---------Jack and the Beanstalk-------- A 4am crack 2014-04-25 --------------------------------------- Jack and the Beanstalk is a 1985 graphical adventure game developed by Golden Software and distributed by HRM Software. The original disk is uncopyable by COPYA or Locksmith Fast Disk Backup. EDD 4 bit copy gives no read errors, but the copy just grinds a few times and reboots. Time for boot tracing with AUTOTRACE. [S5D1=my work disk] [S6D1=original disk] ]PR#5 ... CAPTURING BOOT0 ...boots slot 6... ...boots slot 5... SAVING BOOT0 Hmm, that didn't get as far as I had hoped. Let's see why not. ]CALL -151 *800<2800.28FFM *801L 0801- A5 27 LDA $27 0803- C9 09 CMP #$09 0805- D0 18 BNE $081F 0807- A5 2B LDA $2B 0809- 4A LSR 080A- 4A LSR 080B- 4A LSR 080C- 4A LSR 080D- 09 C0 ORA #$C0 080F- 85 3F STA $3F 0811- A9 5C LDA #$5C 0813- 85 3E STA $3E 0815- 18 CLC 0816- AD FE 08 LDA $08FE 0819- 6D FF 08 ADC $08FF 081C- 8D FE 08 STA $08FE 081F- AE FF 08 LDX $08FF 0822- 30 15 BMI $0839 0824- BD 4D 08 LDA $084D,X 0827- 85 3D STA $3D 0829- CE FF 08 DEC $08FF 082C- AD FE 08 LDA $08FE 082F- 85 27 STA $27 0831- CE FE 08 DEC $08FE 0834- A6 2B LDX $2B 0836- 6C 3E 00 JMP ($003E) 0839- EE FE 08 INC $08FE 083C- EE FE 08 INC $08FE 083F- 20 89 FE JSR $FE89 0842- 20 93 FE JSR $FE93 0845- 20 2F FB JSR $FB2F 0848- A6 2B LDX $2B 084A- 6C FE BB JMP ($BBFE) Everything looks perfectly normal until the indirect jump at $084A. Usually that takes the address from $08FD, but this disk has decided to go on a little adventure first. I'm not sure where yet, since all I have so far is the first sector. But what I do know is that my AUTOTRACE1 program is safe to use. It assumes a normal boot until $084A, then patches $084A to jump to a routine under my control that captures $B600..$BFFF to a safe location (in hi-res graphics page 1) and reboots to my work disk. That should work fine with this disk. ]BRUN AUTOTRACE1 CAPTURING BOOT1 ...boots slot 6... ...boots slot 5... SAVING BOOT1 SAVING RWTS OK, now I have the rest of the boot1 code, including an RWTS file that I can plug into Advanced Demuffin to read the rest of the disk and write it out in a standard format. Advanced Demuffin will only load RWTS files from a drive in slot 6, which is annoying since mine is in slot 5. Note to self: patch that someday. In the meantime, I'm swapping floppy disks like some kind of 14th century monk. [S6,D1=my work disk] ]PR#6 ]BRUN ADVANCED DEMUFFIN 1.1 --> LOAD NEW RWTS MODULE At $B8, load "RWTS" from D1 [S6,D1=original disk] [S6,D2=blank disk] --> FORMAT TARGET DISK ...grind grind grind... --> CONVERT DISK This disk is 16 sectors, and the default options (copy the entire disk, all tracks, all sectors) don't need to be changed. ADVANCED DEMUFFIN 1.1 - COPYRIGHT 1983 WRITTEN BY THE STACK -CORRUPT COMPUTING =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16 SC $00,$00 TO $22,$0F BY $01 TO DRV2 Rebooting my work disk, I can see the disk catalog on the demuffin'd copy. [S5D1=my work disk] [S6D1=demuffin'd copy] ]PR#5 ... ]CATALOG,S6,D1 C1983 DSR^C#254 003 FREE T 017 ADFILE A 016 BOOT A 011 FILER *B 034 FINAL LOGO.PIC A 003 HELLO B 013 JACK A 036 JACK1 A 026 JACK1A A 033 JACK2 B 015 P0.PAC153 B 011 P1.PAC153 B 013 P10.PAC153 B 011 P11.PAC153 B 015 P12.PAC153 B 013 P13.PAC153 B 015 P14.PAC153 B 012 P15.PAC153 B 018 P16.PAC153 B 011 P2.PAC153 B 012 P3.PAC153 B 008 P32.PAC153 B 014 P35.PAC153 B 012 P36.PAC153 B 010 P4.PAC153 B 012 P5.PAC153 B 010 P6.PAC153 B 012 P7.PAC153 B 012 P8.PAC153 B 013 P9.PAC153 B 015 SHAPES (A) B 014 SHAPES (B) B 016 SHAPES (C) T 002 SIDE B 008 UT3 ]RUN HELLO The game loads and runs without complaint. That tells me that all further disk access is done through standard DOS functions. Now to make the disk be able to read itself (remember, it still has the original RWTS on it)... Using Copy ][+, I can "copy DOS" from a freshly initialized DOS 3.3 disk onto the demuffin'd copy. I actually chose Pronto-DOS for this purpose, since it's highly compatible with standard DOS 3.3 but much faster. [S6D1=demuffin'd copy] [S6D2=formatted Pronto-DOS disk] "COPY" --> "DOS" --> "Slot 6 drive 2" to "Slot 6 drive 1" (This just copies tracks 0-2 from one disk to another. Any fast copy program that lets you specify a start and end track would also work.) ]PR#6 Quod erat liberandum. --------------------------------------- A 4am crack No. 21 ------------------EOF------------------