---------Wild West Math Level 3--------
A 4am crack
2017-06-20
---------------------------------------

Name: Wild West Math Level 3
Genre: educational
Year: 1990
Publisher: Micrograms Publishing
Platform: Apple ][+ or later
Media: 3 single-sided 5.25-inch disks
OS: custom
Previous cracks: none

~

Chapter 0
In Which Various Automated Tools Fail
In Interesting Ways

COPYA               no errors, but copy
                    hangs on boot with a
                    text screen full of
                    code

Locksmith Fast      ditto
Disk Backup

EDD 4 bit copy      works
(no sync, no count)

Copy ][+ nibble     disk volume is 000,
editor              which is unusual, but
                    otherwise tracks look
                    normal -- 16-sector,
                    standard address
                    fields, standard
                    everything really

--v--
COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
TRACK: 01 START: 1800 LENGTH: 3DFF

17E0: FF FF 80 80 FF FF 80 80  VIEW
17E8: FF FF 80 80 FF FF 80 80
17F0: FF FF 80 80 FF FF 80 80
17F8: FF FF 80 80 FF FF 80 80
1800: FF FF FF FF FF FF FF FF  <-1800
1808: FF FF FF FF FF D5 AA 96
                     ^^^^^^^^ address prologue
1810: AA AA AA AB AB AB AB AA
      V=000 T=$01 S=$03 chksm
1818: DE AA BE FF FF FF FF FF
      ^^^^^ address epilogue
1820: FF FF D5 AA AD 96 96 96
            ^^^^^^^^ data prologue
---------------------------------------
A TO ANALYZE DATA     ESC TO QUIT
? FOR HELP SCREEN     / CHANGE PARMS
Q FOR NEXT TRACK      SPACE TO RE-READ
--^--

Disk Fixer          all tracks readable
                    custom bootloader
                    DOS-style disk
                    catalog on track $02

--v--
-------------- DISK EDIT --------------
TRACK $02/SECTOR $0F/VOLUME $00/BYTE$01
---------------------------------------
$00: 00>02<0E 00 00 00 00 00   @BN@@@@@
$08: 00 00 00 03 0F 04 C4 C5   @@@CODDE
$10: C3 B1 B5 AE B1 B9 B8 B9   C15.1989
$18: A0 A0 A0 A0 A0 A0 A0 A0
$20: A0 A0 A0 A0 A0 A0 A0 A0
$28: A0 A0 A0 A0 02 00 04 0F       B@DO
$30: 04 D0 C9 AE D4 C9 D4 CC   DPI.TITL
$38: C5 A0 A0 A0 A0 A0 A0 A0   E
$40: A0 A0 A0 A0 A0 A0 A0 A0
$48: A0 A0 A0 A0 A0 A0 A0 22          "
$50: 00 09 0F 04 D3 D4 AE CE   @IODST.N
$58: D5 CD A0 A0 A0 A0 A0 A0   UM
$60: A0 A0 A0 A0 A0 A0 A0 A0
$68: A0 A0 A0 A0 A0 A0 A0 A0
$70: A0 A0 08 00 0A 0F 04 D3     H@JODS
$78: D4 AE C6 CF CE D4 A0 A0   T.FONT
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
---------------------------------------
COMMAND : _
--^--

Why didn't COPYA or Locksmith FDB work?
probably a nibble check in early boot

Why *did* EDD work?
the nibble check probably isn't very
strong

Next steps:

1. Trace the boot
2. Find the protection check and
   disable it
3. Declare victory (*)

(*) go to the gym

~

Chapter 1
In Which We Take A Shortcut That Turns
Out To Be Not So Short

The fastest way to find a runtime
protection check is to search for the
instruction that turns on the drive
motor. Generally this is "LDA $C089,X"
(following the convention that the X
register contains the boot slot x 16),
but it could also be hard-coded to slot
6 like "LDA $C0E9" or some other
variant.

[Disk Fixer]
["F"]ind ["H"]ex
"BD 89 C0"

No matches whatsoever. Which is odd.

--> "AD E9 C0"

No matches whatsoever. WTF.

Maybe it's encrypted to prevent exactly
the thing I'm trying to do right now?
Let's try searching for the instruction
that loads the data latch to fetch a
single nibble from disk: "LDA $C08C,X".

--> "BD 8C C0"

No matches whatsoever. This is looking
less and less like a shortcut.
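The byte-pattern search being run through Disk Fixer above, written out as an added Python example (mine, not part of the 4am write-up and not Disk Fixer's code). It assembles the byte forms of the 6502 instructions named in the text ("LDA $C089,X" is BD 89 C0, "LDA $C0E9" is AD E9 C0, and so on), then scans a DOS-order .dsk image sector by sector and reports hits as track/sector/offset, the way the DISK SEARCH screen does. The image is constructed: all zeros except for "AD EC C0" planted at the offsets the search later in this chapter reports, so the hits are illustrative and nothing here is read from the real disk.

```python
# Added example (not from the 4am write-up, not Disk Fixer's code):
# search a DOS-order .dsk image for the byte forms of the 6502
# instructions that read the Disk II soft switches.

SECTOR_SIZE = 256
SECTORS_PER_TRACK = 16
TRACKS = 35
IMAGE_SIZE = SECTOR_SIZE * SECTORS_PER_TRACK * TRACKS  # 143360 bytes

def lda_abs_x(addr):
    """LDA addr,X  -> BD lo hi (operand is little-endian)."""
    return bytes([0xBD, addr & 0xFF, addr >> 8])

def lda_abs(addr):
    """LDA addr    -> AD lo hi."""
    return bytes([0xAD, addr & 0xFF, addr >> 8])

def search_image(image, pattern):
    """Return [(track, sector, offset), ...] for every match.
    Matching is confined to each 256-byte sector, as a sector editor's
    search is; a pattern straddling two sectors is not reported.
    Overlapping matches are reported."""
    hits = []
    for track in range(TRACKS):
        for sector in range(SECTORS_PER_TRACK):
            base = (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE
            data = image[base:base + SECTOR_SIZE]
            start = 0
            while True:
                idx = data.find(pattern, start)
                if idx < 0:
                    break
                hits.append((track, sector, idx))
                start = idx + 1
    return hits

def format_hits(hits):
    """Render hits like Disk Fixer's DISK SEARCH screen: $TT/$SS-$OO."""
    return ["$%02X/$%02X-$%02X" % h for h in hits]

def make_sample_image():
    """Constructed 35-track image (assumption: DOS 3.3 sector order) with
    'LDA $C0EC' planted at the sector offsets the write-up's search
    reports on T00,S05 and T00,S06. Everything else is zero; this is
    not the real disk's contents."""
    image = bytearray(IMAGE_SIZE)
    planted = [(0, 5, o) for o in
               (0x3F, 0x5C, 0x65, 0x6F, 0x86, 0x8E, 0xEF, 0xF8)]
    planted.append((0, 6, 0x01))
    for track, sector, off in planted:
        base = (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE + off
        image[base:base + 3] = lda_abs(0xC0EC)
    return bytes(image)

def run_shortcut(image):
    """Try the four patterns from the text in order; {name: hits}."""
    candidates = {
        "LDA $C089,X": lda_abs_x(0xC089),   # motor on, slot*16 in X
        "LDA $C0E9":   lda_abs(0xC0E9),     # motor on, hard-coded slot 6
        "LDA $C08C,X": lda_abs_x(0xC08C),   # data latch, slot*16 in X
        "LDA $C0EC":   lda_abs(0xC0EC),     # data latch, hard-coded slot 6
    }
    return {name: search_image(image, pat) for name, pat in candidates.items()}

if __name__ == "__main__":
    for name, hits in run_shortcut(make_sample_image()).items():
        print(name, "->",
              "no matches" if not hits else ", ".join(format_hits(hits)))
```

Confining the match to one sector mirrors what the sector editor reports and is also a useful caveat: code that the RWTS loads into consecutive memory pages can span a sector boundary on disk, so a pattern that exists in memory may still not be found by a per-sector search.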
Maybe the hard-coded variant "LDA
$C0EC"? After that I'm out of ideas and
I'm going to trace the boot from the
beginning.

--> "AD EC C0"

--v--
------------- DISK SEARCH -------------
$00/$05-$3F
$00/$05-$5C
$00/$05-$65
$00/$05-$6F
$00/$05-$86
$00/$05-$8E
$00/$05-$EF
$00/$05-$F8
$00/$06-$01

PRESS [RETURN]
--^--

Praise be. Let's see what we found:

--v--
T00,S05
----------- DISASSEMBLY MODE ----------
; match standard prologue ($D5 $AA $96
; for address field, $D5 $AA $AD for
; data field, depending on carry bit --
; same technique as the drive firmware
; at $C600 uses)
005C:AD EC C0  LDA $C0EC
005F:10 FB     BPL $005C
0061:49 D5     EOR #$D5
0063:D0 F1     BNE $0056
0065:AD EC C0  LDA $C0EC
0068:10 FB     BPL $0065
006A:C9 AA     CMP #$AA
006C:D0 F3     BNE $0061
006E:EA        NOP
006F:AD EC C0  LDA $C0EC
0072:10 FB     BPL $006F
0074:C9 96     CMP #$96
0076:F0 09     BEQ $0081
0078:28        PLP
0079:90 D0     BCC $004B
007B:49 AD     EOR #$AD
007D:F0 2E     BEQ $00AD
007F:D0 CA     BNE $004B
; parse address field
0081:A0 03     LDY #$03
0083:8D 21 0D  STA $0D21
0086:AD EC C0  LDA $C0EC
0089:10 FB     BPL $0086
008B:2A        ROL
008C:85 F9     STA $F9
008E:AD EC C0  LDA $C0EC
0091:10 FB     BPL $008E
0093:25 F9     AND $F9
0095:88        DEY
0096:D0 EB     BNE $0083
0098:28        PLP
0099:8D 22 0D  STA $0D22
009C:C5 EC     CMP $EC
009E:D0 AB     BNE $004B
00A0:AD 21 0D  LDA $0D21
00A3:C5 EB     CMP $EB
00A5:B0 A5     BCS $004C
00A7:0A        ASL
00A8:85 ED     STA $ED
.
. [regular 6-and-2 encoding, not shown]
.
; switch to text screen 2, turn off
; drive motor, and hang (I think this
; is where I ended up on my non-working
; copy)
00E3:2C 51 C0  BIT $C051
00E6:2C 55 C0  BIT $C055
00E9:2C E8 C0  BIT $C0E8
00EC:4C EC 0E  JMP $0EEC
; match standard epilogue ($DE $AA)
00EF:AD EC C0  LDA $C0EC
00F2:10 FB     BPL $00EF
00F4:C9 DE     CMP #$DE
00F6:D0 E4     BNE $00DC
00F8:AD EC C0  LDA $C0EC
00FB:10 FB     BPL $00F8
00FD:C9 AA     CMP #$AA
00FF:D0 EE     BNE $00EF
[continuing on T00,S06]
; match... a third epilogue nibble?!?
0001:AD EC C0  LDA $C0EC
0004:10 FB     BPL $0001
0006:C9 BE     CMP #$BE
0008:D0 E5     BNE $FFEF
--^--

Oh wow. That's not what I was expecting
at all, but that's the problem.

There is no protection check. The
protection is purely structural -- this
RWTS code is super-strict and requires a
third (non-standard) epilogue nibble.

Technically, both the address epilogue
and the data epilogue are three nibbles
$DE $AA $EB. But even standard DOS 3.3
never checks more than the first two.
(ProDOS only checks the first one.)
Literally nothing checks the third
nibble of the epilogue.

Except this disk. And it's non-standard
($BE instead of $EB).

So the disk looks like it's unprotected
(it even copies with COPYA), but the
copy can't read itself because the third
epilogue nibble is wrong.

The solution is to patch this RWTS so it
ignores the third epilogue nibble. The
least invasive way to do that is to
change the "BNE" after "CMP #$BE" so it
branches to the next instruction,
effectively making it a NOP.

T00,S06,$09: E5 -> 00

]PR#6

...works...

~

Chapter 2
Et Alii

I've added support for this patch to
Passport, my automated disk verifier and
auto-cracker. The transcript will look
like this:

--v--
READING FROM S6,D1

T00,S00  FOUND MICROGRAMS BOOTLOADER
USING BUILT-IN RWTS

WRITING TO S6,D2

T00,S06,$09: E5 -> 00

CRACK COMPLETE.
--^--

More information and source code are
available at
https://archive.org/details/Passport4am

Disks 2 & 3 have identical protection.

Quod erat liberandum.

---------------------------------------
A 4am crack No. 1266
------------------EOF------------------
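The epilogue comparison from Chapter 1 and the one-byte patch Passport applies in Chapter 2, as an added Python example (mine, not the author's and not Passport's source). It models the three epilogue policies the text contrasts (ProDOS checks one nibble, DOS 3.3 two, this RWTS three with a non-standard third), shows that a COPYA copy carrying the standard $DE $AA $EB epilogue is accepted by everything except the disk's own RWTS, works through the 6502 relative-branch arithmetic that turns "BNE $FFEF" into a fall-through when the displacement becomes $00, and applies the patch to a .dsk image only after checking the bytes are what the listing shows. Assumptions: the image is in DOS 3.3 sector order, so T00,S06 begins at file offset $600 and the patched byte sits at $609; the sample image is constructed, with only the two bytes at T00,S06,$08-$09 populated.

```python
# Added example (not from the write-up, not Passport's code).

STANDARD_EPILOGUE = (0xDE, 0xAA, 0xEB)    # what DOS 3.3 writes; what COPYA copies carry
MICROGRAMS_EPILOGUE = (0xDE, 0xAA, 0xBE)  # what this disk's RWTS insists on

# How many epilogue nibbles each reader compares, and against what.
EPILOGUE_POLICY = {
    "prodos":     (0xDE,),             # first nibble only
    "dos33":      (0xDE, 0xAA),        # first two
    "micrograms": (0xDE, 0xAA, 0xBE),  # all three, third one non-standard
}

def epilogue_ok(nibbles, policy):
    """True if the nibbles after a field satisfy the named reader's check."""
    expected = EPILOGUE_POLICY[policy]
    return tuple(nibbles[:len(expected)]) == expected

def readable_by(nibbles):
    """Names of the readers that accept a field ending in these nibbles."""
    return [p for p in EPILOGUE_POLICY if epilogue_ok(nibbles, p)]

# --- 6502 relative branch arithmetic ---------------------------------
def branch_target(pc_after, displacement):
    """Target of a taken branch: address of the next instruction plus the
    signed 8-bit displacement, wrapped to 16 bits. A displacement of
    $00 therefore targets the next instruction, i.e. the branch is
    harmless whether taken or not."""
    if displacement >= 0x80:
        displacement -= 0x100
    return (pc_after + displacement) & 0xFFFF

# --- the Passport-style patch ----------------------------------------
SECTOR_SIZE, SECTORS_PER_TRACK, TRACKS = 256, 16, 35

def dsk_offset(track, sector, byte):
    """File offset of (track, sector, byte); assumes DOS 3.3 sector order."""
    return (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE + byte

# From the listing, T00,S06 offset $08: D0 E5 = BNE $FFEF (after CMP #$BE).
PATCH_TRACK, PATCH_SECTOR = 0, 6
PATCH_EXPECT = {0x08: 0xD0, 0x09: 0xE5}   # opcode + displacement must match
PATCH_WRITE = {0x09: 0x00}                # displacement 0: branch to next instr

def apply_patch(image):
    """Write the patch only if every expected byte matches; return True
    if written. Refusing on mismatch keeps a different RWTS build, or
    an already-patched image, from being clobbered."""
    for byte, value in PATCH_EXPECT.items():
        if image[dsk_offset(PATCH_TRACK, PATCH_SECTOR, byte)] != value:
            return False
    for byte, value in PATCH_WRITE.items():
        image[dsk_offset(PATCH_TRACK, PATCH_SECTOR, byte)] = value
    return True

def make_sample_image():
    """Constructed image: zeros except the two bytes at T00,S06,$08-$09."""
    image = bytearray(SECTOR_SIZE * SECTORS_PER_TRACK * TRACKS)
    for byte, value in PATCH_EXPECT.items():
        image[dsk_offset(PATCH_TRACK, PATCH_SECTOR, byte)] = value
    return image

def patch_and_verify():
    """Patch a fresh sample image, then try again on the same image.
    Returns (first_result, second_result, byte now at T00,S06,$09)."""
    img = make_sample_image()
    first = apply_patch(img)
    second = apply_patch(img)
    return first, second, img[dsk_offset(PATCH_TRACK, PATCH_SECTOR, 0x09)]

if __name__ == "__main__":
    print("original disk readable by:", readable_by(MICROGRAMS_EPILOGUE))
    print("COPYA copy readable by:   ", readable_by(STANDARD_EPILOGUE))
    print("BNE $E5 from $000A -> $%04X" % branch_target(0x000A, 0xE5))
    print("BNE $00 from $000A -> $%04X" % branch_target(0x000A, 0x00))
    print("patch first/second/byte:", patch_and_verify())
```

The precondition check is the part worth copying into any automated patcher: Passport's transcript above prints "E5 -> 00" precisely because it knows the old value, and a patch that writes without first confirming the old bytes will silently corrupt any disk whose RWTS differs by a few bytes.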