----------------ColorMe---------------- A 4am crack 2014-04-29 --------------------------------------- ColorMe: The Computer Coloring Kit is a double hi-res paint program, marketed as "a computer coloring program especially for children." It was released in 1985 and distributed by Mindscape, Inc. under the "Sprout" software brand ("Fun learning software for ages 4 and up"). COPYA immediately fails to read the disk. EDD 4 bit copy gives no read errors, but the copy does not work. It boots, ponders the meaning of life, then reboots. My trusty Copy ][+ nibble editor shows standard address and data prologue on all tracks, but a non-standard epilogue. My trusty Copy ][+ sector editor, when patched to ignore epilogues and checksums ("P" to get to "Sector Editor Patcher," then select "DOS 3.3 Patched"), is able to read every sector on every track. That means I should be able to convert this to a standard disk with a $B942 patch. [S6D1=DOS 3.3 master disk] ]PR#6 ]CALL -151 *B942:18 <-- ignore errors on address and data epilogues *3D0G ]RUN COPYA [S6D1=original disk] [S6D2=blank disk] ...read read read... ...grind grind grind... ...write write write... OK, COPYA finished successfully. COPYA is very proud of itself. COPYA is a good boy. COPYA gets a gold star and a participation trophy. Of course, the copy that it creates doesn't actually work (it reboots, just like the bit copy I made with EDD 4), but COPYA is blissfully ignorant of its failure. The Dunning-Kruger effect in all its 8-bit glory. Time to bring out the big guns. [S6D1=original disk] [S5D1=my work disk] ]PR#5 CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 ]CALL -151 *800<2800.28FFM *801L 0801- A5 27 LDA $27 0803- C9 09 CMP #$09 0805- D0 13 BNE $081A 0807- 8D 0C C0 STA $C00C 080A- 8D 00 C0 STA $C000 080D- 8A TXA 080E- 4A LSR 080F- 4A LSR 0810- 4A LSR 0811- 4A LSR 0812- 09 C0 ORA #$C0 0814- 85 3F STA $3F 0816- A9 5C LDA #$5C 0818- 85 3E STA $3E 081A- CE 75 08 DEC $0875 081D- 30 03 BMI $0822 081F- 6C 3E 00 JMP ($003E) 0822- 4C 00 16 JMP $1600 Interesting. An entirely custom boot0 routine. It reuses the disk controller ROM routine at $C65C to read more sectors from track 0, in ascending order, into ascending memory addresses. *875 0875- 0F Looks like it's reading the entire rest of track 0 into $0900..$17FF. Let's see what's at $1600. *9600<C600.C6FFM 96F8- A9 4C LDA #$4C 96FA- 8D 22 08 STA $0822 96FD- A9 0A LDA #$0A 96FF- 8D 23 08 STA $0823 9702- A9 97 LDA #$97 9704- 8D 24 08 STA $0824 9707- 4C 01 08 JMP $0801 970A- AD E8 C0 LDA $C0E8 970D- A2 10 LDX #$10 970F- B9 00 08 LDA $0800,Y 9712- 99 00 28 STA $2800,Y 9715- C8 INY 9716- D0 F7 BNE $970F 9718- EE 11 97 INC $9711 971B- EE 14 97 INC $9714 971E- CA DEX 971F- D0 EE BNE $970F 9721- 4C 00 C5 JMP $C500 *BSAVE TRACE1,A$9600,L$124 *9600G ...reboots slot 6... ...reboots slot 5... ]BSAVE BOOT1,A$2800,L$1000 ]CALL -151 *800<2800.37FFM *1600L ; save some zero page state 1600- A2 FF LDX #$FF 1602- B5 00 LDA $00,X 1604- 9D 00 30 STA $3000,X 1607- CA DEX 1608- D0 F8 BNE $1602 160A- A9 0A LDA #$0A 160C- 85 50 STA $50 ; turn on the disk motor and go into ; read mode 160E- A6 2B LDX $2B 1610- BD 89 C0 LDA $C089,X 1613- BD 8E C0 LDA $C08E,X 1616- A9 96 LDA #$96 1618- 