-----------Car Builder rev. 2----------
A 4am crack                  2016-03-08
---------------------------------------

Name: Car Builder
Version: (*) see below
Genre: educational
Year: 1985
Publisher: Optimum Resource, Inc.
Media: single-sided 5.25-inch floppy
OS: custom
Previous cracks: me, but a different
  version (*)
Similar cracks:
  #616 Stickybear Typing rev. 2
  #615 Stickybear Math 2 rev. 2
  #614 Stickybear Spellgrabber rev. 2
  #613 Stickybear Reading Comprehension
  #611 Stickybear Reading
  #610 Stickybear Word Problems
  #609 Stickybear Math 2 rev. 1
  #586 Stickybear Parts of Speech
  #585 Map Skills
  #336 Car Builder

(*) With modern tools (xxd and diff), I
compared this disk image against all
the other copies I can find, online and
in my private collection. This copy has
significant differences on multiple
tracks, and the boot trace routines I
wrote for the other version don't work
on this one. I'm pretty sure this one
came later, because it has some IIgs-
specific initialization code that the
other one lacked. Both disks simply say
"1985" on the label.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  read error on first pass

Locksmith Fast Disk Backup
  fails to read T01,S0F; copy hangs
  during boot

EDD 4 bit copy (no sync, no count)
  no read errors, but copy still hangs
  during boot

Disk Fixer
  unable to read T01,S0F by any obvious
  combination of parameters

Why didn't COPYA work?
  intentionally bad sector on track $01

Why didn't Locksmith FDB work?
  probably a nibble check during boot
  that centers around the bad sector

Why didn't my EDD copy work?
  ditto

Next steps:

  1. Trace the boot
  2. Find the nibble check and skip it
  3. There is no step 3 (I hope)

                   ~

               Chapter 1
      In Which We Abuse The Stack
    For Fun And Profit (Mostly Fun)


[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BLOAD BOOT1,A$2600
]CALL -151

*B600<2600.2EFFM ; move RWTS into place
                 ; (but don't overwrite
                 ; Diversi-DOS @ $BF00)
*B700L

; clear hi-res graphics screen 1
B700-   A9 00       LDA   #$00
B702-   A8          TAY
B703-   85 10       STA   $10
B705-   A2 20       LDX   #$20
B707-   86 11       STX   $11
B709-   91 10       STA   ($10),Y
B70B-   C8          INY
B70C-   D0 FB       BNE   $B709
B70E-   E6 11       INC   $11
B710-   CA          DEX
B711-   D0 F6       BNE   $B709

; hmm, a JSR followed by garbage code
B713-   20 5D B6    JSR   $B65D
B716-   01 0E       ORA   ($0E,X)
B718-   00          BRK
B719-   08          PHP
B71A-   18          CLC

; and another (maybe)
B71B-   20 5D B6    JSR   $B65D
B71E-   03          ???
B71F-   0F          ???
B720-   00          BRK

*B65DL

; Ah! This subroutine uses the stack to
; pass in multiple arguments and store
; them in zero page
B65D-   68          PLA
B65E-   85 F0       STA   $F0
B660-   68          PLA
B661-   85 F1       STA   $F1
B663-   A0 01       LDY   #$01
B665-   B1 F0       LDA   ($F0),Y
B667-   85 54       STA   $54
B669-   C8          INY
B66A-   B1 F0       LDA   ($F0),Y
B66C-   85 55       STA   $55
B66E-   C8          INY
B66F-   B1 F0       LDA   ($F0),Y
B671-   85 58       STA   $58
B673-   C8          INY
B674-   B1 F0       LDA   ($F0),Y
B676-   85 59       STA   $59
B678-   C8          INY
B679-   B1 F0       LDA   ($F0),Y
B67B-   85 67       STA   $67
B67D-   18          CLC
B67E-   A5 F0       LDA   $F0
B680-   69 05       ADC   #$05
B682-   A8          TAY
B683-   A5 F1       LDA   $F1
B685-   69 00       ADC   #$00

; then munges the stack pointer to
; "return" to the next real instruction
; after the parameters
B687-   48          PHA
B688-   98          TYA
B689-   48          PHA

