8L2C)pJJJJ IH(ȱH:=IH[H`@HcH  $ +   I/H`JLNGȄBȄF aK  haaFF  mJm# KKJ UJ )J ۈ) ;J3ȱJFȱJGJKaȄM  aaNNJFLGJL LL <̩̍!I0$$, / Xx%0 /$    BOOT.TRACE.IO J BOOT.TRACE.IIX SHEILAi  RDOS{ < WAYOUTT7 D  )BIT.MAP.1"@  )BIT.MAP.3%@  )INFO.DESK(  ABQ.11.THE.HEIS+ ABQ.12.CRACK.UL/ j INTRO.KRAK91( KRACK' )CATALOG.1  )CATALOG.3   *DISK.MAP.1  *DISK.MAP.3  +BLOCK.MAP.1D  +BLOCK.MAP.3 >dLԡm#i㰼m#iЕOLԡȱfg hi !dLԡ憦  Ljmkm l y`2 Lԡ8(Je稽)ʈ@LLnSOS BOOT 1.1 SOS.KERNEL SOS KRNLI/O ERRORFILE 'SOS.KERNEL' NOT FOUND%INVALID KERNEL FILE: xةw,@  ȱlmi8#)!)? &PRODOS `DaElH$?EGvѶK+`L HHLy XP LM ŠϠĠӠS)*+,+`F)) (*=GJFjJJA QE'+ '== `@ STSP8QSS8 m P o R(8R 8$!J" " $ )Ȍ / $L!$$$$8  i $0 /$  %  ,, e$ $#` $ $   !@ L <PY!I0$$$$, / XN%0 &$     >$c! " c# #J& ! ů$ )Ȍ / ij$L!$$$$8   򮠠䮍卍 Ů 렰%% % ɰ$0 ` d'$ "$H hL "$H#8 i` ` 8V$0 /$ `卍έ­ҭҭ٭έ̭ǭЭԭ֭íP P  ȱ % -$H  H h -$" # -$ # -$ # # #$0 /$hٕ  0 ȱ ALHJJJJ #h) $0L ɺi$0 멤 Ln% `鈱H) $ hFj)JJG% L!$$ !# $  e "HHHHH$H$Hȱ "h$h$hhhhh !,ɃL "ɠɃɠ, i 8$  /$)eȱ 8  8$!J" " $ )Ȍ / $L!$$$$8  i $0 /$  %  ,, e$ $#` $ $   !@L <ߌ̩̍!I0$$, / Xx%0 /$    򮠠䮍卍 Ů 렰%% % ɰ$0 ` d'$ "$H hL "$H#8 i` ` 8V$0 /$ `卍έ­ҭҭ٭έ̭ǭЭԭ֭íP P  ȱ % -$H  H h -$" # -$ # -$ # # #$0 /$hٕ  0 ȱ ALHJJJJ #h) $0L ɺi$0 멤 Ln% `鈱H) $ hFj)JJG% L!$$ !# $  e "HHHHH$H$Hȱ "h$h$hhhhh !,ɃL "ɠɃɠ, i 8$  /$)eȱ 8i $0 &$  %  ,, e$ $#` $ $   `!@'% L8!$፛$ `!# $  e 2" HHHHH$HL <Ѝ!I0)%B%/%5%, / X)ɰ;d . Ӡ͠ӠˍԠٍ L"%0 J 0 0    򮠠䮍 Ůi   /$* &$ L% 렰%% % ɰ$0 ` d'٥ɮ %褐 %L# ` i  8\$0 &$ `ፍP P PP I$͡$ $ $L"ɮ $$ %  $$ %L"$$L%`L! $|$  /$$$$ &$$$ % #`` $ ! S#݈ɮ.`) $Hȱ !h$h$hhhhh `!,ɃL!ɠɃɠ, /$  &$)eȱ 8  ȱ % $捠$$ȱ捡$$)H  &$*讠$$ %h 0x `L# $e  i $0 &$  %  ,, e$ $#` $ $   `!@'% L8!$፛$ `!# $  e 2" HHHHH$HL <ߌPY!I0$$$$, / XN%0 &$     >$c! " c# #J& ! ů$ )Ȍ / ij$L!$$$$8   򮠠䮍 Ůi   /$* &$ L% 렰%% % ɰ$0 ` d'٥ɮ %褐 %L# ` i  8\$0 &$ `ፍP P PP I$͡$ $ $L"ɮ $$ %  $$ %L"$$L%`L! $|$  /$$$$ &$$$ % #`` $ ! 
S#݈ɮ.`) $Hȱ !h$h$hhhhh `!,ɃL!ɠɃɠ, /$  &$)eȱ 8  ȱ % $捠$$ȱ捡$$)H  &$*讠$$ %h 0x `L# $e   " `# x# #J) E" # A% )Ȍ / E%L5"J%K%M%N%8  i W%0 J  &  ,, 12)ɳ0D E2)CB,, ",⪱0 [$pɥ [$`ߤ HH [$hhL$,ɃLB"ɠɃɠ, i $ & 8 & JHH8HHȱ褐hh ȱ hhL 8)ȱ8eɾL2%8%ȱ3%9% #)0, S` # 2% 3% .%   `L5" 4% 2%3% # #` .%ʠ  #`@i0i@`0p $ e:%l& (%#` ,% -%   "@% L!,%-% "# $  e "HHHHH,%H-%HHHȱ E"hhh-%h,%hhhhh "Lf"ȥi  " `# x# #J) E" # A% )Ȍ / E%L5"J%K%M%N%8  i W%0 J  &  ,, 12)ɳ0D E2)CB,, ",L <Ѝ!I0)%B%/%5%, / X)ɰ;d . Ӡ͠ӠˍԠٍ L"%0 J 0 0    렰9&:& 9& ɰ$0 ` d'% `堠卍P P PP 򮍍 Ů⪱0 [$pɥ [$`ߤ HH [$hhL$,ɃLB"ɠɃɠ, i $ & 8 & JHH8HHȱ褐hh ȱ hhL 8)ȱ8eɾL2%8%ȱ3%9% #)0, S` # 2% 3% .%   `L5" 4% 2%3% # #` .%ʠ  #`@i0i@`0p $ e:%l& (%#` ,% -%   "@% L!,%-% "# $  e "HHHHH,%H-%HHHȱ E"hhh-%h,%hhhhh "Lf"ȥi% `堠卍P P PP 򮍍 Ů 렰9&:& 9& ɰ$0 ` d') This program allows easy access toOthe cataloging utilities for usetwith volumes other than the one(containing the utilities.2<This program should be enteredFwith the prefix set to thePdir with BIT.MAP, etc.Z $0 ` d'HFjFjFji0h)8#1`@ P0򮠠䮍 Ů 堰 # # # ɰ$&i'0b"(0c" ^"b"c"a"a" !,ɃL ɠɃɠ, i ! != " 2 #   L5!` ` 8! `L 4ɍ I0_", / X"0 !    b"c"`"0a" !J;  ," , ed"k" L ^")0*0H)hJJJJ($0 ` d'HFjFjFji0h)8#1`@ P0򮠠䮍 Ů 堰 # # # ɰ!#i'0b"(0c" ^"b"c"a"a" !,ɃL ɠɃɠ, i ! != " 2 #   L5!` ` 8! `L 4ɍ I0_", / X"0 !    b"c"`"0a" !J;  ," , ed"k" L ^")0*0H)hJJJJ(d44096 n(4)"PREFIX"& xPF$, 9 (12):U 11)"INFORMATION DESK"] : "Output to

rinter or 80 col creen?" P$:(P$)("Z")P$((P$)32) P1:P$"S"P3:280 P$"P"250 P$: ""Select utility to run:')*.01234567 monitor upon pressing reset. Also, you should have a copy of "Advanced Demuffin" by The Stack. To crack this excellent game, we will go through four (4) steps-- I. Save Ultima's RWTS II. Make a DOS 3.3 copy of original III. "Normalize" Ul*************************************** [ How to crack Exodus: Ultima III ] By: Apple Bandit *************************************** *** Note: All you need for this is your Apple, with an old monitor ROM, to allow you to enter theikFile] $DE $00 $03 $9B $E7 $AA The first mod disables the nibble count done on the disk. The other four make Micro Lab's RWTS compatible with DOS 3.3. It's cracked! Keep on Crackin'... (C): Apple Bandit & The Burglar/MPG [An Apple Bandit Quthe disk) Then use a disk editor and edit: Track Sector Byte Was Change to ----- ------ ---- --- --------- $00 $09 $0B $38 $18 $00 $02 $9E $D5 $DE $00 $03 $35 $D5 $DE $00 $03 $91 $9E *,-ough PROSEL). It is notD 0possible to have these programs comem :back here since they use all memory Dand will destroy this little program Nas well as BASIC.SYSTEM. (13)D$"1"$ D$"1"D$"2"460K D$:DEVICE((D$)("1"))128SLOT] 48944,DEVICE P1ĺ:"Turn on the printer then hit a key.";:A$: 24096  This executes the program, which exits through the quit protocol &(i.e. thrF:F$:1 (4)"BLOAD"PF$F$;P;",TSYS,A$2000"e "CATALOG.","BIT.MAP.","DISK.MAP.","BLOCK.MAP." :"Operate on disk in slot 6";(8); S$:S$(13)S$"6" S$"3"S$"7"420 S$:SLOT((S$)("0"))16 :"Drive 1";(8); D$:D$" ,:"0. Exit program"F 6"1. Catalog (volume tree structure)"h @"2. Bit map (blocks in use)" J"3. Block usage by files" T"4. File usage by blocks": ^F$:(F$)("Z")F$((F$)32) hF(F$)("0"):F4350 rF$::FĀ |I1tima's RWTS IV. Take out any checks or checksums ====== Step I: Save Ultima's RWTS ====== Start out by booting your original Ultima III program disk. When you see the title page, press reset. 
While in monitor, type: 6000 EA EA EA T:$03 S:$0A B:$68-69 -=> EA EA T:$04 S:$03 B:$53-54 -=> EA EA T:$10 S:$01 B:$8F-90 -=> EA EA On side two-- T:$00 S:$0D B:$75-76 -=> EA EA T:$01 S:$03 B:$49-4A -=> EA EA T:$01 S:$04 B:$71-72 -=> EA EA Now, just boot ed Ultima III-- (T=Track, S=Sector, B=Bytes) On side one-- T:$01 S:$06 B:$38-3A -=> EA EA EA T:$01 S:$09 B:$67-68 -=> EA EA T:$01 S:$0E B:$C4-C6 -=> EA EA EA T:$03 S:$04 B:$29-2A -=> EA EA T:$03 S:$07 B:$C0-C1 -=> 0F 60 T:$03 S:$09 B:$2er will be poisoned! To alleviate this undesireable side effect (ha! ha!) there are a few major checks that should be taken out. To do this, again, use any disk-zap program such as "The Inspector" or "Zap" and change the following bytes on of your convert disk?) has anticipated our modify- ing their DOS the way we did in Step 3, so they have littered the game with little checks that compare bytes in memory with the expected value, and if the result is not correct, the game will either bomb, or your charact Sector: $03 Bytes: $11-2B Type: AD 54 B7 0A 6D 54 B7 8D 26 B4 A9 00 8D 53 B7 A9 B7 A0 50 78 20 00 BD 28 18 60 74 ======= Step IV: Take out any checks ======= Origin Systems, or perhaps rather "Van Artsdalen" (the one who protected theet the data on the original disk. We want to by-pass this, so we'll find where this routine is on the disk, and modify it. Use a disk zap utility such as "The Inspector" or "Zap" to edit the following bytes on your converted side A disk-- Track: $00 RWTS entry is at $BD00 while Ultima's is at $B610, and normal RWTS's IOB is at $B7E8, while Ultima's is at B750. The routine at $B610 while Ultima is in memory looks up a different address header for each track, from a table, and then uses them to interpr to copy-- Track $01 Sector $00 to Track $10 Sector $0F ======== Step III: "Normalize" Ultima's RWTS ======== The RWTS on your converted copy of the program will still try to read the protected format or Ultima. 
