---------BASIC Building Blocks---------
A 4am crack                   2015-10-26
---------------------------------------

Name: BASIC Building Blocks
Genre: educational
Year: 1983
Publisher: Micro Education Corporation of America
Media: two single-sided 5.25-inch discs
OS: ProDOS 1.0.1
Previous cracks: none

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  fails on last pass

Locksmith Fast Disk Backup
  unable to read track $22; copy boots
  ProDOS, displays BASIC prompt, shows
  title screens, briefly grinds disk 2,
  then wipes memory and halts

  (The original disk also grinds disk 2,
  then continues. Like it's looking for
  a data disk but continuing if it can't
  find one.)

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  track $22 has modified prologues
  ("D5 AA 97" / "D5 AA AC")

--v--
COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
TRACK: 22  START: 2D45  LENGTH: 1799

2D20: FF FF FF FF FF FF FF FF   VIEW
2D28: FF FF FF FF FF FF FF FF
2D30: FF FF FF FF FF FF FF FF
2D38: FF FF FF FF FF FF FF FF
2D40: FF FF FF FF FF D5 AA 97  <-2D45
                     ^^^^^^^^
                     address prologue
2D48: AA AA BB AA AA AA BB AA
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      v=000 t=$22 s=$00 chksm
2D50: DE AA EB FF FF FF FF FF
      ^^^^^^^^
      epilogue (standard)
2D58: FF D5 AA AC 96 96 96 96
         ^^^^^^^^
         data prologue
2D60: 96 96 96 96 96 96 96 96
---------------------------------------
A TO ANALYZE DATA   ESC TO QUIT
? FOR HELP SCREEN   / CHANGE PARMS
Q FOR NEXT TRACK    SPACE TO RE-READ
--^--

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Prologue to "D5 AA 97"
  set Data Prologue to "D5 AA AC"

  Success! Track $22 is readable!
  (It's 16 sectors of all zeroes)

Why didn't COPYA work? modified
prologues on track $22

Why didn't Locksmith FDB work? modified
prologues on track $22

There's no data on track $22. (All the
sectors are blank.) This is strictly a
copy protection check.

Next steps:

1. Trace the startup program
2. Find and disable the protection check
   that reads track $22
3. Declare victory(*)

(*) Take a nap

~

Chapter 1
In Which We Catch Ourselves Adjusting
Our RWTS in Public

[S6,D1=original disk]
[S7,D1=my ProDOS hard drive]

]PR#7
...
]CAT,S6,D1

/DISK1

 NAME          TYPE  BLOCKS  MODIFIED

*PRODOS        SYS      31  1-JAN-84
*BASIC.SYSTEM  SYS      21  15-NOV-83
 B1            BAS       1
 STARTUP       BAS       6
 PREBDT        BIN       1
 HIRESC        BIN       8
 L.E           BIN      13
 OPENMECA1     BIN      17  11-OCT-83
 OPENSCREEN    BIN      17  11-OCT-83
 BDT           BIN      11
 B2            BAS       1
 LARGE.FONT    BIN       6
 SMALL.FONT    BIN       5  11-OCT-83
 TOC           BIN       1
 HELP          BIN       1
 L.F           BIN      15
 L.A           BIN      17
 C1            BAS       1
 L.B           BIN      15
 L.G           BIN      16
 L.C           BIN      17
 C2            BAS       1
 L.D           BIN      21
 D1            BAS       1
 D2            BAS       1
 D3            BAS       1
 D4            BAS       1
 D5            BAS       1
 D6            BAS       1
 D7            BAS       1
 D8            BAS       1
 E1            BAS       1
 E2            BAS       1
 E3            BAS       1
 E4            BAS       1
 F1            BAS       1
 F2            BAS       1
 F3            BAS       1
 F4            BAS       1
 G1            BAS       1
 G2            BAS       1
 G3            BAS       1
 G4            BAS       1
 G5            BAS       1
 G6            BAS       1

BLOCKS FREE:    0    BLOCKS USED:  280

]PREFIX /DISK1
]LOAD STARTUP
]LIST
.
.
.
4000  REM
4005  PRINT CHR$ (4);"BLOAD BDT"
4006  CALL MARK: POKE 768,2
4010  ONERR GOTO 4105
4020  PRINT CHR$ (4);"OPEN SESAME,D2"
4022  PRINT CHR$ (4);"READ SESAME"
4024  ONERR GOTO 4100
4025  INPUT DRIVES
4026  PRINT CHR$ (4);"CLOSE SESAME"
4030  PRINT CHR$ (4);"BRUN HIRESC,D1"
4100  PRINT CHR$ (4);"DELETE SESAME,D2"
4105  POKE 768,1: GOTO 4030
4147 : RETURN
9999  END
.
.
.

The subroutine at 4000 looks relevant.
Line 4020 tries to open a file on drive
2, then eventually deletes it. Then,
line 4030 BRUNs another file.

]4030 TEXT: PRINT "4030": END
]RUN
...
4030

OK, let's go trace HIRESC. An extended
CATALOG tells me it loads at $0C00.
]BLOAD HIRESC
]CALL -151

*C00L

0C00-   4C 67 0E    JMP   $0E67

*E67L

; the STARTUP program put $01 or $02 in
; $0300, indicating the number of
; drives
0E67-   AD 00 03    LDA   $0300
0E6A-   8D 21 0C    STA   $0C21

; munge the reset vector to reboot
0E6D-   EE F4 03    INC   $03F4
0E70-   A9 00       LDA   #$00
0E72-   85 73       STA   $73
0E74-   A9 40       LDA   #$40
0E76-   85 74       STA   $74
0E78-   20 BB 17    JSR   $17BB

*17BBL

; read/write RAM bank 1 (where ProDOS
; lives)
17BB-   AD 8B C0    LDA   $C08B
17BE-   AD 8B C0    LDA   $C08B

; fiddle with the RWTS in memory (this
; is the third address prologue byte)
17C1-   A9 97       LDA   #$97
17C3-   8D C0 FB    STA   $FBC0

; also modify the third data prologue
; byte
17C6-   A9 AC       LDA   #$AC
17C8-   8D 50 FC    STA   $FC50

; back to ROM
17CB-   AD 8A C0    LDA   $C08A

; do a raw block read (MLI command $80)
17CE-   20 00 BF    JSR   $BF00
17D1-   [80 1D 18]

*181D.

[03   ] ; parameter count
[60   ] ; unit number (S6,D1)
[00 08] ; address ($0800)
[10 01] ; block number ($110, which is
        ; on track $22)

Aha! We're fiddling with the RWTS in
memory, then issuing a raw block read
somewhere on track $22.

; branch forward on success
17D4-   F0 17       BEQ   $17ED

; failure path is here -- call ROM
; routine to wipe all of main memory
17D6-   A9 01       LDA   #$01
17D8-   85 3D       STA   $3D
17DA-   85 42       STA   $42
17DC-   85 43       STA   $43
17DE-   A9 00       LDA   #$00
17E0-   85 3C       STA   $3C
17E2-   A9 FF       LDA   #$FF
17E4-   85 3E       STA   $3E
17E6-   85 3F       STA   $3F
17E8-   A0 00       LDY   #$00
17EA-   4C 2C FE    JMP   $FE2C

; successful execution continues here
; (from $17D4)

; read/write RAM bank 1 again
17ED-   AD 8B C0    LDA   $C08B
17F0-   AD 8B C0    LDA   $C08B

; restore proper address prologue
17F3-   A9 96       LDA   #$96
17F5-   8D C0 FB    STA   $FBC0

; restore proper data prologue
17F8-   A9 AD       LDA   #$AD
17FA-   8D 50 FC    STA   $FC50

; back to ROM
17FD-   AD 8A C0    LDA   $C08A

As expected, this copy protection check
uses nothing it reads and has no side
effects. It simply modifies the RWTS on
the fly to read the ill-formed track
$22, then restores the RWTS and
continues.
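To see why only the patched RWTS can read track $22, and why MLI block $110 lands there at all, here is a small decoder written for this write-up. It is an added example, not 4am's code and not code from the BASIC Building Blocks disk. It reconstructs the nibble stream from the Copy ][+ screen in Chapter 0 (constructed from the dump, not read from a disk image), scans it for an address field using a given prologue, undoes the 4-and-4 encoding, and checks the checksum and epilogue; the block-to-track/sector table is the standard ProDOS one for 5.25-inch disks. Sync bits and the timing of a real RWTS are omitted, so this parses the logical nibble bytes rather than a drive-level bitstream, and all function and variable names are this example's own.

```python
"""Decode the track $22 address field with stock vs. patched prologues.

Added example for this write-up: not 4am's code and not code from the
BASIC Building Blocks disk. The nibble stream is constructed from the
Copy ][+ screen in Chapter 0; names are this example's own.
"""

# Standard ProDOS 5.25" geometry: 16 x 256-byte sectors per track, so 8
# 512-byte blocks per track. Each block-within-track maps to a pair of
# DOS-order sectors per the standard ProDOS block/sector table.
BLOCK_TO_SECTORS = {
    0: (0x0, 0xE), 1: (0xD, 0xC), 2: (0xB, 0xA), 3: (0x9, 0x8),
    4: (0x7, 0x6), 5: (0x5, 0x4), 6: (0x3, 0x2), 7: (0x1, 0xF),
}

STOCK_ADDRESS_PROLOGUE = (0xD5, 0xAA, 0x96)    # what ProDOS's RWTS expects
PATCHED_ADDRESS_PROLOGUE = (0xD5, 0xAA, 0x97)  # what $17C1-$17C3 stores at $FBC0
STOCK_DATA_PROLOGUE = (0xD5, 0xAA, 0xAD)
PATCHED_DATA_PROLOGUE = (0xD5, 0xAA, 0xAC)     # what $17C6-$17C8 stores at $FC50

# Constructed from the Copy ][+ dump at $2D40-$2D67 (Chapter 0).
TRACK_22_NIBBLES = bytes(
    [0xFF] * 5 + [0xD5, 0xAA, 0x97]                      # address prologue
    + [0xAA, 0xAA, 0xBB, 0xAA, 0xAA, 0xAA, 0xBB, 0xAA]   # vol, trk, sec, chk (4-and-4)
    + [0xDE, 0xAA, 0xEB] + [0xFF] * 6                    # standard epilogue, sync
    + [0xD5, 0xAA, 0xAC] + [0x96] * 12                   # data prologue, data nibbles
)


def block_to_track_sectors(block):
    """Return (track, (sector_a, sector_b)) for a ProDOS block on a 35-track disk."""
    if not 0 <= block < 35 * 8:
        raise ValueError("block %#x is outside a 35-track disk" % block)
    return block // 8, BLOCK_TO_SECTORS[block % 8]


def decode_44(odd, even):
    """Undo 4-and-4 encoding: the first nibble carries the odd bits, the second the even."""
    return ((odd << 1) | 1) & even


def find_address_fields(nibbles, prologue, epilogue=(0xDE, 0xAA)):
    """Scan a nibble stream for address fields introduced by `prologue`.

    Each hit records the decoded volume/track/sector, whether the checksum
    (vol ^ trk ^ sec) matched, and whether the epilogue followed. Returns []
    when the prologue never appears, which is what a stock RWTS sees here.
    """
    hits = []
    marker = bytes(prologue)
    i = nibbles.find(marker)
    while i != -1:
        field = nibbles[i + 3:i + 11]
        if len(field) == 8:
            vol, trk, sec, chk = (decode_44(field[k], field[k + 1]) for k in (0, 2, 4, 6))
            hits.append({
                "offset": i,
                "volume": vol,
                "track": trk,
                "sector": sec,
                "checksum_ok": chk == (vol ^ trk ^ sec),
                "epilogue_ok": tuple(nibbles[i + 11:i + 13]) == tuple(epilogue),
            })
        i = nibbles.find(marker, i + 1)
    return hits


def data_prologue_follows(nibbles, address_offset, data_prologue):
    """True if `data_prologue` appears shortly after the address field at `address_offset`.

    A real RWTS only accepts the data prologue within a bounded gap after the
    address epilogue; the 32-nibble window here is generous, not cycle-exact.
    """
    start = address_offset + 13
    return nibbles.find(bytes(data_prologue), start, start + 32) != -1


def readable_with(nibbles, address_prologue, data_prologue):
    """Model the read at $17CE: can this RWTS configuration find track $22, sector 0?"""
    for hit in find_address_fields(nibbles, address_prologue):
        if (hit["track"] == 0x22 and hit["sector"] == 0 and hit["checksum_ok"]
                and hit["epilogue_ok"]
                and data_prologue_follows(nibbles, hit["offset"], data_prologue)):
            return True
    return False


if __name__ == "__main__":
    print("block $110 ->", block_to_track_sectors(0x110))
    print("stock RWTS reads track $22:",
          readable_with(TRACK_22_NIBBLES, STOCK_ADDRESS_PROLOGUE, STOCK_DATA_PROLOGUE))
    print("patched RWTS reads track $22:",
          readable_with(TRACK_22_NIBBLES, PATCHED_ADDRESS_PROLOGUE, PATCHED_DATA_PROLOGUE))
```

Block $110 is 272 decimal, and 272 / 8 = 34 = $22, so the MLI call is aimed at the first block of the protected track. With the stock prologues the scanner never sees an address field, which is the failure COPYA and Locksmith hit; with $97/$AC it decodes volume 0, track $22, sector 0 with a good checksum, which is the success path at $17D4 on an original. A COPYA or Locksmith copy has no D5 AA 97 field on track $22, so on a copy the patched RWTS fails the same way and the code falls through to the memory wipe.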
To fix this, I can change the branch
command at $17D4 from BEQ to BNE, thus
inverting the logic and ensuring that
the check only succeeds on a copy.

T09,S0C,$D4
change "F0" to "D0"

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 477
------------------EOF------------------