--------------TellStar II--------------
A 4am crack                  2017-03-11
---------------------------------------

Name: TellStar II
Version: (*) see below
Genre: productivity/astronomy
Year: 1982
Credits: Evan M. Scharf
Publisher: Scharf Software Systems
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none (of this version)

(*) As with many Apple II disks, there
is limited versioning information. Some
other copies of this program display an
explicit version number on the title
page; others at least have a revision
date in a REM statement in the startup
program. My copy, alas, has neither,
which tells me that it is unique but
not whether it is newer or older!

Some kind soul uploaded a manual to a
different version. I can tell you that
this is the "Level II" version of the
program, which offers views of both the
Northern and Southern hemispheres.
("Level I" offers only one hemisphere.)

My copy also allows you to enter dates
up to year 3000. (Early versions only
allowed up to 1999.) It also allows you
to save views to a user-supplied data
disk. (Early versions could only print
them out.)

So, as far as I can tell, this version
has not been preserved, and it is more
advanced than any of the other copies I
could find online.

                   ~

This disk was automatically cracked by
Passport. Here is the transcript:

                 --v--
T00,S00 FOUND DOS 3.3 BOOTLOADER
USING DISK'S OWN RWTS
WRITING TO S5,D2
SWITCHING TO BUILT-IN RWTS
T00,S02,$49: 03 -> 04
T00,S02,$52: 4CB1BEEAEA -> A9D520B8B8
T00,S02,$5F: BB -> B8
T00,S02 RWTS REQUIRES EXTRA NIBBLES AND
TIMING BITS AFTER THE DATA PROLOGUE BY
JUMPING TO $BECA.
T00,S02,$F4: EABD8CC010FBC9ADD0E84CCABE -> A056BD8CC010FBC9ADD0E7A900
T00,S03,$91: AF -> DE
T00,S03,$35: AF -> DE
T00,S02,$9E: AF -> DE
T00,S08 RWTS REQUIRES A NON-STANDARD
DISK VOLUME NUMBER.
T00,S08,$12: B148 -> A900
CRACK COMPLETE.
                 --^--

More information and source code is
available at
https://archive.org/details/Passport4am

                   ~

The disk that Passport produced works
flawlessly... almost.

Steps to reproduce:

1. Display a star view (any date and
   location)
2. At "L I C <- -> O D G S E" prompt,
   press "G"
3. At "SAVE VIEW S PRINT VIEW P END E"
   prompt, press "S"
4. At "PLACE 'SAVE' DISKETTE IN DRIVE
   PRESS ANY KEY WHEN READY" prompt,
   insert a formatted DOS 3.3 disk and
   press a key
5. At "PLACE 'TELLSTAR' DISKETTE IN
   DRIVE PRESS ANY KEY WHEN READY"
   prompt, reinsert the program disk
   and press a key

                 --v--
I/O ERROR
BREAK IN 0
]
                 --^--

There is an RWTS swapper somewhere. It
"switches" to a standard RWTS so it can
save files on user-supplied data disks.
This has no effect, since we've already
standardized the RWTS with Passport.
But then it tries to switch back to the
protected RWTS so it can read more code
from the program disk, which fails
because the program disk is no longer
protected. Hmm.

See if you can spot it:

[S5,D1=work disk]

]PR#5
...
]CATALOG,S6,D1

*A 011 TELLSTAR
*I 007 APPLESOFT
*B 050 FPBASIC
*B 017 RUNTIME
*B 029 TELLSTAR I.OBJ
*B 003 CHAR.GEN
*B 006 CHAR.TBL
*B 006 FTL.B
*B 038 TELLSTAR II.OBJ
*B 044 NORTH.TABLE.OBJ
*B 043 SOUTH.TABLE.OBJ
*B 041 MESSIER.TABLE.OBJ
*B 037 CALCULATIONS.OBJ
*B 052 TELLSTAR DISPLAY.OBJ
*B 004 STAR.SHAPES
*B 002 DOS.SWITCH.OBJ
*B 037 TELLSTAR UTIL.OBJ
 T 002 LOCATION
 T 011 STR.DEMO
 B 028 COM.DEMO
 B 006 VAR.DEMO

Yeah, "DOS.SWITCH.OBJ" jumped out at me
too.

]BLOAD DOS.SWITCH.OBJ
]PAD
A$4100,L$00DC

]CALL -151

*4100L

4100-   A9 03       LDA   #$03
4102-   8D 49 B8    STA   $B849
4105-   A9 BB       LDA   #$BB
4107-   8D 5F B8    STA   $B85F
410A-   A9 EA       LDA   #$EA
410C-   8D F4 B8    STA   $B8F4
410F-   A9 BD       LDA   #$BD
4111-   8D F5 B8    STA   $B8F5
4114-   A9 8C       LDA   #$8C
4116-   8D F6 B8    STA   $B8F6
4119-   A9 C0       LDA   #$C0
411B-   8D F7 B8    STA   $B8F7
411E-   A9 10       LDA   #$10
4120-   8D F8 B8    STA   $B8F8
4123-   A9 FB       LDA   #$FB
4125-   8D F9 B8    STA   $B8F9
4128-   A9 C9       LDA   #$C9
412A-   8D FA B8    STA   $B8FA
412D-   A9 AD       LDA   #$AD
412F-   8D FB B8    STA   $B8FB
4132-   A9 D0       LDA   #$D0
4134-   8D FC B8    STA   $B8FC
4137-   A9 E8       LDA   #$E8
4139-   8D FD B8    STA   $B8FD
413C-   A9 4C       LDA   #$4C
413E-   8D FE B8    STA   $B8FE
4141-   A9 CA       LDA   #$CA
4143-   8D FF B8    STA   $B8FF
4146-   A9 BE       LDA   #$BE
4148-   8D 00 B9    STA   $B900
414B-   A9 4C       LDA   #$4C
414D-   8D 52 B8    STA   $B852
4150-   A9 B1       LDA   #$B1
4152-   8D 53 B8    STA   $B853
4155-   A9 BE       LDA   #$BE
4157-   8D 54 B8    STA   $B854
415A-   A9 EA       LDA   #$EA
415C-   8D 55 B8    STA   $B855
415F-   8D 56 B8    STA   $B856
4162-   A9 AF       LDA   #$AF
4164-   8D 9E B8    STA   $B89E
4167-   8D 35 B9    STA   $B935
416A-   8D 91 B9    STA   $B991
416D-   60          RTS
416E-   A9 04       LDA   #$04
4170-   8D 49 B8    STA   $B849
4173-   A9 B8       LDA   #$B8
4175-   8D 5F B8    STA   $B85F
4178-   A9 A0       LDA   #$A0
417A-   8D F4 B8    STA   $B8F4
417D-   A9 56       LDA   #$56
417F-   8D F5 B8    STA   $B8F5
4182-   A9 BD       LDA   #$BD
4184-   8D F6 B8    STA   $B8F6
4187-   A9 8C       LDA   #$8C
4189-   8D F7 B8    STA   $B8F7
418C-   A9 C0       LDA   #$C0
418E-   8D F8 B8    STA   $B8F8
4191-   A9 10       LDA   #$10
4193-   8D F9 B8    STA   $B8F9
4196-   A9 FB       LDA   #$FB
4198-   8D FA B8    STA   $B8FA
419B-   A9 C9       LDA   #$C9
419D-   8D FB B8    STA   $B8FB
41A0-   A9 AD       LDA   #$AD
41A2-   8D FC B8    STA   $B8FC
41A5-   A9 D0       LDA   #$D0
41A7-   8D FD B8    STA   $B8FD
41AA-   A9 E7       LDA   #$E7
41AC-   8D FE B8    STA   $B8FE
41AF-   A9 A9       LDA   #$A9
41B1-   8D FF B8    STA   $B8FF
41B4-   A9 00       LDA   #$00
41B6-   8D 00 B9    STA   $B900
41B9-   A9 A9       LDA   #$A9
41BB-   8D 52 B8    STA   $B852
41BE-   A9 D5       LDA   #$D5
41C0-   8D 53 B8    STA   $B853
41C3-   A9 20       LDA   #$20
41C5-   8D 54 B8    STA   $B854
41C8-   A9 B8       LDA   #$B8
41CA-   8D 55 B8    STA   $B855
41CD-   8D 56 B8    STA   $B856
41D0-   A9 DE       LDA   #$DE
41D2-   8D 9E B8    STA   $B89E
41D5-   8D 35 B9    STA   $B935
41D8-   8D 91 B9    STA   $B991
41DB-   60          RTS

Well well well. A set of three shafts
bored into the Earth to obtain water,
but that's not important right now.
What's important is that we have found
the RWTS swapper.

The memory locations it's twiddling
line up exactly with the modifications
that Passport made to the disk. For
example, $B849 is stored on track 0,
sector 2. Passport changed the value on
disk from #$03 to #$04. And here we
have a routine at $4100 that sets it to
#$03, and a routine at $416E that sets
it to #$04.

Turning to my trusty Disk Fixer sector
editor, I can follow "DOS.SWITCH.OBJ"
and find this code on track $22. I can
put an "RTS" at each entry point to
neutralize everything.

T22,S0E,$04: A9 -> 60
T22,S0E,$72: A9 -> 60

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1058
------------------EOF------------------
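
An added cross-check, not part of the original write-up: the Python below interprets the two DOS.SWITCH.OBJ routines from the listing above and compares every store against the patches in the Passport transcript. It assumes the standard DOS 3.3 boot layout (T00,S00-S09 loaded at $B600-$BFFF, consistent with $B849 living on T00,S02); the function and variable names are illustrative.

```python
import re  # added example; function and variable names are illustrative
PROTECT = bytes.fromhex(   # routine at $4100, bytes copied from the listing above
    "A9038D49B8 A9BB8D5FB8 A9EA8DF4B8 A9BD8DF5B8 A98C8DF6B8 A9C08DF7B8"
    "A9108DF8B8 A9FB8DF9B8 A9C98DFAB8 A9AD8DFBB8 A9D08DFCB8 A9E88DFDB8"
    "A94C8DFEB8 A9CA8DFFB8 A9BE8D00B9 A94C8D52B8 A9B18D53B8 A9BE8D54B8"
    "A9EA8D55B8 8D56B8 A9AF8D9EB8 8D35B9 8D91B9 60")
STANDARD = bytes.fromhex(  # routine at $416E, bytes copied from the listing above
    "A9048D49B8 A9B88D5FB8 A9A08DF4B8 A9568DF5B8 A9BD8DF6B8 A98C8DF7B8"
    "A9C08DF8B8 A9108DF9B8 A9FB8DFAB8 A9C98DFBB8 A9AD8DFCB8 A9D08DFDB8"
    "A9E78DFEB8 A9A98DFFB8 A9008D00B9 A9A98D52B8 A9D58D53B8 A9208D54B8"
    "A9B88D55B8 8D56B8 A9DE8D9EB8 8D35B9 8D91B9 60")
TRANSCRIPT = """T00,S02,$49: 03 -> 04
T00,S02,$52: 4CB1BEEAEA -> A9D520B8B8
T00,S02,$5F: BB -> B8
T00,S02,$F4: EABD8CC010FBC9ADD0E84CCABE -> A056BD8CC010FBC9ADD0E7A900
T00,S03,$91: AF -> DE
T00,S03,$35: AF -> DE
T00,S02,$9E: AF -> DE
T00,S08,$12: B148 -> A900"""
PATCH = re.compile(r"T00,S([0-9A-F]{2}),\$([0-9A-F]{2}): ([0-9A-F]+) -> ([0-9A-F]+)")

def stores(code):
    """Interpret a straight-line LDA #imm / STA abs / RTS routine -> {addr: byte}."""
    mem, a, pc = {}, None, 0
    while code[pc] != 0x60:                      # RTS ends the routine
        if code[pc] == 0xA9:                     # LDA #imm
            a, pc = code[pc + 1], pc + 2
        elif code[pc] == 0x8D:                   # STA abs, little-endian operand
            mem[code[pc + 1] | code[pc + 2] << 8] = a
            pc += 3
        else:
            raise ValueError(f"unexpected opcode ${code[pc]:02X} at +${pc:02X}")
    return mem

def classify(transcript, protect, standard):
    """Label each Passport patch 'toggled', 'untouched' or 'mismatch'."""
    out = {}
    for sec, off, old, new in PATCH.findall(transcript):
        base = 0xB600 + int(sec, 16) * 0x100 + int(off, 16)  # assumed: T00,S00 loads at $B600
        addrs = range(base, base + len(old) // 2)   # a run may spill into the next sector
        was = [protect.get(a) for a in addrs]       # bytes written by the $4100 routine
        now = [standard.get(a) for a in addrs]      # bytes written by the $416E routine
        ok = was == list(bytes.fromhex(old)) and now == list(bytes.fromhex(new))
        idle = all(v is None for v in was + now)
        out[f"T00,S{sec},${off}"] = "toggled" if ok else "untouched" if idle else "mismatch"
    return out

if __name__ == "__main__":
    print(classify(TRANSCRIPT, stores(PROTECT), stores(STANDARD)))
```

Seven of the eight patches come back `toggled`; the volume-number patch at T00,S08,$12 comes back `untouched`, since DOS.SWITCH.OBJ never writes to page $BE.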