------------Kinder Koncepts------------
A 4am crack
2018-02-15
---------------------------------------

Name: Kinder Koncepts: Mathematics and Reading Readiness
Genre: educational
Year: 1983
Publisher: Midwest Software
Platform: Apple ][+ or later
Media: 5.25-inch disk
Sides: 1
OS: DOS 3.3
Previous cracks: none (Asimov has an uncracked .nib which works and an
  uncracked .dsk which doesn't)

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  read error on first pass

Locksmith Fast Disk Backup
  unable to read track 3

  copy boots to graphic title screen then grinds and hangs

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  track 3 has standard 16 sector structure but a non-standard epilogue
  ($DF instead of $DE for the first address epilogue nibble)

--v--
  COPY ][ PLUS BIT COPY PROGRAM 8.4
  (C) 1982-9 CENTRAL POINT SOFTWARE, INC.
  ---------------------------------------
  TRACK: 03  START: 29D2  LENGTH: 1891

  29B0: EF 9F E7 F9 FE FF FF FF  VIEW
  29B8: FF FF FF FF FF FF FF FF
  29C0: FF FF FF FF FF FF FF FF
  29C8: FF FF FF FF FF FF FF FF
  29D0: FF FF D5 AA 96 AA AA AB <-29D2
              ^^^^^^^^ address prologue
  29D8: AB AA AA AB AB DF AA FF
                       ^^^^^ address epilogue
  29E0: D2 FF FF FF FF FF D5 AA
  29E8: AD 96 96 96 96 96 96 96
  29F0: 96 96 96 96 96 96 96 96
--^--

Disk Fixer
  setting the first address epilogue nibble to $DF allows me to read the
  non-standard track 3 -- all sectors are full of zeroes

Why didn't COPYA work? non-standard epilogue on track 3

Why didn't Locksmith FDB work? probably a runtime protection check that
is verifying the non-standard structure on track 3

EDD worked. What does that tell us? the runtime protection check is weak,
only checking the epilogue nibble but not anything fancy with timing bits

Next steps:

  1. trace the startup program
  2. disable the runtime protection check
  3. declare victory (*)

(*) go to the gym

~

Chapter 1
Today Is A Good Day To Spy

[S6,D1=non-working copy]
]PR#6
]LIST
...continues booting...

Hmm. Someone set the "RUN" flag (zero page $D6) early enough that I can't
get to a working prompt.

]PR#6

; built-in command (not trapped by the
; "RUN" flag) clears the BASIC program
; in memory but also clears the "RUN"
; flag so further commands will work
; unimpeded
]FP

]CATALOG

DISK VOLUME 254

 B 002 CONCENTRATE.LTR
 B 015 CONCENTRATE.P
 A 010 CONCENTRATION
 B 016 COPY.LETTERS.P
 A 010 COPY.THE.LETTER
 A 011 DIFF.PATTERN
 B 008 DIFF.P
 B 011 DIFF.SHAPE.P
 B 002 DIFF.SHP
 A 010 DIFFERENT.SHAPE
 A 008 HELLO
 A 011 HIDDEN.WITHIN
 A 009 LETTER.MATCH
 B 013 LETTER.MATCH.P
 A 008 LETTER.ORDER
 A 010 LETTER.SEQUENCE
 A 010 LETTER.TWINS
 B 017 LETTER.TWINS.P
...

Don't tell me what I can't do. "HELLO" looks promising.

]LOAD HELLO
]LIST

20  REM HELLO PROGRAM FOR
30  REM KINDER KONCEPTS
40  REM (C) MIDWEST SOFTWARE,
50  REM 1983
60  LOMEM: 31744: REM $7C00
70  TEXT : HOME
80  PRINT CHR$ (27) CHR$ (17): REM SET 40 COLUMN MODE
90  D$ = CHR$ (4): DIM A$(15)
100 FOR J = 1 TO 15
110 READ A$(J)
120 NEXT
125 ONERR GOTO 6000
130 HGR : POKE - 16302,0: IF PEEK (1015) = 3 THEN 180
140 PRINT D$"BLOAD LOGO.P": PRINT D$"BRUN UNPACK"

My non-working copy appeared to get at least this far, because I saw the
graphic title screen before things went south.

150 PRINT D$"BLOAD MUSIC,A$300"
160 POKE 1014,0: POKE 1015,3
165 PRINT D$"BRUN MIDWEST,A$9AA6"

That looks suspicious.

]BLOAD MIDWEST,A$9AA6
]CALL -151

*9AA6L

; change first epilogue nibble
9AA6-   A9 DF       LDA   #$DF
9AA8-   8D 91 B9    STA   $B991

; execute an RWTS call (see below)
9AAB-   A0 BA       LDY   #$BA
9AAD-   A9 9A       LDA   #$9A
9AAF-   20 00 BD    JSR   $BD00

; on failure, branch to this address,
; i.e. hang forever
9AB2-   B0 FE       BCS   $9AB2

; restore first epilogue nibble
9AB4-   A9 DE       LDA   #$DE
9AB6-   8D 91 B9    STA   $B991
9AB9-   60          RTS

; RWTS parameter table for reading
; track 3, sector 0 into $9ACF
9ABA-   01 60 01 00 03 00
                    ^^ ^^
                  track sector
9AC0-   CB 9A CF 9A 00 00 01 00
              ^^^^^       ^^
             address    "read"
9AC8-   00 60 01 00 01 EF D8 00

The easiest patch would be to disable this routine altogether by placing
an "RTS" at $9AA6, but that leaves me vulnerable to a possible
second-level protection later, checking that the read actually happened
and some byte in $9ACF..$9BCE is really 0. Unlikely, but why take the
chance? So, I'll let the read happen but just change the epilogue value
at $9AA7 to the standard $DE.

My trusty Disk Fixer sector editor tells me that this "MIDWEST" file is
on track 7.

T07,S0A,$05: DF -> DE

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack No. 1696
------------------EOF------------------
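As an added example, not part of the original write-up, here is a Python script that finds the MIDWEST epilogue-check routine in a DOS-order .dsk image by its byte signature, decodes the RWTS parameter table it points at (which track and sector the check reads, into which buffer), and applies the one-byte $DF -> $DE change described above. It assumes DOS-order logical sector layout and that the routine sits at the very start of the BRUN file (as it does here, BRUN MIDWEST,A$9AA6); the sample image it builds is constructed from the bytes listed in the disassembly.

```python
import re
TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
# Check routine bytes as disassembled above; the RWTS table address bytes are wildcards.
CHECK_PATTERN = re.compile(
    rb"\xa9\xdf\x8d\x91\xb9"        # LDA #$DF / STA $B991 (expect non-standard epilogue)
    rb"\xa0(.)\xa9(.)\x20\x00\xbd"  # LDY #lo / LDA #hi / JSR $BD00 (RWTS call)
    rb"\xb0\xfe"                    # BCS *  (hang forever on read error)
    rb"\xa9\xde\x8d\x91\xb9\x60",   # LDA #$DE / STA $B991 / RTS (restore standard)
    re.DOTALL)

def sector_offset(track, sector):
    """Offset of a DOS 3.3 logical sector in a DOS-order .dsk image (assumption)."""
    return (track * SECTORS + sector) * SECTOR_SIZE

def find_check(image):
    """Locate the check and decode what it reads; None if the signature is absent."""
    m = CHECK_PATTERN.search(image)
    if m is None:
        return None
    code = m.start()
    # Assumes the routine starts the BRUN file, so the 4-byte header (address, length) precedes it.
    load_addr = int.from_bytes(image[code - 4:code - 2], "little")
    table_addr = m.group(2)[0] << 8 | m.group(1)[0]
    table = image[code + table_addr - load_addr:][:22]
    df = code + 1                                   # operand byte of LDA #$DF
    track, sector = divmod(df // SECTOR_SIZE, SECTORS)
    return {"df_offset": df,
            "location": (track, sector, df % SECTOR_SIZE),  # as a sector editor shows it
            "reads_track": table[4], "reads_sector": table[5],
            "buffer": table[9] << 8 | table[8], "command": table[12]}

def patch_image(image):
    """Apply the one-byte fix: have the check expect the standard $DE epilogue."""
    info = find_check(image)
    if info is None:
        raise ValueError("epilogue check routine not found")
    out = bytearray(image)
    out[info["df_offset"]] = 0xDE
    return bytes(out)

def build_sample_image():
    """Constructed 140K image holding only the MIDWEST bytes listed above at T07,S0A."""
    midwest = bytes.fromhex(
        "a69a2a00"                                  # BLOAD header: A$9AA6, length $2A
        "a9df8d91b9a0baa99a2000bdb0fea9de8d91b960"  # $9AA6-$9AB9, the check routine
        "016001000300cb9acf9a000001000060010001efd800")  # $9ABA-$9ACF, RWTS table
    image = bytearray(TRACKS * SECTORS * SECTOR_SIZE)
    off = sector_offset(7, 0x0A)
    image[off:off + len(midwest)] = midwest
    return bytes(image)
```

Running find_check on the sample reports the $DF byte at track 7, sector $0A, offset $05, and a read of track 3, sector 0 into $9ACF, matching the sector-editor location and the parameter table above.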