--------------Rapid Reader------------- A 4am crack 2014-06-06 --------------------------------------- "Rapid Reader" is a 1981 educational program by Robert W. Smith. COPYA fails miserably and immediately with a disk read error. EDD 4 bit copy gives errors on tracks $21 and $22, and the copy does not work. It boots with what sounds like a normal DOS (track 2, then 1, then 0), but then it just hangs with the drive motor running. Turning to my trusty Copy ][+ sector editor, I press "P" to get to the Sector Editor Patcher, and select "DOS 3.3 PATCHED". This option ignores checksum bytes and epilogue sequences. As long as the address and data prologue are standard ("D5 AA 96" and "D5 AA AD", respectively), this will allow me to read each sector. And lo and behold, it works! I can read the data from every sector on every track, except tracks $21 and $22. Track $11 appears to be a standard DOS 3.3 disk catalog. T01,S09 lists HELLO as the autorun program. Based on my limited experience cracking other disks, I would guess that this disk has - Standard prologue bytes before the address and data fields [otherwise Copy ][+ sector editor would give read errors, even with the "DOS 3.3 PATCHED" option] - Non-standard epilogue bytes after the address and data fields [otherwise COPYA would work] - Some secondary protection [otherwise the bit copy created with EDD 4 would work] Given the (relatively) weak structural protection, I used to turn to the DOS 3.3 master disk, patch the RWTS to ignore checksums and epilogue bytes (changing $B942 from "SEC" to "CLC"), and run COPYA. Then, one fine day, and completely by accident, I came across an original disk with a bad sector. I suppose this shouldn't surprise me. These floppies are decades old by now; it's amazing any of them work at all. The point is, I shouldn't be using tools that ignore potentially serious read errors. There are other tools, like Super Demuffin, that can convert a disk like this (with non-standard epilogue bytes) into a standard format. It requires figuring out what the actual epilogue bytes are, but it has the advantage of surfacing a read error if the original disk actually has a read error. So... no more COPYA+B942:18 patch. From now on, it's Super Demuffin or Advanced Demuffin to convert disks to a standard format. Based on my initial inspection with a sector editor, this disk loads DOS and runs a HELLO program. So it shouldn't be difficult to capture the RWTS and load it into Advanced Demuffin. [S6,D1=original disk] [S5,D1=my work disk] ]PR#5 ... CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS Well, that worked flawlessly. My work disk first runs AUTOTRACE0, which sets up a minimal boot trace to capture the first sector of track 0 and saves it to the file "BOOT0" (on my work disk, not the original disk). If the first sector looks reasonably normal, it runs AUTOTRACE1, which sets up a more involved boot trace to capture the rest of track 0 and save it to the file "BOOT1". If *that* looks reasonably normal, it saves the RWTS to a file, unimaginatively named "RWTS", which can be loaded with Advanced Demuffin to copy each track of the original disk to a duplicate with standard address/data prologue/epilogue sequences. Advanced Demuffin will only load RWTS files from a drive in slot 6, which is annoying since mine is in slot 5. Note to self: patch that someday. In the meantime, I'm swapping floppy disks like some kind of 20th century nerd. [S6,D1=my work disk] ]PR#6 ... ]BRUN ADVANCED DEMUFFIN 1.1 --> LOAD NEW RWTS MODULE At $B8, load "RWTS" from drive 1 [S6,D1=original disk] [S6,D2=blank disk] --> FORMAT TARGET DISK ...grind grind grind... --> CONVERT DISK This disk is 16 sectors, and the default options (copy the entire disk, all tracks, all sectors) don't need to be changed. --v-- ADVANCED DEMUFFIN 1.1 - COPYRIGHT 1983 WRITTEN BY THE STACK -CORRUPT COMPUTING =======PRESS ANY KEY TO CONTINUE======= TRK:.................................RR +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:.................................RR SC1:.................................RR SC2:.................................RR SC3:.................................RR SC4:.................................RR SC5:.................................RR SC6:.................................RR SC7:.................................R. SC8:.................................RR SC9:.................................RR SCA:.................................R. SCB:.................................RR SCC:.................................RR SCD:.................................RR SCE:.................................RR SCF:.................................RR ======================================= 16 SC $00,$00 TO $22,$0F BY 1.0 TO DRV2 --^-- Now