-----------Basic Electronics-----------
-------------Atomic Theory-------------
A 4am crack                  2016-01-13
-------------------.  updated 2016-01-14
                   |___________________

Name: Basic Electronics: Atomic Theory
Genre: educational
Year: 1983
Publisher: Encyclopaedia Britannica
  Educational Corporation
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none
Similar cracks: #187 Terrapin Logo 1.3
                #178 Terrapin Logo 2.0

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy reboots endlessly

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: FF AA EB, data: B6 AA EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "FF AA EB"
  set Data Epilogue to "B6 AA EB"
  Success! All tracks readable!

  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is
    "ATOMIC THEORY PROG.INIT"

T00,S06 has an interesting message:

--v--
------------- DISK EDIT ---------------
TRACK $00/SECTOR $06/VOLUME $FE/BYTE$00
---------------------------------------
$00:>A03!+E,W
$D0: AC 6F AC 2A AD 97 AD EE   ,/,*-.-n
$D8: AC F5 AC 39 AC 11 AD 8D   ,u,9,Q-.
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
---------------------------------------
COMMAND : _
--^--

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot
  (programs do not spontaneously reboot
  unless someone tells them to)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format with
     Advanced Demuffin
  3. patch RWTS to read standard format
  4. find nibble check and bypass it

Let's go crack "The Safe."
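The epilogue change is the whole reason the stock copiers fail. An address field on a DOS 3.3 disk is the prologue D5 AA 96, then volume, track, sector and a checksum in "4-and-4" encoding, then the epilogue; a stock RWTS compares the first two epilogue bytes against DE AA and reports a read error when they differ. The parser below is an added example (not code from the write-up or from any of the tools it names) that builds one constructed address field with this disk's FF AA EB epilogue and reads it back with both expectations, which is exactly the difference between COPYA and the reconfigured Disk Fixer. The nibble stream, the sync bytes and the helper names are all constructed for the example.

```python
"""Added example: parse a DOS 3.3 address field with configurable epilogue bytes.

A stock DOS 3.3 RWTS expects the address epilogue DE AA (the third byte, EB, is
not checked). Copy ][+ showed this disk uses FF AA EB instead, which is why
COPYA and Locksmith FDB report read errors on every track and why Disk Fixer
reads everything once told the new epilogue. The nibble stream below is
constructed for this example, not captured from the disk.
"""
from dataclasses import dataclass
from typing import Optional

ADDRESS_PROLOGUE = bytes([0xD5, 0xAA, 0x96])
STANDARD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])   # DOS 3.3 default
THIS_DISK_EPILOGUE = bytes([0xFF, 0xAA, 0xEB])  # as found by Copy ][+


def encode_4and4(value: int) -> bytes:
    """DOS 3.3 '4-and-4' encoding: one data byte becomes two disk bytes,
    odd bits in the first, even bits in the second, the other bits set."""
    return bytes([((value >> 1) | 0xAA) & 0xFF, (value | 0xAA) & 0xFF])


def decode_4and4(first: int, second: int) -> int:
    """Inverse of encode_4and4."""
    return ((first << 1) | 1) & second & 0xFF


@dataclass
class AddressField:
    volume: int
    track: int
    sector: int


def build_address_field(volume: int, track: int, sector: int, epilogue: bytes) -> bytes:
    """Constructed sample address field: prologue, 4-and-4 volume/track/sector,
    4-and-4 checksum (XOR of the three), then the epilogue."""
    checksum = volume ^ track ^ sector
    body = b"".join(encode_4and4(v) for v in (volume, track, sector, checksum))
    return ADDRESS_PROLOGUE + body + epilogue


def read_address_field(stream: bytes, expected_epilogue: bytes) -> Optional[AddressField]:
    """Behave like an RWTS address-field read: locate the prologue, decode the
    fields, verify the checksum, then verify as many epilogue bytes as the
    caller expects (pass two bytes to mirror stock DOS 3.3, which ignores the
    third). Returns None wherever RWTS would flag a read error."""
    start = stream.find(ADDRESS_PROLOGUE)
    if start < 0:
        return None
    p = start + len(ADDRESS_PROLOGUE)
    if len(stream) < p + 8 + len(expected_epilogue):
        return None
    volume, track, sector, checksum = (
        decode_4and4(stream[p + i], stream[p + i + 1]) for i in (0, 2, 4, 6)
    )
    if checksum != volume ^ track ^ sector:
        return None
    if stream[p + 8:p + 8 + len(expected_epilogue)] != expected_epilogue:
        return None
    return AddressField(volume, track, sector)


def demo():
    """T00,S06 of volume $FE as Copy ][+ described it: standard prologue,
    FF AA EB epilogue, surrounded by a few constructed sync bytes. Returns
    (what a stock RWTS sees, what a reader told about the new epilogue sees)."""
    field = build_address_field(0xFE, 0x00, 0x06, THIS_DISK_EPILOGUE)
    stream = bytes([0xFF] * 5) + field + bytes([0xFF] * 5)
    stock = read_address_field(stream, STANDARD_EPILOGUE[:2])   # COPYA's RWTS
    tuned = read_address_field(stream, THIS_DISK_EPILOGUE[:2])  # Disk Fixer, I/O Control set
    return stock, tuned


if __name__ == "__main__":
    print(demo())
```

The stock read returns None (a read error on every sector, hence every track), while the reader given the disk's own epilogue decodes volume $FE, track $00, sector $06. That is also why the Chapter 3 patches only have to touch the first epilogue byte in each RWTS check.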
~

Chapter 1
In Which We Attempt To Use The Original
Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
267 FREE

*A 002 ATOMIC THEORY PROG.INIT
*A 007 WELCOME.ATOMS.ELEC
*A 057 ATOMS.ELEC-1
*A 008 WELCOME.CON.CHAR.CUR
*B 014 HELLO
*B 026 ALL-BINARY
*B 002 CHRPRNT1
*B 002 ID.ATOMIC.TH.1
*B 010 CIRCLE.OBJ
*A 002 ATOM.TH.1.A
*A 019 ATOMIC.TH.1.MR
*A 013 INDEX.ATOM.TH.1
*B 010 ALTS.FONT
*A 057 CON.CHAR.CUR-1

]RUN ATOMIC THEORY PROG.INIT

...works...

[S6,D1=demuffin'd copy]

]PR#6

...grinds then reboots...

Hmm.
~

Chapter 2
In Which We Go Safe-Cracking And Discover
A Most Curious Lock

]PR#5
]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G ; disconnect DOS
*B600<2600.2FFFM ; move DOS into place

*B700L
.
. nothing unusual, until...
.
B738-   20 00 BB    JSR   $BB00   <-- !

At $B738, I was expecting a call to $B793,
the multi-sector read routine. There
shouldn't be any code at $BB00. That page
is used as scratch space by the RWTS, and
it's overwritten on every sector read.

*BB00L

; relocate this code to graphics page
BB00-   A2 00       LDX   #$00
BB02-   BD 00 BB    LDA   $BB00,X
BB05-   9D 00 40    STA   $4000,X
BB08-   CA          DEX
BB09-   D0 F7       BNE   $BB02

; and continue there
BB0B-   4C 0E 40    JMP   $400E

; save RWTS parameter table
BB0E-   A2 10       LDX   #$10
BB10-   BD E8 B7    LDA   $B7E8,X
BB13-   9D 69 40    STA   $4069,X
BB16-   CA          DEX
BB17-   10 F7       BPL   $BB10

; track $02
BB19-   A9 02       LDA   #$02
BB1B-   8D EC B7    STA   $B7EC

; sector $0F
BB1E-   A9 0F       LDA   #$0F
BB20-   8D ED B7    STA   $B7ED

; volume $00 (wildcard)
BB23-   A9 00       LDA   #$00
BB25-   8D EB B7    STA   $B7EB

; store at $4100
BB28-   A9 00       LDA   #$00
BB2A-   8D F0 B7    STA   $B7F0
BB2D-   A9 41       LDA   #$41
BB2F-   8D F1 B7    STA   $B7F1

; read
BB32-   A9 B7       LDA   #$B7
BB34-   A0 E8       LDY   #$E8
BB36-   20 00 BD    JSR   $BD00

; fail on read error
BB39-   B0 07       BCS   $BB42

; read entire track
BB3B-   CE ED B7    DEC   $B7ED
BB3E-   10 F2       BPL   $BB32

; continue at $BB45
BB40-   30 03       BMI   $BB45

; failure path is here -- reboot
; immediately (this explains the
; behavior I saw on my failed
; bit copy)
BB42-   4C 00 C6    JMP   $C600

; copy protection continues here
BB45-   EA          NOP
BB46-   EA          NOP
BB47-   EA          NOP

; sector $00
BB48-   A9 00       LDA   #$00
BB4A-   8D ED B7    STA   $B7ED

; write?!?
BB4D-   A9 02       LDA   #$02
BB4F-   8D F4 B7    STA   $B7F4

; call RWTS to write the sector we just
; read (back to T02,S00)
BB52-   A9 B7       LDA   #$B7
BB54-   A0 E8       LDY   #$E8
BB56-   20 00 BD    JSR   $BD00

; aha!
; if that *worked*, fail
BB59-   90 E7       BCC   $BB42

; restore original RWTS parameter table
BB5B-   A2 10       LDX   #$10
BB5D-   BD 69 40    LDA   $4069,X
BB60-   9D E8 B7    STA   $B7E8,X
BB63-   CA          DEX
BB64-   10 F7       BPL   $BB5D

; continue to real multi-sector read
BB66-   4C 93 B7    JMP   $B793

Did you catch that? This is a very
elaborate way of checking that the disk
is... write-protected. The bytes it writes
are the ones it just read from T02,S00
into $4100, so a successful write changes
nothing on the disk; only the carry flag
matters, and a successful write means
"this is a copy."

To verify this, I went back to the copy I
made with EDD 4 bit copy, and
write-protected the disk. It boots right
up without complaint.

~

Chapter 3
In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That I
Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; fix epilogue byte checking in RWTS
T00,S03,$91 change FF to DE
T00,S03,$35 change B6 to DE
T00,S06,$AE change FF to DE
T00,S02,$9E change B6 to DE

; bypass copy protection
T00,S01,$39 change 00BB to 93B7

Quod erat liberandum.

~

Changelog

2016-01-14 - typo
2016-01-13 - initial release

---------------------------------------
A 4am crack No. 563
------------------EOF------------------
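To make the Chapter 2 check and the Chapter 3 patch concrete, here is an added Python model (not code from the write-up, from PDP, or from DOS 3.3 itself) that replays $BB0E-$BB66 against a stand-in RWTS and then applies the one-operand patch at T00,S01,$39. The IOB offsets are the stock DOS 3.3 ones the listing stores into ($B7EB volume, $B7EC track, $B7ED sector, $B7F0/$B7F1 buffer, $B7F4 command); the disk contents, the write-protect error code handling, the `FakeDisk` class and the sample sector are constructed assumptions for the example.

```python
"""Added example: a model of the $BB00 copy-protection check (Chapter 2) and of
the single patch that bypasses it (Chapter 3). The disk image, the RWTS
stand-in and the sample T00,S01 sector are constructed for this example."""

# DOS 3.3 RWTS parameter table (IOB at $B7E8) offsets used by the listing.
IOB_VOLUME, IOB_TRACK, IOB_SECTOR = 0x03, 0x04, 0x05   # $B7EB, $B7EC, $B7ED
IOB_BUFFER_LO, IOB_BUFFER_HI = 0x08, 0x09              # $B7F0, $B7F1
IOB_COMMAND, IOB_RETURN = 0x0C, 0x0D                   # $B7F4, $B7F5
CMD_READ, CMD_WRITE = 0x01, 0x02
ERR_WRITE_PROTECT = 0x10                               # RWTS return code
REBOOT, CONTINUE = "JMP $C600", "JMP $B793"


class FakeDisk:
    """Constructed stand-in for the disk in S6,D1: 35 tracks of 16 sectors,
    each filled with a recognisable byte so writes can be checked."""

    def __init__(self, write_protected: bool):
        self.write_protected = write_protected
        self.sectors = {(t, s): bytes([t ^ s] * 256)
                        for t in range(0x23) for s in range(0x10)}
        self.writes = 0


def rwts(iob: bytearray, disk: FakeDisk, memory: bytearray) -> bool:
    """Stand-in for JSR $BD00. Returns the carry flag: True means error, and
    the IOB return code says why. A write to a write-protected disk fails
    before touching the media, which is the behaviour the check relies on."""
    key = (iob[IOB_TRACK], iob[IOB_SECTOR])
    addr = iob[IOB_BUFFER_LO] | (iob[IOB_BUFFER_HI] << 8)
    command = iob[IOB_COMMAND]
    if command == CMD_READ:
        memory[addr:addr + 256] = disk.sectors[key]
        iob[IOB_RETURN] = 0
        return False
    if command == CMD_WRITE:
        if disk.write_protected:
            iob[IOB_RETURN] = ERR_WRITE_PROTECT
            return True
        disk.sectors[key] = bytes(memory[addr:addr + 256])
        disk.writes += 1
        iob[IOB_RETURN] = 0
        return False
    raise ValueError(f"unsupported RWTS command {command:#x}")


def protection_check(disk: FakeDisk) -> str:
    """Replay $BB0E-$BB66 step by step and report where the code ends up."""
    memory = bytearray(0x10000)
    iob = bytearray(0x11)
    saved = bytes(iob)                 # $BB0E: stash the table at $4069
    iob[IOB_TRACK] = 0x02              # $BB19
    iob[IOB_SECTOR] = 0x0F             # $BB1E
    iob[IOB_VOLUME] = 0x00             # $BB23: wildcard
    iob[IOB_BUFFER_LO] = 0x00          # $BB28: buffer $4100
    iob[IOB_BUFFER_HI] = 0x41
    iob[IOB_COMMAND] = CMD_READ
    while True:                        # $BB32: read T02 from S0F down to S00
        if rwts(iob, disk, memory):
            return REBOOT              # $BB39: BCS -> JMP $C600
        if iob[IOB_SECTOR] == 0:
            break                      # $BB3B: DEC/BPL falls through at $FF
        iob[IOB_SECTOR] -= 1
    iob[IOB_SECTOR] = 0x00             # $BB48
    iob[IOB_COMMAND] = CMD_WRITE       # $BB4D
    if not rwts(iob, disk, memory):    # $BB56
        return REBOOT                  # $BB59: BCC -> the write worked
    iob[:] = saved                     # $BB5B: restore the table
    return CONTINUE                    # $BB66


def apply_pdp_patch(t00_s01: bytearray) -> bytearray:
    """Chapter 3's patch: the JSR at $B738 sits at offset $38 of T00,S01;
    its operand at $39-$3A changes from $BB00 to $B793."""
    if bytes(t00_s01[0x38:0x3B]) != bytes([0x20, 0x00, 0xBB]):
        raise ValueError("expected JSR $BB00 at T00,S01,$38")
    patched = bytearray(t00_s01)
    patched[0x39:0x3B] = bytes([0x93, 0xB7])
    return patched


def boot_step_b738(t00_s01: bytearray, disk: FakeDisk) -> str:
    """What the JSR at $B738 reaches: the original operand runs the check,
    the patched operand goes straight to the multi-sector read."""
    target = t00_s01[0x39] | (t00_s01[0x3A] << 8)
    if target == 0xBB00:
        return protection_check(disk)
    if target == 0xB793:
        return CONTINUE
    raise ValueError(f"unexpected JSR target ${target:04X}")


def sample_t00_s01() -> bytearray:
    """Constructed sector: all zeros except the JSR $BB00 at offset $38."""
    sector = bytearray(256)
    sector[0x38:0x3B] = bytes([0x20, 0x00, 0xBB])
    return sector


if __name__ == "__main__":
    print("original, write-protected:", boot_step_b738(sample_t00_s01(), FakeDisk(True)))
    print("copy, not protected:     ", boot_step_b738(sample_t00_s01(), FakeDisk(False)))
    print("patched copy:            ", boot_step_b738(apply_pdp_patch(sample_t00_s01()), FakeDisk(False)))
```

Run against a write-protected disk the model ends at $B793; against an unprotected copy the write succeeds and it ends at $C600 with T02,S00 holding the same bytes as before, which is why the author's bit copy booted once the write-protect tab was covered. After the patch the check is never reached, so the notch no longer matters.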