--------------Logic Tools--------------
A 4am crack
2015-01-09
---------------------------------------

Name: Logic Tools
Version: "prototype"
Genre: educational
Year: 1982
Publisher: The Learning Company
Authors: Warren Robinett, Leslie Grimm, Teri Perl, Ann Piestrup
Media: single-sided 5.25-inch floppy
Other versions: none (preserved here for the first time)

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy hangs on boot

Copy ][+ nibble editor
  all tracks use standard prologues
    (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
    (address: FF FF FF, data: FF FF FF)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "FF FF FF"
  set Data Epilogue to "FF FF FF"
  Success! All tracks readable!
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format with
     Advanced Demuffin
  3. find nibble check and bypass it

~

Chapter 1
In Which We Attempt To Use The Original Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
/!\ BOOT0 JUMPS TO ($BBFE)
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
191 FREE

 A 014 HELLO
*B 002 MUSICRESETMOVE
 A 007 MENU
*B 051 RAMLOADER
 B 042 ADV #105 WITHOUT TX
 B 040 NEW HOOK AND ARROW WORLD
 B 004 MAP&TURNGAME.O
 B 003 NSF TURNLOAD.O
 B 009 PUZZLES19A.O
 B 008 PUZZLES20B.O
 B 004 PUZZLES20D.O
 B 009 PUZZLES18C.O
 B 007 PUZZLEDATA
 B 003 NSF PUZZLELOAD.O
 B 040 PUZZLE WORLD @ $6000
 B 040 GATE WORLD
 B 010 GATES WALK.O
 B 007 GATES SIM.O
 B 003 NSF GATELOAD.O
 B 002 CLEAR AND REBOOT.O

]RUN HELLO

Success! Program loads and runs!

[S6,D1=demuffin'd copy]

]PR#6
...still hangs on boot...

]PR#5
...
]BLOAD BOOT0,A$800
]CALL -151

*801L
.
.
.
084A-   6C FE BB    JMP   ($BBFE)

*BLOAD BOOT1,A$2600
*FE89G FE93G        ; disconnect DOS
*B600<2600.2FFFM    ; move RWTS into place
*BBFE.BBFF

BBFE- 00 BB

*BB00L

; RUN flag
BB00-   A9 00       LDA   #$00
BB02-   85 D6       STA   $D6

; check if disk is write-protected
BB04-   BD 8D C0    LDA   $C08D,X
BB07-   BD 8E C0    LDA   $C08E,X

; continue if write-protected
BB0A-   30 03       BMI   $BB0F

; loop forever if not write-protected
BB0C-   4C 0A BB    JMP   $BB0A

; check low-level reset vector
BB0F-   AD FD FF    LDA   $FFFD
BB12-   C9 FA       CMP   #$FA

; loop forever if it's been modified
BB14-   D0 FE       BNE   $BB14

; try forever to find a non-standard
; nibble sequence on track 0
BB16-   BD 8C C0    LDA   $C08C,X
BB19-   A9 00       LDA   #$00
BB1B-   8D 00 02    STA   $0200
BB1E-   BD 8C C0    LDA   $C08C,X
BB21-   10 FB       BPL   $BB1E
BB23-   C9 EB       CMP   #$EB
BB25-   D0 F7       BNE   $BB1E
BB27-   BD 8C C0    LDA   $C08C,X
BB2A-   10 FB       BPL   $BB27
BB2C-   C9 D5       CMP   #$D5
BB2E-   D0 EE       BNE   $BB1E
BB30-   BD 8C C0    LDA   $C08C,X
BB33-   10 FB       BPL   $BB30
BB35-   C9 AA       CMP   #$AA
BB37-   D0 E5       BNE   $BB1E

; wipe most of main memory
BB39-   A9 4C       LDA   #$4C
BB3B-   A0 00       LDY   #$00
BB3D-   99 00 95    STA   $9500,Y
BB40-   88          DEY
BB41-   D0 FA       BNE   $BB3D
BB43-   CE 3F BB    DEC   $BB3F
BB46-   AD 3F BB    LDA   $BB3F
BB49-   C9 07       CMP   #$07
BB4B-   D0 EC       BNE   $BB39

; continue to boot1
BB4D-   4C 00 B7    JMP   $B700

Why didn't my EDD copy work?
  it wasn't write-protected

Does it boot if I write-protect it?
  yes

Could I release this as a .nib file and
just tell everyone to mount it as a
write-protected disk image in their
favorite emulator?
  yes

Am I going to do that?
  no

~

Chapter 2
In Which We Remove All Traces Of Copy Protection
Using An Automated Tool That Was Written For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
...
]BRUN PDP

; fix epilogue byte checking in RWTS
T00,S03,$91 change FF to DE
T00,S03,$9B change FF to AA
T00,S03,$35 change FF to DE
T00,S03,$3F change FF to AA
T00,S02,$9E change FF to DE
T00,S02,$A3 change FF to AA
T00,S02,$A8 change FF to EB

; bypass nibble check after boot0
T00,S00,$4B change FEBB to FD08

; fix nibble table (ooh, I didn't see
; this in my investigation -- hooray
; for automation)
T00,S04,$29 change AA to 96

Quod erat liberandum.

---------------------------------------
A 4am crack No. 183
------------------EOF------------------
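As an added illustration (Python, not part of the 4am write-up), the two findings above in code: a scanner that locates address fields by the standard D5 AA 96 prologue and reports whether the three trailing bytes are the DOS 3.3 DE AA EB epilogue or the FF FF FF this disk uses (the setting Disk Fixer had to be told), plus an emulation of the boot0 loop at $BB16-$BB37 over an in-memory nibble stream. The 4-and-4 address-field encoding is standard DOS 3.3; the sample stream is constructed here, and the emulation returns False where the real code would spin forever.

```python
ADDRESS_PROLOGUE = bytes([0xD5, 0xAA, 0x96])   # standard, as on this disk
STANDARD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])  # DOS 3.3; this disk used FF FF FF

def encode_44(value):
    """4-and-4 encode one byte: odd bits, then even bits, high bits set."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])

def decode_44(odd, even):
    """Undo encode_44 (the same formula DOS 3.3 RWTS uses)."""
    return ((odd << 1) | 1) & even

def address_field(volume, track, sector, epilogue):
    """Prologue, 4-and-4 volume/track/sector/checksum, then the epilogue."""
    return (ADDRESS_PROLOGUE + encode_44(volume) + encode_44(track)
            + encode_44(sector) + encode_44(volume ^ track ^ sector) + epilogue)

# Constructed sample for this added example: sync, modified sector, sync, standard
SAMPLE = (bytes([0xFF] * 5) + address_field(254, 0, 0, bytes([0xFF] * 3))
          + bytes([0xFF] * 5) + address_field(254, 0, 1, STANDARD_EPILOGUE))

def scan_address_fields(stream):
    """Report track/sector and epilogue bytes of every address field found."""
    found = []
    i = stream.find(ADDRESS_PROLOGUE)
    while i != -1 and i + 14 <= len(stream):   # need 8 + 3 bytes after prologue
        f = stream[i + 3:i + 14]
        vol, trk = decode_44(f[0], f[1]), decode_44(f[2], f[3])
        sec, chk = decode_44(f[4], f[5]), decode_44(f[6], f[7])
        found.append({"track": trk, "sector": sec,
                      "checksum_ok": chk == (vol ^ trk ^ sec),
                      "epilogue": f[8:11].hex().upper(),
                      "standard_epilogue": f[8:11] == STANDARD_EPILOGUE})
        i = stream.find(ADDRESS_PROLOGUE, i + 3)
    return found

def boot0_nibble_check(stream):
    """Emulate $BB16-$BB37: each read consumes one nibble, so only EB, D5, AA in
    three consecutive reads passes (returns False where the real code spins)."""
    i = 0
    while i < len(stream):
        if stream[i] != 0xEB:                              # BB1E-BB25
            i += 1
            continue
        if i + 1 >= len(stream) or stream[i + 1] != 0xD5:  # BB27-BB2E
            i += 2                                         # mismatch consumed
            continue
        if i + 2 >= len(stream) or stream[i + 2] != 0xAA:  # BB30-BB37
            i += 3
            continue
        return True
    return False
```

Note that because a mismatching nibble is consumed, the loop as disassembled misses a sequence such as EB EB D5 AA; the second EB is swallowed by the D5 compare.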