' +JJJJ ?\>m0M='+l> /+l  H d@hLҦ L~ L  ﵪ*i BB䵊嵰`72µ- i ư&( Rp s P  LLʬLoō 鷎귭෍ᷩ췩緈JJJJx Lȿ L8ᷭ緍췩 緍i 8 `巬 췌`x (`(8`I`B` ``>J>J>VU)?`8'x0|&HhHh VY)'&Y)xꪽ)' `Hh`V0^*^*>&` aI꽌ɪVɭ&Y&&Y& 꽌ɪ\8`&&꽌ɪɖ'*&%&,E'зЮ꽌ɪФ`+*xS&x'8*3Ixix&& 8  '  & x)*++`NG8`0($ p,&" ۿ ۿڿL흍ٿ vLQ  !"#$%&'()*+,-./0123456789:;<=>?  ( 9 +"  "*  (9"1 ( ,.(0# 2  /#0/#0 *?'#07#00/0/'#07#0:"4<*55/**5/*%5/)1/)1/)1/)'#0/#0*5/*75/**5/*:5//#0/#0'#07#0:::*::'#07#0).).*#!.*'!.8)(#/-)(#/-,,eb)++$ h( ,!!"@h !D)"E` @ $ C ` DQ &J80^݌Hh ü ü݌ ռ ռ ռA ļD ļ? ļAEDE?HJ>h Լ ռ ռ ռ`HJ>݌h Hh݌`HH ᥠ L\HIHHHHhHH݌hHhHh݌H6 VDP (FD Z $0x8x D- ܸDD# H8`?F Vk *f???0xF Hh D#-FFF8` D ܸx D - ܸx8`-0ݩ?ʥD FFF`   LDcpq` [` ~  L IH  /JJJJ"L뷩 ᷩ췩 ɛ LDLSAVBPILOCUNLOCIBPIBPIBPPRBPIBLISCALBPIBUZZOFӜsqu`".Q`pNФbptťܥm2<(-Py0\|e<6e< ~ vL~ JJJJj귍hI  aUL@ kU8  L  ^R(jQ0l^l\  OÌȌ`W ԧ H h@ [_ /QSIRb_L`LLLL`ª`LQL߼YLeLXLeLee ўQ0 L&RE;BY; Ꝥ$`( R \ZLl8 ўR HH\`\Z[YS6`LxQɿu3'RͲʎRʎ]]]ɍuL͟ɍ}RLRɍg^H8 ^hZLɍR LͲɊRR% QLܤͲ Z@ -^ ş\[Z QY\[Z8`l6Lş_Ȍb_Ͳ] )Y h( ֭ͲLɍ [LLĦ__ ^ 9 LҦ3 9 a   0LjLY u< (_9 ˭ɠuɠK_9 ?LˆʎõĵL õ ĵµ aµ`` L̦µ_bJLuLz`  ȟ QlXJ̥KlV  ȟ QlV eօ3L׭Lܫ &RL &QL d L4 We)n `@-eff L f`L . tQLѤ LҦL` OPu d L Ne)noon 8ɍ` ^f\õL ^NR  RΩLҦ\L \ şL_ NLjHv 3h`0h8` [L NС õ`A@` ŵL]Lõ`  \ 濭0 ş  Q ^\lZl^\8  ş Lȟ`fhjõĵ@OAP`u@`@&`QR`F Ls  @DAF@u`8` %@ @A@`@`@A`Mµ ) LЦ`8@AWc@8@-@HAȑ@hHȑ@ȑ@hHȑ@Ȋ@ch8&ȑ@Hȑ@Ah@LHȑ@ȑ@ htphso`hMhL`9V8U897T6S67`INILOASAVRUCHAIDELETLOCUNLOCCLOSREAEXEWRITPOSITIOOPEAPPENRENAMCATALOMONOMOPRINMAXFILEFINBSAVBLOABRUVERIF!pppp p p p p`" t""#x"p0p@p@@@p@!y q q p@ ,\Z[PRR3\ɄSɊ"RQJ(0Fw6. ^-%p 㩠RP.Q I* P\L˵B̵C8pB߮Z\ @ յյ\BIR Z-^ Jp\IZLLӜv  Ϡ@跻~!Wo*9~~~~ɬƬ~_ j ʪHɪH`Lc (L ܫ㵮赎 ɱ^_ J LsL Q(`贩紎 DǴҵԵƴѵӵµȴ 7 ַ :ŵƴѵǴҵȴµ納贍﵎ٵ്ᵭⳍڵL^ѵ-I `  4 ò-յ!  8صٵ紭ﵝ 7L (0+BC  7L HH`LgL{0 HH` õL H hBL BH [ h`Lo õ ڬL B ڬ LH hB@ յյ [L (ȴ) ȴ 7L L ( L (ȴL{ƴѵ洩ƴǴҵ 7 ^* B0 HȱBh ӵԵ 8 L8 ݲ` ܫ  / / şFD B / / ]ƴS0Jȴ ȴ)  紅D贅F B ƴ  / 0L Ν `ND8HFFhDh N ş`, ŵBѵ`, ѵB8`  XI볩쳢8 DH E𳈈췍Ȍ X0 · JLǵBȵC`,յp` 䯩 R-յյ`յ0` K R-յյ`ɵʵӵԵ` 4 K ( ѵҵLBȱBL8` DBHBH : ַ޵BȭߵBhhӵԵ RBܵmڵ޵ȱBݵm۵ߵ` 䯩LR˵̵ֵ׵`LzĪLR E( 8` R` ELRŪƪ`췌 յյI뷭鷭귭ⵍ㵍跬ª 뷰` Lf ݵܵߵ޵ ^`8ܵ i B8` 4L ֵȱB׵ ܯ䵍൭嵍 ` DȑB׵Bֵ  ַ յյ`` ᥠ hh`ĵµ`ڿ8.ڿ.ۿ`êL`õĵBCõĵ`µµ`L õBĵCصص Qƴ0"Bƴ 󮜳` 0۰ϬBƴ8`i#`ЗLw!0>ﵭ` m ﳐ 7i볍 8 ЉLw`H h ݲL~ `浍국䵍뵩嵠Jm赍嵊mjnnn浈ۭm浍浭m䵍䵩m嵍`"L ŵ8ŵH x(`F d£àĠz# u` @@A` @A@  B C BBCLCLfBL ީLhh`LLN7ɿLݍҭ -A@@i@@@i@AAݣ@ݢΩDDLeA@@lL /?@Hɷ@#@h@!ɵ@ɥͰi+hɝi@@/8e@@DAA͈@̈DDL܇@BA݅C@BAC濽տ`xxlt]iVȿQkKRE;BY;LꍁlL<ԍL WLHr7s8 LH HLݍ ,,(`l8 LH e UL׉ LH LH,, sL,,, t鍁` H `Le HL H LL H QL H Llש B\ȹ'ȹ' (LRANGWRITE PROEND DATFILE NOT FOUNVOLUMI/O ERDISK FULLOCKESYNTANO BUFFETYPE MISMATCTOO LARGNOT DIREC q`QrU`)`\N|Lي80ʭ) $% B橠 B  ` L߭ɍ_LةحW`8& 9ʩ8`WL () ~ۭ N N L,H whLZ؍^؍_`$,,L`hhhL٭0 ,0L,Ƀɛɍ8ɠnɻɺ: n(8l mnحuIn Lw8n {۠u  {ۥgh,,0۬ۍ،؍La8 L߭ u ب H بh,8m l بNۘHج,8۰h Z wةͼH h بLZ8Ѕυ Z0 Z LڭٍَٺHץ9ɾIn0 hH )? @(I7n׽Nשn I-- h+( ,,0 ,Hّ(ho Lލ ׭,0 )?( Ɉoɀ@MםH Ihh0 Lڊʰڍ,עLڍhhیڬ<۠x )ڠ8۬ڰ(HH `ȹ0,Ȍ ɍ  ɠ )?, @, LB LƠ LLւ&LݩLL#B B!P`LˆʎõĵL õ ĵµ aµ`` L̦µ_bJLuLz`  ȟ QlXJ̥KlV  ȟ QlV @ NLi   L` -e L `sr ࣭ml ࣭srLLlۿڿLգ գ ze)rs zrsLq ] Qlr L̦ `8gh ࣥhgL `8LʨM ࣥˤLµH hLħõµ µõ8`D&F`( 80 0 DDLDLDL^ t^`,tP ȟpMt-^^`DH hWLԧ d@` Lꢩ  c ȢL LlLգcl mllm ꢥFLȦAD@ C N cLuɠ% d: LꢩГcvc]ܢ @J0G eeʎd d F DUFX ЃDWcДJFgDfLH eeh) tt L [ _HH`]ɍ]ɬ` ɠ``DF ɤ<(LΡ DF`80!  eDeF eDDeFFτ֭ͲLɍ [LLĦ__ ^ 9 LҦ3 9 a   0LjLY u< (_9 ˭ɠuɠK_9 ?L+N8n 'nnnnn%YUY`48 PHA BB49- AD ED B7 LDA $B7ED BB4C- 48 PHA ; set up an RWTS read BB4D- A9 00 LDA #$00 BB4F- 8D EC B7 STA $B7EC BB52- A9 06 LDA #$06 BB54- 8D ED B7 STA $B7ED BB57- A9 01 LDA #$01 BB59B7 BB3C- 8D 3A B7 STA $B73A ; push an address to the stack BB3F- A9 B5 LDA #$B5 BB41- 48 PHA BB42- A9 18 LDA #$18 BB44- 48 PHA ; save some other values on the stack BB45- AD EC B7 LDA $B7EC BB48- More. *202F:A0 55 B9 00 BC 59 00 B8 99 00 BC 88 10 F4 60 *2000G *BB35L Finally some real code. ; cover our tracks in memory (overwrite ; the call to $BB03) BB35- A9 93 LDA #$93 BB37- 8D 39 B7 STA $B739 BB3A- A9 B7 LDA #$cryption key. *2026:59 00 B8 99 00 BB C8 D0 F4 60 *2000G *BB27L BB27- A0 55 LDY #$55 BB29- B9 00 BC LDA $BC00,Y BB2C- 59 00 B8 EOR $B800,Y BB2F- 99 00 BC STA $BC00,Y BB32- 88 DEY BB33- 10 F4 BPL $BB29 - B9 00 BB LDA $BB00,Y More. *201D:6E 1E BB 6E 25 BB B9 00 BB 60 *2000G *BB1EL BB1E- 59 00 B8 EOR $B800,Y BB21- 99 00 BB STA $BB00,Y BB24- C8 INY BB25- D0 F4 BNE $BB1B More, now using the page at $B800 as an en 6E 0F BB ROR $BB0F More. *2012:A0 27 6E 0F BB 60 *2000G *BB0FL BB0F- 6E 1B BB ROR $BB1B BB12- 6E 15 BB ROR $BB15 More. *2017:6E 1B BB 6E 15 BB 60 *2000G *BB15L BB15- 6E 1E BB ROR $BB1E BB18- 6E 25 BB ROR $BB25 BB1B L>J>J>VU)?