------------Alphabet Circus------------
A 4am crack                  2015-05-26
---------------------------------------

Name: Alphabet Circus
Genre: educational
Year: 1984
Authors: Neosoft
Publisher: Developmental Learning
  Materials (DLM)
Media: single-sided 5.25-inch floppy
OS: Pronto-DOS (T02,S00 contains the
  string "PRONTO-DOS" backwards)
Other versions: none (preserved here
  for the first time)
Similar cracks: Alien Addition (crack
  no. 277)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  can't read anything past track $02

EDD 4 bit copy (no sync, no count)
  no errors during copying
  copy loads a few tracks then grinds
    and crashes

Copy ][+ nibble editor
  T03+ -> modified address and data
    prologue ("D7 AA 96" / "D7 AA AD")
    and modified epilogues ("DF AA EB")

Disk Fixer
  T00 -> looks like a DOS 3.3 RWTS
  T00-T02 -> looks like a full DOS
  T01,S07 -> startup program is "HELLO"
  ["O" -> "Input/Output Control"]
    set Address Prologue to "D7 AA 96"
    set Address Epilogue to "DF AA EB"
    set Data Prologue to "D7 AA AD"
    set Data Epilogue to "DF AA EB"
  T03+ readable!
  T11 -> DOS 3.3 disk catalog

Why didn't COPYA work?
  modified prologue bytes (T03+)

Why didn't Locksmith FDB work?
  ditto

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. find nibble check and bypass it

                   ~

               Chapter 1
In Which Automated Tools Get Us Nowhere


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC1:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC2:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC3:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC4:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC5:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC6:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC7:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC8:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC9:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCA:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCB:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCC:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCD:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCE:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCF:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Well then. That was... not entirely
successful. Not entirely unsuccessful,
I suppose. But I need to dig deeper.

                   ~

               Chapter 2
  In Which We Find Something Curious
  And Our Adventure Begins In Earnest


]PR#5
...
]CALL -151

*9600<C600.C6FFM

; set up callback #1 after boot0 loads
; boot1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; (callback #1) set up callback #2
; after boot1 loads boot2
970A-   A9 4C       LDA   #$4C
970C-   8D 47 B7    STA   $B747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 B7    STA   $B748
9714-   A9 97       LDA   #$97
9716-   8D 49 B7    STA   $B749

; continue the boot
9719-   4C 00 B7    JMP   $B700

; (callback #2) copy entire DOS into
; lower memory so it survives a reboot
; to my work disk
971C-   A2 23       LDX   #$23
971E-   A0 00       LDY   #$00
9720-   B9 00 9D    LDA   $9D00,Y
9723-   99 00 2D    STA   $2D00,Y
9726-   C8          INY
9727-   D0 F7       BNE   $9720
9729-   EE 22 97    INC   $9722
972C-   EE 25 97    INC   $9725
972F-   CA          DEX
9730-   D0 EE       BNE   $9720

; and reboot to my work disk
9732-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$135
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2,A$2D00,L$2300
]CALL -151

*FE89G FE93G      ; disconnect my DOS
*9D00<2D00.4FFFM  ; move DOS into place

*9D84L
.
. nothing unusual, until...
.
9E4D-   4C 0D BF    JMP   $BF0D

That is supposed to jump to $A180. And
$BF0D is supposed to be part of the
INIT routine. I certainly hope we're
not formatting the disk.

*BF0DL

; set up RWTS parameter table
; track $02
BF0D-   A0 02       LDY   #$02
BF0F-   8C EC B7    STY   $B7EC
BF12-   88          DEY

; read command ($01)
BF13-   8C F4 B7    STY   $B7F4
BF16-   88          DEY
BF17-   F0 01       BEQ   $BF1A
BF19-   6C 8C F0    JMP   ($F08C) <-- ?
BF1C-   B7          ???

Wait, what?

