------------Tangrams Puzzler-----------
A 4am crack                  2014-09-18
---------------------------------------

"Tangrams Puzzler" is a 1984
educational game developed by Ken
Coates and distributed by Milliken
Publishing Company.

COPYA fails immediately and
spectacularly(*).

(*)not actually spectacular

EDD 4 bit copy gives no read errors,
but the copy does not work. It sounds
like a standard DOS 3.3 boot, but then
it puts a "." in the top-left corner of
the screen and reboots.

Disk Fixer is a standalone sector
editor I just discovered. I've taken to
using it for most of the things I used
to do in my trusty Copy ][+ sector
editor. It's small and fast, and I can
launch it from ProDOS with the help of
DOS 3.3 Launcher.

Anyway, in Disk Fixer, in the Input/
Output Control settings (press "O"), I
turn off checksums. This ignores the
address and data epilogue bytes, and
also the checksum byte after the data
field. And lo and behold, I can read
every sector on every track! It does
indeed appear to be a modified version
of DOS 3.3. T11,S0F looks like a
standard VTOC directory sector with
filenames and pointers to track/sector
lists and whatnot.

Based on my limited experience cracking
other disks, I would guess that this
disk has

- Standard prologue bytes before the
  address and data fields [otherwise
  Disk Fixer would give read errors,
  even after ignoring checksums]

- Non-standard epilogue bytes after the
  address and data fields [otherwise
  COPYA would work]

- Some secondary protection [otherwise
  the bit copy created with EDD 4 would
  work]

Given the (relatively) weak structural
protection, I used to turn to the DOS
3.3 master disk, patch the RWTS to
ignore checksums and epilogue bytes
(changing $B942 from "SEC" to "CLC"),
and run COPYA. Then, one fine day, and
completely by accident, I came across
an original disk with a bad sector. I
suppose this shouldn't surprise me.
These floppies are decades old by now;
it's amazing any of them work at all.

The point is, I shouldn't be using
tools that ignore potentially serious
read errors. So, no more COPYA+B942:18
patch. From now on, it's Super Demuffin
or Advanced Demuffin to convert disks
to a standard format.

Since this disk looks like DOS 3.3 and
sounds like DOS 3.3, I'm going to see
what my AUTOTRACE program can do with
it.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

For those of you just tuning in, my
work disk uses a custom program that I
affectionately call "AUTOTRACE" to
automate the process of boot tracing as
far as possible. For some disks, this
just captures track 0, sector 0 (saved
in a file called "BOOT0") and stops.
For other disks that load in the same
way that an unprotected DOS 3.3 disk
loads, it captures the next stage of
the boot process as well (in a file
called "BOOT1"). BOOT1 contains sectors
0-9 on track 0, which are loaded into
memory at $B600..$BFFF. This generally
contains the RWTS routines which the
program uses to read the rest of the
disk.

If the RWTS is fairly normal as well
(and my AUTOTRACE program just spot-
checks a few memory locations to guess
at its "normalcy"), there's a good
chance I'll be able to use a tool
called Advanced Demuffin (written in
1983 by The Stack) to convert the disk
from whatever weird format it uses to
store its sector data into a standard
disk readable by unprotected DOS 3.3
disks or any other third-party tools.
In this case, AUTOTRACE extracts the
RWTS routines (generally loaded from
track 0, sectors 2-9 into $B800..$BFFF)
and saves *that* into a third file
called "RWTS".

If anything looks fishy or non-
standard, AUTOTRACE just stops, and I
have to check the files it saved so far
to determine why. But in this case, it
ran all the way through, automatically
capturing BOOT0, BOOT1, and RWTS files.
Now I can use Advanced Demuffin to
convert the disk to a standard format.
(It uses the disk's own RWTS to read
the original, then a standard DOS 3.3-
compatible RWTS to write out the data,
sector by sector.)

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
...