`8'x0|&HhHh VY)'&Y)xꪽ)' `Hh`V0^*^*>&` aI꽌ɪVD# H8`?F Vk *f???0xF Hh D#-FFF8` D ܸx D - ܸx8`-0ݩ?ʥD FFF`   LDcpq` [` ~ hh@(LH9LHH/Hh/ H-З( ܸ(& ¸$8 H` *HVDP (FD Z $0x8x D- ܸDL\HIHHHHhHH݌hHhHh݌H6 h Լ ռ ռ ռ`HJ>݌h Hh݌`HH ᥠ <=>? 1Nqn @'nnn%rȠ8:~1Hzi2H4:]詥h/>G ۝4xQhV;0h[BxFd*tY@bEX4Eo h3V5q~UjPaX$$};Q hd8 26`NG8`0($ p,&" ۿ ۿڿL흍ٿ vLQ  !"#$%&'()*+,-./0123456789:;&Y&&Y& 꽌ɪ\8`&&꽌ɪɖ'*&%&,E'зЮ꽌ɪФ`+*xS&x'8*3Ixix&& 8  '  & x)*++">J>J>VU)?`8'x0|&HhHh VY)'&Y)xꪽ)' `Hh`V0^*^*>&` aI꽌ɪV     - 4E 06 BB LSR $BB06 200E- 60 RTS *2000G *BB03L BB03- 4E 06 BB LSR $BB06 BB06- 38 SEC BB07- 6E 0A BB ROR $BB0A More self-modifying code. *200E:38 6E 0A BB 60 *2000G *BB0AL BB0A- A0 27 LDY #$27 BB0C-ce (at $BB00), then reproduce the modifications and inspect the results. Lather, rinse, repeat. 2000- A0 00 LDY #$00 2002- B9 00 2B LDA $2B00,Y 2005- 99 00 BB STA $BB00,Y 2008- C8 INY 2009- D0 F7 BNE $2002 200B Chapter 2 In Which We Learn The True Meaning Of Patience To capture this self-modifying code, I need to reproduce the modifications without running the modified code. I'll start with a pristine copy (at $2B00), copy it into plaB06 Uh oh. Self-modifying code. The 6502 processor has no instruction cache, so one instruction can literally change the next instruction in memory, and the CPU will execute the new instruction. Which is what's happening here. ~ L' +JJJJ ?\>m0M='+l> /+l  H d@hLҦ L~ L  ﵪ*i BB䵊嵰`72µ- i ư&( Rp s P  LLʬLoōD# H8`?F Vk *f???0xF Hh D#-FFF8` D ܸx D - ܸx8`-0ݩ?ʥD FFF`   LDcpq` [` ~ hh@(LH9LHH/Hh/ H-З( ܸ(& ¸$8 H` *HVDP (FD Z $0x8x D- ܸDL\HIHHHHhHH݌hHhHh݌H6 h Լ ռ ռ ռ`HJ>݌h Hh݌`HH ᥠ <=>? 1Nqn @'nnn%rȠ8:~1Hzi2H4:]詥h/>G ۝4xQhV;0h[BxFd*tY@bEX4Eo h3V5q~UjPaX$$};Q hd8 26`NG8`0($ p,&" ۿ ۿڿL흍ٿ vLQ  !"#$%&'()*+,-./0123456789:;&Y&&Y& 꽌ɪ\8`&&꽌ɪɖ'*&%&,E'зЮ꽌ɪФ`+*xS&x'8*3Ixix&& 8  '  & x)*++>J>J>VU)?`8'x0|&HhHh VY)'&Y)xꪽ)' `Hh`V0^*^*>&` aI꽌ɪV 鷎귭෍ᷩ췩緈JJJJx Lȿ L8ᷭ緍췩 緍i 8 `巬 췌`x (`(8`I`B` `` ' +JJJJ ?\>m0M='+l> /+l  H d@hLҦ L~ L  ﵪ*i BB䵊嵰`72µ- i ư&( Rp s P  LLʬLoō      any of the BASIC programs. Not sure why yet. Let's go find that nibble check. ]BLOAD BOOT1,A$2600,S5,D1 ]CALL -151 *FE89G FE93G *B600<2600.2FFFM *B700L . . nothing unusual, until... . B738- 20 03 BB JSR $BB03 *BB03L BB03- 4E 06 BB LSR $B NEEDS FOOD FOR GROWTH AND ENERGY. USES OXYGEN TO GET ENERGY FROM FOOD. MOVES TOWARD OR AWAY FROM THINGS. REPRODUCES ITS OWN KIND. MADE OF CELLS WITH CYTOPLASM. GROWS BY ADDING NEW CELLS AND CYTOPLASM ... Well, at least that works. But I can't LOAD or RUNnally identifiable information in the STUDENT ROSTER.CLASS file. Wipe it before release.) ]RUN HELLO ...computer freezes... Hmm. ]PR#5 ]LOAD HELLO,S6,D1 ...computer freezes... Double hmm. ]PR#5 ]TLIST ACT.1.DATA,S6,D1 ENERGY TO MOVE COMES FROM WITHIN.SH.SPC B 004 AMERICAN EEL.SPC B 004 AMERICAN SEA HORSE.SPC B 003 ROCK.SPC B 004 VENUS FLYTRAP.SPC B 005 EARTHWORM.SPC B 005 PARAMECIUM.SPC B 004 ATLANTIC HALIBUT.SPC B 003 HARBOR SEAL.SPC B 004 SPOTTED TURTLE.SPC (Note to self: there may be persoD.SPC B 004 SPADEFOOT TOAD.SPC B 005 GREEN TREE FROG.SPC B 004 LEOPARD FROG.SPC B 003 BULLFROG TADPOLE.SPC B 003 HAGFISH.SPC B 003 LAMPREY.SPC B 004 HAMMERHEAD SHARK.SPC B 003 GIANT DEVIL RAY.SPC B 004 RAINBOW TROUT.SPC B 003 BLACK BULLHEAD CATFIOWL.SPC B 003 BELTED KING FISHER.SPC B 003 RED-HEADED WOODPECKER.SPC B 004 BLUEJAY.SPC B 004 ANOLE LIZARD.SPC B 004 GLASS SNAKE LIZARD.SPC B 005 SCARLET KING SNAKE.SPC B 004 RED SALAMANDER.SPC B 003 SIREN.SPC B 004 NEWT.SPC B 003 GREAT PLAINS TOAABBIT.SPC B 004 WHITE-TAILED DEER.SPC B 003 HARBOR PORPOISE.SPC B 004 NINE-BANDED ARMADILLO.SPC B 004 WHITE PELICAN.SPC B 004 BALD EAGLE.SPC B 005 TURKEY.SPC B 003 AMERICAN FLAMINGO.SPC B 004 ROCK DOVE.SPC B 003 ROADRUNNER.SPC B 004 GREAT HORNED 