-----------Animal Stories IV-----------
A 4am crack                  2023-01-26
---------------------------------------

Name: Animal Stories IV
Genre: educational
Year: 1990
Publisher: Micrograms Publishing
Platform: Apple ][+ or later (64K)
Media: 5.25-inch disk
Sides: 1
OS: custom
Previous cracks: none
Similar cracks:
  #1266 Wild West Math Level 3

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  no read errors, but the copy hangs on
  boot with a text screen full of
  garbage

Locksmith Fast Disk Backup
  ditto

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  16-sector, standard address fields,
  standard everything really

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 01  START: 2BDD  LENGTH: 1860

2BB8: 96 96 96 DE AA BE FF F3   VIEW
2BC0: FC FF FF FF FF FF FF FF
2BC8: FF FF FF FF FF FF FF FF
2BD0: FF FF FF FF FF FF FF FF
2BD8: FF FF FF FF FF D5 AA 96  <-2BDD
                     ^^^^^^^^
                 address prologue

2BE0: FF FE AA AB AA AA FF FF
      V=254 T=$01 S=$00 chksm

2BE8: DE AA BE FF FF FF FF FF
      ^^^^^
 address epilogue

2BF0: FF FF D5 AA AD 9B 97 9B
            ^^^^^^^^
         data prologue

2BF8: 9A 9B 9A 9A 96 96 96 96

                 --^--

Disk Fixer
  all tracks readable
  standard ProDOS bootloader
  ProDOS-style disk catalog on track 0

Wait, really?

                 --v--

[S7,D1=/A4AMCRACK]
]PR#7
...boots ProDOS hard drive...

]CAT,S6,D1

/ANIMAL.STORIES4

 NAME           TYPE  BLOCKS  MODIFIED

 BAD3.5          SYS       7  26-SEP-90
 PI.AS           BIN      17  <NO DATE>
 ST.ASFONT       BIN       4  <NO DATE>
 UTL             BIN       8  13-JUL-90
 CR.AS           BIN      25  <NO DATE>
 STORIES         BIN      35  23-AUG-90
 SEP.26.90       BIN      13  26-SEP-90

BLOCKS FREE:  164     BLOCKS USED:  116

                 --^--

That is... very weird. ProDOS but not
ProDOS. What is BAD3.5? Why is there a
file named SEP.26.90 with a file date
of 26-SEP-90? I have so many questions.

Why didn't COPYA or Locksmith FDB work?
  probably a nibble check in early boot

Why *did* EDD work?
  the nibble check probably isn't very
  strong

Next steps:

  1. Trace the boot
  2. Find the protection check and
     disable it
  3. Declare victory (*)

(*) go to the gym

                   ~

               Chapter 1
      In Which We Take A Shortcut


The fastest way to find a runtime
protection check is to search for the
instruction that turns on the drive
motor. Generally this is "LDA $C089,X"
(following the convention that the X
register contains the boot slot x 16),
but it could also be hard-coded to
slot 6 like "LDA $C0E9" or some other
variant.

[Disk Fixer]
  ["F"]ind
    ["H"]ex
      "BD 89 C0"

One match on track 0, part of the
ProDOS bootloader.

-->   "AD E9 C0"

No matches whatsoever. Hmm. Maybe it's
encrypted to prevent exactly the thing
I'm trying to do right now? How dare
they.

Let's try searching for the instruction
that loads the data latch to fetch a
single nibble from disk: "LDA $C08C,X".

-->   "BD 8C C0"

Again one match on track 0, part of the
ProDOS bootloader. Nothing else.

I gotta say, this is feeling more and
more like the "shortcut" your uncle
tells you to take that ends up getting
you lost in New Jersey. (*)

(*) not that there's anything wrong
    with that

Maybe the RWTS is hitting the soft
switch directly, without indexing on
slot? So "LDA $C0EC" instead of
"LDA $C08C,X". I sure hope so, because
after that I'm out of ideas and I'm
going to trace the boot from the
beginning.

-->   "AD EC C0"

Aha!

                 --v--

------------- DISK SEARCH -------------

$01/$0B-$21   $01/$0B-$2A   $01/$0B-$33
$01/$0C-$61   $01/$0C-$6A   $01/$0C-$73
$01/$0C-$83   $01/$0C-$8B   $01/$0C-$C6
$01/$0C-$CF   $01/$0C-$D8

                 --^--
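The four Disk Fixer searches above, run
in one pass against a disk image. This
is an added example, not the author's
tooling. It assumes a DOS 3.3-order
.dsk image (35 tracks x 16 sectors x
256 bytes), so Disk Fixer's
track/sector/offset is image offset
(track*16 + sector)*256 + offset. The
image it searches is constructed: an
empty disk with the three hard-coded
latch reads planted at T01,S0B
$21/$2A/$33 and one slot-indexed latch
read planted on track 0 to stand in for
the ProDOS bootloader.

```python
"""Search a disk image for the Disk II soft-switch accesses an RWTS has to
make, and report hits in Disk Fixer's $track/$sector-$offset form.

Added example, not the author's tooling. Assumes a DOS 3.3-order .dsk image
(35 tracks x 16 sectors x 256 bytes), so Disk Fixer's track/sector/offset
is image offset (track*16 + sector)*256 + offset. The demo image is
constructed, see demo_image().
"""
import sys

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256

# Opcode sequences for the motor-on and data-latch soft switches, both
# slot-indexed (LDA $C0xx,X) and hard-coded to slot 6 (LDA $C0Ex).
PATTERNS = {
    "BD 89 C0": "LDA $C089,X   motor on, slot-indexed",
    "AD E9 C0": "LDA $C0E9     motor on, slot 6",
    "BD 8C C0": "LDA $C08C,X   read data latch, slot-indexed",
    "AD EC C0": "LDA $C0EC     read data latch, slot 6",
}


def image_offset(track, sector, offset=0):
    """Disk Fixer track/sector/offset -> byte offset in a DOS-order .dsk."""
    return (track * SECTORS + sector) * SECTOR_SIZE + offset


def split_offset(pos):
    """Byte offset in the image -> (track, sector, offset within sector)."""
    sector_index, offset = divmod(pos, SECTOR_SIZE)
    track, sector = divmod(sector_index, SECTORS)
    return track, sector, offset


def fmt_ts(track, sector, offset):
    """Format a hit the way Disk Fixer prints it, e.g. $01/$0B-$21."""
    return f"${track:02X}/${sector:02X}-${offset:02X}"


def find_patterns(image, patterns=PATTERNS):
    """Return {pattern: [(track, sector, offset), ...]} for every hit.

    A hit is attributed to the sector holding its first byte. A hit that
    straddles two sectors is usually noise: adjacent logical sectors in the
    image rarely hold adjacent code once DOS has scattered a file around.
    """
    hits = {}
    for pattern in patterns:
        needle = bytes.fromhex(pattern)
        found, start = [], 0
        while True:
            pos = image.find(needle, start)
            if pos < 0:
                break
            found.append(split_offset(pos))
            start = pos + 1
        hits[pattern] = found
    return hits


def demo_image():
    """Constructed image: empty disk plus the reads the page's search found."""
    image = bytearray(TRACKS * SECTORS * SECTOR_SIZE)
    for off in (0x21, 0x2A, 0x33):            # the three LDA $C0EC / BPL loops
        base = image_offset(1, 0x0B, off)
        image[base:base + 5] = bytes.fromhex("AD EC C0 10 FB")
    base = image_offset(0, 0, 0x58)           # placement is made up, stands in
    image[base:base + 3] = bytes.fromhex("BD 8C C0")   # for the bootloader read
    return bytes(image)


if __name__ == "__main__":
    # usage: python find_rwts.py [disk.dsk]   (no argument: search demo_image())
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else demo_image()
    for pattern, found in find_patterns(image).items():
        where = "  ".join(fmt_ts(*h) for h in found) or "no matches"
        print(f"{pattern}  {PATTERNS[pattern]:44s} {where}")
```

With no argument it searches the demo
image and reports the same three
$01/$0B hits as the Disk Fixer run
above; pass a .dsk path to search a real
image instead.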

Praise be. Let's see what we found:

                 --v--

T01,S0B
----------- DISASSEMBLY MODE ----------
; match first epilogue nibble ($DE)
0021:AD EC C0       LDA   $C0EC
0024:10 FB          BPL   $0021
0026:C9 DE          CMP   #$DE
0028:D0 E7          BNE   $0011

; match second epilogue nibble ($AA)
002A:AD EC C0       LDA   $C0EC
002D:10 FB          BPL   $002A
002F:C9 AA          CMP   #$AA
0031:D0 EE          BNE   $0021

; match... a third epilogue nibble?!?
0033:AD EC C0       LDA   $C0EC
0036:10 FB          BPL   $0033
0038:C9 BE          CMP   #$BE
003A:D0 E5          BNE   $0021
003C:18             CLC
003D:60             RTS

                 --^--

Oh wow. That's not what I was expecting
at all, but there's the problem: there
is no protection check. The protection
is purely structural -- this RWTS code
is super-strict and requires a third
(non-standard) epilogue nibble.

Technically, both the address epilogue
and the data epilogue are three nibbles
$DE $AA $EB. But even standard DOS 3.3
never checks more than the first two.
(ProDOS only checks the first one.)
Literally nothing checks the third
nibble of the epilogue.

Except this disk.

And because it's non-standard ($BE
instead of $EB), the disk looks like
it's unprotected. It even copies with
COPYA! But COPYA writes sectors back
with the standard $DE $AA $EB epilogue,
so the copy can't read itself: its
third epilogue nibble is $EB, not $BE.
(A bit copier like EDD carries the
nibbles across verbatim, which is why
it worked.)
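To make that failure mode concrete,
here is the address-field read emulated
with DOS 3.3's two-nibble epilogue
check and with this RWTS's three-nibble
check. Added example, not the author's
code. The nibble stream is the Copy ][+
nibble-editor dump of track 1 from
Chapter 0; COPY is a constructed
variant with the third epilogue nibble
rewritten to the standard $EB, as a
COPYA copy would have.

```python
"""Why a COPYA copy of this disk cannot read itself.

Added example, not code from the original write-up. ORIGINAL is the
Copy ][+ nibble dump of track 1 shown on the page ($2BB8-$2BFF). COPY is a
constructed variant with the standard $DE $AA $EB epilogue that DOS 3.3's
RWTS (and therefore COPYA) writes.
"""
ADDRESS_PROLOGUE = bytes.fromhex("D5 AA 96")
DOS33_EPILOGUE = (0xDE, 0xAA)            # all DOS 3.3 ever checks
STRICT_EPILOGUE = (0xDE, 0xAA, 0xBE)     # what this disk's RWTS demands

ORIGINAL = bytes.fromhex(
    "96 96 96 DE AA BE FF F3 "
    "FC FF FF FF FF FF FF FF "
    "FF FF FF FF FF FF FF FF "
    "FF FF FF FF FF FF FF FF "
    "FF FF FF FF FF D5 AA 96 "
    "FF FE AA AB AA AA FF FF "
    "DE AA BE FF FF FF FF FF "
    "FF FF D5 AA AD 9B 97 9B "
    "9A 9B 9A 9A 96 96 96 96"
)
# A sector copier keeps the decoded sector data but lays down standard
# epilogues, so every $DE $AA $BE on the copy becomes $DE $AA $EB.
COPY = ORIGINAL.replace(bytes.fromhex("DE AA BE"), bytes.fromhex("DE AA EB"))


def decode44(odd, even):
    """4-and-4 encoding: odd bits in the first nibble, even bits in the second."""
    return ((odd << 1) | 1) & even


def read_address_field(nibbles, epilogue):
    """Hunt for the address prologue, decode volume/track/sector, verify the
    checksum, then require each nibble of `epilogue` in turn, the way the
    loop at T01,S0B $21-$3D does. Returns (volume, track, sector), or None
    when the epilogue does not match (the real code branches back and keeps
    reading nibbles instead of accepting the sector)."""
    pos = nibbles.find(ADDRESS_PROLOGUE)
    if pos < 0:
        return None
    pos += len(ADDRESS_PROLOGUE)
    volume, track, sector, checksum = [
        decode44(nibbles[pos + i], nibbles[pos + i + 1]) for i in range(0, 8, 2)
    ]
    if checksum != volume ^ track ^ sector:
        return None
    pos += 8
    for want in epilogue:
        if nibbles[pos] != want:
            return None
        pos += 1
    return volume, track, sector


def report():
    """Every disk/check combination; True means the address field is accepted."""
    return {
        ("original", "dos33"): read_address_field(ORIGINAL, DOS33_EPILOGUE) is not None,
        ("original", "strict"): read_address_field(ORIGINAL, STRICT_EPILOGUE) is not None,
        ("copy", "dos33"): read_address_field(COPY, DOS33_EPILOGUE) is not None,
        ("copy", "strict"): read_address_field(COPY, STRICT_EPILOGUE) is not None,
    }


if __name__ == "__main__":
    print("address field:", read_address_field(ORIGINAL, STRICT_EPILOGUE))  # (254, 1, 0)
    for (disk, check), ok in report().items():
        print(f"{disk:8s} {check:6s} {'reads' if ok else 'FAILS'}")
```

The decoded field matches the nibble
editor's annotation (V=254 T=$01
S=$00, checksum good) for both disks;
only the strict check against the copy
fails, on the third epilogue nibble.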

The solution is to patch this RWTS so
it ignores the third epilogue nibble.
The least invasive way to do that is to
change the "BNE" after "CMP #$BE" so it
branches to the next instruction (a
branch offset of $00), effectively
making it a NOP that falls through to
the CLC/RTS.

T01,S0B,$3B: E5 --> 00
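The same patch applied to a disk image,
with the surrounding bytes verified
first so it can't land on the wrong
sector or be applied twice. Added
example, not the author's tooling. It
assumes a DOS 3.3-order .dsk image, so
Disk Fixer's T01,S0B,$3B is image
offset (1*16 + $0B)*256 + $3B. The demo
image is constructed: the disassembled
routine placed at T01,S0B,$21 on an
otherwise empty disk.

```python
"""Apply the T01,S0B,$3B patch (E5 -> 00) to a disk image, after checking
that the bytes around it are the ones disassembled on the page.

Added example, not the author's tooling. Assumes a DOS 3.3-order .dsk
image (16 sectors of 256 bytes per track). demo_image() is constructed.
"""
import sys

SECTORS, SECTOR_SIZE = 16, 256
PATCH_TRACK, PATCH_SECTOR, PATCH_OFFSET = 1, 0x0B, 0x3B

# $0038-$003D as disassembled: CMP #$BE / BNE $0021 / CLC / RTS
CONTEXT_BEFORE = bytes.fromhex("C9 BE D0 E5 18 60")
CONTEXT_AFTER = bytes.fromhex("C9 BE D0 00 18 60")     # BNE now targets $003C


def image_offset(track, sector, offset=0):
    """Disk Fixer track/sector/offset -> byte offset in a DOS-order .dsk."""
    return (track * SECTORS + sector) * SECTOR_SIZE + offset


def branch_target(bne_addr, offset):
    """6502 relative branch: address of the next instruction plus the
    signed 8-bit offset. Shows what E5 -> 00 does to the BNE at $003A."""
    signed = offset - 0x100 if offset & 0x80 else offset
    return bne_addr + 2 + signed


def apply_patch(image):
    """Return a patched copy of `image`; refuse to touch anything unexpected."""
    pos = image_offset(PATCH_TRACK, PATCH_SECTOR, PATCH_OFFSET - 3)
    window = bytes(image[pos:pos + len(CONTEXT_BEFORE)])
    if window == CONTEXT_AFTER:
        raise ValueError("already patched")
    if window != CONTEXT_BEFORE:
        shown = " ".join(f"{b:02X}" for b in window)
        raise ValueError(f"unexpected bytes at T01,S0B,$38: {shown} "
                         "(wrong disk, or not a DOS-order image?)")
    patched = bytearray(image)
    patched[pos + 3] = 0x00          # BNE $0021 -> BNE $003C, i.e. fall through
    return bytes(patched)


# The routine disassembled on the page, T01,S0B $21-$3D.
ROUTINE = bytes.fromhex(
    "AD EC C0 10 FB C9 DE D0 E7 "
    "AD EC C0 10 FB C9 AA D0 EE "
    "AD EC C0 10 FB C9 BE D0 E5 "
    "18 60"
)


def demo_image():
    """Constructed image: the routine above on an otherwise empty 35-track disk."""
    image = bytearray(35 * SECTORS * SECTOR_SIZE)
    base = image_offset(1, 0x0B, 0x21)
    image[base:base + len(ROUTINE)] = ROUTINE
    return bytes(image)


if __name__ == "__main__":
    # usage: python patch_as4.py [in.dsk [out.dsk]]   (no args: patch demo_image())
    print(f"BNE at $003A: E5 -> ${branch_target(0x3A, 0xE5):04X}, "
          f"00 -> ${branch_target(0x3A, 0x00):04X}")
    if len(sys.argv) > 1:
        src = sys.argv[1]
        dst = sys.argv[2] if len(sys.argv) > 2 else src + ".cracked"
        with open(src, "rb") as f:
            patched = apply_patch(f.read())
        with open(dst, "wb") as f:
            f.write(patched)
        print("wrote", dst)
    else:
        patched = apply_patch(demo_image())
        print("demo image patched at", f"${image_offset(1, 0x0B, 0x3B):06X}")
```

The context check is what makes this
safe to run blind: a ProDOS-order image
of the same disk, or a disk that merely
shares a volume name, will fail the
comparison instead of getting a stray
$00 written into it.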

]PR#6
...works, and it is glorious...

(Note the disk only boots from slot 6,
because the RWTS hard-codes the slot 6
soft switches like $C0EC instead of
indexing them by slot. Also note that
despite using a ProDOS directory, it
does not actually use ProDOS beyond
the bootloader. Further note that
"Beyond The Bootloader" would be a fine
name for a cracking-themed podcast or
something. Someone should get on that.)

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 3065
------------------EOF------------------
