Breaking the DRM on the 1982 Apple ][+ port of Burger Time


#1

[Read the post]


#2

I remember one of the early DRM-circumventing methods in those Apple ][ days: when you booted off the floppy, the pre-game prompt would ask you if you wanted to print out the list of valid-copy-confirming codes.


#3

My favorite validation back in the day was for AH-64 where the incorrect call sign at the end of the mission just shot you down.

Good times.


#4

ZOMG - I had Burgertime on the Intellivision.


#5

I always got my C64 games already cracked. No sight of an original in the whole Eastern Bloc, it seemed.


#6

This shit is why a lot of people just used a memory snapshot card that would dump the contents at the press of a button after all the game was loaded. Of course it wasn’t nearly as elegant and your images were much larger.

If the game used the disk a lot then that wasn’t so great, but a lot of stuff just loaded into memory once and that was it. And even if it did, you’d at least bypassed all the boot obfuscation and the secondary loads were often much easier to debug and fix now, so it was a useful debug tool.

One more cool thing to note from the excerpt there - when you ‘boot’ an Apple ][ it really didn’t clear memory or do extensive BIOS crap, just jumped to a location, usually in ROM or peripheral space. That’s why he can just boot off his S5,D1 (slot 5, drive 1 if you were wondering) and expect RAM to stay intact. Also why you could cold boot (from powered off!) an Apple ][ into a game in less than 5 seconds off a floppy if you were good - the whole design was brilliant.


#7

I used to have the same version of this for the Apple “originally cracked by the Freeze.” I loved Locksmith. Back in the day you could defeat most copy protection just running a double pass with Locksmith.


#8

Favorite quote from his log (after he reaches yet another dead end in his quest):

If this were a job, I’d quit.


#9

I got a lot of cracked C64 games off BBSes (the 1200 baud modem was a little slow, but the files weren’t too big), but I bought some. Often they required a validation code from a booklet, which was annoying. The others usually used the trick of corrupting some sector on the original disk, so you could dupe the disk then use a sector editor to find the bad block and try to damage it to return the same read error to make a copy. Good times.


#10

The good old VC1541 drive… Next track/sector of the chain was in the first bytes of the file sector, so all sorts of shenanigans were possible; a popular prank I did at friends was a loop so after putting the floppy to the drive it started seeking back and forth all the range. You could sometimes even jam the head by pushing it too far beyond the max track.

Indeed, good times…!


#11

I remember how happy my brother and I were when we could afford our second 1541 to speed up disk duplication. Fortunately we didn’t have rappers popping up on the screen to chide us for our moral failures:


#12

Me too! The music would drive my parents nuts (especially my father, who always referred to the Intellivision as “The Time Waster”).

I can’t tell you what I’d give to play Advanced Dungeons & Dragons on that machine again. I can’t tell you because it wouldn’t be very much, but it would still be fun.


#13

#14

If I’m reading the log right, this game had that covered as well. As part of the boot it scans all of the devices plugged into the system, and stores the IDs in memory, so that if you tried to run your RAM image on a different machine it would fail.
(see “Chapter 8: In Which We Discover A Decryption Most Foul (Again)”)


#15

I liked

I’ll spare you the gory details, but there are a few more of these. Just a few. 16. There are 16 more.

It’s 1982 and this guy is snarking at twenty-first century levels!

EDIT: oh, wait, this is an archaeological exercise, not the logs of an intrepid cracker from back in the day. nvm.


#16

It’s things like this that make a good case for cautious disk preservation, as opposed to simply grabbing whatever cracked/intro’d version might be floating randomly around the Internet.

Also, I love that his tools are named “Super Demuffin” and “Advance Demuffin”. That’s savory, that.

So is all of this “new” stuff? I wonder if they have a couple of those old educational games from my elementary school days whose names I’ve never been able to remember.


[quote=“oldtaku, post:6, topic:71469”]One more cool thing to note from the excerpt there - when you ‘boot’ an Apple ][ it really didn’t clear memory or do extensive BIOS crap, just jumped to a location, usually in ROM or peripheral space. That’s why he can just boot off his S5,D1 (slot 5, drive 1 if you were wondering) and expect RAM to stay intact. Also why you could cold boot (from powered off!) an Apple ][ into a game in less than 5 seconds off a floppy if you were good - the whole design was brilliant.[/quote]How does that work…? Is the Apple ][ RAM not volatile?


#17

That really took me back. My 6502 assembler knowledge is still there buried somewhere in the back of my brain. It’s a bit rusty though…

Back in the 80s I cracked a floppy that was attached to the cover of a magazine for the BBC Micro. It was a game that you could play 3 times before it locked. You then had to buy it over the phone and you could then unlock it.

I cracked it using a disc sector reader and a jump following disassembler, both of which I had written a year earlier whilst off school with bad salmonella.

The disc used its own format except for the start, which was compatible with the BBC file system. I found the code that did the unlocking of the disk, but the code was actually scrambled and could only be unscrambled using the pass key. I.e. unlocking modified the disk. I found where the pass key was stored, but it itself was scrambled. I.e. rather like the Unix passwd file, you could crypt the pass key when it was entered by the user and compare, but not decrypt the stored one.

In the end I worked out I could modify the code so that it would overwrite the pass key stored on the disk and not compare. This required hand editing bytes in the relevant sector to add and change bits of assembler code. I then ran the disk and it asked for a pass code. I typed in any old thing. It updated the disk. I then reverted the code back to how it was and re-ran it. It asked for the pass code. I entered the one I had entered before and it unscrambled the unlock code and unlocked.

I’m pretty sure that the cost of my time to break it was worth far more than the game itself, but it taught me a lot and was rather enjoyable.


#18

Soft boot, not hard boot. I.e. not a power off boot.


#19

I jammed two things together because I was so into it - the first thing is that you can boot / reboot without losing the contents of RAM as long as you don’t hit the power switch. The second thing is that if you do turn power off, you can still cold boot real fast.

There is some hidden brilliance with the first thing - because Woz made the video circuitry take care of the RAM refresh, and the video circuitry is running off on its own, even if the system is totally frozen your RAM still gets refreshed (and stays intact) as long as the hardware isn’t damaged.


#20

Yeah, these secondary checks were pretty common (especially once the snapshot hardware became common). But as noted they were usually much easier to find and neuter than the boot obfuscation.