Breaking the DRM on the 1982 Apple ][+ port of Burger Time

4AM is a prolific computer historian whose practice involves cracking the copy protection on neglected Apple ][+ floppy disks, producing not just games, but voluminous logs that reveal the secret history of the cat-and-mouse between crackers and publishers.

4AM's logfile for their crack of the 1982 port of Burger Time (which I played until my fingers bled, but on a Colecovision, I think) reveals some incredible, subtle trickery that played out within the extremely confined headroom of a 5.25" floppy's limited sectors.

Chapter 1
In Which We Start From Scratch

We're starting from bare metal on this
one. My automated tools, they do nothing
for us. Strap in.

[S6,D1=original disk]

[S6,D2=crack-in-progress (the partial
  copy I made with Locksmith Fast Disk
  Backup)]

[S5,D1=my work disk]

]PR#5
...
]CALL -151

*9600<C600.C6FFM

; copy boot sector (T00,S00) to the
; graphics page so it survives a reboot
96F8- A0 00 LDY #$00
96FA- B9 00 08 LDA $0800,Y
96FD- 99 00 20 STA $2000,Y
9700- C8 INY
9701- D0 F7 BNE $96FA

; turn off slot 6 drive motor
9703- AD E8 C0 LDA $C0E8

; reboot to my work disk in slot 5
9706- 4C 00 C5 JMP $C500

BurgerTime: A 4am crack, 2015-12-31 [4AM/archive.org]

Apple II Library: The 4am Collection [archive.org]

(via JWZ)
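
What the boot-trace patch in the quoted log does when it runs, as an added example that is not part of 4am's log or of this post: a Python model of only the seven instructions listed at $96F8, executed over a constructed 256-byte boot sector. The function name and the sample sector are assumptions made for illustration.

```python
PATCH_ADDR = 0x96F8
# Bytes exactly as shown in the listing, $96F8 through $9708.
PATCH = bytes.fromhex("A000 B90008 990020 C8 D0F7 ADE8C0 4C00C5")
# Constructed sample sector; it contains $00 bytes on purpose.
SAMPLE_SECTOR = bytes((i * 7) & 0xFF for i in range(256))


def run_patch(boot_sector):
    """Run the patch until control leaves it; return (mem, pc, io_reads)."""
    if len(boot_sector) != 256:
        raise ValueError("a sector is 256 bytes")
    mem = bytearray(0x10000)
    mem[0x0800:0x0900] = boot_sector       # the listing reads T00,S00 from $0800
    mem[PATCH_ADDR:PATCH_ADDR + len(PATCH)] = PATCH
    pc, a, y, z = PATCH_ADDR, 0, 0, False
    io_reads = []                          # reads that land in the $C0xx I/O page

    def load(addr):
        if 0xC000 <= addr <= 0xC0FF:
            io_reads.append(addr)
        return mem[addr]

    while PATCH_ADDR <= pc < PATCH_ADDR + len(PATCH):
        op = mem[pc]
        operand = mem[pc + 1] | (mem[pc + 2] << 8)   # little-endian 16-bit
        if op == 0xA0:                     # LDY #imm
            y = mem[pc + 1]
            z, pc = y == 0, pc + 2
        elif op == 0xB9:                   # LDA abs,Y
            a = load((operand + y) & 0xFFFF)
            z, pc = a == 0, pc + 3
        elif op == 0x99:                   # STA abs,Y (leaves flags alone)
            mem[(operand + y) & 0xFFFF] = a
            pc += 3
        elif op == 0xC8:                   # INY wraps $FF -> $00 and sets Z
            y = (y + 1) & 0xFF
            z, pc = y == 0, pc + 1
        elif op == 0xD0:                   # BNE: signed offset from next instruction
            off = mem[pc + 1] - 256 if mem[pc + 1] & 0x80 else mem[pc + 1]
            pc += 2 + (0 if z else off)
        elif op == 0xAD:                   # LDA abs (here: the $C0E8 motor-off access)
            a = load(operand)
            z, pc = a == 0, pc + 3
        elif op == 0x4C:                   # JMP abs
            pc = operand
        else:
            raise ValueError(f"opcode ${op:02X} is not part of this patch")
    return mem, pc, io_reads
```

The loop ends on INY's zero flag rather than LDA's, so a $00 byte inside the sector does not cut the copy short; the run finishes with the sector duplicated at $2000, one read of $C0E8, and the program counter at $C500.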


Notable Replies

  1. I remember one of the early DRM-circumventing methods in those Apple ][ days: when you booted off the floppy, the pre-game prompt would ask you if you wanted to print out the list of valid-copy-confirming codes.

  2. My favorite validation back in the day was for AH-64 where the incorrect call sign at the end of the mission just shot you down.

    Good times.

  3. I always got my C64 games already cracked. No sight of an original in the whole Eastern Bloc, it seemed.

  4. I remember how happy my brother and I were when we could afford our second 1541 to speed up disk duplication. Fortunately we didn't have rappers popping up on the screen to chide us for our moral failures:

  5. That really took me back. My 6502 assembler knowledge is still there buried somewhere in the back of my brain. It's a bit rusty though...

    Back in the 80s I cracked a floppy that was attached to the cover of a magazine for the BBC Micro. It was a game that you could play 3 times before it locked. You then had to buy it over the phone and you could then unlock it.

    I cracked it using a disc sector reader and a jump following disassembler, both of which I had written a year earlier whilst off school with bad salmonella.

    The disc used its own format except for the start which was compatible with the BBC file system. I found the code that did the unlocking of the disk but the code was actually scrambled and could only be unscrambled using the pass key. I.e. unlocking modified the disk. I found where the pass key was stored but it itself was scrambled. I.e. rather like the unix passwd file you could crypt the pass key when it was entered by the user and compare but not decrypt the stored one.

    In the end I worked out I could modify the code so that it would overwrite the pass key stored on the disk and not compare. This required hand editing bytes in the relevant sector to add and change bits of assembler code. I then ran the disk and it asked for a pass code. I typed in any old thing. It updated the disk. I then reverted the code back to how it was and re-ran it. It asked for the pass code. I entered the one I had entered before and it unscrambled the unlock code and unlocked.

    I'm pretty sure that cost of my time to break it was worth far more than the game itself but it taught me a lot and was rather enjoyable.
