------------Snooper Troops 2-----------
A 4am crack                  2015-03-25
---------------------------------------

Name: Snooper Troops and the case of
  The Disappearing Dolphin
Genre: adventure
Year: 1982
Author: Tom Snyder / Computer Learning
  Connection, Inc.
Publisher: Spinnaker Software
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Other versions: none (preserved here
  for the first time)
Similar cracks: Frogger (no. 231);
  Troll's Tale (no. 109)

Asimov has a disk image labeled
"snooper_troops_ii", but it's really
Snooper Troops 1 (Granite Point Ghost).
As far as I can tell, this is a first-
time preservation.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  read error on T09 but copy works
  anyway

Copy ][+ nibble editor
  T00-T02 -> modified address epilogue
    (ED AA EB)
  T03-T22 -> modified address prologue
    (BB AA 96)
  T09 -> unformatted? mostly sync bytes

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "ED AA EB"
  T00-T02 -> looks like DOS 3.3
  T01,S09 -> startup program is HELLO
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DE AA EB"
    set Address Prologue to "BB AA 96"
  T11 -> looks like disk catalog

Why didn't COPYA work?
  modified epilogues / prologues

Why didn't Locksmith FDB work?
  ditto

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format
     (if necessary)

                   ~

               Chapter 1
    In Which Things Don't Always Go
           According To Plan


[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

[press "5" to switch to slot 5]

[press "R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]

[press "C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC1:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC2:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC3:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC4:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC5:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC6:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC7:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC8:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC9:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCA:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCB:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCC:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCD:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCE:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCF:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Let's back up.

]PR#5
]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G     ; disconnect DOS
*B600<2600.2FFFM ; move RWTS into place

*B700L
.
. nothing unusual at all
.
B747-   4C 84 9D    JMP   $9D84

It makes sense that I haven't found
anything unusual yet. Evidence so far
suggests that the RWTS on disk can read
tracks 0-2 (which is where it's loading
DOS), then it switches to a different
RWTS that can read the rest of the
disk. So whatever this disk is doing to
modify its RWTS or load a new one, it's
going to do it after loading DOS. And I
need to find out where.

But that means I need to trace the boot
even further.

*C500G          ; because I have no DOS
...
]CALL -151

*9600<C600.C6FFM

; set up callback #1 after boot0 is
; loaded
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; (callback #1) set up callback #2
; after DOS is loaded
970A-   A9 4C       LDA   #$4C
970C-   8D 47 B7    STA   $B747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 B7    STA   $B748
9714-   A9 97       LDA   #$97
9716-   8D 49 B7    STA   $B749

; continue the boot
9719-   4C 00 B7    JMP   $B700

; (callback #2) copy all of DOS to the
; graphics page so it survives a reboot
971C-   A2 23       LDX   #$23
971E-   A0 00       LDY   #$00
9720-   B9 00 9D    LDA   $9D00,Y
9723-   99 00 2D    STA   $2D00,Y
9726-   C8          INY
9727-   D0 F7       BNE   $9720
9729-   EE 22 97    INC   $9722
972C-   EE 25 97    INC   $9725
972F-   CA          DEX
9730-   D0 EE       BNE   $9720

; reboot to my work disk
9732-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$135
*9600G
...reboots slot 6...
...reboots slot 5...
]BSAVE BOOT2,A$2D00,L$2300
]CALL -151

*FE89G FE93G      ; disconnect my DOS
*9D00<2D00.4FFFM  ; move DOS into place

*9D84L

9D84-   4C BB B4    JMP   $B4BB

I'm pretty sure *that's* not normal.

                   ~

               Chapter 2
      In Which It All Comes Down
             To Two Bytes


*B4BBL

; overwriting the instruction that just
; called this routine -- highly suspect
B4BB-   A9 AD       LDA   #$AD
B4BD-   8D 84 9D    STA   $9D84
B4C0-   A9 E9       LDA   #$E9
B4C2-   8D 85 9D    STA   $9D85
B4C5-   A9 B7       LDA   #$B7
B4C7-   8D 86 9D    STA   $9D86

; overwriting most of the $B700 code?
; also suspicious
B4CA-   A2 00       LDX   #$00
B4CC-   BD BB B3    LDA   $B3BB,X
B4CF-   5E BB 33    LSR   $33BB,X
B4D2-   1E BB B3    ASL   $B3BB,X
B4D5-   9D 00 B7    STA   $B700,X
B4D8-   E8          INX
B4D9-   E0 B5       CPX   #$B5
B4DB-   90 EF       BCC   $B4CC
B4DD-   D8          CLD
B4DE-   AD FF CF    LDA   $CFFF

