-----------The Halley Project----------
A 4am crack                  2014-06-14
---------------------------------------

"The Halley Project" is a 1985 space
simulation game distributed by
Mindscape, Inc. According to the in-
game credits, the game is "by Omar
Khudari and Tom Snyder. Apple version
by Leonard Bertoni. Programming and
graphics by Omar Khudari, M. le Fuge,
Ed McNierney, Peter Reynolds, and
Gabrielle Savage. Copyright (c) 1985
Mindscape, Inc."

COPYA fails immediately with a disk
read error. EDD 4 bit copy gives no
errors, but the copy does not work. It
swings out to a high track and reboots.

Turning to my trusty Copy ][+ sector
editor, I press "P" to enter the Sector
Editor Patcher, then select "DOS 3.3
PATCHED" (which ignores address field
checksums and epilogue bytes). Behold!
All tracks and sectors are readable.

Based on my limited experience cracking
other disks, I would guess that this
disk has

- Standard prologue bytes before the
  address and data fields [otherwise
  Copy ][+ sector editor would give
  read errors, even with the "DOS 3.3
  PATCHED" option]
- Non-standard epilogue bytes after the
  address and data fields [otherwise
  COPYA would work]
- Some secondary protection [otherwise
  the bit copy created with EDD 4 would
  work]

Given the (relatively) weak structural
protection, I used to turn to the DOS
3.3 master disk, patch the RWTS to
ignore checksums and epilogue bytes
(changing $B942 from "SEC" to "CLC"),
and run COPYA. Then, one fine day, and
completely by accident, I came across
an original disk with a bad sector. I
suppose this shouldn't surprise me.
These floppies are decades old by now;
it's amazing any of them work at all.

The point is, I shouldn't be using
tools that ignore potentially serious
read errors. There are other tools,
like Super Demuffin, that can convert a
disk like this (with non-standard
epilogue bytes) into a standard format.
It requires figuring out what the
actual epilogue bytes are, but it has
the advantage of surfacing a read error
if the original disk actually has a
read error.

So... no more COPYA+B942:18 patch. From
now on, it's Super Demuffin or Advanced
Demuffin to convert disks to a standard
format.

The Copy ][+ nibble editor also shows
standard address and data prologues,
but the address and data epilogues are
"FF FF". ("DE AA" is the standard.)
Further inspection suggests that every
track uses the same encoding.

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 01  START: 2D10  LENGTH: 015F

2CF0: FF FF FF FF FF FF FF FF   VIEW
2CF8: FF FF FF FF FF FF FF FF
2D00: FF FF FF FF FF FF FF FF
2D08: FF FF FF FF FF FF FF FF
2D10: D5 AA 96 FF FE AA AB AA  <-2D10
      ^^^^^^^^
  address prologue

2D18: AA FF FF FF FF FF FF FE
                     ^^^^^
               address epilogue
                (non-standard)

2D20: FF FF FF FF FF D5 AA AD
                     ^^^^^^^^
                  data prologue

2D28: 9A 9B 9A 9B 97 97 9B 97
2D30: 9B 97 9A 97 9B 96 96 96

---------------------------------------

  A  TO ANALYZE DATA  ESC TO QUIT

  ?  FOR HELP SCREEN  /  CHANGE PARMS

  Q  FOR NEXT TRACK   SPACE TO RE-READ

                 --^--

It's time for Super Demuffin.

Super Demuffin is a utility built on
top of Locksmith Fast Disk Copy. It
takes a disk that uses non-standard but
uniform structure, and it converts it
to a standard disk format.  I've
included a copy on my work disk.

When you first run Super Demuffin, it
asks for the parameters of the original
disk. In this case, the prologue bytes
are the same, but the epilogues use
"FF" instead of "DE AA". I just need to
change those two parameters (shown
below). The third byte of the address
epilogue is not important, since most
DOS 3.3-shaped RWTSes ignore it.

                 --v--

      SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast


   Address prologue: D5 AA 96

   Address epilogue: FF FF EB    DISK
                     ^^ ^^     ORIGINAL
   was "DE AA"-------++-++

      Data prologue: D5 AA AD

      Data epilogue: FF FF EB
                     ^^ ^^
      was "DE AA" ---++-++


 Ignore write errors while demuffining!


