===> THE BASICS OF BASIC CRACKING <===
 BY : COPY/CAT OF */HI-RES<>HIJACKERS/*

THIS ARTICLE WILL ATTEMPT TO SHOW HOW T
O CRACK PROGRAMS AT THE VERY BEGINNING 
LEVEL USING EXAMPLES OF SEVERAL GAMES W
HICH ARE NOT GOOD GAMES, BUT ARE GOOD T
O DEMONSTRATE JUST HOW TO START OFF IN 
THE FIELD OF CRACKING.

DEMUFFIN PLUS IS A PROGRAM THAT WAS MAD
E FROM THE PROGRAM "MUFFIN", FOUND ON T
HE SYSTEM MASTER.  MUFFIN CONVERTS DOS 
3.2 FILES TO DOS 3.3.  DEMUFFIN PLUS, O
N THE OTHER HAND, IS MODIFIED TO CONVER
T ANY SEMI-NORMAL DOS TO DOS 3.3.  HOW 
IT DOES THIS IS AS FOLLOWS:

[1] READ FILES FROM THE PROTECTED DISK 
USING THE DOS IN MEMORY

[2] WRITE THE FILES TO A NORMAL DOS 3.3
 SINCE DEMUFFIN PLUS ITSELF HAS THE DOS
 3.3 DATA INSIDE THE PROGRAM.

YOU CAN TELL IF A PROGRAM MIGHT BE ABLE
 TO BE CRACKED WITH DEMUFFIN PLUS IF YO
U SEE THE APPLESOFT PROMPT (]) WHILE TH
E PROGRAM BOOTS.  IF IT DOES SHOW THAT 
PROMPT, DO THIS:

]BLOAD DEMUFFIN PLUS,A$6000
]PR#6 (PROTECTED DISK)

AS THE DISK BOOTS, HOLD DOWN <CTRL-C> A
ND THE REPEAT KEY.  MOST OF THE TIME YO
U WILL BREAK OUT, IF ONLY TEMPORARILY. 
 ONCE YOU GET THE APPLESOFT PROMPT AND 
THE CURSOR, TRY A CALL-151 TO GET INTO 
THE MONITOR.  AS AN EXAMPLE, KLONDIKE 2
000 CAN BE BROKEN OUT OF AND CRACKED WI
TH CTRL-C AND THE STEP LISTED BELOW.  I
F, HOWEVER, YOU TRY A CALL-151 AND THE 
PROGRAM RESTARTS OR REBOOTS (TYPICAL OF
 OLD BR0DERBUND PROTECTIONS), THEN YOU 
WILL NEED AN OLD MONITOR OR AT LEAST A 
RAMCARD (A LISTING OF THE OLD MONITOR E
MULATOR IS AT THE END OF THIS FILE).   
IF YOU HAVE EITHER THEN JUST BREAK OUT 
INTO THE MONITOR.  ONCE IN THE MONITOR 
BY ANY METHOD, DO THIS:

*803<6000.8000M N 803G

THIS COMMAND MOVES DEMUFFIN PLUS FROM $
6000 TO $803, WHERE IT CAN RUN.  NOW JU
ST USE DEMUFFIN PLUS AS IF YOU WERE USI
NG MUFFIN, EXCEPT SINCE YOU DON'T KNOW 
THE FILENAMES, YOU MUST USE THE "=" WIL
DCARD CHARACTER WHEN ASKED FOR THE FILE
NAME.  THIS SHOULD COPY ALL THE FILES T
O YOUR DOS 3.3 DISK, AND THE PROGRAM SH
OULD BE CRACKED.  IF ALL THE FILES COPY
 BUT THE PROGRAM DOESN'T WORK, THEN THE
RE MAY BE A NIBBLE COUNT OR OTHER CHECK
.  SEE PART ][.  IF THE PROGRAM CAN'T E
VEN READ ONE FILE FROM THE PROTECTED DI
SK, THEN DEMUFFIN PLUS CANNOT CRACK THA
T PROGRAM.

THE FOLLOWING STEPS ASSUME YOU HAVE AN 
APPLE ][+ (NOT ][E!) WITH A RAMCARD IN 
SLOT 0.

