-------------Music Maestro-------------
A 4am crack
2015-03-02
---------------------------------------

Name: Music Maestro
Genre: educational
Year: 1983
Author: John Paulson
Publisher: Springboard Software, Inc.
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Other versions: none (preserved here for the first time)
Identical cracks: Early Games For Young Children (4am crack no. 119);
  Easy As ABC (4am crack no. 120)

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy just grinds

Copy ][+ nibble editor
  modified address epilogue (AD BB EB)
  modified data epilogue (ED BB EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "AD BB EB"
  set Data Epilogue to "ED BB EB"
  all tracks readable
  T00 -> looks like a DOS 3.3 RWTS
  T00-T02 -> looks like a full DOS 3.3
  T01,S09 -> startup program is "H" followed by a bunch of control characters
  T11 -> DOS 3.3 disk catalog

Why didn't COPYA work? modified epilogue bytes (every track)

Why didn't Locksmith FDB work? modified epilogue bytes (every track)

Why didn't my EDD copy work? I don't know. Possibly a nibble check during boot?

Next steps:

1. AUTOTRACE to capture RWTS
2. Advanced Demuffin to convert disk to a standard format
3. Find that nibble check(?)

~

Chapter 1
In Which We Attempt To Use The Original Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5

CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
267 FREE

 A 002 SONG LIBRARY
>>>>>
 T 003 ABC
 T 002 LAMB
 T 002 THIS OLD MAN
 T 003 JINGLE BELLS
 T 003 SUZANNAH
 T 003 SIMPLE GIFTS

Seriously, there's all that blank space in the listing. Annoying catalog
tricks are annoying. The startup program is in there somewhere, but it's
hidden because its name contains control characters.

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

Time to patch the RWTS.

~

Chapter 2
In Which We Learn One Weird Trick To Protect Your Disks! Bit Copiers Hate It!
]PR#5
]BLOAD RWTS,A$2800
]CALL -151

*FE89G FE93G       ; disconnect DOS
*B800<2800.2FFFM   ; move RWTS into place

*B92FL             ; check data epilogue bytes

B92F-   BD 8C C0    LDA   $C08C,X
B932-   10 FB       BPL   $B92F
B934-   C9 ED       CMP   #$ED      ; $DE
B936-   D0 0A       BNE   $B942
B938-   EA          NOP
B939-   BD 8C C0    LDA   $C08C,X
B93C-   10 FB       BPL   $B939
B93E-   C9 BB       CMP   #$BB      ; $AA
B940-   F0 5C       BEQ   $B99E
B942-   38          SEC
B943-   60          RTS

*B98BL             ; check address epilogue bytes

B98B-   BD 8C C0    LDA   $C08C,X
B98E-   10 FB       BPL   $B98B
B990-   C9 AD       CMP   #$AD      ; $DE
B992-   D0 AE       BNE   $B942
B994-   DD 8C C0    CMP   $C08C,X   |
B997-   D0 A9       BNE   $B942     |
B999-   4C F0 BC    JMP   $BCF0     | WTF
B99C-   D0 A4       BNE   $B942     |
B99E-   18          CLC
B99F-   60          RTS

That's unexpected. On a standard DOS 3.3 disk, the address epilogue checker
looks like this:

B98B-   BD 8C C0    LDA   $C08C,X
B98E-   10 FB       BPL   $B98B
B990-   C9 DE       CMP   #$DE
B992-   D0 AE       BNE   $B942
B994-   EA          NOP               |
B995-   BD 8C C0    LDA   $C08C,X     |
B998-   10 FB       BPL   $B995       |
B99A-   C9 AA       CMP   #$AA        |
B99C-   D0 A4       BNE   $B942
B99E-   18          CLC
B99F-   60          RTS

But instead of the straightforward compare for the second byte of the
epilogue sequence, it jumps to $BCF0.

*BCF0L

; $FF58 is always an RTS, so this does
; nothing but kill time
BCF0-   20 58 FF    JSR   $FF58

; now check for second epilogue byte
BCF3-   BD 8C C0    LDA   $C08C,X
BCF6-   10 FB       BPL   $BCF3
BCF8-   C9 BB       CMP   #$BB
BCFA-   D0 02       BNE   $BCFE
BCFC-   18          CLC
BCFD-   60          RTS
BCFE-   38          SEC
BCFF-   60          RTS

Ah, this is one of those weird timing tricks... and it explains why my EDD 4
bit copy didn't work. The original disk was authored so that there is always
a timing bit after the first address epilogue byte. Because of the extra
waiting here ($FF58 is just an RTS, but calling it and returning takes 12
clock cycles), the RWTS actually requires those timing bits to be in the
right place. Otherwise, the disk will spin too far while this routine is
killing time, and when the RWTS goes to check the second epilogue byte (at
$BCF8), it won't find it.

Never a dull moment in the land of Apple II copy protection.
~

Chapter 3
In Which We Remove All Traces Of Copy Protection Using An Automated Tool
That I Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; fix address epilogue checking code

T00,S03,$94 change DD8CC0D0A94CF0BC to EABD8CC010FBC9AA

; fix other epilogue bytes

T00,S03,$91 change AD to DE
T00,S03,$35 change ED to DE
T00,S03,$3F change BB to AA
T00,S02,$9E change ED to DE
T00,S02,$A3 change BB to AA

Quod erat liberandum.

---------------------------------------
A 4am crack No. 236
------------------EOF------------------
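The Chapter 3 patch list applied to a DOS-order .dsk image, as an added example (not 4am's PDP tool or any code from the writeup): it verifies the "before" bytes at every T/S/offset before writing, so a different or already-patched RWTS is rejected instead of corrupted, and maps each location back to its RWTS address. It assumes a standard 35-track, 16-sector image in DOS 3.3 sector order.

```python
"""Apply the Chapter 3 RWTS patches to a DOS-order .dsk image (added example,
not 4am's PDP tool). Assumes a 35-track, 16-sector image in DOS 3.3 sector
order, so T/S/offset maps to track*4096 + sector*256 + offset."""

SECTOR = 256
TRACK = 16 * SECTOR
DISK_SIZE = 35 * TRACK

# (track, sector, offset, bytes before, bytes after), as listed in Chapter 3
PATCHES = [
    (0, 3, 0x94, bytes.fromhex("DD8CC0D0A94CF0BC"), bytes.fromhex("EABD8CC010FBC9AA")),
    (0, 3, 0x91, b"\xAD", b"\xDE"),
    (0, 3, 0x35, b"\xED", b"\xDE"),
    (0, 3, 0x3F, b"\xBB", b"\xAA"),
    (0, 2, 0x9E, b"\xED", b"\xDE"),
    (0, 2, 0xA3, b"\xBB", b"\xAA"),
]

def dsk_offset(track, sector, offset):
    return track * TRACK + sector * SECTOR + offset

def rwts_addr(sector, offset):
    # DOS 3.3 loads T00,S00-S09 at $B600-$BFFF in order (T00,S03,$94 is $B994)
    return 0xB600 + sector * SECTOR + offset

def apply_patches(image):
    """Return a patched copy; refuse to touch bytes that do not match the
    'before' values, so a different or already-patched RWTS is not corrupted."""
    if len(image) != DISK_SIZE:
        raise ValueError(f"expected {DISK_SIZE}-byte DOS-order image, got {len(image)}")
    out = bytearray(image)
    for track, sector, off, before, after in PATCHES:
        pos = dsk_offset(track, sector, off)
        found = bytes(out[pos:pos + len(before)])
        if found != before:
            raise ValueError(f"T{track:02d},S{sector:02d},${off:02X} (${rwts_addr(sector, off):04X}): "
                             f"expected {before.hex().upper()}, found {found.hex().upper()}")
        out[pos:pos + len(after)] = after
    return bytes(out)

def already_patched(image):
    return all(image[dsk_offset(t, s, o):dsk_offset(t, s, o) + len(a)] == a
               for t, s, o, _, a in PATCHES)

def constructed_image():
    # blank image with only the protected RWTS bytes planted (constructed input)
    img = bytearray(DISK_SIZE)
    for t, s, o, before, _ in PATCHES:
        img[dsk_offset(t, s, o):dsk_offset(t, s, o) + len(before)] = before
    return bytes(img)
```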