  D - Edit parameters
      <SPACE> - Advance to next parm
      <RETURN> - Exit edit mode
  R - Restore DOS 3.3 parameters
  O - Edit Original disk's parameters
  C - Edit Copy disk's parameters
  G - Begin demuffin process

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI. It assumes that both
disks are in slot 6, and that drive 1
is the original and drive 2 is the
copy.

[S6,D1=original disk]
[S6,D2=blank disk]

                 --v--

     LOCKSMITH 7.0  FAST DISK BACKUP


   R...................................
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0...................................
   1...................................
   2...................................
   3...................................
   4...................................
   5...................................
   6...................................
   7...................................
   8...................................
   9...................................
   A...................................
   B...................................
   C...................................
   D...................................
12 E...................................
   F...................................
[               ] PRESS [RESET] TO EXIT

                 --^--

Now I have a copy of the disk in a
standard format that can be read by any
tools. That is, I can copy this copy
with COPYA or Locksmith Fast Disk
Backup, without patching the DOS 3.3
RWTS beforehand. I can sector edit the
disk without messing with the Sector
Editor Patcher. &c.

There are two problems with this copy:

1. Depending on how the original disk
   was written, this copy may or may
   not be able to read itself. I may
   need to patch the disk's RWTS to
   deal with the fact that the disk is
   now in a standard format.

2. Even if it can read itself, it won't
   run. The copies I tried to make --
   even the bit copies -- just rebooted
   endlessly, which means there is some
   code being executed during boot to
   check if the disk is original.
   (Hint: it's not.)

Just by booting the copy, I can rule
out problem #1. The disk seems to read
itself just fine. It makes it exactly
as far as the failed bit copy -- far
enough to figure out that it's not an
original disk and reboot.

It's time for boot tracing.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]CALL -151

*800<2800.28FFM

*801L

; Put an "RTS" instruction at $801.
; Many custom boot0 routines do this so
; they can JSR $C65C to re-use the disk
; controller ROM routine to read more
; sectors. The ROM routine ends with a
; JMP $801, so putting an "RTS" there
; allows this code to call it as a
; subroutine.
0801-   A9 60       LDA   #$60
0803-   8D 01 08    STA   $0801

; clear some (but not all) of the text
; page (weird)
0806-   A2 00       LDX   #$00
0808-   A9 A0       LDA   #$A0
080A-   9D 00 04    STA   $0400,X
080D-   E8          INX
080E-   D0 FA       BNE   $080A
0810-   8E 78 04    STX   $0478

; zero page $27 holds the high byte of
; the address that the disk controller
; ROM routine will store data read from
; disk. So it looks like we're going to
; load some code into $3F00 (or maybe a
; graphical title screen?)
0813-   A9 3F       LDA   #$3F
0815-   85 27       STA   $27
0817-   A9 0F       LDA   #$0F
0819-   AA          TAX
081A-   A0 20       LDY   #$20

; don't know what this does yet; might
; be a multi-sector read routine
081C-   20 CD 08    JSR   $08CD

*8CDL

08CD-   85 41       STA   $41
08CF-   86 FF       STX   $FF
08D1-   84 FE       STY   $FE
08D3-   A2 60       LDX   #$60
08D5-   A5 41       LDA   $41
08D7-   0A          ASL

; not going to delve into this routine
; too deeply, but it looks like it
; positions the drive head on the track
; given in zero page $41
08D8-   20 3B 08    JSR   $083B

08DB-   A9 00       LDA   #$00
08DD-   85 26       STA   $26
08DF-   A4 FF       LDY   $FF

; looks like a physical-to-logical
; sector map
08E1-   B9 BD 08    LDA   $08BD,Y
08E4-   85 3D       STA   $3D

; read a sector
08E6-   A2 60       LDX   #$60
08E8-   20 5C C6    JSR   $C65C

; loop to read more sectors
08EB-   C6 FF       DEC   $FF
08ED-   10 06       BPL   $08F5

; loop to read more tracks
08EF-   A9 0F       LDA   #$0F
08F1-   85 FF       STA   $FF
08F3-   C6 41       DEC   $41
08F5-   C6 27       DEC   $27
08F7-   C6 27       DEC   $27
08F9-   C6 FE       DEC   $FE
08FB-   D0 D6       BNE   $08D3
08FD-   60          RTS

OK, so $08CD reads sectors from disk,
in descending sector order, descending
track order, and descending address
order. It looks like the caller needs
to store the first (highest) address in
$27 manually, then the accumulator
holds the starting track number,
X-register holds the starting sector
number, and the Y-register holds the
number of sectors to read. Backtracking
to where I left off...