Normal -ing Advanced Demuffin, follow the following steps-- From menu: Select "Load new RWTS" Enter page $B0 load filename "Ultima RWTS" From menu: Select "Load new IOB module" load filename "Ultima IOB" From menu: Select "Convert Disk" change defaults 0f 8d 52 b7 ad 22 0f 8d 54 b7 ad 23 0f 8d 55 b7 ad 27 0f 8d 59 b7 ad 2a 0f 8d 5c b7 a9 0f a0 1e 4c 10 b6 00 Then, "BSAVE ULTIMA IOB,A$1400,L$F0" Tracks $01-$10 (hex!) of side A are the only protected tracks on the disk. After BRUNram to read in with Ultima's foreign DOS and write out normally. To interface Ultima's RWTS, we must first create an IOB. Here it is, all ready for you to type in-- 1400:4a 8d 22 0f 8c 23 0f 8e 27 0f a9 01 8d 20 0f 8d 2a 0f a9 0f a0 1e ad 20 ut to our disk. If you don't have a copy of The Stack's "Advanced Demuffin", you should call up a good BBS and download it (try The Safehouse at 612/724-7066). Otherwise, you'll have to write a small program, or use "The Inspector" or other disk- zap progI. Then use any normal disk copy program, or even "The Inspector" if you have to, to copy-- Track: $00 and Tracks $11-$22 Now, we want to use Ultima's RWTS to read the program off the original disk, and then use normal DOS 3.3 to write the program ove Ultima's RWTS down to lower memory so we can save it and use it later. Now boot a regular DOS 3.3 disk, and type: BSAVE ULTIMA RWTS,A$6000,L$1000 ======= Step II: Make a DOS 3.3 copy ======= Use COPYA to copy side B of your original Ultima IIit up.....and have fun! Written: 09/02/83 By -- Apple Bandit -- === Call The Safehouse 612/724-7066 === >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< >> << >> AN INTRODUCTION TO CRACKING << >> ll be discussed later on. In any case, the other handy items are all software. The most important of these is a disk Zap program, some utility for editing a disk sector-by-sector. 
The best one of these that I have come across is Zap, from Bag of Trickmonitor ROM on your language card and an Autostart ROM on your motherboard, and switch between them as you like. This is very handy indeed, since you can have either one you want, whenever you want, simply by flicking a switch. The uses of a monitor ROM wi card contains an Autostart ROM image, which actually takes precedence over the ROM on the motherboard. However, you can easily construct a switch, which will allow you to choose between your motherboard ROM and your language card ROM. Thus, you can put a us places. Another way to get a monitor ROM is by simply buying one and installing it on your motherboard in place of your old Autostart ROM. Or, a similar modification, you can put it on your language card. Some of you may not know that your language several ways. The first of these is putting a monitor ROM image in a language card, and write-protecting the language card. This is a somewhat involved hardware modification that I will not go into here, but instructions for it can be found in numeroot *absolutely* necessary, for basic cracking. But if you're going to get a whole lot done, it will become needed. In order to have a monitor ROM, however, you do *not* have to own an Apple II. Those of you with an Apple II+ or Apple //e can come by one int someone else did! There are a few 'tools of the trade' which, although not absolutely necessary, will make your life a whole lot easier if you have them around. These tools include as one of the most helpful items a monitor ROM. Like I said, it is ne experienced programmers, but have never really gotten into the unprotection racket. In fact, knowing how to program is necessary if you're going to get very far in cracking software. 
There is no help for it, since the whole point is undoing something thaackers, you will probably not find a lot herein to spark your interest (although you can never be sure) -- this is especially for those new to the field. This does not necessarily mean that you don't know how to program -- there are many people who ar << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Greetings to all, and welcome to the wonderful world of Apple software unprotection! Those of you who are long-established hackers and cr << >> << >> by The Necromancer << >> 8:;<=>?@ABCDEFGHIJKLM << >> A treatise for the neophytes in the Apple world, << >> who are full of questions with no one to answer << >> them. s. The other useful utilities are a variety of cracking utilities, from the various Muffin-type programs to other disk-viewing programs. The Muffins are for copying programs from protected disks to normal disks, and the disk viewers are for deciphering what on Earth these people have done to their disks. Now then, down to business. What good is a monitor ROM, some of you may be asking? Well, you should know that when you press reset on an Apple with an Autostart ROM, you are at the mercy of a few cracking -- when working, always have one or two blank, initialized disks handy, with a normal slave DOS on them. Let's say you have found the starting location to Program X -- what to do? Well, let's look at memory for a moment. Free memory starts, , then perhaps the protectors have tried some sneakier tricks, which will be gone into in later columns. Once you have found the starting location, then what? Then it's time to transfer the program to your own disk. Remember one of the prime rules ofhese turns up an9thing, then it may be necessary to try some likely places at random -- it can turn up useful information sometimes, although it's not exactly recommended practice. Look for initialization routines, or jump tables. 
If all of this fails that will turn on the hi-res pages for display -- look for addresses like $C050, $C055, $C052, the graphics soft switches. Look for a keyboard read -- games will often show a title picture and wait for a keypress, reading the strobe at $C000. If none of tre, the program isn't there. Try C055 to see page 2 of hi-res. If there is a picture on page one and not on page two, $4000 is a very possible starting location. There are hints for finding the starting location of a program. Look for a sequencery an 800G in the monitor. If it starts up, great! If not, time to look again. Try the various page boundaries, particularly $2000, $4000, $6000, etc. Check the hires pages with a C050 , C057 to see the first hi-res page. If it has a title pictuSay you've got Program X, and you've pressed reset into the monitor. It is a single-loading game, so all of it is in memory there somewhere. Where does it start? Good question. A frequent place is at $800, or sometimes $7FD, three bytes before $800. Tme a cinch to crack. Basically, any single-loading program (usually games) can almost always be cracked simply by pressing reset and rebooting onto another disk. Some notes, however... Before you can do anything with it, you have to know how it runs. er will cause the program in memory to be run. This is a common location to set, so if you are attempting to crack a basic program, it is likely to be set. To defeat it, simply set it to any value less than 128. With a monitor ROM, some programs beco go on in and wade about in their code, to decipher what they're doing. By the way, for reference's sake, there is another location which is handy to know about, which is the Applesoft run flag at $D6. If this is set, any command given to the DOS parsmakes it easy on software protectors. All they have to do is tell the Apple where to go when the reset key is pressed. With a monitor ROM, you will always go to the same place -- the monitor -- when the reset key is pressed. 
This means that you are free tol perform a cold start. This is how you can make the machine reboot on a reset, by the way -- simply poke a value like zero into either $3F3 or $3F4. Anyway, what does all this have to do with a monitor ROM? Well, this dependency of the Autostart ROM ssed, and $3F4 contains the exclusive-or of the value in $3F3 with an $A5. This third byte is used by the Apple for checking whether it has just been turned on. If this byte does not contain the XOR of $3F3 with an $A5, when you press reset the monitor wil memory locations in page 3 of memory. These locations are $3F2-$3F4 (we are going to stick with hexadecimal numbers here -- get used to them, you'll be seein3fqof them!). $3F2 and $3F3 contain the address (lo-byte, hi-byte) to jump to when reset is prebasically, at $800, above the text page (it is possible to use this area, but that's a subject for later), and goes until $9600, on a normal disk. However, it is more than likely that this disk you're cracking has no DOS. That upper limit of $9600 is for a disk with normal DOS. Assuming this program is a single-loading game, it undoubtedly has no DOS. Thus, this program is free to go until $BFFF, really. But if you boot your slave disk now, it will wipe out memory from $800 to $900, and $9600-$BFFNPQRSTUVOWING INFORMATION WAS RECEIVED FROM VARIOUS OTHER BOARDS, INCLUDING PIRATE'S COVE, PIRATE'S HARBOR, ETC. FIRST OF ALL, LET'S GET SOME THINGS STRAIGHT. THIS METHOD OF CRACKING WILL GENERALLY WORK ON MOST SOFTWARE, BUT IT REQUIRES A LOT OF PATIENCE, DED >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< AN INTRODUCTION TO BOOT-TRACING FROM THE NECROMANCER I WANT TO MENTION THAT SOME OF THE FOLLhe Cracker's Guild<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< n cracking........ May your cracks be forever successful! >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>The Necromancer<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< >> << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Tan $7FFF in length, DOS will not let you save it in one file. 
Change location A964 in DOS to $FF and you won't have any problems (why this restriction is there, *I* don't know!). Next time I will get into DOS and what modifications there are to help iuring out what is really necessary of what you just saved. Once you have done that, you can just save the whole thing into a single file, give yourself credit, and give the program to everyone you know. One more item: if the program becomes greater th$400 or above $9600. If it does not use memory much above $9600, note that you can save over 1K with a maxfiles command, since from $9600 to $9D00 are the DOS buffers. Assuming the program works, you just have the chore of cutting down the size by figor above $9600, obviously. Try checking the code near the entry point, and see if you can find any clues to what locations it might access. In either case, though, it becomes more complicated, since you can't just BRUN something that requires memory below 000,L$5600. At this point, test your Program X by BLOADing the two pieces and running it. If it still works, you're in business. If not, the likelihood is that the program requires some other pieces of memory. Either the piece it needs is below $800, Now reboot the Program X disk, and press reset again. Now to save the rest. We are going to assume that Program X only goes up to $9600, to make life easy for now. So just reboot again, and save part two of Program X with a BSAVE PROGRAM X (4000-9600),A$4 4000 up. Then do a 6 to reboot. Now save segment one of the program to disk, after moving it down: CALL -151 800<4000.7800M BSAVE PROGRAM X (800-3FFF),A$800,L$3800 And you have a good part of the program.F. Therefore, we must split Program X into smaller pieces. The first piece is from $800-$4000. To put it onto your disk, first move it up to protect it from your booting. Move it up to $4000 with a *4000<800.3FFFM. This moves everything from 800 to 3FFF toICATION, AND ASSEMBLY LANGUAGE KNOWLEDGE. 
