--------Montana Reading Program--------
A 4am crack                  2015-12-12
---------------------------------------

Name: The Montana Reading Program:
  Learning Sight Words
Genre: educational
Year: 1984
Credits:
  Developed by: Professional Software
    Services
  Programmed by: Dick Dramstad, Tom
    O'Sullivan, and Kirk Wennerstrom
  Illustrations by: Dee and Jerry
    Williams
  "Developed under a grant from the
  Foundation for the Advancement of
  Computer-aided Education."
Publisher: Program Design, Inc.
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none

This disk was so dirty when I got it,
I had to clean it (and my disk drive)
11 times before it would even boot. I
don't often write about this part, but
newly acquired floppies rarely boot on
the first try. If you're holding on to
any rare or unique floppies, the best
time to digitize them was 20 years ago.
The second best time is today.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  reads every track except $03; copy
  hangs on boot

EDD 4 bit copy (no sync, no count)
  no errors, but copy boots DOS and
  exits to prompt

Oddly, DOS commands still work at this
point, but the files are gibberish.

]CATALOG

DISK VOLUME 254

*T 009 HTWORDS1
*T 012 HTWORDS2
*T 010 HTWORDS3
*T 011 HTWORDS4
*T 010 HTWORDS5
*T 009 HTSET1A
*T 012 HTSET2A
*T 010 HTSET3A
*T 011 HTSET4A
*T 010 HTSET5A
*T 009 HTSET1B
*T 012 HTSET2B
*T 010 HTSET3B
*T 011 HTSET4B
*T 010 HTSET5B
*A 007 HELLO
*B 002 LOMEM:
*A 004 PROG.S
*B 026 DK.GEN
*B 002 PICMOVE
*B 033 INTRO
*B 012 P3.K
*B 016 P1.K
*B 011 P2.K
 A 034 PROG.G

]LOAD HELLO
...hangs...
<Ctrl-Reset>

]LIST

 A 034 PROG.G

]LOAD HELLO
]LIST

 20746  SQR eghk HCOLOR=  HGR2 o
     vf CHR$  ONERR kth}e
lPs9yw LEN O  A OUT OF MEMORY C THEN
      ROT= TIKXB#42*E&$%,#UNW CLEAR
      SAVE "%.$&rv LOMEM:  STRING TOO L
ONG 4)+8"CTRJ%N@&NKA.7 IN# 4 NOTRACE
     2C8} ILLEGAL QUANTITY  RND
                                d
      TYPE MISMATCH  SPC(
|  ERROR  *  CAN'T CONTINUE  PEEK
      LEFT$  STRING TOO LONG  SYNTAX
      TRACE  OVERFLOW = BAD SUBSCRIPT
      RIGHT$    TYPE MISMATCH  VAL
      INVERSE  TRACE  ASC ' RIGHT$
      REDIM'D ARRAY  UNDEF'D STATEMENT
      RETURN WITHOUT GOSUB  h  TEXT
      ILLEGAL QUANTITY . ASC   ERROR
      VAL  TYPE MISMATCH  GOSUB  SCRN(
       COS  AT  EXP  DIVISION BY ZERO

...and so on...

I viewed some of the text files in Copy
II Plus, and they seem OK. Also, the
binary files load without hanging, and
they appear to be relatively normal.
But all of the BASIC files are garbage.

Copy ][+ nibble editor
  T03 appears to be almost entirely
  sync bytes (all $FF, no data, no
  sectors per se, no structure at all)

Disk Fixer
  T00,S00 -> DOS 3.3 bootloader
  T01,S09 -> startup program is blank?!
  T11 -> DOS 3.3-style disk catalog
  can't read T03 under any combination
    of parameters

Why didn't COPYA work?
  T03 is unreadable because it does not
  have a standard sector structure

Why didn't Locksmith FDB work?
  probably a nibble check during boot,
  looking for some nibble sequence on
  track $03 that wasn't copied

Why didn't my EDD copy work?
  I have no idea.