B68A-   A9 00       LDA   #$00
B68C-   85 5A       STA   $5A
B68E-   85 5B       STA   $5B
B690-   85 5E       STA   $5E
B692-   85 53       STA   $53
B694-   A9 01       LDA   #$01
B696-   85 50       STA   $50
B698-   85 52       STA   $52
B69A-   85 60       STA   $60
B69C-   85 62       STA   $62
B69E-   A9 60       LDA   #$60
B6A0-   85 51       STA   $51
B6A2-   85 5F       STA   $5F
B6A4-   A9 00       LDA   #$00
B6A6-   85 57       STA   $57
B6A8-   A9 61       LDA   #$61
B6AA-   85 56       STA   $56
B6AC-   A9 EF       LDA   #$EF
B6AE-   85 63       STA   $63
B6B0-   A9 D8       LDA   #$D8
B6B2-   85 64       STA   $64
B6B4-   A5 67       LDA   $67
B6B6-   D0 01       BNE   $B6B9
B6B8-   60          RTS
B6B9-   A9 01       LDA   #$01
B6BB-   85 5C       STA   $5C
B6BD-   A9 00       LDA   #$00
B6BF-   A0 50       LDY   #$50
B6C1-   20 B5 B7    JSR   $B7B5
B6C4-   E6 59       INC   $59
B6C6-   C6 67       DEC   $67
B6C8-   C6 55       DEC   $55
B6CA-   10 E8       BPL   $B6B4
B6CC-   A9 0F       LDA   #$0F
B6CE-   85 55       STA   $55
B6D0-   E6 54       INC   $54
B6D2-   D0 E0       BNE   $B6B4

This is a multi-sector read loop. It
calls the regular $B7B5 entry point to
read sectors (at $B6C1). Interestingly,
the RWTS parameter table is actually on
zero page, starting at $50. That would
mean that the parameters passed in (on
the stack, after the JSR $B65D) are

  1. start track ($54)
  2. start sector ($55)
  3. start address - low ($58)
  4. start address - high ($59)
  5. sector count ($67)

It uses logical sectors (via the RWTS).
Sectors count down from $0F to $00, and
tracks are decremented once the sector
wraps around to $0F. The target address
is incremented monotonically, and the
sector count is decremented until it
hits 0.

Revisiting the caller with this new
understanding...

; read $18 sectors into $0800 starting
; from T01,S0E
B713-   20 5D B6    JSR   $B65D
B716-  [01 0E 00 08 18]

; read $08 sectors into $6000 starting
; from T03,S0F
B71B-   20 5D B6    JSR   $B65D
B71E-  [03 0F 00 60 08]

; read $13 sectors into $6790 starting
; from T10,S0F
B723-   20 5D B6    JSR   $B65D
B726-  [10 0F 90 67 13]

; continue in the code we just read
B72B-   4C 00 08    JMP   $0800

That's where I'll interrupt the boot.

                   ~

               Chapter 2
  Hello, I'd Like To Have An Argument
         On The Stack, Please


*9600<C600.C6FFM

; set up callback #1 after boot0 loads
; boot1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; callback #1 is here
; break into monitor instead of jumping
; to $0800
970A-   A9 59       LDA   #$59
970C-   8D 2C B7    STA   $B72C
970F-   A9 FF       LDA   #$FF
9711-   8D 2D B7    STA   $B72D
9714-   4C 00 B7    JMP   $B700

*BSAVE TRACE1,A$9600,L$117

*9600G
...reboots slot 6...
<beep>

*800L

0800-   4C 79 08    JMP   $0879

Woohoo! It worked.

*2000<800.1FFFM

*C500G
...
]CALL -151

*800<2000.37FFM

*BSAVE BOOT2 0800-1FFF,A$800,L$1800
*BSAVE BOOT2 6000-7AFF,A$6000,L$1B00

*800L

0800-   4C 79 08    JMP   $0879

*879L

; A quick investigation reveals that
; this is also a multi-sector read loop
; that takes parameters on the stack,
; just like the one at $B65D. So this
; reads $0C sectors into $7A90 starting
; from T19,S0F.
0879-   20 DD 65    JSR   $65DD
087C-  [19 0F 90 7A 0C]

; and call it
0881-   20 90 7A    JSR   $7A90

Once again, time to interrupt the boot.

