-----------Spelling Carnival-----------
A 4am crack                  2015-06-14
---------------------------------------

Name: Spelling Carnival
Genre: educational
Year: 1981
Authors: Marley W. Watkins
Publisher: Softsmith
Media: single-sided 5.25-inch floppy
OS: DOS 3.3 with custom bootloader
Other versions: none (preserved here
  for the first time)
Similar cracks: Microzine 3 (no. 332)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


What does the boot look and sound like?
  1. Softsmith animated title screen
  2. several sequential track reads
  3. track seek (maybe to T11?)
  4. more disk activity (back and forth
     like file access)
  5. program title screen
  6. main menu

Does it access the disk after boot?
  Yes, repeatedly.

Does it have an option to read, write,
or format user-supplied data disks?
  No, but the "Sentence Editor" can
  edit data on the program disk itself.

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no read errors, but copy hangs after
    reading one track

Copy ][+ nibble editor
  T00 -> standard prologues, modified
    epilogues (FF FF EB)
  T01..T02 -> corrupted address fields,
    claim to be track $00
  T03..T04 -> not full tracks? looks
    like they have some standard-ish
    sectors, but not 16 per track
    (also claim to be track $00)
  T05..T13 -> standard prologues,
    modified epilogues (FF FF EB),
    standard address fields
  T14+ -> unformatted

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 01  START: 1D86  LENGTH: 1896
       ^^

1D60: FF FF FF FF FF FF FF FF   VIEW
1D68: FF FF FF FF FF FF FF FF
1D70: FF FF FF FF FF FF FF FF
1D78: FF FF FF FF FF FF FF FF
1D80: FF FF FF FF FF D5 AA 96 <-1D85
                     ^^^^^^^^
                 address prologue

1D88: AA AA AA AA AA AA AA AA
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      V000   T00   S00  chksm

1D90: FF FF E9 BF E7 F9 FE FF
      ^^^^^^^^
  address epilogue

1D98: FF D5 AA AD E6 E6 F9 F2
         ^^^^^^^^
      data prologue

1DA0: 9B FC F4 DA DA ED FF FD

---------------------------------------

  A  TO ANALYZE DATA  ESC TO QUIT

  ?  FOR HELP SCREEN  /  CHANGE PARMS

  Q  FOR NEXT TRACK   SPACE TO RE-READ

                 --^--

The disk is lying to me. The address
field claims to be track $00, but it's
really track $01. Bad disk! Stop lying!

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "FF FF EB"
    set Data Epilogue to "FF FF EB"
  T00 readable
  T01..T04 unreadable (no option to
    ignore the corrupted address field)
  T05..T13 readable
  T14+ unreadable (unformatted)
  T11 looks like DOS 3.3 catalog

Copy ][+ sector editor
  ["P" -> "Sector Editor Patcher"]
    set type to "CUSTOM"
    set Address Epilogue to "FF FF"
    set Data Epilogue to "FF FF EB"
  T00, T05..T13 readable

  ["P" -> "Sector Editor Patcher"]
    set CHECK TRACK to "NO"
  T01, T02 readable!
  only parts of T03 and T04 readable:
    T03: S03,04,05,06,07,0A,0B,0C,0D,0E
    T04: S01,02,04,08,09,0C,0F

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  I don't know. Maybe a nibble check
  during boot?

Next steps:

  1. Super Demuffin to convert the
     tracks that have modified epilogue
     bytes but are otherwise normal,
     complete, and uncorrupted
  2. Trace the boot
  3. See what happens

                   ~

               Chapter 1
  In Which We'll Take What We Can Get


When you first run Super Demuffin, it
asks for the parameters of the original
disk. In this case, the prologue bytes
are the same, but the epilogues are "FF
FF EB" instead of "DE AA EB".

                 --v--

      SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast


   Address prologue: D5 AA 96

   Address epilogue: FF FF EB    DISK
                     ^^^^^     ORIGINAL
change from DE EA----+++++

      Data prologue: D5 AA AD

      Data epilogue: FF FF EB
                     ^^^^^
change from DE AA----+++++


 Ignore write errors while demuffining!


