-------------Moptown Hotel------------- A 4am crack 2015-07-12 --------------------------------------- Name: Moptown Hotel Version: 1.3 Genre: educational Year: title screen says "1981" disk label says "1984" Author: Leslie Grimm Publisher: The Learning Company Media: single-sided 5.25-inch floppy OS: Pronto-DOS Other cracks: none Identical cracks: Moptown Hotel 1.2 (crack no. 196) and many others COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) no errors, but copy fills screen with garbage and reboots Copy ][+ nibble editor all tracks use standard prologues (address: D5 AA 96, data: D5 AA AD) but modified epilogues (address: FF FF FF, data: FF FF FF) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "FF FF FF" set Data Epilogue to "FF FF FF" Success! All tracks readable! T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S07 -> startup program is "HELLO" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) Why didn't my EDD copy work? probably a nibble check during boot Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. find nibble check and bypass it ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 /!\ BOOT0 JUMPS TO $08C0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS /!\ NIBBLE CHECK AT $BB00 ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- The disk's own RWTS gave no read errors on any track. This is the power and the genius of Advanced Demuffin. Every disk must be able to read itself. So, let it read itself, then capture the data and write it out in a standard format. ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 065 FREE A 011 HELLO A 033 CHANGE ME A 020 SECRET PAL A 036 MOPTOWN HOTEL B 006 WHOSE BIRTHDAY?.LPIC B 034 PIC.MAP B 034 PIC.HOTEL A 030 MOPTOWN MAP A 028 WHOSE BIRTHDAY? A 032 WHO'S NEXT DOOR? A 033 SPOT ME B 063 HOTELDATA B 051 RAMLOADER B 002 MUSICRESETMOVESHAPE B 004 MOPTOWN 1.1 ERROR SRT.O A 014 MENU ]RUN HELLO ...works... [S6,D1=demuffin'd copy] ]PR#6 ...fills screen with garbage, reboots endlessly... Let's go find that nibble check. ~ Chapter 2 In Which We Run Into An Old Friend ]PR#5 ]BLOAD BOOT0,A$800 ]CALL -151 *801L . . all normal until... . 084A- 4C C0 08 JMP $08C0 *8C0L 08C0- 8E E9 B7 STX $B7E9 08C3- 6C FD 08 JMP ($08FD) *BLOAD BOOT1,A$2600 *FE89G FE93G ; disconnect DOS *B600<2600.2FFFM ; move RWTS into place *B700L B700- 20 00 BB JSR $BB00 *BB00L BB00- A0 00 LDY #$00 BB02- B9 00 BB LDA $BB00,Y BB05- 99 00 02 STA $0200,Y BB08- 88 DEY BB09- D0 F7 BNE $2B02 BB0B- 60 RTS *20C