BC'S Quest for Tires formatted my floppy - why?

[1200XL M.U.L.E.]

A little while ago I tried playing BC's Quest for Tires and the game formatted my floppy. Let me explain.

 

The game was an executable *.XEX file. I transferred the file to my floppy and ran it from there. When I was done playing I pressed the computer's Reset assuming the computer would reboot to MyDOS. My drive spun up and started making a very distinct head seeking sound pattern. I recognized the pattern as one when formatting a disk but I couldn't believe it. It didn't take long for the pattern to finish and then the drive simply spun. I power cycled the computer and the floppy wouldn't boot the computer. Then I rebooted with a MyDOS boot disk and examined my working floppy here. Sure enough, it was zeroed out - meaning no file and 000 free sectors. I was shocked!

 

I tried a few more *.XEX files of this game I had on my PC and I saw the same behavior. Resetting the computer started a floppy formatting sequence. The last file I tried did not exhibit this behavior. I noticed the file size was also different. All the self-destructing *.XEX files were 142 sectors and the one that worked was only 102 sectors.

 

Did I just experience my first Atari virus?

[+DjayBee]

How about attaching the files to this thread for further examination?

[carlsson]

Atari Online has 6 different XEX files, of which the a1 one is 13 kilobytes and all the others are 18 kilobytes. I would assume that all the larger ones would exhibit this behavior.

http://atarionline.pl/v01/index.php?ct=search&query=tires&t=katalog

[TGB1718]

Had a quick look at one of the 18K versions, this bit of code looks slightly suspicious, could be

wrong, but might be worth a closer look when I get time.

So could be someone put it here deliberately, maybe the creator to try stop copies.

 

It's putting values into IOCB1 not in the normal way i.e. using X register offset and I think $21 is the format command

 

3467   LDX  #0C       A2 0C
3469   LDA  #00       A9 00
346B   STA  035A      8D 5A 03
346E   STX  0352      8E 52 03
3471   LDX  #10       A2 10
3473   JMP  E456      4C 56 E4
3476   STA  035A      8D 5A 03
3479   LDA  #52       A9 52
347B   STA  0354      8D 54 03
347E   LDA  #21       A9 21      <<<<<<<<<<<<<<<< format command ???
3480   STA  0355      8D 55 03
3483   LDX  #03       A2 03
3485   BNE  346E      D0 E7
3487   JSR  348D      20 8D 34
348A   BMI  344B      30 BF
348C   RTS            60

[Rybags]

$342 is the command value (and add multiples of $10 for the next 7 IOCBs)

 

$344/5 is the buffer address.  $0C being stored in $352 there equates to the CLOSE command.

In any case, $21 is the DELETE command for FMS and $22 FORMAT.

 

Can't say I've seen the observed behaviour and can't check on my execuatable version (which was obtained back in the day and always run from a bootable menu).

 

My suspicion is that there's likely an embedded Dos or portion of Dos and it's inadvertantly happening.  Or maybe deliberate which could possibly make it one of the world's first computer viruses.

Edited February 24, 2021 by Rybags

[TGB1718]

3 hours ago, Rybags said:

In any case, $21 is the DELETE command for FMS and $22 FORMAT.

I think $21 is Format Single, $22 is Format Enhanced

e.g. some code from a disk copy utility

 

0250 LOOP3 LDA 764
0260     CMP #$3E    ;S=SINGLE
0270     BEQ SINGLE
0280     CMP #$2A    ;E=ENHANCED
0290     BEQ ENHANCED
0300     JMP LOOP3
0310 SINGLE LDA #$21
0320     LDX #2
0330     STA COMAND,X
0340     JMP XXXX
0350 ENHANCED LDA #$22
0360     LDX #2
0370     STA COMAND,X

[Mclaneinc]

This is novel, can't say I've heard of this before, a friend did a multi boot that had or said it had Outrun on, basically it was justa loader pic and a format routine. Told you to press start to play and chunk chunk chunk chunk.....

 

I'd love to find out if these are old hacks or new?

 

And of course, why?

[TGB1718]

45 minutes ago, Mclaneinc said:

This is novel, can't say I've heard of this before, a friend did a multi boot that had or said it had Outrun on, basically it was justa loader pic and a format routine. Told you to press start to play and chunk chunk chunk chunk.....

 

I'd love to find out if these are old hacks or new?

 

And of course, why?

Pretty sure I've seen that one way back in the day, so don't think it's recent.

 

As for why, there have always those that do thing like that because it's funny, even though they never see the "fruits of their labour's"

I think a better term is "moron's"

 

[xxl]

this could be part of a security feature, it is possible that the game first checks what medium it is booting from, or whether the medium is the original.

[Mclaneinc]

 

I must admit I wasn't in the habit of pressing system reset, I'd either power off manually or jump into Omnimon a Jsr to E477 so its probably why I never saw them. I'd seen protections like Savage Pond which would fill RAM if it saw Omnimon but never an actual malicious bit of code (bar that Outrun I mentioned, but to be fair the game was not real so it made no odds if the disk got formatted).

 

Yeah, trust me I know morons, my daughters Uni is full of them, ironic a place of education with so many people doing stupid stuff. I've always seen viruses as more later on things like on the Amiga and ST, as for today its not just a moron but international gangs looking to rip the world off. Back then it seemed more civil, people were coding because it was a new experience and they wanted to show how good they were is more positive ways ie demo's , intro's etc

 

Now my inbox gets at least 3 "we have your password and we watched you on that porn site, send us mega bitcoin" nonsense per day....Porn site, hell my shoulders ache enough as it is...

