-----------Circus Subtraction----------
A 4am crack                  2016-03-01
---------------------------------------

Name: Circus Subtraction
Genre: educational
Year: 1986
Publisher: The Continental Press
Media: single-sided 5.25-inch floppy
OS: Diversi-DOS (T02,S02 has the string
  "C1983 DSR" backwards)
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified data epilogue
  ("BF AA EB" instead of "DE AA EB")

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Data Epilogue to "BF AA EB"
  all tracks readable
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to epilogue)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS
SAVING IOB

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
045 FREE

*B 003 CHAIN
*A 027 CIRCUS.SUB
*T 008 CIRCUS.SUB.LFILE
*T 010 CIRCUS.SUB.VFILE
*A 015 BEG
*T 003 HELLO.LFILE
*T 007 HELLO.VFILE
*B 011 INTRO
*B 017 PW.CHARS
*B 033 PW.CS.TI
*B 049 PW.SUB.SCREEN.1
*B 050 PW.SUB.SCREEN.2
*B 043 PW.SUB.SCREEN.3
*B 041 PW.SUB.SCREEN.4
*B 044 PW.SUB.SCREEN.5
*B 051 PW.SUB.SCREEN.6
*T 026 PW.SUPPORT
*B 005 PW.SUPPORT.OBJ0
*B 002 SPACE.TABLES
*B 002 Y/N.CHARS
*A 004 HELLO

]RUN HELLO
...works...

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My copy can't read itself yet. This is
not unusual.

                   ~

               Chapter 2
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

T00,S03,$35 change BF to DE
T00,S02,$9E change BF to DE
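
To tie the Chapter 0 finding (a "BF AA EB" epilogue on every track) to the two
patched bytes above, here is an added Python model; it is not code from this
writeup or from any Apple II tool. The field layout is the stock DOS 3.3
16-sector scheme, the nibble stream is constructed rather than captured, and
the function names and the "third epilogue byte is never compared" detail are
my assumptions about RWTS.

```python
# Added example (not from the writeup): a model of the RWTS epilogue check
# this disk relies on, and of the BF -> DE patch that restores reading.
# Layout is the standard DOS 3.3 16-sector scheme; the stream is constructed.

ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0x96])
DATA_PROLOGUE = bytes([0xD5, 0xAA, 0xAD])
STANDARD_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])  # what DOS 3.3 writes
CIRCUS_EPILOGUE = bytes([0xBF, 0xAA, 0xEB])    # what this disk writes
DATA_NIBBLES = 342 + 1                         # 6-and-2 payload + checksum

def encode44(value):
    """4-and-4 encoding used for the address field values."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])

def decode44(hi, lo):
    return ((hi << 1) | 0x01) & lo

def build_sector(volume, track, sector, epilogue):
    """One address field plus one data field, both with the given epilogue."""
    addr = ADDR_PROLOGUE + encode44(volume) + encode44(track)
    addr += encode44(sector) + encode44(volume ^ track ^ sector) + epilogue
    data = DATA_PROLOGUE + bytes([0x96]) * DATA_NIBBLES + epilogue
    gap = bytes([0xFF]) * 5
    return gap + addr + gap + data + gap

def rwts_read(stream, epilogue_byte):
    """RWTS-style read: accept an address field only if its epilogue starts
    with epilogue_byte, AA (assumption: the third byte is not compared), then
    require the same of the data field. Returns (track, sector), or None,
    which is the 'disk read error' COPYA reported."""
    pos = 0
    while True:
        a = stream.find(ADDR_PROLOGUE, pos)
        if a < 0 or a + 13 > len(stream):
            return None
        f = stream[a + 3:a + 11]
        if stream[a + 11] == epilogue_byte and stream[a + 12] == 0xAA:
            d = stream.find(DATA_PROLOGUE, a + 13)
            e = d + 3 + DATA_NIBBLES
            if (d >= 0 and e + 1 < len(stream)
                    and stream[e] == epilogue_byte and stream[e + 1] == 0xAA):
                return decode44(f[2], f[3]), decode44(f[4], f[5])
        pos = a + 3

# Stock DOS compares against DE; the RWTS captured from the original disk
# compares against BF; the two patched bytes change that BF back to DE.
def stock_dos_read(stream):
    return rwts_read(stream, 0xDE)

def original_rwts_read(stream):
    return rwts_read(stream, 0xBF)

def patched_rwts_read(stream):
    return rwts_read(stream, 0xDE)
```

stock_dos_read fails on the original disk (COPYA's read error), original_rwts_read
fails on the demuffin'd copy (the grinding in Chapter 1), and patched_rwts_read
reads the copy.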

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 625
------------------EOF------------------