-------------Extra! Extra!------------- A 4am crack 2015-12-18 --------------------------------------- Name: Extra! Extra! Genre: educational Year: 1984 Publisher: Milton Bradley Media: single-sided 5.25-inch floppy OS: DOS 3.3 Previous cracks: none [Not to be confused with the re-release by Media Materials a year later with an updated copy protection scheme.] ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified addres and data epilogue bytes ("AA AA EB" for each) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "AA AA EB" set Data Epilogue to "AA AA EB" all tracks readable T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "HELLO" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. there is no step 3 (I hope) ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ]CATALOG,S6,D2 C1983 DSR^C#254 062 FREE A 002 HELLO B 003 R6 T 214 CLUS B 006 JBEGIN.OBJ B 003 JK B 008 KOEI B 034 MB.TITLE T 003 PH0 T 003 PH1 T 003 PH2 B 002 REC B 026 RUNTIME.CG B 002 KJID B 002 UNP B 005 R1 B 005 R2 B 004 R3 B 006 R4 B 004 R5 B 007 R0 B 002 SCRL B 062 J12.OBJ B 018 JINST.OBJ B 006 R7 T 003 VAR T 001 PFILE3 ]RUN HELLO ...works... [S6,D1=demuffin'd copy] ]PR#6 ...grinds... ~ Chapter 2 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP T00,S03,$91 change AA to DE T00,S03,$35 change AA to DE T00,S02,$9E change AA to DE (Just RWTS fixes, and they missed one of the epilogue bytes. Luckily the disk doesn't write to itself, so the bug is never exercised. There doesn't appear to be any secondary protection.) Quod erat liberandum. --------------------------------------- A 4am crack No. 534 ------------------EOF------------------