]BRUN ADVANCED DEMUFFIN 1.5

[press "5" to switch to slot 5]

[press "R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

[press "6" to switch to slot 6]

[press "C" to convert disk]

This disk is 16 sectors, and the
default options (copy the entire disk,
all tracks, all sectors) don't need to
be changed unless something goes
horribly wrong.

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:..R................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:..R................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

The disk's own RWTS gave one read error
on track $02, but the rest of the disk
copied without a hitch. The original
disk gives no indication of a bad
sector, so either this sector is unused
(and I got lucky) or this is part of
the copy protection.

Let's see if I can launch the program
from my work disk.

]PR#5
...

]CATALOG,S6,D2

C1983 DSR^C#254
149 FREE

ERROR #8 I/O ERR


Wait, what?

I'm pretty sure I saw a disk catalog on
track $11. So where is it?

Turning to my trusty Disk Fixer sector
editor, I see the problem. Track $11
does have a catalog, but the pointer to
the first directory sector has been
intentionally corrupted.

                 --v--

-------------- DISK EDIT --------------
TRACK $11/SECTOR $00/VOLUME $FE/BYTE$00
---------------------------------------
$00: 00 F1 0F 03 00 00 FE 00   @qOC@@~@
        ^^ ^^
     track,sector
   (should be 11,0F)

$08: 00 00 00 00 00 00 00 00   @@@@@@@@
$10: 00 00 00 00 00 00 00 00   @@@@@@@@
$18: 00 00 00 00 00 00 00 00   @@@@@@@@
$20: 00 00 00 00 00 00 00 7A   @@@@@@@:
$28: 00 00 00 00 00 00 00 00   @@@@@@@@
$30: 06 FF 00 00 23 10 00 01   F.@@#P@A
$38: 00 00 00 00 00 00 00 00   @@@@@@@@
$40: 00 00 00 00 FF FF 00 00   @@@@..@@
$48: FF FF 00 00 FF FF 00 00   ..@@..@@
$50: 7F FF 00 00 00 00 00 00   ?.@@@@@@
$58: 00 00 00 00 00 00 00 00   @@@@@@@@
$60: 00 00 00 00 3F FF 00 00   @@@@?.@@
$68: 00 00 00 00 00 00 00 00   @@@@@@@@
$70: 3F FF 00 00 00 00 00 00   ?.@@@@@@
$78: 00 00 00 00 00 00 00 00   @@@@@@@@
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL

---------------------------------------
COMMAND :

                 --^--

Third-party utilities can not catalog
this disk or work with any of its files
(every DOS file function routes through
this pointer), but the original disk
obviously has no problem. But how does
the original disk know? I scoured
"Beneath Apple DOS" until I found the
answer on page 8-28:

                 --v--

B011-B036 Read a directory sector
; (If CARRY flag is zero on entry, read
  first directory sector. If CARRY is
  one, read next)
; Memorize entry code.
; Set buffer pointers (B045).
; First or next?
; If first, get track/sector of
  directory sector from VTOC at offset
  +1,+2.
; Otherwise, get track/sector from
  directory sector at offset +1,+2. If
  track is zero, exit with error code
  (end of directory).
; Call RWTS to read sector.
; Exit with normal return code.

                 --^--

So, to read the first sector of file
names and other metadata, this routine
is supposed to look at the VTOC sector
buffer (read from T11,S00 and stored at
$B3BB..$B4BA). The VTOC says "hey, the
first sector of files and stuff is in
TF1,S0F" so DOS goes and tries to read
track $F1, sector $0F, which obviously
won't work.

But the DOS on this disk made one small
modification to that routine. (This is
stored on T01,S0F.)

B011-   08          PHP
B012-   20 45 B0    JSR   $B045
B015-   28          PLP
B016-   B0 08       BCS   $B020
B018-   AC BD B3    LDY   $B3BD
                                ------
B01B-   A2 11       LDX   #$11  << hey
B01D-   EA          NOP         << now
                                ------
B01E-   D0 0A       BNE   $B02A
B020-   AE BC B4    LDX   $B4BC
B023-   D0 02       BNE   $B027
B025-   38          SEC
B026-   60          RTS
B027-   AC BD B4    LDY   $B4BD
B02A-   8E 97 B3    STX   $B397
B02D-   8C 98 B3    STY   $B398
B030-   A9 01       LDA   #$01
B032-   20 52 B0    JSR   $B052
B035-   18          CLC
B036-   60          RTS

Instead of getting the track number
from the VTOC, it hard-codes track $11.