OBVIOUSLY, IN ORDER TO RUN, A DISK HAS TO BE ABLE TO BOOT. HOW DOES THIS OCCUR? WHEN YOU TYPE PR#6 OR 6CTRL-P, THE APPLE JUMPS TO THE DISK CONTROLLER CARD ROUTINE AT $C600. THIS SHORT ROUTINE LOADS IN THE NEXT>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< >>> <<< >>> BOOT TRACING PART II <<< >>> ..... >>>>>>>>>>>>>>>>>>>>>>>THE NECROMANCER<<<<<<<<<<<<<<<<<<<<<<<<<<< N ACTUAL EXAMPLE OF BOOT-TRACING, BUT IN THE MEANTIME GIVE IT A LOOK. IT CAN BE A VERY PRACTICAL WAY OF CRACKING, ESPECIALLY FOR THOSE OF YOU WHO DON'T HAVE ACCESS TO A MONITOR ROM MACHINE OR A MODIFIED ROM, SUCH AS THE LOCKBUSTER ROM. HAVE FUN.....ITH A LDA C050, LDA C054, AND SIMILAR INSTRUCTIONS. THESE WILL OBVIOUSLY BE ACCESSED BEFORE THE PROGRAM ACTUALLY STARTS, OR JUST AS IT STARTS. IF YOU FIND THOSE INSTRUCTIONS, YOU'VE FOUND THE PROGRAM, IN ALL PROBABILITY. WELL, I MAY SOON RETURN WITH AOOT STAGES, SOME MAY JUMP FROM THE SECOND STAGE STRAIGHT INTO THE PROGRAM. THERE'S NO TELLING, EXCEPT BY EXPERIMENTING. TRY EACH STAGE, UNTIL YOU FIND THE ONE THAT STARTS THE PROGRAM. ONE GOOD THING TO LOOK FOR IS THE TURNING ON OF THE HI-RES PAGES, WLOCATION CAN BE ANYWHERE - FOR APPLE GALAXIAN IT IS 0300, FOR ANOTHER PROGRAM IT MIGHT BE 2000, ETC. BUT THIS STAGE WILL OFTEN BE THE LAST ONE, THE ONE THAT LOADS IN THE PROGRAM ITSELF. SOFTWARE VARIES A LOT, THOUGH -- SOME PROGRAMS MAY HAVE FOUR OR MORE BLY THE DISK DRIVE WILL CONTINUE SPINNING, SO STOP IT AGAIN LIKE BEFORE, WITH A C0E8. NOW, REMEMBERING WHERE THE JUMP FROM THE SECOND STAGE BOOT WAS TO, LIST THAT LOCATION. FOR INSTANCE, IF THE JUMP FROM THE 800 PAGE WAS TO 300, LIST WITH A 300L. THIS ANGE THE JUMP AT 96F8 TO A JMP 9801 WITH A 96F8:4C 01 98, AND TYPE 9600G. BUT FIRST, IF COURSE, CHANGE THE JUMP FROM THE SECOND STAGE BOOT TO SOMETHING HARMLESS, LIKE JMP FF69. REMEMBER WHERE THE JUMP WAS TO, HOWEVER, SO YOU CAN CHECK IT. 
AGAIN, USUALILL ALMOST ALWAYS BE FORCED TO DO SOME CHANGING WITH THIS STAGE OF THE BOOT, HOWEVER, TO MAKE IT RUN AT THE NEW LOCATION, SO CHANGE THE LOCATION THAT ACCESS LOCATIONS IN THE 800 PAGE OF MEMORY SO THAT THEY ACCESS THE NEW LOCATIONS IN THE 9800 PAGE. THEN CHST IT WITH AN 801L. YOU WILL BE ABLE TO SEE WHAT THE PROGRAM DOES AS IT ENTERS THIS STAGE OF THE BOOT. TRACING IT ALONG, YOU WILL EVENTUALLY COME TO THE NEXT JUMP. SINCE YOU WANT TO INTERCEPT THIS, MOVE THIS STAGE OF THE BOOT UP WITH A 9800<800.8FFM. YOU WYOU WILL EXIT TO THE MONITOR. OF COURSE, THE DISK DRIVE WILL KEEP SPINNING, SINCE NOTHING TOLD IT TO QUIT. YOU CAN STOP IT IF YOU WANT, WITH JUST TYPING 'C0E8 '. NOW THE NEXT STAGE BOOT IS IN MEMORY FOR YOU TO EXAMINE. IT LOADS IN AT $0801, SO LIE $FF69 (MONITOR). PUT IN THE DISK YOU WANT TO CRACK. SOME GOOD ONES ARE APPLE GALAXIAN, OR NEARLY ANY OTHER GAME-TYPE SOFTWARE THAT DOESN'T ACCESS THE DISK AFTER IT LOADS. THEN TYPE 9600G. THE DISK WILL START TO BOOT, MOVING THE ARM ACROSS, BUT THEN , LIKE YOUR SYSTEM MASTER, AND ENTER THE MONITOR. THEN MOVE THE FIRST STAGE BOOT DOWN TO $9600 WITH A 9600>> BY THE NECROMANCER <<< >>> <<< >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< I HAVE RWYZ[\]^_`abcdefgEY CAN GET FAR MORE COMPLEX, BUT THERE IS NO NEED FOR SOMETHING ELEGANT IN THIS SITUATION. ANOTHER POINT THAT WAS BROUGHT TO MY ATTENTION BY SOMEONE WAS THE FACT THAT BOOTS OFTEN USE INDIRECT JUMPS, WHICH MAKE BOOT TRACING THEM A BIT MORE COMPLEX. T0,X INX BNE LOOP JMP $FF59 THIS CODE PRETTY OBVIOUSLY PERFORMS A MEMORY MOVE, MOVING THE TEXT PAGE UP TO $8000, THEN JUMPING TO THE MONITOR (I LIKE TO USE A JMP $FF59 RATHER THAN $FF69, SO I GET A BEEP). 
IT IS A VERY SIMPLE MOVE -- TH THIS TO A JMP $6000 AND THEN PLACING THE FOLLOWING CODE AT $6000 ALLOWS YOU TO EXAMINE THE CODE AT YOUR LEISURE: LDX #0 LOOP LDA $400,X STA $8000,X LDA $500,X STA $8100,X LDA $600,X STA $8200,X LDA $700,X STA $830RM SOME INTERESTING FEATS, INCLUDING ERASING WHATEVER MIGHT BE IN A LANGUAGE CARD UPON BOOTING (NASTY FOLKS, AREN'T THEY!), AND THEN MOVE SOME INSTRUCTIONS OVER THE TEXT PAGE, WHERE THEY ARE EXECUTED BY A JMP $789 (IF I REMEMBER CORRECTLY). SIMPLY CHANGING AS ALWAYS, AND LOADS IN MORE DATA DIRECTLY AFTER IT, STARTING AT $900. AFTER THE DATA IS LOADED IN, IT BRANCHES TO $881, WHERE IT STARTS MORE INITIALIZING, AND CONTINUES EXECUTING THROUGH THE INSTRUCTIONS THAT WERE LOADED AT $900. THESE INSTRUCTIONS PERFO THE PROBLEM. THIS DOESN'T ALWAYS SOLVE EVERYTHING, BUT IT HELPS. SIMPLY PRESSING RESET FROM WITHIN THE PROGRAM WOULD LOSE THE TOP LINE OF DATA. A MORE RECENT RELEASE, PENSATE, FROM PENGUIN SOFTWARE, DOES A SIMILAR THING. THE BOOT1 LOADS IN AT $800,OT THE SUBJECT HERE. WHEN BOOT TRACING, IT IS NOT HARD TO AVOID THE ABOVE PROBLEM. IN GORGON, FOR INSTANCE, DATA WAS LOADED OVER THE TEXT SCREEN BY THE BOOT. SIMPLY MODIFYING THE BOOT IN MEMORY TO LOAD IT AND THEN MOVE IT TO A SAFE PLACE WOULD AVOIDOW. PERHAPS THE MOST COMMON IS SIMPLY PLACING DATA ON THE TEXT PAGE. WHEN YOU PRESS RESET, ALTHOUGH YOU EXIT TO THE MONITOR, YOU LOSE THE TOP LINE OF TEXT, AND ARE LIKELY TO LOSE ALL OF THE TEXT SCREEN. WITH A SPECIAL ROM THIS CAN BE AVOIDED, BUT THAT IS N VERSUS A MONITOR ROM. THOSE WHO HAD ACCESS TO ONE WERE ABLE TO CRACK PRACTICALLY ANYTHING ON THE MARKET. AH, FOR THE GOOD OLD DAYS. BUT THERE ARE WAYS TO STOP A MONITOR ROM, AND THEY ARE BEING IMPLEMENTED IN ALMOST EVERY PIECE OF SOFTWARE BEING RELEASED NT FOR SINGLE-LOADING GAMES AND UTILITIES, BOOT TRACING CAN BE ONE OF THE EASIEST WAYS. IF YOU ARE THE OWNER OF A MONITOR ROM, SIMPLY PRESSING RESET CAN DO THE JOB, ALTHOUGH THOSE DAYS ARE COMING TO AN END. 
PREVIOUSLY, SOFTWARE HAD NO REAL PROTECTIONISK HAS A SPECIAL DOS ON IT, OR REALLY ANY DOS AT ALL, IT IS CERTAINLY NOT THE EASIEST WAY. WHENEVER A DISK HAS A DOS ON IT, PULLING THE FILES OFF THE DISK IS FAR EASIER THAN BOOT TRACING IT, AND IN FACT BOOT TRACING A DISK OF THAT KIND IS RATHER SILLY. BUE TO DO IT. NOT SO. IT DOES REQUIRE A LOT Og PATIENCE, TENACITY, AND OF COURSE A GOOD WORKING KNOWLEDGE OF ASSEMBLY LANGUAGE. IN OTHER WORDS, NO MORE THAN ANY OTHER METHOD OF CRACKING. BOOT TRACING IS NOT USEFUL FOR EVERY PIECE OF SOFTWARE. IF THE DECEIVED SOME REQUESTS FOR A CONTINUATION OF MY PREVIOUS COLUMN ON BOOT TRACE CRACKING, SO HERE IT IS, FOLKS! PEOPLE HAVE A TENDENCY TO THINK THAT BOOT TRACING IS SOMETHING EXTREMELY DIFFICULT, THAT ONE HAS TO BE ONE OF THE "GREAT CRACKERS" TO BE ABLHIS IS TRUE, BUT THEY ARE USUALLY PRETTY EASY TO GET AROUND. ONE POSSIBLE SOLUTION IS TO SIMPLY PUT A BRK INSTRUCTION WHERE THE JUMP IS, AND WHEN IT REACHES THE BRK EXAMINE THE MEMORY LOCATIONS WHICH WERE TO BE USED FOR THE JMP. FOR EXAMPLE, ONE COMMON JUMP IS A JMP ($08FE) ONE CAN REPLACE THE $6C WITH A $00, AND WHEN THE PROGRAM HITS THE BRK, LOOK AT LOCATIONS 8FE AND 8FF TO FIND THE ADDRESS THE JUMP WAS HEADING FOR. THE PROBLEM WITH THIS APPROACH IS THAT A BRK DOESN'T ALWAYS DO WHAT SOFTWARE TO THE GENERAL PUBLIC. >>>>>>>>>>>>>>>>>>>>>>>>>>>THE NECROMANCER<<<<<<<<<<<<<<<<<<<<<<<<<<<< >>>>>>>>>>>>>>>>>>>>>>>>>THE CRACKER'S GUILD<<<<<<<<<<<<<<<<<<<<<<<<<< BE A BIG PROBLEM IF YOU HAVEN'T MADE ANY PRINTOUTS OR ANY NOTES. WRITE DOWN THE LOCATIONS YOU CHANGE. IF YOU'RE WRONG, YOU CAN BACKTRACK, WITH GOOD NOTES. THAT'S ALL FOR THIS TIME. I HOPE SOME OF YOU CAN MAKE GOOD USE OF THIS, AND PRESENT SOME NEW THEREBY ENABLING YOU TO PRESS RESET ONCE THE PROGRAM HAS STARTED. MAKE PRINTOUTS WHEN YOU ARE BOOT TRACING. IT IS OFTEN POSSIBLE TO MISS SOMETHING, AND FIND THE DISK BOOTING COMPLETELY. 
