-------------Compu-Read 3.4------------
A 4am crack                  2014-09-22
---------------------------------------

"Compu-Read" is a 1982 educational
program distributed by Edu-Ware
Services, Inc. The on-disk main menu
says "Ver. 3.4  25 Jan 82".

COPYA fails miserably and immediately.
Locksmith Fast Disk Backup can read the
first sector of track 0, but nothing
else. Disk Fixer -- my new favorite
sector editor -- can't read anything
past track 0, sector 0, even when I
turn off epilogues and checksums.

Not much to go on. It's time for boot
tracing with AUTOTRACE!

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

For those of you just tuning in, my
work disk uses a custom program that I
affectionately call "AUTOTRACE" to
automate the process of boot tracing as
far as possible. For some disks, it
just captures track 0, sector 0 (saved
in a file called "BOOT0") and stops.
For other disks that load in the same
way that an unprotected DOS 3.3 disk
loads, it can potentially do a lot
more. This is not one of those disks.

]CALL -151

*800<2800.28FFM

*801L

; immediately move this code to the
; input buffer at $0200
0801-   A0 0F       LDY   #$0F
0803-   B9 00 08    LDA   $0800,Y
0806-   99 00 02    STA   $0200,Y
0809-   C8          INY
080A-   D0 F7       BNE   $0803

; and continue there
080C-   4C 0F 02    JMP   $020F

*20F<80F.8FFM

*20FL

; set up some sort of data table at
; $0800
020F-   A2 20       LDX   #$20
0211-   A9 03       LDA   #$03
0213-   85 3C       STA   $3C
0215-   18          CLC
0216-   88          DEY
0217-   98          TYA
0218-   24 3C       BIT   $3C
021A-   F0 F5       BEQ   $0211
021C-   26 3C       ROL   $3C
021E-   90 F8       BCC   $0218
0220-   C0 D5       CPY   #$D5
0222-   F0 ED       BEQ   $0211
0224-   CA          DEX
0225-   8A          TXA
0226-   99 00 08    STA   $0800,Y
0229-   D0 E6       BNE   $0211

; zero page initialization -- ($26) is
; usually the target page for reading
; more sectors, so $0300
022B-   85 3D       STA   $3D
022D-   85 26       STA   $26
022F-   A9 03       LDA   #$03
0231-   85 27       STA   $27

; slot number (x16) is in zero page $2B
0233-   A6 2B       LDX   $2B

; call subroutine to read a sector
0235-   20 5D 02    JSR   $025D

*25DL

; read a sector (code is very similar
; to disk controller ROM routine, but
; uses "D5 AA B5" for address prologue)
025D-   18          CLC
025E-   08          PHP
025F-   BD 8C C0    LDA   $C08C,X
0262-   10 FB       BPL   $025F
0264-   49 D5       EOR   #$D5
0266-   D0 F7       BNE   $025F
0268-   BD 8C C0    LDA   $C08C,X
026B-   10 FB       BPL   $0268
026D-   C9 AA       CMP   #$AA
026F-   D0 F3       BNE   $0264
0271-   EA          NOP
0272-   BD 8C C0    LDA   $C08C,X
0275-   10 FB       BPL   $0272
0277-   C9 B5       CMP   #$B5    <-- !
0279-   F0 09       BEQ   $0284
027B-   28          PLP
027C-   90 DF       BCC   $025D
027E-   49 AD       EOR   #$AD
0280-   F0 1F       BEQ   $02A1
0282-   D0 D9       BNE   $025D
0284-   A0 03       LDY   #$03
0286-   84 2A       STY   $2A
0288-   BD 8C C0    LDA   $C08C,X
028B-   10 FB       BPL   $0288
028D-   2A          ROL
028E-   85 3C       STA   $3C
0290-   BD 8C C0    LDA   $C08C,X
0293-   10 FB       BPL   $0290
0295-   25 3C       AND   $3C
0297-   88          DEY
0298-   D0 EE       BNE   $0288
029A-   28          PLP
029B-   C5 3D       CMP   $3D
029D-   D0 BE       BNE   $025D
029F-   B0 BD       BCS   $025E
02A1-   A0 9A       LDY   #$9A
02A3-   84 3C       STY   $3C
02A5-   BC 8C C0    LDY   $C08C,X
02A8-   10 FB       BPL   $02A5
02AA-   59 00 08    EOR   $0800,Y
02AD-   A4 3C       LDY   $3C
02AF-   88          DEY
02B0-   99 00 08    STA   $0800,Y
02B3-   D0 EE       BNE   $02A3
02B5-   84 3C       STY   $3C
02B7-   BC 8C C0    LDY   $C08C,X
02BA-   10 FB       BPL   $02B7
02BC-   59 00 08    EOR   $0800,Y
02BF-   A4 3C       LDY   $3C
02C1-   91 26       STA   ($26),Y
02C3-   C8          INY
02C4-   D0 EF       BNE   $02B5
02C6-   BC 8C C0    LDY   $C08C,X
02C9-   10 FB       BPL   $02C6
02CB-   59 00 08    EOR   $0800,Y
02CE-   D0 8D       BNE   $025D
02D0-   60          RTS

