---------------Widespread--------------
A 4am crack                  2015-06-08
---------------------------------------

Name: Widespread
Genre: productivity
Year: 1985
Publisher: Software Publishing
  Corporation
Media: double-sided 5.25-inch floppy
OS: Apple Pascal 1.1
Other versions: none (preserved here
  for the first time)

Side 1 is the program. Side 2 has some
documentation in a large text file, and
it appears to be unprotected. Let's
start with side 1.

                   ~

               Chapter 0
     In Which Various Automated Tools
        Fail In Interesting Ways


COPYA
  no errors, but copy prints "NOT AN
  EXECUTABLE DISK" and hangs

Locksmith Fast Disk Backup
  ditto

EDD 4 bit copy (no sync, no count)
  ditto

Copy ][+ nibble editor
  nothing suspicious

Disk Fixer
  T00 -> Pascal 1.1 bootloader (only
    boots from slot 6)
  T00,S0B -> Pascal disk catalog

Why didn't any of my copies work?
  probably a nibble check in the
  SYSTEM.STARTUP program

Next steps:

  1. Use the tools on an Apple Pascal
     system disk to verify that this
     disk really uses Apple Pascal
  2. Find the HELLO program (usually
     SYSTEM.STARTUP) and decompile it
  3. Hack the p-code to disable the
     copy protection

But first, let me try a shortcut.

                   ~

               Chapter 1
      In Which We Try A Shortcut


Turning to my trusty sector editor, I
do a quick scan for some common byte
patterns of nibble checks.

First, "LDA $C089,X" -- used by
virtually every nibble check I've ever
seen. (It turns on the drive motor
manually, so you can read raw nibbles
or whatever.)

[Disk Fixer]
  ["F"ind]
    ["H"ex]
      "BD 89 C0"

One hit on track $01, but it doesn't
appear to be copy protection-related.

Next up: "LDA $C0E9" -- a less common
variant, since it only works if you
booted from slot 6. But I have seen it
on a number of Pascal disks that can
only boot from slot 6 anyway.

  ["F"ind]
    ["H"ex]
      "AD E9 C0"

One hit on T20,S08.
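
The sector-editor search above, as an added example that is not part of the original write-up: a Python scan of a flat disk image for reads of the Disk II soft switches, reported as track/sector/offset. It goes slightly beyond the two patterns in the text by also matching LDY, LDX, CMP and BIT, and it counts hits per sector, since a lone hit can be plain data (like the track $01 hit) while a cluster suggests code. Assumptions: a 35-track, 16-sector, 256-byte-sector image in the same sector order the sector editor shows; all function names are hypothetical; the sample image is constructed from bytes in the listing.

```python
from collections import Counter

SECTOR_SIZE = 256
SECTORS_PER_TRACK = 16
# 6502 opcodes that read memory through a 16-bit operand
ABSOLUTE = {0xAD: "LDA", 0xAC: "LDY", 0xAE: "LDX", 0xCD: "CMP", 0x2C: "BIT"}
INDEXED_X = {0xBD: "LDA", 0xBC: "LDY", 0xDD: "CMP"}  # operand + X register

def find_switch_reads(image, slot=6):
    """Return (track, sector, offset, text) for each candidate instruction."""
    base = 0xC080 + slot * 16           # slot 6 -> $C0E0..$C0EF
    hits = []
    for pos in range(len(image) - 2):
        opcode = image[pos]
        addr = image[pos + 1] | (image[pos + 2] << 8)  # little-endian operand
        if opcode in ABSOLUTE and base <= addr <= base + 15:
            text = f"{ABSOLUTE[opcode]} ${addr:04X}"
        elif opcode in INDEXED_X and 0xC080 <= addr <= 0xC08F:
            text = f"{INDEXED_X[opcode]} ${addr:04X},X"
        else:
            continue
        block, offset = divmod(pos, SECTOR_SIZE)
        track, sector = divmod(block, SECTORS_PER_TRACK)
        hits.append((track, sector, offset, text))
    return hits

def hits_per_sector(hits):
    """Count hits by (track, sector); a cluster suggests code, not data."""
    return Counter((t, s) for t, s, _, _ in hits)

def build_sample_image():
    """Constructed image: all zeros plus three instructions from the listing."""
    image = bytearray(35 * SECTORS_PER_TRACK * SECTOR_SIZE)
    start = (0x20 * SECTORS_PER_TRACK + 0x08) * SECTOR_SIZE
    image[start + 0x80:start + 0x83] = bytes.fromhex("ADE9C0")  # LDA $C0E9
    image[start + 0x91:start + 0x94] = bytes.fromhex("ACECC0")  # LDY $C0EC
    image[start + 0xCF:start + 0xD2] = bytes.fromhex("CDE8C0")  # CMP $C0E8
    return bytes(image)

if __name__ == "__main__":
    found = find_switch_reads(build_sample_image())
    for track, sector, offset, text in found:
        print(f"T{track:02X},S{sector:02X},${offset:02X}  {text}")
    print(hits_per_sector(found))
```

Every hit still needs a look at the surrounding disassembly, because the same three bytes can occur in data.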

                 --v--

T20,S08
----------- DISASSEMBLY MODE ----------
; standard beginning of an external
; assembly language routine called from
; a Pascal program
0076:68         PLA
0077:85 00      STA   $00
0079:68         PLA
007A:85 01      STA   $01
007C:68         PLA
007D:68         PLA
007E:68         PLA
007F:68         PLA

; turn on slot 6 drive motor manually
; (always suspicious)
0080:AD E9 C0   LDA   $C0E9

; initialize Death Counter
0083:A9 56      LDA   #$56
0085:85 03      STA   $03
0087:A9 08      LDA   #$08
0089:C6 02      DEC   $02
008B:D0 04      BNE   $0091
008D:C6 03      DEC   $03

; if Death Counter hits zero, give up
008F:F0 3B      BEQ   $00CC

; look for $FB
0091:AC EC C0   LDY   $C0EC
0094:10 FB      BPL   $0091
0096:C0 FB      CPY   #$FB
0098:D0 ED      BNE   $0087
009A:F0 00      BEQ   $009C
009C:EA         NOP
009D:EA         NOP

; followed by a timing bit (note: no
; BPL loop here, we only read the data
; latch once before starting over)
009E:AC EC C0   LDY   $C0EC
00A1:C0 08      CPY   #$08

; rotate accumulator (initialized at
; offset $87 above)
00A3:2A         ROL

; branch based on the comparison of the
; Y register (at offset $A1 above)
00A4:B0 0B      BCS   $00B1

; sync byte?
00A6:AC EC C0   LDY   $C0EC
00A9:10 FB      BPL   $00A6
00AB:C0 FF      CPY   #$FF

; found a non-sync byte, that's bad
; (decrements Death Counter)
00AD:D0 D8      BNE   $0087

; found a sync byte, that's OK
; (branches to look for a timing bit
; again)
00AF:F0 EB      BEQ   $009C

; execution continues here after we
; find a timing bit in the right place

; get a nibble and store it
00B1:AC EC C0   LDY   $C0EC
00B4:10 FB      BPL   $00B1
00B6:84 02      STY   $02
00B8:C9 0A      CMP   #$0A
00BA:D0 CB      BNE   $0087

; get another nibble
00BC:AD EC C0   LDA   $C0EC
00BF:10 FB      BPL   $00BC

; bit math
00C1:38         SEC
00C2:2A         ROL
00C3:25 02      AND   $02
00C5:49 FF      EOR   #$FF
00C7:A8         TAY

; on success, A = $00
00C8:A9 00      LDA   #$00
00CA:F0 03      BEQ   $00CF

; on failure, A = $FF
00CC:A0 FF      LDY   #$FF
00CE:98         TYA

; turn off slot 6 drive motor
00CF:CD E8 C0   CMP   $C0E8

; pass return value (in accumulator)
; back to Pascal code
00D2:48         PHA
00D3:98         TYA
00D4:48         PHA
00D5:A5 01      LDA   $01
00D7:48         PHA
00D8:A5 00      LDA   $00
00DA:48         PHA
00DB:60         RTS

                 --^--

Changing the return value at offset $CC
from $FF to $00 should be sufficient to
trick the caller into thinking that the
nibble check passed.

T20,S08,$CD change "FF" to "00"

]PR#6
...works...

So, yeah, we don't need to do anything
crazy like decompiling or p-code
hacking... this time.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 334
------------------EOF------------------