Oh, I see it. The Y register starts at
2, is decremented twice, then the BEQ
branches to... the middle of the next
listed instruction. Just to make it
slightly more difficult to do exactly
the thing I am trying to do, 31 years
later. A little "f--- you" from 1984.

On the bright side, at least we're not
formatting the disk.

*BF19:EA    ; change to NOP for listing

*BF0DL

BF0D-   A0 02       LDY   #$02
BF0F-   8C EC B7    STY   $B7EC
BF12-   88          DEY
BF13-   8C F4 B7    STY   $B7F4
BF16-   88          DEY
BF17-   F0 01       BEQ   $BF1A
BF19-   EA          NOP

; more RWTS parameter setup
BF1A-   8C F0 B7    STY   $B7F0
BF1D-   8C EB B7    STY   $B7EB
BF20-   A2 09       LDX   #$09
BF22-   D0 01       BNE   $BF25
BF24-   20 8E ED    JSR   $ED8E   <-- ?
BF27-   B7          ???

The same obfuscation trick again: $BF22
branches to $BF25, which is in the
middle of the listed instruction at
$BF24. There is no JSR to $ED8E; that's
not even a real entry point.

*BF24:EA

I'm sure the suspense is killing you:
yes, there are several more of these.

*BF2C:EA

*BF34:EA

And here is the final, unobfuscated
disassembly:

*BF0DL

; track $02
BF0D-   A0 02       LDY   #$02
BF0F-   8C EC B7    STY   $B7EC
BF12-   88          DEY

; read command ($01)
BF13-   8C F4 B7    STY   $B7F4
BF16-   88          DEY
BF17-   F0 01       BEQ   $BF1A
BF19-   EA          NOP
BF1A-   8C F0 B7    STY   $B7F0

; any disk volume number
BF1D-   8C EB B7    STY   $B7EB
BF20-   A2 09       LDX   #$09
BF22-   D0 01       BNE   $BF25
BF24-   EA          NOP

; sector $09
BF25-   8E ED B7    STX   $B7ED

; into $7900
BF28-   A9 79       LDA   #$79
BF2A-   D0 01       BNE   $BF2D
BF2C-   EA          NOP
BF2D-   8D F1 B7    STA   $B7F1
BF30-   A9 B7       LDA   #$B7
BF32-   D0 01       BNE   $BF35
BF34-   EA          NOP
BF35-   A0 E8       LDY   #$E8

; read the sector
BF37-   20 B5 B7    JSR   $B7B5

; jump to the code we just read
BF3A-   4C 02 79    JMP   $7902

And that's where I can interrupt the
boot to capture the code at $7900.

                   ~

               Chapter 3
     In Which We Try To Understand
     Some Code That Someone Really
     Doesn't Want Us To Understand


*9600<C600.C6FFM

; set up callback #1 after boot0 loads
; boot1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; (callback #1) set up callback #2
; after boot1 loads boot2
970A-   A9 4C       LDA   #$4C
970C-   8D 47 B7    STA   $B747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 B7    STA   $B748
9714-   A9 97       LDA   #$97
9716-   8D 49 B7    STA   $B749

; continue the boot
9719-   4C 00 B7    JMP   $B700

; (callback #2) set up callback #3
; after boot2 loads the mystery code at
; $7900
971C-   A9 4C       LDA   #$4C
971E-   8D 3A BF    STA   $BF3A
9721-   A9 2E       LDA   #$2E
9723-   8D 3B BF    STA   $BF3B
9726-   A9 97       LDA   #$97
9728-   8D 3C BF    STA   $BF3C
9728-   8D 3C BF    STA   $BF3C

; continue the boot
972B-   4C 84 9D    JMP   $9D84

; (callback #3) reboot to my work disk
972E-   4C 00 C5    JMP   $C500

*BSAVE TRACE3,A$9600,L$131
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT3 7900-79FF,A$7900,L$100
]CALL -151

*7902L

7902-   EA          NOP
7903-   A9 01       LDA   #$01
7905-   8D F4 B7    STA   $B7F4
7908-   D0 01       BNE   $790B
790A-   4C A9 0A    JMP   $0AA9
790D-   8D ED B7    STA   $B7ED
7910-   D0 01       BNE   $7913
7912-   6C A9 02    JMP   ($02A9)

Argh, more obfuscation. $7908 branches
to $790B, so the JMP listed at $790A is
fake and never executed. Ditto $7910
(branching to $7913). And, as it turns
out, several more...