WHEN THIS HAPPENS YOU HAVE TO GO BACK AND START OVER, WHICH CANN IF A BOOT IS TOO COMPLICATED FOR YOU TO FOLLOW (WHICH CAN INDEED HAPPEN), IT IS POSSIBLE TO GET SOMETHING OUT OF IT. IF YOU HAVE AN AUTOSTART ROM, SOMETIMES YOU CAN FIND THE PART OF THE PROGRAM THAT CHANGES THE RESET VECTOR, AND MAKE IT SKIP THE CHANGE, ED. THUS, IF AN INDIRECT JUMP OF JMP ($8FF) IS DONE, THE ADDRESS TO JUMP TO IS NOT TAKEN FROM 8FF AND 900, IT IS TAKEN FROM 8FF AN 800! THIS SHOULD ALWAYS BE IN THE BACK OF YOUR HEAD -- ALWAYS BE SUSPICIOUS OF INDIRECT JUMPS. SOME FURTHER NOTES. EVE ADDRESS FROM THE SPECIFIED LOCATION, THEN INCREMENTS THAT LOCATION, AND GETS THE HI-BYTE. HOWEVER, WHEN THAT INCREMENT IS DONE, NO CHECK OF AN OVERFLOW IS DONE. THIS MEANS THAT IF THE INCREMENT CAUSES A CHANGE FROM $FF TO $00, THE HI-BYTE IS NOT INCREMENTR MOVED BOOT1. ONE MORE NOTE ABOUT THESE INDIRECT JUMPS. YOU SHOULD ALL BE AWARE OF A BUG IN THE 6502, WHICH HAS ON OCCASION BEEN USED BY SOFTWARE PROTECTORS (YES, OUR ARCH-ENEMIES!). WHEN THE 6502 FINDS AN INDIRECT JUMP, IT TAKES THE LO-BYTE OF THE THOUGH. AS YOU SHOULD RECALL FROM THE PREVIOUS COLUMN, THE BASIS OF BOOT TRACING IS MOVING THE BOOT0 DOWN AND CHANGING THE JUMP. WELL, INSTEAD OF LETTING BOOT1 JUMP TO $C65C, WE CAN CHANGE THAT INDIRECT JUMP TO $965C, WHICH WHEN IT IS DONE WILL JUMP TO OUHAT, SO IT CALLS ON SOME OF THE BOOT0 CODE TO HELP IT OUT. THIS IS THE SECTOR READ ROUTINE AT $C65C. HOWEVER, IF WE WANT TO BOOT-TRACE THE DISK, WE CAN'T LET THAT JUMP OCCUR, SINCE ONCE THE ROUTINE IS DONE IT JUMPS ONCE AGAIN TO $801. WE CAN FIX THIS,EANT TO LOAD IN THE NEXT 9 SECTORS FROM TRACK 0. THESE SECTORS CONTAIN THE RWTS AND SOME CODE WHICH WILL LOAD IN THE REST OF DOS, AND JUMP TO THE DOS START LOCATION. BUT THE BOOT1 IS ONLY A PAGE LONG, AND CAN'T HANDLE THE ENTIRE DUTY OF LOADING IN ALL OF THIS ROUTINE WILL DISPLAY THE ADDRESS THAT THE JUMP WAS HEADING FOR. IF THE BOOT IS RELATIVELY NORMAL, YOU ARE LIKELY TO SEE A C65C. 
YOU MAY WONDER WHAT THE BOOT IS DOING JUMPING TO SUCH A LOCATION. WELL, A NORMAL BOOT1 (RARE ENOUGH THESE DAYS!) IS MT OUT FOR YOU THE ADDRESS THAT BOOT IS JUMPING TO. REPLACE THE JMP ($003E) WITH A JMP $6000, OR SOME OTHER SAFE LOCATION. THEN WRITE THE SHORT ROUTINE BELOW AT THAT LOCATION: LDA $3F JSR $FDDA LDA $3E JSR $FDDA JMP $FF59 TMOST COMMON OF THESE IS $003E. IF YOU TRY THE BRK METHOD OR THE JMP $FF59 METHOD, YOU ARE LIKELY TO FIND SOME NONSENSE ADDRESS RATHER THAN WHAT YOU'RE LOOKING FOR. WHAT DO YOU DO IN THIS CIRCUMSTANCE? WHAT YOU CAN DO IS WRITE A SMALL ROUTINE TO PRINYOU WANT IT TO. YOU CAN ALSO, HOWEVER, MAKE THE JMP A JMP TO $FF59, AND THEN EXAMINE THE ADDRESSES. AGAIN, HOWEVER, THERE IS A PROBLEM. SOMETIMES THE NASTY FOLKS BEHIND ALL OUR PROBLEMS CHOOSE AN ADDRESS THAT ISN'T ALWAYS WHAT IT APPEARS TO BE. THE *************************************** * * * KRAKOWICZ'S KRACKING KORNER * * * * =>SHIELA<= * * * ****************HES THE STATUS REGISTER AND PROGRAM COUNTER ONTO THE STACK, THEN JUMPS VIA $FFFA. THIS I'VE MODIFIED TO TO LEAD TO A ROUTINE (INSIDE THE MONITOR) WHICH MOVES PAGES 0-8 TO $2100.29FF, THEN JUMPS TO THE OLD MONITOR RESET ROUTINE. AFTER GETTING INSIDE THE PRERKEY+. A MODEST REFINEMENT OF THIS METHOD IS TO USE A NONMASKABLE INTERRUPT (NMI) INSTEAD OF OF A RESET. TO GENERATE A NMI, YOU JUST ADD A SWITCH TO CONNECT PERIPHERAL PIN #29 (ANY CARD) TO PIN #26 THRU A 100 OHM RESISTOR. WHEN THE 6502 SEES A NMI, IT PUSTHIS PURPOSE, BUT I UNDERSTAND THAT IT IS POSSIBLE TO FOOL MANY PROGRAMS BY PUTTING THE CARD IN SLOT 1 INSTEAD OF 0). THERE ARE SEVERAL OF THESE CRACKING MONITORS GOING AROUND, INCLUDING VERSIONS BY BOZO AND LOCKBUSTER, AND A COMMERCIAL VERSION CALLED MAST WHICH RELO- CATES PAGES 0-8 SOMEWHERE OUT OF THE WAY. THE MODIFIED MONITOR CAN THEN BE INSTALLED IN A RAMCARD. 
IT IS GENERALLY NECESSARY TO PROTECT THE RAMCARD IN SOME WAY SO THAT THE PROGRAM CANNOT ERASE IT OR TURN IT OFF (MY CARD HAS BEEN MODIFIED FOR MODIFIED BY A STANDARD RESET. AS YOU PROBABLY KNOW THIS CAN BE DONE EITHER BY TRACING THE BOOT (WHICH I HOPED TO AVOID) OR BY THE USE OF A MODIFIED MONITOR. TYPICALLY, THE MONITOR IS MODIFIED SO THAT THE RESET VECTOR AT FFFC POINTS AT A MEMORY MOVE ROUTINEFIED SECTOR HEADER. STEP 2:GET IT OUT OF MEMORY. HAVING FIGURED OUT AS MUCH AS I COULD FROM 'OUTSIDE', I DECIDED THAT IT WAS TIME TO GET A LOOK INSIDE THE PROGRAM. THE TRICK IN GETTING A PROGRAM OUT OF MEMORY IS TO PRESERVE $0.7FF, MUCH OF WHICH IS OOT, BUT I FOUND THAT I COULD SWITCH TO A COPY ONCE THE PROGRAM WAS GOING, INDICATING THAT THE MAJOR PROTECTION WAS IN THE BOOT. EXAMINING A NIBBLE DUMP OF THE DISK (USING THE INSPECTOR), I CONCLUDED THAT MOST TRACKS WERE NEARLY NORMAL 3.2, BUT WITH A MODIESTLY ABNORMAL, WITH MUCH HEAD MOVEMENT AND 3 RECALIBRATIONS. FURTHERMORE, THE DISK WOULD NOT BOOT UNLESS WRITE ENABLED. SUCH A BOOT OFFERS MUCH OPPORT UNITY FOR CHICANERY, SO I RESOLVED TO USE BOOT TRACING ONLY AS A LAST RESORT. NIBBLE COPIES WOULD NOT BEW MAZE AND FOR A HI-RES CASTLE AT THE BEGINNING). IF YOU OPEN THE DRIVE DOOR WHILE IT'S TRYING TO LOAD A MAZE, IT RECALIBRATES AND TRIES AGAIN; THIS SUGGESTED TO ME A FAIRLY NORMAL RWTS, SINCE MANY CUSTOM ROUTINES DON'T BOTHER WITH THIS.THE BOOT WAS MANIFGRAM USE A CUSTOM ROUTINE TO READ THE DISK, OR A MODIFIED VERSION OF THE STANDARD DOS? IF THE LATTER, WHAT SORT OF MODIFICATIONS HAVE BEEN MADE? SHEILA IS AN ARCADE-STYLE ADVENTURE. THERE ARE 5 MAZES, AND THE DISK IS ACCESSED EACH TIME YOU ENTER A NE THE JOINT! THE FIRST STEP OF CRACKING ANY PROGRAM IS TO GET AN IDEA OF THE NATURE OF THE PROTECTION. DOES THE PROGRAM ACCESS THE DISK? IF SO, ARE THE DISK ACCESSES NECESSARY TO THE PROGRAMS FUNCTION, PART OF THE PROTECTION, OR BOTH? 
DOES THE PROhjklmnopqrstuvwxy*********************** THE PURPOSE OF THIS ESSAY IS NOT TO PROVIDE YOU WITH A COOKBOOK FOR CRACKING SHEILA. RATHER, I AM GOING TO DESCRIBE THE GENERAL APPROACH I TOOK, IN THE HOPE THAT IT WILL BE OF USE TO YOU IN CRACKING SIMILAR PROGRAMS. STEP 1: CASOG RAM IN THIS WAY, I MANUALLY MOVED $9600.9CFF TO $2A00.30FF AND $9D00.BFFF TO $D000.F2FF ON THE RAMCARD, THUS CLEARING THE WAY FOR A SLAVE BOOT. I THEN SAVED ALL THE PIECES OF THE PROGRAM ONTO A NORMAL 3.3 DISK. AS A TEST, I WROTE A ROUTINE TO MOVE EVERYTHING BACK, RELOAD THE REGISTERS, AND DO A RTI (RETURN FROM INTERRUPT). THE PROGRAM RESTARTED AS EXPECTED, THEN BOMBED OUT TRYING TO READ THE DISK. INSPECTION OF THE CODE REVEALED A FAIRLY STANDARD DOS IN THE USUAL PLACE. IT SEEMED TO BE PATCHED RATHER IED THAT THE PROGRAM RAN CORRECTLY WITH THE 3.3 DATA DISK. STEP 5: PUTTING IT ALL TOGETHER. THE FINAL TASK WAS TO GET SHEILA ONTO T HE DISK WITH THE DATA. THERE WAS ONE PROBLEM; ONE OF THE DATA TRACKS WAS $11, NORMAL LOCATION OF THE CATALOG AND VTOC. C REPLACE SHEILA'S RWTS, I DECIDED TO MOVE IN ONLY THE READ ROUTINES FROM MY REASSEMBLED RWTS, SINCE I KNEW SHEILA DIDN'T WRITE TO DISK. THE AREAS SWITCHED WERE AS FOLLOWS: B800.B8C1, BA29.BA95, BB00.BCFF, AND BEAF.BFFF. I THEN RESTARTED SHEILA, AND VERIFSO MOVED THE SECTOR INTERLEAVING TABLE, NORMALLY AT BFB8.BFC7, TO RESIDE AT BCF0.BCFF, IN CASE SHEILA WAS USING THAT AREA FOR SOMETHING ELSE (3.2 RWTS DOESN'T HAVE A SECTOR INTERLEAVING TABLE). I THEN REASSEMBLED RWTS USING LISA 2.5. RATHER THAN COMPLETELYING THROUGH RWTS, I NOTICED THAT LOCATIONS BCE0 TO BCFF WERE APPARENTLY UNUSED BY BOTH THE NORMAL 3.3 AND SHEILA RWTS. IT WAS A SIMPLE TASK TO EDIT THE DOSSOURCE RWTS LISTING TO USE THIS AREA INSTEAD OF THE TEXT PAGE REGION. AT LONG-JOHN'S SUGGESTION, I ALDOSSOURCE LISTINGS. SURE ENOUGH, RWTS STORES DATA IN LOCATIONS $478, $4F8, $578, $5F8, AND $6F8 (THESE ARE IN THE TEXT PAGE AREA, BUT THEY DO NOT SHOW ON THE SCREEN). 