05 COMMON WATER SNAKE.SPC B 005 GREEN TURTLE.SPC B 005 ALLIGATOR.SPC B 004 CROCODILE.SPC B 005 SHORT-HORNED LIZARD.SPC B 004 OPOSSUM.SPC B 004 CALIFORNIA MOLE.SPC B 004 BIG BROWN BAT.SPC B 005 SCUBA DIVER.SPC B 004 BEAVER.SPC B 004 ANTELOPE JACKREMENTS.DATA T 005 ACT.3.CLASS STATEMENTS T 012 ACT.3.SPECIFIC STATEMENTS A 019 CREDITS + NAME ENTRY B 002 UNPACK B 009 LOGO T 018 VERT.GLOS T 003 HELP SCREEN.MW A 013 MAIN MENU T 011 STUDENT ROSTER.CLASS A 042 ACT.1 A 045 ACT.2 A 052 ACT.3 B 0 ]CATALOG,S6,D1 C1983 DSR^C#254 014 FREE A 003 HELLO B 002 INPUT.OBJ0 B 014 PICDRAWL B 010 HRCGL B 002 SOUND B 002 GLOSSARY PAGE.SPC T 009 ACT.1.DATA A 017 REVIEW RESULTS B 002 ACT.2.SPC T 003 ACT.3.CLASS STATEMENTS.DATA T 006 ACT.3.SPEC. STATtarts, Then Our Adventure Begins In Earnest [S6,D1=original disk] [S5,D1=my work disk] ]PR#5 ... CAPTURING BOOT0 ...reboots slot 6... ...reboots slot 5... SAVING BOOT0 CAPTURING BOOT1 ...reboots slot 6... ...reboots slot 5... SAVING BOOT1 SAVING RWTS Maybe a nibble check that sabotages the boot on failure? Next steps: 1. Capture bootloader with AUTOTRACE 2. Find nibble check and disable it 3. There is no step 3 ~ Chapter 1 In Which We Have A Few False S sync, no count) ditto Copy ][+ nibble editor nothing suspicious Disk Fixer T00,S00 -> standard DOS 3.3 boot0 T00-02 -> looks like DOS 3.3 T01,S09 -> startup program is blank?! T11 -> DOS 3.3 disk catalog Why didn't any of my copies work? (' +JJJJ ?\>m0M='+l> /+l  H d@hLҦ L~ L  ﵪ*i BB䵊嵰`72µ- i ư&( Rp s P  LLʬLoō {_________________________} ~ Chapter 0 In Which Various Automated Tools Fail In Interesting Ways COPYA no errors, but the copy boots DOS and stops Locksmith Fast Disk Backup ditto EDD 4 bit copy (no you must } { learn patience." } { "Yeah yeah yeah, } { patience. How long } { will that take?" } { } { Boot to the Head } { The Frantics } l Cooper (artist) Publisher: D.C. Heath and Company Media: single-sided 5.25-inch floppy OS: Diversi-DOS Other versions: none (preserved here for the first time) _________________________ { } { "Ed Gruberman,---Classifying Animals with Backbones-- A 4am crack 2015-01-30 --------------------------------------- Name: Classifying Animals with Backbones Genre: educational Year: 1985 Authors: John Boeschen & Co., David Lee, James Grandy, Danie                                   ! ! ! !!!!!!!!!""" 53)73ı<KEY(8454): FEATURING AUTOTRACEL RWTS EXTRACTION,` IOB CREATION,~ NIBBLE CHECK DETECTION, RWTS AUTO-DECRYPTION 2015-01-26 CMD(256) CHECKSUM(257) CMD128CHECKSUM37100: SAVE BOOT0' 9(10169)32ı((10170)0ı3RWTS19j CHECK FOR SIMPLE DECRYPTION LOOP AT $B700 (KEY<>0 ON EXIT IF FOUND)KEY0((8448)160ı)(8449)26ı*(8450)185ı5(8451)0ı6(8452)183ı 7(84(9984)132ı!(9985)72ı5(9986)133ıH(9987)73ıd "SEC; RTS" AT $B942?w(9026)56ı(9027)96ı "LDA $C08C,X" AT $B94F?(9039)189ı(9040)140ı(9041)192ı "JSR $XX00" AT $BDBT1 DECRYPTED,A$2000,L$A00"+RWTS0:12009RWTS250C1000U RESET FLAGS[q256,255:257,255w CHECK IF BOOT1 CONTAINS A NORMAL-SHAPED RWTS (RWTS=1 ON EXIT IF FOUND)RWTS0 "STY $48; STA $49" AT $BD00?NG BOOT1"$(4)"BLOAD AUTOTRACE"1XX9472>38767,XM38772,X1\38777,X2~38649,90:38650,151:38400:XX1:X97286201000 DECRYPTED BOOT1 WAS CAPTURED, NOW SAVE IT"SAVING BOOT1 DECRYPTED"(4)"BSAVE BOOXX1:X9728520W1000<X TRY TO AUTO-DECRYPT BOOT1fY (SCAN FOR JMP ($08FD) OR JMP $B700)Z (IF FOUND, PATCH IT AND REBOOT)bX9472l(X)76(X)108690v(X1)0(X1)253690(X2)183(X2)8690 "DECRYPTI500XX1:X9728420(1000? ENCRYPTED BOOT1?y (SCAN FOR EOR ($F8),Y; STA ($F8),Y IN $BB00 RANGE)X9472(X)81590(X1)248590(X2)145590&(X3)2485900"/!\ BOOT1 IS ENCRYPTED":600N141,34,15,140,35,15,142,39,15,169,1,141,32,15,141,42,15,169,48,141,241,28,169,15,160,30,76,0y NIBBLE CHECK AT $BB00? (SCAN FOR LDA $C089,X)X9472(X)189490(X1)137490(X2)192490"/!\ NIBBLE CHECK AT $BB00",A$2200,L$800";  $BDBB HOLDS HIGH BYTE OF START OF RWTSO  (USUALLY $B8)e(10171)184400 NON-STANDARD RWTS START LOCATIONI768796:X:I,X:I797,(10171)5""SAVING IOB"'(4)"BSAVE IOB,A$300,L$1E"+1000\, 74,1300:KEY0220A "/!