  D - Edit parameters
      <SPACE> - Advance to next parm
      <RETURN> - Exit edit mode
  R - Restore DOS 3.3 parameters
  O - Edit Original disk's parameters
  C - Edit Copy disk's parameters
  G - Begin demuffin process

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI. It assumes that both
disks are in slot 6, and that drive 1
is the original and drive 2 is the
copy.

[S6,D1=original disk]
[S6,D2=blank disk]

                 --v--

     LOCKSMITH 7.0  FAST DISK BACKUP


   R.****...............***************
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0.AAAA...............AAAAAAAAAAAAAAA
   1.AAAA...............AAAAAAAAAAAAAAA
   2.AAAA...............AAAAAAAAAAAAAAA
   3.AAAA...............AAAAAAAAAAAAAAA
   4.AAAA...............AAAAAAAAAAAAAAA
   5.AAAA...............AAAAAAAAAAAAAAA
   6.AAAA...............AAAAAAAAAAAAAAA
   7.AAAA...............AAAAAAAAAAAAAAA
   8.AAAA...............AAAAAAAAAAAAAAA
   9.AAAA...............AAAAAAAAAAAAAAA
   A.AAAA...............AAAAAAAAAAAAAAA
   B.AAAA...............AAAAAAAAAAAAAAA
   C.AAAA...............AAAAAAAAAAAAAAA
   D.AAAA...............AAAAAAAAAAAAAAA
12 E.AAAA...............AAAAAAAAAAAAAAA
   F.AAAA...............AAAAAAAAAAAAAAA
[               ] PRESS [RESET] TO EXIT

                 --^--

That's about what I expected. It can't
read tracks $01-$04 because the address
field is intentionally corrupted, and
it can't read tracks $14-$22 because
they're unformatted. Other than that,
it worked great.

Let's go see what's on those unreadable
tracks.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]CALL -151

*800<2800.28FFM

*801L

; set up ($3E) to call disk controller
; ROM routine from the boot slot
0801-   8A          TXA
0802-   4A          LSR
0803-   4A          LSR
0804-   4A          LSR
0805-   4A          LSR
0806-   09 C0       ORA   #$C0
0808-   85 3F       STA   $3F

; hmm
080A-   A9 04       LDA   #$04
080C-   48          PHA

; machine initialization (memory banks,
; TEXT, IN#0, PR#0, &c.)
080D-   2C 81 C0    BIT   $C081
0810-   20 2F FB    JSR   $FB2F
0813-   2C 52 C0    BIT   $C052
0816-   20 89 FE    JSR   $FE89
0819-   20 93 FE    JSR   $FE93
081C-   20 58 FC    JSR   $FC58
081F-   2C 51 C0    BIT   $C051
0822-   2C 54 C0    BIT   $C054
0825-   2C 52 C0    BIT   $C052

; finish setting up ($3E)
0828-   A9 5C       LDA   #$5C
082A-   85 3E       STA   $3E

; the disk controller ROM always exits
; via $0801, so set that to an RTS so
; we can JSR and not have to set up a
; loop
082C-   A9 60       LDA   #$60
082E-   8D 01 08    STA   $0801

; hmm
0831-   A9 72       LDA   #$72
0833-   48          PHA

OK, we've now pushed $04/$72 on the
stack. That's probably important.

; multi-sector read
; Y = start logical sector ($01)
; X = end logical sector ($09)
; A = start address high byte ($50)
0834-   A0 00       LDY   #$00
0836-   84 FC       STY   $FC
0838-   C8          INY
0839-   A9 50       LDA   #$50
083B-   A2 09       LDX   #$09
083D-   20 52 08    JSR   $0852

; call the code we just read (I'll bet
; my hat that this displays the
; animated Softsmith logo)
0840-   20 00 50    JSR   $5000
0843-   2C 50 C0    BIT   $C050

; another sector read, 3 more sectors
; ($0A..$0C) into $9D00..$9FFF
0846-   A0 0A       LDY   #$0A
0848-   A9 9D       LDA   #$9D
084A-   A2 0C       LDX   #$0C
084C-   20 52 08    JSR   $0852

; another sector read, this time just
; one sector, into $0400 (X is already
; less than Y on entry, so loop will
; exit after one read)
084F-   A9 04       LDA   #$04
0851-   AA          TAX

; falls through to multi-sector read
; entry point (was also called earlier
; from $083D and $084C)
0852-   85 27       STA   $27
0854-   E8          INX
0855-   86 49       STX   $49
0857-   84 F9       STY   $F9

