-------------Library Magic------------- A 4am crack 2015-12-16 --------------------------------------- Name: Library Magic Genre: graphics Year: 1987 Publisher: McCarthy-McCormack Media: double-sided 5.25-inch floppy OS: DOS 3.3 Previous cracks: none Similar cracks: Catlab (crack no. 368) Vowel Corral (crack no. 330) Race Cars (crack no. 329) It's About Time (crack no. 328) Feed The Frog (crack no. 327) Basic Vocabulary Builder Demo (crack no. 206) PsychDisk (crack no. 204) Terrapin Logo 1.2 (crack no. 172) Both sides are bootable. I'll start with side A. ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup can't read anything beyond T00,S09 EDD 4 bit copy (no sync, no count) no disk errors, but copy just grinds Copy ][+ nibble editor modified address and data epilogues "B6 AA FF" and "B6 AA EB" modified data prologue "D5 AA FF" --v-- COPY ][ PLUS BIT COPY PROGRAM 8.4 (C) 1982-9 CENTRAL POINT SOFTWARE, INC. --------------------------------------- TRACK: 01 START: 1A5E LENGTH: 18B1 2CE0: AF 9B A6 E6 DA AE 9A DC VIEW 2CE8: D9 9B 9A CB CE B2 B7 CE 2CF0: FE F9 9B AC DA B6 AA F3 ^^^^^ data epilogue 2CF8: FC FF FF FF FF FF FF FF 2D00: FF FF FF FF FF D5 AA 96 <-2D05 ^^^^^^^^ address prologue 2D08: FF FE AA AB AE AE FB FB ^^^^^ ^^^^^ ^^^^^ ^^^^^ v=255 t=$01 s=$0C chksm 2D10: B6 AA EB F3 FC FF FF FF ^^^^^^^^ address epilogue 2D18: FF FF FF D5 AA FF CF CA ^^^^^^^^ data prologue 2D20: DA CA D3 EB A7 FD FD D7 --------------------------------------- A TO ANALYZE DATA ESC TO QUIT ? FOR HELP SCREEN / CHANGE PARMS Q FOR NEXT TRACK SPACE TO RE-READ --^-- Disk Fixer can read T00,S00-S09 (looks like a DOS 3.3 RWTS) ["O" -> "Input/Output Control"] set Address Epilogue to "B6 AA FF" set Data Prologue to "D5 AA FF" set Data Epilogue to "B6 AA EB" No luck set CHECKSUM ENABLED = NO Sectors are "readable" but garbled Why didn't COPYA work? modified epilogue bytes Why didn't Locksmith FDB work? ditto Why can't Disk Fixer read the sectors? I don't know. It's possible I misread the raw nibble output in Copy ][+ and got the epilogue bytes wrong. As for the "encrypted" data with checksum turned off, that could be a modified nibble-to-byte translation table or a decryption loop within the RWTS. Or something else altogether. Why didn't my EDD copy work? I don't know. Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format (if necessary) ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:R.................................. +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:R.................................. SC1:R.................................. SC2:R.................................. SC3:R.................................. SC4:R.................................. SC5:R.................................. SC6:R.................................. SC7:R.................................. SC8:R.................................. SC9:R.................................. SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- Hmm. The disk's own RWTS can't most of track 0, specifically the part loaded during boot that contains the RWTS. I can write that manually to my copy if I need to. ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 056 FREE A 002 HELLO *B 003 CURSORS *B 007 ]SMALL STANDARD *B 017 ]BLOCK *B 004 QUICKBLOAD *B 002 PICTURE UNPACKER B 003 PRINTER.INFO B 008 TRIPLE.1 A 009 START A 026 OD B 011 P.RM1 B 015 MM B 014 SM B 008 P.RM2 A 007 MENU B 010 P.RM5 A 020 PF B 002 BLOAD.PATCH *B 002 TS T 002 CURRENT.INFO B 010 RSH B 028 TRIPLE.2 B 015 TRIPLE.3 T 003 PRINTER.LIST T 006 INTERFACE.LIST B 011 P.RM3 B 009 P.RM6 B 010 P.RM7 B 010 P.RM8 B 010 P.RM9 B 008 P.RM10 A 022 WORMS B 013 P.BW1 B 009 P.BW2 B 010 P.BW3 B 010 P.BW4 B 008 P.BW5 B 009 P.BW6 B 012 P.BW7 B 006 P.BW8 B 002 STAR B 008 ODSH B 029 OSHAPES B 010 P.RM4 ]RUN HELLO ...displays main menu then crashes... [S5,D1=DOS 3.3 master disk] ]PR#5 ]RUN HELLO,S6,D2 ...program loads and runs... So it doesn't like Diversi-DOS 64K (the DOS on my work disk). It's probably accessing DOS functions directly or assuming the RWTS parameter table is at specific address, instead of using the vectors on page 3. Or possibly it uses the language card itself. But it works when I boot an unmodified DOS 3.3. That means it isn't checking for its original DOS at runtime, which rules out a whole class of secondary protections that now I don't need to look for. ~ Chapter 2 In Which Life Is A Grind And Then You Die Of course, my copy can't boot on its own yet, because it's