*790A:EA

*7912:EA

*7928:EA

*7933:EA

*7939:EA

*793E:EA

*7947:EA

*794D:EA

Seriously.

Here is the final, unobfuscated
disassembly:

*7902L

7902-   EA          NOP

; RWTS read command ($01)
7903-   A9 01       LDA   #$01
7905-   8D F4 B7    STA   $B7F4
7908-   D0 01       BNE   $790B
790A-   EA          NOP

; sector $0A
790B-   A9 0A       LDA   #$0A
790D-   8D ED B7    STA   $B7ED
7910-   D0 01       BNE   $7913
7912-   EA          NOP

; track $02
7913-   A9 02       LDA   #$02
7915-   8D EC B7    STA   $B7EC

; into $BF00
7918-   A9 BF       LDA   #$BF
791A-   8D F1 B7    STA   $B7F1

; read the sector
791D-   A9 B7       LDA   #$B7
791F-   A0 E8       LDY   #$E8
7921-   20 B5 B7    JSR   $B7B5

7924-   A9 DF       LDA   #$DF
7926-   D0 01       BNE   $7929
7928-   EA          NOP

; fiddle with RWTS (data prologue)
7929-   8D 35 B9    STA   $B935
792C-   8D 9E B8    STA   $B89E

; more RWTS fiddling
792F-   A0 FC       LDY   #$FC
7931-   D0 01       BNE   $7934
7933-   EA          NOP
7934-   8C 60 BC    STY   $BC60
7937-   D0 01       BNE   $793A
7939-   EA          NOP

; address prologue
793A-   A0 D7       LDY   #$D7
793C-   D0 01       BNE   $793F
793E-   EA          NOP
793F-   8C 7A BC    STY   $BC7A
7942-   8C 55 B9    STY   $B955
7945-   D0 01       BNE   $7948
7947-   EA          NOP
7948-   8C E7 B8    STY   $B8E7
794B-   D0 01       BNE   $794E
794D-   EA          NOP
794E-   8C 53 B8    STY   $B853

; set up another read, from T03,S00
7951-   A9 00       LDA   #$00
7953-   8D ED B7    STA   $B7ED
7956-   A0 03       LDY   #$03
7958-   8C EC B7    STY   $B7EC

; restore JMP that led us here (a.k.a.
; cover our tracks from anyone who
; manages to break into the program
; later and capture memory)
795B-   A2 80       LDX   #$80
795D-   8E 4E 9E    STX   $9E4E
7960-   A2 A1       LDX   #$A1
7962-   8E 4F 9E    STX   $9E4F

; the next read is into $7900 (and will
; overwrite this code)
7965-   A9 79       LDA   #$79
7967-   8D F1 B7    STA   $B7F1
796A-   A9 00       LDA   #$00
796C-   8D EB B7    STA   $B7EB

; continue elsewhere
796F-   4C AF BE    JMP   $BEAF

I don't have the original disk's $BEAF
in memory anymore, but I have it on my
work disk.

*BLOAD BOOT2,A$2D00

*FE89G FE93G      ; disconnect DOS
*9D00<2D00.4FFFM  ; move DOS into place

*BEAFL

; execute the sector read (into $7900)
BEAF-   A9 B7       LDA   #$B7
BEB1-   A0 E8       LDY   #$E8
BEB3-   20 B5 B7    JSR   $B7B5

; finally continue with the boot (but
; with the RWTS modifications in place)
BEB6-   4C 80 A1    JMP   $A180

And that's where my next interrupt will
be.