; overwriting the language card
B4E1-   AD 81 C0    LDA   $C081
B4E4-   AD 81 C0    LDA   $C081
B4E7-   A2 00       LDX   #$00
B4E9-   BD 00 F8    LDA   $F800,X
B4EC-   1E BB 34    ASL   $34BB,X
B4EF-   9D 00 F8    STA   $F800,X
B4F2-   E8          INX
B4F3-   D0 F4       BNE   $B4E9
B4F5-   EE EB B4    INC   $B4EB
B4F8-   EE F1 B4    INC   $B4F1
B4FB-   D0 EA       BNE   $B4E7

; hmm
B4FD-   AD 00 B7    LDA   $B700
B500-   F0 12       BEQ   $B514

OK, I need to know whether this branch
is taken. Let's break here and see.

*B4FD:60
*B4BBG
*B700

B700- 00

OK, so we continue to $B514.

*B514L

; set reset vector (both of them at
; $03F2 and $FFFC)
B514-   A9 00       LDA   #$00
B516-   8D FC FF    STA   $FFFC
B519-   8D F2 03    STA   $03F2
B51C-   A9 BF       LDA   #$BF
B51E-   8D F3 03    STA   $03F3
B521-   8D FD FF    STA   $FFFD
B524-   49 A5       EOR   #$A5
B526-   8D F4 03    STA   $03F4

; Aha! Fiddling with RWTS parameters!
B529-   AC 82 C0    LDY   $C082
B52C-   A0 DE       LDY   #$DE
B52E-   8C 91 B9    STY   $B991 <- RWTS
B531-   20 5E B7    JSR   $B75E
B534-   4C 6F B7    JMP   $B76F

The value at $B991 is one of the
address epilogue bytes.

*B75EL

; Double aha! More RWTS fiddling!
B75E-   AE 07 B7    LDX   $B707
B761-   8E 55 B9    STX   $B955 <- RWTS
B764-   AD 97 A3    LDA   $A397
B767-   C9 60       CMP   #$60
B769-   D0 03       BNE   $B76E
B76B-   8D 62 B7    STA   $B762
B76E-   60          RTS

The value at $B955 is one of the
address prologue bytes...

*B707

B707- BB

...and we're changing it to $BB.
Continuing...

*B76FL

; what have we here?
B76F-   2C 06 B7    BIT   $B706
B772-   10 20       BPL   $B794
B774-   AE 03 B7    LDX   $B703

; 1
B777-   20 37 B5    JSR   $B537
B77A-   C9 06       CMP   #$06
B77C-   B0 23       BCS   $B7A1
B77E-   AE 04 B7    LDX   $B704

; 2
B781-   20 37 B5    JSR   $B537
B784-   C9 06       CMP   #$06
B786-   90 19       BCC   $B7A1
B788-   AE 05 B7    LDX   $B705

; 3
B78B-   20 37 B5    JSR   $B537
B78E-   C9 06       CMP   #$06
B790-   B0 0F       BCS   $B7A1
B792-   90 0A       BCC   $B79E
B794-   AE 04 B7    LDX   $B704

; 4
B797-   20 37 B5    JSR   $B537
B79A-   C9 02       CMP   #$02
B79C-   D0 03       BNE   $B7A1

; continue to normal boot
B79E-   4C 84 9D    JMP   $9D84

So what's at $B537 that's so important
that we need to call it up to 4 times?
I'm guessing it's a nibble check.

*B537L

; seek to a track (given in X register,
; which is populated from $B704 or
; $B705, both of which are $09 -- the
; track that EDD 4 couldn't read)
B537-   8E EC B7    STX   $B7EC
B53A-   A9 00       LDA   #$00
B53C-   8D F4 B7    STA   $B7F4
B53F-   A9 B7       LDA   #$B7
B541-   A0 E8       LDY   #$E8
B543-   20 B5 B7    JSR   $B7B5
B546-   AE E9 B7    LDX   $B7E9

; turn on drive motor manually
; (suspicious)
B549-   BD 89 C0    LDA   $C089,X
B54C-   BD 8E C0    LDA   $C08E,X

; set some counters
B54F-   A9 19       LDA   #$19
B551-   85 0D       STA   $0D
B553-   A0 00       LDY   #$00
B555-   84 09       STY   $09
B557-   A0 A0       LDY   #$A0

