💾 Archived View for mirrors.apple2.org.za › active › 4am › images › games › action › Stargate%20(4am… captured on 2023-05-24 at 23:05:22.

View Raw

More Information

⬅️ Previous capture (2023-01-29)

-=-=-=-=-=-=-

----------------Stargate---------------
A 4am crack                  2015-03-06
---------------------------------------

Name: Stargate
Genre: arcade
Year: 1983
Publisher: Atari, Inc.
Media: single-sided 5.25-inch floppy
OS: DOS 3.3
Other versions: Asimov has an
  uncredited file crack and an
  uncracked .nib image

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified addres and data epilogue
    bytes ("AA DE EB" for each)
  
Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "AA DE EB"
    set Data Epilogue to "AA DE EB"
  all tracks readable
  T00 -> looks like a DOS 3.3 RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is "HELLO"

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. there is no step 3 (I hope)

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#5
]CATALOG,S6,D2

C1983 DSR^C#254
336 FREE

 A 002 HELLO

 B 154 STARGATE

]RUN HELLO

ERROR #11 SYNTAX

BREAK IN 10

]LIST

 10  HOME : CLEAR : PRINT "MAXFIL
     ES1": PRINT "BNSTARGATE"

Ah, OK. The DOS on the original disk
redefines the DOS commands. It uses
"BN" instead of "BRUN".

]BRUN STARGATE
...works...

There we go.

[S6,D1=demuffin'd copy]

]PR#6
...grinds...

My copy can't read itself yet. I have a
tool to fix that.

                   ~

               Chapter 2
 In Which We Remove All Traces Of Copy
Protection Using An Automated Tool That
   I Wrote For Just Such An Occasion
      And Then It Crashes Anyway


[S6,D1=demuffin'd copy]
[S5,D1=my work disk]

]PR#5
]BRUN PDP

T00,S03,$91 change AA to DE
T00,S03,$9B change DE to AA
T00,S03,$35 change AA to DE
T00,S03,$3F change DE to AA
T00,S06,$AE change AA to DE
T00,S06,$B3 change DE to AA
T00,S02,$9E change AA to DE
T00,S02,$A3 change DE to AA

]PR#6
...crashes at $9D86...

Wait, what?

After minutes of furious investigation,
I hit upon the source of the problem:
the disk volume number. The original
disk uses disk volume 100, but the
process of converting it with Advanced
Demuffin gives me a (non-working) copy
with disk volume 254. (This is encoded
in every sector's address field.)

Why is this a problem?  Well, besides
appearing in every sector's address
field, the volume number is stored in
four different places when a disk is
initialized:

1. $B7EB (T00,S01,$EB), in the RWTS
   parameter table used by boot1 to
   load DOS from tracks 0-2 ["Beneath
   Apple DOS", p. 8-35]

2. $B7F6 (T00,S01,$F6), also in the
   RWTS parameter table, as the "last
   found" disk volume
   
3. $AA66 (T01,S09,$66), in the parsed
   keyword table used by DOS to load
   the startup program (and every other
   file loaded after that) [ibid.,
   p. 8-21]

4. $B3C1 (T11,S00,$06), in the VTOC
   header [ibid., p. 8-32]

My (non-working) copy has a $64 in each
of those locations. Since this doesn't
match the actual disk volume number in
the address fields, every sector read
fails and DOS never loads. (Why did it
work when I booted from my work disk?
Because that loaded DOS from a separate
disk that was already disk volume 254,
thus matching up with the actual disk
volume number in my non-working copy's
address fields.)

Using my trusty Disk Fixer sector
editor, I changed each of the
aforementioned locations to $FE.

T00,S01,$EB change 64 to FE
T00,S01,$F6 change 64 to FE
T01,S09,$66 change 64 to FE
T11,S06,$06 change 64 to FE

Success! My copy finally boots and runs
on its own. There doesn't appear to be
any further copy protection.

(Note to self: add this to a future
version of Post-Demuffin Patcher.)

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 243
------------------EOF------------------