--------------Numeration 1-------------
A 4am crack                  2014-04-25
---------------------------------------

Numeration 1: Under The Big Top is a
1985 educational program authored by
Thomas Hartsig and distributed by
Scott, Foresman and Company.

COPYA copies the original disk with no
read errors, but when the copy boots,
it loads a few tracks and stalls. EDD 4
bit copy fares no better.

It's time for boot tracing with
AUTOTRACE.

[S5D1=my work disk]
[S6D1=original disk]

]PR
[S5D1=my work disk]
[S6D1=original disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

Well that all went flawlessly.

]BLOAD BOOT1,A$2600
]CALL -151
*B600<2600.2EFEM
*B700L

; OK
B700-   8E E9 B7    STX   $B7E9
B703-   8E F7 B7    STX   $B7F7
B706-   A9 01       LDA   #$01
B708-   8D F8 B7    STA   $B7F8
B70B-   8D EA B7    STA   $B7EA
B70E-   AD E0 B7    LDA   $B7E0
B711-   8D E1 B7    STA   $B7E1
B714-   A9 03       LDA   #$03
B716-   8D EC B7    STA   $B7EC
B719-   A9 08       LDA   #$08
B71B-   8D ED B7    STA   $B7ED
B71E-   AC E7 B7    LDY   $B7E7
B721-   88          DEY
B722-   8C F1 B7    STY   $B7F1
B725-   A9 01       LDA   #$01
B727-   8D F4 B7    STA   $B7F4
B72A-   8A          TXA
B72B-   4A          LSR
B72C-   4A          LSR
B72D-   4A          LSR
B72E-   4A          LSR
B72F-   AA          TAX

; still OK
B730-   A9 00       LDA   #$00
B732-   9D F8 04    STA   $04F8,X
B735-   9D 78 04    STA   $0478,X

; probably reading stuff from disk here
B738-   20 93 B7    JSR   $B793

It looks like this is using the
standard multi-read routine at $B793 to
load a bunch of stuff into memory
starting at T03,S08 and working
backwards. (This is how regular DOS 3.3
loads, except that starts at T02,S04.)

I'll run just a little bit of this and
look at the RWTS parameter table.

*B738:60
*B700G
*B7E0.B7FF

B7E0- 2F 2F 0A 2F E8 B7 00 B6
         ^^
         ++-- number of sectors to read

B7E8- 01 D2 01 00 03 08 FB B7
                  ^^ ^^
    first track --++ ++-- first sector

B7F0- 00 B5 00 01 01 03 FE D2
      ^^^^^
      +++++-- starting address ($B500)

B7F8- 01 00 00 00 01 EF D8 00

The way the multi-sector read routine
works, it reads one sector, then
decrements the sector number ($B7ED)
until it's past $00, then resets it to
$0F and decrements the track number
($B7EC). Along the way, it decrements
the memory address ($B7F0/$B7F1) after
each sector read, and decrements the
counter at $B7E1 until it's past $00.

So, given this RWTS parameter table,
we're going to read a total of $2F
sectors into $8700..$B5FF, backwards.

T03,S08 --> $B500..$B5FF
T03,S07 --> $B400..$B4FF
...
T03,S00 --> $AD00..$ADFF
T02,S0F --> $AC00..$ACFF
...
T01,S0F --> $9C00..$9CFF
...
T00,S0F --> $8C00..$8CFF
...
T00,S0A --> $8700..$87FF

That all happens inside $B793. Then
execution continues at $B73B:

; reset the stack pointer
B73B-   A2 FF       LDX   #$FF
B73D-   9A          TXS
B73E-   8E EB B7    STX   $B7EB

; this looks like the end, but it's
; really a standard "patch" that does
; some language card initialization and
; jumps back to $B744
B741-   4C C8 BF    JMP   $BFC8

; OK
B744-   20 89 FE    JSR   $FE89

; boot continues at $8800, apparently
B747-   4C 00 88    JMP   $8800

So that's where I need to stop the boot
and take a look at what's going on.