Now that I've identified the problem,
the fix is straightforward. If I change
the VTOC header (T11,S00) to point to
the actual first directory sector
(T11,S0F), DOS 3.3 or any other copy
utility should be able to read the
entire catalog. This disk doesn't care
either way, since it never looks at it.

T11,S00,$01 change "F1" to "11"

Now I should be able to catalog it from
my work disk.

]PR#5
...

]CATALOG,S6,D2

C1983 DSR^C#254
149 FREE

*A 011 BOOT
*B 010 JCODE.2048
*B 005 CS4
*A 019 MANAGER.BAS
*B 012 INS1
*B 009 INS2
*B 015 T.TPGS
*B 017 PLAY.DATA
*B 017 DATA.EDIT
*T 002 INTERFACE
*B 058 OBJ.PLAY
*B 057 OBJ.EDIT
 B 007 EDIT.DATA
 T 002 STDTAN
 T 065 STDTA
 B 034 PIC.LOGO
 B 007 A.LOGO

]RUN BOOT

The game loads without complaint. (It
even runs from drive 2!) There doesn't
appear to be any further protection
beyond the custom RWTS and DOS.

There are two problems with this copy:

1. Depending on how the original RWTS
   was written, a demuffin'd disk may
   not be able to read itself. Some
   developers just patch the RWTS to
   ignore epilogue bytes, while others
   patch the RWTS to look for specific
   non-standard epilogue bytes.
   Demuffin'd disks in the latter
   category will grind immediately on
   boot, since as soon as the RWTS is
   loaded, all further disk reads will
   look for the original (non-standard)
   epilogue bytes and not find them.

2. Even if it can read itself, it won't
   run. The copies I tried to make --
   even the bit copies -- just rebooted
   endlessly, which means there is some
   code being executed during boot to
   check if the disk is original.
   (Hint: it's not.)

This disk appears to be in the "strict
RWTS" category. My demuffin'd copy just
grinds on boot, which tells me that the
RWTS is looking for specific (non-
standard) epilogue bytes and failing to
find them. So I need to patch the RWTS
to undo the modifications and look for
the standard epilogue bytes instead.

For future reference (mostly mine),
here's a nice chart of the memory
locations for all the prologues and
epilogues in a DOS 3.3-shaped RWTS. If
the RWTS stores $B700 in T00,S01 (most
do), then $B8xx will be in T00,S02;
$B9xx in T00,S03; and so on.


                0x |  read | write
    ---------------+-------+-------
                D5 | $B955 | $BC7A
      prologue  AA | $B95F | $BC7F
     /          96 | $B96A | $BC84
    ADDRESS -------+-------+-------
     \          DE | $B991 | $BCAE
      epilogue  AA | $B99B | $BCB3
                EB |       | $BCB8
    ---------------+-------+-------
                D5 | $B8E7 | $B853
      prologue  AA | $B8F1 | $B858
     /          AD | $B8FC | $B85D
    DATA ----------+-------+-------
     \          DE | $B935 | $B89E
      epilogue  AA | $B93F | $B8A3
                EB |       | $B8A8
    ---------------+-------+-------


I spent way too much time making that.

Here are the patches to normalize the
RWTS. (Note to self: make an RWTS
comparison tool.)

T00,S02,$9E change "DF" to "DE"
T00,S03,$35 change "DF" to "DE"
T00,S03,$91 change "DF" to "DE"
T00,S06,$AE change "DF" to "DE"

Now my demuffin'd copy boots, loads
DOS, puts a "." in the top-left of the
screen, then -- and I am not making
this up -- displays the following
message and hangs:

                 --v--

      ATTENTION!

