--------Mr. and Mrs. Potato Head------- A 4am crack 2016-01-21 --------------------------------------- Name: Mr. and Mrs. Potato Head Genre: educational Year: 1985 Publisher: Random House, Inc. Media: double-sided 5.25-inch floppy OS: Diversi-DOS Previous cracks: none Identical cracks: #467 Snoopy to the Rescue #441 Garfield Double Dares #188 Garfield, Eat Your Words many other Random House titles Both sides are bootable. I'll start with side A. _____________________________ { } { "Taters gonna tate." } { } { - No one. No one has } { ever said this. } {_____________________________} ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways, And We Keep Our Eyes Peeled COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) copy works Copy ][+ nibble editor all tracks use standard prologues (address: D5 AA 96, data: D5 AA AD) but modified address epilogue (AA DE EB instead of DE AA EB) Disk Fixer ["O" -> "Input/Output Control"] set Address Epilogue to "AA DE EB" Success! All tracks readable! T00 -> looks like a DOS 3.3 RWTS T11 -> DOS 3.3 disk catalog T01,S09 -> startup program is "STEX" Why didn't COPYA work? modified epilogue bytes (every track) Why didn't Locksmith FDB work? modified epilogue bytes (every track) EDD worked. What does that tell us? probably just structural protection (modified epilogue), no nibble check Next steps: 1. capture RWTS with AUTOTRACE 2. convert disk to standard format with Advanced Demuffin 3. patch RWTS to read standard format ~ Chapter 1 Cracking Ain't No Spec-tater Sport [S6,D1=original disk] [S6,D2=blank disk] [S5,D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS ]BRUN ADVANCED DEMUFFIN 1.5 ["5" to switch to slot 5] ["R" to load a new RWTS module] --> At $B8, load "RWTS" from drive 1 ["6" to switch to slot 6] ["C" to convert disk] --v-- ADVANCED DEMUFFIN 1.5 (C) 1983, 2014 ORIGINAL BY THE STACK UPDATES BY 4AM =======PRESS ANY KEY TO CONTINUE======= TRK:................................... +.5: 0123456789ABCDEF0123456789ABCDEF012 SC0:................................... SC1:................................... SC2:................................... SC3:................................... SC4:................................... SC5:................................... SC6:................................... SC7:................................... SC8:................................... SC9:................................... SCA:................................... SCB:................................... SCC:................................... SCD:................................... SCE:................................... SCF:................................... ======================================= 16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2 --^-- ]PR#5 ]CATALOG,S6,D2 C1983 DSR^C#254 047 FREE A 004 HELLO B 011 P1 B 004 P2 B 012 P3 B 010 P4 B 006 P5 B 009 P6 B 027 P7 B 021 P8 B 012 A1 B 004 A2 B 011 A3 B 006 A5 B 010 A6 B 027 A7 B 010 APRIL B 003 JCL.OBJ II A 012 ST A 020 ANIM B 005 RH.PAC B 017 TI.PAC B 015 B4.PAC B 011 B3.PAC B 011 B2.PAC B 011 B5.PAC B 010 A4 A 003 CREDITS B 011 WO.PAC B 015 B1.PAC B 002 SNDS B 002 TI.MSC B 004 MS B 009 CR.PAC B 009 OPT1 A 018 MAIN B 003 MENU1.PAC B 007 ACONS B 021 A8 B 002 ALI A 023 ORIGIN B 006 BPLATE.CPRS B 009 CONDENSED B 006 STEX ]BRUN STEX ...works... [S6,D1=demuffin'd copy] ]PR#6 ...grinds then crashes... The demuffin'd disk can't read itself. This is not unusual. ~ Chapter 2 I Crack, Therefore I Yam [S6,D1=demuffin'd copy] [S5,D1=my work disk] ]PR#5 ]BRUN PDP ; fix epilogue byte checking in RWTS T00,S03,$91 change AA to DE T00,S03,$9B change DE to AA T00,S06,$AE change AA to DE T00,S06,$B3 change DE to AA Side B has identical protection. Quod erat liberandum. --------------------------------------- A 4am crack No. 587 ------------------EOF------------------