-----------Terrapin Logo 1.3-----------
A 4am crack                  2015-01-15
-------------------. updated 2016-01-14
                   |___________________

Name: Terrapin Logo
Version: 1.3
Genre: programming
Year: 1982
Publisher: Terrapin, Inc.
Authors: L. Klotz, P. Sobalvarro, S.
  Hain, H. Abelson
Media: single-sided 5.25-inch floppy
Other cracks: none of this version
  (preserved here for the first time)
Similar cracks: Terrapin Logo 2.0 (4am
  crack no. 178)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy reboots endlessly

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: EB AA EB, data: BB AA EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "EB AA EB"
    set Data Epilogue to "BB AA EB"
  Success! All tracks readable!
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is
    "STARTLOGO"

T00,S06 has an interesting message:

                 --v--

------------- DISK EDIT ---------------
TRACK $00/SECTOR $06/VOLUME $FE/BYTE$00
---------------------------------------
$00:>A0<A0 A0 A0 A0 A0 A0 A0
$08: A0 A0 A0 A0 D4 C8 C9 D3       THIS
$10: A0 C4 C9 D3 CB A0 D0 D2    DISK PR
$18: CF D4 C5 C3 D4 C5 C4 A0   OTECTED
$20: C2 D9 A0 D3 D4 C5 D6 C5   BY STEVE
$28: A0 C7 CC C5 CE CE C5 D2    GLENNER
$30: A7 D3 A0 A2 D4 C8 C5 A0   'S "THE
$38: D3 C1 C6 C5 A2 A0 A0 A0   SAFE"
$40: A0 A0 A0 A0 A0 A0 A0 A0
$48: A0 A0 A0 A0 A0 A0 A0 A0
$50: A0 A0 A0 A0 A0 A0 38 BD         8=
$58: 8D C0 BD 8E C0 30 5E A9   .@=.@0^)
$60: FF 9D 8F C0 DD 8C C0 48   ...@].@H
$68: 68 20 C3 BC 20 C3 BC 9D   ( C< C<.
$70: 8D C0 DD 8C C0 EA 88 D0   .@].@j.P
$78: F0 A9 D5 20 D5 BC A9 AA   p)U U<)*
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL

                 --^--

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot
  (programs do not spontaneously reboot
  unless someone tells them to)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. Patch RWTS to read standard format
  4. find nibble check and bypass it

Let's go crack "The Safe."

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
020 FREE

 B 128 LOGO
 B 007 STARTLOGO

]BRUN STARTLOGO
...reboots...

[S6,D1=demuffin'd copy]

]PR#6
...grinds then reboots...

Hmm.

                   ~

               Chapter 2
    In Which We Go Safe-Cracking And
      Discover A Most Curious Lock


]PR#5
]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G     ; disconnect DOS

*B600<2600.2FFF  ; move DOS into place

*B700L
.
. nothing unusual, until...
.
B738-   20 00 BB    JSR   $BB00 <-- WTF
B73B-   A2 FF       LDX   #$FF
B73D-   9A          TXS
B73E-   8E EB B7    STX   $B7EB
B741-   4C C8 BF    JMP   $BFC8
B744-   20 89 FE    JSR   $FE89
B747-   4C 84 9D    JMP   $9D84

At $B738, I was expecting a call to
$B793, the multi-sector read routine.
There shouldn't be any code at $BB00.
That page is used as scratch space by
the RWTS, and it's overwritten on every
sector read.

*BB00L

; relocate this code to graphics page
BB00-   A2 00       LDX   #$00
BB02-   BD 00 BB    LDA   $BB00,X
BB05-   9D 00 40    STA   $4000,X
BB08-   CA          DEX
BB09-   D0 F7       BNE   $BB02

; and continue there
BB0B-   4C 0E 40    JMP   $400E

; save RWTS parameter table
BB0E-   A2 10       LDX   #$10
BB10-   BD E8 B7    LDA   $B7E8,X
BB13-   9D 69 40    STA   $4069,X
BB16-   CA          DEX
BB17-   10 F7       BPL   $BB10

; track $02
BB19-   A9 02       LDA   #$02
BB1B-   8D EC B7    STA   $B7EC

; sector $0F
BB1E-   A9 0F       LDA   #$0F
BB20-   8D ED B7    STA   $B7ED

; volume $00 (wildcard)
BB23-   A9 00       LDA   #$00
BB25-   8D EB B7    STA   $B7EB

; store at $4100
BB28-   A9 00       LDA   #$00
BB2A-   8D F0 B7    STA   $B7F0
BB2D-   A9 41       LDA   #$41
BB2F-   8D F1 B7    STA   $B7F1

; read
BB32-   A9 B7       LDA   #$B7
BB34-   A0 E8       LDY   #$E8
BB36-   20 00 BD    JSR   $BD00

; fail on read error
BB39-   B0 07       BCS   $BB42

; read entire track
BB3B-   CE ED B7    DEC   $B7ED
BB3E-   10 F2       BPL   $BB32

; continue at $BB45
BB40-   30 03       BMI   $BB45

; failure path is here -- reboot
; immediately (this explains the
; behavior I saw on my failed
; bit copy)
BB42-   4C 00 C6    JMP   $C600

; copy protection continues here
BB45-   EA          NOP
BB46-   EA          NOP
BB47-   EA          NOP

; sector $00
BB48-   A9 00       LDA   #$00
BB4A-   8D ED B7    STA   $B7ED

; write?!?
BB4D-   A9 02       LDA   #$02
BB4F-   8D F4 B7    STA   $B7F4

; call RWTS to write the sector we just
; read (back to T02,S00)
BB52-   A9 B7       LDA   #$B7
BB54-   A0 E8       LDY   #$E8
BB56-   20 00 BD    JSR   $BD00

; aha! if that *worked*, fail
BB59-   90 E7       BCC   $BB42

; restore original RWTS parameter table
BB5B-   A2 10       LDX   #$10
BB5D-   BD 69 40    LDA   $4069,X
BB60-   9D E8 B7    STA   $B7E8,X
BB63-   CA          DEX
BB64-   10 F7       BPL   $BB5D

; continue to real multi-sector read
BB66-   4C 93 B7    JMP   $B793

Did you catch that? This is a very
elaborate way of checking that the disk
is... write-protected.

To verify this, I went back to the copy
I made with EDD 4 bit copy, and write-
protected the disk. It boots right up
without complaint.

                   ~

               Chapter 3
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; fix epilogue byte checking in RWTS
T00,S03,$91 change EB to DE
T00,S03,$35 change BB to DE
T00,S06,$AE change EB to DE
T00,S02,$9E change BB to DE

; bypass copy protection
T00,S01,$39 change 00BB to 93B7

Quod erat liberandum.

                   ~

               Changelog


2016-01-14

- typo

2015-01-15

- initial release

---------------------------------------
A 4am crack                     No. 187
------------------EOF------------------