-------------Magic Slate 40------------
A 4am crack
2017-08-25
---------------------------------------

Name: Magic Slate 40-column
Version: 1.4
Genre: productivity
Year: 1987
Credits: Donna Stanger, Paul Elseth
Publisher: Sunburst Communications
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom
Previous cracks: none
Similar cracks: #1005 Magic Slate 80 v1.4

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  fails on first pass

Locksmith Fast Disk Backup
  unable to read track $01

EDD 4 bit copy (no sync, no count)
  works

Copy ][+
  disk presents a ProDOS catalog

--v--
CATALOG DISK
SLOT 6 DRIVE 1

/MAGIC.SLATE.40

 NAME        TYPE BLKS  MODIFIED
 MS           SYS   32 16-JUL-87
 MS.CONFIG    BIN    3
 MS.EDIT40    SYS   53 03-SEP-87
 MS.PRINT40   SYS   45 07-JUL-87
 MS.UTILS40   SYS   28 19-OCT-87

BLOCKS FREE:104 USED:176 TOTAL:280
--^--

Copy ][+ nibble editor
  T01 has no structure at all, no data, just sync bytes and scattered nibbles

--v--
     COPY ][ PLUS BIT COPY PROGRAM 8.4
 (C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
TRACK: 01   START: 1800   LENGTH: 3DFF
---------------------------------------
4CF8: FF FF FF FF FF FF FF FF    VIEW
4D00: FF FF FF FF FF FF FF FF
4D08: FF FF E4 FF FF FF FF FF
4D10: FF B9 FF FF FF FF FF E4
4D18: FF FF FF FF FF D5 BE EC  <-4D1D
4D20: F4 F4 F4 F4 F4 F4 FF FF
4D28: FF FF FF FF FF FF FF FF
4D30: FF FF FF D2 D2 D2 FF FF    FIND:
4D38: FF FF FF FF FF FF FF FF    D5
---------------------------------------
 A TO ANALYZE DATA     ESC TO QUIT
 ? FOR HELP SCREEN     / CHANGE PARMS
 Q FOR NEXT TRACK      SPACE TO RE-READ
--^--

Disk Fixer
  T00 has standard ProDOS bootloader and disk catalog (see Copy ][+ above),
  but the disk does not sound or look like ProDOS when it boots. No way to
  read T01.

Why didn't COPYA work?
  Track $01 is missing/unreadable

Why didn't Locksmith FDB work?
  probably a runtime check that ensures that track $01 is missing/unreadable

EDD worked. What does that tell us?
  No half or quarter tracks, because I didn't even try to copy those.
There is definitely a run-time protection check of some kind, but it's
probably just checking that track $01 is unreadable.

Next steps:

1. Search disk for common elements of a run-time protection check
2. If that fails, trace the boot
3. If that fails, I dunno, go feed the ducks or something

~

Chapter 1
In Which We Get Lucky, To The Detriment Of The Ducks

On the theory that some code on disk is trying to access track $01, and thus
noticing if it's unexpectedly readable, let's enumerate some of the ways that
could happen:

- Reading a file that is mapped to the unreadable track $01. Copy II+ "disk
  map" shows there are no files mapped to track $01, so let's rule that out.
  In fact, the first file suspiciously skips over the track altogether:

--v--
DISK MAP
SLOT 6 DRIVE 1

/MAGIC.SLATE.40/MS

TRACK                1               2
     0123456789ABCDEF0123456789ABCDEF012
  S0 ..****.............................
  EE ..****.............................
  CD ..****.............................
  TC ..****.............................
  OB ..****.............................
  RA ..****.............................
   9 ..****.............................
   8 ..****.............................
   7 ..****.............................
   6 ..****.............................
   5 ..****.............................
   4 ..****.............................
   3 ..****.............................
   2 ..****.............................
   1 *.***..............................
   F *.***..............................

USE ARROW KEYS TO MAP OTHER FILES
--^--

- Issuing a ProDOS MLI "raw block read" and checking the return code. This
  is a popular technique under ProDOS, partly because it can be adapted to
  work on 3.5-inch and 5.25-inch disks. But I'm not sure if this disk is
  really full ProDOS or if it just uses the ProDOS disk structure for
  convenience. At any rate, a sector search for "20 00 BF" (a JSR to the
  standard ProDOS MLI entry point) yields precisely zero results, so...

- Manually seeking to the track and looking for a nibble sequence.
  There is no explicit support for "seeking to a particular track" unless
  you're calling ProDOS internals. Without calling into ProDOS, this
  technique would require low-level disk access (turning on the drive and
  hitting the right stepper motors and whatnot). Here are some
  possibilities:

    "BD 89 C0" (LDA $C089,X) ; drive on
    "AD E9 C0" (LDA $C0E9)   ; drive on
    "BD 80 C0" (LDA $C080,X) ; stepper

And lo! A search for "BD 89 C0" yields several results.

--v--
------------- DISK SEARCH -------------

$00/$0E-$A7
$02/$0D-$53
$05/$0A-$76
$13/$07-$2F
--^--

- T00,S0E is part of PRODOS (although I think it's called "MS" on this
  disk).

- T05,S0A appears to be legitimate RWTS code of some sort. (The existence
  of "LDA $C08A,X" nearby is a strong indication of legitimacy; RWTS code
  needs to deal with both drives, but copy protection routines rarely work
  on anything but drive 1.)

- T13,S07 is similarly unsuspicious.

That leaves T02,S0D. And that is a different kettle of nibbles altogether.

~

Chapter 2
A Different Kettle of Nibbles

The routine containing "LDA $C089,X" appears to start at offset $3B:

--v--
T02,S0D
----------- DISASSEMBLY MODE ----------

; save flags
003B:08       PHP

; prevent interrupts
003C:78       SEI

; not sure what this does
003D:84 46    STY $46
003F:84 47    STY $47
0041:20 00 08 JSR $0800
0044:A9 08    LDA #$08
0046:85 46    STA $46
0048:A9 00    LDA #$00
004A:85 47    STA $47
004C:85 42    STA $42
004E:20 00 08 JSR $0800

; turn on drive motor manually
0051:A6 07    LDX $07
0053:BD 89 C0 LDA $C089,X
0056:BD 8E C0 LDA $C08E,X

; set up Death Counter
0059:A0 00    LDY #$00
005B:84 08    STY $08
005D:C8       INY
005E:D0 04    BNE $0064
0060:E6 08    INC $08

; if Death Counter hits 0, fail
0062:F0 1F    BEQ $0083

; match nibble sequence "D5 BE EC"
0064:BD 8C C0 LDA $C08C,X
0067:10 FB    BPL $0064
0069:C9 D5    CMP #$D5
006B:D0 F0    BNE $005D
006D:BD 8C C0 LDA $C08C,X
0070:10 FB    BPL $006D
0072:C9 BE    CMP #$BE
0074:D0 F3    BNE $0069
0076:BD 8C C0 LDA $C08C,X
0079:10 FB    BPL $0076
007B:C9 EC    CMP #$EC
007D:D0 EA    BNE $0069

; restore flags, clear carry, and exit
007F:28       PLP
0080:18       CLC
0081:90 02    BCC $0085

; restore flags, set carry, and exit
0083:28       PLP
0084:38       SEC

; turn off drive motor on the way out
0085:BD 88 C0 LDA $C088,X
0088:60       RTS
--^--

Pretty straightforward. We're looking for a non-standard nibble sequence
that doesn't normally exist. But it does exist on track $01 -- I saw it
earlier in the Copy II Plus nibble editor.

The caller expects the carry flag to be clear on success or set on failure
(like DOS and ProDOS conventions). If I change the failure path at offset
$83 to match the success path at offset $7F, the caller will always think
the protection check succeeded. In other words, change the "SEC" to a
"CLC".

T02,S0D,$84: 38 -> 18

Quod erat liberandum.

---------------------------------------
A 4am crack No. 1384
------------------EOF------------------
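The check disassembled in Chapter 2, replayed in Python as an added example that is not code from the write-up: protection_check() runs the Death Counter and the "D5 BE EC" matcher over a constructed nibble stream, and patch_image() applies the T02,S0D,$84 byte change to a disk image; the DOS-order .dsk layout and the sample nibble streams are assumptions for the example.

```python
"""Model of the nibble-signature check disassembled from T02,S0D, and the
one-byte SEC -> CLC patch.  Added example, not the write-up's own code.
Assumes a constructed nibble list that repeats like a spinning track, and a
DOS-order .dsk image (track*16 + sector, 256 bytes per sector)."""

def protection_check(nibbles):
    """Emulate $0059-$0088: True (carry clear) if D5 BE EC is seen before the
    16-bit Death Counter (Y low byte, $08 high byte) wraps to 0, else False
    (carry set).  The BPL wait loops collapse to one read() per nibble."""
    pos = 0
    def read():                                # LDA $C08C,X, disk spins forever
        nonlocal pos
        nib = nibbles[pos % len(nibbles)]
        pos += 1
        return nib
    counter = 0                                # LDY #$00 / STY $08
    while True:
        counter = (counter + 1) & 0xFFFF       # $005D INY, $0060 INC $08
        if counter == 0:
            return False                       # $0062 BEQ $0083 -> PLP / SEC
        nib = read()                           # $0064
        # $0069: a miss on BE or EC comes back here with the nibble already in
        # hand, so "D5 D5 BE EC" still matches and the counter is not bumped
        while nib == 0xD5:
            nib = read()                       # $006D
            if nib != 0xBE:
                continue                       # $0074 BNE $0069
            nib = read()                       # $0076
            if nib != 0xEC:
                continue                       # $007D BNE $0069
            return True                        # $007F PLP / CLC

def patch_image(image, track=0x02, sector=0x0D, offset=0x84):
    """Apply 'T02,S0D,$84: 38 -> 18' to a DOS-order .dsk (bytearray),
    refusing if the byte there is not the SEC the write-up expects."""
    idx = (track * 16 + sector) * 256 + offset
    if image[idx] != 0x38:
        raise ValueError("expected $38 at T%02X,S%02X,$%02X, found $%02X"
                         % (track, sector, offset, image[idx]))
    image[idx] = 0x18
    return idx

# Constructed nibble streams, loosely modelled on the nibble editor dump above
TRACK01 = [0xFF] * 8 + [0xE4, 0xFF, 0xB9, 0xD5, 0xBE, 0xEC] + [0xF4] * 6
SYNC_ONLY = [0xFF] * 32                          # an ordinary track: no signature
FALSE_START = [0xD5, 0xBE, 0xFF, 0xD5, 0xD5, 0xBE, 0xEC]  # exercises the $0069 path

if __name__ == "__main__":
    for name, stream in (("track $01", TRACK01), ("sync only", SYNC_ONLY)):
        print(name, "->", "CLC (pass)" if protection_check(stream) else "SEC (fail)")
```

Because the loop only bumps the counter on the first-nibble miss, a stream that never leaves the D5/BE re-compare path would spin forever, exactly as the original routine would.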