Next steps:

  1. Capture bootloader with AUTOTRACE
  2. Find nibble check and disable it
  3. Figure out what's up with the
     garbled BASIC programs

                   ~

               Chapter 1
   In Which We Get Nothing For Free,
  And Our Adventure Begins In Earnest


[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BLOAD BOOT1,A$2600
]CALL -151

; move RWTS into place, except the one
; page at $BF00 that Diversi-DOS 64K
; uses
*B600<2600.2EFFM
*B700L
.
. [nothing suspicious, until...]
.
B730-   A9 00       LDA   #$00
B732-   9D F8 04    STA   $04F8,X
B735-   9D 78 04    STA   $0478,X
B738-   20 03 BB    JSR   $BB03   <-- !
B73B-   A2 FF       LDX   #$FF
B73D-   9A          TXS
B73E-   8E EB B7    STX   $B7EB
B741-   4C C8 BF    JMP   $BFC8
B744-   20 89 FE    JSR   $FE89

; cold-start DOS
B747-   4C 84 9D    JMP   $9D84

Having a JSR at $B738 is not unusual,
but it is supposed to call $B793 to
execute the multi-sector read loop that
reads the rest of DOS into memory. And
there isn't usually any code at all in
$BB00..$BC55. (That range is used for
scratch space during RWTS operations.)

*BB03L

BB03-   4E 06 BB    LSR   $BB06

Uh oh. Self-modifying code. The 6502
processor has no instruction cache, so
one instruction can literally change
the next instruction in memory, and the
CPU will execute the new instruction.
Which is what's happening here.

This may take some patience.

                   ~

               Chapter 2
           In Which We Learn
      The True Meaning Of Patience


To capture this self-modifying code, I
need to reproduce the modifications
without running the modified code. I'll
start with a pristine copy (at $2B00),
copy it into place (at $BB00), then
reproduce the modifications and inspect
the results. Lather, rinse, repeat.

*2B00<BB00.BBFFM

2000-   A0 00       LDY   #$00
2002-   B9 00 2B    LDA   $2B00,Y
2005-   99 00 BB    STA   $BB00,Y
2008-   C8          INY
2009-   D0 F7       BNE   $2002
200B-   4E 06 BB    LSR   $BB06
200E-   60          RTS

*2000G
*BB06L

BB06-   38          SEC
BB07-   6E 0A BB    ROR   $BB0A

More self-modifying code.

*200E:38 6E 0A BB 60
*2000G
*BB0AL

BB0A-   A0 27       LDY   #$27
BB0C-   6E 0F BB    ROR   $BB0F

More.

*2012:6E 0F BB 60
*2000G
*BB0FL

BB0F-   6E 1B BB    ROR   $BB1B
BB12-   6E 15 BB    ROR   $BB15

I'm gonna cry.

*2015:6E 1B BB 6E 15 BB 60
*2000G
*BB15L

BB15-   6E 1E BB    ROR   $BB1E
BB18-   6E 25 BB    ROR   $BB25
BB1B-   B9 00 BB    LDA   $BB00,Y

Kill me now.

*201B:6E 1E BB 6E 25 BB 60
*2000G
*BB1EL

BB1E-   59 00 B8    EOR   $B800,Y
BB21-   99 00 BB    STA   $BB00,Y
BB24-   C8          INY
BB25-   D0 F4       BNE   $BB1B

More, now using the page at $B800 as an
encryption key.

*2021:A0 27 B9 00 BB 59 00 58 99 00 BB
      C8 D0 F4 60
*2000G
*BB27L

BB27-   A0 55       LDY   #$55
BB29-   B9 00 BC    LDA   $BC00,Y
BB2C-   59 00 B8    EOR   $B800,Y
BB2F-   99 00 BC    STA   $BC00,Y
BB32-   88          DEY
BB33-   10 F4       BPL   $BB29

And again, for $BC00.

*202F:A0 55 B9 00 BC 59 00 B8 99 00 BC
      88 10 F4 60
*2000G
*BB35L

Finally some real code.