*9600<C600.C6FFM

; set up a callback after boot0 so we
; can set up another callback
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C
9707-   4C 01 08    JMP   $0801

; this is called after boot0 has loaded
; boot1 (into $B700..$BFFF), so now we
; can patch that to do the multi-sector
; read and then break instead of going
; on to $8800
970A-   A9 4C       LDA   #$4C
970C-   8D 3B B7    STA   $B73B
970F-   A9 59       LDA   #$59
9711-   8D 3C B7    STA   $B73C
9714-   A9 FF       LDA   #$FF
9716-   8D 3D B7    STA   $B73D
9719-   4C 00 B7    JMP   $B700

*BSAVE TRACE2,A$9600,L$11C
*9600G
...reboots slot 6...
...breaks to monitor...

*2700<8700.B5FFM
*C500G
...
]BSAVE BOOT2,A$2700,L$2F00
]CALL -151
*8700<2700.55FFM
*8800L

; screw up reset vector
8800-   A9 00       LDA   #$00
8802-   8D EB B7    STA   $B7EB
8805-   A2 FF       LDX   #$FF
8807-   9A          TXS
8808-   A9 69       LDA   #$69
880A-   8D F2 03    STA   $03F2
880D-   A9 FF       LDA   #$FF
880F-   8D F3 03    STA   $03F3
8812-   20 6F FB    JSR   $FB6F
8815-   EE F3 03    INC   $03F3
8818-   20 00 87    JSR   $8700

*8700L

8700-   A9 00       LDA   #$00
8702-   48          PHA
8703-   28          PLP
8704-   D0 01       BNE   $8707
8706-   4C A9 B7    JMP   $B7A9

; set up an RWTS parameter table
8709-   A0 E8       LDY   #$E8
870B-   85 11       STA   $11
870D-   84 10       STY   $10
870F-   A9 11       LDA   #$11
8711-   A0 04       LDY   #$04
8713-   91 10       STA   ($10),Y
8715-   A9 00       LDA   #$00
8717-   A0 0C       LDY   #$0C
8719-   91 10       STA   ($10),Y
871B-   A5 11       LDA   $11
871D-   A4 10       LDY   $10

; read a single sector
871F-   20 B5 B7    JSR   $B7B5

; OK
8722-   A0 01       LDY   #$01
8724-   D0 01       BNE   $8727
8726-   D0 B1       BNE   $86D9
8728-   10 AA       BPL   $86D4
872A-   D0 01       BNE   $872D
872C-   D0 BD       BNE   $86EB

; wait, what?
872E-   89          ???
872F-   C0 A9       CPY   #$A9
8731-   56 85       LSR   $85,X
8733-   11 D0       ORA   ($D0),Y
8735-   01 D0       ORA   ($D0,X)

Ah. Fun times. Did you notice what
happened? At $8722, it loaded a
constant (1) into the Y register, then
branched into the middle of the next
instruction, $8727. So everything after
that looks like nonsense, and it is,
because it's never executed like that.
This is what is actually executed next:

8727-   B1 10       LDA   ($10),Y
8729-   AA          TAX
872A-   D0 01       BNE   $872D

Look, they did it again.

872D-   BD 89 C0    LDA   $C089,X
8730-   A9 56       LDA   #$56
8732-   85 11       STA   $11
8734-   D0 01       BNE   $8737

And again.

8737-   C6 12       DEC   $12
8739-   F0 03       BEQ   $873E
873B-   D0 0A       BNE   $8747
873D-   D0 C6       BNE   $8705

And again.

(OK, I'm just going to insert NOPs in
place of all the unused fake-out-the
disassembly-listing bytes.)

Here's the result:

