1200XL M.U.L.E. Posted February 24, 2021 Share Posted February 24, 2021 A little while ago I tried playing BC's Quest for Tires and the game formatted my floppy. Let me explain. The game was an executable *.XEX file. I transferred the file to my floppy and ran it from there. When I was done playing I pressed the computer's Reset assuming the computer would reboot to MyDOS. My drive spun up and started making a very distinct head seeking sound pattern. I recognized the pattern as one when formatting a disk but I couldn't believe it. It didn't take long for the pattern to finish and then the drive simply spun. I power cycled the computer and the floppy wouldn't boot the computer. Then I rebooted with a MyDOS boot disk and examined my working floppy here. Sure enough, it was zeroed out - meaning no file and 000 free sectors. I was shocked! I tried a few more *.XEX files of this game I had on my PC and I saw the same behavior. Resetting the computer started a floppy formatting sequence. The last file I tried did not exhibit this behavior. I noticed the file size was also different. All the self-destructing *.XEX files were 142 sectors and the one that worked was only 102 sectors. Did I just experience my first Atari virus? 1 1 Quote Link to comment Share on other sites More sharing options...
+DjayBee Posted February 24, 2021 Share Posted February 24, 2021 How about attaching the files to this thread for further examination? Quote Link to comment Share on other sites More sharing options...
carlsson Posted February 24, 2021 Share Posted February 24, 2021 Atari Online has 6 different XEX files, of which the a1 one is 13 kilobytes and all the others are 18 kilobytes. I would assume that all the larger ones would exhibit this behavior. http://atarionline.pl/v01/index.php?ct=search&query=tires&t=katalog Quote Link to comment Share on other sites More sharing options...
TGB1718 Posted February 24, 2021 Share Posted February 24, 2021 Had a quick look at one of the 18K versions, this bit of code looks slightly suspicious, could be wrong, but might be worth a closer look when I get time. So could be someone put it here deliberately, maybe the creator to try stop copies. It's putting values into IOCB1 not in the normal way i.e. using X register offset and I think $21 is the format command 3467 LDX #0C A2 0C 3469 LDA #00 A9 00 346B STA 035A 8D 5A 03 346E STX 0352 8E 52 03 3471 LDX #10 A2 10 3473 JMP E456 4C 56 E4 3476 STA 035A 8D 5A 03 3479 LDA #52 A9 52 347B STA 0354 8D 54 03 347E LDA #21 A9 21 <<<<<<<<<<<<<<<< format command ??? 3480 STA 0355 8D 55 03 3483 LDX #03 A2 03 3485 BNE 346E D0 E7 3487 JSR 348D 20 8D 34 348A BMI 344B 30 BF 348C RTS 60 1 Quote Link to comment Share on other sites More sharing options...
Rybags Posted February 24, 2021 Share Posted February 24, 2021 (edited) $342 is the command value (and add multiples of $10 for the next 7 IOCBs) $344/5 is the buffer address. $0C being stored in $352 there equates to the CLOSE command. In any case, $21 is the DELETE command for FMS and $22 FORMAT. Can't say I've seen the observed behaviour and can't check on my execuatable version (which was obtained back in the day and always run from a bootable menu). My suspicion is that there's likely an embedded Dos or portion of Dos and it's inadvertantly happening. Or maybe deliberate which could possibly make it one of the world's first computer viruses. Edited February 24, 2021 by Rybags Quote Link to comment Share on other sites More sharing options...
TGB1718 Posted February 24, 2021 Share Posted February 24, 2021 3 hours ago, Rybags said: In any case, $21 is the DELETE command for FMS and $22 FORMAT. I think $21 is Format Single, $22 is Format Enhanced e.g. some code from a disk copy utility 0250 LOOP3 LDA 764 0260 CMP #$3E ;S=SINGLE 0270 BEQ SINGLE 0280 CMP #$2A ;E=ENHANCED 0290 BEQ ENHANCED 0300 JMP LOOP3 0310 SINGLE LDA #$21 0320 LDX #2 0330 STA COMAND,X 0340 JMP XXXX 0350 ENHANCED LDA #$22 0360 LDX #2 0370 STA COMAND,X Quote Link to comment Share on other sites More sharing options...