; cover our tracks in memory (overwrite
; the call to $BB03)
BB35-   A9 A9       LDA   #$A9
BB37-   8D 8C 08    STA   $088C
BB3A-   A9 B7       LDA   #$B7
BB3C-   8D 8D 08    STA   $088D

; push an address to the stack
BB3F-   A9 B5       LDA   #$B5
BB41-   48          PHA
BB42-   A9 19       LDA   #$19
BB44-   48          PHA

; save some other values on the stack
BB45-   AD EC B7    LDA   $B7EC
BB48-   48          PHA
BB49-   AD F4 B7    LDA   $B7F4
BB4C-   48          PHA

; set up an RWTS seek to track $03
BB4D-   A9 03       LDA   #$03
BB4F-   8D EC B7    STA   $B7EC
BB52-   A9 00       LDA   #$00
BB54-   8D F4 B7    STA   $B7F4

; call RWTS
BB57-   A0 E8       LDY   #$E8
BB59-   A9 B7       LDA   #$B7
BB5B-   20 B5 B7    JSR   $B7B5

; turn on drive motor manually (always
; suspicious)
BB5E-   BD 89 C0    LDA   $C089,X

; restore some values from the stack
BB61-   68          PLA
BB62-   8D F4 B7    STA   $B7F4
BB65-   68          PLA
BB66-   8D EC B7    STA   $B7EC

; look for $D5
BB69-   BD 8C C0    LDA   $C08C,X
BB6C-   10 FB       BPL   $BB69
BB6E-   48          PHA
BB6F-   68          PLA
BB70-   C9 D5       CMP   #$D5
BB72-   D0 F5       BNE   $BB69

; modify data later in this routine (!)
; (might need to track this)
BB74-   A0 00       LDY   #$00
BB76-   8C C8 BB    STY   $BBC8

; look for some weird bitstream
; (hoping I don't need to care about
; the specifics)
BB79-   BD 8C C0    LDA   $C08C,X
BB7C-   10 FB       BPL   $BB79
BB7E-   C9 D5       CMP   #$D5
BB80-   F0 0F       BEQ   $BB91
BB82-   C9 F7       CMP   #$F7
BB84-   D0 01       BNE   $BB87
BB86-   C8          INY

; more data modification -- maybe it's
; just a counter?
BB87-   18          CLC
BB88-   6D C8 BB    ADC   $BBC8
BB8B-   8D C8 BB    STA   $BBC8
BB8E-   4C 79 BB    JMP   $BB79
BB91-   98          TYA
BB92-   F0 E0       BEQ   $BB74
BB94-   BD 8C C0    LDA   $C08C,X
BB97-   10 FB       BPL   $BB94
BB99-   48          PHA
BB9A-   68          PLA
BB9B-   C9 FF       CMP   #$FF
BB9D-   F0 F5       BEQ   $BB94
BB9F-   C9 D5       CMP   #$D5

; this is an error -- $BBCE is the
; failure path
BBA1-   F0 2B       BEQ   $BBCE
BBA3-   A0 05       LDY   #$05
BBA5-   BD 8C C0    LDA   $C08C,X
BBA8-   10 FB       BPL   $BBA5
BBAA-   48          PHA
BBAB-   68          PLA
BBAC-   88          DEY
BBAD-   D0 F6       BNE   $BBA5
BBAF-   BD 8C C0    LDA   $C08C,X
BBB2-   10 FB       BPL   $BBAF
BBB4-   48          PHA
BBB5-   68          PLA
BBB6-   C9 FF       CMP   #$FF
BBB8-   F0 F5       BEQ   $BBAF
BBBA-   C9 D5       CMP   #$D5
BBBC-   D0 10       BNE   $BBCE   ;fail
BBBE-   BD 8C C0    LDA   $C08C,X
BBC1-   10 FB       BPL   $BBBE
BBC3-   C9 FF       CMP   #$FF
BBC5-   D0 07       BNE   $BBCE   ;fail

; success path falls through to here
; (this $00 was modified repeatedly)
; and apparently needs to be $10
BBC7-   A9 00       LDA   #$00
BBC9-   38          SEC
BBCA-   E9 10       SBC   #$10

; success path continues at $BBD0
BBCC-   F0 02       BEQ   $BBD0

; failure path is here (called from
; several places) -- pop the mystery
; address off the stack and continue
BBCE-   68          PLA
BBCF-   68          PLA

; success path continues here -- leave
; mystery address on the stack and
; continue
BBD0-   4C 93 B7    JMP   $B793

If the nibble check succeeds, execution
continues at $B793, then jumps to $B51A
(based on the $B5/$19 pair that was
manually pushed to the stack at $BB3F).

If the nibble check fails, execution
continues at $B793 and returns (because
$B5/$19 was popped off the stack).

