----------Monty Plays Scrabble---------
A 4am crack                  2016-03-08
---------------------------------------

Name: Monty Plays Scrabble
Version: 2.0
Genre: board game
Year: 1981
Publisher: Ritam Corporation
Media: single-sided 5.25-inch floppy
OS: custom with DOS 3.3 bootloader
Previous cracks: none of this version

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  read error on first pass

Locksmith Fast Disk Backup
  can't read anything beyond track $00

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  track $01+ uses modified epilogues
    ("DF AA EB") for address and data

Disk Fixer
  T00 looks like a DOS 3.3 bootloader
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "DF AA EB"
    set Data Epilogue to "DF AA EB"
  Success! All tracks readable!
  no sign of the rest of DOS
  no sign of a disk catalog

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  just structural changes to epilogues

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format
  4. declare victory(*)

(*) take a nap

                   ~

               Chapter 1
      In Which We Attempt To Use
     The Original Disk As A Weapon
            Against Itself


[S6,D1=original disk]
[S6,D2=failed copy from Locksmith Fast
       Disk Backup (has track $00)]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

[press "5" to switch to slot 5]

[press "R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]

[press "C" to convert disk]
  --> CHANGE DEFAULT VALUES? Y

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================

INPUT ALL VALUES IN HEX

SECTORS PER TRACK? (13/16) 16

START TRACK: $01        <-- change this
START SECTOR: $00

END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $01,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Now press RETURN to start the copy...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK: ..................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0: ..................................
SC1: ..................................
SC2: ..................................
SC3: ..................................
SC4: ..................................
SC5: ..................................
SC6: ..................................
SC7: ..................................
SC8: ..................................
SC9: ..................................
SCA: ..................................
SCB: ..................................
SCC: ..................................
SCD: ..................................
SCE: ..................................
SCF: ..................................
=======================================
16SC $01,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

This is the power and the genius of
Advanced Demuffin. Every disk must be
able to read itself. So, let it read
itself, then capture the data and write
it out in a standard format.

[S6,D1=demuffin'd copy]

]PR#6
...grinds and crashes...

My demuffin'd copy can not read itself,
because it's still looking for the
non-standard epilogue bytes. This is so
common, I wrote a tool to fix it for me
automatically: "Post-Demuffin Patcher".
(I am not good with names.) I included
the binary on my work disk, but you can
download the source code at

https://archive.org/details/PostDemuffinPatcher4am

It does a lot more than just fix
non-standard epilogue bytes, but it
looks like that's the only thing this
disk needs. But let's find out!

                   ~

               Chapter 2
    In Which We Remove All Traces Of
Copy Protection Using An Automated Tool
That I Wrote For Just Such An Occasion


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; restore standard epilogues in RWTS
T00,S03,$91 change DF to DE
T00,S03,$35 change DF to DE
T00,S06,$AE change DF to DE
T00,S02,$9E change DF to DE

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 641
------------------EOF------------------
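
The epilogue mismatch from Chapter 0, as an added example that is not part of the original write-up or of any 4am tool: a Python scan of a constructed nibble stream that decodes each address field and reports whether a reader expecting a given epilogue would accept it. The helper names, the sample stream (volume $FE, two sectors) and the full three-byte epilogue comparison are assumptions of this example.

```python
# Added example: sample data is constructed, helper names are hypothetical.
ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0x96])  # DOS 3.3 address field prologue
STD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])   # standard epilogue
DISK_EPILOGUE = bytes([0xDF, 0xAA, 0xEB])  # epilogue the nibble editor showed


def enc44(value):
    """4-and-4 encode one byte into two disk nibbles."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])


def dec44(odd, even):
    """Inverse of enc44: recombine the odd-bit and even-bit nibbles."""
    return ((odd << 1) | 1) & even


def address_field(volume, track, sector, epilogue):
    """Build one address field for the constructed sample stream."""
    values = (volume, track, sector, volume ^ track ^ sector)
    return ADDR_PROLOGUE + b"".join(enc44(v) for v in values) + epilogue


def scan(nibbles, expected=STD_EPILOGUE):
    """Return (track, sector, epilogue, readable) per address field found.

    Assumption of this example: the reader compares all three epilogue bytes.
    """
    results = []
    pos = nibbles.find(ADDR_PROLOGUE)
    while pos != -1:
        field = nibbles[pos + 3:pos + 14]  # 8 data nibbles + 3 epilogue
        if len(field) == 11:
            vol, trk, sec, chk = (dec44(field[i], field[i + 1]) for i in (0, 2, 4, 6))
            epilogue = field[8:]
            readable = chk == vol ^ trk ^ sec and epilogue == expected
            results.append((trk, sec, epilogue.hex(" ").upper(), readable))
        pos = nibbles.find(ADDR_PROLOGUE, pos + 3)
    return results


# Constructed stream: track $00 in standard format, track $01 as found on disk.
SAMPLE = (b"\xff" * 5 + address_field(0xFE, 0x00, 0x00, STD_EPILOGUE)
          + b"\xff" * 5 + address_field(0xFE, 0x01, 0x05, DISK_EPILOGUE))

if __name__ == "__main__":
    for label, expected in (("standard reader", STD_EPILOGUE),
                            ("reader patched to DF AA EB", DISK_EPILOGUE)):
        for trk, sec, epi, ok in scan(SAMPLE, expected):
            print(f"{label}: T{trk:02X},S{sec:02X} epilogue {epi} "
                  f"{'OK' if ok else 'READ ERROR'}")
```

With the standard epilogue expected, only the track $00 field is accepted, which matches what Locksmith Fast Disk Backup managed to copy.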