------------Alligator Alley------------
A 4am crack
2016-04-25
---------------------------------------

Name: Alligator Alley
Genre: educational
Year: 1984
Authors: Jerry Chaffin, Bill Maxwell, Barbara Thompson
Publisher: Developmental Learning Materials (DLM)
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none
Similar cracks:
  #599 Word Man
  #317 Alphabet Circus
  #277 Alien Addition

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  can't read anything past track $02

EDD 4 bit copy (no sync, no count)
  no errors during copying
  copy loads a few tracks then grinds and crashes

Copy ][+ nibble editor
  T03 appears unformatted ("HI-RES DISK SCAN" confirms this)
  T04+ use modified data epilogue (DF AA EB)

Disk Fixer
  T00 -> looks like a DOS 3.3 RWTS
  T00-T02 -> looks like a full DOS
  T01,S09 -> startup program is "HELLO"
  ["O" -> "Input/Output Control"]
  set Data Epilogue to "DF AA EB"
  T04+ readable, but slightly garbage

--v--
-------------- DISK EDIT --------------
TRACK $11/SECTOR $0F/VOLUME $20/BYTE$00
---------------------------------------
$00:>00<12 0D 03 03 03 03 03 @RMCCCCC
$08: 03 03 03 12 0F 02 C8 C5 CCCROBHE
$10: C0 C0 C3 AC AC AC AC AC @@C,,,,,
$18: AC AC AC AC AC AC AC AC ,,,,,,,,
$20: AC AC AC AC AC AC AC AC ,,,,,,,,
$28: AC AC AC AC 0D 0C 1D 02 ,,,,ML]B
$30: 8B C3 C9 CE AC AC AC AC .CIN,,,,
$38: AC AC AC AC AC AC AC AC ,,,,,,,,
$40: AC AC AC AC AC AC AC AC ,,,,,,,,
$48: AC AC AC AC AC AC AC 1D ,,,,,,,]
$50: 0C 1F 0B 84 CC CF CB CF L_K.LOKO
$58: B1 A0 A0 A0 A0 A0 A0 A0 1
$60: A0 A0 A0 A0 A0 A0 A0 A0
$68: A0 A0 A0 A0 A0 A0 A0 A0
$70: A0 A0 10 00 18 07 88 C0   P@XG.@
$78: C3 C7 C3 BE AC AC AC AC CGC>,,,,
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
---------------------------------------
COMMAND : _
--^--

Why didn't COPYA work?
  T03 unformatted, modified epilogue bytes (T04+)

Why didn't Locksmith FDB work?
  ditto

Why didn't my EDD copy work?
  probably a nibble check during boot

Why do the sectors look like garbage even after changing the data epilogue?
  probably some changes to the nibble translate table (possibly tied to the
  protection check)

Next steps:
  1. trace the boot to find the protection check and RWTS changes
  2. capture the final RWTS and use it to convert the rest of the disk
  3. ???

~

Chapter 1
In Which Automated Tools Get Us Nowhere

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC1:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC2:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC3:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC4:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC5:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC6:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC7:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC8:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC9:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCA:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCB:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCC:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCD:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCE:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCF:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

Well then. That was... not entirely successful. Not entirely unsuccessful,
I suppose. But I need to dig deeper.

~

Chapter 2
In Which We Find Something Curious And Our Adventure Begins In Earnest

]PR#5
...
]CALL -151

*9600

At $B8, load "RWTS 4+" from D1
["6" to switch to slot 6]
["C" to convert disk]
["Y" to change default values]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======================================
INPUT ALL VALUES IN HEX
SECTORS PER TRACK? (13/16) 16
START TRACK: $04 <-- change this
START SECTOR: $00
END TRACK: $22
END SECTOR: $0F
INCREMENT: 1
MAX # OF RETRIES: 0
COPY FROM DRIVE 1 TO DRIVE: 2
=======================================
16SC $04,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

And here we go...

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:    ...............................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:    ...............................
SC1:    ...............................
SC2:    ...............................
SC3:    ...............................
SC4:    ...............................
SC5:    ...............................
SC6:    ...............................
SC7:    ...............................
SC8:    ...............................
SC9:    ...............................
SCA:    ...............................
SCB:    ...............................
SCC:    ...............................
SCD:    ...............................
SCE:    ...............................
SCF:    ...............................
=======================================
16SC $04,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
264 FREE

 A 002 HELLO
*B 018 LIB
*B 016 LOGO1
*B 021 LOGO2
*B 017 LOGO3
 B 010 AMS-STARTUP.OBJ
 B 041 AMS-GAME.OBJ
 B 021 AMS-CONTROL.OBJ
 B 051 AMS-CREATE.OBJ
*B 003 DEFAULT
*B 009 AMS-SHAPES1
*B 008 AMS-SHAPES2
*B 005 PROBLEM-SHAPES
 B 004 GAME-LIST
 B 002 WORD-LIST1
 B 002 WORD-LIST2
 B 002 WORD-LIST3

]RUN HELLO
...works...

The reason I always do this is to see whether there are any runtime checks
for subtle differences in the original DOS. If the program runs after booting
from a third-party disk, I can eliminate a whole range of possible secondary
protections.

Now to make the disk be able to read itself (remember, it still has the
original RWTS on it)...

[Copy ][+ 8.4]
--> COPY
--> DOS
--> from slot 6, drive 2
--> to slot 6, drive 1

[S6,D1=demuffin'd copy]
[S6,D2=newly formatted DOS 3.3 disk]

...read read read...
...write write write...

]PR#6
...works...

There doesn't appear to be any further protection.

Quod erat liberandum.

---------------------------------------
A 4am crack No. 679
------------------EOF------------------
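The two protections identified in Chapter 0, the DF AA EB data epilogue on T04+ and the suspected change to the nibble translate table, modelled in Python as an added example that is not part of this write-up: it encodes one 256-byte sector the way a DOS 3.3 style RWTS does, then reads it back three ways (stock RWTS, stock RWTS with only the epilogue patched, captured RWTS). The modified translate table is a constructed stand-in (a rotation of the standard one), not DLM's real table, and the sector contents are constructed.

```python
def make_table():
    # Standard 6-and-2 write table: high bit set, at most one "00" pair (counted
    # with overlap, so "000" fails), at least one "11" pair below bit 7.
    return [b for b in range(0x96, 0x100)
            if sum(format(b, "08b")[i:i + 2] == "00" for i in range(7)) <= 1
            and "11" in format(b, "08b")[1:]]   # exactly 64 legal nibbles

def encode(data, table, epilogue):
    # What the RWTS writes: D5 AA AD, 343 nibbles (86 two-bit "aux" groups,
    # 256 six-bit bytes, one checksum), then the data epilogue.
    padded = bytes(data) + b"\0\0"               # bytes 256/257 read as zero
    aux = [0] * 86
    for i in range(86):
        for k in range(3):
            lo = padded[i + 86 * k] & 3
            aux[i] |= (((lo & 1) << 1) | (lo >> 1)) << (2 * k)
    six = aux[::-1] + [b >> 2 for b in data]
    out, prev = [], 0
    for v in six:                                # XOR-chained, then translated
        out.append(table[prev ^ v])
        prev = v
    out.append(table[prev])                      # checksum nibble
    return bytes([0xD5, 0xAA, 0xAD] + out + list(epilogue))

def decode(field, table, epilogue):
    # A stock-style read: None when the epilogue does not match (COPYA's "disk
    # read error"); otherwise (data, checksum_ok), data returned even if bad.
    if field[:3] != b"\xD5\xAA\xAD" or field[346:349] != bytes(epilogue):
        return None
    inv = {n: v for v, n in enumerate(table)}
    six, prev = [], 0
    for n in field[3:346]:
        prev ^= inv.get(n, 0)
        six.append(prev)
    ok = six[342] == 0 and all(n in inv for n in field[3:346])
    aux, data = six[:86][::-1], bytearray(256)
    for j in range(256):
        two = (aux[j % 86] >> (2 * (j // 86))) & 3
        data[j] = (six[86 + j] << 2) | ((two & 1) << 1) | (two >> 1)
    return bytes(data), ok

SECTOR, STD_TABLE = bytes(range(256)), make_table()   # constructed sample sector
DLM_TABLE = STD_TABLE[1:] + STD_TABLE[:1]             # constructed stand-in, not DLM's real table
STD_EPI, DLM_EPI = (0xDE, 0xAA, 0xEB), (0xDF, 0xAA, 0xEB)

def simulate():
    field = encode(SECTOR, DLM_TABLE, DLM_EPI)   # as written by the protected RWTS
    return (decode(field, STD_TABLE, STD_EPI),   # COPYA: epilogue mismatch, read error
            decode(field, STD_TABLE, DLM_EPI),   # Disk Fixer, epilogue patched: garbage
            decode(field, DLM_TABLE, DLM_EPI))   # Demuffin with captured "RWTS 4+": clean
```

The second result is what Disk Fixer showed after the epilogue was set to DF AA EB: the sector reads, but the bytes come back wrong because the translate table does not match the one that wrote them.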