; map logical into physical sector and
; store it in zero page where the disk
; controller ROM will look for it
0859-   B9 70 08    LDA   $0870,Y
085C-   85 3D       STA   $3D

; read sector via disk controller ROM
085E-   20 6B 08    JSR   $086B

; loop until done
0861-   A4 F9       LDY   $F9
0863-   C8          INY
0864-   C4 49       CPY   $49
0866-   90 EF       BCC   $0857
0868-   A5 27       LDA   $27
086A-   60          RTS
086B-   A6 2B       LDX   $2B
086D-   6C 3E 00    JMP   ($003E)

0870-  [00 03 05 07 09 0B 0D 0F]
       [02 04 06 08 0A 0C 0E 01]

That's it. Flexible but compact.

It's a weird combination of reads,
though. 9 pages at $5000. 3 pages at
$9D00. 1 page at $0400.

Of course, we manually pushed $04/$72
on the stack earlier, so once we fall
through to the sector read routine and
it hits the RTS at $088F, it will
"return" to $0472 + 1 = $0473.

Let's interrupt the boot before it gets
there.

                   ~

               Chapter 2
 In Which Things Get Brilliantly Weird


*9600<C600.C6FFM

; set up callback by changing the two
; bytes that are pushed to the stack
96F8-   A9 97       LDA   #$97
96FA-   8D 0B 08    STA   $080B
96FD-   A9 04       LDA   #$04
96FF-   8D 32 08    STA   $0832

; start the boot
9702-   4C 01 08    JMP   $0801

; callback is here -- copy $9D00 stuff
; to lower memory so it survives a
; reboot
9705-   A2 03       LDX   #$03
9707-   A0 00       LDY   #$00
9709-   B9 00 9D    LDA   $9D00,Y
970C-   99 00 1D    STA   $1D00,Y
970F-   C8          INY
9710-   D0 F7       BNE   $9709
9712-   EE 0B 97    INC   $970B
9715-   EE 0E 97    INC   $970E
9718-   CA          DEX
9719-   D0 EE       BNE   $9709

; copy code at $0400 to graphics page
; so it survives a reboot, too
971B-   B9 00 04    LDA   $0400,Y
971E-   99 00 24    STA   $2400,Y
9721-   C8          INY
9722-   D0 F7       BNE   $971B

; turn off slot 6 drive motor
9724-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9727-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$12A

*BRUN TRACE
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 9D00-9FFF,A$1D00,L$300
]BSAVE BOOT1 5000-58FF,A$5000,L$900
]BSAVE BOOT1 0400-04FF,A$2400,L$100
]CALL -151

*5000G
...displays Softsmith logo and exits...

That appears to be self-contained.
Let's see what ends up on $0400. The
entry point was $0473, so let's start
there. I'll have to leave the code at
$2400. Relative branches will look
correct, but absolute addresses in
$04xx will be off by $2000.

*BLOAD BOOT1 0400-04FF,A$2400

*2473L

; not sure what $4A is for yet
2473-   46 4A       LSR   $4A
2475-   20 BB 04    JSR   $04BB

*24BBL

24BB-   A9 A0       LDA   #$A0
24BD-   4C 0B 04    JMP   $040B

*240BL

; call the next line, then fall through
; and execute it again (more on this in
; a minute)
240B-   20 0E 04    JSR   $040E
240E-   20 33 04    JSR   $0433

*2433L

; call the following line, then fall
; through and do it again
2433-   20 36 04    JSR   $0436

; save A and Y
2436-   48          PHA
2437-   98          TYA
2438-   48          PHA

; low-level disk stuff (see below)
2439-   A5 FC       LDA   $FC
243B-   85 FD       STA   $FD
243D-   E6 FC       INC   $FC
243F-   A5 FC       LDA   $FC
2441-   29 03       AND   #$03
2443-   0A          ASL
2444-   05 2B       ORA   $2B
2446-   A8          TAY
2447-   B9 81 C0    LDA   $C081,Y

; wait loop
244A-   A9 30       LDA   #$30
244C-   20 A8 FC    JSR   $FCA8

; more low-level disk stuff
244F-   A5 FD       LDA   $FD
2451-   29 03       AND   #$03
2453-   0A          ASL
2454-   05 2B       ORA   $2B
2456-   A8          TAY
2457-   B9 80 C0    LDA   $C080,Y

