Microtype IIgs (South-Western, 1989)

[toinet]

#937 - The IIgs specific version of the keyboard learning program by South-Western Publishing. Cool!

Disk structure
This is a standard 3.5" ProDOS disk that can be copied apart from block 8. It is interesting to note that the catalog displays a set of 51 MicroType sub-folders only. That is weird!

How to copy
Use ZZCopy or Photonix II to copy your original disk TWICE. Then, store it in a dry and safe place.

Boot trace
When you boot your copy, the following message is displayed: "This diskette does not allow the making of a back-up copy."
So, I tried to catalog the disk. As the catalog was empty (I consider that 51 MicroType sub-folders means it is not the right main folder that is displayed, I browsed the entire disk to try locate the real volume folder. I found it at block $63B (pfew, that was long)
So, with Block.Warden, I read block #$63B, I saved it at block 2 and modified the first bytes (00 00 3C 06 -> 00 00 00 00) which contain the previous and next volume folder and then I played with my disk.

As it is a ProDOS disk, the boot process is ProDOS > BASIC.System (the first .SYSTEM file in the root directory) then STARTUP in our case. A read of the code loaded at $810 shows that it loads the BASIC1/HELLO file.

At line 10600, there is an init. The GSID file is loaded, a CALL 2073 is performed and if the result of PEEK(0)+PEEK(1)*258=18 we can go on, otherwise we display the "The diskette does not..." message.

So, what do we have at 2073 ($819): a jump to $924. There, the stack is preserved, X/Y (a pointer to the volume name) is passed to a routine at $00/3000 (that is the load address of the GSID file) and the return value (in A) is stored at addresses $00..$01. That is cool.

How to crack
We do not need to call the protection. We just need to bypass it and say that the return value is 18. So, we'll patch the STARTUP file only!

Launch Block.Warden
Insert the unmodified root directory copy (remember, I told you to copy it two times)
Change to Slot 5, drive 1
Read block #$44
At offset $12D:A0 00 00 22 -> A9 12 00 8F
Save the block back onto disk.

What I did is change the LDY #$0000 (A0 00 00) and JSL (22) with LDA #$0012 (A9 12 00) STAL (8F)

Exercise for the reader - One alternate crack could have been a change of the BASIC1/HELLO program at line 10640 by replacing the GOTO 10640 with a GOTO 11000...

How to normalize
As the root directory is moved to another block (#$63B instead of #$0002), I've decided to normalize the disk.
The actions performed:
1. Copy block #$63B at block #$0002,
2. Update the root directory pointers at offset $0000:00 00 00 00
3. Copy the files onto another disk
4. Replace the ProDOS 1.4 of the disk with a REAL ProDOS file system from Apple.
5. Done.

Why a REAL ProDOS file system? Because this is in that file that we have the routines to read the root directory. This is at two places and parameters are in X (high block pointer of the root directory) and A (low block pointer of the root directory). That is used at two places: offset $138C and $1933 of the ProDOS file. You can exercise and try the changes.

The disk images are available at http://www.brutaldeluxe.fr/crack/

Reboot and... enjoy,

LoGo
9/2017

[toinet]

Some code...

[toinet]

The BASIC1/HELLO program

[toinet]

The Block.Warden view