----------The Perfect College----------
A 4am crack                  2015-08-09
---------------------------------------

Name: The Perfect College
Genre: educational
Year: 1987
Authors: Soft Press Corp.
Publisher: Mindscape
Media: double-sided 5.25-inch floppy
OS: custom
Previous cracks: none
Similar cracks: ColorMe (crack no. 25)

Side A is protected but bootable.
Side B is unprotected but unbootable.
Life is like that.
This has not been a haiku.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error, but it
  gets a participation medal just for
  showing up

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but the copy just boots,
  briefly ponders the meaning of life,
  then reboots

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: FF FF FF, data: FF FF FF)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "FF FF FF"
    set Data Epilogue to "FF FF FF"
  Success! All tracks readable!
  T00 -> custom bootloader
  No sign of a disk catalog anywhere
  No sign of any known OS
  No sign of intelligent life anywhere

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  Probably a nibble check during boot.
  Definitely a nibble check. Disks do
  not spontaneously reboot unless
  someone tells them to. That is not
  a thing that happens naturally. That
  is just not a thing.

Next steps:

  1. Super Demuffin to convert the disk
     to a standard format
  2. Patch the RWTS (if necessary)
  3. Find nibble check and bypass it

                   ~

               Chapter 1
          In Which We Choose
      The Right Tool For The Job


I'm going to use Super Demuffin here
(instead of my usual go-to conversion
tool, Advanced Demuffin). The disk uses
some custom bootloader that I've never
seen before [correction: I saw it once
on crack no. 25, but whatever]. My
automated tools won't capture the RWTS.
Luckily, the RWTS modifications are
minor (custom epilogue bytes, same on
every track), so Super Demuffin will
work just fine.

When you first run Super Demuffin, it
asks for the parameters of the original
disk. In this case, the prologue bytes
are the same, but the epilogues are "FF
FF FF" instead of "DE AA EB".

                 --v--

      SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast


   Address prologue: D5 AA 96

   Address epilogue: FF FF FF    DISK
                     ^^^^^^^^  ORIGINAL
change from DE AA EB ++++++++

      Data prologue: D5 AA AD

      Data epilogue: FF FF FF
                     ^^^^^^^^
change from DE AA EB ++++++++


 Ignore write errors while demuffining!


  D - Edit parameters
      <SPACE> - Advance to next parm
      <RETURN> - Exit edit mode
  R - Restore DOS 3.3 parameters
  O - Edit Original disk's parameters
  C - Edit Copy disk's parameters
  G - Begin demuffin process

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI. It assumes that both
disks are in slot 6, and that drive 1
is the original and drive 2 is the
copy.

[S6,D1=original disk]
[S6,D2=blank disk]

                 --v--

     LOCKSMITH 7.0  FAST DISK BACKUP


   R...................................
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0...................................
   1...................................
   2...................................
   3...................................
   4...................................
   5...................................
   6...................................
   7...................................
   8...................................
   9...................................
   A...................................
   B...................................
   C...................................
   D...................................
12 E...................................
   F...................................
[               ] PRESS [RESET] TO EXIT

                 --^--

Piece of cake.

]PR#6
...reboots endlessly...

Humbug. But not unexpected.

Let's go find that nibble check.

                   ~

               Chapter 2
     Every Day A Little Boot Trace


[S6,D1=non-working copy]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]BLOAD BOOT0,A$800
]CALL -151

*801L

0801-   A5 27       LDA   $27
0803-   C9 09       CMP   #$09
0805-   D0 13       BNE   $081A

; first-time initialization -- set
; 40 column mode and 80STOREOFF
0807-   8D 0C C0    STA   $C00C
080A-   8D 00 C0    STA   $C000

; munge boot slot into $Cx format and
; make a vector to read another sector
; via the disk controller ROM routine
080D-   8A          TXA
080E-   4A          LSR
080F-   4A          LSR
0810-   4A          LSR
0811-   4A          LSR
0812-   09 C0       ORA   #$C0
0814-   85 3F       STA   $3F
0816-   A9 5C       LDA   #$5C
0818-   85 3E       STA   $3E

; sector count
081A-   CE 75 08    DEC   $0875
081D-   30 03       BMI   $0822

*875

0875- 0F

OK, we're reading the rest of track $00
into memory at $0900..$17FF.

; jump to read disk controller ROM to
; read another sector
081F-   6C 3E 00    JMP   ($003E)

; execution continues here (from $081D)
0822-   4C 00 16    JMP   $1600

And that's where I need to interrupt
the boot.

