----------------Pie-Man----------------
A 4am crack                  2017-08-08
---------------------------------------

Name: Pie-Man
Genre: arcade
Year: 1982
Credits: Eagle Berns and Michael Kosaka
Publisher: Penguin Software
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: file crack (no title)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  read errors on T12+ but copy works

Copy ][+ nibble editor
  T12+ appear unformatted
  disk volume 000
  other tracks use "DA AA EB" for both
    address and data field epilogue
  odd-numbered tracks: non-standard
    address prologue ("D4 AA 96")

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 01  START: 21A2  LENGTH: 1879

2C38: BB AC B4 A6 9E DB F2 9D   VIEW
2C40: BA 9A D6 F2 FB DA AA EB
2C48: 99 B4 B4 B4 B4 9C FF F9
2C50: FF DC 97 F4 BE B6 DD 96
2C58: 94 FE FF FF FF D4 AA 96
                     ^^^^^^^^
                 address prologue

2C60: AA AA AA AB AB AF AB AE
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      V=000 T=$01 S=$07 chksm

2C68: DA AA EB 99 B4 B4 B4 E5
      ^^^^^^^^
  address epilogue

2C70: E5 FF FF FF FF D5 AA AD
                     ^^^^^^^^
                  data prologue

2C78: E7 CE D9 B9 AB D9 B3 EB

                 --^--

Disk Fixer
  bootloader looks like DOS 3.3;
  given the proper prologue and
  epilogue parameters, track $11 is
  readable and looks like a normal disk
  catalog with one file ("HELLO") which
  is also listed as the startup program

Why didn't COPYA work?
  modified prologues and epilogues

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  No half or quarter tracks, because I
  didn't even try to copy those. Just
  the structural changes (prologues and
  epilogues) and an RWTS patched to
  read them.

Next steps:

  1. Convert disk to standard format
     with Passport or Advanced Demuffin
  2. Patch RWTS to read standard format
  3. Declare victory (*)

(*) Go to the gym

                   ~

               Chapter 1
         Bit Math Is Best Math


Passport successfully captures the RWTS
and converts the disk to a standard
format, but the bootloader is just
different enough that it refuses to
apply any patches. So I am stuck with
the task of patching the RWTS by hand
like some kind of 20th century peasant.

T00,S01,$9E: DA -> DE
T00,S02,$35: DA -> DE
T00,S02,$91: DA -> DE
T0C,S0C,$C2: DA -> DE

There's no need to patch the address
prologue, because it's flexible enough
to read a standard disk already. That's
a neat trick! Here's how it works:

                 --v--

; original code on T00,S03, loaded into
; memory at $B900
B944-   A0 FC       LDY   #$FC
B946-   84 26       STY   $26
B948-   C8          INY
B949-   D0 04       BNE   $B94F
B94B-   E6 26       INC   $26
B94D-   F0 F3       BEQ   $B942

; find prologue nibble #1
B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   4A          LSR
B955-   49 6A       EOR   #$6A
B957-   D0 EF       BNE   $B948

; find prologue nibble #2
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959
B95E-   C9 AA       CMP   #$AA
B960-   D0 F2       BNE   $B954
B962-   A0 03       LDY   #$03

; find prologue nibble #3
B964-   BD 8C C0    LDA   $C08C,X
B967-   10 FB       BPL   $B964
B969-   C9 96       CMP   #$96
B96B-   D0 E7       BNE   $B954

                 --^--

The code to find prologue nibble #1
explains how this disk can read its
odd-numbered tracks (with non-standard
address prologue "D4 AA 96").

Normal address prologue byte 1 is $D5.
In binary: $D5 = 1101 0101
After LSR:       0110 1010 = $6A

Odd-numbered tracks use $D4 instead.
In binary: $D4 = 1101 0100
After LSR:       0110 1010 = $6A

So this code will match either prologue
and work on both odd and even tracks.
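As an added example (not code from the write-up or from the disk's RWTS), here is a Python model of the address-field read from Chapters 0 and 1: prologue nibble #1 matched with the LSR / EOR #$6A trick, 4-and-4 decoding of the field shown in the Copy ][+ dump, and the epilogue check with and without the DA -> DE patch. The nibble streams are constructed from the dump above and from a standard-format copy of the same field.

```python
# Added example, not code from the 4am write-up; models Chapters 0 and 1.

def match_prologue1(nibble):
    """Model of $B954-$B957: LSR, then EOR #$6A; zero means a match."""
    return ((nibble >> 1) ^ 0x6A) == 0

def accepted_first_nibbles():
    """Every 8-bit value the LSR/EOR trick accepts as prologue nibble #1."""
    return [n for n in range(256) if match_prologue1(n)]

def decode_44(odd, even):
    """4-and-4 decode: first nibble carries the odd bits, second the even."""
    return ((odd << 1) | 1) & even

def read_address_field(nibbles, epilogue=(0xDA, 0xAA)):
    """Slide through a nibble stream until the prologue matches, then
    decode the address field. Default epilogue is this disk's unpatched
    "DA AA"; pass (0xDE, 0xAA) to model the DA -> DE patch."""
    for i in range(len(nibbles) - 12):
        # Nibble #1 uses the flexible match; #2 and #3 are exact ($AA, $96).
        # On a mismatch the RWTS re-tests the nibble it just read as a new
        # nibble #1, which is what sliding by one position models.
        if not (match_prologue1(nibbles[i]) and nibbles[i + 1] == 0xAA
                and nibbles[i + 2] == 0x96):
            continue
        f = nibbles[i + 3:i + 11]
        volume, track, sector, chk = (decode_44(f[k], f[k + 1])
                                      for k in (0, 2, 4, 6))
        return {
            "volume": volume, "track": track, "sector": sector,
            "checksum_ok": chk == (volume ^ track ^ sector),
            # Like DOS 3.3, only the first two epilogue nibbles are checked
            "epilogue_ok": tuple(nibbles[i + 11:i + 13]) == tuple(epilogue),
        }
    return None

# Constructed from the Copy ][+ dump: "D4 AA 96" prologue, "DA AA EB" epilogue
PIEMAN_T01_S07 = [0xFF, 0xFF, 0xFF, 0xD4, 0xAA, 0x96,
                  0xAA, 0xAA, 0xAA, 0xAB, 0xAB, 0xAF, 0xAB, 0xAE,
                  0xDA, 0xAA, 0xEB, 0x99, 0xB4, 0xB4]
# Same field after conversion to standard format ("D5 AA 96" / "DE AA EB")
STANDARD_T01_S07 = [0xFF, 0xFF, 0xFF, 0xD5, 0xAA, 0x96,
                    0xAA, 0xAA, 0xAA, 0xAB, 0xAB, 0xAF, 0xAB, 0xAE,
                    0xDE, 0xAA, 0xEB, 0x99, 0xB4, 0xB4]

if __name__ == "__main__":
    print(read_address_field(PIEMAN_T01_S07))                  # V=0 T=1 S=7
    print(read_address_field(STANDARD_T01_S07))                # epilogue_ok False
    print(read_address_field(STANDARD_T01_S07, (0xDE, 0xAA)))  # after the patch
```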

Furthermore, RWTS code is time-critical
between reading the last bit of one
nibble and reading the first bit of the
next. If it's too fast or too slow, it
will get out of phase (because the disk
spins independently of the CPU).

Compare DOS 3.3 (cycle count in margin)

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   C9 D5       CMP   #$D5    | 2
B956-   D0 F0       BNE   $B948   | 2 *
B958-   EA          NOP           | 2
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

(*) on the time-critical path, this
    branch is not taken, so always 2

...and this disk's RWTS:

B94F-   BD 8C C0    LDA   $C08C,X
B952-   10 FB       BPL   $B94F
B954-   4A          LSR           | 2
B955-   C9 6A       CMP   #$6A    | 2
B957-   D0 EF       BNE   $B948   | 2 *
B959-   BD 8C C0    LDA   $C08C,X
B95C-   10 FB       BPL   $B959

Despite being more "flexible" (matching
$D5 or $D4), this disk's RWTS uses the
same number of bytes of code and runs
in the same number of cycles. Nice.

So we're done, right? Not quite. Now my
copy boots, loads DOS, sounds like it
loads that HELLO program, then grinds
and reboots. Perhaps there is another
RWTS embedded inside the HELLO program?
Or something more sinister?

                   ~

               Chapter 2
     I Like My Sinister-ness Mild,
            Not Extra Spicy


Booting from a DOS 3.3 system master,
I can get a disk catalog of this non-
working disk.

]CATALOG

DISK VOLUME 254

 B 000 HELLO

Despite the obviously faked file length
on the HELLO program, the BLOAD command
does work as expected.

]BLOAD HELLO
]CALL -151

*AA72.AA73

AA72- 00 1C

*1C00L

; machine initialization stuff
1C00-   78          SEI
1C01-   20 2F FB    JSR   $FB2F
1C04-   20 84 FE    JSR   $FE84
1C07-   20 89 FE    JSR   $FE89
1C0A-   20 93 FE    JSR   $FE93
1C0D-   20 58 FC    JSR   $FC58

; test for Applesoft in ROM
1C10-   2C 80 C0    BIT   $C080
1C13-   A9 4C       LDA   #$4C
1C15-   CD 00 E0    CMP   $E000
1C18-   F0 30       BEQ   $1C4A
1C1A-   2C 81 C0    BIT   $C081
1C1D-   48          PHA
1C1E-   68          PLA
1C1F-   CD 00 E0    CMP   $E000
1C22-   F0 26       BEQ   $1C4A

If it doesn't find Applesoft, it prints
an error (not shown here).

*1C4AL

; clear part of main memory
1C4A-   A2 18       LDX   #$18
1C4C-   A0 02       LDY   #$02
1C4E-   98          TYA
1C4F-   99 00 B4    STA   $B400,Y
1C52-   C8          INY
1C53-   D0 FA       BNE   $1C4F
1C55-   CE 51 1C    DEC   $1C51
1C58-   CA          DEX
1C59-   D0 F4       BNE   $1C4F

; hmm
1C5B-   A2 20       LDX   #$20
1C5D-   A9 88       LDA   #$88
1C5F-   A0 1C       LDY   #$1C
1C61-   20 9E 1C    JSR   $1C9E

*1C9EL

; save input registers (minus 3,
; apparently)
1C9E-   D8          CLD
1C9F-   CA          DEX
1CA0-   86 1A       STX   $1A
1CA2-   38          SEC
1CA3-   E9 03       SBC   #$03
1CA5-   85 18       STA   $18
1CA7-   B0 01       BCS   $1CAA
1CA9-   88          DEY
1CAA-   84 19       STY   $19

; set some RWTS parameters
1CAC-   A0 00       LDY   #$00
1CAE-   8C F0 B7    STY   $B7F0
1CB1-   8C EB B7    STY   $B7EB
1CB4-   C8          INY
1CB5-   8C F4 B7    STY   $B7F4
1CB8-   A0 B5       LDY   #$B5
1CBA-   8C F1 B7    STY   $B7F1

; oh dear
1CBD-   A9 DA       LDA   #$DA
1CBF-   8D 91 B9    STA   $B991
1CC2-   8D 35 B9    STA   $B935

And there's our problem: the HELLO
program is resetting the patches I made
to the RWTS on disk. Further RWTS calls
will fail because they're looking for
the non-standard epilogues ("DA AA EB")
which I've since standardized.
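As an added example (not code from the write-up), a small linear sweep over the bytes listed at $1C9E-$1CC4 that reports every absolute store landing inside the RWTS, together with the immediate value the register was last loaded with; the opcode-length table covers only the instructions in this routine, and the input bytes are constructed from the listing above.

```python
# Added example, not code from the 4am write-up: a linear sweep over the
# bytes listed at $1C9E-$1CC4 to find the stores that hit the RWTS.

# Lengths for the opcodes that occur in this routine (a full 6502 table
# is not needed for the constructed input below; unknown opcodes raise).
OPLEN = {0xD8: 1, 0xCA: 1, 0x38: 1, 0x88: 1, 0xC8: 1,   # implied
         0x86: 2, 0x85: 2, 0x84: 2, 0xE9: 2, 0xB0: 2,   # zp, imm, rel
         0xA0: 2, 0xA9: 2, 0x8C: 3, 0x8D: 3}            # imm, abs

def find_rwts_stores(code, base, lo=0xB800, hi=0xBFFF):
    """Report every STA/STY abs into [lo, hi] as (pc, target, value),
    where value is what the register last held if it came from an
    immediate load in this routine (else None). Straight-line only:
    the one branch here, BCS $1CAA, skips just a DEY."""
    hits, reg = [], {"A": None, "Y": None}
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPLEN:
            raise ValueError("opcode $%02X at $%04X not in table" % (op, base + pc))
        if op == 0xA9:                       # LDA #imm
            reg["A"] = code[pc + 1]
        elif op == 0xA0:                     # LDY #imm
            reg["Y"] = code[pc + 1]
        elif op == 0xE9:                     # SBC #imm: A no longer known
            reg["A"] = None
        elif op in (0xC8, 0x88) and reg["Y"] is not None:   # INY / DEY
            reg["Y"] = (reg["Y"] + (1 if op == 0xC8 else -1)) & 0xFF
        elif op in (0x8D, 0x8C):             # STA abs / STY abs
            target = code[pc + 1] | (code[pc + 2] << 8)
            if lo <= target <= hi:
                hits.append((base + pc, target, reg["A" if op == 0x8D else "Y"]))
        pc += OPLEN[op]
    return hits

# Constructed from the listing of $1C9E-$1CC4 above
HELLO_1C9E = bytes.fromhex(
    "D8 CA 86 1A 38 E9 03 85 18 B0 01 88 84 19 "
    "A0 00 8C F0 B7 8C EB B7 C8 8C F4 B7 A0 B5 8C F1 B7 "
    "A9 DA 8D 91 B9 8D 35 B9")

if __name__ == "__main__":
    for pc, target, value in find_rwts_stores(HELLO_1C9E, 0x1C9E):
        print("$%04X writes %s to $%04X" % (pc, "?" if value is None else "$%02X" % value, target))
```

Widening the range to $B700 also lists the four STY writes into the RWTS parameter area at $B7EB-$B7F4, which the listing labels as parameter setup rather than a patch.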

Returning to my trusty Disk Fixer
sector editor, I press "D" for
directory mode and follow the "HELLO"
file to track $0C.

T0C,S0C,$C2: DA -> DE

]PR#6
...works..

Quod erat liberandum.

                   ~

            Acknowledgments


Thanks to Ian Baronofsky for lending me
the original disk at Kansasfest 2017.

---------------------------------------
A 4am crack                    No. 1356
------------------EOF------------------
