----------Sequence: Red Level----------
A 4am crack                  2018-09-05
---------------------------------------

Name: Sequence: Red Level
Genre: educational
Year: 1982
Credits: Learning Well
Publisher: Methods and Solutions
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read anything past
  track $02

Passport
  Unable to read T22,S0F
  "Passport does not work on this disk"

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  Track $03+ use an address prologue of
  "AA D5 96" instead of "D5 AA 96"

Disk Fixer
  Track $00 looks like a DOS 3.3-shaped
  bootloader and RWTS
  ["O" -> "Input/Output Control"]
    set Address Prologue to "AA D5 96"
  Track $03+ readable
  Track $11 readable! I can even press
  "D" to get a directory and select a
  file

                 --v--

------------ DIRECTORY MODE -----------
$16:$00  HELLO
$08:$0F  Q12
$07:$0F  Q22
$06:$0F  Q32
$05:$08  Q42
$22:$0F  QB1
$22:$0D  TRUNTIME
$21:$03  START
$21:$01  TI.PIC
$1E:$0F  SONC
$1E:$0D  QB2
$1E:$0B  GY
$1E:$05  QB3
$1E:$03  QB4
$1E:$01  F12.OBJ
$17:$0C  FBEGIN.OBJ

                 --^--

Why didn't COPYA work?
  modified address prologue on T03+

Why didn't Locksmith FDB work?
  ditto

Why didn't Passport work?
  This disk must change the RWTS in a
  way that Passport doesn't support.

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Given that tracks $00-$02 are normal
and tracks $03+ are not, I'm going to
guess there is a routine that's called
exactly once that modifies the RWTS
routines in memory after DOS loads but
before it loads and runs the HELLO
program.

Next steps:

  1. Trace the boot to capture the RWTS
  2. Use Advanced Demuffin to convert
     the disk to a standard format
  3. Find and disable the code that is
     altering the RWTS after DOS loads
  4. Declare victory (*)

(*) go to the gym

                   ~

               Chapter 1
    In Which We Kick It Old School


According to a quick inspection with a
sector editor, the bootloader is like a
standard DOS 3.3 master disk. It loads
its RWTS at $3800, then DOS at $1D00,
then calls $1B03 to relocate everything
to higher memory.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...

]CALL -151

*9600<C600.C6FFM

96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C
9707-   4C 01 08    JMP   $0801
970A-   A9 4C       LDA   #$4C
970C-   8D 47 37    STA   $3747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 37    STA   $3748
9714-   A9 97       LDA   #$97
9716-   8D 49 37    STA   $3749
9719-   4C 00 37    JMP   $3700
971C-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$11F
*9600G
...boots slot 6...
...boots slot 5...

]BSAVE OBJ.1B00-3FFF,A$1B00,L$2500
]CALL -151

*1D84L

; normal
1D84-   AD E9 37    LDA   $37E9
1D87-   4A          LSR
1D88-   4A          LSR
1D89-   4A          LSR
1D8A-   4A          LSR
1D8B-   8D 6A 2A    STA   $2A6A
1D8E-   AD EA 37    LDA   $37EA
1D91-   8D 68 2A    STA   $2A68

; not normal
1D94-   20 70 BA    JSR   $BA70

$BA70 is currently in memory at $3A70,
so let's take a look.

*3A70L

; second nibble of address prologue
3A70-   A9 D5       LDA   #$D5
3A72-   8D 5F B9    STA   $B95F
3A75-   8D 7F BC    STA   $BC7F

; first nibble of address prologue
3A78-   A9 AA       LDA   #$AA
3A7A-   8D 55 B9    STA   $B955
3A7D-   8D 7A BC    STA   $BC7A

; code that ought to be at $1D94
3A80-   AD 00 E0    LDA   $E000
3A83-   60          RTS

That's it. Straightforward, called
once in late boot, changes the RWTS
forever after. (Nothing else on the
disk is stored on tracks $00-$02.)

To capture the RWTS in its native
position in memory, I'm going to let
the relocation routine do its thing and
save the result.

; disconnect DOS
*FE89G FE93G

; jump back to monitor instead of
; continuing the boot process
*1D84:4C 59 FF

; relocate
*1B03G

<beep>

OK, now the RWTS should be in place in
higher memory, as it would be if we had
booted the original disk. Now I can
manually call the one-time RWTS swapper
at $BA70...

*BA70G

...and the RWTS should be ready to read
tracks $03-$22.

*B944L

B944-   A0 FC       LDY   #$FC
B946-   84 26       STY   $26
B948-   C8          INY
B949-   D0 04       BNE   $B94F
B94B-   E6 26       INC   $26
B94D-   F0 F3       BEQ   $B942
B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   C9 AA       CMP   #$AA      <--
B956-   D0 F0       BNE   $B948
B958-   EA          NOP
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959
B95E-   C9 D5       CMP   #$D5      <--
B960-   D0 F2       BNE   $B954
B962-   A0 03       LDY   #$03
B964-   BD 8C C0    LDA   $C08C,X
B967-   10 FB       BPL   $B964
B969-   C9 96       CMP   #$96
B96B-   D0 E7       BNE   $B954

Excellent. Let's move that down to
lower memory and reboot my work disk
to save it. (I had to disconnect DOS
in order for the relocation routine to
work.)

*3800<B800.BFFFM

*C500G
...reboots slot 5...

]BSAVE RWTS 3+,A$3800,L$800
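As an added example (mine, not code from the write-up), here is a Python model of the address-field search at $B944-$B96B, parameterized by the two prologue bytes that $BA70 stores into $B955/$B95F, so the stock and the patched RWTS can be run over the same nibble stream. The 4-and-4 decoding, the checksum test and the sample stream are my additions; the stream is constructed, not captured from the disk.

```python
STANDARD_PROLOGUE = (0xD5, 0xAA, 0x96)   # stock DOS 3.3 address prologue
PATCHED_PROLOGUE = (0xAA, 0xD5, 0x96)    # what $BA70 stores at $B955/$B95F

def find_address_prologue(nibbles, prologue, max_first_byte_reads=771):
    """Index just past the 3-byte prologue, or None. Mirrors $B944-$B96B:
    the retry counter (Y/$26, both started at $FC, 771 reads before the
    BEQ $B942 error) only ticks on a first-byte mismatch (BNE $B948); a
    second- or third-byte mismatch branches back to $B954 and re-tests
    the nibble just read as a possible first byte."""
    stream = iter(enumerate(nibbles, 1))   # (index just past nibble, nibble)
    try:
        for _ in range(max_first_byte_reads):
            i, b = next(stream)
            while b == prologue[0]:        # $B954: candidate first byte
                i, b = next(stream)
                if b != prologue[1]:       # BNE $B954
                    continue
                i, b = next(stream)
                if b != prologue[2]:       # BNE $B954
                    continue
                return i
    except StopIteration:
        pass
    return None                            # out of nibbles, or counter wrapped

def decode_4_and_4(hi, lo):
    """DOS 3.3 '4-and-4' address-field byte pair -> 8-bit value."""
    return ((hi << 1) | 1) & lo

def encode_4_and_4(v):
    return (0xAA | (v >> 1), 0xAA | v)

def read_address_field(nibbles, prologue):
    """(volume, track, sector) behind a matching prologue, or None when no
    prologue is found or the volume^track^sector checksum fails."""
    end = find_address_prologue(nibbles, prologue)
    if end is None or end + 8 > len(nibbles):
        return None
    vol, trk, sec, chk = [decode_4_and_4(nibbles[end + k], nibbles[end + k + 1])
                          for k in range(0, 8, 2)]
    return (vol, trk, sec) if chk == vol ^ trk ^ sec else None

def address_field(prologue, vol, trk, sec):
    """Constructed header: prologue, 4-and-4 body, stock epilogue DE AA EB."""
    body = [n for v in (vol, trk, sec, vol ^ trk ^ sec) for n in encode_4_and_4(v)]
    return list(prologue) + body + [0xDE, 0xAA, 0xEB]

# Constructed stream: sync bytes, a stock-format header (as on T$00-$02),
# more sync bytes, then a header in this disk's T$03+ format.
SAMPLE = ([0xFF] * 5 + address_field(STANDARD_PROLOGUE, 254, 2, 0)
          + [0xFF] * 5 + address_field(PATCHED_PROLOGUE, 254, 3, 5))
```

Each RWTS only "sees" the headers written in its own format, which is why COPYA and Locksmith stop at track $02 while the patched RWTS reads $03+ and ignores the stock headers.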

                   ~

               Chapter 2
  In Which We Attempt To Use The Disk
      As A Weapon Against Itself


Using Locksmith Fast Disk Backup, I
copied tracks $00-$02 from the original
disk to a freshly formatted blank disk
in slot 6, drive 2. Now I can use
Advanced Demuffin to copy the rest of
the disk.

Advanced Demuffin is a cracker's tool
to convert disks to a standard format.
It takes a copy of the original disk's
RWTS (which you must supply) and uses
it to read the original, while using
its own copy of a standard RWTS to
write out a copy in a standard format,
sector by sector.

I've included the latest version of
Advanced Demuffin on my work disk.

]PR#5
...
]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS 3+" from D1

["6" to switch to slot 6]

["C" to convert disk]

[press "Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $03        <-- change this
START SECTOR: $00

END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $03,$00-$22,$0F BY$01 S6,D1->S6,D2

                 --^--

And here we go...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================
TRK:   ................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:   ................................
SC1:   ................................
SC2:   ................................
SC3:   ................................
SC4:   ................................
SC5:   ................................
SC6:   ................................
SC7:   ................................
SC8:   ................................
SC9:   ................................
SCA:   ................................
SCB:   ................................
SCC:   ................................
SCD:   ................................
SCE:   ................................
SCF:   ................................
=======================================
16SC $03,$00-$22,$0F BY$01 S6,D1->S6,D2

                 --^--

This is the power and the genius of
Advanced Demuffin. Every disk must be
able to read itself. So, let it read
itself, then capture the data and write
it out in a standard format.

                   ~

               Chapter 3
            We Patch Along


Now we have a disk that has all the
data from the original disk, but it
still expects tracks $03-$22 to be in
a protected format. A routine at $BA70
sets that up in late boot. That routine
is called from $9D94, which is stored
on track $00, sector $0C. I can replace
the JSR with "LDA $E000", which was the
original code at that address. The RWTS
can already read unprotected sectors,
so if we don't change it, it will be
able to read the rest of the disk now
that it is also unprotected.

T00,S0C,$94: 2070BA -> AD00E0

]PR#6
...works...

Quod erat liberandum.
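An added example (mine, not part of the write-up): applying that one patch to a DOS 3.3-order .dsk image of the converted disk, refusing to write unless the expected JSR bytes are actually at T00,S0C,$94. The sector-ordering formula, the 143360-byte image size and the zero-filled sample image are assumptions I have constructed; the patch location and bytes are the ones given above.

```python
TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE   # 143360 bytes

# Assumption: a DOS 3.3-order (.dsk/.do) image stores sector bytes at
# ((track * 16) + sector) * 256, so T00,S0C,$94 is a fixed file offset.
def dsk_offset(track, sector, byte=0):
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS and 0 <= byte < SECTOR_SIZE):
        raise ValueError("track/sector/byte out of range")
    return (track * SECTORS + sector) * SECTOR_SIZE + byte

# The write-up's patch: JSR $BA70 (20 70 BA) -> LDA $E000 (AD 00 E0).
PATCH = {"track": 0x00, "sector": 0x0C, "byte": 0x94,
         "old": bytes.fromhex("2070BA"), "new": bytes.fromhex("AD00E0")}

def needs_patch(image, patch=PATCH):
    """True when the JSR is still in place at the patch location."""
    off = dsk_offset(patch["track"], patch["sector"], patch["byte"])
    return bytes(image[off:off + len(patch["old"])]) == patch["old"]

def apply_patch(image, patch=PATCH):
    """Return a patched copy. Refuses to touch an image whose bytes at the
    location are not the expected JSR, so a different DOS build or an
    already-patched image is reported rather than silently corrupted."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"expected a {IMAGE_SIZE}-byte image, got {len(image)}")
    off = dsk_offset(patch["track"], patch["sector"], patch["byte"])
    found = bytes(image[off:off + len(patch["old"])]).hex().upper()
    if not needs_patch(image, patch):
        raise ValueError(f"T{patch['track']:02X},S{patch['sector']:02X},"
                         f"${patch['byte']:02X} holds {found}, expected "
                         f"{patch['old'].hex().upper()}")
    out = bytearray(image)
    out[off:off + len(patch["new"])] = patch["new"]
    return out

def make_sample_image():
    """Constructed stand-in for the Demuffin'd disk: zero-filled, with only
    the JSR $BA70 placed at T00,S0C,$94 (no real DOS code included)."""
    img = bytearray(IMAGE_SIZE)
    off = dsk_offset(PATCH["track"], PATCH["sector"], PATCH["byte"])
    img[off:off + 3] = PATCH["old"]
    return img

if __name__ == "__main__":
    fixed = apply_patch(make_sample_image())
    off = dsk_offset(0x00, 0x0C, 0x94)
    print(fixed[off:off + 3].hex().upper())   # AD00E0
```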

---------------------------------------
A 4am crack                    No. 1795
------------------EOF------------------
