----------Design Your Own Home--------- A 4am crack 2015-01-12 --------------------------------------- Name: Design Your Own Home - Interior Design Version: not listed Genre: productivity Year: 1986 Publisher: Abracadata Limited Authors: Don Fudge Media: 3 single-sided 5.25" floppies Other versions: none (preserved here for the first time) The program comes on three disks: 1. "Program - joystick/paddles/pad" 2. "Program - mouse" 3. "Data" Disks 1 and 2 are bootable and appear to be independent of each other. Disk 3 boots to a HELLO program that prints "Hi-Res Interior Design (please boot program disk now!)" ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA disk read error Locksmith Fast Disk Backup unable to read odd-numbered tracks EDD 4 bit copy (no sync, no count) no errors, but copy grinds on boot Copy ][+ nibble editor every other track uses a non-standard address prologue (D4AA96 vs. D5AA96) Disk Fixer T00 readable. Also T02, T04, T06... T00 looks like a DOS 3.3 RWTS ["O" -> "Input/Output Control"] set Address Prologue to "D4 AA 96" T01 readable. Also T03, T05, T07... T11 looks like a DOS 3.3 disk catalog T01,S09 -> startup program is "HELLO" Why didn't COPYA work? modified prologue on odd tracks Why didn't Locksmith FDB work? modified prologue on odd tracks Why didn't my EDD copy work? I don't know. Maybe a nibble check during boot? Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read demuffin'd disk ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 ... CAPTURING BOOT0 SAVING BOOT0 /!\ BOOT0 JUMPS TO $BB00 CAPTURING BOOT1 SAVING BOOT1 SAVING RWTS ($BB00 is probably a nibble check.) ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC1:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC2:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC3:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC4:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC5:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC6:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC7:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC8:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SC9:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SCA:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SCB:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SCC:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SCD:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SCE:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR SCF:RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- Why didn't Advanced Demuffin work? I don't know. Maybe $BB00 modifies the RWTS during boot? ]PR#5 ... ]BLOAD BOOT1,A$2600 ]CALL -151 *FE89G FE93G ; disconnect DOS *B600<2600.2FFFM ; move RWTS into place *BB00L ; set reset vector (unfriendly but OK) BB00- A9 5D LDA #$5D BB02- 8D F2 03 STA $03F2 BB05- A9 B7 LDA #$B7 BB07- EA NOP BB08- 8D F3 03 STA $03F3 BB0B- 49 A5 EOR #$A5 BB0D- 8D F4 03 STA $03F4 ; set zero page (suspicious) BB10- A9 AA LDA #$AA BB12- 85 31 STA $31 ; maybe a reboot vector in The Badlands ; ($BA95 is normally unused) BB14- AD E9 B7 LDA $B7E9 BB17- 4A LSR BB18- 4A LSR BB19- 4A LSR BB1A- 4A LSR BB1B- 09 C0 ORA #$C0 BB1D- 8D 95 BA STA $BA95 ; continue to boot1 BB20- 4C 00 B7 JMP $B700 Hypotheses busted: * This isn't a nibble check * This doesn't modify the RWTS New hypothesis: RWTS uses value of zero page $31 somehow. (i.e. Maybe it does modify the RWTS, but indirectly.) *B944L ; routine to read address prologue B944- A0 FC LDY #$FC B946- 84 26 STY $26 B948- C8 INY