----------------Neutrons---------------
A 4am crack                   2017-08-13
---------------------------------------

Name: Neutrons
Genre: arcade
Year: 1981 (*)
Publisher: Level-10 (a division of Dakin5 Corporation)
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: by Master Disk (file)

(*) There is no visible copyright date on the disk label or in the game, but I found the original trademark application for "Neutrons" by Dakin5 Corporation. It lists the "first use in commerce" date as 1981-12-17.

~

Chapter 0
In Which The Tools Do Not Save Us

This disk was automatically cracked by Passport. Here is the transcript:

--v--
Reading from S6,D1
T00,S00 Found DOS 3.3 bootloader
Using disk's own RWTS
Writing to S6,D2
T00,S03,$35: AA -> DE
T00,S03,$3F: DE -> AA
T00,S02,$9E: AA -> DE
T00,S02,$A3: DE -> AA
Crack complete.
--^--

[Narrator] But the crack was not complete.

The copy that Passport produces is in a standard format, fully readable by third-party tools. But when I boot it, it immediately starts grinding like it can't read itself.

Hmm.

~

Chapter 1
It's Only Metadata

Turning, as one does, to my trusty sector editor, I examined the RWTS code and found an unpatched JMP. This is in the routine that starts at $B944, which finds the address prologue, parses the address field, then finds the address epilogue.

--v--
T00,S03 ($B900)
----------- DISASSEMBLY MODE ----------

; find first nibble of address epilogue
; as usual

008B:BD 8C C0  LDA $C08C,X
008E:10 FB     BPL $008B
0090:C9 DE     CMP #$DE
0092:D0 AE     BNE $0042
0094:EA        NOP
0095:BD 8C C0  LDA $C08C,X
0098:10 FB     BPL $0095

; wait, what?

009A:4C B3 B6  JMP $B6B3
--^--

$B600 is loaded from T00,S00.

--v--
T00,S00 ($B600)
----------- DISASSEMBLY MODE ----------

; check for standard second epilogue
; nibble ($AA)

00B3:C9 AA     CMP #$AA
00B5:D0 0C     BNE $00C3

; take track number (parsed from
; address field)

00B7:A5 2E     LDA $2E
00B9:F0 04     BEQ $00BF

; if track > 0, munge it ?!?!?

00BB:49 7E     EOR #$7E
00BD:85 2E     STA $2E

; clear carry on the way out (so RWTS
; doesn't complain)

00BF:A9 AA     LDA #$AA
00C1:18        CLC
00C2:60        RTS

; oh, and if the second epilogue
; doesn't match, immediately reboot
; (friendly! but not the cause of our
; current problem)

00C3:4C 00 C6  JMP $C600
--^--

What the hell is going on?

To answer that burning question, let's turn to a raw nibble view, via the Copy II Plus nibble editor.

--v--
COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
TRACK: 01  START: 2C9D  LENGTH: 18A6

2C78: FF FC FF FF FF FF FF FF     VIEW
2C80: FF FF FF FF FF FF FF FF
2C88: FF FF FF FF FF AB AB AB
2C90: AB AB AB AB AB AB AB AB
2C98: AB AB AB AB AB D5 AA 96 <-2C9D
                     ^^^^^^^^
                     address prologue
2CA0: FF FE BF FF AA AA EA AB
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      V=254 T=$7F S=$00 chksm
2CA8: DE AA AB AB AB AB AB AB
      ^^^^^
      address epilogue
2CB0: AB AB AB AB D5 AA AD F2
2CB8: FA D7 D7 A6 BE FE F7 FB
--^--

Every track (except track 0) has intentionally corrupted metadata -- the track number has been XOR'd with #$7E. Bad disk! Stop lying!

(Passport uses the disk's own RWTS to read the disk but uses standard ProDOS calls to write the data out to a copy. It didn't even notice the corrupted metadata, because it was corrupted in exactly the way that the disk's own code expected. But Passport didn't fully patch the copy either. Maybe the next version...)

That also explains the grinding: the copy stores the real track numbers, so the unpatched EOR #$7E now turns every correct track number into a wrong one. The RWTS never sees the track it asked for, and the drive retries and recalibrates without end.

Since my copy is no longer lying about which track is which, the RWTS needs to get with the program and stop altering the track number of every sector.

; $B6BD: "STA $2E" -> "BIT $2E"
T00,S00,$BD: 85 -> 24

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack No. 1362
------------------EOF------------------
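Appendix, added example (not part of 4am's write-up or of any Passport or DOS 3.3 code): the script below decodes the 4-and-4 address field shown in the Copy II Plus nibble dump, models what the code at $B6B3-$B6BD leaves in $2E before and after the STA $2E -> BIT $2E patch, and applies that patch to a sector image. The T01,S00 address field is copied from the nibble dump; the "standard copy" address field and the 256-byte T00,S00 image are constructed (the image carries only the bytes shown in the disassembly, zero-filled elsewhere). The track-mismatch model of the grinding is a simplification of the real RWTS retry/recalibrate loop.

```python
# Added example (not from 4am's write-up): decode the 4-and-4 address
# field from the nibble dump, model the EOR #$7E track munge at
# $B6B3-$B6BD, and apply the STA $2E -> BIT $2E patch to a sector image.

# Address field of T01,S00 as shown by the Copy II Plus nibble editor:
# prologue, then V/T/S/checksum as 4-and-4 pairs, then epilogue.
ORIGINAL_T01_S00 = bytes.fromhex("D5 AA 96 FF FE BF FF AA AA EA AB DE AA")

# Constructed 256-byte image of T00,S00 ($B600): only $B3-$C5 carry the
# bytes from the disassembly; the rest is zero-filled for this demo.
SECTOR_T00_S00 = bytearray(256)
SECTOR_T00_S00[0xB3:0xC6] = bytes.fromhex(
    "C9 AA D0 0C A5 2E F0 04 49 7E 85 2E A9 AA 18 60 4C 00 C6")

MUNGE = 0x7E  # operand of the EOR at $B6BB


def decode_44(odd, even):
    """DOS 3.3 4-and-4 decode: value = ((odd << 1) | 1) & even."""
    return ((odd << 1) | 1) & even


def encode_44(value):
    """4-and-4 encode: odd nibble carries bits 7,5,3,1; even carries 6,4,2,0."""
    return ((value >> 1) & 0x55) | 0xAA, (value & 0x55) | 0xAA


def parse_address_field(nibbles):
    """Parse D5 AA 96, V T S chk (4-and-4), DE AA; raise on any mismatch,
    which is where the real RWTS retries (or, at $B6C3, reboots)."""
    if nibbles[0:3] != b"\xD5\xAA\x96":
        raise ValueError("address prologue not found")
    vol, trk, sec, chk = (decode_44(nibbles[i], nibbles[i + 1])
                          for i in (3, 5, 7, 9))
    if chk != vol ^ trk ^ sec:
        raise ValueError("address checksum mismatch")
    if nibbles[11:13] != b"\xDE\xAA":
        raise ValueError("address epilogue not found")
    return {"volume": vol, "track": trk, "sector": sec}


def build_address_field(volume, track, sector):
    """Inverse of parse_address_field, used to construct the address field
    a standard (un-munged) copy would carry."""
    field = bytearray(b"\xD5\xAA\x96")
    for v in (volume, track, sector, volume ^ track ^ sector):
        field.extend(encode_44(v))
    return bytes(field + b"\xDE\xAA")


def rwts_track(stored_track, patched):
    """Value left in $2E by $B6B7-$B6BD. Unpatched: BEQ skips track 0,
    every other track gets EOR #$7E / STA $2E. Patched: STA became BIT,
    so the EOR result is dropped and $2E keeps the parsed track."""
    if stored_track == 0 or patched:
        return stored_track
    return stored_track ^ MUNGE


def apply_4am_patch(sector):
    """T00,S00,$BD: 85 -> 24 (STA $2E -> BIT $2E). Refuses to touch a
    sector that does not carry EOR #$7E / STA $2E at $BB, so the patch
    cannot silently land on some other disk's RWTS."""
    if len(sector) != 256:
        raise ValueError("expected a 256-byte sector image")
    if sector[0xBB:0xBF] != bytes.fromhex("49 7E 85 2E"):
        raise ValueError("EOR #$7E / STA $2E not found at $BB")
    patched = bytearray(sector)
    patched[0xBD] = 0x24
    return bytes(patched)


def walk_through():
    """Replay the write-up on T01,S00 and return what each RWTS sees."""
    orig = parse_address_field(ORIGINAL_T01_S00)              # track reads $7F
    on_original = rwts_track(orig["track"], patched=False)   # $7F ^ $7E = 1
    # Passport's copy carries the true track number in the address field...
    copy_track = parse_address_field(
        build_address_field(orig["volume"], on_original, orig["sector"]))["track"]
    # ...so the still-munging RWTS turns 1 into $7F, never matches the track
    # it seeked to, and the drive recalibrates forever: the "grinding".
    return {
        "stored_on_original": orig["track"],
        "original_rwts_sees": on_original,
        "copy_unpatched_sees": rwts_track(copy_track, patched=False),
        "copy_patched_sees": rwts_track(copy_track, patched=True),
    }


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name:22s} ${value:02X}")
    fixed = apply_4am_patch(bytes(SECTOR_T00_S00))
    print("patched T00,S00,$BD =", hex(fixed[0xBD]))
```

The byte-level check in apply_4am_patch is the part worth copying: a one-byte RWTS patch is only safe when the surrounding opcodes confirm you are looking at the code you disassembled, which is exactly what the sector editor lets you verify by eye.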