Cracking Techniques


Last revised: Sunday 29/07/2007 (corrections made from the original, plus the date/time of the messages added from another source).

A great classic of Apple II cracking from the early 1980s, back when the pirate's image was wreathed in glory and advertisements for software unlocking appeared in the mainstream press (here, a Nibble ad from 1983)!

On the ad, it is particularly delicious (and perfectly hypocritical) to see the note: "Not to be used for illegal purposes!" In short: buy, but don't consume...
 

Pirates Harbor

Floppy (DOS 3.3): Download Cracking Techniques 1983 (gzipped)


Added 07/07/2007: original diskette without the graffiti (bought on eBay).

Original disk


Floppy (DOS 3.3): Download Original disk: Cracking Techniques 1983 (gzipped)


Contents


See Table of contents (Volumes I to III).
See Volume I (chapters 1-7).
See Volume II (chapters 1-4).
See Volume III (chapters 1-10).
See Various cracks.
See Bozo's program cracker ROM 1.1.
See Tricks.
See Using Lockbuster ][ and about NMI.
See Mr Xerox cracking tips I : Apple Galaxian.
See Mr Xerox cracking tips II : Space Raiders.
See Mr Xerox cracking tips III : Bug Attack.
See Cracking Threshold by Trystan II.
See About Demuffin and Demuffin Plus by Bozo NYC.



Table of contents


          CRACKING TECHNIQUES
          (TABLE OF CONTENTS)

VOLUME I
------ -                                
CHAPTER 1 CRACKING LOCKSMITH 4.0,4.1
          AND GENERAL HINTS
                  BY: AXE MAN

CHAPTER 2 SPECIAL TECHNIQUES
                  BY EARL BESTICK

CHAPTER 3 CRACKING A.B.M. AND USING
          MUFFIN TECHNIQUES
                  BY: JIM PHELPS

CHAPTER 4 DEMUFFINS TO CRACK AND
          DEMUFFIN PLUS
                  BY RICHARD BRANDOW

CHAPTER 5 CRACKING SUPERSCRIBE
                  BY: THE CLONEMAN

CHAPTER 6 CRACKING SHADOWHAWK I
                  BY: CANDY MAN

CHAPTER 7 GENERAL TECHNIQUES
                  BY: DISK ZAPPER


VOLUME II
------ --

CHAPTER 1 CREATING A NEW MASTER OF
          SUPER-TEXT
                  BY: DISK CRACKER

CHAPTER 2 USING THE RAM CARD AS A
          MAJOR CRACKING TOOL
                  BY: AXE MAN

CHAPTER 3 MODIFYING THE MICROSOFT 16K
          RAM CARD FOR WRITE PROTECT
          AND USE AS FAKE ROM
                  BY: SYSOP & AXE MAN

CHAPTER 4 MODIFYING THE ANDROMEDA RAM
          CARD FOR WRITE PROTECT
                  BY: AXE MAN

*******   MODIFYING THE APPLE RAMCARD
          MAY BE FOUND IN SOFTALK IN
          THE DECEMBER 1981 ISSUE

CHAPTER 5 SOME PLACES TO LOOK FOR GOOD
          IDEAS AND HELP ON CRACKING


VOLUME III
------ ---

CHAPTER 1 DEMUFFIN CASTLE OF DARKNESS
                  BY: BOZO NYC

CHAPTER 2 CRACKING VC-EXPAND
                  BY: RICHARD BRANDOW

CHAPTER 3 CRACKING CYBORG
                  BY: THE CLONEMAN

CHAPTER 4 CRACKING SOFTPORN
                  BY: RICHARD BRANDOW

CHAPTER 5 COPYING VISITERM
                  BY: RICHARD BRANDOW

CHAPTER 6 CRACKING VISICALC
                  BY: RICHARD BRANDOW

CHAPTER 7 CRACKING VISIDEX
                  BY: THE CLONEMAN

CHAPTER 8 CRACKING THE ELIMINATOR
                  BY: RED REBEL

CHAPTER 9 CRACKING VISIFILE
                  BY: RED REBEL

CHAPTER 10 CRACKING SUPERSCRIBE II
                  BY: RED REBEL



Volume I (chapters 1-7)


MSG LEFT BY: AXE MAN

HERE IS A HEX LISTING FOR THE NEXT MSG.
 
0300:A0 00 B9 00 20 99 00 80
0308:C8 D0 F7 EE 04 08 EE 07
0310:08 AD 07 08 C9 B6 D0 EA
0318:20 93 FE 20 89 FE A9 C0
0320:85 31 A9 9B 85 33 A9 00
0328:8D 00 02 20 2F FB 20 58
0330:FC A9 06 85 22 20 58 8C
0338:20 99 8F 13 0B 20 72 8C
0340:20 99 8F 4D 08 20 99 8F
0348:3C 0B 4C 29 12 D4 C5 C3
0350:C8 A0 C9 D3 A0 C8 C5 CC
0358:CC A0 A0 AD BE A0 CF C3
0360:D4 CF C2 C5 D2 A0 B1 B3
0368:AC A0 B1 B9 B8 B1 A0 BC
0370:AD A0 8D

SPECIAL NOTE:
        THIS HAS NOW BEEN ADDED TO THE
DOWNLOAD FUNCTION.

                  ^^^ SYSOP ^^^

***************************************

MSG LEFT BY: AXE MAN


1) BOOT THE BEST COPY PROGRAM AVAILABLE
2) PRESS RESET FROM THE MAIN MENU
   CONTINUE PRESSING RESET UNTIL THE
   DISK DRIVE STOPS.
3) TYPE FROM THE MONITOR:
   2000<0800.1FFFM
   4000<8000.B5FFM
4) BOOT A 48K SLAVE (NON-MASTER)
   DISKETTE.
5) TYPE IN THE FOLLOWING:
   800<2000.37FFM
   2000<4000.75FFM
6) TYPE IN THE HEX IN THE PREVIOUS
   MESSAGE AT $0800 HEX.
7) THEN BSAVE THE PROGRAM,A$800,L$4DFF
 
     THAT'S IT.

***************************************

MSG LEFT BY: AXE MAN

AHOY YE MATIES- IT SEEMS THAT THAR
 NEW LOCKSMITH 'AS CHANGED ITS
 LOCATIONS INTERNALLY, HAR-D-HAR
 BUT WE HAVE FOUND THE CORRECT ONES
 YES. TO FIX THIS 'TECH' PATCH,
 USE THE FOLLOWING:
 
AFTER BLOADING THE PATCH AT $800,
 BUT BEFORE BSAVING THE ENTIRE
 LS PROGRAM, GET INTO MONITOR AND
 TYPE :
    
        84A:4C 3D 12
        839:9B
        841:9B
        846:9B
 
 BE YE WARNED THIS DOESN'T WORK FOR
 4.0 BUT ONLY FOR 4.1

***************************************

MSG LEFT BY: AXE MAN

SINCE THERE SEEMS TO BE A LACK OF
ENTRIES TO THE CONTEST, HERE IS ONE:
GENERAL HINTS -
- USE A NON-AUTOSTART APPLE
- USE A RAM-CARD
  PLACE A COPY OF THE MONITOR ROM IN
  THE RAM CARD, AND PUT IN CERTAIN
  PATCHES THAT INFORM YOU OF THE CALLING
  ADDRESS TO CERTAIN SYSTEM ROUTINES
 (LIKE THE KEYBOARD INIT, ETC)
- PUT A RESET-ROUTINE IN THE RAM CARD
  THAT MOVES LO-RAM INTO HI-RAM UPON
  PRESSING THE BUTTON (GREAT FOR CODE
  THAT RESIDES IN THE TEXT SCREEN)
- THEN ANALYZE CODE THAT YOU CAN GET
  TO ABOVE $800.
- MOVE THE DOS BOOT PROM IMAGE TO $9600
  AND CHANGE $96F8 TO GO TO MONITOR SO
 YOU CAN SEE WHAT WAS LOADED AT $800.
- YOU CAN 'BREAKPOINT' THE ENTIRE BOOTUP
 PROCESS BY SUBSTITUTING JUMPS TO YOUR
 ROUTINES IN THEIR CODE.
- IF YOU LOSE DOS, YOU CAN SAVE MACHINE
  CODE TO TAPE, AND THEN LOAD IT IN
  LATER (PRIMITIVE, BUT WORKS GREAT !)
- WORSE COMES TO WORSE, JUST LOOK FOR
  ANYTHING INTERESTING IN THE CODE IN
  MEMORY (TRY OUT SOME ROUTINES, BUT
  OPEN THE DISK DOOR FIRST !)
 HOPE THAT HELPS........

***************************************

MSG LEFT BY: EARLE BESTICK

TRY'D & TRY'D & TRY'D TO CRACK A DISK
BUT ONLY MANAGED TO BEND ONE !
'TILL AFTER MANY TRIES, I SUCCEEDED,
MY MAGIC FORMULA FOLLOWS AND WILL WORK
ON ANY DISK OF ANY MANUFACTURER.
1. PUT DISK IN DEEP FREEZE FOR 24 HRS.
2. TAKE DISK OUT OF FREEZER AND WITH
A BRISK MOVEMENT, BRING SHARPLY AGAINST
THE EDGE OF COUNTER, DESK, OR THE LIKE,
THIS WILL CRACK IT FOR SURE.

***************************************

MSG LEFT BY: JIM PHELPS

HERES ONE FROM THE I.M.F. ON CRACKING

YOU CAN CRACK A.B.M.(MUSE) BY DOING
THE FOLLOWING:
 
1) BOOT UP THE DISK AND PRESS CTRL-C
BEFORE IT FINISHES BOOTING.
 
2)TYPE NEW AND CATALOG THE DISK(THIS
SHOULD CATALOG,IF NOT RE-BOOT AND GO
BACK TO 1)
 
3) LOAD THE BASIC PROGRAMS 1 BY 1
SAVING EACH ONE ON TAPE BEFORE LOADING
THE NEXT.AFTER 1 IS SAVED RE-BOOT A
SLAVE DISK,LOAD THE PROGRAM FROM THE
TAPE,MAKE SURE IT LOOKS RIGHT AND
SAVE IT UNDER THE SAME NAME AS ON THE
A.B.M. DISK.(DO THIS FOR EACH BASIC
PROGRAM ON THE DISK )
 
4) BLOAD THE MACHINE LANGUAGE PROGRAMS
AND EITHER MAKE NOTE OF WHERE THE START
IS AND THE LENGTH BY LOOKING AT LOCATIONS
AA61,AA62 FOR LENGTH AND AA72,AA73 FOR
THE STARTING ADDRESS;OR BLOAD THEM AT
LOCATION 2000 AND ESTIMATE AT THE
LENGTH.

CONTINUED AT NEXT MESSAGE

***************************************

MSG LEFT BY: JIM PHELPS

5) AFTER THAT IS DONE MOVE ONE MACHINE
PROGRAM AT A TIME INTO LOCATION 2000
AND RE-BOOT THE DISK YOU'RE SAVING
THE CRACKED VERSION ON,BSAVE THE SAME
NAME AND THE LOCATION YOU PUT IT AT.
 
6) NOW YOU BLOAD THE MACHINE PROGRAM
AT THE CORRECT LOCATION IN MEMORY AND
RESAVE IT UNDER THE SAME NAME AND THE
NOW CORRECT ADDRESS AND LENGTH
 
7) YOU SHOULD NOW BE ABLE TO JUST RUN
THE HELLO PROGRAM AND THE GAME SHOULD
WORK.IF NOT SEE IF YOU CAN FIGURE OUT
WHATS WRONG AND GO BACK AND REDO THAT
PART OF IT
 
8) <<HINT>> IF YOU CANNOT FIND THE
ADDRESS AND LENGTH OF SOME OF THE
MACHINE PROGRAMS,A FEW ARE LISTED IN
SOME OF THE BASIC PROGRAMS.

         GOOD LUCK

JIM PHELPS.

***************************************

MSG LEFT BY: JIM PHELPS


THIS IS JIM PHELPS AGAIN WITH ANOTHER
ENTRY TO THE CONTEST:
 
1) SOME DISKS CAN BE CRACKED SIMPLY
BY USING THE MUFFIN PROGRAM.
 
2) IF THE DISK YOU HAVE SAYS 'WILL
BOOT EITHER 13 OR 16 SECTOR'THEN
THE DISK IS SET UP IN 13 SECTOR FORMAT
 
3) IF YOU HAVE A DISK LIKE THIS TRY
MUFFINING IT.SOME PROBLEMS MAY OCCUR
AFTER YOU MUFFIN IT SO HERE ARE A FEW
EXAMPLES; MISSILE DEFENSE CAN BE
MUFFINED,HOWEVER YOU MUST CHANGE A
LOCATION IN THE MACHINE PROGRAM NAMED
'MISSILES' SOMEWHERE IN THE 9000 PAGE
OF MEMORY.THESE 2 LOCATIONS ARE JSR'S
TO ANOTHER SUBROUTINE IN THE 9000 PAGE
WHICH MAKE THE PROGRAM ATTEMPT TO READ
THE DISK LOOKING FOR A NIBBLE COUNT.
IF THIS IS NOT FOUND THE PROGRAM STOPS.
SIMPLY CHANGE THESE 2 JSR'S TO "EA"'S
AND RE-BSAVE THE PROGRAM AND IT SHOULD
WORK FINE.
 
4) ANOTHER PROGRAM THAT CAN BE MUFFINED
IS SOFTPORN ADVENTURE.THIS WILL MUFFIN
O.K. BUT IN THE HELLO PROGRAM SIMPLY
DELETE LINE 378 AND IT WILL RUN FINE.

***************************************

MSG LEFT BY: JIM PHELPS
 
HERES A LITTLE EXTRA INFO ON CRACKING
A.B.M.:
THE ADDRESS TO BLOAD THE 2 CONTROL
PROGRAMS CAN BE FOUND IN THE BASIC
PROGRAM 'ADJUST'.THEY BOTH HAVE THE
SAME ADDRESS WHICH IS A$300.THEY
ALSO HAVE THE SAME LENGTH,WHICH I DON'T
KNOW OFFHAND BUT THAT CAN BE FOUND NEAR
THE END OF THE LISTING IN ADJUST.
ALSO THE BASIC PROGRAM ABM MUST BE
CHANGED TO JUST MACHINE LANGUAGE.THIS
CAN BE DONE EASILY BY JUST SAVING THE
MACHINE LANGUAGE INFO BETWEEN $80F AND
$2000 TO TAPE THEN RELOADING IT ONCE
RE-BOOTED AND BSAVING IT.THE HELLO
AND ADJUST PROGRAMS MUST THEN BE
CHANGED SO THAT THEY SAY 'BRUN ABM'
INSTEAD OF 'RUN ABM'.AS FOR THE
MACHINE FILE 'PIC',IT'S OBVIOUS THAT
THIS IS A PICTURE AND CAN BE SIMPLY
BLOADED (WHICH PUTS IT BETWEEN $2000
AND $4000),RE-BOOTED,AND BSAVED ON
YOUR CRACKED DISK WITH NO PROBLEM
WHATSOEVER.IF THIS DOESN'T WORK LEAVE
ME ANOTHER LETTER EXPLAINING WHAT'S
WRONG AND I'LL RE-DO IT AGAIN.
               JIM PHELPS

***************************************

MSG LEFT BY: RICHARD BRANDOW

THERE ARE TWO DEMUFFINS,
1.DEMUFFIN.....WRITES 3.2 FORMAT
2.DEMUFFIN.PLUS.......3.3 FORMAT
 
1.DEMUFFIN.
   1.BLOAD MUFFIN
   2.CALL -151
   3. TYPE THE FOLLOWING
      1155:00 1E
      115B:D9 03
      1197:A0 20
      15A0:A0 D2 C5 D3 C9 C4 C5 CE D4
      15A9:A0 C4 AE CF AE D3 AE
      15B6:B2
      15F7:C4 C5
      20A0:A9 1E 8D B9 B7 20 FD AA 48
      20A9:A9 BD 8D B9 B7 68 60
   4.BSAVE DEMUFFIN,A$803,L$1900
2.DEMUFFIN PLUS
   1.BOOT 3.3 DOS
   2 TYPE INT (FOR INTEGER)
   3.BLOAD MUFFIN
   4.CALL-151
   5.TYPE THE FOLLOWING
     A.D4D5G  (INITIALISES THE PGRM
               AID RELOCATION CODE)
     B.1900 B800.BFFF CTRL-Y
               (RELOCATES THE
               ROUTINE)
     C.1900 B800.BA10 CTRL-Y
     D. .BC57M
     E. .BFFF CTRL-Y
     F. 1155:00 1E
        115B:D9 03
        1197:A0 20
        15A0:A0 D2 C5 D3 C9 C4 C5 CE
        15A8:D4 A0 C4 AE CF AE D3 AE
        15F7:C4 C5
        20A0:A9 1E 8D B9 B7 20 FD AA
        20A8:48 A9 BD 8D B9 B7 68 60
  6. BSAVE DEMUFFIN PLUS,A$803,L$1900
 
EXPLANATIONS *
 
  THESE DEMUFFINS WILL CRACK MOST
  DISKETTES CONTAINING APPLESOFT PGRMS.
 USE THEM AS YOU WOULD REGULARLY BUT
 BE SURE THAT YOU ARE USING THE CORRECT
 DEMUFFIN FOR THE DOS.
  IF A FILE DOESN'T TRANSFER,TRY IT
 AGAIN, IF YOU GET AN I/O ERR 'BYPASS
 THE PROBLEMED FILE'
INSTRUCTIONS**
 1. CONVERT MUFFIN INTO DEMUFFIN.
 2. BLOAD DEMUFFIN.SAVE TO TAPE.
 3. TYPE IN THE RWTS PGRM.SAVE TO DISK
 4.PEEK AT THE VTOC LOCATION ON THE
   PROTECTED DISK.
 5.RUN MAP MOVE.
 6.BOOT THE PROTECTED DISK
7.FLIP THE INT CARD UP AND HIT RESET.
8.LOAD DEMUFFIN FROM TAPE
9.TYPE 10A1:(PUT HERE THE LOCATION OF
  THE VTOC YOU FOUND)
10. TYPE 3D0L
YOU SHOULD SEE THIS:
03D0- 4C BF 9D
03D3- 4C 84 9D
03D6- 4C FD AA
03D9- 4C B5 B7
03DC- AD 0F 9D
03DF- AC 0E 9D
03E2- 60
03E3- AD C2 AA
03E6- AC C1 AA
03E9- 60
03EA- 4C 51 AA
03ED- EA
03EE- EA
03EF- 4C 59 FA
03F2- BF
03F3- 9D 38 4C
03F6- 58
03F7- FF
03F8- 4C 65 FF
03FB- 4C 65 FF  (IF IT DOESN'T THEN
       CHANGE IT SO IT DOES)
 TYPE 803G (YOU'LL BE IN DEMUFFIN)
IF YOU WANT THE MAP MOVE PGRM.(WHICH IS
NOT OBLIGATORY) I'LL LEAVE IT LATER

***************************************
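The hex listings quoted in these messages (the $0300 patch in Axe Man's first message, the $3D0 page-3 dump the DEMUFFIN message tells you to verify) are all Apple II monitor lines. The decoder below is an added example, not code from the original messages: it parses both the entry form ("0300:A0 00 ...") and the dump form ("03D0- 4C BF 9D"), flags holes left by a dropped byte, recovers embedded high-ASCII text, and disassembles the few opcodes in the page-3 vector table. The DOS_PAGE3 constant is the DEMUFFIN message's $3D0 bytes regrouped 8 per line.

```python
"""Decoder for the Apple II monitor hex listings quoted in these messages:
rebuilds the bytes, flags holes from a dropped byte, recovers 'high ASCII'
text (bit 7 set, as Apple's COUT expects it) and disassembles DOS 3.3's
page-3 vector table at $3D0."""
import re
from typing import Dict, List, Tuple

# "0300:A0 00 ..." (monitor entry form) or "03D0- 4C BF 9D" (dump form)
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{1,4})\s*[:-]\s*((?:[0-9A-Fa-f]{2}\s*)+)")

def parse_listing(text: str) -> Dict[int, int]:
    """Address -> byte map; a later line overwrites an earlier one, exactly
    as retyping the lines into the monitor would."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # commentary such as "(IF IT DOESN'T THEN ...)"
            continue
        base = int(m.group(1), 16)
        for i, hh in enumerate(m.group(2).split()):
            mem[base + i] = int(hh, 16)
    return mem

def find_gaps(mem: Dict[int, int]) -> List[Tuple[int, int]]:
    """Ranges no line supplied: a line that does not start right after the
    previous line's last byte usually means a byte was lost in transcription."""
    addrs = sorted(mem)
    return [(a + 1, b - 1) for a, b in zip(addrs, addrs[1:]) if b - a > 1]

def high_ascii_strings(mem: Dict[int, int], min_len: int = 6) -> List[Tuple[int, str]]:
    """Contiguous runs of printable bytes with bit 7 set, as (address, text)."""
    found, run, start = [], "", None
    for addr in sorted(mem):
        b = mem[addr]
        ok = bool(b & 0x80) and 0x20 <= (b & 0x7F) < 0x7F
        if not ok or (start is not None and addr != start + len(run)):
            if len(run) >= min_len:
                found.append((start, run))
            run, start = "", None
        if ok:
            start = addr if start is None else start
            run += chr(b & 0x7F)
    if len(run) >= min_len:
        found.append((start, run))
    return found

# Only the opcodes that occur in the page-3 table; anything else is shown as
# data, so the sweep resyncs at the next JMP after the $3F2-$3F4 vector bytes.
OPCODES = {0x4C: ("JMP", 3), 0xAD: ("LDA", 3), 0xAC: ("LDY", 3),
           0x60: ("RTS", 1), 0xEA: ("NOP", 1)}

def disassemble(mem: Dict[int, int], start: int, end: int) -> List[Tuple[int, str]]:
    """Linear sweep over start..end inclusive, returning (address, text)."""
    out, pc = [], start
    while pc <= end:
        op = mem.get(pc)
        name, size = OPCODES.get(op, (None, 1))
        whole = pc + size - 1 <= end and all(pc + k in mem for k in range(size))
        if name is None or not whole:
            out.append((pc, ".DB ??" if op is None else f".DB ${op:02X}"))
            pc += 1
            continue
        if size == 3:  # 6502 operands are little-endian
            out.append((pc, f"{name} ${mem[pc + 1] | (mem[pc + 2] << 8):04X}"))
        else:
            out.append((pc, name))
        pc += size
    return out

def jmp_targets(mem: Dict[int, int], start: int, end: int) -> Dict[int, int]:
    """Address -> destination for every JMP the sweep recovers."""
    return {a: int(t[5:], 16) for a, t in disassemble(mem, start, end)
            if t.startswith("JMP")}

# The $0300 patch from Axe Man's first message, copied as posted.
AXE_MAN_PATCH = """
0300:A0 00 B9 00 20 99 00 80
0308:C8 D0 F7 EE 04 08 EE 07
0310:08 AD 07 08 C9 B6 D0 EA
0318:20 93 FE 20 89 FE A9 C0
0320:85 31 A9 9B 85 33 A9 00
0328:8D 00 02 20 2F FB 20 58
0330:FC A9 06 85 22 20 58 8C
0338:20 99 8F 13 0B 20 72 8C
0340:20 99 8F 4D 08 20 99 8F
0348:3C 0B 4C 29 12 D4 C5 C3
0350:C8 A0 C9 D3 A0 C8 C5 CC
0358:CC A0 A0 AD BE A0 CF C3
0360:D4 CF C2 C5 D2 A0 B1 B3
0368:AC A0 B1 B9 B8 B1 A0 BC
0370:AD A0 8D
"""

# The $3D0 dump the DEMUFFIN message expects, same bytes regrouped 8 per line
# ($3F2-$3F3 is the reset vector, $3F4 the power-up byte: data, not code).
DOS_PAGE3 = """
03D0- 4C BF 9D 4C 84 9D 4C FD
03D8- AA 4C B5 B7 AD 0F 9D AC
03E0- 0E 9D 60 AD C2 AA AC C1
03E8- AA 60 4C 51 AA EA EA 4C
03F0- 59 FA BF 9D 38 4C 58 FF
03F8- 4C 65 FF 4C 65 FF
"""
```

Running `high_ascii_strings(parse_listing(AXE_MAN_PATCH))` shows the text the patch carries at $034D, and `jmp_targets(parse_listing(DOS_PAGE3), 0x3D0, 0x3FD)` shows why "9DBFG" (the $3D0 warm-start target) is the usual way back to DOS in these messages.

***************************************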

MSG LEFT BY: THE CLONEMAN

HOW I CRACKED SUPERSCRIBE II VER 3.2
OVER CHRISTMAS WEEKEND. BY THE CLONEMAN
 
1. FID EVERYTHING TO A DOS 3.3 DISK
   NOTE: MY PIRATED COPY OF SSII CAME
   UNDER DOS 3.3, I.E. V3.2 IS NOT
   DOS 3.2!!
2. LOAD EDITORA AND NOTICE THAT PROG-
   RAM STARTS AT $4003.  BLOAD EDITOR.
   OBJ0 AND SCAN THROUGH THE CODE NO-
   TICE THE ENTRY OF $55 AND $61 AT
   VARIOUS LOCATIONS.  THESE ALLOW A
   JMP TO $6155 AT THE JMP $FF58 LINE.
3. THE CODE AT $6155 INSTRUCTS THE
   EOR'ING OF THE JUMBLED CODE FROM
   $616C TO ABOUT $626F. TEMPORARILY ENTER
   AN $00 AT $616B AND THEN DO A
   4003G TO SEE WHAT IT LOOKS LIKE.
4. THE PROGRAM GOES ON TO CHECK LOCA-
   TIONS ON TRACK 02 AND 03, I THINK.
   AND LOAD DATA INTO $9700, I THINK.
5. NOTICE THE CMP STATEMENT AT $6219.
   DISABLING THIS STATEMENT DISABLES
   THE NIBBLE COUNTER. OTHERWISE THE
   PROGRAM GOES TO $622F AND CLEARS
   MEMORY!
6. THE BEST WAY TO DISABLE THE CMP IS
   TO CHANGE IT TO COMPARE $9704,Y
   WITH ITSELF!!....GO TO NEXT MSG
   FOR MY CONCLUSION

***************************************

MSG LEFT BY: THE CLONEMAN


7. OF COURSE SIMPLY CHANGING $621A TO
   $04 WILL NOT WORK, REMEMBER THE EOR?
   YOU WILL HAVE TO FIGURE OUT YOURSELF
   WHAT VALUE WHEN EOR'ED GIVES $04!
   ENTER THAT VALUE IN A FRESHLY
   BLOADED COPY OF EDITOR.OBJ0 INTO
   LOCATION $621A. NOW SAVE THE ALTERED
   EDITOR.OBJ0.
8. RUN INTEGER AND YOUR FIDED COPY
   SHOULD WORK FINE AS LONG AS YOU
   DON'T ENTER THE PRINTOUT MODE!
9. ON-LINE MADE IT SIMPLE FOR ME SINCE
   IT USED A SIMILAR PROTECTION SCHEME
   IN THE RUNOFF.OBJ0 AS IN EDITOR.OBJ0
   HOWEVER THEY DID PLACE THE CODE AT
   A DIFFERENT LOCATION.  YOU SHOULD
   BE ABLE TO FIND THE LOCATION IN THE
   RUNOFF EASILY.  AGAIN DO A PATCH AT
   THE CMP $9700,Y STATEMENT.
 
WELL, I HOPE THIS HELPS SOME OF YOU.
IT WAS MY FIRST VENTURE INTO CRACKING
AND WAS MOTIVATED BY MY INABILITY TO
BACKUP THE PROGRAM WITH EITHER NIBAW
OR LS WITH A SINGLE DRIVE.
 
     CHANGE 4E2F:51   (WAS 55)
     CHANGE 621A:51   (WAS 55)
 
***************************************

MSG LEFT BY: CANDY MAN
 
SHADOWHAWK CRACKED
 
 BLOAD HEAD.PIC
 CALL -151
 4000:60
 BSAVE HEAD.PIC,A$2000,L$2150
 BLOAD HAWK.PIC
 CALL -151
 4000:60 60 60 60 60 60 60 60
 4008<4000.4007M
 4010<4000.400FM
 4020<4000.401FM
 4040<4000.403FM
 4080<4000.407FM
 4100<4000.40FFM
 BSAVE HAWK.PIC,A$2000,L$2150
 
 THAT'S IT
 
 ANY NIBBLE COUNTER NEEDS TO ACCESS
 LOCATIONS C080-C08F+16*SLOT #
 THESE LOCATIONS CAN BE FOUND WITH
 DISKSCAN PROGRAM AVAILABLE ON D.

***************************************

MSG LEFT BY: DISK ZAPPER

THERE ARE SEVERAL 'KEY' BYTES IN THE
APPLE THAT ARE ALTERED AS SOON AS THE
*RESET* KEY IS PRESSED.  THERE ARE
ALSO BYTES WHICH ARE ALTERED AS SOON
AS A KEY IS PRESSED  AFTER RESET.
MANY PROTECTED PROGRAMS USE THESE BYTES
AS 'KEYS'- IF A CERTAIN NUMBER IS NOT
IN IT.....BOOM!
  FOR EXAMPLE, SPACE RAIDERS REQUIRES
 THAT ADDRESS $21 CONTAINS A #$26.
SO, WHATCHA DO IS THIS:
     AFTER PRESSING RESET (WITH INTEGER
SET UP) LOOK THROUGH THE MACH LANG
TO SEE IF IT CHECKS CERTAIN BYTES
HERE IS A PARTIAL LIST : 20-26, 36-39,
4E-4F
SEE WHAT THE PROGRAM LOOKS FOR. THEN,
SIMPLY SET THOSE ADDRESSES TO THE
CORRECT BYTE AND FIND THE STARTING
ADDRESS (SOMETIMES SHOWN AT 3F2.3F3
BUT MOSTLY YOU'LL HAVE TO LOOK FOR IT.
SOMETIMES IT WILL HAVE A $LDA C050
WHICH IS USUALLY NEAR THE START OF
THE PROGRAM).

***************************************

MSG LEFT BY: DISK ZAPPER

ZAPPER CONTEST CONTINUED...
 THE PROGRAM MAY USE $200-2FF FOR
 STORING PROGRAM.  AS SOON AS YOU
PRESS A KEY, 200+ IS DESTROYED.
WHAT ONE CAN TRY IS TO TYPE 1FF
AND HIT RETURN. THEN BOOT THE DISK,
PRESS RESET AND RETURN.  IT MAY SHOW
200-207.  IF SO, THEN YOU ONLY HAVE
ONE BYTE (200) TO WORRY ABOUT.  IF
NOT THEN YOU CAN (A) PRESS RETURN
5000 TIMES TILL IT DOES SHOW 200-207
(B) LOOK FOR SOMETHING WHICH LOOKS
LIKE WHAT'S IN 200-2FF SOMEPLACE ELSE
(THEY SOMETIMES START ELSEWHERE AND
MOVE IT TO 200)
(C) CRY.
 AS FOR SAVING $400-7FF, THE BEST I
CAN THINK OF IS TO COPY THE TOP LINE
HOPING FOR NO ERRORS AND MAKE THE FIRST
LINE TYPED 800<400.7FFM, THEN LOOK
THROUGH 800-BFF TO CHECK IT OUT.
SOMETIMES 400-7FF WILL BE FULL OF JUNK
AND NOT BE NEEDED.
ONE HILARIOUS NOTE: SOMETIMES THEY
LEAVE THEIR RWTS SUBROUTINE INTACT
(ZORK DOES THIS) ENABLING YOU TO READ
THEM DIRECTLY.  BUT I HAVEN'T EXPLORED
THIS TOO MUCH.
          CORDIALLY YOURS
-------->           >>> DISK ZAPPER <<<




Volume II (chapters 1-4)


MSG LEFT BY: DISK CRACKER

TO COPY SUPER-TEXT ALL VERSIONS FIRST
MAKE A COPY USING THE SUPER-TEXT COPY
PROGRAM. THIS COPY WILL DO EVERYTHING
EXCEPT BOOT-UP. TO MAKE IT BOOTING ALSO
USE LOCKSMITH 4.1 TO COPY TRACKS $0-$2.
COPY THEM UNSYNC, AND WITH MANUAL ERROR
RETRY.  DON'T SET HALF TRACKS EITHER
IT ALL MANUALLY.  THIS WILL MAKE A
MASTER COPY OF THE SUPER-TEXT DISK.
 
        GOOD COPYING!!!!

***************************************

MSG LEFT BY: AXE MAN

SOME OF THE ENTRIES ARE AMUSING. ESP
THE BRUTE FORCE METHOD OF CRACKING.
THERE ARE EVEN SOME THINGS LISTED THAT
WON'T WORK!!!! FIRST LET'S CLEAR UP
SOME COMMON MISCONCEPTIONS ABOUT WHAT
HAPPENS WHEN A PERSON PRESSES RESET.
1) NOTHING HAPPENS (AT ALL) TO ANY MEM-
ORY LOCATION UNTIL THE 'RESET' PROCESS
ROUTINE DOES SO.
2) THIS RESET PROCESS ROUTINE CAN BE
MADE SO THAT MEMORY IS >NOT< WIPED OUT
3) ONLY THE REGISTERS AND PROGRAM CNTR
ARE MODIFIED WHEN RESET IS PRESSED
INITIALLY.
- WHEN THE RESET KEY IS PRESSED, THE
6502 (THE LONG, SOMEWHAT WIDE CHIP
RESIDING BEHIND THE OTHER NOT SO LONG
WIDE CHIPS FOR THE UNINFORMED) TAKES
WHATEVER DATA (BYTES, NUMBERS, WHATEVER)
IN THE LOCATIONS $FFFC AND $FFFD AND
INTERPRETS THAT AS THE ADDRESS.
THEN THE 6502 JUMPS TO THAT ADDRESS TO
PROCESS THE RESET.  IF THERE IS A ROM
IN THE $FF00 PAGE, THEN THERE IS NO
CHOICE BUT TO GO TO THE REGULAR RESET
ROUTINE. HOWEVER, SHOULD YOU BE THE
LUCKY OWNER OF A RAM CARD, YOU CAN
MAKE THE RAM THINK IT IS ROM!!! THE
KEY IS IN THE NEXT MESSAGE

***************************************

MESSAGE FROM AXE MAN

NOW, MOST RAM CARDS, WHEN RESET IS
PRESSED, WILL RE-ENABLE THE ROM MONITOR
(THIS INCLUDES THE LANGUAGE CARD, MICRO
SOFT'S CARD, AND ANY OTHERS THAT DON'T
HAVE THAT SWITCH ON THE BACK) THE
ANDROMEDA RAM CARD HAS A LITTLE SWITCH
ON THE BACK THAT FORCES THE CONTENTS
OF THE RAM CARD TO ACT LIKE THE ROM
UPON RESET. NOW, DUE TO THE FACT THAT
MOST PROTECTION SCHEMES LIKE TO USE THE
NORMAL TEXT PAGE ($400-$800) TO STORE
INITIALIZATION AND BOOTUP ROUTINES THAT
ARE ESSENTIAL FOR THE PROGRAM TO RUN IN
HIGHER MEMORY, SOME WAY HAS TO BE USED
THAT DOESN'T ALTER ANY OF THE MEMORY
FROM $0-$7FF. NOW, WOULDN'T IT BE NICE
IF WE COULD, UPON RESET, MOVE ALL OF
THE MEMORY FROM $0-$7FF TO $800 AND UP
?? YES, IT WOULD. THAT WAY, WE COULD
EXAMINE IT AT OUR LEISURE TO  FIND OUT
WHAT IS GOING ON IN OUR TEXT PAGE THAT
THE PROGRAM MAKERS WANTED TO HIDE SO
BADLY. YOU CAN SAVE THIS STUFF ON A
DISKETTE (REMEMBER TO PUT IT WHERE
THE DOS BOOTUP WON'T BOTHER IT, SAY
$5000-$57FF FOR 48K SLAVE DISKETTES)
AND THEN LOAD IN THE PROGRAM AGAIN,
THIS TIME TO GET THE STUFF IN HIGHER
MEMORY ($800-$BFFF). NOW YOU WILL HAVE
THE COMPLETE IMAGE OF THE PROGRAM IN
TWO OR MORE FILES. THE BEST WAY TO
INTERPRET THESE FILES IS TO FIND OUT
WHERE THE 2ND STAGE BOOT GOES TO (SEE
MY PREVIOUS MESSAGE ABOUT MOVING THE
DISK ROM INTO RAM) AND THEN TRACING
THE EXECUTION FROM THERE BY LOOKING
AT THE CODE YOU HAVE (REMEMBER THAT
YOUR ADDRESSES WILL BE OFFSET BY
A CERTAIN AMOUNT (I.E. $400 WILL BE
$C00 IF YOU MOVED THE MEMORY TO $800))
TO SEE WHERE THE INITIALIZATION POINT
IS. THIS IS GENERALLY WHERE THE A
X OR Y REGISTERS ARE LOADED WITH SOME
CONSTANTS AND PLACED ELSEWHERE IN
MEMORY TO SET UP THE PROGRAM. ONCE THIS
LOCATION IS FOUND, ALL OF THE FILES CAN
BE LOADED IN THEIR CORRECT PLACES USING
BLOADS, AND THEN A CALL CAN BE MADE TO
THE PLACE YOU THINK THAT THE PROGRAM
STARTS.  NOTE THAT ALL OF THIS ONLY
WORKS IF THE PROGRAM DOESN'T DETECT THE
RAM CARD AND DOESN'T PUT ITS OWN
INTERRUPT PROCESSING ROUTINE IN THE
RAM.  (ADD A SWITCH TO TRULY WRITE
PROTECT YOUR RAM CARD AND ALL WILL BE
FINE).
 HERE IS A SKELETAL ROUTINE THAT CAN
BE ASSEMBLED INTO YOUR RAM CARD.

HERE IS THE ROUTINE THAT CAN BE USED
 
RESET:  LDY #0  ;SET UP Y-REG
L1      LDA SOURCE,Y
L2      STA DEST,Y
L3      INY
        BNE L1
        INC L2-1  ;INCREMENT SOURCE LOC
        INC L3-1  ;INCREMENT DEST LOC
        LDA L3-1  ;DEST PAGE (HI BYTE OF STA OPERAND)
        CMP #ENDPG ;SEE IF DONE
        BNE L1
;
; USE THIS IF YOU ARE GOING TO POP INTO
; MONITOR
;  
        LDA $C082 ;DESELECT RAM, GET ROM
;
        JMP $FF65 ; ENTER REGULAR APPLE
;                   MONITOR
;
TO INITIALIZE THIS ROUTINE, DO THIS
 
          LDA #RADDR/256
          STA $FFFD
          LDA #RADDR MOD 256
          STA $FFFC
 PUT THAT CODE IN THE RAM CARD BY
DOING TWO READS FROM C083 AND
MOVE THE CODE UP. THE RADDR IS THE
ADDRESS OF THE RESET ROUTINE THAT MOVES
THE MEMORY, AND IS PLACED IN THE RESET
VECTOR. FOR MORE INFO ON HOW TO WRITE
PROTECT YOUR RAM CARD, CONTACT THE
SYSOP (MAYBE HE'LL HAVE KITS....)
- - - - - - - - - - - - - - - - -  - -
GENERAL ADDITIONAL CLUES -
BDOS BASED PROGRAMS WRITTEN IN BASIC
USUALLY MAKE $D6 NON-ZERO WHICH CAUSES
ANY FP PROGRAM TO AUTO RUN UPON A
RETURN FROM THE KEYBOARD AT AN APPLESFT
PROMPT. ()() DOS 3.3 PROTECTED PROGRAMS
(REALLY 16 SECTOR) SOMETIMES CHANGE
THE CATALOG TRACK (AT $AC01) TO SOMETHING
OTHER THAN $11 (17 DEC.)
WHEREVER POSSIBLE, THE PROGRAM'S
DOS CAN BE USED AGAINST IT BY FINDING
WHERE IT BEGINS, AND USING THAT AS
THE ROUTINES THAT A COPY PROGRAM USES
FOR RWTS. (THE RWTS USUALLY STARTS ON
A $XD00 BOUNDARY, WITH THE FIRST TWO
INSTRUCTIONS BEING STY 48 STA 49 (HEX
CODES 84 48 85 49)) NIBBLE COUNTING
CAN BE DEFEATED BY FINDING THE ROUTINE
THAT COUNTS THE NIBBLES, AND MAKE IT
READ CORRECT NIBBLES WITHOUT EVER
ACCESSING THE DISKETTE ! BY THE WAY, IT
IS POSSIBLE TO DEFEAT LOCKSMITH, BIU,
AND OTHER NIBBLE COPIERS....

***************************************

MESSAGE FROM SYSOP AND AXE MAN

MODIFY THE 16K RAM BOARD - MICROSOFT

WRITE PROTECT:
    LIFT PIN #3 FROM U18 CHIP & CONNECT
    TO ONE SIDE OF SWITCH.
    CONNECT SOCKET AND PIN #13 74LS175
    TO CENTER OF SWITCH
    CONNECT TOP OF R3 TO OTHER SIDE OF
    THE SWITCH

R3---------------------O
                       !
                       /  NORMAL OPEN
                       !
PIN #13----------------O
74LS175                !
                       /  NORMAL CLOSED
                       !
PIN #3-----------------0
U18

CHANGES FOR RAM & ROM
    LIFT PIN #3 FROM U14 CHIP & CONNECT
    TO ONE SIDE OF SWITCH
    CONNECT SOCKET AND PIN #5 74LS175
    TO CENTER OF SWITCH
    CONNECT GROUND TO OTHER SIDE

GROUND-----------------O
                       !
                       /  NORMAL OPEN
                       !
PIN #5-----------------O
74LS175                !
                       /  NORMAL CLOSED
                       !
PIN #3-----------------O
U14

* * * * * * * W A R N I N G * * * * * *
THIS IS DONE AT YOUR OWN RISK
IT WILL VOID YOUR GUARANTEE
WE ASSUME NO RESPONSIBILITY FOR RESULTS
* * * * * * * W A R N I N G * * * * * *

***************************************

MSG LEFT BY: AXE MAN

IT SEEMS THERE'S A DEMAND FOR A W/P
SWITCH ON THE ANDROMEDA -- SO HERE IT
IS ...
 
 LOCATED ON THE ANDROMEDA RAM CARD IS
 A PIN NUMBER 25 WHICH HAPPENS TO BE
 THE POWER (+5V) PIN. IF THIS PIN IS
 FOLLOWED ONTO THE PC BOARD, THERE WILL
 BE TWO RESISTORS (SMALL TUBE-LIKE
THINGS WITH COLOR BANDS AND ONE LEAD
OUT OF EACH END). AT ONE END THE POWER
WILL GO INTO THIS RESISTOR, AT THE OTHER
ANOTHER TRACE WILL GO OFF TO SOME
OF THE OTHER ELECTRONICS ON THE BOARD.
WE WANT TO USE THE END THAT HAS THE
TRACES GOING TO OTHER CHIPS ON THE
BOARD. (CALL THIS POINT #1 (USE EITHER
RESISTOR - THERE ARE TWO)). POINT NUMBER
TWO IS WHERE PIN 18 FROM THE APPLE
CONNECTOR (7 PINS DOWN FROM 25 ON THE
SAME SIDE) ENTERS ONTO THE PC BOARD
AND IMMEDIATELY GOES THROUGH TO THE
OTHER SIDE (AFTER ABT 1/2 "). THIS
IS POINT #2.  IF YOU TRACE WHERE THE
THING COMES OUT ON THE OTHER SIDE,
YOU'LL FIND OUT THAT IT POPS BACK ON
THE SIDE IT STARTED FROM ABOUT 1/2"
LATER... THIS LITTLE LINK IS WHERE WE
CUT THE TRACE TO INSERT THE SWITCH.
(CONT'D NEXT MESSAGE)

***************************************

MSG LEFT BY: AXE MAN

OK, WE CUT THE TRACE BETWEEN THE TWO
POINTS THAT IT GOES THROUGH THE PC
BOARD. LABEL THE OTHER PLACE WHERE THE
TRACE GOES THROUGH POINT#3.  NOW WE
WILL ATTACH AN SPDT SWITCH TO THE BOARD
 SOLDER ONE WIRE TO POINT 3, AND ATTACH
IT TO THE CENTER TERMINAL OF THE SWITCH
THEN SOLDER A WIRE TO POINT 1 AND
ATTACH IT TO EITHER SIDE OF THE CENTER
SWITCH. LASTLY, TAKE A WIRE AND SOLDER
IT TO POINT 2 AND THEN TO THE UNUSED
PIN ON THE SWITCH. THERE YOU HAVE IT!
WHEN THE SWITCH HANDLE IS ON THE SAME
SIDE AS THE WIRE FROM POINT #1, REG-
ULAR OPERATION WILL TAKE PLACE. IF THE
SWITCH IS THROWN IN THE OTHER DIRECTION
THE CARD WILL BE WRITE PROTECTED.
(*PLEASE NOTE THAT THIS MODIFICATION
 WILL VOID YOUR WARRANTY AND THAT THE
USER ASSUMES AND WILL BE RESPONSIBLE
FOR ALL RISKS AND DAMAGES INCURRED IN
THE MAKING OR THE USE OF THIS MOD-
IFICATION, AND THAT THIS MODIFICATION
IS NOT GUARANTEED TO BE SUITABLE FOR
ANY PARTICULAR PURPOSE*)




Volume III (chapters 1-10)


MSG LEFT BY: BOZO NYC

WELL, NOW THAT ALL OF YOU KNOW ALL
THERE IS TO KNOW ABOUT DEMUFFIN;
HERE'S A GOOD CANDIDATE!
 
CASTLE OF DARKNESS CRACKS AFTER THE
STANDARD DEMUFFIN TREATMENT...
NO PATCHING NEEDED! ------>BOZO NYC

***************************************

MSG LEFT BY: RICHARD BRANDOW

CRACKING VC-EXPAND

FOR THOSE OF YOU, LIKE ME, WHO
BOUGHT THEMSELVES A 32K RAM CARD,
THERE IS A SPECIAL PROGRAM CALLED:
VC-EXPAND ( IT EXPANDS THE VISICALC
PROGRAM) .
 
THE DISK IS PROTECTED, BUT NOT FOR
LONG! HERE IS HOW TO CRACK IT.
 
1- BOOT VC-EXPAND
2- FLIP THE INTEGER SWITCH
3- GO INTO MONITOR
4- TYPE : 4000<0900.2116M
5- BOOT A SLAVE DISK
6- TYPE : 900<4000.5FFFM
7- 9DBFG
8- BSAVE VCX.BRUN,A$900,L$1816
9- MAKE UNLIMITED BACK-UP
10- BE HAPPY, I AM.

                <>>>>> RICHARD <<<<<>
                <>>>>> BRANDOW <<<<<>

***************************************

MSG LEFT BY: THE CLONEMAN

CRACKING CYBORG:

1. FLIP SWITCH ON INTEGER CARD UP
2. BLOAD DEMUFFIN AT $6000.  SEE
   CRACKING TECHNIQUES VOL 1 CHAPTER 4.
3. BOOT CYBORG DISKETTE; PRESS RESET
   WHEN SCREEN STARTS TO FILL WITH TEXT
4. MOVE DEMUFFIN TO $803 AND RUN IT.
5. TRANSFER ALL FILES TO DOS 3.2 INIT
   DISKETTES.
6. MUFFIN ALL THOSE 3.2 FILES TO 3.3.
7. BLOAD S1,A$1000
8. 1085:03 19 02
   1088:0F 12 07 21 A0 03 12 01
   1090:03 0B 05 04 A0 02 19 A0
   1098:14 08 05 A0 03 0C 0F 0E
   10A0:05 0D 01 0E
9. BSAVE S1,A$400,L$3FF
10. THAT'S IT!

 BEST OF LUCK, THIS IS A GREAT
 ADVENTURE!   THE CLONEMAN

***************************************

MSG LEFT BY: RICHARD BRANDOW

CRACKING SOFTPORN

1- BOOT DISK
2- FLIP INTEGER SWITCH
3- RETURN TO BASIC AND RECONNECT DOS
    (CALL 976 )
4- LOAD HELLO
5- GO INTO MONITOR
6- CHANGE :     120D EA
   TO ->  :     120D:6
7- 9DBFG
8- SAVE HELLO
9- THAT'S IT
NOTE : IF YOU DON'T HAVE AN INTEGER
       CARD, YOU CAN ALWAYS GET IN
       BY DOING (CTRL)-C.
NOTE2: SOFTPORN IS IN 3.2 . IF YOU
       WANT IT IN 3.3 THEN MUFFIN IT.
 
PS: I ORDERED DAVID'S MIDNITE MAGIC
          AND ARCADE MACHINE
          AND SCRAMBLE (GEBELLI SOF.)
 HOPE TO GET THEM SOON... HOPE THIS
 HELPS.
AND BY THE WAY (MR.WIZARDRY) I'M A
PROGRAMMER (MAKING GAMES) ON THE
APPLE ][ . (AND MOST OF THE TIME, I
TRADE WITH THEM! HA!).

***************************************

MSG LEFT BY: RICHARD BRANDOW

COPYING VISITERM

HI, RICHARD BRANDOW HERE AGAIN (OH,NOT
 HI AGAIN!) ON HOW TO COPY VISITERM.

1- MAKE A REGULAR COPY VIA/ PARAMETERS
   AND THE USE OF THE LOCKSMITH.
2- I KNOW WHAT YOU'LL SAY :'IT SAYS :
   BOOT ERROR. '...WELL
3- BOOT A REGULAR 3.3 DISK
4- PUT THE VISITERM DISKETTE IN DRIVE.
5- BLOAD VISITERM
6- GO INTO MONITOR (CALL-151)
7- CHANGE:  2118: EA
   TO ->  : 2118: 60
8- GO BACK TO BASIC (9DBFG)
9- UNLOCK VISITERM
10- DELETE VISITERM
11- BSAVE VISITERM,A$2000,L$01F0
12- LOCK VISITERM.
13- THAT'S IT!
    THE NEXT TIME YOU'LL BOOT IT, IT
    WON'T SAY BOOT ERROR AND WILL
    WORK PERFECTLY.
NOTE: THIS DOES NOT CRACK VISITERM, IT
      ONLY TAKES OUT THE CHECKING
      ROUTINE. (YOU STILL NEED LS.TO
      COPY IT.)
UNTIL THE NEXT TIME, HAVE FUN AND
HAPPY TRADING....
                       RICHARD
                       BRANDOW

***************************************

MSG LEFT BY: RICHARD BRANDOW

CRACKING VISICALC

HI, RICHARD BRANDOW HERE AND A WAY TO
CRACK YOUR OWN VISICALC.

THERE ARE 5 FILES (UTILITIES) THAT YOU
WILL NEED. THEY ARE NAMED A-E.
1- EXEC THE FILE A AND SAVE IT UNDER
   THE NAME ' V#2 '. ITS LOCATIONS
   ARE: A$= $3E0 L$=1F
2- EXEC THE FILE B AND SAVE IT UNDER
   THE NAME ' V#4 '. ITS LOCATIONS
   ARE: A$= $F62 L$7D
3- EXEC THE FILE C AND SAVE IT UNDER
   THE NAME ' BOOT#5 '. ITS LOCATIONS
   ARE: A$=6000 L$0152
4- EXEC THE FILE D AND SAVE IT UNDER
   THE NAME ' BOOT#5.1 '. ITS LOCATIONS
   ARE: A$8200 L$12
5- EXEC FILE E AND SAVE IT UNDER A
   BASIC PROGRAM NAME. THEN RUN IT.
   IT WILL CREATE AN EXEC FILE NAMED
   'VISICALC' WHICH TAKES V#2 + V#4 +
   V#5 +PUTS VC16 IN THE LEFT HAND
   CORNER.
OK. NOW YOU ARE READY TO CRACK THE
PROGRAM.
NOTE: TO EXEC A FILE WHICH IS BINARY
     YOU SHOULD TYPE: ]MON C,I,O
                      ]CALL-151
                      *EXEC'FILENAME'
    ---->>>> CONTINUE NEXT MESSAGE.

***************************************

MSG LEFT BY: RICHARD BRANDOW

OK, HERE IS WHAT YOU DO NOW ....
 
FIRST BOOT THE APPLE WITH NORMAL DOS.
THEN TYPE:   ]BLOAD BOOTV#5
             ]BLOAD BOOTV#5.1
 RIGHT AFTER THAT, TAKE THE DISK OUT
OF THE DRIVE AND PUT YOUR LOCKED
VISICALC IN IT.
THEN TYPE :
             ]CALL 24576
 
THE DRIVE WILL START, LOAD THE MAJOR
PART OF THE PROGRAM THEN STOP IN THE
MONITOR. THEN TYPE :
 
*BSAVE V#5,A$159C,L$6C00
 
THE FILE SHOULD BE AROUND 110 SECTORS.
(DON'T FORGET TO SAVE IT ON A REGULAR
 DOS DISK....THEY ARE HARD TO FIND
 THESE DAYS...)
OK YOU ARE NOW READY TO TEST IT ALL.
CLOSE THE MACHINE. MAKE SURE YOU
HAVE :  V#2
        V#4
        V#5
        VISICALC (EXEC FILE)
ON THE SAME DISK. THEN TYPE:
      ]EXEC VISICALC     (WAIT..)
AND THAT'S IT!!. HAPPY CRACKING  RICH.

THE OTHER FILES A,B,C,D,& E WILL BE
ADDED SOON.

               ^^^ SYSOP ^^^

03E0: 6C 2C E3 09 C4 C5 00 02
03E8: DD FF 00 00 00 00 00 00
03F0: 00 00 00 08 AD 00 00 00
03F8: 4C 00 08 00 00 00 00 09
0F62: A0 36 B9 A9 0F 99
0F68: 6D 00 88 10 F7 AD E0 03
0F70: 85 62 4D E1 03 85 28 A8
0F78: AD E1 03 4D E2 03 49 AA
0F80: 85 29 24 61 10 0E 48 18
0F88: 98 6D E8 03 85 28 68 6D
0F90: E9 03 85 29 A9 9C 85 63
0F98: A9 15 85 64 AD E6 03 85
0FA0: 65 AD E7 03 85 66 4C 6D
0FA8: 00 A2 E0 BD 00 03 48 E8
0FB0: D0 F9 A0 00 B1 63 91 65
0FB8: C8 D0 F9 E6 64 E6 66 A6
0FC0: 66 E0 04 D0 09 E6 64 E6
0FC8: 66 C6 62 CA D0 F7 C6 62
0FD0: D0 E0 A2 FF 68 9D 00 03
0FD8: CA E0 E0 B0 F7 6C 28 00
6000:A2 20 A0 00 A2 03 86 3C 8A 0A 24 3C F0 10 05 3C
6010:49 FF 29 7E B0 08 4A D0 FB 98 9D 56 03 C8 E8 10
6020:E5 4C 07 61 BA BD 00 01 0A 0A 0A 0A 85 2B AA BD
6030:8E C0 BD 8C C0 BD 8A C0 BD 89 C0 A0 50 BD 80 C0
6040:98 29 03 0A 05 2B AA BD 81 C0 A9 56 20 A8 FC 88
6050:10 EB 85 26 85 3D 85 41 A9 08 85 27 18 08 BD 8C
6060:C0 10 FB 49 D5 D0 F7 BD 8C C0 10 FB C9 AA D0 F3
6070:EA BD 8C C0 10 FB C9 96 F0 09 28 90 DF 49 AD F0
6080:25 D0 D9 A0 03 85 40 BD 8C C0 10 FB 2A 85 3C BD
6090:8C C0 10 FB 25 3C 88 D0 EC 28 C5 3D D0 BE A5 40
60A0:C5 41 D0 B8 B0 B7 A0 56 84 3C BC 8C C0 10 FB 59
60B0:D6 02 A4 3C 88 99 00 03 D0 EE 84 3C BC 8C C0 10
60C0:FB 59 D6 02 A4 3C 91 26 C8 D0 EF BC 8C C0 10 FB
60D0:59 D6 02 D0 87 A0 00 A2 56 CA 30 FB B1 26 5E 00
60E0:03 2A 5E 00 03 2A 91 26 C8 D0 EE E6 27 E6 3D A5
60F0:3D CD 00 08 A6 2B 90 DB A9 40 8D 4C 08 A9 61 8D
6100:4D 08 4C 01 08 24 60 A9 C6 48 68 4C 24 60 FF FF
6110:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
6120:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
6130:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
6140:A9 4C 8D 5B 03 A9 00 8D 5C 03 A9 82 8D 5D 03 4C
6150:01 03
8200:A9 4C 8D 62 0F A9 69 8D 63 0F A9 FF 8D 64 0F 6C
8210:3E 00
50 DIM F$(255)
60 F$ = "VISICALC"
100 PRINT CHR$(4)"OPEN ";F$
200 PRINT CHR$(4)"WRITE ";F$
300 PRINT "BLOAD V#5"
400 PRINT "BLOAD V#4"
500 PRINT "BLOAD V#2 "
600 PRINT "CALL-936"
700 PRINT "CALL-151"
800 PRINT "400:D6 C3 B1 B6"
900 PRINT "61:FF"
999 PRINT "F62G"
1000 PRINT CHR$(4)"CLOSE"
1100 END

***************************************

MSG LEFT BY: THE CLONEMAN
DATE POSTED: TUE MAR  2 10:00:58 PM

MESSAGE #7: VISIDEX CRACKED!

BY THE CLONEMAN

1. BOOT A LOCKSMITH COPY OF VISIDEX
2. FLIP YOUR INTEGER CARD SWITCH UP
3. PRESS RESET
4. INSERT A NORMAL DOS 3.3 DISK
5. 8C2:EA EA EA EA EA
6. 9DBFG
7. BSAVE VD1,A$800,L$4800
8. BSAVE VD2,A$9CF0,L$10
9. BSAVE VD3,A$B600,L$100
10.  WRITE AN EXEC PROGRAM TO:
       BLOAD VD1
       BLOAD VD2
       BLOAD VD3
       CALL 2051
11. THAT'S ALL!!!

***************************************

MSG LEFT BY: THE CLONEMAN
DATE POSTED: SAT MAR  6 11:00:47 PM

MESSAGE #8: VISIDEX LOWER CASE


ARE YOU WONDERING WHY VISIDEX ISN'T
DISPLAYING LOWER CASE WITH YOUR LOWER
CASE CHIP EVEN THOUGH THE DOCUMENTATION
CLAIMS THAT IT SHOULD?  WELL IT SEEMS
THAT VISIDEX SCANS A DIFFERENT PADDLE
BUTTON THAN THE ONE MOST PEOPLE USE.
TRY THE FOLLOWING FIX TO FILE VD1 (SEE
VISIDEX CRACKED MESSAGE) CHANGE
   424B:63 (WAS 61).  THIS SHOULD GIVE
NORMAL LOWER CASE AND SHIFT FOR UPPER
CASE.  IF YOU DON'T HAVE THE SHIFT MOD
YOU'LL HAVE TO USE THE ESC KEY.  IF THE
ABOVE DOESN'T WORK, INSTEAD OF THE
ABOVE TRY 424D:10
NOTE THE ABOVE CHANGES WORK FOR THE
PAYMAR CHIP.
  I HOPE YOU ALL FIND THIS LITTLE
VISIDEX ENHANCEMENT USEFUL.     
 
             THE CLONEMAN

***************************************

MSG LEFT BY: RED REBEL
DATE POSTED: TUE MAR 16  4:53:21 PM

MESSAGE #10: HOW TO CRACK THE ELIMINATOR


INIT A NEW DISK WITH REG DOS
BLOAD DEMUFFIN PLUS,A$6000
INTEGER SWITCH UP,GET READY FOR MONITOR
BOOT THE ELIMINATOR AND HIT RESET AFTER
     THE MAIN BOOT
PUT THE NEWLY INITED DISK IN DRIVE 2
TYPE 803<6000.8000M N 803G
USE THE WILDCARD = AND COPY ALL FILES
WHEN COMPLETE REMOVE BOTH DISKS,PUT THE
     NEW DISK IN DRIVE 1 AND BOOT
TYPE BLOAD ELIM1
     BLOAD STATION
CALL -151 AND MAKE THE FOLLOWING PATCHES
     A964:FF  SO YOU CAN BSAVE A LARGE
              PROGRAM
     1927:EA EA EA TO REMOVE PROTECTION
TYPE BSAVE ELIMINATOR,A$7FD,L$8300
 
THAT'S IT! TYPE BRUN ELIMINATOR & ENJOY!
 
DEMUFFINPLUS IS IN VOLUME I OF THE
CRACKING TECHNIQUES. ALSO WILL BE ON
THE SPECIAL DOWNLOAD. SEE BOZO'S
CRITIQUE ON CRACKING ON HOW TO USE IT.

             YO HO HO,

                      >>> RED REBEL <<<

***************************************

CRACKING VISIFILE
         BY: RED REBEL

MAKE A COPY OF VISIFILE USING THE COPYA
PROGRAM ON YOUR SYSTEM MASTER.

THEN WITH A NIBBLE EDITOR MAKE THE
FOLLOWING CHANGE:

TRK 22 SECT 04 BYTE 2D FROM 0A TO 0F

ALL DATA IN HEX

YOU NOW HAVE A COPYABLE MASTER..

***************************************

CRACKING SUPERSCRIBE
         BY: RED REBEL

MAKE A COPY OF SUPERSCRIBE USING THE
COPYA PROGRAM ON YOUR SYSTEM MASTER.

THEN WITH A NIBBLE EDITOR MAKE THE
FOLLOWING CHANGES:

TRK 1A SECT 09 BYTE CB FROM AF TO 0C
TRK 18 SECT 0E BYTE E0 FROM AF TO 0C

ALL DATA IN HEX

YOU NOW HAVE A COPYABLE MASTER..




Various cracks


MSG LEFT BY: TRYSTAN II

AFTER SOME TIME SPENT BROWSING AROUND
THE HARBOR, I FINALLY FOUND SOMETHING
I CAN CONTRIBUTE TO THE FINE COLLECTION
OF CRACKING TECHNIQUES THAT ARE TO BE
HAD ON THIS SYSTEM.  FOR THOSE OF YOU
WHO WOULD LIKE TO PUT EMPIRE I: WORLD
BUILDERS ON A STANDARD DOS 3.3 DISK,
TRY THE FOLLOWING:
 
   1) USE DEMUFFIN PLUS TO COPY ALL
      THE FILES TO STANDARD DOS 3.3
   2) BLOAD IF.SHAPE
   3) CALL -151
   4) *575F: A9 9E 8D 89 79 A9 2A
      *5766: 8D 87 79 60
   5) BSAVE IF.SHAPE,A$5600,L$282
 
THAT'S IT!  HAVE FUN....TRYSTAN II

***************************************

MSG LEFT BY: THE FONGUS

HOW TO CRACK THE PROGRAMMER FROM AOS.
---------------------------------------
1)COPYA THE ORIGINAL WITH THE GOOD OL
  B925:18 60 N B988:18 60 N 9DBFG
2)PUT NORMAL DOS ON THE COPY WITH
  MASTER CREATE
3)BOOT NORMAL DOS
4)LOAD THE PROGRAMMER
5)TYPE '13RETURN'
       '14RETURN'
THIS MEANS TYPE OUT 'RETURN'!!
 
ANOTHER ONE FROM THE BEST IN THE WEST
PIRATES BAY
(415) 775-2384

***************************************

MSG LEFT BY: JIM PHELPS

TO CRACK THE MARKET ANALYZER FROM DOW
JONES DO THE FOLLOWING:
USE A SECTOR EDITOR SUCH AS THE
INSPECTOR OR DISK ZAP AND EDIT THE
FOLLOWING BYTES TO 'EA' AND THEN RE-
WRITE THE SECTOR.
 
TRACK 1B SECTOR E EDIT BYTES
62,63,64,76,77,78
 
MAKE THESE ALL 'EA' AND YOU CAN BOOT
UP THE PROGRAM WITH NO PROBLEM.

***************************************

MSG LEFT BY: TRYSTAN II

FOR THOSE OF YOU WHO HAVE SOFTWARE DIMENSION'S ACCOUNTING PLUS ][ PACKAGE,
THIS LITTLE CRACK WILL ALLOW YOU TO RUN IT WITHOUT THE FIRMWARE CARD IT
NORMALLY REQUIRES.  THIS WAY, YOU CAN USE IT BOTH AT HOME AND IN YOUR OFFICE
WITHOUT HAVING TO TRANSPORT THE CARD BACK AND FORTH.  FOR THAT MATTER, YOU
CAN THROW THE CARD AWAY!  THE 4 DISKS THAT COME WITH THE PACKAGE ARE NOT
PROTECTED, SO YOU CAN MAKE AS MANY COPIES OF THEM AS YOU WISH.
 
THE BASIC CONCEPT IS THAT WE WILL SAVE THE CODE THAT IS ON THE FIRMWARE CARD
ONTO A DISK FILE AND THEN HAVE THE PROGRAM LOAD IT IN RAM BEFORE IT STARTS
EXECUTION.  BY CHANGING A COUPLE OF BYTES IN THE FILE CALLED "APII.CODE"
WE FOOL IT INTO THINKING THE FIRMWARE CARD IS PLUGGED INTO A SLOT, WHEN
IN ACTUALITY, IT IS RESIDING UP IN HIGH RAM MEMORY!
 
HERE'S ALL YOU DO---
 
     1) PUT THE FIRMWARE CARD IN ANY SLOT YOU LIKE (EXCEPT 0).
 
     2) TYPE: CALL-151
              BSAVE FIRMWARE,A$CX00,L$100  ( X=SLOT NUMBER OF CARD )
 
     3) NOW ALL WE DO IS ADD 2 LINES TO THE HELLO PROGRAM CALLED
        "SYSHELLO.PROG":
        TYPE:
            LOAD SYSHELLO.PROG
            22 HIMEM:36863
            24 PRINT CHR$(4);"BLOAD FIRMWARE,A$9000"
            SAVE SYSHELLO.PROG
 
     4) THE LAST STEP IS TO MAKE 2 QUICK CHANGES TO "APII.CODE" AND WE'RE
        DONE.  TO ACCOMPLISH THIS, TYPE--
             BLOAD APII.CODE
             CALL -151
             197C:1D
             1B72:C3
             BSAVE APII.CODE,A$800,L$1406
 
YOU NOW HAVE A VERSION OF ACCOUNTING PLUS ][ THAT NO LONGER NEEDS THE
FIRMWARE CARD.  ENJOY!!
 
*****  NOTE:  THIS APPLIES ONLY TO VERSION 1.3 OF THE SOFTWARE  *****
*****         BUT THE TECHNIQUE WORKS FOR OTHER VERSIONS..ONLY  *****
*****         THE LINE NUMBERS AND/OR LOCATIONS ARE DIFFERENT.  *****
 
                      << TRYSTAN II >>

***************************************

MSG LEFT BY: THE MARAUDER
 
)=>CRACKING PRISONER II<=(

     P R I S O N E R  I I
     --------------------
   BY INTERACTIVE FANTASIES
 
CRACKED BY THE SOFTWARE UNDERGROUND
 
THE FOLLOWING IS A STEP BY STEP
PROCEDURE TO CRACK PRISONER II VERY
EASILY.
 
(1)-=> COPY-A THE ORIGINAL DISK
 
(2)-=> UNLOCK "IF.SHAPE" ON COPY
 
(3)-=> BLOAD "IF.SHAPE"
 
(4)-=> CALL -151
 
(5)-=> TYPE IN THE FOLLOWING IN
       THE MONITOR.
 
          57A2:78 5B 61
 
(6)-=> CTRL-C OR 9BDFG
 
(7)-=> BSAVE "IF.SHAPE,A$5600,L$26E"
 
(8)-=> LOCK "IF.SHAPE"
 
 AND THERE YOU HAVE IT............
 
 A CRACKED AND FIDABLE ------>
 
     P R I S O N E R  I I
     --------------------

========== SEE YA LATER ==============

           THE MARAUDER

==========              ==============

<<<<<<THE SOFTWARE UNDERGROUND>>>>>>>

***************************************

MSG LEFT BY: RESET VECTOR

COPYA AZTEC!

AZTEC IS A GREAT NEW GAME FROM DATAMOST BY THE AUTHOR OF SWASHBUCKLER,
AND IT IS A LOT LIKE CASTLE WOLFENSTEIN.  IT CAN BE CRACKED INTO COPYA
FORM WITH GREAT EASE, JUST LIKE MOST OF THE DATAMOST STUFF.  IT ACCESSES
THE DISK A LOT, SO THIS IS THE MOST PRACTICAL WAY TO CRACK IT:
BOOT SYSTEM MASTER
CALL-151
B925:18 60
B988:18 60
BE48:18
B942:18
RUN COPYA AND COPY THE DISK.
NOW USE A SECTOR EDITOR AND ACCESS TRACK 0 SECTOR 3 AND CHANGE BYTE 42
FROM 38 TO 18.  THAT'S IT!
KEEP ON CRACKING!
     ->RESET VECTOR!

***************************************

MSG LEFT BY: RESET VECTOR

MESSAGE #49: CRACKING SOFTERM

THIS ONE IS REALLY MORONICALLY SIMPLE.  JUST DEMUFFIN IT.  THE CATCH IS THAT
YOU WILL SEE 4 FILES.  JUST IGNORE ALL OF THEM EXCEPT "SOFTERM" - ALL YOU
HAVE TO DO IS "BRUN SOFTERM".
COMPLIMENTS OF ->RESET VECTOR!

***************************************

MSG LEFT BY: RESET VECTOR

MESSAGE #50: CRACKING DATA*TRANS

DATA*TRANS IS A NEW TERMINAL PROGRAM WHICH I HAVE VERY MIXED FEELINGS ABOUT;
IT IS BASICALLY A SOUPED UP DATA CAPTURE.  IT IS VERY EASY TO CRACK.  YOU CAN
DEMUFFIN IT, BUT IT APPEARS TO LIKE ITS OWN DOS, SO THE EASY WAY IS TO JUST
BOOT DOS, CALL-151, B942:18, RUN COPYA AND COPY DISK, THEN CHANGE TRACK 0
SECTOR 3 BYTE 42 FROM 38 TO 18.  YOU CAN THEN CHANGE THE FILE NAME IN THE
CATALOG THAT  CONTAINS THE SERIAL NUMBER.  I TRIED THE PROGRAM WITH TDE DOS
AND IT BOMBED ME INTO THE MONITOR AT A CERTAIN POINT, BUT OTHER FAST DOSES
MIGHT WORK...
   COMPLIMENTS OF ->RESET VECTOR!

***************************************

MSG LEFT BY: THE WOODPECKER

....WANT TO BE ABLE TO READ HALF-
TRACKS AND WRITE THEM OUT ON WHOLE
TRACKS (OR VICE VERSA)?  WELL, ADDING
THE FOLLOWING PATCHES  TO YOUR DOS
WILL LET YOU DO THE JOB.  IT IS
ESPECIALLY USEFUL IF YOU ARE USING
RWTS  DIRECTLY TO CONVERT PROTECTED
DISKS TO STANDARD.
    THE APPLE STEPPER MOTOR REQUIRES
TWO PULSES TO MOVE ONE WHOLE TRACK,
SO IF WE SEND OUT ONE MORE PULSE, WE
WILL MOVE THE ARM 1/2 TRACK BEYOND THE
NORMAL POSITION FOR THAT TRACK.
    THE ROUTINE THAT POSITIONS THE
HEAD IS LOCATED IN DOS STARTING AT
B9A0 SO RIGHT THERE WE MAKE IT JSR TO
OUR HALF-TRACK ROUTINE WHICH WE WILL
PUT AT $0300.  SO CALL -151 AND:
B9A0:20 00 03 EA
0300:86 2B 85 2A C9 XX 90 02
0308:E6 2A AD 78 04 C9 XX 90
0310:03 EE 78 04 A5 2A 60
WHERE XX IS THE HEX VALUE EQUAL TO
TWICE THE TRACK NUMBER OF THE FIRST
TRACK YOU WANT TO HALF TRACK.
REMEMBER YOU NEED TWO PULSES PER
TRACK. AFTER YOU HAVE READ THE
TRACK AND ARE READY TO WRITE ON A WHOLE
TRACK, JUST CHANGE $0304 FROM C9 TO 60
SO THAT THE ROUTINE IS BY-PASSED AND
THE TRACK WILL BE WRITTEN ONTO A WHOLE
TRACK.
     HAVE FUN
                  ........WOODY

***************************************

MSG LEFT BY: CAPTAIN NIBBLE

HERES A CRACK FOR WAR BY ADVENTURE
INTERNATIONAL
 
INIT A DOS 3.3 DISK
CALL-151
*B925:18 60
*B988:18 60
*3D0G
BRUN FID
NOW FID THE FILES ONTO THE NEW DISK
BOOT THE NEW DISK
LOAD HELO
SAVE HELLO
BLOAD WAR
CALL-151
*802:65
*3D0G
BSAVE WAR,A$800,L$6C00
 
NOW YOU HAVE A COPYA-ABLE COPY

ANOTHER GOODIE FROM CAPTAIN NIBBLE

***************************************

MSG LEFT BY: MANUEL VELOSO

CRACK ALL PLATO

I'VE BEEN FIDDLING AROUND WITH THIS,
& HAVE COME UP WITH A WAY.
1) BOOT DISK
2) FLIP INT.SWITCH UP & RESET
3) 7800<B800.BFFFM
4) BOOT SLAVE
5) BLOAD MUFFIN (FROM ANOTHER DISK)
6) 1900<7800.7FFFM
7) 803G
8) CONVERT
 
MOST OF YOU PROBABLY RECOGNIZE THIS
FROM THE JOLLY ROGER, ON DEMUFFIN
TECHNIQUES. WELL, AFTER THIS YOU
CAN BSAVE PLATO CRACKER,A$803,L$1900
FOR A PERMANENT CRACKER.

***************************************

MSG LEFT BY: THE BEAST

FLOCKLAND ISLANDS
 
THIS IS REALLY A CRUMMY GAME AND THEIR
PROTECTION SCHEME IS JUST AS BAD.
THE PROGRAM IS ONE OF THOSE 3.2/3.3
BOOTERS. THEY ALSO HAVE PUT THE VTOC
ON TRACK $10 (LOOK OUT WORLD!,THEY
PROBABLY GOT THEIR HANDS ON AN OLD
BEAGLE BROTHERS TIP BOOK).SO IF YOU
BOOT A 3.2 DISK AND *AC01:10 YOU CAN
READ THEIR FILES. THIS BRINGS UP A
POINT ABOUT USING DEMUFFIN, NAMELY
THAT THE DIRECTORY TRACK (AFTER
MOVING IT TO $803) IS AT $10A1
(NORMALLY $11). NOW THE BEST WAY THAT
I HAVE FOUND TO HANDLE THESE DISKS
IS TO BOOT A 3.3 DISK, CHANGE *AC01:10
(OR WHAT EVER VALUE THEIR DIRECTORY
IS ON) THEN INITIALIZE THE DISK (NOTE
THAT IF YOU WANT TO FIND THE NAME OF
THE HELLO PROGRAM FOR DOS 3.3 IT'S
ON TRACK 1 SECTOR 9, FOR STANDARD
DOS 3.2 IT'S ON TRACK 1 SECTOR C, AND
ON A WOZBOOT13(THE OLD UTILITY THAT
CONVERTS 3.2 DISK SO THEY WILL BOOT
ON 3.2 AND 3.3) IT'S ON TRACK 1
SECTOR B WHERE WE FIND IN THIS CASE
IT'S "BOOT.B"). NOTE THAT IF YOU
CHANGE $AC01 FROM $11 TO SOMETHING
ELSE DOS WILL ONLY WRITE THE VTOC ON
THE NEW TRACK AND AIM THE CATALOG TRACK
TO $11. ALSO NOTE THAT IT WILL NOT LOCK
THE SECTOR OF THE VTOC, SO IT MIGHT
GET CLOBBERED (WHILE DEMUFFINING) IF
YOU DON'T LOCK IT YOURSELF.
SO ANYWAY, MUFFIN OR DEMUFFIN THE FILES
TO YOUR NEW DISK AND WITH A SECTOR
EDITOR READ TRACK $10 SECTOR 0 AND
WRITE IT TO TRACK $11 SECTOR 0 (WHICH
WAS LOCKED WHEN YOU INITED THE DISK).
THEN YOU CAN EITHER INIT ANOTHER DISK
(WITH STANDARD DOS) AND FID THE FILES
OR YOU MIGHT JUST USE A SECTOR EDITOR
AND CHANGE T$1 S$B LOCATION $01 FROM
$10 TO $11.
 
             --->>> THE BEAST <<<---

***************************************

MSG LEFT BY: THE BEAST

ZOOM GRAFIX CRACK

THERE ARE TWO VERSIONS OF ZOOM GRAFIX.
TO TELL THEM APART 'LOAD GRAFIX':
OLD VERSION:LINE 100 HAS REM 13-NOV-81
NEW VERSION:LINE 100 HAS REM 9APR82
THE PROTECTION & UNPROTECTION ON EACH
IS SLIGHTLY DIFFERENT.
TO BEGIN WITH BOOT IT & GO INTO THE
MONITOR.NOW THE FILES WILL NOT
DIRECTLY DEMUFFIN. HOWEVER:
*6800<B800.BFFFM
 (INSERT SLAVE DISK WITH HELLO PROG
  DELETED)
*6 (CTRL-P)
]BLOAD DEMUFFIN,A$4000
]CALL-151
*B800<6800.6FFFM
*803<4000.6000M
*803G
AND PROCEED AS USUAL.YOU MIGHT WANT TO
INIT A DISK WITH A FAST DOS USING
'GRAFIX' TO RECEIVE THE FILES.
NEXT 'LOAD GRAFIX' (BOTH VERSIONS)
]101 GR : PRINT CHR$(4)"MAXFILES1"
]102 POKE 2049,97:KB=49152:KS=KB+16:
     NORMAL
]104
(DELETE IT)
]150 VTAB 21:POKE 103,1:POKE 104,96:
    POKE 24576,0:POKE 36873,0:DR=36864
]SAVE GRAFIX
NEXT 'LOAD GRAFIX PART ]['
OLD VERSION:
]1395 LM=0
NEW VERSION:
]1405 LM=0
THEN 'SAVE GRAFIX PART ]['
NEXT 'LOAD GRAFIX SET-UP'
OLD VERSION:
]105 POKE 47094,0
NEW VERSION:
]102 POKE 47094,0
THEN 'SAVE GRAFIX SET-UP'
 
THIS SEEMS TO TAKE CARE OF ALL OF THE
TRAPS.CREDIT FOR THIS GOES TO GREGG
BURMAN, WHO POSTED THE CRACK FOR THE
OLD VERSION ON BOARD 12.NOTE THAT THE
NEW VERSION HAS SEVERAL ENHANCEMENTS.
              >>> THE BEAST <<<

***************************************

MSG LEFT BY: JOEL BRENNER

WIZMAKER!

THERE IS A NEW WIZARDRY UTILITY ON THE MARKET THAT ALLOWS YOU TO EDIT YOUR
CHARACTERS WITH THE GREATEST OF EASE.  IT IS CALLED "WIZMAKER" AND IT IS
EASY TO COPY:
USE NIBBLES AWAY ][
TRACK START D5 AA 96
INSERT MARK DE AA EB FD
SYNC SIZE 0A
COPY TRACKS 0-22
KEEP ON CRACKING!   JOEL BRENNER

***************************************

MSG LEFT BY: SHAWN ROBERTS
 
WHEN YOU WANT TO CRACK ONLINE SOFTWARE,
THERE IS A SPECIAL TECHNIQUE. FIRST OF
ALL, THE DOPES AT ONLINE FAIL TO
REALIZE THAT WHEN THEY PROTECT A DISK
DONT DO IT THE SAME EVERY TIME. 99%
OF ONLINE SOFTWARE IS COPYA-ABLE WITH
THIS ONE MODIFICATION. GO INTO THE
MONITOR.
CALL-151
*B942:18
THIS ALLOWS APPLE DOS TO COPY THE DISK
VIA COPYA
THEN AFTER THE DISK IS COPYA'D, YOU
HAVE TO LOOK AROUND THE CATALOG TRACK
FOR AN ABNORMAL HEX#. SUCH AS 9D OR 8B
CHANGE THIS TO ITS PROPER EQUIVALENT
LIKE FOR 8B YOU WOULD CHANGE THE BYTE
TO 60. IF YOU LOOK IN YOUR APPLESOFT
MANUAL OR ONE OF THOSE BOOKS, YOU WILL
SEE A CHART OF 6502 VALIENCES. THE
NORMAL VALIENCE FOR A CATALOG TRACK
IS USUALLY I GAP WITH 2 SECONDARY GAPS.
ONLINE DOESNT INCORPORATE GAPS INTO THE
TRACK(11). THEN ALL YOU NEED TO DO IS
CHANGE THE BYTE AND CATALOG ONCE BEFORE
YOU TRY THE GAME, AND BAMMO. INSTANT
COPYA VERSION OF WHAT-HAVE YOU. CRACKED
IS WHAT YOU CALL IT. ALSO, RENAME THE
CATALOG FILES AS THEY HAVE CONTROL
CHARACTERS EMBEDDED IN THEM.
ALSO, FOR THOSE OF YOU WITH RAM CARDS,
MAY I RECOMMEND "C" LANGUAGE FOR COPY-
ING **ALL** RUNTIME PASCAL BUT YOU STILL
HAVE TO NIBBLE COUNT WIZARDRY. OH WELL

***************************************

MSG LEFT BY: LONG JOHN SILVER

OK, MORE AND MORE PROGRAMS ARE BEING
PROTECTED WITH APPLES PROTECTION SCHEME
CALLED DOS 3.3P (P=PROTECTED), WELL
HERE IS HOW TO CRACK ANY DISK PROTECTED
WITH DOS 3.3P,
 
]CALL-151
*B6B3:A0 0A B9 D6 B6
*B6B8:99 F6 B8 88 10 F7 60 BD
*B6C0:8C C0 10 FB 49 AD F0 09
*B6C8:BC 8C C0 10 FB B9 00 BA
*B6D0:2C A9 00 A0 56 60 20 BF
*B6D8:B6 EA EA EA EA EA EA EA
*B6E0:EA
*BSAVE CRACK DOS 3.3P,A$B6B3,L$2E
 
JUST BRUN THIS PROGRAM AND FID ALL THE
FILES OF THE PROTECTED DISK!!, YOU WILL
FIND A LOT OF SOFTWARE IS PROTECTED
WITH DOS 3.3P, MOST OF IT SEEMS TO BE
EDUCATIONAL SOFTWARE SUCH AS THE
SESAME STREET STUFF, SPECIAL DELIVERY
SOFTWARE, ALSO SPELLING DEMONS AND MUCH
MUCH MORE SOOOO... HAVE FUN,
 
                LONG-JOHN SILVER
 
 
ALSO I AM LOOKING FOR INFO ON CP/M
AND APPLE PASCAL BIOS, I HAVE BEEN
DISASSEMBLING THE CP/M ONE AND IT
SEEMS TO BE STRAIGHTFORWARD, BUT I
DO NOT KNOW ABOUT THE PASCAL ONE?
I AM PRIMARILY INTERESTED IN THE
APPLE DISK DRIVERS (I AM WRITING
SOFTWARE FOR A BIG RAM-CARD)
 
***************************************

MSG LEFT BY: MISTER C

TO CRACK VISIBLE COMPUTER 6502:
 
STEP1: GET THE FILES OFF OF THE DISK.
ONE METHOD IS TO BOOT AN ORIGINAL
VIDEX VISICALC PRE-BOOT, LOAD DEMUFFIN,
PUT IN VC6502 AND GO (I DONT KNOW MY
WAY AROUND SUPER DOS OR I COULD MAKE
THIS CLEANER), DO THIS ONTO A DISK
INITED WITH THE NAME 'STARTUP'
(PREFERABLY WITH A FAST DOS).
 
STEP2: LOAD VC (DON'T LIST IT !!!!!)
DELETE LINE 20730 (THIS INITIALIZES
THE DISK IF YOU DON'T HAVE THEIR DOS
IN MEMORY). SAVE VC.
 
DONE.
 
YOU CAN ALSO COMPILE VC IF YOU'RE
IMPATIENT( WATCH OUT FOR HI-RES PAGE 1)
 
THIS LOOKS LIKE A FUN PROGRAM.
IF ANYONE HAS THE DOX FOR IT, I WOULD
BE INTERESTED IN OBTAINING A COPY OF
THEM.
 
                   MISTER C




Bozo's program cracker ROM 1.1


***************************************
*     BOZO'S PROGRAM CRACKER ROM      *
*            REVISION 1.1             *
***************************************
*
* NOTE: THIS PGM WILL NOT WORK UNLESS 'TO', 'FROM', AND 'STOP' ALL EQUATE TO
*       PAGE BOUNDARIES (E.G. 2000, 4400, ETC)
*
*****************************************************************************
* THE BASIS OF THIS LITTLE PROGRAM IS THE USE OF ABSOLUTE INDEXED INCREMENT *
* ADDRESSING  (E.G.  LDA  400,X   STA 2400,X   INX). TO KEEP THE LENGTH  AS *
* SHORT AS POSSIBLE,  SELF-MODIFYING CODE IS USED.   THE  ABSOLUTE INDEXING *
* MODE CAN ONLY  MOVE 1 PAGE AT A TIME,   THE SELF-MODIFICATION PART ALLOWS *
* ONE TO MOVE MORE THAN 1 PAGE, WITHOUT HAVING TO DUPLICATE THE CODE OVER & *
* AND  OVER FOR EACH  PAGE ($FF BYTES).   SINCE SELF-MODIFYING CODE MUST BE *
* RAM  BASED,  THE FIRST PART OF THIS PGM MOVES THE SECOND  PART  FROM  ROM *
* INTO RAM; IT THEN JUMPS TO THE BEGINNING OF THE CODE IT JUST MOVED....... *
* !!!!! WARNING !!!!!  NOTE THAT MOST ASSEMBLERS WILL CODE THE:  LDA FROM,X *
* INCORRECTLY WHEN FROM EQUATES IN THE ZERO PAGE;   THIS WILL RESULT IN TWO *
* OP-CODES  BEING GENERATED INSTEAD  OF  THREE,  AND WILL MESS UP THE SELF- *
* MODIFYING PART.  THIS SOURCE IS MEANT MOSTLY AS AN AID  TO UNDERSTANDING; *
* USE THE OBJECT CODE WHICH FOLLOWS,  WHEN MODIFYING YOUR F8 MONITOR.       *
* --------------->BOZO<----------------------------->NYC<------------------ *
******************----*******************************---*********************
*
*        ORG $FCC9 ;THIS IS THE TAPE WRITE SECTION OF F8 ROM
*                  ;AND THE BEGINNING OF ROM BASED CODE
    FROM EQU $0000 ;BEGINNING OF MEMORY TO SAVE
      TO EQU $2000 ;LOCATION TO BEGIN SAVING CODE
    STOP EQU $2800 ;LOCATION + 1 TO STOP SAVING CODE
    CODE EQU $2800 ;BEGINNING OF RELOCATED (RAM) BASED CODE
   RESET EQU $FF59
*                  ;!!! PROGRAM START !!!
         CLD
         LDX #0
   LOOP1 LDA MOVE,X
         STA CODE,X
         INX
         CPX #$1B ;LENGTH OF ROM CODE TO MOVE
         BNE LOOP1
         JMP CODE
    MOVE LDY #/STOP
         LDX #0
   LOOP2 LDA FROM,X
         STA TO,X
         INX
         BNE LOOP2
         INC CODE+6
         INC CODE+9
         CPY CODE+9
         BNE LOOP2
         JMP RESET
         END

HERE'S THE ASSEMBLED OBJECT,  READY TO DROP IN AT $FCC9.  THIS IS
THE  ONE OF THE TAPE WRITE ROUTINES IN THE F8 ROM;  SINCE I DON'T
USE TAPE, AND I WANTED TO PRESERVE THE ROM ROUTINES, I CHOSE THIS
LOCATION.   IF YOU WANT TO LOCATE IT SOMEWHERE ELSE,  FEEL  FREE,
BUT BEWARE THAT IT IS NOT RELOCATABLE WITHOUT A FEW CHANGES.


FCC9: D8 A2 00 BD DA FC 9D 00
FCD1: 28 E8 E0 1B D0 F5 4C 00
FCD9: 28 A0 28 A2 00 BD 00 00
FCE1: 9D 00 20 E8 D0 F7 EE 06
FCE9: 28 EE 09 28 CC 09 28 D0
FCF1: EC 4C 59 FF
                                        HAVE FUN (?)
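The listing above can be executed as it stands. What follows is an added example, not Bozo's code and not part of the original posting: a Python interpreter for just the eleven 6502 opcodes the ROM uses, fed the object bytes from the dump at $FCC9, with a constructed 2K block in $0000-$07FF standing in for the program to be saved. It shows the INC CODE+6 / INC CODE+9 self-modification advancing the LDA and STA operands one page per pass, which is why TO, FROM and STOP must sit on page boundaries.

```python
"""Added example, not Bozo's code: a tiny 6502 interpreter that implements
only the eleven opcodes the cracker ROM uses, so the object bytes listed
above can be executed unchanged and the self-modifying page copy watched at
work.  Memory layout ($FCC9 ROM, $2800 relocated loop, $0000-$07FF source,
$2000-$27FF destination) follows the listing; the source data is constructed."""

# The 43 object bytes exactly as listed at $FCC9.
ROM_OBJ = bytes.fromhex(
    "D8 A2 00 BD DA FC 9D 00 28 E8 E0 1B D0 F5 4C 00 28"   # CLD .. JMP CODE
    "A0 28 A2 00 BD 00 00 9D 00 20 E8 D0 F7"               # MOVE: LDY / LDX / LOOP2
    "EE 06 28 EE 09 28 CC 09 28 D0 EC 4C 59 FF"            # INC / INC / CPY / BNE / JMP RESET
)
ROM_ORG = 0xFCC9
CODE = 0x2800      # where LOOP1 relocates the MOVE routine
RESET = 0xFF59     # old-monitor reset entry; execution stops when the code jumps here


def run_cracker_rom(mem, max_steps=100_000):
    """Execute mem from $FCC9 until JMP $FF59; return the instruction count.
    Only the Z flag is modelled: BNE is the program's only conditional branch."""
    pc, a, x, y, z = ROM_ORG, 0, 0, 0, False
    steps = 0

    def operand16(at):                       # little-endian absolute address
        return mem[at] | (mem[at + 1] << 8)

    while steps < max_steps:
        op = mem[pc]
        steps += 1
        if op == 0xD8:                               # CLD
            pc += 1
        elif op == 0xA2:                             # LDX #imm
            x = mem[pc + 1]; z = x == 0; pc += 2
        elif op == 0xA0:                             # LDY #imm
            y = mem[pc + 1]; z = y == 0; pc += 2
        elif op == 0xBD:                             # LDA abs,X
            a = mem[(operand16(pc + 1) + x) & 0xFFFF]; z = a == 0; pc += 3
        elif op == 0x9D:                             # STA abs,X
            mem[(operand16(pc + 1) + x) & 0xFFFF] = a; pc += 3
        elif op == 0xE8:                             # INX
            x = (x + 1) & 0xFF; z = x == 0; pc += 1
        elif op == 0xE0:                             # CPX #imm
            z = x == mem[pc + 1]; pc += 2
        elif op == 0xEE:                             # INC abs: this is the self-modification
            addr = operand16(pc + 1)
            mem[addr] = (mem[addr] + 1) & 0xFF; z = mem[addr] == 0; pc += 3
        elif op == 0xCC:                             # CPY abs
            z = y == mem[operand16(pc + 1)]; pc += 3
        elif op == 0xD0:                             # BNE rel
            off = mem[pc + 1]
            pc += 2
            if not z:
                pc += off - 256 if off > 0x7F else off
        elif op == 0x4C:                             # JMP abs
            pc = operand16(pc + 1)
            if pc == RESET:
                return steps
        else:
            raise NotImplementedError(f"opcode ${op:02X} at ${pc:04X}")
    raise RuntimeError("RESET never reached")


def demo():
    """Run the ROM over a constructed 2K 'program' and report what happened."""
    mem = bytearray(0x10000)
    mem[ROM_ORG:ROM_ORG + len(ROM_OBJ)] = ROM_OBJ
    for addr in range(0x0800):                   # constructed source bytes (FROM .. FROM+7FF)
        mem[addr] = (addr * 7 + (addr >> 8)) & 0xFF
    source = bytes(mem[0x0000:0x0800])
    steps = run_cracker_rom(mem)
    copied = bytes(mem[0x2000:0x2800])
    # By the time LOOP2 exits, the two operand high bytes have been bumped once
    # per page: the loop now reads LDA $0800,X and STA $2800,X, and Y ($28)
    # matched the STA operand, which is the CPY CODE+9 exit test.
    return copied == source, mem[CODE + 6], mem[CODE + 9], steps
```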




Tricks


>>>>>  D O S     T R I C K S <<<<<

***************************************

MSG LEFT BY: MIGHTY COLOSSUS


TRY THIS TO SEE ANY DOS, REMOVE THE
REAR MOST SET OF RAM CHIPS FROM YOUR
APPLE (THE ONES NEAR THE I/O SLOTS).
THEN INIT A DISK, REPLACE THE RAM AND
BOOT UP UNDER THE PROGRAM YOU WISH TO
DEPROTECT. THEN FORCE A REBOOT WITH THE
DISK YOU INITED IN DRIVE 1. THE DOS
FROM THE PROTECTED DISK WILL (IN MOST
CASES) STILL BE IN THE RAM UP TOP....
 
THIS NEW DOS IS A SLAVE AT 32 K AND
THE OLD (AND PROTECTED) DOS IS STILL
AT 48 K. THIS WILL WORK ON ABOUT 50%
OF THE PROGRAMS.  ENJOY
 
YOU CAN ALSO REMOVE THE TOP 32K AND
GET TWICE AS MUCH.

***************************************

MSG LEFT BY: RANDY UBILLOS
DATE POSTED: SUN FEB 21 12:53:19 AM

MESSAGE #4: CHECKSUM TRICK

A  VERY  HANDY TECHNIQUE FOR  TAKING  A
LOOK AT THE DATA ON A PROTECTED DISK IS
TO  DISABLE  THE CHECKSUM IN THE  RWTS.
THE  FORMATS  OF MANY  PROTECTED  DISKS
VARY ONLY IN THIS CHECKSUM,  SO TURNING
IT   OFF  SHOULD  ALLOW  ANY   STANDARD
TRACK/SECTOR  UTILITY  TO LOOK  AT  THE
DISK!  TO DO THIS, BOOT UP THE DOS THAT
YOU WISH TO USE, AND ENTER THE MONITOR.
THEN  ENTER   B942:18 FOR  DOS  3.3  OR
B963:18  FOR DOS 3.2.   THIS CHANGES  A
SET  CARRY INSTRUCTION TO A CLEAR CARRY
INSTRUCTION.  NOW RETURN TO DOS AND RUN
YOUR  EDITOR.   IF  THE  DISK  YOU  ARE
LOOKING  AT  IS  PROTECTED  WITH   THIS
SYSTEM,  YOU  SHOULD BE ABLE TO READ IT
NOW. TO MAKE  THIS CHANGE TO A DOS ON A
DISK, THIS DATA IS CONTAINED IN TRACK 0
SECTOR  3,  AT EITHER BYTE $42 OR  BYTE
$63, FOR DOS 3.3 OR 3.2, RESPECTIVELY.
GOOD LUCK.......
                     RANDY
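To make concrete what the SEC at $B942 is guarding, here is an added example (not part of Randy's message) of the DOS 3.3 6&2 sector checksum in Python: the 64-nibble translate table is the standard one, the 342 six-bit values are constructed sample data, and the 256-to-342 byte split is left out because the checksum only ever sees the six-bit values. It shows that the check catches a single altered nibble, and that reading with the compare skipped hands back silently corrupted data from that nibble onward.

```python
"""Added example, not from the original message: the per-sector checksum that
the SEC at $B942 guards.  DOS 3.3 stores each sector as 342 six-bit values
plus one checksum nibble; each nibble written is the XOR of the current value
with the previous one, so reading is a running XOR and the final nibble must
cancel the accumulator to zero.  Sample data here is constructed."""

# The 64 legal 6&2 disk nibbles, indexed by six-bit value 0..63.
NIBBLE_TABLE = [
    0x96, 0x97, 0x9A, 0x9B, 0x9D, 0x9E, 0x9F, 0xA6,
    0xA7, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF, 0xB2, 0xB3,
    0xB4, 0xB5, 0xB6, 0xB7, 0xB9, 0xBA, 0xBB, 0xBC,
    0xBD, 0xBE, 0xBF, 0xCB, 0xCD, 0xCE, 0xCF, 0xD3,
    0xD6, 0xD7, 0xD9, 0xDA, 0xDB, 0xDC, 0xDD, 0xDE,
    0xDF, 0xE5, 0xE6, 0xE7, 0xE9, 0xEA, 0xEB, 0xEC,
    0xED, 0xEE, 0xEF, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6,
    0xF7, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF,
]
DECODE = {nib: val for val, nib in enumerate(NIBBLE_TABLE)}


def encode_sector(values):
    """342 six-bit values -> 343 disk nibbles (data + checksum), as RWTS writes them."""
    if len(values) != 342 or any(not 0 <= v < 64 for v in values):
        raise ValueError("need 342 six-bit values")
    nibbles, prev = [], 0
    for v in values:
        nibbles.append(NIBBLE_TABLE[v ^ prev])   # store the XOR with the previous value
        prev = v
    nibbles.append(NIBBLE_TABLE[prev])           # checksum nibble: the last value itself
    return nibbles


def decode_sector(nibbles, verify=True):
    """343 disk nibbles -> 342 six-bit values, mirroring the RWTS read loop: a
    running XOR rebuilds each value and the last nibble must cancel it.
    verify=False skips that final compare, which is the effect the message
    describes for turning the SEC at $B942 into a CLC."""
    if len(nibbles) != 343:
        raise ValueError("need 343 nibbles")
    acc, values = 0, []
    for nib in nibbles[:342]:
        acc ^= DECODE[nib]          # a KeyError here is RWTS's illegal-nibble case
        values.append(acc)
    if verify and acc ^ DECODE[nibbles[342]] != 0:
        raise ValueError("checksum error")
    return values


def demo():
    """Round-trip a constructed sector, then alter one nibble and compare
    the checked and unchecked reads.  Returns (round_trip_ok, error_caught,
    index of the first wrong value in the unchecked read)."""
    values = [(i * 37 + 11) % 64 for i in range(342)]     # constructed payload
    good = encode_sector(values)
    round_trip = decode_sector(good) == values
    # Replace one data nibble with a different legal nibble, as a marginal
    # read or a non-standard encoding would.  The checksum catches it ...
    bad = list(good)
    bad[100] = NIBBLE_TABLE[(DECODE[bad[100]] + 1) % 64]
    try:
        decode_sector(bad)
        caught = False
    except ValueError:
        caught = True
    # ... but with the compare disabled the data comes back silently wrong,
    # and because the decode is a running XOR every value from that nibble on
    # is corrupted, not just the one byte.
    silent = decode_sector(bad, verify=False)
    first_bad = next(i for i, (s, v) in enumerate(zip(silent, values)) if s != v)
    return round_trip, caught, first_bad
```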

***************************************

LETTER FROM: AXE MAN
DATE MAILED: WED FEB 24  6:42:18 PM

MESSAGE #5: DOS LANGUAGE CARD TRICK


TO AVOID RE-LOADING THE LANGUAGE CARD
ON BOOTUP ( A MAJOR IRRITATION )
CHANGE THE FOLLOWING :
 
IN A 48K SYSTEM, CHANGE $BFCC TO 00 AND
$BFCF TO 00 : THIS WILL PREVENT THE
LANGUAGE CARD FROM BEING WRITTEN TO.
(INITIALIZE A DISKETTE WITH THIS DOS
 TO MAKE IT BOOT UP IN THIS FASHION)
 
(IF YOU LOOK AT THE CODE, YOU CAN MAKE
THE SAME MODS IN A COPY OF A SYSTEM
MASTER ON THE DISK ITSELF, SO A MASTER
CREATE WILL PUT THIS DOS ON A DISKETTE.
CHANGE THE CODE THAT SAYS LDA C081 WITH
LDA C000 -- THAT SHOULD WORK FINE).

 AXE MAN.

***************************************

MSG LEFT BY: DISK ZAPPER
DATE POSTED: THU FEB 25 10:47:09 PM

MESSAGE #6: >>>  D O S  T R I C K  <<<


GET INTO MONITOR FROM A NORMAL DISK.
TYPE:   400<A800.ABFFM
 
POOF THERE YOU HAVE ALL THE DOS COMMANDS.
NOTICE THAT ALL THE LETTERS IN THE
COMMAND ARE FLASHING BUT THE LAST ONE;
THAT IS TO TELL YOU WHERE THE COMMAND
ENDS. NOW NOTICE WHERE THE INIT,LOAD,
BLOAD,SAVE,BSAVE,CATALOG, ETC...
THEN BOOT SOMETHING LIKE BRAIN SURGEON
OR SOMETHING THAT HAS SOMETHING LIKE
A NORMAL FORMAT THEN TYPE THAT LINE
AND THEN YOU CAN SEE IF THEY CHANGED
ANY OF THE COMMANDS!
 
HAPPY ZAPPING!!!




Using Lockbuster ][ and about NMI


MSG LEFT BY: LOCK BUSTER

                          USING LOCKBUSTER ][
 
 
  IN SAVING THE CONTENTS OF A 48K MACHINE TO DISK, SEVERAL PROBLEMS ARISE:
 
  1)  IN ORDER TO GET CONTROL AWAY FROM A PROGRAM, THE RESET KEY MUST BE USED.
  WHEN RESET IS HIT, THO, ESSENTIAL PARTS OF MEMORY (PAGE ZERO, THE STACK, THE
  KEYBOARD BUFFER AND THE SCREEN) GET CLOBBERED.
 
  2)  TYPICALLY,  DOS  ISN'T IN THE MACHINE AND NEEDS TO BE  LOADED,  AND  THE
  PROCESS OF LOADING IN DOS WIPES OUT MORE PARTS OF MEMORY.
 
  3) ONCE DOS IS LOADED, IT WON'T ALLOW BSAVES LONGER THAN $7FFF BYTES
 
  LOCKBUSTER ][ ADDRESSES THE FIRST PROBLEM.  THE CONTENTS OF PAGES 0  THRU  7
  (LOCATIONS  $0-$7FF) ARE MOVED UP TO $800-$FFF BEFORE ANYTHING ELSE IS  DONE.
  THIS  PRESERVES  A COPY OF EVERYTHING WHICH NORMALLY GETS WIPED OUT (BUT  OF
  COURSE DESTROYS WHATEVER WAS IN $800-$FFF).
 
  SAVING  THE ENTIRE CONTENTS OF MEMORY (WORST CASE!) IS A MULTI-STEP PROCESS,
  SINCE  NO MATTER WHAT YOU DO, SOMETHING'S GONNA GET WIPED OUT.  THE  PROCESS
  DESCRIBED  HERE  WILL  SAVE OUT FOUR CHUNKS OF MEMORY TO THE  DISK.    THESE
  CHUNKS RESIDE IN THE FOLLOWING RANGES:
       $0000-$07FF
       $0800-$08FF
       $0900-$97FF
       $9800-$BFFF
 
  IN  ORDER TO SAVE OUT 48K, YOU'LL NEED AN OLD MONITOR ROM (NOT THE AUTOSTART
  ROM),  LOCKBUSTER, AND A 48K SLAVE DISK.  THE WORST-CASE PROCEDURE FOR SAVING
  48K  FOLLOWS  (YOU'LL  SELDOM NEED TO SAVE ALL 48K, BUT THIS  IS  THE  'FULL
  BLOWN' PROCEDURE):
 
  1)  INITIALIZE  A 48K SLAVE DISK TO BE USED TO SAVE THE CONTENTS OF  MEMORY.
  IT  CANNOT  BE  A MASTER DISK (SEE DOS MANUAL FOR DETAILS), SINCE  A  MASTER
  WIPES  OUT  MEMORY  IN THE RANGE $1B00-$3FFF, WHILE A SLAVE DOES NOT.    THE
  SLAVE  STILL WIPES OUT MEMORY $0-8FF AND $9800-$BFFF, BUT WE CAN WORK AROUND
  THAT.
 
  2)  INSTALL THE LOCKBUSTER ROM IN PLACE OF THE MONITOR ROM (TURN THE MACHINE
  OFF, FIRST, THO!).
 
  3) FILL MEMORY WITH WHATEVER YOU WANT TO SAVE.
 
  4)  WHEN MEMORY IS FULL, HIT RESET, AND YOU'LL FIND YOURSELF IN THE MONITOR,
  WITH THE ASTERISK (*) PROMPT.  ENTER
       1800<800.FFFM
  TO MOVE THE OLD CONTENTS OF $0-7FF UP TO WHERE THEY WON'T GET WIPED OUT WHEN
  YOU BOOT YOUR SLAVE DISK.
 
  5) BOOT THE SLAVE DISK (6 CTRL/P), AND ENTER
       BSAVE CHUNK0-7FF,A$1800,L$800
 
  6)  POWER  THE MACHINE DOWN AND REPLACE LOCKBUSTER WITH THE OLD MONITOR  ROM
  (YOU'RE DONE WITH LOCKBUSTER FOR NOW).
 
  7) REFILL MEMORY WITH WHAT YOU WANT TO SAVE
 
  8) HIT RESET, AND ENTER:
       1800<800.8FFM
 
  9) BOOT THE SLAVE DISKETTE AND ENTER:
       BSAVE CHUNK800-8FF,A$1800,L$100
 
  10) FILL MEMORY (AGAIN), HIT RESET, BOOT THE SLAVE DISKETTE, AND ENTER:
       CALL -151
       A964:FF         (THIS LETS YOU BSAVE FILES LONGER THAN 32K)
       3D0G
       BSAVE CHUNK900-97FF,A$900,L$8F00
 
  11) FILL MEMORY (LAST TIME!), HIT RESET, AND ENTER:
       1800<9800.BFFFM
 
  12) BOOT THE SLAVE DISKETTE, AND ENTER:
       BSAVE CHUNK9800-BFFF,A$1800,L$2800
 
  NOTE:  SOME PROGRAMS CHECK TO SEE THAT THE MONITOR ROM ISN'T SOMETHING FUNNY
  (LIKE  LOCKBUSTER), AND WHEN THEY SEE SOMETHING  THEY DON'T LIKE, REBOOT THE
  DISK.   ONE DANGEROUS WAY AROUND THIS PROBLEM IS TO LEAVE THE MONITOR ROM IN
  THE  MACHINE  WHILE THE PROGRAM IS LOADING, THEN HOLD DOWN RESET  WHILE  YOU
  SWITCH  TO  THE  LOCKBUSTER  ROM, THEN RELEASE AND REHIT  RESET.    I  DON'T
  RECOMMEND THIS, ALTHO I DO IT ALL THE TIME.
 
  NOW  THAT  MEMORY IS SAVED, THE SLEUTHING BEGINS... YOU'LL NEED TO FIND  THE
  STARTING ADDRESS (A GOOD PLACE TO START IS $800, OR LOOK AT THE OLD CONTENTS
  OF  $3F2-3F3, WHICH CONTAIN THE RESET VECTOR USED BY THE AUTOSTART ROM),  AS
  WELL  AS FIGURE OUT WHAT PARTS OF MEMORY AREN'T BEING USED. A GOOD WAY TO DO
  THE  LATTER  IS  TO  FILL MEMORY WITH A GIVEN BYTE (LIKE FF),  LOAD  IN  THE
  PROGRAM, HIT RESET, AND SEE WHAT PAGES STILL HAVE FF IN THEM.
 
  AFTER  ALL  THAT  GETS  SORTED OUT (THE FIRST TIME, IT  WILL  PROBABLY  TAKE
  SEVERAL  HOURS, OR EVEN DAYS, BUT THE SECOND TIME IT GOES MUCH QUICKER), THE
  PROBLEM  REMAINS OF HOW TO LOAD IT BACK IN.  MANY TIMES THIS CAN BE DONE  BY
  SHUFFLING  THE CHUNKS AROUND IN MEMORY SO THEY FIT IN THE 'SAFE' MEMORY AREA
  $800-95FF,  WHERE  THEY  CAN  THEN BE BSAVED AS ONE LARGE CHUNK.    A  SMALL
  ROUTINE  SHOULD  THEN BE ADDED TO PUT THINGS BACK WHERE THEY SHOULD BE,  AND
  JUMP TO THE STARTING ADDRESS.
 
  ALL  IN ALL, THIS IS AN INVOLVED PROCESS, BUT IT DOES BECOME ROUTINE AFTER A
  FEW TIMES.  A DETAILED EXPLANATION OF ALL THE STEPS COULDN'T POSSIBLY BE FIT
  ON  THESE  FEW PAGES, AND REALLY WOULDN'T TEACH YOU MUCH ANYWAY,  SINCE  THE
  ONLY  WAY  TO LEARN HOW TO DO IT IS TO DO IT, FIGURING THINGS OUT AS YOU  GO
  ALONG.
 
  SOME HANDY TOOLS TO HAVE ARE:
 
        'THE DOS 3.3 MANUAL', PUBLISHED BY APPLE COMPUTER TELLS YOU HOW TO USE
  DOS,  AS  WELL  AS  HOW TO USE THE RWTS ROUTINE, HOW  THE  CONTENTS  OF  THE
  CATALOG,  VTOC,  TRACK/SECTOR LISTS, AND DIFFERENT FILE TYPES ARE  ARRANGED.
  DOESN'T  DELVE TOO DEEPLY INTO THE INTERNAL WORKINGS OF DOS, FOR THAT YOU'LL
  NEED....
 
       'BENEATH APPLE DOS' BY WORTH AND LECHNER, PUBLISHED BY QUALITY SOFTWARE
  GIVES  A  DETAILED  DESCRIPTION OF WHAT GOES ON INSIDE DOS.  IF  SOMEONE  WAS
  REALLY  AMBITIOUS,  THE COMMENTS THEY GIVE ABOUT EACH DOS ROUTINE  COULD  BE
  PLACED IN A DISASSEMBLY OF DOS.
 
         A PROGRAM TO SEARCH MEMORY FOR BYTES AND STRINGS, AND WHICH  DISPLAYS
  MEMORY  IN HEX AND ASCII. SEVERAL COMPANIES OFFER PROGRAMS TO DO THIS, BUT A
  QUICK-AND-DIRTY ONE WOULDN'T TAKE VERY LONG TO WRITE.
 
***************************************

MSG LEFT BY: LONG JOHN SILVER

               HI HO

       THIS IS LONG JOHN SILVER

 WITH A NEW CRACKING METHOD. IT INVOLVES
THAT LITTLE USED FUNCTION IN THE APPLE
CALLED INTERRUPTS, SPECIFICALLY THE NMI
(NON MASKABLE INTERRUPT). NON MASKABLE IS
WHAT IT SOUNDS LIKE, THERE IS NO WAY TO
PREVENT ONE FROM SOFTWARE SO THAT ANY
PROGRAM NO MATTER WHAT IT IS CAN BE
STOPPED AND FORCED TO JMP TO THE ADDR
AT $FFFA. NOW I KNOW A LOT OF YOU OUT
THERE ARE SAYING SO WHAT, THAT'S JUST WHAT
A RESET DOES. WELL THERE IS ONE BIG
DIFFERENCE, WHEN YOU GENERATE AN
INTERRUPT THE 6502 SHOVES THE PROGRAM
COUNTER AND THE STATUS REG. ONTO THE
STACK. SO IF YOU HAVE A RAM CARD YOU
WRITE A LITTLE ROUTINE TO GRAB ALL THAT
MEMORY FROM $0000 TO $0800 AND SHOVE IT
INTO THE RAM CARD ALONG WITH A,X,Y
REGS,SP WITHOUT ALTERING THE STACK.THEN
PUT THE ADDR OF THIS ROUTINE AT $FFFA
MAKING SURE THAT THIS PROGRAM WILL NOT
GET RUN OVER BY THE MEMORY YOU'RE MOVING.
THEN BOOT UP THE PROTECTED DISK AND AT
A GOOD TIME SEND A NMI ON THE BUS.
 NOW COMES THE GRUESOME PART THAT YOU
HAVE TO DO DIFFERENTLY FOR EVERY DISK
YOU BREAK. YOU MUST SOMEHOW BREAK DOWN
THE ENTIRE CONTENTS OF MEMORY AT THE
TIME THE PROGRAM WAS RUNNING AND PUT IT
ON DISK SO THAT IT CAN BE LOADED.THEN
YOU HAVE TO WRITE SOME SPECIAL MOVE
SUBROUTS TO MOVE EVERYTHING BACK INTO
ITS CORRECT PLACE WITHOUT MESSING UP
THE STACK THEN ADD SOME LINES TO RESTORE
A,X,Y REGS,SP AND PUT A 'RTI' OPCODE
AT THE END. RTI STANDS FOR, YES YOU
GUESSED IT, RETURN FROM INTERRUPT, IT
RESTORES THE STATUS REG FROM THE STACK
AND DOES AN RTS WHICH CAUSES A RETURN
TO THE POINT WHERE THE PROGRAM STOPPED.
THE ADVANTAGE OF USING THE NMI OVER THE
RESET IS THAT YOU DON'T HAVE TO FIGURE
OUT THE STARTING ADDR OF THE CRACKED
CODE TO BREAK IT.

 THE USE OF THE NMI HAS THE SAME LIMITS
AS ANY 'GRAB IT FROM MEMORY' TYPE OF
CRACKING WHERE YOU DON'T KNOW WHAT'S CODE,
WHAT'S DATA AND WHAT'S GARBAGE. MANY
TIMES YOU MAY RUN INTO A PROBLEM OF NOT
BEING ABLE TO LOAD THE ENTIRE PROGRAM
USING DOS WHEN THE PROGRAM IS TOO BIG.

 TO GENERATE A NMI OBTAIN A 100-OHM OR
NEAR 100-OHM RESISTOR AND CONNECT PIN 29
TO PIN 26 ON ANY SLOT USING THE RESISTOR
( A DIAGRAM OF WHICH PIN IS WHICH CAN
    BE FOUND ON PAGE 106 OF THE
    APPLE II REFERENCE MANUAL )



 EXAMPLE OF CODE NEEDED :
--------------------------------

MONITOR   EQU $FF59
          ORG $D000
          OBJ $8000
*
*   SELECT WRITE TO RAM CARD
*     WITHOUT CHANGING ANY REGS
*
          BIT $C083
          BIT $C083
*
*   SAVE ACC,X,Y IN RAM CARD
*
          STA $E800
          STX $E801
          STY $E802
*
*   SET UP STARTING ADDR OF MOVE
*
          LDA #0
          STA LOAD+1
          STA LOAD+2
          STA STORE+1
          LDA #$E0
          STA STORE+2
LOAD      LDA $FFFF
STORE     STA $E000
          INC LOAD+1
          INC STORE+1
          BNE LOAD
          INC LOAD+2
          INC STORE+2
          LDA LOAD+2
          CMP #$08
          BNE LOAD
*
*   WRITE PROTECT RAM CARD
*
          LDA $C080
*
*   EXIT THROUGH THE MONITOR
*
          JMP MONITOR

***************************************

MSG LEFT BY: LONG JOHN SILVER

 THE CODE GIVEN DOES NOT SAVE THE
STACK POINTER. TO DO SO, ADD THESE
LINES AFTER THE LINE THAT IS
 
          STY $E802
 
 NEW CODE :
---------------
 
          TSX
          STX $E803




Mr Xerox cracking tips I : Apple Galaxian


***************************************
***   MR. XEROX CRACKING TIPS I     ***
**    BOOT TRACE CRACKING            **
**    CRACKING APPLE GALAXIAN        **
***                                 ***
***************************************

NOTE: I CHOSE APPLE GALAXIAN HERE BECAUSE
      IT IS A WIDELY DISTRIBUTED PROGRAM,
      AND IT ENCOMPASSES THE BASIC IDEA
      OF BOOT TRACE CRACKING.
      FOR ALL THOSE INTERESTED PIRATES OUT THERE,
      YES THERE IS ANOTHER WAY TO CRACK PROGRAMS.
YOU DON'T NEED ANY RAM-CARDS, PROM BURNERS, OR FOREIGN-TO-REGULAR-DOS PROGRAMS; ANYBODY WHO IS NOT A CLOWN, WITH SOME MACHINE LANGUAGE PROGRAMMING ABILITY, CAN TRACE A BOOT. THIS METHOD OF CRACKING, TRACING THE BOOT, IS IN A TRUE SENSE CRACKING THE CODE. YOU SEE, ALL DISKS MUST FIRST BOOT UP TO START RUNNING. AFTER THE FIRST STAGE BOOT (AT LOCATION $C600), THEY JUMP TO A SECOND STAGE BOOT PROGRAM (AT $800), AND THEN TO A THIRD, AND SOME EVEN A FOURTH, BUT THERE COMES A POINT WHERE THE LOADING OF THE PROGRAM FROM DISK STOPS, AND THE RUNNING OF THE PROGRAM BEGINS. IF YOU CAN TRACE THIS, AND STOP IT AFTER IT IS FINISHED LOADING, AND SAVE ALL THE MEMORY LOCATIONS THAT CONTAIN THE PROGRAM ONTO A NORMAL 3.3 DISK, YOU HAVE CRACKED THE PROGRAM. THIS METHOD IS MOST USEFUL FOR CRACKING THE "SINGLE-SHOT" BOOTING PROGRAMS SUCH AS APPLE PANIC, RASTER BLASTER, AND GORGON. THESE DISKS DON'T CONTAIN ANY STANDARD DOS, BUT RATHER THEIR OWN. THIS DOS HAS JUST ONE PURPOSE, AND THAT IS TO LOAD THE PROGRAM INTO THE COMPUTER, FROM THE DISK, AND START ITS EXECUTION. NOW, THIS IS NOT AS SIMPLE AS IT SOUNDS, AS THE SOFTWARE PROTECTORS ARE NOT DUMB; THEY TRY TO MAKE IT TOUGH FOR YOU TO TRACE. HOWEVER, IT IS NOT IMPOSSIBLE, SINCE THE DISK MUST BOOT UP, AND SINCE IT MUST HAVE SOME BOOTING PROCESS, THAT IS TRACEABLE.
     LET ME TRY AND SHOW YOU AN EXAMPLE OF HOW TO TRACE A BOOT OF A PROGRAM. LET ME SHOW YOU HOW TO TRACE APPLE GALAXIAN. THE FIRST STAGE BOOT STARTS AT $C600. IF YOU TURN YOUR APPLE ON, AND TYPE "CALL-151 (RETURN)" AND "C600G (RETURN)", THE DISK WILL PROCEED TO START AND BOOT THE DISK IN THE DRIVE. THIS IS BECAUSE $C600 CONTAINS THE PROGRAM FOR THE DISK TO BOOT FIRST. IF YOU EXAMINE THIS PROGRAM BY TYPING "CALL-151 (RETURN)", AND "C600LLLLLLL (RETURN)", YOU WILL SOON COME ACROSS A JMP $801, NEAR THE END, SPECIFICALLY AT $C6F8. THIS IS THE LINK TO THE NEXT STAGE OF THE BOOT. WHAT WE MUST DO IS ALLOW THE FIRST STAGE TO LOAD IN AT $800, BUT INSTEAD OF LETTING IT RUN (CONTINUE TO BOOT, AND GO TO $800), STOP THE COMPUTER, AND EXAMINE WHAT IS AT $800. TO DO THIS LET'S MOVE $C600 DOWN TO $9600. TYPE "CALL-151 (RETURN)" AND "9600<C600.C700M (RETURN)"; THIS MOVES C600 DOWN FOR YOU. THEN TYPE "96F8:4C 59 FF (RETURN)"; THIS WILL, INSTEAD OF HAVING THE BOOT GO TO $800, MAKE IT JUMP TO $FF59 (THE RESET LOCATION). THEN TYPE "9600G". YOUR DISK SHOULD BOOT UP FOR A SECOND OR SO, AND THEN YOU SHOULD HEAR A BELL, AND THE MONITOR CURSOR WILL APPEAR AT THE BOTTOM OF THE SCREEN. THE NEXT STEP IS TO EXAMINE THE BOOT AT LOCATION $800. IF YOU LOOK AT THIS BY TYPING "800L (RETURN)" YOU WILL SEE THE SECOND STAGE BOOT OF APPLE GALAXIAN. BY TYPING "800LLLLLLL (RETURN)", YOU CAN SEE WHAT GOES ON NEXT IN THE BOOT STEP. WHAT HAPPENS NEXT IS THAT IT TAKES THE MEMORY THAT IS STORED AT $800, AND MOVES IT DOWN TO $200, AND SOME OTHER STUFF, LIKE LOADING THE NEXT STAGE OF THE BOOT, AND THEN, IF YOU LOOK AT LOCATION $841, YOU WILL SEE A JUMP TO $301. THIS IS THE NEXT STAGE IN THE BOOT. SO, WE MUST MOVE WHAT IS IN MEMORY UP, OUT OF $800, BECAUSE THE NEXT TIME WE BOOT THE DISK, THE LOCATIONS AT $800 WILL BE CHANGED, SO TYPE "9800<800.900M (RETURN)", AND THAT WILL DO THE MOVE.
THE NEXT THING TO DO IS TO CHANGE WHAT IS AT $9800, THE STUFF WE JUST MOVED UP, SO THAT IT WILL RUN AT $9800, INSTEAD OF ITS NORMAL LOCATION OF $800. TO DO THIS, TYPE "9803:BD 0 98 (RETURN)" AND "9841:4C 01 93 (RETURN)". THEN TYPE "9301:4C 59 FF", BECAUSE WE CHANGED IT TO RUN AT $9800, AND ALSO CHANGED IT TO STOP AFTER DOING THIS INSTEAD OF JUMPING TO THE NEXT BOOT STAGE, AT $300. WE TOLD IT TO JUMP TO $9300, AND AT $9300, WE PUT A JMP $FF59 (JUMP TO RESET). AND FINALLY, CHANGE THE JMP AT $96F8 FROM $FF59 TO $9801 BY TYPING "96F8:4C 01 98". NOW AGAIN TYPE "9600G".
     THIS TIME, WE ARE ONE STAGE FARTHER. IF YOU NOW MOVE THE STUFF AT $300 UP TO $9300, AND CHANGE IT TO WORK AT $9300 BY TYPING "9300<300.400M (RETURN)" AND "9313:AD CC 93 (RETURN)", AND "933C:AD CC 93 (RETURN)", THIS WILL BE COMPLETED. BUT NOW, THERE IS A PROBLEM. THE JUMP OUT IS AT $9343, AND IT JUMPS NOT TO THE NEXT STAGE IMMEDIATELY, BUT TO A CERTAIN NUMBER OF SUBROUTINES, AND AFTER THEM, THROUGH THE SAME JUMP, JUMPS TO THE NEXT STAGE. HOW DO WE GET AROUND THAT, YOU ASK? THE ANSWER IS TO WRITE A PROGRAM THAT CHECKS TO SEE WHERE IT IS JUMPING TO, AND IF IT IS NOT JUMPING TO WHERE IT NORMALLY JUMPS TO, THEN STOP, BECAUSE WE KNOW THAT THE NEXT JUMP IS NOT TO A SUBROUTINE, BUT TO THE NEXT STAGE OF THE BOOT. THIS MAY SOUND COMPLICATED, BUT JUST TYPE THIS ROUTINE IN AT $9400, "9400:A5 3E C9 5D D0 03 6C 3E 00 4C 59 FF", AND "9343:4C 00 94 (RETURN)". THAT WILL TAKE CARE OF THIS STAGE. NOW CHECK TO SEE THAT YOU HAVE TYPED IN EVERYTHING CORRECTLY, AND THEN TYPE "9600G", TO RESTART THE BOOT.
     NOW, THE DISK SPINS FOR A LITTLE WHILE LONGER, AND THEN IT STOPS. WE HAVE COME TO THE LAST STEP OF THIS BOOT PROCESS. THIS STEP LOADS THE PROGRAM IN FROM DISK, AND THEN JUMPS TO THE BEGINNING OF IT. BY TYPING "93CC (RETURN)", THE COMPUTER WILL DISPLAY THE PAGE-1 OF THE NEXT STAGE BOOT. IT WILL DISPLAY "B6", AND YOU ADD ONE TO IT, AND GET $B7, SO TYPE "B700L". AND PRESTO, WE HAVE THE NEXT STAGE OF THIS BOOT. THIS BOOT FROM HERE DOES THE PROGRAM LOADING, ALONG WITH TURNING ON THE GRAPHICS, AND JUMPS TO THE BEGINNING OF IT. IF YOU CAN SEE IT, THE BEGINNING OF IT IS AT $600, AND THERE IS A JUMP TO $600 AT LOCATION $B759. SO, ALL WE HAVE TO DO IS TO HAVE IT DO ALL THE LOADING, AND INSTEAD OF HAVING IT JUMP TO $600, STOP IT THERE. BUT THERE IS A PROBLEM CONNECTED WITH THIS (AREN'T THERE ALWAYS!). THE PROBLEM IS THAT IF WE STOP IT HERE, LOCATION $600 IS IN TEXT VIDEO MEMORY, SO WE MUST NOT HAVE IT JUMP TO $FF59 (STOP), BUT JUMP TO A ROUTINE THAT RELOCATES EVERYTHING FROM $0000-$0800, AND THEN STOP. I WILL PROVIDE YOU WITH THIS. JUST TYPE "B500:A2 00 B5 00 9D 00 20 BD 00 01 9D 00 21 BD 00 02 9D 00 22 BD 00 03 9D 00 23 BD 00 04 9D 00 24 BD 00 05 9D 00 25 BD 00 06 9D 00 26 BD 00 07 9D 00 27 E8 D0 CE 4C 59 FF (RETURN)". THIS WILL TAKE CARE OF MOVING EVERYTHING FROM $0-$800 TO $2000-$2800. BUT NOW CHANGE $B759 TO JUMP TO THIS SMALL PROGRAM BY TYPING "B759:4C 00 B5". BUT WE ALSO HAVE TO CHANGE SOME OTHER LOCATIONS. LOCATION $93CC MUST BE CHANGED TO $D6, SO TYPE "93CC:D6 (RETURN)", AND INSTEAD OF JUMPING TO $FF59 AT $8409, AND STOPPING AT THAT STAGE OF THE BOOT, JUMP TO THE BEGINNING OF THIS BOOT AT $B700, BY TYPING "9409:4C 00 B7 (RETURN)". THAT TAKES CARE OF MOST ALL PREPARATIONS FOR THE FINAL CRACK. NOW CHECK TO SEE THAT YOU HAVE TYPED IN EVERYTHING CORRECTLY, AND IF YOU ARE READY, TYPE "9600G".
     IF EVERYTHING WORKED CORRECTLY, IT SHOULD BOOT UP FOR ABOUT 10 SECONDS, AND YOU SHOULD SEE THE HI-RES PICTURE LOADING IN, AND THEN YOUR SPEAKER SHOULD BEEP, AND YOU SHOULD SEE, ON THE SCREEN A BUNCH OF LETTERS. IF THIS DIDN'T HAPPEN, CHECK ALL THESE STEPS, AND REPEAT THE PROCESS. IF IT HAS, THEN YOU ARE JUST ABOUT FINISHED. IF YOU WANT TO CHECK TO SEE IF IT HAS WORKED, ASSEMBLE THIS PROGRAM, AND TYPE IT IN AT $B560, IF NOT, GO ON TO THE NEXT STEP.

      OBJ $B560
BEGIN LDX #$00
AGAIN LDA $2000,X
      STA $00,X
      LDA $2100,X
      STA $100,X
      LDA $2200,X
      STA $200,X
      LDA $2300,X
      STA $300,X
      LDA $2400,X
      STA $400,X
      LDA $2500,X
      STA $500,X
      LDA $2600,X
      STA $600,X
      LDA $2700,X
      STA $700,X
      INX
      BNE AGAIN    ;LOOP
      JMP $0600    ;BEGINNING OF PGM NOW

BOOT UP A NORMAL DOS DISK, AND SAVE EVERYTHING FROM $2000-$2800, WHICH REPRESENTS LOCATIONS $0-$8 MOVED UP BY $2000. YOU SHOULD THEN REPEAT THE WHOLE BOOT TRACE, AND PROCEED TO THE NEXT STEP. EXAMINE THE MEMORY OF YOUR APPLE; YOU SHOULD SAVE ALL THE INFORMATION FROM $800-$A000 ON A NORMAL DOS DISK, THEN LINK THE FILES THAT YOU HAVE SAVED ON THE DOS DISK TOGETHER, AND MAKE THE FILE A BRUN-ABLE FILE, THAT LOADS EVERYTHING IN, AND MOVES THE $00-$800 IMAGE BACK DOWN IN MEMORY, AND THEN JUMPS TO LOCATION $600, THE BEGINNING OF THE PROGRAM.
     IF YOU HAVE ANY QUESTIONS ON THIS, YOU MAY MAIL THEM TO ME. ALSO, I HAVE RECENTLY CRACKED MANY GOOD PROGRAMS SUCH AS STAR BLAZER, TWERPS, SNAKE BYTE, GUARDIAN, FOOSBALL, DUNG BEETLES, AND LOCKSMITH 4.1. IF YOU ARE IN NEED OF ANY OF THESE, LEAVE ME MAIL ON THIS BOARD. LOOK FOR SOME NEW ARTICLES SOON, ON HOW TO CRACK OTHER PROGRAMS, AND UNTIL THEN KEEP ON CRACKING!
IF ANY OF YOU ARE UNFAMILIAR WITH HOW TO SAVE EVERYTHING, AND YOU NEED SOME HELP, HERE IS HOW TO DO IT:
 FOLLOW THE DIRECTIONS FOR TRACING THE BOOT, AND TYPE "2800<9600.A000M (RETURN)" AND "3200<800.900M (RETURN)". ALSO, WE NEED A PROGRAM TO MOVE EVERYTHING THAT WE JUST RELOCATED BACK INTO THEIR ORIGINAL LOCATIONS. SO WE NEED A PROGRAM LIKE THIS:

      ORG $3400
      LDX #$00
LOOP1 LDA $2000,X
      STA $00,X
      LDA $2100,X
      STA $100,X
      LDA $2200,X
      STA $200,X
      LDA $2300,X
      STA $300,X
      LDA $2400,X
      STA $400,X
      LDA $2500,X
      STA $500,X
      LDA $2600,X
      STA $600,X
      LDA $2700,X
      STA $700,X
      NOP
      LDA $3200,X
      STA $800,X
      LDA $3300,X
      STA $900,X
      NOP
      LDA $2800,X
      STA $9600,X
      LDA $2900,X
      STA $9700,X
      LDA $2A00,X
      STA $9800,X
      LDA $2B00,X
      STA $9900,X
      LDA $2C00,X
      STA $9A00,X
      LDA $2D00,X
      STA $9B00,X
      LDA $2E00,X
      STA $9C00,X
      LDA $2F00,X
      STA $9D00,X
      LDA $3000,X
      STA $9E00,X
      LDA $3100,X
      STA $9F00,X
      NOP
      INX
      BNE LOOP1
      LDA $C057
      LDA $C054
      LDA $C052
      LDA $C050    ;GRAPHICS
      JMP $600     ;BGN OF PGM.

THIS TIME, I WILL ASSEMBLE IT FOR YOU, ALL YOU HAVE TO DO IS TYPE "3400:A2 0 BD 00 20 95 00 BD 00 21 9D 00 01 BD 00 22 9D 00 02 BD 00 23 9D 0 03 BD 00 24 9D 0 4 BD 0 25 9D 0 5 BD 0 26 9D 0 6 BD 0 27 9D 0 7 EA (RETURN)" AND "3432:BD 0 32 9D 0 8 BD 0 33 9D 0 9 EA (RETURN)" AND "343F:BD 0 28 9D 0 96 BD 0 29 9D 0 97 BD 0 2A 9D 0 98 BD 0 2B 9D 0 99 BD 00 2C 9D 0 9A BD 0 2D 9D 0 9B BD 0 2E 9D 0 9C BD 0 2F 9D 0 9D BD 0 30 9D 0 9E BD 0 31 9D 0 9F (RETURN)" AND "347B:E8 D0 84 EA AD 57 C0 AD 54 C0 AD 52 C0 AD 50 C0 EA 4C 00 06 (RETURN)". THIS WILL TAKE CARE OF THE SMALL PROGRAM THAT WE NEED TO MOVE EVERYTHING BACK. BUT WE ALSO NEED TO PUT A JMP $3400 IN THE BEGINNING, BECAUSE WHEN IT BRUNS, IT MUST JUMP TO THIS SMALL PROGRAM FIRST. NOW YOU CAN BOOT UP YOUR 3.3 DISK, AND TYPE "CALL-151 (RETURN)", "9FD:4C 00 34 (RETURN)", "A964:FF (RETURN)", AND "BSAVE GALAXIAN,A$9FD,L$8C03 (RETURN)", AND NOW YOU ARE FINISHED.




Mr Xerox cracking tips II : Space Raiders


***************************************
***  MR. XEROX'S CRACKING TIPS II   ***
**     CRACKING SPACE RAIDERS        **
**      BOOT-TRACE  CRACKING         **
***                                 ***
***************************************


     SPACE RAIDERS, BY PAUL LUTUS OF USA, IS A PRETTY CRUMMY GAME IN MY OPINION, BUT IT IS VERY EASY TO CRACK. ITS BOOT CONTAINS ONLY ONE STAGE, AND THE PROTECTION AGAINST CRACKING IT IS MINIMAL. IT SHOULD GIVE YOU ANOTHER BASIC EXAMPLE OF HOW TO "BOOT TRACE" CRACK PROGRAMS.

     IF YOU REMEMBER FROM THE LAST CRACKING TIPS ARTICLE, THE FIRST STAGE BOOT IS AT $C600. AT $C6F8, THE BOOT PROCEEDS TO $801, THE NEXT STAGE OF THE BOOT. SO, WHAT WE MUST DO IS HAVE IT LOAD THE SECOND STAGE BOOT IN, STOP, AND THEN EXAMINE IT FOR THE JUMP TO THE NEXT STAGE, OR THE START OF THE PROGRAM. LET'S START BY MOVING THE BOOT FROM $C600 DOWN IN MEMORY TO $9600. TO DO THIS TYPE "9600<C600.C700M (RETURN)"; THIS WILL DO THE MOVE, AND NOW WE MUST HAVE IT STOP THERE INSTEAD OF GOING ON TO $801, SO TYPE "96F8:4C 59 FF (RETURN)". NOW WE ARE READY TO INITIATE THE FIRST STAGE OF THE BOOT, AND WE DO SO BY TYPING "9600G (RETURN)". THE DRIVE SHOULD GO FOR A SPLIT SECOND, AND THEN THE MONITOR CURSOR SHOULD APPEAR IN THE LOWER LEFT CORNER OF THE SCREEN. IF THIS HAS NOT HAPPENED, REPEAT THESE STEPS. NOW WE CAN EXAMINE THE NEXT STAGE OF THE BOOT.

     TYPE "801LLL" TO SEE THE NEXT STAGE OF THE BOOT. IF YOU EXAMINE IT, AND TRACE IT IN YOUR BRAIN (REMEMBER YOU HAVE ONE, NOT LIKE SOME BOZOS), SOON YOU WILL SEE A JMP $4000, AND THAT IS THE END OF THIS BOOT. AFTER IT LOADS EVERYTHING IN, IT THEN JUMPS TO THE STUFF IT HAS JUST LOADED IN, WHICH IS AT $4000. $4000 JUST HAPPENS TO BE THE BEGINNING OF THE PROGRAM. SO NOW THAT WE HAVE THIS STAGE IN, WE MUST MOVE IT UP IN MEMORY, AND CHANGE ITS JMP FROM $4000 TO $FF59, TO STOP IT THERE, AND ALLOW US TO SAVE EVERYTHING ONTO A NORMAL 3.3 DISK. YOU CAN DO THAT BY TYPING "9800<800.900M (RETURN)", AND "9885:4C 59 FF (RETURN)" AND "96F8:4C 01 98 (RETURN)". THEN, REBOOT THE DISK BY TYPING "9600G".

     NOW, WHEN THE MONITOR CURSOR APPEARS AT THE BOTTOM OF THE SCREEN AGAIN, WE KNOW THAT THE BOOT IS FINISHED. YOU CAN CHECK TO SEE IF THE PROGRAM RUNS BY NOW TYPING "4000G". BUT WAIT, WHAT HAPPENED? THE SCREEN FILLED UP WITH A BUNCH OF INVERSE '@'S. THIS IS THEIR PROTECTION FROM LETTING YOU STOP IT, AND THEN TYPING "4000G". YOU SEE, AT LOCATION $9885, WHERE WE HAD THE JUMP TO $FF59, THE RESET LOCATION, THE BOOT PROCEEDED TO JUMP TO THAT LOCATION IN ROM. BUT IN THAT PROGRAM IN ROM, THE VALUES OF CERTAIN ZERO PAGE LOCATIONS WERE CHANGED. ONE OF THE LOCATIONS THAT IT CHANGED WAS LOCATION $21. IF YOU LOOK AT THE SECOND STAGE BOOT AGAIN, AND LOOK AT THE TWO COMMANDS JUST BEFORE THE JUMP TO $FF59, YOU WILL SEE SOMETHING LIKE:
     LDA #$26
     STA $21
     JMP $FF59
CAN YOU SEE THAT IF YOU REPEAT THE WHOLE BOOT THAT I JUST EXPLAINED, AND INSTEAD OF TESTING IT IMMEDIATELY BY TYPING "4000G (RETURN)", TYPE "21:26 (RETURN)", AND THEN "4000G", IT WILL RUN. IF YOU HAVE NOT TESTED IT, THEN YOU HAVE MY GUARANTEE THAT IT WILL. YOU SEE, SOMEWHERE IN THE PROGRAM THAT STARTS AT $4000, IT CHECKS TO SEE IF THERE IS A #$26 IN LOCATION $21; IF THERE IS NOT, THEN IT WILL CRAP OUT, IF THERE IS THEN IT WILL RUN.
     NOW WE ARE JUST ABOUT FINISHED, WE JUST NEED A SMALL PROGRAM THAT WILL GO BEFORE THE PROGRAM AT $4000, THAT WILL PUT A #$26 INTO LOCATION $21. SO TYPE "3FF0:A9 26 85 21 4C 00 40 (RETURN)". THIS SMALL PROGRAM LOOKS LIKE:

     LDA #$26
     STA $21
     JMP $4000
THEN BOOT UP A NORMAL DISK, AND DO A BSAVE LIKE THIS - "BSAVE SPACE RAIDERS,A$3FF0,L$4100", AND YOU WILL BE FINISHED.




Mr Xerox cracking tips III : Bug Attack


***************************************
***  MR. XEROX'S CRACKING TIPS III  ***
**   BOOT TRACE CRACKING             **
**   CRACKING BUG ATTACK             **
**   AND DEFEATING A NIBBLE COUNT    **
***                                 ***
***************************************

   IF YOU HAVE READ MY LAST TWO ARTICLES, YOU SHOULD BE AT LEAST FAMILIAR WITH HOW TO "BOOT-TRACE" CRACK PROGRAMS. IF YOU HAVE NOT READ EITHER, THEN YOU WILL BE COMPLETELY LOST IN THIS ONE, SO GET A HOLD OF ONE OF THEM, AND STUDY IT BEFORE PROCEEDING WITH THIS ONE. APPLE GALAXIAN AND SPACE RAIDERS WERE FAIRLY EASY TO CRACK, BUT NOW COME THE TOUGHER ONES. THE PROTECTORS CAN MAKE THINGS COMPLICATED BY ADDING NIBBLE COUNTS TO THE SOFTWARE. IF ANY OF YOU ARE NOT FAMILIAR WITH WHAT A NIBBLE COUNT IS, IT IS A CERTAIN TRACK THAT CONTAINS A SPECIFIC AMOUNT OF A CERTAIN BYTE. THE PROGRAM THAT IS PROTECTED ON THE DISK, SOMETIME DURING ITS RUN, GOES BACK TO DISK TO READ ALL OF THESE NIBBLES BACK. IF THE PROGRAM DOESN'T FIND THESE BYTES, OR THE RIGHT NUMBER OF THEM, IT WILL CRAP OUT. BUG ATTACK IS ONE OF THESE PROGRAMS. AFTER THE TITLE PAGE COMES ON, AND THERE IS THE EXPLOSION OF DOTS, IT WAITS FOR YOU TO PRESS A KEY, OR PUSH A BUTTON. AFTER YOU PRESS A KEY, IT GOES BACK TO DISK, AND DOES A NIBBLE COUNT. IF IT CAN READ ALL THESE NIBBLES, AND EVERYTHING CHECKS OUT, IT WILL CONTINUE WITH THE GAME. BUT, IF IT DOESN'T, WELL, YOU'RE IN TROUBLE. SO, IF THIS IS TO BE CRACKED, AND PUT ONTO A NORMAL 3.3 DISK THAT CONTAINS NO TRACK DEDICATED TO CONTAINING THOSE BYTES THAT SHOULD BE READ, WE WILL NEED TO DEFEAT THE NIBBLE COUNT. LET'S FIRST CRACK THE PROGRAM, AND THEN I WILL LATER SHOW YOU HOW TO DEFEAT THIS SPECIFIC COUNT.

     TO CRACK THIS, FIRST TURN YOUR APPLE ON, AND PRESS "RESET" TO STOP THE DRIVE FROM BOOTING THE DISK, AND GET INTO THE MONITOR BY TYPING "CALL-151 (RETURN)" IF YOU HAVE AN APPLE II PLUS; IF YOU HAVE AN APPLE II, THEN BY PRESSING RESET YOU WILL AUTOMATICALLY BE PLACED INTO THE MACHINE LANGUAGE MONITOR. THEN TYPE "8600<C600.C700M (RETURN)", TO MOVE THE BOOT FROM THE PROM INTO RAM, AND "86F8:4C 01 88 (RETURN)", TO MAKE THE BOOT CONTINUE AT LOCATION $8801 INSTEAD OF $801, AND "8801:4C 59 FF (RETURN)", TO FORCE THE BOOT TO STOP HERE INSTEAD OF CONTINUING IN MEMORY. THEN START IT UP BY TYPING "8600G (RETURN)". NOW MOVE THE SECOND STAGE THAT IS AT $800 UP TO $8800 BY TYPING "8800<800.900M (RETURN)", AND MODIFY IT SO IT WILL RUN AT $8800 BY TYPING "8803:BD 00 88 (RETURN)" AND "8841:4C 01 83 (RETURN)", THEN TYPE "8301:4C 59 FF", AND FINALLY REBOOT BY TYPING "8600G (RETURN)" AGAIN. NOW WE ARE AT THE THIRD STAGE THAT IS AT $300, SO MOVE THAT STUFF UP TO $8300 BY TYPING "8300<300.400M (RETURN)" AND MODIFY THIS STUFF TO RUN AT $8300 BY TYPING "8313:AD CC 83 (RETURN)" AND "833C:AD CC 83 (RETURN)" AND "8343:4C 0 84 (RETURN)". NOW WE WILL RUN INTO THE SAME TROUBLE THAT WE HAD IN GALAXIAN, IN THAT THE JUMP OUT OF THIS STAGE IS NOT IMMEDIATE, BUT ONLY AFTER MANY JUMPS TO A CERTAIN SUBROUTINE, SO WE NEED THAT PROGRAM AT $8400 AGAIN THAT CHECKS TO SEE IF IT IS GOING TO THE SUBROUTINE, OR TO THE BEGINNING OF THE PROGRAM. IF IT IS GOING TO THE SUBROUTINE, THEN LET IT CONTINUE; IF NOT, THEN STOP. SO TYPE "8400:A5 3E C9 D5 D0 03 6C 3E 00 4C 59 FF (RETURN)", AND REBOOT AGAIN BY TYPING "8600G (RETURN)". NOW TO FIND OUT WHERE THE NEXT STAGE JUST LOADED IN, TYPE "83CC (RETURN)". YOU WILL SEE AN $A1, SO ADD ONE TO THAT, AND YOU GET $A2, SO TYPE "A200L (RETURN)". WE ARE NOW AT THE FINAL STAGE OF THE BOOT.

     IN THIS STAGE, THE BOOT TURNS ON THE GRAPHICS, LOADS THE PROGRAM, AND JUMPS TO THE BEGINNING OF IT. IF YOU TYPE "L" A FEW TIMES, YOU WILL COME ACROSS A POINT WHERE THIS STAGE ENDS, AND THE JUMP TO THE BEGINNING OF THE PROGRAM IS LOCATED. THE JUMP IS AT LOCATION $A2F8, AND IT IS AN INDIRECT ONE TO $1FF. IF YOU DON'T KNOW, AN INDIRECT JUMP TO $1FF DOESN'T JUMP TO THE LOCATION THAT $1FF AND $200 POINT TO, BUT TO THE LOCATION THAT $1FF AND $100 POINT TO. SO, TO FIND OUT WHERE THIS JUMP IS TO, TYPE "A2F8:4C 59 FF (RETURN)" AND "8409:4C 00 A2 (RETURN)" AND "83CC:D2 (RETURN)", AND FINALLY REBOOT BY TYPING "8600G (RETURN)". NOW WE CAN EXAMINE LOCATION $100 BY TYPING "100 (RETURN)" AND LOCATION $1FF BY TYPING "1FF (RETURN)". FROM THIS INFORMATION YOU NOW KNOW THAT THE JUMP IS TO LOCATION $4D36.
     YOU HAVE NOW CRACKED THE PROGRAM, BUT ONE MORE MAJOR OBSTACLE REMAINS IN OUR WAY. THE PROGRAM CONTAINS A NIBBLE COUNT. IF YOU BOOT THE ORIGINAL, AND PRESS BUTTON (0), YOU WILL SEE THAT IT GOES BACK TO DISK FOR A SECOND AND DOES THE COUNT. SO THE WAY TO GET RID OF THE NIBBLE COUNT IS TO FIND WHERE IT IS IN MEMORY, AND JUST AVOID IT WHEN THE PROGRAM IS RUN. I HAVE EXAMINED THE PROGRAM AND FOUND THAT AFTER THE TITLE PAGE IS DISPLAYED, AND THE DOT GRAPHICS EXPLOSION TAKES PLACE, THERE IS A JUMP, AT $4E24, THAT GOES TO THE NIBBLE COUNT ROUTINE AT $4A33. AFTER THE NIBBLE COUNT IS DONE, THERE IS A JUMP OUT OF IT AT $4A88. THIS JUMP IS TO THE BEGINNING OF THE GAME, LOCATION $494A. NOW, WE CAN MODIFY THE WHOLE NIBBLE ROUTINE AT $4A33 JUST TO SKIP TURNING ON THE DRIVE, AND JUMP DIRECTLY TO THE BEGINNING OF THE PROGRAM, BUT LIKE ALWAYS, THEY (THE PROTECTORS) HAVE STEALTHILY HIDDEN A ROUTINE IN THE MIDDLE OF THE GAME THAT CHECKS TO SEE IF THE NIBBLE COUNT ROUTINE HAS BEEN CHANGED IN ANY WAY. IF IT HAS, THEN THE PROGRAM WILL CRAP OUT; IF NOT, THEN IT WILL CONTINUE WITH THE GAME. PRETTY SNEAKY OF THE PROTECTORS, HUH? (THOSE LOW-LIFE ROTTEN BASTARDS WHO MAKE EVERYTHING SO G-DDAM TOUGH). SO TO GET AROUND THIS PROBLEM, WE MUST SIMPLY TAKE THE JUMP AT $4E24 THAT SAYS TO GO TO THE NIBBLE COUNT PART AT $4A33, AND CHANGE IT TO JUMP TO THE BEGINNING OF THE PROGRAM AT $49A4. SO MAKE THE CHANGE BY TYPING "4E24:4C 49 A4 (RETURN)".
     AFTER THIS CHANGE HAS BEEN MADE, THE PROGRAM IS IN A FORM ABLE TO BE SAVED TO A NORMAL 3.3 DISK. DON'T FORGET TO SAVE PAGES $0-$8 WITH THE REST OF THE FILE, AND LOAD THEM BACK INTO MEMORY WHEN YOU BLOAD THE FILE BACK IN NORMAL 3.3 DOS. IF YOU HAVE JUST READ ALL THIS, AND YOU DON'T BELIEVE THAT IT WILL ALL WORK, TRY THIS. HERE IS A PROGRAM THAT WILL DO THE NIBBLE COUNT CHANGES AND WILL SHOW YOU THAT THE NIBBLE COUNT WAS REALLY DEFEATED.

      ORG $A800
START STA $AF00  ;STA TEMP
      LDA #$4C   ;JMP BYTE
      STA $4E24  ;JMP LOCATION
      LDA #$A4   ;LOW BYTE
      STA $4E25  ;JMP LOCATION+1
      LDA #$49   ;HIGH BYTE
      STA $4E26  ;JMP LOCATION+2
      LDA $AF00  ;GET OLD A VAL BACK
      JMP $4D36  ;BEGINNING OF THE PROG
                 ;THIS WILL DO THE JMP
                 ;TO PROVE THE DEFEAT
                 ;OF THE NIBBLE COUNT.

THE ASSEMBLED VERSION IS "A800:8D 00 AF A9 4C 8D 24 4E A9 A4 8D 25 4E A9 49 8D 26 4E AD 00 AF 4C 36 4D (RETURN)", AND WE NEED TO JUMP TO THIS LOCATION INSTEAD OF ($1FF), SO TYPE "A2F8:4C 00 A8 (RETURN)". THIS MUST BE DONE IN THE BOOT TRACE INSTEAD OF ENTERING "A2F8:4C 59 FF". WHEN YOU RUN THE BOOT, THE GAME WILL PROCEED NORMALLY, BUT THE DISK WILL NEVER BE ACCESSED, AND THUS WE HAVE DEFEATED THE NIBBLE COUNT!
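Added here as a worked example (not code from the articles or from any tool they name): a small Python decoder for the monitor entry strings quoted in the three Mr Xerox articles, such as the $9400/$8400 checker routine and the Space Raiders patch at $3FF0. It disassembles the handful of 6502 opcodes those strings use, and it computes where a JMP ($1FF) really goes, which is the page-wrap quirk the Bug Attack article relies on when it reads $1FF and $100. The memory bytes in the demo are constructed to match the $4D36 result the article reports.

```python
"""Decode Apple II monitor entry strings and the JMP (indirect) quirk.

Added example, not code from the articles. parse_monitor_entry() turns a
string like "9400:A5 3E C9 5D D0 03 6C 3E 00 4C 59 FF" into an address and
a byte list, disassemble() lists the 6502 instructions in it, and
jmp_indirect_target() shows why JMP ($1FF) reads $1FF and $100, not $200.
"""

# opcode -> (mnemonic, addressing mode, instruction length in bytes)
OPCODES = {
    0x18: ("CLC", "imp", 1), 0x20: ("JSR", "abs", 3), 0x2C: ("BIT", "abs", 3),
    0x40: ("RTI", "imp", 1), 0x4C: ("JMP", "abs", 3), 0x60: ("RTS", "imp", 1),
    0x6C: ("JMP", "ind", 3), 0x85: ("STA", "zp", 2), 0x8C: ("STY", "abs", 3),
    0x8D: ("STA", "abs", 3), 0x8E: ("STX", "abs", 3), 0x95: ("STA", "zpx", 2),
    0x9D: ("STA", "abx", 3), 0xA2: ("LDX", "imm", 2), 0xA5: ("LDA", "zp", 2),
    0xA9: ("LDA", "imm", 2), 0xAD: ("LDA", "abs", 3), 0xB5: ("LDA", "zpx", 2),
    0xBA: ("TSX", "imp", 1), 0xBD: ("LDA", "abx", 3), 0xC9: ("CMP", "imm", 2),
    0xD0: ("BNE", "rel", 2), 0xE8: ("INX", "imp", 1), 0xEA: ("NOP", "imp", 1),
    0xEE: ("INC", "abs", 3),
}


def parse_monitor_entry(entry):
    """'7FD:4C 0 B (RETURN)' -> (0x07FD, [0x4C, 0x00, 0x0B]).

    The monitor accepts one-digit hex bytes, so '0' means $00. A trailing
    '(RETURN)', as the articles write it, is ignored.
    """
    text = entry.replace("(RETURN)", "").strip()
    addr_text, sep, byte_text = text.partition(":")
    if not sep:
        raise ValueError("expected ADDR:BYTES, got %r" % entry)
    addr = int(addr_text, 16)
    data = [int(tok, 16) for tok in byte_text.split()]
    if addr > 0xFFFF or any(b > 0xFF for b in data):
        raise ValueError("address or byte out of range in %r" % entry)
    return addr, data


def disassemble(addr, data):
    """Return [(pc, instruction text)] for a byte run starting at addr.

    Bytes that are not one of the opcodes above (or that would run past the
    end of the run) are listed as raw data rather than silently skipped.
    """
    listing = []
    i = 0
    while i < len(data):
        pc = (addr + i) & 0xFFFF
        op = data[i]
        if op not in OPCODES or i + OPCODES[op][2] > len(data):
            listing.append((pc, "DB  $%02X" % op))
            i += 1
            continue
        mnem, mode, length = OPCODES[op]
        args = data[i + 1:i + length]
        if mode == "imp":
            text = mnem
        elif mode == "imm":
            text = "%s #$%02X" % (mnem, args[0])
        elif mode == "zp":
            text = "%s $%02X" % (mnem, args[0])
        elif mode == "zpx":
            text = "%s $%02X,X" % (mnem, args[0])
        elif mode == "rel":
            # branch offset is signed and relative to the next instruction
            off = args[0] - 0x100 if args[0] >= 0x80 else args[0]
            text = "%s $%04X" % (mnem, (pc + 2 + off) & 0xFFFF)
        else:
            word = args[0] | (args[1] << 8)  # little-endian operand
            if mode == "abs":
                text = "%s $%04X" % (mnem, word)
            elif mode == "abx":
                text = "%s $%04X,X" % (mnem, word)
            else:
                text = "%s ($%04X)" % (mnem, word)
        listing.append((pc, text))
        i += length
    return listing


def jmp_indirect_target(memory, pointer):
    """Effective address of JMP (pointer) on the Apple II's 6502.

    The CPU fetches the high byte from the same page as the low byte, so a
    pointer at $01FF reads $01FF and $0100, never $0200, exactly as the Bug
    Attack article says. memory is a dict {address: byte}.
    """
    lo = memory.get(pointer & 0xFFFF, 0)
    hi_addr = (pointer & 0xFF00) | ((pointer + 1) & 0x00FF)
    return lo | (memory.get(hi_addr, 0) << 8)


if __name__ == "__main__":
    # the $9400 checker from the Galaxian article, as entered in the monitor
    addr, data = parse_monitor_entry("9400:A5 3E C9 5D D0 03 6C 3E 00 4C 59 FF")
    for pc, text in disassemble(addr, data):
        print("%04X-  %s" % (pc, text))
    # constructed memory image: only $1FF and $100 matter to JMP ($1FF)
    mem = {0x01FF: 0x36, 0x0100: 0x4D, 0x0200: 0x99}
    print("JMP ($1FF) -> $%04X" % jmp_indirect_target(mem, 0x01FF))
```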




Cracking Threshold by Trystan II


MSG LEFT BY: TRYSTAN II


THIS AND  THE FOLLOWING  MESSAGE ARE  BOTH  FORMATTED  FOR 80  COLUMNS.  BE
SURE TO USE THE VIDEO COMMAND TO CHANGE YOUR SCREEN WIDTH!
 
THRESHOLD IS THE FIRST GAME PROGRAM WHICH USES DISK ACCESS DURING PLAY THAT
I  HAVE  BEEN  ABLE  TO  CRACK.   I HOPE THE TECHNIQUE DESCRIBED BELOW WILL
ENABLE SOME OF THE OTHER DISK-BASED GAMES TO UNFOLD THEIR  MANIFEST  CHARMS
TO THE WORLD OF DOS 3.3!
 
FIRST, THE SIMPLE PART--THAT OF GETTING THE MAIN CODE INTO A NORMAL DOS 3.3
BINARY FILE:
 
           1)  BOOT THRESHOLD NORMALLY.  WHEN YOU GET TO THE POINT WHERE IT
ASKS YOU WHETHER YOU WANT TO USE PADDLES OR KEYBOARD, PRESS RESET.  THIS IS
WHERE THE GAME WILL START ONCE IT'S BROKEN.  THE LOGO IS NICE, BUT  USELESS
AND,  SINCE  THRESHOLD  USES RAM FROM $800 TO $B600, YOU DON'T HAVE ROOM TO
LOAD IT WITH NORMAL DOS.
 
           2)  YOU NOW HAVE TO SAVE EVERYTHING IN MEMORY FROM 0  TO  $98FF,
EXCEPT  FOR  HI-RES PAGE 1 ($2000-$3FFF).  SAVING PAGES 0-7 IS THE HARDEST,
SINCE RESET LIKES TO WALK ALL OVER VARIOUS PARTS OF IT.  BECAUSE  OF  THIS,
YOU  NEED  TO USE SOMETHING TO RELOCATE THE FIRST 8 PAGES OF MEMORY UP TO A
LOCATION LIKE $1000 OR SO, WHICH WILL ENABLE  YOU  TO  RE-BOOT  NORMAL  DOS
WITHOUT WIPING IT OUT.  I USED MASTER KEY+ TO SAVE ALL THE PARTS, INCLUDING
PAGE 0-7.  FROM WHAT I GATHER, ONE OF THE TWO CRACKING ROMS IN THE DOWNLOAD
SECTION WILL ALSO RELOCATE PAGES 0-7 UPON HITTING RESET.

           3)  ONCE YOU HAVE SAVED PAGES 0-7, YOU NEED TO RE-BOOT THRESHOLD
IN ORDER TO SAVE PAGES 8 THRU $97 ($800-$97FF).  THIS IS A BIT EASIER,  BUT
YOU  HAVE  TO  REMEMBER  TO  MOVE  PAGE 8 OUT OF THE WAY BEFORE YOU RE-BOOT
NORMAL DOS BECAUSE IT GETS CLOBBERED.  YOU SHOULD DO THIS IN TWO STAGES  IN
ORDER  TO  MAKE  THE  RELOCATION PROCESS (DESCRIBED BELOW) EASIER.  I FIRST
SAVED $800-$1FFF, THEN RE-BOOTED THRESHOLD, AND MOVED $4000-$97FF  DOWN  TO
$2000 BEFORE SAVING IT.
 
           4)  NOW ALL YOU DO IS BLOAD THE THREE PIECES LIKE SO:
               
               A)  BLOAD THE $800-$1FFF FILE AT $800
               B)  BLOAD THE PAGE 0-7 FILE AT $2000
               C)  BLOAD THE $4000-$97FF FILE AT $2800
 
THE  PROGRAM NOW RESIDES IN MEMORY FROM $800-$80FF.  THE ONLY THING LEFT IS
TO WRITE A LITTLE ASSEMBLY LANGUAGE ROUTINE TO RELOCATE PAGES 0-7 AND
$2800-$80FF  TO THEIR PROPER ADDRESSES.  HINT: USE THE MOVE ROUTINES IN THE
MONITOR!  I PUT MY CODE RELOCATOR AT $8100 AND ADDED A JUMP TO IT AT  $7FD.
FINALLY,  ADD  A  JUMP  TO THE STARTING ADDRESS OF $6B00 AT THE END OF YOUR
RELOCATION ROUTINE.  THEN, A BSAVE THRESHOLD,A$7FD,L$7A03 WILL SAVE IT  ALL
IN ONE EXECUTABLE CHUNK.  BY USING A LENGTH OF $7A03, YOU GIVE YOURSELF 255
BYTES IN WHICH TO WRITE YOUR RELOCATION CODE.
 
THE TECHNIQUE OF PULLING THE  PIECES  OF  THE  DISK  ACCESSED  DURING  PLAY
FOLLOWS IN THE NEXT MESSAGE.


***************************************

MSG LEFT BY: TRYSTAN II


THE MOST DIFFICULT PART OF CRACKING THRESHOLD IS SAVING  THE  VARIOUS  BITS
AND PIECES OF THE DISK THAT IT ACCESSES DURING PLAY.
 
THE  CODE STARTING AT $9383 SETS UP THE IOB AND CALLS THE RWTS TO LOAD IN 3
SEPARATE "FILES" EACH TIME YOU ADVANCE TO A NEW  LEVEL.   FORTUNATELY,  THE
RWTS IN THRESHOLD IS NOT TOO HEAVILY MODIFIED, SO YOU CAN USE THE INSPECTOR
TO READ THE THRESHOLD DISK.  BEFORE YOU START READING THE  THRESHOLD  DISK,
YOU  WILL  HAVE  TO CHANGE LOCATION $3D9 TO JUMP TO THE RWTS AT $B7B5 (I.E.
3D9:4C B5 B7) AND THEN CHANGE THE RESET VECTOR TO JUMP  TO  SOME  INNOCUOUS
LOCATION SO THAT YOU CAN RESET OUT OF THE INSPECTOR.
 
STARTING  AT  $9383,  YOU WILL FIND 3 CALLS TO $7AB0 (WHICH, IN TURN, CALLS
THE RWTS).  JUST BEFORE EACH OF THESE CALLS, THE IOB IS  SET  UP  WITH  THE
STARTING  TRACK/SECTOR, THE LOAD ADDRESS AND THE NUMBER OF SECTORS TO READ.
THE TRACK/SECTOR TABLE IS AT $65D0-$65F3.  HERE IS WHAT IT LOOKS LIKE:
 
              65D0:03 05 07 09 0C 0E 00 04 
              65D8:08 0C 03 07 12 12 13 13 
              65E0:14 15 00 08 03 0B 06 01 
              65E8:16 16 16 16 16 16 00 02 
              65F0:04 06 08 0A 
 
THE FIRST 6 BYTES ARE THE TRACK NUMBERS FOR THE FIRST "FILE"  FOR  EACH  OF
THE  SIX  LEVELS.   THE NEXT SIX BYTES ARE THE CORRESPONDING SECTOR NUMBERS
FOR THE FIRST "FILE".  THE NEXT SET OF TWELVE  BYTES  ARE  FOR  THE  SECOND
"FILE"  AND  THE  THIRD  SET  IS  FOR  THE  LAST OF THE THREE "FILES".  FOR
EXAMPLE, WHEN YOU START THRESHOLD, YOU ARE AT LEVEL ONE.  THE 3 FILES START
AT T3-S0, T12-S0 AND T16-S0, RESPECTIVELY.  AT LEVEL TWO, THE 3 FILES START
AT T5-S4, T12-S8 AND T16-S2.  THE VALUES ABOVE ARE NOT WHAT YOU WILL SEE ON
YOUR  THRESHOLD DISK.  THEY ARE THE LOCATIONS I USED TO SAVE THE FILES ONTO
NORMAL DOS.  THE INTERPRETATION OF THE TABLE IS THE SAME, HOWEVER.
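A decoder for the table layout just described, added here as an example and not Trystan II's code: the 36 table bytes are the ones listed in the message, and the "T12-S0" notation it uses reads the track numbers as hex.

```python
"""Decode the Threshold level table: 3 "files" per level, 6 levels.

Added example, not the message author's code. For each file the table holds
six track bytes (one per level) followed by six sector bytes, so file f for
level n uses table[12*f + n-1] (track) and table[12*f + 6 + n-1] (sector).
"""

LEVELS = 6
FILES = 3

# The 36 bytes dumped at $65D0-$65F3 in the message above.
TABLE_65D0 = bytes([
    0x03, 0x05, 0x07, 0x09, 0x0C, 0x0E, 0x00, 0x04,
    0x08, 0x0C, 0x03, 0x07, 0x12, 0x12, 0x13, 0x13,
    0x14, 0x15, 0x00, 0x08, 0x03, 0x0B, 0x06, 0x01,
    0x16, 0x16, 0x16, 0x16, 0x16, 0x16, 0x00, 0x02,
    0x04, 0x06, 0x08, 0x0A,
])


def file_starts(table, level):
    """Return [(track, sector), ...] for the three files of a 1-based level.

    Values are checked against DOS 3.3 disk geometry (35 tracks, 16 sectors)
    so a corrupted or mis-copied table is reported instead of decoded.
    """
    if len(table) != LEVELS * FILES * 2:
        raise ValueError("table must be %d bytes" % (LEVELS * FILES * 2))
    if not 1 <= level <= LEVELS:
        raise ValueError("level must be 1..%d" % LEVELS)
    starts = []
    for f in range(FILES):
        base = f * LEVELS * 2
        track = table[base + level - 1]
        sector = table[base + LEVELS + level - 1]
        if track > 34 or sector > 15:
            raise ValueError("level %d file %d: T%X-S%X is off the disk"
                             % (level, f + 1, track, sector))
        starts.append((track, sector))
    return starts


def describe(table):
    """Map each level to the message's 'T<track>-S<sector>' strings (hex)."""
    return {n: ["T%X-S%X" % ts for ts in file_starts(table, n)]
            for n in range(1, LEVELS + 1)}


if __name__ == "__main__":
    for level, files in describe(TABLE_65D0).items():
        print("level %d: %s" % (level, ", ".join(files)))
```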
 
THE NUMBER OF SECTORS TO  READ  FOR  EACH  OF  THE  THREE  "FILES"  ARE  AT
LOCATIONS  $93A1,  $93C7 AND $93ED RESPECTIVELY.  THE TOTAL IS 240 SECTORS!
USE THE INSPECTOR TO READ IN EACH OF THE 18 (6 LEVELS * 3  FILES)  "FILES",
ONE  AT  A  TIME, AND THEN RE-BOOT NORMAL DOS AND WRITE THEM BACK OUT.  YOU
WILL HAVE TO USE A SECTOR EDITOR TO MODIFY THE VTOC  OF  YOUR  TARGET  DISK
BECAUSE  THEY WILL NOT EXIST AS NORMAL DOS FILES.  IN ORDER TO PREVENT THEM
FROM ACCIDENTAL ERASURE, YOU SHOULD FLAG THOSE SECTORS IN THE VTOC AS BEING
IN USE.  I FOUND DISK FIXER TO BE THE EASIEST FOR THIS PURPOSE.  YOU COULD,
OF COURSE, MAKE THESE NORMAL DOS FILES, BUT THEN YOU WOULD HAVE  TO  MODIFY
THE MAIN CODE TO READ FILES INSTEAD OF A SERIES OF SECTORS.  CHALK IT UP TO
LAZINESS ON MY PART COUPLED WITH THE FACT THAT THE PROGRAM RUNS  FASTER  IF
IT DOESN'T HAVE TO GO THRU THE DOS FILE MANAGER!
 
HOPE  THIS  HELPS.
 
                       ===  TRYSTAN  II  ===




Various cracks


MSG LEFT BY: DR. NIBBLEMASTER

CRACKIN CONGO

BOOT NORMAL 3.3
RESET INTO MONITOR
C091 C091 D000<9000.BFFFM
MAKE SURE 16K CARD IS IN SLOT 1
FFFC:59 FF N C091
BOOT CONGO
RESET INTO MONITOR
7FD:4C 0 B
9DBFG
16CA:4C 00 48
A964:FF
BSAVE CONGO,A$7FD,L8F03
 
THAT'S IT, NOW YAA HAVE A CRACKED CONGO!

ANOTHER HELPFUL CRACK ROM:
 
            DR. NIBBLEMASTER
 
THANKS TO ALL PIRATES WHO MADE THIS
CRACK POSSIBLE!

***************************************

MSG LEFT BY: DR. NIBBLEMASTER

TO ALL YE PIRATES:

HOW TO CRACK GOLD RUSH!
 
BOOT 3.3
RESET INTO MONITOR
C091 C091 D000<9000.BFFFM
16K CARD IN SLOT 1
FFFC:59 FF N C091
BOOT GAME
RESET INTO MONITOR
C090 9D00<D000.F2FFMN C091
7FD:4C 0 B
9DBFG
16CA:4C 00 48
A964:FF
BSAVE GOLD RUSH,A$7FD,L$8FF0F
 
NOW YOU HAVE A CRACKED GOLD RUSH!

A HELPFUL CRACK FROM DR. NIBBLEMASTER!

***************************************

MSG LEFT BY: THE MIMIC

BOOT APPLE AIDS...A UTILITY FOR CRACKIN
USE Q^CHOICE #7....SECTOR EDITOR
TYPE L(LOAD)3(TRACK)0(SECTOR)
TYPE A(ASCII)
THE PLUS KEY GOES FORWARD IN THE DISK
WHEN YOU COME ACROSS A SECTOR THAT HAS
A STRING OF 8 OR MORE BYTES OF THE FF
MAKE A NOTE OF THIS SECTOR
AND CONTINUE
 
WHEN YOU ARE DONE...TAKE A DISK AND
USE NIBBLES AWAY II TO COPY TRACKS
0-3 THEN COPY THE ENTIRE DISK
ELIMINATING THE SECTORS YOU JOTTED DOWN...
 
THEN FILL THOSE SECTORS WITH '@@@'
(NULLS) THAT ENABLES YOU TO CATALOG
THE DISKETTE
THEN JUST TRANSFER THE PROGRAMS ONE BY
ONE
 
THE ONLY PROBLEM IS THAT THEY (THE INDIV.
PROGRAMS) CHECK TO SEE IF THEY ARE
ON THE CORRECT PLACE ON THE DISKETTE
 
THERE IS NO WAY TO AVOID THIS
 
.....THE MIMIC

***************************************

MSG LEFT BY: RED REBEL

MESSAGE #12: CRACKING ALIEN AMBUSH!!!

THIS IS SO EASY IT IS ABSURD!!
 
1.BOOT THE GAME
2.AFTER GAME STARTS INTERRUPT AND ENTER
  THE MONITOR.
3.BOOT NORMAL DOS USING 6^P <RETURN>
4.BSAVE ALIEN AMBUSH,A$4000,L$4000
 
THAT'S IT. RIDICULOUS ISN'T IT??

YO HO HO,

          >>> RED REBEL <<<

***************************************

MSG LEFT BY: LONG JOHN SILVER

MESSAGE #20: FIX DISK

TO FIX YOUR DISK IF IT GIVES IO ERRORS
 
TRY THIS-
 
]CALL-151
*B925:18 60
*B988:18 60
*BE48:18
*RUN COPYA
 
IT WILL MOAN AND GROAN AT ERRORS BUT IT
WILL COPY THE DISK AND YOU CAN THEN
TAKE A LOOK AT THE COPY (IT WILL
CONTAIN WHAT WAS EVER LEFT ON THE
ORIGINAL THAT WAS RECOVERABLE AND BE
READABLE).
 
ALSO IF THE CATALOG SHOWS UP BLANK
USE THE HIGHLY USEFUL UTILITY CALLED
FIXCAT WHICH IS ON THE BAG OF TRICKS
DISK.

SEND ANY QUESTIONS HERE OR ON THE
PIRATES COVE AND I'LL GET BACK TO YOU.

***************************************

MSG LEFT BY: AXE MAN

MY FRIEND, THE BIG TOE, INFORMS ME
THAT APPLE LOGO (US VERSION) IS
EASILY CRACKED - ALL THAT IS REQUIRED
IS THE FOLLOWING PATCHES
(NOTE THE SIMILARITY TO THE CANADA
 CRACK)
 
TRACK 00 SECTOR 0A
BYTE (OFFSET FROM 0000)
0029:EA EA
0035:EA EA
003F:EA EA
0045:EA EA
0079:EA EA EA
 
(AND THAT IS IT !)




About Demuffin and Demuffin Plus by Bozo NYC


MESSAGE FROM:BOZO NYC

**************************************
DEMUFFIN  AND DEMUFFIN PLUS ARE AMONG
THE   EASIEST  AND  BEST  METHODS  FOR
CRACKING THOSE DISCS WHICH HAVE A  DOS
(AS OPPOSED TO A 'QUICK-LOADER'). THIS
LETTER WILL HELP YOU DETERMINE IF  THE
DISC   YOU   WANT  TO  CRACK  CAN   BE
DEMUFFINED,  AND  IF SO,  HOW  TO  USE
DEMUFFIN TO CRACK IT.
IF YOU GET A BASIC PROMPT,  EVEN ONCE,
DEMUFFIN WILL WORK (ALTHOUGH YOU STILL
WILL OFTEN HAVE TO REWRITE PORTIONS OF
SOME OF THE PROGRAMS YOU TRANSFER,  OR
RECOVER BITS OF ASSEMBLY PROGRAMS THAT
ARE  ON THE ORIGINAL,  BUT NOT IN  THE
DIRECTORY...REMEMBER,  THE PEOPLE THAT
WRITE  GOOD  PROGRAMS ARE NOT  STUPID,
THEY  WILL USE EVERY TRICK TO TRY  AND
MAKE CRACKING THEIR PROGRAM IMPOSSIBLE
...YOUR  JOB AS A CRACKER IS  NO  EASY
ONE!!!...A  TRULY  PROFICIENT  CRACKER
MUST  BE FLUENT IN ASSEMBLY LANGUAGE).
IF YOU CAN GET A CATALOG BY ANY METHOD
FROM THE ORIGINAL, DEMUFFIN WILL WORK.
ONCE YOU HAVE DETERMINED DEMUFFIN WILL
WORK,  BUT BEFORE YOU USE IT, YOU MUST
UNDERSTAND WHAT IT IS...  MUFFIN IS AN
ASSEMBLY  PROGRAM WHICH READS ONE DISC
FORMAT AND THEN WRITES ANOTHER.  APPLE
DESIGNED MUFFIN TO READ 13 SECTOR  AND
WRITE 16 SECTOR.  THEN SOME PROGRAMMER
DECIDED  THAT  IT MIGHT BE  USEFUL  TO
READ  16 SECTOR AND WRITE 13 SECTOR...
THUS NIFFUM WAS BORN.  NOW SOME CLEVER
PIRATE THOUGHT 'WHY NOT READ WITH  THE
DOS THAT IS ALREADY IN THE MACHINE AND
WRITE  WITH 13 SECTOR'.  THIS  PROGRAM
(WHICH  WE KNOW AS DEMUFFIN) TAKES THE
DOS  WHICH  YOU  LOADED  IN  WHEN  YOU
BOOTED THE ORIGINAL AND USES THIS RWTS
TO READ;  DEMUFFIN HAS 13 SECTOR  RWTS
BUILT IN AND USES THIS TO WRITE OUT IN
STANDARD  13 SECTOR FORMAT.   DEMUFFIN
PLUS DOES EXACTLY THE SAME THING, ONLY
ITS  INTERNAL  RWTS WRITES OUT  IN  16
SECTOR.
NOW THAT YOU KNOW A LITTLE ABOUT  WHAT
DEMUFFIN  IS...ON TO THE NITTY GRITTY.
NOTE  THAT ALL REFERENCES TO  DEMUFFIN
APPLY   TO  DEMUFFIN  PLUS  AS   WELL;
REMEMBER  THAT  BOTH PROGRAMS  DO  THE
SAME  THING,  DEMUFFIN OUTPUTS  IN  13
SECTOR  WHILE DEMUFFIN PLUS OUTPUTS IN
16 SECTOR.
THE  'SECRET'  TO  USING  DEMUFFIN  IS
REMEMBERING  THAT  IT IS  AN  ASSEMBLY
PROGRAM  DESIGNED  TO  OPERATE  AT   A
SPECIFIC LOCATION IN MEMORY ($803). IF
YOU  LOAD IT IN SOMEWHERE ELSE AND TRY
TO RUN IT,  IT WON'T WORK.  THIS WOULD
NOT  EVEN  REQUIRE  MENTIONING  EXCEPT
THAT THE AREA AT $800 IS DESTROYED  BY
A  BOOT!   KEEP IN MIND THAT  DEMUFFIN
MUST BE IN MEMORY BEFORE YOU BOOT THAT
PROTECTED DISC YOU'RE TRYING TO CRACK.
ONCE  YOU'VE BOOTED THE PROTECTED DISC
YOU WILL BE OPERATING UNDER THEIR  DOS
AND  YOU WILL NOT BE ABLE TO READ  THE
DISC THAT CONTAINS DEMUFFIN (YOUR DISC
HAS   STANDARD   DOS...REMEMBER?)...SO
WHAT  ARE  WE  TO DO?  THERE  ARE  TWO
CHOICES:  ONE  IS TO USE TAPE  (UGH!);
THE OTHER IS TO FIRST LOAD DEMUFFIN IN
SOMEWHERE THAT THE BOOT WON'T  DESTROY
IT.  THIS IS THE METHOD I RECOMMEND:
FIRST BOOT YOUR DOS AND BLOAD DEMUFFIN
AT   $6000 [I CHOSE $6000...THERE  ARE
MANY 'CORRECT LOCATIONS']
SECOND  BOOT THE ORIGINAL (PGM  TO  BE
CRACKED)   AND  RESET  AFTER  DOS  HAS
LOADED  AND  THE  FIRST  PROGRAM   HAS
STARTED TO LOAD IN.  PROPER RESETTING
DEPENDS  ON MANY THINGS SUCH AS  WHICH
MONITOR  YOU HAVE AND HOW AND WHEN THE
ORIGINAL  SETS  YOUR RESET  VECTOR  AT
$3F2-$3F3.    I  WILL  DISCUSS  PROPER
RESET METHODS IN THE NEXT LETTER.
THIRD GET INTO THE MONITOR (CALL  -151
OR  RESET  ON  THE F8  ROM)  AND  TYPE
803<6000.8000M  N 803G      THIS  WILL
MOVE  DEMUFFIN  BACK WHERE IT  BELONGS
AND START IT RUNNING.
FOURTH FOLLOW THE INSTRUCTIONS...
-------------------------------------

************>BOZO NYC<***************
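The two points Bozo's letter hangs on are that the $800 page does not survive a boot and that a program assembled for $803 only works when it is sitting at $803, which is why it is staged at $6000 and moved back with the monitor's `803<6000.8000M` command. The model below is an added example, not code from the letter or from Demuffin itself: it parses the monitor's `DEST<START.ENDM` move syntax over a 64 KiB bytearray, simulates the boot overwriting $800-$8FF with constructed filler, and uses a constructed stand-in program that begins with a 6502 `JMP $0803` so the position dependence can be checked directly. `make_program`, `simulate_boot` and `demuffin_workflow` are names invented here; the program bytes are constructed, not Demuffin's.

```python
"""Model of the staging-and-move step from the Demuffin letter (added example)."""
import re

MEM_SIZE = 0x10000
ORIGIN = 0x803    # address the letter says Demuffin must run from
STAGE = 0x6000    # staging address the letter chose
JMP_ABS = 0x4C    # 6502 "JMP absolute" opcode, operand is little-endian

# Monitor move command: DEST<START.ENDM, hex with no '$', END is inclusive.
MOVE_RE = re.compile(r'^([0-9A-F]{1,4})<([0-9A-F]{1,4})\.([0-9A-F]{1,4})M$', re.I)


def parse_move(cmd: str):
    """Parse 'DEST<START.ENDM' into (dest, start, end) integers."""
    m = MOVE_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a monitor move command: {cmd!r}")
    dest, start, end = (int(x, 16) for x in m.groups())
    if end < start:
        raise ValueError("end address precedes start address")
    if dest + (end - start) >= MEM_SIZE:
        raise ValueError("move would run past the end of memory")
    return dest, start, end


def monitor_move(mem: bytearray, cmd: str) -> int:
    """Apply a move command to `mem`; returns the number of bytes moved."""
    dest, start, end = parse_move(cmd)
    length = end - start + 1
    # Ranges in the letter do not overlap, so a slice copy matches the
    # monitor's ascending byte-by-byte copy.
    mem[dest:dest + length] = mem[start:end + 1]
    return length


def make_program(origin: int, size: int = 0x100) -> bytes:
    """Constructed stand-in for code assembled at `origin`: it starts with
    JMP origin, so it only behaves as intended when loaded there."""
    head = bytes([JMP_ABS, origin & 0xFF, origin >> 8])
    return head + bytes(range(size - len(head)))   # filler pattern


def jmp_target_matches(mem: bytearray, addr: int) -> bool:
    """True if the JMP at `addr` points back to `addr`, i.e. the code is
    where it was assembled to run."""
    if mem[addr] != JMP_ABS:
        return False
    target = mem[addr + 1] | (mem[addr + 2] << 8)
    return target == addr


def simulate_boot(mem: bytearray) -> None:
    """A disk boot reads the boot sector into $800-$8FF; constructed filler
    stands in for whatever the boot put there."""
    mem[0x800:0x900] = bytes([0xEE]) * 0x100


def demuffin_workflow(program: bytes, move_cmd: str = "803<6000.8000M"):
    """Run the letter's four steps in the model.

    Returns (staged_ok, restored, runs_at_origin):
      staged_ok      - whether the copy at $6000 is at its expected address
      restored       - whether the bytes at $803 equal the staged program
      runs_at_origin - whether the moved copy is at the address it expects
    """
    mem = bytearray(MEM_SIZE)
    mem[STAGE:STAGE + len(program)] = program          # FIRST: BLOAD at $6000
    staged_ok = jmp_target_matches(mem, STAGE)         # wrong address: False
    simulate_boot(mem)                                 # SECOND: boot clobbers $800
    monitor_move(mem, move_cmd)                        # THIRD: 803<6000.8000M
    restored = bytes(mem[ORIGIN:ORIGIN + len(program)]) == program
    return staged_ok, restored, jmp_target_matches(mem, ORIGIN)


if __name__ == "__main__":
    prog = make_program(ORIGIN)
    print(demuffin_workflow(prog))   # expected: (False, True, True)
```

The first element of the result is the letter's warning in miniature: at $6000 the program's own absolute addresses point somewhere else, so it cannot be run there; only after the move does the image sit at $803 with its references consistent, and the $800 page the boot destroyed no longer matters because the staged copy was above it.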


Back to table of contents