------First Start Writing Program------
A 4am crack                  2015-12-18
---------------------------------------

Name: First Start Writing Program
Genre: educational
Year: 1994
Publisher: Troll Associates
Media: single-sided 5.25-inch floppy
OS: ProDOS 1.7
Previous cracks: none
Similar cracks:
  #446 The Quarter Mile 4.1
  #439 Graphic Converter
  #253 Force and Motion

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy grinds on boot

Copy ][+ nibble editor
  T00 -> standard prologues
  T01+ -> modified address prologue
    ("AB BF D5")
  also modified address epilogue (not
    sure what exactly, not consistent?)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set "CHECKSUM ENABLED" = "NO"
  T00 readable, looks like ProDOS
    (including bootloader and catalog)
  ["O" -> "Input/Output Control"]
    set Address Prologue to "AB BF D5"
    turn off epilogue checking
    other tracks readable

Why didn't COPYA work?
  modified prologues and epilogues

Why didn't Locksmith FDB work?
  modified prologues and epilogues

Why didn't my EDD copy work?
  I don't know. Maybe a nibble check
  during boot?

Converting the disk to a standard
format will be tricky. Super Demuffin
doesn't have an option to ignore
epilogue bytes entirely. (I would feel
uncomfortable doing that anyway -- what
if the original disk had a legitimate
bad sector?) Advanced Demuffin requires
a DOS 3.3-shaped RWTS, but this disk
uses ProDOS. The automated tools I've
built don't work well on ProDOS. (Note
to self: fix that someday.)

Next steps:

  1. Boot trace the original disk to
     capture the PRODOS file in memory
  2. Use the RWTS inside the PRODOS
     file to build a DOS-shaped RWTS
     that can read the original disk
  3. Use Advanced Demuffin to convert
     the disk to a standard format
  4. Patch the bootloader and/or the
     PRODOS file to be able to read
     a standard format disk
  5. Find and disable the nibble check

                   ~

               Chapter 1
      In Which We Ponder Whether
     Two Heads Are Better Than One


[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]BLOAD BOOT0,A$800
]CALL -151
*801L
.
. nothing suspicious, which is, in and
. of itself, quite suspicious
.

; jump to PRODOS file once loaded
08FC-   4C 00 20    JMP   $2000

OK, let's interrupt the boot there.

*9600<C600.C6FFM

; ProDOS boot0 is sensitive to the
; value of the accumulator, so don't
; clobber it
96F8-   48          PHA

; set up callback to my own routine
; instead of executing PRODOS file
96F9-   A9 07       LDA   #$07
96FB-   8D FD 08    STA   $08FD
96FE-   A9 97       LDA   #$97
9700-   8D FE 08    STA   $08FE

; restore accumulator
9703-   68          PLA

; start the boot
9704-   4C 01 08    JMP   $0801

; callback is here -- just turn off the
; slot 6 drive motor and reboot to my
; work disk
9707-   AD E8 C0    LDA   $C0E8
970A-   4C 00 C5    JMP   $C500

*BSAVE TRACE.PRODOS,A$9600,L$10D

The only thing I don't know is exactly
how big the PRODOS file is. Different
versions are different sizes, and of
course many protected disks add their
own special code. So I'm going to clear
main memory with a special pattern so I
can see which pages are overwritten
after PRODOS is loaded.

*800:FD N 801<800.BEFEM

*BRUN TRACE.PRODOS
...reboots slot 6...
...reboots slot 5...

]CALL -151

[perusing memory, starting at $2000]

It looks like $5E00 is the first page
that still has repeated $FD bytes.

*5E-20
=3E
*BSAVE BOOT1.PRODOS,A$2000,L$3E00

Scanning through memory again, I found
the RWTS code at $5598.

