-----------Hey Diddle Diddle----------- A 4am crack 2015-01-26 --------------------------------------- Name: Hey Diddle Diddle! Genre: educational Year: 1983 Authors: Dale Disharoon, Robin Bush Publisher: Spinnaker Software, Inc. Media: single-sided 5.25-inch floppy OS: DOS 3.3 Other versions: none (preserved here for the first time) Identical cracks: The Time Tunnel (4am crack no. 162) ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) no errors, but copy hangs on boot Copy ][+ nibble editor all tracks use standard prologues (address: D5 AA 96, data: D5 AA AD) but modified epilogues (address: FF FF FF, data: FF FF FF) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "FF FF FF" set Data Epilogue to "FF FF FF" Success! All tracks readable! T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "HEY DIDDLE DIDDLE" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) Why didn't my EDD copy work? probably a nibble check during boot Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. Patch RWTS to read standard format (if necessary) 4. find nibble check and bypass it ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 /!\ BOOT0 JUMPS TO ($BBFE) CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:R.................................. +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:R.................................. SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- Hmm. Even the disk's own RWTS can't read T00,S0A. I'm hoping that part of the copy protection and not a bad disk. ]PR#5 ]CATALOG,S6,D2 C1983 DSR^C#254 132 FREE A 003 HEY DIDDLE DIDDLE B 008 MASH.0 B 007 MASH.1 B 007 MASH.2 B 009 MASH.3 B 008 MASH.4 B 008 MASH.5 B 009 MASH.6 B 010 MASH.7 B 008 MASH.8 B 008 MASH.9 B 007 MASH.10 B 010 MASH.11 B 010 MASH.12 B 008 MASH.13 B 009 MASH.14 B 012 MASH.15 B 009 MASH.16 B 006 MASH.17 B 008 MASH.18 B 009 MASH.19 B 008 MASH.20 B 008 MASH.21 B 009 MASH.22 B 011 MASH.23 B 010 MASH.24 B 010 MASH.25 B 010 MASH.26 B 008 MASH.27 B 011 MASH.28 B 008 MASH.29 B 009 MASH.30 T 034 RHYMES A 041 DIDDLE B 011 GRAPHICS ROUTINES B 003 MASTER DRAW ]RUN HEY DIDDLE DIDDLE ...works... [S6,D1=demuffin'd copy] ]PR#6 ...still hangs on boot... ~ Chapter 2 In Which We Run Into An Old Friend ]PR#5 ... ]BLOAD BOOT0,A$800 ]CALL -151 *801L . . all normal, until... . 084A- 6C FE BB JMP ($BBFE) *BLOAD BOOT1,A$2600 *FE89G FE93G ; disconnect DOS *B600<2600.2FFFM ; move RWTS into place *BBFE.BBFF BBFE- 00 BB *BB00L ; Ah, I recognize this routine already. ; It was used by several different ; publishers, and it apparently had ; tweakable options. Turning off an ; option would generate code that makes ; no sense at first glance. BB00- A9 FF LDA #$FF BB02- 85 D6 STA $D6 BB04- BD 8D C0 LDA $C08D,X ; Some disks have a "LDA $C08E,X" here ; to require that the disk be write- ; protected. With the option off, it's ; just an unconditional jump. BB07- A9 FF LDA #$FF BB09- EA NOP BB0A- 30 05 BMI $BB11 ;[always skipped] ;BB0C- A2 B1 LDX #$B1 ;BB0E- 4C F0 BB JMP $BBF0 ; check low-level reset vector ; (I think this was protection against ; "boot inspectors" like Watson) BB11- AD FD FF LDA $FFFD BB14- C9 FA CMP #$FA BB16- F0 05 BEQ $BB1D ; fail if it's been modified BB18- A2 B2 LDX #$B2 BB1A- 4C F0 BB JMP $BBF0 ; look for a magic nibble sequence on ; track 0 BB1D- BD 8C C0 LDA $C08C,X BB20- A9 00 LDA #$00 BB22- 8D 00 02 STA $0200 BB25- BD 8C C0 LDA $C08C,X BB28- 10 FB BPL $BB25 BB2A- C9 EB CMP #$EB BB2C- D0 F7 BNE $BB25 BB2E- BD 8C C0 LDA $C08C,X BB31- 10 FB BPL $BB2E BB33- C9 D5 CMP #$D5 BB35- D0 EE BNE $BB25 BB37- BD 8C C0 LDA $C08C,X BB3A- 10 FB BPL $BB37 BB3C- C9 AA CMP #$AA BB3E- D0 E5 BNE $BB25 ; wipe most of memory ($0800..