-----First Degree Linear Equations-----
A 4am crack                  2014-11-13
---------------------------------------

"First Degree Linear Equations" is a 1984 educational program by Mark Berman, designed by Don Ross, and distributed by Mindscape, Inc.

COPYA reads the entire disk without complaint, but the copy does not boot. It sounds like it's loading DOS from tracks 0-2, then it swings out to a high track and stays there forever.

Time for boot tracing with AUTOTRACE.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

For those of you just tuning in, my work disk uses a custom program that I affectionately call "AUTOTRACE" to automate the process of boot tracing as far as possible. For some disks, this just captures track 0, sector 0 (saved in a file called "BOOT0") and stops. For other disks that load in the same way that an unprotected DOS 3.3 disk loads, it captures the next stage of the boot process as well (in a file called "BOOT1"). BOOT1 contains sectors 0-9 on track 0, which are loaded into memory at $B600..$BFFF. This generally contains the RWTS routines which the program uses to read the rest of the disk.

Since this disk is readable by COPYA and appears to load DOS 3.3 or some variant, I wasn't expecting any major surprises. But you never know.

I already know that boot0 is entirely normal, otherwise my AUTOTRACE program would have warned me. So let's start with boot1.

]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G ; disconnect DOS

*B600<2600.2FFFM ; move RWTS into place

*B700L
.
. all normal, until
.
B747- 4C 00 B4 JMP $B400

That usually jumps to $9D84 to cold-start DOS and execute the HELLO program or whatever. $B400 isn't supposed to contain any executable code. ("Beneath Apple DOS" says it's somewhere in the middle of the VTOC sector buffer, used for reading the disk catalog.)

What danger lurks at $B400?
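
The check made in the listing above, as an added example that is not part of the original write-up or of AUTOTRACE: it decodes the JMP at $B747 from a BOOT1 memory capture, flags a target other than $9D84, and finds the first byte that differs from a known-standard capture. The function names, the reference capture and the zero-filled sample are assumptions constructed for illustration.

```python
# Added example: inspect the boot1 exit jump in a BOOT1 memory capture.
BOOT1_BASE = 0xB600      # BOOT1 loads at $B600..$BFFF (from the write-up)
BOOT1_SIZE = 0x0A00      # ten 256-byte sectors
EXIT_JMP_ADDR = 0xB747   # address of the JMP in the listing above
DOS_COLDSTART = 0x9D84   # usual target, per the write-up
JMP_ABS = 0x4C           # 6502 JMP absolute opcode


def inspect_exit_jump(image: bytes) -> dict:
    """Decode the JMP at $B747 and report where its operand lives."""
    if len(image) != BOOT1_SIZE:
        raise ValueError(f"expected {BOOT1_SIZE} bytes, got {len(image)}")
    off = EXIT_JMP_ADDR - BOOT1_BASE
    if image[off] != JMP_ABS:
        raise ValueError(f"no JMP at ${EXIT_JMP_ADDR:04X}: found ${image[off]:02X}")
    # 6502 operands are little-endian: bytes 00 B4 mean $B400.
    target = int.from_bytes(image[off + 1:off + 3], "little")
    operand_off = off + 1
    return {
        "target": target,
        "standard": target == DOS_COLDSTART,
        "page": operand_off >> 8,        # 256-byte page within the capture
        "offset": operand_off & 0xFF,    # byte offset within that page
    }


def first_difference(image: bytes, reference: bytes):
    """Address of the first byte, up to and including the JMP operand,
    where image differs from a known-standard reference capture; None if
    the two agree over that whole range."""
    end = EXIT_JMP_ADDR - BOOT1_BASE + 3
    for i in range(end):
        if image[i] != reference[i]:
            return BOOT1_BASE + i
    return None


def make_sample(target: int) -> bytes:
    """Constructed sample: zero-filled capture holding only the exit JMP."""
    buf = bytearray(BOOT1_SIZE)
    off = EXIT_JMP_ADDR - BOOT1_BASE
    buf[off:off + 3] = bytes([JMP_ABS]) + target.to_bytes(2, "little")
    return bytes(buf)


if __name__ == "__main__":
    info = inspect_exit_jump(make_sample(0xB400))
    print(f"JMP ${info['target']:04X} standard={info['standard']} "
          f"page={info['page']} offset=${info['offset']:02X}")
```

For the capture described here the operand falls at page 1, offset $48, the same location as the T00,S01,$48 line in the patcher output further down the page.
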
*C500G ; because I overwrote DOS
...
*9600.

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
...
]BRUN PDP

T00,S01,$48 change 00B4 to 849D

(This is the actual output of the program. Post-Demuffin Patcher prints out the changes it is going to make before it writes them to the disk.)

I should point out that Post-Demuffin Patcher is really quite conservative in making patches. It checks a lot of the surrounding code before deciding to patch a specific location. In the case of bypassing this nibble check, it checks every single byte of code up to and including the JMP $B400, to ensure that the disk is using a standard DOS boot0 and boot1 routine up until that point. And there were dozens of patches that it didn't make to this disk (like RWTS patches), because it decided they weren't needed.

]PR#6

And it works. The disk boots and runs with no complaint. There doesn't appear to be any further protection.

Hooray for automation. (Oh, this is gonna get good.)

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 161
------------------EOF------------------