------Freddy's Puzzling Adventures----- A 4am crack 2015-03-28 --------------------------------------- Name: Freddy's Puzzling Adventures Version: "REV D" (from disk catalog) Genre: educational Year: 1984 Authors: Ahead Designs Publisher: Developmental Learning Materials Media: single-sided 5.25-inch floppy OS: Diversi-DOS Other versions: none (preserved here for the first time) ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified addres and data epilogue bytes ("AA DE EB" for each) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "AA DE EB" set Data Epilogue to "AA DE EB" all tracks readable T00 -> looks like a DOS 3.3 RWTS T00-T02 -> looks like full DOS 3.3 T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "F.P.A. REV D" T02,S02 -> reverse string "C1983 DSR" (Diversi-DOS marker) Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ]CATALOG,S6,D2 C1983 DSR^C#254 051 FREE *A 002 F.P.A. REV D *B 020 START *B 029 MENU *B 038 NC *B 028 WC *B 011 TS *B 015 F0 *B 017 F1 *B 018 F3 *B 016 F4 *B 016 F5 *B 018 F6 *B 015 N0 *B 013 N1 *B 013 N2 *B 016 N3 *B 017 N4 *B 015 N5 *B 011 W0 *B 016 W1 *B 017 W2 *B 013 W3 *B 004 DB *B 003 N0A *B 003 N1A *B 003 N2A *B 003 N3A *B 003 N4A *B 003 N5A *B 008 W0A *B 007 W1A *B 023 W2A *B 007 W3A B 002 [NMZ 0:MONEY\ A 002 HELLO [S6,D1=demuffin'd copy] ]PR#6 ...grinds... My copy can't read itself yet. I have a tool to fix that. ~ Chapter 2 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP T00,S03,$91 change AA to DE T00,S03,$9B change DE to AA T00,S03,$35 change AA to DE T00,S03,$3F change DE to AA T00,S06,$AE change AA to DE T00,S06,$B3 change DE to AA T00,S02,$9E change AA to DE T00,S02,$A3 change DE to AA (Just RWTS fixes. There doesn't appear to be any further protection.) Quod erat liberandum. --------------------------------------- A 4am crack No. 288 ------------------EOF------------------