CRACKING TECHNIQUES
(TABLE OF CONTENTS)
VOLUME I
--------
CHAPTER 1  CRACKING LOCKSMITH 4.0, 4.1
           AND GENERAL HINTS
           BY: AXE MAN
CHAPTER 2  SPECIAL TECHNIQUES
           BY: EARL BESTICK
CHAPTER 3  CRACKING A.B.M. AND USING
           MUFFIN TECHNIQUES
           BY: JIM PHELPS
CHAPTER 4  DEMUFFINS TO CRACK AND
           DEMUFFIN PLUS
           BY: RICHARD BRANDOW
CHAPTER 5  CRACKING SUPERSCRIBE
           BY: THE CLONEMAN
CHAPTER 6  CRACKING SHADOWHAWK I
           BY: CANDY MAN
CHAPTER 7  GENERAL TECHNIQUES
           BY: DISK ZAPPER
VOLUME II
---------
CHAPTER 1  CREATING A NEW MASTER OF
           SUPER-TEXT
           BY: DISK CRACKER
CHAPTER 2  USING THE RAM CARD AS A
           MAJOR CRACKING TOOL
           BY: AXE MAN
CHAPTER 3  MODIFYING THE MICROSOFT 16K
           RAM CARD FOR WRITE PROTECT
           AND USE AS FAKE ROM
           BY: SYSOP & AXE MAN
CHAPTER 4  MODIFYING THE ANDROMEDA RAM
           CARD FOR WRITE PROTECT
           BY: AXE MAN
*******    MODIFYING THE APPLE RAMCARD
           MAY BE FOUND IN SOFTALK IN
           THE DECEMBER 1981 ISSUE
CHAPTER 5  SOME PLACES TO LOOK FOR GOOD
           IDEAS AND HELP ON CRACKING
VOLUME III
----------
CHAPTER 1  DEMUFFIN CASTLE OF DARKNESS
           BY: BOZO NYC
CHAPTER 2  CRACKING VC-EXPAND
           BY: RICHARD BRANDOW
CHAPTER 3  CRACKING CYBORG
           BY: THE CLONEMAN
CHAPTER 4  CRACKING SOFTPORN
           BY: RICHARD BRANDOW
CHAPTER 5  COPYING VISITERM
           BY: RICHARD BRANDOW
CHAPTER 6  CRACKING VISICALC
           BY: RICHARD BRANDOW
CHAPTER 7  CRACKING VISIDEX
           BY: THE CLONEMAN
CHAPTER 8  CRACKING THE ELIMINATOR
           BY: RED REBEL
CHAPTER 9  CRACKING VISIFILE
           BY: RED REBEL
CHAPTER 10 CRACKING SUPERSCRIBE II
           BY: RED REBEL
MSG LEFT BY: AXE MAN
HERE IS A HEX LISTING FOR THE NEXT MSG.
0300:A0 00 B9 00 20 99 00 80
0308:C8 D0 F7 EE 04 08 EE 07
0310:08 AD 07 08 C9 B6 D0 EA
0318:20 93 FE 20 89 FE A9 C0
0320:85 31 A9 9B 85 33 A9 00
0328:8D 00 02 20 2F FB 20 58
0330:FC A9 06 85 22 20 58 8C
0338:20 99 8F 13 0B 20 72 8C
0340:20 99 8F 4D 08 20 99 8F
0348:3C 0B 4C 29 12 D4 C5 C3
0350:C8 A0 C9 D3 A0 C8 C5 CC
0358:CC A0 A0 AD BE A0 CF C3
0360:D4 CF C2 C5 D2 A0 B1 B3
0368:AC A0 B1 B9 B8 B1 A0 BC
0370:AD A0 8D
SPECIAL NOTE: THIS HAS NOW BEEN ADDED
TO THE DOWNLOAD FUNCTION.
^^^ SYSOP ^^^
***************************************
MSG LEFT BY: AXE MAN
1) BOOT THE BEST COPY PROGRAM AVAILABLE
2) PRESS RESET FROM THE MAIN MENU
CONTINUE PRESSING RESET UNTIL THE
DISK DRIVE STOPS.
3) TYPE FROM THE MONITOR:
2000<0800.1FFFM
4000<8000.B5FFM
4) BOOT A 48K SLAVE (NON-MASTER)
DISKETTE.
5) TYPE IN THE FOLLOWING:
800<2000.37FFM
2000<4000.75FFM
6) TYPE IN THE HEX IN THE PREVIOUS
MESSAGE AT $0800 HEX.
7) THEN BSAVE THE PROGRAM,A$800,L$4DFF
THAT'S IT.
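The listing Axe Man posted uses the Apple II monitor's entry format (ADDRESS:BYTE BYTE ...), and the procedure that follows it moves blocks with the monitor's DEST<START.ENDM command. As an added example that is not part of the original messages, here is a Python parser for that listing format with a contiguity check (each line's address must follow from where the previous line ended, which catches a byte dropped or duplicated while a listing is copied by hand), a decoder for the high-bit ASCII text the listing ends with, and a model of the move command. LISTING reproduces the posted bytes; the memory filler is constructed; parse_listing, decode_high_ascii, monitor_move, run_move_command and listing_message are names chosen here.

```python
import re

# Sample input: the listing Axe Man posted above, reproduced for the parser.
LISTING = """\
0300:A0 00 B9 00 20 99 00 80
0308:C8 D0 F7 EE 04 08 EE 07
0310:08 AD 07 08 C9 B6 D0 EA
0318:20 93 FE 20 89 FE A9 C0
0320:85 31 A9 9B 85 33 A9 00
0328:8D 00 02 20 2F FB 20 58
0330:FC A9 06 85 22 20 58 8C
0338:20 99 8F 13 0B 20 72 8C
0340:20 99 8F 4D 08 20 99 8F
0348:3C 0B 4C 29 12 D4 C5 C3
0350:C8 A0 C9 D3 A0 C8 C5 CC
0358:CC A0 A0 AD BE A0 CF C3
0360:D4 CF C2 C5 D2 A0 B1 B3
0368:AC A0 B1 B9 B8 B1 A0 BC
0370:AD A0 8D
"""

ENTRY_RE = re.compile(r"^\s*([0-9A-Fa-f]{1,4}):((?:\s*[0-9A-Fa-f]{2})+)\s*$")
MOVE_RE = re.compile(r"^\s*([0-9A-Fa-f]{1,4})<([0-9A-Fa-f]{1,4})\.([0-9A-Fa-f]{1,4})M\s*$")


def parse_listing(text):
    """Parse monitor entry lines into (start_address, bytes).

    Each line must begin exactly where the previous one ended; a gap or
    overlap means a byte was dropped or duplicated while the listing was
    copied, so it is reported instead of silently accepted."""
    start, expected, data = None, None, bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a monitor entry: {line!r}")
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if expected is None:
            start = addr
        elif addr != expected:
            raise ValueError(
                f"line {lineno}: expected ${expected:04X}, found ${addr:04X}")
        data += chunk
        expected = addr + len(chunk)
    if start is None:
        raise ValueError("empty listing")
    return start, bytes(data)


def decode_high_ascii(data):
    """Apple text is stored with bit 7 set; $8D is a carriage return."""
    return "".join(chr(b & 0x7F) for b in data)


def monitor_move(mem, dest, first, last):
    """DEST<FIRST.LASTM: copy FIRST..LAST (inclusive) to DEST. Returns bytes moved."""
    count = last - first + 1
    if dest + count > len(mem):
        raise ValueError("move runs past the end of memory")
    mem[dest:dest + count] = bytes(mem[first:first + count])  # copy first: ranges may overlap
    return count


def run_move_command(mem, command):
    """Apply one monitor move command such as '2000<0800.1FFFM' to mem."""
    m = MOVE_RE.match(command)
    if m is None:
        raise ValueError(f"not a move command: {command!r}")
    dest, first, last = (int(x, 16) for x in m.groups())
    return monitor_move(mem, dest, first, last)


def listing_message(text=LISTING):
    """Return the high-ASCII string embedded in the listing (from $034D up to the $8D)."""
    start, data = parse_listing(text)
    tail = data[0x34D - start:]
    return decode_high_ascii(tail[:tail.index(0x8D)])


if __name__ == "__main__":
    start, data = parse_listing(LISTING)
    print(f"${start:04X}: {len(data)} bytes")
    print(repr(listing_message()))
    mem = bytearray(0x10000)
    mem[0x0800:0x2000] = bytes(range(256)) * 24   # constructed filler for $0800-$1FFF
    print(run_move_command(mem, "2000<0800.1FFFM"), "bytes moved")
```

The contiguity check is the part worth keeping around: a hand-copied listing that skips an address is the most common reason a typed-in patch does something other than what its author saw.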
***************************************
MSG LEFT BY: AXE MAN
AHOY YE MATIES- IT SEEMS THAT THAR
NEW LOCKSMITH 'AS CHANGED ITS
LOCATIONS INTERNALLY, HAR-D-HAR
BUT WE HAVE FOUND THE CORRECT ONES
YES. TO FIX THIS 'TECH' PATCH,
USE THE FOLLOWING:
AFTER BLOADING THE PATCH AT $800,
BUT BEFORE BSAVING THE ENTIRE
LS PROGRAM, GET INTO MONITOR AND
TYPE:
84A:4C 3D 12
839:9B
841:9B
846:9B
BE YE WARNED THIS DOESN'T WORK FOR
4.0 BUT ONLY FOR 4.1
***************************************
MSG LEFT BY: AXE MAN
SINCE THERE SEEMS TO BE A LACK OF
ENTRIES TO THE CONTEST, HERE IS ONE:
GENERAL HINTS -
- USE A NON-AUTOSTART APPLE
- USE A RAM-CARD
PLACE A COPY OF THE MONITOR ROM IN
THE RAM CARD, AND PUT IN CERTAIN
PATCHES THAT INFORM YOU OF THE CALLING
ADDRESS OF CERTAIN SYSTEM ROUTINES
(LIKE THE KEYBOARD INIT, ETC)
- PUT A RESET-ROUTINE IN THE RAM CARD
THAT MOVES LO-RAM INTO HI-RAM UPON
PRESSING THE BUTTON (GREAT FOR CODE
THAT RESIDES IN THE TEXT SCREEN)
- THEN ANALYZE CODE THAT YOU CAN GET
TO ABOVE $800.
- MOVE THE DOS BOOT PROM IMAGE TO $9600
AND CHANGE $96F8 TO GO TO MONITOR SO
YOU CAN SEE WHAT WAS LOADED AT $800.
- YOU CAN 'BREAKPOINT' THE ENTIRE BOOTUP
PROCESS BY SUBSTITUTING JUMPS TO YOUR
ROUTINES IN THEIR CODE.
- IF YOU LOSE DOS, YOU CAN SAVE MACHINE
CODE TO TAPE, AND THEN LOAD IT IN
LATER (PRIMITIVE, BUT WORKS GREAT !)
- IF WORST COMES TO WORST, JUST LOOK FOR
ANYTHING INTERESTING IN THE CODE IN
MEMORY (TRY OUT SOME ROUTINES, BUT
OPEN THE DISK DOOR FIRST !)
HOPE THAT HELPS........
***************************************
MSG LEFT BY: EARLE BESTICK
TRIED & TRIED & TRIED TO CRACK A DISK
BUT ONLY MANAGED TO BEND ONE !
'TILL AFTER MANY TRIES, I SUCCEEDED.
MY MAGIC FORMULA FOLLOWS AND WILL WORK
ON ANY DISK OF ANY MANUFACTURER.
1. PUT DISK IN DEEP FREEZE FOR 24 HRS.
2. TAKE DISK OUT OF FREEZER AND WITH
A BRISK MOVEMENT, BRING SHARPLY AGAINST
THE EDGE OF COUNTER, DESK, OR THE LIKE.
THIS WILL CRACK IT FOR SURE.
***************************************
MSG LEFT BY: JIM PHELPS
HERE'S ONE FROM THE I.M.F. ON CRACKING.
YOU CAN CRACK A.B.M. (MUSE) BY DOING
THE FOLLOWING:
1) BOOT UP THE DISK AND PRESS CTRL-C
BEFORE IT FINISHES BOOTING.
2) TYPE NEW AND CATALOG THE DISK (THIS
SHOULD CATALOG; IF NOT, RE-BOOT AND GO
BACK TO 1)
3) LOAD THE BASIC PROGRAMS 1 BY 1,
SAVING EACH ONE ON TAPE BEFORE LOADING
THE NEXT. AFTER 1 IS SAVED, RE-BOOT A
SLAVE DISK, LOAD THE PROGRAM FROM THE
TAPE, MAKE SURE IT LOOKS RIGHT AND
SAVE IT UNDER THE SAME NAME AS ON THE
A.B.M. DISK. (DO THIS FOR EACH BASIC
PROGRAM ON THE DISK)
4) BLOAD THE MACHINE LANGUAGE PROGRAMS
AND EITHER MAKE NOTE OF THE START
AND THE LENGTH BY LOOKING AT LOCATIONS
AA61,AA62 FOR LENGTH AND AA72,AA73 FOR
THE STARTING ADDRESS; OR BLOAD THEM AT
LOCATION 2000 AND ESTIMATE THE
LENGTH.
CONTINUED AT NEXT MESSAGE
***************************************
MSG LEFT BY: JIM PHELPS
5) AFTER THAT IS DONE, MOVE ONE MACHINE
PROGRAM AT A TIME INTO LOCATION 2000
AND RE-BOOT THE DISK YOU'RE SAVING
THE CRACKED VERSION ON. BSAVE THE SAME
NAME AND THE LOCATION YOU PUT IT AT.
6) NOW YOU BLOAD THE MACHINE PROGRAM
AT THE CORRECT LOCATION IN MEMORY AND
RESAVE IT UNDER THE SAME NAME AND THE
NOW CORRECT ADDRESS AND LENGTH.
7) YOU SHOULD NOW BE ABLE TO JUST RUN
THE HELLO PROGRAM AND THE GAME SHOULD
WORK. IF NOT, SEE IF YOU CAN FIGURE OUT
WHAT'S WRONG AND GO BACK AND REDO THAT
PART OF IT.
8) <<HINT>> IF YOU CANNOT FIND THE
ADDRESS AND LENGTH OF SOME OF THE
MACHINE PROGRAMS, A FEW ARE LISTED IN
SOME OF THE BASIC PROGRAMS.
GOOD LUCK
JIM PHELPS.
***************************************
MSG LEFT BY: JIM PHELPS
THIS IS JIM PHELPS AGAIN WITH ANOTHER
ENTRY TO THE CONTEST:
1) SOME DISKS CAN BE CRACKED SIMPLY
BY USING THE MUFFIN PROGRAM.
2) IF THE DISK YOU HAVE SAYS 'WILL
BOOT EITHER 13 OR 16 SECTOR' THEN
THE DISK IS SET UP IN 13 SECTOR FORMAT.
3) IF YOU HAVE A DISK LIKE THIS, TRY
MUFFINING IT. SOME PROBLEMS MAY OCCUR
AFTER YOU MUFFIN IT, SO HERE ARE A FEW
EXAMPLES: MISSILE DEFENSE CAN BE
MUFFINED, HOWEVER YOU MUST CHANGE A
LOCATION IN THE MACHINE PROGRAM NAMED
'MISSILES' SOMEWHERE IN THE 9000 PAGE
OF MEMORY. THESE 2 LOCATIONS ARE JSR'S
TO ANOTHER SUBROUTINE IN THE 9000 PAGE
WHICH MAKE THE PROGRAM ATTEMPT TO READ
THE DISK LOOKING FOR A NIBBLE COUNT.
IF THIS IS NOT FOUND THE PROGRAM STOPS.
SIMPLY CHANGE THESE 2 JSR'S TO "EA"'S
AND RE-BSAVE THE PROGRAM AND IT SHOULD
WORK FINE.
4) ANOTHER PROGRAM THAT CAN BE MUFFINED
IS SOFTPORN ADVENTURE. THIS WILL MUFFIN
O.K. BUT IN THE HELLO PROGRAM SIMPLY
DELETE LINE 378 AND IT WILL RUN FINE.
***************************************
MSG LEFT BY: JIM PHELPS
HERE'S A LITTLE EXTRA INFO ON CRACKING
A.B.M.:
THE ADDRESS TO BLOAD THE 2 CONTROL
PROGRAMS CAN BE FOUND IN THE BASIC
PROGRAM 'ADJUST'. THEY BOTH HAVE THE
SAME ADDRESS WHICH IS A$300. THEY
ALSO HAVE THE SAME LENGTH, WHICH I DON'T
KNOW OFFHAND BUT THAT CAN BE FOUND NEAR
THE END OF THE LISTING IN ADJUST.
ALSO THE BASIC PROGRAM ABM MUST BE
CHANGED TO JUST MACHINE LANGUAGE. THIS
CAN BE DONE EASILY BY JUST SAVING THE
MACHINE LANGUAGE INFO BETWEEN $80F AND
$2000 TO TAPE, THEN RELOADING IT ONCE
RE-BOOTED AND BSAVING IT. THE HELLO
AND ADJUST PROGRAMS MUST THEN BE
CHANGED SO THAT THEY SAY 'BRUN ABM'
INSTEAD OF 'RUN ABM'. AS FOR THE
MACHINE FILE 'PIC', IT'S OBVIOUS THAT
THIS IS A PICTURE AND CAN BE SIMPLY
BLOADED (WHICH PUTS IT BETWEEN $2000
AND $4000), RE-BOOTED, AND BSAVED ON
YOUR CRACKED DISK WITH NO PROBLEM
WHATSOEVER. IF THIS DOESN'T WORK, LEAVE
ME ANOTHER LETTER EXPLAINING WHAT'S
WRONG AND I'LL RE-DO IT AGAIN.
JIM PHELPS
***************************************
MSG LEFT BY: RICHARD BRANDOW
THERE ARE TWO DEMUFFINS,
1.DEMUFFIN.....WRITES 3.2 FORMAT
2.DEMUFFIN.PLUS.......3.3 FORMAT
1.DEMUFFIN.
1.BLOAD MUFFIN
2.CALL -151
3.TYPE THE FOLLOWING
1155:00 1E
115B:D9 03
1197:A0 20
15A0:A0 D2 C5 D3 C9 C4 C5 CE D4
15A9:A0 C4 AE CF AE D3 AE
15B6:B2
15F7:C4 C5
20A0:A9 1E 8D B9 B7 20 FD AA 48
20A9:A9 BD 8D B9 B7 68 60
4.BSAVE DEMUFFIN,A$803,L$1900
2.DEMUFFIN PLUS
1.BOOT 3.3 DOS
2.TYPE INT (FOR INTEGER)
3.BLOAD MUFFIN
4.CALL -151
5.TYPE THE FOLLOWING
A.D4D5G (INITIALISES THE PGRM AND
RELOCATION CODE)
B.1900 B800.BFFF CTRL-Y (RELOCATES
THE ROUTINE)
C.1900 B800.BA10 CTRL-Y
D. .BC57M
E. .BFFF CTRL-Y
F. 1155:00 1E
115B:D9 03
1197:A0 20
15A0:A0 D2 C5 D3 C9 C4 C5 CE
15A8:D4 A0 C4 AE CF AE D3 AE
15F7:C4 C5
20A0:A9 1E 8D B9 B7 20 FD AA
20A8:48 A9 BD 8D B9 B7 68 60
6. BSAVE DEMUFFIN PLUS,A$803,L$1900
EXPLANATIONS *
THESE DEMUFFINS WILL CRACK MOST
DISKETTES CONTAINING APPLESOFT PGRMS.
USE THEM AS YOU WOULD REGULARLY, BUT
BE SURE THAT YOU ARE USING THE CORRECT
DEMUFFIN FOR THE DOS.
IF A FILE DOESN'T TRANSFER, TRY IT
AGAIN. IF YOU GET AN I/O ERR, 'BYPASS
THE PROBLEM FILE'.
INSTRUCTIONS**
1. CONVERT MUFFIN INTO DEMUFFIN.
2. BLOAD DEMUFFIN. SAVE TO TAPE.
3. TYPE IN THE RWTS PGRM. SAVE TO DISK.
4. PEEK AT THE VTOC LOCATION ON THE
PROTECTED DISK.
5. RUN MAP MOVE.
6. BOOT THE PROTECTED DISK.
7. FLIP THE INT CARD UP AND HIT RESET.
8. LOAD DEMUFFIN FROM TAPE.
9. TYPE 10A1:(PUT HERE THE LOCATION OF
THE VTOC YOU FOUND)
10. TYPE 3D0L
YOU SHOULD SEE THIS:
03D0- 4C BF 9D
03D3- 4C 84 9D
03D6- 4C FD AA
03D9- 4C B5 B7
03DC- AD 0F 9D
03DF- AC 0E 9D
03E2- 60
03E3- AD C2 AA
03E6- AC C1 AA
03E9- 60
03EA- 4C 51 AA
03ED- EA
03EE- EA
03EF- 4C 59 FA
03F2- BF
03F3- 9D 38 4C
03F6- 58
03F7- FF
03F8- 4C 65 FF
03FB- 4C 65 FF (IF IT DOESN'T, THEN
CHANGE IT SO IT DOES)
TYPE 803G (YOU'LL BE IN DEMUFFIN)
IF YOU WANT THE MAP MOVE PGRM (WHICH IS
NOT OBLIGATORY) I'LL LEAVE IT LATER
***************************************
MSG LEFT BY: THE CLONEMAN
HOW I CRACKED SUPERSCRIBE II VER 3.2
OVER CHRISTMAS WEEKEND. BY THE CLONEMAN
1. FID EVERYTHING TO A DOS 3.3 DISK
NOTE: MY PIRATED COPY OF SSII CAME
UNDER DOS 3.3, I.E. V3.2 IS NOT
DOS 3.2!!
2. LOAD EDITORA AND NOTICE THAT PROGRAM
STARTS AT $4003. BLOAD EDITOR.OBJ0
AND SCAN THROUGH THE CODE. NOTICE
THE ENTRY OF $55 AND $61 AT VARIOUS
LOCATIONS. THESE ALLOW A JMP TO
$6155 AT THE JMP $FF58 LINE.
3. THE CODE AT $6155 INSTRUCTS THE
EOR'ING OF THE JUMBLED CODE FROM
$616C TO ABOUT $626F. TEMPORARILY
ENTER A $00 AT $616B AND THEN DO A
4003G TO SEE WHAT IT LOOKS LIKE.
4. THE PROGRAM GOES ON TO CHECK
LOCATIONS ON TRACK 02 AND 03, I THINK,
AND LOAD DATA INTO $9700, I THINK.
5. NOTICE THE CMP STATEMENT AT $6219.
DISABLING THIS STATEMENT DISABLES
THE NIBBLE COUNTER. OTHERWISE THE
PROGRAM GOES TO $622F AND CLEARS
MEMORY!
6. THE BEST WAY TO DISABLE THE CMP IS
TO CHANGE IT TO COMPARE $9704,Y
WITH ITSELF!!....GO TO NEXT MSG
FOR MY CONCLUSION
***************************************
MSG LEFT BY: THE CLONEMAN
7. OF COURSE SIMPLY CHANGING $621A TO
$04 WILL NOT WORK, REMEMBER THE EOR?
YOU WILL HAVE TO FIGURE OUT YOURSELF
WHAT VALUE WHEN EOR'ED GIVES $04!
ENTER THAT VALUE IN A FRESHLY
BLOADED COPY OF EDITOR.OBJ0 INTO
LOCATION $621A. NOW SAVE THE ALTERED
EDITOR.OBJ0.
8. RUN INTEGER AND YOUR FIDED COPY
SHOULD WORK FINE AS LONG AS YOU
DON'T ENTER THE PRINTOUT MODE!
9. ON-LINE MADE IT SIMPLE FOR ME SINCE
IT USED A SIMILAR PROTECTION SCHEME
IN THE RUNOFF.OBJ0 AS IN EDITOR.OBJ0.
HOWEVER THEY DID PLACE THE CODE AT
A DIFFERENT LOCATION. YOU SHOULD
BE ABLE TO FIND THE LOCATION IN THE
RUNOFF EASILY. AGAIN DO A PATCH AT
THE CMP $9700,Y STATEMENT.
WELL, I HOPE THIS HELPS SOME OF YOU.
IT WAS MY FIRST VENTURE INTO CRACKING
AND WAS MOTIVATED BY MY INABILITY TO
BACKUP THE PROGRAM WITH EITHER NIBAW
OR LS WITH A SINGLE DRIVE.
CHANGE 4E2F:51 (WAS 55)
CHANGE 621A:51 (WAS 55)
***************************************
MSG LEFT BY: CANDY MAN
SHADOWHAWK CRACKED
BLOAD HEAD.PIC
CALL -151
4000:60
BSAVE HEAD.PIC,A$2000,L$2150
BLOAD HAWK.PIC
CALL -151
4000:60 60 60 60 60 60 60 60
4008<4000.4007M
4010<4000.400FM
4020<4000.401FM
4040<4000.403FM
4080<4000.407FM
4100<4000.40FFM
BSAVE HAWK.PIC,A$2000,L$2150
THAT'S IT
ANY NIBBLE COUNTER NEEDS TO ACCESS
LOCATIONS C080-C08F+16*SLOT #
THESE LOCATIONS CAN BE FOUND WITH
DISKSCAN PROGRAM AVAILABLE ON D.
***************************************
MSG LEFT BY: DISK ZAPPER
THERE ARE SEVERAL 'KEY' BYTES IN THE
APPLE THAT ARE ALTERED AS SOON AS THE
*RESET* KEY IS PRESSED. THERE ARE
ALSO BYTES WHICH ARE ALTERED AS SOON
AS A KEY IS PRESSED AFTER RESET.
MANY PROTECTED PROGRAMS USE THESE BYTES
AS 'KEYS' - IF A CERTAIN NUMBER IS NOT
IN IT.....BOOM!
FOR EXAMPLE, SPACE RAIDERS REQUIRES
THAT ADDRESS $21 CONTAINS A #$26.
SO, WHATCHA DO IS THIS:
AFTER PRESSING RESET (WITH INTEGER
SET UP) LOOK THROUGH THE MACH LANG
TO SEE IF IT CHECKS CERTAIN BYTES.
HERE IS A PARTIAL LIST : 20-26, 36-39,
4E-4F
SEE WHAT THE PROGRAM LOOKS FOR. THEN,
SIMPLY SET THOSE ADDRESSES TO THE
CORRECT BYTE AND FIND THE STARTING
ADDRESS (SOMETIMES SHOWN AT 3F2.3F3
BUT MOSTLY YOU'LL HAVE TO LOOK FOR IT.
SOMETIMES IT WILL HAVE A LDA $C050
WHICH IS USUALLY NEAR THE START OF
THE PROGRAM).
***************************************
MSG LEFT BY: DISK ZAPPER
ZAPPER CONTEST CONTINUED...
THE PROGRAM MAY USE $200-2FF FOR
STORING PROGRAM. AS SOON AS YOU
PRESS A KEY, 200+ IS DESTROYED.
WHAT ONE CAN TRY IS TO TYPE 1FF
AND HIT RETURN. THEN BOOT THE DISK,
PRESS RESET AND RETURN. IT MAY SHOW
200-207. IF SO, THEN YOU ONLY HAVE
ONE BYTE (200) TO WORRY ABOUT. IF
NOT THEN YOU CAN (A) PRESS RETURN
5000 TIMES TILL IT DOES SHOW 200-207
(B) LOOK FOR SOMETHING WHICH LOOKS
LIKE WHAT'S IN 200-2FF SOMEPLACE ELSE
(THEY SOMETIMES START ELSEWHERE AND
MOVE IT TO 200)
(C) CRY.
AS FOR SAVING $400-7FF, THE BEST I
CAN THINK OF IS TO COPY THE TOP LINE
HOPING FOR NO ERRORS AND MAKE THE FIRST
LINE TYPED 800<400.7FFM, THEN LOOK
THROUGH 800-BFF TO CHECK IT OUT.
SOMETIMES 400-7FF WILL BE FULL OF JUNK
AND NOT BE NEEDED.
ONE HILARIOUS NOTE: SOMETIMES THEY
LEAVE THEIR RWTS SUBROUTINE INTACT
(ZORK DOES THIS) ENABLING YOU TO READ
THEM DIRECTLY. BUT I HAVEN'T EXPLORED
THIS TOO MUCH.
CORDIALLY YOURS
-------->
>>> DISK ZAPPER <<<
MSG LEFT BY: DISK CRACKER
TO COPY SUPER-TEXT (ALL VERSIONS), FIRST
MAKE A COPY USING THE SUPER-TEXT COPY
PROGRAM. THIS COPY WILL DO EVERYTHING
EXCEPT BOOT-UP. TO MAKE IT BOOT ALSO,
USE LOCKSMITH 4.1 TO COPY TRACKS $0-$2.
COPY THEM UNSYNC, AND WITH MANUAL ERROR
RETRY. DON'T SET HALF TRACKS EITHER;
DO IT ALL MANUALLY. THIS WILL MAKE A
MASTER COPY OF THE SUPER-TEXT DISK.
GOOD COPYING!!!!
***************************************
MSG LEFT BY: AXE MAN
SOME OF THE ENTRIES ARE AMUSING, ESP.
THE BRUTE FORCE METHOD OF CRACKING.
THERE ARE EVEN SOME THINGS LISTED THAT
WON'T WORK!!!! FIRST LET'S CLEAR UP
SOME COMMON MISCONCEPTIONS ABOUT WHAT
HAPPENS WHEN A PERSON PRESSES RESET.
1) NOTHING HAPPENS (AT ALL) TO ANY
MEMORY LOCATION UNTIL THE 'RESET'
PROCESS ROUTINE DOES SO.
2) THIS RESET PROCESS ROUTINE CAN BE
MADE SO THAT MEMORY IS >NOT< WIPED OUT.
3) ONLY THE REGISTERS AND PROGRAM CNTR
ARE MODIFIED WHEN RESET IS PRESSED
INITIALLY.
- WHEN THE RESET KEY IS PRESSED, THE
6502 (THE LONG, SOMEWHAT WIDE CHIP
RESIDING BEHIND THE OTHER NOT SO LONG
WIDE CHIPS, FOR THE UNINFORMED) TAKES
WHATEVER DATA (BYTES, NUMBERS, WHATEVER)
IN THE LOCATIONS $FFFC AND $FFFD AND
INTERPRETS THAT AS THE ADDRESS.
THEN THE 6502 JUMPS TO THAT ADDRESS TO
PROCESS THE RESET. IF THERE IS A ROM
IN THE $FF00 PAGE, THEN THERE IS NO
CHOICE BUT TO GO TO THE REGULAR RESET
ROUTINE. HOWEVER, SHOULD YOU BE THE
LUCKY OWNER OF A RAM CARD, YOU CAN
MAKE THE RAM THINK IT IS ROM!!! THE
KEY IS IN THE NEXT MESSAGE.
***************************************
MESSAGE FROM AXE MAN
NOW, MOST RAM CARDS, WHEN RESET IS
PRESSED, WILL RE-ENABLE THE ROM MONITOR
(THIS INCLUDES THE LANGUAGE CARD, MICRO-
SOFT'S CARD, AND ANY OTHERS THAT DON'T
HAVE THAT SWITCH ON THE BACK). THE
ANDROMEDA RAM CARD HAS A LITTLE SWITCH
ON THE BACK THAT FORCES THE CONTENTS
OF THE RAM CARD TO ACT LIKE THE ROM
UPON RESET. NOW, DUE TO THE FACT THAT
MOST PROTECTION SCHEMES LIKE TO USE THE
NORMAL TEXT PAGE ($400-$800) TO STORE
INITIALIZATION AND BOOTUP ROUTINES THAT
ARE ESSENTIAL FOR THE PROGRAM TO RUN IN
HIGHER MEMORY, SOME WAY HAS TO BE USED
THAT DOESN'T ALTER ANY OF THE MEMORY
FROM $0-$7FF. NOW, WOULDN'T IT BE NICE
IF WE COULD, UPON RESET, MOVE ALL OF
THE MEMORY FROM $0-$7FF TO $800 AND UP?
YES, IT WOULD. THAT WAY, WE COULD
EXAMINE IT AT OUR LEISURE TO FIND OUT
WHAT IS GOING ON IN OUR TEXT PAGE THAT
THE PROGRAM MAKERS WANTED TO HIDE SO
BADLY. YOU CAN SAVE THIS STUFF ON A
DISKETTE (REMEMBER TO PUT IT WHERE
THE DOS BOOTUP WON'T BOTHER IT, SAY
$5000-$57FF FOR 48K SLAVE DISKETTES)
AND THEN LOAD IN THE PROGRAM AGAIN,
THIS TIME TO GET THE STUFF IN HIGHER
MEMORY ($800-$BFFF). NOW YOU WILL HAVE
THE COMPLETE IMAGE OF THE PROGRAM IN
TWO OR MORE FILES. THE BEST WAY TO
INTERPRET THESE FILES IS TO FIND OUT
WHERE THE 2ND STAGE BOOT GOES TO (SEE
MY PREVIOUS MESSAGE ABOUT MOVING THE
DISK ROM INTO RAM) AND THEN TRACING
THE EXECUTION FROM THERE BY LOOKING
AT THE CODE YOU HAVE (REMEMBER THAT
YOUR ADDRESSES WILL BE OFFSET BY
A CERTAIN AMOUNT (I.E. $400 WILL BE
$C00 IF YOU MOVED THE MEMORY TO $800))
TO SEE WHERE THE INITIALIZATION POINT
IS. THIS IS GENERALLY WHERE THE A,
X OR Y REGISTERS ARE LOADED WITH SOME
CONSTANTS AND PLACED ELSEWHERE IN
MEMORY TO SET UP THE PROGRAM. ONCE THIS
LOCATION IS FOUND, ALL OF THE FILES CAN
BE LOADED IN THEIR CORRECT PLACES USING
BLOADS, AND THEN A CALL CAN BE MADE TO
THE PLACE YOU THINK THAT THE PROGRAM
STARTS. NOTE THAT ALL OF THIS ONLY
WORKS IF THE PROGRAM DOESN'T DETECT THE
RAM CARD AND DOESN'T PUT ITS OWN
INTERRUPT PROCESSING ROUTINE IN THE
RAM. (ADD A SWITCH TO TRULY WRITE
PROTECT YOUR RAM CARD AND ALL WILL BE
FINE).
HERE IS A SKELETAL ROUTINE THAT CAN
BE ASSEMBLED INTO YOUR RAM CARD:
RESET  LDY #0        ;SET UP Y-REG
L1     LDA SOURCE,Y
L2     STA DEST,Y
L3     INY
       BNE L1
       INC L2-1      ;INCREMENT SOURCE LOC (HI BYTE)
       INC L3-1      ;INCREMENT DEST LOC (HI BYTE)
       LDA L3-1      ;HI BYTE OF DEST (NOT L3, WHICH IS THE INY OPCODE)
       CMP #ENDPG    ;SEE IF DONE
       BNE L1
;
; USE THIS IF YOU ARE GOING TO POP INTO
; MONITOR
;
       LDA $C082     ;DESELECT RAM, GET ROM
       JMP $FF65     ;ENTER REGULAR APPLE MONITOR
;
TO INITIALIZE THIS ROUTINE, DO THIS:
       LDA #RADDR/256
       STA $FFFD
       LDA #RADDR MOD 256
       STA $FFFC
PUT THAT CODE IN THE RAM CARD BY
DOING TWO READS FROM C083 AND
MOVE THE CODE UP. THE RADDR IS THE
ADDRESS OF THE RESET ROUTINE THAT MOVES
THE MEMORY, AND IS PLACED IN THE RESET
VECTOR. FOR MORE INFO ON HOW TO WRITE
PROTECT YOUR RAM CARD, CONTACT THE
SYSOP (MAYBE HE'LL HAVE KITS....)
- - - - - - - - - - - - - - - - - - -
GENERAL ADDITIONAL CLUES -
BDOS BASED PROGRAMS WRITTEN IN BASIC
USUALLY MAKE $D6 NON-ZERO, WHICH CAUSES
ANY FP PROGRAM TO AUTO RUN UPON A
RETURN FROM THE KEYBOARD AT AN APPLESOFT
PROMPT. DOS 3.3 PROTECTED PROGRAMS
(REALLY 16 SECTOR) SOMETIMES CHANGE
THE CATALOG TRACK (AT $AC01) TO
SOMETHING OTHER THAN $11 (17 DEC.).
WHEREVER POSSIBLE, THE PROGRAM'S
DOS CAN BE USED AGAINST IT BY FINDING
WHERE IT BEGINS, AND USING THAT AS
THE ROUTINES THAT A COPY PROGRAM USES
FOR RWTS. (THE RWTS USUALLY STARTS ON
A $XD00 BOUNDARY, WITH THE FIRST TWO
INSTRUCTIONS BEING STY 48 STA 49 (HEX
CODES 84 48 85 49)). NIBBLE COUNTING
CAN BE DEFEATED BY FINDING THE ROUTINE
THAT COUNTS THE NIBBLES, AND MAKING IT
READ CORRECT NIBBLES WITHOUT EVER
ACCESSING THE DISKETTE ! BY THE WAY, IT
IS POSSIBLE TO DEFEAT LOCKSMITH, BIU,
AND OTHER NIBBLE COPIERS....
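Axe Man's message rests on two 6502 facts: on RESET the processor fetches its start address from $FFFC (low byte) and $FFFD (high byte), and the skeletal routine copies memory one 256-byte page at a time by bumping the high bytes of its own LDA/STA operands until the destination page reaches ENDPG. As an added example, not code from the message, here is a Python model of both so the behaviour can be checked without an Apple II: install_reset_vector mirrors the four-instruction initialisation, move_pages follows the loop instruction by instruction (comparing the destination high byte with ENDPG, as the routine's 'SEE IF DONE' comment calls for), and relocated_address gives the offset the text mentions ($400 becoming $C00 after a move to $800). All function names are chosen here, the 64K image and its filler are constructed, and $D000 is a hypothetical RADDR.

```python
def reset_vector(mem):
    """Address the 6502 jumps to on RESET: low byte at $FFFC, high byte at $FFFD."""
    return mem[0xFFFC] | (mem[0xFFFD] << 8)


def install_reset_vector(mem, raddr):
    """LDA #RADDR/256 / STA $FFFD / LDA #RADDR MOD 256 / STA $FFFC.
    On a real card this only sticks while the RAM is write-enabled
    (the message's two reads of $C083); here mem is plain RAM."""
    mem[0xFFFD] = (raddr >> 8) & 0xFF     # RADDR/256
    mem[0xFFFC] = raddr & 0xFF            # RADDR MOD 256
    return reset_vector(mem)


def move_pages(mem, source_page, dest_page, end_page):
    """Instruction-level model of the RESET routine.

    L1  LDA SOURCE,Y   ; SOURCE = source_page<<8, patched by INC L2-1
    L2  STA DEST,Y     ; DEST   = dest_page<<8,   patched by INC L3-1
    L3  INY / BNE L1   ; 256 bytes per pass
        INC L2-1 / INC L3-1
        LDA L3-1 / CMP #ENDPG / BNE L1

    ENDPG is the first page NOT written: the loop stops as soon as the
    destination high byte equals it. Returns the number of bytes moved."""
    src_hi, dst_hi, moved = source_page & 0xFF, dest_page & 0xFF, 0
    while True:
        y = 0
        while True:                                  # L1 .. BNE L1
            mem[(dst_hi << 8) | y] = mem[(src_hi << 8) | y]
            moved += 1
            y = (y + 1) & 0xFF
            if y == 0:
                break
        src_hi = (src_hi + 1) & 0xFF                 # INC L2-1
        dst_hi = (dst_hi + 1) & 0xFF                 # INC L3-1
        if dst_hi == (end_page & 0xFF):              # LDA L3-1 / CMP #ENDPG
            return moved


def relocated_address(addr, source_page, dest_page):
    """Where a byte that lived at addr ends up after the move."""
    return addr + ((dest_page - source_page) << 8)


def demo():
    """Move $0000-$07FF to $0800 (ENDPG = $10) on a constructed 64K image."""
    mem = bytearray(0x10000)
    for a in range(0x800):                       # constructed, recognisable filler
        mem[a] = (a * 7 + 3) & 0xFF
    before = bytes(mem[:0x800])
    moved = move_pages(mem, 0x00, 0x08, 0x10)
    vector = install_reset_vector(mem, 0xD000)   # hypothetical RADDR inside the card
    return moved, bytes(mem[0x800:0x1000]) == before, vector


if __name__ == "__main__":
    print(demo())
```

The model makes the ENDPG convention explicit: with SOURCE page $00, DEST page $08 and ENDPG $10, exactly eight pages ($0000-$07FF) are copied and page $10 is never touched, so a routine placed in the card must pick ENDPG one past the last page it wants moved.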
***************************************
MESSAGE FROM SYSOP AND AXE MAN
MODIFY THE 16K RAM BOARD - MICROSOFT
WRITE PROTECT:
LIFT PIN #3 FROM U18 CHIP & CONNECT
TO ONE SIDE OF SWITCH.
CONNECT SOCKET AND PIN #13 74LS175
TO CENTER OF SWITCH.
CONNECT TOP OF R3 TO OTHER SIDE OF
THE SWITCH.
R3---------------------O
                       !
                       / NORMAL OPEN
                       !
PIN #13----------------O
74LS175                !
                       / NORMAL CLOSED
                       !
PIN #3-----------------O
U18
CHANGES FOR RAM & ROM
LIFT PIN #3 FROM U14 CHIP & CONNECT
TO ONE SIDE OF SWITCH.
CONNECT SOCKET AND PIN #5 74LS175
TO CENTER OF SWITCH.
CONNECT GROUND TO OTHER SIDE.
GROUND-----------------O
                       !
                       / NORMAL OPEN
                       !
PIN #5-----------------O
74LS175                !
                       / NORMAL CLOSED
                       !
PIN #3-----------------O
U14
* * * * * * * W A R N I N G * * * * * *
THIS IS DONE AT YOUR OWN RISK
IT WILL VOID YOUR GUARANTEE
WE ASSUME NO RESPONSIBILITY FOR RESULTS
* * * * * * * W A R N I N G * * * * * *
***************************************
MSG LEFT BY: AXE MAN
IT SEEMS THERE'S A DEMAND FOR A W/P
SWITCH ON THE ANDROMEDA -- SO HERE IT
IS ...
LOCATED ON THE ANDROMEDA RAM CARD IS
A PIN NUMBER 25 WHICH HAPPENS TO BE
THE POWER (+5V) PIN. IF THIS PIN IS
FOLLOWED ONTO THE PC BOARD, THERE WILL
BE TWO RESISTORS (SMALL TUBE-LIKE
THINGS WITH COLOR BANDS AND ONE LEAD
OUT OF EACH END). AT ONE END THE POWER
WILL GO INTO THIS RESISTOR, AT THE
OTHER ANOTHER TRACE WILL GO OFF TO SOME
OF THE OTHER ELECTRONICS ON THE BOARD.
WE WANT TO USE THE END THAT HAS THE
TRACES GOING TO OTHER CHIPS ON THE
BOARD. (CALL THIS POINT #1 (USE EITHER
RESISTOR - THERE ARE TWO)). POINT
NUMBER TWO IS WHERE PIN 18 FROM THE
APPLE CONNECTOR (7 PINS DOWN FROM 25 ON
THE SAME SIDE) ENTERS ONTO THE PC BOARD
AND IMMEDIATELY GOES THROUGH TO THE
OTHER SIDE (AFTER ABT 1/2 "). THIS
IS POINT #2. IF YOU TRACE WHERE THE
THING COMES OUT ON THE OTHER SIDE,
YOU'LL FIND OUT THAT IT POPS BACK ON
THE SIDE IT STARTED FROM ABOUT 1/2"
LATER... THIS LITTLE LINK IS WHERE WE
CUT THE TRACE TO INSERT THE SWITCH.
(CONT'D NEXT MESSAGE)
***************************************
MSG LEFT BY: AXE MAN
OK, WE CUT THE TRACE BETWEEN THE TWO
POINTS THAT IT GOES THROUGH THE PC
BOARD. LABEL THE OTHER PLACE WHERE THE
TRACE GOES THROUGH POINT#3. NOW WE
WILL ATTACH AN SPDT SWITCH TO THE BOARD
SOLDER ONE WIRE TO POINT 3, AND ATTACH
IT TO THE CENTER TERMINAL OF THE SWITCH
THEN SOLDER A WIRE TO POINT 1 AND
ATTACH IT TO EITHER SIDE OF THE CENTER
SWITCH. LASTLY, TAKE A WIRE AND SOLDER
IT TO POINT 2 AND THEN TO THE UNUSED
PIN ON THE SWITCH. THERE YOU HAVE IT!
WHEN THE SWITCH HANDLE IS ON THE SAME
SIDE AS THE WIRE FROM POINT #1, REG-
ULAR OPERATION WILL TAKE PLACE. IF THE
SWITCH IS THROWN IN THE OTHER DIRECTION
THE CARD WILL BE WRITE PROTECTED.
(*PLEASE NOTE THAT THIS MODIFICATION
WILL VOID YOUR WARRANTY AND THAT THE
USER ASSUMES AND WILL BE RESPONSIBLE
FOR ALL RISKS AND DAMAGES INCURRED IN
THE MAKING OR THE USE OF THIS MOD-
IFICATION, AND THAT THIS MODIFICATION
IS NOT GUARANTEED TO BE SUITABLE FOR
ANY PARTICULAR PURPOSE*)
MSG LEFT BY: BOZO NYC
WELL, NOW THAT ALL OF YOU KNOW ALL
THERE IS TO KNOW ABOUT DEMUFFIN;
HERE'S A GOOD CANDIDATE!
CASTLE OF DARKNESS CRACKS AFTER THE
STANDARD DEMUFFIN TREATMENT...
NO PATCHING NEEDED! ------>BOZO NYC
***************************************
MSG LEFT BY: RICHARD BRANDOW
CRACKING VC-EXPAND
FOR THOSE OF YOU , LIKE ME , WHO
BOUGHT THEMSELVES A 32K RAM CARD,
THERE IS A SPECIAL PROGRAM CALLED:
VC-EXPAND ( IT EXPANDS THE VISICALC
PROGRAM) .
THE DISK IS PROTECTED, BUT NOT FOR
LONG! HERE IS HOW TO CRACK IT.
1- BOOT VC-EXPAND
2- FLIP THE INTEGER SWITCH
3- GO INTO MONITOR
4- TYPE : 4000<0900.2116M
5- BOOT A SLAVE DISK
6- TYPE : 900<4000.5FFFM
7- 9DBFG
8- BSAVE VCX.BRUN,A$900,L$1816
9- MAKE UNLIMITED BACK-UP
10- BE HAPPY, I AM.
<>>>>> RICHARD
<<<<<>
<>>>>> BRANDOW
<<<<<>
***************************************
MSG LEFT BY: THE CLONEMAN
CRACKING CYBORG:
1. FLIP SWITCH ON INTEGER CARD UP
2. BLOAD DEMUFFIN AT $6000. SEE
CRACKING TECHNIQUES VOL 1 CHAPTER 4.
3. BOOT CYBORG DISKETTE; PRESS RESET
WHEN SCREEN STARTS TO FILL WITH TEXT
4. MOVE DEMUFFIN TO $803 AND RUN IT.
5. TRANSFER ALL FILES TO DOS 3.2 INIT
DISKETTES.
6. MUFFIN ALL THOSE 3.2 FILES TO 3.3.
7. BLOAD S1,A$1000
8. 1085:03 19 02
1088:0F 12 07 21 A0 03 12 01
1090:03 0B 05 04 A0 02 19 A0
1098:14 08 05 A0 03 0C 0F 0E
10A0:05 0D 01 0E
9. BSAVE S1,A$400,L$3FF
10. THAT'S IT!
BEST OF LUCK, THIS IS A GREAT
ADVENTURE! THE CLONEMAN
***************************************
MSG LEFT BY: RICHARD BRANDOW
CRACKING SOFTPORN
1- BOOT DISK
2- FLIP INTEGER SWITCH
3- RETURN TO BASIC AND RECONNECT DOS
(CALL 976 )
4- LOAD HELLO
5- GO INTO MONITOR
6- CHANGE : 120D EA
TO ->
: 120D:6
7- 9DBFG
8- SAVE HELLO
9- THAT'S IT
NOTE: IF YOU DON'T HAVE AN INTEGER
CARD, YOU CAN ALWAYS GET IN BY DOING
(CTRL)-C.
NOTE2: SOFTPORN IS IN 3.2. IF YOU
WANT IT IN 3.3 THEN MUFFIN IT.
PS: I ORDERED DAVID'S MIDNITE MAGIC
AND ARCADE MACHINE AND SCRAMBLE
(GEBELLI SOF.)
HOPE TO GET THEM SOON... HOPE THIS
HELPS.
AND BY THE WAY (MR.WIZARDRY) I'M A
PROGRAMMER (MAKING GAMES) ON THE
APPLE ][ . (AND MOST OF THE TIME, I
TRADE WITH THEM! HA!).
***************************************
MSG LEFT BY: RICHARD BRANDOW
COPYING VISITERM
HI, RICHARD BRANDOW HERE AGAIN (OH,NOT
HI AGAIN!) ON HOW TO COPY VISITERM.
1- MAKE A REGULAR COPY VIA PARAMETERS
AND THE USE OF THE LOCKSMITH.
2- I KNOW WHAT YOU'LL SAY: 'IT SAYS:
BOOT ERROR.'...WELL
3- BOOT A REGULAR 3.3 DISK
4- PUT THE VISITERM DISKETTE IN DRIVE.
5- BLOAD VISITERM
6- GO INTO MONITOR (CALL-151)
7- CHANGE: 2118: EA
TO -> : 2118: 60
8- GO BACK TO BASIC (9DBFG)
9- UNLOCK VISITERM
10- DELETE VISITERM
11- BSAVE VISITERM,A$2000,L$01F0
12- LOCK VISITERM.
13- THAT'S IT!
THE NEXT TIME YOU'LL BOOT IT, IT
WON'T SAY BOOT ERROR AND WILL
WORK PERFECTLY.
NOTE: THIS DOES NOT CRACK VISITERM, IT
ONLY TAKES OUT THE CHECKING ROUTINE.
(YOU STILL NEED LS TO COPY IT.)
UNTIL THE NEXT TIME, HAVE FUN AND
HAPPY TRADING....
RICHARD
BRANDOW
***************************************
MSG LEFT BY: RICHARD BRANDOW
CRACKING VISICALC
HI, RICHARD BRANDOW HERE AND A WAY TO
CRACK YOUR OWN VISICALC.
THERE ARE 5 FILES (UTILITIES) THAT YOU
WILL NEED. THEY ARE NAMED A-E.
1- EXEC THE FILE A AND SAVE IT UNDER
THE NAME ' V#2 '. ITS LOCATIONS
ARE: A$=$3E0 L$=$1F
2- EXEC THE FILE B AND SAVE IT UNDER
THE NAME ' V#4 '. ITS LOCATIONS
ARE: A$=$F62 L$=$7D
3- EXEC THE FILE C AND SAVE IT UNDER
THE NAME ' BOOT#5 '. ITS LOCATIONS
ARE: A$=$6000 L$=$0152
4- EXEC THE FILE D AND SAVE IT UNDER
THE NAME ' BOOT#5.1 '. ITS LOCATIONS
ARE: A$=$8200 L$=$12
5- EXEC FILE E AND SAVE IT UNDER A
BASIC PROGRAM NAME. THEN RUN IT.
IT WILL CREATE AN EXEC FILE NAMED
'VISICALC' WHICH TAKES V#2 + V#4 +
V#5 + PUTS VC16 IN THE LEFT HAND
CORNER.
OK. NOW YOU ARE READY TO CRACK THE
PROGRAM.
NOTE: TO EXEC A FILE WHICH IS BINARY
YOU SHOULD TYPE: ]MON C,I,O
]CALL-151
*EXEC 'FILENAME'
---->>>>
CONTINUE NEXT MESSAGE.
***************************************
MSG LEFT BY: RICHARD BRANDOW
OK, HERE IS WHAT YOU DO NOW ....
FIRST BOOT THE APPLE WITH NORMAL DOS.
THEN TYPE: ]BLOAD BOOTV#5
]BLOAD BOOTV#5.1
RIGHT AFTER THAT, TAKE THE DISK OUT
OF THE DRIVE AND PUT YOUR LOCKED
VISICALC IN IT.
THEN TYPE :
]CALL 24576
THE DRIVE WILL START, LOAD THE MAJOR
PART OF THE PROGRAM THEN STOP IN THE
MONITOR. THEN TYPE :
*BSAVE V#5,A$159C,L$6C00
THE FILE SHOULD BE AROUND 110 SECTORS.
(DON'T FORGET TO SAVE IT ON A REGULAR
DOS DISK....THEY ARE HARD TO FIND
THESE DAYS...)
OK, YOU ARE NOW READY TO TEST IT ALL.
CLOSE THE MACHINE. MAKE SURE YOU
HAVE: V#2, V#4, V#5 AND
VISICALC (EXEC FILE)
ON THE SAME DISK. THEN TYPE:
]EXEC VISICALC
(WAIT..)
AND THAT'S IT!!. HAPPY CRACKING RICH.
THE OTHER FILES A,B,C,D,& E WILL BE
ADDED SOON.
^^^ SYSOP ^^^
03E0: 6C 2C E3 09 C4 C5 00 02
03E8: DD FF 00 00 00 00 00 00
03F0: 00 00 00 08 AD 00 00 00
03F8: 4C 00 08 00 00 00 00 09
0F62: A0 36 B9 A9 0F 99
0F68: 6D 00 88 10 F7 AD E0 03
0F70: 85 62 4D E1 03 85 28 A8
0F78: AD E1 03 4D E2 03 49 AA
0F80: 85 29 24 61 10 0E 48 18
0F88: 98 6D E8 03 85 28 68 6D
0F90: E9 03 85 29 A9 9C 85 63
0F98: A9 15 85 64 AD E6 03 85
0FA0: 65 AD E7 03 85 66 4C 6D
0FA8: 00 A2 E0 BD 00 03 48 E8
0FB0: D0 F9 A0 00 B1 63 91 65
0FB8: C8 D0 F9 E6 64 E6 66 A6
0FC0: 66 E0 04 D0 09 E6 64 E6
0FC8: 66 C6 62 CA D0 F7 C6 62
0FD0: D0 E0 A2 FF 68 9D 00 03
0FD8: CA E0 E0 B0 F7 6C 28 00
6000:A2 20 A0 00 A2 03 86 3C 8A 0A 24 3C F0 10 05 3C
6010:49 FF 29 7E B0 08 4A D0 FB 98 9D 56 03 C8 E8 10
6020:E5 4C 07 61 BA BD 00 01 0A 0A 0A 0A 85 2B AA BD
6030:8E C0 BD 8C C0 BD 8A C0 BD 89 C0 A0 50 BD 80 C0
6040:98 29 03 0A 05 2B AA BD 81 C0 A9 56 20 A8 FC 88
6050:10 EB 85 26 85 3D 85 41 A9 08 85 27 18 08 BD 8C
6060:C0 10 FB 49 D5 D0 F7 BD 8C C0 10 FB C9 AA D0 F3
6070:EA BD 8C C0 10 FB C9 96 F0 09 28 90 DF 49 AD F0
6080:25 D0 D9 A0 03 85 40 BD 8C C0 10 FB 2A 85 3C BD
6090:8C C0 10 FB 25 3C 88 D0 EC 28 C5 3D D0 BE A5 40
60A0:C5 41 D0 B8 B0 B7 A0 56 84 3C BC 8C C0 10 FB 59
60B0:D6 02 A4 3C 88 99 00 03 D0 EE 84 3C BC 8C C0 10
60C0:FB 59 D6 02 A4 3C 91 26 C8 D0 EF BC 8C C0 10 FB
60D0:59 D6 02 D0 87 A0 00 A2 56 CA 30 FB B1 26 5E 00
60E0:03 2A 5E 00 03 2A 91 26 C8 D0 EE E6 27 E6 3D A5
60F0:3D CD 00 08 A6 2B 90 DB A9 40 8D 4C 08 A9 61 8D
6100:4D 08 4C 01 08 24 60 A9 C6 48 68 4C 24 60 FF FF
6110:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
6120:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
6130:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
6140:A9 4C 8D 5B 03 A9 00 8D 5C 03 A9 82 8D 5D 03 4C
6150:01 03
8200:A9 4C 8D 62 0F A9 69 8D 63 0F A9 FF 8D 64 0F 6C
8210:3E 00
50 DIM F$(255)
60 F$="VISICALC"
100 PRINT CHR$(4)"OPEN ";F$
200 PRINT CHR$(4)"WRITE ";F$
300 PRINT "BLOAD V#5"
400 PRINT "BLOAD V#4"
500 PRINT "BLOAD V#2"
600 PRINT "CALL-936"
700 PRINT "CALL-151"
800 PRINT "400:D6 C3 B1 B6"
900 PRINT "61:FF"
999 PRINT "F62G"
1000 PRINT CHR$(4)"CLOSE"
1100 END
***************************************
MSG LEFT BY: THE CLONEMAN
DATE POSTED: TUE MAR 2 10:00:58 PM
MESSAGE #7: VISIDEX CRACKED!
BY THE CLONEMAN
1. BOOT A LOCKSMITH COPY OF VISIDEX
2. FLIP YOUR INTEGER CARD SWITCH UP
3. PRESS RESET
4. INSERT A NORMAL DOS 3.3 DISK
5. 8C2:EA EA EA EA EA
6. 9DBFG
7. BSAVE VD1,A$800,L$4800
8. BSAVE VD2,A$9CF0,L$10
9. BSAVE VD3,A$B600,L$100
10. WRITE AN EXEC PROGRAM TO:
BLOAD VD1
BLOAD VD2
BLOAD VD3
CALL 2051
11. THAT'S ALL!!!
***************************************
MSG LEFT BY: THE CLONEMAN
DATE POSTED: SAT MAR 6 11:00:47 PM
MESSAGE #8: VISIDEX LOWER CASE
ARE YOU WONDERING WHY VISIDEX ISN'T
DISPLAYING LOWER CASE WITH YOUR LOWER
CASE CHIP EVEN THOUGH THE DOCUMENTATION
CLAIMS THAT IT SHOULD? WELL IT SEEMS
THAT VISIDEX SCANS A DIFFERENT PADDLE
BUTTON THAN THE ONE MOST PEOPLE USE.
TRY THE FOLLOWING FIX TO FILE VD1 (SEE
VISIDEX CRACKED MESSAGE) CHANGE
424B:63 (WAS 61). THIS SHOULD GIVE
NORMAL LOWER CASE AND SHIFT FOR UPPER
CASE. IF YOU DON'T HAVE THE SHIFT MOD
YOU'LL HAVE TO USE THE ESC KEY. IF THE
ABOVE DOESN'T WORK, INSTEAD OF THE
ABOVE TRY 424D:10
NOTE THE ABOVE CHANGES WORK FOR THE
PAYMAR CHIP.
I HOPE YOU ALL FIND THIS LITTLE
VISIDEX ENHANCEMENT USEFUL.
THE CLONEMAN
***************************************
MSG LEFT BY: RED REBEL
DATE POSTED: TUE MAR 16 4:53:21 PM
MESSAGE #10: HOW TO CRACK THE ELIMINATOR
INIT A NEW DISK WITH REG DOS
BLOAD DEMUFFIN PLUS,A$6000
INTEGER SWITCH UP,GET READY FOR MONITOR
BOOT THE ELIMINATOR AND HIT RESET AFTER
THE MAIN BOOT
PUT THE NEWLY INITED DISK IN DRIVE 2
TYPE 803<6000.8000M N 803G
USE THE WILDCARD = AND COPY ALL FILES
WHEN COMPLETE REMOVE BOTH DISKS,PUT THE
NEW DISK IN DRIVE 1 AND BOOT
TYPE BLOAD ELIM1
BLOAD STATION
CALL -151 AND MAKE THE FOLLOWING PATCHES:
A964:FF (SO YOU CAN BSAVE A LARGE PROGRAM)
1927:EA EA EA (TO REMOVE PROTECTION)
TYPE BSAVE ELIMINATOR,A$7FD,L$8300
THAT'S IT! TYPE BRUN ELIMINATOR & ENJOY!
DEMUFFINPLUS IS IN VOLUME I OF THE
CRACKING TECHNIQUES. ALSO WILL BE ON
THE SPECIAL DOWNLOAD. SEE BOZO'S
CRITIQUE ON CRACKING ON HOW TO USE IT.
YO HO HO,
>>> RED REBEL <<<
***************************************
CRACKING VISIFILE
BY: RED REBEL
MAKE A COPY OF VISIFILE USING THE COPYA
PROGRAM ON YOUR SYSTEM MASTER.
THEN WITH A NIBBLE EDITOR MAKE THE
FOLLOWING CHANGE:
TRK 22 SECT 04 BYTE 2D FROM 0A TO 0F
ALL DATA IN HEX
YOU NOW HAVE A COPYABLE MASTER..
***************************************
CRACKING SUPERSCRIBE
BY: RED REBEL
MAKE A COPY OF SUPERSCRIBE USING THE
COPYA PROGRAM ON YOUR SYSTEM MASTER.
THEN WITH A NIBBLE EDITOR MAKE THE
FOLLOWING CHANGES:
TRK 1A SECT 09 BYTE CB FROM AF TO 0C
TRK 18 SECT 0E BYTE E0 FROM AF TO 0C
ALL DATA IN HEX
YOU NOW HAVE A COPYABLE MASTER..
MSG LEFT BY: TRYSTAN II
AFTER SOME TIME SPENT BROWSING AROUND
THE HARBOR, I FINALLY FOUND SOMETHING
I CAN CONTRIBUTE TO THE FINE COLLECTION
OF CRACKING TECHNIQUES THAT ARE TO BE
HAD ON THIS SYSTEM. FOR THOSE OF YOU
WHO WOULD LIKE TO PUT EMPIRE I: WORLD
BUILDERS ON A STANDARD DOS 3.3 DISK,
TRY THE FOLLOWING:
1) USE DEMUFFIN PLUS TO COPY ALL THE FILES TO STANDARD DOS 3.3
2) BLOAD IF.SHAPE
3) CALL -151
4) *575F: A9 9E 8D 89 79 A9 2A
*5766: 8D 87 79 60
5) BSAVE IF.SHAPE,A$5600,L$282
THAT'S IT! HAVE FUN....TRYSTAN II
***************************************
MSG LEFT BY: THE FONGUS
HOW TO CRACK THE PROGRAMMER FROM AOS.
---------------------------------------
1)COPYA THE ORIGINAL WITH THE GOOD OL
B925:18 60 N B988:18 60 N 9DBFG
2)PUT NORMAL DOS ON THE COPY WITH
MASTER CREATE
3)BOOT NORMAL DOS
4)LOAD THE PROGRAMMER
5)TYPE '13RETURN'
'14RETURN'
THIS MEANS TYPE OUT 'RETURN'!!
ANOTHER ONE FROM THE BEST IN THE WEST
PIRATES BAY
(415) 775-2384
***************************************
MSG LEFT BY: JIM PHELPS
TO CRACK THE MARKET ANALYZER FROM DOW JONES DO THE FOLLOWING:
USE A SECTOR EDITOR SUCH AS THE INSPECTOR OR DISK ZAP AND EDIT THE
FOLLOWING BYTES TO 'EA' AND THEN REWRITE THE SECTOR.
TRACK 1B SECTOR E EDIT BYTES
62,63,64,76,77,78
MAKE THESE ALL 'EA' AND YOU CAN BOOT
UP THE PROGRAM WITH NO PROBLEM.
***************************************
MSG LEFT BY: TRYSTAN II
FOR THOSE OF YOU WHO HAVE SOFTWARE DIMENSION'S ACCOUNTING PLUS ][ PACKAGE,
THIS LITTLE CRACK WILL ALLOW YOU TO RUN IT WITHOUT THE FIRMWARE CARD IT
NORMALLY REQUIRES. THIS WAY, YOU CAN USE IT BOTH AT HOME AND IN YOUR OFFICE
WITHOUT HAVING TO TRANSPORT THE CARD BACK AND FORTH. FOR THAT MATTER, YOU
CAN THROW THE CARD AWAY! THE 4 DISKS THAT COME WITH THE PACKAGE ARE NOT
PROTECTED, SO YOU CAN MAKE AS MANY COPIES OF THEM AS YOU WISH.
THE BASIC CONCEPT IS THAT WE WILL SAVE THE CODE THAT IS ON THE FIRMWARE CARD
ONTO A DISK FILE AND THEN HAVE THE PROGRAM LOAD IT IN RAM BEFORE IT STARTS
EXECUTION. BY CHANGING A COUPLE OF BYTES IN THE FILE CALLED "APII.CODE"
WE FOOL IT INTO THINKING THE FIRMWARE CARD IS PLUGGED INTO A SLOT, WHEN
IN ACTUALITY, IT IS RESIDING UP IN HIGH RAM MEMORY!
HERE'S ALL YOU DO---
1) PUT THE FIRMWARE CARD IN ANY SLOT YOU LIKE (EXCEPT 0).
2) TYPE: CALL-151
         BSAVE FIRMWARE,A$CX00,L$100   ( X=SLOT NUMBER OF CARD )
3) NOW ALL WE DO IS ADD 2 LINES TO THE HELLO PROGRAM CALLED "SYSHELLO.PROG":
   TYPE: LOAD SYSHELLO.PROG
         22 HIMEM:36863
         24 PRINT CHR$(4);"BLOAD FIRMWARE,A$9000"
         SAVE SYSHELLO.PROG
4) THE LAST STEP IS TO MAKE 2 QUICK CHANGES TO "APII.CODE" AND WE'RE DONE.
   TO ACCOMPLISH THIS, TYPE--
         BLOAD APII.CODE
         CALL -151
         197C:1D
         1B72:C3
         BSAVE APII.CODE,A$800,L$1406
YOU NOW HAVE A VERSION OF ACCOUNTING PLUS ][ THAT NO LONGER NEEDS THE
FIRMWARE CARD. ENJOY!!
***** NOTE: THIS APPLIES ONLY TO VERSION 1.3 OF THE SOFTWARE, BUT THE *****
***** TECHNIQUE WORKS FOR OTHER VERSIONS..ONLY THE LINE NUMBERS        *****
***** AND/OR LOCATIONS ARE DIFFERENT.                                  *****
<< TRYSTAN II >>
***************************************
MSG LEFT BY: THE MARAUDER
)=>CRACKING PRISONER II<=(
P R I S O N E R I I
--------------------
BY INTERACTIVE FANTASIES
CRACKED BY THE SOFTWARE UNDERGROUND
THE FOLLOWING IS A STEP BY STEP
PROCEDURE TO CRACK PRISONER II VERY
EASILY.
(1)-=> COPY-A THE ORIGINAL DISK
(2)-=> UNLOCK "IF.SHAPE" ON COPY
(3)-=> BLOAD "IF.SHAPE"
(4)-=> CALL -151
(5)-=> TYPE IN THE FOLLOWING IN THE MONITOR.
57A2:78 5B 61
(6)-=> CTRL-C OR 9BDFG
(7)-=> BSAVE "IF.SHAPE,A$5600,L$26E"
(8)-=> LOCK "IF.SHAPE"
AND THERE YOU HAVE IT............
A CRACKED AND FIDABLE ------>
P R I S O N E R I I
--------------------
========== SEE YA LATER ==============
THE MARAUDER
<<<<<< THE SOFTWARE UNDERGROUND >>>>>>>
***************************************
MSG LEFT BY: RESET VECTOR
COPYA AZTEC!
AZTEC IS A GREAT NEW GAME FROM DATAMOST BY THE AUTHOR OF SWASHBUCKLER,
AND IT IS A LOT LIKE CASTLE WOLFENSTEIN. IT CAN BE CRACKED INTO COPYA
FORM WITH GREAT EASE, JUST LIKE MOST OF THE DATAMOST STUFF. IT ACCESSES
THE DISK A LOT, SO THIS IS THE MOST PRACTICAL WAY TO CRACK IT:
BOOT SYSTEM MASTER
CALL-151
B925:18 60
B988:18 60
BE48:18
B942:18
RUN COPYA AND COPY THE DISK.
NOW USE A SECTOR EDITOR AND ACCESS TRACK 0 SECTOR 3 AND CHANGE BYTE 42
FROM 38 TO 18. THAT'S IT!
KEEP ON CRACKING!
->RESET VECTOR!
***************************************
MSG LEFT BY: RESET VECTOR
MESSAGE #49: CRACKING SOFTERM
THIS ONE IS REALLY MORONICALLY SIMPLE. JUST DEMUFFIN IT. THE CATCH IS THAT
YOU WILL SEE 4 FILES. JUST IGNORE ALL OF THEM EXCEPT "SOFTERM" - ALL YOU
HAVE TO DO IS "BRUN SOFTERM".
COMPLIMENTS OF ->RESET VECTOR!
***************************************
MSG LEFT BY: RESET VECTOR
MESSAGE #50: CRACKING DATA*TRANS
DATA*TRANS IS A NEW TERMINAL PROGRAM WHICH I HAVE VERY MIXED FEELINGS ABOUT;
IT IS BASICALLY A SOUPED UP DATA CAPTURE. IT IS VERY EASY TO CRACK. YOU CAN
DEMUFFIN IT, BUT IT APPEARS TO LIKE ITS OWN DOS, SO THE EASY WAY IS TO JUST
BOOT DOS, CALL-151, B942:18, RUN COPYA AND COPY DISK, THEN CHANGE TRACK 0
SECTOR 3 BYTE 42 FROM 38 TO 18. YOU CAN THEN CHANGE THE FILE NAME IN THE
CATALOG THAT CONTAINS THE SERIAL NUMBER. I TRIED THE PROGRAM WITH TDE DOS
AND IT BOMBED ME INTO THE MONITOR AT A CERTAIN POINT, BUT OTHER FAST DOSES
MIGHT WORK...
COMPLIMENTS OF ->RESET VECTOR!
***************************************
MSG LEFT BY: THE WOODPECKER
....WANT TO BE ABLE TO READ HALF-
TRACKS AND WRITE THEM OUT ON WHOLE
TRACKS (OR VICE VERSA)? WELL, ADDING
THE FOLLOWING PATCHES TO YOUR DOS
WILL LET YOU DO THE JOB. IT IS
ESPECIALLY USEFUL IF YOU ARE USING
RWTS DIRECTLY TO CONVERT PROTECTED
DISKS TO STANDARD.
THE APPLE STEPPER MOTOR REQUIRES
TWO PULSES TO MOVE ONE WHOLE TRACK,
SO IF WE SEND OUT ONE MORE PULSE, WE
WILL MOVE THE ARM 1/2 TRACK BEYOND THE
NORMAL POSITION FOR THAT TRACK.
THE ROUTINE THAT POSITIONS THE
HEAD IS LOCATED IN DOS STARTING AT
B9A0 SO RIGHT THERE WE MAKE IT JSR TO
OUR HALF-TRACK ROUTINE WHICH WE WILL
PUT AT $0300. SO CALL -151 AND:
B9A0:20 00 03 EA
0300:86 2B 85 2A C9 XX 90 02
0308:E6 2A AD 78 04 C9 XX 90
0310:03 EE 78 04 A5 2A 60
WHERE XX IS THE HEX VALUE EQUAL TO
TWICE THE TRACK NUMBER OF THE FIRST
TRACK YOU WANT TO HALF TRACK.
REMEMBER YOU NEED TWO PULSES PER TRACK.
AFTER YOU HAVE READ THE
TRACK AND ARE READY TO WRITE ON A WHOLE
TRACK, JUST CHANGE $0304 FROM C9 TO 60
SO THAT THE ROUTINE IS BY-PASSED AND
THE TRACK WILL BE WRITTEN ONTO A WHOLE
TRACK.
HAVE FUN
........WOODY
***************************************
MSG LEFT BY: CAPTAIN NIBBLE
HERE'S A CRACK FOR WAR BY ADVENTURE INTERNATIONAL
INIT A DOS 3.3 DISK
CALL-151
*B925:18 60
*B988:18 60
*3D0G
BRUN FID
NOW FID THE FILES ONTO THE NEW DISK
BOOT THE NEW DISK
LOAD HELO
SAVE HELLO
BLOAD WAR
CALL-151
*802:65
*3D0G
BSAVE WAR,A$800,L$6C00
NOW YOU HAVE A COPYA-ABLE COPY
ANOTHER GOODIE FROM CAPTAIN NIBBLE
***************************************
MSG LEFT BY: MANUEL VELOSO
CRACK ALL PLATO
I'VE BEEN FIDDLING AROUND WITH THIS,
& HAVE COME UP WITH A WAY.
1) BOOT DISK
2) FLIP INT.SWITCH UP & RESET
3) 7800<B800.BFFFM
4) BOOT SLAVE
5) BLOAD MUFFIN (FROM ANOTHER DISK)
6) 1900<7800.7FFFM
7) 803G
8) CONVERT
MOST OF YOU PROBABLY RECOGNIZE THIS
FROM THE JOLLY ROGER, ON DEMUFFIN
TECHNIQUES. WELL, AFTER THIS YOU
CAN BSAVE PLATO CRACKER,A$803,L$1900
FOR A PERMANENT CRACKER.
***************************************
MSG LEFT BY: THE BEAST
FLOCKLAND ISLANDS
THIS IS REALLY A CRUMMY GAME AND THEIR
PROTECTION SCHEME IS JUST AS BAD.
THE PROGRAM IS ONE OF THOSE 3.2/3.3
BOOTERS. THEY ALSO HAVE PUT THE VTOC
ON TRACK $10 (LOOK OUT WORLD! THEY
PROBABLY GOT THEIR HANDS ON AN OLD
BEAGLE BROTHERS TIP BOOK). SO IF YOU
BOOT A 3.2 DISK AND *AC01:10 YOU CAN
READ THEIR FILES. THIS BRINGS UP A
POINT ABOUT USING DEMUFFIN, NAMELY
THAT THE DIRECTORY TRACK (AFTER
MOVING IT TO $803) IS AT $10A1
(NORMALLY $11). NOW THE BEST WAY THAT
I HAVE FOUND TO HANDLE THESE DISKS
IS TO BOOT A 3.3 DISK, CHANGE *AC01:10
(OR WHATEVER VALUE THEIR DIRECTORY
IS ON) THEN INITIALIZE THE DISK (NOTE
THAT IF YOU WANT TO FIND THE NAME OF
THE HELLO PROGRAM FOR DOS 3.3 IT'S
ON TRACK 1 SECTOR 9, FOR STANDARD
DOS 3.2 IT'S ON TRACK 1 SECTOR C, AND
ON A WOZBOOT13 (THE OLD UTILITY THAT
CONVERTS 3.2 DISK SO THEY WILL BOOT
ON 3.2 AND 3.3) IT'S ON TRACK 1
SECTOR B WHERE WE FIND IN THIS CASE
IT'S "BOOT.B"). NOTE THAT IF YOU
CHANGE $AC01 FROM $11 TO SOMETHING
ELSE DOS WILL ONLY WRITE THE VTOC ON
THE NEW TRACK AND AIM THE CATALOG TRACK
TO $11. ALSO NOTE THAT IT WILL NOT LOCK
THE SECTOR OF THE VTOC, SO IT MIGHT
GET CLOBBERED (WHILE DEMUFFINING) IF
YOU DON'T LOCK IT YOURSELF.
SO ANYWAY, MUFFIN OR DEMUFFIN THE FILES
TO YOUR NEW DISK AND WITH A SECTOR
EDITOR READ TRACK $10 SECTOR 0 AND
WRITE IT TO TRACK $11 SECTOR 0 (WHICH
WAS LOCKED WHEN YOU INITED THE DISK).
THEN YOU CAN EITHER INIT ANOTHER DISK
(WITH STANDARD DOS) AND FID THE FILES
OR YOU MIGHT JUST USE A SECTOR EDITOR
AND CHANGE T$1 S$B LOCATION $01 FROM
$10 TO $11.
--->>> THE BEAST <<<---
***************************************
MSG LEFT BY: THE BEAST
ZOOM GRAFIX CRACK
THERE ARE TWO VERSIONS OF ZOOM GRAFIX.
TO TELL THEM APART 'LOAD GRAFIX':
OLD VERSION:LINE 100 HAS REM 13-NOV-81
NEW VERSION:LINE 100 HAS REM 9APR82
THE PROTECTION & UNPROTECTION ON EACH
IS SLIGHTLY DIFFERENT.
TO BEGIN WITH BOOT IT & GO INTO THE
MONITOR. NOW THE FILES WILL NOT
DIRECTLY DEMUFFIN. HOWEVER:
*6800<B800.BFFFM
(INSERT SLAVE DISK WITH HELLO PROG
DELETED)
*6 (CTRL-P)
]BLOAD DEMUFFIN,A$4000
]CALL-151
*B800<6800.6FFFM
*803<4000.6000M
*803G
AND PROCEED AS USUAL. YOU MIGHT WANT TO
INIT A DISK WITH A FAST DOS USING
'GRAFIX' TO RECEIVE THE FILES.
NEXT 'LOAD GRAFIX' (BOTH VERSIONS)
]101 GR : PRINT CHR$(4)"MAXFILES1"
]102 POKE 2049,97:KB=49152:KS=KB+16:
NORMAL
]104
(DELETE IT)
]150 VTAB 21:POKE 103,1:POKE 104,96:
POKE 24576,0:POKE 36873,0:DR=36864
]SAVE GRAFIX
NEXT 'LOAD GRAFIX PART ]['
OLD VERSION:
]1395 LM=0
NEW VERSION:
]1405 LM=0
THEN 'SAVE GRAFIX PART ]['
NEXT 'LOAD GRAFIX SET-UP'
OLD VERSION:
]105 POKE 47094,0
NEW VERSION:
]102 POKE 47094,0
THEN 'SAVE GRAFIX SET-UP'
THIS SEEMS TO TAKE CARE OF ALL OF THE
TRAPS. CREDIT FOR THIS GOES TO GREGG
BURMAN, WHO POSTED THE CRACK FOR THE
OLD VERSION ON BOARD 12. NOTE THAT THE
NEW VERSION HAS SEVERAL ENHANCEMENTS.
>>> THE BEAST <<<
***************************************
MSG LEFT BY: JOEL BRENNER
WIZMAKER!
THERE IS A NEW WIZARDRY UTILITY ON THE MARKET THAT ALLOWS YOU TO EDIT YOUR
CHARACTERS WITH THE GREATEST OF EASE. IT IS CALLED "WIZMAKER" AND IT IS
EASY TO COPY:
USE NIBBLES AWAY ][
TRACK START D5 AA 96
INSERT MARK DE AA EB FD
SYNC SIZE 0A
COPY TRACKS 0-22
KEEP ON CRACKING! JOEL BRENNER
***************************************
MSG LEFT BY: SHAWN ROBERTS
WHEN YOU WANT TO CRACK ONLINE SOFTWARE, THERE IS A SPECIAL TECHNIQUE. FIRST OF
ALL, THE DOPES AT ONLINE FAIL TO REALIZE THAT WHEN THEY PROTECT A DISK THEY
DON'T DO IT THE SAME EVERY TIME. 99% OF ONLINE SOFTWARE IS COPYA-ABLE WITH
THIS ONE MODIFICATION. GO INTO THE MONITOR.
CALL-151
*B942:18
THIS ALLOWS APPLE DOS TO COPY THE DISK VIA COPYA.
THEN AFTER THE DISK IS COPYA'D, YOU HAVE TO LOOK AROUND THE CATALOG TRACK FOR
AN ABNORMAL HEX #, SUCH AS 9D OR 8B. CHANGE THIS TO ITS PROPER EQUIVALENT;
LIKE FOR 8B YOU WOULD CHANGE THE BYTE TO 60. IF YOU LOOK IN YOUR APPLESOFT
MANUAL OR ONE OF THOSE BOOKS, YOU WILL SEE A CHART OF 6502 VALIENCES. THE
NORMAL VALIENCE FOR A CATALOG TRACK IS USUALLY 1 GAP WITH 2 SECONDARY GAPS.
ONLINE DOESN'T INCORPORATE GAPS INTO THE TRACK (11). THEN ALL YOU NEED TO DO
IS CHANGE THE BYTE AND CATALOG ONCE BEFORE YOU TRY THE GAME, AND BAMMO:
INSTANT COPYA VERSION OF WHAT-HAVE-YOU. CRACKED IS WHAT YOU CALL IT. ALSO,
RENAME THE CATALOG FILES AS THEY HAVE CONTROL CHARACTERS EMBEDDED IN THEM.
ALSO, FOR THOSE OF YOU WITH RAM CARDS, MAY I RECOMMEND "C" LANGUAGE FOR
COPYING **ALL** RUNTIME PASCAL, BUT YOU STILL HAVE TO NIBBLE COUNT WIZARDRY.
OH WELL
***************************************
MSG LEFT BY: LONG JOHN SILVER
OK, MORE AND MORE PROGRAMS ARE BEING
PROTECTED WITH APPLE'S PROTECTION SCHEME
CALLED DOS 3.3P (P=PROTECTED). WELL,
HERE IS HOW TO CRACK ANY DISK PROTECTED
WITH DOS 3.3P:
]CALL-151
*B6B3:A0 0A B9 D6 B6
*B6B8:99 F6 B8 88 10 F7 60 BD
*B6C0:8C C0 10 FB 49 AD F0 09
*B6C8:BC 8C C0 10 FB B9 00 BA
*B6D0:2C A9 00 A0 56 60 20 BF
*B6D8:B6 EA EA EA EA EA EA EA
*B6E0:EA
*BSAVE CRACK DOS 3.3P,A$B6B3,L$2E
JUST BRUN THIS PROGRAM AND FID ALL THE
FILES OF THE PROTECTED DISK!!, YOU WILL
FIND A LOT OF SOFTWARE IS PROTECTED
WITH DOS 3.3P, MOST OF IT SEEMS TO BE
EDUCATIONAL SOFTWARE SUCH AS THE
SESAME STREET STUFF, SPECIAL DELIVERY
SOFTWARE, ALSO SPELLING DEMONS AND MUCH
MUCH MORE SOOOO... HAVE FUN,
LONG-JOHN SILVER
ALSO I AM LOOKING FOR INFO ON CP/M
AND APPLE PASCAL BIOS, I HAVE BEEN
DISASSEMBLING THE CP/M ONE AND IT
SEEMS TO BE STRAIGHTFORWARD, BUT I
DO NOT KNOW ABOUT THE PASCAL ONE.
I AM PRIMARILY INTERESTED IN THE
APPLE DISK DRIVERS (I AM WRITING
SOFTWARE FOR A BIG RAM-CARD)
***************************************
MSG LEFT BY: MISTER C
TO CRACK VISIBLE COMPUTER 6502:
STEP1: GET THE FILES OFF OF THE DISK.
ONE METHOD IS TO BOOT AN ORIGINAL
VIDEX VISICALC PRE-BOOT, LOAD DEMUFFIN,
PUT IN VC6502 AND GO (I DON'T KNOW MY
WAY AROUND SUPER DOS OR I COULD MAKE
THIS CLEANER), DO THIS ONTO A DISK
INITED WITH THE NAME 'STARTUP'
(PREFERABLY WITH A FAST DOS).
STEP2: LOAD VC (DON'T LIST IT !!!!!)
DELETE LINE 20730 (THIS INITIALIZES
THE DISK IF YOU DON'T HAVE THEIR DOS
IN MEMORY). SAVE VC.
DONE.
YOU CAN ALSO COMPILE VC IF YOU'RE
IMPATIENT( WATCH OUT FOR HI-RES PAGE 1)
THIS LOOKS LIKE A FUN PROGRAM.
IF ANYONE HAS THE DOX FOR IT, I WOULD
BE INTERESTED IN OBTAINING A COPY OF
THEM.
MISTER C
TY (12)CL1993>MYROM
***************************************
*        BOZO'S PROGRAM CRACKER ROM          *
*        REVISION 1.1                        *
***************************************
*
* NOTE: THIS PGM WILL NOT WORK UNLESS 'TO', 'FROM', AND 'STOP' ALL EQUATE TO
* PAGE BOUNDARIES (E.G. 2000, 4400, ETC)
*
*****************************************************************************
* THE BASIS OF THIS LITTLE PROGRAM IS THE USE OF ABSOLUTE INDEXED INCREMENT
* ADDRESSING (E.G. LDA 400,X  STA 2400,X  INX). TO KEEP THE LENGTH AS
* SHORT AS POSSIBLE, SELF-MODIFYING CODE IS USED. THE ABSOLUTE INDEXING
* MODE CAN ONLY MOVE 1 PAGE AT A TIME; THE SELF-MODIFICATION PART ALLOWS
* ONE TO MOVE MORE THAN 1 PAGE, WITHOUT HAVING TO DUPLICATE THE CODE OVER &
* OVER FOR EACH PAGE ($FF BYTES). SINCE SELF-MODIFYING CODE MUST BE
* RAM BASED, THE FIRST PART OF THIS PGM MOVES THE SECOND PART FROM ROM
* INTO RAM; IT THEN JUMPS TO THE BEGINNING OF THE CODE IT JUST MOVED.......
* !!!!! WARNING !!!!! NOTE THAT MOST ASSEMBLERS WILL CODE THE: LDA FROM,X
* INCORRECTLY WHEN FROM EQUATES IN THE ZERO PAGE; THIS WILL RESULT IN TWO
* OP-CODE BYTES BEING GENERATED INSTEAD OF THREE, AND WILL MESS UP THE SELF-
* MODIFYING PART. THIS SOURCE IS MEANT MOSTLY AS AN AID TO UNDERSTANDING;
* USE THE OBJECT CODE WHICH FOLLOWS, WHEN MODIFYING YOUR F8 MONITOR.
*
--------------->BOZO<----------------------------->NYC<------------------
*
******************----*******************************---*********************
*
*
        ORG   $FCC9        ;THIS IS THE TAPE WRITE SECTION OF F8 ROM
*                          ;AND THE BEGINNING OF ROM BASED CODE
FROM    EQU   $0000        ;BEGINNING OF MEMORY TO SAVE
TO      EQU   $2000        ;LOCATION TO BEGIN SAVING CODE
STOP    EQU   $2800        ;LOCATION + 1 TO STOP SAVING CODE
CODE    EQU   $2800        ;BEGINNING OF RELOCATED (RAM) BASED CODE
RESET   EQU   $FF59
*
*       !!! PROGRAM START !!!
        CLD
        LDX   #0
LOOP1   LDA   MOVE,X       ;COPY THE SELF-MODIFYING PART INTO RAM AT CODE
        STA   CODE,X
        INX
        CPX   #$1B         ;LENGTH OF ROM CODE TO MOVE
        BNE   LOOP1
        JMP   CODE
MOVE    LDY   #/STOP       ;HIGH BYTE OF STOP
        LDX   #0
LOOP2   LDA   FROM,X       ;MUST ASSEMBLE AS 3-BYTE ABSOLUTE,X (SEE WARNING)
        STA   TO,X
        INX
        BNE   LOOP2
        INC   CODE+6       ;BUMP HIGH BYTE OF THE LDA ADDRESS
        INC   CODE+9       ;BUMP HIGH BYTE OF THE STA ADDRESS
        CPY   CODE+9       ;REACHED STOP PAGE?
        BNE   LOOP2
        JMP   RESET
        END
HERE'S THE ASSEMBLED OBJECT, READY TO DROP IN AT $FCC9. THIS IS ONE OF
THE TAPE WRITE ROUTINES IN THE F8 ROM; SINCE I DON'T USE TAPE, AND I WANTED
TO PRESERVE THE ROM ROUTINES, I CHOSE THIS LOCATION. IF YOU WANT TO LOCATE
IT SOMEWHERE ELSE, FEEL FREE, BUT BEWARE THAT IT IS NOT RELOCATABLE WITHOUT
A FEW CHANGES.
FCC9: D8 A2 00 BD DA FC 9D 00
FCD1: 28 E8 E0 1B D0 F5 4C 00
FCD9: 28 A0 28 A2 00 BD 00 00
FCE1: 9D 00 20 E8 D0 F7 EE 06
FCE9: 28 EE 09 28 CC 09 28 D0
FCF1: EC 4C 59 FF
HAVE FUN (?)
>>>>> D O S   T R I C K S <<<<<
***************************************
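As an added example (not code from Bozo's post or from any tool named on this page), the following Python mini-interpreter covers only the twelve 6502 opcodes the movers use and executes the $FCC9 object bytes above to check that they do what the source claims: copy $0000-$07FF to $2000-$27FF, leave the page-address bytes at CODE+6 and CODE+9 pointing one past the last page, and end at the monitor entry $FF59. The same interpreter runs the unrolled $B500 mover that Mr. Xerox's boot-trace post further down types in by hand, which reaches the same memory image without any self-modification, and a constructed mis-assembly of Bozo's source with the zero-page form of LDA FROM,X (two bytes instead of three), which shows exactly the failure the warning describes: INC CODE+6 lands on the STA opcode instead of its high address byte and the loop executes a garbage opcode. The sample contents seeded into pages 0-7 and the mis-assembled variant are assumptions constructed for this demonstration.

```python
# Added example, not code from the posts: a tiny interpreter for just the
# 6502 opcodes the two movers use, to check hand-assembled object bytes
# against their source before they go anywhere near an F8 ROM image.
# Everything seeded into $0000-$07FF below is constructed sample data.

# Bozo's object bytes exactly as listed (load address and entry $FCC9).
BOZO_FCC9 = bytes.fromhex(
    "D8 A2 00 BD DA FC 9D 00 28 E8 E0 1B D0 F5 4C 00 28 "
    "A0 28 A2 00 BD 00 00 9D 00 20 E8 D0 F7 EE 06 28 "
    "EE 09 28 CC 09 28 D0 EC 4C 59 FF")

# Constructed variant of the same source with LDA FROM,X assembled in the
# two-byte zero-page form (B5 00), the mistake Bozo's warning describes;
# branch offsets and the CPX #$1A move length are adjusted to match.
BOZO_FCC9_ZP_BUG = bytes.fromhex(
    "D8 A2 00 BD DA FC 9D 00 28 E8 E0 1A D0 F5 4C 00 28 "
    "A0 28 A2 00 B5 00 9D 00 20 E8 D0 F8 EE 06 28 "
    "EE 09 28 CC 09 28 D0 ED 4C 59 FF")

# Mr. Xerox's unrolled $0-$7FF mover, as typed into $B500 in his post.
XEROX_B500 = bytes.fromhex(
    "A2 00 B5 00 9D 00 20 BD 00 01 9D 00 21 BD 00 02 9D 00 22 "
    "BD 00 03 9D 00 23 BD 00 04 9D 00 24 BD 00 05 9D 00 25 "
    "BD 00 06 9D 00 26 BD 00 07 9D 00 27 E8 D0 CE 4C 59 FF")

MONITOR = 0xFF59   # both movers finish with JMP $FF59; execution stops there


class UnsupportedOpcode(Exception):
    def __init__(self, pc, opcode):
        super().__init__(f"opcode ${opcode:02X} at ${pc:04X}")
        self.pc, self.opcode = pc, opcode


class Cpu:
    """A, X, Y, the Z flag and 64K of RAM: enough to run the movers."""

    def __init__(self):
        self.mem = bytearray(0x10000)
        self.a = self.x = self.y = 0
        self.z = False
        self.pc = 0

    def run(self, entry, halt=MONITOR, max_steps=100_000):
        self.pc = entry
        for _ in range(max_steps):
            if self.pc == halt:
                return
            self.step()
        raise RuntimeError("mover never reached the monitor")

    def step(self):
        m, pc = self.mem, self.pc
        op, imm = m[pc], m[pc + 1]
        addr = imm | (m[pc + 2] << 8)                 # absolute operand
        if op == 0xD8:                                # CLD (decimal mode ignored)
            self.pc += 1
        elif op == 0xA2:                              # LDX #imm
            self.x, self.z, self.pc = imm, imm == 0, pc + 2
        elif op == 0xA0:                              # LDY #imm
            self.y, self.z, self.pc = imm, imm == 0, pc + 2
        elif op == 0xBD:                              # LDA abs,X  (3 bytes)
            self.a = m[(addr + self.x) & 0xFFFF]
            self.z, self.pc = self.a == 0, pc + 3
        elif op == 0xB5:                              # LDA zp,X   (2 bytes, wraps in page 0)
            self.a = m[(imm + self.x) & 0xFF]
            self.z, self.pc = self.a == 0, pc + 2
        elif op == 0x9D:                              # STA abs,X
            m[(addr + self.x) & 0xFFFF] = self.a
            self.pc += 3
        elif op == 0xE8:                              # INX
            self.x = (self.x + 1) & 0xFF
            self.z, self.pc = self.x == 0, pc + 1
        elif op == 0xE0:                              # CPX #imm (only Z is tracked)
            self.z, self.pc = self.x == imm, pc + 2
        elif op == 0xCC:                              # CPY abs
            self.z, self.pc = self.y == m[addr], pc + 3
        elif op == 0xEE:                              # INC abs: the self-modifying write
            m[addr] = (m[addr] + 1) & 0xFF
            self.z, self.pc = m[addr] == 0, pc + 3
        elif op == 0xD0:                              # BNE rel
            off = imm - 0x100 if imm > 0x7F else imm
            self.pc = pc + 2 + (0 if self.z else off)
        elif op == 0x4C:                              # JMP abs
            self.pc = addr
        else:                                         # anything else means the code went wrong
            raise UnsupportedOpcode(pc, op)


def run_mover(code, load_addr):
    """Seed pages 0-7 with constructed data, load and run the mover."""
    cpu = Cpu()
    for i in range(0x800):
        cpu.mem[i] = (i * 7 + 3) & 0xFF
    cpu.mem[load_addr:load_addr + len(code)] = code
    cpu.run(load_addr)
    return cpu


def copied_pages_match(code, load_addr):
    """True when $2000-$27FF is an exact image of $0000-$07FF afterwards."""
    cpu = run_mover(code, load_addr)
    return bytes(cpu.mem[0x2000:0x2800]) == bytes(cpu.mem[0x0000:0x0800])


def relocated_code(code=BOZO_FCC9):
    """The $1B bytes LOOP1 placed at $2800, as left after the self-modifying run."""
    return bytes(run_mover(code, 0xFCC9).mem[0x2800:0x2800 + 0x1B])


def zero_page_bug_opcode():
    """Opcode the mis-assembled variant ends up executing once INC CODE+6 misses."""
    try:
        run_mover(BOZO_FCC9_ZP_BUG, 0xFCC9)
    except UnsupportedOpcode as err:
        return err.opcode
    return None
```

The point to take from the mis-assembled run is that in self-modifying code the operand offsets (CODE+6, CODE+9) are part of the program's contract with its own encoding: an assembler that silently picks the shorter zero-page form produces bytes that look plausible, load fine and still corrupt memory, which is why checking the emitted bytes (or running them under an interpreter like this one) matters more than checking the source.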
MSG LEFT BY: MIGHTY COLOSSUS
TRY THIS TO SEE ANY DOS: REMOVE THE
REARMOST SET OF RAM CHIPS FROM YOUR
APPLE (THE ONES NEAR THE I/O SLOTS).
THEN INIT A DISK, REPLACE THE RAM AND
BOOT UP UNDER THE PROGRAM YOU WISH TO
DEPROTECT. THEN FORCE A REBOOT WITH THE
DISK YOU INITED IN DRIVE 1. THE DOS
FROM THE PROTECTED DISK WILL (IN MOST
CASES) STILL BE IN THE RAM UP TOP....
THIS NEW DOS IS A SLAVE AT 32 K AND
THE OLD (AND PROTECTED DOS) IS STILL
AT 48 K. THIS WILL WORK ON ABOUT 50%
OF THE PROGRAMS. ENJOY
YOU CAN ALSO REMOVE THE TOP 32K AND
GET TWICE AS MUCH.
***************************************
MSG LEFT BY: RANDY UBILLOS
DATE POSTED: SUN FEB 21 12:53:19 AM
MESSAGE #4: CHECKSUM TRICK
A VERY HANDY TECHNIQUE FOR TAKING A LOOK AT THE DATA ON A PROTECTED DISK IS
TO DISABLE THE CHECKSUM IN THE RWTS. THE FORMATS OF MANY PROTECTED DISKS
VARY ONLY IN THIS CHECKSUM, SO TURNING IT OFF SHOULD ALLOW ANY STANDARD
TRACK/SECTOR UTILITY TO LOOK AT THE DISK! TO DO THIS, BOOT UP THE DOS THAT
YOU WISH TO USE, AND ENTER THE MONITOR. THEN ENTER B942:18 FOR DOS 3.3 OR
B963:18 FOR DOS 3.2. THIS CHANGES A SET CARRY INSTRUCTION TO A CLEAR CARRY
INSTRUCTION. NOW RETURN TO DOS AND RUN YOUR EDITOR. IF THE DISK YOU ARE
LOOKING AT IS PROTECTED WITH THIS SYSTEM, YOU SHOULD BE ABLE TO READ IT
NOW. TO MAKE THIS CHANGE TO A DOS ON A DISK, THIS DATA IS CONTAINED IN TRACK 0
SECTOR 3, AT EITHER BYTE $42 OR BYTE $63, FOR DOS 3.3 OR 3.2, RESPECTIVELY.
GOOD LUCK.......
RANDY
***************************************
LETTER FROM: AXE MAN
DATE MAILED: WED FEB 24 6:42:18 PM
MESSAGE #5: DOS LANGUAGE CARD TRICK
TO AVOID RE-LOADING THE LANGUAGE CARD
ON BOOTUP ( A MAJOR IRRITATION )
CHANGE THE FOLLOWING :
IN A 48K SYSTEM, CHANGE $BFCC TO 00 AND
$BFCF TO 00 : THIS WILL PREVENT THE
LANGUAGE CARD FROM BEING WRITTEN TO.
(INITIALIZE A DISKETTE WITH THIS DOS
TO MAKE IT BOOT UP IN THIS FASHION)
(IF YOU LOOK AT THE CODE, YOU CAN MAKE
THE SAME MODS IN A COPY OF A SYSTEM
MASTER ON THE DISK ITSELF, SO A MASTER
CREATE WILL PUT THIS DOS ON A DISKETTE.
CHANGE THE CODE THAT SAYS LDA C081 WITH
LDA C000 -- THAT SHOULD WORK FINE).
AXE MAN.
***************************************
MSG LEFT BY: DISK ZAPPER
DATE POSTED: THU FEB 25 10:47:09 PM
MESSAGE #6: >>> D O S T R I C
K <<<
GET INTO MONITOR FROM A NORMAL DISK.
TYPE: 400<A800.ABFFM
POOF THERE YOU HAVE ALL THE DOS COMMANDS.
NOTICE THAT ALL THE LETTERS IN THE
COMMAND ARE FLASHING BUT THE LAST ONE;
THAT IS TO TELL YOU WHERE THE COMMAND
ENDS. NOW NOTICE WHERE THE INIT,LOAD,
BLOAD,SAVE,BSAVE,CATALOG, ETC... ARE.
THEN BOOT SOMETHING LIKE BRAIN SURGEON
OR SOMETHING THAT HAS SOMETHING LIKE
A NORMAL FORMAT THEN TYPE THAT LINE
AND THEN YOU CAN SEE IF THEY CHANGED
ANY OF THE COMMANDS!
HAPPY ZAPPING!!!
***************************************
MSG LEFT BY: LOCK BUSTER
USING LOCKBUSTER ][
IN SAVING THE CONTENTS OF A 48K MACHINE TO DISK, SEVERAL PROBLEMS ARISE:
1) IN ORDER TO GET CONTROL AWAY FROM A PROGRAM, THE RESET KEY MUST BE USED.
   WHEN RESET IS HIT, THO, ESSENTIAL PARTS OF MEMORY (PAGE ZERO, THE STACK,
   THE KEYBOARD BUFFER AND THE SCREEN) GET CLOBBERED.
2) TYPICALLY, DOS ISN'T IN THE MACHINE AND NEEDS TO BE LOADED, AND THE
   PROCESS OF LOADING IN DOS WIPES OUT MORE PARTS OF MEMORY.
3) ONCE DOS IS LOADED, IT WON'T ALLOW BSAVES LONGER THAN $7FFF BYTES.
LOCKBUSTER ][ ADDRESSES THE FIRST PROBLEM. THE CONTENTS OF PAGES 0 THRU 7
(LOCATIONS $0-$7FF) ARE MOVED UP TO $800-$FFF BEFORE ANYTHING ELSE IS DONE.
THIS PRESERVES A COPY OF EVERYTHING WHICH NORMALLY GETS WIPED OUT (BUT OF
COURSE DESTROYS WHATEVER WAS IN $800-$FFF).
SAVING THE ENTIRE CONTENTS OF MEMORY (WORST CASE!) IS A MULTI-STEP PROCESS,
SINCE NO MATTER WHAT YOU DO, SOMETHING'S GONNA GET WIPED OUT. THE PROCESS
DESCRIBED HERE WILL SAVE OUT FOUR CHUNKS OF MEMORY TO THE DISK. THESE
CHUNKS RESIDE IN THE FOLLOWING RANGES:
$0000-$07FF
$0800-$08FF
$0900-$97FF
$9800-$BFFF
IN ORDER TO SAVE OUT 48K, YOU'LL NEED AN OLD MONITOR ROM (NOT THE AUTOSTART
ROM), LOCKBUSTER, AND A 48K SLAVE DISK. THE WORST-CASE PROCEDURE FOR SAVING
48K FOLLOWS (YOU'LL SELDOM NEED TO SAVE ALL 48K, BUT THIS IS THE 'FULL
BLOWN' PROCEDURE):
1) INITIALIZE A 48K SLAVE DISK TO BE USED TO SAVE THE CONTENTS OF MEMORY.
   IT CANNOT BE A MASTER DISK (SEE DOS MANUAL FOR DETAILS), SINCE A MASTER
   WIPES OUT MEMORY IN THE RANGE $1B00-$3FFF, WHILE A SLAVE DOES NOT. THE
   SLAVE STILL WIPES OUT MEMORY $0-8FF AND $9800-$BFFF, BUT WE CAN WORK
   AROUND THAT.
2) INSTALL THE LOCKBUSTER ROM IN PLACE OF THE MONITOR ROM (TURN THE MACHINE
   OFF, FIRST, THO!).
3) FILL MEMORY WITH WHATEVER YOU WANT TO SAVE.
4) WHEN MEMORY IS FULL, HIT RESET, AND YOU'LL FIND YOURSELF IN THE MONITOR,
   WITH THE ASTERISK (*) PROMPT. ENTER
   1800<800.FFFM
   TO MOVE THE OLD CONTENTS OF $0-7FF UP TO WHERE THEY WON'T GET WIPED OUT
   WHEN YOU BOOT YOUR SLAVE DISK.
5) BOOT THE SLAVE DISK (6 CTRL/P), AND ENTER
   BSAVE CHUNK0-7FF,A$1800,L$800
6) POWER THE MACHINE DOWN AND REPLACE LOCKBUSTER WITH THE OLD MONITOR ROM
   (YOU'RE DONE WITH LOCKBUSTER FOR NOW).
7) REFILL MEMORY WITH WHAT YOU WANT TO SAVE
8) HIT RESET, AND ENTER:
   1800<800.8FFM
9) BOOT THE SLAVE DISKETTE AND ENTER:
   BSAVE CHUNK800-8FF,A$1800,L$100
10) FILL MEMORY (AGAIN), HIT RESET, BOOT THE SLAVE DISKETTE, AND ENTER:
   CALL -151
   A964:FF      (THIS LETS YOU BSAVE FILES LONGER THAN 32K)
   3D0G
   BSAVE CHUNK900-97FF,A$900,L$8F00
11) FILL MEMORY (LAST TIME!), HIT RESET, AND ENTER:
   1800<9800.BFFFM
12) BOOT THE SLAVE DISKETTE, AND ENTER:
   BSAVE CHUNK9800-BFFF,A$1800,L$2800
NOTE: SOME PROGRAMS CHECK TO SEE THAT THE MONITOR ROM ISN'T SOMETHING FUNNY
(LIKE LOCKBUSTER), AND WHEN THEY SEE SOMETHING THEY DON'T LIKE, REBOOT THE
DISK. ONE DANGEROUS WAY AROUND THIS PROBLEM IS TO LEAVE THE MONITOR ROM IN
THE MACHINE WHILE THE PROGRAM IS LOADING, THEN HOLD DOWN RESET WHILE YOU
SWITCH TO THE LOCKBUSTER ROM, THEN RELEASE AND REHIT RESET. I DON'T
RECOMMEND THIS, ALTHO I DO IT ALL THE TIME.
NOW THAT MEMORY IS SAVED, THE SLEUTHING BEGINS... YOU'LL NEED TO FIND THE
STARTING ADDRESS (A GOOD PLACE TO START IS $800, OR LOOK AT THE OLD CONTENTS
OF $3F2-3F3, WHICH CONTAIN THE RESET VECTOR USED BY THE AUTOSTART ROM), AS
WELL AS FIGURE OUT WHAT PARTS OF MEMORY AREN'T BEING USED. A GOOD WAY TO DO
THE LATTER IS TO FILL MEMORY WITH A GIVEN BYTE (LIKE FF), LOAD IN THE
PROGRAM, HIT RESET, AND SEE WHAT PAGES STILL HAVE FF IN THEM.
AFTER ALL THAT GETS SORTED OUT (THE FIRST TIME, IT WILL PROBABLY TAKE
SEVERAL HOURS, OR EVEN DAYS, BUT THE SECOND TIME IT GOES MUCH QUICKER), THE
PROBLEM REMAINS OF HOW TO LOAD IT BACK IN. MANY TIMES THIS CAN BE DONE BY
SHUFFLING THE CHUNKS AROUND IN MEMORY SO THEY FIT IN THE 'SAFE' MEMORY AREA
$800-95FF, WHERE THEY CAN THEN BE BSAVED AS ONE LARGE CHUNK. A SMALL
ROUTINE SHOULD THEN BE ADDED TO PUT THINGS BACK WHERE THEY SHOULD BE, AND
JUMP TO THE STARTING ADDRESS.
ALL IN ALL, THIS IS AN INVOLVED PROCESS, BUT IT DOES BECOME ROUTINE AFTER A
FEW TIMES. A DETAILED EXPLANATION OF ALL THE STEPS COULDN'T POSSIBLY BE FIT
ON THESE FEW PAGES, AND REALLY WOULDN'T TEACH YOU MUCH ANYWAY, SINCE THE
ONLY WAY TO LEARN HOW TO DO IT IS TO DO IT, FIGURING THINGS OUT AS YOU GO
ALONG.
SOME HANDY TOOLS TO HAVE ARE:
'THE DOS 3.3 MANUAL', PUBLISHED BY APPLE COMPUTER, TELLS YOU HOW TO USE
DOS, AS WELL AS HOW TO USE THE RWTS ROUTINE, HOW THE CONTENTS OF THE
CATALOG, VTOC, TRACK/SECTOR LISTS, AND DIFFERENT FILE TYPES ARE ARRANGED.
DOESN'T DELVE TOO DEEPLY INTO THE INTERNAL WORKINGS OF DOS, FOR THAT YOU'LL
NEED....
'BENEATH APPLE DOS' BY WORTH AND LECHNER, PUBLISHED BY QUALITY SOFTWARE,
GIVES A DETAILED DESCRIPTION OF WHAT GOES ON INSIDE DOS. IF SOMEONE WAS
REALLY AMBITIOUS, THE COMMENTS THEY GIVE ABOUT EACH DOS ROUTINE COULD BE
PLACED IN A DISASSEMBLY OF DOS.
A PROGRAM TO SEARCH MEMORY FOR BYTES AND STRINGS, AND WHICH DISPLAYS
MEMORY IN HEX AND ASCII. SEVERAL COMPANIES OFFER PROGRAMS TO DO THIS, BUT A
QUICK-AND-DIRTY ONE WOULDN'T TAKE VERY LONG TO WRITE.
***************************************
MSG LEFT BY: LONG JOHN SILVER
HI HO
THIS IS LONG JOHN SILVER WITH A NEW CRACKING METHOD. IT INVOLVES THAT LITTLE
USED FUNCTION IN THE APPLE CALLED INTERRUPTS, SPECIFICALLY THE NMI (NON
MASKABLE INTERRUPT). NON MASKABLE IS WHAT IT SOUNDS LIKE: THERE IS NO WAY TO
PREVENT ONE FROM SOFTWARE, SO THAT ANY PROGRAM, NO MATTER WHAT IT IS, CAN BE
STOPPED AND FORCED TO JMP TO THE ADDR AT $FFFA. NOW I KNOW A LOT OF YOU OUT
THERE ARE SAYING "SO WHAT, THAT'S JUST WHAT A RESET DOES." WELL, THERE IS ONE
BIG DIFFERENCE: WHEN YOU GENERATE AN INTERRUPT THE 6502 SHOVES THE PROGRAM
COUNTER AND THE STATUS REG. ONTO THE STACK. SO IF YOU HAVE A RAM CARD YOU
WRITE A LITTLE ROUTINE TO GRAB ALL THAT MEMORY FROM $0000 TO $0800 AND SHOVE
IT INTO THE RAM CARD ALONG WITH A,X,Y REGS, SP, WITHOUT ALTERING THE STACK.
THEN PUT THE ADDR OF THIS ROUTINE AT $FFFA, MAKING SURE THAT THIS PROGRAM
WILL NOT GET RUN OVER BY THE MEMORY YOU'RE MOVING. THEN BOOT UP THE
PROTECTED DISK AND AT A GOOD TIME SEND A NMI ON THE BUS.
NOW COMES THE GRUESOME PART THAT YOU HAVE TO DO DIFFERENTLY FOR EVERY DISK
YOU BREAK. YOU MUST SOMEHOW BREAK DOWN THE ENTIRE CONTENTS OF MEMORY AT THE
TIME THE PROGRAM WAS RUNNING AND PUT IT ON DISK SO THAT IT CAN BE LOADED.
THEN YOU HAVE TO WRITE SOME SPECIAL MOVE SUBROUTS TO MOVE EVERYTHING BACK
INTO ITS CORRECT PLACE WITHOUT MESSING UP THE STACK, THEN ADD SOME LINES TO
RESTORE A,X,Y REGS, SP AND PUT A 'RTI' OPCODE AT THE END. RTI STANDS FOR,
YES YOU GUESSED IT, RETURN FROM INTERRUPT; IT RESTORES THE STATUS REG FROM
THE STACK AND DOES AN RTS WHICH CAUSES A RETURN TO THE POINT WHERE THE
PROGRAM STOPPED. THE ADVANTAGE OF USING THE NMI OVER THE RESET IS THAT YOU
DON'T HAVE TO FIGURE OUT THE STARTING ADDR OF THE CRACKED CODE TO BREAK IT.
THE USE OF THE NMI HAS THE SAME LIMITS AS ANY 'GRAB IT FROM MEMORY' TYPE OF
CRACKING WHERE YOU DON'T KNOW WHAT'S CODE, WHAT'S DATA AND WHAT'S GARBAGE.
MANY TIMES YOU MAY RUN INTO A PROBLEM OF NOT BEING ABLE TO LOAD THE ENTIRE
PROGRAM USING DOS WHEN THE PROGRAM IS TOO BIG.
TO GENERATE A NMI OBTAIN A 100-OHM OR NEAR 100-OHM RESISTOR AND CONNECT PIN
29 TO PIN 26 ON ANY SLOT USING THE RESISTOR (A DIAGRAM OF WHICH PIN IS WHICH
CAN BE FOUND ON PAGE 106 OF THE APPLE II REFERENCE MANUAL).
EXAMPLE OF CODE NEEDED :
--------------------------------
MONITOR EQU $FF59
ORG $D000
OBJ $8000
*
* SELECT WRITE TO RAM CARD
* WITHOUT CHANGING ANY REGS
*
BIT $C083
BIT $C083
*
* SAVE ACC,X,Y IN RAM CARD
*
STA $E800
STX $E801
STY $E802
*
* SET UP STARTING ADDR OF MOVE
*
LDA #0
STA LOAD+1
STA LOAD+2
STA STORE+1
LDA #$E0
STA STORE+2
LOAD LDA $FFFF
STORE STA $E000
INC LOAD+1
INC STORE+1
BNE LOAD
INC LOAD+2
INC STORE+2
LDA LOAD+2
CMP #$08
BNE LOAD
*
* WRITE PROTECT RAM CARD
*
LDA $C080
*
* EXIT THROUGH THE MONITOR
*
JMP MONITOR
***************************************
MSG LEFT BY: LONG JOHN SILVER
THE CODE GIVEN DOES NOT SAVE THE
STACK POINTER TO DO SO ADD THESE
LINES AFTER THE LINE THAT IS
STY $E802
NEW CODE :
---------------
TSX
STX $E803
***************************************
***  MR. XEROX CRACKING TIPS I      ***
***  BOOT TRACE CRACKING            ***
***  CRACKING APPLE GALAXIAN        ***
***************************************
NOTE: I CHOSE APPLE GALAXIAN HERE BECAUSE IT IS A WIDELY DISTRIBUTED PROGRAM,
AND IT ENCOMPASSES THE BASIC IDEA AS IN BOOT TRACE CRACKING.
FOR ALL THOSE INTERESTED PIRATES OUT THERE, YES THERE IS ANOTHER WAY TO
CRACK PROGRAMS.
YOU DON'T NEED ANY RAM-CARDS, PROM BURNERS, OR FOREIGN TO REGULAR DOS
PROGRAMS; ANYBODY WHO IS NOT A CLOWN, WITH SOME MACHINE LANGUAGE PROGRAMMING
ABILITY, CAN TRACE A BOOT. THIS METHOD OF CRACKING, TRACING THE BOOT, IS IN
A TRUE SENSE CRACKING THE CODE. YOU SEE, FOR ALL DISKS, THEY MUST FIRST
BOOT UP TO START RUNNING. AFTER THE FIRST STAGE BOOT (AT LOCATION $C600),
THEY JUMP TO A SECOND STAGE BOOT PROGRAM (AT $800), AND THEN TO A THIRD, AND
SOME EVEN A FOURTH, BUT THERE COMES A POINT WHERE THE LOADING OF THE PROGRAM
FROM DISK STOPS, AND THE RUNNING OF THE PROGRAM BEGINS. IF YOU CAN TRACE
THIS, AND STOP IT AFTER IT IS FINISHED LOADING, AND SAVE ALL THE MEMORY
LOCATIONS THAT CONTAIN THE PROGRAM ONTO A NORMAL 3.3 DISK, YOU HAVE CRACKED
THE PROGRAM. TH I S METHOD IS MOST USEFUL FOR CRACKING THE "SINGLE-SHOT"
BOOTING PROGRAMS SUCH AS APPLE PANIC, RASTER BLASTER, AND GORGON. THESE
DISKS DON'T CONTAIN ANY STANDARD DOS, BUT RATHER THEIR OWN. THIS DOS HAS
JUST ONE PURPOSE, AND THAT IS TO LOAD THE PROGRAM INTO THE COMPUTER, FROM
THE DISK, AND START ITS EXECUTION. NOW, THIS IS NOT AS SIMPLE AS IT SOUNDS,
AS THE SOFTWARE PROTECTORS ARE NOT DUMB; THEY TRY TO MAKE IT TOUGH FOR YOU
TO TRACE. HOWEVER, IT IS NOT IMPOSSIBLE, SINCE THE DISK MUST BOOT UP, AND
SINCE IT MUST HAVE SOME BOOTING PROCESS, THAT IS TRACEABLE.
LET ME TRY AND SHOW YOU AN EXAMPLE OF HOW TO TRACE A BOOT OF A PROGRAM. LET
ME SHOW YOU HOW TO TRACE APPLE GALAXIAN. THE FIRST STAGE BOOT STARTS AT
$C600. IF YOU TURN YOUR APPLE ON, AND TYPE "CALL-151 (RETURN)" AND "C600G
(RETURN)", THE DISK WILL PROCEED TO START AND BOOT THE DISK IN THE DRIVE.
THIS IS BECAUSE $C600 CONTAINS THE PROGRAM FOR THE DISK TO BOOT FIRST. IF
YOU EXAMINE THIS PROGRAM BY TYPING "CALL-151 (RETURN)", AND "C600LLLLLLL
(RETURN)", YOU WILL SOON COME ACROSS A JMP $801, NEAR THE END, SPECIFICALLY,
AT $C6F8. THIS IS THE LINK TO THE NEXT STAGE OF THE BOOT. WHAT WE MUST DO IS
ALLOW THE FIRST STAGE TO LOAD IN AT $800, BUT INSTEAD OF LETTING IT RUN
(CONTINUE TO BOOT, AND GO TO $800), STOP THE COMPUTER, AND EXAMINE WHAT IS
AT $800. TO DO THIS LET'S MOVE $C600 DOWN TO $9600. TYPE "CALL-151 (RETURN)"
AND "9600<C600.C700M (RETURN)"; THIS MOVES C600 DOWN FOR YOU. THEN TYPE
"96F8:4C 59 FF (RETURN)"; THIS WILL, INSTEAD OF HAVING THE BOOT GO TO $800,
MAKE IT JUMP TO $FF59 (THE RESET LOCATION). THEN TYPE "9600G". YOUR DISK
SHOULD BOOT UP FOR A SECOND OR SO, AND THEN YOU SHOULD HEAR A BELL, AND THE
MONITOR CURSOR WILL APPEAR AT THE BOTTOM OF THE SCREEN. THE NEXT STEP IS TO
EXAMINE THE BOOT AT LOCATION $800. IF YOU LOOK AT THIS BY TYPING "800L
(RETURN)" YOU WILL SEE THE SECOND STAGE BOOT OF APPLE GALAXIAN. BY TYPING
"800LLLLLLL (RETURN)", YOU CAN SEE WHAT GOES ON NEXT IN THE BOOT STEP. WHAT
HAPPENS NEXT IS THAT IT TAKES THE MEMORY THAT IS STORED AT $800, AND MOVES
IT DOWN TO $200, AND SOME OTHER STUFF, LIKE LOADING THE NEXT STAGE OF THE
BOOT, AND THEN, IF YOU LOOK AT LOCATION $841, YOU WILL SEE A JUMP TO $301.
THIS IS THE NEXT STAGE IN THE BOOT. SO, WE MUST MOVE WHAT IS IN MEMORY UP,
OUT OF $800, BECAUSE THE NEXT TIME WE BOOT THE DISK, THE LOCATIONS AT $800
WILL BE CHANGED, SO TYPE "9800<800.900M (RETURN)", AND THAT WILL DO THE
MOVE. THE NEXT THING TO DO IS TO CHANGE WHAT IS AT $9800, THE STUFF WE JUST
MOVED UP, SO THAT IT WILL RUN AT $9800, INSTEAD OF ITS NORMAL LOCATION OF
$800. TO DO THIS, TYPE "9803:BD 0 98 (RETURN)" AND "9841:4C 01 93 (RETURN)".
THEN TYPE "9301:4C 59 FF", BECAUSE WE CHANGED IT TO RUN AT $9800, AND ALSO
CHANGED IT TO STOP AFTER DOING THIS INSTEAD OF JUMPING TO THE NEXT BOOT
STAGE, AT $300. WE TOLD IT TO JUMP TO $9300, AND AT $9300, WE PUT A JMP
$FF59 (JUMP TO RESET). AND FINALLY, CHANGE THE JMP AT $96F8 FROM $FF59 TO
$9801 BY TYPING "96F8:4C 01 98". NOW AGAIN TYPE $9600G.
THIS TIME, WE ARE ONE STAGE FARTHER. IF YOU NOW MOVE THE STUFF AT $300 UP TO
$9300, AND CHANGE IT TO WORK AT $9300 BY TYPING "9300<300.400M (RETURN)" AND
"9313:AD CC 93 (RETURN)", AND "933C:AD CC 93 (RETURN)", THIS WILL BE
COMPLETED. BUT NOW, THERE IS A PROBLEM. THE JUMP OUT IS AT $9343, AND IT
JUMPS NOT TO THE NEXT STAGE IMMEDIATELY, BUT TO A CERTAIN AMOUNT OF
SUBROUTINES, AND AFTER THEM, THROUGH THE SAME JUMP, JUMPS TO THE NEXT STAGE.
HOW DO WE GET AROUND THAT, YOU ASK? THE ANSWER IS TO WRITE A PROGRAM THAT
CHECKS TO SEE WHERE IT IS JUMPING TO, AND IF IT IS NOT JUMPING TO WHERE IT
NORMALLY JUMPS TO, THEN STOP, BECAUSE WE KNOW THAT THE NEXT JUMP IS NOT TO A
SUBROUTINE, BUT TO THE NEXT STAGE OF THE BOOT. THIS MAY SOUND COMPLICATED,
BUT JUST TYPE THIS ROUTINE IN AT $9400, "9400:A5 3E C9 5D D0 03 6C 3E 00 4C
59 FF", AND "9343:4C 00 94 (RETURN)". THAT WILL TAKE CARE OF THIS STAGE. NOW
CHECK TO SEE THAT YOU HAVE TYPED IN EVERYTHING CORRECTLY, AND THEN TYPE
"9600G", TO RESTART THE BOOT.
NOW, THE DISK SPINS FOR A LITTLE WHILE LONGER, AND THEN IT STOPS. WE HAVE
COME TO THE LAST STEP OF THIS BOOT PROCESS. THIS STEP LOADS THE PROGRAM IN
FROM DISK, AND THEN JUMPS TO THE BEGINNING OF IT. BY TYPING "93CC (RETURN)",
THE COMPUTER WILL DISPLAY THE PAGE-1 OF THE NEXT STAGE BOOT. IT WILL DISPLAY
"B6", AND YOU ADD ONE TO IT, AND GET $B7, SO TYPE "B700L". AND PRESTO, WE
HAVE THE NEXT STAGE OF THIS BOOT. THIS BOOT FROM HERE DOES THE PROGRAM
LOADING, ALONG WITH TURNING ON THE GRAPHICS, AND JUMPS TO THE BEGINNING OF
IT. IF YOU CAN SEE IT, THE BEGINNING OF IT IS AT $600, AND THERE IS A JUMP
TO $600 AT LOCATION $B759. SO, ALL WE HAVE TO DO IS TO HAVE IT DO ALL THE
LOADING, AND INSTEAD OF HAVING IT JUMP TO $600, STOP IT THERE. BUT THERE IS
A PROBLEM CONNECTED WITH THIS (AREN'T THERE ALWAYS!). THE PROBLEM IS THAT IF
WE STOP IT HERE, LOCATION $600 IS IN TEXT VIDEO MEMORY, SO WE MUST NOT HAVE
IT JUMP TO $FF59 (STOP), BUT JUMP TO A ROUTINE THAT RELOCATES EVERYTHING
FROM $0000-$0800, AND THEN STOP. I WILL PROVIDE YOU WITH THIS. JUST TYPE
"B500:A2 00 B5 00 9D 00 20 BD 00 01 9D 00 21 BD 00 02 9D 00 22 BD 00 03 9D
00 23 BD 00 04 9D 00 24 BD 00 05 9D 00 25 BD 00 06 9D 00 26 BD 00 07 9D 00
27 E8 D0 CE 4C 59 FF (RETURN)". THIS WILL TAKE CARE OF MOVING EVERYTHING
FROM $0-$800 TO $2000-$2800. BUT NOW CHANGE $B759 TO JUMP TO THIS SMALL
PROGRAM BY TYPING "B759:4C 00 B5", BUT WE ALSO HAVE TO CHANGE SOME OTHER
LOCATIONS. LOCATION $93CC MUST BE CHANGED TO $D6, SO TYPE "93CC:D6
(RETURN)", AND INSTEAD OF JUMPING TO $FF59 AT $8409, AND STOPPING AT THAT
STAGE OF THE BOOT, JUMP TO THE BEGINNING OF THIS BOOT AT $B700, BY TYPING
"9409:4C 00 B7 (RETURN)". THAT TAKES CARE OF MOST ALL PREPARATIONS FOR THE
FINAL CRACK. NOW CHECK TO SEE THAT YOU HAVE TYPED IN EVERYTHING CORRECTLY,
AND IF YOU ARE READY, TYPE "9600G".
IF EVERYTHING WORKED CORRECTLY, IT SHOULD BOOT UP FOR ABOUT 10 SECONDS, AND
YOU SHOULD SEE THE HI-RES PICTURE LOADING IN, AND THEN YOUR SPEAKER SHOULD
BEEP, AND YOU SHOULD SEE, ON THE SCREEN, A BUNCH OF LETTERS. IF THIS DIDN'T
HAPPEN, CHECK ALL THESE STEPS, AND REPEAT THE PROCESS. IF IT HAS, THEN YOU
ARE JUST ABOUT FINISHED. IF YOU WANT TO CHECK TO SEE IF IT HAS WORKED,
ASSEMBLE THIS PROGRAM, AND TYPE IT IN AT $B560; IF NOT, GO ON TO THE NEXT
STEP.
        OBJ $B560
BEGIN   LDX #$00
AGAIN   LDA $2000,X
        STA $00,X
        LDA $2100,X
        STA $100,X
        LDA $2200,X
        STA $200,X
        LDA $2300,X
        STA $300,X
        LDA $2400,X
        STA $400,X
        LDA $2500,X
        STA $500,X
        LDA $2600,X
        STA $600,X
        LDA $2700,X
        STA $700,X
        INX
        BNE AGAIN      ;LOOP
        JMP $0600      ;BEGINNING OF PGM

NOW BOOT UP A NORMAL DOS DISK, AND SAVE EVERYTHING FROM $2000-$2800,
WHICH REPRESENTS LOCATIONS $0-$8 MOVED UP BY $2000. YOU SHOULD THEN
REPEAT THE WHOLE BOOT TRACE, AND PROCEED TO THE NEXT STEP. EXAMINE THE
MEMORY OF YOUR APPLE; YOU SHOULD SAVE ALL THE INFORMATION FROM
$800-$A000 ON A NORMAL DOS DISK, THEN LINK THE FILES THAT YOU HAVE
SAVED ON THE DOS DISK TOGETHER, AND MAKE THE FILE A B-RUNNABLE FILE
THAT LOADS EVERYTHING IN, MOVES THE $00-$800 IMAGE BACK DOWN IN MEMORY,
AND THEN JUMPS TO LOCATION $600, THE BEGINNING OF THE PROGRAM.

IF YOU HAVE ANY QUESTIONS ON THIS, YOU MAY MAIL THEM TO ME. ALSO, I
HAVE RECENTLY CRACKED MANY GOOD PROGRAMS SUCH AS STAR BLAZER, TWERPS,
SNAKE BYTE, GUARDIAN, FOOSBALL, DUNG BEETLES, AND LOCKSMITH 4.1. IF YOU
ARE IN NEED OF ANY OF THESE, LEAVE ME MAIL ON THIS BOARD. LOOK FOR SOME
NEW ARTICLES SOON ON HOW TO CRACK OTHER PROGRAMS, AND UNTIL THEN KEEP
ON CRACKING!
IF ANY ONE OF YOU ARE UNFAMILIAR WITH HOW TO SAVE EVERYTHING, AND YOU
NEED SOME HELP, HERE IS HOW TO DO IT: FOLLOW THE DIRECTIONS FOR TRACING
THE BOOT, AND TYPE "2800<9600.A000M (RETURN)" AND "3200<800.900M
(RETURN)". ALSO, WE NEED A PROGRAM TO MOVE EVERYTHING THAT WE JUST
RELOCATED BACK INTO ITS ORIGINAL LOCATION. SO WE NEED A PROGRAM LIKE
THIS:
        ORG $3400
        LDX #$00
LOOP1   LDA $2000,X
        STA $00,X
        LDA $2100,X
        STA $100,X
        LDA $2200,X
        STA $200,X
        LDA $2300,X
        STA $300,X
        LDA $2400,X
        STA $400,X
        LDA $2500,X
        STA $500,X
        LDA $2600,X
        STA $600,X
        LDA $2700,X
        STA $700,X
        NOP
        LDA $3200,X
        STA $800,X
        LDA $3300,X
        STA $900,X
        NOP
        LDA $2800,X
        STA $9600,X
        LDA $2900,X
        STA $9700,X
        LDA $2A00,X
        STA $9800,X
        LDA $2B00,X
        STA $9900,X
        LDA $2C00,X
        STA $9A00,X
        LDA $2D00,X
        STA $9B00,X
        LDA $2E00,X
        STA $9C00,X
        LDA $2F00,X
        STA $9D00,X
        LDA $3000,X
        STA $9E00,X
        LDA $3100,X
        STA $9F00,X
        NOP
        INX
        BNE LOOP1
        LDA $C057
        LDA $C054
        LDA $C052
        LDA $C050      ;GRAPHICS
        JMP $600       ;BGN OF PGM.
THIS TIME, I WILL ASSEMBLE IT FOR YOU. ALL YOU HAVE TO DO IS TYPE
"3400:A2 0 BD 00 20 95 00 BD 00 21 9D 00 01 BD 00 22 9D 00 02 BD 00 23
9D 0 03 BD 00 24 9D 0 4 BD 0 25 9D 0 5 BD 0 26 9D 0 6 BD 0 27 9D 0 7 EA
(RETURN)" AND "3432:BD 0 32 9D 0 8 BD 0 33 9D 0 9 EA (RETURN)" AND
"343F:BD 0 28 9D 0 96 BD 0 29 9D 0 97 BD 0 2A 9D 0 98 BD 0 2B 9D 0 99
BD 00 2C 9D 0 9A BD 0 2D 9D 0 9B BD 0 2E 9D 0 9C BD 0 2F 9D 0 9D BD 0
30 9D 0 9E BD 0 31 9D 0 9F (RETURN)" AND "347B:E8 D0 84 EA AD 57 C0 AD
54 C0 AD 52 C0 AD 50 C0 EA 4C 00 06 (RETURN)". THIS WILL TAKE CARE OF
THE SMALL PROGRAM THAT WE NEED TO MOVE EVERYTHING BACK. BUT WE ALSO
NEED TO PUT A JMP $3400 IN THE BEGINNING, BECAUSE WHEN IT BRUNS, IT
MUST JUMP TO THIS SMALL PROGRAM FIRST. NOW YOU CAN BOOT UP YOUR 3.3
DISK, AND TYPE "CALL-151 (RETURN)", "9FD:4C 00 34 (RETURN)", "A964:FF
(RETURN)", AND "BSAVE GALAXIAN,A$9FD,L$8C03 (RETURN)", AND NOW YOU ARE
FINISHED.
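The two relocation loops above were hand-assembled, and the only bytes that depend on where the loop lives are the BNE displacements ($D0 CE at $B532 and $D0 84 at $347C). The following is an added example, not code from the article: a small Python walker that knows only the opcodes these listings use, resolves every BNE to its absolute target, and recomputes the displacement byte, so a loop moved to a new address can be checked before it is typed in. The names OPCODES, load_entries, branch_offset, walk and branches are mine; the two monitor entries are copied from the article.

```python
# Added example (not from Mr. Xerox's article): a tiny walker for the
# hand-assembled monitor entries above. It knows only the opcodes those
# listings use, resolves every BNE to an absolute target, and recomputes
# branch bytes, so a loop relocated to a new address can be checked
# against the bytes typed in at $B500 and $3400.

# Opcode -> (mnemonic, instruction length). Only what the listings need.
OPCODES = {
    0xA2: ("LDX #", 2),    0xA9: ("LDA #", 2),     0xA5: ("LDA zp", 2),
    0xB5: ("LDA zp,X", 2), 0xBD: ("LDA abs,X", 3), 0xAD: ("LDA abs", 3),
    0x85: ("STA zp", 2),   0x95: ("STA zp,X", 2),  0x9D: ("STA abs,X", 3),
    0x8D: ("STA abs", 3),  0xC9: ("CMP #", 2),     0xE8: ("INX", 1),
    0xEA: ("NOP", 1),      0xD0: ("BNE", 2),       0x4C: ("JMP abs", 3),
    0x6C: ("JMP (ind)", 3),
}


def load_entries(entries):
    """Apply monitor-style 'ADDR:BB BB ...' entries to a sparse memory dict."""
    mem = {}
    for entry in entries:
        addr_text, _, byte_text = entry.partition(":")
        addr = int(addr_text, 16)
        for b in byte_text.split():
            mem[addr] = int(b, 16)
            addr += 1
    return mem


def branch_offset(branch_addr, target):
    """Displacement byte for a branch at branch_addr to target.
    The 6502 adds the signed offset to the address of the *next* instruction."""
    delta = target - (branch_addr + 2)
    if not -128 <= delta <= 127:
        raise ValueError(f"branch ${branch_addr:04X} -> ${target:04X} out of range")
    return delta & 0xFF


def walk(mem, start):
    """Decode contiguous instructions from start as [(addr, mnemonic, operand)].
    Branch operands are returned already resolved to the absolute target."""
    listing, pc = [], start
    while pc in mem:
        mnemonic, length = OPCODES[mem[pc]]      # KeyError: opcode not modelled
        operands = [mem[pc + i] for i in range(1, length)]
        if length == 1:
            operand = None
        elif mnemonic == "BNE":
            signed = operands[0] - 256 if operands[0] & 0x80 else operands[0]
            operand = (pc + 2 + signed) & 0xFFFF
        elif length == 2:
            operand = operands[0]
        else:
            operand = operands[0] | (operands[1] << 8)
        listing.append((pc, mnemonic, operand))
        pc += length
    return listing


def branches(mem, start):
    """[(branch_addr, target)] for every BNE reached from start."""
    return [(a, t) for a, m, t in walk(mem, start) if m == "BNE"]


# The page-0..7 rescue routine exactly as the article has it typed in at $B500.
GALAXIAN_B500 = [
    "B500:A2 00 B5 00 9D 00 20 BD 00 01 9D 00 21 BD 00 02 9D 00 22 BD 00 03 "
    "9D 00 23 BD 00 04 9D 00 24 BD 00 05 9D 00 25 BD 00 06 9D 00 26 BD 00 07 "
    "9D 00 27 E8 D0 CE 4C 59 FF",
]

# The assembled move-everything-back program as typed in at $3400.
GALAXIAN_3400 = [
    "3400:A2 0 BD 00 20 95 00 BD 00 21 9D 00 01 BD 00 22 9D 00 02 BD 00 23 "
    "9D 0 03 BD 00 24 9D 0 4 BD 0 25 9D 0 5 BD 0 26 9D 0 6 BD 0 27 9D 0 7 EA",
    "3432:BD 0 32 9D 0 8 BD 0 33 9D 0 9 EA",
    "343F:BD 0 28 9D 0 96 BD 0 29 9D 0 97 BD 0 2A 9D 0 98 BD 0 2B 9D 0 99 "
    "BD 00 2C 9D 0 9A BD 0 2D 9D 0 9B BD 0 2E 9D 0 9C BD 0 2F 9D 0 9D "
    "BD 0 30 9D 0 9E BD 0 31 9D 0 9F",
    "347B:E8 D0 84 EA AD 57 C0 AD 54 C0 AD 52 C0 AD 50 C0 EA 4C 00 06",
]

if __name__ == "__main__":
    for name, entries, start in (("B500", GALAXIAN_B500, 0xB500),
                                 ("3400", GALAXIAN_3400, 0x3400)):
        mem = load_entries(entries)
        for addr, mnemonic, operand in walk(mem, start):
            shown = "" if operand is None else f"${operand:04X}"
            print(f"{name}: {addr:04X}  {mnemonic:10s} {shown}")
```

Running it lists both routines and shows that the $B500 loop branches back to AGAIN at $B502 and the $3400 loop to LOOP1 at $3402, matching the bytes the article gives; branch_offset is the arithmetic to redo if either routine is placed somewhere else.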
***************************************
***   MR. XEROX'S CRACKING TIPS II  ***
**       CRACKING SPACE RAIDERS      **
**       BOOT-TRACE CRACKING         **
***************************************
SPACE RAIDERS, BY PAUL LUTUS OF USA, IS A PRETTY CRUMMY GAME IN MY
OPINION, BUT IT IS VERY EASY TO CRACK. ITS BOOT CONTAINS ONLY ONE
STAGE, AND THE PROTECTION AGAINST CRACKING IT IS MINIMAL. IT SHOULD
GIVE YOU ANOTHER BASIC EXAMPLE OF HOW TO "BOOT TRACE" CRACK PROGRAMS.

IF YOU REMEMBER FROM THE LAST CRACKING TIPS ARTICLE, THE FIRST STAGE
BOOT IS AT $C600. AT $C6F8, THE BOOT PROCEEDS TO $801, THE NEXT STAGE
OF THE BOOT. SO, WHAT WE MUST DO IS HAVE IT LOAD THE SECOND STAGE BOOT
IN, STOP, AND THEN EXAMINE IT FOR THE JUMP TO THE NEXT STAGE, OR THE
START OF THE PROGRAM. LET'S START BY MOVING THE BOOT FROM $C600 DOWN IN
MEMORY TO $9600. TO DO THIS, TYPE "9600<C600.C700M (RETURN)". THIS
WILL DO THE MOVE, AND NOW WE MUST HAVE IT STOP THERE INSTEAD OF GOING
ON TO $801, SO TYPE "96F8:4C 59 FF (RETURN)". NOW WE ARE READY TO
INITIATE THE FIRST STAGE OF THE BOOT, AND WE DO SO BY TYPING "9600G
(RETURN)". THE DRIVE WOULD GO FOR A SPLIT SECOND, AND THEN THE MONITOR
CURSOR SHOULD APPEAR IN THE LOWER LEFT CORNER OF THE SCREEN. IF THIS
HAS NOT HAPPENED, REPEAT THESE STEPS. NOW WE CAN EXAMINE THE NEXT STAGE
OF THE BOOT.
TYPE "801LLL" TO SEE THE NEXT STAGE OF THE BOOT. IF YOU EXAMINE IT, AND
TRACE IT IN YOUR BRAIN (REMEMBER, YOU HAVE ONE, NOT LIKE SOME BOZOS),
SOON YOU WILL SEE A JMP $4000, AND THAT IS THE END OF THIS BOOT. AFTER
IT LOADS EVERYTHING IN, IT THEN JUMPS TO THE STUFF IT HAS JUST LOADED
IN, WHICH IS AT $4000. $4000 JUST HAPPENS TO BE THE BEGINNING OF THE
PROGRAM. SO NOW THAT WE HAVE THIS STAGE IN, WE MUST MOVE IT UP IN
MEMORY, AND CHANGE ITS JMP FROM $4000 TO $FF59, TO STOP IT THERE, AND
ALLOW US TO SAVE EVERYTHING ONTO A NORMAL 3.3 DISK. YOU CAN DO THAT BY
TYPING "9800<800.900M (RETURN)", "9885:4C 59 FF (RETURN)" AND "96F8:4C
01 98 (RETURN)". THEN, REBOOT THE DISK BY TYPING "9600G".
NOW, WHEN THE MONITOR CURSOR APPEARS AT THE BOTTOM OF THE SCREEN AGAIN,
WE KNOW THAT THE BOOT IS FINISHED. YOU CAN CHECK TO SEE IF THE PROGRAM
RUNS BY NOW TYPING "4000G". BUT WAIT, WHAT HAPPENED? THE SCREEN FILLED
UP WITH A BUNCH OF INVERSE '@'S. THIS IS THEIR PROTECTION FROM LETTING
YOU STOP IT AND THEN TYPING $4000G. YOU SEE, WHEN AT LOCATION $9885,
WHERE WE HAD THE JUMP TO $FF59, THE RESET LOCATION, THE BOOT PROCEEDED
TO JUMP TO THAT LOCATION IN ROM. BUT AT THAT PROGRAM IN ROM, THE VALUES
OF CERTAIN ZERO PAGE LOCATIONS WERE CHANGED. ONE OF THE LOCATIONS THAT
IT CHANGED WAS LOCATION $21. IF YOU LOOK AT THE SECOND STAGE BOOT
AGAIN, AND LOOK AT THE TWO COMMANDS JUST BEFORE THE JUMP TO $FF59, YOU
WILL SEE SOMETHING LIKE:
        LDA #$26
        STA $21
        JMP $FF59
CAN YOU SEE THAT IF YOU REPEAT THE WHOLE BOOT THAT I JUST EXPLAINED,
AND INSTEAD OF TESTING IT IMMEDIATELY BY TYPING "4000G (RETURN)", TYPE
"21:26 (RETURN)" AND THEN "4000G", IT WILL RUN? IF YOU HAVE NOT TESTED
IT, THEN YOU HAVE MY GUARANTEE THAT IT WILL. YOU SEE, SOMEWHERE IN THE
PROGRAM THAT STARTS AT $4000, IT CHECKS TO SEE IF THERE IS A #$26 IN
LOCATION $21. IF THERE IS NOT, THEN IT WILL CRAP OUT; IF THERE IS, THEN
IT WILL RUN.

NOW WE ARE JUST ABOUT FINISHED. WE JUST NEED A SMALL PROGRAM THAT WILL
GO BEFORE THE PROGRAM AT $4000, THAT WILL PUT A #$26 INTO LOCATION $21.
SO TYPE "3FF0:A9 26 85 21 4C 00 40 (RETURN)". THIS SMALL PROGRAM LOOKS
LIKE:
        LDA #$26
        STA $21
        JMP $4000
THEN BOOT UP A NORMAL DISK, AND DO A BSAVE LIKE THIS: "BSAVE SPACE
RAIDERS,A$3FF0,L$4100", AND YOU WILL BE FINISHED.
***************************************
***  MR. XEROX'S CRACKING TIPS III  ***
**        BOOT TRACE CRACKING        **
**        CRACKING BUG ATTACK        **
**   AND DEFEATING A NIBBLE COUNT    **
***************************************
IF YOU HAVE READ MY LAST TWO ARTICLES, YOU SHOULD BE AT LEAST FAMILIAR
WITH HOW TO "BOOT-TRACE" CRACK PROGRAMS. IF YOU HAVE NOT READ EITHER,
THEN YOU WILL BE COMPLETELY LOST IN THIS ONE, SO GET A HOLD OF ONE OF
THEM, AND STUDY IT BEFORE PROCEEDING WITH THIS ONE. APPLE GALAXIAN AND
SPACE RAIDERS WERE FAIRLY EASY TO CRACK, BUT NOW COME THE TOUGHER ONES.
THE PROTECTORS CAN MAKE THINGS COMPLICATED BY ADDING NIBBLE COUNTS TO
THE SOFTWARE. IF ANY OF YOU ARE NOT FAMILIAR WITH WHAT A NIBBLE COUNT
IS, IT IS A CERTAIN TRACK THAT CONTAINS A SPECIFIC AMOUNT OF A CERTAIN
BYTE. THE PROGRAM THAT IS PROTECTED ON THE DISK, SOMETIME DURING ITS
RUN, GOES BACK TO DISK TO READ ALL OF THESE NIBBLES BACK. IF THE
PROGRAM DOESN'T FIND THESE BYTES, OR THE RIGHT NUMBER OF THEM, IT WILL
CRAP OUT. BUG ATTACK IS ONE OF THESE PROGRAMS. AFTER THE TITLE PAGE
COMES ON, AND THERE IS THE EXPLOSION OF DOTS, IT WAITS FOR YOU TO PRESS
A KEY, OR PUSH A BUTTON. AFTER YOU PRESS A KEY, IT GOES BACK TO DISK
AND DOES A NIBBLE COUNT. IF IT CAN READ ALL THESE NIBBLES, AND
EVERYTHING CHECKS OUT, IT WILL CONTINUE WITH THE GAME. BUT IF IT
DOESN'T, WELL, YOU'RE IN TROUBLE. SO, IF THIS IS TO BE CRACKED AND PUT
ONTO A NORMAL 3.3 DISK THAT CONTAINS NO TRACK DEDICATED TO CONTAINING
THOSE BYTES THAT SHOULD BE READ, WE WILL NEED TO DEFEAT THE NIBBLE
COUNT. LET'S FIRST CRACK THE PROGRAM, AND THEN I WILL LATER SHOW YOU
HOW TO DEFEAT THIS SPECIFIC COUNT.
TO CRACK THIS, FIRST TURN YOUR APPLE ON, AND PRESS "RESET" TO STOP THE
DRIVE FROM BOOTING THE DISK, AND GET INTO THE MONITOR BY TYPING
"CALL-151 (RETURN)" IF YOU HAVE AN APPLE II PLUS. IF YOU HAVE AN APPLE
II, THEN BY PRESSING RESET YOU WILL AUTOMATICALLY BE PLACED INTO THE
MACHINE LANGUAGE MONITOR. THEN TYPE "8600<C600.C700M (RETURN)" TO MOVE
THE BOOT FROM THE PROM INTO RAM, "86F8:4C 01 88 (RETURN)" TO MAKE THE
BOOT CONTINUE AT LOCATION $8801 INSTEAD OF $801, AND "8801:4C 59 FF
(RETURN)" TO FORCE THE BOOT TO STOP HERE INSTEAD OF CONTINUING IN
MEMORY. THEN START IT UP BY TYPING "8600G (RETURN)". NOW MOVE THE
SECOND STAGE THAT IS AT $800 UP TO $8800 BY TYPING "8800<800.900M
(RETURN)", AND MODIFY IT SO IT WILL RUN AT $8800 BY TYPING "8803:BD 00
88 (RETURN)" AND "8841:4C 01 83 (RETURN)", THEN TYPE "8301:4C 59 FF",
AND FINALLY REBOOT BY TYPING "8600G (RETURN)" AGAIN. NOW WE ARE AT THE
THIRD STAGE THAT IS AT $300, SO MOVE THAT STUFF UP TO $8300 BY TYPING
"8300<300.400M (RETURN)" AND MODIFY THIS STUFF TO RUN AT $8300 BY
TYPING "8313:AD CC 83 (RETURN)", "833C:AD CC 83 (RETURN)" AND "8343:4C
0 84 (RETURN)". NOW WE WILL RUN INTO THE SAME TROUBLE THAT WE HAD IN
GALAXIAN, IN THAT THE JUMP OUT OF THIS STAGE IS NOT IMMEDIATE, BUT ONLY
AFTER MANY JUMPS TO A CERTAIN SUBROUTINE, SO WE NEED THAT PROGRAM AT
$8400 AGAIN THAT CHECKS TO SEE IF IT IS GOING TO THE SUBROUTINE, OR TO
THE BEGINNING OF THE PROGRAM. IF IT IS GOING TO THE SUBROUTINE, THEN
LET IT CONTINUE; IF NOT, THEN STOP. SO TYPE "8400:A5 3E C9 D5 D0 03 6C
3E 00 4C 59 FF (RETURN)", AND REBOOT AGAIN BY TYPING "8600G (RETURN)".
NOW TO FIND OUT WHERE THE NEXT STAGE JUST LOADED IN, TYPE "83CC
(RETURN)". YOU WILL SEE AN $A1, SO ADD ONE TO THAT AND YOU GET $A2, SO
TYPE "A200L (RETURN)". WE ARE NOW AT THE FINAL STAGE OF THE BOOT.
IN THIS STAGE, THE BOOT TURNS ON THE GRAPHICS, LOADS THE PROGRAM, AND
JUMPS TO THE BEGINNING OF IT. IF YOU TYPE "L" A FEW TIMES, YOU WILL
COME ACROSS A POINT WHERE THIS STAGE ENDS, AND THE JUMP TO THE
BEGINNING OF THE PROGRAM IS LOCATED. THE JUMP IS AT LOCATION $A2F8, AND
IT IS AN INDIRECT ONE TO $1FF. IF YOU DON'T KNOW, AN INDIRECT JUMP TO
$1FF DOESN'T JUMP TO THE LOCATION THAT $1FF AND $200 POINT TO, BUT TO
THE LOCATION THAT $1FF AND $100 POINT TO. SO, TO FIND OUT WHERE THIS
JUMP IS TO, TYPE "A2F8:4C 59 FF (RETURN)", "8409:4C 00 A2 (RETURN)" AND
"83CC:D2 (RETURN)", AND FINALLY REBOOT BY TYPING "8600G (RETURN)". NOW
WE CAN EXAMINE LOCATION $100 BY TYPING "100 (RETURN)" AND LOCATION $1FF
BY TYPING "1FF (RETURN)". FROM THIS INFORMATION YOU NOW KNOW THAT THE
JUMP IS TO LOCATION $4D36.
YOU HAVE NOW CRACKED THE PROGRAM, BUT ONE MORE MAJOR OBSTACLE REMAINS
IN OUR WAY. THE PROGRAM CONTAINS A NIBBLE COUNT. IF YOU BOOT THE
ORIGINAL AND PRESS BUTTON (0), YOU WILL SEE THAT IT GOES BACK TO DISK
FOR A SECOND AND DOES THE COUNT. SO THE WAY TO GET RID OF THE NIBBLE
COUNT IS TO FIND WHERE IT IS IN MEMORY, AND JUST AVOID IT WHEN THE
PROGRAM IS RUN. I HAVE EXAMINED THE PROGRAM AND FOUND THAT AFTER THE
TITLE PAGE IS DISPLAYED, AND THE DOT GRAPHICS EXPLOSION TAKES PLACE,
THERE IS A JUMP AT $4E24 THAT GOES TO THE NIBBLE COUNT ROU{}TINE AT
$4A33. AFTER THE NIBBLE COUNT IS DONE, THERE IS A JUMP OUT OF IT AT
$4A88. THIS JUMP IS TO THE BEGINNING OF THE GAME, LOCATION $494A. NOW,
WE CAN MODIFY THE WHOLE NIBBLE ROUTINE AT $4A33 JUST TO SKIP TURNING ON
THE DRIVE AND JUMP DIRECTLY TO THE BEGINNING OF THE PROGRAM, BUT, LIKE
ALWAYS, THEY (THE PROTECTORS) HAVE STEALTHILY HIDDEN A ROUTINE IN THE
MIDDLE OF THE GAME THAT CHECKS TO SEE IF THE NIBBLE COUNT ROUTINE HAS
BEEN CHANGED IN ANY WAY. IF IT HAS, THEN THE PROGRAM WILL CRAP OUT; IF
NOT, THEN IT WILL CONTINUE WITH THE GAME. PRETTY SNEAKY OF THE
PROTECTORS, HUH? (THOSE LOW-LIFE ROTTEN BASTARDS WHO MAKE EVERYTHING SO
G-DDAM TOUGH). SO TO GET AROUND THIS PROBLEM, WE MUST SIMPLY TAKE THE
JUMP AT $4E24 THAT SAYS TO GO TO THE NIBBLE COUNT PART AT $4A33, AND
CHANGE IT TO JUMP TO THE BEGINNING OF THE PROGRAM AT $49A4. SO MAKE THE
CHANGE BY TYPING "4E24:4C 49 A4 (RETURN)".
AFTER THIS CHANGE HAS BEEN MADE, THE PROGRAM IS IN A FORM ABLE TO BE
SAVED TO A NORMAL 3.3 DISK. DON'T FORGET TO SAVE PAGES $0-$8 WITH THE
REST OF THE FILE, AND LOAD THEM BACK INTO MEMORY WHEN YOU BLOAD THE
FILE BACK IN NORMAL 3.3 DOS. IF YOU HAVE JUST READ ALL THIS, AND YOU
DON'T BELIEVE THAT IT WILL ALL WORK, TRY THIS. HERE IS A PROGRAM THAT
WILL DO THE NIBBLE COUNT CHANGES AND WILL SHOW YOU THAT THE NIBBLE
COUNT WAS REALLY DEFEATED.
        ORG $A800
START   STA $AF00      ;STA TEMP
        LDA #$4C       ;JMP BYTE
        STA $4E24      ;JMP LOCATION
        LDA #$A4       ;LOW BYTE
        STA $4E25      ;JMP LOCATION+1
        LDA #$49       ;HIGH BYTE
        STA $4E26      ;JMP LOCATION+2
        LDA $AF00      ;GET OLD A VAL BACK
        JMP $4D36      ;BEGINNING OF THE PROG
                       ;THIS WILL DO THE JMP
                       ;TO PROVE THE DEFEAT
                       ;OF THE NIBBLE COUNT.
THE ASSEMBLED VERSION IS "A800:8D 00 AF A9 4C 8D 24 4E A9 A4 8D 25 4E
A9 49 8D 26 4E AD 00 AF 4C 36 4D (RETURN)", AND WE NEED TO JUMP TO THIS
LOCATION INSTEAD OF ($1FF), SO TYPE "A2F8:4C 00 A8 (RETURN)". THIS MUST
BE DONE IN THE BOOT TRACE INSTEAD OF ENTERING "A2F8:4C 59 FF". WHEN YOU
RUN THE BOOT, THE GAME WILL PROCEED NORMALLY, BUT THE DISK WILL NEVER
BE ACCESSED, AND THUS WE HAVE DEFEATED THE NIBBLE COUNT!
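The article's remark about JMP ($1FF) is a real hardware quirk of the NMOS 6502 used in the Apple II, and it is worth seeing in code. The following is an added example, not code from the article: a Python function that computes the effective address of an indirect JMP the way the NMOS part does (the high byte of the pointer is fetched from the same page, so $1FF pairs with $100 rather than $200), with a switch for the later 65C02, which reads the next page. The memory image, the names indirect_jmp_target and crosses_page, and the $99 decoy byte at $200 are mine; only the $4D36 result comes from the article.

```python
# Added example, not from Mr. Xerox's article: the effective address of an
# indirect JMP on the NMOS 6502 in an Apple II, including the page-wrap
# quirk the article describes for JMP ($1FF). The CPU fetches the pointer's
# high byte from (pointer + 1) with the page number left alone, so $1FF is
# paired with $100, not $200. The later 65C02 reads the next page instead;
# nmos=False shows that behaviour for comparison. The memory contents below
# are constructed; only the $4D36 result is the one the article reports.

def indirect_jmp_target(mem, pointer, nmos=True):
    """Return the 16-bit address that JMP (pointer) transfers control to.

    mem: any mapping from 16-bit address to byte value.
    """
    pointer &= 0xFFFF
    low = mem[pointer]
    if nmos:
        high_addr = (pointer & 0xFF00) | ((pointer + 1) & 0x00FF)   # stays in page
    else:
        high_addr = (pointer + 1) & 0xFFFF                         # 65C02: next page
    return low | (mem[high_addr] << 8)


def crosses_page(pointer):
    """True when JMP (pointer) is affected by the NMOS wrap (pointer ends in $FF)."""
    return (pointer & 0xFF) == 0xFF


SAMPLE_MEM = {
    0x01FF: 0x36,   # low byte of the target the article finds
    0x0100: 0x4D,   # high byte the NMOS 6502 actually uses
    0x0200: 0x99,   # constructed decoy: what a non-wrapping read would pick up
    0x003E: 0x5D,   # constructed $3E/$3F vector for a JMP ($3E) that does not wrap
    0x003F: 0x93,
}

if __name__ == "__main__":
    for label, ptr, nmos in (("NMOS JMP ($1FF)", 0x1FF, True),
                             ("65C02 JMP ($1FF)", 0x1FF, False),
                             ("NMOS JMP ($3E)", 0x3E, True)):
        print(f"{label:18s} -> ${indirect_jmp_target(SAMPLE_MEM, ptr, nmos):04X}")
```

The same function covers the JMP ($3E) used by the stage-three checker routine earlier in the article: with a pointer that does not end in $FF both CPU generations agree, which is why only the $1FF case needs the special reading.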
MSG LEFT BY: TRYSTAN II
THIS AND THE FOLLOWING MESSAGE ARE BOTH FORMATTED FOR 80 COLUMNS. BE
SURE TO USE THE VIDEO COMMAND TO CHANGE YOUR SCREEN WIDTH!
THRESHOLD IS THE FIRST GAME PROGRAM WHICH USES DISK ACCESS DURING PLAY
THAT I HAVE BEEN ABLE TO CRACK. I HOPE THE TECHNIQUE DESCRIBED BELOW
WILL ENABLE SOME OF THE OTHER DISK-BASED GAMES TO UNFOLD THEIR MANIFEST
CHARMS TO THE WORLD OF DOS 3.3!
FIRST, THE SIMPLE PART--THAT OF GETTING THE MAIN CODE INTO A NORMAL DOS
3.3 BINARY FILE:

1) BOOT THRESHOLD NORMALLY. WHEN YOU GET TO THE POINT WHERE IT ASKS YOU
   WHETHER YOU WANT TO USE PADDLES OR KEYBOARD, PRESS RESET. THIS IS
   WHERE THE GAME WILL START ONCE IT'S BROKEN. THE LOGO IS NICE, BUT
   USELESS, AND, SINCE THRESHOLD USES RAM FROM $800 TO $B600, YOU DON'T
   HAVE ROOM TO LOAD IT WITH NORMAL DOS.

2) YOU NOW HAVE TO SAVE EVERYTHING IN MEMORY FROM 0 TO $98FF, EXCEPT
   FOR HI-RES PAGE 1 ($2000-$3FFF). SAVING PAGES 0-7 IS THE HARDEST,
   SINCE RESET LIKES TO WALK ALL OVER VARIOUS PARTS OF IT. BECAUSE OF
   THIS, YOU NEED TO USE SOMETHING TO RELOCATE THE FIRST 8 PAGES OF
   MEMORY UP TO A LOCATION LIKE $1000 OR SO, WHICH WILL ENABLE YOU TO
   RE-BOOT NORMAL DOS WITHOUT WIPING IT OUT. I USED MASTER KEY+ TO SAVE
   ALL THE PARTS, INCLUDING PAGES 0-7. FROM WHAT I GATHER, ONE OF THE
   TWO CRACKING ROMS IN THE DOWNLOAD SECTION WILL ALSO RELOCATE PAGES
   0-7 UPON HITTING RESET.

3) ONCE YOU HAVE SAVED PAGES 0-7, YOU NEED TO RE-BOOT THRESHOLD IN
   ORDER TO SAVE PAGES 8 THRU $97 ($800-$97FF). THIS IS A BIT EASIER,
   BUT YOU HAVE TO REMEMBER TO MOVE PAGE 8 OUT OF THE WAY BEFORE YOU
   RE-BOOT NORMAL DOS BECAUSE IT GETS CLOBBERED. YOU SHOULD DO THIS IN
   TWO STAGES IN ORDER TO MAKE THE RELOCATION PROCESS (DESCRIBED BELOW)
   EASIER. I FIRST SAVED $800-$1FFF, THEN RE-BOOTED THRESHOLD, AND
   MOVED $4000-$97FF DOWN TO $2000 BEFORE SAVING IT.

4) NOW ALL YOU DO IS BLOAD THE THREE PIECES LIKE SO:
   A) BLOAD THE $800-$1FFF FILE AT $800
   B) BLOAD THE PAGE 0-7 FILE AT $2000
   C) BLOAD THE $4000-$97FF FILE AT $2800
   THE PROGRAM NOW RESIDES IN MEMORY FROM $800-$80FF. THE ONLY THING
   LEFT IS TO WRITE A LITTLE ASSEMBLY LANGUAGE ROUTINE TO RELOCATE
   PAGES 0-7 AND $2800-$80FF TO THEIR PROPER ADDRESSES. HINT: USE THE
   MOVE ROUTINES IN THE MONITOR! I PUT MY CODE RELOCATOR AT $8100 AND
   ADDED A JUMP TO IT AT $7FD. FINALLY, ADD A JUMP TO THE STARTING
   ADDRESS OF $6B00 AT THE END OF YOUR RELOCATION ROUTINE. THEN, A
   BSAVE THRESHOLD,A$7FD,L$7A03 WILL SAVE IT ALL IN ONE EXECUTABLE
   CHUNK. BY USING A LENGTH OF $7A03, YOU GIVE YOURSELF 255 BYTES IN
   WHICH TO WRITE YOUR RELOCATION CODE.

THE TECHNIQUE OF PULLING THE PIECES OF THE DISK ACCESSED DURING PLAY
FOLLOWS IN THE NEXT MESSAGE.
***************************************
MSG LEFT BY: TRYSTAN II
THE MOST DIFFICULT PART OF CRACKING THRESHOLD IS SAVING THE VARIOUS
BITS AND PIECES OF THE DISK THAT IT ACCESSES DURING PLAY. THE CODE
STARTING AT $9383 SETS UP THE IOB AND CALLS THE RWTS TO LOAD IN 3
SEPARATE "FILES" EACH TIME YOU ADVANCE TO A NEW LEVEL. FORTUNATELY, THE
RWTS IN THRESHOLD IS NOT TOO HEAVILY MODIFIED, SO YOU CAN USE THE
INSPECTOR TO READ THE THRESHOLD DISK. BEFORE YOU START READING THE
THRESHOLD DISK, YOU WILL HAVE TO CHANGE LOCATION $3D9 TO JUMP TO THE
RWTS AT $B7B5 (I.E. 3D9:4C B5 B7) AND THEN CHANGE THE RESET VECTOR TO
JUMP TO SOME INNOCUOUS LOCATION SO THAT YOU CAN RESET OUT OF THE
INSPECTOR.

STARTING AT $9383, YOU WILL FIND 3 CALLS TO $7AB0 (WHICH, IN TURN,
CALLS THE RWTS). JUST BEFORE EACH OF THESE CALLS, THE IOB IS SET UP
WITH THE STARTING TRACK/SECTOR, THE LOAD ADDRESS AND THE NUMBER OF
SECTORS TO READ. THE TRACK/SECTOR TABLE IS AT $65D0-$65F3. HERE IS
WHAT IT LOOKS LIKE:
65D0:03 05 07 09 0C 0E 00 04
65D8:08 0C 03 07 12 12 13 13
65E0:14 15 00 08 03 0B 06 01
65E8:16 16 16 16 16 16 00 02
65F0:04 06 08 0A
THE FIRST 6 BYTES ARE THE TRACK NUMBERS FOR THE FIRST "FILE" FOR EACH
OF THE SIX LEVELS. THE NEXT SIX BYTES ARE THE CORRESPONDING SECTOR
NUMBERS FOR THE FIRST "FILE". THE NEXT SET OF TWELVE BYTES ARE FOR THE
SECOND "FILE", AND THE THIRD SET IS FOR THE LAST OF THE THREE "FILES".
FOR EXAMPLE, WHEN YOU START THRESHOLD, YOU ARE AT LEVEL ONE. THE 3
FILES START AT T3-S0, T12-S0 AND T16-S0, RESPECTIVELY. AT LEVEL TWO,
THE 3 FILES START AT T5-S4, T12-S8 AND T16-S2. THE VALUES ABOVE ARE NOT
WHAT YOU WILL SEE ON YOUR THRESHOLD DISK. THEY ARE THE LOCATIONS I USED
TO SAVE THE FILES ONTO NORMAL DOS. THE INTERPRETATION OF THE TABLE IS
THE SAME, HOWEVER.

THE NUMBER OF SECTORS TO READ FOR EACH OF THE THREE "FILES" ARE AT
LOCATIONS $93A1, $93C7 AND $93ED RESPECTIVELY. THE TOTAL IS 240
SECTORS!

USE THE INSPECTOR TO READ IN EACH OF THE 18 (6 LEVELS * 3 FILES)
"FILES", ONE AT A TIME, AND THEN RE-BOOT NORMAL DOS AND WRITE THEM BACK
OUT. YOU WILL HAVE TO USE A SECTOR EDITOR TO MODIFY THE VTOC OF YOUR
TARGET DISK BECAUSE THEY WILL NOT EXIST AS NORMAL DOS FILES. IN ORDER
TO PREVENT THEM FROM ACCIDENTAL ERASURE, YOU SHOULD FLAG THOSE SECTORS
IN THE VTOC AS BEING IN USE. I FOUND DISK FIXER TO BE THE EASIEST FOR
THIS PURPOSE. YOU COULD, OF COURSE, MAKE THESE NORMAL DOS FILES, BUT
THEN YOU WOULD HAVE TO MODIFY THE MAIN CODE TO READ FILES INSTEAD OF A
SERIES OF SECTORS. CHALK IT UP TO LAZINESS ON MY PART COUPLED WITH THE
FACT THAT THE PROGRAM RUNS FASTER IF IT DOESN'T HAVE TO GO THRU THE
DOS FILE MANAGER!

HOPE THIS HELPS.
=== TRYSTAN II ===
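Two parts of the message above are mechanical enough to check in code: reading the $65D0 track/sector table (six track bytes, then six sector bytes, per "file") and flagging sectors in use in the DOS 3.3 VTOC so a normal DOS will not allocate over raw-sector data. The following is an added example, not code from Trystan II's message. It decodes the table exactly as dumped (the message's T12 and T16 are the hex values $12 and $16 in the dump) and clears the matching "free" bits in a VTOC image. The VTOC bitmap layout used is the standard DOS 3.3 one: four bytes per track starting at offset $38, byte 0 covering sectors $F down to $8 and byte 1 sectors $7 down to $0, a set bit meaning free. The names parse_dump, file_starts, mark_sector_used, fresh_vtoc and reserve_starts are mine, and the VTOC is constructed in memory rather than read from a disk. Because the run lengths at $93A1, $93C7 and $93ED are not given in the message, only the first sector of each file is flagged here.

```python
# Added example, not from Trystan II's message: decode the track/sector table
# dumped above into the start position of each "file" at each level, and flag
# those sectors as in-use in a DOS 3.3 VTOC image so a normal DOS will not
# allocate over them. The VTOC free-sector bitmap layout is the standard DOS
# 3.3 one (4 bytes per track from offset $38, a set bit meaning "free"); the
# VTOC used here is constructed in memory, not read from a disk.

TS_TABLE_DUMP = """
65D0:03 05 07 09 0C 0E 00 04
65D8:08 0C 03 07 12 12 13 13
65E0:14 15 00 08 03 0B 06 01
65E8:16 16 16 16 16 16 00 02
65F0:04 06 08 0A
"""
LEVELS, FILES = 6, 3                  # six levels, three "files" per level
TRACKS_PER_DISK, SECTORS_PER_TRACK = 35, 16
VTOC_BITMAP = 0x38                    # track 0's 4-byte map; track t is at $38 + 4*t


def parse_dump(dump):
    """Monitor-style hex dump -> bytes; the 'ADDR:' prefixes are dropped."""
    data = bytearray()
    for token in dump.split():
        token = token.split(":", 1)[-1]   # "65D0:03" -> "03", "05" -> "05"
        data.append(int(token, 16))
    return bytes(data)


def file_starts(table, level):
    """[(track, sector), ...] for the three files of a 1-based level.
    Per the message: for each file, LEVELS track bytes, then LEVELS sector bytes."""
    if not 1 <= level <= LEVELS:
        raise ValueError("level out of range")
    starts = []
    for f in range(FILES):
        base = f * 2 * LEVELS
        track, sector = table[base + level - 1], table[base + LEVELS + level - 1]
        if track >= TRACKS_PER_DISK or sector >= SECTORS_PER_TRACK:
            raise ValueError(f"bad T/S ${track:02X}/${sector:02X} for level {level}")
        starts.append((track, sector))
    return starts


def mark_sector_used(vtoc, track, sector):
    """Clear the 'free' bit for (track, sector) in a 256-byte VTOC image.
    Byte 0 of a track's map covers sectors $F..$8 (bit 7 = $F), byte 1 covers
    $7..$0 (bit 7 = $7); bytes 2 and 3 are unused. Returns True if the bit was set."""
    index = VTOC_BITMAP + 4 * track + (0 if sector >= 8 else 1)
    bit = 1 << (sector & 7)
    was_free = bool(vtoc[index] & bit)
    vtoc[index] &= 0xFF ^ bit
    return was_free


def fresh_vtoc():
    """Constructed VTOC image with every sector of every track marked free."""
    vtoc = bytearray(256)
    for t in range(TRACKS_PER_DISK):
        vtoc[VTOC_BITMAP + 4 * t] = 0xFF
        vtoc[VTOC_BITMAP + 4 * t + 1] = 0xFF
    return vtoc


def reserve_starts(vtoc, table):
    """Flag the first sector of every file at every level; returns bits changed."""
    changed = 0
    for level in range(1, LEVELS + 1):
        for track, sector in file_starts(table, level):
            changed += mark_sector_used(vtoc, track, sector)
    return changed


if __name__ == "__main__":
    table = parse_dump(TS_TABLE_DUMP)
    for level in range(1, LEVELS + 1):
        print(level, ["T%X-S%X" % ts for ts in file_starts(table, level)])
    vtoc = fresh_vtoc()
    print("sectors newly flagged:", reserve_starts(vtoc, table))
```

On a real target disk the same bit-clearing would be applied to the whole run of sectors each file occupies, which needs the three sector counts the message locates at $93A1, $93C7 and $93ED; the range check in file_starts is there because a table entry outside 35 tracks by 16 sectors would index past the VTOC bitmap.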
MSG LEFT BY: DR. NIBBLEMASTER
CRACKIN CONGO
BOOT NORMAL 3.3
RESET INTO MONITOR
C091 C091 D000<9000.BFFFM
MAKE SURE 16K CARD IS IN SLOT 1
FFFC:59 FF N C091
BOOT CONGO
RESET INTO MONITOR
7FD:4C 0 B
9DBFG
16CA:4C 00 48
A964:FF
BSAVE CONGO,A$7FD,L$8F03
THAT'S IT, NOW YAA HAVE A CRACKED CONGO!
ANOTHER HELPFUL CRACK FROM:
DR. NIBBLEMASTER
THANKS TO ALL PIRATES WHO MADE THIS
CRACK POSSIBLE!
***************************************
MSG LEFT BY: DR. NIBBLEMASTER
TO ALL YE PIRATES:
HOW TO CRACK GOLD RUSH!
BOOT 3.3
RESET INTO MONITOR
C091 C091 D000<9000.BFFFM
16K CARD IN SLOT 1
FFFC:59 FF N C091
BOOT GAME
RESET INTO MONITOR
C090 9D00<D000.F2FFMN C091
7FD:4C 0 B
9DBFG
16CA:4C 00 48
A964:FF
BSAVE GOLD RUSH,A$7FD,L$8FF0F
NOW YOU HAVE A CRACKED GOLD RUSH!
A HELPFUL CRACK FROM DR. NIBBLEMASTER!
***************************************
MSG LEFT BY: THE MIMIC
BOOT APPLE AIDS...A UTILITY FOR CRACKIN
USE Q^CHOICE #7....SECTOR EDITOR
TYPE L(LOAD)3(TRACK)0(SECTOR)
TYPE A(ASCII)
THE PLUS KEY GOES FORWARD IN THE DISK
WHEN YOU COME ACROSS A SECTOR THAT HAS
A STRING OF 8 OR MORE BYTES OF THE FF
MAKE A NOTE OF THIS SECTOR
AND CONTINUE
WHEN YOU ARE DONE...TAKE A DISK AND
USE NIBBLES AWAY II TO COPY TRACKS
0-3 THEN COPY THE ENTIRE DISK
ELIMINATING THE SECTORS YOU JOTTED
DOWN...
THEN FILL THOSE SECTORS WITH '@@@'
(NULLS) THAT ENABLES YOU TO CATALOG
THE DISKETTE
THEN JUST TRANSFER THE PROGRAMS ONE BY
ONE
THE ONLY PROBLEM IS THAT THEY (THE INDIV
PROGRAMS) CHECK TO SEE IF THEY ARE
ON THE CORRECT PLACE ON THE DISKETTE
THERE IS NO WAY TO AVOID THIS
.....THE MIMIC
***************************************
MSG LEFT BY: RED REBEL
MESSAGE #12: CRACKING ALIEN AMBUSH!!!
THIS IS SO EASY IT IS ABSURD!!
1. BOOT THE GAME
2. AFTER GAME STARTS, INTERRUPT AND ENTER THE MONITOR.
3. BOOT NORMAL DOS USING 6^P <RETURN>
4. BSAVE ALIEN AMBUSH,A$4000,L$4000
THAT'S IT. RIDICULOUS ISN'T IT??
YO HO HO,
>>> RED REBEL <<<
***************************************
MSG LEFT BY: LONG JOHN SILVER
MESSAGE #20: FIX DISK
TO FIX YOUR DISK IF IT GIVES IO ERRORS
TRY THIS-
]CALL-151
*B925:18 60
*B988:18 60
*BE48:18
*RUN COPYA
IT WILL MOAN AND GROAN AT ERRORS BUT IT
WILL COPY THE DISK AND YOU CAN THEN
TAKE A LOOK AT THE COPY (IT WILL
CONTAIN WHAT WAS EVER LEFT ON THE
ORIGINAL THAT WAS RECOVERABLE AND BE
READABLE).
ALSO IF THE CATALOG SHOWS UP BLANK
USE THE HIGHLY USEFUL UTILITY CALLED
FIXCAT WHICH IS ON THE BAG OF TRICKS
DISK.
SEND ANY QUESTIONS HERE OR ON THE
PIRATES COVE AND I'LL GET BACK TO YOU.
***************************************
MSG LEFT BY: AXE MAN
MY FRIEND, THE BIG TOE, INFORMS ME
THAT APPLE LOGO (US VERSION) IS
EASILY CRACKED - ALL THAT IS REQUIRED
IS THE FOLLOWING PATCHES
(NOTE THE SIMILARITY TO THE CANADA
CRACK)
TRACK 00 SECTOR 0A
BYTE (OFFSET FROM 0000)
0029:EA EA
0035:EA EA
003F:EA EA
0045:EA EA
0079:EA EA EA
(AND THAT IS IT !)
MESSAGE FROM: BOZO NYC
**************************************
DEMUFFIN AND DEMUFFIN PLUS IS ONE OF
THE EASIEST AND BEST METHODS FOR
CRACKING THOSE DISCS WHICH HAVE A DOS
(AS OPPOSED TO A 'QUICK-LOADER'). THIS
LETTER WILL HELP YOU DETERMINE IF THE
DISC YOU WANT TO CRACK CAN BE
DEMUFFINED, AND IF SO, HOW TO USE
DEMUFFIN TO CRACK IT.
IF YOU GET A BASIC PROMPT, EVEN ONCE,
DEMUFFIN WILL WORK (ALTHOUGH YOU STILL
WILL OFTEN HAVE TO REWRITE PORTIONS OF
SOME OF THE PROGRAMS YOU TRANSFER, OR
RECOVER BITS OF ASSEMBLY PROGRAMS THAT
ARE ON THE ORIGINAL, BUT NOT IN THE
DIRECTORY...REMEMBER, THE PEOPLE THAT
WRITE GOOD PROGRAMS ARE NOT STUPID,
THEY WILL USE EVERY TRICK TO TRY AND
MAKE CRACKING THEIR PROGRAM IMPOSSIBLE
...YOUR JOB AS A CRACKER IS NO EASY
ONE!!!...A TRULY PROFICIENT CRACKER
MUST BE FLUENT IN ASSEMBLY LANGUAGE).
IF YOU CAN GET A CATALOG BY ANY METHOD
FROM THE ORIGINAL, DEMUFFIN WILL WORK.
ONCE YOU HAVE DETERMINED DEMUFFIN WILL
WORK, BUT BEFORE YOU USE IT, YOU MUST
UNDERSTAND WHAT IT IS... MUFFIN IS AN
ASSEMBLY PROGRAM WHICH READS ONE DISC
FORMAT AND THEN WRITES ANOTHER. APPLE
DESIGNED MUFFIN TO READ 13 SECTOR AND
WRITE 16 SECTOR. THEN SOME PROGRAMMER
DECIDED THAT IT MIGHT BE USEFUL TO
READ 16 SECTOR AND WRITE 13 SECTOR...
THUS NIFFUM WAS BORN. NOW SOME CLEVER
PIRATE THOUGHT 'WHY NOT READ WITH THE
DOS THAT IS ALREADY IN THE MACHINE AND
WRITE WITH 13 SECTOR'. THIS PROGRAM
(WHICH WE KNOW AS DEMUFFIN) TAKES THE
DOS WHICH YOU LOADED IN WHEN YOU
BOOTED THE ORIGINAL AND USES THIS RWTS
TO READ; DEMUFFIN HAS 13 SECTOR RWTS
BUILT IN AND USES THIS TO WRITE OUT IN
STANDARD 13 SECTOR FORMAT. DEMUFFIN
PLUS DOES EXACTLY THE SAME THING, ONLY
ITS INTERNAL RWTS WRITES OUT IN 16
SECTOR.
NOW THAT YOU KNOW A LITTLE ABOUT WHAT
DEMUFFIN IS...ON TO THE NITTY GRITTY.
NOTE THAT ALL REFERENCES TO DEMUFFIN
APPLY TO DEMUFFIN PLUS AS WELL;
REMEMBER THAT BOTH PROGRAMS DO THE
SAME THING, DEMUFFIN OUTPUTS IN 13
SECTOR WHILE DEMUFFIN PLUS OUTPUTS IN
16 SECTOR.
THE 'SECRET' TO USING DEMUFFIN IS
REMEMBERING THAT IT IS AN ASSEMBLY
PROGRAM DESIGNED TO OPERATE AT A
SPECIFIC LOCATION IN MEMORY ($803). IF
YOU LOAD IT IN SOMEWHERE ELSE AND TRY
TO RUN IT, IT WON'T WORK. THIS WOULD
NOT EVEN REQUIRE MENTIONING EXCEPT
THAT THE AREA AT $800 IS DESTROYED BY
A BOOT! KEEP IN MIND THAT DEMUFFIN
MUST BE IN MEMORY BEFORE YOU BOOT THAT
PROTECTED DISC YOU'RE TRYING TO CRACK.
ONCE YOU'VE BOOTED THE PROTECTED DISC
YOU WILL BE OPERATING UNDER THEIR DOS
AND YOU WILL NOT BE ABLE TO READ THE
DISC THAT CONTAINS DEMUFFIN (YOUR DISC
HAS STANDARD DOS...REMEMBER?)...SO
WHAT ARE WE TO DO? THERE ARE TWO
CHOICES: ONE IS TO USE TAPE (UGH!);
THE OTHER IS TO FIRST LOAD DEMUFFIN IN
SOMEWHERE THAT THE BOOT WON'T DESTROY
IT. THIS IS THE METHOD I RECOMMEND:
FIRST, BOOT YOUR DOS AND BLOAD DEMUFFIN
AT $6000 [I CHOSE $6000...THERE ARE
MANY 'CORRECT LOCATIONS'].
SECOND, BOOT THE ORIGINAL (PGM TO BE
CRACKED) AND RESET AFTER DOS HAS
LOADED AND THE FIRST PROGRAM HAS
STARTED TO LOAD IN. PROPER RESETTING
DEPENDS ON MANY THINGS SUCH AS WHICH
MONITOR YOU HAVE AND HOW AND WHEN THE
ORIGINAL SETS YOUR RESET VECTOR AT
$3F2-$3F3. I WILL DISCUSS PROPER
RESET METHODS IN THE NEXT LETTER.
THIRD, GET INTO THE MONITOR (CALL -151
OR RESET ON THE F8 ROM) AND TYPE
803<6000.8000M N 803G
THIS WILL MOVE DEMUFFIN BACK WHERE IT
BELONGS AND START IT RUNNING.
FOURTH, FOLLOW THE INSTRUCTIONS...
-------------------------------------
************>BOZO NYC<***************