missing most of track $00. Sectors $00-$09 used a different prologue/epilogue structure, so I couldn't convert them with the captured RWTS because that RWTS can't read them. But I have those sectors on my work disk as "BOOT1", so let's write them out manually. And by "manually," I mean "not manually." ]PR#5 ]CALL -151 ; straightforward multi-sector write ; loop, via the RWTS vector at $03D9 08C0- A9 08 LDA #$08 08C2- A0 E8 LDY #$E8 08C4- 20 D9 03 JSR $03D9 08C7- AC ED 08 LDY $08ED 08CA- 88 DEY 08CB- 10 05 BPL $08D2 08CD- A0 0F LDY #$0F 08CF- CE EC 08 DEC $08EC 08D2- 8C ED 08 STY $08ED 08D5- CE F1 08 DEC $08F1 08D8- CE E1 08 DEC $08E1 08DB- D0 E3 BNE $08C0 08DD- 60 RTS +-- sector count v 08E0- 00 0A 00 00 00 00 00 00 08E8- 01 60 01 00 00 09 FB 08 ^ ^ track --+ +-- sector 08F0- 00 2F 00 00 02 00 FE 60 ^ +-- starting address 08F8- 01 00 00 00 01 EF D8 00 *BSAVE WRITE BOOT1,A$8C0,L$40 *BLOAD BOOT1,A$2600 *8C0G ...write write write... *C600G ...grind grind grind... Hmm. ]PR#5 ]BLOAD RWTS,A$2800 ]CALL -151 *FE89G FE93G ; disconnect DOS *B800<2800.2FFFM ; move RWTS into place *B800L . . nothing unusual, until... . B8DC- A0 20 LDY #$20 B8DE- 88 DEY B8DF- F0 61 BEQ $B942 ; normal "D5" B8E1- BD 8C C0 LDA $C08C,X B8E4- 10 FB BPL $B8E1 B8E6- 49 D5 EOR #$D5 B8E8- D0 F4 BNE $B8DE B8EA- EA NOP ; normal "AA" B8EB- BD 8C C0 LDA $C08C,X B8EE- 10 FB BPL $B8EB B8F0- C9 AA CMP #$AA B8F2- D0 F2 BNE $B8E6 ; wait, what? B8F4- 4C CA BE JMP $BECA There is not supposed to be a jump there. That usually continues into the $BFxx page and ends at $B943. *BECAL ; read another nibble BECA- BD 8C C0 LDA $C08C,X BECD- 10 FB BPL $BECA ; reset data latch and kill some time to get out of sync with the "proper" ; start of nibbles BECF- BD 8D C0 LDA $C08D,X BED2- A0 56 LDY #$56 ; skip over bits that are set (note the ; branch instruction -- it's BMI, not ; the usual BPL) BED4- BD 8C C0 LDA $C08C,X BED7- 30 FB BMI $BED4 ; read another nibble BED9- BD 8C C0 LDA $C08C,X BEDC- 10 FB BPL $BED9 ; burn some more cycles BEDE- 48 PHA BEDF- 68 PLA BEE0- 48 PHA BEE1- 68 PLA ; continue with RWTS BEE2- 4C F7 B8 JMP $B8F7 This RWTS expects (but ignores) some extra nibbles after the second data field prologue nibble. This explains why my sector editor couldn't read these sectors. But not just that -- there also need to be timing bits in the right places between the nibbles, otherwise the loop at $BED4 won't skip over the right number of bits once we get (intentionally) out of sync with the "proper" start of the nibbles. This explains why my EDD bit copy would just grind trying to read itself. It doesn't copy those extra timing bits between the nibbles. Of course, my demuffin'd disk can't make heads of tails of itself, because Advanced Demuffin successfully captured the real sector data from each sector and wrote it out in a standard format. But wait, there's more! If you order right now, you ALSO get... a custom write routine as well! That's right, this RWTS is a true read/write RWTS. In the place where it would normally write out the data field prologue ("D5 AA AD"), I see this instead: *B848L B848- A0 03 LDY #$03 B84A- 48 PHA B84B- 68 PLA B84C- 20 B9 B8 JSR $B8B9 B84F- 88 DEY B850- D0 F8 BNE $B84A B852- 4C B1 BE JMP $BEB1 <-- ! B855- EA NOP B856- EA NOP B857- A9 AA LDA #$AA B859- 20 B8 B8 JSR $B8B8 B85C- A9 AD LDA #$AD B85E- 20 BB B8 JSR $B8BB *BEB1L ; write a custom sequence of bits that ; the routine at $BECA can read BEB1- A0 06 LDY #$06 BEB3- EA NOP BEB4- EA NOP BEB5- B9 DF BC LDA $BCDF,Y BEB8- 9D 8D C0 STA $C08D,X BEBB- 1D 8C C0 ORA $C08C,X BEBE- EA NOP BEBF- EA NOP BEC0- EA NOP BEC1- EA NOP BEC2- A9 AD LDA #$AD BEC4- 88 DEY BEC5- D0 EC BNE $BEB3 ; continue with RWTS BEC7- 4C 5E B8 JMP $B85E Again, this is completely useless now that Advanced Demuffin has converted the disk to a standard format. ~ Chapter 3 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP ; remove the JMP instructions and ; restore the original code for reading ; and writing the data field prologue T00,S02,$49 change 03 to 04 T00,S02,$52 change 4CB1BEEAEA to A9D520 B8B8 T00,S02,$5F change BB to B8 T00,S02,$F4 change 4CCABEEABD8CC010FB49 ADD0DD to A056BD8CC010FBC9ADD0E7A900 ; restore original epilogue byte checks T00,S03,$91 change B6 to DE T00,S03,$35 change B6 to DE T00,S02,$9E change B6 to DE ]PR#6 ...works... Side B uses identical protection. Quod erat liberandum. --------------------------------------- A 4am crack No. 524 ------------------EOF------------------