
Cracking BurgerTime, a 1982 game on a floppy disk - pavel_lishin
https://ia801505.us.archive.org/33/items/BurgerTime4amCrack/BurgerTime%20(4am%20crack).txt
======
JoshTriplett
Interesting exploration and impressive persistence. This approach definitely
provides more detailed information about how the process worked. This seems
like the only approach that would have worked back in 1982.

Reading the description of the archive.org project at
[https://archive.org/details/apple_ii_library_4am&tab=about](https://archive.org/details/apple_ii_library_4am&tab=about)
makes it clear that this effort intentionally deconstructs and documents the
original copy protection.

Other than as an exploration of copy protection, though, I can't help but
wonder if the simplest approach to preserve and run the same software today
would involve an appropriate emulator, more accurate floppy drive emulation,
and the unmodified original disk image. The crazy amount of self-decryption
and obfuscated code wouldn't matter as long as it found what it expected on
the disk; the modifications just let it run on real hardware using a copied
disk.

Apart from allowing the use of the original unmodified disk, emulation would
also avoid the possibility of missing more subtle copy protection schemes.
This particular disk made things easier by just stopping the game at the
start. Some of the worse copy protection mechanisms developed later would
detect a copied game, leave it somewhat playable, but make it either
exceptionally difficult or intentionally broken near the end. Sometimes they
would include a more obvious copy protection scheme to defeat, one that prevented
playing the game at all, so that a prospective cracker would think themselves
successful once the game starts. See
[http://media.earthboundcentral.com/2011/05/earthbounds-copy-protection/index.html](http://media.earthboundcentral.com/2011/05/earthbounds-copy-protection/index.html)
for an example.

~~~
kevin_thibedeau
Some copy protection systems relied on using subtle timing errors to create
disks that would read as "corrupt" by standard system software. Replicating
this behavior in an emulator would be a major undertaking as well as being
hard to reproduce in an image format.

~~~
delinka
I think the ultimate problem with emulation is the disk image: how do you
image a disk with these subtle timing errors? The default behavior of the
software operating the drive isn't aware of half tracks; every vendor uses
different tricks so you don't know which 'timing errors' to activate; etc.

~~~
david-given
Go look into Kryoflux:

[http://www.kryoflux.com/?page=kf_features](http://www.kryoflux.com/?page=kf_features)

It's a USB floppy controller which allows you to image the raw magnetic state
of the disk (subject to head step and width). It allows you to record the disk
and _then_ try to figure out what the format is. It's good enough to allow you
to read CLV disks, such as Mac floppies, from an image taken from a CAV drive,
such as a PC one. I don't know whether it supports half tracks --- probably
--- but it will certainly support all the weird timing error tricks.

It's not what I would call user friendly but once you've figured it out the
results are magical. I was able to image an ancient BBC Micro floppy disk once
and then spend ages figuring out how to parse the sector layout and encoding
density working with just the image. Not only does this avoid having to keep
working with the fragile disk, but it's way faster!

------
kabdib
I wrote some 6502 protection code for Atari game cartridges. The problem was
that a cartridge could be copied (trivially), then loaded into RAM at the same
address, then run. There were many disks running around with cracks of
cartridges that you could just load and run. The goal of the protection code
was to detect whether the code was running in RAM or ROM, usually by hiding
writes that would cause crashes or be detected by the game logic.

Once I had about two weeks to spare on a protection system; it used a couple
levels of decryption and some delaying tactics so that the title would crash
minutes after starting.

A prolific Atari pirate lived in my apartment complex. After the cartridge
shipped, I asked him about it. "Oh, that was a hard one. It took me and my
friends three days to crack."

Time and numbers are not on the side of DRM. (I'm also unconvinced that Atari
lost much money to copying).

~~~
ddingus
Cart protection on 6502 was tough to hide. I personally never reversed one,
but a friend and I did a couple for the 6809. That thing was tough! Lots of
options, addressing modes, etc... Took weeks, and it was on cassette.

I've often wondered about your last bit there.

