----------------Neutrons---------------
A 4am crack                  2017-08-13
---------------------------------------

Name: Neutrons
Genre: arcade
Year: 1981 (*)
Publisher: Level-10 (a division of
  Dakin5 Corporation)
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: by Master Disk (file)

(*) There is no visible copyright date
    on the disk label or in the game,
    but I found the original trademark
    application for "Neutrons" by
    Dakin5 Corporation. It lists the
    "first use in commerce" date as
    1981-12-17.
    <https://trademarks.justia.com/733/
    45/neutrons-73345022.html>

                   ~

               Chapter 0
   In Which The Tools Do Not Save Us


This disk was automatically cracked by
Passport. Here is the transcript:

                 --v--

Reading from S6,D1
T00,S00 Found DOS 3.3 bootloader
Using disk's own RWTS
Writing to S6,D2
T00,S03,$35: AA -> DE
T00,S03,$3F: DE -> AA
T00,S02,$9E: AA -> DE
T00,S02,$A3: DE -> AA
Crack complete.

                 --^--

[Narrator]
But the crack was not complete.

The copy that Passport produces is in a
standard format, fully readable by
third-party tools. But when I boot it,
it immediately starts grinding like it
can't read itself.

Hmm.

                   ~


               Chapter 1
          It's Only Metadata


Turning, as one does, to my trusty
sector editor, I examined the RWTS code
and found an unpatched JMP. This is in
the routine that starts at $B944, which
finds the address prologue, parses the
address field, then finds the address
epilogue.

                 --v--

T00,S03 ($B900)
----------- DISASSEMBLY MODE ----------
; find first nibble of address epilogue
; as usual
008B:BD 8C C0       LDA   $C08C,X
008E:10 FB          BPL   $008B
0090:C9 DE          CMP   #$DE
0092:D0 AE          BNE   $0042
0094:EA             NOP
0095:BD 8C C0       LDA   $C08C,X
0098:10 FB          BPL   $0095

; wait, what?
009A:4C B3 B6       JMP   $B6B3

                 --^--

$B600 is loaded from T00,S00.

T00,S00 ($B600)
----------- DISASSEMBLY MODE ----------
; check for standard second epilogue
; nibble ($AA)
00B3:C9 AA          CMP   #$AA
00B5:D0 0C          BNE   $00C3

; take track number (parsed from
; address field)
00B7:A5 2E          LDA   $2E
00B9:F0 04          BEQ   $00BF

; if track > 0, munge it ?!?!?
00BB:49 7E          EOR   #$7E
00BD:85 2E          STA   $2E

; clear carry on the way out (so RWTS
; doesn't complain)
00BF:A9 AA          LDA   #$AA
00C1:18             CLC
00C2:60             RTS

; oh, and if the second epilogue
; doesn't match, immediately reboot
; (friendly! but not the cause of our
; current problem)
00C3:4C 00 C6       JMP   $C600

                 --^--

What the hell is going on? To answer
that burning question, let's turn to a
raw nibble view, via the Copy II Plus
nibble editor.

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 01  START: 2C9D  LENGTH: 18A6

2C78: FF FC FF FF FF FF FF FF   VIEW
2C80: FF FF FF FF FF FF FF FF
2C88: FF FF FF FF FF AB AB AB
2C90: AB AB AB AB AB AB AB AB
2C98: AB AB AB AB AB D5 AA 96  <-2C9D
                     ^^^^^^^^
                 address prologue

2CA0: FF FE BF FF AA AA EA AB
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      V=254 T=$7F S=$00 chksm

2CA8: DE AA AB AB AB AB AB AB
      ^^^^^
 address epilogue

2CB0: AB AB AB AB D5 AA AD F2
2CB8: FA D7 D7 A6 BE FE F7 FB

                 --^--

Every track (except track 0) has
intentionally corrupted metadata -- the
track number has been XOR'd with #$7E.
Bad disk! Stop lying!
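To make the munge concrete, here is an added example (my code, not part of the original write-up or the disk's RWTS) that decodes the 4-and-4 address field from the nibble view above and then applies the same EOR #$7E step the disk's own code performs at $B6BB. The nibble stream is constructed from the Copy II Plus listing for track 1; the function names are hypothetical. The checksum check and the epilogue check mirror what DOS 3.3's RWTS does before deciding a sector is good.

```python
# Added example, not from the original write-up: decode a DOS 3.3
# address field and reproduce the disk's track-number munge.

ADDRESS_PROLOGUE = bytes([0xD5, 0xAA, 0x96])
ADDRESS_EPILOGUE = bytes([0xDE, 0xAA])

# Nibble stream constructed from the Copy II Plus view at $2C9D
# (track 1): sync bytes, prologue, four 4-and-4 pairs (volume,
# track, sector, checksum), epilogue, trailing sync.
NIBBLES = bytes([
    0xAB, 0xAB, 0xAB, 0xD5, 0xAA, 0x96,
    0xFF, 0xFE, 0xBF, 0xFF, 0xAA, 0xAA, 0xEA, 0xAB,
    0xDE, 0xAA, 0xAB, 0xAB,
])


def decode_4and4(hi, lo):
    """Combine a 4-and-4 nibble pair: odd bits in hi, even bits in lo."""
    return ((hi << 1) | 1) & lo


def parse_address_field(nibbles, offset=0):
    """Find the next address field at or after offset.

    Returns the raw on-disk values and the offset past the epilogue.
    Raises ValueError where the RWTS would bail out (bad epilogue,
    checksum mismatch); on this disk a bad epilogue reboots to $C600.
    """
    start = nibbles.find(ADDRESS_PROLOGUE, offset)
    if start < 0:
        raise ValueError("address prologue not found")
    body = start + len(ADDRESS_PROLOGUE)
    if body + 10 > len(nibbles):
        raise ValueError("truncated address field")
    vol, trk, sec, chk = (
        decode_4and4(nibbles[body + i], nibbles[body + i + 1])
        for i in range(0, 8, 2)
    )
    if nibbles[body + 8:body + 10] != ADDRESS_EPILOGUE:
        raise ValueError("bad address epilogue")
    # Address checksum is volume XOR track XOR sector.
    if chk != vol ^ trk ^ sec:
        raise ValueError("address checksum mismatch")
    return {"volume": vol, "track": trk, "sector": sec}, body + 10


def rwts_track(raw_track, munge=True):
    """Mirror of $B6B7-$B6BD: a non-zero track number is EOR'd with $7E.

    munge=False models the STA -> BIT patch: the on-disk track number
    is used as-is, which is what a standard-format copy needs.
    """
    if munge and raw_track != 0:
        return raw_track ^ 0x7E
    return raw_track


def read_track_number(nibbles, munge=True):
    """Track number the RWTS would act on for the first address field."""
    field, _ = parse_address_field(nibbles)
    return rwts_track(field["track"], munge)


if __name__ == "__main__":
    field, _ = parse_address_field(NIBBLES)
    print("on-disk: V=%d T=$%02X S=$%02X" %
          (field["volume"], field["track"], field["sector"]))
    print("original RWTS sees track", read_track_number(NIBBLES))
    print("patched RWTS sees track", read_track_number(NIBBLES, False))
```

Running it shows why the Passport copy ground: the on-disk field says T=$7F, the original RWTS turns that into track 1, but once the copy is written with honest track numbers the same EOR turns a real track 1 into $7F and the read fails.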

(Passport uses the disk's own RWTS to
read the disk but uses standard ProDOS
calls to write the data out to a copy.
It didn't even notice the corrupted
metadata, because it was corrupted in
exactly the way that the disk's own
code expected. But Passport didn't
fully patch the copy either. Maybe the
next version...)

Since my copy is no longer lying about
which track is which, the RWTS needs to
get with the program and stop altering
the track number of every sector.

; $B6BD: "STA $2E" -> "BIT $2E"
T00,S00,$BD: 85 -> 24

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1362
------------------EOF------------------
