-----------The Coveted Mirror---------- A 4am crack 2015-07-19 --------------------------------------- Name: The Coveted Mirror Genre: adventure Year: 1983 Authors: Eagle I. Berns and Holly Thomason Publisher: Penguin Software, Inc. Media: double-sided 5.25-inch floppy OS: DOS 3.3 Previous cracks: Asimov has several uncredited cracks Only side B is bootable, so I'll start there. ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified address and data epilogues ("DA AA EB" instead of "DE AA EB") odd-numbered tracks (1, 3, 5...) also have a modified address prologue ("D4 AA 96" instead of "D5 AA 96") Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "DA AA EB" -> even-numbered tracks readable T00 looks like a DOS 3.3 RWTS ["O" -> "Input/Output Control"] set Address Prologue to "D4 AA 96" -> odd-numbered tracks readable T01,S09 -> start program is "SETUPA" T11 has a DOS 3.3 disk catalog Why didn't COPYA work? modified prologue and epilogues Why didn't Locksmith FDB work? modified prologue and epilogues EDD worked. What does that tell us? no half or quarter tracks almost certainly no nibble check (just structural changes to epilogue) Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 In Which We Attempt To Use The Original Disk As A Weapon Against Itself [S6,D1=original disk (side B)] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 ... CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ... ]CATALOG,S6,D2 C1983 DSR^C#254 051 FREE B 016 SETUP B 034 LOGO.PIC B 011 FLY.ANM B 010 CM.UTILS B 017 CM B 011 CM.ACTIONS0 B 013 CM.ACTIONS1 B 012 CM.ACTIONS2 B 017 CM.ACTIONS3 B 007 CM.MESSAGES B 002 CM.CONSTANTS B 017 JOUST B 023 JOUST.ANM B 008 FISHGAME B 010 FISHGAME.ANM B 034 FISHGAME.PIC B 029 SIGNGAME B 034 SIGNGAME.PIC B 003 EUNPACK B 003 EUTILS B 005 ECOLORFILL B 004 ENDGAME B 005 LTBLUE.PAK B 004 YIPPEE.OBJ B 005 FERD.OBJ B 004 HAVE.OBJ B 006 SIPSY.OBJ B 003 CHEERS.OBJ B 004 LTPURPLE.PAK B 005 MAR.OBJ B 005 NAL.OBJ B 006 ROSY.OBJ B 006 KING.OBJ B 003 HA.OBJ A 002 SETUPA I 003 APPLESOFT [S6,D1=demuffin'd copy] ]PR#6 ...grinds... My copy can't read itself yet. This is not unusual. ~ Chapter 2 In Which We Remove All Traces Of Copy Protection Using An Automated Tool That I Wrote For Just Such An Occasion [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ... ]BRUN PDP T00,S03,$91 change DA to DE T00,S03,$35 change DA to DE T00,S02,$9E change DA to DE Advanced Demuffin converts side A with the same RWTS. Side A is not bootable, so no further patches are required. Quod erat liberandum. ~ Epilogue In Which We Stop And Smell The RWTS I want to look more closely at two lines of this RWTS, because they're beautiful and you should never pass up an opportunity to appreciate beauty. ]PR#5 ... ]BLOAD RWTS,A$2800 ]CALL -151 *FE89G FE93G ; disconnect DOS *B800<2800.2FFFM ; move RWTS into place *B944L ; routine to read address prologue B944- A0 FC LDY #$FC B946- 84 26 STY $26 B948- C8 INY B949- D0 04 BNE $B94F B94B- E6 26 INC $26 B94D- F0 F3 BEQ $B942 ; find prologue nibble #1 B94F- BD 8C C0 LDA $C08C,X B952- 10 FB BPL $B94F B954- 4A LSR <-- ! B955- 49 6A EOR #$6A <-- ! B957- D0 EF BNE $B948 ; find #2 B959- BD 8C C0 LDA $C08C,X B95C- 10 FB BPL $B959 B95E- C9 AA CMP #$AA B960- D0 F2 BNE $B954 B962- A0 03 LDY #$03 ; find #3 B964- BD 8C C0 LDA $C08C,X B967- 10 FB BPL $B964 B969- C9 96 CMP #$96 B96B- D0 E7 BNE $B954 The code to find prologue nibble #1 (specifically, the two instructions at $B954 and $B955) are the key to how this disk can read its odd-numbered tracks (with non-standard address prologue "D4 AA 96"). To understand why, we need to look at the bits. A standard address prologue starts with $D5, and the even-numbered tracks use this. In binary: $D5 = 1101 0101 After LSR: 0110 1010 = $6A But on this disk, the odd-numbered tracks have a custom address prologue that starts with $D4 instead. In binary: $D4 = 1101 0100 After LSR: 0110 1010 = $6A By starting with the address prologue and munging it with LSR + EOR #$6A, the code will match either $D5 or $D4. This allows the program disk (side B) to use any pattern of address prologues "D5 AA 96" or "D4 AA 96". They chose to alternate even and odd tracks, but this low-level RWTS code doesn't care what track it's reading. But wait, it gets better. The game writes to side A for saved games. The RWTS always writes an address prologue of "D5 AA 96". And that's OK, because the RWTS can read that too. There's no magic to the specific pattern of alternating address prologues on even and odd tracks. The RWTS will accept "D5 AA 96" or "D4 AA 96" on any track. That means there's no need to switch modes between "read a protected program disk" and "read an unprotected data disk." There's only one mode. Furthermore (and this is where things get really beautiful), RWTS code is time-critical between reading the last bit of one nibble and reading the first bit of the next. If it's too fast or too slow, it will get out of phase (because the disk spins independently of the CPU). Compare DOS 3.3 (cycle count in margin) B94F- BD 8C C0 LDA $C08C,X B952- 10 FB BPL $B94F B954- C9 D5 CMP #$D5 | 2 B956- D0 F0 BNE $B948 | 2 * B958- EA NOP | 2 B959- BD 8C C0 LDA $C08C,X B95C- 10 FB BPL $B959 (*) on the time-critical path, this branch is not taken, so always 2 ...and this disk's RWTS: B94F- BD 8C C0 LDA $C08C,X B952- 10 FB BPL $B94F B954- 4A LSR | 2 B955- 49 6A EOR #$6A | 2 B957- D0 EF BNE $B948 | 2 * B959- BD 8C C0 LDA $C08C,X B95C- 10 FB BPL $B959 Despite being more "flexible" (matching $D5 or $D4), this disk's RWTS uses the same number of bytes of code and runs in the same number of cycles. Nice. Finally, this explains why I didn't need to patch the address prologue code at $B954 and $B955 after Advanced Demuffin converted the disk to a standard format. The cracked disk uses "D5 AA 96" on every track. The RWTS sees that, does its bit math, and says, "I'll allow it." --------------------------------------- A 4am crack No. 376 ------------------EOF------------------