--------Building Reading Skills--------
A 4am crack
2016-03-06
---------------------------------------

Name: Building Reading Skills
Version: "85-02"
Genre: educational
Year: 1985
Publisher: Josten Learning Systems
Media: two single-sided 5.25-inch disks
OS: DOS 3.3
Previous cracks: none
Identical cracks: #631 A Treasure Hunt of Facts

I have two disks:

  1. "Short Vowels"
  2. "Long Vowels"

Both disks are bootable and appear to be independent of each other. I'll start with disk 1.

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified epilogues ("F5 AA EB")
  odd-numbered tracks (1, 3, 5...) also have a modified address prologue ("D4 AA 96")

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "F5 AA EB"
  -> even-numbered tracks readable
  T00 looks like a DOS 3.3 RWTS
  set Address Prologue to "D4 AA 96"
  -> odd-numbered tracks also readable
  T01 readable. Also T03, T05, T07...
  T11 looks like a DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified prologue and epilogue

Why didn't Locksmith FDB work?
  modified prologue and epilogue

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check (just structural changes to prologues and epilogues)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format with Advanced Demuffin
  3. patch RWTS to read standard format

~

Chapter 1
Bit Math Is Best Math

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BLOAD RWTS,A$3800
]CALL -151
*B800<3800.3EFFM
*B944L

; routine to read address prologue
B944-   A0 FC       LDY   #$FC
B946-   84 26       STY   $26
B948-   C8          INY
B949-   D0 04       BNE   $B94F
B94B-   E6 26       INC   $26
B94D-   F0 F3       BEQ   $B942
B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F

; find prologue nibble #1
B954-   4A          LSR
B955-   C9 6A       CMP   #$6A
B957-   D0 EF       BNE   $B948
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

; find #2
B95E-   C9 AA       CMP   #$AA
B960-   D0 F2       BNE   $B954
B962-   A0 03       LDY   #$03
B964-   BD 8C C0    LDA   $C08C,X
B967-   10 FB       BPL   $B964

; find #3
B969-   C9 96       CMP   #$96
B96B-   D0 E7       BNE   $B954

Well this just answers a whole slew of questions at once. The code to find prologue nibble #1 explains how this disk can read its odd-numbered tracks (with non-standard address prologue "D4 AA 96"). Normal address prologue byte 1 is $D5. In binary:

  $D5 = 1101 0101
  After LSR: 0110 1010 = $6A

Odd-numbered tracks use $D4 instead. In binary:

  $D4 = 1101 0100
  After LSR: 0110 1010 = $6A

So this code will match either prologue and work on both odd and even tracks.

Furthermore, RWTS code is time-critical between reading the last bit of one nibble and reading the first bit of the next. If it's too fast or too slow, it will get out of phase (because the disk spins independently of the CPU). Compare DOS 3.3 (cycle count in margin):

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   C9 D5       CMP   #$D5         | 2
B956-   D0 F0       BNE   $B948        | 2 *
B958-   EA          NOP                | 2
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

(*) on the time-critical path, this branch is not taken, so always 2

...and this disk's RWTS:

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   4A          LSR                | 2
B955-   C9 6A       CMP   #$6A         | 2
B957-   D0 EF       BNE   $B948        | 2 *
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

Despite being more "flexible" (matching $D5 or $D4), this disk's RWTS uses the same number of bytes of code and runs in the same number of cycles. Nice.

I don't need to change anything here in order to crack it. I just wanted to explain how it works.
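To make the two matching rules concrete, here is an added Python model (not code from this write-up, and not 4am's tooling) that scans a constructed nibble stream for address fields the way the two RWTS routines do: the stock DOS 3.3 test (CMP #$D5) versus this disk's LSR / CMP #$6A test, each with a configurable epilogue. It also enumerates exactly which first-nibble values the LSR trick lets through. The sample stream, the field values in it and all function names are my assumptions; the 4-and-4 encoding of the volume/track/sector/checksum bytes is standard DOS 3.3. It goes slightly beyond the text by reproducing the Disk Fixer observations from Chapter 0 as well (epilogue fix alone reads only the even-track field; prologue fix too reads both).

```python
# Added example (not from the original write-up): model the two address-prologue
# checks over a constructed nibble stream. Field values, the protected epilogue
# bytes and all names are assumptions; 4-and-4 encoding is DOS 3.3's.

STD_PROLOGUE_FIRST = 0xD5            # DOS 3.3 address prologue is D5 AA 96
STD_EPILOGUE = (0xDE, 0xAA)          # DOS 3.3 address epilogue (DE AA, then a don't-care EB)
PROTECTED_EPILOGUE = (0xF5, 0xAA)    # what Copy ][+ showed on this disk (F5 AA EB)


def std_match_first(nibble):
    """DOS 3.3 RWTS at $B954: CMP #$D5. Only $D5 passes."""
    return nibble == STD_PROLOGUE_FIRST


def lsr_match_first(nibble):
    """This disk's RWTS at $B954-$B955: LSR, then CMP #$6A.
    Passes for every nibble whose value >> 1 is $6A, i.e. $D4 and $D5."""
    return (nibble >> 1) == 0x6A


def nibbles_accepted_by_lsr():
    """Enumerate the first-nibble values the relaxed check lets through."""
    return [n for n in range(256) if lsr_match_first(n)]   # -> [0xD4, 0xD5]


def encode44(value):
    """4-and-4 encoding: one data byte becomes two disk nibbles (odd bits, even bits)."""
    return [((value >> 1) | 0xAA) & 0xFF, (value | 0xAA) & 0xFF]


def decode44(odd, even):
    """Inverse of encode44, as RWTS computes it: ((odd << 1) | 1) & even."""
    return ((odd << 1) | 1) & even


def address_field(first, volume, track, sector, epilogue):
    """Build one address field: prologue, four 4-and-4 pairs, epilogue."""
    body = []
    for v in (volume, track, sector, volume ^ track ^ sector):
        body += encode44(v)
    return [first, 0xAA, 0x96] + body + list(epilogue)


def find_address_fields(stream, first_ok, epilogue):
    """Scan nibbles the way the RWTS routine does: a candidate field starts at a
    nibble accepted by first_ok and followed by $AA $96; then the four 4-and-4
    pairs are decoded, the checksum verified, and the epilogue compared.
    Returns (track, sector) for every field that passes all checks."""
    found = []
    i = 0
    while i + 13 <= len(stream):
        if first_ok(stream[i]) and stream[i + 1] == 0xAA and stream[i + 2] == 0x96:
            body = stream[i + 3:i + 11]
            vol, trk, sec, chk = (decode44(body[k], body[k + 1]) for k in range(0, 8, 2))
            if (vol ^ trk ^ sec) == chk and tuple(stream[i + 11:i + 13]) == epilogue:
                found.append((trk, sec))
            i += 13
        else:
            i += 1
    return found


# Constructed sample: a few sync nibbles, an even-track field from this disk (D5,
# protected epilogue), an odd-track field (D4, protected epilogue) and, for
# contrast, one field from a plain DOS 3.3 disk (D5, standard epilogue).
SYNC = [0xFF] * 5
SAMPLE_STREAM = (SYNC + address_field(0xD5, 254, 0, 5, PROTECTED_EPILOGUE)
                 + SYNC + address_field(0xD4, 254, 1, 2, PROTECTED_EPILOGUE)
                 + SYNC + address_field(0xD5, 254, 3, 7, STD_EPILOGUE) + SYNC)


def compare_readers(stream=SAMPLE_STREAM):
    """What each reader configuration sees, keyed by a short label."""
    return {
        "dos33 stock":            find_address_fields(stream, std_match_first, STD_EPILOGUE),
        "dos33 + epilogue F5":    find_address_fields(stream, std_match_first, PROTECTED_EPILOGUE),
        "this disk's RWTS (LSR)": find_address_fields(stream, lsr_match_first, PROTECTED_EPILOGUE),
    }


if __name__ == "__main__":
    for label, fields in compare_readers().items():
        print(f"{label:24s} -> {fields}")
```

The stock reader sees only the plain DOS 3.3 field; changing just the epilogue (as with Disk Fixer's first adjustment) reaches the D5 field on the even track but not the D4 field on the odd one; the LSR rule reaches both. The enumeration confirms the relaxed check is only two values wide, which is why it costs nothing in cycles or robustness.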
~

Chapter 2
In Which We Attempt To Use The Original Disk As A Weapon Against Itself

*BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

The disk's own RWTS gave no read errors on any track. This is the power and the genius of Advanced Demuffin. Every disk must be able to read itself. So, let it read itself, then capture the data and write it out in a standard format.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
089 FREE

 A 004 HELLO
 A 004 EGO
 B 034 LOGO.BRS
 B 002 SPEAK BY NUM $9260
 B 005 UL1.UFONIC LOADER 3.3 48K
 B 005 PP
 B 226 USS.BRS-E
 B 002 E.BRS
 B 017 E.SUBS1
 B 006 E.SUBS2
 B 010 E.INTRO
 B 002 E.PARMS
 B 013 EACTS
 B 023 E4I
 B 026 E4L
 B 008 PA
 B 003 AWNS
 B 021 E4G
 B 010 EG1
 B 005 EG2

]RUN HELLO
...works...

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My demuffin'd copy can not read itself, because it's still looking for the non-standard epilogue bytes. This is so common, I wrote a tool to fix it for me automatically.
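The fix applied in the next chapter comes down to two single-byte changes in the RWTS on track 0 (T00,S03,$91 and T00,S02,$9E, F5 back to DE). As an added Python example (not 4am's PDP, whose internals are not shown here), this is a patcher for a DOS-order .dsk image of the demuffin'd copy that applies those two changes only after verifying each target byte still holds $F5, and leaves the image untouched on any mismatch, so it cannot be run twice or against the wrong disk by accident. The image layout (35 tracks x 16 sectors x 256 bytes, logical sectors in order) is the standard DOS-order .dsk convention; the zero-filled test image and all function names are constructed assumptions.

```python
# Added example, not 4am's PDP tool: apply the write-up's two epilogue patches to a
# DOS-order .dsk image, refusing to touch any byte that does not hold the value
# we expect to replace. Layout assumption: 35 tracks x 16 sectors x 256 bytes.

DSK_SIZE = 35 * 16 * 256          # 143,360 bytes

# Patches exactly as listed in Chapter 3: (track, sector, offset, expected, replacement)
EPILOGUE_PATCHES = [
    (0x00, 0x03, 0x91, 0xF5, 0xDE),
    (0x00, 0x02, 0x9E, 0xF5, 0xDE),
]


def sector_offset(track, sector):
    """Byte offset of a logical sector inside a DOS-order .dsk image."""
    if not (0 <= track < 35 and 0 <= sector < 16):
        raise ValueError(f"bad track/sector T{track:02X},S{sector:02X}")
    return (track * 16 + sector) * 256


def needs_patch(image, patches=EPILOGUE_PATCHES):
    """True if every target byte still holds the protected value, False if every
    target byte already holds the standard value, ValueError for anything else
    (a half-patched or unrelated disk)."""
    states = set()
    for track, sector, off, expected, new in patches:
        b = image[sector_offset(track, sector) + off]
        if b == expected:
            states.add("protected")
        elif b == new:
            states.add("standard")
        else:
            raise ValueError(
                f"T{track:02X},S{sector:02X},${off:02X}: unexpected byte {b:02X}")
    if len(states) != 1:
        raise ValueError("image is partially patched; refusing to guess")
    return states == {"protected"}


def apply_patches(image, patches=EPILOGUE_PATCHES):
    """Return a patched copy of image. All targets are checked before any byte is
    written, so a mismatch leaves the caller's image exactly as it was."""
    if len(image) != DSK_SIZE:
        raise ValueError(f"expected a {DSK_SIZE}-byte DOS-order image, got {len(image)}")
    if not needs_patch(image, patches):
        raise ValueError("epilogue bytes are already standard; nothing to do")
    out = bytearray(image)
    for track, sector, off, _expected, new in patches:
        out[sector_offset(track, sector) + off] = new
    return bytes(out)


def make_test_image():
    """Constructed stand-in for the demuffin'd copy: all zeros except the two
    epilogue-check bytes, which still hold the protected value $F5."""
    img = bytearray(DSK_SIZE)
    for track, sector, off, expected, _new in EPILOGUE_PATCHES:
        img[sector_offset(track, sector) + off] = expected
    return bytes(img)


def patch_file(src, dst):
    """Read a .dsk, apply the patches, write the result to a new file."""
    with open(src, "rb") as f:
        image = f.read()
    with open(dst, "wb") as f:
        f.write(apply_patches(image))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        patch_file(sys.argv[1], sys.argv[2])
    else:
        # no files given: exercise the constructed image instead
        fixed = apply_patches(make_test_image())
        print("patched:", not needs_patch(fixed))
```

The two-phase check-then-write design matters more than it looks: a disk whose RWTS was relocated or whose epilogue check lives at a different offset would fail the expected-byte test instead of getting a stray $DE written into whatever happened to be there.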
~

Chapter 3
In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; restore epilogues to standard values
T00,S03,$91 change F5 to DE
T00,S02,$9E change F5 to DE

]PR#6
...works...

Quod erat liberandum.

~

Acknowledgements

This program requires the Ufonic Voice System, which is a hardware add-on card that I don't have and that is not emulated by any known emulator. Without the card, the program displays an error message and hangs. Many thanks to @yesterbits and @L1ttl3john for testing this crack on a real Apple II with the necessary add-on card.

---------------------------------------
A 4am crack No. 632
------------------EOF------------------