Mclaneinc Posted February 24, 2021 Share Posted February 24, 2021 This is novel, can't say I've heard of this before, a friend did a multi boot that had or said it had Outrun on, basically it was justa loader pic and a format routine. Told you to press start to play and chunk chunk chunk chunk..... I'd love to find out if these are old hacks or new? And of course, why? 1 Quote Link to comment Share on other sites More sharing options...
TGB1718 Posted February 24, 2021 Share Posted February 24, 2021 45 minutes ago, Mclaneinc said: This is novel, can't say I've heard of this before, a friend did a multi boot that had or said it had Outrun on, basically it was justa loader pic and a format routine. Told you to press start to play and chunk chunk chunk chunk..... I'd love to find out if these are old hacks or new? And of course, why? Pretty sure I've seen that one way back in the day, so don't think it's recent. As for why, there have always those that do thing like that because it's funny, even though they never see the "fruits of their labour's" I think a better term is "moron's" 3 Quote Link to comment Share on other sites More sharing options...
xxl Posted February 24, 2021 Share Posted February 24, 2021 this could be part of a security feature, it is possible that the game first checks what medium it is booting from, or whether the medium is the original. 1 Quote Link to comment Share on other sites More sharing options...
Mclaneinc Posted February 24, 2021 Share Posted February 24, 2021 I must admit I wasn't in the habit of pressing system reset, I'd either power off manually or jump into Omnimon a Jsr to E477 so its probably why I never saw them. I'd seen protections like Savage Pond which would fill RAM if it saw Omnimon but never an actual malicious bit of code (bar that Outrun I mentioned, but to be fair the game was not real so it made no odds if the disk got formatted). Yeah, trust me I know morons, my daughters Uni is full of them, ironic a place of education with so many people doing stupid stuff. I've always seen viruses as more later on things like on the Amiga and ST, as for today its not just a moron but international gangs looking to rip the world off. Back then it seemed more civil, people were coding because it was a new experience and they wanted to show how good they were is more positive ways ie demo's , intro's etc Now my inbox gets at least 3 "we have your password and we watched you on that porn site, send us mega bitcoin" nonsense per day....Porn site, hell my shoulders ache enough as it is... 2 Quote Link to comment Share on other sites More sharing options...
Mclaneinc Posted February 24, 2021 Share Posted February 24, 2021 6 minutes ago, xxl said: this could be part of a security feature, it is possible that the game first checks what medium it is booting from, or whether the medium is the original. It could but to format the disk, they could just fill mem and overwrite the code.. Quote Link to comment Share on other sites More sharing options...
1200XL M.U.L.E. Posted February 24, 2021 Author Share Posted February 24, 2021 9 hours ago, DjayBee said: How about attaching the files to this thread for further examination? I pulled the *.XEX files from my Trashcan along with 1 untested version and 1 good version. The files are in the Zip file attached here. I think the file name will make each version obvious. Maybe some files are duplicates of each other? 9 hours ago, carlsson said: Atari Online has 6 different XEX files, of which the a1 one is 13 kilobytes and all the others are 18 kilobytes. I would assume that all the larger ones would exhibit this behavior. http://atarionline.pl/v01/index.php?ct=search&query=tires&t=katalog Those file names are familiar. That is what they were called before I shortened their names to 8.3 format. However, I did not download from here. TOSEC and Pigwa were my sources. bc.zip 1 Quote Link to comment Share on other sites More sharing options...
_The Doctor__ Posted February 24, 2021 Share Posted February 24, 2021 name this stuff with danger or fmt in the names please... we really don't want it floating around... willy nilly to snag the unsuspecting again. Quote Link to comment Share on other sites More sharing options...
+DjayBee Posted February 24, 2021 Share Posted February 24, 2021 (edited) These files are the same as on atarionline.pl and they differ from the (unprotected) boot disk by only a few bytes which deactivate reading and writing the high score from sector 720. One also deactivates the trigger to start a game. You can calm down again @_The Doctor__ 7 hours ago, TGB1718 said: It's putting values into IOCB1 not in the normal way There is no disk format command inside and also no code which looks like the one in TGB1718's posting. Edited February 24, 2021 by DjayBee Quote Link to comment Share on other sites More sharing options...
cx2k Posted February 24, 2021 Share Posted February 24, 2021 I created a program years ago that I protected so that if you took my name out of it or changed it, it would do a check and format the disk. John Quote Link to comment Share on other sites More sharing options...
