---------Word Mentor: Homonyms---------
A 4am crack                  2016-01-08
---------------------------------------

Name: Word Mentor: Homonyms
Genre: educational
Year: 1985
Publisher: Criterion Micro Soft
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  fatal read error on first pass

Locksmith Fast Disk Backup
  can't read anything beyond track $00

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T01+ use modified address prologue
    (AA D5 96)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Prologue to "AA D5 96"
  Success! T01+ readable
  T01-02 -> looks like a full copy of
    DOS 3.3, but shifted so the entire
    thing is on tracks $01 and $02
  T11 -> DOS 3.3 disk catalog
  T02,S02 -> startup program is "HELLO"

Why didn't COPYA work?
  modified address prologue

Why didn't Locksmith FDB work?
  modified address prologue

EDD worked. What does that tell us?
  no half or quarter tracks
  almost certainly no nibble check
  (just structural changes to prologues
  and epilogues)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. patch RWTS to read standard format
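The two "modified address prologue" diagnoses above come down to one
thing: the stock DOS 3.3 RWTS will not start decoding a sector until it
sees D5 AA 96, and this disk writes AA D5 96 instead. Everything after
the prologue (the 4-and-4 encoded volume/track/sector/checksum and the
DE AA epilogue) is untouched, which is why a nibble editor with the
prologue changed reads T01+ fine. The following is an added example, not
a tool from this write-up or from Copy ][+ / Disk Fixer: a Python decoder
for address fields with the prologue as a parameter, run over a nibble
stream that is constructed in the script rather than read from the disk.

```python
"""Decode DOS 3.3-style sector address fields from a raw nibble stream,
with the address prologue as a parameter. Added example; not a tool from
the write-up. The nibble stream below is constructed, not read from disk."""

STANDARD_PROLOGUE = bytes([0xD5, 0xAA, 0x96])   # stock DOS 3.3 address prologue
MODIFIED_PROLOGUE = bytes([0xAA, 0xD5, 0x96])   # what this disk uses on T01+
ADDRESS_EPILOGUE = bytes([0xDE, 0xAA, 0xEB])    # stock DOS only verifies DE AA
SYNC = 0xFF                                     # self-sync gap byte


def encode_4and4(value):
    """4-and-4 encoding: one data byte becomes two nibbles, each carrying
    four of its bits, with the remaining bit positions forced to 1."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])


def decode_4and4(odd, even):
    """Inverse of encode_4and4, the way the RWTS reassembles each value."""
    return ((odd << 1) | 1) & even


def build_address_field(volume, track, sector, prologue):
    """Constructed address field: prologue, four 4-and-4 values, epilogue."""
    checksum = volume ^ track ^ sector
    body = b"".join(encode_4and4(v) for v in (volume, track, sector, checksum))
    return prologue + body + ADDRESS_EPILOGUE


def build_track(volume, track, prologue, gap=16):
    """Constructed 16-sector track containing address fields only (data
    fields omitted for brevity), separated by sync gaps."""
    out = bytearray([SYNC] * gap)
    for sector in range(16):
        out += build_address_field(volume, track, sector, prologue)
        out += bytes([SYNC] * gap)
    return bytes(out)


def find_address_fields(nibbles, prologue=STANDARD_PROLOGUE):
    """Return (volume, track, sector) for every address field whose prologue
    matches, whose checksum verifies and whose epilogue starts DE AA. This is
    the same accept/reject decision a stock RWTS makes, with the prologue
    made configurable the way a nibble editor lets you change it."""
    fields = []
    pos = nibbles.find(prologue)
    while pos >= 0:
        start = pos + len(prologue)
        raw = nibbles[start:start + 8]
        if len(raw) == 8:
            volume, track, sector, checksum = (
                decode_4and4(raw[i], raw[i + 1]) for i in range(0, 8, 2))
            epilogue_ok = nibbles[start + 8:start + 10] == ADDRESS_EPILOGUE[:2]
            if epilogue_ok and checksum == volume ^ track ^ sector:
                fields.append((volume, track, sector))
        pos = nibbles.find(prologue, pos + 1)
    return fields


def corrupt_byte(nibbles, index):
    """Flip one bit of one nibble, to show the checksum doing its job."""
    out = bytearray(nibbles)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    t = build_track(254, 1, MODIFIED_PROLOGUE)    # volume 254, track $01
    print(find_address_fields(t))                  # stock prologue: nothing
    print(find_address_fields(t, MODIFIED_PROLOGUE))   # all 16 sectors
```

With the stock prologue the decoder finds no sectors at all on the
constructed "protected" track, which is exactly the COPYA and Locksmith
failure; with AA D5 96 it finds all sixteen. Note that D5 can never occur
inside a 4-and-4 byte (every such byte has all of the 0xAA bits set, and
D5 does not), so a prologue search cannot be fooled by the field body.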

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS
SAVING IOB

Ah! My automatic boot tracer detected
that this RWTS is at $3800, not $B800,
so we got an IOB module for free. The
IOB module tells Advanced Demuffin how
to call the RWTS. (See the docs on my
work disk for more about IOB modules.)

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $38, load "RWTS" from drive 1

[press "I" to load a new IOB module]
  --> load "IOB" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

[press "Y" to change default values]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================


INPUT ALL VALUES IN HEX


SECTORS PER TRACK? (13/16) 16

START TRACK: $01        <-- change this
START SECTOR: $00

END TRACK: $22
END SECTOR: $0F

INCREMENT: 1

MAX # OF RETRIES: 0

COPY FROM DRIVE 1
TO DRIVE: 2
=======================================
16SC $01,$00-$22,$0F BY$01 S6,D1->S6,D2

                 --^--

And here we go...

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======================================
TRK: ..................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0: ..................................
SC1: ..................................
SC2: ..................................
SC3: ..................................
SC4: ..................................
SC5: ..................................
SC6: ..................................
SC7: ..................................
SC8: ..................................
SC9: ..................................
SCA: ..................................
SCB: ..................................
SCC: ..................................
SCD: ..................................
SCE: ..................................
SCF: ..................................
=======================================
16SC $01,$00-$22,$0F BY$01 S6,D1->S6,D2

                 --^--

This is the power and the genius of
Advanced Demuffin. Every disk must be
able to read itself. So, let it read
itself, then capture the data and write
it out in a standard format.

]PR#5
...
]CATALOG,S6,D2

C1983 DSR^C#254
320 FREE

 T 000 [02/24/85]
*B 014 ALTCOMMA.SF
*B 026 H.IIC
 A 003 HELLO
*T 005 HOM.A
*T 005 HOM.B
*T 005 HOM.C
*T 005 HOM.D
*T 005 HOM.E
*T 005 HOM.F
*T 005 HOM.G
*T 006 HOM.H
 A 028 HOMONYMS.M
*B 002 LOMEM:
 A 018 MGR
*B 033 PI.HOM
*B 002 ST.ALIEN
*B 002 ST.UFO
 T 006 SFILE

]RUN HELLO
...works...

                   ~

               Chapter 2
      In Which We Finish The Job
        And Declare Victory(*)


(*) take a nap

Of course my copy doesn't boot on its
own yet, because I'm still missing
track $00. Let's fix that. It is the
only track that is not protected (even
COPYA could copy it).

[Copy ][+ 8.4]
  --> "COPY"
    --> "BIT COPY"
      --> "MANUAL SECTOR COPY"
        --> from SLOT 6, DRIVE 1
        -->   to SLOT 6, DRIVE 2
        --> track $00 only

[S6,D1=my copy]
[S5,D1=my work disk]

]PR#6
...grinds and crashes...

Now I have a new problem: my copy can't
read itself because the RWTS is still
looking for the non-standard address
prologue on tracks $01 and above. This
is not unusual. Never fear, I have a
tool for that too.

]PR#5
...
]BRUN PDP

T00,S03,$55 change AA to D5
T00,S03,$5F change D5 to AA
T00,S06,$7A change AA to D5
T00,S06,$7F change D5 to AA

After swapping the address prologue
bytes back to their standard values,
the disk boots on its own and seems as
happy as a disk can be. There doesn't
appear to be any further protection.
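The four PDP patches above are the whole "protection" in reverse: two
bytes in the RWTS read routine (the CMP immediates that look for the
address prologue) and two in the write routine (the LDA immediates that
lay it down), each swapped back from AA/D5 to D5/AA. In a stock DOS 3.3
RWTS those operands live at $B955/$B95F and $BC7A/$BC7F; since the $B900
page is stored in T00,S03 and the $BC00 page in T00,S06 of a standard boot
track, the sector offsets match (the RWTS here simply loads at $38xx
instead of $B8xx). As an added example, not PDP and not code from the
write-up, here is a Python patcher for a DOS-order .dsk image that checks
every byte it is about to change against the expected old value first,
so a wrong image, wrong sector ordering, or an already-patched copy is
refused rather than silently corrupted. The image it operates on is
constructed in the script; the offsets and byte values are the ones from
the write-up, and the stock-DOS addresses are my annotation.

```python
"""Apply the address-prologue patches from the write-up to a DOS-order
.dsk image, verifying each byte before changing it. Added example; not
PDP and not code from the write-up. The image below is constructed."""

SECTOR_SIZE = 256
SECTORS_PER_TRACK = 16
TRACKS = 35
IMAGE_SIZE = TRACKS * SECTORS_PER_TRACK * SECTOR_SIZE   # 143360 bytes

# (track, sector, offset, expected old byte, new byte) from the write-up.
# The $B9xx/$BCxx addresses are where stock DOS 3.3 keeps these operands;
# this disk's RWTS loads at $38xx, so read them as $39xx/$3Cxx here.
PROLOGUE_PATCHES = [
    (0x00, 0x03, 0x55, 0xAA, 0xD5),   # read:  CMP #$AA -> CMP #$D5  ($B955)
    (0x00, 0x03, 0x5F, 0xD5, 0xAA),   # read:  CMP #$D5 -> CMP #$AA  ($B95F)
    (0x00, 0x06, 0x7A, 0xAA, 0xD5),   # write: LDA #$AA -> LDA #$D5  ($BC7A)
    (0x00, 0x06, 0x7F, 0xD5, 0xAA),   # write: LDA #$D5 -> LDA #$AA  ($BC7F)
]


def dsk_offset(track, sector, byte):
    """Byte offset of T/S/offset inside a DOS-order (.dsk/.do) image."""
    return (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE + byte


def check_patches(image, patches):
    """Return a list of mismatch descriptions; empty means safe to patch."""
    problems = []
    if len(image) != IMAGE_SIZE:
        problems.append(f"not a 35-track .dsk image: {len(image)} bytes")
        return problems
    for track, sector, byte, old, _new in patches:
        actual = image[dsk_offset(track, sector, byte)]
        if actual != old:
            problems.append(f"T{track:02X},S{sector:02X},${byte:02X}: "
                            f"expected ${old:02X}, found ${actual:02X}")
    return problems


def apply_patches(image, patches):
    """Patch `image` (a bytearray) in place. Refuses to touch anything if
    any expected-old byte does not match. Returns bytes changed."""
    problems = check_patches(image, patches)
    if problems:
        raise ValueError("; ".join(problems))
    for track, sector, byte, _old, new in patches:
        image[dsk_offset(track, sector, byte)] = new
    return len(patches)


def read_prologue_operands(image):
    """The two read-compare operands, in the order the RWTS tests them."""
    return (image[dsk_offset(0, 3, 0x55)], image[dsk_offset(0, 3, 0x5F)])


def write_prologue_operands(image):
    """The two write-routine operands, in the order they hit the disk."""
    return (image[dsk_offset(0, 6, 0x7A)], image[dsk_offset(0, 6, 0x7F)])


def make_demo_image():
    """Constructed image: all zeros except the four operand bytes, set to
    the values the write-up found on the original disk."""
    image = bytearray(IMAGE_SIZE)
    for track, sector, byte, old, _new in PROLOGUE_PATCHES:
        image[dsk_offset(track, sector, byte)] = old
    return image


if __name__ == "__main__":
    img = make_demo_image()
    print(read_prologue_operands(img), write_prologue_operands(img))   # (AA, D5) x2
    apply_patches(img, PROLOGUE_PATCHES)
    print(read_prologue_operands(img), write_prologue_operands(img))   # (D5, AA) x2
    print(check_patches(img, PROLOGUE_PATCHES))   # second run is refused
```

Both the read and the write side have to be patched together: fix only the
reads and the copy boots but any sector it writes back (a saved game, a
SFILE update) goes out with the wrong prologue and becomes unreadable to
its own RWTS.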

Quod erat liberandum.

                   ~

           Acknowledgements


Many thanks to LoGo for supplying the
original floppy disk.

---------------------------------------
A 4am crack                     No. 558
------------------EOF------------------