; look for a self-sync byte ($FF)
B559-   BD 8C C0    LDA   $C08C,X
B55C-   10 FB       BPL   $B559
B55E-   49 FF       EOR   #$FF
B560-   F0 16       BEQ   $B578
B562-   E6 09       INC   $09
B564-   F0 1E       BEQ   $B584

; wait loop
B566-   8A          TXA
B567-   48          PHA
B568-   A2 10       LDX   #$10
B56A-   CA          DEX
B56B-   10 FD       BPL   $B56A
B56D-   68          PLA
B56E-   AA          TAX

; look for something other than a self-
; sync byte
B56F-   BD 8C C0    LDA   $C08C,X
B572-   10 FB       BPL   $B56F
B574-   49 FF       EOR   #$FF
B576-   D0 0C       BNE   $B584
B578-   C8          INY
B579-   D0 DE       BNE   $B559
B57B-   C6 0D       DEC   $0D
B57D-   D0 DA       BNE   $B559
B57F-   A5 09       LDA   $09
B581-   18          CLC
B582-   90 02       BCC   $B586

; success path is here (failure path
; skips over this and goes to $B586)
B584-   A9 FF       LDA   #$FF
B586-   48          PHA
B587-   BD 88 C0    LDA   $C088,X
B58A-   68          PLA
B58B-   60          RTS

OK, two things here. First of all,
nothing happens if the nibble check
succeeds. There are no long-term side
effects. It just continues booting.

Second, I can create the RWTS I need to
read the rest of the disk. I only need
to change two bytes.

[S6,D1=original disk]
[S6,D2=demuffin'd disk with tracks 0-2]
[S5,D1=my work disk]

*C500G     ; because I destroyed DOS
...
]BLOAD RWTS,A$2800
]CALL -151
*2991:DE   ; was "ED"
*2955:BB   ; was "D5"
*BSAVE RWTS 3+,A$2800,L$800

                   ~

               Chapter 3
   In Which We Use The Original Disk
      As A Weapon Against Itself,
          And It Is Glorious


]BRUN ADVANCED DEMUFFIN 1.5

[press "5" to switch to slot 5]

[press "R" to load a new RWTS module]
  --> At $B8, load "RWTS 3+" from D1

[press "6" to switch to slot 6]

[press "C" to convert disk]

[press "Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $03        <-- change this
START SECTOR: $00

END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Now press RETURN to start the copy...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:   ......R.........................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:   ......R.........................
SC1:   ......R.........................
SC2:   ......R.........................
SC3:   ......R.........................
SC4:   ......R.........................
SC5:   ......R.........................
SC6:   ......R.........................
SC7:   ......R.........................
SC8:   ......R.........................
SC9:   ......R.........................
SCA:   ......R.........................
SCB:   ......R.........................
SCC:   ......R.........................
SCD:   ......R.........................
SCE:   ......R.........................
SCF:   ......R.........................
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Now what?!? Oh wait, I remember EDD had
problems on track $09 as well. And the
nibble check did an RWTS seek to track
$09. I can't read it because there's
nothing to read.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
038 FREE

 T 006 SECTOR
 T 010 WALLS
 A 064 X
 B 019 CRUNCHED PIC2
 A 003 HELLO
 B 023 CRUNCHED PIC12
 B 034 HOUSE9
 B 006 CHARAC TABLE
 T 046 AQUAINT
 T 007 CONFESS
 T 009 MRX
 T 009 SPECIAL
 B 016 CRUNCHED PIC10
 T 011 QU
 B 016 CRUNCHED PIC11
 B 003 HRG
 B 019 CRUNCHED PIC3
 B 020 CRUNCHED PIC4
 B 020 CRUNCHED PIC5
 B 021 CRUNCHED PIC1
 A 004 INTRO INIT
 B 002 FORD1
 B 003 UTIL.$0800
 B 015 CRUNCHED PIC9
 B 017 CRUNCHED PIC6
 T 002 AGENT 1
 B 018 CRUNCHED PIC7
 T 002 AGENT 2
 B 017 CRUNCHED PIC8

]RUN HELLO
...works...

Now to make the disk be able to read
itself, and skip the copy protection
routine at $B4BB.

T00,S03,$91 change "ED" to "DE"
T00,S0C,$84 change "4C BB B4"
                to "AD E9 B7"

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 278
------------------EOF------------------