User Tools

Site Tools


base:all_american_bbs_-_finding_the_serial_number

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

base:all_american_bbs_-_finding_the_serial_number [2015-04-17 04:30] (current)
Line 1: Line 1:
 +The following is a copy (with minor edits) of [[http://​www.lemon64.com/​forum/​viewtopic.php?​t=23725|this thread on Lemon]].
  
 +The All American BBS archives can be found on the zimmers.net archives and its mirrors [[http://​ftp.zimmers.net/​anonftp/​pub/​cbm/​c64/​comm/​bbs/​|in the cbm/​c64/​comm/​bbs directory]],​ files "​aabbs64v116.zip"​ and "​aabbs64v116source.zip"​.
 +----
 +"I have a bit of a mystery to solve, and I'm hoping that someone here can help me.
 +
 +In the late 80's, I purchased a copy of All American BBS from the program'​s author, Nick Smith. When he sent me the disk, he also sent me my serial number, which must be entered whenever the BBS program is loaded.
 +
 +In recent months, I was able to track Nick down, and I got him to send me copies of the latest versions of AA BBS for both the 64 and 128. The 128 version is what I'm using on my BBS now, which doesn'​t require a serial number. The 64 version DOES require a serial number. Unfortunately,​ Nick says he doesn'​t remember what the serial number is for the disk he sent me with the 64 version of AA BBS. He says he remembers that he used a sector editor to set the serial numbers on the disks, but beyond that, he doesn'​t remember anything anymore.
 +
 +I know what my serial number is for my original copy of AA BBS v9.6. The serial number is 2455. He says that all serial numbers are just four digits. But the copy Nick sent me of the last version he released for the 64, v11.6b, I still haven'​t been able to try out because I can't find the serial number.
 +
 +I've posted a d64 of my original copy of AA BBS v9.6 here:
 +http://​hometown.aol.com/​Cottonwoodbbs/​AA96.D64
 +
 +And there'​s a d64 of disk 1 of AA BBS v11.6b here:
 +http://​hometown.aol.com/​Cottonwoodbbs/​AA64-1.D64
 +
 +On both of these, you just type LOAD"​*",​8,​1 which starts the program, select "​b"​ to run the BBS, and select "​no"​ when asked if you want to run the fast loader (it doesn'​t work in VICE). When the program finishes loading, the first thing you're asked is for the serial number. If you type it in wrong, the sides of the screen collapse a bit, just as if you had typed SYS64738, but then it locks up. If you type the correct serial number, then it continues on and asks you for the time and date. Again, the correct serial number for v9.6 is 2455. I've been over the disks again and again with a sector editor, and I can't figure out where the serial number is hidden. If there'​s anyone who's good at this sort of thing and loves a good mystery, PLEASE help me out. Thanks!
 +
 +-Andrew
 +
 +P.S. I have got permission from Nick Smith to release these to the public domain, so there'​s nothing illegal with trying to crack this. You can download the full copies of the latest versions for both the 64 and 128, as well as the source code for each, at http://​hometown.aol.com/​cottonwoodbbs"​
 +----
 +
 +"Load it, wait for "​Please enter your serial number"​ prompt. Start VICE monitor."​
 +
 +<​code>​
 +r
 +  ADDR AC XR YR SP 00 01 NV-BDIZC LIN CYC
 +.;e5d4 00 af ff ea 2f 36 00100011 000 002
 +</​code>​
 +
 +Stack pointer is $ea, so used stack starts feom $01eb. Check it for JSR return address.
 +
 +<​code>​
 +m 01eb
 +>​C:​01eb ​ af ff 8d cb  c5 a3 31 a5  92 c8 46 e1  67 18 e9 a7
