-------Hands On BASIC Programming------
A 4am crack                  2016-02-21
---------------------------------------

Name: Hands On BASIC Programming
Version: 1.0 (25 Feb 83)
Genre: educational
Year: 1983
Author: Neil Bennett, Ph.D.
Publisher: Edu-Ware
Media: one single-sided 5.25-inch disk
OS: DOS 3.3
Previous cracks: none
Similar cracks:
  #575 Milt's Math Drills: Addition and Subtraction
  #451 Antonyms/Synonyms 1
  #420 Fact or Opinion
  #246 Kittens, Kids, and a Frog v01.11.85

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read anything past T00,S09

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address and data epilogues
  ("DA AA EB" instead of "DE AA EB")
  on T01+, and on sectors $0A-$0F of
  track $00

Disk Fixer
  T00 -> looks like a DOS 3.3 RWTS
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DA AA EB"
    set Data Epilogue to "DA AA EB"
  T01+ readable (also the rest of T00)
  T00-T02 -> full copy of DOS 3.3
  T01,S09 -> startup program is "EDU-WARE"
  T11 -> DOS 3.3 disk catalog

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
    In Which We Attempt To Use The
Original Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:R..................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:R..................................
SC1:R..................................
SC2:R..................................
SC3:R..................................
SC4:R..................................
SC5:R..................................
SC6:R..................................
SC7:R..................................
SC8:R..................................
SC9:R..................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Argh. The RWTS can read every sector on
the disk, except the ones that contain
the RWTS. (Those are loaded by the disk
controller firmware.)

But soft, what light from yonder disk
catalog breaks!

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
297 FREE

*A 009 EDU-WARE
*B 031 EWS3
*A 003 HANDS ON BASIC PROGRAMMING
*B 034 HOB.PIC
*I 002 APPLESOFT
*B 143 HHB

]RUN EDU-WARE
...works...

(The reason I always do this is to see
whether there are any runtime checks
for subtle differences in the original
DOS. If the program runs after booting
from a third-party disk, I can
eliminate a whole range of possible
secondary protections.)

Using my trusty Disk Fixer sector
editor, I manually copied sectors $00
through $09 of track $00 from the
original disk to my demuffin'd copy.

[S6,D1=demuffin'd copy, with restored
       track $00]

]PR#6
...grinds...

My copy can't read itself yet.
This is not unusual.

                   ~

               Chapter 2
   In Which We Remove All Traces Of
   Copy Protection Using An Automated
    Tool That I Wrote For Just Such
              An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; fix non-standard epilogue bytes
T00,S03,$91 change DA to DE
T00,S03,$35 change DA to DE
T00,S02,$9E change DA to DE

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 608
------------------EOF------------------
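
The epilogue mismatch from Chapter 0, as an added example that is not part of the original write-up: a Python scanner over a raw nibble stream that decodes each DOS 3.3 address field and reports sectors whose address or data epilogue is not "DE AA EB". It assumes the standard prologues (D5 AA 96 and D5 AA AD); the function names and the sample track bytes are constructed for illustration.

```python
ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0x96])      # standard DOS 3.3 address prologue
DATA_PROLOGUE = bytes([0xD5, 0xAA, 0xAD])      # standard DOS 3.3 data prologue
STANDARD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])
DATA_FIELD_LEN = 343  # 342 six-and-two nibbles plus one checksum nibble

def decode_44(hi, lo):
    """Decode one 4-and-4 pair (odd bits in hi, even bits in lo)."""
    return ((hi << 1) | 1) & lo

def encode_44(value):
    """Inverse of decode_44; only used to build the constructed sample."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])

def scan_track(nibbles):
    """Return one dict per address field found, with both epilogues."""
    found = []
    pos = nibbles.find(ADDR_PROLOGUE)
    while pos != -1 and pos + 14 <= len(nibbles):
        field = nibbles[pos + 3:pos + 11]
        vol, trk, sec, chk = (decode_44(field[i], field[i + 1]) for i in (0, 2, 4, 6))
        nxt = nibbles.find(ADDR_PROLOGUE, pos + 14)
        limit = nxt if nxt != -1 else len(nibbles)
        # The data field belongs to this sector only if it precedes the next header.
        dpos = nibbles.find(DATA_PROLOGUE, pos + 14, limit)
        data_epi = None  # stays None when the data field is missing or truncated
        start = dpos + 3 + DATA_FIELD_LEN
        if dpos != -1 and start + 3 <= limit:
            data_epi = bytes(nibbles[start:start + 3])
        found.append({"track": trk, "sector": sec,
                      "checksum_ok": chk == vol ^ trk ^ sec,
                      "addr_epilogue": bytes(nibbles[pos + 11:pos + 14]),
                      "data_epilogue": data_epi})
        pos = nxt
    return found

def nonstandard(found):
    """(track, sector) pairs whose address or data epilogue is not DE AA EB."""
    return [(s["track"], s["sector"]) for s in found
            if STANDARD_EPILOGUE not in (s["addr_epilogue"],) or
            s["data_epilogue"] != STANDARD_EPILOGUE]

def sample_sector(track, sector, epilogue, volume=254):
    """Constructed sector: sync gap, address field, gap, filler data field."""
    hdr = b"".join(encode_44(v) for v in (volume, track, sector, volume ^ track ^ sector))
    return (b"\xFF" * 8 + ADDR_PROLOGUE + hdr + epilogue + b"\xFF" * 6
            + DATA_PROLOGUE + b"\x96" * DATA_FIELD_LEN + epilogue)

# Constructed input mirroring Chapter 0: T00,S09 standard, T00,S0A modified.
SAMPLE = (sample_sector(0, 0x09, STANDARD_EPILOGUE)
          + sample_sector(0, 0x0A, bytes([0xDA, 0xAA, 0xEB])))
```

Run against a nibble dump of a real track, any sector it lists is one a stock RWTS would reject for the reason COPYA and Locksmith Fast Disk Backup failed above.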