-----------Basic Electronics-----------
------Fundamentals of DC Circuitry-----
A 4am crack                  2016-01-13
---------------------------------------
                     updated 2016-01-14

         Name: Basic Electronics: Fundamentals of DC Circuitry
        Genre: educational
         Year: 1983
    Publisher: Encyclopaedia Britannica Educational Corporation
        Media: 3 single-sided 5.25-inch disks
           OS: DOS 3.3
Previous cracks: none
Similar cracks: #566 Basic Electronics: Electronic Math
                #565 Basic Electronics: Electronic Prefixes, Symbols, and Concepts
                #564 Basic Electronics: Electronic Fundamentals
                #563 Basic Electronics: Atomic Theory
                #187 Terrapin Logo 1.3
                #178 Terrapin Logo 2.0

I have 3 disks, all bootable, all
protected, all independent. I'll start
with disk 1.

~

Chapter 0
In Which Various Automated Tools Fail
In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy reboots endlessly

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: ED AA EB, data: EE AA EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "ED AA EB"
  set Data Epilogue to "EE AA EB"

  Success! All tracks readable!
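Why a stock DOS 3.3 RWTS reports a read error on every sector of this disk, while the same track reads cleanly once the expected epilogue is changed, can be shown with a small nibble-level parser. This is an added example written for this page, not code from the write-up or from any of the tools named above. The track it scans is constructed inside the script (volume 254, track 2, sectors 0-15, address epilogue ED AA EB), and `build_track`, `parse_address_fields` and `summarize` are names chosen here. Like DOS 3.3, it verifies only the first two epilogue bytes; the trailing EB is never checked, which is why the prologue stays standard and a one-byte change (DE to ED) is enough to defeat every stock copier.

```python
# Added example (not from the write-up or any Apple II tool): decode DOS 3.3
# address fields from a raw nibble stream and apply a configurable epilogue
# check, to show why COPYA/Locksmith (expecting DE AA) reject every sector
# while Disk Fixer set to ED AA reads the same track without error.

ADDRESS_PROLOGUE = bytes([0xD5, 0xAA, 0x96])   # unchanged on this disk
STOCK_EPILOGUE = bytes([0xDE, 0xAA])            # what DOS 3.3 verifies
SAFE_EPILOGUE = bytes([0xED, 0xAA])             # what "The Safe" wrote
# Only these two epilogue bytes are verified; the third (EB) is not read back.


def encode44(value):
    """4-and-4 encode one byte into two nibbles (odd bits, then even bits)."""
    return bytes([((value >> 1) & 0x55) | 0xAA, (value & 0x55) | 0xAA])


def decode44(odd, even):
    """Inverse of encode44."""
    return ((odd << 1) | 1) & even


def address_field(volume, track, sector, epilogue):
    """One sector's address field: prologue, four 4-and-4 values, epilogue."""
    checksum = volume ^ track ^ sector
    return (ADDRESS_PROLOGUE + encode44(volume) + encode44(track)
            + encode44(sector) + encode44(checksum) + epilogue + b"\xEB")


def build_track(epilogue, volume=254, track=2):
    """Constructed nibble stream for one track: 16 address fields separated
    by self-sync bytes, with a placeholder where each data field would be."""
    stream = bytearray()
    for sector in range(16):
        stream += b"\xFF" * 8                      # self-sync gap
        stream += address_field(volume, track, sector, epilogue)
        stream += b"\xFF" * 4 + b"\x96" * 3        # data field stand-in
    return bytes(stream)


def parse_address_fields(nibbles, expected_epilogue):
    """Scan for D5 AA 96 and decode each header; accept it only if the
    checksum matches and the two epilogue bytes equal expected_epilogue."""
    accepted, rejected = [], 0
    pos = nibbles.find(ADDRESS_PROLOGUE)
    while pos != -1:
        hdr = nibbles[pos + 3:pos + 13]   # 8 data nibbles + 2 epilogue bytes
        if len(hdr) < 10:
            break
        vol, trk = decode44(hdr[0], hdr[1]), decode44(hdr[2], hdr[3])
        sec, chk = decode44(hdr[4], hdr[5]), decode44(hdr[6], hdr[7])
        if chk == (vol ^ trk ^ sec) and hdr[8:10] == expected_epilogue:
            accepted.append((vol, trk, sec))
        else:
            rejected += 1
        pos = nibbles.find(ADDRESS_PROLOGUE, pos + 3)
    return accepted, rejected


PROTECTED_TRACK = build_track(SAFE_EPILOGUE)   # constructed sample input


def summarize(expected_epilogue, nibbles=PROTECTED_TRACK):
    """Count how many address fields a reader with this epilogue accepts."""
    accepted, rejected = parse_address_fields(nibbles, expected_epilogue)
    return {"accepted": len(accepted), "rejected": rejected,
            "sectors": sorted(sec for _, _, sec in accepted)}


if __name__ == "__main__":
    print("stock epilogue check (DE AA):  ", summarize(STOCK_EPILOGUE))
    print("patched epilogue check (ED AA):", summarize(SAFE_EPILOGUE))
```

Run as-is, the stock check rejects all 16 address fields and the patched check accepts all 16 with the correct sector numbers, which is exactly the difference between COPYA's "disk read error" and Disk Fixer's "all tracks readable". The data-field epilogue (EE AA EB) is checked the same way by the RWTS after the 6-and-2 payload, and is not modelled here.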
T00     -> looks like a DOS 3.3 RWTS
T11     -> DOS 3.3 disk catalog
T01,S09 -> startup program is
           "CIRCUITRY.PROG.INIT"

T00,S06 has an interesting message:

--v--
------------- DISK EDIT ---------------
TRACK $00/SECTOR $06/VOLUME $FE/BYTE$00
---------------------------------------
$00:>A0F7<0D 00 0B 01 00 FE 00  wM@KA@~@
$68: 01 00 06 00 01 00 00 00  A@F@A@@@
$70: 00 00 00 03 00 C3 C9 D2  @@@C@CIR
$78: C3 D5 C9 D4 D2 D9 AE D0  CUITRY.P
$80: D2 CF C7 AE C9 CE C9 D4  ROG.INIT
$88: A0 A0 A0 A0 A0 A0 A0 A0
$90: A0 A0 A0 D0 D2 CF D4 C5     PROTE
$98: C3 D4 C5 C4 A0 D7 C9 D4  CTED WIT
$A0: C8 A0 D3 C1 C6 C5 A0 B1  H SAFE 1
$A8: AE B1 A0 A0 A0 A0 A0 A0  .1
$B0: A0 03 84 00 00 00 40 00   C.@@@@@
$B8: C1 D0 D0 CC C5 D3 CF C6  APPLESOF
$C0: D4 E8 B7 BB B3 BB B4 00  Th7;3;4@
$C8: C0 7E B3 21 AB 05 AC 57  @>3!+E,W
$D0: AC 6F AC 2A AD 97 AD EE  ,/,*-.-n
$D8: AC F5 AC 39 AC 11 AD 8D  ,u,9,Q-.
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
---------------------------------------
COMMAND : _
--^--

Why didn't COPYA work? modified
epilogue bytes (every track)

Why didn't Locksmith FDB work? modified
epilogue bytes (every track)

Why didn't my EDD copy work? probably a
nibble check during boot (programs do
not spontaneously reboot unless someone
tells them to)

Next steps:

1. capture RWTS with AUTOTRACE
2. convert disk to standard format with
   Advanced Demuffin
3. Patch RWTS to read standard format
4. find nibble check and bypass it

Let's go crack "The Safe."

~

Chapter 1
In Which We Attempt To Use The Original
Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5

CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
024 FREE

*A 002 CIRCUITRY.PROG.INIT
*B 016 HELLO
*A 007 WELCOME.PARALLEL.CIRCUITS.3
*A 028 PARALLEL.CIR.2-2
*B 010 ALTS.FONT
*A 014 INDEX.CIRCUITRY.1
*A 028 PARALLEL.CIR.1-3
*A 043 PARALLEL.CIR.2-3
*B 026 ALL-BINARY
*A 023 PARALLEL.CIRCUITS.3.1
*B 002 ID.CIRCUITRY.1
*A 002 CIRCUITRY.1.A
*A 021 CIRCUITRY.1.MR
*A 007 WELCOME.PARALLEL.CIR.2
*B 002 CURRENT FLOW
*A 008 WELCOME.SERIES.CIRCUITS
*A 022 SERIES.CIRCUITS.1
*A 030 SERIES.CIRCUITS.2
*A 045 SERIES.CIRCUITS.3
*A 029 PARALLEL.CIRCUITS.3.2
*A 007 WELCOME.PARALLEL.CIR.1
*A 041 PARALLEL.CIR.1-1
*A 021 PARALLEL.CIR.1-2
*B 002 POINT
*B 004 SCHEMATIC.SYMBOLS.1
*A 032 PARALLEL.CIR.2-1

]RUN CIRCUITRY.PROG.INIT

...works...

[S6,D1=demuffin'd copy]

]PR#6

...grinds then reboots...

Hmm.
~

Chapter 2
In Which We Go Safe-Cracking And
Discover A Most Curious Lock

]PR#5
]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G    ; disconnect DOS
*B600<2600.2FFF ; move DOS into place

*B700L
.
. nothing unusual, until...
.
B738-   20 00 BB    JSR   $BB00   <-- !

At $B738, I was expecting a call to
$B793, the multi-sector read routine.
There shouldn't be any code at $BB00.
That page is used as scratch space by
the RWTS, and it's overwritten on every
sector read.

*BB00L

; relocate this code to graphics page
BB00-   A2 00       LDX   #$00
BB02-   BD 00 BB    LDA   $BB00,X
BB05-   9D 00 40    STA   $4000,X
BB08-   CA          DEX
BB09-   D0 F7       BNE   $BB02
; and continue there
BB0B-   4C 0E 40    JMP   $400E

; save RWTS parameter table
BB0E-   A2 10       LDX   #$10
BB10-   BD E8 B7    LDA   $B7E8,X
BB13-   9D 69 40    STA   $4069,X
BB16-   CA          DEX
BB17-   10 F7       BPL   $BB10

; track $02
BB19-   A9 02       LDA   #$02
BB1B-   8D EC B7    STA   $B7EC
; sector $0F
BB1E-   A9 0F       LDA   #$0F
BB20-   8D ED B7    STA   $B7ED
; volume $00 (wildcard)
BB23-   A9 00       LDA   #$00
BB25-   8D EB B7    STA   $B7EB
; store at $4100
BB28-   A9 00       LDA   #$00
BB2A-   8D F0 B7    STA   $B7F0
BB2D-   A9 41       LDA   #$41
BB2F-   8D F1 B7    STA   $B7F1
; read
BB32-   A9 B7       LDA   #$B7
BB34-   A0 E8       LDY   #$E8
BB36-   20 00 BD    JSR   $BD00
; fail on read error
BB39-   B0 07       BCS   $BB42
; read entire track
BB3B-   CE ED B7    DEC   $B7ED
BB3E-   10 F2       BPL   $BB32
; continue at $BB45
BB40-   30 03       BMI   $BB45

; failure path is here -- reboot
; immediately (this explains the
; behavior I saw on my failed
; bit copy)
BB42-   4C 00 C6    JMP   $C600

; copy protection continues here
BB45-   EA          NOP
BB46-   EA          NOP
BB47-   EA          NOP
; sector $00
BB48-   A9 00       LDA   #$00
BB4A-   8D ED B7    STA   $B7ED
; write?!?
BB4D-   A9 02       LDA   #$02
BB4F-   8D F4 B7    STA   $B7F4
; call RWTS to write the sector we just
; read (back to T02,S00)
BB52-   A9 B7       LDA   #$B7
BB54-   A0 E8       LDY   #$E8
BB56-   20 00 BD    JSR   $BD00

; aha!
; if that *worked*, fail
BB59-   90 E7       BCC   $BB42

; restore original RWTS parameter table
BB5B-   A2 10       LDX   #$10
BB5D-   BD 69 40    LDA   $4069,X
BB60-   9D E8 B7    STA   $B7E8,X
BB63-   CA          DEX
BB64-   10 F7       BPL   $BB5D
; continue to real multi-sector read
BB66-   4C 93 B7    JMP   $B793

Did you catch that? This is a very
elaborate way of checking that the disk
is... write-protected.

To verify this, I went back to the copy
I made with EDD 4 bit copy, and
write-protected the disk. It boots
right up without complaint.

~

Chapter 3
In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
I Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; fix epilogue byte checking in RWTS
T00,S03,$91 change ED to DE
T00,S03,$35 change EE to DE
T00,S06,$AE change ED to DE
T00,S02,$9E change EE to DE

; bypass copy protection
T00,S01,$39 change 00BB to 93B7

Disk 3 has identical protection.

Disk 2 is also protected by "The Safe,"
but with different epilogue bytes:

]BRUN PDP

T00,S03,$91 change AE to DE
T00,S03,$35 change EB to DE
T00,S06,$AE change AE to DE
T00,S02,$9E change EB to DE
T00,S01,$39 change 00BB to 93B7

Quod erat liberandum.

~

Changelog

2016-01-14 - typo
2016-01-13 - initial release

---------------------------------------
A 4am crack                     No. 569
------------------EOF------------------
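The Chapter 3 patch lists above are track/sector/offset edits against the demuffin'd copy, and the safe way to apply such a list is to verify every "change X to Y" before writing anything, so a patch never lands on the wrong disk or on a disk that is already patched. The script below is an added example of that procedure, not 4am's PDP tool and not code from the write-up. It assumes a 140 KB DOS-order .dsk image (35 tracks x 16 sectors x 256 bytes, sector S of track T at file offset (T*16 + S)*256, the usual layout for DOS 3.3 images); `apply_patches`, `jsr_target`, `constructed_image` and `PatchMismatch` are names chosen here, and the image it runs on is a constructed stand-in with only the listed bytes planted, not a dump of the disk. The JSR at $B738 is read from T00,S01,$38 because the write-up's last patch hits its operand at $39 in that sector.

```python
# Added example (not 4am's PDP): apply the Chapter 3 byte patches to a
# DOS-order .dsk image, refusing the whole list if any target byte does not
# hold the expected original value. Layout assumption: 35 tracks x 16 sectors
# x 256 bytes, sector S of track T at offset (T*16 + S)*256.

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE

# (track, sector, offset, expected original bytes, replacement bytes),
# transcribed from the write-up's PDP output. ED/EE are the address/data
# epilogue bytes found in Chapter 0; disk 2 uses AE/EB at the same spots.
DISK1_PATCHES = [
    (0x00, 0x03, 0x91, b"\xED", b"\xDE"),           # address epilogue check
    (0x00, 0x03, 0x35, b"\xEE", b"\xDE"),           # data epilogue check
    (0x00, 0x06, 0xAE, b"\xED", b"\xDE"),           # address epilogue check
    (0x00, 0x02, 0x9E, b"\xEE", b"\xDE"),           # data epilogue check
    (0x00, 0x01, 0x39, b"\x00\xBB", b"\x93\xB7"),   # JSR $BB00 -> JSR $B793
]
DISK2_PATCHES = [
    (0x00, 0x03, 0x91, b"\xAE", b"\xDE"),
    (0x00, 0x03, 0x35, b"\xEB", b"\xDE"),
    (0x00, 0x06, 0xAE, b"\xAE", b"\xDE"),
    (0x00, 0x02, 0x9E, b"\xEB", b"\xDE"),
    (0x00, 0x01, 0x39, b"\x00\xBB", b"\x93\xB7"),
]


class PatchMismatch(Exception):
    """The image does not hold the bytes a patch expects to replace."""


def dsk_offset(track, sector, byte):
    """File offset of one byte in a DOS-order .dsk image."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS
            and 0 <= byte < SECTOR_SIZE):
        raise ValueError(f"T{track:02X},S{sector:02X},${byte:02X} is outside the image")
    return (track * SECTORS + sector) * SECTOR_SIZE + byte


def apply_patches(image, patches):
    """Return (patched copy, log lines). All expected bytes are checked before
    any byte is written, so a wrong or already-patched image is left as-is."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"expected a {IMAGE_SIZE}-byte DOS-order image")
    planned = []
    for track, sector, byte, old, new in patches:
        assert len(old) == len(new), "patches must not change sector length"
        off = dsk_offset(track, sector, byte)
        found = bytes(image[off:off + len(old)])
        if found != old:
            raise PatchMismatch(
                f"T{track:02X},S{sector:02X},${byte:02X}: expected "
                f"{old.hex().upper()}, found {found.hex().upper()}")
        planned.append((off, new, f"T{track:02X},S{sector:02X},${byte:02X} "
                                  f"change {old.hex().upper()} to {new.hex().upper()}"))
    out = bytearray(image)
    for off, new, _ in planned:
        out[off:off + len(new)] = new
    return bytes(out), [line for _, _, line in planned]


def jsr_target(image):
    """Decode the 3-byte JSR at T00,S01,$38 (the $B738 call in Chapter 2):
    opcode $20 followed by a little-endian target address."""
    off = dsk_offset(0x00, 0x01, 0x38)
    opcode, lo, hi = image[off:off + 3]
    if opcode != 0x20:
        raise ValueError("no JSR at T00,S01,$38")
    return lo | (hi << 8)


def constructed_image(patches):
    """Blank image with the pre-patch bytes planted at the write-up's offsets
    (a constructed stand-in, not a real dump of the disk)."""
    img = bytearray(IMAGE_SIZE)
    img[dsk_offset(0x00, 0x01, 0x38)] = 0x20   # JSR opcode ahead of the $39 operand
    for track, sector, byte, old, _ in patches:
        off = dsk_offset(track, sector, byte)
        img[off:off + len(old)] = old
    return bytes(img)


if __name__ == "__main__":
    disk1 = constructed_image(DISK1_PATCHES)
    print(f"before: JSR ${jsr_target(disk1):04X}")
    patched, log = apply_patches(disk1, DISK1_PATCHES)
    print("\n".join(log))
    print(f"after:  JSR ${jsr_target(patched):04X}")
    try:
        apply_patches(patched, DISK1_PATCHES)    # second run must refuse
    except PatchMismatch as err:
        print("refused:", err)
```

Feeding disk 2's list to the disk 1 image fails the same way, on the first epilogue byte (expected AE, found ED), which is the check that keeps a patch list from silently corrupting a different disk with the same protection family.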