----------The Electronic Atlas---------
A 4am crack                  2014-08-01
---------------------------------------

"The Electronic Atlas" is a 1990
educational program created by James L.
Negroni and distributed by Geo-Soft.

It comes on 8 unnumbered, single-sided
disks:

  - "The United States" program disk
  - "The United States" data disk
  - "The Americas" program disk
  - "The Americas" data disk
  - "Europe" program disk
  - "Europe" data disk
  - "Africa" program disk
  - "Africa" data disk

I can not find any reference to this
program online, so I do not know if
there are more disks in the series.
Each program disk is bootable and needs
its corresponding data disk to function
beyond the title screen.

Starting with "The United States"
program disk, COPYA fails miserably and
immediately. EDD 4 bit copy gives no
read errors, but the copy just grinds.

Turning to my trusty Copy ][+ sector
editor, I press "P" to get to the
Sector Editor Patcher, and select
"DOS 3.3 PATCHED". This option ignores
checksum bytes and epilogue sequences
-- as long as the address and data
prologue are standard ("D5 AA 96" and
"D5 AA AD", respectively), this will
allow me to read each sector.

And lo and behold, it works... for
track 0. But not track 1. But wait! It
starts working again on track 2. But
not track 3. Some manual inspection
with the Copy ][+ nibble editor reveals
that, besides the non-standard
epilogue, every odd track has a
non-standard address prologue as well.

Track | Address  | Data
------+----------+----------
 $00  | D5 AA 96 | D5 AA AD
 $01  | D4 AA 96 | D5 AA AD
 $02  | D5 AA 96 | D5 AA AD
 $03  | D4 AA 96 | D5 AA AD
 $04  | D5 AA 96 | D5 AA AD
 $05  | D4 AA 96 | D5 AA AD

And so on.

Time for boot tracing with AUTOTRACE.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

For those of you just tuning in, my
work disk uses a custom program that I
affectionately call "AUTOTRACE" to
automate the process of boot tracing as
far as possible.
For some disks (like this one,
apparently), it just captures track 0,
sector 0 (saved in a file called
"BOOT0") and stops. For other disks
that load in the same way that an
unprotected DOS 3.3 disk loads, it
captures the next stage of the boot
process as well (in a file called
"BOOT1"). BOOT1 contains sectors 0-9 on
track 0, which are loaded into memory
at $B600..$BFFF. This generally
contains the RWTS routines which the
program uses to read the rest of the
disk.

If the RWTS is fairly normal as well
(and my AUTOTRACE program just
spot-checks a few memory locations to
guess at its "normalcy"), AUTOTRACE
extracts the RWTS routines (generally
loaded from track 0, sectors 2-9 into
$B800..$BFFF) and saves *that* into a
third file called "RWTS". There's a
good chance I'll be able to load that
"RWTS" file into a tool called Advanced
Demuffin (written in 1983 by The Stack)
to convert the disk into a standard
disk readable by unprotected DOS 3.3
disks or any other third-party tools.

If anything looks fishy or
non-standard, AUTOTRACE just stops, and
I have to check the files it saved so
far to determine why. In this case, it
stopped after capturing T00,S00. So I
need to look at that sector and figure
out why.

]CALL -151

*800<2800.28FFM

*801L
.
. all normal, until...
.
084A-   4C F0 08    JMP   $08F0

A little something extra before the
boot1 code. I don't like extra. Extra
is bad.

*8F0L

; odd
08F0-   A9 AA       LDA   #$AA
08F2-   85 31       STA   $31

; suspicious (this code is also loaded
; at $B600, so this will overwrite the
; $AA byte in the LDA instruction above)
08F4-   A9 00       LDA   #$00
08F6-   8D F1 B6    STA   $B6F1

; continue with boot1
08F9-   4C 00 B7    JMP   $B700

This code is important, but it's not
obvious why unless you've seen the
technique before. Which I think I have.
Let me see if I'm right. First, I'll
need to let my AUTOTRACE program
capture the rest of boot1.

]BRUN AUTOTRACE1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G      ; disconnect DOS
*B600<2600.2FFFM  ; move RWTS into place

*B92FL

; check for epilogue bytes (part of the
; standard DOS 3.3 RWTS)
B92F-   BD 8C C0    LDA   $C08C,X
B932-   10 FB       BPL   $B92F
B934-   C9 DE       CMP   #$DE
B936-   D0 0A       BNE   $B942
B938-   EA          NOP
B939-   BD 8C C0    LDA   $C08C,X
B93C-   10 FB       BPL   $B939

; there it is!
B93E-   C5 31       CMP   $31
B940-   F0 5C       BEQ   $B99E
B942-   38          SEC
B943-   60          RTS

This RWTS is doing something sneaky to
make my job harder: it's putting one of
the epilogue bytes into a zero page
address, then reading the value from
there instead of using a constant.

Why? Because f--- you, that's why.
Because it makes the extracted RWTS
useless without initializing the magic
zero page location with the right magic
number. Automated RWTS extraction
programs wouldn't find this. If I load
this RWTS into Advanced Demuffin, it
will not be able to read the original
disk, because the RWTS itself is not
what initializes the magic zero page
location.

This calls for an IOB module.

What's an IOB module? Well, the author
of Advanced Demuffin anticipated that
he couldn't anticipate everything, so
he made the program extensible. Quoting
from the Advanced Demuffin softdocs
(included on my work disk):

--v--

An IOB module is an interface for the
source RWTS. Advanced Demuffin uses the
IOB module to set up the IOB table and
jump to RWTS. The IOB module is stored
from $1400-$14FB. When Advanced
Demuffin loads in a IOB module, it
reads the first sector of the file off
the track-sector list and stores it at
$13FC-$14FB.

When Advanced Demuffin wants to read a
sector it JSRs to the IOB module with
the phase number, sector number, and
the page number stored in the A, Y and
X registers respectively. Since the
source drive always has to be drive
one, Advanced Demuffin can make the IOB
module very compact. After it gets the
page,track and sector Advanced Demuffin
sets up the IOB for RWTS using this
information, and JMPs to RWTS.
(It jumps instead of JSRing, because it
lets the RWTS do the RTS.)

Here is a list of the IOB module that
is built in to Advanced Demuffin:

; Convert phase # to track #
1400-   4A          LSR

; Store track number
1401-   8D 22 0F    STA   $0F22

; Store sector number
1404-   8C 23 0F    STY   $0F23

; Store page number
; [note: original docs have incorrect
; hex opcode on this line]
1407-   8E 27 0F    STX   $0F27

140A-   A9 01       LDA   #$01

; Store the drive number
140C-   8D 20 0F    STA   $0F20

; Store the read code
140F-   8D 2A 0F    STA   $0F2A

; With high byte of IOB
1412-   A9 0F       LDA   #$0F

; With low byte of IOB
1414-   A0 1E       LDY   #$1E

; Goto RWTS
1416-   4C 00 BD    JMP   $BD00

--^--

Basically, Advanced Demuffin only knows
how to call a custom RWTS if it

1. is loaded at $B800..$BFFF
2. uses a standard RWTS parameter table
3. has an entry point at $BD00 that
   takes the address of the parameter
   tables in A and Y
4. doesn't require initialization

As it turns out, that covers a *lot* of
copy protected disks, but it doesn't
cover this one because the RWTS relies
on the value of zero page $31.

So, let's make an IOB module.

]PR#5   ; since DOS was overwritten
...
]CALL -151

; Most of this is identical to the
; standard IOB module that comes with
; Advanced Demuffin (explained above).
1400-   4A          LSR
1401-   8D 22 0F    STA   $0F22
1404-   8C 23 0F    STY   $0F23
1407-   8E 27 0F    STX   $0F27
140A-   A9 01       LDA   #$01
140C-   8D 20 0F    STA   $0F20
140F-   8D 2A 0F    STA   $0F2A

; initialize the magic zero page value
1412-   A9 AA       LDA   #$AA
1414-   85 31       STA   $31

; get the address of the RWTS parameter
; table at $0F1E and call the RWTS
1416-   A9 0F       LDA   #$0F
1418-   A0 1E       LDY   #$1E
141A-   4C 00 BD    JMP   $BD00

*BSAVE IOB,A$1400,L$1D

Now let's tell Advanced Demuffin to use
this custom IOB as well as the RWTS we
captured from the original disk.

[S6,D1=my work disk]

]BRUN ADVANCED DEMUFFIN 1.1

  --> LOAD NEW RWTS MODULE
      At $B8, load "RWTS" from D1

  --> LOAD NEW IOB MODULE
      load "IOB" from D1

[S6,D1=original disk]
[S6,D2=blank disk]

  --> CONVERT DISK

  --> CHANGE DEFAULT VALUES?
N

This disk is 16 sectors, and the
default options (copy the entire disk,
all tracks, all sectors) don't need to
be changed unless something goes
horribly wrong (again).

--v--

ADVANCED DEMUFFIN 1.1 - COPYRIGHT 1983
WRITTEN BY THE STACK -CORRUPT COMPUTING
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16 SC $00,$00 TO $22,$0F BY $01 TO DRV2

--^--

Hooray! IOB saves the day!

[S6,D1=my work disk]
[S6,D2=fully demuffin'd copy]

]PR#6
...
]CATALOG,S6,D2

C1983 DSR^C#254
030 FREE

*A 003 HELLO
*B 011 HI.WRITER
*B 013 F.BLOCK
*B 008 F.SQUARE.SMALL
*B 002 ST.PROBE
*B 034 PI.BOOT.SCR
*B 034 PI.UNITED STATES
*A 010 CREDITS
*B 011 ST.US
*A 034 MENU
*A 067 UNITED STATES
*A 036 UNITED STATES.ALT
*A 022 CAPITALS.GAME
*A 022 STATES.GAME
*A 066 TEST
*A 070 TEST2
*A 019 TEST.ALT
*T 002 SERIAL
*T 002 PASSWORD

]RUN HELLO

The program loads and runs without
complaint. All further disk access is
done through standard DOS functions.
There doesn't appear to be any kind of
nibble check or other copy protection,
beyond the custom DOS.

Here's something odd, though. I put the
demuffin'd copy in drive 1 and tried
booting it...and it works!
But I haven't touched the RWTS; it's
still the original RWTS that expects a
modified address prologue on every
other track. So there's no way this
RWTS can read a disk that uses standard
address prologue on every track. How is
that possible?

Here's how: the original RWTS doesn't
actually check for a specific address
prologue. It does some bit math on the
first byte in the sequence and allows a
certain result.

[S6,D1=my work disk]

]PR#6
...
]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G      ; disconnect DOS
*B600<2600.2FFFM  ; move RWTS into place

*B94FL

; first byte does bit math (matches
; either "D4" or "D5")
B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   4A          LSR
B955-   C9 6A       CMP   #$6A
B957-   D0 EF       BNE   $B948

; second byte is in zero page (grr)
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959
B95E-   C5 31       CMP   $31
B960-   D0 F2       BNE   $B954
B962-   A0 03       LDY   #$03

; third byte is just a constant
B964-   BD 8C C0    LDA   $C08C,X
B967-   10 FB       BPL   $B964
B969-   C9 96       CMP   #$96
B96B-   D0 E7       BNE   $B954

The demuffin'd copy uses the standard
address prologue ("D5 AA 96") on every
track, but that's OK. As far as this
RWTS is concerned, either "D5 AA 96" or
"D4 AA 96" is OK on any track. It
doesn't actually check the track number
when it reads; it just does some bit
math that accepts both. When they
mastered the original disk, they wrote
every other track with a non-standard
address prologue, but the RWTS is just
liberal enough that it doesn't care.

All 8 disks appear to use the same copy
protection, so the same procedure works
on all of them.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 101
------------------EOF------------------
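
Added example (not part of 4am's write-up or tools): a Python model of the
address-prologue test listed at $B94F, run over constructed nibble streams,
showing which first bytes LSR / CMP #$6A accepts and why the extracted RWTS
finds nothing until $31 holds $AA. The function names, the six-track sample
layout and the 0x00 stand-in for an uninitialised $31 are assumptions.

```python
# Added model of the address-prologue test at $B94F (not 4am's code).
# All nibble streams below are constructed, not read from the disk.

def protected_match(b1, b2, b3, zp31):
    """The three compares at $B954, $B95E and $B969."""
    return ((b1 >> 1) == 0x6A   # LSR / CMP #$6A: bit 0 is discarded
            and b2 == zp31      # CMP $31: operand lives in zero page
            and b3 == 0x96)     # CMP #$96: plain constant

def standard_match(b1, b2, b3, zp31=None):
    """Strict DOS 3.3 test for comparison: D5 AA 96 only."""
    return (b1, b2, b3) == (0xD5, 0xAA, 0x96)

def first_bytes_accepted():
    """Every byte value that survives LSR / CMP #$6A."""
    return [b for b in range(256) if (b >> 1) == 0x6A]

def four_and_four(value):
    """DOS 3.3 4-and-4 encoding of one address-field value."""
    return [(value >> 1) | 0xAA, value | 0xAA]

def address_field(track, sector, first_byte, volume=254):
    """Sync bytes, prologue, then volume/track/sector/checksum."""
    field = [0xFF] * 5 + [first_byte, 0xAA, 0x96]
    for value in (volume, track, sector, volume ^ track ^ sector):
        field += four_and_four(value)
    return field

def tracks_readable(disk, match, zp31):
    """Tracks on which the matcher finds an address prologue."""
    return [track for track, nib in disk.items()
            if any(match(*nib[i:i + 3], zp31)
                   for i in range(len(nib) - 2))]

# Original layout per the table: D5 on even tracks, D4 on odd tracks.
ORIGINAL = {t: address_field(t, 0, 0xD4 if t & 1 else 0xD5)
            for t in range(6)}
# Demuffin'd copy: standard D5 AA 96 on every track.
COPY = {t: address_field(t, 0, 0xD5) for t in range(6)}

if __name__ == "__main__":
    print([hex(b) for b in first_bytes_accepted()])
    # $31 = $AA, as set by boot0 or by the custom IOB module
    print(tracks_readable(ORIGINAL, protected_match, 0xAA))
    # 0x00 stands in for an uninitialised $31 (assumed value)
    print(tracks_readable(ORIGINAL, protected_match, 0x00))
    print(tracks_readable(ORIGINAL, standard_match, None))
    print(tracks_readable(COPY, protected_match, 0xAA))
```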