\ BOOT1 IS ENCRYPTED":"DECRYPTING BOOT1"W 38826,KEY:38820 (4)"RENAME BOOT1,BOOT1 ENCRYPTED" "SAVING BOOT1" (4)"BSAVE BOOT1,A$2000,L$A00" RWTS0:1200 RWTS0400 "SAVING RWTS"(4)"BSAVE RWTS0316)81000& STANDARD BOOT0, SO< AUTOTRACE BOOT1B Y "CAPTURING BOOT1"t (4)"BLOAD AUTOTRACE" 38649,22:38650,151:38400: BOOT1 WAS CAPTURED, NOW SAVE IT "SAVING BOOT1" (4)"BSAVE BOOT1,A$2000,L$A00" KEY0:(10314)76(10315)240(10316)182ĺ"/!\ BOOT0 JUMPS TO $B6F0":130 u(10314)76(10315)192(10316)8ĺ"/!\ BOOT0 JUMPS TO $08C0":130 v(10314)76(10315)240(10316)8ĺ"/!\ BOOT0 JUMPS TO $08F0":130 x(10314)108(10315)253(1 d BOOT0 WAS CAPTURED, NOW SAVE IT* e> i"SAVING BOOT0"b n(4)"BSAVE BOOT0,A$2800,L$100" r(10314)108(10315)254(10316)187ĺ"/!\ BOOT0 JUMPS TO ($BBFE)":130 s(10314)76(10315)0(10316)187ĺ"/!\ BOOT0 JUMPS TO $BB00":130G t CMD129CHECKSUM36200: SAVE BOOT1` CMD130CHECKSUM39700: SAVE AUTO-DECRYPTED BOOT1i 90 ((4)"BLOAD BOOT0,A$9800" 2(4)"CATALOG" <1000 Z FIRST RUN [216,0: CLEAR ONERR ^"CAPTURING BOOT0" _(4)"BRUN AUTOTRACE"$ 4AM WORK DISK5 FEATURING AUTOTRACEL RWTS EXTRACTION,` IOB CREATION,~ NIBBLE CHECK DETECTION, RWTS AUTO-DECRYPTION 2015-01-26 CMD(256) CHECKSUM(257) CMD128CHECKSUM37100: SAVE BOOT0'         ƭ󍭠卍䠣±䠣󍠠󍍱䠣Š󍭠󍍱卍ǍͬԠƠҠΠΠȠōŠҠŠŠҠҠӍΠŠŮ䠣µ󍍱Ԡ􍠠čϠŠӠƠ٬ӠҠҠŠčԮΠϠԠ̠ōӠҠԠӠŠōҠ٠ͬӠҠҍ٬ҠΠΠΠƍԬԠҠŬ󺍍宍ŠŠӠĠӠӢԠ٠Ơ٠ĬӍҠĬǠԠԠԠ嬠嬠謠嬍嬠嬠﬍󮍍㩠퍍䬠嬠堢墩䩍箠󍍭󩍠箠㬠󍍠Р󠱰䠱宠ԍ宠嬠卍Ӡ箠̭ͭ占ᠨ󩍠箠캠󬍠퍍󺍍堨󩍠箠ᠲ堨󩍠箠䍠􍍭堨󩍠箠Яӯ묠򠮲宠Ӡ󮍍堠련᩠Р뮍ԠӮР嬠뮍Рԩ뮠䮍嬠ήР묠ȠΠ̠ˮР𮍍Р宠ӬӠӠӮΠЬ讍䮠占ᬍӬ򍭠򍭠䡍報􍠠󍠠ɠ򍠠󡍍占􍠠뮢Р򍠠Ӡ᭭򭭭렠򢠨Рɠ              iiHh`.!2! 2!`D![!w!HH`- ` `L'.!  `L .!  (`,H h ȑȑȑȑi  88`.!J m3!4!7!6!i5!.! %! 5!5!6!` ō O@ǭ$8`ihheHH08$`H ԰hH  hH hi  hheHH  ȱ  0P`,,-hh  P4HIH[H` Ű OL H & :  &x0 P+ Ұ° OxLkm &)] &)O &)A)n & &L °L O*&G &L ´H OI' & L'ʊm-0,8-'ʊL= µ O&J &l ōK O^1 &L P &H@A &`+ = 'H ° O鷥X & J &鷩xH+3' & h+ (` ñ O鷥'  &L ´  O7RJ &LD &xH+1' & h+ ( ñč" O%J@( &ȑ L  ̱ōd ON &l= &`& M &L  аÍ N O4* &JJJJx  ·9 OB & 4 &鷢P  Oޥ: &. &  & Ų׍ O: &. &  & ų׍ O: &. &  & Ŵ׍ O/ &i@9ȥLI ų׍ O:R &.T & S &Ր б׍S Oե:W &.Y & X & в׍X O:\ &.^ & ] & г׍] O: &. &  &ސ űנ & в׍ O: &. & ռ  & г׍ O: &. & ռ  &ސ ű׍ Oޥ: &. & ռ  & Ų׍ O: &. & ռ  & & гҍ O?/ &ɰ.6 & 5 &ސ űҍ5 Oޥ?9 &ɰ.@ &\8 ? & Ųҍ? O:y &.{ & ռ z &Ր б׍z Oե:~ &. & ռ ҍ Oޥ? &ɰ. &Ф  & Ųҍ O? &I. &  &Ր бҍ Oե@ &ɰ/ &V  & вҍ O> &ɰ- & ?O &ɰ.V & U &Ր бҍU Oե@Y &ɰ/` & _ & вҍ_ O>d &ɰ-k & j & гҍj O? &ɰ. &Ю  &ސ  OЩi O ü ü O1 &݌ЩL ư O꽌ɪgH &Hh LꩰLY & =^ & / ±I OR O _ O; &꽌ɭLʾ#  OVɭ1 &8L2C)pJJJJ IH(ȱH:=IH[H` &`L i=L\Ʃ8m@ &аa &Ui, &H*J)j4]hiHx+i &L  &i< ԍ@ O'+l> /+8 &鷎귭෍ᷩ췩緈JJJJx8 &77777777777JJJJx@ &HIHHHHhHH݌hHI  H  JJJJ  U  I  M  ,Ɉɋɕ1Ɋ-ɍ$8 X /(`8pLiɀLJ &' +JJJJ ?\>m0M=L` LsL- LLC   / X  4   ʊ >!?! ,L)- ` @  ҠȠΠ̠ˠA    $            =ʼn_ &xBbעBO1K1bBaXF?F@`HXFYF$eF% "h D` ժުժު>B?2@5 K5.@B"9<KI!#LԲ2rB r@5>M rl$ r茉0̃baRw!b/=oavwR';axorVwBCEbec'.BCov000?"2>!mImI3axovwR';mArϏB'/=bצJbצfJfBarwBO1K1b4o?Bbf0B%%_u&=.;& !:<)= z}}) }|<ɂ} }=զy }|z 2z }|zi`hhw[ɂTqPYL< Wyi  f Q)? (}Zs p}Yɂ^_ p^_L =<<<=`x / Xi i$8i (i)iH/?2 fk 2i )?0('((QQ?)JJJJJJ?@ H)h H)h @Ң6<=7BC>?HHL,<=<' .< <ȄB<C!=8? , /LĩŠӠ̠ō ɱ %O P Vɲ KO P F ĠȠƠ̺ h> # &C BB >O ?P   ! `yy`8` # &6` . 1Vv` L` L ````<= 8<<=< <=8<<==Ȱ<}<=}=(8 0й(` d d''H hL:)`#jjm jkik0 ΁ ` [((L_JJ_) _)ȩ_)Ȅ` ` [I1((΁ `HJJJ h) e)i)` J%H$HH  (<)=<ɠi@ (   hh$h [L?H$ [hL x` `FG8`0($ p,&"m 귈x c` d`  6s LdQ X !  > Es .'PWSPsn  : m _ -ɛ!jW@kX Lɛ L Nm >, BL^ ( fWjXk  "` 0:9` @ 6Lu BL'Hȅb -h  +bLJ*b)bJH8  h Fbb*V&b'8*1Ibib&& 8  ' & &  Lb)*++`bjj#F8 8    bnLjcJx2`LLB8 [<=<(ȱ L  (֠ҠŠn st A L 3L "ŠȠΠΠ®ؠˠ!#JJJJ )  ݩjЅk ݩj؅kL@mljש׭`j j )j`8`h K< K=< b``a`` ` Y >` h ɮȹɵɷɲɷ`LjЅk hL h T?؅k h@ h T3 үΠԠġLH_)Ji=_J(jI<<h<`8 ɚ L#ɛL (ɠ`ɛ,LYɚ, ` ɛLYɚ ɕ(ɍ ` Ɉ0 ` H HL? ˠ_ LHJJ h)L%Puj8]hk^i` 0 `j   )` @`, ` E c V M jWSN kXT ? ( sn  : X Y LLHh Hh`%H$H  $h$hL[ LX $#xӠŠϠ!L! ]m ]^i^` $$$$`,,, ԠŠ` ` (!Ӡ"!Ϡԍ`stwuv`,rs0t rrLjntrrtst ErHIht H mh`H nj轊mh` >Ps  sPt  t` źP  Lw %H$H  $#L   ! Ԡst Ƞ  Lhr ԠLe Ԡ w ! $h$h%L"  (' ɠ @( (ΠԠ  s  s t  t  [  l `ܱj`M jN kƠ,snLjcb_ -`n  :ȅb_ -` mS  (ԠȠŠ Ԡ JJJJ Š   l `  # (Ǻ("ӠȠΠӠ(ΠŠԠˮ! `_ m/ _. _`8` ˭Ժ!$$ s HJJ$ h- ĺ!$$ s HJJ$ h. - . , ú!$$ s HJJ"$ h/ `j kk8`jj`ejjkik`jk0j`8`jkUjVk8`j`jk$kp귭 , jhhl LZ 2м```  Q` "(   ` ! ` L  ɛLYɚ Llhi>hi?>l ȥqȱ>H>Hqȱ>ȱ> e $ zlq` - _ `0 NOL,)`HH$()? @(hh``LBLB LB H轳 轳 h k kj аNjHjCk ` ` 轳 k͂ #} ͂ j̓ j̓ jō췭k Ok l  K  аL_췍 k뷍"!Ҡ"!Ҡàq ք]ÍT6 ; L ;L BL  B L @ ;f L ; L ;L 6 1 @ L L L 6 1 @ -L  B 1 zL ; @ L @ PL @ ;L @ 6L 췩뷩 , L 췩аѭL  !