[Mclaneinc]

6 minutes ago, xxl said:

this could be part of a security feature, it is possible that the game first checks what medium it is booting from, or whether the medium is the original.

It could but to format the disk, they could just fill mem and overwrite the code..

[1200XL M.U.L.E.]

9 hours ago, DjayBee said:

How about attaching the files to this thread for further examination?

I pulled the *.XEX files from my Trashcan along with 1 untested version and 1 good version. The files are in the Zip file attached here. I think the file name will make each version obvious. Maybe some files are duplicates of each other?

 

9 hours ago, carlsson said:

Atari Online has 6 different XEX files, of which the a1 one is 13 kilobytes and all the others are 18 kilobytes. I would assume that all the larger ones would exhibit this behavior.

http://atarionline.pl/v01/index.php?ct=search&query=tires&t=katalog

Those file names are familiar. That is what they were called before I shortened their names to 8.3 format. However, I did not download from here. TOSEC and Pigwa were my sources.

bc.zip

[_The Doctor__]

name this stuff with danger or fmt in the names please... we really don't want it floating around... willy nilly to snag the unsuspecting again.

[+DjayBee]

These files are the same as on atarionline.pl and they differ from the (unprotected) boot disk by only a few bytes which deactivate reading and writing the high score from sector 720. One also deactivates the trigger to start a game.

 

You can calm down again @_The Doctor__

 

7 hours ago, TGB1718 said:

It's putting values into IOCB1 not in the normal way

There is no disk format command inside and also no code which  looks like the one in TGB1718's posting.

Edited February 24, 2021 by DjayBee

[cx2k]

I created a program years ago that I protected so that if you took my name out of it or changed it, it would do a check and format the disk.

 

John

 

[Sugarland]

15 hours ago, 1200XL M.U.L.E. said:

A little while ago I tried playing BC's Quest for Tires and the game formatted my floppy. Let me explain.

 

Maybe the game just doesn't want you playing it any more.

 

[xxl]

3 hours ago, cx2k said:

I created a program years ago that I protected so that if you took my name out of it or changed it, it would do a check and format the disk.

 

John

 

delicious. is somewhere available?

[+Stephen]

1 hour ago, xxl said:

5 hours ago, cx2k said:

I created a program years ago that I protected so that if you took my name out of it or changed it, it would do a check and format the disk.

 

John

 

delicious. is somewhere available?

Damn - please don't get any more ideas to screw us U1MB users over

[xxl]

19 minutes ago, Stephen said:

Damn - please don't get any more ideas to screw us U1MB users over

constructor screw U1MB users cutting off your savoring half of the D3 page  I didn't think about them for a second - why should I do this, they are nothing special to me.

[+Nezgar]

As an early copy protection mechanism, IIRC Brøderbund's "A.E." checks if your disk drive responded to Happy commands, and if so issue a format command and show "Gotcha!" on the screen.

 

In theory with the controller add-on, it could have also disengaged a write protect by software control if you hadn't disabled that function...

[1200XL M.U.L.E.]

Wow, some of these schemes sound evil!

 

@Nezgar Imagine if you had legitimately bought "A.E." but happened to have a Happy 1050 drive? 

 

So .. back to my original posting.  Do some of the BC Quest for Tires executable have verified code to format a floppy upon a computer reset?

[+Nezgar]

2 minutes ago, 1200XL M.U.L.E. said:

Imagine if you had legitimately bought "A.E." but happened to have a Happy 1050 drive?

Your original would have been write protected. A.E. came out in '82 and 1050 hadnt been released yet. I dont think the 810 versions of the happy had a software controllable write protect.

[Mclaneinc]

I suspect that it would be the same for the Archiver and any other programmable drive...

 

Devious people...One of the reasons I got a switch made for my Omnimon, for the few that didn't like it, it was annoying..

[+DjayBee]

13 hours ago, 1200XL M.U.L.E. said:

Do some of the BC Quest for Tires executable have verified code to format a floppy upon a computer reset?

None of the ones you posted.

See post #14 here in this thread.

[EddyFree]

 

I didn't see anything strange either. As mentioned above, the 5 culprits read and write the high score data to sector 720.

 

    3DB9: A9 57             LDA #$57     ; Write Sector With Verify
    3DBB: 4C 30 3E          JMP $3E30
----------
    3E30: D8                CLD
    3E31: 8D 02 03          STA DCOMND
    3E34: A9 02             LDA #$02
    3E36: 8D 0B 03          STA DAUX2
    3E39: A9 D0             LDA #$D0
    3E3B: 8D 0A 03          STA DAUX1    ; $02D0 = Sector 720
    3E3E: A9 00             LDA #$00
    3E40: 8D 04 03          STA DBUFLO
    3E43: A9 0D             LDA #$0D
    3E45: 8D 05 03          STA DBUFHI   ; $0D00 = High Score Data (Uses Internal Character Code)
    3E48: A9 01             LDA #$01
    3E4A: 8D 01 03          STA DUNIT    ; Disk Drive 1
    3E4D: 20 53 E4          JSR DSKINV
    3E50: 60                RTS
-----------
    54B4: A9 52             LDA #$52     ; Read Sector
    54B6: 20 30 3E          JSR $3E30