The way it was in my little home town is a lot of people copied stuff. But,
they barely could afford the computers too. Those who did have the bucks
bought most of the stuff that ended up copied. You might be right, at least
early on.

Later in the 80s, disk copying was massive. The C64 scene seemed to have
buyers, but nearly everyone was on copied media in the Atari scene. Fewer
machines, more copies, and it seemed like easier copies too... Some schemes
were bad sector ones, and frankly, one could just count the beeps, open the
door, wait for the error and continue. Not everyone checked the nature of the
error, it seems.

------
incepted
I'm both impressed and terrified that most of this article makes sense to me,
even thirty years later.

It feels like writing the protection must have taken longer than developing
the game itself.

If you're curious, here is the actual game:

[https://www.youtube.com/watch?v=5wEWftbwSm4](https://www.youtube.com/watch?v=5wEWftbwSm4)

Hard to imagine they went to that amount of trouble to protect it, but those
were different days.

~~~
Sanddancer
This was written just a couple days ago, it's just in the formatting of files
written 30 years ago. The writing and explanation style is definitely a lot
more modern and detailed.

~~~
incepted
Oh, wow... now my mind is blown for real.

May I ask how you know that?

Does this mean that the person actually cracked this game recently just to
post such a write up?

~~~
homarp
see
[https://archive.org/details/apple_ii_library_4am](https://archive.org/details/apple_ii_library_4am)
A collection of historical software for Apple II computers from the 1980s and
early 1990s. Each item was originally copy protected (i.e. the original floppy
disk could not be copied to another floppy disk), but the copy protection has
been removed and documented. Most items also include a "work disk" comprising
the intermediate files created during the deprotection.

To send feedback, ask questions, or get notified of new releases, follow
@a2_4am on Twitter.

~~~
incepted
Fascinating.

Do you know how they do it? I mean, in order to crack these games, they need
to have the original physical floppy, don't they? Or do they have a digital
version of the protected floppy with all its weird sectoring and data on it?

~~~
MagerValp
Well you'd have to start with an original floppy or cassette, wouldn't you?
Some still enjoy cracking on the real hardware, but most make a low level
floppy or tape image and work from that.

I've only cracked relatively simple stuff, but working in an emulator is a LOT
easier than working on real hardware. In an emulator you can freeze the system
and inspect both the computer and the disk drive, set breakpoints, modify
memory, and so on, and it's totally undetectable to the protection code.

------
Sanddancer
Fantastic article as to how cracking was done back in the day. Plus, I've
gotta give style points for it being formatted as 40 column, even if it isn't
in all upper case, like files from back in the day would be. Though I was
surprised he didn't check to see what that solitary bad sector was near the
beginning of his explorations, because that was a pretty common way of keeping
raw disk copy software from duplicating programs. All in all fascinating
article.

~~~
Narishma
3 days ago, not back in the day.

------
jacquesm
Hehe, lots of dusty neurons firing while reading this. Wonder how many old
school hackers cut their teeth on cracking games.

    > In Which I'd Like To Add You
    > To My Professional Network Of
    > Linked Catalog Sectors

Priceless...

How much wall clock time went into this?

    > I'm beginning to suspect that this disk
    > is nothing more than an infinite series
    > of decryption routines with a game
    > bolted on as an afterthought.

~~~
Vivtek
I would guess that to the guy who did the copy protection it _was_ his master
work in decryption routines, funded by the sad necessity of putting a game
written by some talentless hacks into it as the ultimate payload.

------
acomjean
I love reading the deconstruction.

Those Apple copy protection schemes. Pirated software always had a "cracked
by" load screen.

The most interesting thing to me were the hardware copy cards. Since most
software fit in RAM, and the whole software would load at once, these cards
let you push a button and make a bootable disk of whatever your computer was
running.

When a disk failure meant trying to find another copy somewhere, there was a
legit fear of losing your software.

Central Point Software made some of these cards. A little info is available
online. (Being before the internet took off, the names aren't search engine
friendly.) Alaska Card advert (why settle for copying the lower 48K... before
they called it backup...):

[https://s-media-cache-ak0.pinimg.com/736x/e2/70/cd/e270cdd9028e17de61c0fd204b056884.jpg](https://s-media-cache-ak0.pinimg.com/736x/e2/70/cd/e270cdd9028e17de61c0fd204b056884.jpg)

Bottom of this page has some interesting pictures and history of these cards:
[http://retro.icequake.net/dob/](http://retro.icequake.net/dob/)