*9600<C600.C6FFM

; set up callback after boot0 loads the
; rest of track $00 into memory
96F8-   A9 4C       LDA   #$4C
96FA-   8D 22 08    STA   $0822
96FD-   A9 0A       LDA   #$0A
96FF-   8D 23 08    STA   $0823
9702-   A9 97       LDA   #$97
9704-   8D 24 08    STA   $0824

; start the boot
9707-   4C 01 08    JMP   $0801

; callback is here --
; copy everything up to the graphics
; page so it survives a reboot
970A-   A2 10       LDX   #$10
970C-   A0 00       LDY   #$00
970E-   B9 00 08    LDA   $0800,Y
9711-   99 00 28    STA   $2800,Y
9714-   C8          INY
9715-   D0 F7       BNE   $970E
9717-   EE 10 97    INC   $9710
971A-   EE 13 97    INC   $9713
971D-   CA          DEX
971E-   D0 EE       BNE   $970E

; turn off slot 6 drive motor
9720-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9723-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$126
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 0800-17FF,A$2800,L$1000

Let's see what evil lurks behind $1600.

                   ~

               Chapter 3
         In Which We Run Into
             An Old Friend


]BLOAD BOOT1 0800-17FF,A$800
]CALL -151

*1600L

; save zero page
1600-   A2 FF       LDX   #$FF
1602-   B5 00       LDA   $00,X
1604-   9D 00 30    STA   $3000,X
1607-   CA          DEX
1608-   D0 F8       BNE   $1602

; set up a counter of some kind
160A-   A9 0A       LDA   #$0A
160C-   85 50       STA   $50

; turn on drive motor manually
160E-   A6 2B       LDX   $2B
1610-   BD 89 C0    LDA   $C089,X
1613-   BD 8E C0    LDA   $C08E,X

; looks like an address ($1696)
1616-   A9 96       LDA   #$96
1618-   85 48       STA   $48
161A-   A9 16       LDA   #$16
161C-   85 49       STA   $49

; probably part of the Death Counter
161E-   A9 80       LDA   #$80
1620-   85 51       STA   $51

; if the Death Counter hits zero, bad
; things happen
1622-   C6 51       DEC   $51
1624-   F0 69       BEQ   $168F

; subroutine looks for the next address
; field and parses it into zero page
; (like $B944 in DOS 3.3)
1626-   20 9E 16    JSR   $169E
1629-   B0 64       BCS   $168F

; check sector
162B-   A5 2D       LDA   $2D
162D-   C9 0D       CMP   #$0D

; not the one we wanted -- loop back
; and try again
162F-   D0 F1       BNE   $1622

; look for $D5 nibble
1631-   A0 00       LDY   #$00
1633-   BD 8C C0    LDA   $C08C,X
1636-   10 FB       BPL   $1633
1638-   88          DEY
1639-   F0 54       BEQ   $168F
163B-   C9 D5       CMP   #$D5
163D-   D0 F4       BNE   $1633

; look for $E7 nibble
163F-   A0 00       LDY   #$00
1641-   BD 8C C0    LDA   $C08C,X
1644-   10 FB       BPL   $1641
1646-   88          DEY

; fail if we don't find it in time
1647-   F0 46       BEQ   $168F
1649-   C9 E7       CMP   #$E7
164B-   D0 F4       BNE   $1641

; look for two more $E7 nibbles
164D-   BD 8C C0    LDA   $C08C,X
1650-   10 FB       BPL   $164D
1652-   C9 E7       CMP   #$E7

; fail if it's anything else
1654-   D0 39       BNE   $168F
1656-   BD 8C C0    LDA   $C08C,X
1659-   10 FB       BPL   $1656
165B-   C9 E7       CMP   #$E7

; fail if it's anything else
165D-   D0 30       BNE   $168F

; kill some time to get out of sync
; with the "proper" start of nibbles
; (see below)
165F-   BD 8D C0    LDA   $C08D,X
1662-   A0 10       LDY   #$10
1664-   24 06       BIT   $06

A short digression here into some super
low-level disk stuff, because this
wasn't low-level enough already...

$E7 $E7 $E7 $E7. What would that nibble
sequence look like on disk? The answer
is, "It depends." $E7 in hexadecimal is
11100111 in binary, so here is the
simplest possible answer:

   |--E7--||--E7--||--E7--||--E7--|
   11100111111001111110011111100111

But wait. Every nibble read from disk
must have its high bit set. In theory,
you could insert one or two "0" bits
after any of those nibbles. (Two is the
maximum, due to hardware limitations.)
These extra "0" bits would be swallowed
by the standard "wait for data latch to
have its high bit set" loop, which you
see over and over in any RWTS code:

  :1   LDA $C08C,X
       BPL :1

Now consider the following bitstream:

  |--E7--| |--E7--|  |--E7--||--E7--|
  11100111011100111001110011111100111
          ^        ^^
       (extra)   (extra)

The first $E7 has one extra "0" bit
after it, and the second $E7 has two
extra "0" bits after it. Totally legal,
works on any Apple II computer and any
floppy drive. A "LDA $C08C,X; BPL" loop
would still interpret this bitstream as
a sequence of four $E7 nibbles. Each of
the extra "0" bits appear after we've
just read a nibble and we're waiting
for the high bit to be set again.

