # "key" BF20: FF C2 B2 23 00 10 FF AA35: 8D 27 A2 STA $A227 # $10 sectors starting with track $23 sector 1 AA38: A9 B2 LDA #$B2 AA3A: 8D 28 A2 STA $A228 AA3D: 20 09 A2 JSR $A209 # =>$a6d3, read mapping table and sectors AA40: 90 E7 BCC $AA29 # C is set if last bytes of 703 =$59 $4c AA42: 4C 58 AF JMP $AF58 # w+r sector 27, 703-667 =>$b27d -- B26A: A0 D3 LDY #$D3 # message: REMOVE WRITE PROTECT B26C: A2 B1 LDX #$B1 B26E: A9 0D LDA #$0D B270: 20 5C E4 JSR SETVBV # SDLSTL =$b1d3 B273: A5 14 LDA RTCLOK+2 B275: C5 14 CMP RTCLOK+2 B277: F0 FC BEQ $B275 B279: 02 KIL B27A: 4C 7A B2 JMP $B27A # crash B27D: A0 7F LDY #$7F B27F: AD 0A D2 LDA RANDOM B282: 99 00 10 STA $1000,Y B285: 88 DEY B286: 10 F7 BPL $B27F B288: A9 02 LDA #$02 # DCOMND=$57 B28A: 8D 21 A2 STA $A221 B28D: A9 00 LDA #$00 # buffer $1000 B28F: 8D 24 A2 STA $A224 B292: A9 10 LDA #$10 B294: 8D 25 A2 STA $A225 B297: A9 01 LDA #$01 # track 1 B299: 8D 22 A2 STA $A222 B29C: A9 08 LDA #$08 # sector-on-track 9 = sector 27 B29E: 8D 23 A2 STA $A223 B2A1: 20 06 A2 JSR $A206 # try to write sector 27 B2A4: 10 0C BPL $B2B2 # OK => continue B2A6: 8A TXA B2A7: 29 40 AND #$40 B2A9: D0 BF BNE $B26A B2AB: AD 1D A2 LDA $A21D # DVSTAT B2AE: 29 08 AND #$08 B2B0: D0 B8 BNE $B26A # write protected => abort B2B2: CE 21 A2 DEC $A221 # DCOMND=$52 B2B5: A9 80 LDA #$80 # buffer $1080 B2B7: 8D 24 A2 STA $A224 B2BA: 20 06 A2 JSR $A206 # read sector back B2BD: 30 BE BMI $B27D B2BF: A0 7F LDY #$7F B2C1: B9 00 10 LDA $1000,Y B2C4: D9 80 10 CMP $1080,Y B2C7: D0 A1 BNE $B26A # must be identical B2C9: 88 DEY B2CA: 10 F5 BPL $B2C1 B2CC: A9 AC LDA #$AC B2CE: 8D F4 02 STA CHBAS B2D1: 8D 09 D4 STA CHBASE B2D4: A9 02 LDA #$02 B2D6: 8D F3 02 STA CHACT B2D9: A0 B7 LDY #$B7 B2DB: A2 B1 LDX #$B1 B2DD: A9 0D LDA #$0D B2DF: 20 5C E4 JSR SETVBV # SDLSTL=$b1b7 B2E2: A2 04 LDX #$04 B2E4: BD 0A B2 LDA $B20A,X B2E7: 9D C4 02 STA COLOR0,X B2EA: CA DEX B2EB: 10 F7 BPL $B2E4 B2ED: A0 5E LDY #$5E B2EF: A2 AF LDX #$AF B2F1: A9 06 LDA #$06 B2F3: 20 5C E4 JSR SETVBV # VVBLKI =$af5e B2F6: A5 14 LDA RTCLOK+2 B2F8: C5 14 CMP RTCLOK+2 B2FA: F0 FC BEQ $B2F8 # wait for VBI B2FC: AD 01 07 LDA $0701 # Happy Drive? B2FF: F0 0B BEQ $B30C # no => skip B301: A0 0C LDY #$0C B303: B9 0F B2 LDA $B20F,Y # B20F: 28 21 30 30 39 00 24 32 29 36 25 00 01 B306: 99 B3 B0 STA $B0B3,Y # B0B3: 00 00 00 00 00 00 00 00 00 00 00 