------------The Math Doctor------------
A 4am crack                  2017-01-20
---------------------------------------

Name: The Math Doctor
Genre: educational
Year: 1984
Credits: Barbara Signer
Publisher: Modern Education Corporation
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none

                   ~

               Chapter 0
   In Which The Tools Almost Save Us


This disk was partially cracked by
Passport. Here is the transcript:

                 --v--

READING FROM S6,D1
T00,S00 FOUND DOS 3.3 BOOTLOADER
USING DISK'S OWN RWTS
WRITING TO S5,D2
T00,S03,$91: AA -> DE
T00,S03,$35: AA -> DE
T00,S06,$AE: AA -> DE
T00,S02,$9E: AA -> DE
CRACK COMPLETE.

                 --^--

More information and source code are
available at
https://archive.org/details/Passport4am

The disk now boots, which is definitely
the sort of thing you want a disk to
do. However, it also has the capability
to save data to a user-supplied disk in
a standard format, which means...

Dun dun dun...

An RWTS swapper!

After selecting <F>ILE from the main
menu, then <RETURN> to go back to the
main menu, the program presents the
following error:

                 --v--

     UNABLE TO LOCATE MATH DOCTOR

MAKE SURE THAT MATH DOCTOR IS IN

DISK DRIVE 1, THEN PRESS ANY KEY.

                 --^--

So let's see what we can do about that.

                   ~

               Chapter 1
             We POKE Along


Attempts to break out of the program
with <Ctrl-C> or <Ctrl-Reset> are
unsuccessful. However, since the disk
is now in a standard format, I can boot
any third-party disk and poke around.

[S6,D1=DOS 3.3 system master]
[S6,D2=non-working copy]

]PR#6
...

]CATALOG,D2

DISK VOLUME 254

*A 007 HELLO
*B 034 MEC F.PIC
*B 034 MD3.PIC
*A 005 MAIN MENU
*A 073 MATH DOCTOR
*A 004 TITLE PAGES
*T 002 NUM CON
*T 002 ADDITION
*T 002 SUBTRACTION
*T 002 INTERM
*T 002 MULTIPLY
*T 002 DIVISION
*T 003 FRACTIONS
*A 020 FILE


]LOAD MAIN MENU
]LIST
...

 70  GET AN$
 75  PRINT AN$
 77  VTAB 23: HTAB 19: PRINT " ":
      VTAB 23: HTAB 19
 78  IF AN$ <  > "T" AND AN$ <  >
     "F" THEN 70
 79  HOME : VTAB 12: HTAB 10: PRINT
     "LOADING ---- PLEASE WAIT"
 80  IF AN$ = "T" THEN  PRINT D$;
     "RUN MATH DOCTOR"
 90  IF AN$ = "F" THEN  PRINT D$;
     "RUN FILE"
 100  GOTO 70


Nothing RWTS-related here, but we're
either running MATH DOCTOR or FILE,
depending on the user's choice.

]LOAD FILE
]LIST

 0  REM  ONE MOMENT PLEASE ------
     -FP
 1  POKE 214,255: DIM D$(20): POKE
     47262,222: POKE 47505,222: POKE
     47413,222: POKE 48302,222
 2  GOSUB 2000
 3  ONERR  GOTO 3
 4 MS = 1
 5  POKE 34,0: POKE 47262,222: POKE
     47505,222: POKE 47413,222: POKE
     48302,222
 7  REM  ONE MOMENT PLEASE ------
     -FP
.
.
.
 154  POKE 47262,170: POKE 47505,
     170: POKE 47413,170: POKE 48
     302,170
 155  PRINT  CHR$ (4);"RUN MAIN M
     ENU, D1"


Aha! Those POKE commands in the 47xxx
and 48xxx range are hitting DOS areas.

47262 = $B89E
47505 = $B991
47413 = $B935
48302 = $BCAE

Those four memory locations correspond
to the four patches that Passport made.
Lines 1 and 5 set the RWTS to standard
values (#$DE as the first epilogue).
Line 154 sets them to protected values
(#$AA for the first epilogue) to read
the original disk.

Since our disk is no longer "original,"
we no longer need to POKE the RWTS back
and forth.

In the spirit of making my changes as
minimal as possible (even if it makes
my job harder), I decided to change the
"POKE" commands to "REM". I don't think
this disk does anything fancy with
embedding hidden code within the BASIC
programs, but altering and "SAVE"ing a
program is surprisingly disruptive, so
let's do this in a hex editor.

Turning to my trusty Copy ][+ sector
editor (version 5.5, which can follow
files), I follow the "FILE" program and
see the underlying Applesoft opcodes
look like this:

                 --v--

SECTOR EDITOR                    DISK B

00- AC 12 24 08 00 00 B2 20  ,R$H@@2
08- 4F 4E 45 20 4D 4F 4D 45  ONE MOME
10- 4E 54 20 50 4C 45 41 53  NT PLEAS
18- 45 20 2D 2D 2D 2D 2D 2D  E ------
20- 2D 04 46 50 00 65 08 01  -DFP@%HA
28- 00 B9 32 31 34 2C 32 35  @9214,25
30- 35 3A 86 44 24 28 32 30  5:.D$(20
38- 29 3A B9 34 37 32 36 32  ):947262
          ^^ ^^^^^^^^^^^^^^
         POKE    47262

40- 2C 32 32 32 3A B9 34 37  ,222:947
48- 35 30 35 2C 32 32 32 3A  505,222:
50- B9 34 37 34 31 33 2C 32  947413,2
58- 32 32 3A B9 34 38 33 30  22:94830
60- 32 2C 32 32 32 00 6F 08  2,222@/H
68- 02 00 B0 32 30 30 30 00  B@02000@
70- 77 08 03 00 A5 AB 33 00  7HC@%+3@
78- 80 08 04 00 4D 53 D0 31  .HD@MSP1
80- 00 B6 08 05 00 B9 33 34  @6HE@934


TRACK $05, SECTOR $A    DOS 3.3

[?]-HELP SCREEN

                 --^--

Changing byte $3A from $B9 to $B2 will
change the "POKE" on line 1 to a "REM"
statement, which will disable that POKE
and all the other commands on line 1.
The POKE on line 5 is at byte $8B.
Following the file, I find the POKE on
line 154 is at T15,S0F,$5C.
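
The effect of that one-byte change can
be checked mechanically. The Python
below is an added example, not part of
the original write-up or of Passport: it
walks the tokenized Applesoft lines in
the bytes from the sector dump, lists
every constant POKE into DOS, and shows
that a REM token at $3A hides the rest
of line 1. It assumes the standard 48K
DOS 3.3 layout (T00,S00 loads at $B600)
and a program load address of $0801; the
function names are illustrative.

```python
# Constructed sample: bytes $00-$87 of T05,S0A, copied from the dump above.
SECTOR = bytes.fromhex("""
AC 12 24 08 00 00 B2 20 4F 4E 45 20 4D 4F 4D 45 4E 54 20 50 4C 45 41 53
45 20 2D 2D 2D 2D 2D 2D 2D 04 46 50 00 65 08 01 00 B9 32 31 34 2C 32 35
35 3A 86 44 24 28 32 30 29 3A B9 34 37 32 36 32 2C 32 32 32 3A B9 34 37
35 30 35 2C 32 32 32 3A B9 34 37 34 31 33 2C 32 32 32 3A B9 34 38 33 30
32 2C 32 32 32 00 6F 08 02 00 B0 32 30 30 30 00 77 08 03 00 A5 AB 33 00
80 08 04 00 4D 53 D0 31 00 B6 08 05 00 B9 33 34
""")
POKE, REM = 0xB9, 0xB2            # Applesoft tokens
LOAD = 0x0801                     # assumed program load address
DOS_LO, DOS_HI = 0xB600, 0xBFFF   # assumed: T00,S00-S09 of 48K DOS 3.3

def dos_pokes(buf):
    """Return (line, offset, address, value) for each constant POKE into DOS."""
    hits, pos = [], 2             # skip the 2-byte length header of the file
    while pos + 4 <= len(buf):
        nxt = int.from_bytes(buf[pos:pos + 2], "little")
        line = int.from_bytes(buf[pos + 2:pos + 4], "little")
        end = min(nxt - LOAD + 2, len(buf))   # buffer offset of the next line
        if nxt == 0 or end <= pos:            # end of program or corrupt link
            break
        i = pos + 4
        while i < end and buf[i] not in (0x00, REM):   # REM hides the rest
            if buf[i] == POKE:
                j = i + 1
                while j < end and buf[j] not in (0x00, 0x3A):  # ':' or EOL
                    j += 1
                args = buf[i + 1:j].decode("ascii", "replace").split(",")
                if len(args) == 2 and all(a.strip().isdigit() for a in args):
                    addr = int(args[0])
                    if DOS_LO <= addr <= DOS_HI:
                        hits.append((line, i, addr, int(args[1])))
            i += 1
        pos = end
    return hits

def track0_location(addr):
    """Map a DOS address to (sector, offset) on track 0 (assumed layout)."""
    return (addr - DOS_LO) >> 8, addr & 0xFF

def neutralize(buf, offset):
    """Return a copy with the token at `offset` replaced by REM."""
    return buf[:offset] + bytes([REM]) + buf[offset + 1:]

if __name__ == "__main__":
    for line, off, addr, val in dos_pokes(SECTOR):
        print(line, hex(off), hex(addr), hex(val), track0_location(addr))
    print(dos_pokes(neutralize(SECTOR, 0x3A)))
```

The (sector, offset) pairs it reports for
line 1 are the same four track 0
locations that appear in the Passport
transcript.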

Scanning the rest of the disk for the
hex sequence "B9 34 37 32 36 32" (the
opcodes for "POKE 47262"), I discover
that there are similar POKE commands in
the "MATH DOCTOR" program.

All told, these patches will disable
all RWTS-related POKEs:

T05,S0A,$3A: B9 -> B2  \
T05,S0A,$8B: B9 -> B2   } FILE program
T15,S0F,$5C: B9 -> B2  /

T14,S05,$5C: B9 -> B2  \  MATH DOCTOR
T15,S07,$BA: B9 -> B2  /  program

After extensive testing, I can find no
other RWTS-related code.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 978
------------------EOF------------------
