----------The Invoice Factory----------
A 4am crack                  2017-01-09
---------------------------------------

Name: The Invoice Factory
Version: 1.5
Genre: productivity
Year: 1981
Publisher: MicroLab, Inc.
Media: 2 single-sided 5.25-inch disks
OS: DOS 3.3
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  read error on first pass

Locksmith Fast Disk Backup
  unable to read track $03+

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T03+ use modified data prologue
  ("D5 AA B5" instead of "D5 AA AD")

Disk Fixer
  T00 -> looks like DOS 3.3 bootloader
  T01,S09 -> startup program is "ABC"
  ["O" -> "Input/Output Control"]
    set Data Prologue to "D5 AA B5"
  still can't read track $03 or higher,
  not sure why
  ["O" -> "Input/Output Control"]
    set CHECKSUM ENABLED to "NO"
  Success! Now able to read the rest of
  the disk (tracks $03+)

Why didn't COPYA work?
  data prologue modified after DOS load

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself
       And It Goes Rather Poorly


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC1:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC2:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC3:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC4:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC5:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC6:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC7:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC8:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC9:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCA:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCB:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCC:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCD:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCE:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCF:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Right. I could have predicted that.
Somewhere after DOS loads, it changes
the RWTS to read the modified format of
tracks $03+.

Let's find out where.

                   ~

               Chapter 2
  In Which It All Comes Down To 1 Bit


*9600<C600.C6FFM

96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C
9707-   4C 01 08    JMP   $0801
970A-   A9 4C       LDA   #$4C
970C-   8D 47 B7    STA   $B747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 B7    STA   $B748
9714-   A9 97       LDA   #$97
9716-   8D 49 B7    STA   $B749
9719-   4C 00 B7    JMP   $B700
971C-   A2 23       LDX   #$23
971E-   A0 00       LDY   #$00
9720-   B9 00 9D    LDA   $9D00,Y
9723-   99 00 2D    STA   $2D00,Y
9726-   C8          INY
9727-   D0 F7       BNE   $9720
9729-   EE 22 97    INC   $9722
972C-   EE 25 97    INC   $9725
972F-   CA          DEX
9730-   D0 EE       BNE   $9720
9732-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$135
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2 9D00,A$2D00,L$2300
]CALL -151

*FE89G FE93G      ; disconnect real DOS

*9D00<2D00.4FFFM  ; move DOS into place

*9D84L
.
. [normal DOS stuff]
.
9E4D-   4C F0 A4    JMP   $A4F0

OK, that is not normal. That usually
goes to $A180 to complete the late-
stage DOS initialization and execute
the startup program.

*A4F0L

A4F0-   20 61 BC    JSR   $BC61
A4F3-   4C 80 A1    JMP   $A180

So we do end up at $A180... eventually.
But first we're doing something at
$BC61. In a standard DOS, this is not
an entry point; it's in the middle of
the routine at $BC56 that writes the
address field during initialization.

*BC61L

BC61-   A9 01       LDA   #$01
BC63-   8D 00 B9    STA   $B900
BC66-   A9 B5       LDA   #$B5
BC68-   8D FC B8    STA   $B8FC
BC6B-   60          RTS

This is very interesting. The second
store changes the third data prologue
from #$AD to #$B5. I knew that already,
based on my initial investigation with
a nibble editor. But what I didn't know
until now was why I couldn't read track
$03 and above with a sector editor,
even after changing the data prologue
parameters.

The first store explains why: it's
changing the initial value of the data
field checksum to #$01 (from #$00). On
a standard disk, the RWTS calculates a
checksum by XOR'ing all the values in
the data field and comparing it to the
checksum value, which is stored on disk
just before the data epilogue. On this
disk, the RWTS calculates a checksum,
but it starts the calculation at #$01
instead of #$00. If you don't know this
and try to read those sectors with a
third-party tool (as I did), every
sector's checksum will be off by 1 bit.
My sector editor was trying to verify
the data field of each sector, but it
couldn't, because every sector is
intentionally corrupted in a specific
way.

But wait! This program can read and
write data from standard user-supplied
data disks. That means there must be a
routine that reverses this damage --
changing the third nibble of the data
prologue back to #$AD and the initial
data field checksum back to #$00.

It didn't take long to find it.

*BC56L

BC56-   A9 00       LDA   #$00
BC58-   8D 00 B9    STA   $B900
BC5B-   A9 AD       LDA   #$AD
BC5D-   8D FC B8    STA   $B8FC
BC60-   60          RTS

So this answers two questions at once.
First, how can I read tracks $03-$22?
By applying the RWTS patches at $BC61.
Second, how can I ensure that my crack
continues to work with user-supplied
data disks? By disabling the routine at
$BC61 altogether.

                   ~

               Chapter 3
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself
                 Again
       And It Goes About As Well
          As Can Be Expected


; apply RWTS patches
*BC61G

; move RWTS out of the way so it
; survives a reboot
*3800<B800.BFFFM

; reboot my work disk
*C500G
...

; save patched RWTS
]BSAVE RWTS 3+,A$3800,L$800

Now I can use this patched RWTS file to
convert tracks $03-$22.

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

["Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $03        <-- change this
START SECTOR: $00
END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

[S6,D1=original disk]
[S6,D2=partially demuffin'd disk]

And here we go...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:   ................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:   ................................
SC1:   ................................
SC2:   ................................
SC3:   ................................
SC4:   ................................
SC5:   ................................
SC6:   ................................
SC7:   ................................
SC8:   ................................
SC9:   ................................
SCA:   ................................
SCB:   ................................
SCC:   ................................
SCD:   ................................
SCE:   ................................
SCF:   ................................
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Now I can disable the RWTS patching
routine by putting an "RTS" at $BC61:

T00,S06,$61: A9 -> 60

]PR#6
...works, and it is glorious...

Quod erat liberandum.

                   ~

            Acknowledgments


Thanks to @L1ttl3john for the original
disks.

---------------------------------------
A 4am crack                     No. 949
------------------EOF------------------