----------The Algebra Coach II--------- --Introduction to Quadratic Equations-- A 4am crack 2015-09-23 --------------------------------------- Name: The Algebra Coach II: Introduction to Quadratic Equations Genre: educational Year: 1985 Authors: J.M. Lazerges, Activity Records, Inc. Publisher: Educational Activities, Inc. Media: single-sided 5.25-inch floppy OS: DOS 3.3 Previous cracks: none Identical cracks: #462 Library & Media Skills #461 Geometry Alive! Fundamentals of Geometry ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified data epilogue ("BF AA EB" instead of "DE AA EB") Disk Fixer ["O" -> "Input/Output Control"] set Data Epilogue to "BF AA EB" all tracks readable T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "LOADER II" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) EDD worked. What does that tell us? no half or quarter tracks almost certainly no nibble check (just structural changes to epilogue) Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 000 FREE B 002 KWAI B 013 DATA.1 B 032 INPUT.6 B 025 EVA.6 B 002 OILER B 002 STARTUP B 014 HITEXT B 002 INPUTBUFF6 B 022 INTRO B 004 LOGO B 015 PURGE B 024 SCORES B 003 CLOSER B 019 TUTORIAL II B 014 INSTRUCTIONS II B 022 TUTORIAL I B 009 INSTRUCTIONS I B 009 INSTRUCTIONS B 020 CHAPTER 6 B 032 CHAPTER 5 B 028 CHAPTER 3 B 029 CHAPTER 2 B 019 CHAPTER 1 A 057 BASE II A 007 ENDING A 002 BLOADER A 002 TESTER A 006 LOADER II A 008 VARPTR A 003 MAKE STUDFIL A 003 GET STUDFIL T 018 STUDFIL A 029 LOADER ]RUN LOADER II ...hangs... [S5,D1=DOS 3.3 master disk] ]PR#5 ... ]RUN LOADER II,S6,D2 OK, it doesn't like Diversi-DOS 64K for some reason. Either it's calling DOS vectors directly (outside of page 3), or it's using the language card for something and doesn't realize that Diversi-DOS has already relocated itself there. But it works when booted from standard DOS 3.3, which is good. The reason I do this is to check whether there are any runtime checks for subtle differences in the original DOS. If the program runs after booting from a third-party disk, I can eliminate a whole range of possible secondary protections. [S6,D1=demuffin'd copy] ]PR#6 ...grinds... My copy can't read itself yet. This is not unusual. ~ Chapter 2 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP T00,S03,$35 change BF to DE T00,S02,$9E change BF to DE Quod erat liberandum. ~ Epilogue Entering a first name of "SCORES" will take you to an administrative screen to show student records. Entering a first name of "PURGE" will allow you to purge student records. There is no administrative password. --------------------------------------- A 4am crack No. 463 ------------------EOF------------------