; more waiting
245A-   A9 30       LDA   #$30
245C-   20 A8 FC    JSR   $FCA8

; restore A and Y on the way out
245F-   68          PLA
2460-   A8          TAY
2461-   68          PLA
2462-   60          RTS

This is a very clever and compact way
to advance the drive head to the next
track. Normally DOS 3.3 keeps track of
this and has a (much more complicated)
routine to move the head back and forth
as needed. But this loader only needs
to move it forward, so the entire
process collapses to this:

1. Set up the Y register to be a slot
   number (x16) plus the appropriate
   phase (0-3, depending on which track
   the drive head is on)

2. LDA $C081,Y to turn on the
   appropriate stepper motor

3. Wait exactly the right amount of
   time (as measured in CPU cycles)

4. LDA $C080,Y to turn off the
   appropriate stepper motor

5. Wait the right amount of time again

...which is exactly what this routine
at $0436 is doing. But that only gets
us halfway there -- literally, it only
moves the drive head by half a track.
But! Since $0433 "falls through" to
$0436, it ends up doing this twice. Two
half tracks equal one whole track, so
calling the routine at $0433 will move
the drive head to the next whole track.

(By the way, this is why it initialized
zero page $FC to $00 at $0834. That's
the "current" track where the drive
head is at boot; it gets updated when
the drive head advances.)

Everything I know about low-level disk
stepping, I learned from this excellent
Usenet post:
macgui.com/usenet/?group=1&id=31160

Continuing at $0411...

*2411L

2411-   A2 0F       LDX   #$0F
2413-   A0 00       LDY   #$00

; store A in zero page $27, used by the
; disk controller ROM routine as the
; target page to store sectors read
; from disk
2415-   85 27       STA   $27

; X is the final sector to read
2417-   E8          INX
2418-   86 49       STX   $49

; Y is the current sector to read
; (starting with whatever was passed in
; and incrementing until it equals the
; value passed in the X register)
241A-   84 F9       STY   $F9
241C-   98          TYA

; But wait, there's more! Based on the
; high bit of zero page $4A, Y is
; either a logical sector (the map of
; logical->physical sectors is at
; $0263) or a physical sector
241D-   24 4A       BIT   $4A
241F-   30 03       BMI   $2424
2421-   B9 63 04    LDA   $0463,Y

; store physical sector in $3D (again,
; used by the disk controller ROM)
2424-   85 3D       STA   $3D

; read sector by jumping to ($003E),
; which points to $Cx5C (e.g. $C65C if
; booting from slot 6) and exit via
; $0801, which is an RTS by now, so
; this just continues to the next line
2426-   20 00 04    JSR   $0400

; increment sector index
2429-   A4 F9       LDY   $F9
242B-   C8          INY

; are there more sectors to read?
242C-   C4 49       CPY   $49

; yes, branch back and repeat
242E-   90 EA       BCC   $241A

; no, exit with last page (+1) in A
; (disk controller ROM increments this
; after storing sector data, so on exit
; this will be the first page that was
; NOT filled with data in this loop)
2430-   A5 27       LDA   $27
2432-   60          RTS

But wait, it gets better. Not only do
we use this call-and-fall pattern to
advance a whole track (at $0433, which
calls $0436), but we also use it at
$040B, which calls $040E (to advance a
whole track and read a whole track) and
falls through to... $040E! So, with one
call to $040B, we can read two tracks
into consecutive memory; in this case,
$A000..$BFFF.

Fun(*) fact: they're not used on this
disk, but you could call $0408 to read
three tracks, or $0405 to read four.
It's call-and-fall all the way down.

(*)not guaranteed, actual fun may vary

And that brings us all the way back to
$0478.

