-------------Antonym Antics------------
A 4am crack                  2016-04-25
---------------------------------------

Name: Antonym Antics
Version: 09.20.83
Genre: educational
Year: 1983
Authors: Perry Edwards
Publisher: MUSE Software
Media: two single-sided 5.25-inch discs
OS: DOS 3.3
Previous cracks: none
Identical cracks:
  #497 The Eating Machine

Disk 1 is protected but bootable.
Disk 2 is unprotected but unbootable.
Life is like that.
This has not been a haiku.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error, but it
  earns a participation medal just for
  showing up

Locksmith Fast Disk Backup
  can read some of track $00 (not S08
  or S0F), all of tracks $01 and $02,
  nothing else

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  tracks $03+ use modified address
  prologue "D5 DA 96", data prologue
  "D5 DA AD", data epilogue "DE DA AB"

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Prologue to "D5 DA 96"
    set Data Prologue to "D5 DA 96"
    set Data Epilogue to "D5 DA 96"
  Success! Tracks 3+ readable!
  But they look a little bit weird...
  Possibly a modified nibble translate
  table?

                 --v--

-------------- DISK EDIT --------------
TRACK $11/SECTOR $0F/VOLUME $01/BYTE$00
---------------------------------------
$00:>24<35 2A 24 24 24 24 24   $5*$$$$$
$08: 24 24 24 27 2B 26 EC E1   $$$'+&la
$10: E8 E8 EB 84 84 84 84 84   hhk.....
$18: 84 84 84 84 84 84 84 84   ........
$20: 84 84 84 84 84 84 84 84   ........
$28: 84 84 84 84 34 24 27 29   ....4$')
$30: 20 E8 EB E3 EB 84 84 84    hkck...
$38: 84 84 84 84 84 84 84 84   ........
$40: 84 84 84 84 84 84 84 84   ........
$48: 84 84 84 84 84 84 84 31   .......1
$50: 24 20 2C 20 F7 E7 F6 F1   $ , wgvq
$58: EA E7 EC 84 84 84 84 84   jgl.....
$60: 84 84 84 84 84 84 84 84   ........
$68: 84 84 84 84 84 84 84 84   ........
$70: 84 84 27 24 21 2C 26 F4   ..'$!,&t
$78: F6 EB E3 F6 E5 E9 84 84   vkcvei..
----------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL

---------------------------------------
COMMAND : _

                 --^--

Why didn't COPYA work?
  modified prologues and epilogues

Why didn't Locksmith FDB work?
  modified prologues and epilogues

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself
    And It Does Not Go At All Well


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

[<Return> to start conversion]

...Advanced Demuffin crashes...

Wait, what?

                   ~

               Chapter 2
        In Which We Muse On The
    Pluralization Of Made-Up Words


]PR#5
...hold down <Esc> key during boot so
   Diversi-DOS doesn't relocate to the
   language card...

I'll leave the standard RWTS (on my
work disk) at $B800 and load the
original disk's RWTS at $3800. Then I
can use standard monitor commands to
compare them.

]BLOAD RWTS,A$3800
]CALL -151

The entry point that Advanced Demuffin
calls is $BD00, so let's start there.

*3D00<BD00.BDFFV

BD95-5A (E7)
BD96-BE (BC)
BDA4-4E (46)
BDBD-30 (7F)

Aha! Four differences, just in the
$BD00..$BDFF range alone.

*3D90L

3D90-   A0 04       LDY   #$04
3D92-   B1 48       LDA   ($48),Y
3D94-   20 E7 BC    JSR   $BCE7   <-- ?
3D97-   28          PLP
3D98-   D0 11       BNE   $3DAB

According to "Beneath Apple DOS," this
code (normally at $BD90) will "get
destination track and go to it using
MYSEEK subroutine at $BE5A." [p. 8-38]
But instead of $BE5A, we're calling
$BCE7 instead, which is normally unused
space.

*3CE7L

; save track number (in accumulator)
3CE7-   48          PHA

; track > 3?
3CE8-   C9 03       CMP   #$03

; yes, branch
3CEA-   B0 04       BCS   $3CF0

; no, track is 0-2
3CEC-   A9 AA       LDA   #$AA
3CEE-   D0 02       BNE   $3CF2
3CF0-   A9 DA       LDA   #$DA

; uh oh
3CF2-   20 B6 B6    JSR   $B6B6
3CF5-   A9 0E       LDA   #$0E
3CF7-   8D 55 B6    STA   $B655
3CFA-   68          PLA
3CFB-   4C 5A BE    JMP   $BE5A

Without even investigating the routine
at $B6B6 (which I will, don't worry),
I can tell you why Advanced Demuffin
crashed. This RWTS is calling a custom
routine outside the $B800..$BFFF range.
It's not self-contained like most RWTSs
are(*). If you boot the original disk,
T00,S00 is reloaded at $B600, so it's
available for whatever. (Even later
versions of DOS 3.3 use it for code
patches.)

