-------Alphabet Beasts & Company-------
A 4am crack                  2017-01-14
---------------------------------------

Name: Alphabet Beasts & Company
Genre: educational
Year: 1983
Credits: Software Productions
Publisher: Reader's Digest Software
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  reads track $00-$02 and track $11,
  but nothing else

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T00-T02 -> standard
  T03-T10 -> modified data prologue
    ("D5 AA D5" instead of "D5 AA AD")
  T11 -> standard
  T12-T22 -> modified data prologue
    (same as T03-T10)

Disk Fixer
  T00 -> bootloader starts off like
    Apple DOS 3.3 but quickly goes off
    into custom code
  ["O" -> "Input/Output Control"]
    set Address Prologue to "D5 AA D5"
  Success! T03-T10 and T12+ readable!

Why didn't COPYA work?
  modified data prologue

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Next steps:

  1. Convert the non-standard tracks
     with Super Demuffin
  2. Sector copy the standard tracks
  3. Patch bootloader to read the
     now-standard data prologue
  4. Declare victory (*)

(*) go to the gym

                   ~

               Chapter 1
    In Which We Use The Right Tool
          For The Job, Twice


Super Demuffin is a cracker's utility
built on top of Locksmith Fast Disk
Copy. It takes a disk that uses non-
standard but uniform address and data
prologue and epilogue bytes, and it
converts it to a standard disk format.
In this case, I expect it will only be
able to convert tracks $03-$10 and
tracks $12-$22. That's OK; I'll use
Copy II Plus manual sector copy to copy
the other tracks later.

When you first run Super Demuffin, it
asks for the parameters of the original
disk. In this case, the epilogue bytes
are the same, but the data prologue is
"D5 AA D5" instead of "D5 AA AD".

                 --v--

      SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast


   Address prologue: D5 AA 96

   Address epilogue: DE AA EB    DISK
                               ORIGINAL

      Data prologue: D5 AA D5
                           ^^
change from AD ------------++

      Data epilogue: DE AA EB


 Ignore write errors while demuffining!


  D - Edit parameters
      <SPACE> - Advance to next parm
      <RETURN> - Exit edit mode
  R - Restore DOS 3.3 parameters
  O - Edit Original disk's parameters
  C - Edit Copy disk's parameters
  G - Begin demuffin process

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI. It assumes that both
disks are in slot 6, and that drive 1
is the original and drive 2 is the
copy.

[S6,D1=original disk]
[S6,D2=blank disk]

                 --v--

     LOCKSMITH 7.0  FAST DISK BACKUP


   R***..............*.................
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0DDD..............D.................
   1DDD..............D.................
   2DDD..............D.................
   3DDD..............D.................
   4DDD..............D.................
   5DDD..............D.................
   6DDD..............D.................
   7DDD..............D.................
   8DDD..............D.................
   9DDD..............D.................
   ADDD..............D.................
   BDDD..............D.................
   CDDD..............D.................
   DDDD..............D.................
12 EDDD..............D.................
   FDDD..............D.................
[               ] PRESS [RESET] TO EXIT

                 --^--

As expected, tracks $00-$02 and $11 are
unreadable with these non-standard RWTS
parameters (because they're standard).
But everything else converted cleanly,
so I've got that going for me, which is
nice.

Turning to my trusty Copy II Plus...
(Version 8.4 please; later versions are
buggy. Not in the specific feature
we're using here, but why increase your
mental load by working around bugs that
will never be fixed?)

Turning to my trusty Copy II Plus... I
select COPY / BIT COPY / MANUAL SECTOR
COPY so I can copy just the tracks I
want: tracks $00-$02.

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

  ORIGINAL  DRIVE:    1
  DUPLICATE DRIVE:    2

  ENTER START TRACK:  0
  ENTER END   TRACK:  2 <-- change this

  TRACK INCREMENT:    1

  USING SECTOR COPY



---------------------------------------

        -- INSERT DISKETTES --

   RETURN TO BEGIN        Q TO QUIT
   ESC    TO RESTART      / TO MODIFY

                 --^--

That works flawlessly, as expected.
(Even COPYA had no problem with these
tracks. They're as standard as they
come.)

I repeat the manual sector copy with
track $11. (Copy II Plus expects track
numbers in hex, so enter "11" for both
the start and end track.)

Now I have the entire disk in a
standard format. But of course it won't
work yet, because the RWTS is still
expecting certain tracks to use a non-
standard data prologue.

[S6,D1=non-working copy]

]PR#6
...works...

Wait, what?

                   ~

               Chapter 2
    In Which We Angrily Investigate
  Why We Suddenly Have A Working Copy


Poking through track $00, I found the
code to match the custom data prologue.
It turns out to be quite... flexible:

                 --v--

T00,S03
----------- DISASSEMBLY MODE ----------
00DC:A0 20          LDY   #$20
00DE:88             DEY
00DF:F0 61          BEQ   $0142
00E1:BD 8C C0       LDA   $C08C,X
00E4:10 FB          BPL   $00E1
00E6:49 D5          EOR   #$D5
00E8:D0 F4          BNE   $00DE
00EA:EA             NOP
00EB:BD 8C C0       LDA   $C08C,X
00EE:10 FB          BPL   $00EB
00F0:C9 AA          CMP   #$AA
00F2:D0 F2          BNE   $00E6
00F4:A0 56          LDY   #$56
00F6:BD 8C C0       LDA   $C08C,X
00F9:10 FB          BPL   $00F6
00FB:C9 AA          CMP   #$AA
00FD:F0 F7          BEQ   $00F6   <-- !

                 --^--

Did you see that? It matches #$D5 for
the first nibble and #$AA for the
second, as usual. But for the third
nibble, it matches any value EXCEPT
#$AA. If it finds #$AA, it loops back
to offset $F6 to read another nibble.

That explains how some tracks on the
original disk can use a standard data
prologue while others are non-standard.
This code doesn't care either way. And
now that every track on my copy uses a
standard data prologue, this code still
doesn't care. So no RWTS patches are
required.
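As an added illustration (my own model, not code from the original disk or this write-up), here is the matcher at $00DC-$00FD re-expressed in Python, with a constructed list of nibbles standing in for successive reads of $C08C,X. It shows that the standard "D5 AA AD" and the modified "D5 AA D5" prologues both match, that a run of $AA in the third position is skipped, and that the $D5 search gives up after the Y counter runs out.

```python
# Python model of the data-prologue matcher at $00DC-$00FD (added example).
# `nibbles` is a constructed stream; each call to read() stands in for one
# "LDA $C08C,X / BPL" spin on the disk controller's data latch.

# Constructed nibble streams (not captured from the disk):
STANDARD_PROLOGUE = [0xD5, 0xAA, 0xAD, 0x96]              # DOS 3.3 data field
MODIFIED_PROLOGUE = [0xD5, 0xAA, 0xD5, 0x96]              # what T03-T10 and T12+ use
EXTRA_AA_RUN      = [0xFF, 0xD5, 0xAA, 0xAA, 0xAA, 0xAD]  # third-nibble loop skips AAs
NO_PROLOGUE       = [0xFF] * 40                           # $D5 never arrives


def find_data_prologue(nibbles):
    """Return the index of the first nibble after the prologue, or None.

    Mirrors the 6502 loop: Y starts at $20 and is decremented before each
    $D5 search read, so at most 31 nibbles are examined before giving up
    ($00DE-$00DF).  After $D5 $AA, the third nibble is anything but $AA;
    an $AA is simply read past ($00FB-$00FD), with no timeout at all.
    """
    y = 0x20
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(nibbles):
            raise EOFError          # models a read that never returns
        value = nibbles[pos]
        pos += 1
        return value

    try:
        while True:
            y -= 1                  # $00DE DEY
            if y == 0:              # $00DF BEQ $0142 -> give up
                return None
            a = read()              # $00E1 LDA $C08C,X
            # $00E6 EOR #$D5 / BNE $00DE: keep going only while A == $D5.
            # A non-$AA second nibble comes back here via $00F2 BNE $00E6,
            # so a "D5 D5 AA .." stream also matches.
            while a == 0xD5:
                a = read()          # $00EB second nibble
                if a == 0xAA:       # $00F0 CMP #$AA
                    # $00F4 LDY #$56 reuses Y for decoding; no timeout from here on.
                    a = read()      # $00F6 third nibble
                    while a == 0xAA:    # $00FB/$00FD: $AA -> read again
                        a = read()
                    return pos      # any non-$AA third nibble is accepted
    except EOFError:
        return None
```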

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 964
------------------EOF------------------
