---------------SuperPrint--------------
A 4am crack                  2015-06-13
---------------------------------------

Name: SuperPrint!
Genre: graphics
Year: 1987
Authors: Joel Fried, Susan Swanson,
  Ken Grey, Lester Humphreys, Kim
  Looney, and David Shearer of
  Pelican Software
Publisher: Scholastic, Inc.
Media: 3 double-sided 5.25-inch disks
OS: ProDOS 1.4
Other versions: none (Asimov has some
  auxiliary graphics packs but not the
  program itself)
Similar cracks: Math Shop (no. 146)

There are a total of six sides, labeled

  1A "Program"
  1B "Work Area"
  2A "Clip Art and Fonts"
  2B "Backgrounds"
  3A "Poster Art"
  3B "Banners"

Only disk 1 side A is bootable, so I'll
start there.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy reboots endlessly

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: FF FF EB, data: FF FF EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "FF FF EB"
    set Data Epilogue to "FF FF EB"
  Success! All tracks readable!
  T00 -> ProDOS boot0 and disk catalog

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. Super Demuffin
  2. Patch RWTS (if necessary)
  3. Find nibble check and bypass it

                   ~

               Chapter 1
          In Which We Choose
      The Right Tool For The Job


I'm going to use Super Demuffin here
(instead of my usual go-to conversion
tool, Advanced Demuffin). The disk is
ProDOS-based, so my AUTOTRACE script
on my work disk won't capture the RWTS.
But luckily, the RWTS modifications are
minor -- custom epilogue bytes, same on
every track -- so Super Demuffin will
work just fine.

When you first run Super Demuffin, it
asks for the parameters of the original
disk. In this case, the prologue bytes
are the same, but the epilogues are "FF
FF EB" instead of "DE AA EB".

                 --v--

      SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast


   Address prologue: D5 AA 96

   Address epilogue: FF FF EB    DISK
                     ^^^^^     ORIGINAL
             *change from "DE AA"

      Data prologue: D5 AA AD

      Data epilogue: FF FF EB
                     ^^^^^
             *change from "DE AA"


 Ignore write errors while demuffining!


  D - Edit parameters
      <SPACE> - Advance to next parm
      <RETURN> - Exit edit mode
  R - Restore DOS 3.3 parameters
  O - Edit Original disk's parameters
  C - Edit Copy disk's parameters
  G - Begin demuffin process

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI. It assumes that both
disks are in slot 6, and that drive 1
is the original and drive 2 is the
copy.

[S6,D1=original disk]
[S6,D2=blank disk]

                 --v--

     LOCKSMITH 7.0  FAST DISK BACKUP


   R...................................
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0...................................
   1...................................
   2...................................
   3...................................
   4...................................
   5...................................
   6...................................
   7...................................
   8...................................
   9...................................
   A...................................
   B...................................
   C...................................
   D...................................
12 E...................................
   F...................................
[               ] PRESS [RESET] TO EXIT

                 --^--

There are two problems with this copy:

1. Depending on how the original disk
   was written, this copy may or may
   not be able to read itself. I may
   need to patch the disk's RWTS to
   deal with the fact that the disk is
   now in a standard format.

2. Even if it can read itself, it won't
   run. The copies I tried to make --
   even the bit copies -- just rebooted
   endlessly, which means there is some
   code being executed during boot to
   check if the disk is original.
   (Hint: it's not.)

It's time for a little boot tracing.

                   ~

               Chapter 2
  In Which We Run Into An Old Friend
        In An Unexpected Place


[S6,D1=original disk, side A]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]BLOAD BOOT0,A$800

]CALL -151

*801L

; This looks like the standard ProDOS
; boot0 code, which is unsurprising,
; since the original disk loads ProDOS
0801-   38          SEC
0802-   B0 03       BCS   $0807
0804-   4C 32 A1    JMP   $A132
0807-   86 43       STX   $43
0809-   C9 03       CMP   #$03
080B-   08          PHP
080C-   8A          TXA
080D-   29 70       AND   #$70
080F-   4A          LSR
0810-   4A          LSR
0811-   4A          LSR
0812-   4A          LSR
0813-   09 C0       ORA   #$C0
0815-   85 49       STA   $49
0817-   A0 FF       LDY   #$FF
0819-   84 48       STY   $48
081B-   28          PLP
081C-   C8          INY
081D-   B1 48       LDA   ($48),Y
081F-   D0 3A       BNE   $085B
0821-   B0 0E       BCS   $0831
0823-   A9 03       LDA   #$03
0825-   8D 00 08    STA   $0800
0828-   E6 3D       INC   $3D
082A-   A5 49       LDA   $49
082C-   48          PHA
082D-   A9 5B       LDA   #$5B
082F-   48          PHA
0830-   60          RTS

; this is not standard
0831-   4C 00 09    JMP   $0900

Let's see what's lurking at $0900. To
do this, I'll need to interrupt the
boot process at $0831, after the code
is loaded into memory but before it
gets executed.

