Confessions of a Disk Cracker: the secrets of 4am.

Paleotronic chats with the infamous Apple II disk preservationist about his motivations

Why did you choose to start aggressively de-protecting, archiving and re-distributing Apple II software?

It’s tempting to rewrite history and give myself some noble purpose for starting this hobby, but in this case the truth makes for a better story. My parents bought themselves an Apple //e when I was 10, and it quickly came to dominate my leisure time. Pirated software was rampant, and I idolized the crackers whose names I saw flash and scroll on the crack screens of the games I traded with my friends. I also admired the few who documented their methods in cracking tutorials, initially distributed as BBS text files and later collated and redistributed on disk. I PEEK’d and POKE’d and CALL’d many late nights as a teenager, but I could never quite put it all together.

In late 2013, I acquired a real Apple //e and bought a few lots of original disks on eBay, mostly arcade games that I had acquired illicitly in my youth: Sneakers, Repton, Dino Eggs. To my surprise, the originals had more content than I remembered! Sneakers has an animated boot sequence. Repton has a multi-page introduction that explains the “back story” of the game. So I set out to create “complete” cracks that faithfully reproduced the original experience. I decided to document my methods because I enjoy technical writing and because I had admired the classic crackers who had done so. I decided to leave out the crack screens, although a handful of my early cracks do have Easter eggs where you can see “4am” if you know how to trigger it.

One of those eBay lots had an educational game, “Ten Little Robots.” After cracking it, I couldn’t find any copies of it online, which seemed odd. Surely everything has been cracked? Perhaps it was just mis-named or mis-filed? Then I found another disk that seemed to be a first-time preservation. And another. And it slowly dawned on me that maybe not everything has been cracked.

I mentioned this to Jason Scott, and he set me straight. Preservation is driven by pirates, who are driven by ego but constrained by the technical limitations of their era. In the 1980s, this meant storage space and network speed. Nobody got kudos for cracking “Irregular Spanish Verbs in the Future Tense,” no BBS would waste the hard drive space to host it, and no user would sacrifice their phone line to download it. So it never got preserved in any form.

And even the things that did get cracked weren’t fully preserved. Those same technical constraints led to a culture where the smallest version of a game always won. That meant stripping out the animated boot sequence, the title screen, the multi-page introduction, the cut scenes, anything deemed “non-essential” to the pirates. The holy grail was cutting away so much that you could distribute the game (or what was left of it) as a single file that could be combined with other unrelated games on a single floppy disk.

30 years later, that’s exactly what I saw: half-preserved arcade games, a smattering of educational software, and virtually nothing else. I realized I could have a real impact while having just as much fun, just as much intellectual challenge. Along the way, I’ve discovered that educational software is rich with history, personality, humor, and technical achievement. It’s been delightful.

Did you have any concerns over copyright? Do you feel the ethical considerations over lost software outweigh the rights of the copyright owner to restrict distribution of their works?

I host the write-ups and deprotected software (as disk images) on archive.org. They fully comply with DMCA takedown notices. They’ve never received one for anything in the 4am collection. In fact, just the opposite – I’ve had several authors find their own software and thank me for preserving it. One author even apologized for the copy protection. He understood it was a “necessary evil” at the time, but he was so glad that someone had finally bothered to cut through it. He said it was so exciting to be able to experience his own work again, for the first time in decades.

Since most of the Disk II’s higher-level functionality is based in software loaded from the disk itself, this allowed for a large variety of copy protection schemes. How has this been a hindrance to saving Apple II software?

We still can’t make perfect digital representations of Apple II floppy disks. Disks are analog, physical objects, made up of hundreds of thousands of magnetic flux changes. Those changes are stored in a physical layout on a physical disk and read by physical drives with their own variances and limitations. Disk II drives leave most of the functionality to software, and software exploits every possible edge case.

Where copy programs would drop bits, protection schemes checked for missing bits. Where copy programs would misalign data across tracks, protection schemes checked for cross-track alignment. Oh, your copy program can’t read some data on the disk when it’s physically too close to other data? Guess how we’re laying out our data on our next disk! And so on. It was a big cat-and-mouse game, an endless war that only ended when everyone lost.

All of that physicality is hard to capture digitally, and for decades there were no serious attempts to try. In the 1990s, people devised ways to digitize some approximation of a disk, just the post-processed nibbles and bytes. This was sufficient for digitizing cracked software, because the crackers had already normalized the original disks down to bytes so they could distribute them via BBS.

In the modern era, there is some specialized hardware that can digitize a floppy disk at the level of magnetic flux changes. For a variety of reasons, the hardware developers focused on non-Apple II platforms, and a few unresolved technical differences prevented a community of Apple II-specific preservationists from reusing it. There is some new development on this front, and I’m optimistic that collectors will soon be able to create flux-level digital copies of Apple II floppy disks, and users will be able to boot original software in emulators.

What copy protection schemes are the most common, and which one is the most tricky, in your experience?

The most common protection schemes were the ones that were productized and resold to hundreds of publishers. This was coordinated through the disk duplication houses, who offered copy protection as a “value add” on top of mastering the disks themselves. Publishers got the benefit of the latest and greatest copy protection without needing to play the cat-and-mouse game themselves.

The E7 bitstream, a.k.a. “generic bit slip protection,” was the most common. It was a sequence of 1s and 0s, specially crafted so the first half could be read “in phase,” then the code would intentionally skip half a byte and read the second half “out of phase.” Bit copiers would drop bits due to hardware limitations, and the out-of-phase values would be wrong. It was brilliant.

