-------------Alien Addition------------
A 4am crack                  2015-03-20
---------------------------------------

Name: Alien Addition
Genre: educational
Year: 1982
Authors: Jerry Chaffin & Bill Maxwell
Publisher: Developmental Learning
  Materials (DLM)
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Other versions: none (preserved here
  for the first time)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  can't read anything past track $02

EDD 4 bit copy (no sync, no count)
  no errors, but copy loads DOS,
    displays prompt, then fills screen
    with null bytes and reboots

Copy ][+ nibble editor
  T03+ -> modified address and data
    prologue ("D7 AA 96" / "D7 AA AD")
    and modified epilogues ("DF AA EB")

Disk Fixer
  T00 -> looks like a DOS 3.3 RWTS
  T00-T02 -> looks like a full DOS
  T01,S09 -> startup program is "HELLO"
  ["O" -> "Input/Output Control"]
    set Address Prologue to "D7 AA 96"
    set Address Epilogue to "DF AA EB"
    set Data Prologue to "D7 AA AD"
    set Data Epilogue to "DF AA EB"
  T03+ readable!
  T11 -> DOS 3.3 disk catalog

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. find nibble check and bypass it

                   ~

               Chapter 1
In Which Automated Tools Get Us Nowhere


[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

There's nothing unusual in anything
I've captured so far. The RWTS looks
completely standard. Boot0 just jumps
to boot1, which jumps to $9D84 to start
DOS.

I need to dig deeper.

]CALL -151
*9600<C600.C6FFM

; set up callback #1 after boot0 loads
; boot1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; (callback #1) set up callback #2
; after boot1 loads boot2
970A-   A9 17       LDA   #$17
970C-   8D 48 B7    STA   $B748
970F-   A9 97       LDA   #$97
9711-   8D 49 B7    STA   $B749

; continue the boot
9714-   4C 00 B7    JMP   $B700

; (callback #2) copy entire DOS into
; lower memory so it survives a reboot
; to my work disk
9717-   A2 23       LDX   #$23
9719-   A0 00       LDY   #$00
971B-   B9 00 9D    LDA   $9D00,Y
971E-   99 00 2D    STA   $2D00,Y
9721-   C8          INY
9722-   D0 F7       BNE   $971B
9724-   EE 1D 97    INC   $971D
9727-   EE 20 97    INC   $9720
972A-   CA          DEX
972B-   D0 EE       BNE   $971B

; and reboot to my work disk
972D-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$130
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2,A$2D00,L$2300
]CALL -151

*FE89G FE93G      ; disconnect my DOS
*9D00<2D00.4FFFM  ; move DOS into place

*9D84L
.
. nothing unusual, until...
.
9E4D-   4C 8E AE    JMP   $AE8E

This usually jumps to $A180 to execute
the RUN command that's been set up in
late-stage DOS. (This is what runs
HELLO or whatever is set as the startup
program.) "Beneath Apple DOS" says that
$AE8E is the INIT handler. I very much
doubt that the disk is formatting
itself on boot.

                   ~

               Chapter 2
 In Which We See A Whole Lotta Nothin'


*AE8EL

AE8E-   EA          NOP
AE8F-   EA          NOP
AE90-   EA          NOP
AE91-   EA          NOP
AE92-   EA          NOP
AE93-   EA          NOP
AE94-   EA          NOP
AE95-   EA          NOP
AE96-   EA          NOP
AE97-   EA          NOP
AE98-   EA          NOP
AE99-   EA          NOP
AE9A-   EA          NOP
AE9B-   EA          NOP
AE9C-   EA          NOP
AE9D-   EA          NOP
AE9E-   EA          NOP
AE9F-   EA          NOP
AEA0-   EA          NOP
AEA1-   EA          NOP
AEA2-   EA          NOP
AEA3-   EA          NOP
AEA4-   EA          NOP
AEA5-   EA          NOP
AEA6-   EA          NOP
AEA7-   EA          NOP
AEA8-   EA          NOP
AEA9-   EA          NOP
AEAA-   EA          NOP
AEAB-   EA          NOP
AEAC-   EA          NOP
AEAD-   EA          NOP
AEAE-   EA          NOP
AEAF-   EA          NOP
AEB0-   EA          NOP
AEB1-   EA          NOP
AEB2-   EA          NOP
AEB3-   EA          NOP
AEB4-   EA          NOP

That's a whole lotta nothin'.