00 00 B309: 88 DEY B30A: 10 F7 BPL $B303 B30C: A9 00 LDA #$00 # target address $b400 for next load B30E: 8D 29 A2 STA $A229 B311: A9 B4 LDA #$B4 B313: 8D 2A A2 STA $A22A B316: A9 C2 LDA #$C2 # "key" BF40: FF C2 B3 13 00 12 27 01 02 FF B318: 8D 27 A2 STA $A227 # $12 sectors starting with track $13 sector 1 B31B: A9 B3 LDA #$B3 # and 2 sectors from track $27 sector 2 B31D: 8D 28 A2 STA $A228 B320: 20 09 A2 JSR $A209 # =>$a6d3, read mapping table and sectors B323: 90 E7 BCC $B30C B325: 4C 00 B4 JMP $B400 # =>$ba33 =>$b6ac -- A6B9: AD 29 A2 LDA $A229 # starting address for load A6BC: 8D 24 A2 STA $A224 # -> DBUFLO/HI A6BF: AD 2A A2 LDA $A22A A6C2: 8D 25 A2 STA $A225 A6C5: 20 F7 A5 JSR $A5F7 # fill $a222-$a226 A6C8: 90 07 BCC $A6D1 # finished => exit A6CA: 20 70 A6 JSR $A670 # read all sectors A6CD: B0 F6 BCS $A6C5 # OK => next block A6CF: 90 01 BCC $A6D2 # ERROR => exit A6D1: 38 SEC A6D2: 60 RTS A6D3: 20 37 A6 JSR $A637 # (via $a209) read 3 sectors to $be80, starting with 703 A6D6: 90 0C BCC $A6E4 A6D8: 20 D2 A5 JSR $A5D2 # locate $a227/8 ("key") in $bfxx A6DB: 90 07 BCC $A6E4 A6DD: A9 01 LDA #$01 A6DF: 8D 21 A2 STA $A221 # DCOMND=$52 A6E2: D0 D5 BNE $A6B9 # read A6E4: 60 RTS A6E5: A0 00 LDY #$00 # next block to read (?) A6E7: B9 00 BF LDA $BF00,Y A6EA: F0 09 BEQ $A6F5 A6EC: 18 CLC A6ED: 98 TYA A6EE: 69 20 ADC #$20 A6F0: A8 TAY A6F1: D0 F4 BNE $A6E7 A6F3: 18 CLC A6F4: 60 RTS A6F5: A9 FF LDA #$FF A6F7: 99 00 BF STA $BF00,Y A6FA: AD 27 A2 LDA $A227 A6FD: 99 01 BF STA $BF01,Y A700: AD 28 A2 LDA $A228 A703: 99 02 BF STA $BF02,Y A706: 8C 2C A2 STY $A22C A709: 38 SEC A70A: 60 RTS -- A5D2: A0 00 LDY #$00 # locate "key" in $bf00-$bfff A5D4: B9 00 BF LDA $BF00,Y # format: FF "key" "key" track sec-on-track count BF00: FF D0 C1 24 00 01 FF 00 00 00 00 00 00 00 00 00 BF10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF20: FF C2 B2 23 00 10 FF 00 00 00 00 00 00 00 00 00 BF30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF40: FF C2 B3 13 00 12 27 01 02 FF 00 00 00 00 00 00 BF50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF60: FF D0 D2 25 01 24 27 02 26 27 03 12 14 03 03 FF BF70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF80: FF C3 C8 11 03 10 FF 00 00 00 00 00 00 00 00 00 BF90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BFA0: FF D3 C3 27 04 26 27 05 26 27 06 26 27 07 26 27 