-------------Magical Myths-------------
A 4am crack
2015-01-20
---------------------------------------

Name: Magical Myths
Genre: educational
Year: 1985
Publisher: Unicorn Software
Media: single-sided 5.25-inch floppy
Authors: Jack Alexander, June Stark
OS: DOS 3.3
Other versions: none (preserved here for
  the first time)

Identical cracks:
- "Gertrude's Secrets," "Bumble Games,"
  "Juggles' Rainbow," "Moptown Parade,"
  "Reader Rabbit," and "Wizard of Words"
  by The Learning Company
- "Xevious" by Mindscape
- "The Notable Phantom" by DesignWare
- "Animal Kingdom" and "Race Car
  'Rithmetic" by Unicorn Software
- "Pitstop II" by Epyx
- "Microzine" issues 12, 13, 17, and 18
  by Scholastic

Somebody been sellin' copy protection.

~

Chapter 0
In Which Various Automated Tools Fail
In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy fills screen with
  garbage and reboots

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: FF FF FF, data: FF FF FF)

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "FF FF FF"
  set Data Epilogue to "FF FF FF"
  Success! All tracks readable!

  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S07 -> startup program is "HELLO"
    (probably a Pronto-DOS variant)

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. find nibble check and bypass it

~

Chapter 1
In Which We Attempt To Use The Original
Disk As A Weapon Against Itself

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

/!\ BOOT0 JUMPS TO $08C0

CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

/!\ NIBBLE CHECK AT $BB00

]BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5: 0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2
--^--

]PR#5

]CATALOG,S6,D2

C1983 DSR^C#254
 023 FREE

 A 002 HELLO
 B 018 MENU.C
 B 016 R.LOOKUP TABLE
 B 005 B.LOOKUP TABLE
 B 009 INTRO SCREEN.C
 B 034 INTRO
 B 007 TEXT.GLOSS.MIDAS
 B 018 MIDAS
 B 006 TEXT.GLOSS.PANDORA
 B 009 PANDORA
 B 013 P.C
 B 008 P.A
 B 018 MM
 B 007 M.B
 B 011 M.C
 B 009 M.G
 B 007 B
 B 007 W
 B 019 Q
 B 016 E
 B 045 Q&A.Z
 B 005 GODS2
 B 010 MYTH MAKER
 B 050 Q&A.P
 B 012 G.K
 B 024 GODS
 B 011 G.B
 B 007 G.H
 B 010 G.J
 B 006 G.E
 B 006 TEXT.GLOSS.GODS2
 B 042 MG
 B 006 TEXT.GLOSS.GODS

]RUN HELLO

...boots to title screen, but crashes
when selecting an option...

[S5,D1=DOS 3.3 master disk]

]PR#5

]CATALOG,S6,D1
...

]RUN HELLO

...everything works...

]PR#6

...fills screen with garbage, reboots
endlessly...

Let's go find that nibble check.
~

Chapter 2
Because You Know I'm All About Those
Bits, 'Bout Those Bits, No Timing

[S5,D1=my work disk]

]PR#5

]BLOAD BOOT0,A$800
]CALL -151

*801L
.
. all normal until...
.
084A-   4C C0 08    JMP   $08C0

*8C0L
08C0-   8E E9 B7    STX   $B7E9
08C3-   6C FD 08    JMP   ($08FD)

*BLOAD BOOT1,A$2600
*FE89G FE93G ; disconnect DOS
*B600<2600.2FFFM ; move RWTS into place
*B700L

B700-   20 00 BB    JSR   $BB00

*BB00L

BB00-   A0 00       LDY   #$00
BB02-   B9 00 BB    LDA   $BB00,Y
BB05-   99 00 02    STA   $0200,Y
BB08-   88          DEY
BB09-   D0 F7       BNE   $BB02
BB0B-   60          RTS

*20C<BB0C.BBFFM
*20CL

; this subroutine seeks to track $11
; and sets the reset vector to
; something unfriendly
020C-   20 CF 02    JSR   $02CF
020F-   A9 0A       LDA   #$0A
0211-   85 2A       STA   $2A

; initialize disk motor
; (highly suspicious)
0213-   AE E9 B7    LDX   $B7E9
0216-   BD 89 C0    LDA   $C089,X
0219-   BD 8E C0    LDA   $C08E,X

; set up an address pointer
021C-   A9 C7       LDA   #$C7
021E-   85 48       STA   $48
0220-   A9 02       LDA   #$02
0222-   85 49       STA   $49

; set up the Death Counter
0224-   A9 80       LDA   #$80
0226-   85 29       STA   $29
0228-   C6 29       DEC   $29

; if the Death Counter hits zero, fail
022A-   F0 67       BEQ   $0293

; get next address field
022C-   20 44 B9    JSR   $B944
022F-   B0 62       BCS   $0293 ; fail

; loop until we find sector $0D (in
; zero page $2D after routine at $B944)
0231-   A5 2D       LDA   $2D
0233-   C9 0D       CMP   #$0D
0235-   D0 F1       BNE   $0228

; here we go
0237-   A0 00       LDY   #$00
0239-   BD 8C C0    LDA   $C08C,X
023C-   10 FB       BPL   $0239
023E-   88          DEY
023F-   F0 52       BEQ   $0293 ; fail

; Search for a specific sequence of
; nibbles in the "dead zone" between
; the address field and data field.
; This area is normally not important,
; so sector copiers like COPYA never
; reproduce it, because normal disks
; don't care what is there.
; (Actually, it's even more evil than
; that, because the original disk is
; written with timing bits in specific
; non-standard places between the
; nibbles in the dead zone. This code
; not only requires the right nibbles
; in the right order, it reads them
; just slightly slower than normal. So
; the timing bits need to be in the
; right places too, or else this code
; will read the wrong nibble values
; while it's out of sync. This will
; trip up even the best bit copiers.
; And you can forget about making a
; disk image for emulators -- those
; don't store timing bits at all.)
0241-   C9 D5       CMP   #$D5
0243-   D0 F4       BNE   $0239
0245-   A0 00       LDY   #$00
0247-   BD 8C C0    LDA   $C08C,X
024A-   10 FB       BPL   $0247
024C-   88          DEY
024D-   F0 44       BEQ   $0293 ; fail
024F-   C9 E7       CMP   #$E7
0251-   D0 F4       BNE   $0247
0253-   BD 8C C0    LDA   $C08C,X
0256-   10 FB       BPL   $0253
0258-   C9 E7       CMP   #$E7
025A-   D0 37       BNE   $0293 ; fail
025C-   BD 8C C0    LDA   $C08C,X
025F-   10 FB       BPL   $025C
0261-   C9 E7       CMP   #$E7
0263-   D0 2E       BNE   $0293 ; fail

; kill some time to get out of sync
; with the "proper" start of nibbles
; (the $C08D,X access also resets the
; read latch, so the next $C08C,X read
; starts assembling a nibble from
; whatever bit cell happens to be
; passing under the head)
0265-   BD 8D C0    LDA   $C08D,X
0268-   A0 10       LDY   #$10
026A-   24 06       BIT   $06

; now start looking for nibbles that
; don't really exist (except they do,
; because we're out of sync and reading
; timing bits as data)
026C-   BD 8C C0    LDA   $C08C,X
026F-   10 FB       BPL   $026C
0271-   88          DEY
0272-   F0 1F       BEQ   $0293 ; fail
0274-   C9 EE       CMP   #$EE
0276-   D0 F4       BNE   $026C

; check for nibble sequence stored
; in reverse order at $2C7
0278-   A0 07       LDY   #$07
027A-   BD 8C C0    LDA   $C08C,X
027D-   10 FB       BPL   $027A
027F-   D1 48       CMP   ($48),Y
0281-   D0 10       BNE   $0293
0283-   88          DEY
0284-   10 F4       BPL   $027A

; success path falls through to here
0286-   A9 80       LDA   #$80
0288-   8D 4E 9E    STA   $9E4E
028B-   A9 A1       LDA   #$A1
028D-   8D 4F 9E    STA   $9E4F
0290-   4C 4D 9E    JMP   $9E4D

That last section at $0286..$0290 is
interesting. After the nibble check
passes, it stores $80 and $A1 at $9E4E
and $9E4F, then immediately jumps to
$9E4D. That implies that this nibble
check is called from $9E4D via an
unconditional jump (not a JSR): the two
stores overwrite the operand of that JMP
with its original target ($A180), so
re-executing $9E4D continues the boot as
if the check had never been there.

In the standard DOS 3.3 boot, track $00
sector $0B lands at $9E00, so $9E4D is
byte $4D of that sector. With my trusty
Disk Fixer sector editor, I searched the
disk for "4C 0C 02" and lo and behold!
Track $00, sector $0B, byte $4D contains
a "JMP $020C". I should be able to change
that JMP back to its original target
($A180) and bypass the nibble check
altogether.
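To make the timing-bit trick at $0265..$0284 concrete, here is an added Python model of the read latch as this check sees it through LDA $C08C,X / BPL. It is my own illustration, not code from the disk or from the write-up. The bitstream, the positions of the extra zero cells, the six-cell desync delay and the four-nibble table are all constructed for the demonstration and do not reproduce the real disk's values; the D5 prologue and sector-$0D search at $0228..$0263 are left out. The latch model is the usual simplification: bits shift in MSB first, a nibble is complete when bit 7 is set, and zero cells that arrive after a complete nibble are absorbed.

```python
"""Constructed model of the timing-bit nibble check at $0253-$0284.

Added example, not code from the original disk or from the write-up.
Layouts, desync delay and expected table are all made up for illustration.
"""

E7, EE, FC = 0xE7, 0xEE, 0xFC


def nibble_bits(nibble, extra_zero_bits=0):
    """Bit cells for one nibble as written to disk, MSB first, followed by
    extra_zero_bits timing bits: zeros that a copier or disk image storing
    only whole nibbles cannot reproduce."""
    return [(nibble >> i) & 1 for i in range(7, -1, -1)] + [0] * extra_zero_bits


def track_bits(layout):
    """Flatten a [(nibble, extra_zero_bits), ...] layout into bit cells."""
    bits = []
    for nib, extra in layout:
        bits.extend(nibble_bits(nib, extra))
    return bits


def read_nibbles(bits, start=0):
    """Simplified Disk II read latch as seen through LDA $C08C,X / BPL.

    A nibble is complete when bit 7 is set; the next cell then clears the
    latch, so zero cells following a complete nibble are invisible to an
    in-sync reader.  `start` is the cell at which the latch is cleared and
    reading resumes: 0 means in sync, anything else models the latch reset
    and delay at $0265-$026A.  Returns [(nibble, cell_that_completed_it)].
    """
    latch, out = 0, []
    for i in range(start, len(bits)):
        if latch & 0x80:
            latch = 0
        latch = ((latch << 1) | bits[i]) & 0xFF
        if latch & 0x80:
            out.append((latch, i))
    return out


def nibbles(bits, start=0):
    """Just the nibble values from read_nibbles()."""
    return [n for n, _ in read_nibbles(bits, start)]


def nibble_check(bits, expected, desync_bits=6, scan_limit=16):
    """Mirror of $0253-$0284 (prologue and sector search omitted): three E7s
    in sync, clear the latch desync_bits cells later, scan at most scan_limit
    nibbles for EE ($026C-$0276, Y=$10), then the next len(expected) nibbles
    must match the table (kept reversed at $2C7 on the real disk)."""
    in_sync = read_nibbles(bits)
    third_e7_end = None
    for k in range(2, len(in_sync)):
        if all(in_sync[j][0] == E7 for j in (k - 2, k - 1, k)):
            third_e7_end = in_sync[k][1]
            break
    if third_e7_end is None:
        return False                      # $0293: fail
    slipped = nibbles(bits, third_e7_end + desync_bits)
    for k in range(min(scan_limit, len(slipped))):
        if slipped[k] == EE:
            return slipped[k + 1:k + 1 + len(expected)] == expected
    return False                          # Y counter ran out: fail


# Constructed "dead zone" layouts (not the real disk's).  Same nibbles either
# way; only the original carries the extra zero cells.
ORIGINAL_LAYOUT = [(E7, 0), (E7, 0), (E7, 2), (E7, 0), (E7, 1),
                   (E7, 0), (E7, 2), (E7, 0), (E7, 0), (E7, 0)]
BIT_COPY_LAYOUT = [(E7, 0)] * len(ORIGINAL_LAYOUT)
ORIGINAL_BITS = track_bits(ORIGINAL_LAYOUT)
BIT_COPY_BITS = track_bits(BIT_COPY_LAYOUT)

# What the original yields after EE with desync_bits=6; stands in for the
# eight-entry table the real check keeps at $2C7.
EXPECTED_TABLE = [FC, E7, FC, FC]


def hexes(ns):
    return " ".join("%02X" % n for n in ns)


if __name__ == "__main__":
    print("in sync, original:    ", hexes(nibbles(ORIGINAL_BITS)))
    print("in sync, bit copy:    ", hexes(nibbles(BIT_COPY_BITS)))
    print("from cell 3, original:", hexes(nibbles(ORIGINAL_BITS, 3)))
    print("from cell 3, bit copy:", hexes(nibbles(BIT_COPY_BITS, 3)))
    print("check passes, original:", nibble_check(ORIGINAL_BITS, EXPECTED_TABLE))
    print("check passes, bit copy:", nibble_check(BIT_COPY_BITS, EXPECTED_TABLE))
```

In sync, both streams decode to ten E7s, which is all a nibble-level copy or a .dsk image can preserve. Once the latch is cleared mid-nibble the zero cells stop being invisible: the constructed original decodes to FC EE FC E7 FC FC, while the copy, lacking them, yields nothing but FC, never finds EE, and the Y counter runs out at $0272. That is the failure mode behind the garbage-and-reboot behaviour of the EDD copy.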
~

Chapter 3
In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
I Wrote For Just Such An Occasion

[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5

]BRUN PDP
T00,S0B,$4E change 0C02 to 80A1

(It turns out the RWTS is flexible enough
to read disks in a standard format, so no
RWTS patches necessary.)

Quod erat liberandum.

---------------------------------------
A 4am crack No. 192
------------------EOF------------------