Now, what if we miss the first few bits
of this bitstream, then start looking?
The disk is always spinning, whether
we're reading from it or not. If we
waste too much time doing something
other than reading, we'll literally
miss some bits as the disk spins by.
This is why the timing of low-level
RWTS code is so critical.

Let's say we waste 12 CPU cycles before
we start reading this bitstream. Each
bit takes 4 CPU cycles to go by, so
after 12 cycles, we would have missed
the first 3 bits (marked with an X).

            (normal start)

  |--E7--| |--E7--|  |--E7--||--E7--|
  11100111011100111001110011111100111
  XXX  |--EE--| |--E7--|  |--FC--|

           (delayed start)

Ah! It's interpreted as a completely
different nibble sequence if you delay
just a few CPU cycles before you start
reading. Also note that some of those
"extra" bits are no longer being
ignored; now they're being interpreted
as data, as part of the nibbles that
are being returned to the higher level
code. Meanwhile, other bits that were
part of the $E7 nibbles are now being
swallowed.

Now, let's go back to the first stream,
which had no extra bits between the
nibbles, and see what happens when we
waste those same 12 CPU cycles.

           (normal start)

   |--E7--||--E7--||--E7--||--E7--|
   11100111111001111110011111100111
   XXX  |--FC--||--FC--||--FC--|

          (delayed start)

After skipping the first three bits,
the stream is interpreted as a series
of $FC $FC $FC repeating endlessly --
not $EE $E7 $FC like the other stream.

Here's the kicker: generic bit copiers
didn't preserve these extra "0" bits
between nibbles. By "desynchronizing"
(wasting just the right number of CPU
cycles at just the right time), then
interpreting the bits on the disk in
mid-stream, developers could determine
at runtime whether you had an original
disk. Which is precisely the code we
just saw.

Here is the complete "E7 bitstream,"
annotated to show both the synchronized
and desynchronized nibble sequences.

 |--E7--| |--E7--|  |--E7--||--E7--|
 111001110111001110011100111111001110
 XXX  |--EE--| |--E7--|  |--FC--||--E

 |--E7--|  |--E7--||--E7--| |--E7--|
 111001110011100111111001110111001110
 E--| |--E7--|  |--FC--||--EE--| |--E

 |--E7--||--E7--|
 1110011111100111
 E--| |--FC--|

We now return you to the actual code...

; now start looking for nibbles that
; don't really exist (except they do,
; because we're out of sync and reading
; timing bits as data)
1666-   BD 8C C0    LDA   $C08C,X
1669-   10 FB       BPL   $1666
166B-   88          DEY
166C-   F0 21       BEQ   $168F
166E-   C9 EE       CMP   #$EE
1670-   D0 F4       BNE   $1666

; compare the next 8 nibbles to an
; array stored at ($48) [= $1696]
; in reverse order
1672-   A0 07       LDY   #$07
1674-   BD 8C C0    LDA   $C08C,X
1677-   10 FB       BPL   $1674
1679-   D1 48       CMP   ($48),Y

; if any nibble doesn't match, fail
167B-   D0 12       BNE   $168F
167D-   88          DEY
167E-   10 F4       BPL   $1674

; restore zero page
1680-   A2 FF       LDX   #$FF
1682-   BD 00 30    LDA   $3000,X
1685-   95 00       STA   $00,X
1687-   CA          DEX
1688-   D0 F8       BNE   $1682

; success path falls through to here --
; continue at $1706
168A-   A2 60       LDX   #$60
168C-   4C 06 17    JMP   $1706

; any failures end up here -- decrement
; the Death Counter and eventually give
; up and reboot
168F-   C6 50       DEC   $50
1691-   D0 8B       BNE   $161E
1693-   4C 00 C6    JMP   $C600

Finally, the array of desynchronized
nibbles (the E7 bitstream, in reverse
order):

1696-  [FC EE EE FC E7 EE FC E7]

This nibble check has no side effects.
I can simply bypass it by patching
T00,S00 to jump directly to $1706.
(Even the LDX is unnecessary, because
it is repeated at $1706.)

T00,S00,$23 change "00 16" to "06 17"

The RWTS is flexible enough to read the
disk in a standard format, so no RWTS
patches are required.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 400
------------------EOF------------------