8700-   A9 00       LDA   #$00
8702-   48          PHA
8703-   28          PLP
8704-   D0 01       BNE   $8707
8706-   EA          NOP
8706-   A9 B7       LDA   #$B7
8709-   A0 E8       LDY   #$E8
870B-   85 11       STA   $11
870D-   84 10       STY   $10
870F-   A9 11       LDA   #$11
8711-   A0 04       LDY   #$04
8713-   91 10       STA   ($10),Y
8715-   A9 00       LDA   #$00
8717-   A0 0C       LDY   #$0C
8719-   91 10       STA   ($10),Y
871B-   A5 11       LDA   $11
871D-   A4 10       LDY   $10
871F-   20 B5 B7    JSR   $B7B5
8722-   A0 01       LDY   #$01
8724-   D0 01       BNE   $8727
8726-   EA          NOP
8727-   B1 10       LDA   ($10),Y
8729-   AA          TAX
872A-   D0 01       BNE   $872D
872C-   EA          NOP
872D-   BD 89 C0    LDA   $C089,X
8730-   A9 56       LDA   #$56
8732-   85 11       STA   $11
8734-   D0 01       BNE   $8737
8736-   EA          NOP
8737-   C6 12       DEC   $12
8739-   F0 03       BEQ   $873E
873B-   D0 0A       BNE   $8747
873D-   EA          NOP
873E-   C6 11       DEC   $11
8740-   D0 05       BNE   $8747
8742-   A9 FF       LDA   #$FF
8744-   D0 74       BNE   $87BA
8746-   EA          NOP
8747-   BD 8C C0    LDA   $C08C,X
874A-   10 FB       BPL   $8747
874C-   D0 01       BNE   $874F
874E-   EA          NOP
874F-   C9 D5       CMP   #$D5
8751-   F0 03       BEQ   $8756
8753-   D0 E2       BNE   $8737
8755-   EA          NOP
8756-   BD 8C C0    LDA   $C08C,X
8759-   10 FB       BPL   $8756
875B-   D0 01       BNE   $875E
875D-   EA          NOP
875E-   C9 AA       CMP   #$AA
8760-   F0 03       BEQ   $8765
8762-   D0 D3       BNE   $8737
8764-   EA          NOP
8765-   BD 8C C0    LDA   $C08C,X
8768-   10 FB       BPL   $8765
876A-   D0 01       BNE   $876D
876C-   EA          NOP
876D-   C9 96       CMP   #$96
876F-   F0 03       BEQ   $8774
8771-   D0 C4       BNE   $8737
8773-   EA          NOP
8774-   A0 0A       LDY   #$0A
8776-   BD 8C C0    LDA   $C08C,X
8779-   10 FB       BPL   $8776
877B-   D0 01       BNE   $877E
877D-   EA          NOP
877E-   C9 FF       CMP   #$FF
8780-   F0 03       BEQ   $8785
8782-   D0 B3       BNE   $8737
8784-   EA          NOP
8785-   F0 01       BEQ   $8788
8787-   EA          NOP
8788-   BD 8C C0    LDA   $C08C,X
878B-   C9 08       CMP   #$08
878D-   B0 A8       BCS   $8737
878F-   D0 01       BNE   $8792
8791-   EA          NOP
8792-   BD 8C C0    LDA   $C08C,X
8795-   10 FB       BPL   $8792
8797-   D0 01       BNE   $879A
8799-   EA          NOP
879A-   85 10       STA   $10
879C-   88          DEY
879D-   D0 03       BNE   $87A2
879F-   F0 10       BEQ   $87B1
87A1-   EA          NOP
87A2-   BD 8C C0    LDA   $C08C,X
87A5-   10 FB       BPL   $87A2
87A7-   D0 01       BNE   $87AA
87A9-   EA          NOP
87AA-   45 10       EOR   $10
87AC-   D0 EC       BNE   $879A
87AE-   F0 EA       BEQ   $879A
87B0-   EA          NOP
87B1-   A5 10       LDA   $10
87B3-   49 60       EOR   #$60
87B5-   D0 80       BNE   $8737
87B7-   F0 01       BEQ   $87BA
87B9-   EA          NOP
87BA-   DD 88 C0    CMP   $C088,X
87BD-   C9 00       CMP   #$00
87BF-   F0 03       BEQ   $87C4
87C1-   4C 00 87    JMP   $8700
87C4-   60          RTS

What'd'ya know, there's a nibble check
hiding underneath all that obfuscation.
What a surprise. (Not really.)

The important part is this: if the
nibble check succeeds, $87BF branches
to $87C4, which exits gracefully but
doesn't set any flags on the way out.
If the nibble check fails, it jumps
back to the beginning ($87C1 jumps to
$8700 unconditionally) and tries again.
That explains the behavior I saw on my
non-working copy -- it would load a few
tracks and then hang. Right here is
where it's hanging, because it's trying
the nibble check over and over and
failing every time.

Since the nibble check doesn't set any
flags on success, it appears that I can
simply put an "RTS" at $8700 to allow
the entire routine to exit
unconditionally.

T00,S0A,$00 change "A9" to "60"

Success! The game loads and boots with
no further complaint.

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 23
------------------EOF------------------