---------Flash Spell Helicopter--------
A 4am crack
2015-03-27
---------------------------------------

Name: Flash Spell Helicopter
Version: 1984-10-22 (seen in comments)
Genre: educational
Year: 1983
Authors: Mark S. Appel, Don Ross, Jon Paul
Publisher: Microcomputer Workshops Courseware
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Other versions: none (preserved here for the first time)

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  copy swings to high track, then hangs

Copy ][+ nibble editor
  modified prologues and epilogues
  address: "BC ** F5" / "E9 F6 **"
  (second prologue byte and third epilogue byte vary, even between different sectors on one track)
  data: "97 FF DD" / "A7 CF F4"

Disk Fixer
  ["O" -> "Input/Output Control"]
  set CHECKSUM ENABLED to "NO"
  T00,S00 readable
  rest of track $00 unreadable
  virtually impossible to read any tracks beyond T00, due to varying address prologue on every sector(!)

Why didn't COPYA work? modified prologues & epilogues
Why didn't Locksmith FDB work? ditto
Why didn't my EDD copy work? probably a nibble check during boot

Next steps:

  1. Boot trace to capture RWTS
  2. Advanced Demuffin to convert disk to standard format
  3. Find nibble check and disable it

~

Chapter 1
In Which We Dive Head First Into Unfriendly Territory

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
]CALL -151
*800<2800.28FFM

*801L

; non-standard from the get go
0801-   20 B3 08    JSR   $08B3

*8B3L

; patch four entries of the nibble decode table used by the
; disk controller ROM's read routine (this explains why I
; couldn't read the rest of track $00 with a sector editor:
; the ROM reads T00,S00 with the unpatched table, and every
; sector the loop at $0804 fetches after this with the
; patched one)
08B3-   A9 3F       LDA   #$3F
08B5-   8D 6C 03    STA   $036C
08B8-   A9 1C       LDA   #$1C
08BA-   8D CC 03    STA   $03CC
08BD-   A9 00       LDA   #$00
08BF-   8D D5 03    STA   $03D5
08C2-   A9 37       LDA   #$37
08C4-   8D A3 03    STA   $03A3

; regular code from $0801
08C7-   A5 27       LDA   $27
08C9-   C9 09       CMP   #$09
08CB-   60          RTS

Continuing from $0804...

*804L

; standard DOS 3.3 bootloader
0804-   D0 19       BNE   $081F
0806-   EA          NOP
0807-   A5 2B       LDA   $2B
0809-   4A          LSR
080A-   4A          LSR
080B-   4A          LSR
080C-   4A          LSR
080D-   09 C0       ORA   #$C0
080F-   85 3F       STA   $3F
0811-   A9 5C       LDA   #$5C
0813-   85 3E       STA   $3E
0815-   18          CLC
0816-   AD FE 08    LDA   $08FE
0819-   6D FF 08    ADC   $08FF
081C-   8D FE 08    STA   $08FE
081F-   AE FF 08    LDX   $08FF
0822-   F0 15       BEQ   $0839
0824-   8A          TXA

; well, mostly standard
0825-   EA          NOP
0826-   EA          NOP
0827-   85 3D       STA   $3D
0829-   CE FF 08    DEC   $08FF
082C-   AD FE 08    LDA   $08FE
082F-   85 27       STA   $27
0831-   CE FE 08    DEC   $08FE
0834-   A6 2B       LDX   $2B
0836-   6C 3E 00    JMP   ($003E)

; execution continues here after sector
; read loop exits (from $0822)
0839-   EE FE 08    INC   $08FE
083C-   EE FE 08    INC   $08FE
083F-   20 89 FE    JSR   $FE89
0842-   20 93 FE    JSR   $FE93
0845-   20 2F FB    JSR   $FB2F

; copy this sector (which we didn't
; re-read) to higher memory
0848-   A2 FF       LDX   #$FF
084A-   BD 00 08    LDA   $0800,X
084D-   9D 00 B6    STA   $B600,X
0850-   CA          DEX
0851-   E0 FF       CPX   #$FF
0853-   D0 F5       BNE   $084A

; hmm
0855-   20 CC 08    JSR   $08CC

*8CCL

; trash all of main memory except the part we just
; loaded from disk: fills $0900-$B5FF, one page at a
; time from $B5 down to $09, with copies of the ROM
; page at $F000 (so $0800-$08FF and the copy at
; $B600 survive)
08CC-   A9 00       LDA   #$00
08CE-   85 00       STA   $00
08D0-   A9 B5       LDA   #$B5
08D2-   85 01       STA   $01
08D4-   A0 FF       LDY   #$FF
08D6-   C8          INY
08D7-   B9 00 F0    LDA   $F000,Y
08DA-   91 00       STA   ($00),Y
08DC-   C0 FF       CPY   #$FF
08DE-   D0 F6       BNE   $08D6
08E0-   C6 01       DEC   $01
08E2-   A9 08       LDA   #$08
08E4-   C5 01       CMP   $01
08E6-   D0 EC       BNE   $08D4
08E8-   60          RTS

Continuing from $0858...
*858L

0858-   A6 2B       LDX   $2B
085A-   4C 00 BB    JMP   $BB00

OK, that's where I need to interrupt the boot. But first I'll need to neuter the subroutine at $08CC that trashes all of main memory.

*9600

At $B8, load "RWTS" from drive 1
[press "6" to switch to slot 6]
[press "C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======

TRK:R.RRRRRRRRRRRRRRR.R........RRRRRRRR
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC1:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC2:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC3:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC4:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC5:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC6:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC7:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC8:R..RRRRRRRRRRRRRR.R........RRRRRRRR
SC9:R..RRRRRRRRRRRRRR.R.........RRRRRRR
SCA:R..RRRRRRRRRRRRRR.R.........RRRRRRR
SCB:R.RRRRRRRRRRRRRRR.R.........RRRRRRR
SCC:R.RRRRRRRRRRRRRRR.R.........RRRRRRR
SCD:R.RRRRRRRRRRRRRRR.R.........RRRRRRR
SCE:R.RRRRRRRRRRRRRRR.R..........R.R..R
SCF:R.RRRRRRRRRRRRRRR.R..........R.....
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

Well that's... disappointing. But wait! Turning to Copy ][+ (5.5, the last version that has this style of disk map), I see an amazing(*) coincidence.

(*) not guaranteed, actual amazement may vary

[Copy ][+ 5.5]
--> TRACK/SECTOR MAP
--> DISK B

--v--
TRACK/SECTOR MAP           DISK B

A *A 002 HELLO
B *A 003 LOGO
C *B 002 UNPACKER
D *B 014 LOGO.PAC
E *B 002 SKIP.OBJ
F *B 002 KEY.OBJ
G *B 018 FSH83.ANM
H *A 064 F
I *A 028 GAME
J  T 002 PASSWORD
K  T 002 SD
L  T 003 SPELLING.DICT
M  T 003 SPELLINGTWO.DICT

                 TRACK
                   1               2
   0123456789ABCDEF0123456789ABCDEF012
S0 ... .DGHHHHII
E1 ... .DGHHHHII
C2 ... .DGHHHHII
T3 ... .DGHHHHII
O4 ... .DGHHHHII
R5 ... .DGGHHHHI
 6 ... .DGGHHHHI
 7 ... .DFGHHHHI
 8 ... .DFGHHHHI
 9 ... .CEGHHHHII
 A ... .CEGHHHHII
 B ... .BDGHHHHII
 C ... .BDGHHHHII
 D ... .BDGHHHHII
 E ... .ADGHHHHIIJ L KM
 F ... .ADGHHHHIIJ LLKMM
--^--

Literally every sector on the disk that isn't actively used is unreadable. On the plus side, every sector on the disk that *is* used is readable. So... flawless victory, I guess.

Now to make the disk able to read itself (remember, it still has the original RWTS on it)...

[Copy ][+ 8.4]
--> COPY
--> DOS
--> from slot 6, drive 2
--> to slot 6, drive 1

[S6,D1=demuffin'd copy]
[S6,D2=newly formatted DOS 3.3 disk]

...read read read...
...write write write...

]PR#6
...works...

There doesn't appear to be any further protection. Quod erat liberandum.

~

Epilogue: Usage Notes

According to the file named PASSWORD, the password to access the management system is STEPHEN.

---------------------------------------
A 4am crack No. 281
------------------EOF------------------
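Added example, not part of the 4am write-up: a scanner that does in code what the Copy ][+ nibble editor search in Chapter 0 did by hand, finding address fields whose prologue and epilogue contain a per-sector wildcard ("BC ** F5" / "E9 F6 **") and decoding the 4-and-4 volume/track/sector/checksum behind them. The nibble stream it runs on is constructed here, not captured from the disk; the field layout after the prologue (volume, track, sector, checksum, 4-and-4 encoded) is assumed to be the DOS 3.3 one, which the page does not state.

```python
"""Scan an Apple II nibble stream for address fields with wildcard markers."""

# Standard DOS 3.3 address field markers, for comparison.
STD_ADDR_PROLOGUE = (0xD5, 0xAA, 0x96)
STD_ADDR_EPILOGUE = (0xDE, 0xAA, None)

# Markers seen on Flash Spell Helicopter; None is a wildcard (byte varies).
FSH_ADDR_PROLOGUE = (0xBC, None, 0xF5)
FSH_ADDR_EPILOGUE = (0xE9, 0xF6, None)


def encode44(value):
    """4-and-4 encode one byte as two nibbles (odd bits, then even bits)."""
    return ((value >> 1) | 0xAA, value | 0xAA)


def decode44(hi, lo):
    """Inverse of encode44: re-interleave the odd and even bits."""
    return ((hi << 1) | 1) & lo


def match_at(nibbles, pos, pattern):
    """True if pattern (None = any byte) matches the stream at pos."""
    if pos + len(pattern) > len(nibbles):
        return False
    return all(p is None or p == nibbles[pos + i] for i, p in enumerate(pattern))


def find_address_fields(nibbles, prologue, epilogue):
    """Return every address field as a dict. Assumed layout after the
    prologue: volume, track, sector, checksum, each 4-and-4 encoded."""
    fields = []
    pos = 0
    while pos + len(prologue) + 8 + len(epilogue) <= len(nibbles):
        if not match_at(nibbles, pos, prologue):
            pos += 1
            continue
        body = pos + len(prologue)
        vol, trk, sec, chk = (decode44(nibbles[body + i], nibbles[body + i + 1])
                              for i in range(0, 8, 2))
        fields.append({
            "offset": pos,
            "prologue": tuple(nibbles[pos:body]),
            "volume": vol, "track": trk, "sector": sec,
            "checksum_ok": chk == (vol ^ trk ^ sec),
            "epilogue_ok": match_at(nibbles, body + 8, epilogue),
        })
        pos = body + 8 + len(epilogue)   # skip past this field
    return fields


def build_address_field(vol, trk, sec, prologue_var, epilogue_var):
    """One address field in this disk's shape (constructed for the sample)."""
    field = [0xBC, prologue_var, 0xF5]
    for v in (vol, trk, sec, vol ^ trk ^ sec):
        field.extend(encode44(v))
    field.extend((0xE9, 0xF6, epilogue_var))
    return field


def sample_track(track=0x11):
    """Constructed stream: three sectors, each with a different varying byte,
    sync bytes between fields, and a data field using the page's
    "97 FF DD" / "A7 CF F4" markers around filler nibbles."""
    stream = [0xFF] * 16
    variants = {0: (0xAB, 0xEB), 7: (0xF6, 0xDE), 14: (0xBD, 0xFA)}
    for sec, (pv, ev) in variants.items():
        stream += build_address_field(254, track, sec, pv, ev)
        stream += ([0xFF] * 5 + [0x97, 0xFF, 0xDD] + [0x96] * 8
                   + [0xA7, 0xCF, 0xF4] + [0xFF] * 8)
    return stream


if __name__ == "__main__":
    for f in find_address_fields(sample_track(), FSH_ADDR_PROLOGUE, FSH_ADDR_EPILOGUE):
        print(f)
    std = find_address_fields(sample_track(), STD_ADDR_PROLOGUE, STD_ADDR_EPILOGUE)
    print("standard D5 AA 96 search finds", len(std), "fields")
```

Running it on a real track capture (one byte per nibble) needs only the stream swapped in. Note that every marker byte on this disk ($BC, $F5, $E9, $F6, $97, $FF, $DD, $A7, $CF, $F4) is itself a legal 6-and-2 data nibble, unlike the reserved $D5/$AA that DOS 3.3 uses, so a standard RWTS has no unique pattern to lock on to; the wildcard is what forces a search rather than a fixed three-byte compare.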
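Added example, not part of the 4am write-up: rebuilding the DOS 3.3 6-and-2 nibble tables and applying the four stores from the routine at $08B3 in Chapter 1 to the disk controller ROM's decode table, to see what the patch actually does to the nibble mapping. One assumption the page does not state: the boot ROM indexes its decode table as $02D6 + nibble (so nibble $96 lives at $036C and $FF at $03D5); everything else comes from the disassembly above and the DOS 3.3 disk-byte rule.

```python
"""Replay the $08B3 decode-table patch against a rebuilt 6-and-2 table."""

BOOT_ROM_TABLE_BASE = 0x02D6  # assumed: ROM looks up $02D6 + nibble

# The four STAs from $08B3-$08C4 in the boot sector disassembly.
FSH_PATCHES = {0x036C: 0x3F, 0x03CC: 0x1C, 0x03D5: 0x00, 0x03A3: 0x37}


def valid_nibble(b):
    """DOS 3.3 6-and-2 disk byte rule: high bit set, at most one pair of
    adjacent zeros (which also forbids '000'), and at least one pair of
    adjacent ones not counting the high bit. Exactly 64 bytes qualify."""
    if not b & 0x80:
        return False
    bits = format(b, "08b")
    zero_pairs = sum(bits[i:i + 2] == "00" for i in range(7))
    one_pair = any(bits[i:i + 2] == "11" for i in range(1, 7))
    return zero_pairs <= 1 and one_pair


# Write table: 6-bit value -> disk nibble ($96 .. $FF).
WRITE_TABLE = [b for b in range(0x80, 0x100) if valid_nibble(b)]


def build_decode_table():
    """Simulated memory holding the boot ROM's decode table: for each
    valid nibble, address BASE + nibble holds its 6-bit value."""
    return {BOOT_ROM_TABLE_BASE + nib: val for val, nib in enumerate(WRITE_TABLE)}


def decode_nibble(mem, nibble):
    """What the ROM read routine turns a disk nibble into (None = no entry)."""
    return mem.get(BOOT_ROM_TABLE_BASE + nibble)


def apply_patches(mem, patches):
    """Apply STA-style stores; return {nibble: (old, new)} for changed entries."""
    changed = {}
    for addr, new in patches.items():
        nibble = addr - BOOT_ROM_TABLE_BASE
        old = mem.get(addr)
        if old != new:
            changed[nibble] = (old, new)
        mem[addr] = new
    return changed


def is_pair_swap(changed):
    """True if each changed nibble simply trades its value with another
    changed nibble, i.e. the patch permutes the table rather than breaking it."""
    for nib, (old, new) in changed.items():
        partner = WRITE_TABLE[new]
        if changed.get(partner) != (new, old):
            return False
    return bool(changed)


if __name__ == "__main__":
    mem = build_decode_table()
    changed = apply_patches(mem, FSH_PATCHES)
    for nib, (old, new) in sorted(changed.items()):
        print(f"nibble ${nib:02X}: decoded as ${old:02X}, now ${new:02X}")
    print("pure swap of two nibble pairs:", is_pair_swap(changed))
```

Under the assumed table base, the four stores swap $96 with $FF and $CD with $F6: sectors written by this disk's RWTS with those nibbles exchanged decode correctly only through the patched table, and DOS 3.3's own RWTS decodes them to wrong bytes, which matches the sector editor reading nothing usable on track $00 past sector 0. T00,S00 itself has to stay in standard format, because the ROM reads it before $08B3 runs.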