MacShock.com - Apple Forums
Antoine Vignau (12-20-2011, 10:50 PM)
Gertrude's secrets (TLC) now available

Gertrude's secrets v1.2
(c) 1982-84, The Learning Company
(k) 20/DEC/2011, LoGo

Gertrude's secrets is educational software. Help Gertrude, the
goose, solve puzzles and earn treasures.

In the archive, you will find the following files:
- asimov.rtf
  This file
- cracked.dsk
  The playable and unprotected diskette
- diskette.jpeg
  A scan (in color) of the original diskette
- howtocrack.rtf
  A step-by-step guide to help you copy your original diskette
- protected.dsk
  A raw 16-sec diskette, not the original NIB diskette, but one with no
  bytes changed and thus with the protection check included!

A later revision of the archive will contain a scan of the box and the
manual.

On Asimov, the archive will be found under /images/educational/ (I
have just uploaded it).
Until then, it can be downloaded from http://www.brutaldeluxe.fr/public/

Antoine "LoGo" Vignau
Brutal Deluxe Software
Steve Nickolas (12-21-2011, 12:40 AM)

On Tue, 20 Dec 2011, Antoine Vignau wrote:

> Gertrude's secrets v1.2
> (c) 1982-84, The Learning Company
> (k) 20/DEC/2011, LoGo


Funny there's so much on the disk for what I'm 99% sure is a
single-loader. (And a 48K one at that... which doesn't even use
$0400-$07FF, and can easily handle having the HGR screen 1 repurposed at
boot...)

I wonder if the version I remember was a later version. I don't remember
the ] or "Gertrude is flying to her nest" being there. (The differences
are comparable to the two different editions of Rocky's Boots.)

Tricks I adopted originally with Dapple and ApplePC as cracking tools, I
am now perfecting with AppleWin. xD

(I suppose one of these days I'm gonna have to acquire a copy of Juggles'
Rainbow to crack the damn thing...my attempt to backport it from the PC
failed miserably.)

-uso.
N.N. Thayer (12-21-2011, 04:50 AM)

On Dec 20, 3:39 pm, Antoine Vignau <antoine.vig...@laposte.net> wrote:
> Gertrude's secrets v1.2
> (c) 1982-84, The Learning Company
> (k) 20/DEC/2011, LoGo
>
> Gertrude's secrets is an educational software. Help Gertrude, the
> goose, solve puzzles and earn treasures.
>
> In the archive, you will find the following files:
> - asimov.rtf
>   This file
> - cracked.dsk
>   The playable and unprotected diskette
> - diskette.jpeg
>   A scan (in color) of the original diskette
> - howtocrack.rtf
>   A step-by-step guide to help you copy your original diskette
> - protected.dsk
>   A raw 16-sec diskette, not the original NIB diskette, but one with no
>   bytes changed and thus with the protection check included!
>
> A later revision of the archive will contain a scan of the box and the
> manual.
>
> On Asimov, the archive will be found under /images/educational/ (I
> have just uploaded it)
> Until then, it is can downloaded from http://www.brutaldeluxe.fr/public/
>
> Antoine "LoGo" Vignau
> Brutal Deluxe Software


Fantastic, sir! After many years, this one can finally be taken off
Asimov's (and several people's) want-lists.

The date and aesthetic of the game match those of the Gertrude's
Puzzles that I uploaded a few years ago. If there were indeed
multiple versions, this would appear to be the first one - usually the
best one to have, at least from an archival perspective.
N.N. Thayer (12-21-2011, 04:50 AM)

For convenience, here's Antoine's full method from howtocrack.rtf:

********************

1. Check the format
- Launch Copy II+, bit-copy mode and edit all tracks
=> Epilog markers are all changed and give the following information:
- Header markers: D5AA96 Fx Fx EB (instead of D5AA96 DEAAEB)
- Data markers: D5AAAD Fx Fx EB (instead of D5AAAD DEAAEB)
=> The diskette is not entirely formatted
- Only tracks $00 to $12 are formatted, the rest is garbage


2. Make a copy
As epilog markers were changed, we can either enter the usual B942:18
thing or bypass the check of the epilog markers (it speeds up the
copy)
- Launch Advanced Demuffin 1.4
- Go to the monitor
- B930: 18 60
- B98B: 18 60
- Press CTRL-Y
- Copy 16-sec tracks $00 to $12


3. Test the copy
Boot the copy, beep, it reboots, there's a check…


4. Please boot trace (on a IIgs)
- Go to the monitor (CALL -151)
- 9600<C600.C6FFM
- 96FB: A9 59 8D 84B A9 FF 8D 84C 4C 801
- 9600G
(beep)

Now, let's analyze the code at the usual RWTS place (from
$B700..$BFFF): at $B700, there is a call to $BB00.

At $BB00, a routine moves the $BB00..$BBFF area to $0200 and returns
from the subroutine. Weird…

Let's analyze the code at $BB0C (real address $020C)… It is a
desynchro protection, similar to the Epyx ones (funny, another shared
protection)

The principle is easy: the code reads some valid nibbles, adds some
cycles to desync the Logic State Sequencer and then reads other non-
valid nibbles (here E7 E7 EE). Then it reads eight nibbles and compares
them to the ones in its table (E7 FC EE E7 FC EE EE FC).

If the values are found, we have an original diskette. If not, it is a
copy: it clears the RAM area and reboots.

If it is an original disk, it patches values in RAM and puts #$80 at
$9E4E and #$A1 at $9E4F and jumps to $9E4D (note 1 for later)


5. How to remove the check
We know the first boot steps: $0801 (boot1) then $B700 then $BB00
(install the check) then the usual DOS 3.3 steps.

We need to find where the $020C routine is called. We have three major
ways: a JSR, a JMP or an indirect call.

To ease our life, we will search for the following pattern 0C 02
(instead of 4C 0C 02 or 20 0C 02)
- Launch Disk Fixer
- Press F (Find)
- Press H (Hexa)
- Enter 0C02
=> We have three results:
- Track 0 / Sector B / Offset 4E
- Track 10/F/31
- Track 12/D/3C
=> The last two findings are parts of a track/sector list of a DOS 3.3
file. We will focus on the first entry.

- Press R (Read) to read T0 / SB with Disk Fixer
- Move to offset 38 and press L to disassemble
=> At $4D, we have a 4C 0C 02 (JMP $020C)

We have found it! We replace 4C 0C 02 with 4C 80 A1 (see note 1
above)

6. Make a clean crack
We may also want to save cycles by bypassing the installation of the
protection check!
- Launch Disk Fixer
- Read T0/S1
- At offset $0, replace 20 00 BB (JSR $BB00) with 2C 00 BB (BIT $BB00)
- Save the sector back to disk


7. Are there other ways to crack it?
Yes, rewrite the $BB00 (real address $0200) routine. Or install a real
DOS 3.3 (not tested)


Reboot and enjoy!

Antoine "LoGo" Vignau
Brutal Deluxe Software
Sean Fahey (12-21-2011, 03:30 PM)
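The format check of step 1 above (Copy II+ shows address and data epilogs of the form Fx Fx EB where DOS 3.3 writes DE AA EB), reproduced as an added Python example. This is not code from Antoine's archive or from any post in the thread. It walks a raw nibble stream of the kind a NIB image or Copy II+'s bit-copy view contains, decodes each 4-and-4 address field, and reports every epilog that differs from the standard DE AA EB. The track is constructed inline: the specific values F4 F7 and FB FD stand in for the "Fx Fx" of the notes and are made up, as is the volume/sector data; a real disk's values are whatever Copy II+ displays for it.

```python
# Added example (not from the archive or the post): scan a raw Apple II nibble
# stream for 16-sector address/data fields and flag non-standard epilogs.

STD_ADDR_PROLOG = bytes([0xD5, 0xAA, 0x96])
STD_DATA_PROLOG = bytes([0xD5, 0xAA, 0xAD])
STD_EPILOG = bytes([0xDE, 0xAA, 0xEB])
DATA_BODY_NIBBLES = 342 + 1          # 6-and-2 encoded sector plus its checksum nibble


def encode44(value):
    """4-and-4 encoding used by the address field: one byte -> two nibbles."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])


def decode44(pair):
    """Inverse of encode44 (this is what RWTS does with the address field)."""
    return ((pair[0] << 1) | 1) & pair[1]


def address_field(volume, track, sector, epilog):
    """Build a complete address field with a caller-chosen epilog."""
    checksum = volume ^ track ^ sector
    body = b"".join(encode44(v) for v in (volume, track, sector, checksum))
    return STD_ADDR_PROLOG + body + epilog


def data_field(epilog, fill=0x96):
    """Build a data field; the payload content does not matter for epilog checks."""
    return STD_DATA_PROLOG + bytes([fill]) * DATA_BODY_NIBBLES + epilog


def scan_fields(track):
    """Return (kind, position, header, epilog) for every field found in `track`.

    header is (volume, track, sector, checksum) for address fields, None for data.
    """
    fields = []
    i = 0
    while i <= len(track) - 3:
        if track[i:i + 3] == STD_ADDR_PROLOG:
            body = track[i + 3:i + 11]
            header = tuple(decode44(body[j:j + 2]) for j in range(0, 8, 2))
            fields.append(("addr", i, header, bytes(track[i + 11:i + 14])))
            i += 14
        elif track[i:i + 3] == STD_DATA_PROLOG:
            end = i + 3 + DATA_BODY_NIBBLES
            fields.append(("data", i, None, bytes(track[end:end + 3])))
            i = end + 3
        else:
            i += 1
    return fields


def nonstandard_epilogs(fields):
    """Fields whose epilog is not DE AA EB, i.e. what a stock RWTS would reject."""
    return [f for f in fields if f[3] != STD_EPILOG]


def sample_track():
    """Constructed track: two fields with altered epilogs, one untouched field."""
    gap = b"\xFF" * 16
    return (gap
            + address_field(0xFE, 0x00, 0x05, bytes([0xF4, 0xF7, 0xEB])) + gap
            + data_field(bytes([0xFB, 0xFD, 0xEB])) + gap
            + address_field(0xFE, 0x00, 0x06, STD_EPILOG) + gap)


if __name__ == "__main__":
    for kind, pos, header, epilog in nonstandard_epilogs(scan_fields(sample_track())):
        print(f"{kind} field at nibble {pos}: epilog {epilog.hex().upper()} header {header}")
```

A field reported here is exactly one a stock DOS 3.3 RWTS would refuse to read, which is why step 2 of the notes either applies the usual B942:18 patch or short-circuits the two epilog checks with 18 60 (CLC / RTS) before copying.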
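Steps 5 and 6 of the notes, carried out over a .dsk image instead of by hand in Disk Fixer, as an added Python example; this is not code from the archive or from the post. It assumes a DOS-order image (35 tracks of 16 sectors of 256 bytes, sectors stored in the logical order Disk Fixer displays, so track/sector/offset maps straight to a file offset). It finds every 0C 02, keeps only the hit whose preceding byte is 4C (a JMP), rewrites that 4C 0C 02 to 4C 80 A1 (JMP $A180: the same $80 $A1 operand that, per note 1, the check stores at $9E4E/$9E4F when it accepts the disk), and rewrites 20 00 BB to 2C 00 BB at T0/S1 offset 0. Each patch is verified against the bytes it expects before writing, so pointing it at the wrong image fails instead of corrupting it. The sample image is constructed inline with the three hits at the positions the notes list; the decoy bytes around the two track/sector-list hits are invented.

```python
# Added example (not from the archive or the post): apply the two byte patches
# from steps 5 and 6 of the notes to a DOS-order .dsk image, with checks.

SECTOR_SIZE = 256
SECTORS_PER_TRACK = 16
TRACKS = 35
IMAGE_SIZE = TRACKS * SECTORS_PER_TRACK * SECTOR_SIZE   # 143360 bytes

# Assumption: sectors are stored in DOS 3.3 logical order, i.e. the numbering
# Disk Fixer displays, so T/S/offset maps straight to a file offset.


def offset(track, sector, byte=0):
    """File offset of byte `byte` of logical sector `sector` on `track`."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS_PER_TRACK and 0 <= byte < SECTOR_SIZE):
        raise ValueError(f"bad address T{track:02X}/S{sector:X}+{byte:02X}")
    return (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE + byte


def find_pattern(image, pattern):
    """Disk Fixer's Find: every (track, sector, byte) where `pattern` starts."""
    hits, start = [], 0
    while (pos := image.find(pattern, start)) >= 0:
        track, rem = divmod(pos, SECTORS_PER_TRACK * SECTOR_SIZE)
        sector, byte = divmod(rem, SECTOR_SIZE)
        hits.append((track, sector, byte))
        start = pos + 1
    return hits


def classify_ref(image, hit):
    """Opcode in front of an `0C 02` operand: JMP, JSR or neither (data, T/S list...)."""
    track, sector, byte = hit
    if byte == 0:
        return "other"            # operand at sector start: no opcode visible in this sector
    opcode = image[offset(track, sector, byte - 1)]
    return {0x4C: "JMP $020C", 0x20: "JSR $020C"}.get(opcode, "other")


def patch(image, track, sector, byte, expected, replacement):
    """Overwrite `expected` with `replacement`, refusing if the bytes are not there."""
    pos = offset(track, sector, byte)
    current = bytes(image[pos:pos + len(expected)])
    if current != expected:
        raise ValueError(f"T{track:02X}/S{sector:X}+{byte:02X}: expected {expected.hex()} found {current.hex()}")
    image[pos:pos + len(replacement)] = replacement


def crack(image):
    """Step 5: JMP $020C -> JMP $A180.  Step 6: JSR $BB00 -> BIT $BB00 at T0/S1+0."""
    jumps = [h for h in find_pattern(image, b"\x0C\x02") if classify_ref(image, h) == "JMP $020C"]
    if len(jumps) != 1:
        raise ValueError(f"expected exactly one JMP $020C, found {jumps}")
    track, sector, byte = jumps[0]
    patch(image, track, sector, byte - 1, b"\x4C\x0C\x02", b"\x4C\x80\xA1")
    patch(image, 0x00, 0x01, 0x00, b"\x20\x00\xBB", b"\x2C\x00\xBB")
    return (track, sector, byte - 1)


def sample_image():
    """Constructed image with the three `0C 02` hits the notes report (decoy bytes invented)."""
    image = bytearray(IMAGE_SIZE)
    pos = offset(0x00, 0x0B, 0x4D)
    image[pos:pos + 3] = b"\x4C\x0C\x02"                  # the JMP $020C found in step 5
    pos = offset(0x00, 0x01, 0x00)
    image[pos:pos + 3] = b"\x20\x00\xBB"                  # the JSR $BB00 that installs the check
    for track, sector, byte in ((0x10, 0x0F, 0x31), (0x12, 0x0D, 0x3C)):
        pos = offset(track, sector, byte)
        image[pos - 1:pos + 3] = b"\x03\x0C\x02\x0D"      # track/sector-list style data, not code
    return image


if __name__ == "__main__":
    img = sample_image()
    for hit in find_pattern(img, b"\x0C\x02"):
        print(f"T{hit[0]:02X}/S{hit[1]:X}+{hit[2]:02X}: {classify_ref(img, hit)}")
    print("patched JMP at T%02X/S%X+%02X" % crack(img))
```

Against a real image, replace sample_image() with bytearray(open("protected.dsk", "rb").read()) and write the result out; the two decoy hits are rejected by classify_ref, and a second run fails at the first patch because the JMP is no longer there, which is the behaviour you want from a tool that rewrites boot code.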

On Tuesday, December 20, 2011 3:39:12 PM UTC-6, Antoine Vignau wrote:

> Gertrude's secrets v1.2
> - *howtocrack.rtf


I guess Gertrude's Secrets aren't secret anymore. Nice hack.
D Finnigan (12-21-2011, 09:30 PM)

Sean Fahey wrote:
> On Tuesday, December 20, 2011 3:39:12 PM UTC-6, Antoine Vignau wrote:
>
>> Gertrude's secrets v1.2
>> - *howtocrack.rtf

>
> I guess Gertrude's Secrets aren't secret anymore. Nice hack.
>


You naughty boy! ;-)