-----Early Games for Young Children---- A 4am crack 2014-08-20 --------------------------------------- "Early Games for Young Children" is a 1982 educational game by John Paulson and distributed by Springboard Software, Inc. COPYA fails immediately and miserably. EDD 4 bit copy gives no errors, but the copy just grinds until it crashes. Turning to my trusty Copy ][+ sector editor, I press "P" to get to the Sector Editor Patcher, and select "DOS 3.3 PATCHED". This option ignores checksum bytes and epilogue sequences. As long as the address and data prologue are standard ("D5 AA 96" and "D5 AA AD", respectively), this will allow me to read each sector. And lo and behold, it works! I can read the data from every sector on every track. The Copy ][+ nibble editor also shows standard address and data prologues, but a non-standard address epilogue of "AD BB EB" (instead of "DE AA EB") and a non-standard data epilogue of "ED BB EB" (instead of "DE AA EB"). --v-- COPY ][ PLUS BIT COPY PROGRAM 8.4 (C) 1982-9 CENTRAL POINT SOFTWARE, INC. --------------------------------------- TRACK: 06 START: 3308 LENGTH: 015F 2F98: 97 D7 A7 96 9A 96 E6 97 VIEW 2FA0: E7 96 E5 9B 97 CF D3 9B 2FA8: DA DE A6 ED BB EB FC FF ^^^^^^^^ non-standard data epilogue 2FB0: FF FF FF FF FF FF FF FF 2FB8: FF FF FF FF FF D5 AA 96 <-2FB8 ^^^^^^^^ address prologue 2FC0: FF FE AB AE AF AF FB FF 2FC8: AD BB EB AF FF FF FE FF ^^^^^^^^ non-standard address epilogue 2FD0: FF FF FF D5 AA AD AE EC ^^^^^^^^ data prologue 2FD8: CD B3 AD F4 B2 CD FC 9B --------------------------------------- A TO ANALYZE DATA ESC TO QUIT ? FOR HELP SCREEN / CHANGE PARMS Q FOR NEXT TRACK SPACE TO RE-READ --^-- Some quick inspection suggests that all tracks on the disk use the same non- standard epilogue sequences. Given the (relatively) weak structural protection, I used to turn to the DOS 3.3 master disk, patch the RWTS to ignore checksums and epilogue bytes (changing $B942 from "SEC" to "CLC"), and run COPYA. Then, one fine day, and completely by accident, I came across an original disk with a bad sector. I suppose this shouldn't surprise me. These floppies are decades old by now; it's amazing any of them work at all. The point is, I shouldn't be using tools that ignore potentially serious read errors. So, no more COPYA+B942:18 patch. From now on, it's Super Demuffin or Advanced Demuffin to convert disks to a standard format. Given that this disk is self-booting, I should be able to use my AUTOTRACE program to extract the RWTS from the original disk, then load that into Advanced Demuffin to convert it to a standard format. [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#6 ]BRUN ADVANCED DEMUFFIN 1.1 --> EXIT TO MONITOR *F1F:50 ; use slot 5 *800G ; resume --> LOAD NEW RWTS MODULE At $B8, load "RWTS" from drive 1 --> EXIT TO MONITOR *F1F:60 ; use slot 6 *800G ; resume --> FORMAT TARGET DISK ...grind grind grind... --> CONVERT DISK This disk is 16 sectors, and the default options (copy the entire disk, all tracks, all sectors) don't need to be changed. --v-- ADVANCED DEMUFFIN 1.1 - COPYRIGHT 1983 WRITTEN BY THE STACK -CORRUPT COMPUTING =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16 SC $00,$00 TO $22,$0F BY $01 TO DRV2 --^-- The disk's own RWTS gave no read errors on any track. This is the power and the genius of Advanced Demuffin. Every disk must be able to read itself. So, let it read itself, then capture the data and write it out in a standard format. Depending on how the original RWTS was written, a