--------Your Personal Net Worth-------- A 4am crack 2015-06-15 --------------------------------------- Name: Your Personal Net Worth Genre: productivity Year: 1984 Publisher: Scarborough Systems, Inc. Media: single-sided 5.25-inch floppy OS: DOS 3.3 Other versions: none (preserved here for the first time) Similar cracks: - Gene Machine (crack no. 297) - Mask Parade (crack no. 302) - Heredity Dog (crack no. 314) ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways What does the boot look and sound like? 1. extended DOS load (1 extra track?) 2. DOS prompt 3. track seek (maybe to T11?) 4. file-like disk activity 5. title screen Does it access the disk after boot? Yes. Does it have an option to read, write, or format user-supplied data disks? Yes. COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) no errors, but copy displays "ERR1" and reboots Copy ][+ nibble editor all tracks use standard prologues (address: D5 AA 96, data: D5 AA AD) but modified epilogues (address: FF FF FF, data: FF FF FF) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "FF FF FF" set Data Epilogue to "FF FF FF" Success! All tracks readable! T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "NW" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) Why didn't my EDD copy work? probably a nibble check during boot Next steps: 1. AUTOTRACE to capture RWTS 2. Advanced Demuffin to convert disk to standard format 3. Post-Demuffin Patcher to get RWTS to read standard format 4. Find nibble check and bypass it ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 /!\ BOOT0 JUMPS TO ($BBFE) CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:R.................................. +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:R.................................. SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- Hmm. Even the disk's own RWTS can't read T00,S0A. I'm hoping that part of the copy protection and not a bad disk. ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 000 FREE A 004 NW B 006 HELPJB B 004 PLAYER B 003 SWSONG B 142 NW0 B 006 HELP0A B 006 HELPAA B 006 HELPAB B 006 HELPAC B 006 HELPAD B 006 HELPAE B 006 HELPBA B 006 HELPBB B 006 HELPBC B 006 HELPBD B 006 HELPBE B 006 HELPBF B 006 HELPBG B 006 HELPBH B 006 HELPCA B 006 HELPCB B 006 HELPDA B 006 HELPDB B 006 HELPDC B 006 HELPDD B 006 HELPDE B 006 HELPDF B 006 HELPDG B 006 HELPDH B 006 HELPDI B 006 HELPDJ B 006 HELPDK B 006 HELPDL B 006 HELPDM B 006 HELPDN B 006 HELPDO B 006 HELPDP B 006 HELPDQ B 006 HELPDR B 006 HELPEA B 006 HELPEB B 006 HELPEC B 006 HELPFA B 006 HELPFB B 006 HELPFC B 006 HELPGA B 006 HELPGB B 006 HELPGC B 006 HELPHA B 006 HELPHB B 006 HELPHC B 006 HELPIA B 006 HELPIB B 006 HELPIC B 006 HELPJA B 006 HELPJC B 000 HELPKA B 006 HELPKB B 006 HELPKC B 006 HELPKD B 006 HELPKE B 001 TT [S6,D1=demuffin'd copy] ]PR#6 ...still hangs on boot... ~ Chapter 2 In Which We Run Into An Old Friend ]PR#5 ... ]BLOAD BOOT0,A$800 ]CALL -151 *801L . . all normal, until... . 084A- 6C FE BB JMP ($BBFE) *BLOAD BOOT1,A$2600 *FE89G FE93G ; disconnect DOS *B600<2600.2FFFM ; move RWTS into place *BBFE.BBFF BBFE- 00 BB *BB00L ; Ah, I recognize this routine already. ; It was used by several different ; publishers, and it apparently had ; tweakable options. Turning off an ; option would generate code that makes ; no sense at first glance. ; Reset the RUN flag (how friendly!) BB00- A9 00 LDA #$00 BB02- 85 D6 STA $D6 ; check for write protect BB04- BD 8D C0 LDA $C08D,X BB07- BD 8E C0 LDA $C08E,X BB0A- 30 05 BMI $BB11 ; fail if not write protected BB0C- A2 B1 LDX #$B1 BB0E- 4C F0 BB JMP $BBF0 (This is actually why my EDD copy would immediately reboot with "ERR1" -- it wasn't write protected.) ; Some disks check the low-level reset ; vector (I think this was protection ; against "boot inspectors" like Watson ; that installed themselves in the ; language card and left it active ; during boot). This disk changes the ; CMP to an "LDA #$00", making this ; another unconditional jump. BB11- AD FD FF LDA $FFFD BB14- A9 00 LDA #$00 BB16- F0 05 BEQ $BB1D ;[always skipped] ;BB18- A2 B2 LDX #$B2 ;BB1A- 4C F0 BB JMP $BBF0 ; execution continues here (from $BB16) BB1D- BD 8C C0 LDA $C08C,X ; Set the first character of the input ; buffer to null. This can be checked ; later to ensure that an attacker (me) ; hasn't interrupted the boot and been ; typing things. BB20- A9 00 LDA #$00 BB22- 8D 00 02 STA $0200 ; look for a magic nibble sequence on ; track 0 BB25- BD 8C C0 LDA $C08C,X BB28- 10 FB BPL $BB25 BB2A- C9 EB CMP #$EB BB2C- D0 F7 BNE $BB25 BB2E- BD 8C C0 LDA $C08C,X BB31- 10 FB BPL $BB2E BB33- C9 D5 CMP #$D5 BB35- D0 EE BNE $BB25 BB37- BD 8C C0 LDA $C08C,X BB3A- 10 FB BPL $BB37 BB3C- C9 AA CMP #$AA BB3E- D0 E5 BNE $BB25 ; wipe most of memory ($0800..