Microzine17

From DaphneWiki

Microzine #17 (MicroAgent of the Body Guard)

The copy of Microzine #17 which I have access to uses a copy protection scheme very similar to the one on Microzine #19.

UPDATE: I've just cracked a copy of Microzine #2 which seems to use the same protection as this #17 did. I've read notes about the copy protection used on another #2 and this seems different, so it appears that Scholastic juggled the copy protection.

UPDATE: Microzine #23 uses almost identical protection, with the differences noted below.

Recovering the data

The disk has non-standard formatting but can still be read properly as long as the copy program ignores non-fatal errors. To copy the disk:

  1. Boot a DOS 3.3 system master disk.
  2. Type the following at the BASIC prompt:
    1. "call -151"
    2. "b942: 18"
    3. "RUN COPYA"
  3. Copy the Microzine disk to a duplicate.

The Copy Protection Routine

I located this copy protection routine using the exact same technique I describe in microzine19.

Here is the relevant code:

00/9022: 20 58 90       JSR     $9058
00/9025: 68             PLA
00/9026: 68             PLA
00/9027: a0 00          LDY     #$00
00/9029: 84 fe          STY     $fe
00/902b: b9 4d 90       LDA     $904d,Y
00/902e: 09 80          ORA     #$80
00/9030: 20 39 90       JSR     $9039
00/9033: a4 fe          LDY     $fe
00/9035: c8             INY
00/9036: 4c 29 90       JMP     $9029
00/9039: 6c 36 00       JMP     ($0036)
00/903c: 20 e3 03       JSR     $03e3
00/903f: 20 d9 03       JSR     $03d9
00/9042: a9 00          LDA     #$00
00/9044: 85 48          STA     $48
00/9046: b0 5d          BCS     $90a5
00/9048: 60             RTS
00/9049: 08             PHP
00/904a: 04 0c          TSB     $0c

This is very similar to the Microzine #19 code except the JSR to the nibble checker goes to $9058 (at $9022) instead of $9073.

The point of failure is $90a5 ($90a1 means the nibble check has passed). Here is the nibble check for documentation purposes, but I already commented it in my write-up for #19 so I will avoid doing so again.

00/9058: bd 89 c0       LDA     $c089,X
00/905b: a9 56          LDA     #$56
00/905d: 85 fd          STA     $fd
00/905f: a9 08          LDA     #$08
00/9061: c6 fc          DEC     $fc
00/9063: d0 04          BNE     $9069
00/9065: c6 fd          DEC     $fd
00/9067: f0 3c          BEQ     $90a5
00/9069: bc 8c c0       LDY     $c08c,X
00/906c: 10 fb          BPL     $9069
00/906e: c0 fb          CPY     #$fb
00/9070: d0 ed          BNE     $905f
00/9072: f0 00          BEQ     $9074
00/9074: ea             NOP
00/9075: ea             NOP
00/9076: bc 8c c0       LDY     $c08c,X
00/9079: c0 08          CPY     #$08
00/907b: 2a             ROL
00/907c: b0 0b          BCS     $9089
00/907e: bc 8c c0       LDY     $c08c,X
00/9081: 10 fb          BPL     $907e
00/9083: c0 ff          CPY     #$ff
00/9085: d0 d8          BNE     $905f
00/9087: f0 eb          BEQ     $9074
00/9089: bc 8c c0       LDY     $c08c,X
00/908c: 10 fb          BPL     $9089
00/908e: 84 fc          STY     $fc
00/9090: c9 0a          CMP     #$0a
00/9092: d0 cb          BNE     $905f
00/9094: bd 8c c0       LDA     $c08c,X
00/9097: 10 fb          BPL     $9094
00/9099: 38             SEC
00/909a: 2a             ROL
00/909b: 25 fc          AND     $fc
00/909d: 49 ff          EOR     #$ff
00/909f: d0 04          BNE     $90a5
00/90a1: dd 88 c0       CMP     $c088,X
00/90a4: 60             RTS
00/90a5: a8             TAY
00/90a6: dd 88 c0       CMP     $c088,X
00/90a9: 68             PLA
00/90aa: 68             PLA
00/90ab: 99 00 90       STA     $9000,Y
00/90ae: c8             INY
00/90af: c0 ab          CPY     #$ab
00/90b1: d0 f8          BNE     $90ab
00/90b3: 60             RTS

Things I learned afterwards

Like #19, whatever is at $9000 is actually a file that is being BRUN.

With a sector editor, I scanned for 20 58 90 68 68 (see $9022). I then used Copy ][+ to show a file map to see which file corresponded to that location. It turned out to be a file called HELLO3.

The Crack

I will use the same method I used for #19 and change the JSR at $9022 to an LDA.

With a sector editor

Search for "20 58 90 68 68". For Microzine #17, I found mine on track $12, sector $E, byte $26. For Microzine #2, I found it on track $1c, sector $E, byte $26.

Simply change the $20 to an $AD and the copy protection will be bypassed.
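The signature search described here and under "Things I learned afterwards" can also be run against a disk image instead of a physical disk. The following is an added example, not part of the original write-up: it assumes a DOS-order .dsk image of the copied disk with a standard DOS 3.3 catalog, and the function names and the demo image are constructed for illustration. It reports each hit as track/sector/byte and names the file that owns the sector, which is what the Copy ][+ file map was used for.

```python
SECTOR, SPT = 256, 16                  # DOS 3.3 geometry: 256-byte sectors, 16 per track
SIG = bytes.fromhex("2058906868")      # JSR $9058 / PLA / PLA, the bytes at $9022

def sector(img, t, s):                 # DOS-order image: logical sectors stored in sequence
    return img[(t * SPT + s) * SECTOR:(t * SPT + s + 1) * SECTOR]

def find_sig(img, sig=SIG):
    """Return (track, sector, byte) for each occurrence of sig."""
    offs = [i for i in range(len(img) - len(sig) + 1) if img.startswith(sig, i)]
    return [(o // SECTOR // SPT, o // SECTOR % SPT, o % SECTOR) for o in offs]

def file_map(img):
    """Map (track, sector) -> file name by walking the catalog and T/S lists."""
    owner, seen = {}, set()
    ct, cs = sector(img, 0x11, 0)[1:3]                 # VTOC points at the first catalog sector
    while ct and (ct, cs) not in seen:                 # 'seen' guards against looping chains
        seen.add((ct, cs))
        cat = sector(img, ct, cs)
        for e in range(0x0B, 0x0B + 7 * 0x23, 0x23):   # 7 entries of $23 bytes each
            lt, ls = cat[e], cat[e + 1]
            if lt in (0x00, 0xFF):                     # unused or deleted entry
                continue
            name = bytes(b & 0x7F for b in cat[e + 3:e + 33]).decode().rstrip()
            while lt and (lt, ls) not in seen:         # follow the T/S list chain
                seen.add((lt, ls))
                tsl = sector(img, lt, ls)
                owner[(lt, ls)] = name
                for i in range(0x0C, SECTOR, 2):       # (track, sector) pairs
                    if tsl[i]:
                        owner[(tsl[i], tsl[i + 1])] = name
                lt, ls = tsl[1], tsl[2]
        ct, cs = cat[1], cat[2]
    return owner

def locate(img):
    owner = file_map(img)                              # pair each hit with its owning file
    return [(t, s, b, owner.get((t, s), "?")) for t, s, b in find_sig(img)]

def demo_image():  # constructed 35-track image: one binary file HELLO3 holding SIG
    img = bytearray(35 * SPT * SECTOR)
    def put(t, s, off, data):
        base = (t * SPT + s) * SECTOR + off
        img[base:base + len(data)] = data
    put(0x11, 0x00, 0x01, b"\x11\x0f")                 # VTOC -> catalog at T$11 S$F
    name = bytes(c | 0x80 for c in b"HELLO3".ljust(30))
    put(0x11, 0x0F, 0x0B, b"\x12\x0f\x04" + name + b"\x02\x00")
    put(0x12, 0x0F, 0x0C, b"\x12\x0e")                 # T/S list -> data sector T$12 S$E
    put(0x12, 0x0E, 0x26, SIG)                         # constructed hit at byte $26
    return bytes(img)
```

For a real copy, pass the bytes of the .dsk file to locate(); a hit whose owner is "?" lies in a sector no catalog entry claims.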

Microzine 23 notes

The file with the copy protection is called TOC.1 and is stored on track $A, sector $E for me.
