-----------The Decades Game 2----------
A 4am crack                  2016-01-26
---------------------------------------

Name: The Decades Game 2
Genre: educational
Year: 1983
Credits:
  written by Charles S. Goldstein
  computer graphics by Paul Kuhrman
  program edited by Mark Feldman
Publisher: BrainBank, Inc.
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address prologue/epilogue on
  every track, no particular pattern,
  each track is different (!)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set CHECKSUM ENABLED to "NO"
  T00 readable
  looks like a standard DOS 3.3 boot0,
  but the RWTS is missing or rearranged
  (for example, T00,S02 is entirely
  empty)

Why didn't COPYA work?
  modified prologues and epilogues

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  probably just structural protection
  (modified epilogue), no nibble check

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself
       And Go On A Slight Detour


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1

Hmm, we got boot0 and boot1, but my
AUTOTRACE script can't find a DOS 3.3-
shaped RWTS. Which is not surprising,
since I couldn't find it either when I
looked with a sector editor.

Let's see what we have.

]BLOAD BOOT1,A$3600
]CALL -151

*FE89G FE93G
*B600<3600.3FFFM
*B700L
.
. [absolutely bog standard]
.

*B793L
.
. [absolutely bog standard]
.

*B7B5L
.
. [absolutely bog standard]
.

*BD00L

; looks like the standard RWTS entry
; point
BD00-   84 48       STY   $48
BD02-   85 49       STA   $49
BD04-   A9 02       LDA   #$02

; these addresses are non-standard
; (usually use holes in the text page)
BD06-   85 46       STA   $46
BD08-   0A          ASL
BD09-   8D 19 BA    STA   $BA19
BD0C-   A0 01       LDY   #$01
BD0E-   B1 48       LDA   ($48),Y
BD10-   8D 10 BA    STA   $BA10
BD13-   AA          TAX
BD14-   BD 8E C0    LDA   $C08E,X
BD17-   BD 8C C0    LDA   $C08C,X
BD1A-   BD 89 C0    LDA   $C089,X
BD1D-   A0 08       LDY   #$08
BD1F-   B1 48       LDA   ($48),Y
BD21-   85 3E       STA   $3E
BD23-   C8          INY
BD24-   B1 48       LDA   ($48),Y
BD26-   85 3F       STA   $3F
BD28-   A0 02       LDY   #$02

Poking around further, I stumbled upon
the non-standard entry points to read
the address prologue and epilogue. The
prologue matcher is the same as DOS 3.3
(but in a different memory location),
which leads me to believe there is some
sort of per-track routine that pokes in
the proper prologue values. But the
epilogue matcher looks like this:

*BBB4L

; get current sector
BBB4-   A4 2D       LDY   $2D
BBB6-   BD 8C C0    LDA   $C08C,X
BBB9-   10 FB       BPL   $BBB6

; part of the nibble translate table --
; so this disk actually has per-SECTOR
; epilogues, even within the same track
BBBB-   D9 21 BA    CMP   $BA21,Y
BBBE-   D0 AB       BNE   $BB6B
BBC0-   EA          NOP
BBC1-   BD 8C C0    LDA   $C08C,X
BBC4-   10 FB       BPL   $BBC1

; another part of the same table
BBC6-   D9 31 BA    CMP   $BA31,Y
BBC9-   D0 A0       BNE   $BB6B
BBCB-   18          CLC
BBCC-   60          RTS

I dunno, it looks normal enough that I
could just call it with an RWTS table
to read a sector. You know, like
Advanced Demuffin does.
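A small Python model of the $BBB4 epilogue matcher above, added here as an illustration (it is not code from the original write-up or from the disk). The real offsets of the $BA21/$BA31 tables are not given, so the two 16-entry rows below are constructed from the standard DOS 3.3 6-and-2 write table; the point is only to show why a per-sector epilogue defeats COPYA's fixed DE AA check while a nibble copier never notices.

```python
# Model of the per-sector address-epilogue check at $BBB4-$BBCC in
# "The Decades Game 2" RWTS. Added example, not the write-up's own code.
# ASSUMPTION: $BA21,Y and $BA31,Y are two 16-byte slices of the nibble
# translate table; slices below are constructed from the standard table.

# Standard DOS 3.3 6-and-2 write translate table (64 valid disk nibbles).
NIBBLE_TABLE = [
    0x96, 0x97, 0x9A, 0x9B, 0x9D, 0x9E, 0x9F, 0xA6,
    0xA7, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF, 0xB2, 0xB3,
    0xB4, 0xB5, 0xB6, 0xB7, 0xB9, 0xBA, 0xBB, 0xBC,
    0xBD, 0xBE, 0xBF, 0xCB, 0xCD, 0xCE, 0xCF, 0xD3,
    0xD6, 0xD7, 0xD9, 0xDA, 0xDB, 0xDC, 0xDD, 0xDE,
    0xDF, 0xE5, 0xE6, 0xE7, 0xE9, 0xEA, 0xEB, 0xEC,
    0xED, 0xEE, 0xEF, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6,
    0xF7, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF,
]

# Constructed assumption: CMP $BA21,Y reads row 0, CMP $BA31,Y reads
# row 1, with Y = current sector number ($2D, $00-$0F).
EPILOGUE_1 = NIBBLE_TABLE[0:16]
EPILOGUE_2 = NIBBLE_TABLE[16:32]

STANDARD_EPILOGUE = (0xDE, 0xAA)   # what stock DOS 3.3 RWTS / COPYA expect


def expected_epilogue(sector):
    """The two nibbles this RWTS demands after sector N's address field."""
    return (EPILOGUE_1[sector & 0x0F], EPILOGUE_2[sector & 0x0F])


def check_epilogue_per_sector(nibbles, sector):
    """Mirror of $BBB4: LDY $2D; read a nibble, CMP $BA21,Y; read the
    next, CMP $BA31,Y. True models CLC/RTS (match); False models the
    BNE $BB6B error exit taken on either mismatch."""
    if len(nibbles) < 2:
        return False
    want1, want2 = expected_epilogue(sector)
    return nibbles[0] == want1 and nibbles[1] == want2


def check_epilogue_standard(nibbles):
    """The fixed DE AA check a stock DOS 3.3 RWTS applies to every sector."""
    return tuple(nibbles[:2]) == STANDARD_EPILOGUE


def all_sectors_fail_standard_check():
    """Why COPYA gets an immediate read error: no sector on this disk
    carries DE AA, so the stock RWTS rejects every address field."""
    return all(not check_epilogue_standard(expected_epilogue(s))
               for s in range(16))
```

Because EDD copies raw nibbles it reproduces these per-sector bytes untouched, which is why the bit copy "works" while sector copiers fail.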

*C500G
...
]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B6, load "BOOT1" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
202 FREE

*A 007 HELLO
*A 059 AH7/NEW*#
*A 057 AH8/NEW*#
*A 056 AH9/NEW*#
*A 056 AH10/NEW*#
*A 059 AH6/NEW*#

]RUN HELLO
...works...

Now to make the disk be able to read
itself (remember, it still has the
original RWTS on it)...

Using Copy ][+, I can "copy DOS" from a
freshly initialized DOS 3.3 disk onto
the demuffin'd copy. This function of
Copy ][+ just sector-copies tracks 0-2
from one disk to another, but it's
easier than setting that up manually in
some other copy program.

Copy ][+
  --> COPY
    --> DOS
      --> from slot 6, drive 2
      -->   to slot 6, drive 1

[S6,D1=demuffin'd copy]
[S6,D2=newly formatted DOS 3.3 disk]

...read read read...
...write write write...

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 589
------------------EOF------------------