~~~
rlonstein
I was twelve or thirteen, had a ][e with a copy of Beneath Apple DOS and
the reference manual, and cracked a lot of software for the challenge. I wrote
my own nibble copier, but my friends and I pooled our money and bought Copy
][+ and Locksmith, which worked better.

My favorite, and easiest, trick was to use the 64k extended memory of the
80-column card to overlay the regular memory, copy the ROM and a few low pages
into it, then jump to the boot routine. Then when the disk stopped spinning,
I'd hit the reset button which left me with a copy of the system at that
point. Sometimes I just had to dump the program from memory, other times I
would use it to disassemble how it loaded. I had an Applied Engineering
RAMWorks card (Dad heavily used AppleWorks) and I recall there being tricks
around that but can't remember (rigged a couple of buttons for page swapping,
I think).

------
leeoniya
this one is also pretty crazy:

Super Mario World Credits Warp Explained

[https://www.youtube.com/watch?v=vAHXK2wut_I](https://www.youtube.com/watch?v=vAHXK2wut_I)

~~~
ddingus
This is crazy! And I second _too interesting..._

------
strags
I added some copy-protection to a Nintendo 64 game once. If the anti-piracy
checks ever triggered, the game would do nothing at first - but after a few
minutes, the frame-rate would ever-so-slowly start to get progressively worse
and worse until it was unplayable. I'd like to think that I pissed at least a
few people off.

~~~
stordoff
If you're going to do that sort of piracy check, you have to be absolutely
certain that it'll never trigger on a genuine copy. Red Alert 2 had a similar
idea - about 60 seconds in to a game, all of your units will explode and the
game ends - but it will sometimes trigger on legitimate copies of the game
(usually due to mods, but I've had it happen on a clean install as well).

------
boot13
Nice work! Kind of hard to believe someone would go to all that trouble now,
but fun is fun, right? I remember at least one game that was less fun to play
than it was to remove the copy protection. Some of my old articles about
removing Apple II copy protection are also posted on archive.com, like this
one: [http://archive.org/stream/computist-scan-14/issue14#page/n9/mode/1up](http://archive.org/stream/computist-scan-14/issue14#page/n9/mode/1up)

------
DrTung
I remember cracking A2FS1
[https://www.youtube.com/watch?v=sWIuTP_A6IQ](https://www.youtube.com/watch?v=sWIuTP_A6IQ)
This was before floppy disks, the game came on a cassette, but it had the same
style of boot0/boot1 encryption. Starting the game from a copied cassette, it
just printed "STOLEN AIRCRAFT! STOLEN AIRCRAFT!" all over the display.

~~~
abrookewood
Wow... It looks like it would have been more fun to crack the encryption than
actually play that game!

~~~
Starwatcher2001
Very much so. I remember spending many months cracking game protection, not
because I wanted the game, but because I wanted to pit my wits against the guy
who wrote the protection. I learned more about disk controllers and hidden
opcodes on the Z80 (TRS-80) doing that than any other way. I didn't always
beat the guy, but always learned something.

Kudos to 4am, who has more patience than me. I'd probably have given up well
before the third level of encryption.

------
32bitkid
This reminds me tangentially of the Prince of Persia bootloader/disk format[0]
used for the original Apple II release. Whenever I start to think I am clever
or am feeling frustrated, I have a list of articles/code to read through to
remind me I'm not; this is on there, and I'll be adding this to the list.

[0]:
[http://fabiensanglard.net/prince_of_persia/pop_boot.php](http://fabiensanglard.net/prince_of_persia/pop_boot.php)

