--------------Super Bunny--------------
A 4am crack                  2015-11-27
---------------------------------------

Name: Super Bunny
Genre: arcade
Year: 1983
Credits:
  Programmer: Vic Leone
  Game Concept: Bill Russell
  Super Bunny Concept: Gary Koffler
  Graphics: Thomas Spears
  Super Bunny Story: Dale Kranz
  Cover Art & Illustrations: Martin
    Cannon
  Director: Art Huff
Publisher: Datamost
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: one uncredited crack
  that says "unprotected version" in
  French on boot
Similar cracks:
  #281 Flash Spell Helicopter

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified prologues and epilogues
  address: "9B ** CE" / "CD B4 **"
    (second prologue byte and third
     epilogue byte vary, even between
     different sectors on one track)
  data: "AB FD F3" / "CF DF"

Disk Fixer
  ["O" -> "Input/Output Control"]
    set CHECKSUM ENABLED to "NO"
  T00,S00 readable
  rest of track $00 unreadable
  virtually impossible to read any
  tracks beyond T00, due to varying
  address prologue on every sector(!)

Why didn't COPYA work?
  modified prologues & epilogues

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
      In Which We Dive Head First
       Into Unfriendly Territory


]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]CALL -151
*800<2800.28FFM
*801L

; non-standard from the get go
0801-   20 B3 08    JSR   $08B3

*8B3L

; change nibble table used by the disk
; controller ROM routine (this explains
; why I couldn't read the rest of track
; $00 with a sector editor)
08B3-   A9 3F       LDA   #$3F
08B5-   8D 6C 03    STA   $036C
08B8-   A9 1C       LDA   #$1C
08BA-   8D CC 03    STA   $03CC
08BD-   A9 00       LDA   #$00
08BF-   8D D5 03    STA   $03D5
08C2-   A9 37       LDA   #$37
08C4-   8D A3 03    STA   $03A3

; regular code from $0801
08C7-   A5 27       LDA   $27
08C9-   C9 09       CMP   #$09
08CB-   60          RTS

Continuing from $0804...

*804L

; standard DOS 3.3 bootloader
0804-   D0 19       BNE   $081F
0806-   EA          NOP
0807-   A5 2B       LDA   $2B
0809-   4A          LSR
080A-   4A          LSR
080B-   4A          LSR
080C-   4A          LSR
080D-   09 C0       ORA   #$C0
080F-   85 3F       STA   $3F
0811-   A9 5C       LDA   #$5C
0813-   85 3E       STA   $3E
0815-   18          CLC
0816-   AD FE 08    LDA   $08FE
0819-   6D FF 08    ADC   $08FF
081C-   8D FE 08    STA   $08FE
081F-   AE FF 08    LDX   $08FF
0822-   F0 15       BEQ   $0839
0824-   8A          TXA

; well, mostly standard
0825-   EA          NOP
0826-   EA          NOP
0827-   85 3D       STA   $3D
0829-   CE FF 08    DEC   $08FF
082C-   AD FE 08    LDA   $08FE
082F-   85 27       STA   $27
0831-   CE FE 08    DEC   $08FE
0834-   A6 2B       LDX   $2B
0836-   6C 3E 00    JMP   ($003E)

; execution continues here after sector
; read loop exits (from $0822)
0839-   EE FE 08    INC   $08FE
083C-   EE FE 08    INC   $08FE
083F-   20 89 FE    JSR   $FE89
0842-   20 93 FE    JSR   $FE93
0845-   20 2F FB    JSR   $FB2F

; copy this sector (which we didn't
; re-read) to higher memory
0848-   A2 FF       LDX   #$FF
084A-   BD 00 08    LDA   $0800,X
084D-   9D 00 B6    STA   $B600,X
0850-   CA          DEX
0851-   E0 FF       CPX   #$FF
0853-   D0 F5       BNE   $084A

; hmm
0855-   20 CC 08    JSR   $08CC

*8CCL

; trash all of main memory except the
; part we just loaded from disk
08CC-   A9 00       LDA   #$00
08CE-   85 00       STA   $00
08D0-   A9 B5       LDA   #$B5
08D2-   85 01       STA   $01
08D4-   A0 FF       LDY   #$FF
08D6-   C8          INY
08D7-   B9 00 F0    LDA   $F000,Y
08DA-   91 00       STA   ($00),Y
08DC-   C0 FF       CPY   #$FF
08DE-   D0 F6       BNE   $08D6
08E0-   C6 01       DEC   $01
08E2-   A9 08       LDA   #$08
08E4-   C5 01       CMP   $01
08E6-   D0 EC       BNE   $08D4
08E8-   60          RTS

Continuing from $0858...