The routine at $B51A is the difference
between the original disk and my non-
working bit copy. The original ran it;
my EDD bit copy did not. (The copy I
made with Locksmith FDB just looped
forever looking for the right sequence
of sync bytes.)

I need to trace $B51A. But before I
trace it, I'll save my work to date.

*2B00<BB00.BCFFM
*C500G
...
]BSAVE DECRYPT BB00,A$2000,L$3E
]BSAVE BB00 DECRYPTED,A$2B00,L$100

Now let's see what's at $B51A.

                   ~

               Chapter 3
  In Which We Begin To Tire Of These
  Opportunities To Practice Patience


*9600<C600.C6FFM

; set up callback #1 after boot0
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; callback #1 is here --
; change the JSR at $B738 so it just
; calls the regular multi-sector read
; routine ($B793)
970A-   A9 93       LDA   #$93
970C-   8D 39 B7    STA   $B739
970F-   A9 B7       LDA   #$B7
9711-   8D 3A B7    STA   $B73A

; set up callback #2 after the multi-
; sector read routine returns
9714-   A9 4C       LDA   #$4C
9716-   8D 3B B7    STA   $B73B
9719-   A9 26       LDA   #$26
971B-   8D 3C B7    STA   $B73C
971E-   A9 97       LDA   #$97
9720-   8D 3D B7    STA   $B73D

; continue the boot with these patches
9723-   4C 00 B7    JMP   $B700

; callback #2 is here --
; DOS is now in memory, including the
; mystery routine at $B51A, so copy
; everything to lower memory so it will
; survive a reboot
9726-   A2 23       LDX   #$23
9728-   A0 00       LDY   #$00
972A-   B9 00 9D    LDA   $9D00,Y
972D-   99 00 1D    STA   $1D00,Y
9730-   C8          INY
9731-   D0 F7       BNE   $972A
9733-   EE 2C 97    INC   $972C
9736-   EE 2F 97    INC   $972F
9739-   CA          DEX
973A-   D0 EE       BNE   $972A

; reboot to my work disk
973C-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$13F
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2,A$1D00,L$2300
]CALL -151

; move DOS into place (except the one
; page at $BF00 that Diversi-DOS 64K
; uses)
*9D00<1D00.3EFFM

*B51AL

B51A-   4E 1D B5    LSR   $B51D
B51D-   71 6E       ADC   ($6E),Y
B51F-   21 B5       AND   ($B5,X)
B521-   40          RTI
B522-   3E 6E 26    ROL   $266E,X
B525-   B5 DD       LDA   $DD,X
B527-   32          ???

Oh no. More self-modifying code.

OK, here we go. First, a pristine copy
in lower memory.

*4500<B500.B5FFM

Now we start reproducing the code self-
modifications, line by line.

2000-   A0 00       LDY   #$00
2002-   B9 00 45    LDA   $4500,Y
2005-   99 00 B5    STA   $B500,Y
2008-   C8          INY
2009-   D0 F7       BNE   $2002
200B-   98          TYA
200C-   4E 1D B5    LSR   $B51D
200F-   60          RTS

*2000G
*B51DL

B51D-   38          SEC
B51E-   6E 21 B5    ROR   $B521

*200F:38 6E 21 B5 60
*2000G
*B521L

B521-   A0 3E       LDY   #$3E
B523-   6E 26 B5    ROR   $B526

*2013:A0 3E 6E 26 B5 60
*2000G
*B526L

B526-   6E 32 B5    ROR   $B532
B529-   6E 2C B5    ROR   $B52C

*2018:6E 32 B5 6E 2C B5 60
*2000G
*B52CL

B52C-   6E 35 B5    ROR   $B535
B52F-   6E 3C B5    ROR   $B53C
B532-   B9 00 B5    LDA   $B500,Y

*201E:6E 35 B5 6E 3C B5 B9 0 B5 60
*2000G
*B535L

B535-   59 00 B8    EOR   $B800,Y
B538-   99 00 B5    STA   $B500,Y
B53B-   C8          INY
B53C-   D0 F4       BNE   $B532

*2027:59 0 B8 99 0 B5 C8 D0 F4 60
*2000G
*B53EL

B53E-   A0 1A       LDY   #$1A
B540-   88          DEY
B541-   B9 00 B5    LDA   $B500,Y
B544-   59 00 B8    EOR   $B800,Y
B547-   99 00 B5    STA   $B500,Y
B54A-   88          DEY
B54B-   10 F4       BPL   $B541
B54D-   A0 00       LDY   #$00
B54F-   B9 00 B4    LDA   $B400,Y
B552-   59 00 B8    EOR   $B800,Y
B555-   99 00 B4    STA   $B400,Y
B558-   88          DEY
B559-   D0 F4       BNE   $B54F

*2030<B53E.B55AM
*204D:60
*2000G
*B55BL

Finally some real code.

