------------Bible Discovery------------ A 4am crack 2017-09-03 --------------------------------------- Name: Bible Discovery Genre: educational Year: 1986 Publisher: Santa Barbara Softworks Platform: Apple ][+ or later (64K) Media: double-sided 5.25-inch floppy OS: Apple Pascal Previous cracks: none ~ Only side A is bootable. Both sides are copyable with COPYA, but the copy hangs on boot. After some experimentation, I realized that the original disk was shipped write-protected (no physical notch on either side), so I tried write protecting my copy. Lo! Suddenly it works. Digging into my well worn copy of "Beneath Apple DOS," I find the code to detect if a disk is write-protected on page 6-3. --v-- SENSE WRITE PROTECT LDA $C08D,X LDA $C08E,X Sense write protect. BMI ERROR If high bit set, protected. --^-- OK then. Turning to my trusty Disk Fixer sector editor, I search for the sequence "BD 8D C0" (LDA $C08D,X). Lo! One match, on track 0, sector 1. --v-- T00,S01 ----------- DISASSEMBLY MODE ---------- 0092:BD 8D C0 LDA $C08D,X 0095:BD 8E C0 LDA $C08E,X 0098:30 7C BMI $0116 009A:AD 00 03 LDA $0300 009D:85 CF STA $CF 009F:A9 FF LDA #$FF 00A1:9D 8F C0 STA $C08F,X 00A4:1D 8C C0 ORA $C08C,X 00A7:48 PHA 00A8:68 PLA 00A9:EA NOP --^-- At offset $92, we're checking if the disk is write protected. At offset $98, we're branching if it is. Perhaps I can also branch if it isn't? i.e. Fake out the calling code to believe that the disk is always write- protected. I mean, the original disk was always write-protected, so what's the harm? T00,S01,$9A: AD00 -> 107A Now the disassembly looks like this: --v-- ----------- DISASSEMBLY MODE ---------- 0092:BD 8D C0 LDA $C08D,X 0095:BD 8E C0 LDA $C08E,X 0098:30 7C BMI $0116 009A:10 7A BPL $0116 009C:03 @@@ --^-- Branch if it's write protected, branch if it isn't. ]PR#6 ...works... Quod erat liberandum. --------------------------------------- A 4am crack No. 1397 ------------------EOF------------------