*9600<C600.C6FFM

; ProDOS boot0 code is sensitive to the
; value of the accumulator on entry, so
; make sure we save it and restore it
96F8-   48          PHA

; set up callback to call a routine
; under my control instead of
; continuing to $0900
96F9-   A9 07       LDA   #$07
96FB-   8D 32 08    STA   $0832
96FE-   A9 97       LDA   #$97
9700-   8D 33 08    STA   $0833

; restore the accumulator
9703-   68          PLA

; start the boot
9704-   4C 01 08    JMP   $0801

; callback is here -- relocate the code
; at $0900 to the graphics page so it
; will survive a reboot (my work disk
; auto-loads a HELLO program that would
; overwrite it at $0900)
9707-   A0 00       LDY   #$00
9709-   B9 00 09    LDA   $0900,Y
970C-   99 00 29    STA   $2900,Y
970F-   C8          INY
9710-   D0 F7       BNE   $9709

; turn off the slot 6 drive motor
9712-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9715-   4C 00 C5    JMP   $C500

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 0900-09FF,A$2900,L$100
]CALL -151

*900<2900.29FFM

*900L

; the first few instructions here are
; what usually happen at $0831 (instead
; of jumping to $0900)
0900-   85 48       STA   $48
0902-   85 40       STA   $40

; munge reset vector
0904-   A9 00       LDA   #$00
0906-   8D F4 03    STA   $03F4

; a counter?
0909-   A9 0A       LDA   #$0A
090B-   85 F4       STA   $F4

; turning on the drive motor manually
; (highly suspicious)
090D-   A6 2B       LDX   $2B
090F-   BD 89 C0    LDA   $C089,X
0912-   BD 8E C0    LDA   $C08E,X

; ($F6) points to a data table used by
; the nibble check (see below).
0915-   A9 A5       LDA   #$A5
0917-   85 F6       STA   $F6
0919-   A9 09       LDA   #$09
091B-   85 F7       STA   $F7

; set up the Death Counter
091D-   A9 80       LDA   #$80
091F-   85 F5       STA   $F5
0921-   C6 F5       DEC   $F5

; if the Death Counter hits zero, fail
0923-   F0 76       BEQ   $099B

; this finds the next address prologue
; ("D5 AA 96") and skips over the
; address field
0925-   20 AD 09    JSR   $09AD

; if that didn't work, fail
0928-   B0 71       BCS   $099B

; loop until we find sector $07 (in
; zero page $F1 after routine at $099B)
092A-   A5 F1       LDA   $F1
092C-   C9 07       CMP   #$07
092E-   D0 F1       BNE   $0921

; here we go
0930-   A0 00       LDY   #$00
0932-   BD 8C C0    LDA   $C08C,X
0935-   10 FB       BPL   $0932
0937-   88          DEY
0938-   F0 61       BEQ   $099B  ; fail

; find $D5
093A-   C9 D5       CMP   #$D5
093C-   D0 F4       BNE   $0932

; find $E7 $E7 $E7
093E-   A0 00       LDY   #$00
0940-   BD 8C C0    LDA   $C08C,X
0943-   10 FB       BPL   $0940
0945-   88          DEY
0946-   F0 53       BEQ   $099B  ; fail
0948-   C9 E7       CMP   #$E7
094A-   D0 F4       BNE   $0940
094C-   BD 8C C0    LDA   $C08C,X
094F-   10 FB       BPL   $094C
0951-   C9 E7       CMP   #$E7
0953-   D0 46       BNE   $099B  ; fail
0955-   BD 8C C0    LDA   $C08C,X
0958-   10 FB       BPL   $0955
095A-   C9 E7       CMP   #$E7
095C-   D0 3D       BNE   $099B  ; fail

; kill some time to get out of sync
; with the "proper" start of nibbles
095E-   BD 8D C0    LDA   $C08D,X
0961-   A0 10       LDY   #$10
0963-   24 06       BIT   $06

; now start looking for nibbles that
; don't really exist (except they do,
; because we're out of sync and reading
; timing bits as data)
0965-   BD 8C C0    LDA   $C08C,X
0968-   10 FB       BPL   $0965
096A-   88          DEY
096B-   F0 2E       BEQ   $099B  ; fail
096D-   C9 EE       CMP   #$EE
096F-   D0 F4       BNE   $0965

; check for nibble sequence stored
; in reverse order at $09A5
0971-   A0 07       LDY   #$07
0973-   BD 8C C0    LDA   $C08C,X
0976-   10 FB       BPL   $0973
0978-   D1 F6       CMP   ($F6),Y
097A-   D0 1F       BNE   $099B  ; fail
097C-   88          DEY
097D-   10 F4       BPL   $0973

