----------Meet The Presidents---------- A 4am crack 2015-05-25 --------------------------------------- Name: Meet The Presidents Genre: educational Year: 1981 Authors: V. Bauman and S. Bernstein of Versa Computing, Inc. Publisher: Softsmith Media: 4 single-sided 5.25-inch disks OS: DOS 3.3 Other versions: none (preserved here for the first time) All four disks are bootable and appear to be independent of each other. I'll start with disk 1. ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor all tracks use standard prologues (address: D5 AA 96, data: D5 AA AD) but modified epilogues (address: FF FF EB, data: FF FF EB) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "FF FF EB" set Data Epilogue to "FF FF EB" Success! All tracks readable! T00 -> completely non-standard T11 -> DOS 3.3 disk catalog Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) Next steps: 1. Super Demuffin to convert disk to a standard format 2. Patch RWTS (if necessary) 3. There is no step 3 (I hope) ~ Chapter 1 In Which We Choose The Right Tool For The Job I'm going to use Super Demuffin here instead of my usual go-to conversion tool, Advanced Demuffin. The disk uses a custom bootloader to display the Softsmith logo, so my AUTOTRACE script on my work disk won't capture the RWTS. But luckily, the RWTS modifications are minor -- custom epilogue bytes, same on every track -- so Super Demuffin will work just fine. When you first run Super Demuffin, it asks for the parameters of the original disk. In this case, the prologue bytes are the same, but the epilogues are "FF FF EB" instead of "DE AA EB". --v-- SUPER-DEMUFFIN AND FAST COPY Modified by: The Saltine/Coast to Coast Address prologue: D5 AA 96 Address epilogue: FF FF EB DISK ^^^^^ ORIGINAL *change from "DE AA" Data prologue: D5 AA AD Data epilogue: FF FF EB ^^^^^ *change from "DE AA" Ignore write errors while demuffining! D - Edit parameters - Advance to next parm - Exit edit mode R - Restore DOS 3.3 parameters O - Edit Original disk's parameters C - Edit Copy disk's parameters G - Begin demuffin process --^-- Pressing "G" switches to the Locksmith Fast Disk Copy UI. It assumes that both disks are in slot 6, and that drive 1 is the original and drive 2 is the copy. [S6,D1=original disk] [S6,D2=blank disk] --v-- LOCKSMITH 7.0 FAST DISK BACKUP RR.................................. W*********************************** HEX 00000000000000001111111111111111222 TRK 0123456789ABCDEF0123456789ABCDEF012 0A.................................. 1................................... 2................................... 3................................... 4................................... 5................................... 6................................... 7................................... 8................................... 9................................... A................................... B................................... C................................... D................................... 12 E................................... F................................... [ ] PRESS [RESET] TO EXIT --^-- Hmm, it copied everything except the very first sector of the very first track. There are only a few ways that T00,S00 can be modified, because the the disk controller ROM routine needs to be able to read it. That limits you, basically, to modified epilogue bytes. Perhaps it uses a different epilogue sequence, and I didn't notice in my initial investigation? I'll copy it manually. [Disk Fixer] ["O" -> "Input/Output Control"] set "CHECKSUM ENABLED" to "NO" [read track $00, sector $00] ["C" to copy buffer to drive 2] OK. [S6,D1=demuffin'd copy] ]PR#6 ...grinds... My demuffin'd copy can't read itself yet. This is not unusual. ~ Chapter 2 In Which We Go RWTS Spelunking This disk uses a custom bootloader from Softsmith, which (judging by a cursory examination in a sector editor) takes up all of track $00 for its animated title screen. But after that, it loads a lightly modified DOS 3.3 (modulo the epilogue bytes) in the usual place in memory, and the rest of the disk uses standard DOS 3.3 commands. Turning once again to my trusty Disk Fixer sector editor, I scanned for the hex sequence "BD 8C C0" ("LDA $C08C,X" is the customary way to read the data latch and get a nibble from disk) and found dozens of hits on track $02. At least some of the sectors on track $02 are loaded in reverse order into $B700..$BFFF: sector | address --------+-------- T02,S0F | $B700 T02,S0E | $B800 T02,S0D | $B900 T02,S0C | $BA00 T02,S0B | $BB00 T02,S0A | $BC00 T02,S09 | $BD00 T02,S08 | $BE00 T02,S07 | $BF00 This is based solely on a visual inspection. You can compare the code on these sectors to sectors $01-$09 on track $00 of a freshly formatted DOS 3.3 disk -- it's nearly identical. It's certainly "shaped" the same way. For future reference (mostly mine), here's a nice chart of the memory locations for all the prologues and epilogues in a DOS 3.3-shaped RWTS. 0x | read | write ---------------+-------+------- D5 | $B955 | $BC7A prologue AA | $B95F | $BC7F / 96 | $B96A | $BC84 ADDRESS -------+-------+------- \ DE | $B991 | $BCAE epilogue AA | $B99B | $BCB3 EB | | $BCB8 ---------------+-------+------- D5 | $B8E7 | $B853 prologue AA | $B8F1 | $B858 / AD | $B8FC | $B85D DATA ----------+-------+------- \ DE | $B935 | $B89E epilogue AA | $B93F | $B8A3 EB | | $B8A8 ---------------+-------+------- (2 epilogue bytes) x (address + data) x (read + write) = 8 patches total: T02,S0A,$AE change FF to DE ; $BCAE T02,S0A,$B3 change FF to AA ; $BCB3 T02,S0D,$35 change FF to DE ; $B935 T02,S0D,$3F change FF to AA ; $B93F T02,S0D,$91 change FF to DE ; $B991 T02,S0D,$9B change FF to AA ; $B99B T02,S0E,$9E change FF to DE ; $B89E T02,S0E,$A3 change FF to AA ; $B8A3 All 4 disks use identical protection. Quod erat liberandum. --------------------------------------- A 4am crack No. 316 ------------------EOF------------------