E7 was invented in 1983 and immediately productized. It protected “Moptown Parade” in 1984, “Rocky’s Boots” in 1985, and “Prince of Persia” in 1989. I’ve found it on disks from Addison-Wesley, Advanced Ideas, DesignWare, Edu-Ware, Microcomputer Workshops, Mindscape, Scholastic, Scott Foresman and Company, The Learning Company, Unicorn Software, Broderbund, Data East, Epyx, and Windham Classics.

The trickiest protections are the ones that are deeply integrated with the program itself, instead of being bolted on by a separate company. Some publishers chose to invest in copy protection themselves, to hire that expertise and keep it in-house. So you get “Gumball” by Broderbund Software, where the author of the game worked directly with the author of the copy protection. If you think you’ve removed all the copy protection because you got the game to boot, you’re in for a surprise on level 3 when the game starts misbehaving on purpose.

Which software developers’ or manufacturers’ disks (or individual pieces of software) have been the most difficult to de-protect?

Delayed protections in games were the worst. Sierra On-Line was famous for this. If you bypass the call to the self-decrypting protection check in “Threshold,” it lets you play the game but you can only move your ship to the right. If you change the protection check itself so it always succeeds, “Threshold” lets you play level 1 but glitches out on level 2. There was a separate anti-tamper check that only ran after level 1!

Scott Adams’ “Strange Odyssey” doesn’t run its protection check until you’ve started the game, climbed down the stairs, and taken the shovel. “The Count” doesn’t check until you’ve climbed into the dumbwaiter, which is about 15 moves into the game. And those are the easy ones, because they just reboot or crash immediately if they fail. “Transylvania” has a delayed protection check that deletes a vital location from the map and renders the game unwinnable. “Prince of Persia” neutralizes the effect of a potion you need to drink to finish level 7. “Conflict in Vietnam” has both on- and off-disk protection and 13 separate anti-tamper checks that can trigger a fatal error up to an hour later!

“Have I removed all the copy protection” is functionally equivalent to the Halting Problem. The day we can prove that we’ve removed all the protection from all the disks is the day the universe ends.

Although you obviously prefer creating “clean cracks” of software, is there a place for “cracked” disks that have been altered? Do they have their own historical significance?

Everything has historical significance. The choices those pirates made were driven by constraints that are largely absent today. Nobody born in this millennium has had a download fail at 99% because someone picked up the phone downstairs. Nobody cares about the difference between a 1K download and a 1.1K download. I’ve never needed to advertise the phone number of my BBS. I can read and search every issue of Hardcore Computist on the supercomputer I carry around in my pocket. Classic pirates did more with less.

You de-protect a great deal of educational software. Is this just for completeness and/or because historical “crackers” largely ignored the genre, or do you feel this software is potentially still useful in the education area?

I’m under no illusions that anyone will actually use this software for its original purpose. At best, it would be a technology demonstration, “look how far we’ve come, but 1 + 1 is still 2,” that kind of thing. But its original purpose was important! These were not just bits on a disk or disks in a box. This was curriculum. This was how we taught math and science and grammar and history to an entire generation of children. That seems like something worth saving.

You wrote a utility called Passport to help de-protect Apple II software, so that others could convert their own disk collections into functional emulator files. Could you explain a bit about that utility, and how it works?

There were a number of cracking utilities back in the day. The most versatile was called “Advanced Demuffin.” It used a protected disk as a weapon against itself, reading every sector of the disk with the disk’s own code (“RWTS”), then writing out the data to an unprotected copy. Two problems: first, you had to capture or extract the RWTS yourself; Advanced Demuffin wouldn’t help you with that. Second, you had to patch the code on the unprotected copy so it could read itself.

The vast majority of my early cracks followed the same 3-step process: capture the RWTS, run Advanced Demuffin, patch up the copy. After 8 cracks, I wrote a tool to automate step 1, capturing the RWTS. After 152 cracks, I wrote a tool to automate step 3, patching up the unprotected copy.

After 688 cracks, I wrote Passport.

Passport is an automated disk verification and copy program. And when I say “automatic,” I mean it. Unlike classic bit copiers, there are no parameters, no options, nothing to set beyond destination slot and drive. It either works or it doesn’t.

Also unlike classic copiers, the copy it produces is fully unprotected. It handles all 3 steps of that 3-step process. No fiddling with boot tracing on the front end, no fiddling with sector editors on the back end. It’s all built-in. Passport is a distillation of everything I’ve learned about cracking: every disk, every variation, every edge case.

Of my first 688 cracks, 478 could have been automated with Passport.

This has completely changed my hobby. Passport ensures consistency. I don’t worry about missing a patch or mistyping a hex value. I don’t spend any time doing the grunt work that computers can do for me. If I find two disks with the same protection, I write a new Passport module to automate it. Remember, protection was productized. If I’ve found 2, there are 20 more. They’re out there, rotting away on physical media.

Automation frees me to look beyond the bits. I can spend more time on in-depth write-ups of protection schemes that can’t be automated. I can take screenshots and make boot videos to show off all this wonderful educational software. The copy protection is the least interesting part of these disks. It’s just the part that prevented us from studying all the other parts.

As of February 2018, 4am has deprotected 1673 Apple II software titles, and that number is still climbing.

The 4am collection is online at

https://archive.org/details/apple_ii_library_4am

Most of the software titles listed there can be accessed using the Internet Archive’s in-browser Apple II emulator.

Passport is available from

https://archive.org/details/Passport4am