                   ~

               Chapter 3
      In Which We Grow Suspicious


*9600<C600.C6FFM

; set up callback #1 after boot0 loads
; boot1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; callback #1 is here
; set up callback #2 after boot1 loads
; boot2 (into $0800, &c.)
970A-   A9 17       LDA   #$17
970C-   8D 2C B7    STA   $B72C
970F-   A9 97       LDA   #$97
9711-   8D 2D B7    STA   $B72D

; continue the boot
9714-   4C 00 B7    JMP   $B700

; callback #2 is here
; set up callback #3 after boot2 loads
; more code into $7A90
9717-   A9 4C       LDA   #$4C
9719-   8D 81 08    STA   $0881
971C-   A9 29       LDA   #$29
971E-   8D 82 08    STA   $0882
9721-   A9 97       LDA   #$97
9723-   8D 83 08    STA   $0883

; continue the boot
9726-   4C 00 08    JMP   $0800

; callback #3 is here
; just reboot to my work disk
9729-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$12C

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2 7A90,A$7A90,L$C00
]CALL -151

*7A90L

; slow to 1 Mhz (IIgs)
7A90-   AD 36 C0    LDA   $C036
7A93-   29 7F       AND   #$7F
7A95-   8D 36 C0    STA   $C036

; black border (IIgs)
7A98-   AD 34 C0    LDA   $C034
7A9B-   29 F0       AND   #$F0
7A9D-   8D 34 C0    STA   $C034

; memory bank initialization
7AA0-   8D 0C C0    STA   $C00C
7AA3-   8D 02 C0    STA   $C002
7AA6-   8D 04 C0    STA   $C004

; show hi-res graphics page 1
7AA9-   8D 50 C0    STA   $C050
7AAC-   8D 57 C0    STA   $C057
7AAF-   8D 54 C0    STA   $C054
7AB2-   8D 52 C0    STA   $C052
7AB5-   8D 10 C0    STA   $C010
7AB8-   20 B0 7C    JSR   $7CB0

*7CB0L

; hmm, creating code one byte at a time
7CB0-   A9 20       LDA   #$20
7CB2-   8D FA 7C    STA   $7CFA
7CB5-   A9 02       LDA   #$02
7CB7-   8D FC 7C    STA   $7CFC
7CBA-   A9 D8       LDA   #$D8
7CBC-   8D FB 7C    STA   $7CFB
7CBF-   A9 60       LDA   #$60
7CC1-   8D FD 7C    STA   $7CFD

; ($50) -> $1E00
7CC4-   A9 00       LDA   #$00
7CC6-   85 50       STA   $50
7CC8-   A9 1E       LDA   #$1E
7CCA-   85 51       STA   $51

; wipe $46 bytes of memory at $1E00
7CCC-   A0 46       LDY   #$46
7CCE-   A9 00       LDA   #$00
7CD0-   91 50       STA   ($50),Y
7CD2-   88          DEY
7CD3-   D0 FB       BNE   $7CD0

; call the next instruction, then fall
; through to do it again
7CD5-   20 D8 7C    JSR   $7CD8

; read $02 sectors into $42D8 starting
; from T02,S06
7CD8-   20 E8 65    JSR   $65E8
7CDB-  [02 06 D8 42 02]

; copy these pages (well, most of them)
; to very low memory
7CE0-   A0 00       LDY   #$00
7CE2-   B9 D8 42    LDA   $42D8,Y
7CE5-   99 D8 02    STA   $02D8,Y
7CE8-   C8          INY
7CE9-   D0 F7       BNE   $7CE2
7CEB-   A0 90       LDY   #$90
7CED-   B9 D6 43    LDA   $43D6,Y
7CF0-   99 D6 03    STA   $03D6,Y
7CF3-   88          DEY
7CF4-   D0 F7       BNE   $7CED

; and... crash?
7CF6-   20 FA 7C    JSR   $7CFA
7CF9-   60          RTS
7CFA-   00          BRK
7CFB-   00          BRK
7CFC-   00          BRK
7CFD-   00          BRK

Ah, but we just modified $7CFA..$7CFD
(at $7CB0). This is the code that ends
up there:

*7CFA:20 D8 02 60

*7CFAL

7CFA-   20 D8 02    JSR   $02D8
7CFD-   60          RTS

Highly suspect.

Let's interrupt at $7CF6 and see what
sneaky code ends up in the input buffer
($02D8), the page 3 vectors ($03D6),
and overflowing onto the text page.

                   ~

               Chapter 4
  Why Build One When You Can Have Two
          At Twice The Price?


