------------Algebra Volume 4----------- A 4am crack 2015-08-07 --------------------------------------- Name: Algebra Volume 4 Version: 1.0 (10-JAN-83) Genre: educational Year: 1983 Publisher: Edu-Ware, Inc. Media: single-sided 5.25-inch floppy OS: DOS 3.3 Other cracks: none Similar cracks: Algebra Volume 1 v1.3 (crack no. 372) ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read anything after T00,S09 (but reads T00,S00-S09 successfully) EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified address and data epilogues ("DA AA EB" instead of "DE AA EB") Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "DA AA EB" set Data Epilogue to "DA AA EB" all tracks readable T00 -> looks like a DOS 3.3 RWTS T00-T02 -> looks like a full DOS 3.3 T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "EDU-WARE" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) EDD worked. What does that tell us? no half or quarter tracks almost certainly no nibble check (just structural changes to epilogue) Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:R.................................. +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:R.................................. SC1:R.................................. SC2:R.................................. SC3:R.................................. SC4:R.................................. SC5:R.................................. SC6:R.................................. SC7:R.................................. SC8:R.................................. SC9:R.................................. SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- Right. Those unreadable sectors are the boot0 and boot1 code, which are read by the disk controller ROM on boot. They are not protected (standard prologues, epilogues, the works). But the RWTS that reads the rest of the disk is strict enough that it can't read them. ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 000 FREE *A 007 EDU-WARE *B 031 EWS3 A 054 ALGEBRA 4 T 002 AM4.PROGRESS A 039 AM4.1.1 A 050 AM4.2 A 045 AM4.2.1 A 045 AM4.3 A 055 AM4.3.1 A 039 AM4.4 A 054 AM4.4.1 A 031 AM4.5 A 056 AM4.5.1 A 010 AM4.5.1.1 ]RUN EDU-WARE ...works... Next steps: 1. Write boot0/boot1 back to my copy 2. Patch the RWTS so it can read a standard format (now that the entire disk is in one) ~ Chapter 2 In Which We Restore The Bootloader Then Remove The Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion Let's write the missing sectors from track $00 to my demuffin'd copy and see if it can boot. ]PR#5 ]CALL -151 ; straightforward multi-sector write ; loop, via the RWTS vector at $03D9 08C0- A9 08 LDA #$08 08C2- A0 E8 LDY #$E8 08C4- 20 D9 03 JSR $03D9 08C7- AC ED 08 LDY $08ED 08CA- 88 DEY 08CB- 10 05 BPL $08D2 08CD- A0 0F LDY #$0F 08CF- CE EC 08 DEC $08EC 08D2- 8C ED 08 STY $08ED 08D5- CE F1 08 DEC $08F1 08D8- CE E1 08 DEC $08E1 08DB- D0 E3 BNE $08C0 08DD- 60 RTS sector count vv 08E0- 00 0A 00 00 00 00 00 00 08E8- 01 60 01 00 00 09 FB 08 ^^ ^^ track/sector 08F0- 00 2F 00 00 02 00 FE 60 ^^ starting address 08F8- 01 00 00 00 01 EF D8 00 *BSAVE WRITE BOOT1,A$8C0,L$40 *BLOAD BOOT1,A$2600 *8C0G *C600G ...grind grind grind... My demuffin'd copy can't read itself. This is not unusual or even unexpected, given how strict the RWTS seems to be. Let's see if Post-Demuffin Patcher can restore the RWTS. ]PR#5 ... ]BRUN PDP T00,S03,$91 change DA to DE T00,S03,$35 change DA to DE T00,S02,$9E change DA to DE ]PR#6 ...works... Quod erat liberandum. --------------------------------------- A 4am crack No. 397 ------------------EOF------------------