My latest conquest is Reading Pack 1 by Highlight Software. This was one of several similar titles sent to me by Dave_E from this thread viewtopic.php?f=32&t=9040
There was multi-level protection on the disc;
- 1. The disc was a 40/80T hybrid, designed to run on 40T,
2. Only tracks 0 and 29 to 39 in 80T mode were formatted and included data,
3. Track 11 in 40T mode contained only one sector and that had a Data CRC error. The Track ID was also phoney, announcing itself as Track 22. (This corresponded to tracks 22 and 23 in 80T mode.)
4. The disc title contained VDU23 commands that slowly faded the screen and hung the machine.
5. The filenames on the disk all had top-bit-set characters so they would not appear on the catalogue.
6. There were only three files appearing on the disc.
7. The disc size had been wrongly set.
8. The BASIC programs were hidden on the formatted part of the disc and encrypted as well.
9. The BASIC programs had machine code sections below PAGE and above TOP
The first line of attack was to examine !BOOT which was machine code. Amongst other things this program loaded code from &4000 to &57FF and decrypted it by EORing with &35. It then placed *BASIC|MPAGE=&4300|MOLD|MVDU6|MRUN|M into the keyboard buffer. !BOOT did not check for the Data CRC error or that other tracks were not formatted.
Extracting the code that !BOOT loaded allowed me to work out that it loaded one of two other programs directly from the disc surface and that it did not check for faulty formatting either.
The entry to cracking the protection was now clear. Using ADI and switching both my disc drives to 80T I copied Track 0 to a newly formatted 80T disc. I then copied tracks 29 to 39 inclusive.
Using the copied disk in 80T mode the software loaded and ran properly. It would not, however copy nor would it make an archive. Again using ADI I edited the catalogue sectors to remove the VDU23 trap in the disc title and I reset the disc size in T0 S1 to reflect the 80T size. Exporting to USB using my datacentre produced the SSD archive.
I did not change the filenames so that when *CAT is performed the disc looks blank. Kind of cute I thought.