*9600<C600.C6FFM

; set up callback #1 and start the boot
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C
9707-   4C 01 08    JMP   $0801

; callback #1 is here
; set up callback #2 and continue boot
970A-   A9 17       LDA   #$17
970C-   8D 2C B7    STA   $B72C
970F-   A9 97       LDA   #$97
9711-   8D 2D B7    STA   $B72D
9714-   4C 00 B7    JMP   $B700

; callback #2 is here
; set up callback #3 and continue boot
9717-   A9 4C       LDA   #$4C
9719-   8D 81 08    STA   $0881
971C-   A9 29       LDA   #$29
971E-   8D 82 08    STA   $0882
9721-   A9 97       LDA   #$97
9723-   8D 83 08    STA   $0883
9726-   4C 00 08    JMP   $0800

; callback #3 is here
; set up callback #4 and continue boot
9729-   A9 4C       LDA   #$4C
972B-   8D F6 7C    STA   $7CF6
972E-   A9 3B       LDA   #$3B
9730-   8D F7 7C    STA   $7CF7
9733-   A9 97       LDA   #$97
9735-   8D F8 7C    STA   $7CF8
9738-   4C 90 7A    JMP   $7A90

; callback #4 is here
; capture the code that ends up in low
; memory and reboot to my work disk
973B-   A2 02       LDX   #$02
973D-   B9 D8 02    LDA   $02D8,Y
9740-   99 00 20    STA   $2000,Y
9743-   C8          INY
9744-   D0 F7       BNE   $973D
9746-   EE 3F 97    INC   $973F
9749-   EE 42 97    INC   $9742
974C-   CA          DEX
974D-   D0 EE       BNE   $973D
974F-   4C 00 C5    JMP   $C500

*BSAVE TRACE3,A$9600,L$152

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2 02D8,A$2000,L$200

Since part of this ends up on the text
page, I'm going to load it at $22D8.
Relative branches will look correct,
but absolute addresses will be off by
$2000.

]BLOAD BOOT2 02D8,A$22D8
]CALL -151

*22D8L

; whatever this is doing, it's going to
; keep doing it until it works (note
; the infinite loop if the carry bit
; is set)
22D8-   A0 3C       LDY   #$3C
22DA-   A9 04       LDA   #$04
22DC-   20 E2 02    JSR   $02E2
22DF-   B0 F7       BCS   $22D8
22E1-   60          RTS

; save registers
22E2-   48          PHA
22E3-   8A          TXA
22E4-   48          PHA
22E5-   98          TYA
22E6-   48          PHA

; do something
22E7-   20 F8 02    JSR   $02F8

; restore registers
22EA-   68          PLA
22EB-   A8          TAY
22EC-   68          PLA
22ED-   AA          TAX
22EE-   68          PLA

; read a sector via RWTS
22EF-   20 B5 B7    JSR   $B7B5

; do the same thing again (but save and
; restore the processor flags)
22F2-   08          PHP
22F3-   20 F8 02    JSR   $02F8
22F6-   28          PLP

; and return to caller with the flags
; from the RWTS call
22F7-   60          RTS

OK, this is a bit convoluted, but it's
not intentionally obfuscated. It's just
cautious. The heart of it is a standard
RWTS call (at $02EF) which absolutely
has to work, otherwise $02DF will keep
branching back to $02D8 to try again.
The RWTS parameter table is at $043C
(passed in A and Y, set at $02D8).
Before and after the RWTS call, we call
a routine at $02F8. The RWTS parameter
table is never modified, so it's just
whatever was read from disk. Let's see
what that is, then we'll see what's at
$02F8.

*243C.2450

243C- 01 60 01 00
2440- 01 0F 4D 04 00 1E 00 00
2448- 01 00 00 60 01 00 01 EF
2450- D8

That's reading from slot 6, drive 1,
track $01, sector $0F (aha! that's the
unreadable sector), into $1E00.

*22F8L

; take two bytes from a data structure
; starting at $0321 and store them in
; zero page $02/$03
22F8-   A2 00       LDX   #$00
22FA-   A0 00       LDY   #$00
22FC-   BD 21 03    LDA   $0321,X
22FF-   E8          INX
2300-   85 02       STA   $02
2302-   BD 21 03    LDA   $0321,X
2305-   E8          INX
2306-   85 03       STA   $03
2308-   C5 02       CMP   $02
230A-   D0 05       BNE   $2311
230C-   C9 00       CMP   #$00
230E-   D0 01       BNE   $2311
2310-   60          RTS

; swap the byte at ($02),Y with the
; byte at $0321,X
2311-   BD 21 03    LDA   $0321,X
2314-   48          PHA
2315-   B1 02       LDA   ($02),Y
2317-   9D 21 03    STA   $0321,X
231A-   E8          INX
231B-   68          PLA
231C-   91 02       STA   ($02),Y

; and loop back (will exit if the BNEs
; at $030A and $030E fail)
231E-   4C FC 02    JMP   $02FC

So we're swapping some bytes in memory,
then (since we call the same routine
again) swapping them back after the
RWTS call at $02EF. This is driven by
a data structure (starting at $0321)
that contains an array of triples
(two byte address + one byte value)
followed by two null bytes.

