-------------Magic Slate 40------------
A 4am crack
2017-02-09
---------------------------------------

Name: Magic Slate 40-column
Version: 1.3
Genre: productivity
Year: 1986
Credits: Donna Stanger, Paul Elseth, Jim Kulzer, Simon Lie
Publisher: Sunburst Communications
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom
Previous cracks: none
Similar cracks: #1003 Magic Slate 20

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  fails on first pass

Locksmith Fast Disk Backup
  unable to read track $01

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ disk
  presents a ProDOS catalog

--v--
CATALOG DISK SLOT 6 DRIVE 1

/MAGIC.SLATE.40

NAME            TYPE  BLKS  MODIFIED

MS              SYS     32  09-DEC-86
MS.CONFIG       BIN      3  01-FEB-91
MS.EDIT40       SYS     53  02-MAR-87
MS.PRINT40      SYS     45  06-JAN-87
MS.UTILS40      SYS     28  12-FEB-87

BLOCKS FREE:104  USED:176  TOTAL:280

PRESS [RETURN]
--^--

Copy ][+ nibble editor
  T01 has no structure at all, no data, just sync bytes and scattered nibbles

--v--
COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.

---------------------------------------
TRACK: 01  START: 1800  LENGTH: 3DFF

4CF8: FF FF FF FF FF FF FF FF  VIEW
4D00: FF FF FF FF FF FF FF FF
4D08: FF FF E4 FF FF FF FF FF
4D10: FF B9 FF FF FF FF FF E4
4D18: FF FF FF FF FF D5 BE EC  <-4D1D
4D20: F4 F4 F4 F4 F4 F4 FF FF
4D28: FF FF FF FF FF FF FF FF
4D30: FF FF FF D2 D2 D2 FF FF  FIND:
4D38: FF FF FF FF FF FF FF FF  D5
---------------------------------------
A TO ANALYZE DATA  ESC TO QUIT
? FOR HELP SCREEN  / CHANGE PARMS
Q FOR NEXT TRACK   SPACE TO RE-READ
--^--

Disk Fixer
  T00 has standard ProDOS bootloader and disk catalog (see Copy ][+ above) but the disk does not sound or look like ProDOS when it boots. No way to read T01.

Why didn't COPYA work?
  Track $01 is missing/unreadable

Why didn't Locksmith FDB work?
  probably a runtime check that ensures that track $01 is missing/unreadable

EDD worked. What does that tell us?
  No half or quarter tracks, because I didn't even try to copy those. There is definitely a run-time protection check of some kind, but it's probably just checking that track $01 is unreadable.

Next steps:

1. Search disk for common elements of a run-time protection check

2. If that fails, trace the boot

3. If that fails, I dunno, go feed the ducks or something

~

Chapter 1
In Which We Get Lucky, To The Detriment Of The Ducks

On the theory that some code on disk is trying to access track $01, and thus noticing if it's unexpectedly readable, let's enumerate some of the ways that could happen:

- Reading a file that is mapped to the unreadable track $01. Copy II+ "disk map" shows there are no files mapped to track $01, so let's rule that out. In fact, the first file suspiciously skips over the track altogether:

--v--
DISK MAP SLOT 6 DRIVE 1
/MAGIC.SLATE.40/MS

 TRACK             1               2
   0123456789ABCDEF0123456789ABCDEF012
S0 ..****.............................
EE ..****.............................
CD ..****.............................
TC ..****.............................
OB ..****.............................
RA ..****.............................
 9 ..****.............................
 8 ..****.............................
 7 ..****.............................
 6 ..****.............................
 5 ..****.............................
 4 ..****.............................
 3 ..****.............................
 2 ..****.............................
 1 *.***..............................
 F *.***..............................

USE ARROW KEYS TO MAP OTHER FILES
--^--

- Issuing a ProDOS MLI "raw block read" and checking the return code. This is a popular technique under ProDOS, partly because it can be adapted to work on 3.5-inch and 5.25-inch disks. But I'm not sure if this disk is really full ProDOS or if it just uses the ProDOS disk structure for convenience. At any rate, a sector search for "20 00 BF" (a JSR to the standard ProDOS MLI entry point) yields precisely zero results, so...
- Manually seeking to the track and looking for a nibble sequence. There is no explicit support for "seeking to a particular track" unless you're calling ProDOS internals. Without calling into ProDOS, this technique would require low-level disk access (turning on the drive and hitting the right stepper motors and whatnot). Here are some possibilities:

  "BD 89 C0" (LDA $C089,X) ; drive on
  "AD E9 C0" (LDA $C0E9)   ; drive on
  "BD 80 C0" (LDA $C080,X) ; stepper

And lo! A search for "BD 89 C0" yields several results.

--v--
------------- DISK SEARCH -------------

$00/$0E-$A7
$02/$0D-$3A
$05/$0A-$6E
$13/$07-$2F

PRESS [RETURN]
--^--

- T00,S0E is part of PRODOS (although I think it's called "MS" on this disk).

- T05,S0A appears to be legitimate RWTS code of some sort. (The existence of "LDA $C08A,X" nearby is a strong indication of legitimacy; RWTS code needs to deal with both drives, but copy protection routines rarely work on anything but drive 1.)

- T13,S07 is similarly unsuspicious.

That leaves T02,S0D. And that is a different kettle of nibbles altogether.
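The sector search used above, recast as a tool that runs against a disk image. This is an added example, not code from the write-up or from Copy ][+. It assumes a DOS 3.3-order .dsk image (35 tracks of 16 sectors of 256 bytes, with sector T,S stored at byte offset (T*16+S)*256) and reports hits in the $TT/$SS-$OO form of the DISK SEARCH screen. The image it scans is constructed here, with signatures planted at two of the addresses the write-up reports, so its output is illustrative rather than a scan of the real disk.

```python
# Added example (not from the 4am write-up): scan a DOS-order .dsk image for
# byte signatures and report hits as $TT/$SS-$OO, the way the Copy ][+ sector
# search screen does.  The image below is constructed, not the real disk.

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE  # 143,360 bytes

# Byte signatures discussed in the write-up, keyed by what they disassemble to.
SIGNATURES = {
    "JSR $BF00 (ProDOS MLI)": bytes.fromhex("2000BF"),
    "LDA $C089,X (drive on)": bytes.fromhex("BD89C0"),
    "LDA $C0E9 (drive on)":   bytes.fromhex("ADE9C0"),
    "LDA $C080,X (stepper)":  bytes.fromhex("BD80C0"),
}


def search_image(image, pattern):
    """Return every (track, sector, offset) at which `pattern` begins.

    Assumes a DOS 3.3-order image: sector (t, s) lives at (t*16 + s) * 256.
    A match that straddles a sector boundary is still reported, at the
    sector and offset where it starts.
    """
    if len(image) != IMAGE_SIZE:
        raise ValueError("expected a %d-byte 5.25-inch image" % IMAGE_SIZE)
    hits = []
    pos = image.find(pattern)
    while pos != -1:
        track, rem = divmod(pos, SECTORS * SECTOR_SIZE)
        sector, offset = divmod(rem, SECTOR_SIZE)
        hits.append((track, sector, offset))
        pos = image.find(pattern, pos + 1)   # keep going past this hit
    return hits


def format_hits(hits):
    """Render hits in the $TT/$SS-$OO style of the DISK SEARCH screen."""
    return ["$%02X/$%02X-$%02X" % h for h in hits]


def build_sample_image():
    """Constructed image: all zeros except for a drive-on signature planted
    where the write-up found the check (T02,S0D,$3A) and a second one inside
    an RWTS-style block at T05,S0A,$6E, followed by the LDA $C08A,X that the
    write-up takes as a sign of legitimate two-drive code."""
    img = bytearray(IMAGE_SIZE)

    def put(track, sector, offset, data):
        base = (track * SECTORS + sector) * SECTOR_SIZE + offset
        img[base:base + len(data)] = data

    put(0x02, 0x0D, 0x3A, bytes.fromhex("BD89C0BD8EC0"))   # protection check
    put(0x05, 0x0A, 0x6E, bytes.fromhex("BD89C0BD8AC0"))   # RWTS-style code
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for label, sig in SIGNATURES.items():
        print(label, format_hits(search_image(image, sig)) or "no results")
```

Searching for the instruction bytes rather than for a mnemonic is what makes this cheap: the three-byte absolute-indexed forms are fixed, so a plain substring search over the whole image finds every candidate, and the $TT/$SS-$OO address of each hit is enough to pull up the sector in a disassembler and apply the "is there an $C08A,X nearby" test by eye.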
~

Chapter 2
A Different Kettle of Nibbles

The routine containing "LDA $C089,X" appears to start at offset $22:

--v--
T02,S0D
----------- DISASSEMBLY MODE ----------

; save flags

0022:08        PHP

; prevent interrupts

0023:78        SEI

; not sure what this does

0024:84 46     STY $46
0026:84 47     STY $47
0028:20 00 08  JSR $0800
002B:A9 08     LDA #$08
002D:85 46     STA $46
002F:A9 00     LDA #$00
0031:85 47     STA $47
0033:85 42     STA $42
0035:20 00 08  JSR $0800

; turn on drive motor manually

0038:A6 07     LDX $07
003A:BD 89 C0  LDA $C089,X
003D:BD 8E C0  LDA $C08E,X

; set up Death Counter

0040:A0 00     LDY #$00
0042:84 08     STY $08
0044:C8        INY
0045:D0 04     BNE $004B
0047:E6 08     INC $08

; if Death Counter hits 0, fail

0049:F0 1F     BEQ $006A

; match nibble sequence "D5 BE EC"

004B:BD 8C C0  LDA $C08C,X
004E:10 FB     BPL $004B
0050:C9 D5     CMP #$D5
0052:D0 F0     BNE $0044
0054:BD 8C C0  LDA $C08C,X
0057:10 FB     BPL $0054
0059:C9 BE     CMP #$BE
005B:D0 F3     BNE $0050
005D:BD 8C C0  LDA $C08C,X
0060:10 FB     BPL $005D
0062:C9 EC     CMP #$EC
0064:D0 EA     BNE $0050

; restore flags, clear carry, and exit

0066:28        PLP
0067:18        CLC
0068:90 02     BCC $006C

; restore flags, set carry, and exit

006A:28        PLP
006B:38        SEC

; turn off drive motor on the way out

006C:BD 88 C0  LDA $C088,X
006F:60        RTS
--^--

Pretty straightforward. We're looking for a non-standard nibble sequence that doesn't normally exist. But it does exist on track $01 -- I saw it earlier in the Copy II Plus nibble editor.

The caller expects the carry flag to be clear on success or set on failure (like DOS and ProDOS conventions). If I change the failure path at offset $6A to match the success path at offset $66, the caller will always think the protection check succeeded. In other words, change the "SEC" to a "CLC".

T02,S0D,$6B: 38 -> 18

Quod erat liberandum.

---------------------------------------
A 4am crack No. 1004
------------------EOF------------------
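A Python model of the routine at $22 through $6F, added here as an example and not part of the write-up, so the match loop and the Death Counter can be stepped through without a drive. It keeps the control flow of the disassembly (the counter bump at $44, the nibble reads at $4B, $54 and $5D, the BNE $50 re-check on a BE or EC mismatch, and the CLC and SEC exits) and leaves out the JSR $0800 calls and zero-page setup at $24 through $35, whose purpose the write-up does not establish. The nibble streams are constructed to resemble the nibble-editor dump and an ordinary formatted track; `patched=True` applies the $6B change from SEC to CLC.

```python
# Added example (not from the 4am write-up): a model of the T02,S0D routine at
# $22-$6F, so the nibble match and the "Death Counter" can be exercised without
# a drive.  Nibble streams below are constructed, not captured from the disk.

from itertools import cycle

SIGNATURE = (0xD5, 0xBE, 0xEC)
DEATH_LIMIT = 256 * 256   # Y wraps 256 times before $08 wraps back to zero


def protection_check(nibbles, patched=False):
    """Return the carry flag the caller sees.

    False means CLC (signature found, $66 path); True means SEC (the Death
    Counter expired first, $6A path).  With patched=True the SEC at $6B is a
    CLC, as in the write-up's fix, so the failure path also returns False.

    `nibbles` is cycled to imitate a spinning disk; a fresh nibble is taken
    only where the code does LDA $C08C,X.  The JSR $0800 setup is not modelled.
    """
    if not nibbles:
        raise ValueError("need at least one nibble to spin")
    stream = cycle(nibbles)
    counter = 0                       # 16-bit value held in Y (low) and $08 (high)
    while True:
        # $44-$49: bump the counter; when it wraps to zero, fail
        counter = (counter + 1) & 0xFFFF
        if counter == 0:
            return False if patched else True   # $6A: PLP then SEC (or CLC)
        nib = next(stream)            # $4B: LDA $C08C,X
        # $50-$64: try to match D5 BE EC.  A mismatch on BE or EC re-checks the
        # nibble just read against D5 (BNE $50) without bumping the counter.
        while nib == SIGNATURE[0]:
            nib = next(stream)        # $54
            if nib != SIGNATURE[1]:
                continue              # $5B: BNE $50
            nib = next(stream)        # $5D
            if nib != SIGNATURE[2]:
                continue              # $64: BNE $50
            return False              # $66: PLP, CLC -> success
        # $52: BNE $44 -> back to the counter


def describe(carry):
    return "carry set (check failed)" if carry else "carry clear (check passed)"


# Constructed tracks: the original's track $01 carries the odd sequence amid
# sync bytes; an ordinary formatted track never does.
ORIGINAL_T01 = [0xFF] * 20 + [0xE4, 0xFF, 0xB9] + [0xFF] * 5 + [0xD5, 0xBE, 0xEC] + [0xF4] * 6
FORMATTED_T01 = [0xFF] * 20 + [0xD5, 0xAA, 0x96, 0xFF, 0xFE, 0xAA, 0xAA, 0xDE, 0xAA, 0xEB]


if __name__ == "__main__":
    for name, track in (("original", ORIGINAL_T01), ("formatted copy", FORMATTED_T01)):
        print(name, "unpatched:", describe(protection_check(track)))
        print(name, "patched:  ", describe(protection_check(track, patched=True)))
```

Two details the model makes visible: the counter counts passes through $44, not nibble reads, because the re-check path at $50 consumes nibbles without touching Y, so 65536 is a lower bound on reads before the failure exit; and the counter is the only thing that stops the loop on a track that never yields D5 BE EC, which is exactly the case a plain copy produces. The one-byte patch at $6B removes the distinction between the two exits, which is why the caller can no longer tell the copy from the original.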