CLEARLY, IT WAS GOING TO BE NECESSARY TO MODIFY THE RWTS TO ELIMINATE THE CONFLICT. LOOK.3 RWTS. AT FIRST IT LOOKED GOOD; THE PROGRAM LOADED THE FIRST MAZE FROM MY 3.3 DATA DISK. UNFORTUNATELY, THE MINUTE I HIT A KEY IT LOCKED UP. A POSTMORTEM INDICATED THAT A KEYBOARD INPUT ROUTINE ON PAGE 4 HAD MYSTERIOUSLY TURNED TO GARBAGE. OUT CAME THE PORTION OF SHEILA RWTS TO MATCH NORMAL DOS 3.2 (D5 AA DD) AND IT WOULD HAPPILY READ DATA OFF THE 3.2 DISK THAT I HAD MADE. UNFORTUNATELY, I WANTED 3.3. MY FIRST ATTEMPT AT CONVERSION TO 3.3 WAS SIMPLY TO REPLACE THE ENTIRE RWTS FROM SHEILA WITH A NORMAL 3S TO MODIFY THE SHEILA RWTS SO THAT IT WOULD READ FROM A NORMAL FORMAT DISK. SINCE SHEILA'S DOS SEEMED ALMOST 3.2, I DECIDED FIRST TO SEE IF I COULD GET IT TO READ THE 3.2 DATA DISK. THIS WAS SURPRISINGLY EASY; I JUST PATCHED THE SECTOR HEADER IN THE READ ON A DOS 3.3 DISK, UNTIL I HAD CONVERTED ALL THE TRACKS I COULD READ. I THEN REPEATED THE PROCESS WITH A 32K 3.2 RWTS, SO THAT WHEN I FINISHED I HAD BOTH A 3.3 AND A 3.2 DISK WITH THE DATA TRACKS FROM SHEILA. STEP 4: CONVERT THE DOS. THE NEXT STEP WA THE RWTS VECTOR AT $3DC.3DE TO POINT TO $BD00. THEN I READ IN SOME SECTORS OF SHEILA, SAVING THEM IN MEMORY (BEING CAREFUL NOT TO OVERWRITE EITHER RWTS). NEXT I SWITCHED TO RWTS VECTOR TO $B700, AND WROTE THE SECTORS I HAD READ TO THE CORRESPONDING TRACKSE USUAL LOCATION: $BD00. THEN I BOOTED A 32K DOS 3.3 SLAVE (WHICH I HAD MADE BY PULLING OUT THE LAST ROW OF RAM CHIPS, BOOTING A MASTER AND ITIT-ING A SLAVE). NOW I HAD SHEILA RWTS AT $BD00, AND DOS 3.3 RWTS AT $7D00. THEN I ENTERED THE INSPECTOR, AND SETEXAMINATION OF THE TOP OF THE STACK INDICATED THAT THE PROGRAM CO UNTER WAS IN RWTS. STEP 3: CONVERT THE DATA TRACKS. THERE WERE STILL THOSE DISK LOADS TO CONTEND WITH. POKING AROUND INSIDE SHEILA, I FOUND A SOMEWHAT MODIFIED RWTS WITH AN ENTRY AT THL DISK, BUT I COULDN'T SEE ANYTHING RESEMBLING A CATALOG. 
THIS SUGGESTED THAT THE PROGRAM WAS LOADING DATA FROM KNOWN DISK LOCATIONS USING RWTS DIRECTLY. TO TEST THIS HYPOTHESIS, I INTERRUPTED WHILE THE PROGRAM WAS TRYING TO ACCESS THE DISK. AS EXPECTED, THAT REASSEMBLED, SINCE I SAW SEVERAL ROUTINES WHICH I WAS FAIRLY CERTAIN THAT THE PROGRAM DIDN'T NEED. RWTS WAS IN ITS USUAL HOME ($B800.BFFF). USING THE INSPECTOR IN CONJUNCTION WITH SHEILA'S RWTS, I WAS NOW ABLE TO READ MOST OF THE TRACKS ON THE ORIGINALEARLY IT WOULD BE NECESSARY TO MODIFY EITHER SHEILA OR DOS TO ELIMINATE THE CONFLICT. TAKING THE PATH OF LEAST RESISTANCE, I ELECTED TO MODIFY DOS TO USE TRACK $15 INSTEAD OF $11. THIS MEANT THAT NORMAL DOS WOULD BE UNABLE TO FIND THE CATALOG, BUT IT WLDN'T INTERFERE WITH COPYA, WHICH DOESN'T MAKE USE OF THE CATALOG. TO DO THIS, I CHANGED LOCATION $AC01 IN DOS FROM $11 TO $15, THEN INITIALIZED A DISK. THIS PLACED THE VTOC ON TRACK $15. THEN, USING THE INSPECTOR, I CHANGED TRACK $15, SECTOR $0, BYTE $1 " (I KNOW, I KNOW -- I PROMISE THAT I'LL WRITE A COMPLETE COLUMN ON BOOT-TRACING SOON. IF YOU JUST CAN'T WAIT, TRY TO GET HOLD OF THE HARDCORE MAGAZINE UPDATE 3.1, PAGES 6-15. IT HAS A LUCID, WELL-EXAMPLED DISCUSSION OF THE BOOT-TRACING PROCESS). WHEN YOUROUGH ALL THE APPLESOFT PROGRAMS. THE AMOUNT OF EFFORT REQUIRED TO DO THIS HAS KEPT KRACKISTS AT BAY, AT LEAST UNTIL NOW. FIRST, HOW TO APPROACH THIS TYPE OF KRACKING JOB? THE SEVENTH LAW OF KRACKING SAYS: "WHEN YOU'RE TOTALLY LOST, BOOT-TRACE A DOS WHICH WAS: A. DOS 3.3 COMPATIBLE, B. AS SHORT AS RDOS ($B100-$BFFF), SINCE THE PROGRAMS FREQUENTLY USE ALL OF THE FREE SPACE, AND C. CAPABLE OF CORRECTLY INTERPRETING THE AMPERSAND COMMANDS WHICH ARE LIBERALLY SPRINKLED TH'S ANSWER TO THIS PROBLEM WAS NOT ONLY TO WRITE AN EXTENSIVELY REVISED DOS, BUT TO COUPLE IT WITH "ENHANCEMENTS" TO APPLESOFT USING THE AMPERSAND VECTOR (MORE ON THIS LATER). THIS WAY, EVEN IF YOU COULD STRIP THE FILES OFF THE DISK, YOU WOULD NEED TO WRITE SOME SORT OF DOS MODIFICATION. 
DOS MODIFICATIONS ARE USUALLY NOT TOO SUCCESSFUL, SINCE SOME ENTERPRISING PERSON OUT IN PIRATELAND WILL SOONER OR LATER FIGURE A WAY TO COPY ALL THE FILES ONTO A NORMAL DOS DISK, MAKING ALL THE DISK PROTECTION WORTHLESS. SSIAMES WHICH HAVE A LITTLE REDEEMING SOCIAL MERIT: EPIDEMIC, RINGSIDE SEAT, AND GALACTIC ADVENTURES. AS WE'VE DISCUSSED IN THE BASICS OF KRACKING SERIES, YOU CAN EITHER PROTECT A PROGRAM BY VARIOUS MEANS, OR YOU CAN PROTECT A DISK FULL OF PROGRAMS WITHS. WITH THAT IN MIND, AND BECAUSE WE ALL LOVE A CHALLENGE, WE WILL TAKE A LONG LOOK AT THE APPROACH USED BY STRATEGIC SIMULATIONS, INC. (SSI) IN PROVIDING COPY PROTECTION FOR THEIR SERIES OF WAR SIMULATIONS AND "RAPID-FIRE" SERIES, AS WELL AS SOME RECENT Gz|}~*********************** IT'S REALLY NOT FAIR WHEN ONE PUBLISHER HAS A SYSTEM THAT KEEPS THEIR SOFTWARE FROM BEING CONVENIENTLY BACKED UP, ESPECIALLY WHEN SO MANY OF THE OTHER "PROTECTION" SCHEMES HAVE FALLEN TO THE GROWING CORPS OF TALENTED KRACKIST*************************************** * * * KRAKOWICZ'S KRACKING KORNER * * * * SSI'S RDOS * * * ****************THE PIECES OF SHEILA INTO A SINGLE FILE, AND PREFACED IT WITH A MEMORY MOVE TO PUT EVERYTHING BACK WHERE IT BELONGED. FINALLY, I BOOTED THE DATA DISK (WITH CATALOG ON TRACK $15) AND BSAVED SHEILA. THIS COMPLETED THE CONVERSION OF SHEILA TO COPYA FORMAT. FROM $11 TO $15, SO THAT DOS WOULD KNOW TO USE TRACK $15 FOR THE CATALOG. THEN, I COPIED THE DATA TRACKS FROM MY SHEILA 3.3 DATA DISK ONTO THE NEW DISK, AND CHANGED THE SECTOR-USE BITMAP TO PROTECT THE DATA SECTORS AND THE CATALOG. I THEN ASSEMBLED ALL OF LOAD T0, S0 INTO $800, YOU WILL IMMEDIATELY SEE THE FAMILIAR "BRODY LOADY" (NAMED AFTER THAT FUN-LOVING BUNCH OF SCANDAHOOVIANS AT BR0DERBUND) WHICH MOVES THE ENTIRE PAGE DOWN TO PAGE 2 AND JUMPS TO $20F TO COMPLETE THE BOOT. 
