--------------Drug Alert!-------------- A 4am crack 2015-08-21 --------------------------------------- Name: Drug Alert! Genre: educational Year: 1986 Authors: Methods & Solutions Publisher: Mindplay Media: single-sided 5.25-inch floppy OS: DOS 3.3 Previous cracks: none ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified data epilogue ("BF AA EB" instead of "DE AA EB") Disk Fixer ["O" -> "Input/Output Control"] set Data Epilogue to "BF AA EB" all tracks readable T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "HELLO" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) EDD worked. What does that tell us? no half or quarter tracks almost certainly no nibble check (just structural changes to epilogue) Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS SAVING IOB ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 [press "I" to load a new IOB module] --> load "IOB" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 003 FREE T 005 NAMES B 005 STUFF B 058 GAME.OBJ T 002 ROOMS INDEX T 128 HANDBOOK B 029 HAND.OBJ A 002 HELLO B 010 DGRAPH B 005 INCIN B 002 ELEV T 031 ROOMS B 010 HELLO 2.OBJ B 002 UNP B 028 DUMP.OBJ B 028 INIT.OBJ B 005 RM29 B 005 RM36 T 025 HANDBOOK2 T 004 DRUG.DAT B 026 RUNTIME.CG B 035 UT.OBJ B 005 RM45 B 005 RM26 B 005 RM43 B 005 RM35 B 005 RM11 B 005 RM13 B 008 N.SPC T 002 LOCAL CONTACT B 010 PU.PK B 010 PD.PK T 009 HANDBOOK INDEX ]RUN HELLO ...works... [S6,D1=demuffin'd copy] ]PR#6 ...grinds... My copy can't read itself yet. This is not unusual. ~ Chapter 2 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP T00,S03,$35 change BF to DE T00,S02,$9E change BF to DE Quod erat liberandum. ~ Epilogue The password to read the drug handbook is SESAME. --------------------------------------- A 4am crack No. 414 ------------------EOF------------------