------------------Ogre-----------------
A 4am crack                  2015-08-02
---------------------------------------

Name: Ogre
Genre: strategy
Year: 1986
Author: Steve Meuse
Publisher: Origin Systems
Media: single-sided 5.25-inch floppy
OS: ProDOS 1.1.1
Previous cracks:
  The Talisman / First Class
Identical cracks:
  Letters for You (crack no. 364)
  Opposites Attract (crack no. 190)
  This Land Is Your Land (no. 251)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  can't read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy only boots as far
  as ProDOS title screen, then gives
  "RELOCATION / CONFIGURATION ERROR"

Copy ][+ nibble editor
  modified address epilogue "AF AB AB"
  odd-numbered tracks (1, 3, 5...) also
  have a modified address prologue
  ("D4 AA 96")

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "AF AB AB"
    -> even-numbered tracks readable
    set Address Prologue to "D4 AA 96"
    -> odd-numbered tracks also readable
  T00 -> looks like ProDOS

Why didn't COPYA work?
  modified prologue/epilogue bytes

Why didn't Locksmith FDB work?
  modified prologue/epilogue bytes

Why didn't my EDD copy work?
  I don't know. The error is a standard
  ProDOS message, but it could easily
  have been triggered manually after a
  failed nibble check.

Converting the disk to a standard
format will be tricky. Super Demuffin
assumes all tracks share the same
prologue and epilogue bytes, but this
disk's address prologue alternates
between "D5 AA 96" and "D4 AA 96".
Advanced Demuffin requires a DOS 3.3-
shaped RWTS, but this disk uses ProDOS.

Next steps:

  1. Build an RWTS that can read the
     original disk
  2. Convert it to a standard format
     with Advanced Demuffin
  3. Patch the bootloader and/or the
     PRODOS file to be able to read a
     standard format disk
  4. Find the nibble check (or whatever
     is triggering the relocation error
     on the EDD copy) and bypass it

                   ~

               Chapter 1
        Bit Math Is Best Math


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]BLOAD BOOT0,A$800
]CALL -151

*801L

.
. standard ProDOS bootloader, until...
.
0831-   85 40       STA   $40
0833-   85 48       STA   $48
0835-   A0 63       LDY   #$63
0837-   B1 48       LDA   ($48),Y
0839-   99 94 09    STA   $0994,Y
083C-   C8          INY
083D-   C0 EB       CPY   #$EB
083F-   D0 F6       BNE   $0837
0841-   A2 06       LDX   #$06
0843-   BC 1D 09    LDY   $091D,X
0846-   BD 24 09    LDA   $0924,X
0849-   99 F2 09    STA   $09F2,Y
084C-   BD 2B 09    LDA   $092B,X
084F-   20 48 09    JSR   $0948    <- !
0852-   CA          DEX
0853-   10 EE       BPL   $0843

Standard ProDOS does have this memory
copy loop at $0841..$0854, but it does
not have any JSR in it. Normally, the
instruction at $084F is "STA $0A7F,X",
and $0948 is part of the routine that
displays the "UNABLE TO LOAD PRODOS"
message if something goes wrong during
early boot.

*9600 EF)

*1958:EF

*1944L

1944-   A0 FC       LDY   #$FC
1946-   84 26       STY   $26
1948-   C8          INY
1949-   D0 04       BNE   $194F
194B-   E6 26       INC   $26
194D-   F0 F3       BEQ   $1942
194F-   BD 8C C0    LDA   $C08C,X
1952-   10 FB       BPL   $194F
1954-   4A          LSR
1955-   C9 6A       CMP   #$6A
1957-   D0 EF       BNE   $1948

; copy address epilogue byte checker
*198B<53E6.53FAM

; fix one branch (03 -> 02)
*199C:02

*198BL

198B-   BD 8C C0    LDA   $C08C,X
198E-   10 FB       BPL   $198B
1990-   C9 DE       CMP   #$DE
1992-   F0 0A       BEQ   $199E
1994-   48          PHA
1995-   68          PLA
1996-   BD 8C C0    LDA   $C08C,X
1999-   C9 08       CMP   #$08
199B-   B0 02       BCS   $199F
199D-   EA          NOP
199E-   18          CLC
199F-   60          RTS

Now I have a DOS 3.3-shaped RWTS that
can read this disk.
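
The two checks in the listings above (the "LSR / CMP #$6A" prologue match at $1954 and the epilogue checker at $198B), modelled in Python as an added example that is not part of the original write-up. The class and function names are hypothetical, the latch samples are constructed values rather than measurements, and exact matching of the second and third prologue nibbles is an assumption.

```python
# Added illustration: a model of the two listings above, not 4am's code.
# Latch samples are constructed values, not measurements from a real drive.
from dataclasses import dataclass

@dataclass
class AddressField:
    prologue: tuple          # three nibbles as read from the disk
    epilogue_first: int      # first epilogue nibble
    latch_after_delay: int   # data latch sampled after the PHA/PLA delay

def prologue_first_ok(nibble: int) -> bool:
    # $1954 LSR / $1955 CMP #$6A: bit 0 is shifted out before the compare,
    # so $D5 (11010101) and $D4 (11010100) both reduce to $6A.
    return (nibble >> 1) == 0x6A

def epilogue_ok(first: int, latch_after_delay: int) -> bool:
    # $1990 CMP #$DE / BEQ $199E -> CLC, RTS: a standard epilogue passes.
    if first == 0xDE:
        return True
    # $1994-$199B: delay, read the latch without waiting for bit 7, then
    # CMP #$08 / BCS $199F -> RTS with carry set. Only a latch that is
    # still shifting in the next nibble (value < $08) passes.
    return latch_after_delay < 0x08

def prodos_style_reads(f: AddressField) -> bool:
    # Assumption: second and third prologue nibbles are matched exactly.
    return (prologue_first_ok(f.prologue[0])
            and f.prologue[1:] == (0xAA, 0x96)
            and epilogue_ok(f.epilogue_first, f.latch_after_delay))

def strict_reads(f: AddressField) -> bool:
    # A reader that insists on the standard bytes (D5 AA 96, DE epilogue).
    return f.prologue == (0xD5, 0xAA, 0x96) and f.epilogue_first == 0xDE

SAMPLES = {  # constructed
    "original, even track": AddressField((0xD5, 0xAA, 0x96), 0xAF, 0x05),
    "original, odd track": AddressField((0xD4, 0xAA, 0x96), 0xAF, 0x05),
    "bit copy, no timing bit": AddressField((0xD5, 0xAA, 0x96), 0xAF, 0x0A),
    "standard format": AddressField((0xD5, 0xAA, 0x96), 0xDE, 0x0A),
}

def survey() -> dict:
    # Maps each sample to (prodos-style result, strict result).
    return {name: (prodos_style_reads(f), strict_reads(f))
            for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, (prodos, strict) in survey().items():
        print(f"{name:26} prodos-style={prodos!s:5} strict={strict}")
```
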

*BSAVE RWTS LIKE PRODOS,A$1800,L$800

[S6,D1=original disk]
[S6,D2=blank disk]

*BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS LIKE PRODOS"
      from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

[S7,D1=ProDOS hard drive]

]PR#7
]CAT,S6,D2

/OGRE

 NAME           TYPE  BLOCKS  MODIFIED

*PRODOS         SYS      30  18-SEP-84
 MI.SYSTEM      SYS       5   9-JUN-86
 MI.HELLO       BIN       8  11-JUN-86
 OTITLER        BIN       7   9-JUN-86
 OL             BIN      13  11-JUN-86
 OH             BIN      46  11-JUN-86
 ED             BIN      13  11-JUN-86
 P1             BIN      16  11-JUN-86
 P2             BIN       4  11-JUN-86
 U1             BIN       5   1-MAY-86
 U2             BIN       5   1-MAY-86
 U3             BIN       5   1-MAY-86
 U4             BIN       5   1-MAY-86
 U5             BIN       5   1-MAY-86
 F1             BIN       5   1-MAY-86
 F2             BIN       5   1-MAY-86
 F3             BIN       5   1-MAY-86
 F4             BIN       5   1-MAY-86
 F5             BIN       5   1-MAY-86
 G1             BIN       5   2-MAY-86
 G2             BIN       5   1-MAY-86
 G3             BIN       5   1-MAY-86
 G4             BIN       5   1-MAY-86
 G5             BIN       5   1-MAY-86
 PR             BIN       1   7-MAY-86
 EA             BIN       5   9-JUN-86
 OGRE.PAC       BIN      11  29-MAY-86
 OGRE.ANMTBL    BIN      13  28-MAY-86
 CP.PAC         BIN      10   9-JUN-86
 CP.ANMTBL      BIN       8   9-JUN-86

BLOCKS FREE:    8     BLOCKS USED:  272

                   ~

               Chapter 3
     In Which Our Adventure Comes
To A Sudden But Satisfying Conclusion


[S6,D1=demuffin'd disk]

]PR#6
...program boots and runs...

Wait, what? Why did the demuffin'd copy
work?

Advanced Demuffin wrote out the data
from each sector onto a standard disk
that uses "D5 AA 96" prologue and
"DE AA EB" epilogue. The bootloader
RWTS always matches "D5 AA 96" and
doesn't care that it never sees a
"D4 AA 96", and it never checks
epilogue bytes at all. The RWTS within
the PRODOS file always matches
"D5 AA 96", and its epilogue checker
always matches "DE" and never checks
the timing bit. Thus no RWTS patches
are necessary.

But then why didn't the EDD copy work?

The bootloader RWTS doesn't check
epilogue bytes at all, so it was able
to read the disk and load the PRODOS
file. Once control is transferred to
the PRODOS file, it switches to its own
RWTS to read the disk catalog and find
the first .SYSTEM file. But its own
RWTS can't read the disk, because EDD
preserved the original prologue and
epilogue but not the timing bits. The
prologue checker (at $D398) finds
"D5 AA 96" (even-numbered tracks) or
"D4 AA 96" (odd-numbered tracks).
But the epilogue checker's first
compare (at $D3EB) didn't match because
the first epilogue byte was still the
original value ($AF), and its second
compare (at $D3F4) didn't match because
there was no timing bit after the first
byte. ProDOS can't read the disk
catalog, so it displays the
"RELOCATION / CONFIGURATION ERROR" and
gives up.

There was never any nibble check; the
very structure of the disk itself is
designed to foil bit copiers.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 386
------------------EOF------------------