----------Alice in Wonderland----------
A 4am crack                  2015-05-04
---------------------------------------

Name: Alice in Wonderland
Genre: adventure
Year: 1985
Publisher: Windham Classics
Media: double-sided 5.25-inch floppy
OS: Pronto-DOS
Other versions: Gadget Master crack
Identical cracks:
- Gertrude's Secrets, Bumble Games,
  Juggles' Rainbow, Moptown Parade,
  Reader Rabbit, Wizard of Words,
  Moptown Hotel (The Learning Company)

- Xevious (Mindscape)

- The Notable Phantom (DesignWare)

- Animal Kingdom, Race Car 'Rithmetic,
  Magical Myths (Unicorn Software)

- Pitstop II (Epyx)

- Microzine issues 12, 13, 17, and 18
  (Scholastic)

Somebody been sellin' copy protection.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no errors, but copy fills screen with
  garbage and reboots

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: FF FF FF, data: FF FF FF)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "FF FF FF"
    set Data Epilogue to "FF FF FF"
  Success! All tracks readable!
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S07 -> startup program is "HELLO"
  (probably a Pronto-DOS variant)

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. AUTOTRACE to capture RWTS
  2. Advanced Demuffin to convert disk
     to standard format
  3. Patch RWTS (if necessary)
  4. Find nibble check and bypass it

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
/!\ BOOT0 JUMPS TO $08C0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS
/!\ NIBBLE CHECK AT $BB00

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

[S6,D1=demuffin'd copy]

]PR#5
]CATALOG,S6,D1

C1983 DSR^C#254
255 FREE

 A 002 HELLO
 B 006 WINDHAM
 B 073 GAME

]PR#6
...fills screen with garbage, reboots
endlessly...

Let's go find that nibble check.

                   ~

               Chapter 2
  In Which We Run Into An Old Friend


]PR#5
]BLOAD BOOT0,A$800
]CALL -151

*801L
.
. all normal until...
.
084A-   4C C0 08    JMP   $08C0

*8C0L

08C0-   8E E9 B7    STX   $B7E9
08C3-   6C FD 08    JMP   ($08FD)

*BLOAD BOOT1,A$2600

*FE89G FE93G     ; disconnect DOS

*B600<2600.2FFFM ; move RWTS into place

*B700L

B700-   20 00 BB    JSR   $BB00

*BB00L

BB00-   A0 00       LDY   #$00
BB02-   B9 00 BB    LDA   $BB00,Y
BB05-   99 00 02    STA   $0200,Y
BB08-   88          DEY
BB09-   D0 F7       BNE   $BB02
BB0B-   60          RTS

*20C<BB0C.BBFFM

*20CL

; this subroutine seeks to track $11
; and sets the reset vector to
; something unfriendly
020C-   20 CF 02    JSR   $02CF
020F-   A9 0A       LDA   #$0A
0211-   85 2A       STA   $2A

; initialize disk motor
; (highly suspicious)
0213-   AE E9 B7    LDX   $B7E9
0216-   BD 89 C0    LDA   $C089,X
0219-   BD 8E C0    LDA   $C08E,X

; set up an address pointer
021C-   A9 C7       LDA   #$C7
021E-   85 48       STA   $48
0220-   A9 02       LDA   #$02
0222-   85 49       STA   $49

; set up the Death Counter
0224-   A9 80       LDA   #$80
0226-   85 29       STA   $29
0228-   C6 29       DEC   $29

; if the Death Counter hits zero, fail
022A-   F0 67       BEQ   $0293

; get next address field
022C-   20 44 B9    JSR   $B944
022F-   B0 62       BCS   $0293  ; fail

; loop until we find sector $0D (in
; zero page $2D after routine at $B944)
0231-   A5 2D       LDA   $2D
0233-   C9 0D       CMP   #$0D
0235-   D0 F1       BNE   $0228

; here we go
0237-   A0 00       LDY   #$00
0239-   BD 8C C0    LDA   $C08C,X
023C-   10 FB       BPL   $0239
023E-   88          DEY
023F-   F0 52       BEQ   $0293  ; fail

; Search for a specific sequence of
; nibbles in the "dead zone" between
; the address field and data field.
; This area is normally not important,
; so COPYA didn't copy it precisely
; because normal disks don't care.
; (Actually, it's even more evil than
; that, because the original disk is
; written with timing bits in specific
; non-standard places between the
; nibbles in the dead zone. This code
; not only requires the right nibbles
; in the right order, it reads them
; just slightly slower than normal. So
; the timing bits need to be in the
; right places too, or else this code
; will read the wrong nibble values
; while it's out of sync. This will
; trip up even the best bit copiers.
; And you can forget about making a
; disk image for emulators -- those
; don't store timing bits at all.)
0241-   C9 D5       CMP   #$D5
0243-   D0 F4       BNE   $0239
0245-   A0 00       LDY   #$00
0247-   BD 8C C0    LDA   $C08C,X
024A-   10 FB       BPL   $0247
024C-   88          DEY
024D-   F0 44       BEQ   $0293  ; fail
024F-   C9 E7       CMP   #$E7
0251-   D0 F4       BNE   $0247
0253-   BD 8C C0    LDA   $C08C,X
0256-   10 FB       BPL   $0253
0258-   C9 E7       CMP   #$E7
025A-   D0 37       BNE   $0293  ; fail
025C-   BD 8C C0    LDA   $C08C,X
025F-   10 FB       BPL   $025C
0261-   C9 E7       CMP   #$E7
0263-   D0 2E       BNE   $0293  ; fail

; kill some time to get out of sync
; with the "proper" start of nibbles
0265-   BD 8D C0    LDA   $C08D,X
0268-   A0 10       LDY   #$10
026A-   24 06       BIT   $06

; now start looking for nibbles that
; don't really exist (except they do,
; because we're out of sync and reading
; timing bits as data)
026C-   BD 8C C0    LDA   $C08C,X
026F-   10 FB       BPL   $026C
0271-   88          DEY
0272-   F0 1F       BEQ   $0293  ; fail
0274-   C9 EE       CMP   #$EE
0276-   D0 F4       BNE   $026C

; check for nibble sequence stored
; in reverse order at $2C7
0278-   A0 07       LDY   #$07
027A-   BD 8C C0    LDA   $C08C,X
027D-   10 FB       BPL   $027A
027F-   D1 48       CMP   ($48),Y
0281-   D0 10       BNE   $0293
0283-   88          DEY
0284-   10 F4       BPL   $027A

; success path falls through to here
0286-   A9 80       LDA   #$80
0288-   8D 4E 9E    STA   $9E4E
028B-   A9 A1       LDA   #$A1
028D-   8D 4F 9E    STA   $9E4F
0290-   4C 4D 9E    JMP   $9E4D

That last section at $0286..$0290 is
interesting. After the nibble check
passes, it replaces two bytes at $9E4E
and $9E4F, then immediately jumps to
$9E4D. That implies that this nibble
check is called from $9E4D via an
unconditional jump (not a JSR). With my
trusty Disk Fixer sector editor, I
searched the disk for "4C 0C 02" and
lo and behold! Track $00, sector $0B,
byte $4D contains a "JMP $020C".

I should be able to change that JMP
back to its original target ($A180) and
bypass the nibble check altogether.
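The nibble check at $020C..$0290, modelled in Python as an added illustration (not code from the disk or from this write-up). The model starts after the sector $0D address field has been found, takes the nibble stream as the deliberately out-of-sync reader would decode it (a byte-level model cannot reproduce timing bits), and the 8-nibble table at $02C7 is a constructed stand-in because the page does not list it.

```python
from typing import List

# The eight nibbles compared against $02C7..$02CE are not shown on the page,
# so this table is a constructed stand-in. Y runs from 7 down to 0, so the
# first nibble read from the disk is compared with the LAST table entry.
EXPECTED_TABLE = [0xAA, 0xAB, 0xAD, 0xAE, 0xAF, 0xB5, 0xB6, 0xB7]

class NibbleStream:
    """Stand-in for the LDA $C08C,X / BPL polling loop: read() returns the
    next nibble, padding with $FF sync nibbles once the sample runs out."""
    def __init__(self, nibbles: List[int]) -> None:
        self._it = iter(nibbles)
    def read(self) -> int:
        return next(self._it, 0xFF)

def _scan_for(s: NibbleStream, value: int, y_init: int) -> bool:
    """Mirror of 'LDY #y_init; loop: read; DEY; BEQ fail; CMP; BNE loop'.
    Y is decremented before the compare, so LDY #$00 allows 255 compares
    and LDY #$10 only 15 before the branch to the failure exit at $0293."""
    y = y_init
    while True:
        nib = s.read()
        y = (y - 1) & 0xFF
        if y == 0:
            return False
        if nib == value:
            return True

def nibble_check(dead_zone: List[int], table: List[int] = EXPECTED_TABLE) -> bool:
    """True where the 6502 code reaches $0286 (success), False where it
    branches to $0293. dead_zone = nibbles after the sector $0D address
    field, as the out-of-sync reader would see them."""
    s = NibbleStream(dead_zone)
    if not _scan_for(s, 0xD5, 0x00):            # $0237..$0243
        return False
    if not _scan_for(s, 0xE7, 0x00):            # $0245..$0251
        return False
    if s.read() != 0xE7 or s.read() != 0xE7:    # $0253..$0263, no retry
        return False
    # $0265..$026A stalls on purpose so the reader drifts out of sync; the
    # caller supplies the stream as that drifted reader decodes it, with
    # the "phantom" $EE that only exists because of the timing bits.
    if not _scan_for(s, 0xEE, 0x10):            # $026C..$0276
        return False
    for y in range(7, -1, -1):                  # $0278..$0284
        if s.read() != table[y]:
            return False
    return True                                 # $0286: success path

# Constructed dead-zone samples, not captured from any disk.
ORIGINAL = [0xFF, 0xFF, 0xD5, 0xE7, 0xE7, 0xE7, 0xFC, 0xEE] + EXPECTED_TABLE[::-1]
COPYA = [0xFF] * 4 + [0xD5, 0xAA, 0xAD]          # plain data prologue follows
BITCOPY = [0xFF, 0xD5, 0xE7, 0xE7, 0xE7] + [0xFC] * 20 + EXPECTED_TABLE[::-1]
```

COPYA fails because no $E7 follows the data prologue; BITCOPY has every real nibble in the right order but no phantom $EE within 15 reads, which is the timing-bit failure the comments above describe.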

                   ~

               Chapter 3
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

T00,S0B,$4E change 0C02 to 80A1

It turns out the RWTS is flexible
enough to read disks in a standard
format; no RWTS patches are required.

Side B is not bootable, but it uses the
same RWTS. Advanced Demuffin converts
it without error, and the game reads it
without patches.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 301
------------------EOF------------------