---Knowledge Master: World History 1---
A 4am crack
2014-10-28
---------------------------------------

"Knowledge Master: World History 1" is a 1987 educational program distributed by Academic Hallmarks.

COPYA fails miserably and immediately. Locksmith Fast Disk Backup fares no better. EDD 4 bit copy gives no read errors, but the copy it creates just hangs very early in the boot process. It doesn't sound like it ever gets off track 0.

Turning to my trusty Disk Fixer sector editor, I go to "Input/Output Control" (press "O") and set CHECKSUM ENABLED= NO. (This ignores address and data epilogue bytes.) Now I can read every sector on every track. From a brief manual inspection, I'd say the RWTS on track 0 strongly resembles a DOS 3.3 RWTS. There is a VTOC (disk catalog) on track $11, but the original disk sounds like it's doing some extra disk work before loading DOS. It does eventually display the normal DOS prompt and swing out to track $11, though.

Given the (relatively) weak structural protection, I used to turn to the DOS 3.3 master disk, patch the RWTS to ignore checksums and epilogue bytes (changing $B942 from "SEC" to "CLC"), and run COPYA.

Then, one fine day, and completely by accident, I came across an original disk with a bad sector. I suppose this shouldn't surprise me. These floppies are decades old by now; it's amazing any of them work at all. The point is, I shouldn't be using tools that ignore potentially serious read errors.

There are other tools, like Super Demuffin, that can convert a disk like this (with non-standard epilogue bytes) into a standard format. It requires figuring out what the actual epilogue bytes are, but it has the advantage of surfacing a read error if the original disk actually has a read error.

So... no more COPYA+B942:18 patch. From now on, it's Super Demuffin or Advanced Demuffin to convert disks to a standard format.
I should be able to use my AUTOTRACE program to extract the RWTS from the original disk, then load that into Advanced Demuffin to convert it to a standard format. Time for boot tracing with AUTOTRACE.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
/!\ BOOT0 JUMPS TO ($BBFE)
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

Well, that worked flawlessly. My work disk first runs AUTOTRACE0, which sets up a minimal boot trace to capture the first sector of track 0 and saves it to the file "BOOT0" (on my work disk, not the original disk). If the first sector looks reasonably normal, it runs AUTOTRACE1, which sets up a more involved boot trace to capture the rest of track 0 and save it to the file "BOOT1". If *that* looks reasonably normal, it saves the RWTS to a file, unimaginatively named "RWTS", which can be loaded with Advanced Demuffin to copy each track of the original disk to a duplicate with standard address/data prologue/epilogue sequences.

Furthermore, my AUTOTRACE program detected a non-standard jump after boot0. Usually boot0 loads boot1 and jumps to it indirectly via ($08FD), but this disk is jumping to ($BBFE) instead. Highly suspicious; definitely worth a look.

I'll come back to the nibble check. First, I want to take the RWTS I extracted and load it into Advanced Demuffin to convert this disk to a standard format.

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
]BRUN ADVANCED DEMUFFIN 1.5
[press "5" to switch to slot 5]
[press "R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
[press "6" to switch to slot 6]
[press "C" to convert disk]

This disk is 16 sectors, and the default options (copy the entire disk, all tracks, all sectors) don't need to be changed unless something goes horribly wrong.
--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

The disk's own RWTS gave no read errors on any track. This is the power and the genius of Advanced Demuffin. Every disk must be able to read itself. So, let it read itself, then capture the data and write it out in a standard format.

Now I have a copy of each disk in a standard format that can be read by any third-party tool. That is, I can copy these disks with COPYA or Locksmith Fast Disk Backup, without patching the DOS 3.3 RWTS beforehand. I can sector edit the disk without messing with the epilogue bytes, &c.

There are two problems with this copy:

1. Depending on how the original RWTS was written, a demuffin'd disk may not be able to read itself. Some developers just patch the RWTS to ignore epilogue bytes, while others patch the RWTS to look for specific non-standard epilogue bytes. Demuffin'd disks in the latter category will grind immediately on boot, since as soon as the RWTS is loaded, all further disk reads will look for the original (non-standard) epilogue bytes and not find them.

2. Even if it can read itself, it won't run.
The copies I tried to make -- even the bit copies -- just hung, which means there is some code being executed during boot to check if the disk is original. (Hint: it's not.)

Booting my non-working copy, it seems I need to solve #2 before I can tackle #1. The disk exhibits the same behavior as my failed bit copy: the disk hangs very early in the boot process. I don't think it's even getting far enough to call the RWTS.

Let's go find that nibble check.

]PR#5
...
]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G
*B600<2600.2FFFM
*BBFE.BBFF

BBFE- 00 BB

*BB00L

BB00-   A9 FF       LDA   #$FF
BB02-   85 D6       STA   $D6

; sense whether the disk is write-protected...

BB04-   BD 8D C0    LDA   $C08D,X
BB07-   BD 8E C0    LDA   $C08E,X

; ...but don't actually do anything with this information (both paths end up at $BB0F)

BB0A-   30 03       BMI   $BB0F
BB0C-   4C 0F BB    JMP   $BB0F

; check the low-level reset vector ($FFFD is its high byte, $FA in the Apple's ROM)...

BB0F-   AD FD FF    LDA   $FFFD
BB12-   C9 FA       CMP   #$FA

; ...but don't actually do anything with this information either (WTF?)
; (a BNE with a $00 offset just falls through to $BB16)

BB14-   D0 00       BNE   $BB16

; look for a magic nibble sequence ($EB $D5 $AA) on track 0; every failed compare branches back to $BB1E and reads a fresh nibble, and nothing else ever leaves this loop

BB16-   BD 8C C0    LDA   $C08C,X
BB19-   A9 00       LDA   #$00
BB1B-   8D 00 02    STA   $0200
BB1E-   BD 8C C0    LDA   $C08C,X
BB21-   10 FB       BPL   $BB1E      ; wait for a nibble (bit 7 set)
BB23-   C9 EB       CMP   #$EB
BB25-   D0 F7       BNE   $BB1E
BB27-   BD 8C C0    LDA   $C08C,X
BB2A-   10 FB       BPL   $BB27
BB2C-   C9 D5       CMP   #$D5
BB2E-   D0 EE       BNE   $BB1E
BB30-   BD 8C C0    LDA   $C08C,X
BB33-   10 FB       BPL   $BB30
BB35-   C9 AA       CMP   #$AA
BB37-   D0 E5       BNE   $BB1E

; wipe most of main memory: fill pages $95 down to $08 ($0800-$95FF) with $4C (the JMP opcode), decrementing the high byte of the STA operand at $BB3F after each page and stopping once it reaches $07

BB39-   A9 4C       LDA   #$4C
BB3B-   A0 00       LDY   #$00
BB3D-   99 00 95    STA   $9500,Y
BB40-   88          DEY
BB41-   D0 FA       BNE   $BB3D
BB43-   CE 3F BB    DEC   $BB3F
BB46-   AD 3F BB    LDA   $BB3F
BB49-   C9 07       CMP   #$07
BB4B-   D0 EC       BNE   $BB39

; and continue with boot1

BB4D-   4C 00 B7    JMP   $B700

I'm guessing my non-working copy never got as far as wiping main memory, since the search for the nibble sequence is unconditional and neverending. That explains the behavior I saw -- it spun forever with the drive motor on, and it never got off track 0.
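A quick way to confirm that reading of the loop, as an added example that is not part of the original write-up: a Python model of the code at $BB16-$BB4B, fed constructed nibble streams (the lists below are made up for the demo and stand in for successive reads of $C08C,X). It also reproduces a quirk the branch targets imply: a failed compare restarts at $BB1E with a fresh nibble, so a lone $EB $EB $D5 $AA is missed.

```python
import itertools

# Constructed nibble streams standing in for successive reads of $C08C,X
# (only nibbles with bit 7 set, since the BPL loops skip everything else).
ORIGINAL_TRACK = [0xFF] * 40 + [0xEB, 0xD5, 0xAA] + [0xD5, 0xAA, 0x96] + [0xFF] * 10
COPY_TRACK     = [0xFF] * 40 + [0xD5, 0xAA, 0x96] + [0xFF] * 10  # standard prologue only
QUIRK_TRACK    = [0xFF] * 8 + [0xEB, 0xEB, 0xD5, 0xAA] + [0xFF] * 8

MAGIC = (0xEB, 0xD5, 0xAA)   # what $BB23, $BB2C and $BB35 compare against


def nibble_check(track, max_reads=10_000):
    """Model of $BB16-$BB37.  Returns 'boot' if the code would fall through
    to the memory wipe, or 'hang' if it is still looping after max_reads
    nibbles (a real drive keeps spinning, so the cap stands in for "forever").

    Every failed CMP branches back to $BB1E, which reads a *fresh* nibble;
    the nibble that just failed is never re-tested as a possible $EB."""
    matched = 0                                   # how many of MAGIC seen so far
    for nibble in itertools.islice(itertools.cycle(track), max_reads):
        if nibble == MAGIC[matched]:
            matched += 1
            if matched == len(MAGIC):
                return 'boot'
        else:
            matched = 0                           # BNE $BB1E: start over
    return 'hang'


def wiped_pages():
    """Pages the loop at $BB39-$BB4B fills with $4C.  The STA at $BB3D starts
    at $9500, its high byte (the operand at $BB3F) is decremented after each
    256-byte page, and the loop exits when that byte reaches $07."""
    pages, hi = [], 0x95
    while True:
        pages.append(hi)                          # 256 x STA $hh00,Y
        hi -= 1                                   # DEC $BB3F
        if hi == 0x07:                            # CMP #$07 / BNE $BB39
            return pages


if __name__ == '__main__':
    for name, track in [('original', ORIGINAL_TRACK), ('copy', COPY_TRACK),
                        ('EB EB D5 AA', QUIRK_TRACK)]:
        print(f'{name:12}: {nibble_check(track)}')
    print(f'wipes ${wiped_pages()[0]:02X}00-${wiped_pages()[-1]:02X}FF')
```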
I'm also guessing that this copy protection was adapted from a more general one that had a few options. One option would fail if the copy was write-protected. Another would fail if a program like Watson had switched in the language card and patched the low-level reset vector. This disk has code for both but actually cares about neither.

Now that I understand it, fixing it is the easy part. A lot of disks need this sort of post-demuffin patching, and I got tired of doing it manually, so I wrote a program to do it for me. It is called, unsurprisingly, Post-Demuffin Patcher. It prompts you to select a slot and drive, then reads the demuffin'd disk, checks for a modified DOS 3.3-shaped RWTS, and applies the necessary patches so the disk can read itself. (It can also detect and bypass some nibble checks.) I've included a copy of Post-Demuffin Patcher on my work disk; the full source code is currently available at .

[S6,D1=demuffin'd copy]

]PR#5
...
]BRUN PDP

T00,S03,$91 change FF to DE
T00,S03,$9B change FF to AA
T00,S03,$35 change FF to DE
T00,S03,$3F change FF to AA
T00,S02,$9E change FF to DE
T00,S02,$A3 change FF to AA
T00,S02,$A8 change FF to EB
T00,S00,$4B change FEBB to FD08

(This is the actual output of the program. Post-Demuffin Patcher prints out the changes it is going to make before it writes them to the disk.)

The first 7 lines are RWTS patches. This solves problem #1 -- the original disk used a modified RWTS that couldn't read a standard disk.

The last line is a patch to boot0 to jump to ($08FD) instead of ($BBFE). This solves problem #2 -- the original disk called a nibble check after boot0. Calling ($08FD) bypasses the check.

I should point out that Post-Demuffin Patcher is really quite conservative in making patches. It checks a lot of the surrounding code before deciding to patch a specific location (like the RWTS patches).
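To show how that report maps onto a standard-format image, an added example (not the Post-Demuffin Patcher source): a Python patcher that applies the eight lines above to a DOS-ordered .dsk image, refusing to write anything if a "from" byte isn't where the report says it is. It assumes the track/sector numbers are DOS 3.3 logical sectors, which is the order a .dsk stores them in, and the image is constructed in memory rather than read from a disk.

```python
TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256

# The eight lines Post-Demuffin Patcher printed for this disk.
PDP_OUTPUT = """\
T00,S03,$91 change FF to DE
T00,S03,$9B change FF to AA
T00,S03,$35 change FF to DE
T00,S03,$3F change FF to AA
T00,S02,$9E change FF to DE
T00,S02,$A3 change FF to AA
T00,S02,$A8 change FF to EB
T00,S00,$4B change FEBB to FD08
"""

def parse_patches(text):
    """PDP report lines -> (track, sector, offset, old_bytes, new_bytes) tuples."""
    patches = []
    for line in text.splitlines():
        loc, word, old, to, new = line.split()        # 'T00,S03,$91 change FF to DE'
        trk, sec, off = (int(f[1:], 16) for f in loc.split(','))
        if word != 'change' or to != 'to':
            raise ValueError(f'unrecognised patch line: {line!r}')
        patches.append((trk, sec, off, bytes.fromhex(old), bytes.fromhex(new)))
    return patches

def dsk_offset(track, sector, byte):
    """Offset in a DOS-ordered .dsk: tracks back to back, 16 logical sectors of 256 bytes each."""
    return (track * SECTORS + sector) * SECTOR_SIZE + byte

def apply_patches(image, patches):
    """Check every 'from' value before writing anything: one mismatch aborts the
    whole set, mirroring PDP's refusal to patch what it isn't sure about."""
    image = bytearray(image)
    for trk, sec, off, old, _ in patches:
        pos = dsk_offset(trk, sec, off)
        found = bytes(image[pos:pos + len(old)])
        if found != old:
            raise ValueError(f'T{trk:02X},S{sec:02X},${off:02X}: expected {old.hex().upper()}, found {found.hex().upper()}')
    for trk, sec, off, _, new in patches:
        pos = dsk_offset(trk, sec, off)
        image[pos:pos + len(new)] = new
    return bytes(image)

def demo_image():
    """Constructed 35-track image holding only the bytes PDP expects to find."""
    img = bytearray(TRACKS * SECTORS * SECTOR_SIZE)
    for trk, sec, off, old, _ in parse_patches(PDP_OUTPUT):
        pos = dsk_offset(trk, sec, off)
        img[pos:pos + len(old)] = old
    return bytes(img)
```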
And in the case of bypassing the nibble check, it actually checks every single byte of code before the jump to ($BBFE) to ensure that the disk is using a standard DOS 3.3 boot0 routine up until that point. There were dozens of patches that it didn't make to this disk, because it decided they weren't needed or it wasn't 100% sure what was going on.

]PR#6

And it works. The disk boots and runs with no complaint. There doesn't appear to be any further protection.

Hooray for automation. (Oh, this is gonna get good.)

Quod erat liberandum.

---------------------------------------
A 4am crack No. 155
------------------EOF------------------