------------Buzz Bang Harvey-----------
A 4am crack                  2019-03-05
---------------------------------------

Name: Buzz Bang Harvey
Genre: educational
Year: 1984
Authors: Scott Rackey
Publisher: Queue, Inc.
Platform: Apple ][+ or later
Media: 5.25-inch disk
Sides: 1
OS: DOS 3.3
Previous cracks: none
Similar cracks:
  #607 German Vocabulary Games

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  can't read anything past track $02

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T03+ have modified prologues
  address: "BA AA 96"
  data: "D5 AA 96"

Disk Fixer
  T00 -> looks like a DOS 3.3 RWTS
  T00-T02 -> looks like a full DOS
  T01,S09 -> startup program is "HELLO"
  T03+ unreadable
  ["O" -> "Input/Output Control"]
    set address prologue to "BA AA 96"
    set data prologue to "D5 AA 96"
  Success! T03+ readable
  T11 -> standard DOS 3.3 disk catalog

Why didn't COPYA work?
  modified address and data prologues
  on track $03+

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC1:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC2:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC3:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC4:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC5:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC6:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC7:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC8:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SC9:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCA:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCB:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCC:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCD:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCE:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
SCF:...RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Drat. I was hoping the RWTS was smart
enough to use the proper address and
data prologues based on which track is
being read. But it looks like it's a
one-shot change after DOS is loaded.

I need to dig deeper to find out where
that change happens.

                   ~

               Chapter 2
         In Which We Discover
        A Historical Curiosity


]PR#5
...
]BLOAD BOOT1,A$3600
]CALL -151

*B600<3600.3EFFM
*B700L
.
. all normal, until...
.
B747-   4C 82 A2    JMP   $A282

That normally jumps to $9D84 to cold-
start DOS, load the startup program,
and so on and so forth. But first,
we're doing a little something extra
at $A282. That is normally part of the
RENAME command handler, but I'm going
to go out on a limb here and guess that
we're not really renaming anything.

Let's see what's hiding there instead.

*9600<C600.C6FFM

; set up callback #1 after boot0 loads
; boot1
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; (callback #1) set up callback #2
; after boot1 loads boot2
970A-   A9 4C       LDA   #$4C
970C-   8D 47 B7    STA   $B747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 B7    STA   $B748
9714-   A9 97       LDA   #$97
9716-   8D 49 B7    STA   $B749

; continue the boot
9719-   4C 00 B7    JMP   $B700

; (callback #2) copy entire DOS into
; lower memory so it survives a reboot
; to my work disk
971C-   A2 23       LDX   #$23
971E-   A0 00       LDY   #$00
9720-   B9 00 9D    LDA   $9D00,Y
9723-   99 00 1D    STA   $1D00,Y
9726-   C8          INY
9727-   D0 F7       BNE   $9720
9729-   EE 22 97    INC   $9722
972C-   EE 25 97    INC   $9725
972F-   CA          DEX
9730-   D0 EE       BNE   $9720

; and reboot to my work disk
9732-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$135
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2,A$1D00,L$2300
]CALL -151

*FE89G FE93G      ; disconnect DOS
*9D00<1D00.3FFFM  ; move DOS into place

*A282L

; clear some memory
A282-   A0 79       LDY   #$79
A284-   A9 60       LDA   #$60
A286-   A2 00       LDX   #$00
A288-   9D 8E AE    STA   $AE8E,X
A28B-   E8          INX
A28C-   88          DEY
A28D-   D0 F9       BNE   $A288
A28F-   8D 4F A5    STA   $A54F
A292-   8D 50 A5    STA   $A550

; and continue elsewhere
A295-   4C 32 A3    JMP   $A332

(By the way, $A281 is just an RTS, in
case you actually tried to rename a
file.)

*A332L

; change address prologue
A332-   A9 BA       LDA   #$BA
A334-   8D 55 B9    STA   $B955
A337-   8D 7A BC    STA   $BC7A

; change data prologue
A33A-   A9 96       LDA   #$96
A33C-   8D 5D B8    STA   $B85D
A33F-   8D FC B8    STA   $B8FC

; change the value used as a self-sync
; byte between sectors
A342-   A9 FA       LDA   #$FA
A344-   8D 60 BC    STA   $BC60

; and continue with the boot
A347-   4C 84 9D    JMP   $9D84

Early nibble copiers got confused by
disks that used nonstandard values for
sync bytes. Using $FA instead of $FF
was, at one point, an effective form of
copy protection. It doesn't affect what
I need to do to deprotect the disk,
though. Just a historical curiosity.

                   ~

               Chapter 3
In Which We Attempt To Use The Original
   Disk As A Weapon Against Itself,
                 Again


I'm going to let this code make the
modifications it wants to make, then
save the RWTS and plug it into Advanced
Demuffin.

*A347:60         ; don't jump to $9D84
*A282G           ; change the RWTS
*3800<B800.BFFFM ; copy the RWTS
*C500G           ; reboot to work disk
...
]BSAVE RWTS 3+,A$3800,L$800

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS 3+" from D1

["6" to switch to slot 6]

["C" to convert disk]

["Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $03        <-- change this
START SECTOR: $00
END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

And here we go...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:   ................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:   ................................
SC1:   ................................
SC2:   ................................
SC3:   ................................
SC4:   ................................
SC5:   ................................
SC6:   ................................
SC7:   ................................
SC8:   ................................
SC9:   ................................
SCA:   ................................
SCB:   ................................
SCC:   ................................
SCD:   ................................
SCE:   ................................
SCF:   ................................
=======================================
16SC $03,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Bingo.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
215 FREE

 A 013 HELLO
 A 023 BUZZ(8-10)
 B 014 TXT/GEN
 A 023 BUZZ(8-10)BACK
 A 023 BUZZ(ALPH)
 A 012 INRO 2
 B 034 INTRO.PIC
 B 034 TABLE.PIC1
 B 002 NOTE
 B 003 SMILES
 T 007 QUOTES
 T 002 SSCORES
 T 002 SNAMES
 B 034 HARVY.PIC
 T 003 NAMES
 T 002 SCORES
 A 023 ALPHARV
 B 002 NOTE.FIN
 A 023 BUZZ(8-24)
 B 002 NOTE.Q

]RUN HELLO
...works...

(The reason I always do this is to see
whether there are any runtime checks
for subtle differences in the original
DOS. If the program runs after booting
from a third-party disk, I can
eliminate a whole range of possible
secondary protections.)

Of course, the disk won't be able to
boot past loading DOS, because it will
still try to switch the RWTS parameters
that no longer need to be switched.
Let's fix that.

$A200 is loaded from T01,S01. The first
part (wiping a small chunk of memory)
is harmless enough. I just want to jump
directly to $9D84 instead of continuing
to $A332.

[S6,D1=demuffin'd copy]

T01,S01,$96 change "32 A3" to "84 9D"

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1968
------------------EOF------------------