Here is the data structure:

*2321.2334

2321- C2 B8 4C
      C3 B8 8E
      C4 B8 03
      DC B8 4C
      DD B8 35
      DE B8 03
      00 00

So we're swapping three bytes at $B8C2
(4C 8E 03) and three bytes at $B8DC
(4C 35 03). That... is right in the
middle of RWTS code. $B8C2 is the
POSTNIBBLE routine that converts the
342 nibbles on disk into 256 bytes in
memory. $B8DC is the READ routine. And
we're completely replacing (well,
redirecting) both of them to custom
routines that we just read from disk,
in order to read the unreadable sector
on track $01.

Let's see what's at $038E and $0335.

*238EL

; new POSTNIBBLE routine
238E-   A0 87       LDY   #$87
2390-   20 AB 03    JSR   $03AB
2393-   88          DEY
2394-   20 AB 03    JSR   $03AB
2397-   0A          ASL
2398-   0A          ASL
2399-   0A          ASL
239A-   0A          ASL
239B-   85 00       STA   $00
239D-   20 AB 03    JSR   $03AB
23A0-   05 00       ORA   $00
23A2-   91 3E       STA   ($3E),Y
23A4-   98          TYA
23A5-   88          DEY
23A6-   C9 00       CMP   #$00
23A8-   D0 EA       BNE   $2394
23AA-   60          RTS
23AB-   98          TYA
23AC-   48          PHA
23AD-   C9 87       CMP   #$87
23AF-   D0 19       BNE   $23CA
23B1-   A0 55       LDY   #$55
23B3-   AD C0 FB    LDA   $FBC0
23B6-   F0 0C       BEQ   $23C4
23B8-   AE 8D 03    LDX   $038D
23BB-   BD 8D C0    LDA   $C08D,X
23BE-   BD 8E C0    LDA   $C08E,X
23C1-   10 01       BPL   $23C4
23C3-   88          DEY
23C4-   84 02       STY   $02
23C6-   A2 00       LDX   #$00
23C8-   86 01       STX   $01
23CA-   A4 02       LDY   $02
23CC-   A6 01       LDX   $01
23CE-   30 0C       BMI   $23DC
23D0-   BE FF BB    LDX   $BBFF,Y
23D3-   88          DEY
23D4-   D0 0A       BNE   $23E0
23D6-   A9 FF       LDA   #$FF
23D8-   85 01       STA   $01
23DA-   D0 04       BNE   $23E0
23DC-   BE 00 BB    LDX   $BB00,Y
23DF-   C8          INY
23E0-   84 02       STY   $02
23E2-   68          PLA
23E3-   A8          TAY
23E4-   BD 3C 03    LDA   $033C,X
23E7-   60          RTS

*2335L

; new READ routine
2335-   A0 20       LDY   #$20
2337-   8E 8D 03    STX   $038D
233A-   88          DEY
233B-   F0 4E       BEQ   $238B
233D-   BD 8C C0    LDA   $C08C,X
2340-   10 FB       BPL   $233D
2342-   49 D5       EOR   #$D5
2344-   D0 F4       BNE   $233A
2346-   EA          NOP
2347-   BD 8C C0    LDA   $C08C,X
234A-   10 FB       BPL   $2347
234C-   C9 AA       CMP   #$AA
234E-   D0 F2       BNE   $2342
2350-   A0 56       LDY   #$56
2352-   BD 8C C0    LDA   $C08C,X
2355-   10 FB       BPL   $2352
2357-   EA          NOP
2358-   EA          NOP
2359-   9D 8D C0    STA   $C08D,X
235C-   88          DEY
235D-   84 26       STY   $26
235F-   BD 8C C0    LDA   $C08C,X
2362-   10 FB       BPL   $235F
2364-   BC 00 BA    LDY   $BA00,X
2367-   A4 26       LDY   $26
2369-   99 00 BC    STA   $BC00,Y
236C-   D0 EE       BNE   $235C
236E-   84 26       STY   $26
2370-   BD 8C C0    LDA   $C08C,X
2373-   10 FB       BPL   $2370
2375-   BC 00 BA    LDY   $BA00,X
2378-   A4 26       LDY   $26
237A-   99 00 BB    STA   $BB00,Y
237D-   C8          INY
237E-   D0 EE       BNE   $236E
2380-   AD 52 BC    LDA   $BC52
2383-   29 F0       AND   #$F0
2385-   C9 90       CMP   #$90
2387-   F0 02       BEQ   $238B
2389-   18          CLC
238A-   60          RTS
238B-   38          SEC
238C-   60          RTS
238D-   00          BRK

And that's how we're going to read the
unreadable sector: we're going to let
this code do it for us.