; success path is here -- reuse the
; disk controller ROM routine to read
; the sector that was supposed to be
; at $0900 in the first place, then
; "return" to $0834
097F-   A2 60       LDX   #$60
0981-   8E 01 08    STX   $0801
0984-   A6 2B       LDX   $2B
0986-   A9 0B       LDA   #$0B
0988-   85 3D       STA   $3D
098A-   A9 09       LDA   #$09
098C-   85 27       STA   $27
098E-   A9 08       LDA   #$08
0990-   48          PHA
0991-   A9 34       LDA   #$34
0993-   48          PHA
0994-   A5 49       LDA   $49
0996-   48          PHA
0997-   A9 5B       LDA   #$5B
0999-   48          PHA
099A-   60          RTS

; if zero page $F4 hits 0, the nibble
; check has failed
099B-   C6 F4       DEC   $F4
099D-   D0 03       BNE   $09A2

; reboot on failure
099F-   4C 00 C6    JMP   $C600

; or continue trying
09A2-   4C 1D 09    JMP   $091D

; data table of nibbles
09A5-   FC EE EE FC
09A9-   E7 EE FC E7

The first two instructions at $0900 are
necessary, but after that I can jump
immediately to the success path at
$097F.

                   ~

               Chapter 3
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
...
]BRUN PDP

T00,S0E,$04 change A9008D to 4C7F09

Success! The program boots and loads
without complaint. There doesn't appear
to be any further copy protection, and
the RWTS is liberal enough that I don't
need to make any modifications to allow
it to read from my unprotected copy.

The other five sides are unprotected.

Quod erat liberand one more thing...

                   ~

               Chapter 4
     In Which It's All Just, Like,
            1s And 0s, Man


$E7 $E7 $E7 $E7. What would that nibble
sequence look like on disk? The answer
is, "It depends." $E7 in hexadecimal is
11100111 in binary, so here is the
simplest possible answer:

   |--E7--||--E7--||--E7--||--E7--|
   11100111111001111110011111100111

But wait. Every nibble read from disk
must have its high bit set. In theory,
you could insert one or two "0" bits
after any of those nibbles. (Two is the
maximum due to hardware limitations.)
These extra "0" bits would be swallowed
by the standard "wait for data latch to
have its high bit set" loop:

  :1   LDA $C08C,X
       BPL :1

Consider the following bitstream:

  |--E7--| |--E7--|  |--E7--||--E7--|
  11100111011100111001110011111100111
          ^        ^^
       (extra)   (extra)

The first $E7 has one extra "0" bit
after it, and the second $E7 has two
extra "0" bits after it. Totally legal,
works on any Apple II computer and any
floppy drive. A "LDA $C08C,X; BPL" loop
would still interpret this bitstream as
a sequence of four $E7 nibbles. Each of
the extra "0" bits appear after we've
just read a nibble and we're waiting
for the high bit to be set again.

Now, what if we miss the first few bits
of this bitstream, then start looking?
The disk is always spinning, whether
we're reading from it or not. If we
waste too much time doing something
other than reading, we'll literally
miss some bits as the disk spins by.
This is why the timing of low-level
RWTS code is so critical.

Let's say we waste 12 CPU cycles before
we start reading this bitstream. Each
bit takes 4 CPU cycles to go by, so
after 12 cycles, we would have missed
the first 3 bits (marked with an X).

            (normal start)

  |--E7--| |--E7--|  |--E7--||--E7--|
  11100111011100111001110011111100111
  XXX  |--EE--| |--E7--|  |--FC--|

           (delayed start)

Ah! It's interpreted as a completely
different nibble sequence if you delay
just a few CPU cycles before you start
reading. Also note that some of those
"extra" bits are no longer being
ignored; now they're being interpreted
as data, as part of the nibbles that
are being returned to the higher level
code. Meanwhile, other bits that were
part of the $E7 nibbles are now being
swallowed.

Now, let's go back to the first stream,
which had no extra bits between the
nibbles, and see what happens when we
waste those same 12 CPU cycles.

           (normal start)

   |--E7--||--E7--||--E7--||--E7--|
   11100111111001111110011111100111
   XXX  |--FC--||--FC--||--FC--|

          (delayed start)

After skipping the first three bits,
the stream is interpreted as a series
of $FC $FC $FC repeating endlessly --
not $EE $E7 $FC like the other stream.

Here's the kicker: generic bit copiers
didn't preserve these extra "0" bits
between nibbles. By "desynchronizing"
(wasting just the right number of CPU
cycles at just the right time), then
interpreting the bits on the disk in
mid-stream, developers could determine
at runtime whether you had an original
disk.

Here is the complete "E7 bitstream,"
annotated to show both the synchronized
and desynchronized nibble sequences.
($0265 wastes the right amount of time;
$0274 checks for $EE; $027F checks for
the rest of the nibbles, stored in
reverse order at $02C7.)

 |--E7--| |--E7--|  |--E7--||--E7--|
 111001110111001110011100111111001110
 XXX  |--EE--| |--E7--|  |--FC--||--E

 |--E7--|  |--E7--||--E7--| |--E7--|
 111001110011100111111001110111001110
 E--| |--E7--|  |--FC--||--EE--| |--E

 |--E7--||--E7--|
 1110011111100111
 E--| |--FC--|

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 339
------------------EOF------------------