                   ~

               Chapter 3
         Every Byte Is Sacred,
         Every Byte Is Great,
         If A Byte Gets Wasted,
         Woz Gets Quite Irate


*2478L

2478-   20 95 04    JSR   $0495

*2495L

; advance to track 3
2495-   20 33 04    JSR   $0433

; more zero page fiddling
2498-   A9 00       LDA   #$00
249A-   85 41       STA   $41

; set high bit of zero page $4A
249C-   38          SEC
249D-   66 4A       ROR   $4A

; read 5 sectors into $4000..$44FF
249F-   A9 40       LDA   #$40
24A1-   A0 01       LDY   #$01
24A3-   A2 05       LDX   #$05
24A5-   20 15 04    JSR   $0415

; move the drive head one phase only,
; to the next HALF track
24A8-   20 36 04    JSR   $0436

; read more sectors ($06..$0A) from
; track 3.5
24AB-   A2 0A       LDX   #$0A
24AD-   20 15 04    JSR   $0415

; advance another half track
24B0-   20 36 04    JSR   $0436

; read more sectors ($0B..$0F) from
; track 4
24B3-   A2 0F       LDX   #$0F
24B5-   20 15 04    JSR   $0415

; fiddle with $4A again
24B8-   46 4A       LSR   $4A
24BA-   60          RTS

So here's the deal with $4A: we
initialized it at $0473 by a blind LSR,
which clears the high bit. This tells
the multi-sector read routine at $0415
to use logical sectors. Then we set the
high bit at $049C with SEC + ROR,
indicating we want $0415 to read
physical sectors. Then we read a few
sectors from track 3, a few from track
3.5, and a few from track 4. Then we
reset $4A with another LSR, and we're
back to using logical sectors.

This explains why my EDD bit copy
failed. This disk is storing data on
half tracks. Worse, it's storing data
on *adjacent* half tracks -- a few on
track 3, a few on track 3.5, and a few
on track 4. Due to limitations of the
Disk II drive mechanism, that would be
virtually impossible for a generic bit
copier to reproduce on a blank floppy.

Every part of this code is brilliant.
AND it fits in a single sector in low
memory. AND it's flexible enough to
read from virtually uncopyable disks.

Continuing...

*247BL

; now put slot number (x16) into...
; an RWTS parameter table?!?
247B-   A6 2B       LDX   $2B
247D-   8E E9 B7    STX   $B7E9

; set up DOS globals (tracking where
; the drive head is)
2480-   20 8E BE    JSR   $BE8E
2483-   A5 FC       LDA   $FC
2485-   99 78 04    STA   $0478,Y
2488-   4A          LSR
2489-   8D 78 04    STA   $0478

; push $B7/$3A on the stack
248C-   A9 B7       LDA   #$B7
248E-   48          PHA
248F-   A9 3A       LDA   #$3A
2491-   48          PHA

; and exit through HOME
2492-   4C 58 FC    JMP   $FC58

Execution continues at $B73B (because
we just pushed $B7/$3A on the stack).

                   ~

               Chapter 4
     In Which We Can See The Light
     At The End Of The Tunnel And
       We Just Hope It's Not An
            Oncoming Train


I can interrupt the boot by changing
the values pushed on the stack at
$048C and $048F.

*9600<C600.C6FFM

; set up callback #1 after boot0 loads
; boot1 into $0400
96F8-   A9 97       LDA   #$97
96FA-   8D 0B 08    STA   $080B
96FD-   A9 04       LDA   #$04
96FF-   8D 32 08    STA   $0832

; start the boot
9702-   4C 01 08    JMP   $0801

; callback #1 is here
; change final stack push to call my
; callback #2
9705-   A9 97       LDA   #$97
9707-   8D 8D 04    STA   $048D
970A-   A9 11       LDA   #$11
970C-   8D 90 04    STA   $0490

; continue the boot
970F-   4C 73 04    JMP   $0473

; callback #2 is here
; turn off slot 6 drive motor and
; break to the monitor
9712-   AD E8 C0    LDA   $C0E8
9715-   4C 59 FF    JMP   $FF59

*BSAVE TRACE2,A$9600,L$118

*9600G
...reboots slot 6...
...read read read...
<beep>

At this point, we have a full copy of
DOS 3.3 in memory, albeit put there in
the most roundabout way. Spot checking
the RWTS, it's perfectly normal except
it expects "FF FF EB" epilogue bytes.
Which, by the way, is just the sort of
RWTS that could read tracks $05-$13.

Let me save these chunks before I
forget.

*2000<A000.BFFFM
*C500G
...
]BSAVE BOOT2 4000-4FFF,A$4000,L$1000
]BSAVE BOOT2 A000-BFFF,A$2000,L$2000

That second file includes the DOS-
shaped RWTS that will read the rest of
the disk after initial boot. I'll need
to patch it to read a standard epilogue
instead of "FF FF EB".