THE DISK DRIVE YOU ARE USING IS
OPERATING AT AN UNSAFE SPEED.

OPERATION OF THIS PROGRAM ON THIS DRIVE
MAY DESTROY THE PROGRAM.

PLEASE HAVE YOUR DRIVE SPEED CHECKED,
OR USE ANOTHER DISK DRIVE.

                 --^--

I should note at this point that my
"demuffin'd copy" is actually a disk
image being managed by a CFFA 3000
card. I copied the disk image back to a
physical floppy and booted it, and it
displayed the behavior I was expecting
(load DOS, print ".", then reboot --
just like my failed bit copy). Then I
copied the disk image to a modern PC
and ran it in two different emulators;
each time, it gave me the message about
the drive operating at an unsafe speed.

I'm about to give up on this DOS and
just blow it away and replace it with a
fresh copy of DOS 3.3. I've already
confirmed that the program itself loads
when I boot from my work disk. But now
I want to know whether this DOS is
really checking the drive speed, or if
that's just bullshit and misdirection.

So here we go.

]PR#5
...

]BLOAD BOOT0
]CALL -151

*801L
.
. nothing unusual
.

*BLOAD BOOT1

*FE89G FE93G     ; disconnect DOS

*B600<2600.2FFFM ; move RWTS into place

*B700L
.
. nothing unusual, until
.
B747-   4C 03 9B    JMP   $9B03

This usually jumps to $9D84, the DOS
cold start vector. I don't know what's
at $9B03 yet, but I can find out.

*C500G    ; because I overwrote DOS
...

]CALL -151

*9600<C600.C6FFM

; set up first callback
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; first callback is here -- set up
; second callback
970A-   A9 17       LDA   #$17
970C-   8D 48 B7    STA   $B748
970F-   A9 97       LDA   #$97
9711-   8D 49 B7    STA   $B749

; continue the boot
9714-   4C 00 B7    JMP   $B700

; second callback is here -- copy all
; of DOS to lower memory so it will
; survive a reboot
9717-   A2 25       LDX   #$25
9719-   A0 00       LDY   #$00
971B-   B9 00 9B    LDA   $9B00,Y
971E-   99 00 2B    STA   $2B00,Y
9721-   C8          INY
9722-   D0 F7       BNE   $971B
9724-   EE 1D 97    INC   $971D
9727-   EE 20 97    INC   $9720
972A-   CA          DEX
972B-   D0 EE       BNE   $971B

; reboot to my work disk
972D-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$130

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2,A$2B00,L$2500
]CALL -151

*FE89G FE93G

*9B00<2B00.4FFFM

*9B03L

; well that explains the "." in the
; top-left corner of the screen
9B03-   A9 AE       LDA   #$AE
9B05-   8D 00 04    STA   $0400
9B08-   4C 99 AD    JMP   $AD99

*AD99L

; read T11,S00...
AD99-   A9 11       LDA   #$11
AD9B-   8D EC B7    STA   $B7EC
AD9E-   A0 00       LDY   #$00
ADA0-   8C ED B7    STY   $B7ED
ADA3-   8C F0 B7    STY   $B7F0
ADA6-   8C EB B7    STY   $B7EB
ADA9-   C8          INY
ADAA-   8C F4 B7    STY   $B7F4
ADAD-   C8          INY

; ...into $0200..$02FF
ADAE-   8C F1 B7    STY   $B7F1
ADB1-   A9 B7       LDA   #$B7
ADB3-   A0 E8       LDY   #$E8
ADB5-   20 00 BD    JSR   $BD00

; not sure why we're checking the last
; byte of the sector we just read, but
; it appears to always be $00, so this
; branch will not be taken
ADB8-   AD FF 02    LDA   $02FF
ADBB-   30 03       BMI   $ADC0
ADBD-   4C 0B 9B    JMP   $9B0B

