------------Clowning Around------------
A 4am crack
2015-12-16
---------------------------------------

Name: Clowning Around
Genre: educational
Year: 1985
Publisher: Learning Technologies, Inc.
Media: single-sided 5.25-inch floppy
OS: Diversi-DOS
Previous cracks: none

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  copy works

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified address + data epilogues
  (AA DE EB instead of DE AA EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "AA DE EB"
  set Data Epilogue to "AA DE EB"
  Success! All tracks readable!
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
    (just structural changes to
    prologues and epilogues)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

~

Chapter 1
In Which We Attempt To Use The Original
Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
          ADVANCED DEMUFFIN 1.5
  (C) 1983, 2014 ORIGINAL BY THE STACK
             UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
229 FREE
 A 003 HELLO
 B 003 DDT
*B 005 BUS
 A 022 PGM
 B 034 TITLE
*B 031 TITLE-1
 B 031 TITLE-2
*B 003 PR
 B 018 P1
 B 018 P2
 B 039 P3
 B 003 DDT1
*B 002 DATA
 B 002 DDT2
 B 002 UNPACKER
 B 017 CLOWNING AROUND.PAC
 B 034 TITLE.LTI

]RUN HELLO

...hangs...

[S5,D1=DOS 3.3 master disk]

]PR#5
]RUN HELLO,S6,D2

...program loads and runs...

So it doesn't like Diversi-DOS 64K (the DOS on my work disk). It's probably
calling DOS functions directly or assuming the RWTS parameter table is at a
specific address, instead of using the vectors on page 3. Or possibly it uses
the language card itself. But it works when I boot an unmodified DOS 3.3.
That means it isn't checking for its original DOS at runtime, which rules out
a whole class of secondary protections that I now don't need to look for.

[S6,D1=demuffin'd copy]

]PR#6

...grinds then crashes...

The demuffin'd disk can't read itself. This is not unusual. The converted copy
now has standard epilogues, but its RWTS still expects the modified ones. I
need to patch the RWTS to read a standard disk.
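The whole protection lives in the three epilogue bytes after each address and data field, so it can be spotted mechanically. As an added example (my own code, not 4am's tools or anything from the original write-up), this Python scanner walks a constructed nibble stream, locates each field by its standard prologue, and reports every epilogue that is not DE AA EB, which is what the Copy ][+ nibble editor pass in Chapter 0 found by eye. It assumes standard 4-and-4 address fields and 343-nibble 6-and-2 data fields; the sample stream is constructed, not captured from the disk.

```python
# Scan a raw Apple II 16-sector nibble stream and report the epilogue bytes
# that follow every address field and data field.
ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0x96])
DATA_PROLOGUE = bytes([0xD5, 0xAA, 0xAD])
STD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])
MOD_EPILOGUE = bytes([0xAA, 0xDE, 0xEB])   # what this disk uses instead
DATA_NIBBLES = 343                          # 342 6-and-2 nibbles + checksum

def encode44(v):
    """4-and-4 encode a byte: odd bits in the first nibble, even bits in the second."""
    return bytes([((v >> 1) | 0xAA) & 0xFF, (v | 0xAA) & 0xFF])

def decode44(hi, lo):
    """Inverse of encode44."""
    return ((hi << 1) | 1) & lo

def address_field(vol, trk, sec, epilogue):
    chk = vol ^ trk ^ sec
    return (ADDR_PROLOGUE + encode44(vol) + encode44(trk) + encode44(sec)
            + encode44(chk) + epilogue)

def data_field(epilogue):
    # 0x96 is a legal 6-and-2 nibble; the payload itself does not matter here.
    return DATA_PROLOGUE + bytes([0x96]) * DATA_NIBBLES + epilogue

def scan_fields(stream):
    """Return (kind, track, sector, epilogue) for each field, in stream order."""
    fields, i = [], 0
    while i + 3 <= len(stream):
        if stream[i:i + 3] == ADDR_PROLOGUE and i + 14 <= len(stream):
            b = stream[i + 3:i + 11]                 # vol, trk, sec, chk (4-and-4)
            trk, sec = decode44(b[2], b[3]), decode44(b[4], b[5])
            fields.append(("address", trk, sec, bytes(stream[i + 11:i + 14])))
            i += 14
        elif stream[i:i + 3] == DATA_PROLOGUE and i + 6 + DATA_NIBBLES <= len(stream):
            end = i + 3 + DATA_NIBBLES               # skip the encoded sector body
            fields.append(("data", None, None, bytes(stream[end:end + 3])))
            i = end + 3
        else:
            i += 1
    return fields

def nonstandard_epilogues(stream):
    """Fields whose epilogue is not DE AA EB: exactly what makes COPYA give up."""
    return [(k, t, s, e.hex().upper())
            for k, t, s, e in scan_fields(stream) if e != STD_EPILOGUE]

# Constructed stream: sync bytes, T0 S3 with modified epilogues, T0 S4 standard.
SAMPLE = (b"\xFF" * 8 + address_field(254, 0, 3, MOD_EPILOGUE) + b"\xFF" * 6
          + data_field(MOD_EPILOGUE) + b"\xFF" * 8
          + address_field(254, 0, 4, STD_EPILOGUE) + b"\xFF" * 6
          + data_field(STD_EPILOGUE))

if __name__ == "__main__":
    for entry in nonstandard_epilogues(SAMPLE):
        print(entry)
```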
~

Chapter 2
In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
I Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

T00,S03,$91 change AA to DE
T00,S03,$9B change DE to AA
T00,S03,$35 change AA to DE
T00,S03,$3F change DE to AA
T00,S06,$AE change AA to DE
T00,S06,$B3 change DE to AA
T00,S02,$9E change AA to DE
T00,S02,$A3 change DE to AA

Quod erat liberandum.

---------------------------------------
A 4am crack No. 520
------------------EOF------------------