---------------Roundabout--------------
A 4am crack                  2018-01-31
---------------------------------------

Name: Roundabout
Genre: arcade
Year: 1983
Credits: Gumby Bitworks
Publisher: Datamost
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3

This disk was automatically converted to
a standard format by Passport. Here is
the transcript:

--v--
READING FROM S6,D1
T00,S00 FOUND DOS 3.3 BOOTLOADER
USING DISK'S OWN RWTS
T22 IS UNFORMATTED
WRITING TO S5,D2
T21 IS UNFORMATTED
T20 IS UNFORMATTED
T1F IS UNFORMATTED
T1E IS UNFORMATTED
THE DISK WAS COPIED SUCCESSFULLY, BUT
PASSPORT DID NOT APPLY ANY PATCHES.

POSSIBLE REASONS:
- THE SOURCE DISK IS NOT COPY PROTECTED.
- THE TARGET DISK WORKS WITHOUT PATCHES.
- THE DISK USES AN UNKNOWN PROTECTION,
  AND PASSPORT CAN NOT HELP ANY FURTHER.
--^--

More information and source code is
available at
https://archive.org/details/Passport4am

                   ~

The copy does not, in fact, work. It
boots and immediately starts grinding as
though it is unable to read itself.

Turning to my trusty Disk Fixer sector
editor, I see a mostly standard DOS 3.3
shaped bootloader with some custom code
in T00,S01 to load the game after the
RWTS is in place. All RWTS prologue and
epilogue code is normal, so there must
be some code elsewhere that is changing
it.

Aha! Found it. At $B9A0, which is the
main entry point for the track seek
routine (to change to a different track
for any reason), I see this:

--v--
T00,S03
----------- DISASSEMBLY MODE ----------
00A0:4C AF BE    JMP   $BEAF
00A3:2A          ROL
00A4:CD 78 04    CMP   $0478
00A7:F0 53       BEQ   $00FC
--^--

The "2A" byte at offset $A3 is actually
part of the code that belongs there --
it's normally "STX $2B / STA $2A" --
which tells me that this JMP opcode has
been grafted on top of the normal DOS
routine.

$BEAF is loaded from T00,S08, so let's
look there.

--v--
T00,S08
----------- DISASSEMBLY MODE ----------
; code that was originally at $B9A0
00AF:85 2A       STA   $2A
00B1:86 2B       STX   $2B

; set epilogue
00B3:A9 DE       LDA   #$DE
00B5:8D 9E B8    STA   $B89E
00B8:8D AE BC    STA   $BCAE
00BB:8D 35 B9    STA   $B935
00BE:8D 91 B9    STA   $B991

; check track (actually phase, which is
; track x2)
00C1:A5 2A       LDA   $2A

; track $11 or above?
00C3:C9 22       CMP   #$22

; yes, branch
00C5:B0 15       BCS   $00DC

; no, fall through and change epilogues
; again
00C7:A9 DF       LDA   #$DF
00C9:8D 9E B8    STA   $B89E
00CC:8D AE BC    STA   $BCAE
00CF:8D 35 B9    STA   $B935
00D2:8D 91 B9    STA   $B991

; continue with regular code
00D5:A6 2B       LDX   $2B
00D7:A5 2A       LDA   $2A
00D9:4C A4 B9    JMP   $B9A4

; execution continues here (from $BEC5)
; add 1 to the phase
00DC:18          CLC
00DD:69 01       ADC   #$01
00DF:85 2A       STA   $2A

; and continue with regular code
00E1:4C A4 B9    JMP   $B9A4
--^--

Oh wow. The first half of the disk is
relatively normal (modified epilogues
but nothing crazy). The second half --
track $11 and above -- stores data one
half track higher than usual. So data on
track $11 is really on $11.5.

Examining the original disk with the
Copy II Plus nibble editor confirms this
analysis:

--v--
COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 11.50  START: 1800  LENGTH: 3DFF
       ^^^^^
     half-track

1910: 96 96 96 96 96 96 96 96   VIEW
1918: 96 96 96 96 96 96 96 96
1920: 96 96 DE AA EB FA F9 FE
1928: FF FF FF FF FF FF FF FF
1930: FF FF FF FF FF D5 AA 96   <-1935
                     ^^^^^^^^
                 address prologue

1938: FF FE AA BB AE AF FB EA
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      V=254 T=$11 S=$0D chksm

1940: DE AA E9 FF FF 9E FF FF
      ^^^^^
 address epilogue

1948: FF FF FF D5 AA AD 96 96
               ^^^^^^^^
            data prologue
--^--

The funny thing is that, because the
half-track shift is handled entirely
within the RWTS, Passport was able to
normalize the disk. The data on track
$11.5 was read from track $11.5 and
written out to track $11, and so on.
The RWTS knows how to read the entire
disk, and that's exactly what Passport
did.

The only thing left to do is restore the
original code at $B9A0 instead of
jumping to $BEAF:

T00,S03,$A0: 4CAFBE -> 862B85

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1654
------------------EOF------------------
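
Added example (not part of the original write-up and not Passport's code): a Python model that decodes the address field from the nibble dump above and mirrors the seek patch at $BEAF, tying the two together: the sector labeled T=$11 is found at physical track 17.5 ($11.5) with a $DE epilogue byte. The function names are hypothetical, the sample bytes are copied from the dump at $1935-$1942, and the 4-and-4 decoding and XOR checksum are the standard DOS 3.3 address field encoding, which the write-up uses but does not spell out.

```python
# Constructed sample: the bytes at $1935-$1942 of the track $11.5 dump above.
DUMP = bytes.fromhex("D5AA96" "FFFE" "AABB" "AEAF" "FBEA" "DEAAE9")
ADDRESS_PROLOGUE = bytes.fromhex("D5AA96")


def decode_44(first, second):
    """Undo 4-and-4 encoding: odd data bits in `first`, even bits in `second`."""
    return ((first << 1) | 1) & second & 0xFF


def parse_address_field(nibbles):
    """Return volume, track, sector, checksum status and first epilogue byte."""
    start = nibbles.find(ADDRESS_PROLOGUE)
    if start < 0 or len(nibbles) < start + 12:
        raise ValueError("no complete address field in nibble stream")
    body = nibbles[start + 3:start + 11]
    volume, track, sector, checksum = (
        decode_44(body[i], body[i + 1]) for i in range(0, 8, 2)
    )
    return {
        "volume": volume,
        "track": track,
        "sector": sector,
        "checksum_ok": checksum == (volume ^ track ^ sector),
        "epilogue": nibbles[start + 11],
    }


def patched_seek(phase):
    """Model of the routine at $BEAF: (phase passed on to $B9A4, epilogue byte)."""
    if phase >= 0x22:            # CMP #$22 / BCS: track $11 or above
        return phase + 1, 0xDE   # one extra phase = one half track higher
    return phase, 0xDF           # lower tracks: unshifted, epilogue byte $DF


def physical_track(logical_track):
    """Head position, in tracks, that the patched RWTS seeks to."""
    phase, _ = patched_seek(logical_track * 2)
    return phase / 2


if __name__ == "__main__":
    field = parse_address_field(DUMP)
    _, expected_epilogue = patched_seek(field["track"] * 2)
    print(field, physical_track(field["track"]))
    print("epilogue matches seek patch:", field["epilogue"] == expected_epilogue)
```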