                   ~

               Chapter 4
       In Which We (Finally) Use
   The Original Disk Against Itself


*9600<C600.C6FFM

; set up callback #1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; (callback #1) set up callback #2
970A-   A9 4C       LDA   #$4C
970C-   8D 47 B7    STA   $B747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 B7    STA   $B748
9714-   A9 97       LDA   #$97
9716-   8D 49 B7    STA   $B749

; continue the boot
9719-   4C 00 B7    JMP   $B700

; (callback #2) set up callback #3
971C-   A9 4C       LDA   #$4C
971E-   8D 3A BF    STA   $BF3A
9721-   A9 2E       LDA   #$2E
9723-   8D 3B BF    STA   $BF3B
9726-   A9 97       LDA   #$97
9728-   8D 3C BF    STA   $BF3C

; continue the boot
972B-   4C 84 9D    JMP   $9D84

; (callback #3) set up callback #4
972E-   A9 4C       LDA   #$4C
9730-   8D B6 BE    STA   $BEB6
9733-   A9 40       LDA   #$40
9735-   8D B7 BE    STA   $BEB7
9738-   A9 97       LDA   #$97
973A-   8D B8 BE    STA   $BEB8

; continue the boot
973D-   4C 02 79    JMP   $7902

; (callback #4) save the final RWTS
; in lower memory so it survives a
; reboot
9740-   A2 08       LDX   #$08
9742-   A0 00       LDY   #$00
9744-   B9 00 B8    LDA   $B800,Y
9747-   99 00 28    STA   $2800,Y
974A-   C8          INY
974B-   D0 F7       BNE   $9744
974D-   EE 46 97    INC   $9746
9750-   EE 49 97    INC   $9749
9753-   CA          DEX
9754-   D0 EE       BNE   $9744

; reboot to my work disk
9756-   4C 00 C5    JMP   $C500

*BSAVE TRACE4,A$9600,L$159
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE RWTS 3+,A$2800,L$800

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS 3+" from D1

["6" to switch to slot 6]

["C" to convert disk]

["Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $03        <-- change this
START SECTOR: $00
END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

And here we go...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:   ................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:   ................................
SC1:   ................................
SC2:   ................................
SC3:   ................................
SC4:   ................................
SC5:   ................................
SC6:   ................................
SC7:   ................................
SC8:   ................................
SC9:   ................................
SCA:   ................................
SCB:   ................................
SCC:   ................................
SCD:   ................................
SCE:   ................................
SCF:   ................................
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
028 FREE

 A 002 HELLO
 B 010 GRAPHICS
 B 006 PA
 B 033 PAGE1.1
 B 006 PB
 B 006 PS
 B 006 PT
 B 006 PU
 B 006 PV
 B 006 PW
 B 006 PX
 B 006 PC
 B 006 PD
 B 006 PE
 B 006 PF
 B 033 PAGE1B
 B 006 PG
 B 006 PH
 B 006 PI
 B 006 PJ
 B 006 PK
 B 006 PL
 B 006 PM
 B 006 PN
 B 006 PO
 B 006 PP
 B 006 PQ
 B 006 PR
 B 006 PZ
 B 006 PY
 B 063 PIC.PLETRING
 B 019 PIC.PJUG
*B 006 PIC.HAT/SEAL
 A 013 GAME.HELLO
 A 019 GAME.MARQUEE
 A 017 GAME.LOST
 A 022 GAME.WHO
 A 020 GAME.MEET
 A 020 GAME.SECRET
 A 016 GAME.JUGGLER
 A 015 GAME.SCOREBOARD
 B 003 SOUND TEST
 B 033 CIRCUS SELECT

]RUN HELLO
...works...

[S6,D1=non-working copy]
[S6,D2=newly formatted Pronto-DOS disk]

[Copy ][+]
  --> COPY
    --> DOS
      --> from slot 6, drive 2
      -->   to slot 6, drive 1

...read read read...
...write write write...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 317
------------------EOF------------------