demuffin'd disk may not be able to read itself. Some developers just patch the RWTS to ignore epilogue bytes, while others patch the RWTS to look for specific non-standard epilogue bytes. Demuffin'd disks in the latter category will grind immediately on boot, since as soon as the RWTS is loaded, all further disk reads will look for the original (non-standard) epilogue bytes and not find them. Booting the demuffin'd copy confirms that this disk is in the latter category: it grinds almost immediately on boot, unable to read itself. For future reference (mostly mine), here's a nice chart of the memory locations for all the prologues and epilogues in a DOS 3.3-shaped RWTS. If the RWTS stores $B700 in T00,S01 (most do), then $B8xx will be in T00,S02; $B9xx in T00,S03; and so on. 0x | read | write ---------------+-------+------- D5 | $B955 | $BC7A prologue AA | $B95F | $BC7F / 96 | $B96A | $BC84 ADDRESS -------+-------+------- \ DE | $B991 | $BCAE epilogue AA | $B99B | $BCB3 EB | | $BCB8 ---------------+-------+------- D5 | $B8E7 | $B853 prologue AA | $B8F1 | $B858 / AD | $B8FC | $B85D DATA ----------+-------+------- \ DE | $B935 | $B89E epilogue AA | $B93F | $B8A3 EB | | $B8A8 ---------------+-------+------- I spent way too much time making that. Anyway, here are the three patches that allow my copy to read itself. T00,S02,$9E change "ED" to "DE" T00,S02,$A3 change "BB" to "AA" T00,S03,$35 change "ED" to "DE" T00,S03,$3F change "BB" to "AA" T00,S03,$91 change "AD" to "DE" Hmm. Nestled in the depths of this RWTS is one last surprise for me. When it goes to check the address epilogue sequence, a normal DOS 3.3 disk looks like this: B98B- BD 8C C0 LDA $C08C,X B98E- 10 FB BPL $B98B B990- C9 DE CMP #$DE B992- D0 AE BNE $B942 B994- EA NOP B995- BD 8C C0 LDA $C08C,X B998- 10 FB BPL $B995 B99A- C9 AA CMP #$AA B99C- D0 A4 BNE $B942 B99E- 18 CLC B99F- 60 RTS But this disk does something else: ]PR#5 ... ]BLOAD RWTS,A$2800 ]CALL -151 *FE89G FE93G ; disconnect DOS *B800<2800.2FFFM ; move RWTS into place *B98BL B98B- BD 8C C0 LDA $C08C,X B98E- 10 FB BPL $B98B B990- C9 AD CMP #$AD B992- D0 AE BNE $B942 B994- DD 8C C0 CMP $C08C,X B997- D0 A9 BNE $B942 B999- 4C F0 BC JMP $BCF0 ; WTF B99C- D0 A4 BNE $B942 B99E- 18 CLC B99F- 60 RTS I've already patched the comparison at $B990 (it should be "DE", that's easy enough). But what is at $BCF0? *BCF0L BCF0- 20 58 FF JSR $FF58 BCF3- BD 8C C0 LDA $C08C,X BCF6- 10 FB BPL $BCF3 BCF8- C9 BB CMP #$BB BCFA- D0 02 BNE $BCFE BCFC- 18 CLC BCFD- 60 RTS BCFE- 38 SEC BCFF- 60 RTS Ah, this is one of those weird timing tricks -- and it explains why my EDD 4 bit copy didn't work. The original disk was authored so that there are always extra timing bits after the first epilogue byte. Because of the extra waiting here ($FF58 is just an RTS, but calling it and returning takes a few clock cycles), the RWTS actually requires those timing bits to be in the right place. Otherwise, the disk will spin too far while this routine is killing time, and when the RWTS goes to check the last epilogue byte (at $BCF8) it won't find it. Never a dull moment... Anyway, now that Advanced Demuffin has converted the disk to a standard format, I have no need for this sort of tomfoolery. This patch will revert the epilogue search code to match the standard DOS 3.3 RWTS: T00,S03,$94 change "DD 8C C0 D0 A9 4C F0 BC" to "EA BD 8C C0 10 FB C9 AA" Quod erat liberandum. --------------------------------------- A 4am crack No. 119 ------------------EOF------------------