-------------Micro Habitats------------
A 4am crack
2017-01-16
---------------------------------------

Name: Micro Habitats Construction Set
Genre: educational
Year: 1984
Credits: Software Productions
Publisher: Reader's Digest Software
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom
Previous cracks: none
Identical cracks: #964 Alphabet Beasts & Company

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  reads track $00-$02 and track $11, but nothing else

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T00-T02 -> standard
  T03-T10 -> modified data prologue ("D5 AA D5" instead of "D5 AA AD")
  T11     -> standard
  T12-T22 -> modified data prologue (same as T03-T10)

Disk Fixer
  T00 -> bootloader starts off like Apple DOS 3.3 but quickly goes off into custom code
  ["O" -> "Input/Output Control"]
  set Address Prologue to "D5 AA D5"
  Success! T03-T10 and T12+ readable!

Why didn't COPYA work?
  modified data prologue

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check (just structural changes to prologues and epilogues)

Next steps:

1. Convert the non-standard tracks with Super Demuffin
2. Sector copy the standard tracks
3. Patch bootloader to read the now-standard data prologue
4. Declare victory (*)

(*) go to the gym

~

Chapter 1
In Which We Use The Right Tool For The Job, Twice

Super Demuffin is a cracker's utility built on top of Locksmith Fast Disk Copy. It takes a disk that uses non-standard but uniform address and data prologue and epilogue bytes, and it converts it to a standard disk format. In this case, I expect it will only be able to convert tracks $03-$10 and tracks $12-$22. That's OK; I'll use Copy II Plus manual sector copy to copy the other tracks later.

When you first run Super Demuffin, it asks for the parameters of the original disk.
In this case, the epilogue bytes are the same, but the data prologue is "D5 AA D5" instead of "D5 AA AD".

--v--
SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast

                 Address prologue: D5 AA 96
                 Address epilogue: DE AA EB
DISK ORIGINAL
                 Data prologue:    D5 AA D5
                                         ^^ change from AD
                 Data epilogue:    DE AA EB

Ignore write errors while demuffining!

D - Edit parameters
  - Advance to next parm
  - Exit edit mode
R - Restore DOS 3.3 parameters
O - Edit Original disk's parameters
C - Edit Copy disk's parameters
G - Begin demuffin process
--^--

Pressing "G" switches to the Locksmith Fast Disk Copy UI. It assumes that both disks are in slot 6, and that drive 1 is the original and drive 2 is the copy.

[S6,D1=original disk]
[S6,D2=blank disk]

--v--
LOCKSMITH 7.0 FAST DISK BACKUP

R***..............*.................
W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
0DDD..............D.................
1DDD..............D.................
2DDD..............D.................
3DDD..............D.................
4DDD..............D.................
5DDD..............D.................
6DDD..............D.................
7DDD..............D.................
8DDD..............D.................
9DDD..............D.................
ADDD..............D.................
BDDD..............D.................
CDDD..............D.................
DDDD..............D................. 12
EDDD..............D.................
FDDD..............D.................
[ ] PRESS [RESET] TO EXIT
--^--

As expected, tracks $00-$02 and $11 are unreadable with these non-standard RWTS parameters (because they're standard). But everything else converted cleanly, so I've got that going for me, which is nice.

Turning to my trusty Copy II Plus... (Version 8.4 please; later versions are buggy. Not in the specific feature we're using here, but why increase your mental load by working around bugs that will never be fixed?)
Turning to my trusty Copy II Plus... I select COPY / BIT COPY / MANUAL SECTOR COPY so I can copy just the tracks I want: tracks $00-$02.

--v--
COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
ORIGINAL DRIVE:      1
DUPLICATE DRIVE:     2
ENTER START TRACK:   0
ENTER END TRACK:     2      <-- change this
TRACK INCREMENT:     1
USING SECTOR COPY
---------------------------------------
-- INSERT DISKETTES --
RETURN TO BEGIN   Q TO QUIT
ESC TO RESTART    / TO MODIFY
--^--

That works flawlessly, as expected. (Even COPYA had no problem with these tracks. They're as standard as they come.)

I repeat the manual sector copy with track $11. (Copy II Plus expects track numbers in hex, so enter "11" for both the start and end track.)

Now I have the entire disk in a standard format. But of course it won't work yet, because the RWTS is still expecting certain tracks to use a non-standard data prologue.

[S6,D1=non-working copy]
]PR#6

...works...

Wait, what?

~

Chapter 2
In Which We Angrily Investigate Why We Suddenly Have A Working Copy

Poking through track $00, I found the code to match the custom data prologue. It turns out to be quite... flexible:

--v--
T00,S03
----------- DISASSEMBLY MODE ----------
00DC:A0 20      LDY   #$20
00DE:88         DEY
00DF:F0 61      BEQ   $0142
00E1:BD 8C C0   LDA   $C08C,X
00E4:10 FB      BPL   $00E1
00E6:49 D5      EOR   #$D5
00E8:D0 F4      BNE   $00DE
00EA:EA         NOP
00EB:BD 8C C0   LDA   $C08C,X
00EE:10 FB      BPL   $00EB
00F0:C9 AA      CMP   #$AA
00F2:D0 F2      BNE   $00E6
00F4:A0 56      LDY   #$56
00F6:BD 8C C0   LDA   $C08C,X
00F9:10 FB      BPL   $00F6
00FB:C9 AA      CMP   #$AA
00FD:F0 F7      BEQ   $00F6     <-- !
--^--

Did you see that? It matches #$D5 for the first nibble and #$AA for the second, as usual. But for the third nibble, it matches any value EXCEPT #$AA. If it finds #$AA, it loops back to offset $F6 to read another nibble.

That explains how some tracks on the original disk can use a standard data prologue while others are non-standard. This code doesn't care either way.
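To make the control flow of that loop concrete, and to tie it back to the Chapter 0 failures, here is a small Python model I wrote for this write-up (it is not code from the disk or from 4am). It walks the matcher at $00DC-$00FD instruction by instruction over constructed nibble streams, beside a deliberately simplified model of what a stock DOS 3.3 RWTS demands (the exact sequence D5 AA AD). The stream contents, the `TIMEOUT` window for the DOS 3.3 model, and all function names are my own assumptions; the real LDA $C08C,X / BPL pairs spin until the drive delivers a byte with the high bit set, which the model replaces with a plain list read.

```python
"""Model of the data-prologue matcher disassembled from T00,S03 ($00DC-$00FD).

Added illustration, not code from the write-up or the disk.  All nibble
streams below are constructed for the demonstration.
"""

TIMEOUT = 0x20                           # LDY #$20: candidates tried before giving up
PROLOGUE_STANDARD = (0xD5, 0xAA, 0xAD)   # DOS 3.3 data prologue


class _OutOfNibbles(Exception):
    """Raised when a constructed stream runs dry (a spinning drive never does)."""


def custom_prologue_match(nibbles):
    """Return the index just past the prologue, or None if the loop times out.

    Mirrors the disassembly: D5, then AA, then any nibble except AA.
    A non-AA second nibble is re-tested as a D5 ($00F2 -> $00E6), and an
    AA third nibble is skipped and another nibble read ($00FD -> $00F6).
    """
    pos = 0

    def read():                            # stands in for LDA $C08C,X / BPL
        nonlocal pos
        if pos == len(nibbles):
            raise _OutOfNibbles
        pos += 1
        return nibbles[pos - 1]

    y = TIMEOUT
    try:
        while True:
            y -= 1                         # $00DE DEY
            if y == 0:                     # $00DF BEQ $0142: give up
                return None
            a = read()                     # $00E1
            while a == 0xD5:               # $00E6 EOR #$D5 / $00E8 BNE $00DE
                a = read()                 # $00EB
                if a != 0xAA:              # $00F0 CMP #$AA / $00F2 BNE $00E6
                    continue               # re-test this nibble as a D5
                a = read()                 # $00F6 ($00F4 LDY #$56 sets up the data field)
                while a == 0xAA:           # $00FB CMP #$AA / $00FD BEQ $00F6
                    a = read()
                return pos                 # third nibble accepted; data field follows
    except _OutOfNibbles:
        return None


def standard_prologue_match(nibbles, window=TIMEOUT):
    """Simplified stand-in for a stock DOS 3.3 RWTS: the exact sequence
    D5 AA AD must appear within `window` nibbles or the read fails.
    (The real RWTS has its own retry loop; only the exact match matters here.)
    """
    for i in range(min(window, len(nibbles) - 2)):
        if tuple(nibbles[i:i + 3]) == PROLOGUE_STANDARD:
            return i + 3
    return None


def which_rwts_reads(track):
    """Report whether each matcher accepts a track (constructed nibble list)."""
    return {
        "dos33": standard_prologue_match(track) is not None,
        "custom": custom_prologue_match(track) is not None,
    }


# Constructed streams: a little self-sync padding, a prologue, a few data nibbles.
STANDARD_TRACK = [0xFF, 0xFF, 0xD5, 0xAA, 0xAD, 0x96, 0x97, 0x9A]   # like T00-T02, T11
MODIFIED_TRACK = [0xFF, 0xFF, 0xD5, 0xAA, 0xD5, 0x96, 0x97, 0x9A]   # like T03-T10, T12+
SYNC_ONLY      = [0xFF] * 64                                          # no prologue at all
DOUBLE_D5      = [0xD5, 0xD5, 0xAA, 0xAD, 0x96]                       # exercises $00F2 -> $00E6
PADDED_THIRD   = [0xD5, 0xAA, 0xAA, 0xAA, 0x96]                       # exercises $00FD -> $00F6

if __name__ == "__main__":
    for name, track in [("standard", STANDARD_TRACK), ("modified", MODIFIED_TRACK),
                        ("sync only", SYNC_ONLY), ("double D5", DOUBLE_D5),
                        ("padded third", PADDED_THIRD)]:
        print(f"{name:13s} dos33={standard_prologue_match(track)} "
              f"custom={custom_prologue_match(track)}")
```

The two result columns are the whole story of the crack: the DOS 3.3 model rejects the modified tracks (which is all COPYA and Locksmith FDB had to work with), while the loader's own matcher accepts the standard and the modified prologue alike, so demuffining the odd tracks back to D5 AA AD changes nothing it cares about. The `SYNC_ONLY` stream also shows the $20-nibble timeout doing its job rather than reading forever.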
And now that every track on my copy uses a standard data prologue, this code still doesn't care. So no RWTS patches are required.

Quod erat liberandum.

---------------------------------------
A 4am crack No. 969
------------------EOF------------------