-----------Scuffy and Friends----------
A 4am crack                  2016-02-18
---------------------------------------

Name: Scuffy and Friends
Version: 07.05.89
Genre: educational
Year: 1989
Publisher: Hartley Courseware
Media: two single-sided 5.25-inch disks
OS: Diversi-DOS (T02,S02 has the string
  "C1983 DSR" backwards)
Previous cracks: none
Identical cracks:
  #575 Milt's Math Drills: Addition and
       Subtraction
  #451 Antonyms/Synonyms 1
  #420 Fact or Opinion
  #246 Kittens, Kids, and a Frog
       v01.11.85

Both disks are bootable. I'll start
with disk 1.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address and data epilogues
    ("DA AA EB" instead of "DE AA EB")

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DA AA EB"
    set Data Epilogue to "DA AA EB"
  all tracks readable
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
    (just structural changes to
    epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
     In Which We Attempt To Use The
       Original Disk As A Weapon
             Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
070 FREE

*A 003 HELLO
*A 018 PWL
*A 026 STU PLAN
*A 039 SKILL1
*A 045 CREATE LESSON
*A 010 CREDITS
*B 017 I/O
*B 003 SCUFFY
*B 011 PICDRAW
*B 008 SMCHR.ASC
*B 009 SC5
 T 031 STU.FILE
 T 002 LESSONS
 T 006 FILE1
 T 006 FILE2
 T 007 FILE3
 T 007 FILE4
 T 008 FILE5
 T 009 FILE6
 T 010 FILE7
 T 008 FILE8
 T 008 FILE9
*B 007 P1
*B 008 P2
*B 007 P3
*B 007 P4
*B 006 P5
*B 004 P6
*B 005 P7
*B 006 P8
*B 006 P9
*B 004 P101
*B 003 P102
*B 005 P103
*B 004 P104
*B 005 P105
*B 005 P106
*B 004 P107
*B 004 P108
*B 004 P109
*B 004 P110
*B 005 P111
*B 004 P112
*B 004 P113
*B 003 P114
*B 003 P115
*B 003 P116
*B 004 P117
*B 003 P118
*B 003 P119
*B 003 P120
*B 002 BARK

]RUN HELLO
...works...

The reason I always do this is to see
whether there are any runtime checks
for subtle differences in the original
DOS. If the program runs after booting
from a third-party disk, I can
eliminate a whole range of possible
secondary protections.

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My copy can't read itself yet. This is
not unusual.

                   ~

               Chapter 2
    In Which We Remove All Traces Of
 Copy Protection Using An Automated Tool
 That I Wrote For Just Such An Occasion
     And Updated Very Recently To
          Make This Look Easy

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; fix non-standard epilogue bytes
T00,S03,$91 change DA to DE
T00,S03,$35 change DA to DE
T00,S02,$9E change DA to DE

; ignore disk volume numbers (original
; disk had a non-standard disk volume)
T00,S08,$12 change B148 to A900

]PR#6
...works...

Disk 2 has identical protection.

Quod erat liberandum.

                   ~

              Usage Notes

When you're asked to enter your name,
you can type "MENU" to access the
management console. The console allows
you to rename lessons, add and remove
students, and print student progress
reports. There is no password.

Student information is stored in the
"STU.FILE" text file. I confirmed that
there is no personally identifiable
information lingering in this file. It
is so large because it has placeholders
for future student records.

---------------------------------------
A 4am crack                     No. 602
------------------EOF------------------
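
The epilogue difference that Chapter 0 gives as the reason COPYA and Locksmith Fast Disk Backup failed, as an added example that is not part of the original write-up: a Python scanner that walks a DOS 3.3-style nibble stream and lists sectors whose address or data epilogue is not the standard "DE AA EB". The sample stream, the volume number 254 and all function names are constructed for illustration.

```python
# Added example. All data below is constructed; nothing is read from a disk.
ADDR_PROLOGUE = bytes.fromhex("D5AA96")   # DOS 3.3 address field marker
DATA_PROLOGUE = bytes.fromhex("D5AAAD")   # DOS 3.3 data field marker
STD_EPILOGUE = bytes.fromhex("DEAAEB")    # standard epilogue for both fields

def enc44(v):
    """4-and-4 encode one byte as two disk nibbles (odd bits first)."""
    return bytes([(v >> 1) | 0xAA, v | 0xAA])

def dec44(hi, lo):
    """Inverse of enc44."""
    return ((hi << 1) | 1) & lo

def build_sector(vol, trk, sec, epilogue):
    """Construct one sector's nibbles; the 343-nibble payload is filler."""
    addr = b"".join(enc44(x) for x in (vol, trk, sec, vol ^ trk ^ sec))
    sync = b"\xFF" * 6
    return (sync + ADDR_PROLOGUE + addr + epilogue +
            sync + DATA_PROLOGUE + b"\x96" * 343 + epilogue)

def scan(stream):
    """Return (track, sector, addr_epilogue, data_epilogue) per sector."""
    found, i = [], 0
    while (i := stream.find(ADDR_PROLOGUE, i)) != -1:
        f = stream[i + 3:i + 11]
        if len(f) < 8:
            break                          # truncated address field
        vol, trk, sec, chk = (dec44(f[n], f[n + 1]) for n in (0, 2, 4, 6))
        d = stream.find(DATA_PROLOGUE, i + 14)
        data_epi = stream[d + 346:d + 349] if d != -1 else b""
        if chk == vol ^ trk ^ sec:         # skip false prologue matches
            found.append((trk, sec, stream[i + 11:i + 14], data_epi))
        i += 3
    return found

def report(stream):
    """List sectors whose epilogues differ from the standard DE AA EB."""
    return [(t, s, a.hex(" ").upper(), d.hex(" ").upper())
            for t, s, a, d in scan(stream)
            if a != STD_EPILOGUE or d != STD_EPILOGUE]

# Constructed sample: track $11 sector 0 with the epilogue this page
# reports, sector 1 with the standard one. Volume 254 is an assumption.
SAMPLE = (build_sector(254, 0x11, 0, bytes.fromhex("DAAAEB")) +
          build_sector(254, 0x11, 1, STD_EPILOGUE))

if __name__ == "__main__":
    for trk, sec, addr, data in report(SAMPLE):
        print(f"T{trk:02X},S{sec:02X} address={addr} data={data}")
```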