MSG LEFT BY: RESET VECTOR

Now, another example of a normally formatted disk that won't boot when it is copied is Learning with Leeper from Online. If you copy it and then boot the copy, you will see that it checks track 0 and then dies when it doesn't find what it is looking for. A search for BD 8C C0 is fruitless (nowhere on the disk), so we have to try another method. Boot the copy, and just as the drive heads toward track 0 to check the protection, hit your NMI switch, then write down the program counter and the addresses on the stack. If you do this several times, you will find a bunch of addresses in the $1200 range. Now, protection routines like this are generally subroutines (accessed via a JSR), so if we look for JSRs ("20") in the $1200 range, maybe we can do something about it. Here is where CIA is essential, because we can do a search for 20==12. You will find this code in just 3 locations on the disk, and if you just try replacing them one by one with EA EA EA (NOPs), you will find that replacing one of them leads to a working disk.

There is one final variation on this theme. Sometimes you cannot find a BD 8C C0, and sometimes you cannot find a JSR in the memory range you are looking for. Typical of this is Stellar Defense (please all note my corrected SECTMOD when I have a chance to post it - my originally posted one does not work quite right). This disk can be copied with COPYA but will die when it checks track 0. You cannot find either a BD 8C C0 (at least not one that changing will help!) or a JSR into the range of the checking code. Well, let's just find the code itself! Hit your NMI switch when the drive goes to track 0 to check (this may take a few attempts to get an address other than in DOS). Eventually you will find an address in the PC or on the stack of $3E58.

If we then use the monitor (the Replay ][ monitor is really helpful here) to list this address, we will find a sequence of bytes; write down 7 or 8 bytes, and then search the disk for this string. You will find this string on track 5 sector 6, and you will see some code with CMPs and branches that ends in an RTS. The first thing to try is to move the RTS to the beginning of this code; and lo and behold the disk boots up and runs. The only problem is that when you play the game all the enemy ships are invisible! Well, if you look again at this code, you will see that a lot of the branches are to a JMP instruction right after the RTS. So try and move the JMP instruction to the start - well, it acts just as if you had moved the RTS to the start! So what you have to do is peek at the code that is being JMPed to, by booting the disk, hitting the NMI switch and then listing the code at the address which is JMPed to ($3A68). Write down the string and search the disk - it will be found on track 5 sector A. Disassembly reveals another little checking routine with an RTS at the end. Move this RTS to the beginning and voila! Cracked Stellar Defense!

Well, now that all the advanced crackers are bored and the neophytes have indigestion, I will bring this to a close. I only meant to get across some general principles; you may not know any machine language, but with a little help you can find the area of code that is doing the checking and then just play around with it until something (good, I hope) happens. It won't make you a Kracowicz or Apple Bandit or Krac-Man or Freeze or Disk Jockey or Red Rebel, but it might make you a better cracker. Courtesy of ->Reset Vector!
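The disk search the message relies on (a byte string with a wildcard, such as CIA's 20==12, located by track and sector) as an added example; this is not code from Reset Vector's message or from CIA. It assumes a standard 143,360-byte 16-sector .dsk image in DOS 3.3 logical sector order, and the disk contents it scans are constructed inline rather than read from a real disk.

```python
"""Scan a 16-sector Apple II .dsk image for a byte pattern with wildcards
and report every match as (track, sector, offset), the way a CIA-style
search such as 20==12 does. Constructed example; the image is synthetic."""

TRACKS = 35
SECTORS = 16
SECTOR_SIZE = 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE  # 143,360 bytes


def parse_pattern(text):
    """'20 == 12' -> [0x20, None, 0x12]; '==' or '??' marks a wildcard byte."""
    return [None if tok in ("==", "??") else int(tok, 16) for tok in text.split()]


def find_pattern(image, text):
    """Return [(track, sector, offset), ...] for each place the pattern starts.
    A .dsk image holds track 0 first, each track as 16 sectors of 256 bytes
    in logical (DOS 3.3) order, so a byte position maps back arithmetically."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"expected {IMAGE_SIZE}-byte image, got {len(image)}")
    pattern = parse_pattern(text)
    hits = []
    for pos in range(len(image) - len(pattern) + 1):
        if all(p is None or image[pos + i] == p for i, p in enumerate(pattern)):
            track, rem = divmod(pos, SECTORS * SECTOR_SIZE)
            sector, offset = divmod(rem, SECTOR_SIZE)
            hits.append((track, sector, offset))
    return hits


def build_sample_image():
    """Synthetic image (not a real disk): an LDA $C08C,X (BD 8C C0) in
    track 0 sector 0 and a JSR $1234 (20 34 12) in track 5 sector 6."""
    img = bytearray(IMAGE_SIZE)
    img[0x10:0x13] = bytes.fromhex("BD8CC0")
    pos = (5 * SECTORS + 6) * SECTOR_SIZE + 0x40
    img[pos:pos + 3] = bytes.fromhex("203412")
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image()
    for pat in ("BD 8C C0", "20 == 12"):
        for track, sector, offset in find_pattern(disk, pat):
            print(f"{pat}: track ${track:02X} sector ${sector:X} offset ${offset:02X}")
```

A pattern that straddles a sector boundary is still found, since the scan runs over the whole image and only the start position is converted to track/sector.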