*9B0BL

; get slot number (x16)
9B0B-   AE F8 05    LDX   $05F8

; turn on drive motor (suspicious)
9B0E-   BD 89 C0    LDA   $C089,X

; this subroutine is a wait loop
9B11-   A9 0A       LDA   #$0A
9B13-   20 3A 9B    JSR   $9B3A

; this subroutine looks for the next
; available address field and does
; some suspicious bit math
9B16-   A9 05       LDA   #$05
9B18-   85 03       STA   $03
9B1A-   20 4E 9B    JSR   $9B4E

*9B4EL

; look for address prologue
9B4E-   AE F8 05    LDX   $05F8
9B51-   BD 8C C0    LDA   $C08C,X
9B54-   10 FB       BPL   $9B51
9B56-   C9 D5       CMP   #$D5
9B58-   D0 F7       BNE   $9B51
9B5A-   BD 8C C0    LDA   $C08C,X
9B5D-   10 FB       BPL   $9B5A
9B5F-   C9 AA       CMP   #$AA
9B61-   D0 F3       BNE   $9B56
9B63-   BD 8C C0    LDA   $C08C,X
9B66-   10 FB       BPL   $9B63
9B68-   C9 96       CMP   #$96
9B6A-   D0 EA       BNE   $9B56

; capture address field in $0200..$0205
9B6C-   A0 00       LDY   #$00
9B6E-   BD 8C C0    LDA   $C08C,X
9B71-   10 FB       BPL   $9B6E
9B73-   99 00 02    STA   $0200,Y
9B76-   C8          INY
9B77-   C0 06       CPY   #$06
9B79-   90 F3       BCC   $9B6E
9B7B-   AD 02 02    LDA   $0202
9B7E-   38          SEC
9B7F-   2A          ROL
9B80-   2D 03 02    AND   $0203
9B83-   85 06       STA   $06

; do some bit math on the sector number
; (result is in accumulator on exit)
9B85-   AD 04 02    LDA   $0204
9B88-   2A          ROL
9B89-   2D 05 02    AND   $0205
9B8C-   60          RTS

Backtracking to $9B1D...

*9B1DL

; store the result of the suspicious
; bit math
9B1D-   85 01       STA   $01

; another wait loop
9B1F-   A2 A8       LDX   #$A8
9B21-   A9 07       LDA   #$07
9B23-   20 3A 9B    JSR   $9B3A

; another call to the subroutine that
; looks for an address field
9B26-   20 4E 9B    JSR   $9B4E

; compare the two results and branch to
; $9B37 if they're different
9B29-   85 02       STA   $02
9B2B-   C5 01       CMP   $01
9B2D-   D0 08       BNE   $9B37

; do this whole thing several times
9B2F-   C6 03       DEC   $03
9B31-   D0 E7       BNE   $9B1A
9B33-   EA          NOP

; success path is here
9B34-   4C AC 9B    JMP   $9BAC

; failure path is here
9B37-   4C 10 9C    JMP   $9C10

*9C10L

; turn off drive motor
9C10-   AE F8 05    LDX   $05F8
9C13-   9D 88 C0    STA   $C088,X

; clear screen
9C16-   20 58 FC    JSR   $FC58

; this subroutine prints a zero-
; terminated string that follows, then
; resets the program counter to
; continue execution after the string
9C19- 20 8D 9B      JSR   $9B8D

*9B8DL

9B8D-   68          PLA
9B8E-   85 04       STA   $04
9B90-   68          PLA
9B91-   85 05       STA   $05
9B93-   E6 04       INC   $04
9B95-   D0 02       BNE   $9B99
9B97-   E6 05       INC   $05
9B99-   A0 00       LDY   #$00
9B9B-   B1 04       LDA   ($04),Y
9B9D-   F0 06       BEQ   $9BA5
9B9F-   20 F0 FD    JSR   $FDF0
9BA2-   4C 93 9B    JMP   $9B93
9BA5-   A5 05       LDA   $05
9BA7-   48          PHA
9BA8-   A5 04       LDA   $04
9BAA-   48          PHA
9BAB-   60          RTS