$95FF) ; although, ironically, not the part ; I'm using for boot tracing BB40- A9 4C LDA #$4C BB42- A0 00 LDY #$00 BB44- 99 00 95 STA $9500,Y BB47- 88 DEY BB48- D0 FA BNE $BB44 BB4A- CE 46 BB DEC $BB46 BB4D- AD 46 BB LDA $BB46 BB50- C9 07 CMP #$07 BB52- D0 EC BNE $BB40 ; fiddle with the RWTS to ignore ; epilogue bytes BB54- A9 18 LDA #$18 BB56- 8D 42 B9 STA $B942 ; sector $0A BB59- A9 0A LDA #$0A BB5B- 8D ED B7 STA $B7ED BB5E- D0 05 BNE $BB65 ...[some zeroes used for data later]... ; track $00 BB65- A9 00 LDA #$00 BB67- 8D EC B7 STA $B7EC ; seek command (not read) BB6A- 8D F0 B7 STA $B7F0 ; into $4000 BB6D- A9 40 LDA #$40 BB6F- 8D F1 B7 STA $B7F1 BB72- A9 01 LDA #$01 BB74- 8D F4 B7 STA $B7F4 BB77- 8D F8 B7 STA $B7F8 BB7A- 8D EA B7 STA $B7EA BB7D- 8E E9 B7 STX $B7E9 BB80- 8E F7 B7 STX $B7F7 ; more RWTS fiddling, so sector reads ; save raw nibble data in $6C00 range BB83- A0 6C LDY #$6C BB85- 8C 10 B9 STY $B910 BB88- 8C CE B8 STY $B8CE BB8B- 8C D2 B8 STY $B8D2 BB8E- 88 DEY BB8F- 8C 21 B9 STY $B921 ; a sector read, with modified RWTS BB92- 20 E7 BB JSR $BBE7 ; copy the raw nibble data elsewhere BB95- A0 55 LDY #$55 BB97- B9 00 6C LDA $6C00,Y BB9A- 99 00 5C STA $5C00,Y BB9D- 88 DEY BB9E- 10 F7 BPL $BB97 BBA0- AD 02 6B LDA $6B02 BBA3- 85 06 STA $06 ; another sector read BBA5- 20 E7 BB JSR $BBE7 BBA8- AD 02 6B LDA $6B02 BBAB- 85 07 STA $07 ; and another BBAD- 20 E7 BB JSR $BBE7 BBB0- AD 02 6B LDA $6B02 BBB3- 85 08 STA $08 ; compare this read's nibble data to ; the previous read's nibble data BBB5- A0 55 LDY #$55 BBB7- B9 00 6C LDA $6C00,Y BBBA- D9 00 5C CMP $5C00,Y ; fail if anything doesn't match BBBD- D0 2F BNE $BBEE BBBF- 88 DEY BBC0- 10 F5 BPL $BBB7 ; more comparisons of the side effects ; generated by the modified RWTS BBC2- A5 06 LDA $06 BBC4- C5 07 CMP $07 BBC6- D0 04 BNE $BBCC BBC8- C5 08 CMP $08 BBCA- F0 17 BEQ $BBE3 ; success path is here -- ; first, restore the RWTS code BBCC- A9 38 LDA #$38 BBCE- 8D 42 B9 STA $B942 BBD1- A0 BC LDY #$BC BBD3- 8C 10 B9 STY $B910 BBD6- 8C CE B8 STY $B8CE BBD9- 8C D2 B8 STY $B8D2 BBDC- 88 DEY BBDD- 8C 21 B9 STY $B921 ; then continue with boot1 as normal BBE0- 4C 00 B7 JMP $B700 BBE3- 4C 54 BB JMP $BB54 ... BBE7- A9 B7 LDA #$B7 BBE9- A0 E8 LDY #$E8 BBEB- 4C B5 B7 JMP $B7B5 ; failure path from comparison at $BBBD BBEE- A2 B3 LDX #$B3 ; general failure path is here -- ; clear screen, show text screen, write ; error code, and jump to The Badlands BBF0- 20 58 FC JSR $FC58 BBF3- 20 2D FF JSR $FF2D BBF6- 8E 03 04 STX $0403 BBF9- 4C 5B B7 JMP $B75B I'm guessing my non-working copy never got as far as wiping main memory, since the search for the nibble sequence is unconditional and neverending. That explains the behavior I saw -- it spun forever with the drive motor on, and it never got off track 0. The important takeaway here is that there don't appear to be any long-term side effects of this copy protection. If it succeeds, it restores everything that it modified (in the RWTS code), then it just jumps to $B700 to start the boot1 phase. But that's it; nothing else seems to rely on some magic number that it pulls from the raw nibbles or anything. It doesn't decrypt anything. It doesn't even clear the carry flag. ~ Chapter 3 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ... ]BRUN PDP ; fix epilogue byte checking in RWTS T00,S03,$91 change FF to DE T00,S03,$9B change FF to AA T00,S03,$35 change FF to DE T00,S03,$3F change FF to AA T00,S02,$9E change FF to DE T00,S02,$A3 change FF to AA T00,S02,$A8 change FF to EB ; bypass nibble check after boot0 T00,S00,$4B change FEBB to FD08 ; fix nibble table (ooh, I didn't see ; this in my investigation -- hooray ; for automation) T00,S04,$29 change AA to 96 Quod erat liberandum. --------------------------------------- A 4am crack No. 203 ------------------EOF------------------