----The Quest for the Scarlet Letter--- A 4am crack 2016-04-11 --------------------------------------- Name: The Quest for the Scarlet Letter Genre: educational/adventure Year: 1982 Author: Stephen Cabrinety Publisher: Superior Software Media: single-sided 5.25-inch floppy OS: DOS 3.3 Previous cracks: none Similar cracks: #644 Meteor Mission #491 Alien Addition rev. 2 #420 Fact or Opinion #419 Who What When Where #351 Home Row ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified data epilogue ("BB DD EB" instead of "DE AA EB") Disk Fixer ["O" -> "Input/Output Control"] set Data Epilogue to "BB DD EB" all tracks readable T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "SELECTION.QSL" followed by some control characters (grr) Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) EDD worked. What does that tell us? no half or quarter tracks almost certainly no nibble check (just structural changes to epilogue) Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 :04 FREE *A 000 *B 000 A============================A *A 000 A SUPERIOR SOFTWARE INC. A *A 000 A A *A 000 A COPYRIGHT (C) 1982 A *A 000 A ALL RIGHTS RESERVED A *A 000 A===========================-A *A 000 *B 000 A============================A *A 000 A SUPERIOR SOFTWARE INC. A *A 000 A A *A 000 A COPYRIGHT (C) 1982 A *A 000 A ALL RIGHTS RESERVED A *A 000 A===========================-A *A 000 *B 000 A============================A *A 000 A SUPERIOR SOFTWARE INC. A *A 000 A A *A 000 A COPYRIGHT (C) 1982 A *A 000 A ALL RIGHTS RESERVED A *A 000 A===========================-A *A 000 *B 000 A============================A *A 000 A SUPERIOR SOFTWARE INC. A *A 000 A A *A 000 A COPYRIGHT (C) 1982 A *A 000 A ALL RIGHTS RESERVED A *A 000 A===========================-A *A 000 *B 000 A============================A *A 000 A SUPERIOR SOFTWARE INC. A *A 000 A A *A 000 A COPYRIGHT (C) 1982 A *A 000 A ALL RIGHTS RESERVED A *A 000 A===========================-A *A 000 *B 000 A============================A *A 000 A SUPERIOR SOFTWARE INC. A *A 000 A A *A 000 A COPYRIGHT (C) 1982 A *A 000 A ALL RIGHTS RESERVED A *A 000 A===========================-A ...and so on forever... I suspect the disk catalog has been altered so that one directory sector points to itself as the next directory sector. --v-- -------------- DISK EDIT -------------- TRACK $11/SECTOR $0F/VOLUME $FE/BYTE$00 ---------------------------------------- $00: 00 11 0F 00 00 00 00 00 @QO@@@@@ ^^^^^ "next" directory sector is this sector $08: 00 00 00 66 66 A0 A0 A0 @@@&& $10: A0 A0 A0 A0 A0 A0 A0 A0 $18: A0 A0 A0 A0 A0 A0 A0 A0 $20: A0 A0 A0 A0 A0 A0 A0 A0 $28: A0 A0 A0 A0 00 00 1A 0F @@ZO $30: FF C1 BD BD BD BD BD BD .A====== $38: BD BD BD BD BD BD BD BD ======== $40: BD BD BD BD BD BD BD BD ======== $48: BD BD BD BD BD BD C1 00 ======A@ $50: 00 1B 0F 82 C1 A0 A0 A0 @[O.A $58: D3 D5 D0 C5 D2 C9 CF D2 SUPERIOR $60: A0 D3 CF C6 D4 D7 C1 D2 SOFTWAR $68: C5 A0 C9 CE C3 AE A0 A0 E INC. $70: A0 C1 00 00 1C 0F 82 C1 A@@\O.A $78: A0 A0 A0 A0 A0 A0 A0 A0 --------------------------------------- BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL --------------------------------------- COMMAND : _ --^-- Whee. [S6,D1=demuffin'd copy] ]PR#6 ...grinds then crashes... My demuffin'd copy can not read itself, because it's still looking for the non- standard epilogue bytes. This is so common, I wrote a tool to fix it for me automatically: "Post-Demuffin Patcher". (I am not good with names.) I included the binary on my work disk, but you can download the source code at https://archive.org/details/ PostDemuffinPatcher4am It does a lot more than just fix non- standard epilogue bytes, but it looks like that's the only thing this disk needs. But let's find out! ~ Chapter 2 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP T00,S03,$35 change BB to DE T00,S03,$3F change DD to AA T00,S02,$9E change BB to DE T00,S02,$A3 change DD to AA Quod erat liberandum. --------------------------------------- A 4am crack No. 662 ------------------EOF------------------