Amnesia Cracked

A posting in the CSA2 Users Group has announced a cracked version of the EA game Amnesia.  According to the posting by a CSA2 user going by the moniker Random J Hacker, ”

Amnesia is an Apple II text adventure written by science fiction author Thomas M. Disch.  Its copy protection is in the form of a disk check that  upon failure prevents the player from picking up any objects in the game,  including the bedsheet you are required to wear before leaving the hotel  room in which you awaken.  At this point, the player’s character becomes  tired, and if you choose to make him sleep, he is subjected to nightmares.

This has bothered me for a long time. 😉

I have never seen a working copy of this game.  The Computist magazine softkey (issues 48 and 51) doesn’t work and neither does the crack released by the Digital Gang.

The game is written in an interpreted language and is difficult to follow.  I spent some time tracing through the code and discovered a way to “reprotect” the game in the debugger by forcing track 6 disk reads to fail and allowing track 5 and 5.5 reads to succeed.  Then I compared the memory dump of a successful disk check with that of an unsuccessful one.  It turns out that there are two magic variables that must be set for the game to work properly.  There also appears to be a code checksum that must be preserved by any modification to the disk check routine.

Here’s some of the relevant code in RAM:

; original code (called within a loop)
; …
384e: 20 ff 37   jsr $37ff   ;read sector address field.
3851: b0 03      bcs $3856   ;branch on failure
3853: 20 04 37   jsr $3704   ;read expected sector data. carry set on fail.
3856: a9 00      lda #$00
3858: 6d e2 39   adc $39e2   ;inc magic counter 1 if carry is set
385b: 8d e2 39   sta $39e2   ;update counter
385e: ad e0 c0   lda $c0e0   ;reposition read/write head
3861: ad e2 c0   lda $c0e2
3864: ad e4 c0   lda $c0e4
3867: ad e6 c0   lda $c0e6
386a: 60         rts

Here’s a way to patch it:

; patched code. sets two important disk check result counters.
; …
3851: ad 00 18   lda $1800   ;dummy operation preserves checksum
3854: a9 02      lda #$02
3856: 8d 4d 38   sta $384d   ;set counter 2 to expected value
3859: a9 14      lda #$14
385b: 8d e2 39   sta $39e2   ;set counter 1 to expected value
; …

And here’s how to crack your own copy of Amnesia.  I used the DSK images from the TOSEC collection and tested under Applewin, Virtual ][, and on  a real Apple II+ with 64k.

Side: 1
Track: $09
Sector: $03
Byte: $A5
Old: b0 03 20 04 37 a9 00 6d e2 39
New: ad 00 18 a9 02 8d 4d 38 a9 14

Original disk image MD5: 1631bd90a6fc197ce62bdd9e30d6dd

Patched disk image MD5: b3711fc81078b3846107536a4b3fe829Greets to Apple II fans everywhere.  Have phun!”

No download link was provided for the game however, the game is available as specified in the TOSEC collection and can be cracked as specified above.