; set reset vector
B55B-   A9 4B       LDA   #$4B
B55D-   8D F2 03    STA   $03F2
B560-   A9 B7       LDA   #$B7
B562-   8D F3 03    STA   $03F3
B565-   49 A5       EOR   #$A5
B567-   8D F4 03    STA   $03F4

; a loop to change various memory
; locations, based on a list of patches
; at $B400
B56A-   A9 00       LDA   #$00
B56C-   85 00       STA   $00
B56E-   A9 B4       LDA   #$B4
B570-   85 01       STA   $01
B572-   A0 00       LDY   #$00
B574-   F0 0B       BEQ   $B581
B576-   B1 00       LDA   ($00),Y
B578-   99 FF FF    STA   $FFFF,Y
B57B-   88          DEY
B57C-   D0 F8       BNE   $B576
B57E-   A4 02       LDY   $02
B580-   C8          INY
B581-   B1 00       LDA   ($00),Y
B583-   F0 1C       BEQ   $B5A1
B585-   85 02       STA   $02
B587-   C8          INY
B588-   B1 00       LDA   ($00),Y
B58A-   8D 79 B5    STA   $B579
B58D-   C8          INY
B58E-   B1 00       LDA   ($00),Y
B590-   8D 7A B5    STA   $B57A
B593-   98          TYA
B594-   18          CLC
B595-   A4 02       LDY   $02
B597-   65 00       ADC   $00
B599-   85 00       STA   $00
B59B-   90 D9       BCC   $B576
B59D-   E6 01       INC   $01
B59F-   D0 D5       BNE   $B576
B5A1-   60          RTS

Each patch is a variable-length record,
starting at $B400 (pointed to by ($00))
and continuing until the first byte of
the record is $00 (compared at $B583).
The general format of each record is

+0  [1 byte]    length of data, or $00
+1  [2 bytes]   starting address (-1)
+3  [variable]  data to write in memory

Once decrypted, the raw patch records
look like this:

*B400.B519

B400- 1E 74 AA C8 C5 CC CC CF
B408- A0 A0 A0 A0 A0 A0 A0 A0
B410- A0 A0 A0 A0 A0 A0 A0 A0
B418- A0 A0 A0 A0 A0 A0 A0 A0
B420- A0 01 26 A4 A1 21 4C A4
B428- A5 68 48 38 A5 AF E5 67
B430- A8 A5 B0 E5 68 AA E8 65
B438- 68 85 68 C6 68 20 BC A3
B440- CA D0 F8 68 85 68 6C 60
B448- 9D 12 BB A3 98 49 52 51
B450- 67 91 67 88 C0 FF D0 F4
B458- 60 A9 01 20 B1 A4 13 2F
B460- 9E A9 80 85 D6 30 0B AD
B468- 00 C0 C9 83 F0 F9 4C D2
B470- D7 EA A9 06 03 02 A5 4C
B478- 36 9E 30 49 B7 60 A0 20
B480- B9 59 B7 99 00 03 88 10
B488- F7 4C 00 03 A9 BF 85 01
B490- A0 00 84 00 91 00 C8 D0
B498- FB C6 01 A5 01 C9 08 B0
B4A0- F3 AD 81 C0 20 93 FE 20
B4A8- 89 FE 4C 00 E0 01 C1 B7
B4B0- 60 03 72 9E 4B B7 12 02
B4B8- 96 A3 18 60 00 8A A3 4C
B4C0- 82 A5 32 7E A5 4C 84 9D
B4C8- 20 71 A4 A5 68 48 A5 67
B4D0- 48 38 AE 61 AA AC 60 AA
B4D8- D0 01 CA 88 8A E8 6D 73
B4E0- AA 85 68 AD 72 AA 85 67
B4E8- C6 68 20 BC A3 CA D0 F8
B4F0- 68 85 67 68 85 68 60 02
B4F8- 51 A3 9A A3 02 5A A3 A6
B500- A3 15 96 A3 EA 18 60 8D
B508- 61 AA 8C 60 AA 20 E0 A3
B510- 4C 85 A5 20 FF A3 4C 85
B518- A5 00