]CALL -151

*389E:DE
*38A3:AA
*3935:DE
*393F:AA
*3991:DE
*399B:AA
*3CAE:DE
*3CB3:AA

*BSAVE PATCHED RWTS B800-BFFF,A$3800,
 L$800

                   ~

               Chapter 5
       In Which Simplicity Is In
        The Eye Of The Beholder


Let's write $A000..$BFFF back to tracks
$01 and $02, but all regular and normal
and without corrupted address fields
that claim to be track $00. Then we'll
write $4000..$4FFF to track $03. No
half tracks, no spirals, no tricks.
Just sectors on a disk.

[S6,D1=demuffin'd copy with T05-T13]
[S5,D1=my work disk]

]PR#5
...
]CALL -151

; page count (decremented)
0300-   A9 30       LDA   #$30
0302-   85 FF       STA   $FF

; logical sector (incremented)
0304-   A9 00       LDA   #$00
0306-   85 FE       STA   $FE

; call RWTS to write sector
0308-   A9 03       LDA   #$03
030A-   A0 88       LDY   #$88
030C-   20 D9 03    JSR   $03D9

; increment logical sector, wrap around
; from $0F to $00 and increment track
030F-   E6 FE       INC   $FE
0311-   A4 FE       LDY   $FE
0313-   C0 10       CPY   #$10
0315-   D0 07       BNE   $031E
0317-   A0 00       LDY   #$00
0319-   84 FE       STY   $FE
031B-   EE 8C 03    INC   $038C

; Convert to the interleave order that
; this disk expects
031E-   B9 40 03    LDA   $0340,Y
0321-   8D 8D 03    STA   $038D

; increment page to write
0324-   EE 91 03    INC   $0391

; loop until done with all pages
0327-   C6 FF       DEC   $FF
0329-   D0 DD       BNE   $0308
032B-   60          RTS

; sector interleave table
*340.34F

0340- 00 06 05 04 03 02 01 0F
0348- 0E 0D 0C 0B 0A 09 08 07

; RWTS parameter table, pre-initialized
; with slot 6, drive 1, track $01,
; sector $00, address $2000, and RWTS
; write command ($02)
*388.397

0388- 01 60 01 00 01 00 FB F7
0390- 00 20 00 00 02 00 00 60

*BSAVE MAKE,A$300,L$98
*BLOAD BOOT2 A000-BFFF,A$2000
*BLOAD PATCHED RWTS B800-BFFF,A$3800
*BLOAD BOOT2 4000-4FFF,A$4000
*300G
...write write write...

Now I need to modify the bootloader at
$0473 to read those (perfectly normal)
sectors from those (perfectly normal)
tracks. Specifically, I need to do
two things:

  1. Skip all the spiral/half track
     stuff. I now have all the data on
     whole tracks, not half tracks.

  2. Modify the routine that advances
     the drive head so it updates zero
     page $41 with the current track.
     The sector read routine at $C65C
     compares the track listed in the
     address field to zero page $41 and
     loops forever until it matches.
     $C600 initializes $41 to 0, and
     the original disk never updates
     $41, but everything works because
     the address fields are corrupted
     and all claim to be track 0. HOW
     F---ING ELEGANT IS THAT.

So part of it will be simpler, because
we'll no longer be spiraling between
tracks. But part of it will actually
be more complicated because the address
fields are no longer corrupted. How
bizarre.

This will change the routine at $0495
to read track 3 into $4000..$4FFF:

T00,S09,$95 change to "A9 40 4C 0E 04"

                 --v--

----------- DISASSEMBLY MODE ----------
0095:A9 40          LDA   #$40
0097:4C 0E 04       JMP   $040E

                 --^--

And this will change the routine at
$0433 to increment the track number in
zero page $41:

T00,S09,$33 change to "20 9A 04"
T00,S09,$9A change to "E6 41 4C 36 04"

                 --v--

----------- DISASSEMBLY MODE ----------
0033:20 9A 04       JSR   $049A

----------- DISASSEMBLY MODE ----------
009A:E6 41          INC   $41
009C:4C 36 04       JMP   $0436

                 --^--

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 343
------------------EOF------------------