----------------Color Me--------------- A 4am crack 2018-08-29 --------------------------------------- Name: Color Me (*) Genre: educational Year: 1982 Credits: Cherie & Verne Bauman Publisher: Softsmith Platform: Apple ][+ or later Media: 5.25-inch disk Sides: 1 OS: custom Previous cracks: none (*) not to be confused with the 1985 "Color Me Coloring Kit" published by Mindscape. ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA immediate disk read error Locksmith Fast Disk Backup unable to read any track EDD 4 bit copy (no sync, no count) works Copy ][+ nibble editor modified address and data epilogues ("FF FF EB" instead of "DE AA EB") on all tracks Disk Fixer ["O"] for INPUT/OUTPUT CONTROL CHECKSUM ENABLED -> "NO" all tracks readable track 0 is a custom bootloader that loads the animated Softsmith logo track 2 looks like a standard RWTS but stored backwards (T02,S0F is normally T00,S01, T02,S0E is normally T00,S02, &c.) Passport converts to standard format but does not apply any patches; copy displays animated Softsmith logo then grinds and freezes Next steps: 1. Patch the RWTS on the normalized copy that Passport created 2. Test for secondary protections 3. Declare victory (*) (*) go to the gym ~ Chapter 1 In Which Our Adventure Begins, And Ends This disk uses a lightly modified DOS 3.3-style RWTS, but it's relocated to track 2 to make room for the Softsmith intro page. Passport doesn't know anything about this, so I get to patch it by hand like some kind of 20th century peasant. ; data epilogue (write) T02,S0E,$9E: FF -> DE T02,S0E,$A3: FF -> AA ; data epilogue (read) T02,S0D,$35: FF -> DE T02,S0D,$3F: FF -> AA ; address epilogue (read) T02,S0D,$91: FF -> DE T02,S0D,$9B: FF -> AA ; address epilogue (write) T02,S0A,$AE: FF -> DE T02,S0A,$B3: FF -> DE ]PR#6 ...works... There doesn't appear to be any way to save pictures to a data disk, so there is no RWTS swapper to worry about. Quod erat liberandum. ~ Epilogue: Further Hacking, Plus Actually Using It From reading the source code (more on that in a moment), you primarily use a joystick to move around and color, plus a few keyboard commands: joystick = move cursor button 0 = fill at joystick location C = clear picture N = select picture by number P = go to next picture Q = quit Pressing "Q" quits to a BASIC prompt with DOS still in memory, even on the original disk. "CATALOG" works. ]CATALOG DISK VOLUME 001 *A 006 HELLO *B 033 C1 *B 002 C2 *B 002 C3 *B 002 PLOAD *B 009 CM25.C *B 011 CM1.C *B 010 CM2.C *B 009 CM3.C *B 012 CM4.C *B 013 CM5.C *B 017 CM6.C *B 010 CM7.C *B 009 CM8.C *B 009 CM9.C *B 010 CM10.C *B 011 CM11.C *B 009 CM12.C *B 009 CM13.C *B 012 CM14.C *B 008 CM15.C *B 009 CM16.C *B 007 CM17.C *B 010 CM18.C *B 011 CM19.C *B 007 CM20.C *B 009 CM21.C *B 013 CM22.C *B 015 CM23.C *B 015 CM24.C B 002 CM21.A B 002 CM2.A B 002 CM6.A B 002 CM7.A B 002 CM10.A B 002 CM3.A B 002 CM4.A B 002 CM5.A *B 002 CM0.A B 002 CM9.A B 002 CM8.A B 002 CM1.A B 002 CM20.A B 002 CM11.A B 002 CM12.A B 002 CM13.A B 002 CM14.A B 002 CM15.A B 002 CM16.A B 002 CM17.A B 002 CM18.A B 002 CM19.A B 002 CM22.A B 002 CM23.A B 002 CM24.A B 002 CM25.A Any other command re-runs the program, but a quick "FP" will reset that RUN flag (zero page $D6) and allow you to LOAD HELLO and view the source code. ]FP ]LOAD HELLO ]LIST 10 XC = 21:YC = 168:P = 0:CL = 0 20 POKE 232,224: POKE 233,111: HGR : POKE - 16302,0: SCALE= 1: HCOLOR= 3: ROT= 0 60 PRINT : PRINT "BLOAD PLOAD": CALL 880 70 PRINT : PRINT "PLOAD C1,A$20 00" 71 PRINT "PLOAD C2,A$6FE0" 75 POKE 32769,32 80 KEEP = 33088: POKE KEEP,1 90 GOTO 612 ... Also crashes the program, so don't do that. ~ Acknowledgments Thanks to @DiskBlitz for the original disk! --------------------------------------- A 4am crack No. 1793 ------------------EOF------------------