9C1C..9CEF is the ATTENTION message

9CF0-   A9 00       LDA   #$00
9CF2-   8D F4 03    STA   $03F4
9CF5-   20 C8 AD    JSR   $ADC8
9CF8-   10 03       BPL   $9CFD
9CFA-   4C 03 9C    JMP   $9C03
9CFD-   4C AC 9B    JMP   $9BAC

That seems to be the path that my disk
image takes on both the CFFA 3000 card
and under emulation. It really is using
a timing loop and repeated sector reads
to check the drive speed. The fact that
it fails under emulation is a result of
imperfect emulation, not any malice on
the part of the author. He honestly
cares about my drive speed. He never
even gets as far as checking if my disk
is original.

If the drive speed check passes,
execution continues at $9BAC. This is
the actual copy protection.

; position drive on track $02
9BAC-   A9 02       LDA   #$02
9BAE-   8D EC B7    STA   $B7EC

; don't actually read, just seek
9BB1-   A9 00       LDA   #$00
9BB3-   8D F4 B7    STA   $B7F4
9BB6-   A9 B7       LDA   #$B7
9BB8-   A0 E8       LDY   #$E8
9BBA-   20 00 BD    JSR   $BD00
9BBD-   B0 44       BCS   $9C03

; look for address prologue
9BBF-   20 4E 9B    JSR   $9B4E

; if not T02,S05, try again
9BC2-   C9 05       CMP   #$05
9BC4-   D0 F9       BNE   $9BBF

Aha! Remember that one unreadable
sector on track $02? The one that even
the disk's own RWTS couldn't read? It
turns out that sector is part of the
copy protection.

; look for a prologue
9BC6-   A0 63       LDY   #$63
9BC8-   AE F8 05    LDX   $05F8
9BCB-   BD 8C C0    LDA   $C08C,X
9BCE-   10 FB       BPL   $9BCB
9BD0-   C9 D5       CMP   #$D5
9BD2-   D0 F7       BNE   $9BCB
9BD4-   BD 8C C0    LDA   $C08C,X
9BD7-   10 FB       BPL   $9BD4
9BD9-   C9 AA       CMP   #$AA
9BDB-   D0 F3       BNE   $9BD0
9BDD-   BD 8C C0    LDA   $C08C,X
9BE0-   10 FB       BPL   $9BDD
9BE2-   C9 AD       CMP   #$AD
9BE4-   D0 EA       BNE   $9BD0
9BE6-   BD 8C C0    LDA   $C08C,X
9BE9-   10 FB       BPL   $9BE6
9BEB-   C9 AD       CMP   #$AD
9BED-   F0 F7       BEQ   $9BE6

; look for an unreasonable number of
; sync bytes (64) in a row
9BEF-   C9 FF       CMP   #$FF

; anything else just fails immediately
9BF1-   D0 10       BNE   $9C03
9BF3-   BD 8C C0    LDA   $C08C,X
9BF6-   10 FB       BPL   $9BF3
9BF8-   C9 FF       CMP   #$FF

; fail immediately
9BFA-   D0 07       BNE   $9C03
9BFC-   88          DEY
9BFD-   D0 F4       BNE   $9BF3

; ultimate success path is here -- jump
; to the DOS cold start vector and
; continue the boot as normal
9BFF-   EA          NOP
9C00-   4C 84 9D    JMP   $9D84

; failure path is here -- calculate the
; boot slot and reboot
9C03-   8A          TXA
9C04-   4A          LSR
9C05-   4A          LSR
9C06-   4A          LSR
9C07-   4A          LSR
9C08-   09 C0       ORA   #$C0
9C0A-   8D 0F 9C    STA   $9C0F
9C0D-   4C 00 C6    JMP   $C600

There are no side effects to this copy
protection. If it succeeds, it jumps to
$9D84 as usual. I can safely bypass the
entire thing by changing the JMP that
started it all, at $B747.

T00,S01,$48 change "03 9B" to "84 9D"

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 139
------------------EOF------------------