-----------------Tapper---------------- A 4am crack 2015-03-02 --------------------------------------- Name: Tapper Genre: arcade Year: 1984 Publisher: Sega Enterprises, Inc. Media: single-sided 5.25-inch floppy OS: custom Other versions: - The Mechanic / The Micron crack - Quad Destiny crack ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup can't read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified address and data epilogues (AA DE EB) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "AA DE EB" set Data Epilogue to "AA DE EB" all tracks readable Why didn't COPYA work? modified epilogue bytes Why didn't Locksmith FDB work? ditto Next steps: 1. Convert disk to standard format with Super Demuffin 2. Patch RWTS to read standard format (if necessary) 3. Disable nibble check (if any) ~ Chapter 1 In Which It's All Over Before It Begins [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 ... ]BRUN SUPER DEMUFFIN --v-- SUPER-DEMUFFIN AND FAST COPY Modified by: The Saltine/Coast to Coast Address prologue: D5 AA 96 Address epilogue: AA DE EB DISK ^^^^^ ORIGINAL was "DE AA"-------+++++ Data prologue: D5 AA AD Data epilogue: AA DE EB ^^^^^ was "DE AA"-------+++++ Ignore write errors while demuffining! D - Edit parameters - Advance to next parm - Exit edit mode R - Restore DOS 3.3 parameters O - Edit Original disk's parameters C - Edit Copy disk's parameters G - Begin demuffin process --^-- Pressing "G" switches to the Locksmith Fast Disk Copy UI. --v-- LOCKSMITH 7.0 FAST DISK BACKUP R................................... W*********************************** HEX 00000000000000001111111111111111222 TRK 0123456789ABCDEF0123456789ABCDEF012 0................................... 1................................... 2................................... 3................................... 4................................... 5................................... 6................................... 7................................... 8................................... 9................................... A................................... B................................... C................................... D................................... 12 E................................... F................................... [ ] PRESS [RESET] TO EXIT --^-- [S6,D1=Super Demuffin'd copy] ]PR#6 ...grinds... OK, the copy can't read itself yet. [Disk Fixer] --> "F"ind --> "H"ex --> "BD 8C C0" ; LDA $C08C,X Looks like the disk uses a custom RWTS. Here's the relevant code that checks the epilogue sequences, on T00,S03: --v-- ----------- DISASSEMBLY MODE ---------- 0093:BD 8C C0 LDA $C08C,X 0096:10 FB BPL $0093 0098:C9 AA CMP #$AA 009A:D0 0A BNE $00A6 009C:EA NOP 009D:BD 8C C0 LDA $C08C,X 00A0:10 FB BPL $009D 00A2:C9 DE CMP #$DE 00A4:F0 5C BEQ $0102 00A6:38 SEC 00A7:60 RTS . . . ----------- DISASSEMBLY MODE ----------- 00EF:BD 8C C0 LDA $C08C,X 00F2:10 FB BPL $00EF 00F4:C9 AA CMP #$AA 00F6:D0 AE BNE $00A6 00F8:EA NOP 00F9:BD 8C C0 LDA $C08C,X 00FC:10 FB BPL $00F9 00FE:C9 DE CMP #$DE --^-- T00,S03,$99 change "AA" to "DE" T00,S03,$A3 change "DE" to "AA" T00,S03,$F5 change "AA" to "DE" T00,S03,$FF change "DE" to "AA" ]PR#6 ...works... There doesn't appear to be any further protection. Quod erat liberandum. --------------------------------------- A 4am crack No. 234 ------------------EOF------------------