------------The Math Doctor------------
A 4am crack                  2017-01-20
---------------------------------------

Name: The Math Doctor
Genre: educational
Year: 1984
Credits: Barbara Signer
Publisher: Modern Education Corporation
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none


                   ~

               Chapter 0
   In Which The Tools Almost Save Us

This disk was partially cracked by
Passport. Here is the transcript:

                 --v--

READING FROM S6,D1
T00,S00 FOUND DOS 3.3 BOOTLOADER
USING DISK'S OWN RWTS
WRITING TO S5,D2
T00,S03,$91: AA -> DE
T00,S03,$35: AA -> DE
T00,S06,$AE: AA -> DE
T00,S02,$9E: AA -> DE

CRACK COMPLETE.

                 --^--

More information and source code are
available at
https://archive.org/details/Passport4am

The disk now boots, which is definitely
the sort of thing you want a disk to
do. However, it also has the capability
to save data to a user-supplied disk in
a standard format, which means...

Dun dun dun...

An RWTS swapper!

After selecting FILE from the main
menu and then going back to the main
menu, the program presents the
following error:

                 --v--

UNABLE TO LOCATE MATH DOCTOR

MAKE SURE THAT MATH DOCTOR IS IN
DISK DRIVE 1, THEN PRESS ANY KEY.

                 --^--

So let's see what we can do about that.


                   ~

               Chapter 1
             We POKE Along

Attempts to break out of the program
are unsuccessful. However, since the
disk is now in a standard format, I can
boot any third-party disk and poke
around.

[S6,D1=DOS 3.3 system master]
[S6,D2=non-working copy]

]PR#6
...
]CATALOG,D2

DISK VOLUME 254

*A 007 HELLO
*B 034 MEC F.PIC
*B 034 MD3.PIC
*A 005 MAIN MENU
*A 073 MATH DOCTOR
*A 004 TITLE PAGES
*T 002 NUM CON
*T 002 ADDITION
*T 002 SUBTRACTION
*T 002 INTERM
*T 002 MULTIPLY
*T 002 DIVISION
*T 003 FRACTIONS
*A 020 FILE

                 --^--

]LOAD MAIN MENU
]LIST
...
 70  GET AN$
 75  PRINT AN$
 77  VTAB 23: HTAB 19: PRINT " ":
     VTAB 23: HTAB 19
 78  IF AN$ < > "T" AND AN$ < >
     "F" THEN 70
 79  HOME : VTAB 12: HTAB 10: PRINT
     "LOADING ---- PLEASE WAIT"
 80  IF AN$ = "T" THEN PRINT D$;
     "RUN MATH DOCTOR"
 90  IF AN$ = "F" THEN PRINT D$;
     "RUN FILE"
 100  GOTO 70

Nothing RWTS-related here, but we're
either running MATH DOCTOR or FILE,
depending on the user's choice.

]LOAD FILE
]LIST

 0  REM ONE MOMENT PLEASE ------
     -FP
 1  POKE 214,255: DIM D$(20):
     POKE 47262,222: POKE 47505,222:
     POKE 47413,222: POKE 48302,222
 2  GOSUB 2000
 3  ONERR GOTO 3
 4  MS = 1
 5  POKE 34,0: POKE 47262,222:
     POKE 47505,222: POKE 47413,222:
     POKE 48302,222
 7  REM ONE MOMENT PLEASE ------
     -FP
.
.
.
 154  POKE 47262,170: POKE 47505,
     170: POKE 47413,170: POKE 48
     302,170
 155  PRINT CHR$ (4);"RUN MAIN M
     ENU, D1"

Aha! Those POKE commands in the 47xxx
and 48xxx range are hitting DOS areas.

47262 = $B89E
47505 = $B991
47413 = $B935
48302 = $BCAE

Those four memory locations correspond
to the four patches that Passport made.
Lines 1 and 5 set the RWTS to standard
values (#$DE as the first epilogue).
Line 154 sets them to protected values
(#$AA for the first epilogue) to read
the original disk.

Since our disk is no longer "original,"
we no longer need to POKE the RWTS back
and forth. In the spirit of making my
changes as minimal as possible (even if
it makes my job harder), I decided to
change the "POKE" commands to "REM". I
don't think this disk does anything
fancy with embedding hidden code within
the BASIC programs, but altering and
"SAVE"ing a program is surprisingly
disruptive, so let's do this in a hex
editor.

Turning to my trusty Copy ][+ sector
editor (version 5.5, which can follow
files), I follow the "FILE" program and
see the underlying Applesoft opcodes
look like this:

                 --v--

SECTOR EDITOR                    DISK B

00- AC 12 24 08 00 00 B2 20 ,R$H@@2
08- 4F 4E 45 20 4D 4F 4D 45 ONE MOME
10- 4E 54 20 50 4C 45 41 53 NT PLEAS
18- 45 20 2D 2D 2D 2D 2D 2D E ------
20- 2D 04 46 50 00 65 08 01 -DFP@%HA
28- 00 B9 32 31 34 2C 32 35 @9214,25
30- 35 3A 86 44 24 28 32 30 5:.D$(20
38- 29 3A B9 34 37 32 36 32 ):947262
          ^^ ^^^^^^^^^^^^^^
          POKE 47262
40- 2C 32 32 32 3A B9 34 37 ,222:947
48- 35 30 35 2C 32 32 32 3A 505,222:
50- B9 34 37 34 31 33 2C 32 947413,2
58- 32 32 3A B9 34 38 33 30 22:94830
60- 32 2C 32 32 32 00 6F 08 2,222@/H
68- 02 00 B0 32 30 30 30 00 B@02000@
70- 77 08 03 00 A5 AB 33 00 7HC@%+3@
78- 80 08 04 00 4D 53 D0 31 .HD@MSP1
80- 00 B6 08 05 00 B9 33 34 @6HE@934

TRACK $05, SECTOR $A            DOS 3.3

[?]-HELP SCREEN

                 --^--

Changing byte $3A from $B9 to $B2 will
change the "POKE" on line 1 to a "REM"
statement, which will disable that POKE
and all the other commands on line 1.
The POKE on line 5 is at byte $8B.

Following the file, I find the POKE on
line 154 is at T15,S0F,$5C.

Scanning the rest of the disk for the
hex sequence "B9 34 37 32 36 32" (the
opcodes for "POKE 47262"), I discover
that there are similar POKE commands in
the "MATH DOCTOR" program.

All told, these patches will disable
all RWTS-related POKEs:

T05,S0A,$3A: B9 -> B2 \
T05,S0A,$8B: B9 -> B2  } FILE program
T15,S0F,$5C: B9 -> B2 /

T14,S05,$5C: B9 -> B2 \  MATH DOCTOR
T15,S07,$BA: B9 -> B2 /  program

After extensive testing, I can find no
other RWTS-related code.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 978
------------------EOF------------------
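
Added example (not part of the original write-up and not Passport's code): the scan-and-patch step described above, done on a disk image in Python instead of a sector editor. It assumes a DOS-order .dsk layout, and the sample image is constructed from the sector editor bytes shown above, with the three bytes after $87 inferred from the listing of line 5.

```python
# Added example: sample data is constructed, not read from the real disk.
SECTOR, PER_TRACK, TRACKS = 256, 16, 35   # DOS-order .dsk geometry (assumed)
POKE, REM = 0xB9, 0xB2                    # Applesoft tokens named on the page
NEEDLE = bytes([POKE]) + b"47262"         # B9 34 37 32 36 32

# Bytes $00-$87 of T05,S0A, transcribed from the sector editor screen.
DUMP = bytes.fromhex("""
AC 12 24 08 00 00 B2 20 4F 4E 45 20 4D 4F 4D 45
4E 54 20 50 4C 45 41 53 45 20 2D 2D 2D 2D 2D 2D
2D 04 46 50 00 65 08 01 00 B9 32 31 34 2C 32 35
35 3A 86 44 24 28 32 30 29 3A B9 34 37 32 36 32
2C 32 32 32 3A B9 34 37 35 30 35 2C 32 32 32 3A
B9 34 37 34 31 33 2C 32 32 32 3A B9 34 38 33 30
32 2C 32 32 32 00 6F 08 02 00 B0 32 30 30 30 00
77 08 03 00 A5 AB 33 00 80 08 04 00 4D 53 D0 31
00 B6 08 05 00 B9 33 34
""")

def sample_image():
    """Blank image holding the dump plus the start of line 5's second POKE."""
    img = bytearray(SECTOR * PER_TRACK * TRACKS)
    base = (0x05 * PER_TRACK + 0x0A) * SECTOR
    data = DUMP + b",0:" + NEEDLE          # continuation inferred from the LIST
    img[base:base + len(data)] = data
    return bytes(img)

def find_pokes(image):
    """Return (track, sector, offset) for each tokenized POKE 47262."""
    hits, pos = [], image.find(NEEDLE)
    while pos != -1:
        track, rest = divmod(pos, SECTOR * PER_TRACK)
        hits.append((track, *divmod(rest, SECTOR)))
        pos = image.find(NEEDLE, pos + 1)
    return hits

def patch(image):
    """Turn each hit's POKE token into REM; return (image, patch log)."""
    out, log = bytearray(image), []
    for t, s, off in find_pokes(image):
        out[(t * PER_TRACK + s) * SECTOR + off] = REM
        log.append(f"T{t:02X},S{s:02X},${off:02X}: {POKE:02X} -> {REM:02X}")
    return bytes(out), log

if __name__ == "__main__":
    patched, log = patch(sample_image())
    print("\n".join(log))
```

Only the first POKE of each group is patched, because a REM token makes Applesoft ignore the rest of that program line.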