THIS IS A FAIRLY TRICKY BOOT WHICH HAS BEEN USED FOR ALL TYPES OF PROTECTION SCHEMES, BUT IF YOU PUZZLE OVER IT LONG ENOUGH, YOU'LL SEE THAT THE JMP ($003E) AT LOCATION 343 DOUBLES AS A JUMP TO THE SECTOR READ ROUTINE, THEN AS A JUMP TO THE PROGRAM START WHEN ALL THE SECTORS ARE READ AN BE SEEN THAT THE ROUTINES HAVE BEEN LIFTED ALMOST VERBATIM FROM DOS 3.2, WITH THE ADDRESS MARKER CHANGED TO D4 AA B7 (IN MOST CASES). AHA! MAYBE WE CAN SNEAK IN THE APPROPRIATE ROUTINES FROM DOS 3.3 AND MAKE IT DO D5 AA 96'S? TO MAKE A LENGTHY STORY SHO PLACE TO START. THE FIRST ENCOUNTER IS AT $BB6B, WHICH IS CLEARLY A "WRITE" SECTION-- $C08F,X = OUTPUT; $C08E,X = SENSE WRITE PROTECT. IT'S FOLLOWED BY A READ SECTOR ROUTINE AT $BBFD-BC64, AND READ ADDRESS ROUTINE AT $BC65-BCC0. ON CLOSE EXAMINATION, IT CSTING THAT CONTINUES UP TO $BFFF. THE ONLY WAY TO GET THERE IS TO CALL UP THE INFANTRY AND SLOG OUR WAY THROUGH THE CODE, BRUTE FORCE. SINCE IT'S A DOS, THERE MUST BE READ AND WRITE CODE OF SOME SORT, SO LOOKING AROUND FOR DISK ACCESSES ($C08C,X) IS A GOOD670 CHG RTN FROM & AS YOU CAN SEE, NOT ALL HAVE BEEN CHASED DOWN. INTERESTED PARTIES ARE INVITED TO INVESTIGATE AND SHARE THE RESULTS WITH US ALL. BUT THIS, TOO HAS ONLY A LIMITED VALUE, SINCE WE RUN OUT OF INFORMATIVE TOKENS AT ABOUT $B679 IN A LI6 B56C WRITE TO TEXTFILE READ 87 135 B582 READ TEXT FILE END 80 128 B5A9 CLOSE A FILE DEL 85 133 B5AE DELETE A FILE LEN E3 227 B5CD ? D 44 68 B620 DRIVE? S 53 83 B62E SLOT? NEW BF 191 B64F ? USR D5 213 BB6 182 B371 LOAD APLSFT FILE RUN AC 172 B446 RUN APLSFT FILE GOTO AB 171 B44C EXEC (?) SAVE B7 183 B48D SAVE APLSFT FILE STORE A8 168 B511 BSAVE (WITH A,L) RECALL A7 167 B52B BLOAD, A OPTIONAL DEF B8 184 B544 ? PRINT BA 18UMULATOR, AND THEN DECIDES WHAT TO DO NEXT. 
THE TOKENS, WITH THEIR VALUE, SUBROUTINE ADDRESS START, AND FUNCTION ARE SHOWN BELOW: & --- HEX DEC ADDR FUNCTION IN RDOS ----- --- --- ---- ---------------- C 43 67 B353 CATALOG (&C AT) LOAD HE SYSOP MIGHT BE PERSUADED TO INCLUDE THEM ON HIS APPLE TREK KRACKING DISK #2. NOW WE'RE STARTING TO MAKE PROGRESS. EACH TIME THE & COMMAND IS ENCOUNTERED, APPLESOFT OBLIGINGLY JUMPS UP TO $B303 WITH THE HEX VALUE OF THE NEXT BASIC TOKEN IN THE ACCODE LISTINGS, IN BIG MAC FORMAT, FOR BOTH THE ORIGINAL AND DOS 3.3 COMPATIBLE VERSIONS OF RDOS. THE DISK ALSO CONTAINS OBJECT CODE FOR RDOS 3.3 AND LISTINGS OF THE OTHER PROGRAMS USED FOR SECONDARY PROTECTION AND INITIALIZING. IF THERE'S ENOUGH INTEREST, T, AND THE ADDRESS OF THE ROUTINE TO BE EXECUTED IS PICKED UP FROM A TABLE IN $B331-$B352. YOU CAN EASILY SEE ALL THIS CODE BY RESETTING ANY OF THE RDOS SSI GAMES, AND IF YOU'RE REALLY INTERESTED, YOU CAN CONTACT YOUR LOCAL PIRATE FOR A COPY OF THE SOURCE CION $3F5. LOOKING AT THAT LOCATION WILL TELL YOU WHERE THE AMPERSAND EVALUATION ROUTINE IS LOCATED; IN THIS CASE, IT CONTAINS 4C 03 B3 OR JMP $B303. EXAMINATION OF THE CODE THERE REVEALS THAT THE ACCUMULATOR IS COMPARED TO A TABLE OF NUMBERS IN $B320-$B330IATELY STRUCK BY A WHOLE NEW LIST OF COMMANDS THAT MOTHER APPLE NEVER TOLD YOU ABOUT. THESE ARE AMPERSAND (&) COMMANDS WHICH HAVE BEEN ADDED TO IMPLEMENT THE RDOS COMMANDS, AND THEY WORK AS FOLLOWS: WHENEVER THE "&" IS ENCOUNTERED, APPLESOFT JUMPS TO LOCATT THE BOOT-TRACE HAS TOLD US IS THAT THE DOS CODE LIVES FROM $B300 TO $BFFF, AND IS NOT STRAIGHTFORWARD, "LINEAR" CODE. YOU MAY RECALL THAT WE DESCRIBED HOW TO LIST AN RDOS APPLESOFT FILE IN BASICS 103: RESET, D6:00, C081, CTRL-C, "LIST". YOU WILL BE IMMEDIN. THE PROGRAM START IN THIS CASE IS $B300, WHICH IS A JMP $B974 THAT DROPS YOU INTO A DISCOURAGINGLY COMPLEX SERIES OF JSR'S AND JMP'S. AT THIS POINT, DISCRETION IS THE BETTER PART OF VALOR (REMEMBER THE SECOND LAW: THERE'S ALWAYS ANOTHER WAY). WHART, THE ANSWER IS YES, BUT. 
DOS 3.2 (13-SECTOR) USES, AS YOU PROBABLY KNOW, "5+3" NIBBLIZING IN STORING DATA ON THE DISK, WHILE 3.3 (16-SECTOR) USES "6+2".
ANSWER THE QUESTION "13 SECTOR", ENTER THE APPROPRIATE SLOTS AND DRIVES, AND YOU'RE OFF AND RUNNING TO CREATE AN RDOS 3.3 AA B7, BLOAD THE FILE CALLED "RDOS READ RWTS" (IT GOES INTO $8000 AS THE DEFAULT LOCATION). NEXT, BLOAD "RDOS WRITE",A$7000, THEN MOVE IT TO THE NORMAL RWTS LOCATIONS WITH B700<7000.78FFM (THIS IS NECESSARY BECAUSE YOU'RE USING THE RWTS ROUTINES TO READ INOPYING PROCESS WITH TRACK ONE. TO REITERATE THE COPYB INSTRUCTIONS, RUN COPYB, THE TYPE CTRL-C OR RESET WHEN THE PROMPT FOR SOURCE DISK COMES UP. GET INTO THE MONITOR AND TYPE 22E:1 TO SET THE STARTING TRACK TO 1, THEN, IF THE ADDRESS MARKER BYTES WERE D4 IDED BELOW. ARMED WITH RDOS 3.3 AND COPYB, IT IS NOW POSSIBLE TO BEGIN ATTACKING ONE OF THE SSI PROTECTED DISKS. SINCE RDOS IS BASED ON DOS 3.2, THE DISKS ARE ALL 13-SECTOR FORMAT, AND SINCE THE DOS IS ALL ON TRACK ZERO, YOU WANT TO BEGIN THE TRACK CSION OF COPYB IN GENERAL CIRCULATION INCLUDES RWTS ROUTINES WHICH HAVE BEEN MODIFIED FOR READING AND WRITING RDOS. REASONABLE DIRECTIONS ARE INCLUDED ON THE DISK, SO IT SHOULD BE POSSIBLE TO BACK UP YOUR OWN SSI DISKS, USING THE ADDITIONAL INFORMATION PROVES AN AUTOMATED APPROACH (THEY WERE SUPPOSED TO WORK FOR ->US<-, REMEMBER?). THE ANSWER TO THIS PROBLEM WAS THE PROGRAM NOW KNOWN AS COPYB - A HIGHLY MODIFIED VERSION OF COPYA WHICH DOES THE RWTS SWAP FOR YOU, AND EVEN INITIALIZES DISKS AS A BONUS. THE VER DISK WITH MODIFIED RWTS ROUTINES BY USING ITS OWN RWTS AND THE INSPECTOR, THEN SWAPPING RWTS ROUTINES TO STANDARD DOS 3.3 AND WRITING THEM OUT AGAIN ON A FORMATTED DISK. THE PROSPECT OF DOING ALL THE SSI GAMES BY HAND BOGGLES THE MIND, HOWEVER, AND REQUIR THE ESSENTIAL TOOLS IN THIS TASK ARE (OF COURSE), BENEATH APPLE DOS, AND THE DOSSOURCE COMMENTED LISTING OF ALL THE DOS CODE). 
NOW, WE KNOW FROM PREVIOUS GAMES LIKE CRISIS MOUNTAIN AND MING'S CHALLENGE THAT WE CAN READ THE SECTORS INTO MEMORY FROM ASE HELD BY RDOS: THERE IS NO SECTOR INTERLEAVING IN SOFTWARE; IT IS ALL DONE BY THE SECTOR NUMBER SEQUENCING DURING SSI'S INITIALIZE ROUTINE. THE IMPORTANCE OF SECTOR INTERLEAVING IS DISCUSSED IN "BAG OF TRICKS", AND IN A SOFTALK ARTICLE ABOUT A YEAR AGO BY WORTH AND LECHNER. (DOS USES A LOOKUP TABLE AT $BFA8 TO CHANGE THE SECTOR NUMBER READ FROM THE VALUE READ OFF THE DISK ("PHYSICAL SECTOR") TO THE NUMBER IT THINKS IT SHOULD BE ("LOGICAL SECTOR"). SSI USES AN "ASCENDING 7" INTERLEAVE SCHEME, WHICH MEANS TTE IT INTO THE SSI.INIT PROGRAM. THE CODE FROM $851 TO $86B NEEDS MORE ALTERATION THAN I HAD PATIENCE FOR (THERE'S ROOM FOR A PATCH IN $9D7-9FF), AND WOULD BE WORTH THE EFFORT IF SOME AMBITIOUS KRACKIST OUT THERE COULD FIND THE TIME... FINALLY, AS A VE USED BY SSI (THE DISK MUST MAKE AN ALMOST AN ENTIRE REVOLUTION FOR EACH SECTOR THAT IS READ IN). IT IS FAIRLY EASY TO ADD AN INTERLEAVE LOOKUP TABLE TO RDOS 3.3 (IT'S CALLED RDOS 3.3A ON THE DISK), BUT BAD THINGS HAPPENED DURING MY ATTEMPTS TO INCORPORAD4 AA B7 (OR D5 AA B5) ADDRESS MARKER BYTE WITH D5 AA 96: CHANGE BYTES $8F5 TO $D5 AND $8FF TO $96. NOW FOR THE BAD NEWS: WHILE RDOS IS FAST, PRIMARILY BECAUSE ALL FILES ARE STORED IN SEQUENCIAL BLOCKS, RDOS 3.3 IS SLOW BECAUSE OF THE SECTOR INTERLEA800-AFF (IT IS USUALLY ACCESSED VIA A 'CALL 2800' FROM A BASIC PROGRAM). SINCE IT ONLY WRITES ADDRESS FIELDS, AND NOT DATA SECTORS (WITH NO VERIFY), IT IS A VERY FAST INIT. ALL THAT'S NECESSARY TO GENERATE A DISK COMPATIBLE WITH RDOS 3.3 IS TO REPLACE THE HE ENTRY POINT OF $A0F0 WILL AVOID THE ENTIRE ISSUE AND MAKE THE COPYA VERSION RUN. THE FINAL (I HOPE) HURDLE TO USING RDOS 3.3 IS THE PROGRAM WHICH INITIALIZES A SAVE GAME DISKETTE IN AN RDOS-COMPATIBLE FORMAT. IT IS CALLED SSI.INIT AND LOADS INTO $TIRE TRACK AND OBLITERATE DATA ON ANY ADJACENT HALF-TRACK. 
