---Basic Vocabulary Builder: Spanish---
A 4am crack                  2016-03-24
---------------------------------------

Name: Basic Vocabulary Builder: Spanish
Genre: educational
Year: 1984
Credits: based on "Basic Vocabulary
  Builder Duplicating Master Book" by
  Dorothy Gabel Liebowitz
Publisher: National Textbook Company
Media: two single-sided 5.25-inch disks
OS: DOS 3.3
Previous cracks: none
Similar cracks:
  #447 Pirate's Treasure
  #370 Terrapin Logo 3.0
  #368 Catlab
  #206 Basic Vocabulary Builder demo
  #205 PyschDisk

Both disks are bootable. I'll start
with disk 1.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  can't read anything beyond T00,S09

EDD 4 bit copy (no sync, no count)
  no disk errors, but copy just grinds

Copy ][+ nibble editor
  modified address and data epilogues
    "F2 AA EB"

Disk Fixer
  can read T00,S00-S09 (looks like a
    DOS 3.3 RWTS)
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "F2 AA EB"
    set Data Epilogue to "F2 AA EB"
  No luck
    set CHECKSUM ENABLED = NO
  Higher sectors and tracks readable
    but seem encrypted/garbled

Why didn't COPYA work?
  modified epilogue bytes

Why didn't Locksmith FDB work?
  ditto

Why can't Disk Fixer read the sectors?
  I don't know. It's possible I misread
  the raw nibble output in Copy ][+ and
  got the epilogue bytes wrong. As for
  the "encrypted" data with checksum
  turned off, that could be a modified
  nibble-to-byte translation table or
  a decryption loop within the RWTS. Or
  something else altogether.

Why didn't my EDD copy work?
  I don't know.

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format
     (if necessary)

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:R..................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:R..................................
SC1:R..................................
SC2:R..................................
SC3:R..................................
SC4:R..................................
SC5:R..................................
SC6:R..................................
SC7:R..................................
SC8:R..................................
SC9:R..................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

Hmm. The disk's own RWTS can't read
(most of) track 0, specifically the
part loaded during boot that contains
the RWTS. I can write that manually to
my copy if I need to.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
010 FREE

*A 004 HELLO
*B 013 GEN
*B 004 FLEX
*B 002 ASSEMBLE
*B 003 INKEY1
*T 018 EXAMPLES
*A 018 MENU
*B 003 INKEY_TIME
*A 026 DRIVER
*T 005 FILE1
*T 005 FILE2
*T 005 FILE3
*T 005 FILE4
*T 005 FILE5
*T 005 FILE6
*T 005 FILE7
*T 005 FILE8
*T 005 FILE9
*T 005 FILE10
*T 005 FILE11
*T 005 FILE12
 B 029 PIC.LOGO
 B 012 PIC.EX
*B 024 PIC.1
*B 021 PIC.2
*B 023 PIC.3
*B 020 PIC.4
*B 022 PIC.5
*B 020 PIC.6
*B 008 PIC.7
 B 022 PIC.7A
*B 025 PIC.8
*B 023 PIC.9
 T 002 STAT
*B 022 PIC.10
 T 002 NAMEFILE
*B 002 SHAPES
*T 008 INSTRUC
 T 002 RECORD
*A 021 EXAM
*B 018 PIC.11
*B 021 PIC.12
*T 005 DIR

]RUN HELLO
...works...

                   ~

               Chapter 2
       In Which Life Is A Grind
           And Then You Die


Let's write the missing sectors from
track 0 to my demuffin'd copy and see
if it can boot.

]PR#5
]CALL -151

; straightforward multi-sector write
; loop, via the RWTS vector at $03D9
08C0-   A9 08       LDA   #$08
08C2-   A0 E8       LDY   #$E8
08C4-   20 D9 03    JSR   $03D9
08C7-   AC ED 08    LDY   $08ED
08CA-   88          DEY
08CB-   10 05       BPL   $08D2
08CD-   A0 0F       LDY   #$0F
08CF-   CE EC 08    DEC   $08EC
08D2-   8C ED 08    STY   $08ED
08D5-   CE F1 08    DEC   $08F1
08D8-   CE E1 08    DEC   $08E1
08DB-   D0 E3       BNE   $08C0
08DD-   60          RTS

08E0- 00 0A 00 00 00 00 00 00
         ^^
    sector count

08E8- 01 60 01 00 00 09 FB 08
         ^^ ^^    ^^ ^^
         S6 D1    T0 S9

08F0- 00 2F 00 00 02 00 FE 60
      ^^^^^       ^^
     address    write

08F8- 01 00 00 00 01 EF D8 00
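
The IOB above is a standard DOS 3.3 RWTS
parameter block, and the loop at $08C0 just
walks it backwards one sector at a time.
The following is an added example (not code
from this write-up) that decodes the dump as
printed and replays the loop's sector walk
in Python, so you can see which sector goes
to which buffer page. The field offsets are
the documented DOS 3.3 IOB/DCT layout; the
function names are my own.

```python
"""Decode the RWTS IOB at $08E8 and replay the sector walk of the
multi-sector write loop at $08C0.  Added example, not code from the
write-up; IOB/DCT field offsets follow the DOS 3.3 RWTS layout."""

# Bytes exactly as dumped in the write-up: $08E0-$08FF (32 bytes).
DUMP_08E0 = bytes.fromhex(
    "00 0A 00 00 00 00 00 00"   # $08E0: $08E1 holds the sector count ($0A)
    "01 60 01 00 00 09 FB 08"   # $08E8: IOB starts here (table type $01)
    "00 2F 00 00 02 00 FE 60"   # $08F0: buffer $2F00, command $02 = write
    "01 00 00 00 01 EF D8 00"   # $08F8: IOB ends at $08F8, DCT at $08FB
)
DUMP_BASE, IOB_ADDR, DCT_ADDR, COUNT_ADDR = 0x08E0, 0x08E8, 0x08FB, 0x08E1

COMMANDS = {0x00: "seek", 0x01: "read", 0x02: "write", 0x04: "format"}


def decode_iob(iob):
    """Pull the fields out of a 17-byte ($00-$10) DOS 3.3 RWTS IOB."""
    if iob[0x00] != 0x01:
        raise ValueError("not an IOB: table type byte must be $01")
    return {
        "slot": iob[0x01] >> 4,                 # stored as slot*16 ($60 -> 6)
        "drive": iob[0x02],
        "volume": iob[0x03],                    # 0 = accept any volume
        "track": iob[0x04],
        "sector": iob[0x05],
        "dct": iob[0x06] | iob[0x07] << 8,      # little-endian pointer
        "buffer": iob[0x08] | iob[0x09] << 8,
        "byte_count": iob[0x0B],                # 0 = full 256-byte sector
        "command": COMMANDS.get(iob[0x0C], f"unknown ${iob[0x0C]:02X}"),
        "return_code": iob[0x0D],
        "last_volume": iob[0x0E],
        "last_slot": iob[0x0F] >> 4,
        "last_drive": iob[0x10],
    }


def decode_dct(dct):
    """Device characteristics table: type, phases/track, motor-on bytes."""
    return {"device_type": dct[0], "phases_per_track": dct[1],
            "motor_on_count": dct[2:4].hex().upper()}


def write_plan(track, sector, buffer, count):
    """(track, sector, buffer) for each RWTS call the loop at $08C0 makes:
    after a call the sector decrements, wrapping $00 -> $0F with a track
    decrement, and the buffer drops one page.  Track and the buffer high
    byte wrap at 8 bits, like the DEC instructions they model."""
    plan = []
    for _ in range(count):
        plan.append((track, sector, buffer))
        if sector == 0:
            sector = 0x0F
            track = (track - 1) & 0xFF
        else:
            sector -= 1
        buffer = (buffer - 0x100) & 0xFFFF
    return plan


def plan_from_dump(dump, base=DUMP_BASE):
    """Decode the IOB inside a memory dump and return it with its plan."""
    iob = decode_iob(dump[IOB_ADDR - base:IOB_ADDR - base + 0x11])
    count = dump[COUNT_ADDR - base]
    return iob, write_plan(iob["track"], iob["sector"], iob["buffer"], count)


if __name__ == "__main__":
    iob, plan = plan_from_dump(DUMP_08E0)
    print(iob)
    print(decode_dct(DUMP_08E0[DCT_ADDR - DUMP_BASE:DCT_ADDR - DUMP_BASE + 4]))
    for track, sector, buffer in plan:
        print(f"T{track:02X},S{sector:02X} <- ${buffer:04X}")
```

With the values from the dump the plan runs
from T00,S09 at $2F00 down to T00,S00 at
$2600, which is why BOOT0 is loaded at $2600
and BOOT1 directly after it before calling
$8C0. Starting at sector 0 shows the
track-decrement path that this listing never
exercises.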

*BSAVE WRITE BOOT1,A$8C0,L$40
*BLOAD BOOT1,A$2600
*BLOAD BOOT0,A$2600
*8C0G
*C600G
...grind grind grind...

Hmm.

]PR#5
]BLOAD RWTS,A$2800
]CALL -151
*FE89G FE93G     ; disconnect DOS
*B800<2800.2FFFM ; move RWTS into place
*B800L
.
. nothing unusual, until...
.
B8DC-   A0 20       LDY   #$20
B8DE-   88          DEY
B8DF-   F0 61       BEQ   $B942

; normal "D5"
B8E1-   BD 8C C0    LDA   $C08C,X
B8E4-   10 FB       BPL   $B8E1
B8E6-   49 D5       EOR   #$D5
B8E8-   D0 F4       BNE   $B8DE
B8EA-   EA          NOP

; normal "AA"
B8EB-   BD 8C C0    LDA   $C08C,X
B8EE-   10 FB       BPL   $B8EB
B8F0-   C9 AA       CMP   #$AA
B8F2-   D0 F2       BNE   $B8E6
B8F4-   EA          NOP

; normal "AD"
B8F5-   BD 8C C0    LDA   $C08C,X
B8F8-   10 FB       BPL   $B8F5
B8FA-   C9 AD       CMP   #$AD
B8FC-   D0 E8       BNE   $B8E6

; wait, what?
B8FE-   4C CA BE    JMP   $BECA

There is not supposed to be a jump
there. That usually continues into the
$BFxx page and ends at $B943.

*BECAL

; read another nibble
BECA-   BD 8C C0    LDA   $C08C,X
BECD-   10 FB       BPL   $BECA

; kill some time to get out of sync
; with the "proper" start of nibbles
BECF-   BD 8D C0    LDA   $C08D,X
BED2-   EA          NOP

; skip over bits that are set (note the
; branch instruction -- it's BMI, not
; the usual BPL)
BED3-   BD 8C C0    LDA   $C08C,X
BED6-   30 FB       BMI   $BED3

; read another nibble
BED8-   BD 8C C0    LDA   $C08C,X
BEDB-   10 FB       BPL   $BED8

; this is the usual code at $B8FE
BEDD-   A9 00       LDA   #$00
BEDF-   A0 56       LDY   #$56

; continue with RWTS
BEE1-   4C 01 B9    JMP   $B901

This RWTS expects (but ignores) some
extra nibbles after the data field
prologue. This explains why my sector
editor couldn't read these sectors.
But not just that. There need to be
timing bits in the right places between
the nibbles, otherwise the loop at
$BED3 won't skip over the right number
of bits, and the disk will be out of
phase when the RWTS goes to try to read
the sector data.

This explains why my EDD bit copy would
just grind trying to read itself. It
doesn't copy those extra timing bits
between the nibbles.

Of course, my demuffin'd disk can't
make heads or tails of itself, because
Advanced Demuffin successfully captured
the real sector data from each sector
and wrote it out in a standard format.

But wait, there's more! If you order
right now, you ALSO get... a custom
write routine as well! That's right,
this RWTS is a true read/write RWTS.
In the place where it would normally
write out the data field prologue
("D5 AA AD"), I see this instead:

*B848L

B848-   A0 03       LDY   #$03
B84A-   48          PHA
B84B-   68          PLA
B84C-   20 B9 B8    JSR   $B8B9
B84F-   88          DEY
B850-   D0 F8       BNE   $B84A
B852-   4C B1 BE    JMP   $BEB1   <-- !
B855-   EA          NOP
B856-   EA          NOP
B857-   A9 AA       LDA   #$AA
B859-   20 B8 B8    JSR   $B8B8
B85C-   A9 AD       LDA   #$AD
B85E-   20 BB B8    JSR   $B8BB

*BEB1L

; write a custom sequence of bits that
; the routine at $BECA can read
BEB1-   A0 06       LDY   #$06
BEB3-   EA          NOP
BEB4-   EA          NOP
BEB5-   B9 DF BC    LDA   $BCDF,Y
BEB8-   9D 8D C0    STA   $C08D,X
BEBB-   1D 8C C0    ORA   $C08C,X
BEBE-   EA          NOP
BEBF-   EA          NOP
BEC0-   EA          NOP
BEC1-   EA          NOP
BEC2-   A9 FC       LDA   #$FC
BEC4-   88          DEY
BEC5-   D0 EC       BNE   $BEB3

; continue with RWTS
BEC7-   4C 5E B8    JMP   $B85E

Again, this is completely useless now
that Advanced Demuffin has converted
the disk to a standard format.

                   ~

               Chapter 3
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; remove the JMP instructions and
; restore the original code for reading
; and writing the data field prologue
T00,S02,$49 change 03 to 04
T00,S02,$52 change 4CB1BEEAEA to A9D520
B8B8
T00,S02,$5F change BB to B8
T00,S02,$F4 change EABD8CC010FBC9ADD0E8
4CCABE to A056BD8CC010FBC9ADD0E7A900

; restore original epilogue byte checks
T00,S03,$91 change F2 to DE
T00,S03,$35 change F2 to DE
T00,S02,$9E change F2 to DE

]PR#6
...works...
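
The same patches can be applied to a
DOS-order .dsk image of the demuffin'd copy
without a sector editor. The following is an
added example, not part of this write-up and
not the PDP tool: it parses the patch list
as written, checks that every byte it is
about to overwrite matches the "change X"
half before touching anything, and maps
each T00 location to the address it occupies
once DOS has booted. It assumes the standard
DOS-order image layout (16 logical sectors
per track, 256 bytes each, 35 tracks) and the
DOS 3.3 boot layout in which track 0 sector N
is loaded at $B600 + N*$100; the 13-byte
patch at $F4 runs one byte into T00,S03,$00,
which is $B900 in memory and the adjacent
256 bytes in the image.

```python
"""Apply sector-editor style patches to a DOS-order .dsk image, refusing
to write if the bytes on disk are not the ones the patch expects.
Added example; the patch text is the list from the write-up with the
two wrapped lines re-joined."""
import re

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE     # 143360 bytes
RWTS_LOAD_BASE = 0xB600   # DOS 3.3 boot: T00,S0N is loaded at $B600 + N*$100

PATCHES_TEXT = """
T00,S02,$49 change 03 to 04
T00,S02,$52 change 4CB1BEEAEA to A9D520B8B8
T00,S02,$5F change BB to B8
T00,S02,$F4 change EABD8CC010FBC9ADD0E84CCABE to A056BD8CC010FBC9ADD0E7A900
T00,S03,$91 change F2 to DE
T00,S03,$35 change F2 to DE
T00,S02,$9E change F2 to DE
"""

PATCH_RE = re.compile(
    r"T(?P<track>[0-9A-Fa-f]{2}),S(?P<sector>[0-9A-Fa-f]{2}),"
    r"\$(?P<offset>[0-9A-Fa-f]{2})\s+change\s+"
    r"(?P<old>[0-9A-Fa-f]+)\s+to\s+(?P<new>[0-9A-Fa-f]+)")


def parse_patches(text):
    """'Tnn,Snn,$nn change OLD to NEW' lines -> (track, sector, offset, old, new)."""
    patches = []
    for line in text.strip().splitlines():
        m = PATCH_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unparseable patch line: {line!r}")
        old, new = bytes.fromhex(m["old"]), bytes.fromhex(m["new"])
        if len(old) != len(new):
            raise ValueError(f"old/new lengths differ: {line!r}")
        patches.append((int(m["track"], 16), int(m["sector"], 16),
                        int(m["offset"], 16), old, new))
    return patches


def dsk_offset(track, sector, offset=0):
    """Byte offset in a DOS-order image (sectors stored in logical order)."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS and 0 <= offset < SECTOR_SIZE):
        raise ValueError(f"out of range: T{track:02X},S{sector:02X},${offset:02X}")
    return (track * SECTORS + sector) * SECTOR_SIZE + offset


def rwts_address(track, sector, offset):
    """Memory address a track-0 byte occupies after the DOS 3.3 boot."""
    if track != 0:
        raise ValueError("only track 0 is loaded by the boot")
    return RWTS_LOAD_BASE + sector * SECTOR_SIZE + offset


def verify_patches(image, patches):
    """Return the patches whose 'old' bytes are NOT present in the image."""
    bad = []
    for patch in patches:
        track, sector, offset, old, _ = patch
        pos = dsk_offset(track, sector, offset)
        if pos + len(old) > IMAGE_SIZE or bytes(image[pos:pos + len(old)]) != old:
            bad.append(patch)
    return bad


def apply_patches(image, patches):
    """Return a patched copy, or raise if the image is not what the
    patches expect (wrong disk, or patches already applied)."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"not a 35-track, 16-sector image ({len(image)} bytes)")
    bad = verify_patches(image, patches)
    if bad:
        t, s, o, old, _ = bad[0]
        raise ValueError(f"T{t:02X},S{s:02X},${o:02X}: expected {old.hex().upper()} "
                         f"not found ({len(bad)} patch(es) do not match)")
    out = bytearray(image)
    for track, sector, offset, _, new in patches:
        pos = dsk_offset(track, sector, offset)
        out[pos:pos + len(new)] = new
    return bytes(out)


def constructed_image(patches):
    """Blank image with only the 'old' bytes planted (constructed test
    data standing in for the demuffin'd copy, not the real disk)."""
    img = bytearray(IMAGE_SIZE)
    for track, sector, offset, old, _ in patches:
        pos = dsk_offset(track, sector, offset)
        img[pos:pos + len(old)] = old
    return bytes(img)


if __name__ == "__main__":
    patches = parse_patches(PATCHES_TEXT)
    patched = apply_patches(constructed_image(patches), patches)
    for track, sector, offset, old, new in patches:
        print(f"T{track:02X},S{sector:02X},${offset:02X} = "
              f"${rwts_address(track, sector, offset):04X}: "
              f"{old.hex().upper()} -> {new.hex().upper()}")
    print("re-apply rejected:", len(verify_patches(patched, patches)), "mismatches")
```

Running it against a real image is the same
call with the file contents in place of the
constructed image; if verify_patches reports
anything, the disk is not the one these
patches were written for and nothing is
modified.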

Disk 2 has identical protection.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 653
------------------EOF------------------