]CALL-151

*B800 (RETURN)

*C081 (RETURN)

*D000<D000.FFFFM (RETURN)

*FA85:4C 69 FF (RETURN)

*C080 (RETURN)

*6 (CTRL-P RETURN) TO BOOT PROTECTED DI
SK.  IF THE PROGRAM DRAINS THE RAMCARD,
 YOU MIGHT WANT TO MOVE IT TO SLOT 1 (A
ND PULL OUT YOUR PRINTER INTERFACE CARD
, IF ANY).  THEN CHANGE THE "C080" AND 
"C081" ADDRESSES TO "C090" AND "C091".

PART ][ - REMOVING NIBBLE COUNTS AND DO
S CHECKS

IF YOU FOLLOWED THE STEPS IN PART I FOR
 THE PROGRAM "DARK FOREST", BY SIRIUS, 
YOU WILL NOTICE THAT THE CRACKED PROGRA
M DOES NOT WORK.  LISTING THE BOOT PROG
RAM WILL HELP.  YOU'LL SEE A FUNNY COMM
AND IN DOS THAT YOU WON'T RECOGNIZE.  I
F YOU CATALOG THE DISK, THOUGH, YOU'LL 
SEE THAT THE FILE THE COMMAND IS TRYING
 TO ACCESS IS IN APPLESOFT.  SO, CHANGE
 THE STRANGE COMMAND TO "RUN" AND THE P
ROGRAM WILL GO.  BUT, AFTER SELECTING T
HE MAP FOR THE GAME, THE PICTURE LOADS 
BUT THEN IT REBOOTS.  STRANGE.  SO, AGA
IN YOU MUST LOAD THE LARGE MAIN FILE AN
D LIST IT UNTIL YOU FIND THE PART ABOUT
 LOADING THE PICTURE.  FINALLY YOU SHOU
LD SEE THE "BLOAD" COMMAND.  RIGHT AFTE
R THAT IS A "IF THEN" STATEMENT THAT CH
ECKS A DOS LOCATION.  WELL OBVIOUSLY TH
AT ISN'T AT ALL NECESSARY, SO REMOVE TH
AT LINE AND SAVE THE PROGRAM.  NOW THE 
WHOLE GAME WORKS, AND DARK FOREST IS CR
ACKED.  THIS EXAMPLE IS TYPICAL OF APPL
ESOFT PROTECTS THAT CHECK TO SEE IF THE
 DOS IS THE SAME AS THE ORIGINAL COPY. 
 UNFORTUNATELY, MOST DOS CHECKS ARE IN 
MACHINE LANGUAGE AND THEREFORE NOT SO O
BVIOUS.  SHADOWHAWK ONE IS A GOOD EXAMP
LE.  AFTER YOU COPY THE PROGRAM WITH CO
PYA, YOU BOOT THE DISK.  THE FIRST TITL
EPAGE GOES UP AND THERE IS A PAUSE.  SU
DDENLY THE HI-RES SCREEN IS FULL OF LIN
ES, AND WHEN YOU HIT <RESET>, YOU SEE A
 MESSAGE THAT SAYS "UNAUTHORIZED COPY".
  TO FIND OUT HOW THEY KNEW THAT, YOU M
