--------Snack Attack and Friends-------
A 4am crack                  2016-11-08
---------------------------------------

Name: Snack Attack and Friends
Genre: arcade
Year: 1983
Author: Dan Illowsky
Publisher: Funtastic, Inc.
Platform: Apple ][+ or later
Media: single-sided 5.25-inch floppy
OS: custom
Previous cracks: none (of this
  compilation)

This disk is a compilation of three
games. Two were previously released
as individual disks by Datamost.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  reads track $00, nothing more

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T00 -> standard
  T01-T20 -> modified address prologue
    ("D5 AA AA" instead of "D5 AA 96")
  T21-T22 -> unformatted (hi-res disk
    scan confirms this)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Prologue to "D5 AA AA"
  Success! T01-T20 readable!
  T00 -> totally custom bootloader

Why didn't COPYA work?
  modified address prologue

Why didn't Locksmith FDB work?
  ditto

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Next steps:

  1. Sector-copy T00
  2. Build an RWTS to copy T01-T20
  3. Patch bootloader to read the
     now-standard address prologue

                   ~

               Chapter 1
   In Which We Use The Original Disk
      As A Weapon Against Itself
        And It Goes Swimmingly


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...
]CALL -151

; copy RWTS
*3800<B800.BFFFM

*3944L

3944-   A0 FC       LDY   #$FC
3946-   84 26       STY   $26
3948-   C8          INY
3949-   D0 04       BNE   $394F
394B-   E6 26       INC   $26
394D-   F0 F3       BEQ   $3942
394F-   BD 8C C0    LDA   $C08C,X
3952-   10 FB       BPL   $394F
3954-   C9 D5       CMP   #$D5
3956-   D0 F0       BNE   $3948
3958-   EA          NOP
3959-   BD 8C C0    LDA   $C08C,X
395C-   10 FB       BPL   $3959
395E-   C9 AA       CMP   #$AA
3960-   D0 F2       BNE   $3954
3962-   A0 03       LDY   #$03
3964-   BD 8C C0    LDA   $C08C,X
3967-   10 FB       BPL   $3964
3969-   C9 96       CMP   #$96      <--
396B-   D0 E7       BNE   $3954

; change 3rd address prologue nibble
; to match the original disk
*396A:AA

*BSAVE RWTS 1+,A$3800,L$800

That RWTS should be able to read tracks
$01 through $20 on the original disk.
Now, we can use Advanced Demuffin to
convert those tracks to a standard
format (on a copy, of course).

*BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS 1+" from D1

["6" to switch to slot 6]

["C" to convert disk]

["Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $01        <-- change this
START SECTOR: $00
END TRACK: $20          <-- change this
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $01,$00-$20,$0F BY1.0 S6,D1->S6,D2

                 --^--

And here we go...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK: ................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0: ................................
SC1: ................................
SC2: ................................
SC3: ................................
SC4: ................................
SC5: ................................
SC6: ................................
SC7: ................................
SC8: ................................
SC9: ................................
SCA: ................................
SCB: ................................
SCC: ................................
SCD: ................................
SCE: ................................
SCF: ................................
=======================================
16SC $01,$00-$20,$0F BY1.0 S6,D1->S6,D2

                 --^--

[S6,D1=non-working copy]

]PR#6
...grinds...

The disk cannot read itself, because
it is still looking for the nonstandard
address prologue.

                   ~

               Chapter 2
       One Byte To Rule Them All


A quick sector search for "C9 AA" finds
the disk's (quite minimal) RWTS on
track $00.

T00,S07
----------- DISASSEMBLY MODE ----------
004C:18             CLC
004D:08             PHP
004E:BD 8C C0       LDA   $C08C,X
0051:10 FB          BPL   $004E
0053:49 D5          EOR   #$D5
0055:D0 F7          BNE   $004E
0057:BD 8C C0       LDA   $C08C,X
005A:10 FB          BPL   $0057
005C:C9 AA          CMP   #$AA
005E:D0 F3          BNE   $0053
0060:EA             NOP
0061:BD 8C C0       LDA   $C08C,X
0064:10 FB          BPL   $0061
0066:C9 AA          CMP   #$AA      <--
0068:F0 09          BEQ   $0073
006A:28             PLP
006B:90 DF          BCC   $004C
006D:49 AD          EOR   #$AD
006F:F0 25          BEQ   $0096
0071:D0 D9          BNE   $004C

This RWTS is structured like the drive
controller firmware at $C600. On the
first loop, it reads the address
prologue; on the second loop, the data
prologue. The only difference is the
third nibble, which (for the address)
is checked at byte offset $67.

T00,S07,$67: AA -> 96

]PR#6
...works...
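
The two-pass matcher described above,
modeled in Python as an added example
(not code from the original disk or
this write-up). The function names and
the nibble stream are constructed, and
the re-entry with carry set after an
address match is an assumption based on
the $C600 firmware's structure.

```python
# Added example: models only the prologue matcher listed at $4C-$71.
D5, AA, AD = 0xD5, 0xAA, 0xAD

def find_prologue(nibbles, addr_third, carry):
    """Scan until a prologue matches; None if the stream runs out.

    addr_third: operand of the CMP at $66 (the byte at offset $67).
    carry: flag saved by PHP at $4D; clear on the first pass, set once
    an address field has been accepted.
    """
    it = iter(nibbles)
    try:
        a = next(it)                   # $4E: read a nibble
        while True:
            while a != D5:             # $53: EOR #$D5 / BNE $4E
                a = next(it)
            a = next(it)               # $57: second nibble
            if a != AA:                # $5C: CMP #$AA / BNE $53
                continue               # re-test this nibble against $D5
            a = next(it)               # $61: third nibble
            if a == addr_third:        # $66: CMP / BEQ $73
                return "address"
            if carry and a == AD:      # $6B: BCC / $6D: EOR #$AD / BEQ $96
                return "data"
            carry = False              # branch back to $4C: CLC, start over
            a = next(it)
    except StopIteration:
        return None                    # the real loop never ends: "grinds"

def sector(third):
    """Constructed nibble stream for one sector (field bodies are stand-ins)."""
    return ([0xFF] * 4 + [D5, AA, third]                  # sync + address prologue
            + [0xFF, 0xFE, AA, 0xAB, AA, AA, 0xFF, 0xFE]  # stand-in address field
            + [0xDE, AA, 0xEB] + [0xFF] * 4               # epilogue + sync
            + [D5, AA, AD] + [0x96] * 4)                  # data prologue + stand-in data

def boot_finds_data(disk_third, rwts_third):
    """True if a reader checking rwts_third reaches the data field."""
    stream = iter(sector(disk_third))
    if find_prologue(stream, rwts_third, carry=False) != "address":
        return False
    # Assumption: the handler at $73 (not shown on the page) accepts the
    # field and re-enters the loop with carry set, as the $C600 firmware does.
    return find_prologue(stream, rwts_third, carry=True) == "data"
```

boot_finds_data($96, $AA) is the
non-working copy from Chapter 1;
boot_finds_data($96, $96) is the same
copy after the one-byte patch.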

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 896
------------------EOF------------------
