Analysis of protection system at Broderbund Games

1 post / 0 new
speedyG's picture
Offline
Last seen: 4 years 10 months ago
Joined: Nov 16 2011 - 07:45
Posts: 2493
Analysis of protection system at Broderbund Games

Hello all together

here is an example of a commonly used disk protection system.
reading about it might give you an idea how far such protection
systems manipulate a disk to avoid the making of a copy of a disk....

First you have to unpack the UTILS for Wings of Fury.
If you haven't done so already, unpack sides 1 and 2.
Then, use CONVERT WINGS S1 to convert side one of the UNPACKED disk,
and CONVERT WINGS S2 to convert side 2. Put the unpacked disk in drive 1
when the programs tell you to do so.

Only ONE drive is required in order to convert Wings of Fury and make it
playable. The unpacked disks are merely overwritten into 18-sector format
which makes for a fast conversion and saves disk swapping.

COPY18: This is your bonus for getting the crack of Wings of Fury.

This program DOES require 2 drives.

It's features include: Copy sides 1 and 2 of WOF, change prolog byte,
and copy a range of tracks.

Big deal, you say -- well, these utilities are for 18-sector warez,
and using it you can quickly and easily copy virtually all other
Broderbund 18-sector games!

How 18-sector protection works:

Most of you know that normal DOS 3.3 writes 16 sectors per track,
and that each sector can be individually read in or written out
to the disk.

With Broderbund's 18-sector protection, it is more complicated.
Each track actually consists of 6 blocks, containing $300 bytes
of information (3 sectors or 3 pages). Each page/sector can be
loaded into memory anywhere and individually. When writing,
however, the entire track must be written at once.

How to use Broderbund's RWTS:

First, it is located at $4E00-5300
in all of the utilities. It is AIRHEART's RWTS since it was the
handiest one around. Using the loader is similar to ProDOS--
you JSR to it, and then the commands are imbedded after it.

For example,

JSR $4E00
HEX 00,01,04

[more code]

turns on drive 1 after a small delay.

This chart shows all of the combinations:

First byte:00: Turns on drive; Byte 2: 01 or 02: drive 1 or 2;
Byte 3:xx: delay to wait before accessing drive--4 is usually good.
First byte:01: Turns off drive.
First byte:02: Position drive head; Byte 2:00 or xx:
if 00, assume track number in $FF is current track.
If nonzero, read from track head is currently over
and determine current track;
Byte 3:xx: Track to move to.
First byte:03: Read a track;
Byte 2:xx: Page to begin reading at. Reads in $12 pages of information starting
at xx.
First byte:04: Read a track; Bytes 2-$13 (18 bytes): Pages to which data is to
be stored. If you don't want to read in sectors, use 00 as the
page number to read them in at.
For example, 04,32,34,35,36,37,38,39,3A,3B,3C,3D,3E,3F,00,00,00,00
is the code usually used to load in the rest of a hi-res picture
(after a 03,20).
First byte:05: Write a track; Byte 2:xx: Page to start writing from.
Analogous to 03.
First byte:06: Write a track; Bytes 2-#13:Pages to write from.
Analogous to 04.
First byte:07: Change prolog byte.
Byte 2:xx: New prolog.
This allows you to read in other 18-sector Broderbund warez.
The prolog byte for WOF is $96. For Airheart, it was $A4.

Use a nibble editor to discover what it should be for other games.
Changing this value in the COPY18 program along with copying a range of tracks
makes all 18-sector programs easily copyable (though not in 16-sector format).

18-sector disk accesses are FAST! Broderbund has written a great little RWTS
and with these docs, other people doing future cracks should have a much easier
time.

Also, I cleaned up the first few stages of WOF's boot, which makes it much easier
for someone else to do a complete crack.

All of these utilities is enough for me -- but the analysis is the hard work.

Someone only needs to grind out the 16 sector version! Space in the first boot
stage was so tight that I didn't even have room to shut off the drive while the
title page was up!

have fun with the explenation

speedyG