---------------Roundabout--------------
A 4am crack                  2018-01-31
---------------------------------------

Name: Roundabout
Genre: arcade
Year: 1983
Credits: Gumby Bitworks
Publisher: Datamost
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: DOS 3.3

This disk was automatically converted
to a standard format by Passport.
Here is the transcript:

                 --v--

READING FROM S6,D1
T00,S00 FOUND DOS 3.3 BOOTLOADER
USING DISK'S OWN RWTS
T22 IS UNFORMATTED
WRITING TO S5,D2
T21 IS UNFORMATTED
T20 IS UNFORMATTED
T1F IS UNFORMATTED
T1E IS UNFORMATTED

THE DISK WAS COPIED SUCCESSFULLY, BUT
PASSPORT DID NOT APPLY ANY PATCHES.

POSSIBLE REASONS:
- THE SOURCE DISK IS NOT COPY PROTECTED.
- THE TARGET DISK WORKS WITHOUT PATCHES.
- THE DISK USES AN UNKNOWN PROTECTION,
  AND PASSPORT CAN NOT HELP ANY FURTHER.

                 --^--

More information and source code is
available at
https://archive.org/details/Passport4am

                   ~

The copy does not, in fact, work. It
boots and immediately starts grinding
as though it is unable to read itself.

Turning to my trusty Disk Fixer sector
editor, I see a mostly standard DOS 3.3
shaped bootloader with some custom
code in T00,S01 to load the game after
the RWTS is in place. All RWTS prologue
and epilogue code is normal, so there
must be some code elsewhere that is
changing it.

Aha! Found it. At $B9A0, which is the
main entry point for the track seek
routine (to change to a different track
for any reason), I see this:

                 --v--

T00,S03
----------- DISASSEMBLY MODE ----------
00A0:4C AF BE       JMP   $BEAF
00A3:2A             ROL
00A4:CD 78 04       CMP   $0478
00A7:F0 53          BEQ   $00FC

                 --^--

The "2A" byte at offset $A3 is actually
part of the code that belongs there --
it's normally "STX $2B / STA $2A" --
which tells me that this JMP opcode has
been grafted on top of the normal DOS
routine.

$BEAF is loaded from T00,S08, so let's
look there.

                 --v--

T00,S08
----------- DISASSEMBLY MODE ----------
; code that was originally at $B9A0
00AF:85 2A          STA   $2A
00B1:86 2B          STX   $2B

; set epilogue
00B3:A9 DE          LDA   #$DE
00B5:8D 9E B8       STA   $B89E
00B8:8D AE BC       STA   $BCAE
00BB:8D 35 B9       STA   $B935
00BE:8D 91 B9       STA   $B991

; check track (actually phase, which is
; track x2)
00C1:A5 2A          LDA   $2A

; track $11 or above?
00C3:C9 22          CMP   #$22

; yes, branch
00C5:B0 15          BCS   $00DC

; no, fall through and change epilogues
; again
00C7:A9 DF          LDA   #$DF
00C9:8D 9E B8       STA   $B89E
00CC:8D AE BC       STA   $BCAE
00CF:8D 35 B9       STA   $B935
00D2:8D 91 B9       STA   $B991

; continue with regular code
00D5:A6 2B          LDX   $2B
00D7:A5 2A          LDA   $2A
00D9:4C A4 B9       JMP   $B9A4

; execution continues here (from $BEC5)
; add 1 to the phase
00DC:18             CLC
00DD:69 01          ADC   #$01
00DF:85 2A          STA   $2A

; and continue with regular code
00E1:4C A4 B9       JMP   $B9A4

                 --^--

Oh wow. The first half of the disk is
relatively normal (modified epilogues
but nothing crazy). The second half --
track $11 and above -- stores data one
half track higher than usual. So data
on track $11 is really on $11.5.

Examining the original disk with the
Copy II Plus nibble editor confirms
this analysis:

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 11.50  START: 1800  LENGTH: 3DFF
       ^^^^^
    half-track

1910: 96 96 96 96 96 96 96 96   VIEW
1918: 96 96 96 96 96 96 96 96
1920: 96 96 DE AA EB FA F9 FE
1928: FF FF FF FF FF FF FF FF
1930: FF FF FF FF FF D5 AA 96  <-1935
                     ^^^^^^^^
                 address prologue

1938: FF FE AA BB AE AF FB EA
      ^^^^^ ^^^^^ ^^^^^ ^^^^^
      V=254 T=$11 S=$0D chksm

1940: DE AA E9 FF FF 9E FF FF
      ^^^^^
 address epilogue

1948: FF FF FF D5 AA AD 96 96
               ^^^^^^^^
             data prologue

                 --^--
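As an added illustration (not part of
the original write-up), here is a small
Python decoder for the DOS 3.3 address
field shown in the dump above. It applies
the 4-and-4 decoding to the V/T/S/checksum
nibbles, verifies the checksum, and checks
the epilogue byte using the per-track rule
from the $BEAF patch ($DF below track $11,
$DE at or above); the sample nibble bytes
are a constructed copy of $1930-$1947 from
the Copy II Plus dump.

```python
# Decoder for the DOS 3.3 address field as it appears in the nibble
# dump above. Added example; constructed input, not the page's own code.

ADDRESS_PROLOGUE = bytes([0xD5, 0xAA, 0x96])

def decode_4and4(odd: int, even: int) -> int:
    """DOS 3.3 "4-and-4" encoding: the odd bits of the value are in the
    first nibble, the even bits in the second, both padded with 1 bits."""
    return ((odd << 1) | 1) & even & 0xFF

def expected_epilogue_byte(track: int) -> int:
    """Per the patch at $BEB3-$BED2: $DF below track $11, $DE at/above."""
    return 0xDE if track >= 0x11 else 0xDF

def parse_address_field(nibbles: bytes, start: int = 0):
    """Find the next address field at or after `start` and return a dict
    with its volume/track/sector, checksum status and epilogue status,
    or None if no complete field is found."""
    i = nibbles.find(ADDRESS_PROLOGUE, start)
    if i < 0 or i + 13 > len(nibbles):
        return None
    body = nibbles[i + 3 : i + 11]          # 8 nibbles: V V T T S S C C
    volume, track, sector, checksum = (
        decode_4and4(body[k], body[k + 1]) for k in (0, 2, 4, 6)
    )
    epilogue = nibbles[i + 11 : i + 13]     # first two epilogue bytes
    return {
        "offset": i,
        "volume": volume,
        "track": track,
        "sector": sector,
        "checksum_ok": checksum == (volume ^ track ^ sector),
        "epilogue_ok": epilogue == bytes([expected_epilogue_byte(track), 0xAA]),
    }

# Constructed sample: the bytes at $1930-$1947 of the dump above.
SAMPLE = bytes.fromhex(
    "FFFFFFFFFFD5AA96"   # sync bytes, then address prologue D5 AA 96
    "FFFEAABBAEAFFBEA"   # V=254, T=$11, S=$0D, checksum (4-and-4)
    "DEAAE9FFFF9EFFFF"   # epilogue DE AA, then more sync bytes
)

if __name__ == "__main__":
    print(parse_address_field(SAMPLE))
```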

The funny thing is that, because the
half-track shift is handled entirely
within the RWTS, Passport was able to
normalize the disk. The data on track
$11.5 was read from track $11.5 and
written out to track $11, and so on.
The RWTS knows how to read the entire
disk, and that's exactly what Passport
did.

The only thing left to do is restore
the original code at $B9A0 instead of
jumping to $BEAF:

T00,S03,$A0: 4CAFBE -> 862B85

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1654
------------------EOF------------------
