----Tim and the Cat and Jen the Hen---- A 4am crack 2014-06-03 --------------------------------------- "Tim and the Cat and Jen the Hen" is a 1988 educational program by Janet Goldman and distributed by Hartley Courseware, Inc. It comes on two disks, each bootable. [The copy protection is identical to "Tim and the Cat and The Big Red Hat," also distributed by Hartley Courseware. This write-up is therefore quite similar to that one, with a few minor corrections.] COPYA fails immediately with a disk read error. EDD 4 bit copy gives no errors, and the copy works, which suggests that this disk many not use any secondary protection beyond the non-standard disk structure. (I have seem some weaker nibble checks that can be defeated with a strong bit copier, so you never know until you try.) Turning to my trusty Copy ][+ sector editor, I press "P" to get to the Sector Editor Patcher, and select "DOS 3.3 PATCHED". This option ignores checksum bytes and epilogue sequences. As long as the address and data prologue are standard ("D5 AA 96" and "D5 AA AD", respectively), this will allow me to read each sector. And lo and behold, it works! I can read the data from every sector on every track. The Copy ][+ nibble editor also shows standard address and data prologues, but an address epilogue of DA AA FF and a data epilogue of DA AA EB. (The standard epilogues are "DE AA EB" for both.) --v-- COPY ][ PLUS BIT COPY PROGRAM 8.4 (C) 1982-9 CENTRAL POINT SOFTWARE, INC. --------------------------------------- TRACK: 03 START: 22EB LENGTH: 015F 22C8: D3 D3 D3 D3 D3 D3 D3 D3 VIEW 22D0: D3 D3 D3 D3 D3 D3 BA 96 22D8: 96 96 96 96 96 96 FF DA ^^----+ | 22E0: AA EB FF FF FF FF FF FF | ^^^^^ | data epilogue -----------------+ 22E8: FF FF FF D5 AA 96 AA AB <-22EB ^^^^^^^^ address prologue 22F0: AB AB AA AA AB AA DA AA ^^^^^ address epilogue 22F8: FF FF FF FF FF FF FF D5 ^^----+ | 2300: AA AD FE DA DA 9B 9B 9B | ^^^^^ | data prologue------------------+ 2308: 9B 9B 9B 9B 9B 9B 9B 9B --------------------------------------- A TO ANALYZE DATA ESC TO QUIT ? FOR HELP SCREEN / CHANGE PARMS Q FOR NEXT TRACK SPACE TO RE-READ --^-- Some quick inspection suggests that all tracks on each disk use the same non- standard address and data epilogue bytes. I could probably use COPYA with the $B942:18 patch to copy these disks, but instead I'm going to try another utility that I just learned about: Super Demuffin. Super Demuffin is a cracker's utility built on top of Locksmith Fast Disk Copy. It takes a disk that uses non- standard but uniform address and data prologue and epilogue bytes, and it converts it to a standard disk format. I've included a copy on my work disk. When you first run Super Demuffin, it asks for the parameters of the original disk. In this case, the prologue bytes are the same, but the epilogues use "DA" instead of "DE". I just need to change those two parameters (shown below). The third byte of the address epilogue is not important, since most DOS 3.3-shaped RWTSes ignore it. --v-- SUPER-DEMUFFIN AND FAST COPY Modified by: The Saltine/Coast to Coast Address prologue: D5 AA 96 Address epilogue: DA AA EB DISK ^^ ORIGINAL *change from "DE" ---++ Data prologue: D5 AA AD Data epilogue: DA AA EB ^^ *change from "DE" ---++ Ignore write errors while demuffining! D - Edit parameters - Advance to next parm - Exit edit mode R - Restore DOS 3.3 parameters O - Edit Original disk's parameters C - Edit Copy disk's parameters G - Begin demuffin process --^-- Pressing "G" switches to the Locksmith Fast Disk Copy UI. It assumes that both disks are in slot 6, and that drive 1 is the original and drive 2 is the copy. [S6,D1=original disk] [S6,D2=blank disk] --v-- LOCKSMITH 7.0 FAST DISK BACKUP R................................... W*********************************** HEX 00000000000000001111111111111111222 TRK 0123456789ABCDEF0123456789ABCDEF012 0................................... 1................................... 2................................... 3................................... 4................................... 5................................... 6................................... 7................................... 8................................... 9................................... A................................... B................................... C................................... D................................... 12 E................................... F................................... [ ] PRESS [RESET] TO EXIT --^-- (I do this for both disks.) This gives me copies in a standard disk format, but I still need to modify the RWTS on disk to look for the (now standard) epilogue bytes. Switching to my trusty Copy ][+ sector editor, I search for the hex byte "DA" and find all four instances (address epilogue read and write, data epilogue read and write). For future reference (mostly mine), here's a nice chart of the memory locations for all the prologues and epilogues in a DOS 3.3-shaped RWTS. If the RWTS stores $B700 in T00,S01 (most do), then $B8xx will be in T00,S02; $B9xx in T00,S03; and so on. 0x | read | write ---------------+-------+------- D5 | $B955 | $BC7A prologue AA | $B95F | $BC7F / 96 | $B96A | $BC84 ADDRESS -------+-------+------- \ DE | $B991 | $BCAE epilogue AA | $B99B | $BCB3 EB | | $BCB8 ---------------+-------+------- D5 | $B8E7 | $B853 prologue AA | $B8F1 | $B858 / AD | $B8FC | $B85D DATA ----------+-------+------- \ DE | $B935 | $B89E epilogue AA | $B93F | $B8A3 EB | | $B8A8 ---------------+-------+------- I spent way too much time making that. Anyway, here are the four patches that allow my copy to read itself. (These patches apply to each disk.) T00,S02,$9E change "DA" to "DE" T00,S03,$35 change "DA" to "DE" T00,S03,$91 change "DA" to "DE" T00,S06,$AE change "DA" to "DE" Success! Both disks boot and load with no complaint. There doesn't appear to be any secondary protection. Quod erat liberandum. --------------------------------------- A 4am crack No. 58 ------------------EOF------------------