--------------Alge-Blaster-------------
A 4am crack                  2015-10-30
---------------------------------------

Name: Alge-Blaster
Genre: educational
Year: 1985
Authors:
  Programming: Anders Beitnes
  Data files: Wendy Barels
  Editing: Cathy Johnson
  C Compiler: Manx Software
  Direction: Jan Davidson
Publisher: Davidson & Associates, Inc.
Media: 3.5-inch floppy (800K)
OS: ProDOS 1.1.1
Previous cracks: uncredited crack


                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


Copy ][+ 9.1 ("COPY" > "DISK")
  read error on block $0308; copy loads
  then prints "Insert master disk and
  press ."

CFFA 3000 import
  read error on block 776 (= $0308);
  booting the disk image in an emulator
  exhibits the same behavior as the
  backup I made with Copy ][+ disk copy

The original disk boots without
complaint, so either this bad block is
part of the protection check, or it's
unrelated and I got incredibly lucky.

Next steps:

  1. Trace the startup program
  2. Find and disable the protection
     check
  3. Declare victory(*)

(*) Take a nap


                   ~

               Chapter 1
  In Which Things Do Not Go As Planned


[S7,D1=my ProDOS hard drive]
[S5,D1=original disk]

]PR#7
...
]CAT,S5,D1

/ALGEBLASTER

 NAME           TYPE  BLOCKS  MODIFIED

 PRODOS         SYS       30  10-JUN-86
 JNK            TXT        1   4-MAR-46
 ALGEBLASTER    $F8       78   2-JAN-88
 FLOW.SET       BIN        3   6-AUG-87
 SMALL.SET      BIN        3   6-AUG-87
 BIG.FONT       BIN        6   6-AUG-87
 EDIT           $F8       50   2-JAN-88
 SHELL.SYSTEM   SYS       54   6-OCT-87
 PROFILE        TXT        1   3-OCT-87
 TITLE          $F8       36   6-OCT-87
*DATA           DIR        7   6-JAN-88
 DESKTOP        $00        3  17-SEP-56

BLOCKS FREE: 1002    BLOCKS USED: 598

"SHELL.SYSTEM" is the Aztec C Shell (it
says so on boot). It's possible that it
has been modified to include a nibble
check, but I have a hunch the action is
elsewhere -- either in "ALGEBLASTER" or
"TITLE" (both of type "$F8" -- a custom
type). Call it cracker's intuition.

]PREFIX /ALGEBLASTER
]BLOAD ALGEBLASTER
FILE TYPE MISMATCH

]BLOAD ALGEBLASTER,T$F8
INVALID PARAMETER

!@#$% ProDOS and its unloadable types.

]PR#7
...
[Block Warden]
["C"hange device -> S5,D1]
["F"ollow file]
["ALGEBLASTER"]
["L"ist from offset 0]

--v--
Block: $0026 (38)
Prefix: /ALGEBLASTER/
Following: ALGEBLASTER, Type LNK,
Rel block 1, Byte $000000

1000: 4C 78 75  JMP $7578
--^--

Well that looks like executable code,
at least. But now what?

I have an idea. Other Davidson titles
use the ProDOS MLI to check that a
particular block is unreadable. Calling
the MLI has a distinct signature: it's
always JSR $BF00, followed by the MLI
command (one byte). The command for a
raw block read is $80.

[Block Warden]
["E"dit mode]
["Ctrl-S" to search]
["$20 00 BF 80"]

Bingo! Here's Block Warden's custom
disassembly of the relevant portion of
code in the ALGEBLASTER file (with
added comments):

--v--
Block: $0055 (85)
Prefix: /ALGEBLASTER/

; set block $110 (used for 5.25-inch
; disks)
100D: A9 10     LDA #$10        ).
100F: 8D 04 08  STA $0804       ...
1012: A9 01     LDA #$01        ).
1014: 8D 05 08  STA $0805       ...

; unconditional jump
1017: D0 0C     BNE $1025       P.
1019: F0 0A     BEQ $1025       p.

; set block $308 (used by 3.5-inch
; disks)
101B: A9 08     LDA #$08        ).
101D: 8D 04 08  STA $0804       ...
1020: A9 03     LDA #$03        ).
1022: 8D 05 08  STA $0805       ...

; execution continues here --
; set unit number
1025: AD 30 BF  LDA $BF30       -0?
1028: 8D 01 08  STA $0801       ...

; number of parameters
102B: A9 03     LDA #$03        ).
102D: 8D 00 08  STA $0800       ...

1030: A9 0A     LDA #$0A        ).
1032: 8D 02 08  STA $0802       ...
1035: A9 08     LDA #$08        ).
1037: 8D 03 08  STA $0803       ...

; call ProDOS MLI with MLI command $80
103A: 20 00 BF  JSR $BF00       .?
103D: 80        (read block)    .
103E: 00 08                     ..

; if no error, branch forward
1040: 90 0A     BCC $104C       ..

; if MLI error is not "I/O ERROR",
; branch forward
1042: C9 27     CMP #$27        I'
1044: D0 06     BNE $104C       P.

; original disks end up here (because
; the specified block is bad ($110 for
; 5.25-inch disks, $308 for 3.5-inch)
; and the MLI returns an I/O error)
1046: A9 01     LDA #$01        ).
1048: 85 08     STA $08         ..
104A: D0 04     BNE $1050       P.

; copies end up here (because the
; specified block is *not* bad)
104C: A9 00     LDA #$00        )
104E: 85 08     STA $08         ..
--^--

That's the side effect that triggers
the "Insert master disk" error later:
whether zero page $08 is $01 or $00.

To fix this, I should be able to change
the code at offset $4C from "LDA #$00"
to "LDA #$01" (to match the code at
offset $46 in the success path).

[S5,D1=non-working copy]

Block $0055, offset $4D
change 00 to 01

]PR#5
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 479
------------------EOF------------------
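
An added example, not part of the original write-up: Python code that finds ProDOS MLI calls by the JSR $BF00 signature described in Chapter 1 and decodes the READ_BLOCK parameter list from the LDA #imm / STA abs stores that precede the call. The sample bytes are retyped from the listing above; the function names and the low/high pairing heuristic are assumptions of this example.

```python
import re
import struct

BASE = 0x100D  # address of the first byte in the listing
# Sample input: bytes $100D-$104F retyped from the listing in this write-up.
LISTING = bytes.fromhex(
    "A910 8D0408 A901 8D0508 D00C F00A A908 8D0408 A903 8D0508"
    "AD30BF 8D0108 A903 8D0008 A90A 8D0208 A908 8D0308"
    "2000BF 80 0008 900A C927 D006 A901 8508 D004 A900 8508"
)
READ_BLOCK = 0x80  # MLI command byte for a raw block read


def find_mli_calls(code, base):
    """Return (call address, command byte, parameter list address) per JSR $BF00."""
    calls = []
    for m in re.finditer(rb"\x20\x00\xBF", code):
        if m.end() + 3 <= len(code):  # need command byte + 2-byte pointer
            cmd, plist = struct.unpack_from("<BH", code, m.end())
            calls.append((base + m.start(), cmd, plist))
    return calls


def immediate_stores(code):
    """Map target address -> constants stored by LDA #imm / STA abs, in order."""
    stores = {}
    # DOTALL so that an immediate value of $0A (newline) still matches "."
    for m in re.finditer(rb"\xA9(.)\x8D(..)", code, re.DOTALL):
        target = struct.unpack("<H", m.group(2))[0]
        stores.setdefault(target, []).append(m.group(1)[0])
    return stores


def words(stores, addr):
    """Pair low/high byte stores at addr and addr+1 in program order (heuristic)."""
    return [hi << 8 | lo
            for lo, hi in zip(stores.get(addr, []), stores.get(addr + 1, []))]


def read_block_requests(code, base):
    """Describe every READ_BLOCK call: buffer and candidate block numbers."""
    stores = immediate_stores(code)
    found = []
    for call, cmd, plist in find_mli_calls(code, base):
        if cmd == READ_BLOCK:
            # Layout: +0 param_count, +1 unit_num, +2 data_buffer, +4 block_num
            found.append({"call": call, "plist": plist,
                          "buffer": words(stores, plist + 2),
                          "blocks": words(stores, plist + 4)})
    return found
```

Because the scan is path-insensitive, both block numbers written to the parameter list ($0110 and $0308) are reported as candidates for the single call at $103A.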