--------Little People's Puzzles--------
A 4am crack                  2017-08-24
---------------------------------------

Name: Little People's Puzzles: Things
  That Go
Genre: educational
Year: 1984
Credits: F. Messina, C. Swenson
Publisher: Reader's Digest Services
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  reads track $00-$02 and track $11,
  but nothing else

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T00-T02 -> standard
  T03-T10 -> modified data prologue
    ("D5 AA D5" instead of "D5 AA AD")
  T11 -> standard
  T12-T22 -> modified data prologue
    (same as T03-T10)

Disk Fixer
  T00 -> bootloader starts off like
    Apple DOS 3.3 but quickly goes off
    into custom code
  ["O" -> "Input/Output Control"]
    set Address Prologue to "D5 AA D5"
  Success! T03-T10 and T12+ readable!

Passport
  successful demuffin, but no patches

                 --v--

READING FROM S6,D1
T00,S00 FOUND DOS 3.3 BOOTLOADER
USING DISK'S OWN RWTS
WRITING TO S5,D2

THE DISK WAS COPIED SUCCESSFULLY, BUT
PASSPORT DID NOT APPLY ANY PATCHES.

                 --^--

Yet, mysteriously, the copy produced by
Passport is able to read itself. What?

                   ~

               Chapter 1
    In Which We Angrily Investigate
  Why We Suddenly Have A Working Copy


Poking through track $00, I found the
code to match the custom data prologue.
It turns out to be quite... flexible:

                 --v--

T00,S03
----------- DISASSEMBLY MODE ----------
00DC:A0 20          LDY   #$20
00DE:88             DEY
00DF:F0 61          BEQ   $0142
00E1:BD 8C C0       LDA   $C08C,X
00E4:10 FB          BPL   $00E1
00E6:49 D5          EOR   #$D5
00E8:D0 F4          BNE   $00DE
00EA:EA             NOP
00EB:BD 8C C0       LDA   $C08C,X
00EE:10 FB          BPL   $00EB
00F0:C9 AA          CMP   #$AA
00F2:D0 F2          BNE   $00E6
00F4:A0 56          LDY   #$56
00F6:BD 8C C0       LDA   $C08C,X
00F9:10 FB          BPL   $00F6
00FB:C9 AA          CMP   #$AA
00FD:F0 F7          BEQ   $00F6   <-- !

                 --^--

Did you see that? It matches #$D5 for
the first nibble and $$AA for the
second, as usual. But for the third
nibble, it matches any value EXCEPT
#$AA. If it finds #$AA, it loops back
to $B8F6 to read another nibble.

That explains how some tracks on the
original disk can use a standard data
prologue while others are non-standard.
This code doesn't care either way. And
now that every track on my copy uses a
standard data prologue, this code still
doesn't care. So no RWTS patches are
required.

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1383
------------------EOF------------------