BFB0: 08 26 27 09 02 FF 00 00 00 00 00 00 00 00 00 00 A5D7: F0 10 BEQ $A5E9 A5D9: AD 27 A2 LDA $A227 # 1st byte of key A5DC: D9 01 BF CMP $BF01,Y A5DF: D0 08 BNE $A5E9 A5E1: AD 28 A2 LDA $A228 # 2nd byte of key A5E4: D9 02 BF CMP $BF02,Y A5E7: F0 09 BEQ $A5F2 A5E9: 18 CLC A5EA: 98 TYA A5EB: 69 20 ADC #$20 # try next entry A5ED: A8 TAY A5EE: D0 E4 BNE $A5D4 A5F0: 18 CLC # "key" not found A5F1: 60 RTS A5F2: 8C 2C A2 STY $A22C # "key" found A5F5: 38 SEC A5F6: 60 RTS A5F7: AC 2C A2 LDY $A22C # current pointer into $bfxx A5FA: B9 03 BF LDA $BF03,Y A5FD: C9 FF CMP #$FF # current load finished? A5FF: F0 17 BEQ $A618 # yes => exit A601: 8D 22 A2 STA $A222 # starting track A604: C8 INY A605: B9 03 BF LDA $BF03,Y A608: 8D 23 A2 STA $A223 # starting sector-on-track (minus 1) A60B: C8 INY A60C: B9 03 BF LDA $BF03,Y A60F: 8D 26 A2 STA $A226 # number of sectors A612: C8 INY A613: 8C 2C A2 STY $A22C A616: 38 SEC # OK A617: 60 RTS A618: 18 CLC # load finished A619: 60 RTS A61A: CE 22 A2 DEC $A222 # next track A61D: 10 16 BPL $A635 # <0 ? A61F: A9 27 LDA #$27 # yes => track $27 A621: 8D 22 A2 STA $A222 A624: EE 23 A2 INC $A223 # ... and next sector on track A627: AD 23 A2 LDA $A223 A62A: C9 12 CMP #$12 # last sector on track? A62C: 90 07 BCC $A635 # no => exit A62E: A9 00 LDA #$00 # reset to $0 A630: 8D 23 A2 STA $A223 A633: 18 CLC # exit with error (?) A634: 60 RTS A635: 38 SEC # exit A636: 60 RTS A637: A9 01 LDA #$01 # =>READ A639: D0 02 BNE $A63D A63B: A9 02 LDA #$02 # =>WRITE A63D: 8D 21 A2 STA $A221 # pointer,X A640: A9 80 LDA #$80 # buffer $be80 A642: 8D 24 A2 STA $A224 A645: A9 BE LDA #$BE A647: 8D 25 A2 STA $A225 A64A: A9 27 LDA #$27 # start on track $27 A64C: 8D 22 A2 STA $A222 A64F: A9 00 LDA #$00 # and read 1st sector on each track A651: 8D 23 A2 STA $A223 A654: A9 03 LDA #$03 # 3 sectors A656: 8D 26 A2 STA $A226 A659: 20 70 A6 JSR $A670 # read n sectors A65C: 90 10 BCC $A66E A65E: AD FE BE LDA $BEFE # buffer,$7e A661: C9 59 CMP #$59 # marker for mapping table = $59 $4c A663: D0 09 BNE $A66E A665: AD FF BE LDA $BEFF # buffer,$7f A668: C9 4C CMP #$4C A66A: D0 02 BNE $A66E A66C: 38 SEC # sector contents verified A66D: 60 RTS A66E: 18 CLC # wrong sector contents A66F: 60 RTS A670: 20 06 A2 JSR $A206 # =>$a507, read n sectors A673: 30 18 BMI $A68D A675: 18 CLC A676: AD 24 A2 LDA $A224 # increment buffer A679: 