UST LOOK AT THE MACHINE LANGUAGE FILES.
  THE HELLO PROGRAM RUNS "OBJ.HELLO", S
O BLOAD THAT FILE.  BY CHECKING BYTES $
AA72 AND $AA73 YOU SEE THAT THE FILE ST
ARTS AT $803.  LIST THE PROGRAM (803L) 
AND LOOK AT THE PROGRAM TO SEE WHAT IT 
DOES.  YOU'LL SEE A BUNCH OF ??? COMMAN
DS, WHICH USUALLY INDICATES TEXT.  BY L
OOKING AT THEIR ASCII VALUES YOU'LL SEE
 THAT IT SPELLS OUT "BLOAD HEAD.PIC" SO
 YOU KNOW WHERE YOU ARE IN TERMS OF TIM
E.  SINCE THE PROGRAM CRASHES AFTER LOA
DING THE FILE LOOK AT THE PART AFTER TH
E BLOAD.  YOU WILL SEE A JSR TO $4000 W
HICH IS STRANGE SINCE THAT'S THE END OF
 HI-RES PAGE 1. GET OUT OF THE MONITOR 
AND CATALOG THE DISK.  HMM!  THE PICTUR
ES HEAD.PIC AND HAWK.PIC ARE BOTH 35 SE
CTORS, ONE TOO LONG FOR A REGULAR PICTU
RE.  BLOADING THE PICTURE AND LOOKING A
T $4000 SHOWS A LITTLE SUBROUTINE THAT 
UPON RUNNING, RUNS THE DISK DRIVE.  VER
Y PECULIAR.  INSTEAD OF NO-OPING (EA) T
HE ENTIRE END OF BOTH PICTURE, SIMPLY L
OOK FOR JSR'S TO $4000.  IN THE FILE "O
BJ.HELLO" THERE ARE TWO; ONE AT $844 AN
D ANOTHER AT $864.  "EA" ALL THREE BYTE
S FOR BOTH LOCATIONS.  BSAVE THE FILE (
A$803,L$BD) AND BOOT THE DISK.  THIS TI
ME WE GOT TO THE SECOND TITLEPAGE BUT I
T ALSO CRASHED SO LOOK AT THE SECOND FI
LE, OBJ.DEMO.  A QUICK LISTING WILL GET
 US TO THE MAIN PROGRAM PAST ALL THE BR
K'S (00) AND THE FIRST THING YOU SEE, I
S AT 8E3 WHICH IS ANOTHER JSR TO $4000.
  "EA" THAT JSR AND SAVE THE FILE (A$80
3,L$765).  NOW BOOT ONCE AGAIN, AND THE
 GAME RUNS.  SHADOWHAWK ONE IS NOW CRAC
KED.  THIS IS THE USUAL WAY TO NIBBLE C
OUNT (JSR) BUT NOT THE USUAL WAY OF FIN
DING IT.  MOST TIMES YOU WILL NOT BE GI
VEN REGULAR DOS 3.3 AND FILES THAT CAN 
BE LOOKED OVER SO EASILY.  IT MAY TAKE 
DEMUFFIN PLUS TO CONVERT THE FILES, THE
N REMOVE THE JSR USING "EA EA EA".

