---------------Battlezone-------------- A 4am crack 2015-03-18 --------------------------------------- Name: Battlezone Genre: arcade Year: 1983 Publisher: Atari Media: single-sided 5.25-inch floppy OS: custom Other versions: - Piratesoft/Nascomp - Asimov has an uncracked .nib image ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor T01 unformatted T00, T02+ -> modified address and data epilogue bytes ("AA DE EB") Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "AA DE EB" set Data Epilogue to "AA DE EB" T00, T02+ readable T01 still unreadable T00,S00 -> looks like DOS 3.3 boot0 T00,S01+ -> definitely not a standard DOS 3.3 RWTS though no sign of a full DOS no sign of a disk catalog Why didn't COPYA work? modified epilogue bytes (all tracks) Why didn't Locksmith FDB work? modified epilogue bytes (all tracks) Next steps: 1. Super Demuffin 2. Patch RWTS 3. There is no step 3 (I hope) ~ Chapter 1 In Which We Choose The Right Tool For The Job --v-- SUPER-DEMUFFIN AND FAST COPY Modified by: The Saltine/Coast to Coast Address prologue: D5 AA 96 Address epilogue: AA DE EB DISK ^^^^^ ORIGINAL change from DE AA ---+++++ Data prologue: D5 AA AD Data epilogue: AA DE EB ^^^^^ change from DE AA ---+++++ Ignore write errors while demuffining! D - Edit parameters - Advance to next parm - Exit edit mode R - Restore DOS 3.3 parameters O - Edit Original disk's parameters C - Edit Copy disk's parameters G - Begin demuffin process --^-- Pressing "G" switches to the Locksmith Fast Disk Copy UI. It assumes that both disks are in slot 6, and that drive 1 is the original and drive 2 is the copy. [S6,D1=original disk] [S6,D2=blank disk] --v-- LOCKSMITH 7.0 FAST DISK BACKUP R................................... W*********************************** HEX 00000000000000001111111111111111222 TRK 0123456789ABCDEF0123456789ABCDEF012 0.A................................. 1.A................................. 2.A................................. 3.A................................. 4.A................................. 5.A................................. 6.A................................. 7.A................................. 8.A................................. 9.A................................. A.A................................. B.A................................. C.A................................. D.A................................. 12 E.A................................. F.A................................. [ ] PRESS [RESET] TO EXIT --^-- Track 1 is unreadable, but I knew that already. Let's hope it doesn't matter. ]PR#6 ...grinds... The demuffin'd disk can't read itself. This is not unusual. ~ Chapter 2 In Which We Patch The RWTS And Our Adventure Comes To A Quick But Satisfying End Looking through track 0 with my trusty Disk Fixer sector editor, I see an RWTS much like the one used in ProDOS. Here is the code that matches the address prologue, then decodes the address field: T00,S05 ----------- DISASSEMBLY MODE ---------- 0098:A0 FC LDY #$FC 009A:8C 6B A4 STY $A46B 009D:C8 INY 009E:D0 05 BNE $00A5 00A0:EE 6B A4 INC $A46B 00A3:F0 56 BEQ $00FB 00A5:BD 8C C0 LDA $C08C,X 00A8:10 FB BPL $00A5 00AA:C9 D5 CMP #$D5 <- OK 00AC:D0 EF BNE $009D 00AE:EA NOP 00AF:BD 8C C0 LDA $C08C,X 00B2:10 FB BPL $00AF 00B4:C9 AA CMP #$AA <- OK 00B6:D0 F2 BNE $00AA 00B8:A0 03 LDY #$03 00BA:BD 8C C0 LDA $C08C,X 00BD:10 FB BPL $00BA 00BF:C9 96 CMP #$96 <- OK 00C1:D0 E7 BNE $00AA After decoding the address field, it checks for two nibbles of the epilogue: T00,S05 ----------- DISASSEMBLY MODE ---------- 00E6:BD 8C C0 LDA $C08C,X 00E9:10 FB BPL $00E6 00EB:C9 AA CMP #$AA <-- ! 00ED:D0 0C BNE $00FB 00EF:EA NOP 00F0:BD 8C C0 LDA $C08C,X 00F3:10 FB BPL $00F0 00F5:C9 DE CMP #$DE <-- ! 00F7:D0 02 BNE $00FB 00F9:18 CLC 00FA:60 RTS 00FB:38 SEC 00FC:60 RTS Those CMPs need to be reversed; $AA should be $DE and vice-versa. And here is the code that matches the data prologue, then decodes the data field: T00,S06 ----------- DISASSEMBLY MODE ---------- 0031:A0 20 LDY #$20 0033:88 DEY 0034:F0 37 BEQ $006D 0036:BD 8C C0 LDA $C08C,X 0039:10 FB BPL $0036 003B:49 D5 EOR #$D5 <- OK 003D:D0 F4 BNE $0033 003F:EA NOP 0040:BD 8C C0 LDA $C08C,X 0043:10 FB BPL $0040 0045:C9 AA CMP #$AA <- OK 0047:D0 F2 BNE $003B 0049:EA NOP 004A:BD 8C C0 LDA $C08C,X 004D:10 FB BPL $004A 004F:C9 AD CMP #$AD <- OK 0051:D0 E8 BNE $003B Later in that sector, it checks one byte of the data epilogue (also like ProDOS): T00,S06 ----------- DISASSEMBLY MODE ---------- 00C0:A6 3E LDX $3E 00C2:BD 8C C0 LDA $C08C,X 00C5:10 FB BPL $00C2 00C7:C9 AA CMP #$AA <-- ! 00C9:18 CLC 00CA:F0 01 BEQ $00CD 00CC:38 SEC 00CD:68 PLA 00CE:A0 55 LDY #$55 00D0:91 44 STA ($44),Y 00D2:60 RTS That CMP needs to be $DE, the first nibble of the standard data epilogue sequence. T00,S06,$C8 change "AA" to "DE" T00,S05,$EC change "AA" to "DE" T00,S05,$F6 change "DE" to "AA" Quod erat liberandum. --------------------------------------- A 4am crack No. 275 ------------------EOF------------------