Burgertime — How It Was Cracked Over and Over Again

Thirty years have passed, yet we get constant reminders of what the Apple computing world was like. One such reminder is the saga of the Data East-published game Burgertime. Since its release in 1982, there have been several renditions of the game on many different platforms, and even more numerous cracks of the game, particularly on the Apple ][ computer.

Recently, Rich Martin (A.K.A. Datawiz) wrote of his exploration of the winding trail of the cracks and how they worked. Here is his story:

“There is now a new disk with a patched version of Burgertime that works around an incompatibility with the Apple IIgs. Both the joystick and non-joystick versions have the patch.

The incompatibility stems from the original crackist’s (The Freeze) penchant for obfuscation. After the obligatory crack screen, you are asked to press a key to start. Once a key is pressed, some memory moves are done to put the game back in place. However, instead of jumping straight to the game’s entry point, Freeze decided to be tricky and take an indirect route.

At the Hires crack screen, when you hit a key the program continues around $2947, where there’s an oddball routine to check over HGR2. Control continues to $1D00. At $1D00, there’s a check to see if the previous code was run, which would put #BC in $BFFF. If not, it goes into a nice infinite loop. Otherwise, it runs a short subroutine to patch in 3 #EA into the game code.

Original code:
A9A7: JSR BF00

At $BF00 it’s a check for KEYIN and compare against the key values for a cheat and something else (more on that later). Why the cracker wanted to NOP it out is unclear. Once NOP’d the code is called later in the game, so it seems like a pointless endeavor….

Continuing on we hit an RTS at $1D0A and the stack is pointing to $FFFF, which makes us jump over to the zero page at $0000! At $000C I hit a BRK instruction, which jumps control over to $C3FD. At $C46A there’s a jmp to $FA47, which hits an indirect jmp to ($3f0) at $FA56. Interestingly enough, $3f0 holds 59 FA, which jumps us back to the next instruction. At $FA59, there’s a jsr to $F882 which finally leads us to $FDED. At $FDED, we have an indirect jmp to ($0036) which holds the final start point for the game 00 A3.
Execution goes to $A300 and the game finally starts.

Somewhere in that mess, the IIgs doesn’t emulate the same behavior, so it breaks. The fix is fairly straightforward. Instead of jumping to the start of this nonsense at $2947, go directly to $a300 and start the game.

The disk patches occur at Track 1D Sector 05 and Track 0F Sector 0D.
Old: 4C 47 29
New: 4C 00 A3

I mentioned that in addition to the cheat key (Control-C) that the crackist put in, I found another key check for a Control-L. This is supposed to flip to text screen, and decode some text that’s EORd with #13 to hide it from prying eyes. Unfortunately, the code doesn’t work right. At best I get a black or white screen, but perhaps the code works under an Apple II or II+. In any case, if you break out and run the code at $BF10, you should see it. If not, here’s the text output which is a small thank you list to Freeze’s buddies.

I checked through all the published secret key files and it was never documented, so in a strange way I feel like some sort of pirate archaeologist! 🙂

*** However, the story is not quite over!

A few days ago usotsuki posted a bunch of disks that he’s crunched together, and in disk 3 of the compilation there’s a copy of burger time.

http://204.16.8.40/other/btime/New Apple Crunch by usotsuki volume 03.dsk

Out of curiosity, I decided to take a look to see if it was the same crack. To my surprise, this one is cracked by a different person– The Atom and One Eye. I’ve seen his work before, and it’s not uncommon to see several cracks of the same game. But I decided to poke around in the code anyway.

Imagine my surprise to find that the code for the cheat was still there at the same entry point ($BF00). However, what was also there was the secret key to display the hidden Thanks page from the Freeze ($B100). And decoded it’s the exact same message!

So it seems that The Atom “stole” the crack from Freeze by removing his title page and inserting his own. However, in his haste he did not remove the hidden proof of who cracked it, which was the secret key! This might also explain why Freeze went through the trouble to obfuscate his code– to keep guys like The Atom from claiming his “work”.

Amazing– there really is no honor among thieves! 🙂

I had a bunch of fun with this, and it started with just helping a friend play a game on his IIgs. This platform is still full of fun and amazement even after all these years!

To download the patched version of the Burgertime disk, you can go to:

http://204.16.8.40/other/btime/burgertime_gs_patched.dsk
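
The disk patch described in the story above (4C 47 29 replaced by 4C 00 A3 in Track 1D Sector 05 and Track 0F Sector 0D) can be checked and applied with a short script. This is an added example, not Rich Martin's own tooling. It assumes a 143,360-byte DOS 3.3-order .dsk image and that the track and sector numbers are hexadecimal; the page does not give the byte offset inside each sector, so the script searches the sector and refuses to patch unless the old jump appears exactly once.

```python
SECTOR_SIZE, SECTORS_PER_TRACK, TRACKS = 256, 16, 35
IMAGE_SIZE = TRACKS * SECTORS_PER_TRACK * SECTOR_SIZE   # 143,360 bytes

OLD = bytes.fromhex("4C4729")   # JMP $2947: start of the indirect route
NEW = bytes.fromhex("4C00A3")   # JMP $A300: the game's real entry point
PATCH_SITES = [(0x1D, 0x05), (0x0F, 0x0D)]   # (track, sector) from the page


def sector_offset(track, sector):
    """Byte offset of a sector in a DOS-order image (assumed layout)."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS_PER_TRACK):
        raise ValueError(f"track/sector out of range: {track:02X}/{sector:02X}")
    return (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE


def find_all(data, needle):
    """Every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def patch_image(image):
    """Return (patched_bytes, report); never modifies an ambiguous sector."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"expected {IMAGE_SIZE} bytes, got {len(image)}")
    out, report = bytearray(image), {}
    for track, sector in PATCH_SITES:
        base = sector_offset(track, sector)
        sec = bytes(out[base:base + SECTOR_SIZE])
        old_hits, new_hits = find_all(sec, OLD), find_all(sec, NEW)
        if len(old_hits) == 1:
            pos = base + old_hits[0]
            out[pos:pos + len(OLD)] = NEW
            report[(track, sector)] = "patched"
        elif not old_hits and new_hits:
            report[(track, sector)] = "already patched"
        else:
            raise ValueError(f"T{track:02X} S{sector:02X}: expected one "
                             f"old jump, found {len(old_hits)}")
    return bytes(out), report


def make_sample_image():
    """Constructed blank image with the old jump planted (not the real disk)."""
    img = bytearray(IMAGE_SIZE)
    for (track, sector), off in zip(PATCH_SITES, (0x40, 0x9A)):
        base = sector_offset(track, sector) + off
        img[base:base + len(OLD)] = OLD
    return bytes(img)
```

Running patch_image a second time on its own output reports "already patched" for both sectors and leaves the image unchanged.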

About the Author

A.P.P.L.E.

The A.P.P.L.E. Website is run by the Apple Pugetsound Program Library Exchange Users Group and is open to all Apple and Macintosh fans and their friends.