-------Kittens, Kids, and a Frog-------
A 4am crack                  2015-03-06
---------------------------------------

Name: Kittens, Kids, and a Frog
Version: 01.11.85
Genre: educational
Year: 1985
Author: Janet Goldman
Publisher: Hartley Courseware, Inc.
Media: two single-sided 5.25-inch disks
OS: DOS 3.3
Identical cracks:
  Reading for Meaning Level 2
    (4am crack no. 154),
  other Hartley Courseware titles

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address and data epilogue
  bytes ("DA AA EB" for each)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DA AA EB"
    set Data Epilogue to "DA AA EB"
  all tracks readable
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
   In Which We Attempt To Use The
Original Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
112 FREE

*A 003 HELLO
*A 010 CREDITS
*A 045 KKF
*A 045 CREATE LESSON
*A 021 STU PLAN
*A 014 PWL
*B 002 IR
*B 004 HR4
*B 003 GARBAG
*B 003 SMILES
*B 009 LGCHRS
*B 012 PICDRAW
*B 009 FROG.PIC
*T 031 STU.FILE
*T 002 LESSONS.FILE
*T 001 COPYRIGHT (C) 1985
*T 001 HARTLEY COURSEWARE INC.
*T 001 ALL RIGHTS RESERVED
 T 006 CARS 1
 T 007 CARS 2
 T 007 BUG 1
 T 008 BUG 2
 T 007 TURTLE
 T 009 LIZARD
 T 010 MOUSE
 T 008 TAZ 1
 T 010 TAZ 2
 T 010 TAZ 3
 T 011 TAZ 4
 T 010 TAZ 5
 B 006 P1
 B 005 P2
 B 007 P3
 B 005 P4
 B 005 P5
 B 006 P6
 B 005 P7
 B 004 P8
 B 007 P9
 B 005 P10
 B 005 P11
 B 005 P12

]RUN HELLO
...works...

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My copy can't read itself yet. I have a
tool to fix that.

                   ~

               Chapter 2
     In Which We Remove All Traces
    Of Copy Protection Using An
  Automated Tool That I Wrote For Just
 Such An Occasion And Then It Crashes
                Anyway

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

T00,S03,$91 change DA to DE
T00,S03,$35 change DA to DE
T00,S02,$9E change DA to DE

]PR#6
...crashes at $9D86...

Wait, what?

After minutes of furious investigation,
I hit upon the source of the problem:
the disk volume number. The original
disk uses disk volume 001, but the
process of converting it with Advanced
Demuffin gives me a (non-working) copy
with disk volume 254. (This is encoded
in every sector's address field.)

Why is this a problem?
Well, besides appearing in every
sector's address field, the volume
number is stored in four different
places when a disk is initialized:

  1. $B7EB (T00,S01,$EB), in the RWTS
     parameter table used by boot1 to
     load DOS from tracks 0-2
     ["Beneath Apple DOS", p. 8-35]

  2. $B7F6 (T00,S01,$F6), also in the
     RWTS parameter table, as the
     "last found" disk volume

  3. $AA66 (T01,S09,$66), in the parsed
     keyword table used by DOS to load
     the startup program (and every
     other file loaded after that)
     [ibid., p. 8-21]

  4. $B3C1 (T11,S00,$06), in the VTOC
     header [ibid., p. 8-32]

My (non-working) copy has a $01 in each
of those locations. Since this doesn't
match the actual disk volume number in
the address fields, every sector read
fails and DOS never loads.

(Why did it work when I booted from my
work disk? Because that loaded DOS from
a separate disk that was already disk
volume 254, thus matching up with the
actual disk volume number in my
non-working copy's address fields.)

Using my trusty Disk Fixer sector
editor, I changed each of the
aforementioned locations to $FE.

T00,S01,$EB change 01 to FE
T00,S01,$F6 change 01 to FE
T01,S09,$66 change 01 to FE
T11,S00,$06 change 01 to FE

Success! My copy finally boots and runs
on its own. There doesn't appear to be
any further copy protection.

(Note to self: add this to a future
version of Post-Demuffin Patcher.)

Disk 2 has identical protection.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 246
------------------EOF------------------
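
Added example (not part of 4am's write-up): a Python model of the two address-field checks this crack runs into, the modified "DA AA EB" epilogue from Chapter 0 and the volume mismatch from Chapter 2. The function names, the constructed sample fields, and the choice to compare only the first two epilogue nibbles are assumptions of this example.

```python
# Added example (not 4am's code): model of the DOS 3.3 address-field
# checks discussed above. Sample fields below are constructed.
PROLOGUE = bytes([0xD5, 0xAA, 0x96])
STD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])      # stock DOS 3.3
HARTLEY_EPILOGUE = bytes([0xDA, 0xAA, 0xEB])  # "DA AA EB" from Chapter 0

def enc44(b):
    """4-and-4 encode one byte as two disk nibbles (odd bits, even bits)."""
    return bytes([(b >> 1) | 0xAA, b | 0xAA])

def dec44(hi, lo):
    """Inverse of enc44."""
    return ((hi << 1) | 1) & lo & 0xFF

def build_address_field(volume, track, sector, epilogue):
    """Prologue + volume, track, sector, XOR checksum + epilogue."""
    fields = (volume, track, sector, volume ^ track ^ sector)
    return PROLOGUE + b"".join(enc44(v) for v in fields) + epilogue

def read_address_field(nibbles, epilogue=STD_EPILOGUE, want_volume=0):
    """Return (status, (volume, track, sector)).

    Assumption: only the first two epilogue nibbles are compared.
    want_volume=0 accepts any volume.
    """
    start = nibbles.find(PROLOGUE)
    body = nibbles[start + 3:start + 13] if start >= 0 else b""
    if len(body) < 10:
        return "no address field", None
    vol, trk, sec, chk = (dec44(body[i], body[i + 1]) for i in (0, 2, 4, 6))
    if vol ^ trk ^ sec != chk:
        return "bad checksum", None
    if body[8:10] != epilogue[:2]:
        return "bad epilogue", (vol, trk, sec)
    if want_volume and vol != want_volume:
        return "volume mismatch", (vol, trk, sec)
    return "ok", (vol, trk, sec)

# Constructed samples: T11,S00 as on the original and on the converted copy.
ORIGINAL = build_address_field(0x01, 0x11, 0x00, HARTLEY_EPILOGUE)
CONVERTED = build_address_field(0xFE, 0x11, 0x00, STD_EPILOGUE)

if __name__ == "__main__":
    print(read_address_field(ORIGINAL))                       # stock reader
    print(read_address_field(ORIGINAL, HARTLEY_EPILOGUE, 1))  # disk's own RWTS
    print(read_address_field(CONVERTED, want_volume=0x01))    # stale $01
    print(read_address_field(CONVERTED, want_volume=0xFE))    # after the fix
```

The third call models the converted copy before the four stored volume bytes are changed from $01 to $FE; the fourth models it afterwards.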