͠Ժ h訾 H H B / Xhh  LL佂L  !Ԡκ "!ҠԠˠ"!Ҡl"!ˠ"!Š"!"̭!Ԡ^"!Ԡl"!,f0L!Ʃq     ɢ$d v]ΫD Ժt   ճ G c$ T k  f$ BL! BL BLl  K 鷩귭n >   "!Я^"!Ԡl"!Ҡ "!ˠ^"!Ġ͠l"! "!Ԡ^"!Ġl"!Π"!Ԡ^"!٠l"!Ӡ"!Ӡ"!ӳ^"!ˠ Q ) 0       `֩'   z,  :l L 2 Q  ժުժժުHIӠ٠پ ժު ժǍ΍߿ϟժުժު &;:נˠŠנԁgŠԠˠtԠӠˠΠŠ`  W! W! W!  WӠˠĠȠׁԠˠ` ԯ XU3O Q _KJԠY S)( ϾYG KJtE ŠΠ3O c ͮΠ3K 1 Fsz ǮMKJNKJOKJ E~z   KJ~z sz  > ʊHiʊH`?\>m0M='+l> /+l  H d@hLҦ L~ L  ﵪ*i BB䵊嵰`72µ- i ư&( Rp s P  LLʬLoō                          z"#    °Ġ!´Ġ ͠ˠm ԰Ա Ӡ Ԡ°ŲԲ%Ԡµ ϠŠ ĠΠĠΠӠҠΠA Р РӠ`NG8`0($ p,&" ۿ ۿڿL흍ٿ vLQ  !"#$%&'()*+,-./0123456789:;&Y&&Y& 꽌ɪ\8`&&꽌ɪɖ'*&%&,E'зЮ꽌ɪФ`+*xS&x'8*3Ixix&& 8  '  & x)*++>J>J>VU)?`8'x0|&HhHh VY)'&Y)xꪽ)' `Hh`V0^*^*>&` aI꽌ɪV 鷎귭෍ᷩ췩緈JJJJxLLȿ L8ᷭ緍췩 緍i 8 `巬 췌`x (`(8`I`B` ` `' +JJJJ ?\>m0M='+l> /+l  H d@hLҦ L~ L  ﵪ*i BB䵊嵰`72µ- i ư&( Rp s P  LLʬLoōD6b^_0* \:L>M3'Nqn!@>n&2n,5nEE =˸ٷi]Gh]ʉ 3&1 368ZDehq4ÿ)N쑊  j%<T;j]!`֐K(j+FbIؾ^;bpJBŒ~NȤ6HM8K;n!*8mbQ̲/ /%>ݎaj`浍국䵍뵩嵠Jm赍嵊mjnnn浈ۭm浍浭m䵍䵩m嵍`"L ŵ8ŵH x(` # d£àĠz#ƴ 󮜳` 0۰ϬBƴ8`i#`ЗLw!0>ﵭ` m ﳐ 7i볍 8 ЉLw`H h ݲL~  B8` 4L ֵȱB׵ ܯ䵍൭嵍 ` DȑB׵Bֵ  ַ յյ`` ᥠ hh`ĵµ`ڿ8.ڿ.ۿ`êL`õĵBCõĵ`µµ`L õBĵCصص Qƴ0"BLzĪLR E( 8` R` ELRŪƪ`췌 յյI뷭鷭귭ⵍ㵍跬ª 뷰` Lf ݵܵߵ޵ ^`8ܵ i · JLǵBȵC`,յp` 䯩 R-յյ`յ0` K R-յյ`ɵʵӵԵ` 4 K ( ѵҵLBȱBL8` DBHBH : ַ޵BȭߵBhhӵԵ RBܵmڵ޵ȱBݵm۵ߵ` 䯩LR˵̵ֵ׵` 紅D贅F B ƴ  / 0L Ν `ND8HFFhDh N ş`, ŵBѵ`, ѵB8`  XI볩쳢8 DH E𳈈췍Ȍ X0(ȴ) ȴ 7L L ( L (ȴL{ƴѵ洩ƴǴҵ 7 ^* B0 HȱBh ӵԵ 8 L8 ݲ` ܫ  / / şFD B / / ]ƴS0Jȴ ȴ)  `  4 ò-յ!  8صٵ紭ﵝ 7L (0+BC  7L HH`LgL{0 HH` õL H hBL BH [ h`Lo õ ڬL B ڬ LH hB@ յյ [L J"#' *L̠٠ŠˠӠ٠ͱàƠ٠ӶıӶIJӠ٠٠ϠŽԠŠĠӠԠԠĠӠΠŠġӠӢϠԠҬâϠJi# c NO SUCH BINARY FILE EXISTS! L08"'&"#* &` c PLEASE INSERT CORRECT DISK CORRECTLY IN THE CORRECT DRIVE AND PRESS Q ɍLYI`ĠΠéL X c LOAD IOB MODULE- 0'   ;L c PLEASE TYPE THE NAME OF THE FILE TO LOAD FILE: c _ Q Ɉɍ'ɠ  c  c PL c ,D_ Q ɱɲ ) K 4 +. JJ)ȱJ!JHȱJh9! *!B c UNABLE TO FORMAT! PRESS RETURN TO GO BACK TO MENU Q ɍL X c LOAD RWTS MODULE- PAGE TO LOAD AT (MUST BE A 2-DIGIT HEX NUMBER):   L  Ɉ L LL c 0L''J ;'LJh`K H Kh`) ɺi``/`،#'J" * *+E8@' c  Q hh L 0'` X c FORMAT DISK IN DRIVE: _ Q ɱɲ )  c INSERT DISK AND PRESS RETURN Q ɍ* `KJ ɮAJ   Ɉ3 LHJ JhJJ$ c P  ɈJJJJJIJJ*JJ  (KJJJJJJ JJ J`JJ J`JJJJ JJ J` c _ Q ɍɮɈɰǰɺ)H h(`H Q ɸLɱIp76 c 80NJ J G&J (J c Lɛ`,ɛ`hhLh&h'&'&H h'H&H`i G'&)?&`'& )&`LHJh``i GJi&&` GJi& 婮 LG 0к m(  L K Q ɍ  I K 3 06. m( KKL P c  c TRK: +.5: 0123456789ABCDEF0123456789ABCDEF0123SC0: SC1: SC2: SC3: SC4: SC5: SC6: SC7: SC8: SC9: SCA: SCB: SCC:  c SCD: SCE: SCFKn Q ɍ  I K  KK ND SECTOR: $  2* c BACKWARDS COPYING NOT SUPPORTEDL c INCREMENT:  c P c MAX # OF RETRIES: _   c COPY FROM DRIVE 1 TO DRIVE: Q ɱɲ) X) c INSERT DISKS AND PRESS RETURN Q ɍ XLLUȌȌD c CHANGE DEFAULT VALUES Q L X c INPUT ALL VALUES IN HEX SECTORS PER TRACK? (13/16) 1_ Q ɳɶ  c START TRACK:   c START SECTOR: $  c END TRACK:  c Exة67  / X'(P"# - c (C)ONVERT DISK LOAD NEW (R)WTS MODULE LOAD NEW (I)OB MODULE (F)ORMAT TARGET DISK E(X)IT TO MONITOR L?ɍɈɕ  ޢ X / XX LYL         (ILũLJ4KL:5L :=ILũLJlKLLL~L ILŠ!I!*` < $<VDP (ED Z $0x8x D- DLHIHHHHhHH݌hHhHh݌H6 h    `HJ>݌h Hh݌` ﶵBD <=>?>>!`FG8`0($ p,&"h8 흠 BȱBȭۿHۿ ȿL߼  !"#$%&'()*+,-./0123456789:;&Y&&Y& 꽌ɪ\8`&&꽌ɪɖ'*&%&,E'зЮ꽌ɪФ`+*xS&x'8*3Ixix&& 8  '  & x)*++>J>J>VU)?`8'x0|&HhHh    VY)'&Y)xꪽ)'     `Hh`V0^*^*>&` aI꽌ɪVɺ련򠲩報䠲ԠӠĠӠ΢報堲堢ӍǠԠġԺؠƠӿ٠͠ŠϠŠ뺠뺠򺠤򺠤ƍ뺠뺠򺠠Ơ򺠠Ʃ򮍍堭썠ᠢ뮍ԠҺĠ˺ĠҺᠱ뮠堢ӠҠˢ뮩Ԡ˺ᠢ堍ᠢ련Ӡᠢ련Ӡ󠱳򠱶蠱à묠멠堲΢٢󮍍ӠҠ˿ᠱ İŠԠӿ려򠤰려򠤰Ƭ荱Ԡˠ뮠ԠˢήӠ ԠϠҺ堢󮠠ήΠӠ뮍Ġנ źӍӠ뮠ԠԠ˺嬠ӠԠ˺뮠占묠㮍ĠנӠźӠ련Ӡ󮍍à΍󺍍堢쬠嬠뮠堢󢮠򮠠ẢӠ嬠¸¸ӧ¸Ӡ䠤ƮǠӠӍӠӠ뮠堢ĠנӠŢŠύĠԠԠŠԠؠҩ묠Ӣââ䢬庍ˠŭġӠӢϠԠҬâϠō뮠뮍Ң𠭭䮍ע𠭭󺍍Ң䮍ע󮠠卢Ң堢ע뮠堢Ңע򮠠󮠠宍󮠠󮍍宠򠱶򩬠򬠠쮩蠢ˢ󮠠።렠󮠠𮠠嬠퍤󠤰려˺ưưðñòóôõö÷øùºúĺźƺàƠ٠ӶıӶIJ𮍍ŠӠٍ󺍍ĠΠé̠٠ŠˠӠ٠͍卍Ӡ٠٠ϠŢ󠱭󩬠ԠԠˠĠӠ΢Ӡ󠵠뮍䬠ή䠱嬠ԠŠˠĠӠ΢ή련̭î̭à占à䮍蠢̭򠢴¸͢占ŧӠᠢ墠宠ɠɠ䡩̭î占Ӡ󍠠Ӡ󮠠Э٭Рō٠Ǡ˺占򮍍ҠӠ嬠󍠠䍠Ҡ占ӮӠ򍠠嬠栤İӠ占䮍Ӡ嬠栤¸ 􍠠䍠 䬠䍠䮍Ӡ䍠 ƠŠ٠ŠàĠРİӍ 庍Ӡ٠Ʋ򍱴ŠƠؠƲ򍱴íĠƠƲ򍱴ƭĠƠƲ危ƠӠ ̍Ҡ堣렣ĠƠƲ򍱴àƠ٠ؠ報 嬠묠Ӡ 嬠í® Ǡ Ӎ Ӯ ӠӠ ®ᠢŠԠĢ򮍍ŠԠŠԠˠ٠ΠԠŠŠĠӍξӮŠŠōŠƠŠŠϠĢ宠άᠱᠲ󺍍ϠȠ٠Šӡ䮠󍠠ưӠӧӠ宍бӧ堠ӠӠ宠䍠፠􍠠Ƞ宠占ư􍠠宠􍠠Ӯӧ󬍠Ӡ󮍍̠̠Ƞӧ占󮍍̠堲􍠠ȠԠ󍠠󮠠𠳠䍠퍠Ӡ蠲Р堲Рͬ͠占占Ӡ٠Ӎ󺍍嬠Ӡ󮍍۫ɬӠ뮠䍢ϢϢϠ򮍍􍲭󩮠㱢堢Ӡ٠٠ϠŢ덠󠱳󮩍堢󮍍ᠢ宍嬠򠢠ӠҠ˿려򠤰려򠤰î占󠱮려䍠ŧӠ󠰭ԲӰà婮占ήԠˢή󮍍묠ᠢӠ荠ŠŭӬ̤ΠĠנӠŢήӠ¸ᠢ墠蠶̭Р捠婮Ԡݩ󮠠ϢŧӮᠠƱź  ƲŠ ƲŠ Ʋˠ ƲҠ 뮍 堨³堨宍 󺍍占ƱŠ Ӡ󠠠ԱԬìà嬠፠𠳠占堲ɠĬԠ占Ԡ̠ȍЩᠤԠ宍԰占ӮƠፍ٠嬠䍠堳䠲Ӎ󩬠 󍠠󍠠堢䍠̭٠䮠፠򍠠砢ԠϠҢƠ䠠ùᠤ䠤ōƮƵàƸà䬠썠򮠠䬠ù婠䠤Š婠ԍ砤䍠獠穬堲፠䮍ƲԠƵ󍠠Ԡ䍠Ӡ 䮠󍠠ӬӠŠ獠ﮠؠ򍠠 Ơ堲䍠 вٍàгԡӠ􍠠Ġд󠤴¬荠 뮠ŰҠᠤàᠤƠ򠱳䠱򠩍 ӠӬ荠󮍠ᮍ  嬠宠 占à쮍íƠ䠠嬠󮍠嬠 ͠ 宠砢Ġנ Ţ 􍠠䮠򍠠 î占덠ƷŭҠӠ𠲠󍠤ƸР̠򍠤ƸΠҠӍƸɠŠ 䩍íƠ栠㍠ƷРó忍ƷѠΠ荠ƷРij򿍠ƷŠٱƷí󍠤Ʒĭ򍠤ƶҲ٠򍠤ƶβ٠򍠤ƶٍƶִ̠ƶ­ҠԠ󍠤ƶŭ ƷٱҠΠ򿍠Ƶà􍠤ƵŠӴ􍠤Ƶ٠䍠Ƶíִұ٠占Ƶƭα٠ҠӠӠ􍠤ƴ­䍠ƴĭŠ占ƵҠ򍠤ƵàӴ占ƵРˠ􍠤Ƴĭ֠렣󍠤ƴŠƴŠ占ƴŠ􍠤ƴ Ӡ󮠠󺍍Ƴ³٠Ҡ򍠤ƳؠǠ򍠤ƳҠ堣렣Ƴ􍠠獠Ӡ ԬݍƳ³占砤ƱƠ捠宠󠱭򮠠䍠Ҡ Ʋú ƲƺԠ ƳƠĸ ƬĸƲƠƠנԍƲ̠ ƲǠ Ʋ ƲŠ Ʋº䬠捠䠱宠荠嬠䠹䍠样Ӡ󍠠Ӡ􍠠Ӡ 󩮠򮠠宠󠤹Ԡ󠤲󩬠䍠Ʈ°󍠠򮠠ᠤ􍠠ƱΠΠ占򮍠뮍Π䮠퍠報 ﮍĭƠ䩍ưԠԠ占٠󍠠ﮍà֠󠤰򠤰덠፠٠ٮ 嬠٠䮍ﬠ፠宍٠􍠠󠤰 ٠퍠򠰰렰堤ŮŸӠì婍ŹӠ占󠤰፠퍠堰򠰰󍠠󩮠ӠàŠ䠤荠렰󮍠宠報占堨󩬍ӠàᠤŶà䍠ᮍŷààӠӮŴààᬠ占ӮŵӠ䍠ᮍ려ŲӠӠӠ􍠠ᮍųààᬠ占űӠ퍠뮠䍠ᠤ렰嬠Ǻư堢ĠƠùƠ°àĠӬŬȠӠ荠뮠󠱮򠠠Πٍ퍍䠴Ӡݍݍݍðҍ͠򩍤ƸͲƠԍõōĸŠԍĠԍưԱƵҍ占ӮӧǠӠ栤¸٠Ԡİ䍠Ӡ뮍ðĠɯϠ 䍠堤İ􍠠Ӡ占 嬠٠Ԡ􍠠䍠宍İӠӮ䍠Ӡ፠뮠Ӡ 嬠䍠宠􍠠򮠠䍠Ӡ 󮩍ĸŭƠ䬠󩍍ưà􍠠󮠠Щ占󠱭z      󮍍IJĠԠݠ򍠠ƱƩijƠӠݠ謍󠤸뮩ӧ箠򍠠ƹƩ󍠠Ӡ笠捠ӠíƮӠ󍠠쭤Ơ፠Ӡ占Ӡ占Ʃ󍠠ӠӍƲƠ䩍İǠݠӍL\HIHHHHhHH݌hHhHh݌H6 h Լ ռ ռ ռ`HJ>݌h Hh݌`HH ᥠ <=>?