----------------AceCalc----------------
A 4am crack                  2015-07-14
---------------------------------------

Name: AceCalc
Version: 2.0
Genre: productivity
Year: 1983
Authors: William G. Graves
Publisher: ArtSci, Inc.
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none
  (Asimov has a corrupted copy that
  crashes on boot)


                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  read error on first pass

Locksmith Fast Disk Backup
  can't read T04-T0B

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T04-T0B has modified data epilogue
    ("D5 AA EB" instead of "DE AA EB")

Disk Fixer
  T00 -> looks like DOS 3.3 master boot
    (into low memory)
  T01,S0A -> startup program is "HELLO"
    (yes really, sector $0A instead of
    $09 -- everything is off by 1)
  T11 -> DOS 3.3 disk catalog
  ["O" -> "Input/Output Control"]
    set Data Epilogue to "D5 AA EB"
  Success! T04-T0B readable

Why didn't COPYA work?
  modified data epilogue (T04-T0B)

Why didn't Locksmith FDB work?
  modified data epilogue (T04-T0B)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  just structural changes to epilogue

This disk has a regular DOS 3.3 disk
catalog, and it can load and save files
from a user's data disk (in a standard
format). That means there must be an
RWTS swapper somewhere that changes the
expected data epilogue sequence when it
goes to read tracks $04-$0B.

Next steps:

  1. Super Demuffin to copy T04-T0B
  2. Manual sector copy the rest
  3. Find the RWTS swapper and patch it


                   ~

               Chapter 1
  In Which We Choose The Right Tools
              For The Job


When you first run Super Demuffin, it
asks for the parameters of the original
disk. In this case, the prologue bytes
are the same, but the data epilogue is
"D5 AA EB" instead of "DE AA EB".

                 --v--

SUPER-DEMUFFIN AND FAST COPY

Modified by: The Saltine/Coast to Coast

Address prologue: D5 AA 96
Address epilogue: FF FF EB     DISK
                             ORIGINAL
Data prologue:    D5 AA AD
Data epilogue:    D5 AA EB
                  ^^
           *change from "DE"

Ignore write errors while demuffining!

D - Edit parameters
  - Advance to next parm
  - Exit edit mode
R - Restore DOS 3.3 parameters
O - Edit Original disk's parameters
C - Edit Copy disk's parameters
G - Begin demuffin process

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI. It assumes that both
disks are in slot 6, and that drive 1
is the original and drive 2 is the
copy.

[S6,D1=original disk]
[S6,D2=blank disk]

                 --v--

LOCKSMITH 7.0 FAST DISK BACKUP
R   ****........***********************
W   ***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
0   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
1   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
2   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
3   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
4   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
5   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
6   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
7   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
8   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
9   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
A   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
B   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
C   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
D   DDDD........DDDDDDDDDDDDDDDDDDDDDDD  12
E   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
F   DDDD........DDDDDDDDDDDDDDDDDDDDDDD
[ ] PRESS [RESET] TO EXIT

                 --^--

As expected, only tracks $04-$0B are
copyable with the modified parameters.

Now turning to Copy II+ bit copy, we
select "manual sector copy" and copy
tracks $00-$03, then again with tracks
$0C-$22.

[screenshot omitted, use your
imagination]

Now we have all tracks copied onto one
disk in a standard format.

[S6,D1=copy]

]PR#6
...grinds endlessly...

Let's go find that RWTS swapper.


                   ~

               Chapter 2
   In Which We Find An RWTS Swapper
       Of A Most Curious Nature


[S6,D1=non-working copy]
[S5,D1=my work disk]

]PR#5
...
]CATALOG,S6,D1

C1983 DSR^C#254
212 FREE

*T 006 DEMO.COST
*T 008 DEMO.PROPOSAL
*B 002 HELLO
 B 004 PRINTER
*B 004 PRINTER.DBLE.SPACE
 B 002 SYS.OPTIONS
 B 003 VIDEO
*B 003 VIDEO.ACE
*B 003 VIDEO.FULLVIEW80
*B 002 VIDEO.STB80
*B 003 VIDEO.VIDEX
*B 002 VIDEO.WIZARD80
*B 018 VIDEO70

]BLOAD HELLO
]CALL -151

; last BLOAD address (Diversi-DOS 64K)
*BF55.BF56

BF55- 00 09

*900L

; get address of RWTS parameter table
0900-   20 E3 03    JSR   $03E3
0903-   84 1E       STY   $1E
0905-   85 1F       STA   $1F

; sector $0A
0907-   A0 05       LDY   #$05
0909-   A9 0A       LDA   #$0A
090B-   91 1E       STA   ($1E),Y
090D-   88          DEY

; track $00
090E-   A9 00       LDA   #$00
0910-   91 1E       STA   ($1E),Y
0912-   88          DEY

; disk volume 0 (wildcard)
0913-   A9 00       LDA   #$00
0915-   91 1E       STA   ($1E),Y

; into $1A00
0917-   A0 08       LDY   #$08
0919-   91 1E       STA   ($1E),Y
091B-   A9 1A       LDA   #$1A
091D-   C8          INY
091E-   91 1E       STA   ($1E),Y

; read command
0920-   A0 0C       LDY   #$0C
0922-   A9 01       LDA   #$01
0924-   91 1E       STA   ($1E),Y
0926-   A4 1E       LDY   $1E
0928-   A5 1F       LDA   $1F

; call RWTS
092A-   20 D9 03    JSR   $03D9

; loop endlessly on failure
092D-   B0 D1       BCS   $0900

; otherwise continue with the code we
; just read
092F-   4C 00 1A    JMP   $1A00

I can interrupt this at $092F and see
what it's loading from track $00.

*92F:60
*900G
*1A00L

1A00-   A0 00       LDY   #$00
1A02-   B9 00 1A    LDA   $1A00,Y
1A05-   99 00 40    STA   $4000,Y
1A08-   C8          INY
1A09-   D0 F7       BNE   $1A02
1A0B-   4C 0E 40    JMP   $400E

Look, if you don't want to be at $1A00,
just say so.

*1A0B:60
*1A00G
*400EL

400E-   A0 01       LDY   #$01
4010-   20 96 40    JSR   $4096

*4096L

4096-   BE FE 40    LDX   $40FE,Y

; set up an address at $3C/$3D
4099-   A9 00       LDA   #$00
409B-   85 3C       STA   $3C

; = $9D
409D-   AD D2 03    LDA   $03D2
40A0-   18          CLC
40A1-   69 1C       ADC   #$1C

; $9D + $1C = $B9
40A3-   85 3D       STA   $3D
40A5-   A0 35       LDY   #$35
40A7-   8A          TXA

; so storing X in $B935
40A8-   91 3C       STA   ($3C),Y
40AA-   60          RTS

A bit circuitous, but that's what I'm
looking for. $B935 is the address of
the first data epilogue byte in the
RWTS in memory.

*B92FL

B92F-   BD 8C C0    LDA   $C08C,X
B932-   10 FB       BPL   $B92F
B934-   C9 DE       CMP   #$DE     <-- !
B936-   D0 0A       BNE   $B942
B938-   EA          NOP
B939-   BD 8C C0    LDA   $C08C,X
B93C-   10 FB       BPL   $B939
B93E-   C9 AA       CMP   #$AA
B940-   F0 5C       BEQ   $B99E
B942-   38          SEC
B943-   60          RTS

But what is X? It's set at $4096 from
an array starting at $40FE. (And I'm
guessing it's a really small array,
since we only read one sector from disk
and we're near the end of it.)

*40FE.40FF

40FE- DE D5

I see it now. Y is 1 going into this
routine, so X gets $D5, which is the
custom data epilogue byte. To switch
the RWTS back to normal, you could set
Y to 0 and call this same routine at
$4096. X would get the value from $40FE
($DE) instead of from $40FF ($D5).

Continuing from $4013...

*4013L

4013-   A2 22       LDX   #$22
4015-   A9 00       LDA   #$00
4017-   85 19       STA   $19
4019-   A9 04       LDA   #$04
401B-   A0 08       LDY   #$08

; this is a multi-sector read routine
401D-   20 48 40    JSR   $4048

; loop forever on error (this explains
; the behavior I saw on my non-working
; copy)
4020-   B0 F1       BCS   $4013

4022-   A2 48       LDX   #$48
4024-   A5 18       LDA   $18
4026-   A0 50       LDY   #$50

; another multi-sector read
4028-   20 48 40    JSR   $4048
402B-   B0 E6       BCS   $4013

; aha! now we switch the RWTS back to
; normal by calling $4096 with Y=0!
402D-   A0 00       LDY   #$00
402F-   20 96 40    JSR   $4096

4032-   A0 BB       LDY   #$BB
4034-   84 1B       STY   $1B
4036-   A0 B3       LDY   #$B3
4038-   84 1C       STY   $1C
403A-   A9 00       LDA   #$00
403C-   85 19       STA   $19
403E-   A9 11       LDA   #$11
4040-   A2 01       LDX   #$01

; another multi-sector read
4042-   20 4E 40    JSR   $404E

; jump to main program
4045-   4C 00 20    JMP   $2000

To disable the RWTS swapper, I can
change the array of epilogue values at
$40FE so they're all $DE, which tells
the code at $4096 that the epilogue for
tracks $04-0B is the same as it is for
other tracks. Which is, you know, true.
So that's nice.

T00,S0A,$FF change D5 to DE

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 366
------------------EOF------------------
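
Added example (not part of the original write-up): a small Python model of the swapper at $4096 and the RWTS epilogue check at $B92F, replaying the loader's reads against the original disk, the standard-format copy, and the copy with $40FF patched. Function and constant names are hypothetical, and the epilogue tuples are constructed samples using the byte values quoted above.

```python
# Added illustration; names are hypothetical, addresses and bytes come from
# the listings above, and the epilogue tuples are constructed samples.
EPILOGUE_TABLE = 0x40FE   # two-byte table read by LDX $40FE,Y
RWTS_EPILOGUE = 0xB935    # operand of CMP #$DE at $B934

ORIGINAL_T04_T0B = (0xD5, 0xAA, 0xEB)  # data epilogue on the original disk
STANDARD = (0xDE, 0xAA, 0xEB)          # data epilogue after Super Demuffin


def make_memory(table=(0xDE, 0xD5)):
    """Sparse memory image with only the bytes the swapper touches."""
    mem = {0x03D2: 0x9D, RWTS_EPILOGUE: 0xDE}
    mem[EPILOGUE_TABLE], mem[EPILOGUE_TABLE + 1] = table
    return mem


def swapper(mem, y):
    """Model of $4096: X = table[Y], stored at ($03D2 + $1C) * $100 + $35."""
    x = mem[EPILOGUE_TABLE + y]
    target = (((mem[0x03D2] + 0x1C) & 0xFF) << 8) | 0x35
    mem[target] = x
    return target


def epilogue_ok(mem, nibbles):
    """Model of $B92F-$B943: byte 1 must equal $B935, byte 2 must be $AA."""
    return nibbles[0] == mem[RWTS_EPILOGUE] and nibbles[1] == 0xAA


def loader_reads(table, t04_t0b_epilogue):
    """Replay the loader: swap with Y=1, read T04-T0B, swap with Y=0, read on."""
    mem = make_memory(table)
    swapper(mem, 1)
    protected_ok = epilogue_ok(mem, t04_t0b_epilogue)
    swapper(mem, 0)
    later_ok = epilogue_ok(mem, STANDARD)
    return protected_ok, later_ok


if __name__ == "__main__":
    cases = [("original disk", (0xDE, 0xD5), ORIGINAL_T04_T0B),
             ("standard copy, unpatched", (0xDE, 0xD5), STANDARD),
             ("standard copy, $40FF patched", (0xDE, 0xDE), STANDARD)]
    for name, table, epilogue in cases:
        print(f"{name}: (T04-T0B ok, later ok) = {loader_reads(table, epilogue)}")
```

The unpatched standard copy fails only the T04-T0B read, which is the BCS $4013 loop seen as endless grinding.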