B949- D0 04 BNE $B94F B94B- E6 26 INC $26 B94D- F0 F3 BEQ $B942 B94F- BD 8C C0 LDA $C08C,X B952- 10 FB BPL $B94F ; find prologue nibble #1 B954- 4A LSR B955- C9 6A CMP #$6A B957- D0 EF BNE $B948 B959- BD 8C C0 LDA $C08C,X B95C- 10 FB BPL $B959 ; find #2 B95E- C5 31 CMP $31 B960- D0 F2 BNE $B954 B962- A0 03 LDY #$03 B964- BD 8C C0 LDA $C08C,X B967- 10 FB BPL $B964 ; find #3 B969- C9 96 CMP #$96 B96B- D0 E7 BNE $B954 The code to find prologue nibble #1 explains how this disk can read its odd-numbered tracks (with non-standard address prologue "D4 AA 96"). Normal address prologue byte 1 is $D5. In binary: $D5 = 1101 0101 After LSR: 0110 1010 = $6A Odd-numbered tracks use $D4 instead. In binary: $D4 = 1101 0100 After LSR: 0110 1010 = $6A So this code will match either prologue and work on both odd and even tracks. Furthermore, RWTS code is time-critical between reading the last bit of one nibble and reading the first bit of the next. If it's too fast or too slow, it will get out of phase (because the disk spins independently of the CPU). Compare DOS 3.3 (cycle count in margin) B94F- BD 8C C0 LDA $C08C,X B952- 10 FB BPL $B94F B954- C9 D5 CMP #$D5 | 2 B956- D0 F0 BNE $B948 | 2 * B958- EA NOP | 2 B959- BD 8C C0 LDA $C08C,X B95C- 10 FB BPL $B959 (*) on the time-critical path, this branch is not taken, so always 2 ...and this disk's RWTS: B94F- BD 8C C0 LDA $C08C,X B952- 10 FB BPL $B94F B954- 4A LSR | 2 B955- C9 6A CMP #$6A | 2 B957- D0 EF BNE $B948 | 2 * B959- BD 8C C0 LDA $C08C,X B95C- 10 FB BPL $B959 Despite being more "flexible" (matching $D5 or $D4), this disk's RWTS uses the same number of bytes of code and runs in the same number of cycles. Nice. Now look at the code to find the second nibble of the address prologue: B959- BD 8C C0 LDA $C08C,X B95C- 10 FB BPL $B959 B95E- C5 31 CMP $31 B960- D0 F2 BNE $B954 There's zero page $31, initialized at $BB00 during boot. That's why Advanced Demuffin failed. When it called the original disk's RWTS, zero page $31 was never initialized. Solution: an IOB module that Advanced Demuffin calls before calling the original disk's RWTS. (Read the docs on my work disk.) *C500G ... ]CALL -151 ]BLOAD ADVANCED DEMUFFIN 1.5 ; standard Advanced Demuffin setup ; (unchanged) 1400- 4A LSR 1401- 8D 22 0F STA $0F22 1404- 8C 23 0F STY $0F23 1407- 8E 27 0F STX $0F27 140A- A9 01 LDA #$01 140C- 8D 20 0F STA $0F20 140F- 8D 2A 0F STA $0F2A ; initialize zero page 1412- A9 AA LDA #$AA 1414- 85 31 STA $31 ; call RWTS 1416- A9 0F LDA #$0F 1418- A0 1E LDY #$1E 141A- 4C 00 BD JMP $BD00 *BSAVE IOB $31,A$1400,L$FB *BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 [press "I" to load a new IOB module] --> load "IOB $31" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 000 FREE A 005 HELLO B 025 PIC.I A 023 DEC3 A 012 DEC4 B 033 PATRN B 006 FILL3 B 015 TRIPLE.3 A 025 DEC2 A 038 DEC1 B 045 A1 A 019 INSTALL B 008 TRIPLE.1 A 008 MENU B 006 ALLCHAR B 002 MIRROR B 053 A2 B 053 A3 B 054 A5 B 048 A4 A 005 PRINTERS B 002 FLIP B 011 P ]RUN HELLO Success! The program loads and runs! [S6,D1=demuffin'd copy] ]PR#6 Success! The disk boots and loads! Why doesn't it require any patches? Its "flexible" RWTS is just as capable of reading a standard disk (address prologue "D5 AA 96" on all tracks) as the original disk (address prologue alternates D4/D5). Program disk #2 is identical to #1. Data disk is COPYA-able already, so no conversion required. Quod erat liberandum. --------------------------------------- A 4am crack No. 184 ------------------EOF------------------