렯獍卍ƭ􍠠栤İ栤򮍍堢堢Ԣ栢٢箍ӮƠ󩮠􍠠󠱮䬠䍠򮍍堤 堨獠󮍍򮠠占宠󍠠𮩠笠썠䠢̭ɸ堤䠤ԠϠҢ̭٠䠦宠፠婮󠤱ư䠤ƱŠĠ ŮӠӠ􍠠Ӡ蠢ĠנӍŢР 䬠퍠Ӡ렯笠򍍭묠ĠӠϢ¢򩍤ư堢Ģ멍堢򩍤Š堢â􍍭󩍠źàϠƠ٠Ϡ֠àƠ٠ӶıӶIJ 堢멍ķ堢àӺà堢ĢàƠĢ荤ijƠ󠱭荤İӠîƠԺ 堢âĠĢ荤IJĠƱƩ􍠠A3 18 60 03 8A A3 4C B4C0- 82 A5 32 7E A5 4C 84 9D B4C8- 20 71 A4 A5 68 48 A5 67 B4D0- 48 38 AE 61 AA AC 60 AA B4D8- D0 01 CA 88 8A E8 6D 73 B4E0- AA 85 68 AD 72 AA 85 67 B4E8- C6 68 20 BC A3 CA D0 F8 B4F0- 68 85 67 68 85 68 60 02 B4F8- 51 A3 9A A3 02 5A A A5 4C B478- 36 9E 30 49 B7 60 A0 20 B480- B9 59 B7 99 00 03 88 10 B488- F7 4C 00 03 A9 BF 85 01 B490- A0 00 84 00 91 00 C8 D0 B498- FB C6 01 A5 01 C9 08 B0 B4A0- F3 AD 81 C0 20 93 FE 20 B4A8- 89 FE 4C 00 E0 01 C1 B7 B4B0- 60 03 72 9E 4B B7 12 02 B4B8- 96 8 A5 B0 E5 68 AA E8 65 B438- 68 85 68 C6 68 20 BC A3 B440- CA D0 F8 68 85 68 6C 60 B448- 9D 12 BB A3 98 49 AA 51 B450- 67 91 67 88 C0 FF D0 F4 B458- 60 A9 01 20 B1 A4 13 2F B460- 9E A9 80 85 D6 30 0B AD B468- 00 C0 C9 83 F0 F9 4C D2 B470- D7 EA A9 06 03 02 Once decrypted, the raw patch records look like this: *B400.B519 B400- 1E 74 AA C8 C5 CC CC CF B408- A0 A0 A0 A0 A0 A0 A0 A0 B410- A0 A0 A0 A0 A0 A0 A0 A0 B418- A0 A0 A0 A0 A0 A0 A0 A0 B420- A0 01 26 A4 A1 21 4C A4 B428- A5 68 48 38 A5 AF E5 67 B430- A0 (pointed to by ($00)) and continuing until the first byte of the record is $00 (compared at $B583). The general format of each record is +0 [1 byte] length of data, or $00 +1 [2 bytes] starting address (-1) +3 [variable] data to write in memory4 02 LDY $02 B597- 65 00 ADC $00 B599- 85 00 STA $00 B59B- 90 D9 BCC $B576 B59D- E6 01 INC $01 B59F- D0 D5 BNE $B576 B5A1- 60 RTS Each patch is a variable-length record, starting at $B4002 STA $02 B587- C8 INY B588- B1 00 LDA ($00),Y B58A- 8D 79 B5 STA $B579 B58D- C8 INY B58E- B1 00 LDA ($00),Y B590- 8D 7A B5 STA $B57A B593- 98 TYA B594- 18 CLC B595- A B576- B1 00 LDA ($00),Y B578- 99 FF FF STA $FFFF,Y B57B- 88 DEY B57C- D0 F8 BNE $B576 B57E- A4 02 LDY $02 B580- C8 INY B581- B1 00 LDA ($00),Y B583- F0 1C BEQ $B5A1 B585- 85 hange various memory ; locations, based on a list of patches ; at $B400 B56A- A9 00 LDA #$00 B56C- 85 00 STA $00 B56E- A9 B4 LDA #$B4 B570- 85 01 STA $01 B572- A0 00 LDY #$00 B574- F0 0B BEQ $B581 *B55BL Finally some real code. ; set reset vector B55B- A9 4B LDA #$4B B55D- 8D F2 03 STA $03F2 B560- A9 B7 LDA #$B7 B562- 8D F3 03 STA $03F3 B565- 49 A5 EOR #$A5 B567- 8D F4 03 STA $03F4 ; a loop to cY B54B- 10 F4 BPL $B541 B54D- A0 00 LDY #$00 B54F- B9 00 B4 LDA $B400,Y B552- 59 00 B8 EOR $B800,Y B555- 99 00 B4 STA $B400,Y B558- 88 DEY B559- D0 F4 BNE $B54F *2030VDP (FD Z $0x8x D- ܸD $9E36 9E3D- 4C D2 D7 JMP $D7D2 9E40- EA NOP 9E41- A9 06 LDA #$06 This part of late-stage boot usually sets the reset vector to something useful. Instead, this patch will set the Applesoft RUN flag (zero page $D6), which makes73 end up at $9E30 (part of the late-stage boot), and they look like this: 9E30- A9 80 LDA #$80 9E32- 85 D6 STA $D6 9E34- 30 0B BMI $9E41 9E36- AD 00 C0 LDA $C000 9E39- C9 83 CMP #$83 9E3B- F0 F9 BEQ ork disk: the files themselves are encrypted. Location | Description | Value -------------+------------------+------ $B45E | length of data | $13 $B45F/$B460 | starting address | $9E2F $B461..$B473 | data The $12 bytes from $B461..$B40 B1 A4 JSR $A4B1 This is an on-the-fly decryption that occurs as Applesoft BASIC programs are loaded. ($67) points to the BASIC program in memory. This explains why I couldn't LOAD or RUN any of the BASIC programs on this disk when booting from my w TYA A3BD- 49 AA EOR #$AA A3BF- 51 67 EOR ($67),Y A3C1- 91 67 STA ($67),Y A3C3- 88 DEY A3C4- C0 FF CPY #$FF A3C6- D0 F4 BNE $A3BC A3C8- 60 RTS A3C9- A9 01 LDA #$01 A3CB- 2scription | Value -------------+------------------+------ $B449 | length of data | $12 $B44A/$B44B | starting address | $A3BB $B44C..