--------------Microzine 26------------- A 4am crack 2014-08-20 --------------------------------------- "Microzine" was an educational disk- based magazine published by Scholastic between 1983 and 1992. Issue no. 26 is a double-sided disk that features "The Wizard of Darkling Wood" and "Math Mall". COPYA fails miserably and immediately. Locksmith Fast Disk Backup can read every other track. Seriously. It looks like this: --v-- LOCKSMITH 7.0 FAST DISK BACKUP R.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. W HEX 00000000000000001111111111111111222 TRK 0123456789ABCDEF0123456789ABCDEF012 0.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 1.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 2.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 3.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 4.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 5.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 6.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 7.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 8.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 9.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. B.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. C.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. D.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. 12 E.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. F.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A. [ ] PRESS [RESET] TO EXIT --^-- Turning to my trusty Copy ][+ sector editor, I press "P" to get to the Sector Editor Patcher, and select "DOS 3.3 PATCHED". This option ignores checksum bytes and epilogue sequences -- as long as the address and data prologue are standard ("D5 AA 96" and "D5 AA AD", respectively), this will allow me to read each sector. And lo and behold, it works... for track 0. But not track 1. But yes track 2! But not track 3. &c. Some manual inspection with the Copy ][+ nibble editor reveals that every odd track has a non-standard address prologue. Track | Address | Data ------+----------+---------- $00 | D5 AA 96 | D5 AA AD $01 |>D4D4D4 LOAD NEW RWTS MODULE At $B8, load "RWTS" from D1 --> LOAD NEW IOB MODULE load "IOB" from D1 [S6,D1=original disk] [S6,D2=blank disk] --> CONVERT DISK --> CHANGE DEFAULT VALUES? N This disk is 16 sectors, and the default options (copy the entire disk, all tracks, all sectors) don't need to be changed unless something goes horribly wrong (again). --v-- ADVANCED DEMUFFIN 1.1 - COPYRIGHT 1983 WRITTEN BY THE STACK -CORRUPT COMPUTING =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16 SC $00,$00 TO $22,$0F BY $01 TO DRV2 --^-- Hooray! IOB saves the day! [S6,D1=my work disk] [S6,D2=fully demuffin'd copy] ]PR#6 ... ]CATALOG,S6,D2 C1983 DSR^C#254 004 FREE A 004 HELLO B 012 PACK.MICRO7 B 005 NEW.SET A 003 YIK2 B 002 CS.OPTIONS B 010 TOC.2 B 002 TOC.3 B 045 TOC.4 B 011 TOC.5 B 003 UNPACKDATA.1 B 007 TL.0 B 019 TAPMAIN.2 B 047 TAPMAIN.3 B 007 TM.0 B 003 UNPACKTEXT.1 B 004 DBASEW.SET B 008 TN.0 B 012 SOUNDFILE B 006 TO.0 B 007 TP.0 B 002 WAND B 002 WIZARD B 007 TR.0 B 007 TS.0 B 008 TT.0 B 007 TU.0 B 002 DRUID B 002 DRAGON B 002 TROLL B 002 JESTER B 002 FLEA B 002 CHICKEN B 002 DOG B 002 GIANT B 002 SCAV B 002 WITCH B 002 KNIGHT B 008 RIVER B 008 BLANK B 008 TRMAP B 008 MLAND B 008 TLAND B 008 KLAND B 008 TMAP B 004 FRAME B 002 IYOU B 002 RAFT B 008 CLAND B 008 KMAP B 008 MMAP B 008 CMAP B 007 TA.0 B 008 TB.0 B 007 TC.0 B 007 TD.0 B 007 TE.0 B 007 TF.0 B 007 TG.0 B 007 TH.0 B 007 TI.0 B 007 TJ.0 B 007 TK.0 B 007 TV.0 B 008 TW.0 B 007 TX.0 B 005 TY.0 B 007 TQ.0 B 012 PAC.WIZ TITLE ]RUN HELLO The program loads and runs without complaint. All further disk access is done through standard DOS functions. (It even runs from drive 2!) There doesn't appear to be any kind of nibble check or other copy protection, beyond the custom DOS. This is weird. I put the demuffin'd copy in drive 1 and try booting it... and it works! But I haven't touched the RWTS; it's still the original RWTS that expects a modified address prologue on every other track. So there's no way this RWTS can read a disk that uses standard address prologue on every track. How is that possible? Here's how: the original RWTS doesn't actually check for a specific address prologue. It does some bit math on the first byte in the sequence and allows a certain result. [S6,D1=my work disk] ]PR#6 ... ]BLOAD BOOT1,A$2600 ]CALL -151 *FE89G FE93G ; disconnect DOS *B600<2600.2FFFM ; move RWTS into place *B94FL ; first byte does bit math (matches ; either "D4" or "D5") B94F- BD 8C C0 LDA $C08C,X B952- 10 FB BPL $B94F B954- 4A LSR B955- C9 6A CMP #$6A B957- D0 EF BNE $B948 ; second byte is in zero page (grr) B959- BD 8C C0 LDA $C08C,X B95C- 10 FB BPL $B959 B95E- C5 31 CMP $31 B960- D0 F2 BNE $B954 B962- A0 03 LDY #$03 ; third byte is just a constant B964- BD 8C C0 LDA $C08C,X B967- 10 FB BPL $B964 B969- C9 96 CMP #$96 B96B- D0 E7 BNE $B954 The demuffin'd copy uses the standard address prologue ("D5 AA 96") on every track, but that's OK. As far as this RWTS is concerned, either "D5 AA 96" or "D4 AA 96" is OK on any track. It doesn't actually check the track number when it reads; it just does some bit math that accepts both. When they mastered the original disk, they wrote every other track with a non-standard address prologue, but the RWTS is just liberal enough that it doesn't care. Quod erat liberandum. --------------------------------------- A 4am crack No. 117 ------------------EOF------------------