-----------Alphabetical Order----------
A 4am crack
2016-01-26
---------------------------------------

Name: Alphabetical Order
Genre: educational
Year: 1984
Author: KARD Software
Publisher: Intellectual Software, Inc.
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none
Similar cracks: #281 Flash Spell Helicopter

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified prologues and epilogues
    address: "CD ** BC" / "BA FA **"
      (second prologue byte and third
      epilogue byte vary, even between
      different sectors on one track)
    data:    "DE F7 E5" / "EC BD"

Disk Fixer
  ["O" -> "Input/Output Control"]
  set CHECKSUM ENABLED to "NO"
  T00,S00 readable
  rest of track $00 unreadable
  virtually impossible to read any
  tracks beyond T00, due to varying
  address prologue on every sector(!)

Why didn't COPYA work?
  modified prologues & epilogues

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

~

Chapter 1
In Which We Dive Head First Into
Unfriendly Territory

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]CALL -151

*800<2800.28FFM

*801L

; non-standard from the get go

0801-   20 B3 08    JSR   $08B3

*8B3L

; change nibble table used by the disk
; controller ROM routine (this explains
; why I couldn't read the rest of track
; $00 with a sector editor)

08B3-   A9 3F       LDA   #$3F
08B5-   8D 6C 03    STA   $036C
08B8-   A9 1C       LDA   #$1C
08BA-   8D CC 03    STA   $03CC
08BD-   A9 00       LDA   #$00
08BF-   8D D5 03    STA   $03D5
08C2-   A9 37       LDA   #$37
08C4-   8D A3 03    STA   $03A3

; regular code from $0801

08C7-   A5 27       LDA   $27
08C9-   C9 09       CMP   #$09
08CB-   60          RTS

Continuing from $0804...

*804L

; standard DOS 3.3 bootloader

0804-   D0 19       BNE   $081F
0806-   EA          NOP
0807-   A5 2B       LDA   $2B
0809-   4A          LSR
080A-   4A          LSR
080B-   4A          LSR
080C-   4A          LSR
080D-   09 C0       ORA   #$C0
080F-   85 3F       STA   $3F
0811-   A9 5C       LDA   #$5C
0813-   85 3E       STA   $3E
0815-   18          CLC
0816-   AD FE 08    LDA   $08FE
0819-   6D FF 08    ADC   $08FF
081C-   8D FE 08    STA   $08FE
081F-   AE FF 08    LDX   $08FF
0822-   F0 15       BEQ   $0839
0824-   8A          TXA

; well, mostly standard

0825-   EA          NOP
0826-   EA          NOP
0827-   85 3D       STA   $3D
0829-   CE FF 08    DEC   $08FF
082C-   AD FE 08    LDA   $08FE
082F-   85 27       STA   $27
0831-   CE FE 08    DEC   $08FE
0834-   A6 2B       LDX   $2B
0836-   6C 3E 00    JMP   ($003E)

; execution continues here after sector
; read loop exits (from $0822)

0839-   EE FE 08    INC   $08FE
083C-   EE FE 08    INC   $08FE
083F-   20 89 FE    JSR   $FE89
0842-   20 93 FE    JSR   $FE93
0845-   20 2F FB    JSR   $FB2F

; copy this sector (which we didn't
; re-read) to higher memory

0848-   A2 FF       LDX   #$FF
084A-   BD 00 08    LDA   $0800,X
084D-   9D 00 B6    STA   $B600,X
0850-   CA          DEX
0851-   E0 FF       CPX   #$FF
0853-   D0 F5       BNE   $084A

; hmm

0855-   20 CC 08    JSR   $08CC

*8CCL

; trash all of main memory except the
; part we just loaded from disk

08CC-   A9 00       LDA   #$00
08CE-   85 00       STA   $00
08D0-   A9 B5       LDA   #$B5
08D2-   85 01       STA   $01
08D4-   A0 FF       LDY   #$FF
08D6-   C8          INY
08D7-   B9 00 F0    LDA   $F000,Y
08DA-   91 00       STA   ($00),Y
08DC-   C0 FF       CPY   #$FF
08DE-   D0 F6       BNE   $08D6
08E0-   C6 01       DEC   $01
08E2-   A9 08       LDA   #$08
08E4-   C5 01       CMP   $01
08E6-   D0 EC       BNE   $08D4
08E8-   60          RTS

Continuing from $0858...

*858L

0858-   A6 2B       LDX   $2B
085A-   4C 00 BB    JMP   $BB00

OK, that's where I need to interrupt the
boot. But first I'll need to neuter the
subroutine at $08CC that trashes all of
main memory.

*9600

At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]
[press "C" to convert disk]

--> CHANGE DEFAULT VALUES? Y

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======================================
INPUT ALL VALUES IN HEX
SECTORS PER TRACK? (13/16) 16
START TRACK: $01 <-- change this
START SECTOR: $00
END TRACK: $22
END SECTOR: $0F
INCREMENT: 1
MAX # OF RETRIES: 0
COPY FROM DRIVE 1 TO DRIVE: 2
=======================================
16SC $01,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

Now press RETURN to start the copy...

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK: .R................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0: ..................................
SC1: ..................................
SC2: ..................................
SC3: ..................................
SC4: ..................................
SC5: ..................................
SC6: ..................................
SC7: ..................................
SC8: ..................................
SC9: ..................................
SCA: ..................................
SCB: .R................................
SCC: .R................................
SCD: .R................................
SCE: .R................................
SCF: .R................................
=======================================
16SC $01,$00-$22,$0F BY$01 S6,D1->S6,D2
--^--

Oh what fresh hell is this. Never mind,
we'll look into it later.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
298 FREE

*A 002 HELLO
*A 005 MENU
 A 032 ALPHABETICAL ORDER
*A 018 WORD WRITER
*A 010 CLASS READER4
*A 006 WL DELETER
*A 012 STUDENT FILE READER
*A 009 CLASS PRINTER
*A 005 CL DELETER2
*T 003 A1
*T 003 A2
*T 003 A3
*T 003 B1
*T 003 B2
*T 003 B3
*T 003 C1
*T 003 C2
*T 003 C3
*T 003 D1
*T 004 D2
*T 004 D3
*T 003 E1
*T 003 E2
*T 003 E3
*B 034 AOIS
*A 015 TITLE
*A 002 HE2
 T 001 S S

]RUN HELLO

...works...

The reason I always do this is to see
whether there are any runtime checks for
subtle differences in the original DOS.
If the program runs after booting from a
third-party disk, I can eliminate a
whole range of possible secondary
protections.

Now to make the disk be able to read
itself. (Remember, it still has the
original RWTS on it.) As a bonus, this
will also destroy the nibble check at
$BB00.

[Copy ][+ 8.4]
--> COPY
--> DOS
--> from slot 6, drive 2
--> to slot 6, drive 1

[S6,D1=demuffin'd copy]
[S6,D2=newly formatted DOS 3.3 disk]

...read read read...
...write write write...

]PR#6

...works...

What about the bad sectors on track 2?
They're unformatted and unused. The DOS
is loaded from T02,S0A backwards, but
the entire track is marked as used in
the disk catalog VTOC.

Quod erat liberandum.

~

Acknowledgements

Many thanks to LoGo for supplying the
original floppy disk.

---------------------------------------
A 4am crack No. 592
------------------EOF------------------
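An added illustration of the Chapter 0 finding, written for this page and not part of the 4am writeup or of the original disk: why a copier that insists on stock DOS 3.3 address marks reads nothing from a track whose prologue is "CD ** BC" and whose epilogue is "BA FA **", while a scanner that treats the "**" positions as wildcards recovers every sector. The 4-and-4 encoding, the stock D5 AA 96 / DE AA EB marks and volume 254 are real DOS 3.3 details (the volume number is the one shown in the catalog above); the nibble stream, the per-sector values chosen for the wildcard bytes, and the function names are constructed for the example. The data fields (the "DE F7 E5" / "EC BD" marks) are not modelled.

```python
"""Address-field scanner for an Apple II nibble stream (added example).

DOS 3.3 marks each sector's address field with the prologue D5 AA 96,
then volume/track/sector/checksum in "4-and-4" encoding, then the
epilogue DE AA EB. A copier that insists on those exact bytes finds
nothing on a disk whose prologue is "CD ** BC" and epilogue "BA FA **"
with the wildcard bytes changing from sector to sector. The track below
is constructed to model that scheme; it is not a dump of the real disk.
"""

STANDARD_ADDR_PROLOGUE = (0xD5, 0xAA, 0x96)
STANDARD_ADDR_EPILOGUE = (0xDE, 0xAA, 0xEB)
# Pattern reported in the writeup; None is a wildcard byte.
MODIFIED_ADDR_PROLOGUE = (0xCD, None, 0xBC)
MODIFIED_ADDR_EPILOGUE = (0xBA, 0xFA, None)


def encode44(value):
    """One byte -> two disk nibbles (odd bits, then even bits), 1s interleaved."""
    return ((value >> 1) | 0xAA, value | 0xAA)


def decode44(odd, even):
    """Inverse of encode44."""
    return ((odd << 1) | 0x01) & even


def address_field(volume, track, sector, prologue, epilogue):
    """Prologue + 4-and-4 encoded volume, track, sector, checksum + epilogue."""
    checksum = volume ^ track ^ sector
    body = [n for v in (volume, track, sector, checksum) for n in encode44(v)]
    return list(prologue) + body + list(epilogue)


def varying_prologue(sector):
    # Constructed: the second byte differs per sector, as the writeup reports.
    return (0xCD, 0xB0 | sector, 0xBC)


def varying_epilogue(sector):
    # Constructed: the third byte differs per sector.
    return (0xBA, 0xFA, 0xE0 | sector)


def build_track(track, volume=254):
    """Constructed 16-sector track: sync gap, address field, placeholder data field."""
    stream = []
    for sector in range(16):
        stream += [0xFF] * 5                     # sync gap
        stream += address_field(volume, track, sector,
                                varying_prologue(sector), varying_epilogue(sector))
        stream += [0xFF] * 8                     # data field not modelled here
    return stream


def matches(pattern, nibbles):
    """True when every non-wildcard pattern byte equals the nibble at its position."""
    return len(nibbles) == len(pattern) and all(
        p is None or p == n for p, n in zip(pattern, nibbles))


def scan_address_fields(stream, prologue, epilogue):
    """Return (volume, track, sector, checksum_ok) for every address field whose
    prologue and epilogue match the given patterns."""
    found = []
    i = 0
    while i + 14 <= len(stream):             # 3 prologue + 8 body + 3 epilogue
        if matches(prologue, stream[i:i + 3]) and matches(epilogue, stream[i + 11:i + 14]):
            body = stream[i + 3:i + 11]
            vol, trk, sec, chk = (decode44(body[k], body[k + 1]) for k in range(0, 8, 2))
            found.append((vol, trk, sec, chk == vol ^ trk ^ sec))
            i += 14
        else:
            i += 1
    return found


def compare_scans(track=1):
    """Stock DOS 3.3 patterns vs wildcard patterns over the same constructed track."""
    stream = build_track(track)
    strict = scan_address_fields(stream, STANDARD_ADDR_PROLOGUE, STANDARD_ADDR_EPILOGUE)
    relaxed = scan_address_fields(stream, MODIFIED_ADDR_PROLOGUE, MODIFIED_ADDR_EPILOGUE)
    return strict, relaxed


if __name__ == "__main__":
    strict, relaxed = compare_scans()
    print("stock DOS 3.3 marks: found", len(strict), "address fields")
    print("wildcard marks: found", len(relaxed), "address fields")
    for vol, trk, sec, ok in relaxed:
        print(f"  vol {vol} trk {trk} sec {sec:2d} checksum {'ok' if ok else 'BAD'}")
```

The strict scan is what COPYA and Locksmith FDB effectively do, which is why both gave up immediately; the wildcard scan is what a patched RWTS (step 3 of the plan in Chapter 0) amounts to. EDD succeeds regardless because it copies nibbles without interpreting address fields at all.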