Disk Deprotection #1

By Richard Judd

Originally published in EUG #49


One of the more handy yet hard-to-find BBC micro sites, Retro BBC, has a guide to getting past that frustrating professional chastity belt, disk protection or more explicitly, Superior Software's disk protection. As many readers use their BBC machines to view the EUG magazine, and as the guide is short and fairly easy to comprehend, we have decided to reproduce it here for all those people who've become too frightened to play their BBC disks of Repton Thru Time in case their disk drive breaks down and destroys it forever! With ProAction flexing its muscles at the only web page with this information, and all of Superior's games for download, it would seem best to lift this documentation immediately too. If ProAction the farce [See EUG #48 - Ed] has its way, BBC owners are in for strife a-plenty as Superior's heirs become intent on blighting the machine's cosy internet existence.

Superior's Disk Protection User Guide

This guide assumes that you know how to view memory address. A simple example, would be typing PRINT ?&41B at the BASIC prompt (then pressing <RETURN>) to display the contents of address 41B in hexadecimal.

Version 1

"Sector Read Fault" text appears in code. (Used 1989, 1989).

Find the file on the disk that contains the attributes below:

      [filename]    000400  000400  0000D9

Some games that use Version One protection are Quest (1988), The Last Ninja (1988), Barbarian (1988), Barbarian 2 (1989) and Predator (1989).

In all the examples above, the protected program code is loaded at &400 so to start, type:

      >*LOAD [filename] <RETURN>

to put the code into memory. Then make a note of the PRINTed contents of the following addresses.

At memory address &41B is the number of sectors which the program will read to gather the protected file code. e.g. contents of &41B = &28 means the file length will be &2800.

At memory address &49A and &49B is the execute address (reversed) when all of the code is loaded from the disk. e.g. contents of &49A = &03, &49B = &11 means that the execute address of the code is &1103.

At memory address &4BF and &4C0 is the start address (reversed) to start loading the code from the disk. e.g. contents of &4BF = &00, &4C0 = &11 means that the start address of the code is &1100.

To stop the code from executing the protected file code, type:

      >?&499=&60 (Return from subroutine) <RETURN>

Then to run the loader, type:

      >CALL &400

This stops the program and returns the user to BASIC, whereby you can now save the data from the original, protected file to a blank disk (Not the original!). So from the above example, the file had the following attributes:

      [filename]    001100  001103  002800
                    Start   Execute Width

So from the prompt, type:

      >*SAVE [filename] 1100+2800 1103

Once the one file has been recovered from the disk and saved, the game can be copied freely. *COPY all of the other files to a blank disk and the game should work.

The Last Ninja - Example Of Version 1 Protection

Protected file = NINJA3
Original file info = NINJA3 000400 000400 0000D9

      >*LOAD NINJA3

Information in loader file:

      &41B = &1C (Length)
      &49A = &09 and &49B = &23 (Execute address - reversed)
      &4BF = &00 and &4C0 = &11 (Start address - reversed)

      >CALL &400
      >*SAVE NINJA3 0001100+1C00 2309

De-protected file info = NINJA3 001100 002309 001C00

And there you have it! Examples of getting past those Superior Software disks implementing the second version of protection are explored in the second part of this article.

Richard Judd
Continue to DISK DEPROTECTION #2, EUG #49