Sugarland Posted February 24, 2021 Share Posted February 24, 2021 15 hours ago, 1200XL M.U.L.E. said: A little while ago I tried playing BC's Quest for Tires and the game formatted my floppy. Let me explain. Maybe the game just doesn't want you playing it any more. Quote Link to comment Share on other sites More sharing options...
xxl Posted February 24, 2021 Share Posted February 24, 2021 3 hours ago, cx2k said: I created a program years ago that I protected so that if you took my name out of it or changed it, it would do a check and format the disk. John delicious. is somewhere available? Quote Link to comment Share on other sites More sharing options...
+Stephen Posted February 25, 2021 Share Posted February 25, 2021 1 hour ago, xxl said: 5 hours ago, cx2k said: I created a program years ago that I protected so that if you took my name out of it or changed it, it would do a check and format the disk. John delicious. is somewhere available? Damn - please don't get any more ideas to screw us U1MB users over Quote Link to comment Share on other sites More sharing options...
xxl Posted February 25, 2021 Share Posted February 25, 2021 19 minutes ago, Stephen said: Damn - please don't get any more ideas to screw us U1MB users over constructor screw U1MB users cutting off your savoring half of the D3 page I didn't think about them for a second - why should I do this, they are nothing special to me. 1 Quote Link to comment Share on other sites More sharing options...
+Nezgar Posted February 25, 2021 Share Posted February 25, 2021 As an early copy protection mechanism, IIRC Brøderbund's "A.E." checks if your disk drive responded to Happy commands, and if so issue a format command and show "Gotcha!" on the screen. In theory with the controller add-on, it could have also disengaged a write protect by software control if you hadn't disabled that function... Quote Link to comment Share on other sites More sharing options...
1200XL M.U.L.E. Posted February 25, 2021 Author Share Posted February 25, 2021 Wow, some of these schemes sound evil! @Nezgar Imagine if you had legitimately bought "A.E." but happened to have a Happy 1050 drive? So .. back to my original posting. Do some of the BC Quest for Tires executable have verified code to format a floppy upon a computer reset? Quote Link to comment Share on other sites More sharing options...
+Nezgar Posted February 25, 2021 Share Posted February 25, 2021 2 minutes ago, 1200XL M.U.L.E. said: Imagine if you had legitimately bought "A.E." but happened to have a Happy 1050 drive? Your original would have been write protected. A.E. came out in '82 and 1050 hadnt been released yet. I dont think the 810 versions of the happy had a software controllable write protect. Quote Link to comment Share on other sites More sharing options...
Mclaneinc Posted February 25, 2021 Share Posted February 25, 2021 I suspect that it would be the same for the Archiver and any other programmable drive... Devious people...One of the reasons I got a switch made for my Omnimon, for the few that didn't like it, it was annoying.. Quote Link to comment Share on other sites More sharing options...
+DjayBee Posted February 25, 2021 Share Posted February 25, 2021 13 hours ago, 1200XL M.U.L.E. said: Do some of the BC Quest for Tires executable have verified code to format a floppy upon a computer reset? None of the ones you posted. See post #14 here in this thread. Quote Link to comment Share on other sites More sharing options...
EddyFree Posted February 26, 2021 Share Posted February 26, 2021 I didn't see anything strange either. As mentioned above, the 5 culprits read and write the high score data to sector 720. 3DB9: A9 57 LDA #$57 ; Write Sector With Verify 3DBB: 4C 30 3E JMP $3E30 ---------- 3E30: D8 CLD 3E31: 8D 02 03 STA DCOMND 3E34: A9 02 LDA #$02 3E36: 8D 0B 03 STA DAUX2 3E39: A9 D0 LDA #$D0 3E3B: 8D 0A 03 STA DAUX1 ; $02D0 = Sector 720 3E3E: A9 00 LDA #$00 3E40: 8D 04 03 STA DBUFLO 3E43: A9 0D LDA #$0D 3E45: 8D 05 03 STA DBUFHI ; $0D00 = High Score Data (Uses Internal Character Code) 3E48: A9 01 LDA #$01 3E4A: 8D 01 03 STA DUNIT ; Disk Drive 1 3E4D: 20 53 E4 JSR DSKINV 3E50: 60 RTS ----------- 54B4: A9 52 LDA #$52 ; Read Sector 54B6: 20 30 3E JSR $3E30 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.