-----------Basic Electronics-----------
--------Electronic Fundamentals--------
A 4am crack                  2016-01-13
-------------------.
updated 2016-01-14 |___________________

Name: Basic Electronics: Electronic Fundamentals
Genre: educational
Year: 1983
Publisher: Encyclopaedia Britannica Educational Corporation
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none
Similar cracks:
  #563 Basic Electronics: Atomic Theory
  #187 Terrapin Logo 1.3
  #178 Terrapin Logo 2.0

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy reboots endlessly

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: 96 AA EB, data: 96 AA EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "96 AA EB"
  set Data Epilogue to "96 AA EB"
  Success! All tracks readable!

  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is
             "ELEC FUND PROG.INIT"

T00,S06 has an interesting message:

--v--
------------- DISK EDIT ---------------
TRACK $00/SECTOR $06/VOLUME $FE/BYTE$00
---------------------------------------
$00:>A0F7<0D 00 0B 01 00 FE 00  wM@KA@~@
$68: 01 00 06 00 01 00 00 00  A@F@A@@@
$70: 00 00 00 03 00 C5 CC C5  @@@C@ELE
$78: C3 A0 C6 D5 CE C4 A0 D0  C FUND P
$80: D2 CF C7 AE C9 CE C9 D4  ROG.INIT
$88: A0 A0 A0 A0 A0 A0 A0 A0
$90: A0 A0 A0 D0 D2 CF D4 C5     PROTE
$98: C3 D4 C5 C4 A0 D7 C9 D4  CTED WIT
$A0: C8 A0 D3 C1 C6 C5 A0 B1  H SAFE 1
$A8: AE B1 A0 A0 A0 A0 A0 A0  .1
$B0: A0 03 84 00 00 00 40 00   C.@@@@@
$B8: C1 D0 D0 CC C5 D3 CF C6  APPLESOF
$C0: D4 E8 B7 BB B3 BB B4 00  Th7;3;4@
$C8: C0 7E B3 21 AB 05 AC 57  @>3!+E,W
$D0: AC 6F AC 2A AD 97 AD EE  ,/,*-.-n
$D8: AC F5 AC 39 AC 11 AD 8D  ,u,9,Q-.
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
---------------------------------------
COMMAND : _
--^--

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot
  (programs do not spontaneously reboot
  unless someone tells them to)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format with
     Advanced Demuffin
  3. patch RWTS to read standard format
  4. find nibble check and bypass it

Let's go crack "The Safe."

~

Chapter 1
In Which We Attempt To Use The Original
Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5 (C) 1983, 2014
ORIGINAL BY THE STACK   UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
038 FREE

*A 002 ELEC FUND PROG.INIT
*A 037 HOHMS.LAW-2
*A 004 BOOT.PLE
 B 019 PLE.48
 B 019 PLE.LC
*B 005 ESCAPE SAVE
*A 035 WELCOME.OHM'S.LAW
*A 022 OHMS.LAW-1
*A 002 ELEC.FUND.1.A
*B 015 HELLO
*B 026 ALL-BINARY
*B 010 ALTS.FONT
*B 002 ID.ELEC.FUND.1
*B 010 CIRCLE.OBJ
*A 018 ELEC.FUND.1.MR
*A 014 INDEX.ELEC.FUND.1
*A 019 WELCOME.CURRENT.VOLTAGE
*A 013 CURRENT.VOLTAGE-1
*A 029 CURRENT.VOLTAGE-2
*A 018 CURRENT.VOLTAGE-3
*A 037 OHMS.LAW-2
*A 036 WELCOME.DC.POWER
*A 016 DC.POWER-1
*A 029 DC.POWER-2
*A 021 DC.POWER-3

]RUN ELEC FUND PROG.INIT
...works...

[S6,D1=demuffin'd copy]

]PR#6
...grinds then reboots...

Hmm.

~

Chapter 2
In Which We Go Safe-Cracking And
Discover A Most Curious Lock

]PR#5
]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G    ; disconnect DOS
*B600<2600.2FFF ; move DOS into place

*B700L
.
. nothing unusual, until...
.
B738-   20 00 BB    JSR   $BB00  <-- !

At $B738, I was expecting a call to $B793, the multi-sector read routine. There shouldn't be any code at $BB00. That page is used as scratch space by the RWTS, and it's overwritten on every sector read.
*BB00L

; relocate this code to graphics page
BB00-   A2 00       LDX   #$00
BB02-   BD 00 BB    LDA   $BB00,X
BB05-   9D 00 40    STA   $4000,X
BB08-   CA          DEX
BB09-   D0 F7       BNE   $BB02

; and continue there
BB0B-   4C 0E 40    JMP   $400E

; save RWTS parameter table
BB0E-   A2 10       LDX   #$10
BB10-   BD E8 B7    LDA   $B7E8,X
BB13-   9D 69 40    STA   $4069,X
BB16-   CA          DEX
BB17-   10 F7       BPL   $BB10

; track $02
BB19-   A9 02       LDA   #$02
BB1B-   8D EC B7    STA   $B7EC

; sector $0F
BB1E-   A9 0F       LDA   #$0F
BB20-   8D ED B7    STA   $B7ED

; volume $00 (wildcard)
BB23-   A9 00       LDA   #$00
BB25-   8D EB B7    STA   $B7EB

; store at $4100
BB28-   A9 00       LDA   #$00
BB2A-   8D F0 B7    STA   $B7F0
BB2D-   A9 41       LDA   #$41
BB2F-   8D F1 B7    STA   $B7F1

; read
BB32-   A9 B7       LDA   #$B7
BB34-   A0 E8       LDY   #$E8
BB36-   20 00 BD    JSR   $BD00

; fail on read error
BB39-   B0 07       BCS   $BB42

; read entire track
BB3B-   CE ED B7    DEC   $B7ED
BB3E-   10 F2       BPL   $BB32

; continue at $BB45
BB40-   30 03       BMI   $BB45

; failure path is here -- reboot
; immediately (this explains the
; behavior I saw on my failed
; bit copy)
BB42-   4C 00 C6    JMP   $C600

; copy protection continues here
BB45-   EA          NOP
BB46-   EA          NOP
BB47-   EA          NOP

; sector $00
BB48-   A9 00       LDA   #$00
BB4A-   8D ED B7    STA   $B7ED

; write?!?
BB4D-   A9 02       LDA   #$02
BB4F-   8D F4 B7    STA   $B7F4

; call RWTS to write the sector we just
; read (back to T02,S00)
BB52-   A9 B7       LDA   #$B7
BB54-   A0 E8       LDY   #$E8
BB56-   20 00 BD    JSR   $BD00

; aha! if that *worked*, fail
BB59-   90 E7       BCC   $BB42

; restore original RWTS parameter table
BB5B-   A2 10       LDX   #$10
BB5D-   BD 69 40    LDA   $4069,X
BB60-   9D E8 B7    STA   $B7E8,X
BB63-   CA          DEX
BB64-   10 F7       BPL   $BB5D

; continue to real multi-sector read
BB66-   4C 93 B7    JMP   $B793

Did you catch that? This is a very elaborate way of checking that the disk is... write-protected.

To verify this, I went back to the copy I made with EDD 4 bit copy, and write-protected the disk. It boots right up without complaint.
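The patches listed in Chapter 3 below, applied to a DOS-order (.dsk) image, as an added example that is not code from the write-up or from 4am's PDP tool: it verifies each original byte before writing, so a wrong or already-patched image is refused, and decodes the JSR at $B738 to confirm the bypass. The track-0 sector to RAM mapping (S00 at $B600, S01 at $B700, and so on) and the blank image are assumptions; the write-up's offsets imply the mapping but do not state it.

```python
# Added example, not code from the write-up or from 4am's PDP tool: apply the
# Chapter 3 patches to a DOS-order (.dsk) image, verifying each original byte first.

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
DOS_BASE = 0xB600  # assumed from the write-up's offsets: T00,S00 is $B600, S01 is $B700, ...
# (track, sector, byte, original bytes, replacement bytes), as listed in Chapter 3
PATCHES = [
    (0x00, 0x03, 0x91, b"\x96", b"\xDE"),  # RWTS epilogue checks: accept the
    (0x00, 0x03, 0x35, b"\x96", b"\xDE"),  # standard $DE instead of this
    (0x00, 0x06, 0xAE, b"\x96", b"\xDE"),  # disk's $96
    (0x00, 0x02, 0x9E, b"\x96", b"\xDE"),
    (0x00, 0x01, 0x39, b"\x00\xBB", b"\x93\xB7"),  # JSR $BB00 -> JSR $B793
]

def image_offset(track, sector, byte=0):
    """Offset of T/S/byte in a DOS-order image: 16 sectors of 256 bytes per track."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS and 0 <= byte < SECTOR_SIZE):
        raise ValueError("track/sector/byte out of range")
    return (track * SECTORS + sector) * SECTOR_SIZE + byte

def memory_address(sector, byte=0):
    """RAM address a track-0 DOS sector byte occupies after boot (T00,S01,$39 -> $B739)."""
    return DOS_BASE + sector * SECTOR_SIZE + byte

def jsr_target_at_b738(image):
    """Operand of the JSR at $B738 (T00,S01,$38): $BB00 before patching, $B793 after."""
    off = image_offset(0x00, 0x01, 0x38)
    if image[off] != 0x20:
        raise ValueError("no JSR opcode at $B738")
    return image[off + 1] | (image[off + 2] << 8)

def apply_patches(image, patches=PATCHES):
    """Return a patched copy; raise if an expected original byte is absent (wrong or already-patched image)."""
    out = bytearray(image)
    for track, sector, byte, old, new in patches:
        off = image_offset(track, sector, byte)
        found = bytes(out[off:off + len(old)])
        if found != old:
            raise ValueError(f"T{track:02X},S{sector:02X},${byte:02X}: want {old.hex()} got {found.hex()}")
        out[off:off + len(new)] = new
    return bytes(out)

def constructed_image():
    """Blank 140K image seeded only with the JSR and the bytes the patches expect (constructed)."""
    img = bytearray(TRACKS * SECTORS * SECTOR_SIZE)
    img[image_offset(0x00, 0x01, 0x38)] = 0x20  # JSR opcode preceding the 00 BB operand
    for track, sector, byte, old, _ in PATCHES:
        off = image_offset(track, sector, byte)
        img[off:off + len(old)] = old
    return bytes(img)
```

Running apply_patches a second time on its own output raises, which is the intended guard against double-patching a real image.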
~

Chapter 3
In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
I Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; fix epilogue byte checking in RWTS

T00,S03,$91 change 96 to DE
T00,S03,$35 change 96 to DE
T00,S06,$AE change 96 to DE
T00,S02,$9E change 96 to DE

; bypass copy protection

T00,S01,$39 change 00BB to 93B7

Quod erat liberandum.

~

Changelog

2016-01-14
- typo

2016-01-13
- initial release

---------------------------------------
A 4am crack No. 564
------------------EOF------------------