69 80 ADC #$80 A67B: 8D 24 A2 STA $A224 A67E: 90 03 BCC $A683 A680: EE 25 A2 INC $A225 A683: 20 1A A6 JSR $A61A # calculate next sector number A686: CE 26 A2 DEC $A226 # another sector? A689: D0 E5 BNE $A670 # yes=>loop A68B: 38 SEC A68C: 60 RTS # no=>done A68D: 18 CLC # error A68E: 60 RTS -- A88E: A2 00 LDX #$00 # VBI while loading A890: 20 E2 A8 JSR $A8E2 # check CDTMV1 ... A893: D0 03 BNE $A898 A895: 20 FF A8 JSR $A8FF # ... and exec if needed A898: A5 42 LDA CRITIC A89A: D0 25 BNE $A8C1 A89C: E6 14 INC RTCLOK+2 # increment RTCLOK+2 A89E: AD 2F 02 LDA SDMCTL # handle shadow registers A8A1: 8D 00 D4 STA DMACTL A8A4: AD F4 02 LDA CHBAS A8A7: 8D 09 D4 STA CHBASE A8AA: AD 30 02 LDA SDLSTL A8AD: 8D 02 D4 STA DLISTL A8B0: AD 31 02 LDA SDLSTH A8B3: 8D 03 D4 STA DLISTH A8B6: A2 04 LDX #$04 A8B8: BD C4 02 LDA COLOR0,X A8BB: 9D 16 D0 STA COLPF0,X A8BE: CA DEX A8BF: 10 F7 BPL $A8B8 A8C1: A9 08 LDA #$08 # reset yellow keys A8C3: 8D 1F D0 STA CONSOL A8C6: AD 1F D0 LDA CONSOL A8C9: 29 07 AND #$07 A8CB: C9 07 CMP #$07 # any one pressed? A8CD: D0 10 BNE $A8DF # yes => reboot A8CF: A2 05 LDX #$05 # no => check OS A8D1: BD FA FF LDA $FFFA,X A8D4: DD 00 01 CMP $0100,X A8D7: D0 06 BNE $A8DF A8D9: CA DEX A8DA: 10 F5 BPL $A8D1 A8DC: 4C 62 E4 JMP XITVBV A8DF: 4C 77 E4 JMP COLDSV # CONSOL key pressed -- A507: AD 24 A2 LDA $A224 # (via $a206) prepare DCB and read sector A50A: 8D 16 A2 STA $A216 # DBUFLO A50D: AD 25 A2 LDA $A225 # DBUFHI A510: 8D 17 A2 STA $A217 A513: AE 21 A2 LDX $A221 # FORMAT? A516: F0 03 BEQ $A51B # yes=>skip A518: 20 3E A5 JSR $A53E # calculate DAUX1/2: current-track + sector-on-track A51B: BD 2D A2 LDA $A22D,X # get DCOMND from table (EORed 21 52 57) A51E: 49 FF EOR #$FF # EOR #$FF A520: 8D 14 A2 STA $A214 # DCOMND A523: 20 C7 A4 JSR $A4C7 # DSKINV A526: 30 03 BMI $A52B # error? => get status A528: A2 00 LDX #$00 A52A: 60 RTS A52B: 98 TYA A52C: 48 PHA # save DSTATS A52D: A9 53 LDA #$53 # STATUS A52F: 8D 14 A2 STA $A214 # DCOMND A532: 20 C7 A4 JSR $A4C7 # DSKINV A535: AD 1E A2 LDA $A21E # DVSTAT+1 A538: 49 FF EOR #$FF # EOR #$FF A53A: AA TAX # =>X A53B: 68 PLA # restore DSTATS A53C: A8 TAY A53D: 60 RTS A53E: AD 22 A2 LDA $A222 # calculate sector number by A222/3 A541: 8D 14 A2 STA $A214 # current track no. A544: A9 00 LDA #$00 # DAUX1/2 =$00 A546: 8D 1B A2 STA $A21B A549: 8D 1C A2 STA $A21C