                   ~

               Chapter 4
    In Which We Thoroughly Document
    These Patches, And All Remaining
         Mysteries Are Resolved


Location     | Description      | Value
-------------+------------------+------
$B400        | length of data   |  $1E
$B401/$B402  | starting address | $AA74
$B403..$B420 | data

The first patch sets the name of the
startup program, which is blank on disk
(T01,S09) but is now patched in memory
(at $AA75) as "HELLO".

The second record follows immediately;
there is no record separator.

Location     | Description      | Value
-------------+------------------+------
$B421        | length of data   |  $01
$B422/$B423  | starting address | $A424
$B424..$B424 | data             |  $A3

The second patch munges one branch
instruction in the middle of the LOAD
command handler at $A413 (c.f. "Beneath
Apple DOS" p. 8-12).

Location     | Description      | Value
-------------+------------------+------
$B425        | length of data   |  $21
$B426/$B427  | starting address | $A44D
$B428..$B448 | data

The $21 bytes from $B428..$B448 end up
at $A44E, and they look like this:

A44E-   A5 68       LDA   $68
A450-   48          PHA
A451-   38          SEC
A452-   A5 AF       LDA   $AF
A454-   E5 67       SBC   $67
A456-   A8          TAY
A457-   A5 B0       LDA   $B0
A459-   E5 68       SBC   $68
A45B-   AA          TAX
A45C-   E8          INX
A45D-   65 68       ADC   $68
A45F-   85 68       STA   $68
A461-   C6 68       DEC   $68
A463-   20 BC A3    JSR   $A3BC
A466-   CA          DEX
A467-   D0 F8       BNE   $A461
A469-   68          PLA
A46A-   85 68       STA   $68
A46C-   6C 60 9D    JMP   ($9D60)

This is changing the behavior of the
LOAD command for loading Applesoft
BASIC programs into memory. It extends
past $A450, which is normally the part
of DOS that handles loading Integer
BASIC programs. It also adds a call to
$A3BC, which is normally a test for
Integer BASIC, but which I'm guessing
is about to get overwritten in a later
patch.

Location     | Description      | Value
-------------+------------------+------
$B449        | length of data   |  $12
$B44A/$B44B  | starting address | $A3BB
$B44C..$B45D | data

The $12 bytes from $B44C..$B45D end up
at $A3BC, and they look like this:

A3BC-   98          TYA
A3BD-   49 AA       EOR   #$AA
A3BF-   51 67       EOR   ($67),Y
A3C1-   91 67       STA   ($67),Y
A3C3-   88          DEY
A3C4-   C0 FF       CPY   #$FF
A3C6-   D0 F4       BNE   $A3BC
A3C8-   60          RTS
A3C9-   A9 01       LDA   #$01
A3CB-   20 B1 A4    JSR   $A4B1

This is an on-the-fly decryption that
occurs as Applesoft BASIC programs are
loaded. ($67) points to the BASIC
program in memory. This explains why I
couldn't LOAD or LIST HELLO: it was
encrypted.

Location     | Description      | Value
-------------+------------------+------
$B45E        | length of data   |  $13
$B45F/$B460  | starting address | $9E2F
$B461..$B473 | data

The $12 bytes from $B461..$B473 end up
at $9E30 (part of the late-stage boot),
and they look like this:

9E30-   A9 80       LDA   #$80
9E32-   85 D6       STA   $D6
9E34-   30 0B       BMI   $9E41
9E36-   AD 00 C0    LDA   $C000
9E39-   C9 83       CMP   #$83
9E3B-   F0 F9       BEQ   $9E36
9E3D-   4C D2 D7    JMP   $D7D2
9E40-   EA          NOP
9E41-   A9 06       LDA   #$06

This part of late-stage boot usually
sets the reset vector to something
useful. Instead, this patch will set
the Applesoft RUN flag (zero page $D6),
which makes any command typed from the
BASIC prompt RUN the current program in
memory instead. The rest of the new
code (at $9E36) checks for <Ctrl-C> and
hangs until you press something else.
That part is skipped for now, but I'm
guessing it's called later.

