MacShock.com - Apple Forums
12-30-2011, 12:50 AM
datawiz
The interesting story of Burger Time...

burgertime_gs_patched.dsk
http://204.16.8.40/other/btime/burge...gs_patched.dsk
(Will also upload to asimov)

This disk is a patched version of burgertime that works around an
incompatibility with the Apple IIgs. Both the joystick and non-
joystick versions have the patch.

The incompatibility stems from the original's Crackist's (The Freeze)
penchant for obfuscation. After the obligatory crack screen, you are
asked to press a key to start. Once a key is pressed, some memory
moves are done to put the game back in place. However, instead of
jumping straight to the game's entry point, Freeze decided to be
tricky and take an indirect route.

http://204.16.8.40/other/btime/btime_freeze_crack.png

At the Hires crack screen, when you hit a key the program continues
around $2947, where there's an oddball routine to check over HGR2.
Control continues to $1D00.
At $1D00, there's a check to see if the previous code was run, which
would put #BC in $BFFF. If not, it goes into a nice infinite loop.
Otherwise, it runs a short subroutine to patch in 3 #EA into the game
code.

Original code:
A9A7: JSR BF00

At $BF00 it's a check for KEYIN and compare against the key values for
a cheat and something else (more on that later).

Why the cracker wanted to NOP it out is unclear. Once NOP'd the code
is called later in the game, so it seems like a pointless endeavor...

Continuing on we hit an RTS at $1D0A and the stack is pointing to
$FFFF, which makes us jump over to the zero page at $0000!

At $000C I hit a BRK instruction, which jumps control over to $C3FD.
At $C46A there's a jmp to $FA47, which hits an indirect jmp to ($3f0)
at $FA56.
Interestingly enough, $3f0 holds 59 FA, which jumps us back to the next
instruction.
At $FA59, there's a jsr to $F882 which finally leads us to $FDED.
At $FDED, we have an indirect jmp to ($0036) which holds the final
start point for the game: 00 A3.
Execution goes to $A300 and the game finally starts.

Somewhere in that mess, the IIgs doesn't emulate the same behavior, so
it breaks. The fix is fairly straightforward. Instead of jumping to
the start of this nonsense at $2947, go directly to $a300 and start
the game.

The disk patches occur at Track 1D Sector 05 and Track 0F Sector 0D.
Old: 4C 47 29
New: 4C 00 A3

I mentioned that in addition to the cheat key (Control-C) that the
crackist put in, I found another key check for a Control-L. This is
supposed to flip to text screen, and decode some text that's EORd with
#13 to hide it from prying eyes. Unfortunately, the code doesn't work
right. At best I get a black or white screen, but perhaps the code
works under an Apple II or II+. In any case, if you break out and run
the code at $BF10, you should see it. If not, here's the text output
which is a small thank you list to Freeze's buddies.

http://204.16.8.40/other/btime/btime_secret_key.png

I checked through all the published secret key files and it was never
documented, so in a strange way I feel like some sort of pirate
archaeologist! :-)

*** However, the story is not quite over!

A few days ago usotsuki posted a bunch of disks that he's crunched
together, and in disk 3 of the compilation there's a copy of burger
time.

http://204.16.8.40/other/btime/New Apple Crunch by usotsuki volume 03.dsk

Out of curiosity, I decided to take a look to see if it was the same
crack. To my surprise, this one is cracked by a different person-- The
Atom and One Eye. I've seen his work before, and it's not uncommon to
see several cracks of the same game. But I decided to poke around in
the code anyway.

http://204.16.8.40/other/btime/btime_atom_crack.png

Imagine my surprise to find that the code for the cheat was still
there at the same entry point ($BF00). However, what was also there
was the secret key to display the hidden Thanks page from the Freeze
($B100). And decoded it's the exact same message…

http://204.16.8.40/other/btime/btime_secret_key.png

So it seems that The Atom "stole" the crack from Freeze by removing
his title page and inserting his own. However, in his haste he did not
remove the hidden proof of who cracked it, which was the secret key!
This might also explain why Freeze went through the trouble to
obfuscate his code-- to keep guys like The Atom from claiming his
"work".

Amazing-- there really is no honor among thieves!

I had a bunch of fun with this, and it started with just helping a
friend play a game on his IIgs. This platform is still full of fun and
amazement even after all these years!

Rich
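The disk patch described in the post above (4C 47 29 replaced by 4C 00 A3 at Track 1D Sector 05 and Track 0F Sector 0D), as an added example that is not part of the original post or any tool its author used. It assumes a 143,360-byte image whose sector order matches the post's track/sector numbers; the function names and the sample image are constructed here.

```python
TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
OLD = bytes([0x4C, 0x47, 0x29])   # JMP $2947: start of the crack's indirect route
NEW = bytes([0x4C, 0x00, 0xA3])   # JMP $A300: the game's real entry point
PATCH_SITES = [(0x1D, 0x05), (0x0F, 0x0D)]   # (track, sector) pairs from the post


def sector_offset(track, sector):
    """Byte offset of a sector. Assumption: the image stores sectors in the
    same order the post's track/sector numbers refer to."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS):
        raise ValueError(f"track/sector out of range: {track:#x}/{sector:#x}")
    return (track * SECTORS + sector) * SECTOR_SIZE


def patch_image(image, sites=PATCH_SITES, old=OLD, new=NEW):
    """Return (patched_copy, report). A site is patched only when its sector
    holds `old` exactly once; anything else raises instead of guessing."""
    if len(image) != TRACKS * SECTORS * SECTOR_SIZE:
        raise ValueError("expected a 143360-byte 5.25-inch disk image")
    out, report = bytearray(image), []
    for track, sector in sites:
        base = sector_offset(track, sector)
        data = bytes(out[base:base + SECTOR_SIZE])
        hits = [i for i in range(SECTOR_SIZE - len(old) + 1)
                if data[i:i + len(old)] == old]
        if len(hits) == 1:
            out[base + hits[0]:base + hits[0] + len(new)] = new
            report.append((track, sector, hits[0], "patched"))
        elif not hits and data.count(new) == 1:
            report.append((track, sector, data.find(new), "already patched"))
        else:
            raise ValueError(f"T{track:02X} S{sector:02X}: found {len(hits)} "
                             f"copies of {old.hex()}, refusing to patch")
    return bytes(out), report


def make_sample_image():
    """Constructed sample: a zero-filled image with the old JMP planted at
    arbitrary offsets in both sectors (the post gives no in-sector offsets)."""
    img = bytearray(TRACKS * SECTORS * SECTOR_SIZE)
    for (track, sector), off in zip(PATCH_SITES, (0x10, 0xF0)):
        base = sector_offset(track, sector)
        img[base + off:base + off + len(OLD)] = OLD
    return bytes(img)


if __name__ == "__main__":
    patched, report = patch_image(make_sample_image())
    for track, sector, off, status in report:
        print(f"T{track:02X} S{sector:02X} +{off:#04x}: {status}")
```

Running it a second time on its own output reports both sites as already patched and changes nothing, which makes it safe to use as a check on an image of unknown state.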
12-30-2011, 06:40 PM
Antoine Vignau
The interesting story of Burger Time...

Really interesting story, thanks for that,
antoine
01-01-2012, 08:40 PM
Senor Wences
The interesting story of Burger Time...

Great documentation of your efforts, and as Antoine said, a great
story. "No honor among thieves!"
01-02-2012, 12:50 AM
Moose
The interesting story of Burger Time...

On Dec 30 2011, 10:04 am, datawiz <rich.mar...@gmail.com> wrote:

>I feel like some sort of pirate archaeologist! :-)


Yes, that's exactly what this is !


>Freeze went through the trouble to
> obfuscate his code-- to keep guys like The Atom from claiming his
> "work".


Exactly. Or better yet, when Atom releases "his" crack, all Freeze
has to do is ask people to do the Ctrl-L trick to see whose work it
really is - bammo, egg is all over Atom's face !!

If you haven't seen this already, make sure you check out Jason
Scott's very entertaining lecture on "You're Stealing it Wrong: 30
Years of Inter-Pirate Battles" ( http://vimeo.com/15400820 ), where,
among other things, he talks about Apple ][ crack screens and shows
how they evolved over time and how the "rivalry" between groups became
a hell of a lot "nastier" over time. Things like you found - Atom
stealing Freeze's crack - would have resulted in Atom being lampooned,
e.g. on future crack screens.

Keep up the excellent detective work Rich !!

All the best,

Moose OMalley
__________________________________________________ __
Moose's Software Valley - Established July, 1996.
WEB: http://move.to/moose
__________________________________________________ __