Returning to caller...

0238-   4C D1 02    JMP   $02D1

*2D1L

; decode raw nibble data based on the
; data table we set up earlier at $0800
02D1-   A8          TAY
02D2-   A2 00       LDX   #$00
02D4-   B9 00 08    LDA   $0800,Y
02D7-   4A          LSR
02D8-   3E CC 03    ROL   $03CC,X
02DB-   4A          LSR
02DC-   3E 99 03    ROL   $0399,X
02DF-   85 3C       STA   $3C
02E1-   B1 26       LDA   ($26),Y
02E3-   0A          ASL
02E4-   0A          ASL
02E5-   0A          ASL
02E6-   05 3C       ORA   $3C
02E8-   91 26       STA   ($26),Y
02EA-   C8          INY
02EB-   E8          INX
02EC-   E0 33       CPX   #$33
02EE-   D0 E4       BNE   $02D4
02F0-   C6 2A       DEC   $2A
02F2-   D0 DE       BNE   $02D2

; checksum
02F4-   CC 00 03    CPY   $0300
02F7-   D0 03       BNE   $02FC

; checksum passed, continue with boot
02F9-   4C 3B 02    JMP   $023B

; checksum failed, print "ERR" and exit
02FC-   4C 2D FF    JMP   $FF2D

*23BL

; Weird. This code is modifying the
; code it just read from disk. Not sure
; why yet.
023B-   A9 A9       LDA   #$A9
023D-   8D 1F 03    STA   $031F
0240-   A9 02       LDA   #$02
0242-   8D 20 03    STA   $0320

; jump to the code we just read
0245-   4C 01 03    JMP   $0301

OK, this I need to interrupt the boot.

*9600<C600.C6FFM

; reproduce initial memcopy
96F8-   A0 0F       LDY   #$0F
96FA-   B9 00 08    LDA   $0800,Y
96FD-   99 00 02    STA   $0200,Y
9700-   C8          INY
9701-   D0 F7       BNE   $96FA

; set up callback to a routine under my
; control (at $0245, instead of jumping
; to $0301)
9703-   A9 4C       LDA   #$4C
9705-   8D 45 02    STA   $0245
9708-   A9 15       LDA   #$15
970A-   8D 46 02    STA   $0246
970D-   A9 97       LDA   #$97
970F-   8D 47 02    STA   $0247

; start the boot
9712-   4C 0F 02    JMP   $020F

; callback is here -- relocate the code
; at $0300 so it survives a reboot
9715-   A0 00       LDY   #$00
9717-   B9 00 03    LDA   $0300,Y
971A-   99 00 23    STA   $2300,Y
971D-   C8          INY
971E-   D0 F7       BNE   $9717

; turn off slot 6 drive motor
9720-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9723-   4C 00 C5    JMP   $C500

*BSAVE TRACE1,A$9600,L$126

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 0300-03FF,A$2300,L$100
]CALL -151

*300<2300.23FFM

*301L

; data table fiddling
0301-   B9 00 08    LDA   $0800,Y
0304-   0A          ASL
0305-   0A          ASL
0306-   0A          ASL
0307-   99 00 08    STA   $0800,Y
030A-   C8          INY
030B-   D0 F4       BNE   $0301