*858L

0858-   A6 2B       LDX   $2B
085A-   4C 00 B7    JMP   $B700

OK, that's where I need to interrupt
the boot. But first I'll need to neuter
the subroutine at $08CC that trashes
all of main memory.

*9600<C600.C6FFM

; disable memory wipe
96F8-   A9 60       LDA   #$60
96FA-   8D CC 08    STA   $08CC

; set up callback instead of continuing
; to $B700
96FD-   A9 0A       LDA   #$0A
96FF-   8D 5B 08    STA   $085B
9702-   A9 97       LDA   #$97
9704-   8D 5C 08    STA   $085C

; start the boot
9707-   4C 01 08    JMP   $0801

; (callback is here) copy the code to
; lower memory so it survives a reboot
970A-   A2 0A       LDX   #$0A
970C-   A0 00       LDY   #$00
970E-   B9 00 B6    LDA   $B600,Y
9711-   99 00 26    STA   $2600,Y
9714-   C8          INY
9715-   D0 F7       BNE   $970E
9717-   EE 10 97    INC   $9710
971A-   EE 13 97    INC   $9713
971D-   CA          DEX
971E-   D0 EE       BNE   $970E

; turn off drive motor
9720-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9723-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$126
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1,A$2600,L$A00

                   ~

               Chapter 2
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


$B700 looks more or less like DOS 3.3
boot1, except it starts reading DOS at
T02,S0A. But more importantly, $B800+
appears to be a DOS 3.3-shaped RWTS.
Here, for example, is the code to match
the Panglossian address prologue:

*B94FL

; prologue #1 = $9B
B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   C9 9B       CMP   #$9B
B956-   D0 F0       BNE   $B948
B958-   EA          NOP

; doesn't actually care what the second
; prologue nibble is
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959
B95E-   C9 EB       CMP   #$EB
B960-   EA          NOP
B961-   EA          NOP
B962-   A0 03       LDY   #$03

; prologue #3 = $CE
B964-   BD 8C C0    LDA   $C08C,X
B967-   10 FB       BPL   $B964
B969-   C9 CE       CMP   #$CE
B96B-   D0 E7       BNE   $B954

Thus...

*C500G     ; because I destroyed DOS
...
]BLOAD BOOT1,A$2600
]BSAVE RWTS,A$2800

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]BRUN ADVANCED DEMUFFIN 1.5

[press "5" to switch to slot 5]

[press "R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]

[press "C" to convert disk]

--> CHANGE DEFAULT VALUES? Y

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $01        <-- change this
START SECTOR: $00

END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $01,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Now press RETURN to start the copy...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK: ..................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0: ..................................
SC1: ..................................
SC2: ..................................
SC3: ..................................
SC4: ..................................
SC5: ..................................
SC6: ..................................
SC7: ..................................
SC8: ..................................
SC9: ..................................
SCA: ..................................
SCB: ..................................
SCC: ..................................
SCD: ..................................
SCE: ..................................
SCF: ..................................
=======================================
16SC $01,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
002 FREE

 B 034 OVERLAY1
 B 034 OVERLAY2
 B 034 OVERLAY3
 B 034 OVERLAY4
 B 034 OVERLAY5
 B 034 OVERLAY6
 B 034 OVERLAY7
 B 002 RELOC
 B 036 OBJECT
 B 013 DATA
 A 002 BOOT

]RUN BOOT
...crashes...

[S5,D1=DOS 3.3 system master]

]PR#5
]RUN BOOT,S6,D2
...works...

OK, it doesn't like Diversi-DOS 64K for
some reason. It's probably loading
something into the language card, and
Diversi-DOS has already relocated
itself there. But it works when booted
from standard DOS 3.3, which is good.

The reason I always do this is to see
whether there are any runtime checks
for subtle differences in the original
DOS. If the program runs after booting
from a third-party disk, I can
eliminate a whole range of possible
secondary protections.

Now to make the disk be able to read
itself (remember, it still has the
original RWTS on it)...

[Copy ][+ 8.4]
  --> COPY
    --> DOS
      --> from slot 6, drive 2
      -->   to slot 6, drive 1

[S6,D1=demuffin'd copy]
[S6,D2=newly formatted DOS 3.3 disk]

...read read read...
...write write write...

]PR#6
...works...

There doesn't appear to be any further
protection.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 508
------------------EOF------------------