*5598L

; ProDOS only uses the bootloader RWTS
; to load the PRODOS file, which then
; has its own fuller, more robust RWTS.
; This code, which is later relocated
; to $D398 in the language card, checks
; the address prologue.
5598-   A9 00       LDA   #$00
559A-   8D 6C D3    STA   $D36C
559D-   A0 FC       LDY   #$FC
559F-   8C 6B D3    STY   $D36B
55A2-   78          SEI
55A3-   C8          INY
55A4-   D0 05       BNE   $55AB
55A6-   EE 6B D3    INC   $D36B
55A9-   F0 50       BEQ   $55FB

; find prologue byte #1
55AB-   BD 8C C0    LDA   $C08C,X
55AE-   10 FB       BPL   $55AB
55B0-   C9 D5       CMP   #$D5    <-- ?
55B2-   D0 EF       BNE   $55A3
55B4-   EA          NOP

I could have sworn the original disk's
address prologue was "AB BF D5".

; and again?
55B5-   BD 8C C0    LDA   $C08C,X

; Wait, no BPL loop here! It only reads
; the data latch once.
55B8-   C9 D5       CMP   #$D5

; if data latch is (still) $D5, jump
; right to address field logic
55BA-   F0 12       BEQ   $55CE

; otherwise continue and... look for
; the (standard) prologue nibble #2
55BC-   BD 8C C0    LDA   $C08C,X
55BF-   10 FB       BPL   $55BC
55C1-   C9 AA       CMP   #$AA
55C3-   D0 DE       BNE   $55A3

; and the standard prologue nibble #3
55C5-   BD 8C C0    LDA   $C08C,X
55C8-   10 FB       BPL   $55C5
55CA-   C9 96       CMP   #$96
55CC-   D0 D5       BNE   $55A3

; decode address field (standard)
55CE-   A0 03       LDY   #$03
55D0-   BD 8C C0    LDA   $C08C,X
55D3-   10 FB       BPL   $55D0
55D5-   2A          ROL
55D6-   8D 6B D3    STA   $D36B
55D9-   BD 8C C0    LDA   $C08C,X
55DC-   10 FB       BPL   $55D9
55DE-   2D 6B D3    AND   $D36B
55E1-   99 6D D3    STA   $D36D,Y
55E4-   4D 6C D3    EOR   $D36C
55E7-   8D 6C D3    STA   $D36C
55EA-   88          DEY
55EB-   10 E3       BPL   $55D0
55ED-   A8          TAY
55EE-   D0 0B       BNE   $55FB

; immediately exit -- no epilogue
; checking at all
55F0-   18          CLC
55F1-   60          RTS
55F2-   00          BRK   | These are
55F3-   00          BRK   | really on
55F4-   00          BRK   | the disk,
55F5-   00          BRK   | just taking
55F6-   00          BRK   | up space,
55F7-   00          BRK   | like this
55F8-   00          BRK   | comment.
55F9-   18          CLC
55FA-   60          RTS
55FB-   38          SEC
55FC-   60          RTS

This RWTS will accept two different
address prologues. If it finds a $D5
followed by a timing bit, that's it;
that's the entire address prologue.
(The presence of the timing bit causes
the $D5 nibble to be held in the data
latch for an extra 8 CPU cycles, which
is why the second non-looped "LDA" at
$55B5 still returns $D5.) Without the
timing bit, it looks for the rest of a
standard prologue, which allows it to
read the unprotected track 0 and all of
side B.

Turning back to the Copy ][+ nibble
editor, I see the crucial detail that I
missed the first time. The "D5" that I
thought was the third nibble in the
address prologue is actually the first,
and it is displayed in inverse, meaning
it has timing bits after it. (Sorry
that doesn't show up in text.)

The disk does happen to have a 3-nibble
address prologue on every sector, but
it only uses the one of them (plus a
timing bit). I'm guessing that this
accidental consistency is a side effect
of the original mastering process.

With this information, I can build a
flexible DOS 3.3-shaped RWTS that can
read this disk.

                   ~

               Chapter 2
       In Which We Build An RWTS


]PR#5
[press "Esc" during boot so Diversi-DOS
 stays in main memory and doesn't
 relocate to the language card]
...
]CALL -151
*1800<B800.BFFFM

OK, I have a copy of a standard DOS 3.3
shaped RWTS.

ProDOS uses addresses in the language
card RAM bank (specifically $D36C for
the address field checksum and $D36B
for the death counter), so I'm not able
to copy the code directly. But I was
able to rebuild the same logic in the
shape of a DOS 3.3 RWTS.

