-----------Double 'N' Trouble----------
A 4am crack                  2017-01-22
---------------------------------------

Name: Double 'N' Trouble
Genre: educational
Year: 1985
Credits: Jim Parshall, Garnet Chappell
Publisher: Hartley Courseware
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: Diversi-DOS

                   ~

               Chapter 0
   In Which The Tools Almost Save Us


This disk was partially cracked by
Passport. Here is the transcript for
disk 1:

                 --v--

READING FROM S6,D1
T00,S00 FOUND DOS 3.3 BOOTLOADER
USING DISK'S OWN RWTS
WRITING TO S5,D2
T00,S03,$91: DA -> DE
T00,S03,$35: DA -> DE
T00,S02,$9E: DA -> DE
T00,S08 RWTS REQUIRES A NON-STANDARD
DISK VOLUME NUMBER.
T00,S08,$12: B148 -> A900
CRACK COMPLETE.

                 --^--

More information and source code is
available at
https://archive.org/details/Passport4am

Disk 2 is unprotected.

But wait! If the program disk is
protected with a strict RWTS and the
data disk is unprotected, then there
must be...

Dun dun dun...

An RWTS swapper!

Indeed, entering a student name of
"MENU" (no quotes) takes you to the
sooper-sekret teacher's menu:

                 --v--

    WELCOME TO THE TEACHER'S MENU


      <1> CATALOG THE DISK

      <2> EDIT TOPIC QUESTIONS

      <3> PRINT TOPIC QUESTIONS

      <4> REVIEW STUDENT SCORES

      <5> PROGRAM UTILITIES

      <6> RUN DOUBLE 'N' TROUBLE


          WHICH? _


                 --^--

Selecting <5> PROGRAM UTILITIES allows
you to transfer data files between the
(protected) program disk and the
(unprotected) data disk:

                 --v--

        FILE TRANSFER UTILITY



     <1> COPY FILES FROM MASTER
         DISK ONTO DATA DISK

     <2> COPY FILES FROM DATA
         DISK ONTO MASTER DISK

     <3> DELETE FILES ON DATA DISK

     <4> RETURN TO MAIN MENU



         WHICH? ==> _


                 --^--

Selecting 1, 2, or 3 prompts you to
insert the master disk in drive 1, then
it fails to recognize that the master
disk is, in fact, inserted. Presumably
because it expects the disk to be
protected in exactly the way that
Passport just fixed.

Thus.

                   ~

               Chapter 1
             We POKE Along


Booting my almost-but-not-quite-working
copy, I can hit <Ctrl-C> to break to a
working prompt.

]PR#6
...
<Ctrl-C>

]

BREAK
]LIST


LANGUAGE NOT AVAILABLE


]LIST


Hmm. Perhaps the old trick of embedding
a <Ctrl-D> and a DOS command in a REM
statement?

]LOAD HELLO

]SPEED=20

]LIST

 2  REM


Yes indeed.

]SPEED=255

]LIST 3,

 5  POKE 214,128: POKE 40286,252:
      POKE 40287,164
 10  TEXT : HOME : VTAB 17: PRINT
     "DOUBLE 'N' TROUBLE": PRINT
     : PRINT "VERSION 04.02.85": PRINT
     : PRINT "(C) 1985  HARTLEY C
     OURSEWARE, INC."
 11 Z =  PEEK (64435): IF Z <  >
     56 AND Z <  > 234 THEN  VTAB
     10: PRINT "BE SURE CAPS LOCK
      KEY IS DOWN!": PRINT "
        ---- ----        ----"
 12 A =  PEEK (78) + 1: FOR X = 1
      TO A:Z =  RND (1): NEXT
 40  FOR K = 1 TO 5: READ Z: FOR
     T = 0 TO 2: POKE Z + T,234: NEXT
 41  DATA 44537,44542,44555,44560
     ,44480
 100  PRINT "RUNFS TITLE PAGE"


]CATALOG

C1983 DSR C#254

*A 003 HELLO
*A 009 FS TITLE PAGE
*A 045 FS PRGRM
*A 024 FS GORB
*A 026 FS EPLGE
*A 038 FS T-MENU
*A 029 FS T-MENU CR&ED
*A 034 FILE TRANSFER
*B 003 GARBAG
*B 007 SMALL CHARACTERS
*B 004 HRBU
*B 002 IR
*B 016 PICDRAW
*B 005 GORBTECH
*T 002 CHAMP.F
*T 002 FS OPTIONS
*T 002 FSFIL.TMP
*T 003 MENU.FILE
*T 008 STUDENT.SCORES
 T 014 SURVIVAL
 T 014 MOTHER GOOSE
 T 014 PLANTS
 T 014 NICKNAMES
 T 014 OLOGIES
 T 014 NATIONAL PARKS
 T 014 SONGS
 T 014 HOLIDAYS
 T 014 WEATHER WORDS
 T 014 THINGS WE CAN'T SEE
 T 014 WHO DID WHAT?
 T 014 NOT WHAT THEY SEEM
 T 014 BEST
 T 014 U.S. CITIES
 T 014 WRITERS OF MUSIC
 T 014 ANIMALS
 T 001 STU.FILE


]LOAD FILE TRANSFER
.
.
.
 50000  IF DM = CM OR ND = 2 THEN
      RETURN
 50020 ZZ$ = "DATA": IF DM = 1 THEN
     ZZ$ = "MASTER"
 50025  HOME : VTAB 10: PRINT "IN
     SERT ";: INVERSE : PRINT ZZ$
     ;: NORMAL : PRINT " DISK": PRINT
     : PRINT "AND PRESS <RETURN>.
      ";:LM = 1: GOSUB 8999: IF  NOT
     F8 THEN 50025
 50030  PRINT : HOME : RETURN
 50090 U = 218 + 4 * (DM = 2):CM =
     DM
 50095  POKE  - 17234,U: POKE  -
     18031,U: POKE  - 18123,U: POKE
      - 18274,U: RETURN


Aha! On the very last line, I see four
suspicious POKE commands, all to RWTS-
related addresses.

-17234 = 48302 = $BCAE
-18031 = 47505 = $B991
-18123 = 47413 = $B935
-18274 = 47262 = $B89E

Combined with the math on line 50090,
this is definitely the RWTS swapper I'm
looking for.

Turning to my trusty Disk Fixer sector
editor, I press "D" for a directory
listing, select "FILE TRANSFER", then
use right arrow to follow the file to
its last sector, which is T04,S04:

                 --v--

-------------- DISK EDIT --------------
TRACK $04/SECTOR $04/VOLUME $FE/BYTE$40
---------------------------------------
$40: 39 39 3A AD C6 46 38 C4   99:-FF8D
$48: 35 30 30 32 35 00 57 28   50025@W(
$50: 6E C3 BA 3A 97 3A B1 00   .C::.:1@
$58: 70 28 AA C3 55 D0 32 31   0(*CUP21
$60: 38 C8 34 CA 28 44 4D D0   8H4J(DMP
$68: 32 29 3A 43 4D D0 44 4D   2):CMPDM
$70: 00 9E 28 AF C3 B9 C9 31   @.(/C9I1
                    ^^ ^^ ^^
                   POKE -  1

$78: 37 32 33 34 2C 55 3A B9   7234,U:9
     ^^^^^^^^^^^ ^^ ^^
      7  2  3  4  ,  U

$80: C9 31 38 30 33 31 2C 55   I18031,U
$88: 3A B9 C9 31 38 31 32 33   :9I18123
$90: 2C 55 3A B9 C9 31 38 32   ,U:9I182
$98: 37 34 2C 55 3A B1 00 00   74,U:1@@
$A0: 00 55 00 00 00 00 00 00   @U@@@@@@
$A8: 00 00 00 00 00 00 00 00   @@@@@@@@
$B0: 00 00 00 00 00 00 00 00   @@@@@@@@
$B8: 00 00 00 00 00 00 00 00   @@@@@@@@
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
DOS3.3:FILE TRANSFER               /$20
---------------------------------------
COMMAND : _

                 --^--

I can change the "POKE" command to
"RETURN" (opcode $B1, as shown above at
offset $9D), followed by a colon ($3A)
to separate Applesoft commands, then a
"REM" command (opcode $B2), which will
make the rest of the line a comment.

T04,S04,$75: B9C931 -> B13AB2
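
The decoding above, as an added example
(not part of the original write-up or
of Passport). It detokenizes line 50095
from the dumped bytes, resolves the POKE
targets, and applies the 3-byte patch.
Assumed: only the four tokens used here
are mapped, and track 0 sector N sits
at $B600+N*$100 (stock DOS 3.3 layout).

```python
import re

# Constructed input: bytes $71-$9E of T04,S04, re-typed from the Disk
# Fixer dump above (the tokenized record for line 50095).
RECORD_START = 0x71
RECORD = bytes.fromhex(
    "9E28AFC3"                  # next-line pointer, line number
    "B9C931373233342C553A"      # POKE -17234,U:
    "B9C931383033312C553A"      # POKE -18031,U:
    "B9C931383132332C553A"      # POKE -18123,U:
    "B9C931383237342C553A"      # POKE -18274,U:
    "B100")                     # RETURN, end of line

# Only the Applesoft tokens this line needs; others print as <XX>.
TOKENS = {0xB1: "RETURN", 0xB2: "REM ", 0xB9: "POKE ", 0xC9: "-"}

def detokenize(record):
    """Return (line number, listing text) for one tokenized line."""
    line_no = int.from_bytes(record[2:4], "little")
    text = ""
    for b in record[4:]:
        if b == 0:              # $00 terminates the line
            break
        text += TOKENS.get(b, f"<{b:02X}>") if b >= 0x80 else chr(b)
    return line_no, text

def poke_targets(text):
    """16-bit addresses POKEd by the part of the line that executes."""
    live = text.split("REM", 1)[0]      # nothing after REM runs
    return [int(n) & 0xFFFF for n in re.findall(r"POKE (-?\d+),", live)]

def track0_location(addr):
    """(sector, offset) on track 0, assuming the stock DOS 3.3 layout."""
    return (addr - 0xB600) >> 8, addr & 0xFF

def swap_value(dm):
    """Line 50090: U = 218 + 4 * (DM = 2); DM=1 is master, 2 is data."""
    return 218 + 4 * (dm == 2)

def patch(record, sector_offset, new):
    """Overwrite bytes at a sector offset inside the record."""
    i = sector_offset - RECORD_START
    return record[:i] + new + record[i + len(new):]

if __name__ == "__main__":
    line_no, text = detokenize(RECORD)
    print(line_no, text)
    for addr in poke_targets(text):
        sector, offset = track0_location(addr)
        print(f"${addr:04X} = T00,S{sector:02X},${offset:02X}")
    print(f"master ${swap_value(1):02X}, data ${swap_value(2):02X}")
    fixed = detokenize(patch(RECORD, 0x75, bytes.fromhex("B13AB2")))[1]
    print(fixed, poke_targets(fixed))
```

Three of the four targets resolve to
the T00,S03,$91, T00,S03,$35 and
T00,S02,$9E offsets in the Passport log,
and the master-disk value is $DA, the
byte Passport replaced with $DE.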

Searching the disk for the same hex
sequence for "POKE -17234,U" finds one
additional match on T1A,S07, which is
apparently part of "FS T-MENU".

]PR#6
...
<Ctrl-C>

]LOAD FS T-MENU
.
.
.
 9900  REM CAT
 9905 U = 218:Y8 = 0
 9909  HOME : POKE 44512,208: POKE
     44513,67: POKE 44515,160
 9910  ONERR  GOTO 9920
 9912  POKE  - 17234,U: POKE  - 1
     8031,U: POKE  - 18123,U: POKE
      - 18274,U: IF Y8 THEN 9980
 9915  PRINT D$"CATALOG":Y8 = 1:U
      = 218: GOTO 9912
 9920  POKE 216,0:U = U + 4: ONERR
      GOTO 9940
 9921  GOTO 9912

Different logic, but same result: we're
altering the RWTS based on the value of
U, which changes on line 9920.

Using a sector editor, I follow the "FS
T-MENU" file and change all those POKE
commands on line 9912 to colons
(command separators, which do nothing
but allow later commands on the same
line).

T1A,S07,$F1
  -> 3A3A3A3A3A3A3A3A3A3A3A3A3A3A3A
T03,S00,$00
  -> 3A3A3A3A3A3A3A3A3A3A3A3A3A3A3A3A
     3A3A3A3A3A3A3A3A3A

Here's what that looks like:

]PR#6
...
<Ctrl-C>

BREAK
]LOAD FS T-MENU
]LIST 9912

 9912 :::::::::::::::::::::::::::
     ::::::::::::: IF Y8 THEN 998
     0

After seconds of extensive testing, I'm
confident there is no other RWTS code
to patch.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 979
------------------EOF------------------
