-------------Moptown Hotel-------------
A 4am crack                  2015-01-21
---------------------------------------

Name: Moptown Hotel
Version: 1.2
Genre: educational
Year: 1981
Author: Leslie Grimm
Publisher: The Learning Company
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Other versions: none (preserved here
  for the first time)
Identical cracks:
  - Gertrude's Secrets, Bumble Games,
    Juggles' Rainbow, Moptown Parade,
    Reader Rabbit, Wizard of Words
    (The Learning Company)
  - Xevious (Mindscape)
  - The Notable Phantom (DesignWare)
  - Animal Kingdom, Race Car 'Rithmetic,
    Magical Myths (Unicorn Software)
  - Pitstop II (Epyx)
  - Microzine issues 12, 13, 17, and 18
    (Scholastic)

Somebody been sellin' copy protection.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy fills screen with
  garbage and reboots

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: FF FF FF, data: FF FF FF)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "FF FF FF"
    set Data Epilogue to "FF FF FF"
  Success! All tracks readable!
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S07 -> startup program is "HELLO"
    (probably a Pronto-DOS variant)

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. find nibble check and bypass it

                   ~

               Chapter 1
     In Which We Attempt To Use The
Original Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
/!\ BOOT0 JUMPS TO $08C0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS
/!\ NIBBLE CHECK AT $BB00

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:..............................RRRRR
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:..............................RRRRR
SC1:..............................RRRRR
SC2:..............................RRRRR
SC3:..............................RRRRR
SC4:..............................RRRRR
SC5:..............................RRRRR
SC6:..............................RRRRR
SC7:..............................RRRRR
SC8:..............................RRRRR
SC9:..............................RRRRR
SCA:..............................RRRRR
SCB:..............................RRRRR
SCC:..............................RRRRR
SCD:..............................RRRRR
SCE:..............................RRRRR
SCF:..............................RRRRR
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Hmm. Tracks $1E-$22 are unreadable. The
Copy ][+ nibble editor can't make heads
or tails of them. They're probably
unformatted.

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
000 FREE

 A 011 HELLO
 A 033 CHANGE ME
 A 020 SECRET PAL
 A 036 MOPTOWN HOTEL
 B 006 WHOSE BIRTHDAY?.LPIC
 B 034 PIC.MAP
 B 034 PIC.HOTEL
 A 030 MOPTOWN MAP
 A 028 WHOSE BIRTHDAY?
 A 032 WHO'S NEXT DOOR?
 A 033 SPOT ME
 B 063 HOTELDATA
 B 051 RAMLOADER
 B 002 MUSICRESETMOVESHAPE
 B 004 MOPTOWN 1.1 ERROR SRT.O
 A 014 MENU

]RUN HELLO
...works...

I'm still curious about those
high-numbered tracks.

Copy ][+ 5.5
  --> TRACK/SECTOR MAP

                 --v--

                TRACK
                   1               2
   0123456789ABCDEF0123456789ABCDEF012
S0 ...DFGHIJKLLLMMPM PBCDPFGHIJKL.....
E1 ..BDFGHIJKLLLMMPM OBCDPFGHIJKL.....
C2 ..BDFGGIJKLLLMMPM OBCDPFGHIJKL.....
T3 ..BDFGGIJKLLLMMNM OBCDPFGHIJKL.....
O4 ..BDFFGHJKLLLMMNM OBCDPFGHIJKL.....
R5 ..BDFFGHJKLLLMMMM ABCDPFGHIJKL.....
 6 ..BDDFGHJKLLLMMMM ABCDPFGHIJKL.....
 7 ..BDDFGHJKKLLMMMM ABCDPFGHIJKL.....
 8 ..BDDFGHIJKLLLMMM ABCDPFGHIJKL.....
 9 ..BDDFGHIJKLLLMMM ABCDPFGHIJKL.....
 A ..BCDFGHIJKLLLMMM ABCDEFGHIJKL.....
 B ..BCDFGHIJKLLLMMM ABCDEFGHIJKL.....
 C ..BCDFGHIJKLLLMMM ABCDEFGHIJKL.....
 D ..BCDFGHIJKLLLMMM ABCDEFGHIJKL.....
 E ..BBDFGHIJKLLLMMM ABCDEFGHIJKL.....
 F ..BBDFGHIJKLLLMMM ABCDEFGHIJKL.....

                 --^--

Confirmed: tracks $1E-$22 are unused.

]PR#6
...fills screen with garbage, reboots
endlessly...

Let's go find that nibble check.

                   ~

               Chapter 2
     Drop The Bit, Start The Music

[S5,D1=my work disk]

]PR#5
]BLOAD BOOT0,A$800
]CALL -151

*801L
.
. all normal until...
.
084A-   4C C0 08    JMP   $08C0

*8C0L

08C0-   8E E9 B7    STX   $B7E9
08C3-   6C FD 08    JMP   ($08FD)

*BLOAD BOOT1,A$2600
*FE89G FE93G        ; disconnect DOS
*B600<2600.2FFFM    ; move RWTS into place

*B700L

B700-   20 00 BB    JSR   $BB00

*BB00L

BB00-   A0 00       LDY   #$00
BB02-   B9 00 BB    LDA   $BB00,Y
BB05-   99 00 02    STA   $0200,Y
BB08-   88          DEY
BB09-   D0 F7       BNE   $BB02
BB0B-   60          RTS

*20C
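
Added example, not part of the original write-up: Chapter 0 found standard
prologues but FF FF FF epilogues on every track. This Python scanner walks a
nibble stream, decodes each 4-and-4 address header, and reports both epilogues
against the stock DOS 3.3 value DE AA EB. Assumptions: the function names are
illustrative and the track bytes are constructed, not read from this disk.

```python
# Added example; every byte below is constructed, not read from the disk.
ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0x96])
DATA_PROLOGUE = bytes([0xD5, 0xAA, 0xAD])
STD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])  # stock DOS 3.3 epilogue
DATA_FIELD_LEN = 343                       # 342 data nibbles + 1 checksum

def enc44(v):
    """4-and-4 encode one byte as two nibbles (odd bits, then even bits)."""
    return bytes([(v >> 1) | 0xAA, v | 0xAA])

def dec44(hi, lo):
    """Inverse of enc44."""
    return ((hi << 1) | 1) & lo

def scan_track(nibbles):
    """Return one dict per address field: header values and both epilogues."""
    sectors, pos = [], 0
    while (pos := nibbles.find(ADDR_PROLOGUE, pos)) != -1:
        hdr = nibbles[pos + 3:pos + 14]      # 8 header nibbles + 3 epilogue
        if len(hdr) < 11:
            break                            # capture ends inside a header
        vol, trk, sec, chk = (dec44(hdr[i], hdr[i + 1]) for i in (0, 2, 4, 6))
        entry = {"volume": vol, "track": trk, "sector": sec,
                 "checksum_ok": chk == vol ^ trk ^ sec,
                 "addr_epilogue": hdr[8:11], "data_epilogue": None}
        # The data field follows the header after a short run of sync bytes.
        d = nibbles.find(DATA_PROLOGUE, pos + 14, pos + 54)
        if d != -1:
            end = d + 3 + DATA_FIELD_LEN
            entry["data_epilogue"] = nibbles[end:end + 3]
        entry["standard"] = (entry["addr_epilogue"] == STD_EPILOGUE
                             and entry["data_epilogue"] == STD_EPILOGUE)
        sectors.append(entry)
        pos += 14
    return sectors

def make_sector(vol, trk, sec, epilogue):
    """Build a constructed sector with dummy data nibbles for the demo."""
    header = b"".join(enc44(x) for x in (vol, trk, sec, vol ^ trk ^ sec))
    return (b"\xFF" * 8 + ADDR_PROLOGUE + header + epilogue + b"\xFF" * 6
            + DATA_PROLOGUE + b"\x96" * DATA_FIELD_LEN + epilogue)

# One stock-format sector, then one using the FF FF FF epilogues from Chapter 0.
track = (make_sector(254, 0x11, 0, STD_EPILOGUE)
         + make_sector(254, 0x11, 1, b"\xFF\xFF\xFF"))

if __name__ == "__main__":
    for s in scan_track(track):
        print(f"T{s['track']:02X} S{s['sector']:X}",
              s["addr_epilogue"].hex(), s["data_epilogue"].hex(), s["standard"])
```

The second sector decodes cleanly and its header checksum is valid; only the
epilogue comparison fails, the same mismatch Chapter 0 blames for the COPYA
and Locksmith read errors.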