--------Snack Attack and Friends-------
A 4am crack                  2016-11-08
---------------------------------------

Name: Snack Attack and Friends
Genre: arcade
Year: 1983
Author: Dan Illowsky
Publisher: Funtastic, Inc.
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom
Previous cracks: none (of this
  compilation)

This disk is a compilation of three
games. Two were previously released as
individual disks by Datamost.


                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  reads track $00, nothing more

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T00 -> standard
  T01-T20 -> modified address prologue
    ("D5 AA AA" instead of "D5 AA 96")
  T21-T22 -> unformatted (hi-res disk
    scan confirms this)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Prologue to "D5 AA AA"
  Success! T01-T20 readable!
  T00 -> totally custom bootloader

Why didn't COPYA work?
  modified address prologue

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Next steps:

  1. Sector-copy T00
  2. Build an RWTS to copy T01-T20
  3. Patch bootloader to read the
     now-standard address prologue


                   ~

               Chapter 1
   In Which We Use The Original Disk
      As A Weapon Against Itself
        And It Goes Swimmingly


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
]CALL -151

; copy RWTS
*3800

At $B8, load "RWTS 1+" from D1

["6" to switch to slot 6]

["C" to convert disk]

["Y" to change default values]

                --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================

INPUT ALL VALUES IN HEX

SECTORS PER TRACK? (13/16) 16

START TRACK: $01        <-- change this
START SECTOR: $00

END TRACK: $20          <-- change this
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $01,$00-$20,$0F BY1.0 S6,D1->S6,D2

                --^--

And here we go...

                --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:  ................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:  ................................
SC1:  ................................
SC2:  ................................
SC3:  ................................
SC4:  ................................
SC5:  ................................
SC6:  ................................
SC7:  ................................
SC8:  ................................
SC9:  ................................
SCA:  ................................
SCB:  ................................
SCC:  ................................
SCD:  ................................
SCE:  ................................
SCF:  ................................
=======================================
16SC $01,$00-$20,$0F BY1.0 S6,D1->S6,D2

                --^--

[S6,D1=non-working copy]

]PR#6
...grinds...

The disk can not read itself, because
it is still looking for the nonstandard
address prologue.


                   ~

               Chapter 2
       One Byte To Rule Them All


A quick sector search for "C9 AA" finds
the disk's (quite minimal) RWTS on
track $00.

T00,S07
----------- DISASSEMBLY MODE ----------
004C:18         CLC
004D:08         PHP
004E:BD 8C C0   LDA   $C08C,X
0051:10 FB      BPL   $004E
0053:49 D5      EOR   #$D5
0055:D0 F7      BNE   $004E
0057:BD 8C C0   LDA   $C08C,X
005A:10 FB      BPL   $0057
005C:C9 AA      CMP   #$AA
005E:D0 F3      BNE   $0053
0060:EA         NOP
0061:BD 8C C0   LDA   $C08C,X
0064:10 FB      BPL   $0061
0066:C9 AA      CMP   #$AA          <--
0068:F0 09      BEQ   $0073
006A:28         PLP
006B:90 DF      BCC   $004C
006D:49 AD      EOR   #$AD
006F:F0 25      BEQ   $0096
0071:D0 D9      BNE   $004C

This RWTS is structured like the drive
controller firmware at $C600. On the
first loop, it reads the address
prologue; on the second loop, the data
prologue. The only difference is the
third nibble, which (for the address)
is checked at byte offset $67.

T00,S07,$67: AA -> 96

]PR#6
...works...

Quod erat liberandum.

---------------------------------------

A 4am crack                     No. 896

------------------EOF------------------
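
Added example (not part of the original
write-up): a Python model of the
prologue matcher disassembled in
Chapter 2, run against constructed
nibble streams for an original-format
and a converted sector header. The
function names, the sample address
field and the carry-set re-entry at
$004D (inferred from the $C600-style
structure) are assumptions.

```python
# Added example: model of the prologue matcher at $004C-$0071 (T00,S07).
ORIGINAL, PATCHED = 0xAA, 0x96  # byte at T00,S07,$67 before/after the patch

def find_prologue(nibbles, addr_third, carry=False):
    """Return ("address"|"data", index just past the prologue) or None.

    carry=False models entry at $004C (CLC): hunting an address field.
    carry=True models re-entry at $004D with carry set, hunting the data
    field (assumption: the code past $0073 is not shown on the page).
    """
    it = iter(enumerate(nibbles))
    try:
        while True:
            _, n = next(it)                # $004E LDA $C08C,X
            while True:
                while n != 0xD5:           # $0053 EOR #$D5 / BNE $004E
                    _, n = next(it)
                _, n = next(it)            # $0057 second nibble
                if n == 0xAA:              # $005C CMP #$AA
                    break
                # $005E BNE $0053: retest this same nibble as a new D5
            i, n = next(it)                # $0061 third nibble
            if n == addr_third:            # $0066 CMP #$AA (patched: #$96)
                return ("address", i + 1)  # $0068 BEQ $0073
            if carry and n == 0xAD:        # $006B BCC / $006D EOR #$AD
                return ("data", i + 1)     # $006F BEQ $0096
            carry = False                  # both failure paths hit CLC
    except StopIteration:
        return None                        # ran out of track: "grinds"

def sector(addr_third):
    """Constructed sample: one sector header plus its data prologue."""
    sync = [0xFF] * 5
    # 4-and-4 encoded volume $FE, track $01, sector $00, checksum $FF
    field = [0xFF, 0xFE, 0xAA, 0xAB, 0xAA, 0xAA, 0xFF, 0xFF]
    return (sync + [0xD5, 0xAA, addr_third] + field
            + [0xDE, 0xAA, 0xEB] + sync + [0xD5, 0xAA, 0xAD])

if __name__ == "__main__":
    for disk, third in (("original T01", 0xAA), ("converted T01", 0x96)):
        for rwts, cmp_byte in (("original RWTS", ORIGINAL),
                               ("patched RWTS", PATCHED)):
            print(disk, "/", rwts, "->",
                  find_prologue(sector(third), cmp_byte))
```

The unpatched matcher returns None on
the converted sector, which is the
"grinds" case from Chapter 1; with $96
at offset $67 it accepts the address
prologue and then the data prologue.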