85 48 STA $48 161A- A9 16 LDA #$16 161C- 85 49 STA $49 161E- A9 80 LDA #$80 1620- 85 51 STA $51 ; looks like the beginnings of a nibble ; check, with the failure path leading ; to $168F 1622- C6 51 DEC $51 1624- F0 69 BEQ $168F 1626- 20 9E 16 JSR $169E 1629- B0 64 BCS $168F 162B- A5 2D LDA $2D 162D- C9 0D CMP #$0D 162F- D0 F1 BNE $1622 ; search for "D5" nibble 1631- A0 00 LDY #$00 1633- BD 8C C0 LDA $C08C,X 1636- 10 FB BPL $1633 1638- 88 DEY 1639- F0 54 BEQ $168F 163B- C9 D5 CMP #$D5 163D- D0 F4 BNE $1633 ; several "E7" nibbles 163F- A0 00 LDY #$00 1641- BD 8C C0 LDA $C08C,X 1644- 10 FB BPL $1641 1646- 88 DEY 1647- F0 46 BEQ $168F 1649- C9 E7 CMP #$E7 164B- D0 F4 BNE $1641 164D- BD 8C C0 LDA $C08C,X 1650- 10 FB BPL $164D 1652- C9 E7 CMP #$E7 1654- D0 39 BNE $168F 1656- BD 8C C0 LDA $C08C,X 1659- 10 FB BPL $1656 165B- C9 E7 CMP #$E7 165D- D0 30 BNE $168F 165F- BD 8D C0 LDA $C08D,X 1662- A0 10 LDY #$10 1664- 24 06 BIT $06 ; "EE" 1666- BD 8C C0 LDA $C08C,X 1669- 10 FB BPL $1666 166B- 88 DEY 166C- F0 21 BEQ $168F 166E- C9 EE CMP #$EE 1670- D0 F4 BNE $1666 ; more nibbles (sequence is stored ; at $1696) 1672- A0 07 LDY #$07 1674- BD 8C C0 LDA $C08C,X 1677- 10 FB BPL $1674 1679- D1 48 CMP ($48),Y 167B- D0 12 BNE $168F 167D- 88 DEY 167E- 10 F4 BPL $1674 ; restore zero page state 1680- A2 FF LDX #$FF 1682- BD 00 30 LDA $3000,X 1685- 95 00 STA $00,X 1687- CA DEX 1688- D0 F8 BNE $1682 ; success path continues execution $ at $1706 168A- A2 60 LDX #$60 168C- 4C 06 17 JMP $1706 ; failure path eventually reboots 168F- C6 50 DEC $50 1691- D0 8B BNE $161E 1693- 4C 00 C6 JMP $C600 That explains the behavior I saw on my non-working copy: boot, pause, reboot. The pause was a combination of the boot0 code reading track 0 (slowly and inefficiently) and this routine failing a nibble check (relatively quick, but still takes some time). *1706L 1706- A2 60 LDX #$60 1708- 9D 80 C0 STA $C080,X 170B- A2 63 LDX #$63 170D- 9D 80 C0 STA $C080,X 1710- A9 60 LDA #$60 1712- 20 76 0A JSR $0A76 That's manually moving the drive stepper motors, probably to advance to track 1 so it can load the rest of the disk. Interestingly, LDX is set to $60 twice in a row -- once at $168A (just before the jump) and once at $1706 (just after). Combine that with the fact that the nibble check has no long-term side effects, and I bet I can just bypass the whole thing by jumping to $1706 instead of $1600 back in the boot0 code in T00,S00. T00,S00,$23 change "00 16" to "06 17" Success! The rest of the program loads and runs without complaint. There doesn't appear to be any further copy protection. I also have two picture disks designed to be used with ColorMe. - ColorMe "Hugga Bunch" picture disk (two sides) - ColorMe "Tink!Tonk!" picture disk (two sides) These disks are not bootable (well, technically they boot long enough to display a message that they're just data disks and that you should boot the program disk instead), but they use the same non-standard epilogue sequences as the ColorMe program disk. Using the $B942:18 trick allows COPYA to convert each of the picture disks to a standard format. Quod erat liberandum. --------------------------------------- A 4am crack No. 25 -------------------EOF-----------------