; looks like we're loading the next
; phase into $0900
030D-   A6 2B       LDX   $2B
030F-   A9 09       LDA   #$09
0311-   85 27       STA   $27

; don't know what this is yet
0313-   AD CC 03    LDA   $03CC
0316-   85 41       STA   $41

*3CC

03CC- B6

*318L

0318-   84 40       STY   $40
031A-   8A          TXA
031B-   4A          LSR
031C-   4A          LSR
031D-   4A          LSR
031E-   4A          LSR

; This is the instruction that got
; replaced at $023B. Looking at the
; previous few instructions (which
; are useless because this modified
; instruction blows away the contents
; of the accumulator), it appears that
; this code can be used to re-use the
; disk controller ROM routine to read
; sectors, but has been modified to use
; the routine at $025D instead.
031F-   A9 02       LDA   #$02
0321-   85 3F       STA   $3F
0323-   A9 5D       LDA   #$5D
0325-   85 3E       STA   $3E

; read a sector
0327-   20 43 03    JSR   $0343

*343L

0343-   6C 3E 00    JMP   ($003E)

*32AL

; decode nibble data
032A-   20 46 03    JSR   $0346

*346L

0346-   A2 32       LDX   #$32
0348-   A0 00       LDY   #$00
034A-   BD 00 08    LDA   $0800,X
034D-   4A          LSR
034E-   4A          LSR
034F-   4A          LSR
0350-   85 3C       STA   $3C
0352-   4A          LSR
0353-   85 2A       STA   $2A
0355-   4A          LSR

; Ah, I see what's going on now. The
; routine at $025D stores raw data in
; the target page ($0900), but doesn't
; decode it. This routine now takes
; that data and decodes it (using the
; data table we set up at $0800), then
; it stores the final data in ($40).
; Zero page $40 was set up from $03CC,
; which is $B6. So this is storing data
; at $B600 and up.
0356-   1D 00 09    ORA   $0900,X
0359-   91 40       STA   ($40),Y
035B-   C8          INY
035C-   BD 33 08    LDA   $0833,X
035F-   4A          LSR
0360-   4A          LSR
0361-   4A          LSR
0362-   4A          LSR
0363-   26 3C       ROL   $3C
0365-   4A          LSR
0366-   26 2A       ROL   $2A
0368-   1D 33 09    ORA   $0933,X
036B-   91 40       STA   ($40),Y
036D-   C8          INY
036E-   BD 66 08    LDA   $0866,X
0371-   4A          LSR
0372-   4A          LSR
0373-   4A          LSR
0374-   4A          LSR
0375-   26 3C       ROL   $3C
0377-   4A          LSR
0378-   26 2A       ROL   $2A
037A-   1D 66 09    ORA   $0966,X
037D-   91 40       STA   ($40),Y
037F-   C8          INY
0380-   A5 2A       LDA   $2A
0382-   29 07       AND   #$07
0384-   1D 99 09    ORA   $0999,X
0387-   91 40       STA   ($40),Y
0389-   C8          INY
038A-   A5 3C       LDA   $3C
038C-   29 07       AND   #$07
038E-   1D CC 09    ORA   $09CC,X
0391-   91 40       STA   ($40),Y
0393-   C8          INY
0394-   CA          DEX
0395-   10 B3       BPL   $034A
0397-   AD 99 08    LDA   $0899
039A-   4A          LSR
039B-   4A          LSR
039C-   4A          LSR
039D-   0D FF 09    ORA   $09FF
03A0-   91 40       STA   ($40),Y
03A2-   A6 2B       LDX   $2B
03A4-   60          RTS

Returning to caller...

*32DL

; Zero page $3D is a counter for the
; number of sectors read already. $03FF
; is the total number of sectors.
032D-   A5 3D       LDA   $3D
032F-   4D FF 03    EOR   $03FF

; if we've read enough sectors, break
; out of the loop
0332-   F0 06       BEQ   $033A

*3FF

03FF- 09

We're reading $0A sectors. (The
comparison happens before the count is
incremented, so add 1.)

