--------------Copy II Plus-------------
A 4am crack                  2023-12-11
---------------------------------------

Name: Copy II Plus
Version: 1.0
Genre: disk
Year: 1981
Credits: Michael A. Brown
Publisher: Central Point Software
Platform: Apple ][ (48K)
Media: 5.25-inch disk
Sides: 1
OS: custom
Previous cracks: none (of this version)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  copies track 0 but errors on all
  other tracks

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  track 1 appears to be a standard 16-
  sector structure with altered address
  and data prologues
  $E5 $AA $96 / $E5 $AA $AD
  track 2+ is unformatted

Disk Fixer
  setting the address and data prologue
  appropriately does allow me to read
  the sectors on track 1

Next steps:

  1. Super Demuffin to convert track 1
  2. Manual sector copy for track 0
  3. Patch bootloader to read the
     converted track 1
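
The address field layout behind the
nibble editor finding above, as an
added example (not part of the original
write-up or any tool it uses): a Python
scanner that labels each address field
in a raw nibble stream as standard
($D5 $AA $96) or custom ($E5 $AA $96)
and verifies its 4-and-4 checksum. The
function names, the sample stream, and
volume 254 are constructed for
illustration.

```python
# Added example: classify address fields in a raw nibble stream.
STANDARD = bytes([0xD5, 0xAA, 0x96])  # stock 16-sector prologue
CUSTOM = bytes([0xE5, 0xAA, 0x96])    # track 1 of this disk
KINDS = {STANDARD: "standard", CUSTOM: "custom"}
EPILOGUE = bytes([0xDE, 0xAA, 0xEB])

def enc44(value):
    """Encode one byte as two 4-and-4 nibbles."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])

def dec44(first, second):
    """Decode one byte from two 4-and-4 nibbles."""
    return ((first << 1) | 1) & second & 0xFF

def scan_address_fields(nibbles):
    """Return (kind, volume, track, sector, checksum_ok) tuples."""
    found, i = [], 0
    while i + 13 <= len(nibbles):
        kind = KINDS.get(bytes(nibbles[i:i + 3]))
        # This example checks only the first two epilogue nibbles.
        if kind is None or bytes(nibbles[i + 11:i + 13]) != EPILOGUE[:2]:
            i += 1
            continue
        body = nibbles[i + 3:i + 11]
        vol, trk, sec, chk = (dec44(body[j], body[j + 1])
                              for j in range(0, 8, 2))
        found.append((kind, vol, trk, sec, chk == vol ^ trk ^ sec))
        i += 13
    return found

def make_field(prologue, vol, trk, sec):
    """Build one constructed address field (sample data only)."""
    values = (vol, trk, sec, vol ^ trk ^ sec)
    return prologue + b"".join(enc44(v) for v in values) + EPILOGUE

def sample_stream():
    """Constructed stream: T00 standard, T01 custom. Volume 254 assumed."""
    sync = bytes([0xFF] * 8)
    out = sync + make_field(STANDARD, 254, 0, 0)
    for sec in (0, 1):
        out += sync + make_field(CUSTOM, 254, 1, sec)
    return out

if __name__ == "__main__":
    for field in scan_address_fields(sample_stream()):
        print("%-8s V%03d T%02X S%02X checksum_ok=%s" % field)
```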

                   ~

               Chapter 1
      In Which We Rummage Through
       Our Old Toolbox And Find
      The Right Tool For The Job


When you first run Super Demuffin, it
asks for the parameters of the original
disk. I enter the ones I saw in the
Copy ][+ nibble editor. (The changes
are highlighted below.)

                 --v--

      SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast


   Address prologue: E5 AA 96
                     ^^

   Address epilogue: DE AA EB    DISK
                               ORIGINAL

      Data prologue: E5 AA AD
                     ^^

      Data epilogue: DE AA EB

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI. It assumes that both
disks are in slot 6, and that drive 1
is the original and drive 2 is the
copy.

[S6,D1=original disk]
[S6,D2=blank disk]

                 --v--

     LOCKSMITH 7.0  FAST DISK BACKUP


   R*.*********************************
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   1A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   2A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   3A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   4A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   5A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   6A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   7A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   8A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   9A.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   AA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   BA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   CA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   DA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
12 EA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   FA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[               ] PRESS [RESET] TO EXIT

                 --^--

As expected, it only copies track 1.
Track 0 is unprotected, and higher
tracks are unformatted and unused.

Now I can use Copy II Plus (a later
version, natch) to copy track 0 to the
same disk. It's unprotected, so I'll
use "manual sector copy" mode.

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

  ORIGINAL  DRIVE:    1
  DUPLICATE DRIVE:    2

  ENTER START TRACK:  0
  ENTER END   TRACK:  0   <--

  TRACK INCREMENT:    1

  USING SECTOR COPY



---------------------------------------
               COPY STATUS
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
---------------------------------------
ERR 0
+.5
            PRESS RETURN...

                 --^--

To patch the bootloader, you must first
become the bootloader. Wait, no, that's
Kung Fu Panda. To patch the bootloader,
I'll use my favorite sector editor to
disassemble the (very short) custom
code on track 0. It loads 2 sectors
into $800 and $900 respectively. The
second sector is literally a copy of
the boot firmware from $C600, which the
first sector patches on the fly.

                 --v--

T00,S00
----------- DISASSEMBLY MODE ----------
; PR#0/IN#0
0001:20 89 FE       JSR   $FE89
0004:20 93 FE       JSR   $FE93

; set reset vector
0007:A9 01          LDA   #$01
0009:8D F2 03       STA   $03F2
000C:A9 08          LDA   #$08
000E:8D F3 03       STA   $03F3
0011:49 A5          EOR   #$A5
0013:8D F4 03       STA   $03F4

; wait
0016:A9 AA          LDA   #$AA
0018:85 0A          STA   $0A
001A:20 58 FC       JSR   $FC58
001D:A0 00          LDY   #$00

; change RWTS code to look for $E5 as
; the first nibble of both the address
; and data prologues
001F:A9 E5          LDA   #$E5
0021:8D 64 09       STA   $0964

; change RWTS code to return to caller
; instead of jumping to $801
0024:A9 60          LDA   #$60
0026:8D EB 09       STA   $09EB

                 --^--

When I say it's patching on the fly, I
really mean it's patching on the fly.
Anyway, now that Super Demuffin has
standardized the structure of track 1,
the only change required is to use the
standard first nibble ($D5) instead of
the custom one ($E5).

T00,S00,$20: E5 -> D5

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 3208
------------------EOF------------------
