--------Explorations in Science--------
A 4am crack
2016-03-06
---------------------------------------

Name: Explorations in Science
Version: "85-01"
Genre: educational
Year: 1985
Publisher: Josten Learning Systems
Media: two single-sided 5.25-inch disks
OS: DOS 3.3
Previous cracks: none
Identical cracks:
  #633 Spelling Attack
  #632 Building Reading Skills
  #631 A Treasure Hunt of Facts

I have two disks:

1. "Earth Science: Weather Wise"
2. "Life Science: Animal Survival"

Both disks are bootable and appear to be independent of each other. I'll
start with disk 1.

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified epilogues ("F5 AA EB")
  odd-numbered tracks (1, 3, 5...) also have a modified address prologue
    ("D4 AA 96")

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "F5 AA EB"
    -> even-numbered tracks readable
    T00 looks like a DOS 3.3 RWTS
  set Address Prologue to "D4 AA 96"
    -> odd-numbered tracks also readable
    T01 readable. Also T03, T05, T07...
  T11 looks like a DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified prologue and epilogue

Why didn't Locksmith FDB work?
  modified prologue and epilogue

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check (just structural changes to prologues
    and epilogues)

Next steps:

1. capture RWTS with AUTOTRACE
2. convert disk to standard format with Advanced Demuffin
3. patch RWTS to read standard format

~

Chapter 1
Bit Math Is Best Math

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BLOAD RWTS,A$3800
]CALL -151

*B800<3800.3EFFM

*B944L

; routine to read address prologue

B944-   A0 FC       LDY   #$FC
B946-   84 26       STY   $26
B948-   C8          INY
B949-   D0 04       BNE   $B94F
B94B-   E6 26       INC   $26
B94D-   F0 F3       BEQ   $B942
B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F

; find prologue nibble #1

B954-   4A          LSR
B955-   C9 6A       CMP   #$6A
B957-   D0 EF       BNE   $B948
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

; find #2

B95E-   C9 AA       CMP   #$AA
B960-   D0 F2       BNE   $B954
B962-   A0 03       LDY   #$03
B964-   BD 8C C0    LDA   $C08C,X
B967-   10 FB       BPL   $B964

; find #3

B969-   C9 96       CMP   #$96
B96B-   D0 E7       BNE   $B954

Well this just answers a whole slew of questions at once. The code to find
prologue nibble #1 explains how this disk can read its odd-numbered tracks
(with non-standard address prologue "D4 AA 96").

Normal address prologue byte 1 is $D5. In binary:

  $D5 = 1101 0101

After LSR:

  0110 1010 = $6A

Odd-numbered tracks use $D4 instead. In binary:

  $D4 = 1101 0100

After LSR:

  0110 1010 = $6A

So this code will match either prologue and work on both odd and even
tracks.

Furthermore, RWTS code is time-critical between reading the last bit of one
nibble and reading the first bit of the next. If it's too fast or too slow,
it will get out of phase (because the disk spins independently of the CPU).

Compare DOS 3.3 (cycle count in margin)

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   C9 D5       CMP   #$D5          | 2
B956-   D0 F0       BNE   $B948         | 2 *
B958-   EA          NOP                 | 2
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

(*) on the time-critical path, this branch is not taken, so always 2

...and this disk's RWTS:

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   4A          LSR                 | 2
B955-   C9 6A       CMP   #$6A          | 2
B957-   D0 EF       BNE   $B948         | 2 *
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

Despite being more "flexible" (matching $D5 or $D4), this disk's RWTS uses
the same number of bytes of code and runs in the same number of cycles.
Nice.

I don't need to change anything here in order to crack it. I just wanted to
explain how it works.
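The following is an added Python model of the two prologue matchers compared above; it is not part of the original write-up and is not 4am's code. It runs the DOS 3.3 check (CMP #$D5) and this disk's check (LSR; CMP #$6A) over constructed nibble streams, reproduces the "re-test the failing nibble as candidate #1" behaviour of the BNE $B954 branches, and tallies the cycles on the critical path between two nibble reads. The nibble streams and function names are assumptions made for the example.

```python
"""
Added example (not from the write-up): model of the address-prologue
matchers from the disassembly above, run over constructed nibble streams.
"""

# Cycle counts for the instructions on the time-critical path, i.e. between
# the LDA $C08C,X that fetched a nibble and the next one. A branch that is
# not taken costs 2 cycles, as the write-up notes.
CYCLES = {"LSR": 2, "CMP": 2, "BNE_not_taken": 2, "NOP": 2}

DOS33_PATH = ["CMP", "BNE_not_taken", "NOP"]       # CMP #$D5 / BNE / NOP
THIS_DISK_PATH = ["LSR", "CMP", "BNE_not_taken"]   # LSR / CMP #$6A / BNE


def critical_path_cycles(path):
    """Cycles spent between one nibble read and the next on the match path."""
    return sum(CYCLES[step] for step in path)


def dos33_first_nibble_ok(nib):
    """Stock DOS 3.3: prologue byte #1 must be exactly $D5."""
    return nib == 0xD5


def this_disk_first_nibble_ok(nib):
    """This disk: LSR drops bit 0, so $D5 and $D4 both become $6A."""
    return (nib >> 1) == 0x6A


def first_nibbles_accepted():
    """Every 8-bit value the LSR / CMP #$6A test lets through."""
    return sorted(b for b in range(256) if this_disk_first_nibble_ok(b))


def find_address_prologue(nibbles, first_ok):
    """Return the index just past the prologue (#1 #2 #3), or None.

    Mirrors the 6502 loop: when nibble #2 or #3 mismatches, the code branches
    back to $B954 and re-tests the nibble it just read as a candidate #1,
    rather than fetching a fresh one.
    """
    i, n = 0, len(nibbles)
    while i < n:
        if not first_ok(nibbles[i]):
            i += 1                     # BNE $B948: read the next nibble
            continue
        if i + 1 >= n:
            return None
        if nibbles[i + 1] != 0xAA:     # CMP #$AA
            i += 1                     # BNE $B954: re-test this nibble as #1
            continue
        if i + 2 >= n:
            return None
        if nibbles[i + 2] != 0x96:     # CMP #$96
            i += 2                     # BNE $B954 again
            continue
        return i + 3
    return None


# Constructed nibble streams (assumptions for the example, not captured
# from the disk): a few sync nibbles, an address prologue, then whatever
# follows it.
EVEN_TRACK = [0xFF, 0xFF, 0xFF, 0xD5, 0xAA, 0x96, 0xFF, 0xFE]
ODD_TRACK = [0xFF, 0xFF, 0xFF, 0xD4, 0xAA, 0x96, 0xFF, 0xFE]
# $D7 >> 1 = $6B, so the LSR trick must not accept it either.
NEAR_MISS = [0xFF, 0xD7, 0xAA, 0x96, 0xFF]
# The first candidate fails at #3, and the failing nibble ($D5) is itself
# the start of the real prologue; the re-test path has to catch this.
RETRY = [0xD5, 0xAA, 0xD5, 0xAA, 0x96, 0xFF]


def demo():
    """Run both matchers over the constructed streams and count cycles."""
    return {
        "dos33_even": find_address_prologue(EVEN_TRACK, dos33_first_nibble_ok),
        "dos33_odd": find_address_prologue(ODD_TRACK, dos33_first_nibble_ok),
        "disk_even": find_address_prologue(EVEN_TRACK, this_disk_first_nibble_ok),
        "disk_odd": find_address_prologue(ODD_TRACK, this_disk_first_nibble_ok),
        "disk_near_miss": find_address_prologue(NEAR_MISS, this_disk_first_nibble_ok),
        "disk_retry": find_address_prologue(RETRY, this_disk_first_nibble_ok),
        "dos33_cycles": critical_path_cycles(DOS33_PATH),
        "disk_cycles": critical_path_cycles(THIS_DISK_PATH),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value}")
    print("first nibbles accepted:", [hex(b) for b in first_nibbles_accepted()])
```

Stock DOS 3.3 finds the prologue on the even-track stream only, while the LSR variant finds it on both, rejects the $D7 near miss, and still spends six cycles between nibble reads, matching the margin counts above.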
~

Chapter 2
In Which We Attempt To Use The Original Disk As A Weapon Against Itself

*BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

The disk's own RWTS gave no read errors on any track. This is the power and
the genius of Advanced Demuffin. Every disk must be able to read itself. So,
let it read itself, then capture the data and write it out in a standard
format.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
001 FREE

 A 003 HELLO
 B 234 WWS.SOUNDTRACK
 B 009 WWS.LOGO.PAC
 B 008 WWS.SETUP
 B 022 WWS.SHPTBL
 B 031 WWS.TWO
 B 007 FRM 16.PAC
 B 014 RWRDTBL1.PAC
 B 017 WWS.SUBLIB
 B 008 WWS.ONE
 B 010 FRM 19.PAC
 B 006 PACTBL
 B 007 CIRUS.PAC
 B 008 STRATUS.PAC
 B 009 CUM/NIM.PAC
 B 005 CUMUL.PAC
 B 011 ONETBL.PAC
 B 005 TORNADO.PAC
 B 013 RWRDTBL2.PAC
 B 008 WWS.DATA1
 B 002 WWS.E25REFUEL
 B 008 WWS.DATA2
 B 008 WWS.DATA3
 B 008 WWS.DATA4
 B 008 WWS.DATA5
 B 008 WWS.DATA6
 B 012 WWS.REWARD.SHPTBL
 B 014 WWS.REWARD
 B 002 WWS.TWOA

]RUN HELLO
...works...
[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My demuffin'd copy cannot read itself, because it's still looking for the
non-standard epilogue bytes. This is so common that I wrote a tool to fix it
for me automatically.

~

Chapter 3
In Which We Remove All Traces Of Copy Protection Using An Automated Tool
That I Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; restore epilogues to standard values
T00,S03,$91 change F5 to DE
T00,S02,$9E change F5 to DE

]PR#6
...works...

Disk 2 has identical protection.

Quod erat liberandum.

~

Acknowledgements

This program requires the Ufonic Voice System, which is a hardware add-on
card that I don't have and that is not emulated by any known emulator.
Without the card, the program displays an error message and hangs. Many
thanks to @yesterbits and @L1ttl3john for testing this crack on a real
Apple II with the necessary add-on card.

---------------------------------------
A 4am crack No. 634
------------------EOF------------------