Microzine8
From DaphneWiki
Contents |
Microzine #8 (Zazoo)
The copy of Microzine #8 which I have access to uses a very similar copy protection scheme as Microzine #19 (and #17) does.
Recovering the data
The disk has non-standard formatting but can still be read properly as long as a copy program ignores non-fatal errors. To copy the disk,
- Boot a DOS 3.3 system master disk
- type the following at the BASIC prompt:
- "call -151"
- "b942: 18"
- "RUN COPYA"
- copy the microzine disk to a duplicate
The Copy Protection Routine
I cracked this disk after having cracked #19 and if you read what I wrote for microzine19 you'll remember that the copy protection routine is stored in a small file called W.SPC . By chance I happened to catalog the disk before attempting to crack it and found W.SPC, so I was suspicious. I located its track/sector number using Copy ][+'s Disk Mapping feature, and then went to that spot and sure enough, there was the copy protection routine.
Here is the relevant code:
00/9000: 20 e3 03 JSR $03e3 00/9003: 85 fb STA $fb 00/9005: 84 fa STY $fa 00/9007: a9 c5 LDA #$c5 00/9009: 48 PHA 00/900a: a9 00 LDA #$00 00/900c: 85 fc STA $fc 00/900e: a2 03 LDX #$03 00/9010: bc 35 90 LDY $9035,X 00/9013: 91 fa STA ($fa),Y 00/9015: ca DEX 00/9016: 10 f8 BPL $9010 00/9018: 8a TXA 00/9019: 48 PHA 00/901a: 20 28 90 JSR $9028 00/901d: a0 01 LDY #$01 00/901f: b1 fa LDA ($fa),Y 00/9021: aa TAX 00/9022: 20 39 90 JSR $9039 00/9025: 68 PLA 00/9026: 68 PLA 00/9027: 60 RTS 00/9028: 20 e3 03 JSR $03e3 00/902b: 20 d9 03 JSR $03d9 00/902e: a9 00 LDA #$00 00/9030: 85 48 STA $48 00/9032: b0 52 BCS $9086 00/9034: 60 RTS
The nibble check is at $9039.
00/9039: bd 89 c0 LDA $c089,X 00/903c: a9 56 LDA #$56 00/903e: 85 fd STA $fd 00/9040: a9 08 LDA #$08 00/9042: c6 fc DEC $fc 00/9044: d0 04 BNE $904a 00/9046: c6 fd DEC $fd 00/9048: f0 3c BEQ $9086 00/904a: bc 8c c0 LDY $c08c,X 00/904d: 10 fb BPL $904a 00/904f: c0 fb CPY #$fb 00/9051: d0 ed BNE $9040 00/9053: f0 00 BEQ $9055 00/9055: ea NOP 00/9056: ea NOP 00/9057: bc 8c c0 LDY $c08c,X 00/905a: c0 08 CPY #$08 00/905c: 2a ROL 00/905d: b0 0b BCS $906a 00/905f: bc 8c c0 LDY $c08c,X 00/9062: 10 fb BPL $905f 00/9064: c0 ff CPY #$ff 00/9066: d0 d8 BNE $9040 00/9068: f0 eb BEQ $9055 00/906a: bc 8c c0 LDY $c08c,X 00/906d: 10 fb BPL $906a 00/906f: 84 fc STY $fc 00/9071: c9 0a CMP #$0a 00/9073: d0 cb BNE $9040 00/9075: bd 8c c0 LDA $c08c,X 00/9078: 10 fb BPL $9075 00/907a: 38 SEC 00/907b: 2a ROL 00/907c: 25 fc AND $fc 00/907e: 49 ff EOR #$ff 00/9080: d0 04 BNE $9086 00/9082: dd 88 c0 CMP $c088,X 00/9085: 60 RTS 00/9086: a8 TAY 00/9087: dd 88 c0 CMP $c088,X 00/908a: 68 PLA 00/908b: 68 PLA 00/908c: 99 00 90 STA $9000,Y 00/908f: c8 INY 00/9090: c0 8b CPY #$8b 00/9092: d0 f8 BNE $908c 00/9094: 60 RTS
If the nibble check passes, it goes to $9082, otherwise it ends up at $9086 on failure.
This is very similar to the Microzine #19 code except the JSR to the nibble checker goes to $9039 (at $9022) instead of $9073.
The Crack
I will use the same method I used for #19 and change the JSR at $9022 to a LDA.
With a sector editor
Search for "20 39 90 68 68". I found mine on track $2, sector $2, byte $26. Simply change the $20 to an $AD and the copy protection will be bypassed.