$B45D | data The $12 bytes from $B44C..$B45D end up at $A3BC, and they look like this: A3BC- 98 nds past $A450, which is normally the part of DOS that handles loading Integer BASIC programs. It also adds a call to $A3BC, which is normally a test for Integer BASIC, but which I'm guessing is about to get overwritten in a later patch. Location | De3BC A465- CA DEX A466- D0 F8 BNE $A460 A468- 68 PLA A469- 85 68 STA $68 A46B- 6C 60 9D JMP ($9D60) This is changing the behavior of the LOAD command for loading Applesoft BASIC programs into memory. It exte $67 A455- A8 TAY A456- A5 80 LDA $80 A458- E5 68 SBC $68 A45A- AA TAX A45B- E8 INX A45C- 65 68 ADC $68 A45E- 85 68 STA $68 A460- C6 68 DEC $68 A462- 20 BC A3 JSR $A | starting address | $A44C $B428..$B448 | data The $21 bytes from $B428..$B448 end up at $A44D, and they look like this: A44D- A5 68 LDA $68 A44F- 48 PHA A450- 38 SEC A451- A5 AF LDA $AF A453- E5 67 SBC patch munges one branch instruction in the middle of the LOAD command handler at $A413 (c.f. "Beneath Apple DOS" p. 8-12). Location | Description | Value -------------+------------------+------ $B425 | length of data | $21 $B426/$B427 ws immediately; there is no record separator. Location | Description | Value -------------+------------------+------ $B421 | length of data | $01 $B422/$B423 | starting address | $A426 $B424..$B424 | data | $A1 The second | length of data | $1E $B401/$B402 | starting address | $AA74 $B403..$B420 | data The first patch sets the name of the startup program, which is blank on disk (T01,S09) but is now patched in memory (at $AA75) as "HELLO". The second record follo3 A6 B500- A3 15 96 A3 EA 18 60 8D B508- 61 AA 8C 60 AA 20 E0 A3 B510- 4C 85 A5 20 FF A3 4C 85 B518- A5 00 Which translates to a series of patches all throughout DOS: Location | Description | Value -------------+------------------+------ $B400 NEN8n!>n&n2n,n5n<YYY`t does nothing but claims to have succeeded. Location | Description | Value -------------+------------------+------ $B4BC | length of data | $03 $B4BD/$B4BE | starting address | $A38A $B4BF..$B4C1 | data This patch adds a "JMP $A582" . Location | Description | Value -------------+------------------+------ $B4B7 | length of data | $02 $B4B8/$B4B9 | starting address | $A396 $B4BA..$B4BB | data | 18 60 This patch neutralizes the SAVE handler at $A397 so iue -------------+------------------+------ $B4B1 | length of data | $03 $B4B2/$B4B3 | starting address | $9E72 $B4B4..$B4B6 | data This modifies DOS's image of the page 3 jump vectors so that will jump to $B74B, a.k.a. The Badlandsength of data | $01 $B4AE/$B4AF | starting address | $B7C1 $B4B0 | data | $60 This puts an RTS instruction at $B7C2, which would normally set up the RWTS parameters for writing DOS after INIT. Location | Description | Val $FE93 B774- 20 89 FE JSR $FE89 B777- 4C 00 E0 JMP $E000 Looks like this is going to be The Badlands routine that wipes main memory and exits. Location | Description | Value -------------+------------------+------ $B4AD | l STA ($00),Y B763- C8 INY B764- D0 FB BNE $B761 B766- C6 01 DEC $01 B768- A5 01 LDA $01 B76A- C9 08 CMP #$08 B76C- B0 F3 BCS $B761 B76E- AD 81 C0 LDA $C081 B771- 20 93 FE JSR 750- 99 00 03 STA $0300,Y B753- 88 DEY B754- 10 F7 BPL $B74D B756- 4C 00 03 JMP $0300 B759- A9 BF LDA #$BF B75B- 85 01 STA $01 B75D- A0 00 LDY #$00 B75F- 84 00 STY $00 B761- 91 00at $B47D end up at $B74A, which is normally the part of the disk initialization routine that writes DOS to a freshly initialized disk. The new code looks like this: B74A- 60 RTS B74B- A0 20 LDY #$20 B74D- B9 59 B7 LDA $B759,Y Bd ensure you couldn't do anything useful. Defense in depth!) Location | Description | Value -------------+------------------+------ $B47A | length of data | $30 $B47B/$B47C | starting address | $B749 $B47D..