to make the disk be able to read itself (remember, it still has the original RWTS on it)... Using Copy ][+, I can "copy DOS" from a freshly initialized DOS 3.3 disk onto the demuffin'd copy. This function of Copy ][+ just sector-copies tracks 0-2 from one disk to another, but it's easier than setting that up manually in some other copy program. Copy ][+ --> COPY --> DOS --> from slot 6, drive 2 --> to slot 6, drive 1 [S6,D1=demuffin'd copy] [S6,D2=newly formatted DOS 3.3 disk] ...read read read... ...write write write... ]PR#6 I have good news and bad news. The good news is that my copy can now read itself. The bad news is that it still fails in the same way that my initial bit copy failed: after loading DOS, it clears the screen and hangs with the drive motor running. However, since this now has a standard DOS 3.3 on it, I can break to a prompt with . (The original disk just rebooted when I tried to do that.) ]PR#6 ]CATALOG DISK VOLUME 254 A 962 HELLO *B 963 SVS A :01 SPEED T 005 WDS1 T 006 WDS4 T 005 WDS5 T 005 WDS2 T 005 WDS3 Well that's... odd. I'm pretty sure the HELLO program is not really 962 sectors (which is, you know, almost twice as many sectors as actually fit on a 5.25- inch floppy). I guess... try to LOAD it? What could possibly go wrong? ]LOAD HELLO ]LIST 10 A$ = "SPEED" 20 TEXT : HOME : NORMAL : PR# 0 : IN# 0: CALL 1002: PRINT "B LOADSVS": POKE 1144, PEEK (1 144) * 2: CALL 24816 30 PRINT "RUN"A$ I recognize CALL 1002 -- that's $03EA, the routine that reconnects DOS. 1144 is $0478, which (despite appearances) is not part of the text screen, but is used by DOS to remember the current track number. Then it BLOADs "SVS", a file I saw in the disk catalog, and calls 24816, which is $60F0. ]BLOAD SVS ]CALL -151 *60F0L ; get the slot number (x16) 60F0- AE E9 B7 LDX $B7E9 60F3- 86 08 STX $08 ; turn on the drive motor manually -- ; always suspicious 60F5- BD 89 C0 LDA $C089,X ; maybe parameters for an address or ; data prologue? 60F8- A9 D5 LDA #$D5 60FA- 85 00 STA $00 60FC- 85 02 STA $02 60FE- A9 AA LDA #$AA 6100- 85 01 STA $01 6102- A9 D4 LDA #$D4 6104- 85 03 STA $03 ; this subroutine saves the value of ; $0478 6106- 20 50 61 JSR $6150 6109- 85 0A STA $0A 610B- A0 41 LDY #$41 610D- C8 INY 610E- 98 TYA ; this subroutine moves the drive head ; to a specific track (by phase, which ; is track x 2, so this moves to track ; $21, one of the unreadable/uncopyable ; tracks I noticed earlier) 610F- 20 72 60 JSR $6072 ; interesting self-modifying code 6112- A9 10 LDA #$10 6114- AE 13 61 LDX $6113 6117- E8 INX 6118- E8 INX 6119- E8 INX 611A- E8 INX 611B- 8E 13 61 STX $6113 611E- A2 04 LDX #$04 ; this seems to be the meat of it 6120- 20 00 60 JSR $6000 *6000L 6000- 86 3E STX $3E 6002- 85 3A STA $3A 6004- A6 3E LDX $3E 6006- 86 40 STX $40 6008- A0 00 LDY #$00 600A- A5 3A LDA $3A 600C- 84 3C STY $3C 600E- 85 3D STA $3D 6010- A6 08 LDX $08 ; this subroutine reads a nibble 6012- 20 6C 60 JSR $606C ; compares to values stored earlier ; (at $60F8) 6015- C5 00 CMP $00 6017- D0 F9 BNE $6012 6019- 20 6C 60 JSR $606C 601C- C5 01 CMP $01 601E- D0 F5 BNE $6015 6020- 20 6C 60 JSR $606C 6023- C5 02 CMP $02 6025- D0 F5 BNE $601C 6027- BD 8C C0 LDA $C08C,X 602A- 10 FB BPL $6027 602C- 2A ROL 602D- 85 3F STA $3F 602F- BD 8C C0 LDA $C08C,X 6032- 10 FB BPL $602F 6034- 25 3F AND $3F 6036- 91 3C STA ($3C),Y 6038- C8 INY 6039- D0 EC BNE $6027 603B- 0E 00 C0 ASL $C000 603E- BD 8C C0 LDA $C08C,X 6041- 10 FB BPL $603E 6043- C5 03 CMP $03 6045- D0 BD BNE $6004 6047- E6 3D INC $3D 6049- C6 40 DEC $40 604B- D0 DA BNE $6027 604D- 20 6C 60 JSR $606C 6050- 85 02 STA $02 6052- 20 6C 60 JSR $606C 6055- 85 01 STA $01 6057- 20 6C 60 JSR $606C 605A- 85 00 STA $00 605C- 20 6C 60 JSR $606C 605F- 85 03 STA $03 6061- 20 6C 60 JSR $606C 6064- C5 00 CMP $00 ; final comparison failed, jump to The ; Badlands 6066- D0 01 BNE $6069 ; success path just returns gracefully 6068- 60 RTS ; The Badlands, from which there is no ; return (jumps to reset vector, set up ; to reboot) 6069- 6C F2 03 JMP ($03F2) ; subroutine to read a nibble 606C- BD 8C C0 LDA $C08C,X 606F- 10 FB BPL $606C 6071- 60 RTS This entire routine appears to be unnecessary. At best, it exits gracefully; at worst, it reboots. It was initially called from the HELLO program, which did nothing except load this file, call it, then run another file ("SPEED"). Let's see what happens if I just run that manually: ]RUN SPEED Mirabile dictu! The program loads and runs without complaint. ]RENAME HELLO,HELLO.OLD ]RENAME SPEED,HELLO (I also ran Copy ][+'s "Fix File Sizes" routine on the disk to fix the invalid sizes. The program still runs.) Quod erat liberandum. --------------------------------------- A 4am crack No. 66 ------------------EOF------------------