------------Early Elementary-----------
A 4am crack                  2015-07-01
---------------------------------------

Name: Early Elementary Disk I
Genre: educational
Year: 1981
Publisher: Compu-Tations
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Other versions: none (preserved here for the first time)
Similar cracks: Snooper Troops 2 (crack no. 278)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  read error on T1B but copy works

Copy ][+ nibble editor
  T00-T02 -> modified address epilogue (ED AA EB)
  T03-T22 -> modified address prologue (D4 AA 96)
  T1B -> unformatted? mostly sync bytes

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "ED AA EB"
  T00-T02 -> looks like DOS 3.3
  T01,S09 -> startup program is HELLO
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DE AA EB"
    set Address Prologue to "D4 AA 96"
  T11 -> looks like disk catalog

Why didn't COPYA work?
  modified epilogues / prologues

Why didn't Locksmith FDB work?
  ditto

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format with Advanced Demuffin
  3. patch RWTS to read standard format (if necessary)

                   ~

               Chapter 1
     In Which Things Don't Always
           Go According To Plan

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

[press "5" to switch to slot 5]

[press "R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]

[press "C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
+.5:0123456789ABCDEF0123456789ABCDEF012
SC0:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC1:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC2:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC3:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC4:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC5:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC6:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC7:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC8:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC9:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCA:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCB:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCC:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCD:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCE:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCF:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Let's back up.

]PR#5
]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G       ; disconnect DOS

*B600<2600.2FFFM   ; move RWTS into place

*B700L
.
.
nothing unusual at all
.
B747-   4C 84 9D    JMP   $9D84

It makes sense that I haven't found anything unusual yet. Evidence so far suggests that the RWTS on disk can read tracks 0-2 (which is where it's loading DOS), then it switches to a different RWTS that can read the rest of the disk. So whatever this disk is doing to modify its RWTS or load a new one, it's going to do it after loading DOS. And I need to find out where.

But that means I need to trace the boot even further.

*C500G             ; because I have no DOS
...
]CALL -151

*9600
At $B8, load "RWTS 3+" from D1

[press "6" to switch to slot 6]

[press "C" to convert disk]

[press "Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================

INPUT ALL VALUES IN HEX

SECTORS PER TRACK? (13/16) 16

START TRACK: $03       <-- change this
START SECTOR: $00

END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Now press RETURN to start the copy...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:   ........................R.......
+.5:0123456789ABCDEF0123456789ABCDEF012
SC0:   ........................R.......
SC1:   ........................R.......
SC2:   ........................R.......
SC3:   ........................R.......
SC4:   ........................R.......
SC5:   ........................R.......
SC6:   ........................R.......
SC7:   ........................R.......
SC8:   ........................R.......
SC9:   ........................R.......
SCA:   ........................R.......
SCB:   ........................R.......
SCC:   ........................R.......
SCD:   ........................R.......
SCE:   ........................R.......
SCF:   ........................R.......
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Now what?!?

Oh wait, I remember EDD had problems on track $1B as well. And the nibble check did an RWTS seek to track $1B. I can't read it because there's nothing to read.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
287 FREE

*A 017 INTRO LOWER EL
*A 026 COLOR MATCH
*A 029 NUMBER DRILL
*A 017 SHAPE MATCH
 B 033 PIC.SHAPE TITLE
*A 002 HELLO
 T 004 CLASS FILE
*A 029 TEACHER FILE
 T 002 T
*A 032 COUNT THE SHAPES
 T 002 N

]RUN HELLO
...works...
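
Why the stock copiers in Chapter 0 fail, and why tracks $00-$02 and $03-$22 each need their own RWTS, shown as an added example (not part of the original write-up): a DOS 3.3 style address-field scanner run over nibble streams that use the marker bytes Copy ][+ reported. The streams, the volume number used in them and all function names are constructed for illustration.

```python
# Added example (not from the original write-up). Marker bytes are the ones
# listed in Chapter 0; the nibble streams below are constructed samples.
MARKERS = {
    "standard DOS 3.3": (b"\xD5\xAA\x96", b"\xDE\xAA"),
    "this disk T00-T02": (b"\xD5\xAA\x96", b"\xED\xAA"),
    "this disk T03-T22": (b"\xD4\xAA\x96", b"\xDE\xAA"),
}

def enc44(value):
    """4-and-4 encode one byte as two disk nibbles (odd bits, then even bits)."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])

def dec44(first, second):
    """Inverse of enc44: shift the first nibble left, then AND with the second."""
    return ((first << 1) | 1) & second & 0xFF

def build_address_field(volume, track, sector, markers):
    """Construct prologue + volume/track/sector/checksum + epilogue."""
    prologue, epilogue = markers
    fields = (volume, track, sector, volume ^ track ^ sector)
    return prologue + b"".join(enc44(f) for f in fields) + epilogue + b"\xEB"

def find_address_fields(nibbles, markers):
    """Return (volume, track, sector) for every field these markers accept."""
    prologue, epilogue = markers
    found = []
    pos = nibbles.find(prologue)
    while pos != -1:
        body = nibbles[pos + 3:pos + 13]   # 8 data nibbles + 2 epilogue nibbles
        if len(body) == 10:
            vol, trk, sec, chk = (dec44(body[i], body[i + 1]) for i in range(0, 8, 2))
            # Like DOS 3.3, verify the checksum and the first two epilogue bytes.
            if chk == vol ^ trk ^ sec and body[8:10] == epilogue:
                found.append((vol, trk, sec))
        pos = nibbles.find(prologue, pos + 1)
    return found

def readable_by(nibbles):
    """Names of the marker sets that find at least one sector header."""
    return [name for name, m in MARKERS.items() if find_address_fields(nibbles, m)]

SYNC = b"\xFF" * 8
# Constructed samples: two sector headers on track $00 and two on track $03.
TRACK_00 = b"".join(SYNC + build_address_field(254, 0x00, s, MARKERS["this disk T00-T02"])
                    for s in (0, 1))
TRACK_03 = b"".join(SYNC + build_address_field(254, 0x03, s, MARKERS["this disk T03-T22"])
                    for s in (0, 1))

if __name__ == "__main__":
    for label, stream in (("T00", TRACK_00), ("T03", TRACK_03)):
        print(label, "readable by:", readable_by(stream))
```

Neither sample track is readable with the standard markers, which is the condition Advanced Demuffin removes by rewriting every sector in standard format.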

Now to make the disk be able to read itself, and skip the copy protection routine at $B4BB.

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
...
]BRUN PDP

T00,S03,$91 change ED to DE
T00,S0C,$84 change 4CBBB4 to ADE9B7

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 353
------------------EOF------------------