Bookends v1 and v1.1 (Sensible software, 1983)

[toinet]

#988 - This is a utility software to manage your library. Search data thanks to advanced features.

Note that I've generated v1.1 from the .FDI copy provided by Jorma H. and I've copied the files onto my fresh crack of v1.0. What is v1.1 is the program, not the protection

Disk structure
This is a weird disk. Single-sided but the noise made by the disk drive is frightening. The disk does not boot on a IIgs with the smartport interface, it relies on the open phase of the Disk II interface card. But I had a IIe with such an interface card.
Tracks 2-3 and F-22 can be copied, the others are not readable.
From T15, we have the executable and sample data. So, we believe that the first tracks contain the boot code and prevent the rest from running fine.

Protection type
This is a weird disk. I knew that Sensible Software made heavy protections and I was not disappointed but they are made to prevent boot tracing and once you have the correct data in memory, the game is over!
What do we find?
- encoded data (boot 2 at $300 uses key #$99)
- nibbles read in memory and decyphered once loaded (thanks to the same key)
- nibble count (two because two is better than one)
- load addresses not in RAM but stored in nibbles! You know, like EDD!
- key generated from the firmware ROM (grrr, not good for compatibility but now it runs on a IIgs)
- mandatory data stored in the keyboard buffer at $200..$202
- load code in the text screen at $400..$7FF
Arrgghh!

Boot trace
Note that there are some code in the next messages of this thread but I have not disassembled all of them, I will over time.
We start with our usual move:
9600<C600.C6FFM
96F8:20 DA FD 60
9600G
01
We run the first part of the crack on a //e because it does not boot on a IIgs
The code is moved to $200 (just like DOS 3.2) and it loads the next stage at $300 where we find the first encoded data from $33F to $3FF. The key is stored at $200 and is the value of the first byte of the sector: #$99
96F8:A9 98 8D 43 08 4C 01 08
9800:A9 00 8D 31 03 4C 01 03
9600G
*beep*
At $331 restore the A9 value.

Now, the code searches for the nibbles DB B7 and loads the following nibbles at $7800..$7FFF. The code at $35F "unpacks" them at $400..$7FF and jumps to $400.

Now, the code (the one is the next messages) moves the arm, checks the nibbles, moves the arm, etc. and then loads the following data:
- the intro picture at $4000..$5FFF
- the boot code at $88C.$108B
- the DOS 3.3 image at $9D00..$BFFF
by loading nibbles at $9000..$9AFF, decyphering them and putting them at the right place.

What I did is disassemble the code at $400..$7FF and rewrite some parts of it to load the mandatory data in memory, save the mandatory values ($200..$202) and send control to me. That part was done on a IIgs, so I could save memory through a bit of 16-bit code (my modified code at $300..$7FF in bank $10 copied to bank $00 and executed there).

It WORKED!

So, in memory I have:
- the boot code at $88C..$108B
- the boot image at $4000..$5FFF
- the DOS 3.3 image at $9D00..$BFFF
I moved the data in bank $20 of my IIgs

How to normalize
First, I INIT HELLO,D2 a blank disk
Then, I copied TF-T22,D1 to my blank disk,D2
Then, I booted the disk
It did not find the HELLO file (it does not exist yet)

[toinet]

The original code at $400..$7FF

[toinet]

And my modified code, still at $400:

[toinet]

The original and modified code at $0300.
The one that reads nibbles from T0 at $7800..$7FFF

[toinet]

And my modified code to decypher the nibbles from $7800..$7FFF and put the data at $400..$7FF