-------Word Mentor: Rhyming Words------
A 4am crack
2016-01-08
---------------------------------------

Name: Word Mentor: Rhyming Words
Genre: educational
Year: 1985
Publisher: Criterion Micro Soft
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  fatal read error on first pass

Locksmith Fast Disk Backup
  can't read anything beyond track $00

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T01+ use modified address prologue (AA D5 96)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Prologue to "AA D5 96"
  Success! T01+ readable
  T01-02 -> looks like a full copy of DOS 3.3, but shifted so the entire
            thing is on tracks $01 and $02
  T11 -> DOS 3.3 disk catalog
  T02,S02 -> startup program is "HELLO"

Why didn't COPYA work?
  modified address prologue

Why didn't Locksmith FDB work?
  modified address prologue

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check (just structural changes to prologues
  and epilogues)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format with Advanced Demuffin
  3. patch RWTS to read standard format

~

Chapter 1
In Which We Attempt To Use The Original Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5

CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS
SAVING IOB

Ah! My automatic boot tracer detected that this RWTS is at $3800, not $B800,
so we got an IOB module for free. The IOB module tells Advanced Demuffin how
to call the RWTS. (See the docs on my work disk for more about IOB modules.)
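Before handing the disk to Advanced Demuffin, here is a small worked illustration of the Chapter 0 finding. This is an added example written for this page, not code from the 4am write-up or from any of the tools named above. It builds a nibble stream in memory (constructed, not captured from the disk), then reads it once with a scanner that only knows the standard DOS 3.3 address prologue D5 AA 96 and once with a scanner told about the modified prologue AA D5 96. The first finds no sectors at all, which is exactly what COPYA and Locksmith FDB ran into; the second, like Disk Fixer with its prologue changed, finds every sector and can verify the 4-and-4 encoded volume/track/sector bytes and their checksum. The epilogue DE AA EB is assumed to be the standard one, since the write-up reports only the prologue as changed.

```python
"""Scan an Apple II nibble stream for DOS 3.3 address fields.

Added example (not code from the 4am write-up): shows why a reader that only
knows the standard address prologue D5 AA 96 sees nothing on a track whose
sectors use the modified prologue AA D5 96, while a reader told about the
modified prologue finds every sector. The nibble stream is constructed here.
"""

STANDARD_ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0x96])
MODIFIED_ADDR_PROLOGUE = bytes([0xAA, 0xD5, 0x96])   # used on T01+ of this disk
ADDR_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])            # assumed standard epilogue


def encode_44(value):
    """4-and-4 encoding for address-field bytes: the 8 bits are spread over two
    nibbles, odd bits in the first and even bits in the second, with the
    remaining bit positions forced to 1 so both are legal disk nibbles."""
    return bytes([((value >> 1) & 0x55) | 0xAA, (value & 0x55) | 0xAA])


def decode_44(hi, lo):
    """Inverse of encode_44."""
    return ((hi << 1) | 1) & lo


def build_track(prologue, volume, track, sectors):
    """Construct a nibble stream holding one address field per sector.
    Data fields are omitted; only the headers matter for this example."""
    stream = bytearray()
    for sector in sectors:
        stream += b"\xff" * 8                      # sync gap
        stream += prologue
        for v in (volume, track, sector, volume ^ track ^ sector):
            stream += encode_44(v)                 # vol, trk, sec, checksum
        stream += ADDR_EPILOGUE
    return bytes(stream)


def find_address_fields(stream, prologue=STANDARD_ADDR_PROLOGUE):
    """Return (volume, track, sector) for every address field that starts with
    `prologue`, carries a valid checksum and ends with the expected epilogue.
    This is the structural check a copier performs before trusting a header."""
    found = []
    pos = stream.find(prologue)
    while pos >= 0:
        start = pos + len(prologue)
        field = stream[start:start + 11]           # 4 x 4-and-4 pairs + epilogue
        if len(field) == 11 and field[8:] == ADDR_EPILOGUE:
            vol, trk, sec, chk = (decode_44(field[i], field[i + 1])
                                  for i in range(0, 8, 2))
            if vol ^ trk ^ sec == chk:
                found.append((vol, trk, sec))
        pos = stream.find(prologue, pos + 1)
    return found


def compare_readers(volume=254, track=1):
    """Read one modified-prologue track with a standard reader and with a reader
    that knows the modified prologue; returns the two sector counts."""
    nibbles = build_track(MODIFIED_ADDR_PROLOGUE, volume, track, range(16))
    return (len(find_address_fields(nibbles)),
            len(find_address_fields(nibbles, MODIFIED_ADDR_PROLOGUE)))


if __name__ == "__main__":
    standard_hits, modified_hits = compare_readers()
    print(f"standard-prologue reader found {standard_hits} sectors")
    print(f"modified-prologue reader found {modified_hits} sectors")
```

Note that the scan deliberately requires a valid checksum and epilogue, not just a prologue match: that is why a standard reader yields an empty list rather than garbage, and why EDD, which copies nibbles without interpreting headers, was unaffected.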
]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $38, load "RWTS" from drive 1
[press "I" to load a new IOB module]
--> load "IOB" from drive 1
["6" to switch to slot 6]
["C" to convert disk]
[press "Y" to change default values]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======================================
INPUT ALL VALUES IN HEX
SECTORS PER TRACK? (13/16) 16
START TRACK: $01  <-- change this
START SECTOR: $00
END TRACK: $22
END SECTOR: $0F
INCREMENT: 1
MAX # OF RETRIES: 0
COPY FROM DRIVE 1 TO DRIVE: 2
=======================================
16SC $01,$00-$22,$0F BY$01 S6,D1->S6,D2
--^--

And here we go...

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======================================
TRK: ..................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0: ..................................
SC1: ..................................
SC2: ..................................
SC3: ..................................
SC4: ..................................
SC5: ..................................
SC6: ..................................
SC7: ..................................
SC8: ..................................
SC9: ..................................
SCA: ..................................
SCB: ..................................
SCC: ..................................
SCD: ..................................
SCE: ..................................
SCF: ..................................
=======================================
16SC $01,$00-$22,$0F BY$01 S6,D1->S6,D2
--^--

This is the power and the genius of Advanced Demuffin. Every disk must be able
to read itself. So, let it read itself, then capture the data and write it out
in a standard format.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
342 FREE

 T 000  [02/24/85]
*T 004 EXERCISE A
*T 005 EXERCISE B
*T 005 EXERCISE C
*T 005 EXERCISE D
*T 004 EXERCISE E
*B 026 H.IIC
 A 003 HELLO
*B 002 LOMEM:
 A 018 MGR
*B 033 PI.RW
 A 029 RHYMING WORDS.M
 T 003 SFILE
*B 002 ST.ALIEN
*B 002 ST.UFO

]RUN HELLO

...works...

~

Chapter 2
In Which We Finish The Job And Declare Victory(*)

(*) take a nap

Of course my copy doesn't boot on its own yet, because I'm still missing
track $00. Let's fix that. It is the only track that is not protected (even
COPYA could copy it).

[Copy ][+ 8.4]
--> "COPY"
--> "BIT COPY"
--> "MANUAL SECTOR COPY"
--> from SLOT 6, DRIVE 1
--> to SLOT 6, DRIVE 2
--> track $00 only

[S6,D1=my copy]
[S5,D1=my work disk]

]PR#6

...grinds and crashes...

Now I have a new problem: my copy can't read itself because the RWTS is still
looking for the non-standard address prologue on tracks $01 and above. This is
not unusual. Never fear, I have a tool for that too.

]PR#5
...
]BRUN PDP

T00,S03,$55 change AA to D5
T00,S03,$5F change D5 to AA
T00,S06,$7A change AA to D5
T00,S06,$7F change D5 to AA

After swapping the address prologue bytes back to their standard values, the
disk boots on its own and seems as happy as a disk can be. There doesn't appear
to be any further protection.

Quod erat liberandum.

~

Acknowledgements

Many thanks to LoGo for supplying the original floppy disk.

---------------------------------------
A 4am crack No. 559
------------------EOF------------------
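As an added worked example of the final patch step in Chapter 2 (written for this page; it is not 4am's PDP tool and not code from the write-up), the script below parses the four PDP lines exactly as listed and applies them to a DOS-order .dsk image. The point a practitioner wants here is the pre-flight check: every "change X to Y" is verified against the byte actually present before anything is written, so a wrong image, or one that has already been patched, is left untouched instead of getting a second AA/D5 swap. Assumptions: the image is DOS-order, so track T sector S lives at byte offset (T * 16 + S) * 256; and the image used below is a blank 140K image constructed in memory with only the four pre-patch bytes seeded, not the real disk.

```python
"""Apply the PDP address-prologue patches from the write-up to a DOS-order .dsk.

Added example (not 4am's PDP tool): parses the listed patch lines, checks the
expected byte at each location, and only then writes the replacement. The
image is constructed in memory; offsets assume a DOS-order .dsk image.
"""
import re

SECTOR_SIZE = 256
SECTORS_PER_TRACK = 16
TRACKS = 35

# The four patches, copied from the write-up's PDP session
PDP_LISTING = """
T00,S03,$55 change AA to D5
T00,S03,$5F change D5 to AA
T00,S06,$7A change AA to D5
T00,S06,$7F change D5 to AA
"""

PDP_LINE = re.compile(
    r"T([0-9A-F]{2}),S([0-9A-F]{2}),\$([0-9A-F]{2}) change ([0-9A-F]{2}) to ([0-9A-F]{2})")


def parse_pdp_listing(text):
    """Turn PDP-style lines into (track, sector, offset, expected, new) tuples."""
    return [tuple(int(g, 16) for g in m.groups()) for m in PDP_LINE.finditer(text)]


def image_offset(track, sector):
    """Byte offset of a logical sector in a DOS-order .dsk image (assumption)."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS_PER_TRACK):
        raise ValueError(f"no such sector T{track:02X},S{sector:02X}")
    return (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE


def apply_patches(image, patches):
    """Return a patched copy of `image`. All expected bytes are verified before
    any write, so a mismatch (wrong disk, or already patched) changes nothing."""
    patched = bytearray(image)
    for track, sector, offset, expected, _ in patches:
        pos = image_offset(track, sector) + offset
        if patched[pos] != expected:
            raise ValueError(
                f"T{track:02X},S{sector:02X},${offset:02X}: expected "
                f"{expected:02X}, found {patched[pos]:02X}")
    for track, sector, offset, _, new in patches:
        patched[image_offset(track, sector) + offset] = new
    return bytes(patched)


def patches_apply_cleanly(image, patches):
    """Pre-flight check: True when every expected byte is in place."""
    try:
        apply_patches(image, patches)
    except ValueError:
        return False
    return True


def seeded_image(patches):
    """Constructed stand-in for the copied disk: an all-zero 140K image with
    the pre-patch byte values placed where the write-up found them."""
    image = bytearray(TRACKS * SECTORS_PER_TRACK * SECTOR_SIZE)
    for track, sector, offset, expected, _ in patches:
        image[image_offset(track, sector) + offset] = expected
    return bytes(image)


def patch_site_bytes(image, patches):
    """Read back the bytes at the patch locations, in listing order."""
    return [image[image_offset(t, s) + o] for t, s, o, _, _ in patches]


if __name__ == "__main__":
    patches = parse_pdp_listing(PDP_LISTING)
    before = seeded_image(patches)
    after = apply_patches(before, patches)
    print("before:", " ".join(f"{b:02X}" for b in patch_site_bytes(before, patches)))
    print("after: ", " ".join(f"{b:02X}" for b in patch_site_bytes(after, patches)))
```

Running it prints the four patch sites as AA D5 AA D5 before and D5 AA D5 AA after, i.e. the AA/D5 order restored to the standard D5 AA prologue at both places the RWTS keeps it. On a real image, read the file into `bytes`, call `patches_apply_cleanly` first, and write the result of `apply_patches` to a new file rather than over the original.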