A54C: A0 08 LDY #$08 # 8 bits A54E: 0E 14 A2 ASL $A214 # multiply $A222*#$12 A551: 90 0E BCC $A561 A553: 18 CLC # DAUX1/2 +=$12 A554: AD 1B A2 LDA $A21B A557: 69 12 ADC #$12 A559: 8D 1B A2 STA $A21B A55C: 90 03 BCC $A561 A55E: EE 1C A2 INC $A21C A561: 88 DEY A562: F0 08 BEQ $A56C A564: 0E 1B A2 ASL $A21B # DAUX1/2 *=$02 A567: 2E 1C A2 ROL $A21C A56A: 90 E2 BCC $A54E # loop (8 times) A56C: 38 SEC # DAUX1/2 +=$A223+1 A56D: AD 1B A2 LDA $A21B # 1st sector on track A570: 6D 23 A2 ADC $A223 # + current sector on track A573: 8D 1B A2 STA $A21B # =>DAUX1/2 A576: 90 03 BCC $A57B A578: EE 1C A2 INC $A21C A57B: 60 RTS -- A7C2: A9 00 LDA #$00 # Check sectors $a001 and $800 A7C4: 8D 16 A2 STA $A216 # buffer $600 A7C7: A9 06 LDA #$06 A7C9: 8D 17 A2 STA $A217 A7CC: A0 01 LDY #$01 A7CE: A9 01 LDA #$01 # sector $a001 A7D0: 8D 1B A2 STA $A21B A7D3: A9 A0 LDA #$A0 A7D5: 8D 1C A2 STA $A21C A7D8: 8C 30 A2 STY $A230 # =>$31 A7DB: 20 9A A7 JSR $A79A A7DE: 30 04 BMI $A7E4 # must be bad A7E0: A9 FF LDA #$FF A7E2: D0 0C BNE $A7F0 A7E4: A9 0D LDA #$0D # =>$3d device-ID? A7E6: 8D 30 A2 STA $A230 A7E9: 20 9A A7 JSR $A79A A7EC: 10 F2 BPL $A7E0 # must be bad A7EE: A9 00 LDA #$00 A7F0: 8D 01 07 STA $0701 A7F3: A9 00 LDA #$00 # sector $800, buffer $800 A7F5: 8D 16 A2 STA $A216 A7F8: 8D 1B A2 STA $A21B A7FB: A9 08 LDA #$08 A7FD: 8D 17 A2 STA $A217 A800: 8D 1C A2 STA $A21C A803: A9 01 LDA #$01 # =>$31 A805: 8D 30 A2 STA $A230 A808: 20 9A A7 JSR $A79A A80B: 30 05 BMI $A812 # must be bad A80D: A9 FF LDA #$FF A80F: 8D 01 07 STA $0701 A812: AD 01 07 LDA $0701 # marker =$00? A815: F0 2B BEQ $A842 # yes => go ahead A817: A9 57 LDA #$57 A819: 8D 14 A2 STA $A214 # DCOMND A81C: A9 00 LDA #$00 A81E: 8D 1B A2 STA $A21B A821: A9 43 LDA #$43 # buffer $a843 A823: 8D 16 A2 STA $A216 A826: A9 A8 LDA #$A8 A828: 8D 17 A2 STA $A217 A82B: A9 08 LDA #$08 # sector $800 A82D: 8D 1C A2 STA $A21C A830: 20 C7 A4 JSR $A4C7 # DSKINV A833: 30 0D BMI $A842 A835: A9 51 LDA #$51 # DCOMND=$51 - Happy OFF (?) A837: 8D 14 A2 STA $A214 A83A: A9 00 LDA #$00 A83C: 8D 15 A2 STA $A215 # DSTATS A83F: 20 55 A2 JSR $A255 # SIOV A842: 60 RTS -- A4C7: AD 46 02 LDA $0246 # DSKINV replacement A4CA: AE 14 A2 LDX $A214 A4CD: E0 21 CPX #$21 A4CF: F0 02 BEQ $A4D3 A4D1: A9 07 LDA #$07 A4D3: 8D 18 A2 STA $A218 A4D6: A2 40 LDX #$40 A4D8: A0 80 LDY #$80 A4DA: AD 14 A2 LDA $A214 A4DD: C9 57 CMP #$57 A4DF: D0 02 BNE $A4E3 A4E1: A2 80 LDX #$80 A4E3: C9 53 CMP #$53 A4E5: D0 0C BNE $A4F3 A4E7: A9 1D LDA #$1D A4E9: 8D 16 A2 STA $A216 A4EC: A9 A2 LDA #$A2 A4EE: 8D 17 A2 STA $A217 A4F1: A0 04 LDY #$04 A4F3: 8E 15 A2 STX $A215 A4F6: 8C 19 A2 STY $A219 A4F9: A9 00 LDA #$00 A4FB: 8D 1A A2 STA $A21A A4FE: 20 55 A2 JSR $A255 A501: 30 03 BMI $A506 A503: AC 15 A2 LDY $A215 A506: 60 RTS -- A255: A9 01 LDA #$01 # SIOV replacement A257: 85 42 STA CRITIC A259: A9 0D LDA #$0D A25B: 85 E6 STA $E6 A25D: A9 28 LDA #$28 A25F: 8D 04 D2 STA AUDF3 A262: A9 00 LDA #$00 A264: 8D 06 D2 STA AUDF4 A267: 18 CLC A268: A9 30 LDA #$30 A26A: 6D 30 A2 ADC $A230 A26D: 85 EC STA $EC A26F: AD 14 A2 LDA $A214 A272: 85 ED STA $ED A274: AD 1B A2 LDA $A21B # DAUX1 A277: 85 EE STA $EE A279: AD 1C A2 LDA $A21C # DAUX2 A27C: 85 EF STA $EF A27E: A9 EC LDA #$EC A280: 85 E2 STA $E2 A282: A9 F0 LDA #$F0 A284: 85 E4 STA $E4 A286: A9 00 LDA #$00 A288: 85 E3 STA $E3 A28A: 85 E5 STA $E5 A28C: A9 34 LDA #$34 A28E: 8D 03 D3 STA PBCTL A291: 20 91 A4 JSR $A491 A294: A5 F1 LDA $F1 A296: D0 03 BNE $A29B A298: 98 TYA A299: D0 07 BNE $A2A2 A29B: C6 E6 DEC $E6 A29D: 10 BE BPL $A25D A29F: 4C D3 A2 JMP $A2D3 A2A2: AD 15 A2 LDA $A215 A2A5: 10 0C BPL $A2B3 A2A7: A9 0D LDA #$0D A2A9: 85 E6 STA $E6 A2AB: 20 16 A4 JSR $A416 A2AE: 20 91 A4 JSR $A491 A2B1: F0 E8 BEQ $A29B A2B3: 20 82 A4 JSR $A482 A2B6: A9 00 LDA #$00 A2B8: 85 F1 STA $F1 A2BA: 20 A2 A4 JSR $A4A2 A2BD: F0 0B BEQ $A2CA A2BF: 2C 15 A2 BIT $A215 A2C2: 50 0F BVC $A2D3 A2C4: 20 16 A4 JSR $A416 A2C7: 20 98 A3 JSR $A398 A2CA: A5 F1 LDA $F1 A2CC: F0 05 BEQ $A2D3 A2CE: AD 13 A2 LDA $A213 A2D1: 85 E0 STA FR1 A2D3: 20 6D A4 JSR $A46D A2D6: A9 00 LDA #$00 A2D8: 85 42 STA CRITIC A2DA: A4 E0 LDY FR1 A2DC: 8C 15 A2 STY $A215 A2DF: 60 RTS Stage 2 of loader (from $b400): ---------------------------------------------------------- The "pervert dispatcher loop" which controls the load process B6AC: 68 PLA # =$b6 B6AD: 85 D2 STA $D2 B6AF: 86 D3 STX $D3 # =$ff B6B1: 68 PLA # =$f1 B6B2: 29 C7 AND #$C7 # =$c1 B6B4: 85 D4 STA FR0 B6B6: 38 SEC B6B7: 68 PLA # =$42 B6B8: E9 02 SBC #$02 # =$40 B6BA: 85 D5 STA $D5 B6BC: 68 PLA # =$ba B6BD: E9 00 SBC #$00 B6BF: 85 D6 STA $D6 B6C1: 20 D1 B5 JSR $B5D1 # wait for ??? B6C4: 4C C1 B6 JMP $B6C1 # loop until ??? -- B5C6: A5 D4 LDA FR0 B5C8: 48 PHA B5C9: 40 RTI # go