AEB5-   A0 02       LDY   #$02
AEB7-   8C EC B7    STY   $B7EC
AEBA-   88          DEY
AEBB-   8C F4 B7    STY   $B7F4
AEBE-   88          DEY
AEBF-   F0 01       BEQ   $AEC2
AEC1-   6C 8C F0    JMP   ($F08C)
AEC4-   B7          ???
AEC5-   8C EB B7    STY   $B7EB

Wait, what?

Oh, I see it. The Y register starts at
2, is decremented twice, then the BEQ
branches to... the middle of the next
listed instruction. Just to make it
slightly more difficult to do exactly
the thing I am trying to do, 33 years
later. A little "f--- you" from 1982.

*AEC1:EA

*AEB5L

AEB5-   A0 02       LDY   #$02
AEB7-   8C EC B7    STY   $B7EC
AEBA-   88          DEY
AEBB-   8C F4 B7    STY   $B7F4
AEBE-   88          DEY
AEBF-   F0 01       BEQ   $AEC2
AEC1-   EA          NOP
AEC2-   8C F0 B7    STY   $B7F0
AEC5-   8C EB B7    STY   $B7EB
AEC8-   A2 09       LDX   #$09
AECA-   D0 01       BNE   $AECD
AECC-   20 8E ED    JSR   $ED8E
AECF-   B7          ???

And again. And again. And (I'll spare
you the suspense) again.

*AECC:EA
*AED4:EA
*AEDC:EA

Here it is, in all its unobfuscated
glory:

*AEB5L

; set up an RWTS read on T02,S09 into
; $7900
AEB5-   A0 02       LDY   #$02
AEB7-   8C EC B7    STY   $B7EC
AEBA-   88          DEY
AEBB-   8C F4 B7    STY   $B7F4
AEBE-   88          DEY
AEBF-   F0 01       BEQ   $AEC2
AEC1-   EA          NOP
AEC2-   8C F0 B7    STY   $B7F0
AEC5-   8C EB B7    STY   $B7EB
AEC8-   A2 09       LDX   #$09
AECA-   D0 01       BNE   $AECD
AECC-   EA          NOP
AECD-   8E ED B7    STX   $B7ED
AED0-   A9 79       LDA   #$79
AED2-   D0 01       BNE   $AED5
AED4-   EA          NOP
AED5-   8D F1 B7    STA   $B7F1
AED8-   A9 B7       LDA   #$B7
AEDA-   D0 01       BNE   $AEDD
AEDC-   EA          NOP
AEDD-   A0 E8       LDY   #$E8
AEDF-   20 D9 03    JSR   $03D9

; and continue there
AEE2-   4C 02 79    JMP   $7902

Let's see what's there.

*9600<C600.C6FFM

; set up callback #1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; (callback #1) set up callback #2
970A-   A9 17       LDA   #$17
970C-   8D 48 B7    STA   $B748
970F-   A9 97       LDA   #$97
9711-   8D 49 B7    STA   $B749

; continue the boot
9714-   4C 00 B7    JMP   $B700

; (callback #2) set up callback #3
; to reboot to my work disk after the
; sector is read into $7900
9717-   A9 00       LDA   #$00
9719-   8D E3 AE    STA   $AEE3
971C-   A9 C5       LDA   #$C5
971E-   8D E4 AE    STA   $AEE4

; continue the boot
9721-   4C 84 9D    JMP   $9D84

*BSAVE TRACE3,A$9600,L$124
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2 7900-79FF,A$7900,L$100

