-----------Terrapin Logo 2.0-----------
A 4am crack                  2014-12-16
-------------------. updated 2016-01-14
                   |___________________

Terrapin Logo is an implementation of
the Logo programming language. It was
written by L. Klotz, P. Sobalvarro, and
S. Hain under the supervision of H.
Abelson. This is version 2.0,
distributed in 1984 by Terrapin, Inc.

COPYA fails miserably and immediately.
EDD 4 bit copy gives no read errors,
but the copy just reboots endlessly.

In my experience, programs do not
spontaneously reboot unless someone
tells them to.

The original disk appears to boot a
modified DOS 3.3. Listening to the disk
drive, it quickly moves out to track 2,
then back to track 1, then track 0,
then swings out to track $11 to read
the disk catalog and load the startup
program (HELLO or similar). The DOS
load takes just slightly longer than I
would expect. Or it could just be my
imagination.

Turning to my trusty Disk Fixer sector
editor, I go to "Input/Output Control"
(press "O") and set CHECKSUM ENABLED =
NO. This option ignores checksum bytes
and epilogue sequences -- as long as
the address and data prologue are
standard ("D5 AA 96" and "D5 AA AD",
respectively), this will allow me to
read each sector. And lo and behold, it
works! I can read the data from every
sector on every track.

T00,S06 has an interesting message:

                 --v--

------------- DISK EDIT ---------------
TRACK $00/SECTOR $06/VOLUME $FE/BYTE$00
---------------------------------------
$00:>A0<A0 A0 A0 A0 A0 A0 A0
$08: A0 A0 A0 A0 D4 C8 C9 D3       THIS
$10: A0 C4 C9 D3 CB A0 D0 D2    DISK PR
$18: CF D4 C5 C3 D4 C5 C4 A0   OTECTED
$20: C2 D9 A0 D3 D4 C5 D6 C5   BY STEVE
$28: A0 C7 CC C5 CE CE C5 D2    GLENNER
$30: A7 D3 A0 A2 D4 C8 C5 A0   'S "THE
$38: D3 C1 C6 C5 A2 A0 A0 A0   SAFE"
$40: A0 A0 A0 A0 A0 A0 A0 A0
$48: A0 A0 A0 A0 A0 A0 A0 A0
$50: A0 A0 A0 A0 A0 A0 38 BD         8=
$58: 8D C0 BD 8E C0 30 5E A9   .@=.@0^)
$60: FF 9D 8F C0 DD 8C C0 48   ...@].@H
$68: 68 20 C3 BC 20 C3 BC 9D   ( C< C<.
$70: 8D C0 DD 8C C0 EA 88 D0   .@].@j.P
$78: F0 A9 D5 20 D5 BC A9 AA   p)U U<)*
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL

---------------------------------------
COMMAND : _

                 --^--

Let's go crack "The Safe."

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

For those of you just tuning in, my
work disk uses a custom program that I
affectionately call "AUTOTRACE" to
automate the process of boot tracing as
far as possible. For some disks, this
just captures track 0, sector 0 (saved
in a file called "BOOT0") and stops.
For other disks that load in the same
way that an unprotected DOS 3.3 disk
loads, it captures the next stage of
the boot process as well (in a file
called "BOOT1"). BOOT1 contains sectors
0-9 on track 0, which are loaded into
memory at $B600..$BFFF. This generally
contains the RWTS routines which the
program uses to read the rest of the
disk.

If the RWTS is fairly normal as well
(and my AUTOTRACE program just spot-
checks a few memory locations to guess
at its "normalcy"), there's a good
chance I'll be able to use a tool
called Advanced Demuffin (written in
1983 by The Stack) to convert the disk
from whatever weird format it uses to
store its sector data into a standard
disk readable by unprotected DOS 3.3
disks or any other third-party tools.
In this case, AUTOTRACE extracts the
RWTS routines (generally loaded from
track 0, sectors 2-9 into $B800..$BFFF)
and saves *that* into a third file
called "RWTS".

If anything looks fishy or non-
standard, AUTOTRACE just stops, and I
have to check the files it saved so far
to determine why. But in this case, it
ran all the way through, automatically
capturing BOOT0, BOOT1, and RWTS files.
Now I can use Advanced Demuffin to
convert the disk to a standard format.
(It uses the disk's own RWTS to read
the original, then a standard DOS 3.3-
compatible RWTS to write out the data,
sector by sector.)

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...

]BRUN ADVANCED DEMUFFIN 1.5

[press "5" to switch to slot 5]

[press "R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]

[press "C" to convert disk]

This disk is 16 sectors, and the
default options (copy the entire disk,
all tracks, all sectors) don't need to
be changed unless something goes
horribly wrong.

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

The disk's own RWTS gave no read errors
on any track. This is the power and the
genius of Advanced Demuffin. Every disk
must be able to read itself. So, let it
read itself, then capture the data and
write it out in a standard format.

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
...

]CATALOG,S6,D1

C1983 DSR^C#254
009 FREE

 B 008 STARTLOGO
 B 138 LOGO

]BRUN STARTLOGO

Prints "LOADING, PLEASE WAIT..."

...and crashes.

Hmm.

]PR#5
...

]BRUN LOGO,S6,D1

Success! The main program loads and
runs without complaint. Something in
the loader program must be accessing
DOS locations directly instead of using
the vectors on page 3. (None of the
usual DOS locations work because my
work disk uses 64K Diversi-DOS.)

But this is definitely a good sign. It
tells me that the program itself
doesn't care about the DOS that loaded
it, once it's loaded. Some programs
will check for DOS-specific quirks and
fail if they detect that they were
loaded from anything but the original
disk's custom DOS. But I don't see any
evidence of that here.