somewhere and return by BRK B5CA: 08 PHP B5CB: 68 PLA B5CC: 29 C7 AND #$C7 B5CE: 85 D4 STA FR0 B5D0: 60 RTS B5D1: 20 BF B5 JSR $B5BF B5D4: A0 00 LDY #$00 B5D6: B1 D5 LDA ($D5),Y B5D8: 85 DF STA $DF B5DA: 30 46 BMI $B622 B5DC: C9 30 CMP #$30 B5DE: B0 11 BCS $B5F1 B5E0: C9 0C CMP #$0C B5E2: B0 0A BCS $B5EE B5E4: 0A ASL B5E5: AA TAX B5E6: BD 78 B4 LDA $B478,X # fetch subroutine's address B5E9: 48 PHA B5EA: BD 77 B4 LDA $B477,X B5ED: 48 PHA B5EE: 4C C6 B5 JMP $B5C6 -- # => until $b477/8 =$b4b3, PLP=$c1 B4B3: 68 PLA # =$c3 B4B4: 68 PLA # =$b6 B4B5: A5 D6 LDA $D6 # =$b7 B4B7: 48 PHA B4B8: A5 D5 LDA $D5 # =$15, =$02 B4BA: 48 PHA B4BB: A5 D4 LDA FR0 # =$c1, =$40 B4BD: 48 PHA B4BE: A6 D3 LDX $D3 # =$ff, =$7f B4C0: A5 D2 LDA $D2 # =$c1, =$0b B4C2: 28 PLP # =$f1?, =$70 B4C3: 60 RTS # => $b716, $b703 Routine in sector $eb (235) at offset $7510: ---------------------------------------------------------- B703: A9 00 LDA #$00 # disable VVBLKD B705: 8D 03 B4 STA $B403 B708: 20 06 A2 JSR $A206 # =>$a6d3, $a227/8=$d0 $c1 => 649 to $a000, write damaged sector B70B: A9 80 LDA #$80 # enable VVBLKD B70D: 8D 03 B4 STA $B403 ---------------------------------------------------------- B70B: 4C E0 BF JMP $BFE0 # fake expected sector data and status B70E: 03 B4 B710: 98 TYA B711: 00 BRK # protection fails if code does not return from here Added code to end of sector $29b (667) at offset $14d10: ---------------------------------------------------------- BFE0: AE FF 9F LDX $9FFF # number of stable bytes (minus 2) BFE3: E8 INX BFE4: E8 INX BFE5: AD 0A D2 LDA RANDOM # fill damaged area with random data BFE8: 9D 00 A0 STA $A000,X BFEB: E8 INX BFEC: 10 F7 BPL $BFE5 BFEE: A2 08 LDX #$08 # fake expected status codes BFF0: A0 90 LDY #$90 BFF2: A9 80 LDA #$80 # run the commands overwritten ... BFF4: 8D 03 B4 STA $B403 # ... by crack (enable VVBLKD) BFF7: 4C 10 B7 JMP $B710 # go back (BRK may not be here) VVBLKD running during load: ---------------------------------------------------------- This code is probably the reason why the BRK must be at $B711. B425: 2C 03 B4 BIT $B403 # VVBLKD enabled? B428: 10 4A BPL $B474 # no => skip B42A: AC 04 B4 LDY $B404 # monitor stack values B42D: 68 PLA B42E: 99 1D B4 STA $B41D,Y B431: 68 PLA B432: 99 19 B4 STA $B419,Y B435: 68 PLA B436: 99 15 B4 STA $B415,Y B439: 68 PLA B43A: 99 11 B4 STA $B411,Y B43D: 