AFTER READING IN THE DATA, THE MEMORY VALUES ARE EXCLUSIVE-ORED WITH THE ADDRESS (1000 CONTAINS 00, 1001 CONTAINS 01, ETC.), AND IF AN ERROR IS FOUND, IT REBOOTS THE DISK. PLACING AN RTS ($60) AT TTHE DATA ON THE NEXT HALF-TRACK (AS WITH ALL THESE PROTECTION TECHNIQUES, THE "SECTORS" ARE SKEWED SO THAT THERE IS NEVER VALID DATA OVERLAPPING ON ADJACENT HALF-TRACKS). THIS APPROACH EFFECTIVELY DEFEATS COPIERS LIKE NA II AND LOCKSMITH, WHICH WRITE AN ENG" OR "SPIRALLING". THIS VERSION OF QWERTY READS IN FOUR PAGES OF SEQUENCIAL BYTES FROM EACH OF THE FOUR ADJACENT HALF-TRACKS FROM 20.5 TO 22.0, STORING THEM AT $1000-1FFF. THE THREE BYTES FOLLOWING THE FOUR PAGES WORTH ARE USED AS THE ADDRESS MARKER FOR ELD ON ANY TRACK, AND REBOOTS IF IT'S NOT FOUND. THE REMEDY HERE IS TO PUT A9 00 IN BYTES $20-21. RECENTLY, A MUCH MORE SOPHISTICATED TECHNIQUE HAS BEEN USED (GALACTIC GLADIATORS, ROAD TO GETTYSBURG), WHICH DOES THE SSI EQUIVALENT OF "QUARTER-TRACKINE TRACK. IF IT FINDS IT, A 0 IS STORED IN LOCATION 0, OTHERWISE THE DISK SPINS FOREVER. BY CHANGING BYTES $28-29 TO A9 00, THIS ANNOYANCE IS REMOVED. A SIMILAR ROUTINE, SEEN ONLY ONCE OR TWICE, IS CALLED QWERTY, LOOKS FOR AN $ AA FOLLOWING THE ADDRESS FIRE SEVERAL DIFFERENT SECONDARY PROTECTION SCHEMES USED TO DEFEAT VARIOUS COPIERS, USUALLY GOING UNDER THE INNOCUOUS NAME OF "QWERTY". THE MOST COMMON OF THESE READS IN AN ADDRESS FIELD FROM TRACK 0, DELAYS A BIT, AND LOOKS FOR AN $EE AS THE NEXT BYTE ON THISK (OR TRACK 0 OF ANY OF THE RECENTLY UNPROTECTED SSI SERIES) ONTO TRACK ZERO, SECTORS 0-D. YOU WOULD EXPECT TO HAVE A WORKING COPY OF THE GAME AT THIS POINT, BUT THERE ARE STILL A COUPLE OF SURPRISES IN STORE FOR YOU (I SAID IT WAS A CHALLENGE!). THERE A USE THE "RDOS WRITE" RWTS FROM THE COPYB DISK, OR CHANGE BYTES $BE2A-BE2D TO $EA'S WITH THE INSPECTOR. THIS OMITS THE TABLE LOOKUP AND MAKES THE SECTOR NUMBERS FOLLOW THE SEQUENCE AS USED BY RDOS. 
NEXT, COPY THE FILE CALLED RDOS 3.3 FROM THE COPYB DHAT THE SEQUENCE OF SECTORS ON THE DISK, AS READ BY DOS 3.3 WITH ITS INTERLEAVE TABLE, IS: 0,7,E,6,D,5,C,4,B,3,A,2,9,1,8,F. THE SECOND CATALOG SECTOR, THEN, APPEARS TO BE SECTOR 7. IF YOU INTEND TO DO ANY AMOUNT OF PLAYING AROUND WITH ONE OF THESE DISKS,TYPICAL EXAMPLE OF MURPHY'S LAW ("IF ANYTHING CAN GO WRONG, IT WILL, AND AT THE WORST POSSIBLE MOMENT), THAT AFTER DOING ALL THIS AND CONVERTING SOME 20 GAMES, THE VERY LAST ONE I TRIED WAS GERMANY 1985. THIS IS A FAIRLY RECENT PUBLICATION OF SSI WHICH IS COMPLETELY WRITTEN IN MACHINE LANGUAGE, DOES NOT USE RDOS AT ALL, AND WILL REQUIRE A TOTALLY DIFFERENT APPROACH TO UNPROTECTION. IN THE WORDS OF RICKY SKAGGS ("HEARTBROKE", FROM HIS "HIGHWAYS AND HEARTACHES" ALBUM): "PRIDE, WHEN YOU'RE RICH, IRACK. THIS IS THE KIND OF COUNT THAT NA II EATS FOR BREAKFAST, SO IT'S NOT HARD TO GET AROUND. TRACK 22, ON THE OTHER HAND, SHOWS THAT SIRIUS HAS BEEN READING THE DOCS ON THE MAJOR NIBBLE COPIERS - WE SURE HOPE THEY BOUGHT THEM ALL, RIGHT? IN ORDER TO DOTWO JSR'S TO NOP'S. BUT BEFORE WE DO THAT, LET'S TAKE A MINUTE TO LOOK AT THE COPY PROTECTION SCHEMES ON THESE TWO TRACKS. TRACK 21 HAS A GOOD, OLD-FASHIONED NIBBLE COUNT WHERE THEY DETERMINE THE NUMBER OF BYTES BETWEEN THE TWO OCCURRANCES OF 'AA' ON THE TDRESSES TAKEN FROM A LOOKUP TABLE JUST LIKE BANDITS AND CYCLOD. FOLLOWING THAT, AT 9811 AND 9814 ARE JSR'S TO DIFFERENT NIBBLE COUNT ROUTINES FOR TRACKS 21 AND 22. IN THIS FIRST PART, WE WILL MAKE THE DISK COPY WITH NA II BY CHANGING THE SIX BYTES FOR THE G BOOT (THEY STILL READ IN ALL THE TRACKS FROM 0 TO 1C TO "CHECK YOUR APPLE"), AND CHECKING THE END OF THE BOOT SECTOR AT 890 SHOWS THAT THE STARTING LOCATION IN THE LOADER IS 979B. A SHORT ROUTINE READS THROUGH ALL THE TRACKS, LOADING THEM AT STARTING ADAIGHTFORWARD LOADER FROM THE REST OF TRACK 0 INTO $9600 UP. 
THEY PUT IT THERE RATHER THE 400-7FF SCREEN MEMORY IN ORDER TO DO THE RIPPLE VISUAL EFFECT BANNER (THAT'S ALL IN LO-RES COLOR, BY THE WAY). THE LOADER IS VISIBLE WHEN YOU RESET DURING THE LOOOON WILL DESCRIBE THE REMOVAL OF THE NIBBLE COUNTS FROM THE DISK TO MAKE IT COPY WITH NA II, AND IN PART B WE'LL COVER THE CONVERSION OF THE PROGRAM TO A TOTALLY COPYA VERSION. TRACK 0, SECTOR 0 LOADS, OF COURSE, INTO 800-8FF, AND BRINGS IN A FAIRLY STROURAGING TO SEE THE PUTRID LITTLE DOS COMMAND CHANGE ON ESCAPE FROM RUNGISTAN. WAY OUT IS ABOUT HALFWAY BETWEEN THE TWO, WITH ENOUGH CHALLENGE TO MAKE IT INTERESTING, AND ENOUGH DISK ACCESS TO MAKE IT DIFFERENT. IN THE FIRST HALF OF THIS EPISODE, WE*********************** WELCOME BACK - IT'S BEEN A LONG WEEK SINCE THE LAST INSTALLMENT, SO LET'S GET RIGHT TO THE BUSINESS OF KRACKING WAY OUT. AFTER THE EXCELLENT AND CHALLENGING PROTECTION THAT SIRIUS PUT ON THE BANDITS/CYCLOD GROUP, IT WAS DISC*************************************** * * * KRAKOWICZ'S KRACKING KORNER * * * * =>WAY OUT<= * * * **************** EASY, WE ALL HAVE OUR WEAK SIDES AND NEED SOME GOOD TOUCHIN'. NOBODY SAID THAT IT WOULD NOT BE WORTH IT, THE HUMAN CONDITIONS -- CONTINUE AS SUCH." S A BORE WHEN YOU'RE LONELY, STILL MADNESS PREVAILS UPON REASON TO YIELD. BUT ALL IS NOT LOST, IT IS ONLY MISTAKEN, IT'S A SMALL CONSOLATION, BUT I KNOW JUST HOW YOU FEEL. NOBODY SAID IT WAS GOING TO BE A NIBBLE COUNT, A COPIER HAS TO KNOW WHERE TO START COUNTING AND SOMETIMES WHERE TO ADD OR DELETE THE SPARE NIBBLES. TO DO THIS, NA II ALLOWS YOU TO ENTER AN 8-BYTE ADDRESS MARKER, WHILE LS 4.1 ALLOWS 9 BYTES TO INCLUDE A NORMAL 3-BYTE HEADER, VOL #, TRACK#, AND SECTOR # AT TWO BYTES EACH. THIS TRACK HAS SEVERAL SECTIONS WITH NORMAL "GAPS" JUST LIKE NA AND LS LOVE TO FIND, ALL BEGINNING WITH THE BYTE SEQUENCE AA, D5, D5, FF, D6, FF, FD, FD, DD. 
THE PROGRAM, HOWEVER, LOOKS FOR THE NEXT THREE BYTES AS WEL A E 5 A F 6 B E 7 B F 8 E A 9 E B A F A B F B C MAT TRACK NIBBLES: FIRST SECOND BYTE HALF HALF ---- ----- ------ 0 A A 1 A B 2 B A 3 B B 4 THE VERY GORY DETAILS, A BYTE HAS ITS FIRST HALF IN ONE TRACK NIBBLE, AND ITS SECOND HALF IN THE NEXT: -------SECOND BYTE / / EA FA / / ------------FIRST BYTE THE TABLE BELOW IS USED TO "BUILD UP" THE SIRIUS-FORROM 'D0 02' TO TWO NOP'S: 'EA EA'. THE DATA NIBBLES ALLOWED ON THE DISK UNDER THIS SYSTEM MUST HAVE THE MOST SIGNIFICANT BIT SET, AND AT LEAST EVERY SECOND BIT SET TO ONE: THE ONLY VALID NIBBLES ARE A (1010), B (1011), E (1110), AND F(1111). SPARING LOOK AT THE INSTRUCTIONS AT $9887. THEY ARE 'EOR $F5, BNE 988D', OR BRANCH TO A RE-READ ROUTINE IF THE EXCLUSIVE-OR BETWEEN THE ACCUMULATOR AND THE CHECKSUM IN LOCATION F5 IS NOT ZERO. WE CAN GET AROUND THIS RE-READ IF WE CHANGE THE BYTES FOR 'BNE 988D' FORY AS A FULL BYTE. IN ORDER TO CHANGE A BYTE ON THE TRACK, IT'S NECESSARY TO RECONSTRUCT THE NIBBLES AS THEY WILL APPEAR ON THE TRACK AND FIND THEM WITH A NIBBLE EDITOR. FOR EXAMPLE, TO FIND THE BYTES WHICH CORRESPOND TO THE CHECKSUM ROUTINE, WE NEED TOE OF INSTRUCTIONS WHICH PERFORM THE DECODING WAS LISTED IN KKK #1; BUT BRIEFLY, THE FIRST NIBBLE (BYTE) IS READ IN, THE CARRY BIT IS SET, AND THE RESULT IS ROTATED LEFT ONCE. THIS SHIFTED NIBBLE IS "ANDED" WITH THE NEXT NIBBLE, AND THE RESULT STORED IN MEM OF A BYTE ONTO A DISK 'NIBBLE'. IN ALMOST ALL CASES, ON THE APPLE, INFORMATION IS RECOVERED FROM THE DISK IN A SERIES OF EIGHT-BIT BYTES WHICH THEN MUST BE FURTHER PROCESSED TO DECODE THE REAL BINARY INFORMATION CONTAINED IN THEM). THE FULL SEQUENCACCESS. 