; increment target page (starts at $B6)
0334-   E6 41       INC   $41

; increment sector count
0336-   E6 3D       INC   $3D

; this is really an unconditional jump
0338-   D0 ED       BNE   $0327

; Break out of loop here (from $0332).
; Accumulator is always zero at this
; point.
033A-   85 3E       STA   $3E

; still $B6
033C-   AD CC 03    LDA   $03CC
033F-   85 3F       STA   $3F

; now $B7
0341-   E6 3F       INC   $3F

; jump to $B700 to continue the boot
0343-   6C 3E 00    JMP   ($003E)

This is the strangest way I have ever
seen to load boot1 into $B600..$BFFF,
but OK. Let's capture it.

*9600<C600.C6FFM

; same as TRACE1 -- reproduce memcopy
; and set up first callback
96F8-   A0 0F       LDY   #$0F
96FA-   B9 00 08    LDA   $0800,Y
96FD-   99 00 02    STA   $0200,Y
9700-   C8          INY
9701-   D0 F7       BNE   $96FA
9703-   A9 4C       LDA   #$4C
9705-   8D 45 02    STA   $0245
9708-   A9 15       LDA   #$15
970A-   8D 46 02    STA   $0246
970D-   A9 97       LDA   #$97
970F-   8D 47 02    STA   $0247

; start the boot
9712-   4C 0F 02    JMP   $020F

; first callback is here -- set up
; second callback at $033C (after all
; sectors have been read)
9715-   A9 4C       LDA   #$4C
9717-   8D 3C 03    STA   $033C
971A-   A9 27       LDA   #$27
971C-   8D 3D 03    STA   $033D
971F-   A9 97       LDA   #$97
9721-   8D 3E 03    STA   $033E

; continue to boot
9724-   4C 01 03    JMP   $0301

; second callback is here -- turn off
; drive motor and break
9727-   AD E8 C0    LDA   $C0E8
972A-   4C 59 FF    JMP   $FF59

*BSAVE TRACE2,A$9600,L$12D

*9600G
...reboots slot 6...
<beep>

*B700L

; well, would you look at that -- we've
; managed to load a more-or-less normal
; boot1 from disk
B700-   8E E9 B7    STX   $B7E9
B703-   8E F7 B7    STX   $B7F7
B706-   A9 01       LDA   #$01
B708-   8D F8 B7    STA   $B7F8
B70B-   8D EA B7    STA   $B7EA
B70E-   AD E0 B7    LDA   $B7E0
B711-   8D E1 B7    STA   $B7E1
B714-   A9 00       LDA   #$00
B716-   8D EC B7    STA   $B7EC
B719-   AD E2 B7    LDA   $B7E2
B71C-   8D ED B7    STA   $B7ED
B71F-   AD E3 B7    LDA   $B7E3
B722-   8D F1 B7    STA   $B7F1
B725-   A9 01       LDA   #$01
B727-   8D F4 B7    STA   $B7F4
B72A-   8A          TXA
B72B-   4A          LSR
B72C-   4A          LSR
B72D-   4A          LSR
B72E-   4A          LSR
B72F-   AA          TAX
B730-   A9 00       LDA   #$00
B732-   9D F8 04    STA   $04F8,X
B735-   9D 78 04    STA   $0478,X
B738-   20 93 B7    JSR   $B793
B73B-   A2 FF       LDX   #$FF
B73D-   9A          TXS
B73E-   8E EB B7    STX   $B7EB
B741-   20 93 FE    JSR   $FE93
B744-   20 89 FE    JSR   $FE89
B747-   4C 84 9D    JMP   $9D84

*BD00L

; it even has a normal RWTS entry point
; (which means I can probably use
; Advanced Demuffin to get all the data
; off this disk)
BD00-   84 48       STY   $48
BD02-   85 49       STA   $49
BD04-   A0 01       LDY   #$01
BD06-   B1 48       LDA   ($48),Y
BD08-   AA          TAX
BD09-   8C F8 04    STY   $04F8
BD0C-   A0 0F       LDY   #$0F
BD0E-   D1 48       CMP   ($48),Y
BD10-   F0 1B       BEQ   $BD2D

; relocate this so it survives a reboot
*2600<B600.BFFFM

; reboot to my work disk
*C500G
...