$B4AC | data The $30 bytes It's just a JMP to the code that was just patched earlier: A503- 4C 36 9E JMP $9E36 Thus, trying to break to the prompt during boot will hang until you press something else. (Even if you did manage to get to the prompt, the RUN flag wouln | Description | Value -------------+------------------+------ $B474 | length of data | $03 $B475/$B476 | starting address | $A502 $B477..$B479 | data The 3 bytes at $B477 end up at $A503, which is the tail end of the RUN entry point. any command typed from the BASIC prompt RUN the current program in memory instead. The rest of the new code (at $9E36) checks for and hangs until you press something else. That part is skipped for now, but I'm guessing it's called later. LocatioL\1N8n 'nnnnn%YUY9:HHHH췩jL詷 HhhL)ཉhh췠Ș)HhIȘ)oHh꽌ʴHHhhٴl꽌hhLF ) )) j880^݌Hh ü ü݌ ռ ռ ռA ļD ļ? ļAEDE?HJ>h Լ ռ ռ ռ`HJ>݌h Hh݌`HH ᥠ + 1N8n 'nnnnn%YUY9:HHHH췩jL詷 HhhL)ཉhh췠Ș)HhIȘ)oHh꽌ʴHHhhٴ  messed up DOS that is maximally unfriendly to prying eyes and maximally incompatible with any other version of DOS. It decrypts both BASIC and binary files on the fly, traps , traps , sets the RUN flag, and disables the SAVE command. in memory through the routine at $A3FF, which serves as both an encryption and decryption routine (it's just XOR after all). That's it. The next byte is $00, so the BEQ at $B583 branches and the patch loop exits gracefully via RTS. The result is a reallyE0 A3A3- 4C 85 A5 JMP $A585 A3A6- 20 FF A3 JSR $A3FF A3A9- 4C 85 A5 JMP $A585 It looks like this *encrypts* binary files on-the-fly. One branch of the BSAVE handler jumps to $A39A; the other jumps to $A3A6. The latter routes the data ytes at $B504 end up at $A397, overwriting the SAVE command handler. They look like this: A397- EA NOP A398- 18 CLC A399- 60 RTS A39A- 8D 61 AA STA $AA61 A39D- 8C 60 AA STY $AA60 A3A0- 20 E0 A3 JSR $A3 sets up a jump to $A3A6 at the end of the BSAVE command handler. Location | Description | Value -------------+------------------+------ $B501 | length of data | $15 $B502/$B503 | starting address | $A396 $B504..$B518 | data The $15 b $A39A in the middle of the BSAVE command handler. Location | Description | Value -------------+------------------+------ $B4FC | length of data | $02 $B4FD/$B4FE | starting address | $A35A $B4FF..$B500 | data | A6 A3 Thisas well. Encrypt all the things! Location | Description | Value -------------+------------------+------ $B4F7 | length of data | $02 $B4F8/$B4F9 | starting address | $A351 $B4FA..$B4FB | data | 9A A3 This sets up a jump to 85 68 STA $68 A5B0- 60 RTS The previous patch set up a jump to $A582 at the end of the BLOAD handler. It looks like this is reusing the on-the-fly decryption routine at $A3BC (already used for Applesoft programs) for binary programs AD 72 AA LDA $AA72 A5A0- 85 67 STA $67 A5A2- C6 68 DEC $68 A5A4- 20 BC A3 JSR $A3BC A5A7- CA DEX A5A8- D0 F8 BNE $A5A2 A5AA- 68 PLA A5AB- 85 67 STA $67 A5AD- 68 PLA A5AE- AE 61 AA LDX $AA61 A58F- AC 60 AA LDY $AA60 A592- D0 01 BNE $A595 A594- CA DEX A595- 88 DEY A596- 8A TXA A597- E8 INX A598- 6D 73 AA ADC $AA73 A59B- 85 68 STA $68 A59D- at $B4C5 end up at $A57F, where they look like this: A57F- 4C 84 9D JMP $9D84 A582- 20 71 A4 JSR $A471 A585- A5 68 LDA $68 A587- 48 PHA A588- A5 67 LDA $67 A58A- 48 PHA A58B- 38 SEC A58C-to the end of the BLOAD command handler that starts at $A35D. Location | Description | Value -------------+------------------+------ $B4C2 | length of data | $32 $B4C3/$B4C4 | starting address | $A57E $B4C5..$B4F6 | data The $32 bytestϠ&!LhH8ghehhh hhl`IQgg` /0 ɃLL60I` YL L`rK`L2~L qhHgH8a`ʈmshrgh hghh`QZ`a` L LN8n!>n&n2n,n5n<YYYKI ȱȱyȱze` `HhrfuV0c*^*<&` aI꽌ɪVc$tϠ&!LhH8ghehhh hhl`IQgg` /0 ɃLL60I` YL L`rK`L2~L qhHgH8a`ʈmshrgh hghh`Q!! ! o. 204 ------------------EOF------------------ LDA #$18 BB08- 48 PHA BB09- 4C 93 B7 JMP $B793 T00,S05,$03 change "4E 06 BB 71 6E 0A BB 40 27" to "A9 B5 48 A9 18 48 4C 93 B7" Quod erat liberandum. --------------------------------------- A 4am crack NIt does not, however, hinder copying the disk itself. The only patch I need to bypass the copy protection is at $BB03, to unconditionally push $B5/$18 to the stack and jump to $B793. BB03- A9 B5 LDA #$B5 BB05- 48 PHA BB06- A9 18