IT FORMALLY REFERS TO EITHER THE LEFT-HAND OR RIGHT-HAND FOUR BITS OF A BYTE, AND HAS BEEN CONTINUED IN USAGE FOR THE UNITS OF INFORMATION STORAGE ON A DISK, EVEN THOUGH MANY SCHEMES, LIKE DOS 3.3, USE A VERY DIFFERENT METHOD OF ENCODING THE 8 BITSADDRESS MARKER OF AD DA DD (THE SIRIUS TRADEMARK), EVERY BYTE IS ENCODED IN A 4+4 FORMAT WHERE HALF THE INFORMATION IS STORED IN EACH NIBBLE (A BRIEF ASIDE - THE USE OF THE TERM 'NIBBLE' IS CONFUSING AND A LITTLE BIT ERRONEOUS WHEN USED IN DESCRIBING DISK AT THE TECHNIQUE USED BY SIRIUS TO ENCODE INFORMATION ON THE DISK, SO LET'S REVIEW FOR A MINUTE. REMEMBER THAT MOST PROTECTED SIRIUS SOFTWARE DOES NOT USE REGULAR SECTORS, BUT AN UNSEGMENTED STREAM EQUIVALENT TO C00 BYTES OF DATA ON EACH TRACK. AFTER THE ANY ALTERATION WILL CHANGE THE CHECKSUM FOR THE TRACK, SO WE FIRST HAVE TO NEGATE THE CHECKSUM COMPARISON ROUTINE. THE SAME PROCESS IS USED FOR THE ACTUAL REMOVAL OF THE NIBBLE COUNT, SO WE'LL DO THE EASY ONE FIRST. IT'S BEEN A WHILE SINCE WE LOOKED THE 64K BYTES READ IN MUST AGREE WITH THE ONE IN THE PROGRAM, OR THE DISK REBOOTS. DEVIOUS ENOUGH, BUT QUITE VISIBLE IN A LOADER THAT WASN'T WELL HIDDEN. TO CHANGE THOSE NIBBLE COUNT JSR'S TO NOP'S, WE HAVE TO ALTER THE ACTUAL NIBBLES ON THE TRACK. L, AND THESE MUST BE EA, B5, F7. ALL BUT ONE OF THESE 9-BIT SEQUENCES HAVE OTHER BYTES FOR THE NEXT THREE, AND THESE WILL BE INCORRECTLY CHOSEN FOR THE ADDRESS MARKER BY ANY OF THE POPULAR COPIERS. THE ENTIRE TRACK IS READ 16 TIMES, AND THE CHECKSUM FOR E E D E F E F E F F F TO BUILD UP 'D0', FOR EXAMPLE, USE E- F- FOR THE 'D' AND -A -A FOR THE ZERO, THEN COMBINE THEM TO GIVE EA FA FOR 'D0'. THE '02' BYTE IS THEN A- A- PLUS -B -A TO MAKE AB AA. THE COMPLETE NIBBLE STRING FOR 'D0 02' IS EA FA AB AA. TO DO THE NIBBLE EDITING THAT FOLLOWS, THE BEST UTILITY IS PROBABLY THE TRACK/BIT EDITOR OF NIBBLES AWAY II. 
LOAD NA II, ENTER D5 AA 96 FOR THE ADDRESS MARKER, SELECT THEACK AND DO TRACKS 9-D BY ALTERING THEIR LOAD LOCATIONS AND SAVING THEM. THE SAVED GAME PICTURE CAN BE SAVED OUT SIMILARLY BY RESETTING AFTER RESTARTING THE SAVED GAME. SAVE THE PICTURE ANYWHERE SAFE; TRACKS 1F AND 20 ARE OK. YOUR DOS DISK NOW CONTAINS ALL 0E TO 1C SO THE LOAD WILL END AFTER THE GAME TRACKS ARE IN. WHEN YOU BOOT THE GAME DISK WITH THESE ALTERED LOCATIONS, THE GAME TRACKS WILL LOAD OBEDIENTLY WHERE THEY'RE TOLD. SAVE THESE ONTO THE SAME TRACKS ON THE DOS 3.3 DISK WITH THE INSPECTOR, THEN GO BONTAIN THE TABLE OF STARTING ADDRESSES FOR EACH TRACK. USE THE NIBBLE ALTERATION SCHEME DISCUSSED IN PART A TO ALTER THE LOCATIONS SO THAT EACH TRACK LOADS INTO AN EVEN 1000 ADDRESS -- T1 TO 1000, T2 TO 2000, ETC., UP TO T8 AT 8000. ALSO CHANGE LOCATION 98 PROGRAM ONTO THE DISK USING CONTROL-W, CONTROL-I-REPEAT, ONTO TRACK E, SECTOR 0 TO TRACK 18, SECTOR 3. THE 13 DATA TRACKS THAT COMPRISE THE MAZES SHOULD NEXT BE TRANSFERRED TO TRACKS 1-D OF THE NEW DISK. LOCATIONS 988F-98AB OF THE ORIGINAL LOADER CD DISK WITH THE INSPECTOR (THE INSPECTOR IN ROM AT D800, PREFERABLY WITH WATSON AT D000, IS AN ABSOLUTE MUST FOR EFFICIENT KRACKING OF TODAY'S SOFTWARE). REMEMBER TO CHANGE LOCATIONS 3D9-3DB TO '4C 00 BD' TO ALLOW THE INSPECTOR TO FIND RWTS, THEN WRITE THEOT A DOS 3.3 DISK BEFORE YOU BOOT THE GAME, AND HIT RESET AFTER THE GAME IS COMPLETELY LOADED (THIS ASSUMES THAT YOU HAVE A NON-AUTOSTART ROM IN THE F8 SOCKET). RWTS WILL STILL BE INTACT AT B700-BFFF, AND YOU CAN WRITE THE ENTIRE PROGRAM ONTO AN INITIALIZE DOING IT THIS WAY SAVES SOME PROGRAMMING TIME, AND SPEEDS THE LOAD, SINCE NO SEPARATE LOAD IS NEEDED FOR THE APPROPRIATE PICTURE AND SAVED GAME. THIS MAIN PROGRAM IS A TOTAL OF A4 (164) SECTORS, RUNNING FROM 800 TO ABFF. A GOOD WAY TO SET THIS UP IS TO BOORY FOR THE RWTS ROUTINES (900 HEX), AND THE INDIVIDUAL READ AND WRITE SUBROUTINES WILL FIT EASILY INTO THE SPACE OF THE ORIGINAL ONES. 
THE EASIEST WAY TO GET THE MAIN PROGRAM LOADED IN IS AS A SINGLE FILE, USING THE ROUTINE BUILT INTO THE DOS BOOT. ED INTO A000-ABFF AND THE CRUCIAL INFORMATION RELOCATED TO SOME SLOTS AT 1A00-1C34. THE DATA F OR THE 26 MAZES ARE STORED TWO TO A TRACK IN TRACKS 1-D; THESE ARE ALSO LOADED INTO THE A000 SPACE FOR TRANSFER TO 1A00 AND UP. FORTUNATELY, THERE IS ROOM IN MEMTWEEN 800-1FFF AND 6000-9BFF; AND TWO HI-RES PICTURES (START GAME AND SAVED GAME) WHICH LOAD AT DIFFERENT TIMES INTO 4000-5FFF. TRACK 1B CONTAINS BEST SCORES AND INITIALS, AND TRACK 1C CONTAINS INFORMATION FOR THE SAVED GAME. BOTH OF THESE TRACKS ARE LOAD WOULD USE D5 AA 96 AS AN ADDRESS MARKER, AND TRACKS 1-1C USE AD DA DD. THIS PART OF THE KORNER IS DEVOTED TO MAKING WAY OUT (AND HOPEFULLY SIMILAR GAMES IN THE FUTURE) COPYA. WAY OUT IS STRUCTURED IN THE FOLLOWING WAY: IT HAS A MAIN PROGRAM SPLIT BEFF EA, AND WRITE IT TO A BLANK DISK WITH THE 'W' KEY. WITH THE CHECKSUM SAFELY REMOVED, YOU CAN FOLLOW THE SAME GENERAL PROCEDURE TO REMOVE THE NIBBLE COUNT JSR'S AT 9811 AND 9814, ALLOWING YOU TO MAKE A WORKING COPY OF WAY OUT WITH NA II. TRACK ZERO SEQUENCE IN A PROGRAM IS RISKY, WHILE A FOUR-BYTE SEQUENCE IS PRETTY SAFE. IN THIS CASE, YOU REALLY SHOULD ADD THE PRECEDING TWO BYTES 45 F5, WHICH TRANSLATE TO BA EF FA FF). WHEN THIS STRING IS LOCATED, REPLACE IT WITH THE EQUIVALENT OF TWO EA'S: FF EA TRACK EDITOR AND READ IN TRACK ZERO. TYPE 'Z' TO ALLOW THE PROGRAM TO ANALYZE THE TRACK, THEN MOVE THE CURSOR TO THE PAGE CONTAINING THE POINTER (USUALLY 6700). TYPE 'S' FOR STRING SEARCH AND ENTER EA FA AB AA (AS A GENERAL RULE, SEARCHING FOR A TWO-BYTETHE DATA FOR THE GAME, AND ALL YOU NEED ARE A FEW QUICK READ AND WRITE SUBROUTINES. TO USE THE DOS BOOT ROUTINE TO LOAD THE BIG PART, READ IN T0, S1 FROM A STANDARD DOS 3.3 DISK. 
MAKE THE FOLLOWING CHANGES, AND WRITE IT BACK OUT TO YOUR DISK: LOCATION MEANING NEW VALUE -------- ------- --------- 15 FIRST TRACK 18 1A FIRST SECTOR 03 E0 # OF SECTORS A4 E7 FIRST STORAGE PAGE+1 AC WHEN THE DISK IS BOOTED, STAGE 1 THINKES, WHICH HAS NO CONNECTION WHATEVER WITH THE WELL-KNOWN KRACKIST OF THE SAME NAME. M OR 400<1000.13FFM, AND SO ON. THESE WILL PUT THE FILE ON THE SCREEN FOR YOUR PERUSAL. THIS REMINDS ME OF LOCKING YOUR VALUABLES IN A SAFE AND THEN WRITING THE COMBINATION ON THE DOOR! THE PROTECTION SCHEME, BY THE WAY, WAS WRITTEN BY ZERO PAGE ENTERPRIZPROTECTION SCHEME EMPLOYED. IF YOU READ THROUGH THE MEMORY AT C00-1FFF, YOU WILL FIND LARGE CHUNKS OF AN ASCII FILE WITH SUCH GEMS AS "JSR NBLCNT", ETC. YOU CAN ALSO SEE IT BY LOADING AND RESETTING THE PROGRAM, THEN TYPING THE MONITOR COMMANDS 400