 +</​code>​
 +
 +I guess keyboard input routine was called from $cb8d-2.
 +
 +<​code>​
 +d cb8b
 +.C:​cb8b ​  20 CF FF   JSR $FFCF
 +.C:​cb8e ​  64 8D      NOOP $8D
 +.C:​cb90 ​  99 00 BE   STA $BE00,Y
 +.C:​cb93 ​  ​88 ​        DEY
 +.C:​cb94 ​  80 79      NOOP #$79
 +.C:​cb96 ​  C9 0D      CMP #$0D
 +.C:​cb98 ​  F0 04      BEQ $CB9E
 +.C:​cb9a ​  C0 F8      CPY #$F8
 +.C:​cb9c ​  B0 ED      BCS $CB8B
 +.C:​cb9e ​  ​7A ​        NOOP
 +.C:​cb9f ​  E2 D9      NOOP #$D9
 +.C:​cba1 ​  A9 36      LDA #$36
 +.C:​cba3 ​  82 75      NOOP #$75
 +.C:​cba5 ​  4C 20 CB   JMP $CB20
 +</​code>​
 +
 +Looks like it reads serial number, stores it and jumps to $cb20.
 +
 +<​code>​
 +d cb20
 +.C:​cb20 ​  80 64      NOOP #$64
 +.C:​cb22 ​  85 01      STA $01
 +.C:​cb24 ​  82 25      NOOP #$25
 +.C:​cb26 ​  A0 00      LDY #$00
 +.C:​cb28 ​  BF 00 A0   LAX $A000,Y
 +.C:​cb2b ​  49 57      EOR #$57
 +.C:​cb2d ​  99 00 A0   STA $A000,Y
 +.C:​cb30 ​  ​C8 ​        INY
 +.C:​cb31 ​  D0 F5      BNE $CB28
 +.C:​cb33 ​  EF 2A CB   ISB $CB2A
 +.C:​cb36 ​  EF 2F CB   ISB $CB2F
 +.C:​cb39 ​  AF 2A CB   LAX $CB2A
 +.C:​cb3c ​  E0 AF      CPX #$AF
 +.C:​cb3e ​  90 E8      BCC $CB28
 +.C:​cb40 ​  A0 A0      LDY #$A0
 +.C:​cb42 ​  8C 2A CB   STY $CB2A
 +.C:​cb45 ​  8C 2F CB   STY $CB2F
 +.C:​cb48 ​  ​60 ​        RTS
 +</​code>​
 +
 +Decrypts $axxx area and returns. Set breakpoint to rts and exit, just to come back a bit later.
 +
 +<​code>​
 +break cb48
 +x
 +</​code>​
 +
 +Now enter any number and press return. We're back in monitor. Step forward twice to see where we end up
 +
 +<​code>​
 +z
 +z
 +.C:​a3c6 ​  80 4D      NOOP #$4D
 +</​code>​
 +
 +What's here?
 +
 +<​code>​
 +d a3c6
 +.C:​a3c6 ​  80 4D      NOOP #$4D
 +.C:​a3c8 ​  ​1A ​        NOOP
 +.C:​a3c9 ​  04 4C      NOOP $4C
 +.C:​a3cb ​  ​DA ​        NOOP
 +.C:​a3cc ​  C9 00      CMP #$00
 +.C:​a3ce ​  85 64      STA $64
 +.C:​a3d0 ​  85 65      STA $65
 +.C:​a3d2 ​  A9 0D      LDA #$0D
 +.C:​a3d4 ​  20 D2 FF   JSR $FFD2
 +.C:​a3d7 ​  A9 00      LDA #$00
 +.C:​a3d9 ​  99 00 BE   STA $BE00,Y
 +.C:​a3dc ​  A0 FF      LDY #$FF
 +.C:​a3de ​  BF 00 BE   LAX $BE00,Y
 +.C:​a3e1 ​  20 ED AB   JSR $ABED
 +.C:​a3e4 ​  D0 06      BNE $A3EC
 +.C:​a3e6 ​  ​88 ​        DEY
 +.C:​a3e7 ​  C0 FC      CPY #$FC
 +.C:​a3e9 ​  B0 F3      BCS $A3DE
 +.C:​a3eb ​  ​60 ​        RTS
 +.C:​a3ec ​  A0 00      LDY #$00
 +.C:​a3ee ​  BF FC A3   LAX $A3FC,Y
 +</​code>​
 +
 +Looks like it checks serial number at $abed, so check it out.
 +
 +<​code>​
 +d abed
 +.C:​abed ​  49 FF      EOR #$FF
 +.C:​abef ​  D9 64 BE   CMP $BE64,Y
 +.C:​abf2 ​  ​60 ​        RTS
 +</​code>​
 +
 +Y ranges from $ff to $fc, so let's see what vlues we compare agains.
 +
 +<​code>​
 +m bf60 bf63
 +>​C:​bf60 ​ cd ce cf cf
 +</​code>​
 +
 +This was EORed with $ff, so let's invert some bits and we get
 +32 31 30 30
 +This looks like "​2100"​ in PETSCII, but when we stored serial number into buffer we did it backwards, so it's really "​0012"​.
 +
 +Nothing you couldn'​t do with a decent cartridge on C64 as well.
 +----
 +
 +"​I'​d like to know where it is located to I can see what I missed."​
 +
 +It's inside "<​-AA CGBBS V11.6B"​ file, but as that's compressed you can't find the bytes anywhere with disk editor. I assume Nick edited the executable before compiling or packing it. Check out source disk #4, file "<​-ml+11.6"​. You need to eor its contents with $6E to find "​2100"​.
base/all_american_bbs_-_finding_the_serial_number.txt ยท Last modified: 2015-04-17 04:30 (external edit)