But I'm not done yet...

]PR#6

...no dice. The disk grinds, unable to
read itself. This is not unusual. A lot
of disks need some sort of post-
demuffin patching, and I got tired of
doing it manually, so I wrote a program
to do it for me. It is called,
unsurprisingly, Post-Demuffin Patcher.
It prompts you to select a slot and
drive, then reads the demuffin'd disk,
checks for a modified DOS 3.3-shaped
RWTS, and applies the necessary patches
so the disk can read itself. (It can
also detect and bypass some nibble
checks.) I've included a copy of Post-
Demuffin Patcher on my work disk; the
full source code is currently available
at <https://archive.org/details/
PostDemuffinPatcher4am>.

]PR#5
...

]BRUN PDP

T00,S03,$91 change EB to DE
T00,S03,$35 change BB to DE
T00,S06,$AE change EB to DE
T00,S02,$9E change BB to DE
T00,S01,$39 change 00BB to 93B7

This is the actual output of the
program. Post-Demuffin Patcher prints
out the changes it is going to make
before it writes them to the disk. The
first four lines are just modifying
epilogue bytes. The last line is
interesting though. I want to go back
to the bootloader code I captured
earlier to see what that's about.

]PR#5
...

]BLOAD BOOT1,A$2600
]CALL -151

*FE89G FE93G     ; disconnect DOS

*B600<2600.2FFF  ; move DOS into place

*B700L
.
. nothing unusual, until...
.
B738-   20 00 BB    JSR   $BB00 <-- WTF
B73B-   A2 FF       LDX   #$FF
B73D-   9A          TXS
B73E-   8E EB B7    STX   $B7EB
B741-   4C C8 BF    JMP   $BFC8
B744-   20 89 FE    JSR   $FE89
B747-   4C 84 9D    JMP   $9D84

At $B738, I was expecting a call to
$B793, the multi-sector read routine.
There shouldn't be any code at $BB00.
That page is used as scratch space by
the RWTS, and it's overwritten on every
sector read.

*BB00L

; relocate this code to graphics page
BB00-   A2 00       LDX   #$00
BB02-   BD 00 BB    LDA   $BB00,X
BB05-   9D 00 40    STA   $4000,X
BB08-   CA          DEX
BB09-   D0 F7       BNE   $BB02

; and continue there
BB0B-   4C 0E 40    JMP   $400E

; save RWTS parameter table
BB0E-   A2 10       LDX   #$10
BB10-   BD E8 B7    LDA   $B7E8,X
BB13-   9D 69 40    STA   $4069,X
BB16-   CA          DEX
BB17-   10 F7       BPL   $BB10

; track $02
BB19-   A9 02       LDA   #$02
BB1B-   8D EC B7    STA   $B7EC

; sector $0F
BB1E-   A9 0F       LDA   #$0F
BB20-   8D ED B7    STA   $B7ED

; volume $00 (wildcard)
BB23-   A9 00       LDA   #$00
BB25-   8D EB B7    STA   $B7EB

; store at $4100
BB28-   A9 00       LDA   #$00
BB2A-   8D F0 B7    STA   $B7F0
BB2D-   A9 41       LDA   #$41
BB2F-   8D F1 B7    STA   $B7F1

; read
BB32-   A9 B7       LDA   #$B7
BB34-   A0 E8       LDY   #$E8
BB36-   20 00 BD    JSR   $BD00

; fail on read error
BB39-   B0 07       BCS   $BB42

; read entire track
BB3B-   CE ED B7    DEC   $B7ED
BB3E-   10 F2       BPL   $BB32

; continue at $BB45
BB40-   30 03       BMI   $BB45

; failure path is here -- reboot
; immediately (this explains the
; behavior I saw on my failed
; bit copy)
BB42-   4C 00 C6    JMP   $C600

; copy protection continues here
BB45-   EA          NOP
BB46-   EA          NOP
BB47-   EA          NOP

; sector $00
BB48-   A9 00       LDA   #$00
BB4A-   8D ED B7    STA   $B7ED

; write?!?
BB4D-   A9 02       LDA   #$02
BB4F-   8D F4 B7    STA   $B7F4

; call RWTS to write the sector we just
; read (back to T02,S00)
BB52-   A9 B7       LDA   #$B7
BB54-   A0 E8       LDY   #$E8
BB56-   20 00 BD    JSR   $BD00

; aha! if that *worked*, fail
BB59-   90 E7       BCC   $BB42

; restore original RWTS parameter table
BB5B-   A2 10       LDX   #$10
BB5D-   BD 69 40    LDA   $4069,X
BB60-   9D E8 B7    STA   $B7E8,X
BB63-   CA          DEX
BB64-   10 F7       BPL   $BB5D

; continue to real multi-sector read
BB66-   4C 93 B7    JMP   $B793

Did you catch that? This is a very
elaborate way of checking that the disk
is... write-protected.

To verify this, I went back to the copy
I made with EDD 4 bit copy, and write-
protected the disk. It boots right up
without complaint.

Anyway, Post-Demuffin Patcher already
figured all this out for me. Its patch
(changing the JSR $BB00 to JSR $B793 on
T00,S01) was the correct solution. My
demuffin'd copy works flawlessly, with
or without a write-protect tab. I just
thought it was interesting to peek
inside "The Safe."

Quod erat liberandum.

                   ~

               Changelog


2016-01-14

- typo

2014-12-16

- initial release

---------------------------------------
A 4am crack                     No. 178
------------------EOF------------------