--------A Treasure Hunt of Facts-------
A 4am crack                  2016-03-06
-------------------. updated 2018-01-21
                   |___________________

Name: A Treasure Hunt of Facts
Version: "84-02"
Genre: educational
Year: 1984
Publisher: Josten Learning Systems
Media: two single-sided 5.25-inch disks
OS: DOS 3.3
Previous cracks: none

I have two disks:

  1. "Addition and Subtraction"
  2. "Multiplication and Division"

Both disks are bootable and appear to
be independent of each other. I'll
start with disk 1.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address epilogue "F5 AA EB"
  odd-numbered tracks (1, 3, 5...) also
    have a modified address prologue
    ("D4 AA 96")

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "F5 AA EB"
  -> even-numbered tracks readable
  T00 looks like a DOS 3.3 RWTS
  set Address Prologue to "D4 AA 96"
  -> odd-numbered tracks also readable
  T01 readable. Also T03, T05, T07...
  T11 looks like a DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified prologue and epilogue

Why didn't Locksmith FDB work?
  modified prologue and epilogue

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
         Bit Math Is Best Math


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BLOAD RWTS,A$3800
]CALL -151

*B800<3800.3EFFM
*B944L

; routine to read address prologue
B944-   A0 FC       LDY   #$FC
B946-   84 26       STY   $26
B948-   C8          INY
B949-   D0 04       BNE   $B94F
B94B-   E6 26       INC   $26
B94D-   F0 F3       BEQ   $B942
B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F

; find prologue nibble #1
B954-   4A          LSR
B955-   C9 6A       CMP   #$6A
B957-   D0 EF       BNE   $B948
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

; find #2
B95E-   C9 AA       CMP   #$AA
B960-   D0 F2       BNE   $B954
B962-   A0 03       LDY   #$03
B964-   BD 8C C0    LDA   $C08C,X
B967-   10 FB       BPL   $B964

; find #3
B969-   C9 96       CMP   #$96
B96B-   D0 E7       BNE   $B954

Well this just answers a whole slew of
questions at once.

The code to find prologue nibble #1
explains how this disk can read its
odd-numbered tracks (with non-standard
address prologue "D4 AA 96").

Normal address prologue byte 1 is $D5.
In binary: $D5 = 1101 0101
After LSR:       0110 1010 = $6A

Odd-numbered tracks use $D4 instead.
In binary: $D4 = 1101 0100
After LSR:       0110 1010 = $6A

So this code will match either prologue
and work on both odd and even tracks.
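As an added illustration (not code from the disk or from 4am's tools), here is a Python model of the two byte-1 tests compared above: the stock DOS 3.3 CMP #$D5 and this disk's LSR followed by CMP #$6A, both with the same branch-back-without-reread behaviour on a byte 2 or byte 3 mismatch. The nibble streams are constructed samples, and the $26 timeout counter is left out.

```python
"""Model of the address-prologue matchers compared above (added example, not code
from the disk or from 4am's tools). A list stands in for the $C08C,X disk latch."""

STANDARD_PROLOGUE = (0xD5, 0xAA, 0x96)   # DOS 3.3 address prologue
ODD_TRACK_PROLOGUE = (0xD4, 0xAA, 0x96)  # what this disk writes on odd tracks

def lsr(value):
    """6502 LSR: shift right one bit; bit 0 drops into carry (discarded here)."""
    return (value & 0xFF) >> 1

def first_byte_candidates(first_ok):
    return [n for n in range(256) if first_ok(n)]   # every value the byte-1 test accepts

def find_prologue(nibbles, first_ok):
    """Search mirroring the RWTS control flow at $B948-$B96B. first_ok is the
    byte-1 test. A mismatch at byte 2 or 3 branches back to the byte-1 test
    WITHOUT reading a new nibble (the $26 timeout counter is ignored).
    Returns the index just past the prologue, or None."""
    i = 0
    while i < len(nibbles):
        if not first_ok(nibbles[i]):
            i += 1                      # BNE $B948: fetch the next nibble
            continue
        i += 1
        if i >= len(nibbles):
            return None
        if nibbles[i] != 0xAA:          # CMP #$AA / BNE $B954: re-test this nibble
            continue
        i += 1
        if i >= len(nibbles):
            return None
        if nibbles[i] != 0x96:          # CMP #$96 / BNE $B954: re-test this nibble
            continue
        return i + 1
    return None

def dos33_find_prologue(nibbles):
    """Stock DOS 3.3: CMP #$D5, so only D5 AA 96 passes."""
    return find_prologue(nibbles, lambda n: n == 0xD5)

def this_disk_find_prologue(nibbles):
    """This disk's RWTS: LSR then CMP #$6A, so D5 and D4 both pass byte 1."""
    return find_prologue(nibbles, lambda n: lsr(n) == 0x6A)

# Constructed sample streams: gap nibbles, the prologue, then a few data bytes.
EVEN_TRACK = [0xFF, 0xFF, *STANDARD_PROLOGUE, 0xFF, 0xFE, 0xAA, 0xAA]
ODD_TRACK = [0xFF, 0xFF, *ODD_TRACK_PROLOGUE, 0xFF, 0xFE, 0xAA, 0xAB]
```

Running first_byte_candidates on the LSR test shows that $D4 and $D5 are the only two nibbles it accepts, so the "flexibility" is exactly one extra value.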

Furthermore, RWTS code is time-critical
between reading the last bit of one
nibble and reading the first bit of the
next. If it's too fast or too slow, it
will get out of phase (because the disk
spins independently of the CPU).

Compare DOS 3.3 (cycle count in margin)

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   C9 D5       CMP   #$D5    | 2
B956-   D0 F0       BNE   $B948   | 2 *
B958-   EA          NOP           | 2
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

(*) on the time-critical path, this
    branch is not taken, so always 2

...and this disk's RWTS:

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   4A          LSR           | 2
B955-   C9 6A       CMP   #$6A    | 2
B957-   D0 EF       BNE   $B948   | 2 *
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

Despite being more "flexible" (matching
$D5 or $D4), this disk's RWTS uses the
same number of bytes of code and runs
in the same number of cycles. Nice.

I don't need to change anything here in
order to crack it. I just wanted to
explain how it works.

                   ~

               Chapter 2
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


*BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

The disk's own RWTS gave no read errors
on any track. This is the power and the
genius of Advanced Demuffin. Every disk
must be able to read itself. So, let it
read itself, then capture the data and
write it out in a standard format.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
110 FREE

 A 003 HELLO
 B 010 THAS.SETUP
 B 012 THAS.BORG.PAC
 B 003 THAS.BORG1.PAC
 B 238 THAS.SOUNDTRK
 B 009 THAS.SUBLIB
 B 013 THAS.SHPTBL
 B 025 THAS.MAIN
 B 002 PRESCRIPTIONS
 B 052 THAS.PCKTBL1
 B 022 THAS.MAIN1
 B 002 THAS.LIST1
 B 002 THAS.LIST2
 B 002 THAS.LIST3
 B 002 THAS.LIST4
 B 002 THAS.LIST5
 B 002 THAS.LIST6
 B 002 THAS.LIST7
 B 002 THAS.LIST8

]RUN HELLO
...works...

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My demuffin'd copy cannot read itself,
because it's still looking for the non-
standard epilogue bytes. This is so
common, I wrote a tool to fix it for me
automatically.

                   ~

               Chapter 3
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; restore epilogues to standard values
T00,S03,$91 change F5 to DE
T00,S02,$9E change F5 to DE

]PR#6
...works...

Quod erat liberandum.

                   ~

           Acknowledgements


This program requires the Ufonic Voice
System, which is a hardware add-on card
that I don't have and that is not
emulated by any known emulator. Without
the card, the program displays an error
message and hangs. Many thanks to
@yesterbits and @L1ttl3john for testing
this crack on a real Apple II with the
necessary add-on card.

                   ~

               Changelog


2018-01-21

- fixed minor data corruption on disk 2
  (T1B,S0E)

2016-03-06

- initial release

---------------------------------------
A 4am crack                     No. 631
------------------EOF------------------
