---------Fay: That Math Woman!---------
A 4am crack
2021-06-11
---------------------------------------

Name: Fay: That Math Woman!
Genre: educational
Year: 1983
Credits: David Vincent, Paul Melhus
Publisher: Didatech Software
Platform: Apple ][+ or later (32K)
Media: 5.25-inch disk
Sides: 1
OS: DOS 3.3
Previous cracks: none

~

Chapter 0
In Which Various Automated Tools Fail In
Interesting Ways

COPYA
  read error on second pass

Locksmith Fast Disk Backup
  unable to read track 9
  copy boots as far as the text title
    screen, then prints "ILLEGAL DISC"
    and exits to a prompt

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  track 9 appears to have real sectors
    but uses a non-standard address
    prologue ($AA $95 $96)

--v--
COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------
TRACK: 09  START: 2C89  LENGTH: 189F

2C68: FF FF FF FF FF FF FF FF   VIEW
2C70: FF FF FF FF FF FF FF FF
2C78: FF FF FF FF FF FF FF FF
2C80: FF FF FF FF FF FF FF FF
2C88: FF AA 95 96 AA AA AE AB <-2C89
         ^^^^^^^^ address prologue
2C90: AE AA AA AB DE AA EA B5
                  ^^^^^ address epilogue
2C98: FF FF FF FF FF D5 AA AD
                     ^^^^^^^^ data prologue
2CA0: 96 96 96 96 96 96 96 96
2CA8: 96 96 96 96 96 96 96 96
--^--

Disk Fixer
  setting the address prologue to
    $AA $95 $96, I am able to read all
    16 sectors on track 9, which are
    empty

Why didn't COPYA work?
  track 9 uses non-standard prologue

Why didn't Locksmith FDB work?
  There could be a run-time check that
  alters the RWTS to read track 9. The
  original disk does not grind during
  boot, which suggests that either the
  RWTS is patched to auto-switch the
  prologue on track 9, or a user mode
  program is patching it temporarily.

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check (just
    the structural changes to the
    address prologue on track 9)

Next steps:

1. find the bad-sector check
2. disable it
3. declare victory (*)

(*) go to the home gym

~

Chapter 1
In Which We Check If We Are Too High To
Deal With This Right Now

The disk uses a standard DOS 3.3 disk
catalog, but all the files are named
with control characters in them, making
it difficult to access them from
third-party tools. Copy ][+ "RENAME
FILES" fixes that.

Relatedly, Copy ][+ says that the boot
program is named "F" (plus a bunch of
control characters), which is weird
because F is a text file. But that is,
technically, something that DOS 3.3
supported, so maybe it's true. Thus:

[S6,D1=non-working copy]
[S5,D1=my work disk]

]PR#5
...
]CATALOG,S6

C1983 DSR^C#254
432 FREE

*T 002 F
*B 002 A
*B 058 Y
*B 002 T

]TLIST F
BRUN T,A$800,D1
BRUN AQWADATS\^,A$4000,D1
BRUN YGOTT_^^,A$800,D1

It does appear to be true that this disk
boots to a text file full of DOS
commands. Honestly, I had forgotten this
was even possible in two thousand twenty
two in the year of our Lord.

OK. "T" is a memory check. The program
requires 32K of memory. No, I'm not
kidding. It loads DOS 3.3 master in low
memory, which relocates itself as high
as possible ($9D00+ if you have at least
48K). This "T" program checks where DOS
ended up and prints an "INSUFFICIENT
MEMORY" error if DOS isn't high enough.

"A" (plus control characters) prints the
text title page and exits.

That leaves "Y", which is executed from
$800.
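Before digging into Y, here is an added example (my own code, not part of the 4am write-up): a decoder for the 4-and-4 encoded address field that follows a sector's address prologue, fed with the nibbles transcribed from the Copy ][+ view of track 9 in Chapter 0. It recognises both the stock DOS 3.3 prologue and this disk's $AA $95 $96, so you can confirm that the "real sectors" really are well-formed once the prologue is accounted for.

```python
# Added example, not from the 4am write-up: decode the 4-and-4 encoded
# address field (volume, track, sector, checksum) that follows an address
# prologue in a DOS 3.3 nibble stream.

STANDARD_PROLOGUE = bytes([0xD5, 0xAA, 0x96])  # stock DOS 3.3
TRACK9_PROLOGUE = bytes([0xAA, 0x95, 0x96])    # as seen in the Copy ][+ view
ADDRESS_EPILOGUE = bytes([0xDE, 0xAA])         # RWTS checks only these two

# Nibbles transcribed from the Copy ][+ dump above, offsets $2C88-$2C9F.
TRACK9_NIBBLES = bytes.fromhex(
    "FF AA 95 96 AA AA AE AB "
    "AE AA AA AB DE AA EA B5 "
    "FF FF FF FF FF D5 AA AD "
)


def decode_4and4(odd, even):
    """Undo 4-and-4 encoding: the first nibble carries the odd bits of the
    value (shifted right by one) and the second the even bits, both padded
    with 1 bits, so shifting the first left and ANDing recovers the byte."""
    return ((odd << 1) | 1) & even & 0xFF


def parse_address_field(nibbles, prologues=(STANDARD_PROLOGUE, TRACK9_PROLOGUE)):
    """Find the first known address prologue in a nibble stream and decode
    the field after it. Returns None if no prologue (or a truncated field)
    is present."""
    for prologue in prologues:
        pos = nibbles.find(prologue)
        if pos < 0:
            continue
        field = nibbles[pos + 3:pos + 11]          # four 4-and-4 pairs
        if len(field) < 8:
            return None
        vol, trk, sec, csum = (decode_4and4(field[i], field[i + 1])
                               for i in range(0, 8, 2))
        return {
            "prologue": prologue.hex().upper(),
            "standard": prologue == STANDARD_PROLOGUE,
            "volume": vol,
            "track": trk,
            "sector": sec,
            # DOS 3.3 address checksum is volume XOR track XOR sector
            "checksum_ok": csum == (vol ^ trk ^ sec),
            "epilogue_ok": nibbles[pos + 11:pos + 13] == ADDRESS_EPILOGUE,
        }
    return None


if __name__ == "__main__":
    print(parse_address_field(TRACK9_NIBBLES))
```

On the dump above this yields volume 0, track 9, sector 8 with a matching checksum and epilogue, which is what a legitimate sector looks like once the RWTS is told about the altered prologue.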
~

Chapter 2
In Which Our Suspicions Are Confirmed

]BLOAD Y,A$800
]CALL -151

*800L

0800-   4C 5D 21    JMP   $215D

*215DL

215D-   A9 00       LDA   #$00
215F-   85 D7       STA   $D7
2161-   85 EA       STA   $EA
2163-   8D 04 03    STA   $0304
2166-   85 06       STA   $06
2168-   85 07       STA   $07

; more memory stuff (not protection-
; related)
216A-   20 A1 33    JSR   $33A1
216D-   85 EE       STA   $EE
216F-   A9 18       LDA   #$18
2171-   85 23       STA   $23

; set reset vector
2173-   A9 26       LDA   #$26
2175-   8D F2 03    STA   $03F2
2178-   A9 22       LDA   #$22
217A-   8D F3 03    STA   $03F3
217D-   A9 87       LDA   #$87
217F-   8D F4 03    STA   $03F4

2182-   20 4B 31    JSR   $314B

*314BL

314B-   AD D2 03    LDA   $03D2
314E-   30 11       BMI   $3161

; patch RWTS (32K machine)
3150-   A9 AA       LDA   #$AA
3152-   8D 55 89    STA   $8955
3155-   8D 7A 8C    STA   $8C7A
3158-   A9 95       LDA   #$95
315A-   8D 5F 89    STA   $895F
315D-   8D 7F 8C    STA   $8C7F
3160-   60          RTS

; patch RWTS (48K machine)
3161-   A9 AA       LDA   #$AA
3163-   8D 55 B9    STA   $B955
3166-   8D 7A BC    STA   $BC7A
3169-   A9 95       LDA   #$95
316B-   8D 5F B9    STA   $B95F
316E-   8D 7F BC    STA   $BC7F
3171-   60          RTS

Aha! Based on how high DOS is, we are
calculating the addresses within the
RWTS that match the address prologue
nibbles, and changing them to the
non-standard $AA $95 $96 we saw on
track 9. So this is setting up for the
read of the protected track.

Continuing from $2185...

2185-   20 36 32    JSR   $3236
2188-   B0 70       BCS   $21FA

Always a suspicious pattern, especially
after seeing that we've just patched the
RWTS in memory. For completeness, I
confirmed that $21FA prints the error
"ILLEGAL DISC" that I saw earlier. So
we're definitely close.

*3236L

3236-   A0 00       LDY   #$00
3238-   B9 46 32    LDA   $3246,Y
323B-   99 80 03    STA   $0380,Y
323E-   C8          INY
323F-   C0 15       CPY   #$15
3241-   D0 F5       BNE   $3238
3243-   4C 1A 30    JMP   $301A

*301AL

; call the RWTS with the parameters we
; just copied to $0380
301A-   A9 03       LDA   #$03
301C-   A0 80       LDY   #$80
301E-   20 D9 03    JSR   $03D9
3021-   60          RTS

*3243:60
*3236G
*380.

0380-   01 60 01 00 09 00 91 03
                    ^^ ^^ track/sector
0388-   00 F8 00 00 01 00 00 60
        ^^^^^ address
                    ^^ command
0390-   01 00 01 EF D8 1A FF FF

We are reading track 9, sector 0... into
$F800. That's ROM, so nothing will
actually be stored there. But that
answers the question of whether the
program cares about the actual contents
of track 9. It does not. It doesn't even
store the contents; it just checks if
the read succeeded by looking at the
carry flag.

Continuing from $218A...

218A-   20 72 31    JSR   $3172

*3172L

3172-   AD D2 03    LDA   $03D2
3175-   30 0D       BMI   $3184

; restore RWTS (32K machine)
3177-   A9 D5       LDA   #$D5
3179-   8D 55 89    STA   $8955
317C-   8D 7A 8C    STA   $8C7A
317F-   A9 AA       LDA   #$AA
3181-   4C 5A 31    JMP   $315A

; restore RWTS (48K machine)
3184-   A9 D5       LDA   #$D5
3186-   8D 55 B9    STA   $B955
3189-   8D 7A BC    STA   $BC7A
318C-   A9 AA       LDA   #$AA
318E-   4C 6B 31    JMP   $316B

To bypass this protection, I can put
"CLC / RTS" at the start of the routine
at $3236 that tries to read track 9,
fooling the caller into thinking that
the read-with-patched-RWTS always
succeeds.

Turning to my trusty sector editor and
my non-filename-patched-but-still-
non-working copy, I find the routine on
track $17.

T17,S04,$3A: A000 -> 1860

]PR#6
...boots, and it is glorious...

Quod erat liberandum.

---------------------------------------
A 4am crack No. 2864
------------------EOF------------------