$95FF) ; although, ironically, not the part ; I'm using for boot tracing BB40- A9 4C LDA #$4C BB42- A0 00 LDY #$00 BB44- 99 00 95 STA $9500,Y BB47- 88 DEY BB48- D0 FA BNE $BB44 BB4A- CE 46 BB DEC $BB46 BB4D- AD 46 BB LDA $BB46 BB50- C9 07 CMP #$07 BB52- D0 EC BNE $BB40 ; fiddle with the RWTS to ignore ; epilogue bytes BB54- A9 18 LDA #$18 BB56- 8D 42 B9 STA $B942 ; sector $0A BB59- A9 0A LDA #$0A BB5B- 8D ED B7 STA $B7ED BB5E- D0 05 BNE $BB65 ...[some zeroes used for data later]... ; track $00 BB65- A9 00 LDA #$00 BB67- 8D EC B7 STA $B7EC ; into $4000 BB6A- 8D F0 B7 STA $B7F0 BB6D- A9 40 LDA #$40 BB6F- 8D F1 B7 STA $B7F1 ; read command BB72- A9 01 LDA #$01 BB74- 8D F4 B7 STA $B7F4 ; set up rest of RWTS table BB77- 8D F8 B7 STA $B7F8 BB7A- 8D EA B7 STA $B7EA BB7D- 8E E9 B7 STX $B7E9 BB80- 8E F7 B7 STX $B7F7 ; more RWTS fiddling, so sector reads ; save raw nibble data in $6C00 range BB83- A0 6C LDY #$6C BB85- 8C 10 B9 STY $B910 BB88- 8C CE B8 STY $B8CE BB8B- 8C D2 B8 STY $B8D2 BB8E- 88 DEY BB8F- 8C 21 B9 STY $B921 ; a sector read, with modified RWTS BB92- 20 E7 BB JSR $BBE7 ; copy the raw nibble data elsewhere BB95- A0 55 LDY #$55 BB97- B9 00 6C LDA $6C00,Y BB9A- 99 00 5C STA $5C00,Y BB9D- 88 DEY BB9E- 10 F7 BPL $BB97 BBA0- AD 02 6B LDA $6B02 BBA3- 85 06 STA $06 ; another sector read BBA5- 20 E7 BB JSR $BBE7 BBA8- AD 02 6B LDA $6B02 BBAB- 85 07 STA $07 ; and another BBAD- 20 E7 BB JSR $BBE7 BBB0- AD 02 6B LDA $6B02 BBB3- 85 08 STA $08 ; compare this read's nibble data to ; the previous read's nibble data BBB5- A0 55 LDY #$55 BBB7- B9 00 6C LDA $6C00,Y BBBA- D9 00 5C CMP $5C00,Y ; fail if anything doesn't match BBBD- D0 2F BNE $BBEE BBBF- 88 DEY BBC0- 10 F5 BPL $BBB7 ; more comparisons of the side effects ; generated by the modified RWTS BBC2- A5 06 LDA $06 BBC4- C5 07 CMP $07 BBC6- D0 04 BNE $BBCC BBC8- C5 08 CMP $08 BBCA- F0 17 BEQ $BBE3 ; success path is here -- ; first, restore the RWTS code BBCC- A9 38 LDA #$38 BBCE- 8D 42 B9 STA $B942 BBD1- A0 BC LDY #$BC BBD3- 8C 10 B9 STY $B910 BBD6- 8C CE B8 STY $B8CE BBD9- 8C D2 B8 STY $B8D2 BBDC- 88 DEY BBDD- 8C 21 B9 STY $B921 ; then continue with boot1 as normal BBE0- 4C 00 B7 JMP $B700 ; failure path from comparison at $BBCA BBE3- 4C 54 BB JMP $BB54 ... BBE7- A9 B7 LDA #$B7 BBE9- A0 E8 LDY #$E8 BBEB- 4C B5 B7 JMP $B7B5 ; failure path from comparison at $BBBD BBEE- A2 B3 LDX #$B3 ; general failure path is here -- ; clear screen, show text screen, write ; error code, and jump to The Badlands BBF0- 20 58 FC JSR $FC58 BBF3- 20 2D FF JSR $FF2D BBF6- 8E 03 04 STX $0403 BBF9- 4C 5B B7 JMP $B75B The important takeaway here is that there don't appear to be any long-term side effects of this copy protection. If it succeeds, it restores everything that it modified (in the RWTS code), then it just jumps to $B700 to start the boot1 phase. But that's it; nothing else seems to rely on some magic number that it pulls from the raw nibbles or anything. It doesn't decrypt anything. It doesn't even clear the carry flag. ~ Chapter 3 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ... ]BRUN PDP ; fix epilogue byte checking in RWTS T00,S03,$91 change FF to DE T00,S03,$9B change FF to AA T00,S03,$35 change FF to DE T00,S03,$3F change FF to AA T00,S02,$9E change FF to DE T00,S02,$A3 change FF to AA T00,S02,$A8 change FF to EB ; disable RWTS swapper (used to switch ; between an RWTS that can read the ; program disk and one that can read ; standard format data disks) T00,S04,$69 change A9 to 60 T00,S04,$7D change A9 to 60 ; bypass nibble check after boot0 T00,S00,$4B change FEBB to FD08 ; fix nibble table (ooh, I didn't see ; this in my investigation -- hooray ; for automation) T00,S04,$29 change AA to 96 Quod erat liberandum. --------------------------------------- A 4am crack No. 345 ------------------EOF------------------