    PART /// - HIDDEN NIBBLE COUNTS

NOW THAT YOU HAVE SEEN HOW NIBBLE COUNT
S USUALLY OPERATE, WE WILL GO INTO THE 
AREA OF HIDDEN NIBBLE COUNTS.  THE BEST
 EXAMPLE OF A HIDDEN NIBBLE COUNT IS IN
 THE SCOTT ADAMS ADVENTURE SERIES.  ALT
HOUGH I PERSONALLY HAVE ONLY SEEN SAGA 
#3, CRACKER JACK HAS TOLD ME THAT IN #2
 A SIMILAR PROTECTION WAS USED.  IN ANY
 EVENT, SAGA #3 CAN BE EASILY DEMUFFINE
D TO A DOS 3.3 DISK.  ONCE YOU HAVE DON
E THAT (USING THE STEPS IN PART I) TRY 
BOOTING UP THE DISK.  IT WILL SEEM TO W
ORK FINE, BUT TRY GOING WEST TWICE TO T
HE LOCKER ROOM.  IN THE ROOM IS A PAIL.
  PICK IT UP (NO, THIS ISN'T A SOLVER F
ILE).  THE DISK DRIVE WILL RUN NORMALLY
, THEN MAKE A FUNNY "SHLOOK"    NOISE. 
 THIS IS ALWAYS IS A SIGN OF A NIBBLE C
OUNT (ESPECIALLY THE ADVENTURE INTERNAT
IONAL TYPE).  IT WILL BEEP AND SAY "O.K
." AND REBOOT.  WELL NOW ALL YOU HAVE T
O DO IS FIND THE NIBBLE COUNT AND REMOV
E IT.  EASIER SAID THAN DONE.  BY LOOKI
NG AT THE LOADER PROGRAM, YOU WILL FIND
 THAT THE MAIN FILES ARE M1, M2 AND M3.
  LET THE LOADER PROGRAM LOAD THEM IN A
T THE CORRECT PLACES FOR YOU, THEN GO I
NTO THE MONITOR.  SINCE THE WAY THE PRO
GRAM ACCESSES THESE FILES IS IN MACHINE
 LANGUAGE, THERE ISN'T TOO MUCH TO DO E
XCEPT LOOK AT THE BEGINNING OF EACH FIL
E AND POKING AROUND.  AFTER SEVERAL ATT
EMPTS AT RUNNING LIKELY SUBROUTINES BY 
DOING A ####G AT THE STARTS OF ROUTINES
, YOU WILL FIND THAT THE NIBBLE COUNT I
S SIMPLY NOT THERE.  IN FACT, THERE IS 
VERY LITTLE ACTUAL PROGRAM IN MEMORY.  
NOW THE POSSIBILITY OF THE NIBBLE COUNT
 BEING IN ANOTHER FILE SEEMS LIKELY.  I
NSTEAD OF LOADING ALL HUNDRED OR SO PIC
TURE FILES, A GOOD WAY TO LOOK IS TO LE
T THE ADVENTURE LOAD IT IN FOR YOU.  SO
 BOOT IT AGAIN AND PLAY UP TO THE ROOM 
WITH THE PAIL.  TYPE "GET PAIL", AND WH
EN THE DRIVE STARTS MAKING THAT FUNNY S
OUND AGAIN, HIT <RESET>.  NOW WE CAN LO
OK AT MEMORY THAT IS PRESENT DURING THE
 ACTUAL NIBBLE COUNT.  AFTER SEVERAL FR
UITLESS ATTEMPTS AT RUNNING SUBROUTINES
, YOU SHOULD EVENTUALLY FIND THAT THE N
IBBLE COUNT'S STARTING LOCATION IS AT $
1E7B.  SINCE WE DON'T KNOW WHAT FILE LO
ADED IN $1E7B, WE LOOK AT THE THREE ORI
GINAL FILES (M1, M2, M3) TO SEE IF ANY 
OF THEM CONTAIN THE ADDRESS (NOT NECESS
ARILY THE ACTUAL NIBBLE COUNT) WHERE TH
E NIBBLE COUNT STARTS.  YOU WILL FIND T
HAT "M1" RUNS OVER THE LOCATIONS AROUND
 $1E7B.  NOW LIST FROM $1E70 TO THE PRI
NTER.  THEN WE CAN COMPARE THAT TO THE 
SAME LISTING AFTER THE NIBBLE COUNT APP
EARS.  A QUICK EXAMINATION SHOWS THAT T
HE LOCATIONS $1E70 THROUGH $1E7A ARE TH
E SAME.  WHILE IT LOOKS LIKE GARBAGE, W
HEN THE NIBBLE COUNT ROUTINE APPEARS AT
 LOCATION $1E7B IT IS ACTUALLY PART OF 
THE PROGRAM.  NOW WE HAVE TWO OPTIONS. 
 THE FIRST WOULD BE TO FIND WHERE THE M
AIN ADVENTURE JSR'S TO $1E70 OR THEREAB
OUTS.  THE SECOND IS TO SKIP OVER THE N
IBBLE COUNT SUBROUTINE AND RETURN WITHO
UT ACTUALLY DOING THE NIBBLE COUNT.  SI
NCE THE ADVENTURE MAY JSR TO THE NIBBLE
 COUNT MORE THAN ONCE, IT WOULD BE WISE
R TO USE THE SECOND OPTION.  TO MAKE TH
E ROUTINE RETURN WITHOUT DOING ANYTHING
, JUST PUT AN "EA" (NOP OR NO OPERATION
) AT LOCATION $1E70 AND A "60" (RTS OR 
RETURN FROM SUBROUTINE) AT LOCATION $1E
71.  BSAVE M1 TO THE DISK AND RUN THE G
AME.  THE PAIL CAN NOW BE PICKED UP WIT
HOUT ANY DISK DRIVE ACCESS, AND THE GAM