-----------The Decades Game 3----------
A 4am crack
2016-01-26
---------------------------------------

Name: The Decades Game 3
Genre: educational
Year: 1983
Credits: written by Charles S. Goldstein
         computer graphics by Paul Kuhrman
         program edited by Mark Feldman
Publisher: BrainBank, Inc.
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none
Identical cracks: #589 The Decades Game 2

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address prologue/epilogue on
  every track, no particular pattern,
  each track is different (!)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set CHECKSUM ENABLED to "NO"
  T00 readable
  looks like a standard DOS 3.3 boot0,
  but the RWTS is missing or rearranged
  (for example, T00,S02 is entirely empty)

Why didn't COPYA work?
  modified prologues and epilogues

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  probably just structural protection
  (modified epilogue), no nibble check

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

~

Chapter 1
In Which We Attempt To Use The Original
Disk As A Weapon Against Itself And Go
On A Slight Detour

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1

Hmm, we got boot0 and boot1, but my
AUTOTRACE script can't find a DOS 3.3-
shaped RWTS. Which is not surprising,
since I couldn't find it either when I
looked with a sector editor. Let's see
what we have.

]BLOAD BOOT1,A$3600
]CALL -151

*FE89G FE93G
*B600<3600.3FFFM

*B700L
.
. [absolutely bog standard]
.
*B793L
.
. [absolutely bog standard]
.
*B7B5L
.
. [absolutely bog standard]
.
*BD00L

; looks like the standard RWTS entry
; point
BD00-   84 48       STY   $48
BD02-   85 49       STA   $49
BD04-   A9 02       LDA   #$02

; these addresses are non-standard
; (usually use holes in the text page)
BD06-   85 46       STA   $46
BD08-   0A          ASL
BD09-   8D 19 BA    STA   $BA19
BD0C-   A0 01       LDY   #$01
BD0E-   B1 48       LDA   ($48),Y
BD10-   8D 10 BA    STA   $BA10
BD13-   AA          TAX
BD14-   BD 8E C0    LDA   $C08E,X
BD17-   BD 8C C0    LDA   $C08C,X
BD1A-   BD 89 C0    LDA   $C089,X
BD1D-   A0 08       LDY   #$08
BD1F-   B1 48       LDA   ($48),Y
BD21-   85 3E       STA   $3E
BD23-   C8          INY
BD24-   B1 48       LDA   ($48),Y
BD26-   85 3F       STA   $3F
BD28-   A0 02       LDY   #$02

Poking around further, I stumbled upon
the non-standard entry points to read
the address prologue and epilogue. The
prologue matcher is the same as DOS 3.3
(but in a different memory location),
which leads me to believe there is some
sort of per-track routine that pokes in
the proper prologue values. But the
epilogue matcher looks like this:

*BBB4L

; get current sector
BBB4-   A4 2D       LDY   $2D
BBB6-   BD 8C C0    LDA   $C08C,X
BBB9-   10 FB       BPL   $BBB6

; part of the nibble translate table --
; so this disk actually has per-SECTOR
; epilogues, even within the same track
BBBB-   D9 21 BA    CMP   $BA21,Y
BBBE-   D0 AB       BNE   $BB6B
BBC0-   EA          NOP
BBC1-   BD 8C C0    LDA   $C08C,X
BBC4-   10 FB       BPL   $BBC1

; another part of the same table
BBC6-   D9 31 BA    CMP   $BA31,Y
BBC9-   D0 A0       BNE   $BB6B
BBCB-   18          CLC
BBCC-   60          RTS

I dunno, it looks normal enough that I
could just call it with an RWTS table to
read a sector. You know, like Advanced
Demuffin does.

*C500G
...
]BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B6, load "BOOT1" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5  (C) 1983, 2014
ORIGINAL BY THE STACK   UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
190 FREE

*A 007 HELLO
*A 056 AH12/NEW*#
*A 058 AH13/NEW*#
*A 059 AH14/NEW*#
*A 061 AH15/NEW*#
*A 065 AH11/NEW*#

]RUN HELLO
...works...

Now to make the disk be able to read
itself (remember, it still has the
original RWTS on it)...

Using Copy ][+, I can "copy DOS" from a
freshly initialized DOS 3.3 disk onto
the demuffin'd copy. This function of
Copy ][+ just sector-copies tracks 0-2
from one disk to another, but it's
easier than setting that up manually in
some other copy program.

Copy ][+
--> COPY
--> DOS
--> from slot 6, drive 2
--> to slot 6, drive 1

[S6,D1=demuffin'd copy]
[S6,D2=newly formatted DOS 3.3 disk]

...read read read...
...write write write...

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack No. 594
------------------EOF------------------
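Added illustration (not part of the 4am write-up, and not code from the Decades Game RWTS): a Python model of the per-sector address-epilogue matcher disassembled at $BBB4 in Chapter 1. It mirrors the two "LDA $C08C,X / BPL" spin loops (wait for a byte with bit 7 set), the two table lookups indexed by the current sector in Y, and the CLC/RTS success versus branch-to-error outcome. The two 16-entry tables are constructed sample values; the real ones live at $BA21 and $BA31 inside the disk's own RWTS and are not reproduced on the page. The point it makes runnable is the one the disassembly comments state: the same two trailing nibbles are valid for exactly one sector, and the standard DOS 3.3 epilogue is valid for none, which is why the stock copiers in Chapter 0 reported read errors while a bit copier succeeded.

```python
"""Model of the per-sector address-epilogue check at $BBB4.

Added example; tables below are CONSTRUCTED, not the disk's real $BA21/$BA31
contents (which the write-up does not reproduce).
"""

# One epilogue byte per sector ($00-$0F). Every entry has bit 7 set, as a
# valid disk nibble must: the BPL loops at $BBB6/$BBC1 spin until the data
# latch returns a byte >= $80.
EPILOGUE_TABLE_1 = [0x96, 0x97, 0x9A, 0x9B, 0x9D, 0x9E, 0x9F, 0xA6,
                    0xA7, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF, 0xB2, 0xB3]
EPILOGUE_TABLE_2 = [0xB4, 0xB5, 0xB6, 0xB7, 0xB9, 0xBA, 0xBB, 0xBC,
                    0xBD, 0xBE, 0xBF, 0xCB, 0xCD, 0xCE, 0xCF, 0xD3]

# What an unmodified DOS 3.3 RWTS (and therefore COPYA) expects after the
# address field. Neither byte appears in the constructed tables above.
STANDARD_DOS33_EPILOGUE = (0xDE, 0xAA)


def read_nibble(stream):
    """Emulate 'LDA $C08C,X / BPL': discard bytes until bit 7 is set."""
    for byte in stream:
        if byte & 0x80:
            return byte
    raise EOFError("no valid nibble left on the stream")


def check_epilogue(nibbles, sector):
    """Return True on the CLC/RTS path, False on either BNE $BB6B branch.

    `sector` stands in for Y, loaded from $2D (the page's comment calls it
    the current sector). `nibbles` is a constructed sequence of bytes as
    the data latch would present them after the address field.
    """
    if not 0 <= sector <= 0x0F:
        raise ValueError("sector must be $00-$0F")
    stream = iter(nibbles)          # both reads consume the same stream
    if read_nibble(stream) != EPILOGUE_TABLE_1[sector]:   # CMP $BA21,Y
        return False
    if read_nibble(stream) != EPILOGUE_TABLE_2[sector]:   # CMP $BA31,Y
        return False
    return True                     # CLC / RTS


def epilogue_for(sector):
    """The two bytes the matcher wants to see for a given sector."""
    return (EPILOGUE_TABLE_1[sector], EPILOGUE_TABLE_2[sector])


def sectors_accepting(nibbles):
    """Which sector numbers would accept this epilogue? Expect one or none."""
    return [s for s in range(16) if check_epilogue(nibbles, s)]


if __name__ == "__main__":
    for sec in range(16):
        print(f"sector ${sec:X}: epilogue {epilogue_for(sec)[0]:02X} "
              f"{epilogue_for(sec)[1]:02X} -> accepted by "
              f"{sectors_accepting(epilogue_for(sec))}")
    print("standard DE AA accepted by:",
          sectors_accepting(STANDARD_DOS33_EPILOGUE))
```

Run it directly to see that each constructed epilogue is accepted by exactly one sector number and the standard DE AA pair by none. The model deliberately ignores timing and the drive-stepping side of the RWTS; it captures only the comparison logic visible in the dozen instructions on the page.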