-------------Little Riddles------------
A 4am crack                  2016-03-02
---------------------------------------

Name: Little Riddles
Version: 01.29.86
Genre: educational
Year: 1986
Publisher: Hartley Courseware
Media: two single-sided 5.25-inch disks
OS: Diversi-DOS (T02,S02 has the string
  "C1983 DSR" backwards)
Previous cracks: none
Identical cracks:
  #603 Reading for Meaning Level 1
  #575 Milt's Math Drills: Addition and
       Subtraction
  #451 Antonyms/Synonyms 1
  #420 Fact or Opinion
  #246 Kittens, Kids, and a Frog
       v01.11.85

Both disks are bootable. I'll start
with disk 1.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address and data epilogues
  ("DA AA EB" instead of "DE AA EB")

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DA AA EB"
    set Data Epilogue to "DA AA EB"
  all tracks readable
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
018 FREE

*A 005 HELLO
*A 013 CREDITS
*A 043 CREATE LESSON
*A 023 STU PLAN
*A 017 PWL
*A 043 SKILL1
*B 003 CLOWNF
*B 012 PICDRAW2
*B 009 LGCHRS
*B 008 SMALL CHARS
*B 003 GARBAG
*B 004 HR4
*B 002 IR
*T 031 STU.FILE
*T 002 LESSONS.FILE
 T 011 FILE1
 T 011 FILE2
 T 011 FILE3
 T 011 FILE4
 T 011 FILE5
 T 012 FILE6
 T 011 FILE7
 T 011 FILE8
 T 012 FILE9
 T 012 FILE10
*B 003 P101
*B 003 P102
*B 002 P103
*B 003 P104
*B 003 P105
*B 003 P106
*B 003 P107
*B 005 P108
*B 003 P109
*B 002 P110
*B 003 P111
*B 003 P112
*B 003 P113
*B 003 P114
*B 003 P115
*B 003 P116
*B 003 P117
*B 003 P118
*B 003 P119
*B 003 P120
*B 003 P121
*B 003 P122
*B 004 P123
*B 004 P124
*B 004 P125
*B 004 P126
*B 003 P127
*B 002 P128
*B 004 P129
*B 002 P130
*B 004 P131
*B 003 P132
*B 004 P133
*B 002 P134
*B 003 P135
*B 003 P136
*B 003 P137
*B 003 P138
*B 003 P139
*B 004 P140
*B 003 P141
*B 003 P142
*B 003 P143
*B 003 P144
*B 003 P145
*B 004 P146
*B 003 P147
*B 003 P148
*B 003 C1
*B 003 C2
*B 003 C3

]RUN HELLO
...works...

The reason I always do this is to see
whether there are any runtime checks
for subtle differences in the original
DOS. If the program runs after booting
from a third-party disk, I can
eliminate a whole range of possible
secondary protections.

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My copy can't read itself yet. This is
not unusual.

                   ~

               Chapter 2
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
 I Wrote For Just Such An Occasion And
Updated Very Recently To Make This Look
                 Easy

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; fix non-standard epilogue bytes
T00,S03,$91 change DA to DE
T00,S03,$35 change DA to DE
T00,S02,$9E change DA to DE

; ignore disk volume numbers (original
; disk had a non-standard disk volume)
T00,S08,$12 change B148 to A900

]PR#6
...works...

Disk 2 has identical protection.

Quod erat liberandum.

                   ~

              Usage Notes

When you're asked to enter your name,
you can type "MENU" to access the
management console.
The console allows you to rename
lessons, add and remove students, and
print student progress reports. There
is no password.

Student information is stored in the
"STU.FILE" text file. I confirmed that
there is no personally identifiable
information lingering in this file. It
is so large because it has placeholders
for future student records.

---------------------------------------
A 4am crack                     No. 629
------------------EOF------------------
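
Added example (not part of the original write-up): a Python sketch of the check Chapter 0 does by eye in the Copy ][+ nibble editor. It walks a raw nibble stream, decodes each DOS 3.3 address field, and reports the epilogue that follows every address and data field. The sample track, the volume number 254 and all function names are constructed for illustration.

```python
ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0x96])      # DOS 3.3 address field marker
DATA_PROLOGUE = bytes([0xD5, 0xAA, 0xAD])      # DOS 3.3 data field marker
STANDARD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])  # this disk uses DA AA EB instead
DATA_LEN = 343  # 342 six-and-two nibbles plus one checksum nibble

def enc44(v):
    """4-and-4 encode one byte as two nibbles (odd bits first, then even)."""
    return bytes([(v >> 1) | 0xAA, v | 0xAA])

def dec44(a, b):
    """Inverse of enc44."""
    return ((a << 1) | 1) & b & 0xFF

def scan(nibbles):
    """Return a list of (kind, track, sector, epilogue_hex, is_standard)."""
    found, i, trk, sec = [], 0, None, None
    while i + 3 <= len(nibbles):
        head = nibbles[i:i + 3]
        if head == ADDR_PROLOGUE and i + 14 <= len(nibbles):
            f = nibbles[i + 3:i + 11]   # volume, track, sector, checksum
            vol, t, s, chk = (dec44(f[k], f[k + 1]) for k in (0, 2, 4, 6))
            if chk == vol ^ t ^ s:      # header checksum is valid
                trk, sec, epi = t, s, nibbles[i + 11:i + 14]
                found.append(("addr", trk, sec, epi.hex(), epi == STANDARD_EPILOGUE))
                i += 14
                continue
        elif head == DATA_PROLOGUE and i + 6 + DATA_LEN <= len(nibbles):
            end = i + 3 + DATA_LEN      # data fields have a fixed length
            epi = nibbles[end:end + 3]
            found.append(("data", trk, sec, epi.hex(), epi == STANDARD_EPILOGUE))
            i = end + 3
            continue
        i += 1
    return found

def nonstandard_fields(nibbles):
    """Only the fields a stock reader would reject on the epilogue check."""
    return [f for f in scan(nibbles) if not f[4]]

def build_sector(vol, trk, sec, epilogue):
    """Constructed sample: one sector as it appears in the nibble stream."""
    addr = b"".join(enc44(v) for v in (vol, trk, sec, vol ^ trk ^ sec))
    sync = b"\xff" * 6
    return (sync + ADDR_PROLOGUE + addr + epilogue +
            sync + DATA_PROLOGUE + b"\x96" * DATA_LEN + epilogue)

if __name__ == "__main__":
    modified = bytes([0xDA, 0xAA, 0xEB])   # epilogue reported in Chapter 0
    track = (build_sector(254, 0x11, 0, modified) +
             build_sector(254, 0x11, 1, STANDARD_EPILOGUE))
    for row in scan(track):
        print(row)
```
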