68 PLA B43E: 99 09 B4 STA $B409,Y B441: 68 PLA B442: 99 0D B4 STA $B40D,Y B445: BA TSX B446: 8A TXA B447: 99 21 B4 STA $B421,Y B44A: C8 INY B44B: 98 TYA B44C: 29 03 AND #$03 B44E: A8 TAY B44F: B9 05 B4 LDA $B405,Y B452: 10 F6 BPL $B44A B454: B9 21 B4 LDA $B421,Y B457: AA TAX B458: 9A TXS B459: B9 0D B4 LDA $B40D,Y B45C: 48 PHA B45D: B9 09 B4 LDA $B409,Y B460: 48 PHA B461: B9 11 B4 LDA $B411,Y B464: 48 PHA B465: B9 15 B4 LDA $B415,Y B468: 48 PHA B469: B9 19 B4 LDA $B419,Y B46C: 48 PHA B46D: B9 1D B4 LDA $B41D,Y B470: 48 PHA B471: 8C 04 B4 STY $B404 B474: 4C 62 E4 JMP XITVBV Variables at $A2xx ---------------------------------------------------------- A214 DCOMND A215 DSTATS A216 DBUFLO A217 DBUFHI A218 DTIMLO A219 DBYTLO A21A DBYTHI A21B DAUX1 A21C DAUX2 A21D-A220 DVSTAT, 4 bytes A221 pointer,X -> DCOMND A222 track A223 sector-on-track (minus 1) A224 to-be-DBUFLO A225 to-be-DBUFHI A226 sector count A227-A228 "key" A229 start-DBUFLO with key A22A start-DBUFHI with key A22B A22C pointer to key DISKMAP - 40 TRACKS - 18 SECTORS 1 ********** ********** ********** ********** 2 ********** **.******. ........** ********** 3 ********** ********** ********** ********** 4 ********** ********:: :c:::::*** ********** 5 ********** ********** ********** ********** 6 *.******** ********** ********** ********** 7 ********** ********** ********** ********** 8 ********** ********** ********** ********** 9 ********** ********** ********** ********** 10 *......... .......... .......... ........** 11 *......... .......... .......... .......... 12 *......... .......... ..c....... .......... 13 *......... .......... .......... .......... 14 *......... .......... .......... .......... 15 *......... .......... .......... .......... 16 *......... .......... .......... .......... 17 *......... .......... .......... .......... 18 *......... .......... .......... .......... * OK/DATA .,;: OK/EMPTY ($00, $1A, $FF, other) | MISSING d DELETED C BAD CRC l/L LONG/l+DELETED crack.rup NINJA1T raw 7fffffff 1c04288ac7e7f31e66e1e4c52f2928b1 783f6b81366b8cce09a0690a717665a6b07c151b 751b 4ce0bf 14d70 aeff9fe8e8ad0ad29d 14d7a a0e810f7a208a090a9808d03b44c10b7 uncrack.rup NINJA1T raw 4f448b4e e4a5d8f25558f663dc1a5bf85794e17a 947fe05f72da2697c22c07185f37765221b3abc9 751b a9808d 14d70 000000000000000000 14d7a 00000000000000000000000000000000