---High School Math Competency Series--
----------------Part II----------------
A 4am crack
2016-04-25
---------------------------------------

Name: High School Math Competency Series
      Part II
Version: 1.0
Genre: educational
Year: on-disk title screen says 1982
      disk label says 1984
Author: Celia Keenholtz
Publisher: Microcomputer Workshops
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none
Similar cracks:
  #612 Sentence Diagramming
  #605 Weather Forecasting
  #604 American Government
  #592 Alphabetical Order
  #281 Flash Spell Helicopter

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified prologues and epilogues
    address: "E5 ** 9D" / "B3 F4 **"
      (second prologue byte and third
      epilogue byte vary, even between
      different sectors on one track)
    data: "BE E6 DE" / "9F DA"
  T03-T10 unformatted
    ("HI-RES DISK SCAN" confirms this)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set CHECKSUM ENABLED to "NO"
  T00,S00 readable
  rest of track $00 unreadable
  virtually impossible to read any tracks
    beyond T00, due to varying address
    prologue on every sector(!)

Why didn't COPYA work?
  modified prologues & epilogues

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
    (just structural changes to
    prologues and epilogues)

Next steps:

1. capture RWTS with AUTOTRACE
2. convert disk to standard format with
   Advanced Demuffin
3. patch RWTS to read standard format

~

Chapter 1
In Which We Dive Head First Into
Unfriendly Territory

]PR#5

CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]CALL -151

*800<2800.28FFM

*801L

; non-standard from the get go
0801-   20 B3 08    JSR   $08B3

*8B3L

; change nibble table used by the disk
; controller ROM routine (this explains
; why I couldn't read the rest of track
; $00 with a sector editor)
08B3-   A9 3F       LDA   #$3F
08B5-   8D 6C 03    STA   $036C
08B8-   A9 1C       LDA   #$1C
08BA-   8D CC 03    STA   $03CC
08BD-   A9 00       LDA   #$00
08BF-   8D D5 03    STA   $03D5
08C2-   A9 37       LDA   #$37
08C4-   8D A3 03    STA   $03A3

; regular code from $0801
08C7-   A5 27       LDA   $27
08C9-   C9 09       CMP   #$09
08CB-   60          RTS

Continuing from $0804...

*804L

; standard DOS 3.3 bootloader
0804-   D0 19       BNE   $081F
0806-   EA          NOP
0807-   A5 2B       LDA   $2B
0809-   4A          LSR
080A-   4A          LSR
080B-   4A          LSR
080C-   4A          LSR
080D-   09 C0       ORA   #$C0
080F-   85 3F       STA   $3F
0811-   A9 5C       LDA   #$5C
0813-   85 3E       STA   $3E
0815-   18          CLC
0816-   AD FE 08    LDA   $08FE
0819-   6D FF 08    ADC   $08FF
081C-   8D FE 08    STA   $08FE
081F-   AE FF 08    LDX   $08FF
0822-   F0 15       BEQ   $0839
0824-   8A          TXA

; well, mostly standard
0825-   EA          NOP
0826-   EA          NOP
0827-   85 3D       STA   $3D
0829-   CE FF 08    DEC   $08FF
082C-   AD FE 08    LDA   $08FE
082F-   85 27       STA   $27
0831-   CE FE 08    DEC   $08FE
0834-   A6 2B       LDX   $2B
0836-   6C 3E 00    JMP   ($003E)

; execution continues here after sector
; read loop exits (from $0822)
0839-   EE FE 08    INC   $08FE
083C-   EE FE 08    INC   $08FE
083F-   20 89 FE    JSR   $FE89
0842-   20 93 FE    JSR   $FE93
0845-   20 2F FB    JSR   $FB2F

; copy this sector (which we didn't
; re-read) to higher memory
0848-   A2 FF       LDX   #$FF
084A-   BD 00 08    LDA   $0800,X
084D-   9D 00 B6    STA   $B600,X
0850-   CA          DEX
0851-   E0 FF       CPX   #$FF
0853-   D0 F5       BNE   $084A

; hmm
0855-   20 CC 08    JSR   $08CC

*8CCL

; trash all of main memory except the
; part we just loaded from disk
08CC-   A9 00       LDA   #$00
08CE-   85 00       STA   $00
08D0-   A9 B5       LDA   #$B5
08D2-   85 01       STA   $01
08D4-   A0 FF       LDY   #$FF
08D6-   C8          INY
08D7-   B9 00 F0    LDA   $F000,Y
08DA-   91 00       STA   ($00),Y
08DC-   C0 FF       CPY   #$FF
08DE-   D0 F6       BNE   $08D6
08E0-   C6 01       DEC   $01
08E2-   A9 08       LDA   #$08
08E4-   C5 01       CMP   $01
08E6-   D0 EC       BNE   $08D4
08E8-   60          RTS

Continuing from $0858...
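Before picking the boot back up at $0858, an added example of what the four stores at $08B3 actually do. This is my illustration, not code from the write-up or from the program. The Disk II 16-sector boot ROM builds its 6-and-2 decode table at $0356-$03D5, one entry per valid disk nibble N at $0356 + (N & $7F), which is why the patched addresses $036C, $03A3, $03CC and $03D5 correspond to nibbles $96, $CD, $F6 and $FF. The script rebuilds that table with the ROM's validity rule (adjacent 1 bits required, at most one pair of adjacent 0 bits), applies the four patches from the listing, and runs a constructed nibble stream through both tables. The base address and rule are the stock boot ROM's; the sample stream and the function names are mine.

```python
# Added example (not from the 4am write-up): rebuild the Disk II 16-sector
# boot ROM's 6-and-2 decode table and apply the four stores done at $08B3.
#
# The ROM builds the table at $0356+X for X = $03..$7F, handing out the next
# 6-bit value to every X whose 7 low bits contain a pair of adjacent 1s and at
# most one pair of adjacent 0s.  Disk nibble N (always >= $96, high bit set)
# is looked up at $0356 + (N & $7F), i.e. $02D6 + N.

TABLE_BASE = 0x0356


def rom_accepts(x: int) -> bool:
    """Validity rule the boot ROM applies to table index x (0..0x7F)."""
    if (x << 1) & x == 0:                 # no two adjacent 1 bits -> reject
        return False
    zero_pairs = ~(x | (x << 1)) & 0x7E   # bit i set <=> bits i and i-1 of x are 0
    return zero_pairs & (zero_pairs - 1) == 0   # at most one such pair


def build_rom_table() -> dict:
    """Return {address: 6-bit value} as the ROM leaves $0356-$03D5."""
    table, value = {}, 0
    for x in range(0x03, 0x80):
        if rom_accepts(x):
            table[TABLE_BASE + x] = value
            value += 1
    return table


def nibble_of(address: int) -> int:
    """Disk nibble whose decode entry lives at `address`."""
    return 0x80 | (address - TABLE_BASE)


# The four stores from the listing at $08B3-$08C4 (addresses and values
# taken from the write-up).
PATCHES_08B3 = {0x036C: 0x3F, 0x03CC: 0x1C, 0x03D5: 0x00, 0x03A3: 0x37}


def apply_patches(table: dict, patches: dict) -> dict:
    """Copy of the table with the given entries overwritten."""
    patched = dict(table)
    patched.update(patches)
    return patched


def patch_report(table: dict, patches: dict) -> list:
    """(nibble, stock value, patched value) for every patched entry."""
    return [(nibble_of(a), table[a], v) for a, v in sorted(patches.items())]


def decode(table: dict, nibbles: bytes) -> list:
    """Translate raw disk nibbles to 6-bit values; None for an invalid nibble."""
    return [table.get(TABLE_BASE + (n & 0x7F)) for n in nibbles]


# Constructed sample: valid nibbles including the four the protection touches,
# plus $D5 (an address-field marker, never valid inside a data field).
SAMPLE_NIBBLES = bytes([0x96, 0xCD, 0xF6, 0xFF, 0xAB, 0xD5])

if __name__ == "__main__":
    stock = build_rom_table()
    patched = apply_patches(stock, PATCHES_08B3)
    print(f"{len(stock)} valid nibbles in the ROM table")
    for nib, old, new in patch_report(stock, PATCHES_08B3):
        print(f"nibble ${nib:02X}: ${old:02X} -> ${new:02X}")
    print("stock  :", decode(stock, SAMPLE_NIBBLES))
    print("patched:", decode(patched, SAMPLE_NIBBLES))
```

Running it shows the patches swap two pairs of entries ($96 <-> $FF and $CD <-> $F6), so a data field written with the swapped table decodes to the wrong bytes and fails its checksum under a stock RWTS. T00,S00 is read by the ROM before the patch runs and is encoded normally; everything the patched ROM loads after it is not, which matches what the sector editor saw on track $00.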
*858L

0858-   A6 2B       LDX   $2B
085A-   4C 00 BB    JMP   $BB00

OK, that's where I need to interrupt the
boot. But first I'll need to neuter the
subroutine at $08CC that trashes all of
main memory.

*9600

At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]
[press "C" to convert disk]

--> CHANGE DEFAULT VALUES? Y

--v--
ADVANCED DEMUFFIN 1.5   (C) 1983, 2014
ORIGINAL BY THE STACK  UPDATES BY 4AM
=======================================
INPUT ALL VALUES IN HEX
SECTORS PER TRACK? (13/16) 16
START TRACK: $01        <-- change this
START SECTOR: $00
END TRACK: $02          <-- and this
END SECTOR: $0F
INCREMENT: 1
MAX # OF RETRIES: 0
COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $01,$00-$02,$0F BY1.0 S6,D1->S6,D2
--^--

Now press RETURN to start the copy...

--v--
ADVANCED DEMUFFIN 1.5   (C) 1983, 2014
ORIGINAL BY THE STACK  UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK: .R
+.5:
     0123456789ABCDEF0123456789ABCDEF012
SC0: ..
SC1: ..
SC2: ..
SC3: ..
SC4: ..
SC5: ..
SC6: ..
SC7: ..
SC8: ..
SC9: ..
SCA: ..
SCB: .R
SCC: .R
SCD: .R
SCE: .R
SCF: .R
=======================================
16SC $01,$00-$02,$0F BY$01 S6,D1->S6,D2
--^--

Oh what fresh hell is this. Never mind,
we'll look into it later.

Back at the main menu, we start another
conversion with custom values.

--v--
ADVANCED DEMUFFIN 1.5   (C) 1983, 2014
ORIGINAL BY THE STACK  UPDATES BY 4AM
=======================================
INPUT ALL VALUES IN HEX
SECTORS PER TRACK? (13/16) 16
START TRACK: $11        <-- change this
START SECTOR: $00
END TRACK: $22
END SECTOR: $0F
INCREMENT: 1
MAX # OF RETRIES: 0
COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $11,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

Now press RETURN to start the copy...

--v--
ADVANCED DEMUFFIN 1.5   (C) 1983, 2014
ORIGINAL BY THE STACK  UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK: ..................
+.5:
     0123456789ABCDEF0123456789ABCDEF012
SC0: ..................
SC1: ..................
SC2: ..................
SC3: ..................
SC4: ..................
SC5: ..................
SC6: ..................
SC7: ..................
SC8: ..................
SC9: ..................
SCA: ..................
SCB: ..................
SCC: ..................
SCD: ..................
SCE: ..................
SCF: ..................
=======================================
16SC $01,$00-$22,$0F BY$01 S6,D1->S6,D2
--^--

Praise the nibbles and butter my bits,
it actually worked.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
227 FREE

*A 002 HELLO
*B 003 RBOOT
*B 005 RLOAD
*A 007 MENU
*A 003 HRCG/INIT
*T 002 START INIT
*R 012 HRCG
*A 037 PROBABILITY
*B 005 ASC2
*A 022 GEOMETRY
*A 030 RATIO
*A 020 STATISTICS
*A 031 PERCENT
*A 045 MONEY
*A 029 MISCELLANEOUS
*B 014 LOGO.PAC
*B 002 UNPACKER

]RUN HELLO

...works...

The reason I always do this is to see
whether there are any runtime checks for
subtle differences in the original DOS.
If the program runs after booting from a
third-party disk, I can eliminate a
whole range of possible secondary
protections.

Now to make the disk be able to read
itself. (Remember, it still has the
original RWTS on it.) As a bonus, this
will also destroy the nibble check at
$BB00.

[Copy ][+ 8.4]
--> COPY
--> DOS
--> from slot 6, drive 2
--> to slot 6, drive 1

[S6,D1=demuffin'd copy]
[S6,D2=newly formatted DOS 3.3 disk]

...read read read...
...write write write...

]PR#6

...works...

What about the bad sectors on track 2?
They're unformatted and unused. The DOS
is loaded from T02,S0A backwards, but
the entire track is marked as used in
the disk catalog VTOC.

Quod erat liberandum.

---------------------------------------
A 4am crack No. 680
------------------EOF------------------
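An added example, mine rather than part of the write-up, for the closing remark that track 2 is marked as used: that claim is checkable directly in the VTOC (track $11, sector $00) of the converted disk. The DOS 3.3 free-sector bit map starts at offset $38 with four bytes per track (byte 0 = sectors $F..$8, byte 1 = sectors $7..$0, a set bit meaning free). The script builds a constructed VTOC in that layout, with tracks $00-$02 and $11 fully allocated and the first ten sectors of $12 in use, and reads the usage back; `make_vtoc`, `used_sectors`, `free_sector_count` and `report` are my names, and the sample contents are made up, not read from the disk.

```python
# Added example (not from the 4am write-up): read the DOS 3.3 VTOC free-sector
# bit map to see which tracks the catalog considers allocated.
#
# VTOC = track $11, sector $00.  The bit map starts at offset $38, four bytes
# per track: byte 0 bits 7..0 = sectors $F..$8, byte 1 bits 7..0 = sectors
# $7..$0, bytes 2-3 unused.  A SET bit means the sector is free.

SECTOR_SIZE = 256
TRACKS, SECTORS = 35, 16
BITMAP_OFFSET = 0x38


def track_free_map(vtoc: bytes, track: int) -> int:
    """16-bit free map for one track: bit 15 = sector $F ... bit 0 = sector $0."""
    off = BITMAP_OFFSET + 4 * track
    return (vtoc[off] << 8) | vtoc[off + 1]


def used_sectors(vtoc: bytes, track: int) -> list:
    """Sector numbers the VTOC marks as allocated on `track`."""
    free = track_free_map(vtoc, track)
    return [s for s in range(SECTORS) if not (free >> s) & 1]


def free_sector_count(vtoc: bytes) -> int:
    """What CATALOG reports as FREE: the number of set bits across all tracks."""
    return sum(bin(track_free_map(vtoc, t)).count("1") for t in range(TRACKS))


def make_vtoc(used: dict) -> bytes:
    """Constructed VTOC sector; `used` maps track -> iterable of used sectors."""
    vtoc = bytearray(SECTOR_SIZE)
    vtoc[0x01], vtoc[0x02] = 0x11, 0x0F      # first catalog sector: T$11,S$0F
    vtoc[0x03] = 3                           # DOS release
    vtoc[0x06] = 254                         # volume number
    vtoc[0x27] = 122                         # max T/S pairs per list sector
    vtoc[0x34], vtoc[0x35] = TRACKS, SECTORS
    vtoc[0x36:0x38] = SECTOR_SIZE.to_bytes(2, "little")
    for t in range(TRACKS):
        free = 0xFFFF
        for s in used.get(t, ()):
            free &= ~(1 << s) & 0xFFFF
        off = BITMAP_OFFSET + 4 * t
        vtoc[off], vtoc[off + 1] = free >> 8, free & 0xFF
    return bytes(vtoc)


# Constructed sample in the shape of a freshly converted DOS 3.3 disk: DOS on
# tracks 0-2, the catalog on track $11, ten sectors of $12 given to a file.
SAMPLE_VTOC = make_vtoc({0: range(16), 1: range(16), 2: range(16),
                         0x11: range(16), 0x12: range(10)})


def report(vtoc: bytes) -> list:
    """(track, number of used sectors) for every track with something allocated."""
    return [(t, len(used_sectors(vtoc, t)))
            for t in range(TRACKS) if used_sectors(vtoc, t)]


if __name__ == "__main__":
    for t, n in report(SAMPLE_VTOC):
        print(f"T${t:02X}: {n:2d} sectors used")
    print(f"{free_sector_count(SAMPLE_VTOC)} FREE")
```

On the real disk the same arithmetic holds up: 35 tracks of 16 sectors is 560, less 48 for tracks 0-2, less 16 for the catalog track, less the 269 sectors the catalog listing assigns to files, leaves the 227 FREE shown above.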