The following is a copy (with minor edits) of this thread on Lemon.
The All American BBS archives can be found on the zimmers.net archives and its mirrors in the cbm/c64/comm/bbs directory, files “aabbs64v116.zip” and “aabbs64v116source.zip”.
“I have a bit of a mystery to solve, and I'm hoping that someone here can help me.
In the late 80's, I purchased a copy of All American BBS from the program's author, Nick Smith. When he sent me the disk, he also sent me my serial number, which must be entered whenever the BBS program is loaded.
In recent months, I was able to track Nick down, and I got him to send me copies of the latest versions of AA BBS for both the 64 and 128. The 128 version is what I'm using on my BBS now, which doesn't require a serial number. The 64 version DOES require a serial number. Unfortunately, Nick says he doesn't remember what the serial number is for the disk he sent me with the 64 version of AA BBS. He says he remembers that he used a sector editor to set the serial numbers on the disks, but beyond that, he doesn't remember anything anymore.
I know what my serial number is for my original copy of AA BBS v9.6. The serial number is 2455. He says that all serial numbers are just four digits. But the copy Nick sent me of the last version he released for the 64, v11.6b, I still haven't been able to try out because I can't find the serial number.
I've posted a d64 of my original copy of AA BBS v9.6 here: http://hometown.aol.com/Cottonwoodbbs/AA96.D64
And there's a d64 of disk 1 of AA BBS v11.6b here: http://hometown.aol.com/Cottonwoodbbs/AA64-1.D64
On both of these, you just type LOAD”*“,8,1 which starts the program, select “b” to run the BBS, and select “no” when asked if you want to run the fast loader (it doesn't work in VICE). When the program finishes loading, the first thing you're asked is for the serial number. If you type it in wrong, the sides of the screen collapse a bit, just as if you had typed SYS64738, but then it locks up. If you type the correct serial number, then it continues on and asks you for the time and date. Again, the correct serial number for v9.6 is 2455. I've been over the disks again and again with a sector editor, and I can't figure out where the serial number is hidden. If there's anyone who's good at this sort of thing and loves a good mystery, PLEASE help me out. Thanks!
-Andrew
P.S. I have got permission from Nick Smith to release these to the public domain, so there's nothing illegal with trying to crack this. You can download the full copies of the latest versions for both the 64 and 128, as well as the source code for each, at http://hometown.aol.com/cottonwoodbbs”
“Load it, wait for “Please enter your serial number” prompt. Start VICE monitor.”
r ADDR AC XR YR SP 00 01 NV-BDIZC LIN CYC .;e5d4 00 af ff ea 2f 36 00100011 000 002
Stack pointer is $ea, so used stack starts feom $01eb. Check it for JSR return address.
m 01eb >C:01eb af ff 8d cb c5 a3 31 a5 92 c8 46 e1 67 18 e9 a7
I guess keyboard input routine was called from $cb8d-2.
d cb8b .C:cb8b 20 CF FF JSR $FFCF .C:cb8e 64 8D NOOP $8D .C:cb90 99 00 BE STA $BE00,Y .C:cb93 88 DEY .C:cb94 80 79 NOOP #$79 .C:cb96 C9 0D CMP #$0D .C:cb98 F0 04 BEQ $CB9E .C:cb9a C0 F8 CPY #$F8 .C:cb9c B0 ED BCS $CB8B .C:cb9e 7A NOOP .C:cb9f E2 D9 NOOP #$D9 .C:cba1 A9 36 LDA #$36 .C:cba3 82 75 NOOP #$75 .C:cba5 4C 20 CB JMP $CB20
Looks like it reads serial number, stores it and jumps to $cb20.
d cb20 .C:cb20 80 64 NOOP #$64 .C:cb22 85 01 STA $01 .C:cb24 82 25 NOOP #$25 .C:cb26 A0 00 LDY #$00 .C:cb28 BF 00 A0 LAX $A000,Y .C:cb2b 49 57 EOR #$57 .C:cb2d 99 00 A0 STA $A000,Y .C:cb30 C8 INY .C:cb31 D0 F5 BNE $CB28 .C:cb33 EF 2A CB ISB $CB2A .C:cb36 EF 2F CB ISB $CB2F .C:cb39 AF 2A CB LAX $CB2A .C:cb3c E0 AF CPX #$AF .C:cb3e 90 E8 BCC $CB28 .C:cb40 A0 A0 LDY #$A0 .C:cb42 8C 2A CB STY $CB2A .C:cb45 8C 2F CB STY $CB2F .C:cb48 60 RTS
Decrypts $axxx area and returns. Set breakpoint to rts and exit, just to come back a bit later.
break cb48 x
Now enter any number and press return. We're back in monitor. Step forward twice to see where we end up
z z .C:a3c6 80 4D NOOP #$4D
What's here?
d a3c6 .C:a3c6 80 4D NOOP #$4D .C:a3c8 1A NOOP .C:a3c9 04 4C NOOP $4C .C:a3cb DA NOOP .C:a3cc C9 00 CMP #$00 .C:a3ce 85 64 STA $64 .C:a3d0 85 65 STA $65 .C:a3d2 A9 0D LDA #$0D .C:a3d4 20 D2 FF JSR $FFD2 .C:a3d7 A9 00 LDA #$00 .C:a3d9 99 00 BE STA $BE00,Y .C:a3dc A0 FF LDY #$FF .C:a3de BF 00 BE LAX $BE00,Y .C:a3e1 20 ED AB JSR $ABED .C:a3e4 D0 06 BNE $A3EC .C:a3e6 88 DEY .C:a3e7 C0 FC CPY #$FC .C:a3e9 B0 F3 BCS $A3DE .C:a3eb 60 RTS .C:a3ec A0 00 LDY #$00 .C:a3ee BF FC A3 LAX $A3FC,Y
Looks like it checks serial number at $abed, so check it out.
d abed .C:abed 49 FF EOR #$FF .C:abef D9 64 BE CMP $BE64,Y .C:abf2 60 RTS
Y ranges from $ff to $fc, so let's see what vlues we compare agains.
m bf60 bf63 >C:bf60 cd ce cf cf
This was EORed with $ff, so let's invert some bits and we get 32 31 30 30 This looks like “2100” in PETSCII, but when we stored serial number into buffer we did it backwards, so it's really “0012”.
Nothing you couldn't do with a decent cartridge on C64 as well.
“I'd like to know where it is located to I can see what I missed.”
It's inside “←AA CGBBS V11.6B” file, but as that's compressed you can't find the bytes anywhere with disk editor. I assume Nick edited the executable before compiling or packing it. Check out source disk #4, file “←ml+11.6”. You need to eor its contents with $6E to find “2100”.