---------------Dyno-Quest--------------
A 4am crack
2015-03-27
---------------------------------------

Name: Dyno-Quest
Genre: educational
Year: 1984
Author: Methods & Solutions
Publisher: Mindplay, Inc.
Media: single-sided 5.25-inch floppy
OS: custom
Other versions: Asimov has a cracked uncredited .nib image
Similar cracks: Math Magic (no. 282)

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA                   reads several passes then fails with a disk read error

Locksmith Fast Disk     reads every track except $1E; copy hangs on boot
Backup

EDD 4 bit copy          no errors, but copy prints an error
(no sync, no count)     "THIS IS A COPYRIGHTED DISK. IT IS EITHER PIRATED
                        OR DAMAGED." and hangs

Copy ][+ nibble editor  T1E is mostly self-sync bytes ($FF), no sector
                        structure

Disk Fixer              unable to read track $1E with any combination of
                        parameters

Why didn't COPYA work?          track $1E is intentionally unreadable
Why didn't Locksmith FDB work?  probably stuck in an infinite loop trying
                                to read the unreadable T1E
Why didn't my EDD copy work?    definitely a nibble check during boot

Next steps:

  1. Boot trace
  2. Find nibble check and disable it
  3. There is no step 3 (I hope)

~

Chapter 1
In Which We Quickly Find Ourselves In Unfamiliar Territory

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G        ; disconnect DOS
*B600<2600.2FFFM    ; move RWTS into place
*B700L

; right off the bat, I'm lost -- this
; bootloader is not at all what I was
; expecting
B700-   20 06 B7    JSR   $B706
B703-   4C 00 B5    JMP   $B500

$B500 isn't loaded yet (boot0 loads boot1 into $B600..$BFFF), so it must be the next stage of the boot which is loaded by the subroutine at $B706.
B706-   AE 27 B7    LDX   $B727
B709-   CA          DEX
B70A-   8A          TXA
B70B-   18          CLC
B70C-   6D 2D B7    ADC   $B72D
B70F-   C9 10       CMP   #$10
B711-   30 08       BMI   $B71B
B713-   EE 2C B7    INC   $B72C
B716-   38          SEC
B717-   E9 10       SBC   #$10
B719-   10 F4       BPL   $B70F
B71B-   8D 2D B7    STA   $B72D
B71E-   AE 27 B7    LDX   $B727
B721-   CA          DEX
B722-   8A          TXA
B723-   18          CLC
B724-   4C 3D B7    JMP   $B73D

This code didn't make a lot of sense to me until I looked at the bytes starting at $B727:

B727-   02
B728-   01 60 01 00 01 00 37 B7
B730-   00 B5 00 00 01 00 00 60
B738-   01 00 01 EF D8

Aha! That's an RWTS parameter table (starting at $B728), and this is all a multi-sector read loop.

B73D-   6D 31 B7    ADC   $B731
B740-   8D 31 B7    STA   $B731
B743-   78          SEI
B744-   A0 28       LDY   #$28
B746-   A9 B7       LDA   #$B7
B748-   20 00 BD    JSR   $BD00
B74B-   AE 29 B7    LDX   $B729
B74E-   90 63       BCC   $B7B3

; check RWTS command ($02 = write)
B750-   AD 34 B7    LDA   $B734
B753-   C9 02       CMP   #$02

; read ($01) and seek ($00) will branch
B755-   D0 42       BNE   $B799
...
B799-   58          CLI

; turn off drive motor (this is usually
; taken care of within the RWTS, but
; maybe this RWTS doesn't?)
B79A-   BD 88 C0    LDA   $C088,X

B79D-   CE 2D B7    DEC   $B72D
B7A0-   10 08       BPL   $B7AA
B7A2-   CE 2C B7    DEC   $B72C
B7A5-   A9 0F       LDA   #$0F
B7A7-   8D 2D B7    STA   $B72D
B7AA-   CE 31 B7    DEC   $B731
B7AD-   CE 27 B7    DEC   $B727
B7B0-   D0 91       BNE   $B743
B7B2-   60          RTS
B7B3-   A9 00       LDA   #$00
B7B5-   8D 35 B7    STA   $B735
B7B8-   4C 99 B7    JMP   $B799

There doesn't appear to be any funny business. It's a bit convoluted, but it just loads sectors from a given track until $B727 hits 0. Let's see what's at $B500.

*9600
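To check that the loop at $B706..$B7B2 really is just a multi-sector read with no side effects, here is a Python model of the same arithmetic, added here as an example; it is not code from the disk or from the original writeup. The IOB fields it tracks are the ones the 6502 code touches ($B727 count, $B72C track, $B72D sector, $B731 buffer page). The RWTS call at $BD00 is replaced by a stub that copies 256-byte sectors out of a constructed dictionary; the real RWTS and its nibble format are not modelled, and the sample disk contents are made up so that each sector's origin is visible in memory.

```python
"""Model of the multi-sector read loop at $B706..$B7B2 in Dyno-Quest's boot1.

Added example, not the original disk's code. Mirrors the 6502 arithmetic so
the loop's behaviour can be checked against a constructed disk image.
"""

SECTORS_PER_TRACK = 0x10   # the loop wraps sectors at $10 (CMP #$10 / LDA #$0F)


def make_disk(tracks=3):
    """Constructed sample disk: every byte of a sector is (track << 4) | sector,
    so we can see which sector landed on which memory page."""
    return {(t, s): bytes([(t << 4) | s] * 256)
            for t in range(tracks) for s in range(SECTORS_PER_TRACK)}


def rwts_read(disk, track, sector, page, memory):
    """Stand-in for JSR $BD00 with the read command ($01): copy one 256-byte
    sector to memory at page*$100. Raises KeyError for a sector the
    constructed disk does not have (the real RWTS would set $B735 instead)."""
    memory[page * 0x100:(page + 1) * 0x100] = disk[(track, sector)]


def multi_sector_read(disk, memory, track, sector, count, page):
    """Mirror of $B706..$B7B2. Returns the (track, sector, page) triples in the
    order the RWTS would be called, and fills `memory` as a side effect."""
    # $B706-$B71B: end sector = sector + count - 1, carrying into the track.
    a = (sector + count - 1) & 0xFF
    while ((a - 0x10) & 0x80) == 0:       # CMP #$10 / BMI: keep going while A >= $10
        track += 1                         # INC $B72C
        a = (a - 0x10) & 0xFF              # SEC / SBC #$10 (BPL loops back)
    sector = a                             # STA $B72D
    # $B71E-$B740: end buffer page = page + count - 1.
    page = (page + count - 1) & 0xFF       # ADC $B731 / STA $B731
    reads = []
    # $B743-$B7B0: read one sector, then step backwards until the count hits 0.
    while True:
        rwts_read(disk, track, sector, page, memory)   # JSR $BD00
        reads.append((track, sector, page))
        sector -= 1                        # DEC $B72D
        if sector < 0:                     # BPL $B7AA not taken: wrapped below 0
            track -= 1                     # DEC $B72C
            sector = 0x0F                  # LDA #$0F / STA $B72D
        page -= 1                          # DEC $B731
        count -= 1                         # DEC $B727
        if count == 0:                     # BNE $B743 falls through to RTS
            return reads


def boot_stage_reads():
    """Run the loop with the IOB values seen at $B727..$B731 on the page:
    count $02, track $01, sector $00, buffer $B500."""
    disk = make_disk()
    memory = bytearray(0x10000)
    reads = multi_sector_read(disk, memory, track=1, sector=0, count=2, page=0xB5)
    return reads, memory


if __name__ == "__main__":
    order, mem = boot_stage_reads()
    for t, s, p in order:
        print(f"T{t:02X} S{s:02X} -> ${p:02X}00  (first byte ${mem[p * 0x100]:02X})")
```

Because the end sector and end page are computed first and then decremented in step, the sectors land contiguously in memory (highest sector on the highest page) even when the run crosses a track boundary; with the page's own IOB values the loop reads T01 S01 into $B600 and then T01 S00 into $B500.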