Location     | Description      | Value
-------------+------------------+------
$B474        | length of data   |  $03
$B475/$B476  | starting address | $A502
$B477..$B479 | data

The 3 bytes at $B477 end up at $A503,
which is the tail end of the RUN entry
point. It's just a JMP to the code that
was just patched earlier:

A503-   4C 36 9E    JMP   $9E36

Thus, trying to <Ctrl-C> break to the
prompt during boot will hang until you
press something else. (Even if you did
manage to get to the prompt, the RUN
flag would ensure you couldn't do
anything useful. Defense in depth!)

Location     | Description      | Value
-------------+------------------+------
$B47A        | length of data   |  $30
$B47B/$B47C  | starting address | $B5FF
$B47D..$B4AC | data

The $30 bytes at $B47D end up at $B600.
The new code looks like this:

B600-   60          RTS
B601-   A0 20       LDY   #$20
B603-   B9 0F B6    LDA   $B60F,Y
B606-   99 00 03    STA   $0300,Y
B609-   88          DEY
B60A-   10 F7       BPL   $B603
B60C-   4C 00 03    JMP   $0300
B60F-   A9 BF       LDA   #$BF
B611-   85 01       STA   $01
B613-   A0 00       LDY   #$00
B615-   84 00       STY   $00
B617-   91 00       STA   ($00),Y
B619-   C8          INY
B61A-   D0 FB       BNE   $B617
B61C-   C6 01       DEC   $01
B61E-   A5 01       LDA   $01
B620-   C9 08       CMP   #$08
B622-   B0 F3       BCS   $B617
B624-   AD 81 C0    LDA   $C081
B627-   20 93 FE    JSR   $FE93
B62A-   20 89 FE    JSR   $FE89
B62D-   4C 00 E0    JMP   $E000

Looks like this is going to be The
Badlands routine that wipes main memory
and exits.

Location     | Description      | Value
-------------+------------------+------
$B4AD        | length of data   |  $01
$B4AE/$B4AF  | starting address | $B7C1
$B4B0        | data             |  $60

This puts an RTS instruction at $B7C2,
which would normally set up the RWTS
parameters for writing DOS after INIT.

Location     | Description      | Value
-------------+------------------+------
$B4B1        | length of data   |  $03
$B4B2/$B4B3  | starting address | $9E72
$B4B4..$B4B6 | data

This modifies DOS's image of the page 3
jump vectors so that <Ctrl-Reset> will
jump to $B601, a.k.a. The Badlands.

Location     | Description      | Value
-------------+------------------+------
$B4B7        | length of data   |  $02
$B4B8/$B4B9  | starting address | $A396
$B4BA..$B4BB | data             | 18 60

This patch neutralizes the SAVE handler
at $A397 so it does nothing but claims
to have succeeded.

That's it. The next byte is $00, so the
BEQ at $B583 branches and the patch
loop exits gracefully via RTS. (There
appear to be more patches to decrypt
binary files, but this disk does not
use them.)

The result is a really messed up DOS
that is maximally unfriendly to prying
eyes and maximally incompatible with
any other version of DOS. It decrypts
BASIC files on the fly, traps <Ctrl-
Reset>, traps <Ctrl-C>, sets the RUN
flag, and disables the SAVE command.

It does not, however, hinder copying
the disk itself. (So why did I bother
documenting it? Don't ask me; you're
the one who read this far.) The only
patch I need to bypass the protection
is at $BB03:

 1. push $B5/$19 to the stack
 3. jump to $B793

T00,S05,$03
old: "4E 06 BB 71 6E 0A BB 40 27"
new: "A9 B5 48 A9 19 48 4C 93 B7"

                 --v--

T00,S05
----------- DISASSEMBLY MODE ----------
0003:A9 B5          LDA   #$B5
0005:48             PHA
0006:A9 19          LDA   #$19
0008:48             PHA
0009:4C 93 B7       JMP   $B793

                 --^--

]PR#6
...works, and it is glorious...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 517
------------------EOF------------------