----------------Galaxian--------------- A 4am crack 2015-03-08 --------------------------------------- Name: Galaxian Genre: arcade Year: 1983 Publisher: Atari, Inc. Media: single-sided 5.25-inch floppy OS: custom Other versions: - The Apple Addict file crack - Asimov has an uncracked .nib image Similar cracks: Gremlins (4am crack no. 250) ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified addres and data epilogue bytes ("AA DE EB" for each) T01 unreadable (unformatted) T08-T22 unreadable (unformatted) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "AA DE EB" set Data Epilogue to "AA DE EB" all tracks readable T00 -> looks like a DOS 3.3 RWTS no sign of rest of DOS though no sign of a catalog on any track Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] [press "Y" to change default values] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM ======================================= INPUT ALL VALUES IN HEX SECTORS PER TRACK? (13/16) 16 START TRACK: $00 START SECTOR: $00 END TRACK: $07 <-- change this END SECTOR: $0F <-- change this INCREMENT: 1 MAX # OF RETRIES: 0 COPY FROM DRIVE 1 TO DRIVE: 2 ======================================= 16SC $00,$00-$07,$0F BY$01 S6,D1->S6,D2 --^-- And here we go... --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:.R...... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:.R...... SC1:.R...... SC2:.R...... SC3:.R...... SC4:.R...... SC5:.R...... SC6:.R...... SC7:.R...... SC8:.R...... SC9:.R...... SCA:.R...... SCB:.R...... SCC:.R...... SCD:.R...... SCE:.R...... SCF:.R...... ======================================= 16SC $00,$00-$07,$0F BY$01 S6,D1->S6,D2 --^-- Track 1 is unreadable, but I knew that already. Let's hope it doesn't matter. [S6,D1=demuffin'd copy] ]PR#6 ...grinds... My copy can't read itself yet. For future reference (mostly mine), here's a nice chart of the memory locations for all the prologues and epilogues in a DOS 3.3-shaped RWTS. If the disk loads T00,S01 into $B700 (this does), then $B800 will be in T00,S02; $B900 in T00,S03; and so on. 0x | read | write ---------------+-------+------- D5 | $B955 | $BC7A prologue AA | $B95F | $BC7F / 96 | $B96A | $BC84 ADDRESS -------+-------+------- \ DE | $B991 | $BCAE epilogue AA | $B99B | $BCB3 EB | | $BCB8 ---------------+-------+------- D5 | $B8E7 | $B853 prologue AA | $B8F1 | $B858 / AD | $B8FC | $B85D DATA ----------+-------+------- \ DE | $B935 | $B89E epilogue AA | $B93F | $B8A3 EB | | $B8A8 ---------------+-------+------- I spent way too much time making that. Anyway, here are the four patches that allow my copy to read itself: T00,S03,$91 change AA to DE T00,S03,$9B change DE to AA T00,S03,$35 change AA to DE T00,S03,$3F change DE to AA Quod erat liberandum. --------------------------------------- A 4am crack No. 256 ------------------EOF------------------