---------Wild West Math Level 3--------
A 4am crack                  2017-06-20
---------------------------------------

Name: Wild West Math Level 3
Genre: educational
Year: 1990
Publisher: Micrograms Publishing
Platform: Apple ][+ or later
Media: 3 single-sided 5.25-inch disks
OS: custom
Previous cracks: none

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  no errors, but copy hangs on boot
  with a text screen full of code

Locksmith Fast Disk Backup
  ditto

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  disk volume is 000, which is unusual,
  but otherwise tracks look normal --
  16-sector, standard address fields,
  standard everything really

                 --v--

   COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.
---------------------------------------

TRACK: 01  START: 1800  LENGTH: 3DFF

17E0: FF FF 80 80 FF FF 80 80   VIEW
17E8: FF FF 80 80 FF FF 80 80
17F0: FF FF 80 80 FF FF 80 80
17F8: FF FF 80 80 FF FF 80 80
1800: FF FF FF FF FF FF FF FF  <-1800
1808: FF FF FF FF FF D5 AA 96
                     ^^^^^^^^
                 address prologue

1810: AA AA AA AB AB AB AB AA
      V=000 T=$01 S=$03 chksm

1818: DE AA BE FF FF FF FF FF
      ^^^^^
 address epilogue

1820: FF FF D5 AA AD 96 96 96
            ^^^^^^^^
         data prologue

---------------------------------------

  A  TO ANALYZE DATA  ESC TO QUIT

  ?  FOR HELP SCREEN  /  CHANGE PARMS

  Q  FOR NEXT TRACK   SPACE TO RE-READ

                 --^--

Disk Fixer
  all tracks readable
  custom bootloader
  DOS-style disk catalog on track $02

                 --v--

-------------- DISK EDIT --------------
TRACK $02/SECTOR $0F/VOLUME $00/BYTE$01
---------------------------------------
$00: 00>02<0E 00 00 00 00 00   @BN@@@@@
$08: 00 00 00 03 0F 04 C4 C5   @@@CODDE
$10: C3 B1 B5 AE B1 B9 B8 B9   C15.1989
$18: A0 A0 A0 A0 A0 A0 A0 A0
$20: A0 A0 A0 A0 A0 A0 A0 A0
$28: A0 A0 A0 A0 02 00 04 0F       B@DO
$30: 04 D0 C9 AE D4 C9 D4 CC   DPI.TITL
$38: C5 A0 A0 A0 A0 A0 A0 A0   E
$40: A0 A0 A0 A0 A0 A0 A0 A0
$48: A0 A0 A0 A0 A0 A0 A0 22          "
$50: 00 09 0F 04 D3 D4 AE CE   @IODST.N
$58: D5 CD A0 A0 A0 A0 A0 A0   UM
$60: A0 A0 A0 A0 A0 A0 A0 A0
$68: A0 A0 A0 A0 A0 A0 A0 A0
$70: A0 A0 08 00 0A 0F 04 D3     H@JODS
$78: D4 AE C6 CF CE D4 A0 A0   T.FONT
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL

---------------------------------------
COMMAND : _

                 --^--

Why didn't COPYA or Locksmith FDB work?
  probably a nibble check in early boot

Why *did* EDD work?
  the nibble check probably isn't very
  strong

Next steps:

  1. Trace the boot
  2. Find the protection check and
     disable it
  3. Declare victory (*)

(*) go to the gym

                   ~

               Chapter 1
      In Which We Take A Shortcut
   That Turns Out To Be Not So Short


The fastest way to find a runtime
protection check is to search for the
instruction that turns on the drive
motor. Generally this is "LDA $C089,X"
(following the convention that the X
register contains the boot slot x 16),
but it could also be hard-coded to
slot 6 like "LDA $C0E9" or some other
variant.

[Disk Fixer]
  ["F"]ind
    ["H"]ex
      "BD 89 C0"

No matches whatsoever. Which is odd.

-->   "AD E9 C0"

No matches whatsoever. WTF. Maybe it's
encrypted to prevent exactly the thing
I'm trying to do right now?

Let's try searching for the instruction
that loads the data latch to fetch a
single nibble from disk: "LDA $C08C,X".

-->   "BD 8C C0"

No matches whatsoever. This is looking
less and less like a shortcut. Maybe
the hard-coded variant "LDA $C0EC"?
After that I'm out of ideas and I'm
going to trace the boot from the
beginning.

-->   "AD EC C0"

                 --v--

------------- DISK SEARCH -------------

$00/$05-$3F   $00/$05-$5C   $00/$05-$65
$00/$05-$6F   $00/$05-$86   $00/$05-$8E
$00/$05-$EF   $00/$05-$F8   $00/$06-$01

             PRESS [RETURN]

                 --^--

Praise be. Let's see what we found:

                 --v--

T00,S05
----------- DISASSEMBLY MODE ----------
; match standard prologue ($D5 $AA $96
; for address field, $D5 $AA $AD for
; data field, depending on carry bit --
; same technique as the drive firmware
; at $C600 uses)
005C:AD EC C0       LDA   $C0EC
005F:10 FB          BPL   $005C
0061:49 D5          EOR   #$D5
0063:D0 F1          BNE   $0056
0065:AD EC C0       LDA   $C0EC
0068:10 FB          BPL   $0065
006A:C9 AA          CMP   #$AA
006C:D0 F3          BNE   $0061
006E:EA             NOP
006F:AD EC C0       LDA   $C0EC
0072:10 FB          BPL   $006F
0074:C9 96          CMP   #$96
0076:F0 09          BEQ   $0081
0078:28             PLP
0079:90 D0          BCC   $004B
007B:49 AD          EOR   #$AD
007D:F0 2E          BEQ   $00AD
007F:D0 CA          BNE   $004B

; parse address field
0081:A0 03          LDY   #$03
0083:8D 21 0D       STA   $0D21
0086:AD EC C0       LDA   $C0EC
0089:10 FB          BPL   $0086
008B:2A             ROL
008C:85 F9          STA   $F9
008E:AD EC C0       LDA   $C0EC
0091:10 FB          BPL   $008E
0093:25 F9          AND   $F9
0095:88             DEY
0096:D0 EB          BNE   $0083
0098:28             PLP
0099:8D 22 0D       STA   $0D22
009C:C5 EC          CMP   $EC
009E:D0 AB          BNE   $004B
00A0:AD 21 0D       LDA   $0D21
00A3:C5 EB          CMP   $EB
00A5:B0 A5          BCS   $004C
00A7:0A             ASL
00A8:85 ED          STA   $ED
.
. [regular 6-and-2 encoding, not shown]
.
; switch to text screen 2, turn off
; drive motor, and hang (I think this
; is where I ended up on my non-working
; copy)
00E3:2C 51 C0       BIT   $C051
00E6:2C 55 C0       BIT   $C055
00E9:2C E8 C0       BIT   $C0E8
00EC:4C EC 0E       JMP   $0EEC

; match standard epilogue ($DE $AA)
00EF:AD EC C0       LDA   $C0EC
00F2:10 FB          BPL   $00EF
00F4:C9 DE          CMP   #$DE
00F6:D0 E4          BNE   $00DC
00F8:AD EC C0       LDA   $C0EC
00FB:10 FB          BPL   $00F8
00FD:C9 AA          CMP   #$AA
00FF:D0 EE          BNE   $00EF

[continuing on T00,S06]

; match... a third epilogue nibble?!?
0001:AD EC C0       LDA   $C0EC
0004:10 FB          BPL   $0001
0006:C9 BE          CMP   #$BE
0008:D0 E5          BNE   $FFEF

                 --^--

Oh wow. That's not what I was expecting
at all, but that's the problem. There
is no protection check. The protection
is purely structural -- this RWTS code
is super-strict and requires a third
(non-standard) epilogue nibble.

Technically, both the address epilogue
and the data epilogue are three nibbles
$DE $AA $EB. But even standard DOS 3.3
never checks more than the first two.
(ProDOS only checks the first one.)
Literally nothing checks the third
nibble of the epilogue.

Except this disk.

And it's non-standard ($BE instead of
$EB).

So the disk looks like it's unprotected
(even copies with COPYA), but the copy
can't read itself because the third
epilogue nibble is wrong.

The solution is to patch this RWTS so
it ignores the third epilogue nibble.
The least invasive way to do that is to
change the "BNE" after "CMP #$BE" so it
branches to the next instruction,
effectively making it a NOP.

T00,S06,$09: E5 -> 00

]PR#6
...works...
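To make the structural check concrete, here is a small Python model (added to this writeup; not code from the disk, DOS 3.3, or Passport) of the address-field reader at T00,S05-S06 with the three epilogue policies compared above: DOS 3.3's two-nibble check, this RWTS's three-nibble check, and the same RWTS after the patch. The nibble values are constructed from the Chapter 0 nibble-editor dump, and the assumption that a COPYA copy carries DOS 3.3's standard $EB as the third nibble follows from the text.

```python
# Added illustration for this writeup (not code from the disk, DOS 3.3 or
# Passport): a model of the address-field reader with the epilogue policies
# discussed in Chapter 1.

PROLOGUE = (0xD5, 0xAA, 0x96)          # standard address-field prologue

# Epilogue policies: the nibbles that must match after the address field.
EPILOGUE_DOS33 = (0xDE, 0xAA)          # DOS 3.3 checks only the first two
EPILOGUE_STRICT = (0xDE, 0xAA, 0xBE)   # this disk's RWTS also demands $BE
EPILOGUE_PATCHED = (0xDE, 0xAA)        # after T00,S06,$09: E5 -> 00


def encode44(value):
    """4-and-4 encode one byte into the two nibbles DOS writes to disk."""
    return ((value >> 1) | 0xAA, value | 0xAA)


def decode44(n1, n2):
    """Undo encode44 the way the RWTS does: ROL (carry set), then AND $F9."""
    return ((n1 << 1) | 1) & n2 & 0xFF


def build_address_field(volume, track, sector, third_nibble):
    """Constructed sample: prologue, four 4-and-4 pairs, then DE AA <third>."""
    nibbles = list(PROLOGUE)
    for value in (volume, track, sector, volume ^ track ^ sector):
        nibbles.extend(encode44(value))
    nibbles.extend((0xDE, 0xAA, third_nibble))
    return nibbles


def read_address_field(nibbles, epilogue):
    """Return (volume, track, sector), or None if the field would be rejected."""
    for pos in range(len(nibbles) - 2):
        if tuple(nibbles[pos:pos + 3]) == PROLOGUE:
            break
    else:
        return None                                 # no prologue: keep spinning
    body = nibbles[pos + 3:pos + 11]
    if len(body) < 8:
        return None
    volume, track, sector, checksum = (decode44(body[i], body[i + 1]) for i in range(0, 8, 2))
    if checksum != volume ^ track ^ sector:
        return None                                 # bad checksum: retry
    if tuple(nibbles[pos + 11:pos + 11 + len(epilogue)]) != epilogue:
        return None                                 # epilogue mismatch: retry
    return volume, track, sector


# The field from the Chapter 0 dump (V=000 T=$01 S=$03) as mastered, and as a
# COPYA copy rewrites it with DOS 3.3's standard third nibble $EB (assumed).
ORIGINAL_DISK = build_address_field(0x00, 0x01, 0x03, 0xBE)
COPYA_COPY = build_address_field(0x00, 0x01, 0x03, 0xEB)
```

Reading COPYA_COPY with EPILOGUE_STRICT fails on the third nibble alone, which is exactly why the copy hangs at boot; with EPILOGUE_PATCHED the same copy reads cleanly.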

                   ~

               Chapter 2
                Et Alii


I've added support for this patch to
Passport, my automated disk verifier
and auto-cracker. The transcript will
look like this:

                 --v--

READING FROM S6,D1
T00,S00 FOUND MICROGRAMS BOOTLOADER
USING BUILT-IN RWTS
WRITING TO S6,D2
T00,S06,$09: E5 -> 00
CRACK COMPLETE.

                 --^--

More information and source code is
available at
https://archive.org/details/Passport4am

Disks 2 & 3 have identical protection.

Quod erat liberandum.

---------------------------------------
A 4am crack                    No. 1266
------------------EOF------------------
