---------Starting with Phonics---------
A 4am crack                  2014-05-27
---------------------------------------

"Starting with Phonics" is a 1983
educational program programmed by
Clifford T. Schafer and published by
K-12 MicroMedia.

COPYA fails with a disk read error
almost immediately. EDD 4 bit copy
gives no read errors, but the copy just
grinds endlessly.

Turning to my trusty Copy ][+ sector
editor, it appears that sectors 0-9 on
track 0 are encoded normally. Beyond
that, things get weird. Pressing "P" to
enter the Sector Editor Patcher, I
select "DOS 3.3 PATCHED" to see if I
can read the sector data by ignoring
address and data epilogues. No such
luck. But if I go further and select
"CUSTOM", then turn off the checksum of
the data field, I can read the sectors.
But they're all garbage. Like they're
encrypted or something.

The original sounds like a DOS 3.3 boot
(track $02 --> $01 --> $00 --> $11 &c.)
But here's what Copy ][+ thinks is on
T11,S0F:


SECTOR EDITOR                   DRIVE 1

00- FB 76 F9 EA F7 F9 F9 FA  {vyjwyyz
08- F9 F9 F9 F9 F9 EB F6 7B  yyyyykv{
10- 31 3C 35 35 36 59 59 59  1<556YYY
18- 59 59 59 59 59 59 59 59  YYYYYYYY
20- 59 59 59 59 59 59 59 59  YYYYYYYY
28- 59 59 59 59 59 59 FA F9  YYYYYYzy
30- EA F6 7D 31 36 35 35 36  jv}16556
38- 2E 59 59 59 59 59 59 59  .YYYYYYY
40- 59 59 59 59 59 59 59 59  YYYYYYYY
48- 59 59 59 59 59 59 59 59  YYYYYYYY
50- 59 D8 F9 ED F6 7D 33 34  YXymv}34
58- 37 34 35 2C 4B 5A 5B 5B  745,KZ[[
60- 5B 5B 5B 5B 5B 5B 5B 5B  [[[[[[[[
68- 5B 5B 5B 5B 5B 5B 5B 5B  [[[[[[[[
70- 5B 5B 5B 5B DA FB EE F4  [[[[Z{nt
78- FF 34 37 3F 55 2F 32 2F  .47?U/2/
80- 37 3E 5B 5B 5B 5B 5B 5B  7>[[[[[[


TRACK $11  SECTOR $0F   CUSTOM


That... is not a disk catalog. Or is
it? If you squint, it kind of looks
like one. A short sequence of bytes in
the $3x range, then a long string of
$59. It feels like that *could* be an
encrypted version of "HELLO" followed
by spaces. Or maybe I'm just imagining
it, seeing patterns where none exist.

Anyway, the original disk boots and
runs. This sector, if it is encrypted,
has to get decrypted at some point.
Let's see if I can use the original
disk as a weapon against itself.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

For those of you just tuning in, my
work disk uses a custom program that I
affectionately call "AUTOTRACE" to
automate the process of boot tracing as
far as possible. For some disks, this
just captures track 0, sector 0 (saved
in a file called "BOOT0") and stops.
For other disks that load in the same
way that an unprotected DOS 3.3 disk
loads, it captures the next stage of
the boot process as well (in a file
called "BOOT1"). BOOT1 contains sectors
0-9 on track 0, which are loaded into
memory at $B600..$BFFF. This generally
contains the RWTS routines which the
program uses to read the rest of the
disk.

If the RWTS is fairly normal as well
(and my AUTOTRACE program just spot-
checks a few memory locations to guess
at its "normalcy"), there's a good
chance I'll be able to use a tool
called Advanced Demuffin (written in
1983 by The Stack) to convert the disk
from whatever weird format it uses to
store its sector data into a standard
disk readable by unprotected DOS 3.3
disks or any other third-party tools.
In this case, AUTOTRACE extracts the
RWTS routines (generally loaded from
track 0, sectors 2-9 into $B800..$BFFF)
and saves *that* into a third file
called "RWTS".

If anything looks fishy or non-
standard, AUTOTRACE just stops, and I
have to check the files it saved so far
to determine why. But in this case, it
ran all the way through, automatically
capturing BOOT0, BOOT1, and RWTS files.
Now I can use Advanced Demuffin to
convert the disk to a standard format.
(It uses the disk's own RWTS to read
the original, then a standard DOS 3.3-
compatible RWTS to write out the data,
sector by sector.)

[S6,D1=my work disk]

]PR#6
]BRUN ADVANCED DEMUFFIN 1.1

--> LOAD NEW RWTS MODULE
    At $B8, load "RWTS"
    from D1

[S6,D1=original disk]
[S6,D2=blank disk]

--> FORMAT TARGET DISK

...grind grind grind...

--> CONVERT DISK

This disk is 16 sectors, and the
default options (copy the entire disk,
all tracks, all sectors) don't need to
be changed unless something goes
horribly wrong.

                 --v--

ADVANCED DEMUFFIN 1.1  - COPYRIGHT 1983
WRITTEN BY THE STACK -CORRUPT COMPUTING
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:R..................................
SC1:R..................................
SC2:R..................................
SC3:R..................................
SC4:R..................................
SC5:R..................................
SC6:R..................................
SC7:R..................................
SC8:R..................................
SC9:R..................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16 SC $00,$00 TO $22,$0F BY $01 TO DRV2

                 --^--

Well, the disk's own RWTS can't read
the boot1 code on track 0 (sectors
0-9), but that's OK. I captured that
separately (in the "BOOT1" file), and I
can replace it manually if I need to.
Everything else appears to have gone as
well as could be expected. The real
question is... did it work? Was copying
the disk with its own RWTS enough to
decrypt the data? Or am I still left
with garbage?

[S6D1=demuffin'd copy]
[S5D1=my work disk]

]PR#5
...
]CATALOG,S6,D1

C1983 DSR^C#254
349 FREE

*A 003 HELLO
*B 033 HOLLOW
*B 033 HOLLOW2
 B 034 OLD.TITLE
*A 044 STARTING

]RUN HELLO

Good news, everyone! The program loads
and runs without complaint. All further
disk access is done through standard
DOS functions.  (It even runs from
drive 2.) There doesn't appear to be
any kind of nibble check or other copy
protection, beyond the custom RWTS.

Now to make the disk be able to read
itself (remember, it still has the
original RWTS on it)...

Using Copy ][+, I can "copy DOS" from a
freshly initialized disk onto the
demuffin'd copy. This function of Copy
][+ just sector-copies tracks 0-2 from
one disk to another, but it's easier
than setting that up manually in some
other copy program.

Copy ][+
  --> COPY
    --> DOS
      --> from slot 6, drive 2
      -->   to slot 6, drive 1

[S6D1=demuffin'd copy]
[S6D2=newly formatted Pronto-DOS disk]

...read read read...
...write write write...

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 54
------------------EOF------------------