---------Charlie Brown's 1-2-3s-------- A 4am crack 2015-03-01 --------------------------------------- Name: Charlie Brown's 1-2-3s Genre: educational Year: 1985 Publisher: Random House, Inc. Media: double-sided 5.25-inch floppy Other cracks: Asimov has an uncracked .nib image Identical cracks: Charlie Brown's ABC's (4am crack no. 226) ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) copy works Copy ][+ nibble editor all tracks use standard prologues (address: D5 AA 96, data: D5 AA AD) but modified address epilogue (AA DE EB instead of DE AA EB) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "AA DE EB" Success! All tracks readable! T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "HELLO" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) EDD worked. What does that tell us? probably just structural protection (modified epilogue), no nibble check Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ]CATALOG,S6,D2 C1983 DSR^C#254 004 FREE A 006 HELLO B 041 SEQ9 A 017 TITLE A 017 GAME123.V5 B 009 CONDENSED B 005 ANIMPAC B 002 LDBANK B 002 BANKDISPLAY B 009 PRINTDIR B 023 BANK.LNK B 028 RH/TITLE.LNK B 026 SEQ6 B 009 CR.CPRS B 002 SEQ1.MSC B 040 SEQ1 T 002 PARMS B 002 TITLE.MSC B 002 POSNEG.MSC B 002 SEQ2.MSC B 002 SEQ3.MSC B 002 SEQ4.MSC B 003 SEQ5.MSC B 003 SEQ6.MSC B 002 SEQ7.MSC B 002 SEQ8.MSC B 002 SEQ9.MSC B 043 SEQ4 B 034 SEQ5 B 046 SEQ7 B 034 SEQ8 B 033 SEQ2 B 042 SEQ3 ]RUN HELLO ...loads title screen then hangs... However, booting from a DOS 3.3 master disk and running HELLO does work. [S6,D1=demuffin'd copy] ]PR#6 ...grinds then crashes... The demuffin'd disk can't read itself. This is not unusual. ~ Chapter 2 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP ; fix epilogue byte checking in RWTS T00,S03,$91 change AA to DE T00,S03,$9B change DE to AA T00,S06,$AE change AA to DE T00,S06,$B3 change DE to AA Quod erat liberandum. --------------------------------------- A 4am crack No. 232 ------------------EOF------------------