]BSAVE BOOT1,A$2600,L$A00
]BSAVE RWTS,A$2800,L$800

Now that I'm over the shock of this
funky bootloader, I'm left with an RWTS
that can presumably read the data from
this disk, and a tool that can use that
RWTS to save the data to a standard
format. I'm referring, of course, to
Advanced Demuffin.

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]BRUN ADVANCED DEMUFFIN 1.5

[press "5" to switch to slot 5]

[press "R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]

[press "C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:RRRR
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:R..
SC1:R..
SC2:R...
SC3:R...
SC4:R...
SC5:R...
SC6:R...
SC7:R...
SC8:R...
SC9:R...
SCA:R...
SCB:R...
SCC:R...
SCD:RRRR
SCE:RRRR
SCF:RRRR
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

OK, I've stopped the conversion process
because I've learned two very important
things

1. Track $00 is unreadable. This should
   not surprise me; it was read by the
   custom code at $025D and $0356, not
   by the RWTS that was loaded into
   high memory later.

2. This is not a 16-sector disk. Track
   $01 and beyond are readable (by the
   RWTS I captured), but only sectors
   $00 through $0C. That's 13 sectors,
   not 16.

                   ~

"I admit it, you are better than I am."

"Then why are you smiling?"

"Because I know something you don't
know."

"And what is that?"

"I... am not a 16-sector disk."

                   ~

The author of Advanced Demuffin was
prepared for this contingency.

Returning to the main menu and pressing
"C" to convert disk, I opt to change
the default values.

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 13
                           ^^
                        important

START TRACK: $01
              ^^
           important

START SECTOR: $00
END TRACK: $22
END SECTOR: $0C
             ^^
       also important

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
13SC $01,$00-$22,$0C BY$01 S6,D1->S6,D2

                 --^--

Let's try this again.

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK: ..................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0: ..................................
SC1: ..................................
SC2: ..................................
SC3: ..................................
SC4: ..................................
SC5: ..................................
SC6: ..................................
SC7: ..................................
SC8: ..................................
SC9: ..................................
SCA: ..................................
SCB: ..................................
SCC: ..................................
SCD:
SCE:
SCF:
=======================================
13SC $01,$00-$22,$0C BY1.0 S6,D1->S6,D2

                   ~

"Oh, there's something I ought to tell
you."

"Tell me."

"I'm not a 16-sector disk reader."

                   ~

I've never done a 13-sector conversion
before. It was exhilarating.

But wait, it gets better.

]PR#5
...

]CATALOG,S6,D2

C1983 DSR^C#254
168 FREE

*A 009 EDU-WARE
*B 025 EWS2
*A 006 COMPU-READ
*A 027 CR.SYSTEM
*T 002 CR.SYSTEM.PARAMETERS
*T 002 CR.SYSTEM.FILES
*A 019 CR.FB.2
*A 020 CR.FB.3
*A 028 CR.FB.4
*T 003 CR.2.EWS
*T 006 CR.3.EWS
*T 003 CR.4.EWS
*A 012 CR.1
*A 014 CR.2
*A 016 CR.3
*A 017 CR.4
*A 013 CR.ERROR
*T 003 CR.4.TST
*T 003 CR.2.SHA
*T 002 CR.4.
*T 003 CR.4.SH
 T 002 ERR FILE

]RUN EDU-WARE

It works! Unbelievable. It even runs
from drive 2. There doesn't appear to
be any further protection beyond the
custom RWTS and the funky bootloader.

[S6,D1=freshly formatted DOS 3.3 disk]
[S6,D2=demuffin'd copy]

Turning to Copy ][+, I can file-copy
all these files to a freshly formatted
DOS 3.3 disk, then I can change the
boot program from HELLO to EDU-WARE.

Copy ][+
  --> CHANGE BOOT PROGRAM
    --> on slot 6, drive 1
      --> EDU-WARE

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 142
------------------EOF------------------