Bootlegger Magazine (1983), Apple II Magazines (DO): CRACKING-PART 5
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
KRAKING SHEILA
The purpose of this essay is not to provide you with a cookbook for cracking Sheila. Rather, I am going to describe the general approach I took, in the hope that it will be of use to you in cracking similar programs.
STEP 1: CASE THE JOINT!
The first step in cracking any program is to get an idea of the nature of the protection. Does the program access the disk? If so, are the disk accesses necessary to the program's function, part of the protection, or both? Does the program use a custom routine to read the disk, or a modified version of the standard DOS? If the latter, what sort of modifications have been made?
Sheila is an arcade-style adventure. There are 5 mazes, and the disk is accessed each time you enter a new maze (and for a hi-res castle at the beginning). If you open the drive door while it's trying to load a maze, it recalibrates and tries again; this suggested to me a fairly normal RWTS, since many custom routines don't bother with this. The boot was manifestly abnormal, with much head movement and 3 recalibrations. Furthermore, the disk would not boot unless write-enabled. Such a boot offers much opportunity for chicanery, so I resolved to use boot tracing only as a last resort. Nibble copies would not boot, but I found that I could switch to a copy once the program was going, indicating that the major protection was in the boot. Examining a nibble dump of the disk (using The Inspector), I concluded that most tracks were nearly normal 3.2, but with a modified sector header.
STEP 2: GET IT OUT OF MEMORY.
Having figured out as much as I could from 'outside', I decided that it was time to get a look inside the program. The trick in getting a program out of memory is to preserve $0.7FF, much of which is modified by a standard reset. As you probably know, this can be done either by tracing the boot (which I hoped to avoid) or by the use of a modified monitor. Typically, the monitor is modified so that the reset vector at $FFFC points at a memory move routine which relocates pages 0-8 somewhere out of the way. The modified monitor can then be installed in a RAM card. It is generally necessary to protect the RAM card in some way so that the program cannot erase it or turn it off (my card has been modified for this purpose, but I understand that it is possible to fool many programs by putting the card in slot 1 instead of slot 0). There are several of these cracking monitors going around, including versions by Bozo and Lockbuster, and a commercial version called Masterkey+.

A modest refinement of this method is to use a non-maskable interrupt (NMI) instead of a reset. To generate an NMI, you just add a switch to connect peripheral pin #29 (the NMI line, on any card) to pin #26 (ground) through a 100 ohm resistor. When the 6502 sees an NMI, it pushes the status register and program counter onto the stack, then jumps via $FFFA. This I've modified to lead to a routine (inside the monitor) which moves pages 0-8 to $2100.29FF, then jumps to the old monitor reset routine.

After getting inside the program in this way, I manually moved $9600.9CFF to $2A00.30FF and $9D00.BFFF to $D000.F2FF on the RAM card, thus clearing the way for a slave boot. I then saved all the pieces of the program onto a normal 3.3 disk. As a test, I wrote a routine to move everything back, reload the registers, and do an RTI (return from interrupt). The program restarted as expected, then bombed out trying to read the disk.

Inspection of the code revealed a fairly standard DOS in the usual place. It seemed to be patched rather than reassembled, since I saw several routines which I was fairly certain the program didn't need. RWTS was in its usual home ($B800.BFFF). Using The Inspector in conjunction with Sheila's RWTS, I was now able to read most of the tracks on the original disk, but I couldn't see anything resembling a catalog. This suggested that the program was loading data from known disk locations using RWTS directly. To test this hypothesis, I interrupted while the program was trying to access the disk. As expected, examination of the top of the stack indicated that the program counter was in RWTS.
STEP 3: CONVERT THE DATA TRACKS.
There were still those disk loads to contend with. Poking around inside Sheila, I found a somewhat modified RWTS with an entry at the usual location, $BD00. Then I booted a 32K DOS 3.3 slave (which I had made by pulling out the last row of RAM chips, booting a master and INIT-ing a slave). Now I had Sheila's RWTS at $BD00 and DOS 3.3 RWTS at $7D00. Then I entered The Inspector and set the RWTS vector at $3DC.3DE to point to $BD00. Then I read in some sectors of Sheila, saving them in memory (being careful not to overwrite either RWTS). Next I switched the RWTS vector to $B700, and wrote the sectors I had read to the corresponding tracks on a DOS 3.3 disk, until I had converted all the tracks I could read. I then repeated the process with a 32K 3.2 RWTS, so that when I finished I had both a 3.3 and a 3.2 disk with the data tracks from Sheila.
STEP 4: CONVERT THE DOS.
The next step was to modify the Sheila RWTS so that it would read from a normal format disk. Since Sheila's DOS seemed almost 3.2, I decided first to see if I could get it to read the 3.2 data disk. This was surprisingly easy; I just patched the sector header in the read portion of Sheila's RWTS to match the normal DOS 3.2 address prologue (D5 AA B5) and it would happily read data off the 3.2 disk that I had made.
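The modified-header observation from Step 1 and the prologue patch just described, as an added example (this is not code from the article, from Sheila, or from The Inspector): a Python scanner that pulls address fields out of a nibble-level track dump, doing in code what you do by eye in a nibble view. The track bytes are constructed in memory; the "modified" prologue D4 AA B5 is a hypothetical stand-in, since the article never gives Sheila's real header; data fields are stubbed with filler and not 6-and-2 decoded. Decoding a track with the wrong prologue finds nothing, which is exactly why a stock RWTS cannot read the original and why patching three bytes in the read routine fixes it.

```python
"""Decode Apple II address fields from a nibble-level track dump.

Added example, not part of the Bootlegger article. The track bytes are
constructed in memory, and MODIFIED_PROLOGUE is a hypothetical stand-in
for Sheila's real header, which the article does not give.
"""

DOS32_ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0xB5])   # 13-sector DOS 3.2
DOS33_ADDR_PROLOGUE = bytes([0xD5, 0xAA, 0x96])   # 16-sector DOS 3.3
MODIFIED_PROLOGUE = bytes([0xD4, 0xAA, 0xB5])     # hypothetical, constructed
ADDR_EPILOGUE = bytes([0xDE, 0xAA])               # RWTS checks DE AA; the EB after it is not checked


def encode44(value):
    """4-and-4 encoding: the odd bits go in the first byte, the even bits in
    the second, with the unused bit positions forced to 1 so both bytes are
    legal disk bytes (high bit set, no long runs of zeros)."""
    return bytes([((value >> 1) & 0x55) | 0xAA, (value & 0x55) | 0xAA])


def decode44(first, second):
    """Inverse of encode44, the same expression RWTS uses: (first<<1 | 1) & second."""
    return ((first << 1) | 1) & second


def address_field(prologue, volume, track, sector):
    """One address field: prologue, volume, track, sector, checksum, epilogue."""
    checksum = volume ^ track ^ sector
    return (prologue + encode44(volume) + encode44(track) + encode44(sector)
            + encode44(checksum) + ADDR_EPILOGUE + b"\xEB")


def build_track(prologue, track, sectors, volume=254):
    """Constructed nibble stream: a self-sync gap before each address field,
    then a short stand-in for the data field (real data fields are 6-and-2
    encoded and much longer; they are not decoded here)."""
    out = bytearray()
    for sec in sectors:
        out += b"\xFF" * 10
        out += address_field(prologue, volume, track, sec)
        out += b"\xFF" * 5 + b"\xD5\xAA\xAD" + b"\x96" * 16 + ADDR_EPILOGUE + b"\xEB"
    return bytes(out)


def scan_address_fields(track_bytes, prologue):
    """Return (volume, track, sector) for every address field whose prologue,
    checksum and epilogue all verify, the same tests DOS RWTS applies before
    it trusts a sector header."""
    found, pos = [], 0
    while (pos := track_bytes.find(prologue, pos)) >= 0:
        body = track_bytes[pos + len(prologue): pos + len(prologue) + 10]
        pos += len(prologue)
        if len(body) < 10:
            break
        vol, trk, sec, chk = (decode44(body[i], body[i + 1]) for i in range(0, 8, 2))
        if chk == (vol ^ trk ^ sec) and body[8:10] == ADDR_EPILOGUE:
            found.append((vol, trk, sec))
    return found


def corrupt_checksum(field):
    """Flip the checksum of a 14-byte address field (checksum pair at bytes 9-10),
    to show that a header with a bad checksum is ignored, not misread."""
    chk = decode44(field[9], field[10])
    return field[:9] + encode44(chk ^ 0xFF) + field[11:]


def case_the_joint(track_bytes):
    """How many good headers a nibble dump yields under each prologue."""
    return {
        "dos32": len(scan_address_fields(track_bytes, DOS32_ADDR_PROLOGUE)),
        "dos33": len(scan_address_fields(track_bytes, DOS33_ADDR_PROLOGUE)),
        "modified": len(scan_address_fields(track_bytes, MODIFIED_PROLOGUE)),
    }


if __name__ == "__main__":
    protected = build_track(MODIFIED_PROLOGUE, track=3, sectors=range(13))
    print(case_the_joint(protected))                        # {'dos32': 0, 'dos33': 0, 'modified': 13}
    print(scan_address_fields(protected, MODIFIED_PROLOGUE)[:3])
```

Scanning with the stock 3.2 and 3.3 prologues reports zero headers on the protected track; scanning with the modified prologue reports all 13, which is the signature the article describes (nearly normal 3.2 with only the header changed). A patched checksum byte is silently skipped rather than producing a wrong track/sector, which is also how RWTS behaves, so a count that comes up short is the thing to look at in a dump.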
Unfortunately, I wanted 3.3. My first attempt at conversion to 3.3 was simply to replace the entire RWTS from Sheila with a normal 3.3 RWTS. At first it looked good; the program loaded the first maze from my 3.3 data disk. Unfortunately, the minute I hit a key it locked up. A postmortem indicated that a keyboard input routine on page 4 had mysteriously turned to garbage. Out came the DOS source listings. Sure enough, RWTS stores data in locations $478, $4F8, $578, $5F8, and $6F8 (these are in the text page area, in the "screen holes" that do not show on the screen). Clearly, it was going to be necessary to modify the RWTS to eliminate the conflict.

Looking through RWTS, I noticed that locations $BCE0 to $BCFF were apparently unused by both the normal 3.3 and Sheila RWTS. It was a simple task to edit the DOS source RWTS listing to use this area instead of the text page region. At Long-John's suggestion, I also moved the sector interleaving table, normally at $BFB8.BFC7, to reside at $BCF0.BCFF, in case Sheila was using that area for something else (3.2 RWTS doesn't have a sector interleaving table). I then reassembled RWTS using LISA 2.5. Rather than completely replace Sheila's RWTS, I decided to move in only the read routines from my reassembled RWTS, since I knew Sheila didn't write to disk. The areas switched were as follows: $B800.B8C1, $BA29.BA95, $BB00.BCFF, and $BEAF.BFFF. I then restarted Sheila, and verified that the program ran correctly with the 3.3 data disk.
STEP 5: PUTTING IT ALL TOGETHER.
The final task was to get Sheila onto the disk with the data. There was one problem: one of the data tracks was $11, the normal location of the catalog and VTOC. Clearly it would be necessary to modify either Sheila or DOS to eliminate the conflict. Taking the path of least resistance, I elected to modify DOS to use track $15 instead of $11. This meant that normal DOS would be unable to find the catalog, but it wouldn't interfere with COPYA, which doesn't make use of the catalog. To do this, I changed location $AC01 in DOS from $11 to $15, then initialized a disk. This placed the VTOC on track $15. Then, using The Inspector, I changed track $15, sector $0, byte $1 from $11 to $15, so that DOS would know to use track $15 for the catalog. Then I copied the data tracks from my Sheila 3.3 data disk onto the new disk, and changed the sector-use bitmap to protect the data sectors and the catalog. I then assembled all of the pieces of Sheila into a single file, and prefaced it with a memory move to put everything back where it belonged. Finally, I booted the data disk (with the catalog on track $15) and BSAVEd Sheila. This completed the conversion of Sheila to COPYA format.
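The catalog relocation and bitmap edit of Step 5, as an added example (not the article's own procedure, which patched $AC01, re-INITed, and then edited the VTOC with The Inspector on a real disk): Python that makes the same edits to a 35-track, 16-sector .dsk-style image held in memory, using the DOS 3.3 VTOC and catalog layout (VTOC byte $01/$02 point at the first catalog sector, each catalog sector's bytes $01/$02 link to the next, and the bitmap at $38 holds 4 bytes per track with a set bit meaning a free sector). The image is constructed blank and the data track numbers $11-$13 are hypothetical. Instead of re-INITing, it copies the existing catalog track to $15 and repoints every link that named $11, then clears the free bits on the data tracks so DOS never allocates a file over them.

```python
"""Relocate a DOS 3.3 catalog off track $11 and reserve the data tracks.

Added example, not part of the Bootlegger article. It edits a 35-track,
16-sector .dsk-style image held in memory (constructed blank below) using
the DOS 3.3 VTOC/catalog layout; the data-track numbers are hypothetical.
"""

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
VTOC_CAT_TRACK, VTOC_CAT_SECTOR = 0x01, 0x02   # VTOC: first catalog sector
VTOC_BITMAP = 0x38                             # 4 bytes per track; set bit = free sector
CAT_NEXT_TRACK, CAT_NEXT_SECTOR = 0x01, 0x02   # catalog sector: link to next one


def sector(image, track, sec):
    """Writable view of one 256-byte sector (DOS sector order, as in a .dsk)."""
    off = (track * SECTORS + sec) * SECTOR_SIZE
    return memoryview(image)[off: off + SECTOR_SIZE]


def init_image(catalog_track=0x11):
    """Blank disk the way INIT lays it out: VTOC at sector 0 of the catalog
    track, catalog sectors $F down to $1 chained together, and tracks 0-2
    (DOS) plus the catalog track marked in use."""
    image = bytearray(TRACKS * SECTORS * SECTOR_SIZE)
    v = sector(image, catalog_track, 0)
    v[VTOC_CAT_TRACK], v[VTOC_CAT_SECTOR] = catalog_track, 0x0F
    v[0x03], v[0x06], v[0x27] = 3, 254, 122          # DOS release, volume, T/S pairs per list
    v[0x34], v[0x35] = TRACKS, SECTORS
    v[0x36:0x38] = SECTOR_SIZE.to_bytes(2, "little")
    for t in range(TRACKS):
        free = 0x0000 if t in (0, 1, 2, catalog_track) else 0xFFFF
        v[VTOC_BITMAP + 4 * t: VTOC_BITMAP + 4 * t + 2] = free.to_bytes(2, "big")
    for s in range(0x0F, 0, -1):
        c = sector(image, catalog_track, s)
        if s > 1:
            c[CAT_NEXT_TRACK], c[CAT_NEXT_SECTOR] = catalog_track, s - 1
    return image


def catalog_chain(image, catalog_track):
    """Follow the catalog links from the VTOC; returns [(track, sector), ...]."""
    v = sector(image, catalog_track, 0)
    t, s, chain = v[VTOC_CAT_TRACK], v[VTOC_CAT_SECTOR], []
    while t and (t, s) not in chain:               # track 0 ends the chain
        chain.append((t, s))
        c = sector(image, t, s)
        t, s = c[CAT_NEXT_TRACK], c[CAT_NEXT_SECTOR]
    return chain


def free_sectors(image, catalog_track, track):
    """Set of free sector numbers on a track, read from the VTOC bitmap
    (byte 0 holds sectors F..8, byte 1 holds 7..0, bit 7 first)."""
    v = sector(image, catalog_track, 0)
    word = int.from_bytes(v[VTOC_BITMAP + 4 * track: VTOC_BITMAP + 4 * track + 2], "big")
    return {s for s in range(SECTORS) if word >> s & 1}


def reserve_tracks(image, catalog_track, tracks):
    """Clear every free bit on the given tracks: the article's 'protect the data sectors'."""
    v = sector(image, catalog_track, 0)
    for t in tracks:
        v[VTOC_BITMAP + 4 * t: VTOC_BITMAP + 4 * t + 2] = b"\x00\x00"


def relocate_catalog(image, old_track, new_track):
    """Copy the VTOC and catalog sectors to new_track and repoint every link
    that named old_track, so a DOS patched to look at new_track finds them."""
    for s in range(SECTORS):
        sector(image, new_track, s)[:] = bytes(sector(image, old_track, s))
    v = sector(image, new_track, 0)
    v[VTOC_CAT_TRACK] = new_track                  # the byte-$1 edit from the article
    for s in range(1, SECTORS):
        c = sector(image, new_track, s)
        if c[CAT_NEXT_TRACK] == old_track:
            c[CAT_NEXT_TRACK] = new_track
    reserve_tracks(image, new_track, [new_track])  # the copied bitmap still showed new_track free


def convert(data_tracks, old_track=0x11, new_track=0x15):
    """Build the finished layout: catalog on new_track, data tracks written
    (constructed filler here) and marked in use so DOS leaves them alone."""
    image = init_image(old_track)
    relocate_catalog(image, old_track, new_track)
    for t in data_tracks:
        for s in range(SECTORS):
            sector(image, t, s)[:] = bytes([t]) * SECTOR_SIZE
    reserve_tracks(image, new_track, data_tracks)
    return image


if __name__ == "__main__":
    img = convert([0x11, 0x12, 0x13])
    print(catalog_chain(img, 0x15)[:3], sorted(free_sectors(img, 0x15, 0x11)))
```

After `convert`, the chain walked from the VTOC on track $15 stays entirely on track $15, and tracks $11-$13 show no free sectors, so a later SAVE or BSAVE of the program file lands elsewhere. Stock DOS still reads its VTOC from track $11 and would see the filler there, which is the trade-off the article accepts: the disk is COPYA-able but only the patched DOS can CATALOG it.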