-----------Double 'N' Trouble---------- A 4am crack 2017-01-22 --------------------------------------- Name: Double 'N' Trouble Genre: educational Year: 1985 Credits: Jim Parshall, Garnet Chappell Publisher: Hartley Courseware Platform: Apple ][+ or later Media: single-sided 5.25-inch floppy OS: Diversi-DOS ~ Chapter 0 In Which The Tools Almost Save Us This disk was partially cracked by Passport. Here is the transcript for disk 1: --v-- READING FROM S6,D1 T00,S00 FOUND DOS 3.3 BOOTLOADER USING DISK'S OWN RWTS WRITING TO S5,D2 T00,S03,$91: DA -> DE T00,S03,$35: DA -> DE T00,S02,$9E: DA -> DE T00,S08 RWTS REQUIRES A NON-STANDARD DISK VOLUME NUMBER. T00,S08,$12: B148 -> A900 CRACK COMPLETE. --^-- More information and source code is available at https://archive.org/details/Passport4am Disk 2 is unprotected. But wait! If the program disk is protected with a strict RWTS and the data disk is unprotected, then there must be... Dun dun dun... An RWTS swapper! Indeed, entering a student name of "MENU" (no quotes) takes you to the sooper-sekret teacher's menu: --v-- WELCOME TO THE TEACHER'S MENU <1> CATALOG THE DISK <2> EDIT TOPIC QUESTIONS <3> PRINT TOPIC QUESTIONS <4> REVIEW STUDENT SCORES <5> PROGRAM UTILITIES <6> RUN DOUBLE 'N' TROUBLE WHICH? _ --^-- Selecting <5> PROGRAM UTILITIES allows you to transfer data files between the (protected) program disk and the (unprotected) data disk: --v-- FILE TRANSFER UTILITY <1> COPY FILES FROM MASTER DISK ONTO DATA DISK <2> COPY FILES FROM DATA DISK ONTO MASTER DISK <3> DELETE FILES ON DATA DISK <4> RETURN TO MAIN MENU WHICH? ==> _ --^-- Selecting 1, 2, or 3 prompts you to insert the master disk in drive 1, then it fails to recognize that the master disk is, in fact, inserted. Presumably because it expects the disk to be protected in exactly the way that Passport just fixed. Thus. ~ Chapter 1 We POKE Along Booting my almost-but-not-quite-working copy, I can hit to break to a working prompt. ]PR#6 ... ] BREAK ]LIST LANGUAGE NOT AVAILABLE ]LIST Hmm. Perhaps the old trick of embedding a and a DOS command in a REM statement? ]LOAD HELLO ]SPEED=20 ]LIST 2 REM Yes indeed. ]SPEED=255 ]LIST 3, 5 POKE 214,128: POKE 40286,252: POKE 40287,164 10 TEXT : HOME : VTAB 17: PRINT "DOUBLE 'N' TROUBLE": PRINT : PRINT "VERSION 04.02.85": PRINT : PRINT "(C) 1985 HARTLEY C OURSEWARE, INC." 11 Z = PEEK (64435): IF Z < > 56 AND Z < > 234 THEN VTAB 10: PRINT "BE SURE CAPS LOCK KEY IS DOWN!": PRINT " ---- ---- ----" 12 A = PEEK (78) + 1: FOR X = 1 TO A:Z = RND (1): NEXT 40 FOR K = 1 TO 5: READ Z: FOR T = 0 TO 2: POKE Z + T,234: NEXT 41 DATA 44537,44542,44555,44560 ,44480 100 PRINT "RUNFS TITLE PAGE" ]CATALOG C1983 DSR C#254 *A 003 HELLO *A 009 FS TITLE PAGE *A 045 FS PRGRM *A 024 FS GORB *A 026 FS EPLGE *A 038 FS T-MENU *A 029 FS T-MENU CR&ED *A 034 FILE TRANSFER *B 003 GARBAG *B 007 SMALL CHARACTERS *B 004 HRBU *B 002 IR *B 016 PICDRAW *B 005 GORBTECH *T 002 CHAMP.F *T 002 FS OPTIONS *T 002 FSFIL.TMP *T 003 MENU.FILE *T 008 STUDENT.SCORES T 014 SURVIVAL T 014 MOTHER GOOSE T 014 PLANTS T 014 NICKNAMES T 014 OLOGIES T 014 NATIONAL PARKS T 014 SONGS T 014 HOLIDAYS T 014 WEATHER WORDS T 014 THINGS WE CAN'T SEE T 014 WHO DID WHAT? T 014 NOT WHAT THEY SEEM T 014 BEST T 014 U.S. CITIES T 014 WRITERS OF MUSIC T 014 ANIMALS T 001 STU.FILE ]LOAD FILE TRANSFER . . . 