---------------Frogger II--------------
A 4am crack                  2015-03-02
---------------------------------------

Name: Frogger II: Three Deep
Genre: arcade
Year: 1984
Publisher: Sega Enterprises, Inc.
Media: single-sided 5.25-inch floppy
OS: custom
Other versions: The Micron / Black Bag; Asimov has an uncracked .nib image

~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  can't read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address and data epilogues
    (AA DE EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "AA DE EB"
    set Data Epilogue to "AA DE EB"
  T00, T02-T22 readable
  T01,S00 readable, but nothing else on
    that track

Copy ][+ nibble editor again
  T01 appears to have only one sector;
    the rest of the track is all $FF

Why didn't COPYA work?
  modified epilogue bytes

Why didn't Locksmith FDB work?
  ditto

Next steps:

  1. Convert disk to standard format
     with Super Demuffin
  2. Patch RWTS to read standard format
     (if necessary)
  3. Disable nibble check (if any)

~

               Chapter 1
In Which It's All Over Before It Begins

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
]BRUN SUPER DEMUFFIN

--v--

SUPER-DEMUFFIN AND FAST COPY

Modified by: The Saltine/Coast to Coast

Address prologue: D5 AA 96
Address epilogue: AA DE EB        DISK
                  ^^^^^         ORIGINAL
was "DE AA"-------+++++

Data prologue:    D5 AA AD
Data epilogue:    AA DE EB
                  ^^^^^
was "DE AA"-------+++++

Ignore write errors while demuffining!

D - Edit parameters
- Advance to next parm
- Exit edit mode
R - Restore DOS 3.3 parameters
O - Edit Original disk's parameters
C - Edit Copy disk's parameters
G - Begin demuffin process

--^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI.

--v--
LOCKSMITH 7.0 FAST DISK BACKUP
   R...................................
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0...................................
   1.D.................................
   2.D.................................
   3.D.................................
   4.D.................................
   5.D.................................
   6.D.................................
   7.D.................................
   8.D.................................
   9.D.................................
   A.D.................................
   B.D.................................
   C.D.................................
   D.D.................................
12
   E.D.................................
   F.D.................................
[ ] PRESS [RESET] TO EXIT
--^--

As expected, it can only read the first
sector from track $01. Everything else
copies without a hitch.

[S6,D1=Super Demuffin'd copy]

]PR#6
...grinds...

OK, the copy can't read itself yet.

[Disk Fixer]
  --> "F"ind
    --> "H"ex
      --> "BD 8C C0" ; LDA $C08C,X

Looks like the disk uses a custom RWTS.
Here's the relevant code that checks
the epilogue sequences, on T00,S03:

--v--
----------- DISASSEMBLY MODE ----------
0021:BD 8C C0    LDA   $C08C,X
0024:10 FB       BPL   $0021
0026:C9 AA       CMP   #$AA
0028:D0 0A       BNE   $0034
002A:EA          NOP
002B:BD 8C C0    LDA   $C08C,X
002E:10 FB       BPL   $002B
0030:C9 DE       CMP   #$DE
0032:F0 5C       BEQ   $0090
0034:38          SEC
0035:60          RTS
.
.
.
007D:BD 8C C0    LDA   $C08C,X
0080:10 FB       BPL   $007D
0082:C9 AA       CMP   #$AA
0084:D0 AE       BNE   $0034
0086:EA          NOP
0087:BD 8C C0    LDA   $C08C,X
008A:10 FB       BPL   $0087
008C:C9 DE       CMP   #$DE
008E:D0 A4       BNE   $0034
0090:18          CLC
0091:60          RTS
--^--

T00,S03,$27 change "AA" to "DE"
T00,S03,$31 change "DE" to "AA"
T00,S03,$83 change "AA" to "DE"
T00,S03,$8D change "DE" to "AA"

]PR#6
...works...

There doesn't appear to be any further
protection.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 233
------------------EOF------------------
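
The four T00,S03 sector edits listed above, applied to a disk image with a
check before writing. This is an added example, not part of the original
write-up. It assumes a DOS-order .dsk image of the Super Demuffin'd copy; the
function names and the constructed sample image are hypothetical.

```python
# Added example: verify-then-patch for the four RWTS epilogue operands.
# Assumption: DOS-order .dsk image (35 tracks x 16 sectors x 256 bytes).
SECTOR_SIZE, SECTORS_PER_TRACK, TRACKS = 256, 16, 35
IMAGE_SIZE = TRACKS * SECTORS_PER_TRACK * SECTOR_SIZE

# (track, sector, byte offset, old value, new value) from the patch list.
PATCHES = [
    (0x00, 0x03, 0x27, 0xAA, 0xDE),
    (0x00, 0x03, 0x31, 0xDE, 0xAA),
    (0x00, 0x03, 0x83, 0xAA, 0xDE),
    (0x00, 0x03, 0x8D, 0xDE, 0xAA),
]
CMP_IMMEDIATE = 0xC9  # each patched byte is the operand of a CMP #imm

def image_offset(track, sector, byte):
    """File offset of a byte in a DOS-order image."""
    return (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE + byte

def check_patches(image):
    """Return 'unpatched' or 'patched'; raise ValueError for anything else."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("not a 143360-byte disk image")
    states = set()
    for t, s, b, old, new in PATCHES:
        pos = image_offset(t, s, b)
        if image[pos - 1] != CMP_IMMEDIATE:
            raise ValueError(f"T{t:02X},S{s:02X},${b:02X}: no CMP opcode")
        if image[pos] not in (old, new):
            raise ValueError(f"T{t:02X},S{s:02X},${b:02X}: unexpected byte")
        states.add("unpatched" if image[pos] == old else "patched")
    if len(states) != 1:
        raise ValueError("image is only partially patched")
    return states.pop()

def apply_patches(image):
    """Return a patched copy of the image; already-patched input is unchanged."""
    out = bytearray(image)
    if check_patches(out) == "unpatched":
        for t, s, b, _old, new in PATCHES:
            out[image_offset(t, s, b)] = new
    return bytes(out)

def build_sample_image():
    """Constructed sample: blank image holding only the four CMP instructions."""
    img = bytearray(IMAGE_SIZE)
    for t, s, b, old, _new in PATCHES:
        pos = image_offset(t, s, b)
        img[pos - 1:pos + 1] = bytes([CMP_IMMEDIATE, old])
    return bytes(img)
```

Checking for the C9 opcode and the expected operand first means the script
refuses to write to an image whose T00,S03 does not hold this RWTS.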