--Ortho's Personalized Plant Selector-- A 4am crack 2015-12-14 --------------------------------------- Name: Ortho's Personalized Plant Selector Version: 1.0 Genre: productivity Year: 1984 Credits: Design: Ortho Information Services Development: Virtual Combinatics User's Guide: Rex Wolf, COMPAGE Publisher: Chevron Chemical Media: double-sided 5.25-inch floppy OS: ProDOS 1.1 Previous cracks: none Side A is protected but bootable. Side B is unprotected but unbootable. Life is like that. This has not been a haiku. ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) no errors, but copy only boots as far as ProDOS title screen, then gives "RELOCATION / CONFIGURATION ERROR" Copy ][+ nibble editor modified prologues and epilogues on every track (except T00,S00) address = AA D5 AB / DE AB data = AA D5 EB / ED AA EB --v-- COPY ][ PLUS BIT COPY PROGRAM 8.4 (C) 1982-9 CENTRAL POINT SOFTWARE, INC. --------------------------------------- TRACK: 05 START: 32EA LENGTH: 015F 32D0: 96 96 96 96 96 96 96 96 VIEW 32D8: 96 96 ED AA EB FD D2 D2 ^^^^^^^^ data epilogue 32E0: D2 D2 DD A5 AE BF FF FF 32E8: FF FF DB B7 AD BF D7 AB 32F0: F7 BD EB AF ED AA D5 AB <-32F5 ^^^^^^^^ address prologue 32F8: FF FE AA AF AF AB FA FA ^^^^^ ^^^^^ ^^^^^ ^^^^^ v=255 t=$05 s=$0B chksm 3300: DE AB E4 FF 9E D3 FC DB ^^^^^ address epilogue 3308: B7 AD BF D7 AB AA D5 EB ^^^^^^^^ data prologue 3310: AE EC D3 F3 BF DE F4 D9 --------------------------------------- A TO ANALYZE DATA ESC TO QUIT ? FOR HELP SCREEN / CHANGE PARMS Q FOR NEXT TRACK SPACE TO RE-READ --^-- Disk Fixer T00,S00 is a custom bootloader ["O" -> "Input/Output Control"] set address prologue to "AA D5 AB" set address epilogue to "DE AB EB" set data prologue to "AA D5 EB" set data epilogue to "ED AA EB" Success! all tracks readable, except T00,S0A and T00,S0B I see references to PRODOS, but with those sectors unreadable on track $00, a straight conversion may be difficult Why didn't COPYA work? modified prologues/epilogues Why didn't Locksmith FDB work? modified prologues/epilogues Why didn't my EDD copy work? I don't know. The error is a standard ProDOS message, but it could easily have been triggered manually after a failed nibble check. ~ Chapter 1 In Which We Catch A Lucky [S6,D1=original disk] ]PR#6 ...boots to main menu... dumps me to the monitor with ProDOS still in memory. No reset vector protection at all. ; copy F8 ROM to RAM bank 1 *C089 C089 N F800>> Catalog of files <<< Point to the desired program with the cursor control keys, select by pressing RETURN. ________________________________ Ortho's Personalized Plant Selector --^-- Selecting "Catalog of files" takes me to A GENERAL PURPOSE PROGRAM SELECTOR that displays a full catalog of the (protected) program disk. --v-- __________________________________ Catalog path: /AE/_ PRODOS SYS AE.SYSTEM SYS AE.DEF SYS REGION.OBJ BIN ORTHO SYS CONFIG SYS ORTHO.OBJ BIN CALCULATOR SYS CAL.RES BIN REGION SYS ORTHO2 BIN ZIP.MASTER BIN AE64.SYSTEM SYS AE128.SYSTEM SYS CAL SYS CAL.OBJ BIN ___________________________________ Ortho's Personalized Plant Selector --^-- The catalog path (on the top line) is editable; if I overwrite it entirely with the pathname of another disk, I can SELECT AND EXECUTE ARBITRARY PROGRAMS from any disk. Like, say, this one: [S6,D2=Copy II Plus 8.4] --v-- __________________________________ Catalog path: /COPYIIPLUS8.4/ PRODOS SYS UTIL.SYSTEM SYS BITCOPY.SYSTEM SYS PARM.KEY TXT PARM.DATA TXT ___________________________________ Ortho's Personalized Plant Selector --^-- Selecting UTIL.SYSTEM, I can launch Copy II Plus. The protected version of ProDOS is still in memory, and Copy II Plus 8.4 will use it to catalog and read from any available ProDOS disks -- including the protected original disk. Hooray for abstractions! _____________________ | /!\ Important /!\ |_____________ | | | If you're going to go to all the | | trouble of adding OS-level copy | | protection that makes bit copies | | essentially impossible, don't let | | the user run arbitrary programs | | after your OS is in memory. | |___________________________________| Now I can copy all the files from the original (protected) disk to a blank (unprotected) disk. [S6,D2=blank disk] [Copy II Plus 8.4] [FORMAT DISK] [PRODOS] [SLOT 6, DRIVE 2] VOLUME NAME = "BACKUP" [COPY] [FILES] SOURCE DISK = SLOT 6, DRIVE 1 TARGET DISK = SLOT 6, DRIVE 2 select all files (*.*) [eject original disk from S6,D1] [RENAME] [VOLUME] [SLOT 6, DRIVE 2] VOLUME NAME = "AE" (to match the original disk) [S6,D1=freshly made copy] ]PR#6 ...works... I don't even need to swap the PRODOS file with a clean copy. The dual RWTS can already read standard formatted disks, so no RWTS patches are required. Quod erat liberandum. --------------------------------------- A 4am crack No. 518 ------------------EOF------------------