; show hi-res graphics page 1
081F-   2C 57 C0    BIT   $C057
0822-   2C 54 C0    BIT   $C054
0825-   2C 52 C0    BIT   $C052
0828-   2C 50 C0    BIT   $C050

; more sector reads, reading 3 sectors
; from track 0, sectors 1-3, into
; $1D00..$1FFF
082B-   A2 1F       LDX   #$1F
082D-   86 27       STX   $27
082F-   A9 00       LDA   #$00
0831-   A2 03       LDX   #$03
0833-   A0 03       LDY   #$03
0835-   20 CD 08    JSR   $08CD

; jump to somewhere within that code
0838-   4C 87 1F    JMP   $1F87

OK, that's where I need to interrupt
the boot to find out what happens next.

*9600<C600.C6FFM

; set up a callback at $0838 to jump to
; a routine under my control instead of
; continuing to $1F87
96F8-   A9 4C       LDA   #$4C
96FA-   8D 38 08    STA   $0838
96FD-   A9 0A       LDA   #$0A
96FF-   8D 39 08    STA   $0839
9702-   A9 97       LDA   #$97
9704-   8D 3A 08    STA   $083A

; start the boot
9707-   4C 01 08    JMP   $0801

; callback is here -- turn off the disk
; motor and reboot to my work disk
970A-   AD E8 C0    LDA   $C0E8
970D-   4C 00 C5    JMP   $C500

*BSAVE TRACE1,A$9600,L$110

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1,A$1D00,L$2300
]CALL -151

*1F87L

; this uses the same multi-sector read
; routine to read one(!) sector from
; track $11, sector $00, at address
; $8000 and jump to it
1F87-   A9 00       LDA   #$00
1F89-   85 26       STA   $26
1F8B-   A9 80       LDA   #$80
1F8D-   85 27       STA   $27
1F8F-   A9 11       LDA   #$11
1F91-   A2 00       LDX   #$00
1F93-   A0 01       LDY   #$01
1F95-   20 CD 08    JSR   $08CD
1F98-   4C 00 80    JMP   $8000

And that's where I need to set another
callback.

*9600<C600.C6FFM

; same as TRACE1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 38 08    STA   $0838
96FD-   A9 0A       LDA   #$0A
96FF-   8D 39 08    STA   $0839
9702-   A9 97       LDA   #$97
9704-   8D 3A 08    STA   $083A

; start boot
9707-   4C 01 08    JMP   $0801

; first callback is here -- set up the
; second callback
970A-   A9 4C       LDA   #$4C
970C-   8D 98 1F    STA   $1F98
970F-   A9 1C       LDA   #$1C
9711-   8D 99 1F    STA   $1F99
9714-   A9 97       LDA   #$97
9716-   8D 9A 1F    STA   $1F9A

; continue boot
9719-   4C 87 1F    JMP   $1F87

; second callback is here
971C-   AD E8 C0    LDA   $C0E8
971F-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$122

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2,A$8000,L$100
]CALL -151

*8000L

; save zero page state
8000-   A2 FF       LDX   #$FF
8002-   B5 00       LDA   $00,X
8004-   9D 00 83    STA   $8300,X
8007-   CA          DEX
8008-   D0 F8       BNE   $8002
800A-   A9 0A       LDA   #$0A
800C-   85 50       STA   $50

; manually turn on disk motor -- this
; is never not suspicious
800E-   A6 2B       LDX   $2B
8010-   BD 89 C0    LDA   $C089,X
8013-   BD 8E C0    LDA   $C08E,X
8016-   A9 9B       LDA   #$9B
8018-   85 48       STA   $48
801A-   A9 80       LDA   #$80
801C-   85 49       STA   $49
801E-   A9 80       LDA   #$80
8020-   85 51       STA   $51
8022-   C6 51       DEC   $51
8024-   F0 6E       BEQ   $8094

