----------------Pie-Man----------------
A 4am crack
2017-08-08
---------------------------------------

Name: Pie-Man
Genre: arcade
Year: 1982
Credits: Eagle Berns and Michael Kosaka
Publisher: Penguin Software
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: file crack (no title)

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  read errors on T12+ but copy works

Copy ][+ nibble editor
  T12+ appear unformatted
  disk volume 000
  other tracks use "DA AA EB" for both
    address and data field epilogue
  odd-numbered tracks: non-standard
    address prologue ("D4 AA 96")

--v--
COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
TRACK: 01  START: 21A2  LENGTH: 1879

2C38: BB AC B4 A6 9E DB F2 9D   VIEW
2C40: BA 9A D6 F2 FB DA AA EB
2C48: 99 B4 B4 B4 B4 9C FF F9
2C50: FF DC 97 F4 BE B6 DD 96
2C58: 94 FE FF FF FF D4 AA 96
                     ^^^^^^^^
                     address prologue
2C60: AA AA AA AB AB AF AB AE
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      V=000 T=$01 S=$07 chksm
2C68: DA AA EB 99 B4 B4 B4 E5
      ^^^^^^^^
      address epilogue
2C70: E5 FF FF FF FF D5 AA AD
                     ^^^^^^^^
                     data prologue
2C78: E7 CE D9 B9 AB D9 B3 EB
--^--

Disk Fixer
  bootloader looks like DOS 3.3; given the
    proper prologue and epilogue
    parameters, track $11 is readable and
    looks like a normal disk catalog with
    one file ("HELLO") which is also listed
    as the startup program

Why didn't COPYA work?
  modified prologues and epilogues

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  No half or quarter tracks, because I
  didn't even try to copy those. Just the
  structural changes (prologues and
  epilogues) and an RWTS patched to read
  them.

Next steps:

1. Convert disk to standard format with
   Passport or Advanced Demuffin
2. Patch RWTS to read standard format
3. Declare victory (*)

(*) Go to the gym

~

Chapter 1
Bit Math Is Best Math

Passport successfully captures the RWTS and
converts the disk to a standard format, but
the bootloader is just different enough
that it refuses to apply any patches. So I
am stuck with the task of patching the RWTS
by hand like some kind of 20th century
peasant.

T00,S01,$9E: DA -> DE
T00,S02,$35: DA -> DE
T00,S02,$91: DA -> DE
T0C,S0C,$C2: DA -> DE

There's no need to patch the address
prologue, because it's flexible enough to
read a standard disk already. That's a neat
trick! Here's how it works:

--v--
; original code on T00,S03, loaded into
; memory at $B900

B944-   A0 FC       LDY   #$FC
B946-   84 26       STY   $26
B948-   C8          INY
B949-   D0 04       BNE   $B94F
B94B-   E6 26       INC   $26
B94D-   F0 F3       BEQ   $B942

; find prologue nibble #1

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   4A          LSR
B955-   49 6A       EOR   #$6A
B957-   D0 EF       BNE   $B948

; find prologue nibble #2

B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959
B95E-   C9 AA       CMP   #$AA
B960-   D0 F2       BNE   $B954
B962-   A0 03       LDY   #$03

; find prologue nibble #3

B964-   BD 8C C0    LDA   $C08C,X
B967-   10 FB       BPL   $B964
B969-   C9 96       CMP   #$96
B96B-   D0 E7       BNE   $B954
--^--

The code to find prologue nibble #1
explains how this disk can read its
odd-numbered tracks (with non-standard
address prologue "D4 AA 96").

Normal address prologue byte 1 is $D5. In
binary:

  $D5 = 1101 0101

After LSR:

  0110 1010 = $6A

Odd-numbered tracks use $D4 instead. In
binary:

  $D4 = 1101 0100

After LSR:

  0110 1010 = $6A

LSR throws away bit 0, so $D4 and $D5 are
the only two values whose shifted form is
$6A. This code will match either prologue
and work on both odd and even tracks, and
nothing else slips through.

Furthermore, RWTS code is time-critical
between reading the last bit of one nibble
and reading the first bit of the next. If
it's too fast or too slow, it will get out
of phase (because the disk spins
independently of the CPU).
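The prologue matching described above, as an added example (not code from the original write-up), before the timing comparison: a Python model of the RWTS address-field search (shift-and-compare on byte #1, then $AA, then $96, with a miss on byte #2 or #3 re-testing that nibble as byte #1, as the BNE $B954 branches do), run over the nibbles transcribed from the Copy ][+ listing of track $01 in Chapter 0. The 4-and-4 decoding and the checksum rule (volume XOR track XOR sector) are standard DOS 3.3 and assumed here; the sample input, the function names and the default epilogue of "DA AA" are constructed for this example.

```python
"""Added example: model of Pie-Man's flexible address-prologue check.

The RWTS at $B94F-$B96B accepts $D4 or $D5 as prologue byte #1 by
shifting the nibble right and comparing with $6A.  This script runs
that search over the nibbles copied from the Copy ][+ dump of track
$01 and decodes the address field that follows.  The 4-and-4 decoding
and the checksum rule (volume ^ track ^ sector) are standard DOS 3.3.
"""

# Sample input (constructed for this example): nibbles $2C38-$2C7F from
# the Copy ][+ listing of track $01 in the write-up.
TRACK01_NIBBLES = bytes.fromhex(
    "BB AC B4 A6 9E DB F2 9D"   # 2C38
    "BA 9A D6 F2 FB DA AA EB"   # 2C40  data epilogue of the previous sector
    "99 B4 B4 B4 B4 9C FF F9"   # 2C48
    "FF DC 97 F4 BE B6 DD 96"   # 2C50
    "94 FE FF FF FF D4 AA 96"   # 2C58  address prologue (D4: odd track)
    "AA AA AA AB AB AF AB AE"   # 2C60  V=0 T=1 S=7 checksum
    "DA AA EB 99 B4 B4 B4 E5"   # 2C68  address epilogue DA AA EB
    "E5 FF FF FF FF D5 AA AD"   # 2C70  data prologue D5 AA AD
    "E7 CE D9 B9 AB D9 B3 EB"   # 2C78
)


def first_nibble_matches(nib: int) -> bool:
    """The test at $B954: LSR, then compare with $6A.

    The shift discards bit 0, so exactly two bytes pass: $D4 and $D5.
    """
    return (nib >> 1) == 0x6A


def matching_first_nibbles() -> list:
    """Every 8-bit value accepted as address prologue byte #1."""
    return [b for b in range(256) if first_nibble_matches(b)]


def decode_4and4(odd: int, even: int) -> int:
    """DOS 3.3 4-and-4 decoding: ((odd << 1) | 1) & even."""
    return (((odd << 1) | 1) & even) & 0xFF


def find_address_fields(nibbles: bytes, epilogue=(0xDA, 0xAA)) -> list:
    """Scan a nibble stream the way the RWTS search loop does.

    Returns one dict per address field found, with the decoded
    volume/track/sector and whether the checksum and epilogue check out.
    The retry rule mirrors BNE $B954: a nibble that fails as byte #2 or
    #3 is immediately re-tested as byte #1 rather than skipped.
    """
    fields = []
    i, n = 0, len(nibbles)
    while i < n:
        if not first_nibble_matches(nibbles[i]):      # $B954 LSR / EOR #$6A
            i += 1
            continue
        if i + 1 >= n or nibbles[i + 1] != 0xAA:      # $B95E CMP #$AA
            i += 1                                    # BNE $B954: retest
            continue
        if i + 2 >= n or nibbles[i + 2] != 0x96:      # $B969 CMP #$96
            i += 2                                    # BNE $B954: retest
            continue
        body = nibbles[i + 3:i + 11]                  # 4 x 4-and-4 pairs
        if len(body) < 8:
            break
        volume, track, sector, checksum = [
            decode_4and4(body[k], body[k + 1]) for k in (0, 2, 4, 6)]
        fields.append({
            "offset": i,
            "prologue": nibbles[i],
            "volume": volume, "track": track, "sector": sector,
            "checksum_ok": (volume ^ track ^ sector) == checksum,
            "epilogue_ok": tuple(nibbles[i + 11:i + 13]) == tuple(epilogue),
        })
        i += 13
    return fields


if __name__ == "__main__":
    print("accepted prologue byte #1:",
          [hex(b) for b in matching_first_nibbles()])
    for field in find_address_fields(TRACK01_NIBBLES):
        print(field)
```

Passing `epilogue=(0xDE, 0xAA)` makes the same scanner report the field as having a bad epilogue, which is exactly what an unpatched DOS 3.3 RWTS sees on this disk; the prologue check itself needs no such parameter, which is the point of the LSR trick.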
Compare DOS 3.3 (cycle count in margin)

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   C9 D5       CMP   #$D5     | 2
B956-   D0 F0       BNE   $B948    | 2 *
B958-   EA          NOP            | 2
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

(*) on the time-critical path, this branch
is not taken, so always 2

...and this disk's RWTS:

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   4A          LSR            | 2
B955-   49 6A       EOR   #$6A     | 2
B957-   D0 EF       BNE   $B948    | 2 *
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

Despite being more "flexible" (matching $D5
or $D4), this disk's RWTS uses the same
number of bytes of code (5) and runs in the
same number of cycles (6) between one
nibble read and the next. Nice.

So we're done, right?

Not quite. Now my copy boots, loads DOS,
sounds like it loads that HELLO program,
then grinds and reboots.

Perhaps there is another RWTS embedded
inside the HELLO program? Or something
more sinister?

~

Chapter 2
I Like My Sinister-ness Mild, Not Extra
Spicy

Booting from a DOS 3.3 system master, I
can get a disk catalog of this non-working
disk.

]CATALOG

DISK VOLUME 254

 B 000 HELLO

Despite the obviously faked file length on
the HELLO program, the BLOAD command does
work as expected.

]BLOAD HELLO

]CALL -151

*AA72.AA73

AA72- 00 1C

*1C00L

; machine initialization stuff

1C00-   78          SEI
1C01-   20 2F FB    JSR   $FB2F
1C04-   20 84 FE    JSR   $FE84
1C07-   20 89 FE    JSR   $FE89
1C0A-   20 93 FE    JSR   $FE93
1C0D-   20 58 FC    JSR   $FC58

; test for Applesoft (a JMP at $E000),
; first with language card RAM switched
; in, then with ROM

1C10-   2C 80 C0    BIT   $C080
1C13-   A9 4C       LDA   #$4C
1C15-   CD 00 E0    CMP   $E000
1C18-   F0 30       BEQ   $1C4A
1C1A-   2C 81 C0    BIT   $C081
1C1D-   48          PHA
1C1E-   68          PLA
1C1F-   CD 00 E0    CMP   $E000
1C22-   F0 26       BEQ   $1C4A

If it doesn't find Applesoft, it prints an
error (not shown here).
*1C4AL

; fill part of main memory ($9D00-$B4FF)
; with $02 (A holds $02 from the TYA)

1C4A-   A2 18       LDX   #$18
1C4C-   A0 02       LDY   #$02
1C4E-   98          TYA
1C4F-   99 00 B4    STA   $B400,Y
1C52-   C8          INY
1C53-   D0 FA       BNE   $1C4F
1C55-   CE 51 1C    DEC   $1C51
1C58-   CA          DEX
1C59-   D0 F4       BNE   $1C4F

; hmm

1C5B-   A2 20       LDX   #$20
1C5D-   A9 88       LDA   #$88
1C5F-   A0 1C       LDY   #$1C
1C61-   20 9E 1C    JSR   $1C9E

*1C9EL

; save input registers (minus 3,
; apparently)

1C9E-   D8          CLD
1C9F-   CA          DEX
1CA0-   86 1A       STX   $1A
1CA2-   38          SEC
1CA3-   E9 03       SBC   #$03
1CA5-   85 18       STA   $18
1CA7-   B0 01       BCS   $1CAA
1CA9-   88          DEY
1CAA-   84 19       STY   $19

; set some RWTS IOB parameters: volume 0
; (match any), buffer $B500, command 1
; (read)

1CAC-   A0 00       LDY   #$00
1CAE-   8C F0 B7    STY   $B7F0
1CB1-   8C EB B7    STY   $B7EB
1CB4-   C8          INY
1CB5-   8C F4 B7    STY   $B7F4
1CB8-   A0 B5       LDY   #$B5
1CBA-   8C F1 B7    STY   $B7F1

; oh dear
; ($B991 is the address field epilogue
; check, $B935 the data field epilogue
; check)

1CBD-   A9 DA       LDA   #$DA
1CBF-   8D 91 B9    STA   $B991
1CC2-   8D 35 B9    STA   $B935

And there's our problem: the HELLO program
is resetting the patches I made to the RWTS
on disk. Further RWTS calls will fail
because the in-memory RWTS is once again
looking for the non-standard epilogues
("DA AA EB"), which I've since standardized
on every sector of the copy.

Returning to my trusty Disk Fixer sector
editor, I press "D" for directory mode and
follow the "HELLO" file to track $0C. (The
immediate byte at $1CBE is $BE bytes past
the load address; add the 4-byte header of
a binary file and it sits at offset $C2 of
the file's first data sector.)

T0C,S0C,$C2: DA -> DE

]PR#6

...works...

Quod erat liberandum.

~

Acknowledgments

Thanks to Ian Baronofsky for lending me the
original disk at Kansasfest 2017.

---------------------------------------
A 4am crack No. 1356
------------------EOF------------------
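Added example for Chapter 2, not code from the original write-up: a scanner that finds code like HELLO's LDA #$DA / STA $B991 / STA $B935 in a BLOADed binary file image and turns each hit into the byte to edit in the file's data sectors. It assumes the DOS 3.3 binary-file layout (a 4-byte header holding the load address and length, both little-endian, followed by the code) and takes $B991, $B935 and $B89E as the RWTS sites that hold an epilogue byte; the sample file is constructed from the bytes listed above, padded with NOPs before $1C9E so that the addresses line up with load address $1C00. Mapping the file's sector index 0 to a physical sector (T0C,S0C in the write-up) is done by the catalog's track/sector list, which is not modelled here.

```python
"""Added example: find and fix in-memory RWTS epilogue re-patching.

HELLO restores the non-standard epilogue byte into the RWTS after the
disk has been standardized (LDA #$DA / STA $B991 / STA $B935).  This
script scans a DOS 3.3 binary file image for that idiom and reports
the file offset, sector index and in-sector offset of the immediate
byte to change, then applies the change.  Scanning is a byte-pattern
search, not a disassembly, so a stray $A9 inside data could produce a
false hit; every hit is reported with its stores so it can be checked.
"""
import struct

# DOS 3.3 RWTS locations that hold the epilogue byte (assumed here).
RWTS_EPILOGUE_SITES = {
    0xB991: "address field epilogue check (read)",
    0xB935: "data field epilogue check (read)",
    0xB89E: "data field epilogue byte (write)",
}
HEADER_LEN = 4          # BSAVE header: load address, length (little-endian)
SECTOR_LEN = 256
STANDARD_EPILOGUE = 0xDE


def build_sample_hello() -> bytes:
    """Construct a binary file shaped like HELLO's $1C9E-$1CC4.

    The code bytes are those listed in the write-up; the bytes before
    $1C9E are NOP padding invented for this example so that the load
    address ($1C00) and the patch address ($1CBE) line up.
    """
    code = bytearray(b"\xEA" * (0x1C9E - 0x1C00))
    code += bytes.fromhex(
        "D8 CA 86 1A 38 E9 03 85 18 B0 01 88 84 19"          # $1C9E-$1CAB
        "A0 00 8C F0 B7 8C EB B7 C8 8C F4 B7 A0 B5 8C F1 B7"  # $1CAC-$1CBC
        "A9 DA 8D 91 B9 8D 35 B9"                             # $1CBD-$1CC4
    )
    return struct.pack("<HH", 0x1C00, len(code)) + bytes(code)


def find_epilogue_patches(image: bytes) -> list:
    """Find LDA #imm followed by STA abs into an RWTS epilogue site."""
    load_addr, _length = struct.unpack("<HH", image[:HEADER_LEN])
    code = image[HEADER_LEN:]
    hits = []
    i = 0
    while i + 1 < len(code):
        if code[i] == 0xA9:                          # LDA #imm
            j = i + 2
            targets = []
            while j + 2 < len(code) and code[j] == 0x8D:   # STA abs
                target = code[j + 1] | (code[j + 2] << 8)
                if target in RWTS_EPILOGUE_SITES:
                    targets.append(target)
                j += 3
            if targets:
                file_off = HEADER_LEN + i + 1        # the immediate byte
                hits.append({
                    "lda_addr": load_addr + i,
                    "value": code[i + 1],
                    "targets": targets,
                    "file_offset": file_off,
                    "sector_index": file_off // SECTOR_LEN,
                    "sector_offset": file_off % SECTOR_LEN,
                    "patch_to": STANDARD_EPILOGUE,
                })
                i = j
                continue
        i += 1
    return hits


def patch_image(image: bytes, hits: list) -> bytes:
    """Return a copy of the file with each found immediate set to $DE."""
    out = bytearray(image)
    for h in hits:
        out[h["file_offset"]] = h["patch_to"]
    return bytes(out)


if __name__ == "__main__":
    img = build_sample_hello()
    for h in find_epilogue_patches(img):
        sites = ", ".join(RWTS_EPILOGUE_SITES[t] for t in h["targets"])
        print(f"LDA #${h['value']:02X} at ${h['lda_addr']:04X} -> {sites}; "
              f"file sector {h['sector_index']} offset "
              f"${h['sector_offset']:02X}: ${h['value']:02X} -> "
              f"${h['patch_to']:02X}")
```

For the sample this reports the single hit at $1CBD with stores to $B991 and $B935 and the edit "file sector 0, offset $C2: $DA -> $DE", which is the T0C,S0C,$C2 patch once the catalog's track/sector list is consulted for sector 0 of the file.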