-------Kittens, Kids, and a Frog-------
--------Building Comprehension I-------
A 4am crack                  2016-02-16
---------------------------------------

Name: Kittens, Kids, and a Frog:
  Building Comprehension I
Version: 06.26.89
Genre: educational
Year: 1989
Publisher: Hartley Courseware
Media: two single-sided 5.25-inch disks
OS: Diversi-DOS (T02,S02 has the string
  "C1983 DSR" backwards)
Previous cracks: none
Identical cracks:
  #575 Milt's Math Drills: Addition and
       Subtraction
  #451 Antonyms/Synonyms 1
  #420 Fact or Opinion
  #246 Kittens, Kids, and a Frog
       v01.11.85


                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address and data epilogues
    ("DA AA EB" instead of "DE AA EB")

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DA AA EB"
    set Data Epilogue to "DA AA EB"
  all tracks readable
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
    (just structural changes to
    epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format


                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
115 FREE

*A 003 HELLO
*A 007 CREDITS
*A 018 PWL
*A 026 STU PLAN
*A 039 SKILL1
*A 044 CREATE LESSON
*B 017 I/O
*B 009 FROG.PIC
*B 011 PICDRAW
*B 008 SMCHR.ASC
*B 003 SEAL
 T 031 STU.FILE
 T 002 LESSONS
 T 005 FILE1
 T 007 FILE2
 T 006 FILE3
 T 008 FILE4
 T 007 FILE5
 T 009 FILE6
 T 010 FILE7
 T 008 FILE8
 T 010 FILE9
 T 010 FILE10
 T 011 FILE11
 T 010 FILE12
 B 006 P1
 B 005 P2
 B 007 P3
 B 005 P4
 B 005 P5
 B 006 P6
 B 005 P7
 B 004 P8
 B 004 P9
 B 004 P10
 B 005 P11
 B 006 P12

]RUN HELLO
...works...

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My copy can't read itself yet. This is
not unusual.

                   ~

               Chapter 2
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion
        Then It Crashes Anyway


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

T00,S03,$91 change DA to DE
T00,S03,$35 change DA to DE
T00,S02,$9E change DA to DE

]PR#6
...crashes at $9D86...

Wait, what?

After minutes of furious investigation,
I hit upon the source of the problem:
the disk volume number. The original
disk uses disk volume 001, but the
process of converting it with Advanced
Demuffin gives me a (non-working) copy
with disk volume 254. (This is encoded
in every sector's address field.)

Why is this a problem? Well, besides
appearing in every sector's address
field, the volume number is stored in
four different places when a disk is
initialized:

  1. $B7EB (T00,S01,$EB), in the RWTS
     parameter table used by boot1 to
     load DOS from tracks 0-2
     ["Beneath Apple DOS", p. 8-35]

  2. $B7F6 (T00,S01,$F6), also in the
     RWTS parameter table, as the
     "last found" disk volume

  3. $AA66 (T01,S09,$66), in the parsed
     keyword table used by DOS to load
     the startup program (and every
     other file loaded after that)
     [ibid., p. 8-21]

  4. $B3C1 (T11,S00,$06), in the VTOC
     header [ibid., p. 8-32]

My (non-working) copy has a $01 in each
of those locations. Since this doesn't
match the actual disk volume number in
the address fields, every sector read
fails and DOS never loads.

(Why did it work when I booted from my
work disk? Because that loaded DOS from
a separate disk that was already disk
volume 254, thus matching up with the
actual disk volume number in my
non-working copy's address fields.)

Deep in the RWTS, this is where it
checks that disk volume number:

; get disk volume from RWTS parameter
; table
BE10-   A0 03       LDY   #$03
BE12-   B1 48       LDA   ($48),Y
BE14-   48          PHA
...
BE1B-   68          PLA

; $00 acts as a wildcard (ignores the
; disk volume in the address field)
BE1C-   F0 08       BEQ   $BE26

; does the disk volume in the RWTS
; parameter table match the one in the
; address field we just read?
BE1E-   C5 2F       CMP   $2F
BE20-   F0 04       BEQ   $BE26

If I change the LDA at $BE12 to always
load $00, instead of loading the actual
disk volume from the RWTS parameter
table, the RWTS would ignore the disk
volume altogether (since $00 acts as a
wildcard).

T00,S08,$12 change "B1 48" to "A9 00"

Success! My copy finally boots and runs
on its own. There doesn't appear to be
any further copy protection.

(Note to self: add this to a future
version of Post-Demuffin Patcher.)

Quod erat liberandum.

---------------------------------------

A 4am crack                     No. 601

------------------EOF------------------
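
Both read failures in this write-up (the modified epilogue in Chapter 0 and the volume mismatch in Chapter 2) occur while the RWTS validates a sector's address field. The Python model below is an added example, not 4am's code or part of any tool named above; the function names are hypothetical, the sample fields are constructed, and it assumes the standard DOS 3.3 address field layout (D5 AA 96 prologue, then 4-and-4 encoded volume, track, sector and checksum).

```python
# Added illustration, not 4am's code: a model of the checks a DOS 3.3
# RWTS applies to one sector address field. Sample fields are constructed.
PROLOGUE = bytes([0xD5, 0xAA, 0x96])      # standard address prologue
STANDARD_EPILOGUE = bytes([0xDE, 0xAA])   # start of "DE AA EB"
MODIFIED_EPILOGUE = bytes([0xDA, 0xAA])   # start of "DA AA EB" (this disk)


def encode44(value):
    """Split one byte into two 4-and-4 disk nibbles (odd bits first)."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])


def decode44(first, second):
    """Recombine two 4-and-4 nibbles into the original byte."""
    return ((first << 1) | 0x01) & second


def build_address_field(volume, track, sector, epilogue):
    """Build a constructed address field with the given epilogue bytes."""
    checksum = volume ^ track ^ sector
    body = b"".join(encode44(v) for v in (volume, track, sector, checksum))
    return PROLOGUE + body + epilogue + b"\xEB"


def read_address_field(nibbles, expected_volume, epilogue=STANDARD_EPILOGUE):
    """Return (ok, reason, volume_found) for the first address field."""
    start = nibbles.find(PROLOGUE)
    if start < 0 or len(nibbles) < start + 13:
        return False, "no address field", None
    f = nibbles[start + 3:start + 13]
    vol, trk, sec, chk = (decode44(f[i], f[i + 1]) for i in (0, 2, 4, 6))
    if vol ^ trk ^ sec != chk:
        return False, "bad checksum", vol
    # Only the first two epilogue bytes are compared in this model.
    if f[8:10] != epilogue:
        return False, "bad epilogue", vol
    # $00 in the parameter table is a wildcard (the BEQ at $BE1C).
    if expected_volume not in (0, vol):
        return False, "volume mismatch", vol
    return True, "ok", vol


if __name__ == "__main__":
    original = build_address_field(0x01, 0x11, 0x00, MODIFIED_EPILOGUE)
    copy = build_address_field(0xFE, 0x11, 0x00, STANDARD_EPILOGUE)
    print(read_address_field(original, 0x01))                     # stock RWTS
    print(read_address_field(original, 0x01, MODIFIED_EPILOGUE))  # disk's RWTS
    print(read_address_field(copy, 0x01))   # copy with $01 still stored
    print(read_address_field(copy, 0x00))   # after the "A9 00" patch
```

The four calls correspond, in order, to COPYA failing on the original, the captured RWTS reading it, the demuffin'd copy rejecting its own sectors, and the copy reading once the volume compare is wildcarded.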