; position drive head
8026-   20 A3 80    JSR   $80A3
8029-   B0 69       BCS   $8094
802B-   A5 2E       LDA   $2E
802D-   C9 07       CMP   #$07
802F-   D0 F1       BNE   $8022

; Search for a specific sequence of
; nibbles in the "dead zone" between
; the address field and data field.
; This area is normally not important,
; so COPYA didn't copy it precisely
; because normal disks don't care.
; (Actually, it's even more evil than
; that, because the original disk is
; written with timing bits in specific
; non-standard places between the
; nibbles in the dead zone. This code
; not only requires the right nibbles
; in the right order, it reads them
; just slightly faster than normal. So
; the timing bits need to be in the
; right places too, or the disk will
; get out of sync and read the wrong
; nibble values. This will trip up even
; the best bit copiers. And you can
; forget about making a disk image for
; emulators -- those don't store timing
; bits at all.)
8031-   A0 00       LDY   #$00
8033-   BD 8C C0    LDA   $C08C,X
8036-   10 FB       BPL   $8033
8038-   88          DEY
8039-   F0 59       BEQ   $8094
803B-   C9 D5       CMP   #$D5
803D-   D0 F4       BNE   $8033
803F-   A0 00       LDY   #$00
8041-   BD 8C C0    LDA   $C08C,X
8044-   10 FB       BPL   $8041
8046-   88          DEY
8047-   F0 4B       BEQ   $8094
8049-   C9 E7       CMP   #$E7
804B-   D0 F4       BNE   $8041
804D-   BD 8C C0    LDA   $C08C,X
8050-   10 FB       BPL   $804D
8052-   C9 E7       CMP   #$E7
8054-   D0 3E       BNE   $8094
8056-   BD 8C C0    LDA   $C08C,X
8059-   10 FB       BPL   $8056
805B-   C9 E7       CMP   #$E7
805D-   D0 35       BNE   $8094
805F-   BD 8D C0    LDA   $C08D,X
8062-   A0 10       LDY   #$10
8064-   24 06       BIT   $06
8066-   BD 8C C0    LDA   $C08C,X
8069-   10 FB       BPL   $8066
806B-   88          DEY
806C-   F0 26       BEQ   $8094
806E-   C9 EE       CMP   #$EE
8070-   D0 F4       BNE   $8066
8072-   A0 07       LDY   #$07
8074-   BD 8C C0    LDA   $C08C,X
8077-   10 FB       BPL   $8074
8079-   D1 48       CMP   ($48),Y
807B-   D0 17       BNE   $8094
807D-   88          DEY
807E-   10 F4       BPL   $8074

; if we get here, the nibble check has
; succeeded
; restore zero page state
8080-   A2 FF       LDX   #$FF
8082-   BD 00 83    LDA   $8300,X
8085-   95 00       STA   $00,X
8087-   CA          DEX
8088-   D0 F8       BNE   $8082

; reposition drive head
808A-   A2 60       LDX   #$60
808C-   A9 00       LDA   #$00
808E-   20 3B 08    JSR   $083B

; execution continues at $1D00
8091-   4C 00 1D    JMP   $1D00

8094-   C6 50       DEC   $50
8096-   D0 86       BNE   $801E

; nibble check failed -- reboot
8098-   4C 00 C6    JMP   $C600

It appears that there are no side
effects to the nibble check. If it
passes, it positions the drive head
back to track 0 and jumps to the next
stage (at $1D00). If it fails, it
reboots. So it appears I can just
bypass this entire routine and jump
straight to the success path at
$808A. Actually, no, let's backtrack
even further. This routine was the only
thing read from disk at $1F87. If I'm
bypassing it, I don't even need that
disk read. That means I *also* don't
need to reposition the drive head back
to track 0, since it was at track 0
before calling $1F87.

What I'm saying is the entire routine
at $1F87 is unnecessary. It slows down
the boot by swinging the drive head out
to track $11 and back, just to do a
nibble check that I'm going to bypass.

That takes me all the way back to the
boot0 code on T00,S00. At $0838, I can
jump to $1D00 instead of $1F87 to skip
both the track $11 disk read and the
nibble check.

T00,S00,$39 change "87 1F" to "00 1D"

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 74
-------------------EOF-----------------