                   ~

               Chapter 3
       In Which We Accidentally
      Stumble Down The Wrong Path


]CALL -151

*7902L

7902-   20 75 79    JSR   $7975

*7975L

; check write protect?
7975-   AD ED C0    LDA   $C0ED
7978-   AD EE C0    LDA   $C0EE
797B-   10 08       BPL   $7985

; [skipped]
;797D-   60          RTS
;797E-   AD E8 C0    LDA   $C0E8
;7981-   60          RTS
;7982-   4C FF 00    JMP   $00FF

7985-   4C BF BE    JMP   $BEBF

*BLOAD BOOT2,A$1D00
*FE89G FE93G      ; disconnect work DOS
*9D00<1D00.3FFFM  ; move DOS into place

*BEBFL

BEBF-   A2 12       LDX   #$12
BEC1-   BD CC BE    LDA   $BECC,X
BEC4-   9D 7F BF    STA   $BF7F,X
BEC7-   CA          DEX
BEC8-   D0 F7       BNE   $BEC1
BECA-   4C 80 BF    JMP   $BF80

*BECA:60
*BEBFG

*BF80L

; wipe all memory and reboot
BF80-   A9 00       LDA   #$00
BF82-   AA          TAX
BF83-   CA          DEX
BF84-   9D 00 BE    STA   $BE00,X
BF87-   D0 FA       BNE   $BF83
BF89-   CE 86 BF    DEC   $BF86
BF8C-   D0 F5       BNE   $BF83
BF8E-   4C 00 C6    JMP   $C600

Whoa whoa whoa, I took the wrong path.
This is The Badlands. I did not want to
end up here. (On the other hand, this
explains why my EDD bit copy cleared
the screen with nulls and rebooted. It
ended up here.

Backing up...

                   ~

               Chapter 4
     In Which We Cover Our Tracks


; check write protect?
7975-   AD ED C0    LDA   $C0ED
7978-   AD EE C0    LDA   $C0EE
797B-   10 08       BPL   $7985
797D-   60          RTS

OK, this subroutine is just supposed to
exit gracefully.

Backing up further...

; set up another RWTS read
7905-   A9 01       LDA   #$01
7907-   8D F4 B7    STA   $B7F4
790A-   D0 01       BNE   $790D
790C-   4C A9 0A    JMP   $0AA9
790F-   8D ED B7    STA   $B7ED
7912-   D0 01       BNE   $7915
7914-   6C A9 02    JMP   ($02A9)

Hooray, more obfuscation!

*790C:EA
*7914:EA
*792A:EA
*7935:EA
*793B:EA
*7940:EA
*7949:EA
*794F:EA

*7905L

; set up a read from T02,S0A into $AE00
; (a.k.a. cover our tracks in memory)
7905-   A9 01       LDA   #$01
7907-   8D F4 B7    STA   $B7F4
790A-   D0 01       BNE   $790D
790C-   EA          NOP
790D-   A9 0A       LDA   #$0A
790F-   8D ED B7    STA   $B7ED
7912-   D0 01       BNE   $7915
7914-   EA          NOP
7915-   A9 02       LDA   #$02
7917-   8D EC B7    STA   $B7EC
791A-   A9 AE       LDA   #$AE
791C-   8D F1 B7    STA   $B7F1
791F-   A9 B7       LDA   #$B7
7921-   A0 E8       LDY   #$E8
7923-   20 B5 B7    JSR   $B7B5

; make some modifications to the RWTS
; in memory (these match the values
; I saw earlier, in the nibble editor)
7926-   A9 DF       LDA   #$DF
7928-   D0 01       BNE   $792B
792A-   EA          NOP
792B-   8D 35 B9    STA   $B935
792E-   8D 9E B8    STA   $B89E
7931-   A0 FC       LDY   #$FC
7933-   D0 01       BNE   $7936
7935-   EA          NOP
7936-   8C 60 BC    STY   $BC60
7939-   D0 01       BNE   $793C
793B-   EA          NOP
793C-   A0 D7       LDY   #$D7
793E-   D0 01       BNE   $7941
7940-   EA          NOP
7941-   8C 7A BC    STY   $BC7A
7944-   8C 55 B9    STY   $B955
7947-   D0 01       BNE   $794A
7949-   EA          NOP
794A-   8C E7 B8    STY   $B8E7
794D-   D0 01       BNE   $7950
794F-   EA          NOP
7950-   8C 53 B8    STY   $B853