; normal
1944-   A0 FC       LDY   #$FC
1946-   84 26       STY   $26
1948-   C8          INY
1949-   D0 04       BNE   $194F
194B-   E6 26       INC   $26
194D-   F0 F3       BEQ   $1942

; look for $D5, first address prologue
194F-   BD 8C C0    LDA   $C08C,X
1952-   10 FB       BPL   $194F
1954-   C9 D5       CMP   #$D5
1956-   D0 F0       BNE   $1948
1958-   EA          NOP

; look for $D5 again (will still be in
; data latch if timing bit is present)
1959-   BD 8C C0    LDA   $C08C,X
195C-   C9 D5       CMP   #$D5

; if found, we're done -- branch over
; other prologue bytes
195E-   F0 12       BEQ   $1972

; look for $AA, second address prologue
1960-   BD 8C C0    LDA   $C08C,X
1963-   10 FB       BPL   $1960
1965-   C9 AA       CMP   #$AA
1967-   D0 DF       BNE   $1948

; look for $96, third address prologue
1969-   BD 8C C0    LDA   $C08C,X
196C-   10 FB       BPL   $1969
196E-   C9 96       CMP   #$96
1970-   D0 D6       BNE   $1948

; verify address field (normal, but
; shifted from standard DOS 3.3 by $10
; bytes due to extra prologue checker)
1972-   A0 03       LDY   #$03
1974-   A9 00       LDA   #$00
1976-   85 27       STA   $27
1978-   BD 8C C0    LDA   $C08C,X
197B-   10 FB       BPL   $1978
197D-   2A          ROL
197E-   85 26       STA   $26
1980-   BD 8C C0    LDA   $C08C,X
1983-   10 FB       BPL   $1980
1985-   25 26       AND   $26
1987-   99 2C 00    STA   $002C,Y
198A-   45 27       EOR   $27
198C-   88          DEY
198D-   10 E7       BPL   $1976
198F-   A8          TAY

; if the address field checksum fails,
; that's still an error -- set the
; carry and exit
1990-   D0 02       BNE   $1994

; otherwise clear carry and exit
1992-   18          CLC
1993-   60          RTS
1994-   38          SEC
1995-   60          RTS

Now I have a DOS 3.3-shaped RWTS that
can read this disk.

*BSAVE RWTS LIKE PRODOS,A$1800,L$800

[S6,D1=original disk, side A]
[S6,D2=blank disk]
[S5,D1=my work disk]

*BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS LIKE PRODOS"
      from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

[S7,D1=ProDOS hard drive]

]PR#7
]CAT,S6,D2

/TROLL.WRITE

 NAME           TYPE  BLOCKS  MODIFIED

 PRODOS          SYS      32   9-AUG-88
 HELLO.SYSTEM    SYS      31  15-SEP-93
 A               BIN      60  15-SEP-93
 G               BIN      18  15-SEP-93
 H               BIN      21  15-SEP-93
 I               BIN      68  15-SEP-93
 Q               BIN       6  15-SEP-93
 X               BIN      25  15-SEP-93
 T               BIN      10  15-SEP-93
 Z               BIN       1  10-JUN-06

BLOCKS FREE:    1     BLOCKS USED:  279

]PREFIX /TROLL.WRITE
]-HELLO.SYSTEM
...works...

                   ~

               Chapter 3
    In Which Our Adventure Comes To
  A Sudden But Satisfying Conclusion


[S6,D1=demuffin'd disk]

]PR#6
...program boots and runs...

Wait, what?

Why did the demuffin'd copy work?
  Advanced Demuffin wrote out the data
  from each sector onto a standard disk
  that uses "D5 AA 96" prologue and "DE
  AA EB" epilogue. The RWTS finds the
  first $D5, doesn't find a timing bit,
  but it finds the remaining standard
  prologue (AA 96) and decides that it
  found a valid address field. Thus, no
  RWTS patches are necessary.

But then why didn't the EDD copy work?
  EDD preserved the original address
  prologue but not the timing bits.
  The prologue checker finds the $D5
  (at $55B0) but no timing bit after it
  (at $55B8), so the disk can't read
  itself. There was never any separate
  nibble check; the structure of the
  disk itself is designed to foil bit
  copiers.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 526
------------------EOF------------------