------------Capitalization-------------
A 4am crack                  2015-09-18
---------------------------------------

Name: Capitalization
Genre: educational
Year: 1982
Author: Activity Records, Inc.
Publisher: Educational Activities, Inc.
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none
Similar cracks:
  SAT Score Improvement System:
    Vocabulary (crack no. 374)


                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified data epilogue
    ("BF AA EB" instead of "DE AA EB")

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Data Epilogue to "BF AA EB"
  all tracks readable
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "LOADER"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
    (just structural changes to
    epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format


                   ~

               Chapter 1
  In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
215 FREE

*A 003 LOADER
*A 010 CAP9
*A 019 CAP8
*B 006 FINAL SHAPES+
*B 034 COV
*B 034 LOGO
*A 010 CAP0
*A 007 GRAPHIC
*B 002 M
*A 015 CAP7
*A 023 CAP3
*A 020 CAP2
*A 021 CAP1
*A 024 CAP4
*A 020 CAP5
*A 022 CAP6
*A 002 SOUND OPTION DONE>2/24/82
*A 009 EAMENU

]RUN LOADER
...displays title screen and crashes...

]TEXT
...screen still displaying a BASIC
error message...

ERROR #8
I/O ERR
BREAK IN 25

]TEXT
]LIST 25

25  PRINT  CHR$ (4);"BLOAD FINAL SHAPES+,A$D000"

OK, it doesn't like Diversi-DOS 64K
because it's loading something into the
language card directly, and Diversi-DOS
has already relocated itself there. No
big deal; let's try it with the DOS 3.3
master disk instead.

(The reason I do this is to check
whether there are any runtime checks
for subtle differences in the original
DOS. If the program runs after booting
from a third-party disk, I can
eliminate a whole range of possible
secondary protections.)

[S5,D1=DOS 3.3 master disk]

]PR#5
...
]RUN LOADER,S6,D2
...works...

Well OK then.

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My copy can't read itself yet. This is
not unusual.
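
Both read failures so far (stock tools
on the original disk, and the converted
copy under its own unpatched RWTS) are
the same epilogue mismatch. The Python
sketch below is an added example, not
part of the original write-up or of any
tool it uses. It finds each data field
by its D5 AA AD prologue and compares
the epilogue with what the reader
expects. Track contents are constructed,
function names are hypothetical, and
address fields and track wraparound are
left out.

```python
# Added example; track contents are constructed, not read from the disk.
DATA_PROLOGUE = bytes([0xD5, 0xAA, 0xAD])
STANDARD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])  # stock DOS 3.3
MODIFIED_EPILOGUE = bytes([0xBF, 0xAA, 0xEB])  # what Copy ][+ showed on this disk
FIELD_NIBBLES = 342 + 1  # 6-and-2 encoded data plus one checksum nibble


def data_epilogues(track):
    """Yield (prologue_offset, epilogue_bytes) for each complete data field."""
    pos = track.find(DATA_PROLOGUE)
    while pos != -1:
        epi_at = pos + len(DATA_PROLOGUE) + FIELD_NIBBLES
        if epi_at + 3 > len(track):
            break  # field runs off the end of the capture; ignore it
        yield pos, track[epi_at:epi_at + 3]
        pos = track.find(DATA_PROLOGUE, epi_at + 3)


def survey(track, expected):
    """Return (readable, unreadable) data-field counts for a reader that
    expects `expected`. This sketch compares the first two epilogue bytes."""
    fields = [epi for _, epi in data_epilogues(track)]
    ok = sum(1 for epi in fields if epi[:2] == expected[:2])
    return ok, len(fields) - ok


def make_track(epilogue, sectors=16):
    """Constructed sample: a short sync gap plus one data field per sector."""
    field = DATA_PROLOGUE + bytes([0x96]) * FIELD_NIBBLES + epilogue
    return (bytes([0xFF]) * 8 + field) * sectors


if __name__ == "__main__":
    disks = {"original disk": make_track(MODIFIED_EPILOGUE),
             "demuffin'd copy": make_track(STANDARD_EPILOGUE)}
    readers = {"stock RWTS (DE AA)": STANDARD_EPILOGUE,
               "disk's RWTS (BF AA)": MODIFIED_EPILOGUE}
    for disk, track in disks.items():
        for reader, expected in readers.items():
            ok, bad = survey(track, expected)
            print(f"{disk:16} {reader:20} readable={ok:2} unreadable={bad:2}")
```
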


                   ~

               Chapter 2
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

T00,S03,$35 change BF to DE
T00,S02,$9E change BF to DE

(Just RWTS changes.)

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 453
------------------EOF------------------