(*) Almost 500 write-ups and I still
    don't know how to pluralize "RWTS"

I have the code at $B600; it's in the
"BOOT1" file that my AUTOTRACE script
saved to my work disk.

*BLOAD BOOT1,A$3600
*36B6L

; make a bunch of adjustments to the
; prologues and epilogues
36B6-   8D 58 B8    STA   $B858
36B9-   8D A3 B8    STA   $B8A3
36BC-   8D F1 B8    STA   $B8F1
36BF-   8D 3F B9    STA   $B93F
36C2-   8D 5F B9    STA   $B95F
36C5-   8D 7F BC    STA   $BC7F

; and an adjustment to the nibble
; translate table
36C8-   49 70       EOR   #$70
36CA-   8D 4C BA    STA   $BA4C
36CD-   60          RTS

The solution is simple: use the "BOOT1"
file instead of the "RWTS" file in
Advanced Demuffin.

*BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B6, load "BOOT1" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:R..................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:R..................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:R..................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Oh what fresh hell is this.

                   ~

               Chapter 3
    In Which We Briefly Investigate
        What Fresh Hell This Is


]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
003 FREE

 A 016 HELLO
 B 021 LOGO
 B 003 SCRUNCH
 A 016 PROGRAM
 B 004 MOVE&UNSCR2
 B 008 COPYPIC
 B 007 SHAPES
 B 002 WORDS1
 B 032 PIC1
 B 032 PIC2
 B 032 PIC3
 B 032 PIC4
 B 032 PIC5
 B 032 PIC6
 B 032 PIC7
 B 032 PIC8
 B 032 PIC9
 B 032 PIC10
 B 032 PIC11
 B 032 PIC12
 B 032 PIC13

]RUN HELLO
...works...

OK, my copy does not appear to use the
two sectors I can't read. That's good.
That narrows the scope considerably.

]PR#5
]BLOAD BOOT0,A$800
]CALL -151
.
. poke, poke, poke...
.

Aha! Here's the problem.

*84D.85C

084D-                00 0D 0B
0850- 09 07 05 03 01 02 0C 0A
0858- 08 06 04 02 0F

This is the mapping of physical to
logical sectors. It's used by boot0 to
load boot1 from sectors 9 through 0.
Notice anything odd? $02 is listed
twice!

Turning to my trusty Disk Fixer sector
editor and looking at track 0 of the
original disk, I see that the code I
would expect to see on sector 8 (which
is loaded into $BE00..$BEFF) is
actually on sector $0E! Because of the
duplicate $02 in the physical/logical
sector mapping in boot0, the original
disk ignores logical sector 8 and
instead loads that code from logical
sector $0E.

But what about sector $0F? Surely that
is used to hold part of boot2. On a
standard DOS 3.3 disk, DOS is loaded
backwards from T02,S04 down to T00,S0D,
so T00,S0F would be loaded at $9F00.
But on this disk, it is not. Why?

]PR#5
]BLOAD BOOT1,A$2600
]CALL -151
*B700<2700.27FFM
*B700L

B700-   8E E9 B7    STX   $B7E9
B703-   8E F7 B7    STX   $B7F7
B706-   A9 01       LDA   #$01
B708-   8D F8 B7    STA   $B7F8
B70B-   8D EA B7    STA   $B7EA
B70E-   AD E0 B7    LDA   $B7E0
B711-   8D E1 B7    STA   $B7E1
B714-   A9 02       LDA   #$02
B716-   8D EC B7    STA   $B7EC
B719-   A9 0A       LDA   #$0A    <-- !
B71B-   8D ED B7    STA   $B7ED
B71E-   AC E7 B7    LDY   $B7E7
B721-   88          DEY
B722-   8C F1 B7    STY   $B7F1

Aha! DOS is loaded starting from
T02,S0A (instead of T02,S04). So it
never gets as far as T00,S0F, so the
fact that that sector doesn't exist
does not pose any existential threat.

Some days, I wish it were enough just
to bypass the protection instead of so
meticulously understanding it.

[S6,D1=demuffin'd disk]

]PR#6
...loads DOS then grinds and exits with
   an I/O error...

Of course, the converted disk can't
read itself, because it still has that
RWTS swapping code at $B6B6. Let's
neuter that.

T00,S00,$B6 change 8D to 60

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 678
------------------EOF------------------