+--------------------------------------+
|            Logic Builders            |
|     Cracked by ivyrea 06/09/2015     |
+--------------------------------------+

Information
========================================

Genre: Educational
Year: 1984
Author: Methods & Solutions
Publisher: Scholastic, Inc.
Media: Single-sided 5.25" floppy
OS: DOS 3.3
Previous Cracks: None(?)

Initial Efforts
========================================

ADTPro, standard copy: No errors
ADTPro, nibble copy: No errors

Attempting to boot either copy results in being thrown back to the monitor with the message:

90C6-    A=08 X=60 Y=08 P=30 S=E6

We've hit a BRK instruction! Recall that on the 6502, BRK increments PC by 1. This means that the BRK is at $90C4. Using modern emulation tools, we can set a breakpoint at $90C4 and inspect the surrounding memory. Directly above, we have:

90BA: D0 04     BNE $90C0
; Standard code path
90BC: DD 88 C0  CMP $C088,X
90BF: 60        RTS
; Fail code path
90C0: A8        TAY
90C1: DD 88 C0  CMP $C088,X
90C4: 00        BRK

My first attempt at cracking involved patching the value at $90C0 with $60 (RTS). This seems to work just fine!

T1C,S03,$C4 change $A8 to $60.

Alternatively, we can just return immediately from this routine (which starts at $9073):

T1C,S03,$77 change $BD to $60.

Perhaps I Was Over-Complicating Things
========================================

Further up at $9000 we have what appears to be the loader. The code here performs some checks and then executes the BASIC command "RUN HELLO". I later discovered that this is the "XMGPRT1" program on disk. This also happens to be the boot program.

Amusingly, using Copy ][+ to set the boot program to HELLO bypasses the protection and allows the disk to boot. This technique is what I used in the final "crack", as it leaves everything completely intact.
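
The listing under "Initial Efforts" can be checked mechanically. The following is an added example, not part of the original crack notes: it decodes the eleven bytes shown at $90BA, resolves the BNE target, and recovers the BRK address from the monitor's break line. The opcode table covers only the five opcodes in that listing, and the names disassemble and brk_address are hypothetical.

```python
# Minimal 6502 decoder covering only the opcodes that appear in the listing.
# opcode -> (mnemonic, addressing mode, instruction length in bytes)
OPCODES = {
    0x00: ("BRK", "imp", 1),
    0x60: ("RTS", "imp", 1),
    0xA8: ("TAY", "imp", 1),
    0xD0: ("BNE", "rel", 2),
    0xDD: ("CMP", "abx", 3),
}

# Bytes copied from the page's listing, $90BA-$90C4.
CODE = bytes.fromhex("D004DD88C060A8DD88C000")
BASE = 0x90BA


def disassemble(code, base):
    """Return a list of (address, mnemonic, operand, branch_target)."""
    out, pc = [], 0
    while pc < len(code):
        mnem, mode, size = OPCODES[code[pc]]
        addr, operand, target = base + pc, "", None
        if mode == "rel":
            # Signed 8-bit offset, relative to the address of the NEXT instruction.
            off = code[pc + 1]
            off = off - 0x100 if off & 0x80 else off
            target = (addr + size + off) & 0xFFFF
            operand = f"${target:04X}"
        elif mode == "abx":
            # Little-endian 16-bit absolute address, indexed by X.
            word = code[pc + 1] | (code[pc + 2] << 8)
            operand = f"${word:04X},X"
        out.append((addr, mnem, operand, target))
        pc += size
    return out


def brk_address(monitor_line):
    """Locate the BRK opcode from a monitor break line such as '90C6- A=08 ...'.
    The reported address lies two bytes past the opcode: the BRK byte itself
    plus the one extra byte that BRK skips."""
    return (int(monitor_line.split("-")[0], 16) - 2) & 0xFFFF


if __name__ == "__main__":
    for addr, mnem, operand, _ in disassemble(CODE, BASE):
        print(f"{addr:04X}: {mnem} {operand}".rstrip())
    print(f"BRK at ${brk_address('90C6- A=08 X=60 Y=08 P=30 S=E6'):04X}")
```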