--------Who What Where When Why--------
A 4am crack                  2017-10-20
---------------------------------------

Name: Who What Where When Why
Version: 02.05.86
Genre: educational
Year: 1986
Publisher: Hartley Courseware, Inc.
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none (of this version)

This disk was automatically cracked by
Passport. Here is the transcript:

                 --v--

READING FROM S6,D1
T00,S00 FOUND DIVERSI-DOS BOOTLOADER
USING DISK'S OWN RWTS
WRITING TO S5,D2
T00,S03,$91: DA -> DE
T00,S03,$35: DA -> DE
T00,S06,$AE: DA -> DE
T00,S02,$9E: DA -> DE
T00,S08 RWTS REQUIRES A NON-STANDARD
DISK VOLUME NUMBER.
T00,S08,$12: B148 -> A900
CRACK COMPLETE.

                 --^--

[Narrator]
But the crack was not complete.

                   ~

The copy that Passport produces is in a
standard format, fully readable by
third-party tools (and itself, after
the RWTS patches). But when I boot it,
I get this message:

                 --v--

MAK
IF YOU WISH TO PURCHASE A BACK-UP COPY
OF THIS PROGRAM, PLEASE CONTACT:

        HARTLEY COURSEWARE, INC.

                 --^--

Oh.

Someone noticed that I copied it.

I hate when that happens.

Turning to my trusty Disk Fixer sector
editor, I look through the bootloader
on my non-working copy. T00,S00 is
identical to a standard unprotected
disk. T00,S01 is... just slightly
different.

                 --v--

T00,S01
----------- DISASSEMBLY MODE ----------
0000:20 7B B7       JSR   $B77B
.
.
.
007B:8E E9 B7       STX   $B7E9

; set RUN flag
007E:A9 90          LDA   #$90
0080:85 D6          STA   $D6

; set reset vector
0082:8D F2 03       STA   $03F2
0085:A9 B7          LDA   #$B7
0087:8D F3 03       STA   $03F3
008A:49 A5          EOR   #$A5
008C:8D F4 03       STA   $03F4
008F:60             RTS

; standard
0003:8E F7 B7       STX   $B7F7
0006:A9 01          LDA   #$01
0008:8D F8 B7       STA   $B7F8
000B:8D EA B7       STA   $B7EA
000E:AD E0 B7       LDA   $B7E0
0011:8D E1 B7       STA   $B7E1
0014:A9 02          LDA   #$02
0016:8D EC B7       STA   $B7EC
0019:A9 04          LDA   #$04
001B:8D ED B7       STA   $B7ED
001E:AC E7 B7       LDY   $B7E7
0021:88             DEY
0022:8C F1 B7       STY   $B7F1
0025:A9 01          LDA   #$01
0027:8D F4 B7       STA   $B7F4
002A:8A             TXA
002B:4A             LSR
002C:4A             LSR
002D:4A             LSR
002E:4A             LSR
002F:AA             TAX
0030:A9 00          LDA   #$00
0032:9D F8 04       STA   $04F8,X
0035:9D 78 04       STA   $0478,X

; load DOS (still standard)
0038:20 93 B7       JSR   $B793
003B:A2 FF          LDX   #$FF
003D:9A             TXS
003E:8E EB B7       STX   $B7EB

; do some machine identification
; (not shown, but still standard)
0041:4C C8 BF       JMP   $BFC8
0044:20 89 FE       JSR   $FE89

; here we go
0047:4C BB B3       JMP   $B3BB

                 --^--

At $B747, I would expect to see a JMP
to $9D84, which initializes DOS and
loads the startup program. Instead,
we are jumping to $B3BB for some
nefarious purpose.

$B3xx is loaded from track 2, sector 2,
as part of the call to $B793 that loads
DOS.

                 --v--

T02,S02
----------- DISASSEMBLY MODE ----------
; clear screen
00BB:20 58 FC       JSR   $FC58

; print "MAK" (someone's initials?)
00BE:A9 CD          LDA   #$CD
00C0:20 ED FD       JSR   $FDED
00C3:A9 C1          LDA   #$C1
00C5:20 ED FD       JSR   $FDED
00C8:A9 CB          LDA   #$CB
00CA:20 ED FD       JSR   $FDED

; set up RWTS parameter table
00CD:A9 00          LDA   #$00
00CF:8D EB B7       STA   $B7EB

; sector 0
00D2:8D ED B7       STA   $B7ED

; track $23 (!) -- one past track $22,
; the last track on a standard disk
00D5:A9 23          LDA   #$23
00D7:8D EC B7       STA   $B7EC

; into $2300
00DA:8D F1 B7       STA   $B7F1
00DD:A9 01          LDA   #$01
00DF:8D F5 B7       STA   $B7F5

; do it
00E2:A0 E8          LDY   #$E8
00E4:A9 B7          LDA   #$B7
00E6:20 00 BD       JSR   $BD00

; branch if read was successful
00E9:90 03          BCC   $00EE

; otherwise jump to failure path
00EB:4C 00 B4       JMP   $B400

; now try to read another sector (9)
00EE:A9 09          LDA   #$09
00F0:8D ED B7       STA   $B7ED

; do it
00F3:A9 B7          LDA   #$B7
00F5:A0 E8          LDY   #$E8
00F7:20 00 BD       JSR   $BD00

; this time, the read is supposed to
; fail -- if RWTS returns "success,"
; branch to failure path
00FA:90 03          BCC   $00FF

; if all is as expected, continue to
; initialize DOS as usual
00FC:4C 84 9D       JMP   $9D84
00FF:EA             NOP
.
. this falls through to $B400, on the
. next sector
.
; wipe previous routine from memory
; (fills $B300-$B3FF with whatever the
; accumulator happens to hold)
0000:A0 00          LDY   #$00
0002:99 00 B3       STA   $B300,Y
0005:C8             INY
0006:D0 FA          BNE   $0002

; print error message
0008:A0 00          LDY   #$00
000A:B9 1F B4       LDA   $B41F,Y
000D:C9 FF          CMP   #$FF
000F:D0 03          BNE   $0014

; hang forever
0011:4C 11 B4       JMP   $B411
0014:20 ED FD       JSR   $FDED
0017:C8             INY
0018:4C 0A B4       JMP   $B40A

                 --^--

So: two reads on track $23, a track
that does not exist on a standard
35-track disk (tracks run $00-$22).
The read of sector 0 needs to succeed,
and the read of sector 9 needs to fail.
So simply initializing track $23 on the
copy will not work -- a freshly
formatted track has all 16 sectors
readable, so the second read would
succeed and send you to the failure
path. You would need to bit copy track
$23 from the original in order to pass
the entire protection check. It's
relatively weak (any bit copier would
work), but you would need to know to
try it, to have the proper tool to do
it, and to use the proper mode (a
copier that stops at track $22 never
touches it).

And nobody did, because here we are in
2017, and there are no copies of this
disk online anywhere.

There are no side effects to skipping
the reads: the sector from track $23
is read into $2300, on the hi-res
graphics page, and the program
immediately overwrites that page
anyway. We can bypass the routine
altogether and jump directly to the
success path at $B3FC (the JMP $9D84
that initializes DOS as usual).

T00,S01,$48: BB -> FC
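The same patch applied to a disk image
with a script. This is an added example
for this write-up, not 4am's or
Passport's code. It assumes the copy is
stored as a standard 143,360-byte
DOS-order .dsk image, in which DOS
logical sector (T,S) begins at byte
(T*16+S)*256 and the sector editor's
offset is added to that, and it refuses
to write unless T00,S01,$47 still holds
the JMP $B3BB shown in the disassembly.
The helper names and the argument
handling are this example's own.

```python
"""Apply T00,S01,$48: BB -> FC to a DOS 3.3-order .dsk image.

Added example for this write-up; not 4am's or Passport's code. Assumes a
standard 143,360-byte DOS-order image, in which DOS logical sector (T,S)
starts at byte (T*16 + S)*256 and a sector editor's offset within the
sector is added to that. All helper names below are this example's own.
"""
import sys
from dataclasses import dataclass

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE   # 143360 bytes


@dataclass(frozen=True)
class Patch:
    track: int
    sector: int
    offset: int      # byte offset within the 256-byte sector
    expect: bytes    # what must be there before we touch anything
    new: bytes       # replacement, same length as expect


# The fix from the write-up: JMP $B3BB at T00,S01,$47 becomes JMP $B3FC,
# skipping the track $23 reads and landing on the JMP $9D84 success path.
BYPASS_PATCH = Patch(track=0x00, sector=0x01, offset=0x48,
                     expect=b"\xBB", new=b"\xFC")


def sector_offset(track: int, sector: int, offset: int = 0) -> int:
    """Byte position of (track, sector, offset) in a DOS-order image.

    Rejects track $23 and up: a 35-track image only has tracks $00-$22,
    which is exactly why the protection reads from track $23.
    """
    if not (0 <= track < TRACKS):
        raise ValueError(f"track ${track:02X} is outside $00-${TRACKS - 1:02X}")
    if not (0 <= sector < SECTORS):
        raise ValueError(f"sector ${sector:02X} is outside $00-${SECTORS - 1:02X}")
    if not (0 <= offset < SECTOR_SIZE):
        raise ValueError(f"offset ${offset:02X} is outside the sector")
    return (track * SECTORS + sector) * SECTOR_SIZE + offset


def apply_patch(image: bytearray, patch: Patch) -> None:
    """Write patch.new at its location, but only if patch.expect is there."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"expected a {IMAGE_SIZE}-byte DOS-order image, got {len(image)}")
    if len(patch.expect) != len(patch.new):
        raise ValueError("expect and new must be the same length")
    pos = sector_offset(patch.track, patch.sector, patch.offset)
    found = bytes(image[pos:pos + len(patch.expect)])
    if found != patch.expect:
        raise ValueError(
            f"T{patch.track:02X},S{patch.sector:02X},${patch.offset:02X}: "
            f"expected {patch.expect.hex().upper()}, found {found.hex().upper()}; "
            "refusing to patch")
    image[pos:pos + len(patch.new)] = patch.new


def jmp_target(image: bytearray, track: int, sector: int, offset: int) -> int:
    """Decode a 6502 JMP absolute ($4C lo hi) stored at (track, sector, offset)."""
    pos = sector_offset(track, sector, offset)
    opcode, lo, hi = image[pos], image[pos + 1], image[pos + 2]
    if opcode != 0x4C:
        raise ValueError(f"no JMP at T{track:02X},S{sector:02X},${offset:02X} (found ${opcode:02X})")
    return (hi << 8) | lo


def crack(image: bytearray) -> int:
    """Apply the bypass and return the new JMP target (should be $B3FC)."""
    if jmp_target(image, 0x00, 0x01, 0x47) != 0xB3BB:
        raise ValueError("boot1 does not contain JMP $B3BB at $47; wrong disk or already patched")
    apply_patch(image, BYPASS_PATCH)
    return jmp_target(image, 0x00, 0x01, 0x47)


def constructed_image() -> bytearray:
    """Constructed stand-in for the Passport copy: zeros plus the one instruction we care about."""
    image = bytearray(IMAGE_SIZE)
    pos = sector_offset(0x00, 0x01, 0x47)
    image[pos:pos + 3] = b"\x4C\xBB\xB3"   # JMP $B3BB, as in the T00,S01 listing
    return image


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            image = bytearray(f.read())
        target = crack(image)
        with open(sys.argv[2], "wb") as f:
            f.write(image)
    else:
        image = constructed_image()
        target = crack(image)
    print(f"T00,S01,$47 now reads JMP ${target:04X}")
```

Run it with a source and a destination
path to patch a real image; with no
arguments it patches the constructed
image and reports the new target. The
expect/found check is the part worth
keeping: a one-byte patch to the wrong
disk, or to a copy that was already
patched, is silently wrong otherwise.
The range check in sector_offset makes
the page's point another way: track
$23 has no place in a 35-track image,
so no sector copy could ever carry
whatever the original keeps there.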

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1482
------------------EOF------------------
