-------------Word Invasion-------------
A 4am crack                  2015-12-27
---------------------------------------

Name: Word Invasion
Genre: educational
Year: 1983
Authors: Jerry Chaffin, Bill Maxwell,
  B. Thompson
Publisher: Developmental Learning
  Materials (DLM)
Media: single-sided 5.25-inch floppy
OS: Diversi-DOS (T02,S02 has the string
  "C1983 DSR" backwards)
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  copy works

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified address + data epilogues
  (AA DE EB instead of DE AA EB)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "AA DE EB"
    set Data Epilogue to "AA DE EB"
  Success! All tracks readable!
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
259 FREE

*A 002 HELLO
*B 018 AO1
*B 010 WORD TABLE
*B 002 DIGITS
*B 003 BIG LETTERS
*B 019 AO-CONTROL.OBJ
*B 017 AO-STARTUP.OBJ
*B 002 SASM
*B 034 LOGO3
*B 031 AO-GAME.OBJ
*B 003 LITTLE LETTERS
*B 034 LOGO2
*B 003 BL3.OBJ0
*B 034 LOGO1
*B 017 RUNTIME
*B 002 BLAST
*B 006 AO2

]RUN HELLO
...works...

[S6,D1=demuffin'd copy]

]PR#6
...grinds then crashes...

The demuffin'd disk can't read itself.
This is not unusual. I need to patch
the RWTS to read a standard disk.

                   ~

               Chapter 2
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

; restore original RWTS epilogue bytes
T00,S03,$91 change AA to DE
T00,S03,$9B change DE to AA
T00,S03,$35 change AA to DE
T00,S03,$3F change DE to AA
T00,S06,$AE change AA to DE
T00,S06,$B3 change DE to AA
T00,S02,$9E change AA to DE
T00,S02,$A3 change DE to AA

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 544
------------------EOF------------------
