---------------Word Walk--------------- A 4am crack 2016-04-25 --------------------------------------- Name: Word Walk Genre: educational Year: 1984 Publisher: Random House, Inc. Media: single-sided 5.25-inch floppy OS: DOS 3.3 Previous cracks: none Identical cracks: #647 Galaxy Math #467 Snoopy To The Rescue #441 Garfield Double Dares #188 Garfield, Eat Your Words ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) copy works Copy ][+ nibble editor all tracks use standard prologues (address: D5 AA 96, data: D5 AA AD) but modified address epilogue (AA DE EB instead of DE AA EB) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "AA DE EB" Success! All tracks readable! T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "STEX" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) EDD worked. What does that tell us? probably just structural protection (modified epilogue), no nibble check Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ]CATALOG,S6,D2 C1983 DSR^C#254 044 FREE A 004 HELLO B 054 MC.OBJ B 019 H2.OBJ B 011 H.OBJ B 013 WIN5.OBJ B 008 GAME1.CPRS B 051 GAME.OBJ B 004 H0.OBJ *T 004 GF1 B 003 MUSIC B 002 GAME.MSC B 017 H3.OBJ B 003 CIRCLE.SHP *B 006 TEXT B 007 WIN7.OBJ *B 017 RUNTIME *T 003 GF2 B 007 T2.CPRS *T 002 OB B 006 T1.CPRS B 004 GREXPA B 034 BALL.PIC B 010 WIN6.OBJ B 013 H2.5.OBJ B 034 W1.PIC B 006 SMALL.FNT B 034 W2.PIC B 007 CR.CPRS B 010 HRCG B 009 GAME2.CPRS B 011 STEX B 004 GREXPA2 T 016 DF2 B 003 H3.5.OBJ T 016 DF1 ]BRUN STEX ...works... [S6,D1=demuffin'd copy] ]PR#6 ...grinds then crashes... My demuffin'd copy can not read itself, because it's still looking for the non- standard epilogue bytes. This is so common, I wrote a tool to fix it for me automatically: "Post-Demuffin Patcher". (I am not good with names.) I included the binary on my work disk, but you can download the source code at https://archive.org/details/ PostDemuffinPatcher4am It does a lot more than just fix non- standard epilogue bytes, but it looks like that's the only thing this disk needs. But let's find out! ~ Chapter 2 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP T00,S03,$91 change AA to DE T00,S03,$9B change DE to AA T00,S06,$AE change AA to DE T00,S06,$B3 change DE to AA Quod erat liberandum. ~ Acknowledgements Many thanks to LoGo for supplying the the original floppy disk. --------------------------------------- A 4am crack No. 674 ------------------EOF------------------