50000 IF DM = CM OR ND = 2 THEN RETURN 50020 ZZ$ = "DATA": IF DM = 1 THEN ZZ$ = "MASTER" 50025 HOME : VTAB 10: PRINT "IN SERT ";: INVERSE : PRINT ZZ$ ;: NORMAL : PRINT " DISK": PRINT : PRINT "AND PRESS . ";:LM = 1: GOSUB 8999: IF NOT F8 THEN 50025 50030 PRINT : HOME : RETURN 50090 U = 218 + 4 * (DM = 2):CM = DM 50095 POKE - 17234,U: POKE - 18031,U: POKE - 18123,U: POKE - 18274,U: RETURN Aha! On the very last line, I see four suspicious POKE commands, all to RWTS- related addresses. -17234 = 48302 = $BCAE -18031 = 47505 = $B991 -18123 = 47413 = $B935 -18274 = 47262 = $B89E Combined with the math on line 50090, this is definitely the RWTS swapper I'm looking for. Turning to my trusty Disk Fixer sector editor, I press "D" for a directory listing, select "FILE TRANSFER", then use right arrow to follow the file to its last sector, which is T04,S04: --v-- -------------- DISK EDIT -------------- TRACK $04/SECTOR $04/VOLUME $FE/BYTE$40 --------------------------------------- $40: 39 39 3A AD C6 46 38 C4 99:-FF8D $48: 35 30 30 32 35 00 57 28 50025@W( $50: 6E C3 BA 3A 97 3A B1 00 .C::.:1@ $58: 70 28 AA C3 55 D0 32 31 0(*CUP21 $60: 38 C8 34 CA 28 44 4D D0 8H4J(DMP $68: 32 29 3A 43 4D D0 44 4D 2):CMPDM $70: 00 9E 28 AF C3 B9 C9 31 @.(/C9I1 ^^ ^^ ^^ POKE - 1 $78: 37 32 33 34 2C 55 3A B9 7234,U:9 ^^^^^^^^^^^ ^^ ^^ 7 2 3 4 , U $80: C9 31 38 30 33 31 2C 55 I18031,U $88: 3A B9 C9 31 38 31 32 33 :9I18123 $90: 2C 55 3A B9 C9 31 38 32 ,U:9I182 $98: 37 34 2C 55 3A B1 00 00 74,U:1@@ $A0: 00 55 00 00 00 00 00 00 @U@@@@@@ $A8: 00 00 00 00 00 00 00 00 @@@@@@@@ $B0: 00 00 00 00 00 00 00 00 @@@@@@@@ $B8: 00 00 00 00 00 00 00 00 @@@@@@@@ --------------------------------------- BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL DOS3.3:FILE TRANSFER /$20 --------------------------------------- COMMAND : _ --^-- I can change the "POKE" command to "RETURN" (opcode $B1, as shown above at offset $9D), followed by a colon ($3A) to separate Applesoft commands, then a "REM" command (opcode $B2), which will make the rest of the line a comment. T04,S04,$75: B9C931 -> B13AB2 Searching the disk for the same hex sequence for "POKE -17234,U" finds one additional match on T1A,S07, which is apparently part of "FS T-MENU". ]PR#6 ... ]LOAD FS T-MENU . . . 9900 REM CAT 9905 U = 218:Y8 = 0 9909 HOME : POKE 44512,208: POKE 44513,67: POKE 44515,160 9910 ONERR GOTO 9920 9912 POKE - 17234,U: POKE - 1 8031,U: POKE - 18123,U: POKE - 18274,U: IF Y8 THEN 9980 9915 PRINT D$"CATALOG":Y8 = 1:U = 218: GOTO 9912 9920 POKE 216,0:U = U + 4: ONERR GOTO 9940 9921 GOTO 9912 Different logic, but same result: we're altering the RWTS based on the value of U, which changes on line 9920. Using a sector editor, I follow the "FS T-MENU" file and change all those POKE commands on line 9912 to colons (command separators, which do nothing but allow later commands on the same line). T1A,S07,$F1 -> 3A3A3A3A3A3A3A3A3A3A3A3A3A3A3A T03,S00,$00 -> 3A3A3A3A3A3A3A3A3A3A3A3A3A3A3A3A 3A3A3A3A3A3A3A3A3A Here's what that looks like: ]PR#6 ... BREAK ]LOAD FS T-MENU ]LIST 9912 9912 ::::::::::::::::::::::::::: ::::::::::::: IF Y8 THEN 998 0 After seconds of extensive testing, I'm confident there is no other RWTS code to patch. Quod erat liberandum. --------------------------------------- A 4am crack No. 979 ------------------EOF------------------