; another RWTS read, this one from
; T04,S00, into $7900 -- presumably to
; cover our tracks here, too
7953-   A9 00       LDA   #$00
7955-   8D ED B7    STA   $B7ED
7958-   A0 04       LDY   #$04
795A-   8C EC B7    STY   $B7EC

; Oh, and reset the jump at $9E4D.
; COVER ALL THE TRACKS!
795D-   A2 80       LDX   #$80
795F-   8E 4E 9E    STX   $9E4E
7962-   A2 A1       LDX   #$A1
7964-   8E 4F 9E    STX   $9E4F
7967-   A9 79       LDA   #$79
7969-   8D F1 B7    STA   $B7F1
796C-   A9 00       LDA   #$00
796E-   8D EB B7    STA   $B7EB

; continue elsewhere
7971-   4C AF BE    JMP   $BEAF

*BEAFL

; read T04,S00 into $7900
BEAF-   A9 B7       LDA   #$B7
BEB1-   A0 E8       LDY   #$E8
BEB3-   20 B5 B7    JSR   $B7B5

; this is actually harmless
BEB6-   A9 4C       LDA   #$4C
BEB8-   20 B2 A5    JSR   $A5B2
BEBB-   EA          NOP

; and this is where $9E4D was supposed
; to jump to run the HELLO program
BEBC-   4C 80 A1    JMP   $A180

I'll let this code make the RWTS
modifications, then stop.

*7971:60
*7926G

Now I have the "final" RWTS in memory,
which can read the bulk of the disk
(starting on track $03).

*2800<B800.BFFFM
*C500G
...
]BSAVE RWTS 3+,A$2800,L$800

                   ~

               Chapter 5
       In Which We (Finally) Use
   The Original Disk Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

[press "Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $03        <-- change this
START SECTOR: $00
END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $30,$00-$22,$0F BY$01 S6,D1->S6,D2

                 --^--

And here we go...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:   ................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:   ................................
SC1:   ................................
SC2:   ................................
SC3:   ................................
SC4:   ................................
SC5:   ................................
SC6:   ................................
SC7:   ................................
SC8:   ................................
SC9:   ................................
SCA:   ................................
SCB:   ................................
SCC:   ................................
SCD:   ................................
SCE:   ................................
SCF:   ................................
=======================================
16SC $30,$00-$22,$0F BY$01 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
339 FREE

 A 012 HELLO
 B 034 LOGO1
 B 034 LOGO2
 B 034 LOGO3
 B 011 ALIENMATH.MAIN
 B 005 ALIENMATH.GRAPHICS
 B 020 ALIENMATH.BACK
 B 007 ALIENMATH.IMAGE

]RUN HELLO
...works...

[Copy ][+ 8.4]
  --> "COPY"
    --> "BIT COPY"
      --> "MANUAL SECTOR COPY"
        --> from SLOT 6, DRIVE 1
        -->   to SLOT 6, DRIVE 2
        --> tracks $00-$02

Notes on the way out:

  1. Ironically, the RWTS on disk is
     totally standard, which means it
     can already read the demuffin'd
     disk. So no RWTS patches are
     required.
  2. There wasn't ever any nibble
     check. My EDD bit copy didn't
     work because my copy wasn't write-
     protected.
  3. The copy protection has no side
     effects except patching the RWTS
     in a way that I don't want, and
     doing a write-protect check that
     I also don't want. The only thing
     I need to patch is the jump at
     $9E4D, to go to $A180 directly.

T00,S0D,$4E change "8E AE" to "80 A1"

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 277
------------------EOF------------------