-------------VCR Companion-------------
A 4am crack                  2017-01-17
-------------------. updated 2021-08-27
                   |___________________

Name: VCR Companion
Version: 1988-09-28 (according to file
  metadata in ProDOS disk catalog)
Genre: graphics
Year: 1988
Credits: Louis Ewens and Lauren Elliott
Publisher: Broderbund Software
Platorm: Apple //e or later (128K)
Media: two double-sided 5.25-inch disks
OS: ProDOS 1.5
Previous cracks: none (of this version)
  Asimov has an uncredited crack whose
  latest file is dated 1988-07-27, so
  this is probably a bugfix release
  that was released two months later.

                   ~

               Chapter 0
    In Which The Tools Will Save Us


Disk 1 is bootable but protected.
The other three sides are unbootable
but unprotected.
Life is like that.
This has not been a haiku.

Disk 1 was automatically cracked by
Passport. Here is the transcript:

                 --v--

READING FROM S6,D1
T00,S00 FOUND PRODOS BOOTLOADER
USING BUILT-IN RWTS
WRITING TO S6,D2
T00,S04 FOUND E7 BITSTREAM
T00,S04,$A4: AC00AC00AC00AC00AC00AC00 ->
 78A8589C30C004A8589C58A8
CRACK COMPLETE.

                 --^--

More information and source code is
available at
https://archive.org/details/Passport4am

Disks 2-4 are unprotected, so that's
that.

Except...

                   ~

               Chapter 1
  In Which The Tools Will Not Save Us


The Passport-assisted crack works, in
the sense that the program disk boots
and works. However, this program has
something that most 8-bit Apple II
programs did not: an option to install
to a hard drive.

This presents a new wrinkle. After the
hard drive install, disk 1 acts as a
"key" disk. That is, after you launch
the program from your hard drive, it
scans all available drives for disk 1
and presents this message:

                 --v--

INSERT VCR COMPANION SIDE 1 INTO A DRIVE

          PRESS ANY KEY TO GO ON

                 --^--

The Passport-cracked version of disk 1
works as a "key" disk, so technically
this crack is already complete. But I
want to bypass this message, which
serves no purpose but copy protection.

So here we go.

Turning to my trusty Disk Fixer sector
editor, I scan for the hex sequence
"C9 E7" (since Passport already told me
that this disk is protected with the E7
bitstream). Mirabile dictu! The copy
protection code is not encrypted or
obfuscated in any way. I found 3 hits:

                 --v--

------------- DISK SEARCH -------------

$05/$0A-$80   $05/$0A-$89   $05/$0A-$92

             PRESS [RETURN]

                 --^--

But this is not the code I want to
disable. After all, if we're running
the E7 protection check, it's because
we've already asked the user to insert
disk 1. What I really want is the code
that runs just before this.

Luckily, it appears to be on the same
sector. Here is the disassembly listing
from byte $05, edited for readability
and annotated:

                 --v--

T05,S0A
----------- DISASSEMBLY MODE ----------
; boot slot
0005:A5 2B          LDA   $2B
0007:8D 15 25       STA   $2515

; ProDOS MLI call
000A:20 00 BF       JSR   $BF00

; "ONLINE" command
000D:C5

; address of parameter table -- looks
; like this sector is loaded at $2500,
; so the parameter table is just below
000E:14 25

; branch on success
0010:F0 0B          BEQ   $001D

; set carry and exit if ONLINE command
; fails (yikes)
0012:38             SEC
0013:60             RTS

; MLI parameter table -- looks like we
; are storing the results of the ONLINE
; command at $6000
0014:02
0015:00
0016:00
0017:60

; ProDOS-style string with length byte
0018:04
0019:"VCR1"

; execution continues here (from the
; BEQ at $2510)
001D:AD 00 60       LDA   $6000
0020:29 0F          AND   #$0F

; check if
0022:C9 04          CMP   #$04
0024:D0 EC          BNE   $0012
0026:AA             TAX

; compare volume name to the string
; above ("VCR1")
0027:BD 00 60       LDA   $6000,X
002A:DD 18 25       CMP   $2518,X
002D:D0 E3          BNE   $0012
002F:CA             DEX
0030:D0 F5          BNE   $0027

; save some of zero page
0032:A2 F0          LDX   #$F0
0034:B5 00          LDA   $00,X
0036:9D 00 02       STA   $0200,X
0039:E8             INX
003A:D0 F8          BNE   $0034

; set up zero page for the check
003C:A9 0A          LDA   #$0A
003E:85 F4          STA   $F4
0040:A5 2B          LDA   $2B
0042:29 70          AND   #$70
0044:85 2B          STA   $2B
0046:AA             TAX

; turn on the drive motor manually
0047:BD 89 C0       LDA   $C089,X
004A:BD 8E C0       LDA   $C08E,X

.
. E7 protection check omitted (but it's
. really interesting; read #681 The
. Hangtown Trilogy if you don't know
. how it works!)
.

; compare out-of-phase nibbles to the
; expected values
00A9:A0 07          LDY   #$07
00AB:BD 8C C0       LDA   $C08C,X
00AE:10 FB          BPL   $00AB
00B0:D1 F6          CMP   ($F6),Y
00B2:D0 05          BNE   $00B9
00B4:88             DEY
00B5:10 F4          BPL   $00AB
00B7:30 03          BMI   $00BC

; failure path (decrements a Death
; Counter and eventually sets the carry
; and exits)
00B9:4C CC 25       JMP   $25CC

; success path (from $25B7)
; restore zero page
00BC:A0 F0          LDY   #$F0
00BE:B9 00 02       LDA   $0200,Y
00C1:99 00 00       STA   $0000,Y
00C4:C8             INY
00C5:D0 F7          BNE   $00BE

; turn off drive motor
00C7:BD 88 C0       LDA   $C088,X

; clear carry and exit
00CA:18             CLC
00CB:60             RTS

                 --^--

To sum up: starting at $2505, we issue
an "ONLINE" command through the ProDOS
MLI, then check if the disk "VCR1" is
in the drive. If so, we execute the E7
protection check and clear the carry
on success. If anything goes wrong, we
set the carry and exit.

I should be able to clear the carry
unconditionally and exit before issuing
the MLI command, to fool the caller
into thinking that disk "VCR1" is in
the drive.

T05,S0A,$05: A52B -> 1860

]PR#6
...works...

I did test this patch thoroughly to
confirm that it does not interfere with
the normal operation of the program. If
the program needs disk 1 for legitimate
(non-protection-related) reasons, it
uses a different routine altogther that
displays a graphical dialog box. And if
the program needs disk 2-4 for any
reason, including during the hard drive
install, it recognizes when they're not
in any drive and recognizes when you
insert them. So this patch only affects
the copy protection check.

Quod erat liberandum.

                   ~

               Changelog


2021-08-27

- updated text to latest Passport log
  for consistency, even though we don't
  end up using it

2017-01-17

- initial release

---------------------------------------
A 4am crack                     No. 972
------------------EOF------------------