                   ~

               Chapter 5
 On A Clear Day You Can Trace Forever


*9600<C600.C6FFM

; set up callback #1 and start the boot
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C
9707-   4C 01 08    JMP   $0801

; callback #1 is here
; set up callback #2 and continue boot
970A-   A9 17       LDA   #$17
970C-   8D 2C B7    STA   $B72C
970F-   A9 97       LDA   #$97
9711-   8D 2D B7    STA   $B72D
9714-   4C 00 B7    JMP   $B700

; callback #2 is here
; set up callback #3 and continue boot
9717-   A9 4C       LDA   #$4C
9719-   8D 81 08    STA   $0881
971C-   A9 29       LDA   #$29
971E-   8D 82 08    STA   $0882
9721-   A9 97       LDA   #$97
9723-   8D 83 08    STA   $0883
9726-   4C 00 08    JMP   $0800

; callback #3 is here
; set up callback #4 and continue boot
9729-   A9 4C       LDA   #$4C
972B-   8D F6 7C    STA   $7CF6
972E-   A9 3B       LDA   #$3B
9730-   8D F7 7C    STA   $7CF7
9733-   A9 97       LDA   #$97
9735-   8D F8 7C    STA   $7CF8
9738-   4C 90 7A    JMP   $7A90
973B-   A9 4C       LDA   #$4C
973D-   8D DF 02    STA   $02DF
9740-   A9 4D       LDA   #$4D
9742-   8D E0 02    STA   $02E0
9745-   A9 97       LDA   #$97
9747-   8D E1 02    STA   $02E1
974A-   4C D8 02    JMP   $02D8
974D-   4C 00 C5    JMP   $C500

*BSAVE TRACE4,A$9600,L$150

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2 1E00,A$1E00,L$100
]CALL -151

*1E00L

1E00-   11 AD       ORA   ($AD),Y
1E02-   02          ???
1E03-   02          ???
1E04-   C9 D6       CMP   #$D6

That's *almost* code. Wait, I see it.

*1E01L

1E01-   AD 02 02    LDA   $0202
1E04-   C9 D6       CMP   #$D6
1E06-   D0 0A       BNE   $1E12
1E08-   AD 03 02    LDA   $0203
1E0B-   C9 C5       CMP   #$C5
1E0D-   D0 03       BNE   $1E12
1E0F-   4C 30 1E    JMP   $1E30
1E12-   20 C0 0D    JSR   $0DC0
1E15-   20 8B 0C    JSR   $0C8B
1E18-   20 66 60    JSR   $6066
1E1B-   31 1E       AND   ($1E),Y
1E1D-   20 21 0A    JSR   $0A21
1E20-   C9 8D       CMP   #$8D
1E22-   D0 F9       BNE   $1E1D
1E24-   20 FF 0B    JSR   $0BFF
1E27-   20 C0 0D    JSR   $0DC0
1E2A-   20 FF 0B    JSR   $0BFF
1E2D-   4C D7 1D    JMP   $1DD7
1E30-   60          RTS
1E31-   38          SEC

Well, I'm not sure what this is, but it
is most decidedly something. This was
not just a check to ensure that the
unreadable sector was there. The data
on that sector actually matters.

OK, no problem. I have the data now. I
can write it back to T01,S0F on my non-
working copy. Then, if I disable the
RWTS swapper at $02F8, the program will
just read T01,S0F using a standard RWTS
and put it where it expects it ($1E00).

08C0-   A9 08       LDA   #$08
08C2-   A0 E8       LDY   #$E8
08C4-   4C D9 03    JMP   $03D9

08E8- 01 60 01 FE 01 0F FB 08
08F0- 00 1E 00 00 02 00 FE 60
08F8- 01 00 00 00 01 EF D8 00

*BSAVE WRITE T01S0F,A$8C0,L$40

[S6,D1=non-working copy]

*8C0G

$02D8 was read from T02,S06 (at $7CD8).
I want to put an "RTS" at $02F8, so
that's offset $20.

T02,S06,$20 change "A2" to "60"

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 642
------------------EOF------------------