-----------Magic Slate 20/40-----------
A 4am crack
2017-02-11
---------------------------------------

Name: Magic Slate 20-/40-column
Version: 1.02
Genre: productivity
Year: 1984
Credits: Donna Stanger, Paul Elseth, Jim Kulzer, Simon Lie
Publisher: Sunburst Communications
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom
Previous cracks: none
Similar cracks: #1003 Magic Slate 20 v1.3

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA                               fails on first pass
Locksmith Fast Disk Backup          unable to read track $01
EDD 4 bit copy (no sync, no count)  works
Copy ][+ disk                       presents a ProDOS catalog

--v--

CATALOG DISK  SLOT 6 DRIVE 1  /MAGIC.SLATE.1.0

NAME         TYPE  BLKS  MODIFIED

MS           SYS     24
MS.EDIT20    BIN     50
MS.EDIT40    BIN     51
MS.PRINT40   BIN     37
MS.UTILS40   BIN     26
MS.CONFIG    BIN      3

BLOCKS FREE:64    USED:216    TOTAL:280

PRESS [RETURN]

--^--

Copy ][+ nibble editor              T01 has no structure at all, no data,
                                    just sync bytes and scattered nibbles

--v--

COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
TRACK: 01   START: 1800   LENGTH: 3DFF

4CF8: FF FF FF FF FF FF FF FF   VIEW
4D00: FF FF FF FF FF FF FF FF
4D08: FF FF E4 FF FF FF FF FF
4D10: FF B9 FF FF FF FF FF E4
4D18: FF FF FF FF FF D5 BE EC   <-4D1D
4D20: F4 F4 F4 F4 F4 F4 FF FF
4D28: FF FF FF FF FF FF FF FF
4D30: FF FF FF D2 D2 D2 FF FF   FIND:
4D38: FF FF FF FF FF FF FF FF   D5
---------------------------------------
A TO ANALYZE DATA     ESC TO QUIT
? FOR HELP SCREEN     / CHANGE PARMS
Q FOR NEXT TRACK      SPACE TO RE-READ

--^--

Disk Fixer                          T00 has standard ProDOS bootloader and
                                    disk catalog (see Copy ][+ above) but
                                    the disk does not sound or look like
                                    ProDOS when it boots. No way to read
                                    T01.

Why didn't COPYA work?
  Track $01 is missing/unreadable

Why didn't Locksmith FDB work?
  probably a runtime check that ensures that track $01 is
  missing/unreadable

EDD worked. What does that tell us?
  No half or quarter tracks, because I didn't even try to copy those.
There is definitely a run-time protection check of some kind, but it's
probably just checking that track $01 is unreadable.

Next steps:

1. Search disk for common elements of a run-time protection check
2. If that fails, trace the boot
3. If that fails, I dunno, go feed the ducks or something

~

Chapter 1
In Which We Get Lucky, To The Detriment Of The Ducks

On the theory that some code on disk is trying to access track $01, and
thus noticing if it's unexpectedly readable, let's enumerate some of the
ways that could happen:

- Reading a file that is mapped to the unreadable track $01. Copy II+
  "disk map" shows there are no files mapped to track $01, so let's rule
  that out. In fact, the first file suspiciously skips over the track
  altogether:

--v--

DISK MAP  SLOT 6 DRIVE 1  /MAGIC.SLATE.1.0/MS

      TRACK                1               2
        0123456789ABCDEF0123456789ABCDEF012
S     0 ..***..............................
E     E ..***..............................
C     D ..***..............................
T     C ..***..............................
O     B ..***..............................
R     A ..***..............................
      9 ..***..............................
      8 ..***..............................
      7 ..***..............................
      6 ..***..............................
      5 ..***..............................
      4 ..***..............................
      3 ..***..............................
      2 ..***..............................
      1 *.**...............................
      F *.**...............................

USE ARROW KEYS TO MAP OTHER FILES

--^--

- Issuing a ProDOS MLI "raw block read" and checking the return code.
  This is a popular technique under ProDOS, partly because it can be
  adapted to work on 3.5-inch and 5.25-inch disks. But I'm not sure if
  this disk is really full ProDOS or if it just uses the ProDOS disk
  structure for convenience. At any rate, a sector search for "20 00 BF"
  (a JSR to the standard ProDOS MLI entry point) yields precisely zero
  results, so...

- Manually seeking to the track and looking for a nibble sequence.
  There is no explicit support for "seeking to a particular track"
  unless you're calling ProDOS internals. Without calling into ProDOS,
  this technique would require low-level disk access (turning on the
  drive and hitting the right stepper motors and whatnot). Here are some
  possibilities:

    "BD 89 C0" (LDA $C089,X) ; drive on
    "AD E9 C0" (LDA $C0E9)   ; drive on
    "BD 80 C0" (LDA $C080,X) ; stepper

And lo! A search for "BD 89 C0" yields several results.

--v--

------------- DISK SEARCH -------------

$00/$0E-$A7
$03/$09-$85
$04/$0A-$1D
$17/$0E-$30

PRESS [RETURN]

--^--

- T00,S0E is part of PRODOS (although I think it's called "MS" on this
  disk).

- T04,S0A appears to be legitimate RWTS code of some sort. (The
  existence of "LDA $C08A,X" nearby is a strong indication of
  legitimacy; RWTS code needs to deal with both drives, but copy
  protection routines rarely work on anything but drive 1.)

- T17,S0E is similarly unsuspicious.

That leaves T03,S09. And that is a different kettle of nibbles
altogether.

~

Chapter 2
A Different Kettle of Nibbles

The routine containing "LDA $C089,X" appears to start at offset $5B:

--v--

T03,S09
----------- DISASSEMBLY MODE ----------

; save flags
005B:08       PHP

; prevent interrupts
005C:78       SEI

; not sure what this does
005D:A5 43    LDA $43
005F:29 7F    AND #$7F
0061:85 07    STA $07
0063:A9 00    LDA #$00
0065:85 46    STA $46
0067:85 47    STA $47
0069:85 44    STA $44
006B:A9 60    LDA #$60
006D:85 45    STA $45
006F:A9 01    LDA #$01
0071:85 42    STA $42
0073:20 00 08 JSR $0800
0076:A9 08    LDA #$08
0078:85 46    STA $46
007A:A9 00    LDA #$00
007C:85 47    STA $47
007E:85 42    STA $42
0080:20 00 08 JSR $0800

; turn on drive motor manually
0083:A6 07    LDX $07
0085:BD 89 C0 LDA $C089,X
0088:BD 8E C0 LDA $C08E,X

; set up Death Counter
008B:A0 00    LDY #$00
008D:84 08    STY $08
008F:C8       INY
0090:D0 04    BNE $0096
0092:E6 08    INC $08

; if Death Counter hits 0, fail
0094:F0 1F    BEQ $00B5

; match nibble sequence "D5 BE EC"
0096:BD 8C C0 LDA $C08C,X
0099:10 FB    BPL $0096
009B:C9 D5    CMP #$D5
009D:D0 F0    BNE $008F
009F:BD 8C C0 LDA $C08C,X
00A2:10 FB    BPL $009F
00A4:C9 BE    CMP #$BE
00A6:D0 F3    BNE $009B
00A8:BD 8C C0 LDA $C08C,X
00AB:10 FB    BPL $00A8
00AD:C9 EC    CMP #$EC
00AF:D0 EA    BNE $009B

; restore flags, clear carry, and exit
00B1:28       PLP
00B2:18       CLC
00B3:90 02    BCC $00B7

; restore flags, set carry, and exit
00B5:28       PLP
00B6:38       SEC

; turn off drive motor on the way out
00B7:BD 88 C0 LDA $C088,X
00BA:60       RTS

--^--

Pretty straightforward. We're looking for a non-standard nibble sequence
that doesn't normally exist. But it does exist on track $01 -- I saw it
earlier in the Copy II Plus nibble editor.

The caller expects the carry flag to be clear on success or set on
failure (like DOS and ProDOS conventions). If I change the failure path
at offset $B5 to match the success path at offset $B1, the caller will
always think the protection check succeeded. In other words, change the
"SEC" to a "CLC".

T03,S07,$B6: 38 -> 18

Quod erat liberandum.

~

Usage Notes

Hold on boot to enter the configuration menu. You can set up your
printer and switch between 20 and 40 column editing mode.

---------------------------------------
A 4am crack No. 1009
------------------EOF------------------
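To see exactly what the routine at T03,S09 $5B-$BA tolerates, here is an added Python emulation of its nibble-matching loop. It is not code from the 4am write-up or from the Magic Slate disk: it models the 6502 logic (the 16-bit Death Counter, the three-stage D5 BE EC match, and the carry-flag result) against a nibble stream you hand it. The sample tracks are constructed from the nibble-editor dump and the Copy ][+ description of track $01, not read from a disk image, and the max_reads guard is an assumption added so a pathological stream cannot hang the emulator.

```python
"""Emulation of the T03,S09 nibble check (added example, not 4am's code).

The routine spins the drive, then reads raw nibbles until it sees
D5 BE EC in a row. A 16-bit "Death Counter" (Y in the low byte, $08 in
the high byte) bounds how many first-stage reads it tolerates. Carry
clear on exit means "found" (success); carry set means "timed out".
"""
from itertools import cycle

DEATH_TICKS = 0x10000   # INY / INC $08 wraps the counter to 0 on tick 65536


def nibble_check(track_nibbles, patched=False, max_reads=1_000_000):
    """Return (passed, nibbles_read) for one run of the check.

    track_nibbles: raw nibbles as the head sees them; treated as circular,
                   like a spinning disk.
    patched:       emulate the SEC -> CLC patch at $B6, which makes the
                   timeout path report success as well.
    max_reads:     hypothetical safety cap, not in the original; the real
                   loop has no bound once it is past the counter, so an
                   endless run of $D5 would spin forever.
    """
    if not track_nibbles:
        raise ValueError("a track has at least one nibble")
    stream = cycle(track_nibbles)
    total = 0

    def read():
        # $96 / $9F / $A8: LDA $C08C,X ; BPL -> wait for the next nibble
        nonlocal total
        total += 1
        if total > max_reads:
            raise RuntimeError("check never terminated (e.g. endless $D5s)")
        return next(stream)

    counter = 0                                 # $8B-$8D: LDY #0 / STY $08
    while True:
        counter = (counter + 1) % DEATH_TICKS   # $8F INY, $92 INC $08
        if counter == 0:                        # $94 BEQ $B5: patience gone
            return (patched, total)             # SEC = fail; patched CLC = "pass"
        nib = read()
        # $9B: is this nibble the first byte of the sequence?
        while nib == 0xD5:
            nib = read()
            if nib != 0xBE:
                continue        # $A6 BNE $9B: re-test this nibble, no tick
            nib = read()
            if nib != 0xEC:
                continue        # $AF BNE $9B
            return (True, total)    # $B1: PLP / CLC, sequence found
        # $9D BNE $8F: not a D5, spend one tick of the counter


# Constructed from the nibble-editor dump of the original track $01:
# sync FFs, the odd sequence D5 BE EC, then some F4 filler.
ORIGINAL_T01 = bytes([0xFF] * 10 + [0xD5, 0xBE, 0xEC] + [0xF4] * 6 + [0xFF] * 4)

# What a copier leaves where track $01 could not be read (constructed):
# sync bytes and scattered nibbles, but no D5 BE EC anywhere.
COPIED_T01 = bytes([0xFF] * 20 + [0xD2, 0xD2, 0xD2] + [0xFF] * 5)

# A normal address-field prologue D5 AA 96 (constructed): starts like
# the sequence but must not satisfy the check.
NORMAL_TRACK = bytes([0xFF] * 5 + [0xD5, 0xAA, 0x96, 0xFF, 0xFF])


if __name__ == "__main__":
    for name, track in (("original", ORIGINAL_T01),
                        ("copy", COPIED_T01),
                        ("normal", NORMAL_TRACK)):
        ok, n = nibble_check(track)
        print(f"{name:8s} unpatched: carry {'clear' if ok else 'set'} "
              f"after {n} nibbles")
    print("copy     patched:  ", nibble_check(COPIED_T01, patched=True))
```

Two things the emulation makes visible that the listing only implies: the check gives up only after 65535 first-stage reads, so an unreadable track $01 costs a noticeable pause before the carry comes back set, and a mismatch on the second or third nibble jumps back to $9B without touching the counter, so only non-$D5 nibbles spend patience. With patched=True the timeout path returns the same result as a real match, which is the whole effect of the one-byte change described above.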