Cracking Techniques

Last updated: 21/11/2008 (second 1984 ad, with differences)
Previous update: Sunday 29/07/2007 (corrections from the original, and date/time additions from another source).

The following year: 1984. You don't change a winning formula.

This series was the origin of the cracking-disk initiatives that followed.
The copy-protection removal ("déplombage") courses were also its heirs.
In the 1984 Nibble ad, the emphasis is on the notion of user backup, as opposed to unlocking with a view to mass distribution of commercial software.

The articles are often minimalist. That is a pity, because there would surely be a lot to say about the methods used (on the protector's side and on the pirate's side).
Pointing out that such-and-such a byte must be changed on a sector of a track is not enriching.
 

Screenshots: Pirates Harbor, Msg, Soft, Intro, Title

Floppy
DOS 3.3
Download Cracking Techniques 1984 (gzipped)


Added 07/07/2007: original disk without the graffiti (bought on eBay).

Original disk

Cracking Techniques 1984


Floppy
DOS 3.3
Download Original disk: Cracking Techniques 1984 (gzipped)


Contents


Link Information
See 01) ** INTRODUCTION **.
See 02) TOOLS OF THE TRADE.
See 03) CRACK ALL LOCK IT UP!
See 04) SECTMOD TUTORIAL.
See 05) SECTMODS CONT.
See 06) MORE LOCK-IT-UP.
See 07) MINIT  MAN CRAK!
See 08) CRACKING CUBIT.
See 09) LANGUAGE-CARD-KRAK.
See 10) CRISIS MOUNTAIN CRACKED!
See 11) DUNGEON CRACKED.
See 12) MUFFIN MODS.
See 13) ZAXXON!
See 14) OILS WELL & GALACTIC ATTACK.
See 15) HOMEWORD.
See 16) THE CHEAPEST ROMSWITCH!
See 17) INFOCOM CRACK.
See 18) VERSAFORM 2.1.
See 19) ABC #00 - OVERVIEW.
See 20) ABC #01 - COPY ][+.
See 21) CRISIS MOUNTAIN UNFINISHED!
See 22) MATHMAZE 1.
See 23) MATHMAZE 2.
See 24) STRIP BLACKJACK CRACKED.
See 25) ABQ #1 BC'S QUEST FOR TIRES.
See 26) ABQ #2 DINO EGGS & CRISIS MOUNTAIN.
See 27) ABQ $10 GENERAL MANAGER 2Y.
See 28) ABQ #12 APPLEWRITER //E.
See 29) ABQ #13 BOOT FROM DRIVE 2.
See 30) DUNZHIN - MY WAY.
See 31) DEATH IN THE CARIBBEAN!
See 32) INSTANT RECALL -COPYA.
See 33) SAMMY LIGHTFOOT & APPLE CIDER SPIDER.
See 34) MY WAY..........
See 35) MICRO LAB STUFF.
See 36) SAMMY LIGHTFOOT CRACKED.
See 37) LEARNING WITH LEEPER.
See 38) COPYING INCREDIBLE JACK.
See 39) DUNGEON CRACK.
See 40) SARGON III.
See 41) TIME IS MONEY.
See 42) CRACK HOMEWORD.
See 43) CRACK SPEAK UP.
See 44) CRACK SPEAK UP CONTINUED....
See 45) EINSTEIN MEMORY TRAINER.
See 46) DINO EGGS CRACKED.
See 47) DOS QUICKIE.
See 48) DOS QUICKIE CONTINUED.
See 49) STELLAR DEFENSE FIX.
See 50) EINSTEIN COMPILER VER. 5.3.
See 51) ATARISOFT EASIER.
See 52) CRACK LS5.0 !!!
See 53) 1 BYTE LS5 CRACK.
See 54) CRACK TELE-PORTER.
See 55) SAN FRANCISCO EARTHQUAKE.
See 56) KOALGRAMS.
See 57) CRACK BC'S QUEST.
See 58) MAKE & USE COPYB.
See 59) STANDING STONE CRACKED.




01) ** INTRODUCTION **


INTRODUCTION BY
THE DISK JOCKEY


ANYONE INTERESTED IN THE APPLE SEEMS TO
BE INTRIGUED BY THE "ART OF KRAKING",
FOR A VARIETY OF REASONS. PROBABLY THE
FOREMOST IS THIS OPENS THE WAY FOR
WORRY FREE AND AMPLE SOFTWARE, THAT
ANYONE CAN USE AND TRADE. BESIDES THESE
IMMEDIATE USES, KRAKING A PROGRAM SEEMS
TO IMPRESS ALL BUT THE AUTHOR OF THE
PROGRAM.

KRAKING PROTECTED PROGRAMS REQUIRES
SEVERAL THINGS THAT YOU SHOULD TRY YOUR
BEST TO POSSESS. THE FIRST IS A GOOD
BASIC UNDERSTANDING OF THE APPLE
COMPUTER AND ITS ARCHITECTURE. READ
YOUR DOS MANUAL AND THE APPLE II
REFERENCE MANUAL FOR INFORMATIVE
DISCUSSIONS OF YOUR COMPUTER. EVEN
BETTER, PICK UP A COPY OF DON WORTH'S
"BENEATH APPLE DOS" AND STUDY IT
CAREFULLY. AFTER YOU HAVE DONE THESE
BASIC THINGS, YOU CAN PROBABLY IMPRESS
EVERYONE BUT STEVE "THE WOZ", AND TURN
THE SALESMEN AT COMPUTER LAND TO SHAME.

I CAN NOT STRESS THE IMPORTANCE OF
READING THESE WELL WRITTEN MANUALS, AND
DOING THE BEST TO UNDERSTAND THEIR
IMPLICATIONS. AFTER YOU HAVE ACHIEVED
THE KNOWLEDGE GRANTED BY THESE BOOKS,
YOU ARE WELL BEYOND 99% OF THE APPLE
USERS THAT CLAIM THEY KNOW ANYTHING
ABOUT ANYTHING.

FOR THE ULTIMATE UNDERSTANDING OF THE
APPLE, AND TO MAKE YOUR JOB AS A
"KRAKIST" EASIEST, THE NEXT STEP IS TO
LEARN THE FORBIDDEN LANGUAGE, 6502
ASSEMBLY LANGUAGE. ALTHOUGH THIS IS NOT
NECESSARY FOR A GREAT NUMBER OF KRAKING
CHORES, ANY PROGRAM THAT IS THE LEAST
BIT TRICKY WILL REQUIRE YOU TO
UNDERSTAND ASSEMBLER. THE REASON IS
SIMPLE: MOST EVERYTHING SOLD TODAY IS
WRITTEN IN ASSEMBLER. LOOK AT SOFTALK'S
TOP TEN LIST AND I BET YOU 95% OF THE
PROGRAMS ARE WRITTEN IN ASSEMBLY
LANGUAGE. THE OBVIOUS REASON FOR THIS
IS BECAUSE ASSEMBLER IS FAST, AND THIS
IS VERY IMPORTANT FOR GRAPHIC GAMES.
ALSO, BECAUSE PROTECTING A DISK ON THE
APPLE IS DONE AT THE OPERATING SYSTEM
LEVEL, THE PROTECTION REALLY HAS TO BE
WRITTEN IN ASSEMBLER.

FOR LEARNING ASSEMBLER, I WOULD SUGGEST
EITHER ROGER WAGNER'S "ASSEMBLY LINES",
OR RANDY HYDE'S "USING 6502 ASSEMBLY
LANGUAGE". BOTH OF THESE BOOKS ARE
EXCELLENT AND ARE EASY TO UNDERSTAND
FOR THE BEGINNING PROGRAMMER.

BEYOND THIS, THE NEXT BEST THING TO DO
IS TO USE YOUR NEW FOUND KNOWLEDGE.
WRITE SOME ASSEMBLY LANGUAGE PROGRAMS
TO GET FAMILIAR WITH THE LANGUAGE.
INSTEAD OF WRITING THAT "HELLO" PROGRAM
IN BASIC, DO IT IN ASSEMBLER. GET USED
TO IT, AND KEEP GOOD NOTES OF WHAT YOU
LEARN!

NOW YOU'RE READY FOR THE BIG TIME....
KRAKING PROGRAMS. I ASSUME YOU HAVE A
GOOD UNDERSTANDING OF THE MONITOR
COMMANDS (LIST, MOVE, VERIFY, EXECUTE)
FROM READING THE APPLE II REFERENCE
MANUAL. OF MOST IMPORTANCE IS THE "L"
COMMAND TO DISASSEMBLE AND LIST CODE
PRESENTLY IN MEMORY. GET USED TO LOOKING
AT THESE DISASSEMBLIES SINCE YOU WILL
NEVER HAVE "SOURCE" CODE FROM PROTECTED
PROGRAMS TO EXAMINE. THEREFORE BE
FLUENT IN APPLE DISASSEMBLY. THE BEST
WAY TO ACHIEVE THIS IS PRACTICE, AND
NOTHING ELSE WILL SUBSTITUTE.

ALSO, BE AWARE OF THE EXISTING
DOCUMENTATION ON KRAKING. NOW JUST
ABOUT ANYONE CAN READ "COOKBOOKS" ON
HOW TO DEPROTECT A PARTICULAR PROGRAM
THAT THEY DOWN LOADED FROM PIRATE'S
HARBOR. SO YOU WANT TO TAKE A STEP
FARTHER. DON'T DISCARD OR CASUALLY
GLANCE THROUGH THESE "COOKBOOKS", BUT
GO THROUGH THEM AND UNDERSTAND THE
PROTECTION AND SEE HOW THE AUTHOR
CHOSE TO KRAK THE PARTICULAR PROGRAM.
THIS WILL PROVE INVALUABLE BY OPENING
YOUR MIND TO PREVIOUSLY USED TECHNIQUES
THAT YOU CAN LEARN FROM. TRY AND
UNDERSTAND EVERY STEP THE EXPERIENCED
KRAKIST TOOK TO DEPROTECT THE PROGRAM,
AND MAKE CAREFUL NOTES (BOTH MENTAL AND
ON PAPER) TO GUIDE YOU IN YOUR OWN
EFFORTS.




02) TOOLS OF THE TRADE.


MSG LEFT BY: RED REBEL


THE FOLLOWING TOOLS SHOULD BE IN YOUR
ARSENAL FOR CRACKING:
 
'BENEATH APPLE DOS'    QUALITY SOFTWARE
'BAG OF TRICKS'        QUALITY SOFTWARE
'APPLE MONITORS PEELED'  APPLE COMPUTER
'WHAT'S WHERE IN THE APPLE'   MICRO INK
 
INTEGER CARD             APPLE COMPUTER
MASTERDISK         MASTERWORKS SOFTWARE
MASTER DOS         MASTERWORKS SOFTWARE
D-A-R-K                      MICROSEEDS
NIBBLES AWAY      COMPUTER APPLICATIONS
LOCKSMITH 5.0                     OMEGA
INSPECTOR                         OMEGA
WATSON                            OMEGA
BEAGLE BROTHERS SOFTWARE FROM SAME
ANY OF THE VARIOUS NON MASKABLE (NMI)
 INTERRUPT CARDS SUCH AS:
     CRACK-SHOT,REPLAY II, WILDCARD
 
GOOD BOOKS ON MACHINE LANGUAGE BY:
     ROGER WAGNER & RANDY HYDE
 
CRACKING TECHNIQUES '83  PIRATES HARBOR
CRACKING-DISK JOCKEY     PIRATES HARBOR
CRACKING-APPLE BANDIT
        -THE BURGLAR     PIRATES HARBOR
 
KEEP ON CRACKING!!!
 
                    >>> RED REBEL <<<




03) CRACK ALL LOCK IT UP!


MSG LEFT BY: RESET VECTOR
DATE POSTED: SAT DEC  3  1:16:14 PM

   HERE IS A FOOLPROOF AND EASY WAY TO CRACK ALL (WELL, ONE EXCEPTION) DISKS
PROTECTED WITH THE INFAMOUS LOCK IT UP.  CREDIT FOR THE LATTER STAGES OF THIS
CRACKING METHOD MUST BE SHARED WITH SOFT SECTOR.  ONCE YOU HAVE HEARD A
DISK PROTECTED WITH LOCK IT UP (VIDEX PREBOOTS, STELLAR 7, REGATTA, BASIC
GUITAR, SONGWRITER, THE VISIBLE COMPUTER AND A MULTITUDE OF OTHERS) BOOT,
YOU WILL BE ABLE TO RECOGNIZE THE PROTECTION - IT WILL SIT ON TRACK 0 FOR
A SECOND AND THEN THE DRIVE WILL GRIND AND THEN IT WILL COMPLETE THE BOOT.
THE RHYTHM OF THE INITIAL BOOT AFTER THE GRIND IS VERY DISTINCTIVE.
   THE FIRST STEP OF THE CRACK IS TO GET THE FILES OFF THE DISK.  THIS CAN
BE DONE WITH FID AS I DESCRIBED ON BOARD 2 (BLOAD FID, CALL -151, B942:18,
BAAA:00, 803G AND FID THE FILES OFF).  THIS METHOD HAS THE DISADVANTAGE THAT
WHENEVER YOU TURN OFF THE CHECKSUM (B942:18) YOU ARE LIKELY TO GET DATA
ERRORS.  DEMUFFIN IS A MORE RELIABLE METHOD, BUT YOU CANNOT SIMPLY HIDE IT
AT $6000 AS WE USUALLY DO, BECAUSE LOCK IT UP OVERWRITES ALL OF MEMORY.  NOW,
YOU ARE GOING TO NEED A (SLIGHTLY ALTERED) COPY OF THE LOCK IT UP RWTS TO
COMPLETE THE CRACK OF MANY OF THESE DISKS, SO LET'S SAVE IT OUT NOW TO ALSO
HELP US WITH DEMUFFIN.  YOU NEED A WAY TO RESET INTO THE MONITOR, OF COURSE.
BOOT LOCK IT UP DISK
HIT RESET
4000<B700.BFFFM
BOOT SLAVE DISK
BSAVE LOCK IT UP RWTS,A$4000,L$900
NOW, FOR THE ALTERED RWTS YOU MAY NEED LATER, DO THIS:
BOOT LOCK IT UP DISK
HIT RESET
B942:18
BAAA:AA
4000<B700.BFFFM
BOOT SLAVE DISK
BSAVE ALTERED LOCK IT UP RWTS,A$4000,L$900
   TO USE DEMUFFIN TO GET THE FILES OFF, JUST DO THIS:
BLOAD DEMUFFIN
BLOAD LOCK IT UP RWTS (NOT THE ALTERED VERSION!)
CALL -151
B700<4000.4900M
803G TO START DEMUFFIN
   MANY PROGRAMS WILL WORK WITHOUT ANY MODIFICATION, BUT MOST HAVE SOME
CHECKS FOR THE LOCK IT UP DOS, AND THESE CAN BE VERY DIFFICULT TO REMOVE.
ALL YOU NEED TO DO TO MAKE THESE PROGRAMS RUN IS TO USE THE ALTERED LOCK
IT UP RWTS YOU SAVED ABOVE (THIS HAS BEEN ALTERED TO READ AND WRITE TO A
NORMAL DOS DISK).  IF THE FILES YOU JUST DEMUFFINED WON'T RUN, JUST WRITE
A SMALL EXEC FILE TO START UP THE PROGRAM:
BLOAD ALTERED LOCK IT UP RWTS
CALL -151
B700<4000.48FFM
RUN HELLO (OR WHATEVER THE HELLO PROGRAM IS)
   THE ONLY EXCEPTION IS REGATTA, WHICH CALLS SOME INFORMATION
BY TRACK AND SECTOR, SO USE ADVANCED DEMUFFIN INSTEAD OF DEMUFFIN.
   COURTESY OF ->RESET VECTOR!

***************************************

MSG LEFT BY: RESET VECTOR
DATE POSTED: WED DEC  7  8:19:00 PM

MESSAGE #3: LOCK IT UP ADDENDUM


ONE MORE ADDITION, YOU ALSO HAVE TO DO BA29:96 TO THE LOCK IT UP
DOS BEFORE YOU MOVE IT AND SAVE IT AS THE ALTERED DOS.
COURTESY OF ->RESET VECTOR!




04) SECTMOD TUTORIAL.


MSG LEFT BY: RESET VECTOR
DATE POSTED: WED DEC  7  8:27:57 PM

IN THESE DAYS OF POWERFUL CRACKING TOOLS LIKE NMI BOARDS AND ADVANCED
DEMUFFIN, IT IS FAIRLY EASY FOR A NOVICE AT THE TRADE TO CRACK A LARGE NUMBER
OF PROGRAMS. I THINK THAT MOST NOVICES, HOWEVER, THINK THAT THE SECTMOD IS
SOMETHING RESERVED FOR THOSE CRACKING GENIUSES WHO SPEAK MACHINE LANGUAGE AS
WELL AS THEY SPEAK ENGLISH.  WELL, TO A CERTAIN EXTENT THIS IS TRUE, BUT
THERE IS NO REASON FOR THE CRACKER WITH LITTLE KNOWLEDGE OF MACHINE OR
ASSEMBLER TO GIVE UP WITHOUT TRYING.  THERE ARE CERTAIN TRICKS YOU CAN USE
TO DO SUCCESSFUL SECTMODS EVEN IF YOU KNOW HARDLY ANY MACHINE LANGUAGE AT
ALL!  NOW FOR THE ASTOUNDING TRUE CONFESSION - IF YOU HAVE BEEN READING
BOARD #2 YOU WILL HAVE SEEN QUITE A LARGE NUMBER OF SECTMODS POSTED BY ME,
AND YOU PROBABLY THINK I KNOW A LOT ABOUT PROGRAMMING.  THE TRUTH IS THAT I
KNOW ALMOST NO MACHINE LANGUAGE AT ALL!  DOING A SUCCESSFUL SECTMOD IS ON
A PAR WITH A RELIGIOUS EXPERIENCE (AT LEAST IF YOU HAVEN'T DONE A LOT OF THEM)
SO LET'S GET CRACKING...
   THERE ARE A FEW TOOLS YOU WILL NEED IN ORDER TO EMBARK UPON THIS STUDY.
FIRST OF ALL, YOU WILL NEED SOME METHOD OF SEARCHING A DISK FOR A STRING OF
HEX.  THE BEST PROGRAM FOR THIS PURPOSE IS THE TRACER FROM THE C.I.A. FILES,
BECAUSE IT ALLOWS YOU TO DO WILDCARD SEARCHES.  I ALSO USE DISK EDIT BECAUSE
IT IS VERY FAST.  THE SECOND TOOL YOU NEED IS AN NMI BOARD.  ANY BOARD THAT
GIVES YOU THE ADDRESS OF THE PROGRAM COUNTER AND THE ADDRESSES ON THE STACK
WILL DO JUST FINE (AND I THINK THEY JUST ABOUT ALL DO THIS).  REPLAY ][ IS
BY FAR MY FAVORITE BOARD, BUT WHATEVER YOU HAVE IS OK.  FINALLY YOU NEED
A SECTOR EDITOR THAT WILL ALLOW YOU TO DISASSEMBLE A SECTOR; I FIND ZAP FROM
BAG OF TRICKS THE EASIEST TO USE, BUT A LOT OF THEM ARE JUST FINE.
   NOW, THE FIRST TYPE OF DISK YOU WILL WANT TO SECTMOD IS THE ONE THAT IS
NORMALLY FORMATTED (CAN BE COPIED WITH COPYA) BUT WILL NOT BOOT WHEN COPIED.
THE EINSTEIN COMPILER (VERSION 5.2) IS A GOOD EXAMPLE OF THIS.  THE FIRST
THING TO DO IS TO COPY THE DISK AND THEN SEARCH THE DISK FOR THE HEX STRING
BD 8C C0.  THIS IS COMMONLY USED CODE TO SET UP THE DISK DRIVE AND CHECK FOR
A CERTAIN SIGNATURE (USUALLY A SEQUENCE OF BYTES) ON THE DISK.  WRITE DOWN
EACH SECTOR WHERE YOU FIND THIS SEQUENCE.  NOW EINSTEIN WAS NICE BECAUSE THIS
SEQUENCE IS FOUND ONLY ONCE ON THE WHOLE DISK.  IF YOU THEN USE YOUR SECTOR
EDITOR TO DISASSEMBLE THE AREA WHERE YOU FOUND THIS BD 8C C0, YOU WILL FIND
THAT THAT CODE IS FOLLOWED BY A BUNCH OF CMP AND BNE OR BEQ OR BPL (THE LATTER
BEING CODES DIRECTING YOUR APPLE WHERE TO BRANCH IF IT FINDS OR DOESN'T FIND
WHAT IT IS LOOKING FOR IN THE CMP - COMPARE - STATEMENT).  YOU WILL FIND
THIS ALL REPEATED SEVERAL TIMES.  GENERALLY, AT THE END OF ALL THIS YOU WILL
FIND AN RTS ("60"), AND THE FIRST WAY TO TRY TO CRACK A PROGRAM LIKE THIS IS
TO JUST MOVE THE RTS TO THE VERY START OF THAT CODE AND THEN SEE IF THE
PROGRAM WILL RUN.  HOWEVER, WITH EINSTEIN IF YOU LOOK THROUGH ALL THE CODE
IN THAT AREA, YOU WILL SEE THAT AT THE END IS A JMP INSTRUCTION; WHAT HAPPENS
IS THAT IF THE PROGRAM FINDS EVERYTHING IT IS LOOKING FOR, IT FALLS THROUGH
TO THIS JMP INSTRUCTION.  NOW, WE KNOW IT IS NOT GOING TO FIND WHAT IT IS
LOOKING FOR, BUT WE WANT IT TO EXECUTE THE JMP TO START THE PROGRAM, SO ALL
YOU DO IS MOVE THAT JMP INSTRUCTION TO THE START OF THAT AREA OF CODE AND
VOILA! - COPYA EINSTEIN COMPILER!
SEE THE NEXT MESSAGE...




05) SECTMODS CONT.


MSG LEFT BY: RESET VECTOR
DATE POSTED: WED DEC  7  8:37:22 PM

   NOW, ANOTHER EXAMPLE OF A NORMALLY FORMATTED DISK THAT WON'T BOOT WHEN
IT IS COPIED IS LEARNING WITH LEEPER FROM ONLINE.  IF YOU COPY IT AND THEN
BOOT THE COPY, YOU WILL SEE THAT IT CHECKS TRACK 0 AND THEN DIES WHEN IT
DOESN'T FIND WHAT IT IS LOOKING FOR.  A SEARCH OF BD 8C C0 IS FRUITLESS
(NOWHERE ON THE DISK), SO WE HAVE TO TRY ANOTHER METHOD.  BOOT THE COPY,
AND JUST AS THE DRIVE HEADS TOWARD TRACK 0 TO CHECK THE PROTECTION, HIT YOUR
NMI SWITCH, THEN WRITE DOWN THE PROGRAM COUNTER AND THE ADDRESSES ON THE
STACK.  IF YOU DO THIS SEVERAL TIMES, YOU WILL FIND A BUNCH OF ADDRESSES IN
THE $1200 RANGE.  NOW, PROTECTION ROUTINES LIKE THIS ARE GENERALLY SUBROUTINES
(ACCESSED VIA A JSR), SO IF WE LOOK FOR JSR'S ("20") IN THE $1200 RANGE,
MAYBE WE CAN DO SOMETHING ABOUT IT.  HERE IS WHERE CIA IS ESSENTIAL, BECAUSE
WE CAN DO A SEARCH FOR 20==12.  YOU WILL FIND THIS CODE IN JUST 3 LOCATIONS
ON THE DISK, AND IF YOU JUST TRY REPLACING THEM ONE BY ONE WITH EA EA EA
(NOP'S), YOU WILL FIND THAT REPLACING ONE OF THEM LEADS TO A WORKING DISK.
   THERE IS ONE FINAL VARIATION ON THIS THEME.  SOMETIMES YOU CANNOT FIND
A BD 8C C0, AND SOMETIMES YOU CANNOT FIND A JSR IN THE MEMORY RANGE YOU ARE
LOOKING FOR.  TYPICAL OF THIS IS STELLAR DEFENSE (PLEASE ALL NOTE MY
CORRECTED SECTMOD WHEN I HAVE A CHANCE TO POST IT - MY ORIGINALLY POSTED
ONE DOES NOT WORK QUITE RIGHT).  THIS DISK CAN BE COPIED WITH COPYA BUT WILL
DIE WHEN IT CHECKS TRACK 0.  YOU CANNOT FIND EITHER A BD 8C C0 (AT LEAST NOT
ONE THAT CHANGING WILL HELP!) OR A JSR INTO THE RANGE OF THE CHECKING CODE.
WELL, LET'S JUST FIND THE CODE ITSELF!  HIT YOUR NMI SWITCH WHEN THE DRIVE
GOES TO TRACK 0 TO CHECK (THIS MAY TAKE A FEW ATTEMPTS TO GET AN ADDRESS
OTHER THAN IN DOS).  EVENTUALLY YOU WILL FIND AN ADDRESS IN THE PC OR ON
THE STACK OF $3E58.  IF WE THEN USE THE MONITOR (THE REPLAY ][ MONITOR IS
REALLY HELPFUL HERE) TO LIST THIS ADDRESS, WE WILL FIND A SEQUENCE OF BYTES;
WRITE DOWN 7 OR 8 BYTES, AND THEN SEARCH THE DISK FOR THIS STRING.  YOU WILL
FIND THIS STRING ON TRACK 5 SECTOR 6, AND YOU WILL SEE SOME CODE WITH CMP'S
AND BRANCHES THAT ENDS IN AN RTS.  THE FIRST THING TO TRY IS TO MOVE THE RTS
TO THE BEGINNING OF THIS CODE; AND LO AND BEHOLD THE DISK BOOTS UP AND RUNS.
THE ONLY PROBLEM IS THAT WHEN YOU PLAY THE GAME ALL THE ENEMY SHIPS ARE
INVISIBLE!  WELL, IF YOU LOOK AGAIN AT THIS CODE, YOU WILL SEE THAT A LOT OF
THE BRANCHES ARE TO A JMP INSTRUCTION RIGHT AFTER THE RTS.  SO TRY AND MOVE
THE JMP INSTRUCTION TO THE START - WELL, IT ACTS JUST AS IF YOU HAD MOVED THE
RTS TO THE START!  SO WHAT YOU HAVE TO DO IS PEEK AT THE CODE THAT IS BEING
JMPED TO, BY BOOTING THE DISK, HITTING THE NMI SWITCH AND THEN LISTING THE
CODE AT THE ADDRESS WHICH IS JMPED TO ($3A68).  WRITE DOWN THE STRING AND
SEARCH THE DISK - IT WILL BE FOUND ON TRACK 5 SECTOR A.  DISASSEMBLY REVEALS
ANOTHER LITTLE CHECKING ROUTINE WITH AN RTS AT THE END.  MOVE THIS RTS TO
THE BEGINNING AND VOILA!  CRACKED STELLAR DEFENSE!
   WELL, NOW THAT ALL THE ADVANCED CRACKERS ARE BORED AND THE NEOPHYTES HAVE
INDIGESTION, I WILL BRING THIS TO A CLOSE.  I ONLY MEANT TO GET ACROSS SOME
GENERAL PRINCIPLES; YOU MAY NOT KNOW ANY MACHINE LANGUAGE, BUT WITH A LITTLE
HELP YOU CAN FIND THE AREA OF CODE THAT IS DOING THE CHECKING AND THEN JUST
PLAY AROUND WITH IT UNTIL SOMETHING (GOOD, I HOPE) HAPPENS.  IT WON'T MAKE
YOU A KRACOWICZ OR APPLE BANDIT OR KRAC-MAN OR FREEZE OR DISK JOCKEY OR
RED REBEL, BUT IT MIGHT MAKE YOU A BETTER CRACKER.
   COURTESY OF ->RESET VECTOR!
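
Added example (not part of the original messages, and not any of the tools they name): the two disk searches described in messages 04 and 05, the fixed hex string BD 8C C0 and the wildcard search 20==12, run over a DOS 3.3 disk image in Python. It assumes a 143,360-byte DOS-order image (35 tracks of 16 sectors of 256 bytes); the sample image, its byte positions and all function names are constructed for this demonstration.

```python
"""Wildcard hex search over a DOS 3.3 disk image (added example)."""

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
TRACK_SIZE = SECTORS * SECTOR_SIZE
IMAGE_SIZE = TRACKS * TRACK_SIZE          # 143,360 bytes
HEX_DIGITS = set("0123456789ABCDEF")


def parse_pattern(text):
    """Turn 'BD 8C C0' or '20==12' into a list of ints; '==' is a wildcard (None)."""
    compact = "".join(text.split()).upper()
    if not compact or len(compact) % 2:
        raise ValueError("pattern must be whole hex byte pairs")
    pattern = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        if pair == "==":
            pattern.append(None)
        elif set(pair) <= HEX_DIGITS:
            pattern.append(int(pair, 16))
        else:
            raise ValueError("bad byte in pattern: " + pair)
    if pattern[0] is None:
        raise ValueError("pattern must start with a fixed byte")
    return pattern


def search_image(image, pattern_text):
    """Return every match as (track, sector, byte offset in sector)."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("expected a %d-byte DOS 3.3 image" % IMAGE_SIZE)
    pattern = parse_pattern(pattern_text)
    first = bytes([pattern[0]])
    hits = []
    pos = image.find(first)
    while pos != -1 and pos + len(pattern) <= len(image):
        if all(p is None or image[pos + i] == p for i, p in enumerate(pattern)):
            track, rest = divmod(pos, TRACK_SIZE)
            sector, byte = divmod(rest, SECTOR_SIZE)
            hits.append((track, sector, byte))
        pos = image.find(first, pos + 1)
    return hits


def context(image, hit, length=9):
    """Hex dump of the bytes starting at a hit, for reading in a disassembler."""
    track, sector, byte = hit
    start = track * TRACK_SIZE + sector * SECTOR_SIZE + byte
    return " ".join("%02X" % b for b in image[start:start + length])


def build_sample_image():
    """Constructed test image: zero-filled, with a few planted byte sequences."""
    img = bytearray(IMAGE_SIZE)

    def poke(track, sector, byte, hexstr):
        start = track * TRACK_SIZE + sector * SECTOR_SIZE + byte
        data = bytes.fromhex(hexstr)
        img[start:start + len(data)] = data

    # LDA $C08C,X / BPL back / CMP #$D5 / BNE back: a raw disk-latch read loop
    poke(3, 4, 0x40, "BD8CC010FBC9D5D0F7")
    poke(2, 3, 0x10, "203412")    # JSR $1234  (target in the $12xx page)
    poke(7, 10, 0xF0, "20FF12")   # JSR $12FF  (target in the $12xx page)
    poke(9, 1, 0x00, "2000C6")    # JSR $C600  (must not match 20==12)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for pat in ("BD 8C C0", "20==12"):
        for hit in search_image(image, pat):
            print("%-8s T$%02X S$%X byte $%02X: %s"
                  % (pat, hit[0], hit[1], hit[2], context(image, hit)))
```

The track and sector numbers are only meaningful for images stored in DOS logical sector order (.dsk/.do); a ProDOS-order or nibble image has to be remapped first.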




06) MORE LOCK-IT-UP.


MSG LEFT BY: COUNT NIBBLER
DATE POSTED: WED JAN 11  1:58:17 AM

WELL AS YOU KNOW ONCE YOU MOVE THE
FILES FROM A LOC-IT-UP DISK TO A
NORMAL DOS 3.3 DISK(VIA RESET VECTORS
ROUTINES),SOMETIMES THEY WILL NOT WORK
OR WILL RE-INITIALIZE OVER THEMSELVES.
THAT'S BECAUSE IN MOST OF THE APPLESOFT
PROGRAMS,IT DOES SOME CHECKING!WHAT YOU
HAVE TO DO IS LOAD IN AN APPLESOFT FILE
THAT WAS TRANSFERRED FROM A LOCK-IT-UP
PROTECTED DISK..AND LIST IT!
LOOK FOR A CALL 47721.(THAT CALLS BACK
TO PROTECTED DOS,AND IF IT AIN'T THERE
YOU GET AN ERROR) REPLACE IT WITH A
CALL 47741(SWITCH TO DOS 3.3).ANOTHER
NEAT TRICK IS: CALL PEEK(40222)+PEEK
(40223)*256+1.<-- THIS RE-INITIALIZES
A DISK IF IT DETECTS DOS 3.3....
REPLACE IT WITH A FOR NEXT LOOP SO YOU
DON'T HAVE TO BOTHER WITH RE-ARRANGING
LINE NUMBERS.WATCH FOR FP STATEMENTS
IN REM LINES.LOOK FOR PEEK(512) AND
DELETE IT...THIS IS A READ KEYBOARD
ROUTINE AND WILL CRASH THE PROGRAM.
AND IT'S HELPFUL TO TAKE OUT ONERRS!
 
                  -->ENJOY<--
 
       -=+*])! COUNT NIBBLER !([*+=-




07) MINIT  MAN CRAK!


MSG LEFT BY: CHANDIN WILSON
DATE POSTED: SAT FEB 18  3:21:31 AM

HERE IS MY ENTRY TO THE **CRAC
CONTEST**

DISABLE DOS CHECKSUMS:
 
CALL-151
B925:18 60
B988:18 60
B942:18 60
BLOAD FID
B954:4A 49 6A D0 EF
B934:C9 DA
B990:C9 DA
803G
 
COPY OFF FILES FROM MINIT MAN DISK TO
BLANK DISK. DEPENDING ON YOUR COPY,
YOU MAY HAVE TO MODIFY A PROGRAM CALLED
"PLAYGAME PROG". THIS PROGRAM JUST
LOADS MINIT MAN INTO MEMORY.
 
HAVE FUN!!

===============>THE<================
==============>CROW<================




08) CRACKING CUBIT.


MSG LEFT BY: WILLIAM KEYES
DATE POSTED: SUN FEB 19  1:24:25 PM

CUBIT:
BOOT DOS 3.3
PUT IN CUBIT DISK
CALL-151
B942:18 60
BAAA:00
BLOAD CUBIT
9465:4C 75 94
PUT IN DOS 3.3 DISK
BSAVE CUBIT,A$19FD,L$7FF0
 
NOW CUBIT IS CRACKED!
 
NOTE: SOMETIMES IT IS NECESSARY TO DO
      A "MAXFILES1" BEFORE RUNNING OR
      YOU WILL GET AN I/O ERROR.
 
TO CHEAT: CHANGE $4097 TO THE NUMBER OF
          CUBITS YOU WANT.
 
 
------------=> DOCTOR WHO <=-----------




09) LANGUAGE-CARD-KRAK.


MSG LEFT BY: THE JESTERS
DATE POSTED: SAT FEB 25  2:24:28 PM

THIS IS AN OLD TECHNIQUE, BUT FOR THOSE
JUST ENTERING THE BUSINESS, IT IS AN
ESSENTIAL ONE.
 
 THE OBJECT OF THE LANGUAGE CARD CRACK
IS TO LET THE PROGRAM BOOT, THEN HIT
RESET AND HAVE THE RESET ROUTINE SAVE
THE MEMORY YOU WANT, AND LEAVE YOU IN
THE MONITOR $FF59 TO DO WHAT YOU WANT.
 SOME OF THE POORLY PROTECTED PROGRAMS
JUST HAVE A MODIFIED DOS AND YOU CAN
JUST RESET OUT OF THEM WITHOUT EVEN
MAKING A RESET ROUTINE... BUT THESE
ARE DISAPPEARING.  SOMETIMES, THE
PROGRAM NOTICES THAT THERE IS A CHANGED
RESET VECTOR AND REBOOTS.
 ANYWAY, HERE IS THE TRICK:
 
WRITE ENABLE THE LANGUAGE CARD: $C081
                                $C081
COPY ALL ROM INTO CARD: D000<D000.FFFFM
 
CHANGE RESET ROUTINE TO JUMP TO
          MONITOR: FA62:4C 59 FF
WRITE PROTECT,READ ENABLE CARD: $C080
 
BOOT DISK
HIT RESET: YOU SHOULD GO TO MONITOR
FROM THE MONITOR, YOU CAN BOOT A DOS
DISK AND SAVE THE VARIOUS PARTS OF
MEMORY... THE ONLY THING THAT WAS
LOST WAS ZERO PAGE:  FOR THIS
YOU MUST WRITE A ROUTINE IN THE RESET
ROUTINE TO SAVE LOW MEMORY BEFORE GOING
TO THE MONITOR $FF59
 
IF THE PROGRAM SEES THE LANGUAGE CARD
AND REBOOTS, OR TURNS IT OFF, THE
NEXT TRICK COMES IN HANDY...  MOVE
THE LANGUAGE CARD TO A DIFFERENT SLOT
LIKE SLOT ONE OR SLOT TWO (TURN
YOUR COMPUTER OFF FIRST)
THE ENABLE AND PROTECT LOCATIONS WILL
CHANGE ACCORDINGLY :  C081 -> C0A1
                      C080 -> C0A0
                   FOR SLOT 2
FOLLOW THE STEPS ABOVE AND QUITE OFTEN
THE PROGRAM WILL NOT THINK TO CHECK
ALL OF THE SLOTS.
 -MORE- NEXT MESSAGE       THE JESTERS




10) CRISIS MOUNTAIN CRACKED!


MSG LEFT BY: DOCTOR WHO
DATE POSTED: FRI MAR  3  2:52:40 PM

TO CRACK CRISIS MOUNTAIN:
 
BOOT DOS 3.3
 CALL-151
 B925:18 60
 B988:18 60
 BE48:18
 B942:18
 BAAA:00
 RUN COPYA
COPY CRISIS MOUNTAIN
WITH A SECTOR EDITOR MAKE THE FOLLOWING
CHANGES ON TRACK 0 SECTOR 5
    24:D5 (WAS EB)
    2D:AA (WAS D5)
    36:96 (WAS AA)
 
NOW IT'S CRACKED
 
ANOTHER CRACK FROM-
 
------------=> DOCTOR WHO <=-----------




11) DUNGEON CRACKED.


MSG LEFT BY: DOCTOR WHO
DATE POSTED: SAT MAR  4 12:28:38 PM

TO CRACK DUNGEON & THESEUS AND THE
MINOTAUR BY TSR, I HAVE A METHOD THAT
REQUIRES NO WEIRD HARDWARE OR EXTRA
CARDS. THIS PROGRAM IS WRITTEN IN BASIC
AND USES FILE NAMES TO LOAD FILES, BUT
IT DOESN'T HAVE A CATALOG SO YOU HAVE
TO CRACK IT ANOTHER WAY BESIDES
DEMUFFIN.HERE IS WHAT TO DO:
 
BOOT DUNGEON
WHEN IT SAYS"PLEASE WAIT" THEN PRESS
RESET TWICE.
CALL-151
A44D:4C 69 FF
36:BD 9E 81 9E
MAXFILES1
CLOSE
LOAD HELLO
D6:0
NOW YOU CAN GO TO BASIC AND LIST THE
PROGRAM.BUT THERE'S MORE PROGRAMS TO
THE GAME! SO WHAT YOU HAVE TO DO IS
FIND THE ENDING APPLESOFT ADDRESS AT
$AF.B0 (LISTED IN REVERSE ORDER) AND
USE THE MONITOR MOVE COMMAND TO MOVE IT
INTO A SAFE AREA.I CAN'T REMEMBER THE
ACTUAL ADDRESS FOR THE PROGRAMS, BUT I
WILL GIVE YOU THE CORRECT FORMAT FOR
DOING THIS:
6000<800.[WHAT EVER IS IN $AB.F0,IN REVERSE ORDER]M [RETURN]
THEN YOU BOOT DOS 3.3 AND MOVE IT BACK
TO THE CORRECT PLACE IN MEMORY:
800<6000.[6000+WHATEVER WAS IN AB.F0]M
 
NOW FIX THE AB.F0 TO WHAT THEY WERE
BEFORE AND SAVE THE PROGRAM!
IN AWHILE, YOU WILL HAVE IT CRACKED!
 
BY THE WAY
D6:0 - CANCELS THE THING THAT MAKES THE
       PROGRAM IN MEMORY RUN EVERY TIME
       YOU TYPE A COMMAND IN APPLESOFT.
 
A44D:4C 69 FF - MAKES IT SO WHEN YOU
                LOAD AN APPLESOFT
                PROGRAM IT PUTS YOU IN
                THE MONITOR.
36:BD 9E 81 9E RECONNECTS DOS
 
------------=> DOCTOR WHO <=-----------




12) MUFFIN MODS.


MSG LEFT BY: DOCTOR WHO
DATE POSTED: WED MAR  7  4:31:56 PM

FIRST, BLOAD MUFFIN, THEN CALL-151
 
 
AVANT-GARDE:(EXCEPT JUMP JET)
1A63:18 N 803G
 
HAYDEN:
1A77:EA EA N 1FF6:EA EA N 803G
 
MUSE:(ABM, SUPERTEXT, SOME OTHERS)
1AA9:18 66 2D 60
 
------------=> DOCTOR WHO <=-----------




13) ZAXXON!


MSG LEFT BY: DOCTOR WHO
DATE POSTED: WED MAR  7  4:39:18 PM

THERE ARE CURRENTLY 3 CRACKS FOR
ZAXXON, THE LAST ONE WORKED FOR ME.
 
LOAD COPYA
71POKE770,24:POKE863,24:POKE47426,24
RUN
 
THEN WITH A SECTOR EDITOR, MAKE ONE OF
THE FOLLOWING SET OF CHANGES:
 
---------------------------------------
 
T0 S4 4F:DE
T0 S7 B0:4C C0 08
T0 S1 35:10
      2B:10
      4D:10
 
 
---------------------------------------
T0 S8 47:EA EA EA
      8D:15
      90:C4
      92:C2
      94:AA BF AA AE
T0 S4 00:18
 
---------------------------------------
 
T0 S4 00:18
      4F:DE
T0 S8 47:EA EA
 
---------------------------------------
 
------------=> DOCTOR WHO <=-----------
 
PS I DIDN'T THINK UP THE FIRST TWO,
CREDIT GOES TO -> GUMBY DAMMIT <-
THE 3RD GOES TO FALLEN ANGEL & MYSELF
I DON'T REMEMBER WHERE I GOT THE FIRST
ONE.

------------=> DOCTOR WHO <=-----------




14) OILS WELL & GALACTIC ATTACK.


MSG LEFT BY: THE PROWLER
DATE POSTED: WED MAR  7  7:01:50 PM

HERE'S A COUPLE ONE BYTE CRACKS FOR YOU
 
OILS WELL
---------
 
COPY ORIGINAL WITH COPYA
WITH A SECTOR EDITOR, CHANGE TRACK 10,
SECTOR A,BYTE 06 FROM 6C TO 60
 
 
GALACTIC ATTACK (NEW VERS.)
---------------------------
 
COPY DISK WITH DISK MUNCHER AND IGNORE
READ ERRORS ON TRACK 22 (YOU MAY NOT)
WITH A SECTOR EDITOR, CHANGE TRACK 19,
SECTOR 0B, BYTE 9D FROM 38 TO 18.
 
THIS PROBABLY WON'T WORK ON THE OLD
VERSION, BUT IF THERE'S ANY ONE WHO
WOULD LIKE THE OLD VERSION DONE, JUST
LEAVE ME E-MAIL.
 
COMING SOON...ODESTA CHESS 7.0 CRACKED!
 
UNTIL LATER
 
                  -?- THE PROWLER -?-




15) HOMEWORD.


MSG LEFT BY: DOCTOR WHO
DATE POSTED: SAT MAR 17  7:27:23 PM

TO KRAK HOMEWORD---
 
 
COPYA THE DISK
 
SECTOR EDIT T$10 S$A
            BYTE 9:60 EA
 
 
-----------=> DOCTOR WHO <=------------




16) THE CHEAPEST ROMSWITCH!


MSG LEFT BY: THE WISE CRACKER
DATE POSTED: WED MAR 28  5:29:27 PM

HERE'S HOW TO MAKE A SUPER ROMSWITCH!
 
OBTAIN AN OLD MONITOR ROM AND MAKE
SURE YOU HAVE AN APPLE LANGUAGE CARD.
 
REMOVE THE LANGUAGE CARD AND LOCATE
CHIP#5, TTL 74LS20. LOCATED AT THE
TOP OF THE FIRST ROW NEXT TO THE ROM.
 
BEND OUT PIN SIX (DON'T BREAK IT OFF!)
 
OBTAIN AN SPST SWITCH. SOLDER ONE LEAD
FROM A POLE TO THE PIN BENT OUT. SOLDER
THE OTHER TO THE BOTTOM OF THE CARD
WHERE THE HOLE 6 IS. NOW REMOVE THE
AUTOSTART ROM FROM THE LANGUAGE CARD
AND REPLACE IT WITH THE MONITOR ROM.
 
NOW YOU CAN SWITCH BETWEEN THE AUTO-
START ROM ON THE MOTHERBOARD AND THE
MONITOR ROM ON THE CARD BY FLIPPING
A SWITCH! OR BURN YOUR OWN 2716, MAKE
A JUMPER SOCKET, AND PUT IT ON THE
LC FOR A SUPER CRACKING ROM!
 
THIS PUBLIC SERVICE MESSAGE HAS BEEN
BROUGHT TO YOU BY THE WISE CRACKER!




17) INFOCOM CRACK.


MSG LEFT BY: DOCTOR WHO
DATE POSTED: SUN APR  1  1:50:53 PM

TO CRACK INFOCOM LOAD COPYA
CALL -151
B925:18 60
B988:18 60
BE48:18
B8FB:29 00
CTRL-C
RUN
AFTER COPYING RUN A SECTOR EDITOR
TR-0 SEC-2
CHANGE BYTE 5D TO AD
            FB TO 29
            FC TO 00
                     DOCTOR WHO.




18) VERSAFORM 2.1.


MSG LEFT BY: THE SMUGGLER
DATE POSTED: WED APR 11 11:38:31 AM

 
 WELL WELL, IT TOOK ME ABOUT 5-10 MIN.
 TO CRACK IT. IT WAS KIND OF HARD BUT
 ANYWAY I FINALLY DID IT.
 MAYBE/PROBABLY SOMEONE DID IT BEFORE
 ME CUZ IT'S A (C) 1981, BUT ANYWAY I
 GOT AN ORIGINAL IN MY HAND FOR A WEEK,
 SO I DECIDED TO CRACK IT.
 
HERE'S THE FASTEST WAY TO DO IT.
 
1) EDIT: TRACK: 13 SECTOR: 0F
         BYTE#: A9 FROM: '9E' TO 'A6'.
2) BOOT PASCAL#1 THEN DO A FIX BLOCK.
   1- F)ILE
   2- X)EXAMINE
RANGE: FROM '0' TO '280'. (0-280)
3) THEN INIT YOUR DISK.... NO I WAS
   JUST KIDDING... THAT'S IT!!!
 
HERE'S ANOTHER WAY TO DO IT IF YOU
DON'T WANT TO CRASH YOUR ORIGINAL.
 
1) DO A COPY WITH LOCKSMITH/COPY II
   PLUS/NBII/EDD... ETC...
   (PS: YOU MIGHT GET AN ERROR ON TRACK
        #11)
 
2) THEN EDIT T$13,S$0F
        BYTE# A9 FROM 9E TO A6
3) THEN FIX ALL BLOCK.
 
  THAT'S ALL FOR NOW FOLKS..
 
-----> THE SMUGGLER DID IT AGAIN <-----




19) ABC #00 - OVERVIEW.


MSG LEFT BY: PIRATE'S GUILD

 
ABCABCABCABCABCABCABCABCABCABCABCABCABC
B                                     B
C      APPLE BANDIT'S CRAKFILES       A
A                                     C
B   OVERVIEW -- THE CRAKFILE SERIES   B
C                                     A
ABCABCABCABCABCABCABCABCABCABCABCABCABC
 
 
WITH THE END OF THE INFAMOUS KRACKOWICZ'S KRACKING KORNER, IT HAS BECOME
APPARENT TO ME, AFTER MANY MONTHS, THAT THERE IS A DEFINITE NEED FOR A GOOD
SERIES OF CRACKING TUTORIALS TO CONTINUE. I WAS ASKED BY KRACKOWICZ TO
'GUEST-WRITE' FOR THE KRACKING KORNER SOME TIME AGO. NOW, THE TIME HAS COME TO
PICK UP WHERE KRACKOWICZ LEFT OFF -- THAT IS, IF IT'S POSSIBLE. KRACKOWICZ HAS
BEAUTIFULLY COVERED MOST MAJOR AREAS OF BASIC CRACKING. HOWEVER, I'LL BE
CONCENTRATING MAINLY ON SPECIFIC PROGRAMS RATHER THAN GENERAL TECHNIQUES, WHICH
WILL SERVE TO BRING TOGETHER MANY ASPECTS OF CRACKING. MANY OF THE "CRAKFILES"
THAT WILL FOLLOW MAY BE QUITE BASIC; AFTER ALL, IT'S THE BEGINNING CRACKIST THAT
WILL BENEFIT MOST FROM THIS SERIES. EXPERIENCED CRACKERS ARE ENCOURAGED TO SKIM
THROUGH THE ARTICLES, NOTING THAT THE ACTUAL STEPS IN THE CRACKING PROCESS ARE
PRECEDED WITH THE '->' SYMBOL.
 
THE CRAKFILES THAT FOLLOW WILL CONSIST OF TWO MAIN PARTS: [1] STEP-BY-STEP
PROCEDURE OF CRACKING, AND [2] THEORY BEHIND THE METHODS USED. THE STEP-BY-STEP
PORTION WILL ASSUME THAT YOU HAVE A FAIRLY GOOD UNDERSTANDING OF DOS AND YOU
SHOULD BE COMFORTABLE WITH THE APPLE'S MONITOR. ALSO, IF YOU ARE TO GAIN
ANYTHING FROM THE SERIES, I SUGGEST YOU HAVE A FAIRLY STRONG BACKGROUND IN
ASSEMBLY LANGUAGE PROGRAMMING. YOUR KNOWLEDGE OF MACHINE LANGUAGE IS REALLY
THE KEY TO CRACKING, SINCE PROTECTION SCHEMES =>ARE<= MACHINE LANGUAGE.
 
IF YOU DON'T OWN A COPY OF QUALITY SOFTWARE'S 'BENEATH APPLE DOS', I HIGHLY
RECOMMEND YOU PICK UP A COPY; IT IS KNOWN TO SOME AS THE BIBLE OF DOS. THERE
ARE ALSO MANY GOOD BOOKS ON THE SUBJECT OF APPLE MACHINE LANGUAGE, INCLUDING
ROGER WAGNER'S 'ASSEMBLY LINES'.
 
THERE ARE SOME BASIC AREAS I HOPE TO EVENTUALLY COVER IN THIS SERIES. THEY
INCLUDE:
 
  -> EXAMPLES OF CRACKS USING ADVANCED DEMUFFIN, FASTLOADER & MINI-RWTS
  -> DATA COMPRESSION & PICTURE PACKING
  -> PASCAL PROTECTION SCHEMES
  -> CRACKING ON THE APPLE //E
  -> USING NMI'S AS A LAST RESORT
  -> EMPHASIS OF THE BOOT-TRACING PROCESS
  -> CRACKING OF SELECTED 'OLDIE BUT TUFFIES'




20) ABC #01 - COPY ][+.


MSG LEFT BY: PIRATE'S GUILD

 
ABCABCABCABCABCABCABCABCABCABCABCABCABC
B                                     B
C    APPLE BANDIT'S CRAKFILE - #01    A
A                                     C
B  COPY ][+ 4.4B - SINGLE LOAD CRACK  B
C                                     A
ABCABCABCABCABCABCABCABCABCABCABCABCABC
 
 
FIRST OF ALL, LET ME JUST SAY THAT THIS IS NOT A 'HARD' CRACK. IF YOU'RE AN
EXPERIENCED CRACKER, YOU MAY JUST WANT TO SKIM THIS ARTICLE, WATCHING FOR THE
'->' SYMBOLS, WHICH PRECEDE THE STEP-BY-STEP PROCEDURE FOR THE CRACK.
 
COPY ][+ 4.4B IS CENTRAL POINT SOFTWARE'S NEWEST VERSION OF THEIR POPULAR COPY
UTILITY. THE PROGRAM ITSELF IS COMPRISED OF TWO PARTS: [1] A UTILITY PROGRAM
WHICH ALLOWS YOU TO CATALOG, COPY, DELETE, LOCK/UNLOCK FILES, ETC., AND [2] A
BIT COPY PROGRAM, WHICH IS ONE OF THE BEST BIT COPIERS OUT ON THE MARKET. AS
THE PROGRAM IS FIRST BOOTED, THE UTILITY MENU IS LOADED. IF YOU WISH TO USE THE
BIT COPIER, YOU MAY SELECT IT FROM THIS MENU, AND IT IS LOADED IN SEPARATELY.
 
THE USUAL APPROACH TO A PROGRAM WITH MULTIPLE DISK ACCESS WOULD BE TO USE
ADVANCED DEMUFFIN, BY 'THE STACK' OF CORRUPT COMPUTING. WE WOULD USE ADVANCED
DEMUFFIN TO READ DATA FROM THE COPY ][+ ORIGINAL, AND WRITE IT OUT TO OUR BLANK
DOS 3.3 DISK. HOWEVER, SINCE THE DISK ACCESS IN COPY ][+ IS MINIMAL, IT WOULD
BE FEASIBLE TO JUST SAVE THE BIT COPIER AND UTILITY PROGRAMS SEPARATELY.
ADDITIONALLY, SINCE BOTH PARTS RESIDE IN 'NORMAL' PARTS OF MEMORY (WITHIN THE
NORMAL 48K OF THE APPLE AND NOT BELOW $800), THESE TWO PARTS CAN EASILY BE
SAVED OUT AS BINARY FILES, WHICH CAN BE INDIVIDUALLY BRUN'ED BY THE USER. THE
ONLY SACRIFICE IN THIS METHOD IS THAT WE DON'T GET THE FAST-BOOTING THAT THE
ORIGINAL PROGRAM HAD, AND THAT WHEN WE SELECT THE 'BIT COPY' OPTION FROM THE
UTILITY MENU, IT DOESN'T LOAD. IT WOULD BE POSSIBLE TO WRITE A BOOT ROUTINE FOR
THE UTILITY PROGRAM, AND WRITE ANOTHER SMALL ROUTINE TO DIRECTLY USE RWTS TO
LOAD IN THE BIT COPIER UPON SELECTION FROM THE UTILITY MENU, BUT THAT IS BEYOND
THE SCOPE OF THIS CRAKFILE. HERE WE WILL TRADE SPEED AND EASE OF USE FOR DISK
SPACE AND THE ABILITY TO HAVE THE PROGRAMS IN THE FORMAT OF A FILE, WHICH ARE
TWO OF THE MAIN REASONS OF CRACKING IN GENERAL. ANYWAY, ON WITH THE SHOW...
 
AFTER BOOTING COPY ][+ 4.4B, YOU WILL SOON SEE THE UTILITY MENU. AT THIS POINT
WE WOULD LIKE TO STOP THE PROGRAM, AND SAVE IT AS A FILE. TO DO THIS, WE HAVE A
FEW OPTIONS: [1] WE CAN PRESS <RESET> ON OUR APPLE ][+ OR APPLE //E OR OTHER
COMPUTER WITH AUTOSTART ROM (AS OPPOSED TO THE 'OLD MONITOR' ROM) AND DISCOVER
THAT THIS ONLY CAUSES THE PROGRAM TO CLEAR MEMORY AND RE-BOOT; [2] WE CAN
BOOT-TRACE THE DISK UP TO THE POINT WHERE THE PROGRAM BEGINS EXECUTION; [3] WE
CAN USE A CRACKSHOT, WILDCARD, OR OTHER NMI BOARD TO HALT THE EXECUTION OF THE
PROGRAM AND LEAVE US IN THE APPLE'S MONITOR; [4] WE CAN PRESS <RESET> IF WE
HAVE INSTALLED AN OLD MONITOR F8 ROM OR OTHER MODIFIED ROM THAT LEAVES US IN
MONITOR UPON PRESSING THAT KEY; OR [5] IF WE DO NOT HAVE AN OLD MONITOR OR
OTHER MODIFIED F8 ROM AVAILABLE, WE CAN USE THE RAM CARD TO SIMULATE ONE, SINCE
COPY ][+ IGNORES THE TOP 16K OF A 64K APPLE.




WHICH METHOD SHOULD WE USE? WELL OPTION #1 ISN'T GOING TO HELP TOO MUCH, OPTION
#2 (BOOT-TRACING) IS AN ART IN ITSELF (WHICH WILL BE THE TOPIC OF A FUTURE
CRAKFILE), AND OPTION #3 (USING A CRACKING/NMI BOARD) IS NOT THE EASIEST, SO
WE'LL CONCENTRATE ON THE LAST TWO OPTIONS. IF YOU HAVE AN F8 ROM TO DUMP YOU
INTO MONITOR UPON <RESET> USE THAT -- OTHERWISE YOU CAN EASILY MAKE YOUR 16K
LANGUAGE CARD LOOK LIKE ONE. (UNLESS YOU'RE USING A //E. IF THIS IS THE CASE,
THE LANGUAGE CARD TRICK WILL NOT WORK BECAUSE PRESSING <RESET> ON THE //E WILL
AUTOMATICALLY TURN OFF THE 'BUILT-IN' LANGUAGE CARD; YOU'RE STUCK WITH EITHER
BOOT-TRACING OR USING A CRACKING CARD).
 
USING THE LANGUAGE CARD TO RESET INTO MONITOR:
 
]CALL-151  (GO INTO MONITOR)
*C081 N C081 (WRITE-ENABLE LANGUAGE CARD)
*D000<D000.FFFFM (COPY YOUR ROM'S TO THE LANGUAGE CARD)
*C083 N C083 (TURN ON LANGUAGE CARD AND IGNORE THE ROM'S)
*FFFC:59 FF (SET THE 6502 RESET LOCATION TO JUMP INTO MONITOR)
 
NOW WE COME TO THE ACTUAL CRACKING PROCESS OF COPY ][+ 4.4B:
 
 -> CLEAR MEMORY BY TYPING FROM MONITOR:
    0<CTRL-P> 0<CTRL-K> N 300:0 N 301<300.BFFFM
 -> BOOT YOUR ORIGINAL COPY ][+ DISK
 -> AT THE UTILITY MENU, BREAK OUT INTO MONITOR USING YOUR OLD MONITOR ROM,
    MODIFIED LANGUAGE CARD, OR CRACKING CARD
 
NOW WE CAN TELL WHAT PARTS OF MEMORY ARE ACTUALLY USED BY THE PROGRAM BY USING
THE MEMORY DUMP COMMAND FROM MONITOR. IF YOU TYPE "800.BFFF" YOU WILL SEE THE
PROGRAM WHIZ BY, UNTIL IT REACHES THE $4C00 RANGE OF MEMORY. HERE YOU FIND ALL
ZERO'S UNTIL $B000, WHERE $B000-$BFFF SEEMS TO BE USED. KNOWING THAT $800-$4C00
AND $B000-$BFFF IS USED, WE CAN SAVE THE PROGRAM TO OUR DOS 3.3 DISK IN FILE
FORMAT THE FOLLOWING WAY:
 
 -> FROM MONITOR, TYPE "4C00<B000.BFFFM" TO SAVE THE RANGE OF MEMORY UP AT
    $B000-$BFFF SO IT WON'T INTERFERE WITH WHERE DOS NORMALLY RESIDES
 -> TYPE "6000<800.900M" TO SAVE THE RANGE OF MEMORY FROM $800-$900 WHICH
    WILL GET OVER-WRITTEN WHEN DOS IS BOOTED.
 -> BOOT A DOS DISK WHICH YOU HAVE PREVIOUSLY INIT'ED AND DELETED THE HELLO
    PROGRAM FROM
 -> GO INTO MONITOR AND TYPE "800<6000.60FFM" TO RESTORE $800-$900
 
NOW, WE OBVIOUSLY CAN'T JUST MOVE THE $B000-$BFFF RANGE BACK UP, BECAUSE IT
WILL INTERFERE WITH DOS, SO WE'LL HAVE TO WRITE A SHORT ROUTINE TO MOVE THE
RANGE FROM WHERE IT IS NOW LOCATED (AT $4C00-5C00) UP TO THE DESTINATION.
SCANNING THROUGH THE $800 PAGE, WE FIND A JMP $11AD. THIS IS THE ACTUAL START
OF THE PROGRAM, SO WE HAVE SOME EXTRA SPACE BEFORE THAT POINT TO PUT OUR MOVE
ROUTINES. HERE IS THE ROUTINE, ALL READY TO TYPE IN:
 
 -> 82B:A9 00 85 00 85 02 A9 4C 85 01 A9 B0 85 03 A0 00 B1 00 91 02 C8 D0
         F9 E6 01 E6 03 A5 01 C9 5C D0 EF A9 60 8D FF 02




NOTE: UPON EXAMINATION OF THE COPY ][+ PROGRAM, IT CAN BE FOUND THAT THE
      PROGRAM USES LOCATION $2FF TO STORE THE SLOT NO. TIMES 16. THE LAST 5
      BYTES OF THE ABOVE ROUTINE TAKE CARE OF THIS.
 
NOW, BEFORE WE SAVE THE PROGRAM, THERE IS ONE OTHER FEATURE WE CAN ADD. SINCE
WE CAN NO LONGER RUN THE BIT COPY PROGRAM DIRECTLY FROM THE UTILITY MENU, IT
WOULD BE NICE TO DISABLE THE OPTION COMPLETELY. THE FOLLOWING MOD WILL TAKE
CARE OF THIS: 1A90:60. ON OUR CRACK, THE BURGLAR PUT A SMALL ROUTINE AT $1A90
THAT CLEARED THE SCREEN AND WENT INTO MONITOR. THEN HE SEARCHED MEMORY FOR THE
MENU, AND CHANGED THE 'BIT COPY' TEXT TO 'MONITOR '. YOU MAY THINK OF SOMETHING
ELSE INTERESTING TO PUT HERE...
 
NOW, THE MOMENT WE'VE BEEN WAITING FOR! YOU CAN FINALLY SAVE YOUR CRACKED COPY:
 
  -> BSAVE COPY ][+ 4.4B UTILITY,A$82B,L$53FB
 
NOW FOR THE BIT COPY PORTION. THE PROCESS IS ALMOST EXACTLY THE SAME:
 
  -> BOOT YOUR ORIGINAL COPY ][+ AND SELECT THE "BIT COPY" OPTION
  -> WHEN BIT COPY IS LOADED, HIT <RESET> (OR WHATEVER METHOD YOU ARE USING)
 
NOW, WE MAY NOT BE ABLE TO TELL BY JUST SCANNING MEMORY THIS TIME, BUT BY
EXPERIMENTING WE CAN TELL THAT THE ONLY PORTION OF MEMORY USED BY THE BIT
COPIER IS $800-$3300. THIS WILL MAKE OUR JOB EASIER...
 
  -> TYPE "6000<800.900M" TO SAVE RANGE FROM $800-900
  -> BOOT YOUR DOS SLAVE DISKETTE W/NO HELLO PROGRAM (THE SAME DISK AS BEFORE)
  -> FROM MONITOR, TYPE "800<6000.60FFM" TO RESTORE RANGE $800-900
  -> TYPE "808:A9 60 8D FF 02 4C 00 09" TO SET $2FF WHICH IS USED BY THE
     PROGRAM, AND TO JUMP TO THE STARTING LOCATION AT $900
  -> BSAVE COPY ][+ 4.4B BIT COPY,A$808,L$2AFB
 
CONGRATULATIONS...IT'S A 1ST CLASS CRACK!
 
COMING SOON: ABC #2 - HOW I CRACKED "SUNDOG", A NEW PASCAL GRAPHIC ADVENTURE.
 
APPLE BANDIT & THE BURGLAR OF MIDWEST PIRATE'S GUILD [MPG]
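
What the 38 bytes typed in at $82B do can be checked by running them. This is an added example, not part of the original CRAKFILE: a Python interpreter for only the eleven 6502 opcodes the routine uses, run over a constructed memory image. The function names and the fill pattern placed at $4C00-$5BFF are assumptions made for the demonstration.

```python
# Added example: executes the article's 38-byte move routine on a minimal
# 6502 interpreter and reports every address the routine writes.

ORG = 0x082B  # address the article types the routine in at
ROUTINE = bytes.fromhex(  # bytes exactly as listed in the article
    "A9 00 85 00 85 02 A9 4C 85 01 A9 B0 85 03 A0 00 B1 00 91 02 C8 D0 "
    "F9 E6 01 E6 03 A5 01 C9 5C D0 EF A9 60 8D FF 02"
)


def pointer(mem, zp, y):
    """Effective address for the (zp),Y addressing mode."""
    base = mem[zp] | (mem[(zp + 1) & 0xFF] << 8)
    return (base + y) & 0xFFFF


def execute(mem, pc, stop, max_steps=200_000):
    """Run from pc until pc == stop; return the set of addresses written."""
    a = y = 0
    zero = False
    written = set()

    def store(addr, value):
        mem[addr] = value & 0xFF
        written.add(addr)

    for _ in range(max_steps):
        if pc == stop:
            return written
        op, arg = mem[pc], mem[pc + 1]
        if op in (0xA9, 0xA5, 0xB1):          # LDA #imm / zp / (zp),Y
            a = arg if op == 0xA9 else mem[arg if op == 0xA5 else pointer(mem, arg, y)]
            zero = a == 0
            pc += 2
        elif op == 0xA0:                      # LDY #imm
            y = arg
            zero = y == 0
            pc += 2
        elif op == 0x85:                      # STA zp (flags untouched)
            store(arg, a)
            pc += 2
        elif op == 0x91:                      # STA (zp),Y
            store(pointer(mem, arg, y), a)
            pc += 2
        elif op == 0x8D:                      # STA abs
            store(arg | (mem[pc + 2] << 8), a)
            pc += 3
        elif op == 0xE6:                      # INC zp
            store(arg, mem[arg] + 1)
            zero = mem[arg] == 0
            pc += 2
        elif op == 0xC8:                      # INY
            y = (y + 1) & 0xFF
            zero = y == 0
            pc += 1
        elif op == 0xC9:                      # CMP #imm (only Z is needed here)
            zero = a == arg
            pc += 2
        elif op == 0xD0:                      # BNE rel
            pc += 2
            if not zero:
                pc = (pc + (arg - 256 if arg & 0x80 else arg)) & 0xFFFF
        else:
            raise ValueError(f"opcode ${op:02X} at ${pc:04X} not implemented")
    raise RuntimeError("step limit reached; routine did not terminate")


def to_ranges(addrs):
    """Collapse a set of addresses into inclusive (start, end) ranges."""
    out = []
    for addr in sorted(addrs):
        if out and addr == out[-1][1] + 1:
            out[-1][1] = addr
        else:
            out.append([addr, addr])
    return [tuple(r) for r in out]


def run_move_routine():
    mem = bytearray(0x10000)
    for addr in range(0x4C00, 0x5C00):        # constructed stand-in for the parked block
        mem[addr] = (addr ^ (addr >> 8)) & 0xFF
    mem[ORG:ORG + len(ROUTINE)] = ROUTINE
    before = bytes(mem)
    written = execute(mem, ORG, ORG + len(ROUTINE))
    return before, bytes(mem), to_ranges(written)


if __name__ == "__main__":
    before, after, ranges = run_move_routine()
    for start, end in ranges:
        print(f"written: ${start:04X}-${end:04X}")
    print("copy intact:", after[0xB000:0xC000] == before[0x4C00:0x5C00])
    # $2FF holds slot * 16 per the article's note, so $60 means slot 6.
    print(f"$2FF = ${after[0x2FF]:02X} (slot {after[0x2FF] >> 4})")
```

The run shows the routine touching only zero page $00-$03, $2FF and $B000-$BFFF, and that the value stored at $2FF fixes the slot at 6.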




21) CRISIS MOUNTAIN UNFINISHED!


MSG LEFT BY: THE SHADOW
DATE POSTED: SUN APR 15  1:40:45 AM

     DOCTOR WHO, YOUR CRACK FOR CRISIS
MOUNTAIN WILL NOT WORK WHEN YOU GET A
HIGH SCORE!! YOU FORGOT TO CHANGE THE
WRITE ROUTINE AND THE TRANSLATION TABLE
OVERWRITE T0,S2 WITH THE SAME SECTOR
FROM A NORMAL DISK AND CHANGE BYTES 29
AND AA IN SECTOR 4 TO THEIR NORMAL
VALUES!!  THAT SHOULD DO IT!
 
     THE SHADOW AND THE PUSMAN




22) MATHMAZE 1.


MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN APR 15 11:14:13 PM

WELL, APPLE BANDIT, WHO IS CERTAINLY A MORE TALENTED CRACKER THAN I, HAS
HEATED UP THIS COMPETITION WITH HIS ABOVE CRACKING TUTORIALS.  SO HERE IS
ANOTHER TUTORIAL FROM ->RESET VECTOR!  IN A SIMILAR FASHION TO APPLE BANDIT,
I AM GOING TO DESCRIBE THE PROCEDURE USED TO CRACK A PARTICULAR PROGRAM -
IN THIS CASE AN EDUCATIONAL GAME FROM DESIGNWARE CALLED MATHMAZE.  ALTHOUGH
THE PROGRAM ITSELF MAY NOT BE OF ANY GREAT INTEREST, SOME OF THE TECHNIQUES
USED HERE WILL HAVE MORE GENERAL APPLICATION.  IN PARTICULAR, THE METHODS USED
TO MOVE THE VTOC AND FIND/MARK FREE SECTORS ARE OFTEN CONFUSING TO BEGINNERS
AND THIS EXPLANATION AND STEP BY STEP PROCEDURE MAY PROVE HELPFUL.
   MATHMAZE IS ONE OF A LARGE NUMBER OF PROTECTED PROGRAMS THAT IS NORMALLY
FORMATTED AND CAN BE COPIED WITH COPYA, BUT THE COPY WILL NOT BOOT.  HOWEVER,
IF YOU BOOT WITH THE ORIGINAL, YOU CAN THEN PUT IN A COPYA COPY AND THE GAME
WILL RUN JUST FINE.  SO THE TRICK HERE IS TO GET THE BOOT OUT AS A FILE AND
THEN FIT IT ON THE DISK WITH THE DATA PARTS OF THE ORIGINAL DISK.  NOW, THE
FOLLOWING DISCUSSION ASSUMES THAT YOU HAVE A FEW CRACKING TOOLS.  YOU NEED
A WAY TO RESET INTO THE MONITOR (SEE APPLE BANDIT'S DISCUSSION ABOVE) PLUS
YOU NEED A WAY TO SAVE PAGES 00 THROUGH 07 (UP TO $800).  FOR THIS PURPOSE I
USE APPLESOFT 0 FROM MASTER KEY+.  IF YOU ATTEMPT TO GET THE BOOT FILE OUT
WITH SOMETHING LIKE REPLAY, YOU WILL FIND THAT IT IS TOO LONG TO PACK INTO
A FILE (IT EXTENDS FROM 0800-9600 AND B700-C000, ALTHOUGH YOU COULD PROBABLY
DO WITHOUT THE B700-C000 PART WHICH IS THE RWTS).  SO WE ARE FORCED TO DO THIS
MANUALLY.  THE EASIEST WAY IS TO USE FASTLOADER (BY THE STACK), WHICH LETS
US CREATE VERY LONG FILES THAT WILL RUN UNDER 48K, AND IT DOES A LOT OF THE
WORK FOR US.  THE ONLY HARD PART, REALLY, ABOUT USING FASTLOADER IS THAT IT
REQUIRES US TO FIND THE STARTING ADDRESS OF THE PROGRAM.  THERE ARE MANY
WAYS TO DO THIS (NONE OF THEM REALLY EASY!), BUT MATHMAZE IS AN EXAMPLE OF
A PROGRAM WHERE THE PROTECTORS MADE IT EASY FOR US.  IF YOU BOOT UP MATHMAZE
AND TRY HITTING RESET (WITH THE AUTOSTART MONITOR), YOU WILL FIND THAT THE
PROGRAM JUST GOES BACK TO DISK AND RESTARTS ITSELF (SOME PROGRAMS WILL RESTART
THEMSELVES WITHOUT THE DISK ACCESS).  THIS MAKES LIFE REALLY EASY FOR US,
BECAUSE ALL WE HAVE TO DO IS FIND THE RESET VECTOR (I ALWAYS KNEW MY NAME
HAD A REAL PURPOSE HERE) AND USE THAT FOR THE STARTING ADDRESS.  THE RESET
VECTOR WILL BE STORED IN BACKWARDS FORMAT AT BYTES 3F2-3F3, WHICH IN THIS
CASE WILL BE 04 08, MEANING THE STARTING ADDRESS WE WILL USE IS $804.
   NOW, WITH THAT OUT OF THE WAY, WE CAN CRACK THE BOOT INTO A FILE.  I FIND
THAT FASTLOADER GETS A LITTLE FLAKY IF THE FILES YOU USE ARE TOO LONG, SO HERE
ARE THE FILES I TOOK OUT TO CRACK MATHMAZE.  I AM GOING TO ASSUME SOME
KNOWLEDGE ON YOUR PART HERE.  AS DESCRIBED IN PART BY APPLE BANDIT, YOU HAVE
TO BOOT THE ORIGINAL, HIT RESET AND THEN BOOT A SLAVE DISK AND SAVE THE FILES.
IF YOU ARE SAVING A FILE THAT STARTS AT $800, THEN YOU HAVE TO MOVE THE $800
PAGE OUT OF THE WAY BEFORE YOU BOOT THE SLAVE DISK, AND IF YOU ARE SAVING A
FILE ABOUT $9500 YOU HAVE TO MOVE IT DOWN IN MEMORY BEFORE YOU BOOT THE SLAVE.
HERE ARE THE FILES: FILE 1 IS 0000-0800, FILE 2 IS 0800-3700, FILE 3 IS 3800-6700,
FILE 4 IS 6800-9500 (LENGTH 2E00) AND FILE 5 IS B700-C000 (LENGTH 900).  NOW
JUST PLUG THESE INTO FASTLOADER WITH A STARTING ADDRESS AND YOU WILL HAVE
CRACKED THE BOOT INTO 165 SECTORS.  NOW ON TO THE NEXT MESSAGE.




23) MATHMAZE 2.


MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN APR 15 11:21:20 PM

   NOW THAT YOU HAVE THE BOOT CRACKED, YOU HAVE TO FIT IT ON A COPY OF THE
ORIGINAL DISK.  YOU WILL HAVE TO FIND FREE SPACE ON THE DISK AND MARK IT
FREE IN THE VTOC AND THEN MOVE THE VTOC TO SOMEWHERE OTHER THAN TRACK 11,
WHICH IS USED FOR DATA BY THE ORIGINAL.  NOW, IF YOU WATCH THE ORIGINAL BOOT,
YOU WILL SEE THAT IT USES TRACKS 0-9 FOR THE BOOT.  SO WE KNOW THAT WE CAN
PUT A NORMAL DOS ON THE DISK AND FREE UP THESE TRACKS.  BUT THIS WILL NOT BE
QUITE ENOUGH ROOM, SO FOLLOW THE FOLLOWING PROCEDURE.
1. INIT A BLANK DISK
2. MAKE A COPYA COPY OF THE ORIGINAL AND COPY TRACKS 0-2 (THE DOS TRACKS) AND
TRACK 11 (THE VTOC/CATALOG TRACK) FROM THE INITED BLANK DISK ON TO THIS COPY
OF THE ORIGINAL DISK.
3. NOW YOU NEED A VTOC EDITOR.  I USE DISK FIXER FOR THE BI CHANGES AND
WATSON (WHICH WILL BE ESSENTIAL HERE) FOR THE INDIVIDUAL SECTORS, ALTHOUGH
YOU CAN USE WATSON FOR THE WHOLE THING.  TAKE THE DISK YOU HAVE CREATED AND
USE THE VTOC EDITOR (REMEMBER CTRL-L IN WATSON CHANGES THE STATUS OF A SECTOR)
TO FREE UP SECTORS 5-F OF TRACK 2 (UNUSED BY DOS) AND TO MARK ALL OF TRACKS
A-22 AS USED.  ALSO MARK AS USED SECTORS 0 AND F OF TRACK 9, WHICH IS WHERE
WE WILL EVENTUALLY MOVE THE VTOC, AND WHILE YOU ARE AT IT EDIT TRACK 1
SECTOR B BYTE 01 FROM 11 TO 09 TO TELL DOS WHERE THE VTOC WILL BE.
4. NOW USE WATSON TO SCAN THE DISK SECTOR BY SECTOR STARTING AT TRACK A
SECTOR 0, AND EVERY TIME YOU FIND A SECTOR THAT IS ALL THE SAME VALUE (IN THIS
CASE USUALLY "20" ALTHOUGH SOMETIMES "00") HIT CTRL-L TO FREE UP THE SECTOR.
DO THIS UNTIL YOU HAVE 165 FREE SECTORS (JUST HIT "M" OCCASIONALLY TO SEE HOW
YOU ARE PROGRESSING).
5.  YOU ARE ALMOST DONE.  JUST USE FID OR COPY ][+ OR WHATEVER TO TRANSFER
THE CRACKED BOOT FILE TO THIS DISK.  COPY ][+ IS NICE BECAUSE YOU CAN THEN
JUST CHANGE BOOT PROGRAM AND IT WILL AUTOMATICALLY MAKE THE DOS BRUN YOUR
CRACKED FILE.
6. NOW USE YOUR SECTOR EDITOR (WATSON OR WHATEVER) TO MOVE TRACK 11 SECTOR 0
TO TRACK 9 SECTOR 0 AND TRACK 11 SECTOR F TO TRACK 9 SECTOR F, THEREBY MOVING
THE VTOC AND CATALOG.  YOU WILL HAVE TO EDIT BYTE 01 OF SECTOR 0 FROM 11 TO 09
AND BYTES 01-02 OF SECTOR F TO 00 00.
7. FINALLY, USE YOUR COPY PROGRAM (I USE FAST COPY WHICH ALLOWS ME TO COPY
A RANGE OF NORMAL TRACKS, BUT YOU CAN USE A NIBBLE COPIER) TO COPY TRACK 11
FROM THE ORIGINAL DISK ON TO THE DISK YOU HAVE CREATED.
   THAT'S IT!  I KNOW THAT THE VTOC EDITING AND MOVING CAN BE CONFUSING AS ALL
HELL AT FIRST, BUT THEY ARE ESSENTIAL FOR CRACKING A MULTITUDE OF DIFFERENT
PROGRAMS, SO KEEP ON CRACKING!
COURTESY OF ->RESET VECTOR!
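
The free-sector bookkeeping behind step 3 can be worked through on the VTOC bitmap itself. This is an added example, not part of the original message: it builds a constructed VTOC for a freshly INITed disk, applies the step 3 edits, and counts what is free against the 165 sectors the boot file needs. It assumes the standard DOS 3.3 VTOC layout (bitmap at byte $38, four bytes per track, a set bit meaning free) and that tracks 3-9 start out free; the function names are illustrative.

```python
# Added example: DOS 3.3 VTOC free-sector bitmap and the step 3 edits.
TRACKS, SECTORS = 35, 16
BITMAP = 0x38            # bitmap starts here: 4 bytes per track, track 0 first


def _locate(track, sector):
    """Byte offset and bit mask for one sector in the VTOC bitmap.
    Byte 0 of each 4-byte entry holds sectors F-8, byte 1 holds sectors 7-0."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS):
        raise ValueError(f"no such sector: T${track:02X} S${sector:X}")
    return BITMAP + 4 * track + (0 if sector >= 8 else 1), 1 << (sector & 7)


def set_free(vtoc, track, sector, free):
    offset, mask = _locate(track, sector)
    vtoc[offset] = (vtoc[offset] | mask) if free else (vtoc[offset] & ~mask & 0xFF)


def is_free(vtoc, track, sector):
    offset, mask = _locate(track, sector)
    return bool(vtoc[offset] & mask)


def free_count(vtoc):
    return sum(is_free(vtoc, t, s) for t in range(TRACKS) for s in range(SECTORS))


def blank_vtoc():
    """Constructed VTOC for a freshly INITed 35-track disk: tracks 0-2 (DOS)
    and track $11 (VTOC/catalog) in use; the HELLO file is not modelled."""
    vtoc = bytearray(256)
    vtoc[0x01], vtoc[0x02] = 0x11, 0x0F    # first catalog sector: T$11 S$F
    vtoc[0x03] = 3                          # DOS release number
    vtoc[0x06] = 254                        # volume number
    vtoc[0x27] = 122                        # track/sector pairs per T/S list
    vtoc[0x34], vtoc[0x35] = TRACKS, SECTORS
    vtoc[0x36], vtoc[0x37] = 0x00, 0x01     # 256 bytes per sector
    for track in range(TRACKS):
        free = track not in (0, 1, 2, 0x11)
        for sector in range(SECTORS):
            set_free(vtoc, track, sector, free)
    return vtoc


def apply_step3(vtoc):
    """The bitmap edits listed in step 3 of the message."""
    for sector in range(0x5, 0x10):         # free sectors 5-F of track 2
        set_free(vtoc, 2, sector, True)
    for track in range(0x0A, 0x23):         # mark all of tracks A-22 as used
        for sector in range(SECTORS):
            set_free(vtoc, track, sector, False)
    set_free(vtoc, 9, 0x0, False)           # future home of the VTOC
    set_free(vtoc, 9, 0xF, False)           # future home of the catalog sector


def shortfall(vtoc, needed=165):
    """Sectors still to be found in step 4 before the boot file fits."""
    return max(0, needed - free_count(vtoc))


if __name__ == "__main__":
    vtoc = blank_vtoc()
    print("free on blank disk:", free_count(vtoc))
    apply_step3(vtoc)
    print("free after step 3: ", free_count(vtoc))
    print("still needed:      ", shortfall(vtoc))
    for track in (2, 9):
        entry = vtoc[BITMAP + 4 * track:BITMAP + 4 * track + 2]
        print(f"track {track:X} bitmap bytes: {entry.hex(' ').upper()}")
```

Under these assumptions step 3 leaves 121 sectors free, so step 4 has to turn up 44 more uniform sectors on tracks A-22.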




24) STRIP BLACKJACK CRACKED.


MSG LEFT BY: THE PROWLER
DATE POSTED: MON APR 23 12:29:50 PM

THIS ONE IS PRETTY SIMPLE, JUST RUN
ADVANCED DEMUFFIN, EXIT TO MONITOR AND
TYPE --> B991:DF <RETURN>
THEN TYPE -->  800G <RETURN> AND
YOU SHOULD BE BACK IN ADVANCED DEM.
CONVERT BOTH SIDES OF STRIP BLACKJACK
(IT WILL COPY NO PROBLEM NOW) AND THEN
BOOT UP A SECTOR EDITOR (ANY ONE WILL
DO).
CHANGE TRACK 0,SECTOR 3,BYTE 91
                 FROM $DF TO $DE
ON BOTH SIDES OF THE DISK.
VOILA, CRACKED AND EASY TO COPY!
 
                -?- THE PROWLER -?-




25) ABQ #1 BC'S QUEST FOR TIRES.


MSG LEFT BY: PIRATE'S GUILD


CRACKING BC'S QUEST FOR TIRES
=============================
 
TRACK $21 (HEX) IS A NIBBLE COUNT TRACK
AND CONTAINS NO DATA NEEDED BY THE
GAME. OTHERWISE, THE DISK FORMAT IS
STANDARD DOS 3.3...SO...
 
COPY THE DISK (SKIPPING TRACK $21)
ONTO A BLANK. OR, IF YOU WANT TO MODIFY
YOUR ORIGINAL, JUST USE BAG OF TRICKS'
"INIT" OR SIMILAR UTILITY, AND FORMAT
TRACK $21 ON THE ORIGINAL DISK.
 
NOW, THE DISK CAN BE COPIED BY COPYA,
BUT IT WON'T BOOT BECAUSE OF THE
NIBBLE COUNT. WE CAN JUST NOP THE JSR
TO THE NIBBLE COUNT BY CHANGING THE
FOLLOWING BYTES WITH ZAP OR INSPECTOR:
 
   TRACK  SECTOR  BYTE  FROM  TO:
   -----  ------  ----  ----  ---
    $06    $07    $E8   $20   $EA
    $06    $07    $E9   $00   $EA
    $06    $07    $EA   $96   $EA
 
THERE...IT'S CRACKED! (EASY, EH?)
 
(C): THE BURGLAR OF PIRATE'S GUILD
     [AN APPLE BANDIT QUIKFILE]




26) ABQ #2 DINO EGGS & CRISIS MOUNTAIN.


MSG LEFT BY: PIRATE'S GUILD


CRACK MICRO LAB'S DINO EGGS & CRISIS MT
=======================================
 
MICRO LAB'S PROTECTION SCHEME ON THEIR
DINO EGGS, AND CRISIS MOUNTAIN IS VERY
MINIMAL. TO CONVERT IT TO A COPYA
FORMAT, JUST LOAD COPYA, GO INTO MONITOR
AND DISABLE THE RWTS ADDRESS MARKER
CHECKSUM:
 
*B942:18  (A VERY BASIC TECHNIQUE THAT
            WILL COPY MANY PROGRAMS..)
 
THEN MAKE A COPY OF THE DINO EGGS OR
CRISIS MOUNTAIN ORIGINAL WITH COPYA...
 
NOW, THEIR ROUTINES STILL TRY TO READ
IN THE OLD ADDRESS MARKS. TO MODIFY THE
READADDR ROUTINE TO READ NORMAL DOS 3.3
JUST MAKE THE FOLLOWING MODS ON
TRACK $00, SECTOR $09 -->
 
   BYTE  FROM  TO:
   ----  ----  ---
   $35   $D5   $DE
   $91   $9E   $DE
   $94   $18   $EA
   $95   $60   $BD
   $9B   $E7   $AA
 
NOW, THEIR MODIFIED RWTS STILL DE-
NIBBLIZES THE DATA ABNORMALLY, SO TO
NORMALIZE IT, MAKE THE FOLLOWING MODS
ON TRACK $00, SECTOR $0C -->
 
   BYTE  FROM  TO:
   ----  ----  ---
   $FB   $BF   $BC
   $FC   $1A   $19
 
AND ON TRACK $00, SECTOR $0E -->
 
   BYTE  FROM  TO:
   ----  ----  ---
   $38   $4C   $08
   $39   $00   $B0
   $3A   $BB   $8E
 
(C): THE BURGLAR AND APPLE BANDIT/MPG
      [AN APPLE BANDIT QUIKFILE]




27) ABQ $10 GENERAL MANAGER 2Y.


MSG LEFT BY: PIRATE'S GUILD


CRACKING GENERAL MANAGER //E (V2.0Y)
====================================
 
THE GENERAL MANAGER, VERSION 2.0Y, BY
SIERRA ON-LINE IS VERY EASY TO CRACK;
THAT IS, ONCE YOU KNOW HOW. THE DISK
IS IN STANDARD DOS 3.3 FORMAT, AND
THEREFORE CAN BE COPIED WITH COPYA.
HOWEVER, THE PROGRAM WILL NOT WORK DUE
TO A SMALL NIBBLE COUNT ROUTINE
CLEVERLY HIDDEN IN ONE OF THE FILES ON
THE DISK...
 
TO DISABLE THE NIBBLE COUNT, JUST
TYPE THE FOLLOWING:
 
]BLOAD GENERAL MANAGER
]CALL-151
*631C:2C
*6322:2C
*BSAVE GENERAL MANAGER,A$6000,L$6F0
 
IT'S CRACKED...
 
(C): APPLE BANDIT OF PIRATE'S GUILD
      [AN APPLE BANDIT QUIKFILE]




28) ABQ #12 APPLEWRITER //E.


MSG LEFT BY: PIRATE'S GUILD

CRACKING APPLEWRITER //E
========================
 
ACCORDING TO THE BURGLAR, THIS IS ALL
THERE IS TO IT...
 
[1]  COPYA THE DISK
 
[2]  SECTOR MOD:
 
     TRACK $04, SECTOR $0C
     BYTES $B1-B3 = EA EA EA
 
IT JUST DISABLES A SMALL DISK ROUTINE.
 
(C): THE BURGLAR AND APPLE BANDIT/MPG
      [AN APPLE BANDIT QUIKFILE]




29) ABQ #13 BOOT FROM DRIVE 2.


MSG LEFT BY: PIRATE'S GUILD


HOW TO BOOT FROM DRIVE 2
========================
 
WELL, HERE'S AN INTERESTING TECHNIQUE
THAT SOMETIMES COMES IN HANDY WHEN
DRIVE SPEED SEEMS TO BE CRITICAL IN
A PROTECTION SCHEME, AND YOU CAN'T
PULL OUT THE CONTROLLER CARDS AND SWAP
THEM BECAUSE YOUR COMPUTER DESK IS FULL
OF PRINTOUTS AND OTHER GARBAGE...
 
]CALL-151
*8600<C600.C700M (MOVE BOOT0 ROUTINE
                  FROM CONTROLLER CARD
                  DOWN INTO RAM WHERE
                  WE CAN MODIFY IT.)
*8636:8B (ADDRESS FOR DRIVE 2. WAS SET
          PREVIOUSLY TO "8A" FOR D1.)
 
NOW PUT THE DISK IN DRIVE 2, AND TYPE:
 
*8600G
 
IT WILL BOOT UP. IF YOU WANTED TO BOOT
FROM A DIFFERENT SLOT OTHER THAN 6,
JUST MOVE THE BOOT ROUTINE FROM C600 TO
8000+SLOT*256. (I.E. SLOT 5 WOULD BE
$8500, SLOT 4 $8400, ETC.)
 
JUST A LITTLE TID-BIT FROM...
 
APPLE BANDIT OF MIDWEST PIRATE'S GUILD.




30) DUNZHIN - MY WAY.


MSG LEFT BY: DOCTOR WHO


K PIRATES GUILD BUT WHAT IF YOU DON'T
HAVE ADVANCED DEMUFFIN?
LOAD COPYA
CALL-151
B942:18
BAAA:18
CTRL-C
RUN80
COPY DISK
USE MASTER CREATE TO PUT NORMAL DOS
ON THE DISK
NOW YOU HAVE A CRACKED DUNZHIN!!
 
------------=> DOCTOR WHO <=-----------




31) DEATH IN THE CARIBBEAN!


MSG LEFT BY: RESET VECTOR
DATE POSTED: SAT JUL  2  6:20:34 PM

MESSAGE #78: DEATH IN THE CARIBBEAN!

THIS ONE IS REAL EASY TO CRACK.  THE EASIEST WAY IS TO USE ADVANCED DEMUFFIN
ON TRACKS 3-22, BOTH SIDES, AND THEN JUST PUT NORMAL DOS ON THE DISK.  THE
PROTECTION IS SO MARGINAL, THAT YOU COULD PROBABLY USE COPYA CHANGING THE
BYTES IN DOS TO CHANGE THE ADDRESS AND DATA HEADERS OR USE DISK EDIT 2.0.
COURTESY OF ->RESET VECTOR!.




32) INSTANT RECALL -COPYA.


MSG LEFT BY: GREGG BURMAN
DATE POSTED: WED JUL 20  3:09:50 AM

MESSAGE #79: INSTANT RECALL - COPYA

INSTANT RECALL WAS ANOTHER TRIVIAL
PROGRAM TO CRACK, ITS MAIN PROTECTION
SCHEME CONSISTED OF NONE OTHER THAN
THE MODIFIED RWTS. THERE ARE A COUPLE
OTHER MINOR PROTECTION SCHEMES...
IF YOU USED DEMUFFIN PLUS YOU WOULD
NOT GET THE DATA THAT IS JUST ON THE
DISK BUT NOT IN A FILE, AND THEY ALSO
CHANGE A FEW DOS COMMANDS.
 
IN ORDER TO CRACK IT, JUST USE ANY RWTS
CONVERTER PROGRAM LIKE COPYB OR
ADVANCED DEMUFFIN TO CONVERT IT TO DOS
3.3 FORMAT. THEN CHANGE THE DOS
COMMANDS IN THE FOLLOWING LINES BACK TO
NORMAL. (IN THIS CASE BECAUSE THERE ARE
SO FEW DOS COMMANDS IT WAS EASIER TO
MODIFY ALL THE PROGRAMS TO WORK WITH
NORMAL DOS RATHER THAN MODIFYING NORMAL
DOS TO FIT THEIR PROGRAMS.)
 
LOAD SAMS               LOAD I.R.DEMO
LINE 20 (RUN)           LINE 2400 (RUN)
LINE 30 (RUN)           LINE 2410 (RUN)
 
LOAD XPLAIN +           LOAD XPLAIN E
LINE 190 (BRUN)         LINE 190 (BRUN)
 "   3000 (BLOAD)        " 3000 (BLOAD)
 "   3090 (BSAVE)        " 3090 (BSAVE)
 "   4000 (RUN)          "  4000 (RUN)
 
ANY QUESTIONS? LEAVE E-MAIL.
 
                      GREGG BURMAN




33) SAMMY LIGHTFOOT & APPLE CIDER SPIDER.


MSG LEFT BY: GREGG BURMAN
DATE POSTED: SUN JUL 24  9:18:11 PM

FOR QUITE SOME TIME NOW SIERRA ON-LINE
HAS BEEN PUTTING OUT SOFTWARE IN A DOS
3.3 FORMAT EXCEPT FOR A NIBBLE COUNT ON
ONE OF THE TRACKS. THIS INCLUDES SUCH
PROGRAMS AS SCREENWRITER II, DICTIONARY
AND MORE.
 
RECENTLY THEY HAVE PUT OUT TWO NEW ONES
APPLE CIDER SPIDER AND SAMMY LIGHTFOOT,
YES, THEY TOO ARE IN A COPY-A FORMAT,
BUT THEY WON'T RUN WITHOUT REMOVING THE
NASTY NIBBLE COUNT.
 
TO FIND THE NIBBLE COUNT ON THESE TWO
NEW ONES, AND POSSIBLY FUTURE RELEASES
SEARCH THE DISK WITH DISK EDITOR OR
SOME OTHER UTILITY FOR THE FOLLOWING
HEX STRING:
 
            CE 03 09 EF 03
 
WHEN YOU FIND IT CHANGE THE FIRST TWO
BYTES TO:
 
          60 AD
 
THE 60 IS AN RTS THAT NULLIFIES THE
NIBBLE COUNT SUBROUTINE, AND THE AD
MAKES THE CHECKSUM COME UP WITH THE
CORRECT VALUE.
 
HERE ARE THE PATCHES FOR LIGHTFOOT, AND
CIDER SPIDER, BUT YOU MAY BE ABLE TO
USE THE ABOVE PROCEDURE ON THEIR NEXT
RELEASE?
 
      A.C.S.            S.L.
      ------            ----
TRACK 12 SECTOR 1    TRACK 5 SECTOR E
BYTES 0-1            BYTES 0-1
CHANGE TO 60 AD      CHANGE TO 60 AD
 
THAT SHOULD DO IT! THEY ARE NOW REALLY
COPY-A-ABLE.
 
                    GREGG BURMAN




34) MY WAY..........


MSG LEFT BY: MR. KRAC-MAN
DATE POSTED: MON JUL 25  1:54:00 AM

MY MODS TO CRACK THESE TWO........
 
SAMMY
TD S0 B9B->EA EA EA
 
APPLE CIDER
T13 S5 B18->EA EA EA
T12 S1 B0->60
 
THEY WORK AS FAR AS I CAN SEE!




35) MICRO LAB STUFF.


MSG LEFT BY: GREGG BURMAN
DATE POSTED: WED JUL 27  1:24:47 AM

U.S. CONSTITUTION TUTOR, AND SAT
ENGLISH #1 ARE PRETTY OLD NOW, BUT
I JUST RECENTLY GOT HOLD OF ORIGINALS,
AND THOUGHT I WOULD PASS THIS INFO
ALONG.
 
MICRO LAB USES A MODIFIED DOS FOR
PROTECTION LIKE SO MANY OTHERS WE
HAVE SEEN IN THE PAST. FROM THE START
IT LOOKS LIKE A STANDARD DEMUFFIN TYPE
CRACK, ALTHOUGH WHEN YOU TRY IT THE
DRIVE COMES ON, AND YOU SEE:
 
            I/O ERROR
 
HMMM...
 
WELL MICRO LAB USES INDIRECT COMPARES
WITH ZERO PAGE LOCATIONS IN THEIR RWTS
ROUTINE (I.E. CMP $D6) RATHER THAN THE
STANDARD CMP #$D5. THE PROBLEM WITH
THIS IS THAT SOME OF THESE LOCATIONS
ARE CHANGED WHEN WE RESET OUT OF THE
PROGRAM, OR LIKE BYTE $D6, THE APPLE-
SOFT RUN FLAG, IT IS OFTEN CHANGED
PURPOSEL




36) SAMMY LIGHTFOOT CRACKED.


MSG LEFT BY: MR. XEROX
DATE POSTED: WED AUG  3  7:07:45 PM

TO CRACK SAMMY LIGHTFOOT:
 
 A) COPY THE DISK WITH COPYA
 
 B) USE THE INSPECTOR TO EDIT:
 
              TRACK-5
             SECTOR-E
 
 C) CHANGE BYTE 00 FROM $CE TO $60
 
 D) CHANGE BYTE 28 FROM $60 TO $CE
 
 
        THAT'S IT  !!!!!!
 
 YOUR FRIEND,
         
           MR. XEROX




37) LEARNING WITH LEEPER.


MSG LEFT BY: RESET VECTOR
DATE POSTED: WED AUG 17  8:49:57 AM

MESSAGE #86: LEARNING WITH LEEPER


THE SECTMOD TO CRACK THIS ONE TO COPYA IS THIS:
TRACK 3 SECTOR F  CHANGE BYTES 2C-2E FROM 20 00 12 TO EA EA EA.
THAT'S IT!
COURTESY OF ->RESET VECTOR!


Retour sommaire

hr Pirates Harbor


38) COPYING INCREDIBLE JACK.


MSG LEFT BY: JIM PHELPS
DATE POSTED: THU SEP  8  8:39:20 AM

TO COPY THE INCREDIBLE JACK, ALL YOU
HAVE TO DO IS USE NIBBLES AWAY II B
AND COPY T0-22 PRESERVE NIBBLE COUNT.
 
IF IT GETS HUNG UP ON T21 TRYING TO
WRITE WITH D=000 AND P DECREASING BY
2'S THEN JUST HIT THE SPACE BAR AND IT
WILL CONTINUE.
 
THEN WITH A SECTOR EDITOR, CHANGE THE
INFORMATION ON B9,BA,AND BB ON TRACKS
21,F 21,E 21,A 21,8 21,4 21,2 AND 22,E
TO FF FF FF. THAT'S IT. NOW WRITE PROTECT
IT AND BOOT IT. REMEMBER YOU MUST HAVE
 
64K FOR IT TO BOOT UP!!!!
 
HAVE FUN.
 
                        JIM PHELPS




39) DUNGEON CRACK.


MSG LEFT BY: CLINT CAPEHART
DATE POSTED: SAT OCT 15  8:18:20 AM

 
THERE'S GOT TO BE A BETTER WAY TO DO
THIS , BUT ANYWAY...
GET YOUR FAVORITE IO BLOCK PROGRAM
THAT ALLOWS YOU TO CHANGE HEADERS
AND WRITE ONE TRACK AT A TIME. I USED
DISC-O-DOC II. NOW READ IN TRACKS
WITH THE FOLLOWING DATA HEADERS,
CHANGE THEM TO NORMAL AND WRITE THEM
BACK OUT ONTO A DISK INITIALIZED
UNDER DOS 3.3
T:0-4 -> D5 AA AD (NORMAL)
T:5,6,8,C,E,11,12,16,19,1A,1D,1E,1F,
 AND 21 -> D5 AA F7
T:7,9,D,F,13,15,17,22 -> D5 AA B7
T:A,B,10,14,18,1B,1C,20 -> D5 AA F5
IF THERE'S A PATTERN THERE I CAN'T
SEE IT.
ANYWAY THEN BOOT YOUR FAVORITE DOS
(NORMAL OR FAST) AND DO THE MAGIC
TO EXEC ON BOOT (USUALLY
POKE 40514,20) THEN INSERT A BLANK
DISK AND ']INIT TSR' THEN
']DELETE TSR' THEN FID ALL THE FILES
OFF OF YOUR PREPARED DISK.
THEY HAVE A REALLY FUNNY DOS SOME OF
WHICH LIES ON TRACK 4! (THAT'S WHERE
I FOUND 'TSR', INIT-ING WITH HELLO
CAUSES PROBLEMS). INCIDENTALLY ,OF
COURSE, DEMUFFIN DOESN'T FLY AT ALL
WITH THIS LOSER. TILL THEN ...
 
                -> THE BEAST <-




40) SARGON III.


MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN OCT 30  6:05:35 PM

THE JUST RELEASED SARGON III IS BY FAR THE BEST APPLE CHESS GAME AVAILABLE,
PLAYING A MUCH STRONGER GAME OF CHESS THAN CHESS 7.0.  IT HAS A PROTECTED
BOOT THAT THEN READS DATA OFF OF THE UNPROTECTED PART OF THE DISK, AND IT
IS QUITE EASY TO CRACK.  YOU WILL, HOWEVER, NEED FASTLOADER CREATE PLUS
SOME MEANS OF SAVING PAGES $00-$08 (I USE APPLESOFT 0 FROM MASTER KEY+ BUT
THERE ARE OTHER WAYS).  IF YOU HAVE THE RIGHT TOOLS, THE ONLY HARD PART IS
FINDING THE STARTING ADDRESS; THE ADDRESS GIVEN HERE STARTS UP THE PROGRAM
JUST AT THE END OF THE PROTECTED BOOT AND THEN GOES ON TO READ FROM THE NORMAL
PART OF THE DISK.  YOU CAN THUS TAKE OUT LESS MEMORY IN THE CRACKED FILE, AND
THIS IS IMPORTANT BECAUSE THERE IS LIMITED SPACE ON THE DISK.
   FIRST INIT A BLANK DISK WITH VOLUME NUMBER 205.  NOW COPY TRACKS C-22 FROM
THE SARGON III ORIGINAL TO THIS DISK.  THEN USE A VTOC EDITOR (DISK FIXER OR
DISK EDIT) TO FREE UP TRACKS 3-B ON THIS DISK (AND PART OF TRACK 2 ALSO IF
YOU WANT).  NOW CRACK THE SARGON BOOT FILE BY TAKING OUT THE FOLLOWING CHUNKS
OF MEMORY (NONE ARE LONGER THAN $3000 BECAUSE FASTLOADER GETS A LITTLE FLAKY
WITH LONGER MEMORY CHUNKS...): $00-$08 (LENGTH 08 PAGES), $08-$0C (LENGTH
04 PAGES), $1B-$20 (LENGTH 05 PAGES), $40-$70 (LENGTH 30), $70-$A0 (LENGTH 30),
$A0-$C0 (LENGTH 20). NOW USE FASTLOADER CREATE TO MAKE THESE INTO A BINARY
FILE WITH A STARTING ADDRESS OF $1B33.  IF YOU DID EVERYTHING RIGHT YOU
SHOULD HAVE A 151 SECTOR FILE THAT WILL FIT ON THE DISK YOU MADE WITH ROOM
TO SPARE IF YOU FREE UP SECTORS 5-F OF TRACK 2.  YOU WILL ALSO HAVE A FEW
SECTORS LEFT OVER FOR AN INSTRUCTION FILE IF YOU WISH (MINE CONTAINS ALL
OF THE SARGON COMMANDS).
COURTESY OF ->RESET VECTOR!




41) TIME IS MONEY.


MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN NOV  6  7:15:32 PM

THIS DISK IS NORMALLY FORMATTED TRACKS 0 - 21 AND THEN HAS A FUNNY TRACK 22.
JUST COPY TRACKS 0-21 WITH ANYTHING (FAST COPY OR DISK MUNCHER PREFERABLE
ALTHOUGH YOU COULD USE NIBBLES AWAY IN A PINCH), INIT TRACK 22 WITH BAG
OF TRICKS, AND THEN DO THIS SECTMOD:
TRACK 5 SECTOR F BYTE 19, CHANGE FROM BD TO 60.  IT IS NOW COPYA!
COURTESY OF ->RESET VECTOR!




42) CRACK HOMEWORD.


MSG LEFT BY: GREGG BURMAN
DATE POSTED: MON NOV  7  9:00:23 PM

TO CRACK HOMEWORD, JUST COPYA THE
ORIGINAL DISK, THEN MAKE THE
FOLLOWING SECTMOD:

PATCH:

 TRACK $10
 SECTOR $0A
 BYTES $00 - $01  CHANGE FROM $CE $03
                           TO $60 $AD

THAT IS ALL! IT IS NOW COPYA.


                      GREGG BURMAN




43) CRACK SPEAK UP.


MSG LEFT BY: THE WISE CRACKER
DATE POSTED: SAT NOV 12 12:30:10 AM

IF YOU HAVE SPEAK-UP, A HUMAN VOICE
GENERATOR FOR THE ECHO II, YOU MAY BE
WONDERING WHY ONLY THE DATA FILES AP-
PEAR IN THE DIRECTORY? WELL, THEY HIDE
THE REST ON TRACK 3. BUT A GOOD OL'
POKE 44033,3 WON'T DO THE TRICK. HERE'S
WHAT YOU GOTTA DO TO CRACK THIS GREAT
PROGRAM. BOOT THE SPEAK UP DISK, AND
WAIT UNTIL YOU SEE THAT APPLESOFT
PROMPT. THEN, BREAK OUT. WHATEVER IS
YOUR PREFERENCE. GO TO MONITOR, TYPE
 
*D6:00
*3F2:BF 9D 38
 
HIT RESET. TYPE
]CATALOG,V96
 
VOILA, LE DIRECTORIE DE SPEAK UP EST
ICI!
 
NOW, FOR THE APPLESOFT FILES, JUST
LOAD XXXXXXX,V96, PUT IN A BLANK, AND
SAVE XXXXXX (NO V96). FOR BINARY FILES,
BLOAD XXXXXXX,V96
GET THE ADDRESSES AND LENGTH FROM DOS,
AND BSAVE XXXXXXXX. THEN, FID THE DATA
FILES YOU CAN USUALLY SEE TO THE DISK.
 
NOW, USE COPYA, OR ANY OTHER COPIER,
AND COPY THE DISK. NOW, INIT THE FIRST
COPY WITH A VOLUME OF 96. NOW, FID THE
FILES FROM THE SECOND COPY TO THE NEWLY
INITTED DISK. NOW, BLOAD RESET, AND
LIST THE CODE. IF YOU WANT, MODIFY THE
ADDRESSES (YOU KNOW HOW TO GET START
AND LENGTH ADDRESSES FROM DOS. RIGHT??)
 
WELL, NOW BLOAD BHELLO, AND YOU'LL SEE,
THAT THE FIRST THING IT DOES IS
 
 
LDA #$80
STA $D6
 
CHANGE IT TO
 
CONTINUED NEXT MESSAGE




44) CRACK SPEAK UP CONTINUED....


MSG LEFT BY: THE WISE CRACKER
DATE POSTED: SAT NOV 12 12:32:39 AM

CONT'D
 
TO
 
LDA #$00
STA $D6
 
SAVE IT.....
 
NOW, WRITE A HELLO PROG TO BRUN BHELLO.
 
DONE.......
 
HAPPY KRAKIN'
 
                  THE WISE CRACKER
 
P.S. IF YOU DON'T KNOW HOW TO GET DOS
START AND LENGTH ADDRESSES, HERE....
 
AA72:LOW ORDER BYTE OF START
AA73:HIGH  "    "   "    "
 
AA60:LOW ORDER BYTE OF LENGTH
AA61:HIGH  "     "  "    "




45) EINSTEIN MEMORY TRAINER.


MSG LEFT BY: RESET VECTOR
DATE POSTED: FRI NOV 18 10:02:16 PM

THE FOLLOWING CHANGES ARE PROBABLY A BIT MORE EXTENSIVE THAN ARE ABSOLUTELY
NECESSARY TO CRACK THIS PROGRAM, BUT THEY WORK, AND IT WAS EASIER THIS WAY
THAN NARROWING IT DOWN FURTHER.  JUST COPYA THE DISK (ONLY DISK A IS
PROTECTED), THEN USE A SECTOR EDITOR ON THE FOLLOWING SECTORS AND CHANGE
ALL OF THE LISTED BYTES TO 60'S:
TRACK F SECTOR 0 BYTES 00-93
TRACK 8 SECTOR 7 BYTES 00-9C
TRACK 4 SECTOR C BYTES 40-FF
TRACK F SECTOR 1 BYTES F7-FF
THAT SHOULD DO IT!
COURTESY OF ->RESET VECTOR!




46) DINO EGGS CRACKED.


MSG LEFT BY: CAPTAIN NIBBLE
DATE POSTED: SUN NOV 27 11:11:49 AM

HERE'S AN EASY WAY TO CRACK DINO EGGS
BY MICRO LAB
 
LOAD A 3.3 DOS
CALL-151
*B942:18
*3D0G
RUN COPY A
 
NOW CHANGE THE FOLLOWING ON YOUR NEW
COPY
 
TRACK 0 SECT B BYTE 75 FROM 38 TO 18
TRACK 0 SECT 9 BYTE 42 FROM 38 TO 18
 
THAT'S ALL THERE IS TO IT
 
ANOTHER GOODIE FROM
           CAPTAIN NIBBLE




47) DOS QUICKIE.


MSG LEFT BY: COUNT NIBBLER
DATE POSTED: MON DEC  5 10:11:51 AM

     MOST OF YOU PRESUMABLY KNOW ABOUT
HOW TO DISABLE THE DOS CHECKSUMS FOR
CRACKING. THIS WILL UNPROTECT A GOOD
NUMBER OF RECENT PROGRAMS. HOWEVER,
SOME OF THEM DO SOME ADDITIONAL CHANGES
WHICH MAKE THIS METHOD UNUSABLE.
     BY PRESSING RESET, EVEN WITH AN
AUTOSTART ROM, YOU CAN TAKE A LOOK AT
THE DOS IN MOST OF THESE PROGRAMS (WITH
AN AUTOSTART ROM, JUST KEEP PRESSING
RESET UNTIL THE DRIVE STOPS WHEN THE
PROGRAM TRIES TO REBOOT, AS MOST OF
THEM DO). THERE ARE A FEW KEY LOCATIONS
THAT CAN BE CHANGED TO OFTEN MAKE THE
FILES COPYABLE FROM THE PROTECTED DISK.
THIS WORKS ON SUCH PIECES OF SOFTWARE
AS THE QUEST, AND MANY OTHERS.
     PENGUIN SOFTWARE'S PROTECTION OF
ITS ADVENTURE PROGRAMS SEEMS TO BE ALL
THE SAME. THEY CHANGE VARIOUS ADDRESS
AND DATA MARKERS, ETC, ENOUGH SO THAT
THE CHECKSUMS METHOD ALONE WILL NOT
WORK, BUT NEITHER WILL THE MUFFIN13/
MUFFIN16 METHOD. TRY BOOTING ONE OF
THEM, AND PRESSING RESET UNTIL IT STOPS
IN BASIC (IT WILL TRY REBOOTING AND
ERASING MEMORY, BUT KEEP PRESSING
RESET). IF YOU HAVE A MONITOR ROM, THEN
NO PROBLEM. IN ANY CASE, ENTER THE
MONITOR AND TAKE A LOOK AT DOS. IN
PARTICULAR, THE FOLLOWING LOCATIONS ARE
DIFFERENT:
 
ADDR:     DOS 3.3:         PENGUIN'S:
----      -------          ---------
B934L C9 DE  CMP #$DE  C9 DA  CMP #$DA
 
B990L C9 DE  CMP #$DE  C9 DA  CMP #$DA
 
B954L C9 D5  CMP #$D5  4A     LSR
      D0 F0  BNE $B948 49 6A  EOR #$6A
      EA     NOP       D0 EF  BNE $B948
 
 
                   TO BE CONTINUED
 
          -=+*])! COUNT NIBBLER !([*+=-




48) DOS QUICKIE CONTINUED.


MSG LEFT BY: COUNT NIBBLER
DATE POSTED: MON DEC  5 10:19:29 AM

IF THIS IS TO MAKE ANY SENSE AT ALL
READ THE FIRST MESSAGE.
 
IF YOU BOOT YOUR SYSTEM MASTER AND
DISABLE THE CHECKSUM VIA:
 
CALL-151
B925:1860
B988:1860
B942:1860
 
YOU CAN BLOAD FID AND MAKE CHANGES IN
THE RESIDENT DOS TO MAKE THE DOS THE
SAME AS PENGUINS:
 
B954:4A 49 6A D0 EF
B934:C9 DA
B990:C9 DA
 
THEN WITH A 803G BRUN FID AND COPY THE
FILES OFF THE PROTECTED DISK ONTO YOUR
OWN!!!
 
                        ** ENJOY **
 
          -=+*])! COUNT NIBBLER !([*+=-




49) STELLAR DEFENSE FIX.


MSG LEFT BY: RESET VECTOR

FIX IT...  THE PROPER CRACK IS:
COPY DISK WITH COPYA
CHANGE TRACK 5 SECTOR 6 BYTES 55-57 FROM A9 20 8D (60 20 8D IF PREVIOUSLY
ALTERED) TO 4C 68 3A
CHANGE TRACK 5 SECTOR A BYTE 6C FROM A9 TO 60
THAT'S IT - IT SHOULD NOW WORK PERFECTLY
COURTESY OF ->RESET VECTOR




50) EINSTEIN COMPILER VER. 5.3.


MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN DEC 11 10:10:42 PM

CRACKS WITH SAME SECTMOD AS THE EARLIER VERSION, BUT IN A DIFFERENT PLACE.
COPY WITH COPYA THEN EDIT TRACK 8 SECTOR 4 BYTES A9-AB FROM BD 8C C0 TO
4C E2 91.  CRACKED!
COURTESY OF ->RESET VECTOR!




51) ATARISOFT EASIER.


MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN DEC 11 10:13:41 PM

DON'T KNOW IF THIS IS REALLY WORTH POSTING, BUT THAT LONG MESSAGE ON HOW
TO CRACK ATARISOFT WAS REALLY A BIT MUCH.  EVERY SINGLE ONE OF THEIR GAMES
WILL DEMUFFIN WITH THE GREATEST OF EASE, SO WHY GO TO ALL THE TROUBLE OF THAT
OTHER PROCEDURE???
->RESET VECTOR!




52) CRACK LS5.0 !!!


MSG LEFT BY: BOZO NYC
DATE POSTED: WED JAN 18  3:32:31 AM

THE CRACK WAS NOT DONE BY ME, BUT WAS DONE BY THE WOMBAT.  I JUST DUG THRU HIS
WORK (HIS CRACKED COPY) AND HERE'S THE NITTY-GRITTY.  THE SERIAL NUMBERS ARE
NOT REMOVED, BUT EVERYTHING SEEMS TO WORK.
 
CRACKING LOCKSMITH 5.0
-------- --------- ---
 
1) USE ANY COPYA TYPE COPIER.
2) TRACK-0 SECTOR-D BYTE-E3
   CHANGE TO 90 A8
3) TRACK-1 SECTOR-7 BYTE-90
   CHANGE TO A9 EA 8D 72 19
   8D 71 19 4C 00 20
 
 
THAT'S IT!
 
 
BOZONYC




53) 1 BYTE LS5 CRACK.


MSG LEFT BY: BOZO NYC
DATE POSTED: THU JAN 19  2:41:33 AM

WELL, AFTER DIGGING AROUND SOME MORE, I FOUND A 1 BYTE PATCH TO CRACK
LOCKSMITH 5.0!
 
AGAIN, THANKS TO THE WOMBAT FOR THE ORIGINAL CRACKED DISK THAT LED ME TO THIS
1 BYTE CRACK.
 
 
USE A COPYA PROGRAM TO COPY LS5.0
 
USE A TRACK/SECTOR EDITOR TO CHANGE THE FOLLOWING:
 
TK=F SK=E BYTE=71
WAS: F4
CHANGE TO: D4
 
 
THAT'S REALLY ALL!
 
BOZONYC




54) CRACK TELE-PORTER.


MSG LEFT BY: RIP_EM_OFF SOFTWARE
DATE POSTED: SUN FEB  5  1:10:24 AM

TO CRACK SENSIBLE'S NEW COMM PROGRAM
 
HERE IS WHAT YOU DO:
1)  DISABLE CHECKING ON END OF ADDRESS
    MARKERS.
2)  COPY ENTIRE DISK EXCEPT FOR TRK $F.
3)  MODIFY THESE TRKS AND SCTRS.
TRK SEC   FROM       TO
 00  03    ED        DE   BYTE ($35)
 02  02    90        D0   BYTE ($E9)
 02  03   00 BF    84 9D  BYTE ($61-62)
 0B  0F   D0 0B    EA EA  BYTE ($12-13)
 10  08   D0 01    EA EA  BYTE ($5E-5F)
 
MAKE SURE VOLUME NUMBER ON DEST DISK IS
4!  PROGRAM MAY NOT RUN WITHOUT THIS, SO
WATCH IT!




55) SAN FRANCISCO EARTHQUAKE.


MSG LEFT BY: RESET VECTOR
DATE POSTED: SAT FEB 11 10:02:33 PM

HERE IS HOW TO CRACK THIS ADVENTURE FROM ADVENTURE INTERNATIONAL.  THE FLIP
SIDE IS ALREADY UNPROTECTED; YOU JUST HAVE TO CRACK THE BOOT SIDE.  CONVERT
THE WHOLE DISK EXCEPT FOR TRACK 22 WITH ADVANCED DEMUFFIN (I SUGGEST YOU
USE THEIR DOS ALSO SO CONVERT TRACKS 0-21).  THEN DO THE FOLLOWING:
BLOAD M1
CALL -151
B01:60
BSAVE M1,A$80D,L$1785
CRACKED!
COURTESY OF ->RESET VECTOR!




56) KOALGRAMS.


MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN MAR  5 12:45:55 AM

EASY CRACK.  JUST COPYA THE DISK THEN CHANGE TRACK B SECTOR 4 BYTE F3
FROM BD TO 60.  CRACKED!
Courtesy of ->Reset Vector!




57) CRACK BC'S QUEST.


MSG LEFT BY: X - RAY
DATE POSTED: FRI APR 13 10:40:58 AM

TO CRACK BC'S QUEST FOR TIRES REQUIRES
A SECTOR MOD AFTER COPYING THE DISK
WITH A STANDARD COPY PROGRAM SUCH AS
COPY A. THE MODIFICATION TO MAKE IS ON
TRACK 6, SECTOR 7. THE CHANGE IS MADE
ON BYTES E7 THRU E9, CHANGED FROM 20 00
96 TO EA EA EA. THAT'S IT.
 
HAVE FUN....THE X-RAY.




58) MAKE & USE COPYB.


COPYB DOCUMENTATION FILE. BY THE DISK
JOCKEY.


INTRODUCTION:

THERE ARE PROBABLY HUNDREDS OF WAYS TO
PROTECT A PROGRAM FROM BEING COPIED.
BUT GENERALLY SPEAKING, PROTECTION
FALLS UNDER TWO CATEGORIES: PROTECT THE
ACTUAL PROGRAM (BY VARIOUS MEANS), OR
PROTECT A DISK FULL OF PROGRAMS WITH
SOME SORT OF DOS MODIFICATION. DOS
MODIFICATIONS ARE THE MOST COMMON SINCE
THEY ARE THE EASIEST TO DEAL WITH (FROM
THE PUBLISHER'S POINT OF VIEW). DOS
MODIFICATIONS ARE ALSO THE LEAST
SUCCESSFUL OF PROTECTION, SINCE SOMEONE
ALWAYS SEEMS TO FIND A WAY TO COPY ALL
THE FILES ONTO A NORMAL DOS DISK,
ELUDING ALL THE PROTECTION. THE CLASSIC
PROGRAM FOR DEALING WITH MODIFIED DOS'S
IS DEMUFFIN PLUS. IT WORKS MUCH THE
SAME WAY AS APPLE'S MUFFIN PROGRAM
WORKS. MUFFIN WAS WRITTEN TO READ FILES
FROM A DOS 3.2 DISK AND THEN WRITE THEM
TO A DOS 3.3 DISK. DEMUFFIN WAS A
VARIATION OF MUFFIN, ALLOWING THE
HARDCORE 3.2 USER TO COPY FILES FROM
DOS 3.3 TO DOS 3.2. DEMUFFIN PLUS
OPERATES ON THE SAME PRINCIPLE, BUT
USES WHATEVER DOS IS IN MEMORY TO READ
THE DISK, AND THEN WRITES OUT TO AN
INITIALIZED DOS 3.3 DISK. WHILE THIS IS
A POWERFUL UTILITY, IT ONLY WORKS WITH
PROGRAMS THAT ARE BASED ON DOS FILE
STRUCTURES AND THAT HAVE A CATALOG
TRACK.

INTRODUCING COPYB:

COPYB IS A HIGHLY MODIFIED VERSION OF
COPYA WHICH CONVERTS A PROTECTED DISK
THAT USES A MODIFIED DOS AND/OR RWTS TO
NORMAL DOS 3.3 FORMAT. THE PROTECTED
DISK MAY HAVE A NORMAL DOS FILE
STRUCTURE, OR IT MAY NOT. SINCE COPYB
COPIES ON A TRACK BY TRACK BASIS, THIS
DOES NOT MATTER. THIS MAKES COPYB A FAR
MORE FLEXIBLE TOOL THAN DEMUFFIN PLUS.

COPYB USES THE PROTECTED DISK'S RWTS TO
READ IN THE TRACKS AND THEN USES NORMAL
DOS 3.3 TO WRITE THEM BACK OUT TO AN
INITIALIZED DISK. UNLESS OTHERWISE
INSTRUCTED, COPYB COPIES TRACK $03 TO
TRACK $22, SECTOR $0F TO SECTOR $00 OF
EACH TRACK. HERE ARE THE PARAMETERS FOR
COPYB:


LOCATION                   NORMALLY
HEX DEC     DESCRIPTION     HEX DEC NT.
---------------------------------------
22E 558 FIRST TRACK TO READ   03 03 (1)
236 556 FIRST SECTOR TO READ  0F 15 (2)
365 869 RESET SECTOR NUMBER   0F 15 (2)
3A1 929 STOP ON ERROR($18=NO) 38 56 (3)
302 770 TRK TO STOP READING+1 23 35 (4)
35F 863 TRK TO STOP READING+1 23 35 (4)


NOTES (NT.):

1) THIS IS THE FIRST TRACK THAT COPYB
STARTS READING AT. THIS IS NORMALLY SET
AT TRACK 3, SO AS NOT TO COPY THE
PROTECTED DOS WHICH NORMALLY RESIDES ON
TRACK 0 THROUGH TRACK 2.

2) THESE TWO PARAMETERS ARE NORMALLY
SET TO $0F FOR 16 SECTOR DISKS. CHANGE
THESE TWO PARAMETERS TO $0C FOR 13
SECTOR DISKS. MOST OF TODAY'S
PROTECTION SCHEMES ARE BASED ON 16
SECTORS. YET THERE ARE STILL A FEW
USING 13 SECTORS (SUCH AS MUSE).
INTERESTINGLY ENOUGH, THERE IS A
HANDFUL OF AUTHORS THAT ALSO USE
SECTORING OTHER THAN 13 OR 16 SECTORS
PER TRACK. AN EXAMPLE OF THIS IS
"THIEF" FROM DATAMOST. THIS PROGRAM
USES 11 SECTORS PER TRACK. COPYB CAN
ALSO ACCOMMODATE THESE PROGRAMS.

3) THIS PARAMETER IS NORMALLY SET SO
THAT UPON READING A 'BAD SECTOR' COPYB
WILL STOP AND DISPLAY AN ERROR. TO LET
COPYB KEEP GOING AFTER A READ ERROR,
CHANGE THIS BYTE TO $18 (24 IN
DECIMAL). THE EQUIVALENT SECTOR ON THE
COPIED DISK WILL BE WRITTEN BLANK.

4) THESE TWO PARAMETERS DETERMINE WHERE
COPYB WILL STOP READING THE PROTECTED
DISK. NORMALLY, THIS IS SET TO THE LAST
TRACK, $22 (34 IN DECIMAL) , PLUS ONE.
TO CHANGE THIS, ADD ONE TO THE LAST
TRACK YOU WANT TO COPY AND CHANGE THESE
TWO PARAMETERS.

CREATING COPYB:

AFTER ENTERING OR DOWNLOADING THE BASIC
PROGRAM, SAVE THE PROGRAM BY TYPING:

]SAVE COPYB

NOW YOU MUST ENTER THE ASSEMBLY
LANGUAGE SUBROUTINES THAT COPYB USES.
COPYB USES THE MAIN SUBROUTINES THAT
COPYA USES, SO WE ONLY HAVE TO MODIFY
THE FILE COPY.OBJ0 THAT IS ON THE DOS
3.3 SYSTEM MASTER. BUT FIRST I WILL
EXPLAIN THE ADDED SUBROUTINES THAT
COPYB NEEDS.

REMEMBER THAT COPYB USES THE PROTECTED
PROGRAM'S RWTS TO READ THE DISK BY
MOVING IT FROM $8000 TO $B700 - $BFFF.
AFTER COPYB IS DONE READING THE
PROTECTED DISK, NORMAL RWTS IS MOVED
BACK UP TO $B700 - $BFFF FROM $8900 TO
WRITE TO A NORMAL DOS DISK. THIS IS
HANDLED BY SOME SUBROUTINES WHICH WE
WILL ADD TO THE EXISTING FILE COPY.OBJ0.
HERE ARE THE ROUTINES (FORMATTED IN 80
COLUMNS):


0220-   20 B0 02    JSR   $02B0  :SAVE THE REGISTERS.
0223-   A0 B7       LDY   #$B7   :BOTTOM PAGE TO MOVE FROM.
0225-   A9 89       LDA   #$89   :DESTINATION PAGE TO MOVE TO.
0227-   20 80 02    JSR   $0280  :COPY NORMAL RWTS FROM $B700-BFFF
                                  TO 8900-91FF.
022A-   20 B4 03    JSR   $03B4  :SUBROUTINE TO LOCATE RWTS ($3E3).
022D-   A9 03       LDA   #$03   :STARTING TRACK TO READ FROM.
022F-   8D D1 02    STA   $02D1  :STORE TRACK.
0232-   8D D2 02    STA   $02D2  :STORE TRACK.
0235-   A9 0F       LDA   #$0F   :STARTING SECTOR TO READ FROM.
0237-   8D D3 02    STA   $02D3  :STORE SECTOR.
023A-   8D D4 02    STA   $02D4  :STORE SECTOR.
023D-   4C E7 02    JMP   $02E7  :JUMP TO READ ROUTINE.
0240-   20 B0 02    JSR   $02B0  :SAVE THE REGISTERS.
0243-   A0 80       LDY   #$80   :BOTTOM PAGE TO MOVE FROM.
0245-   A9 B7       LDA   #$B7   :DESTINATION PAGE TO MOVE TO.
0247-   20 80 02    JSR   $0280  :MOVE FOREIGN RWTS FROM $8000 TO
                                  $B700-BFFF.
024A-   4C F7 02    JMP   $02F7  :JUMP TO WRITE ROUTINE.


0260-   20 B0 02    JSR   $02B0  :SAVE THE REGISTERS.
0263-   A0 89       LDY   #$89   :BOTTOM PAGE TO MOVE FROM.
0265-   A9 B7       LDA   #$B7   :DESTINATION PAGE TO MOVE TO.
0267-   20 80 02    JSR   $0280  :MOVE NORMAL RWTS FROM $8900 BACK TO
                                  $B700-BFFF.
026A-   4C 17 03    JMP   $0317  :JUMP TO WRITE ROUTINE


0270-   20 B0 02    JSR   $02B0  :SAVE THE REGISTERS.
0273-   A0 89       LDY   #$89   :BOTTOM PAGE TO MOVE FROM.
0275-   A9 B7       LDA   #$B7   :DESTINATION PAGE TO MOVE TO.
0277-   20 80 02    JSR   $0280  :MOVE NORMAL RWTS FROM $8900 TO
                                  $B700-BFFF.
027A-   4C BC 03    JMP   $03BC  :RESTORE THE REGISTERS AND EXIT.


0280-   84 07       STY   $07    :STORE ORIGINAL PAGE TO MOVE FROM.
0282-   85 09       STA   $09    :STORE DESTINATION PAGE TO MOVE TO.
0284-   A2 09       LDX   #$09   :LOAD X WITH NUMBER OF PAGES TO MOVE.
0286-   A9 00       LDA   #$00   :LOAD ACCUM WITH $00.
0288-   A8          TAY          :TRANSFER #$00 TO Y.
0289-   85 06       STA   $06    :STORE #$00 AT $06.
028B-   85 08       STA   $08    :STORE #$00 AT $08.
028D-   B1 06       LDA   ($06),Y:LOAD ACCUM WITH THE BYTE AT THE ADDRESS
                             POINTED TO BY LOCATIONS $06 & $07 (LO-HI
                             ORDER), INDEXED BY Y.
028F-   91 08       STA   ($08),Y:STORE ACCUM AT THE ADDRESS POINTED
                             TO BY LOCATIONS $08 & $09 (LO-HI ORDER)
                             INDEXED BY Y.
0291-   C8          INY          :INCREMENT Y.
0292-   D0 F9       BNE   $028D  :CONTINUE UNTIL END OF PAGE.
0294-   E6 07       INC   $07    :INCREMENT ORIGINAL PAGE.
0296-   E6 09       INC   $09    :INCREMENT DESTINATION PAGE.
0298-   CA          DEX          :DECREMENT X.
0299-   D0 F2       BNE   $028D  :IF HAVEN'T MOVED 9 PAGES, DO AGAIN.
029B-   60          RTS          :RETURN FROM SUBROUTINE.


02B0-   8D C7 03    STA   $03C7  :STORE ACCUMULATOR AT $3C7.
02B3-   8E C8 03    STX   $03C8  :STORE X-REGISTER AT $3C8.
02B6-   8C C9 03    STY   $03C9  :STORE Y-REGISTER AT $3C9.
02B9-   60          RTS          :RETURN FROM SUBROUTINE.


SO TO CREATE THE OBJECTIVE FILE FOR
COPYB, WE SHOULD FIRST ENTER THE
MONITOR BY TYPING:

]CALL-151

NEXT WE SHOULD INITIALIZE THE MEMORY
AREA BY TYPING:

*220:FF N 221<220.2CDM

NOW BLOAD THE FILE COPY.OBJ0 FROM THE
DOS 3.3 SYSTEM MASTER BY TYPING:

*BLOAD COPY.OBJ0

NOW TYPE IN THE NEW CODE AND SOME
CHANGES:

*228:80 02 20 B4 03 A9 03 8D
*230:D1 02 8D D2 02 A9 0F 8D
*238:D3 02 8D D4 02 4C E7 02
*240:20 B0 02 A0 80 A9 B7 20
*248:80 02 4C F7 02
*260:20 B0 02 A0 89 A9 B7 20
*268:80 02 4C 17 03
*270:20 B0 02 A0 89 A9 B7 20
*278:80 02 4C BC 03
*280:84 07 85 09 A2 09 A9 00
*288:A8 85 06 85 08 B1 06 91
*290:08 C8 D0 F9 E6 07 E6 09
*298:CA D0 F2 60
*2B0:8D C7 03 8E C8 03 8C C9
*2B8:03 60
*2C1:20
*2C4:40
*2C7:60 02
*2CB:13 7F B0 60
*2D0:01 03 03 0F 0F
*2D8:B4
*2DD:02
*2F8:B4
*318:B4
*3C7:02 9D C0 B3 C4 C4
*220:20 B0 02 A0 B7 A9 89 20


AFTER ENTERING THESE CHANGES, SAVE THE
FILE BY TYPING:

*BSAVE COPYB.OBJ,A$220,L$1AB


USING COPYB:

TO USE COPYB, YOU MUST CAPTURE THE
FOREIGN RWTS AND PUT IT AT LOCATIONS
$8000 THROUGH $88FF. YOU CAN DO THIS
ONE OF TWO WAYS:

1) BOOT THE PROTECTED DISK AND AFTER
THE FOREIGN DOS IS LOADED, RESET INTO
THE MONITOR. THE FOREIGN DOS WILL
USUALLY BE LOADED A FEW SECONDS AFTER
THE BOOT STARTS. YOU CAN TELL THIS
BECAUSE MANY TIMES A BASIC PROMPT WILL
APPEAR AT THE BOTTOM OF THE TEXT
SCREEN. USE THE MONITOR MOVE COMMAND TO
MOVE RWTS DOWN TO $8000 AS SO:

*8000<B700.BFFFM

NOW BOOT A 48K SLAVE DISK (THIS WILL
NOT DESTROY MEMORY FROM $900 TO $95FF)
AND RUN COPYB.

2) READ IN TRACK 0, SECTOR 1 THROUGH
TRACK 0 SECTOR 9 OF THE PROTECTED DISK
INTO MEMORY $8000 TO $88FF WITH A
SECTOR EDITOR SUCH AS 'THE INSPECTOR'.
THEN RUN COPYB.


ENTERING THE PARAMETERS AND RUNNING
COPYB:

RUN COPYB BY TYPING:

]RUN COPYB

THE PROGRAM WILL COME UP AND ASK WHAT
PARAMETERS TO USE, ALL DESCRIBED ABOVE.
COPYB WILL POKE IN THE VALUES YOU HAVE
ENTERED FOR YOU. ENTER ALL VALUES IN
DECIMAL.

AFTER ENTERING THE PARAMETERS, YOU WILL
BE ASKED IF YOUR SELECTIONS ARE
CORRECT. IF YOU ANSWER YES, THE NEXT
SET OF PROMPTS WILL APPEAR, WHICH
SHOULD LOOK FAMILIAR. ENTER THE
ORIGINAL AND DESTINATION DRIVE AND SLOT
NUMBERS, JUST LIKE IN COPYA. LASTLY,
YOU WILL BE ASKED IF YOU WANT THE
DESTINATION DISK TO BE INITIALIZED,
RESPOND YES OR NO. NOW PRESS THE RETURN
KEY TO START THE COPY.

WHEN THE COPY IS COMPLETED, ASSUMING
ALL WENT CORRECTLY, YOU WILL HAVE A
NORMAL DOS 3.3 VERSION OF YOUR
PROTECTED DISK WHICH MAY RUN OR BE
EXAMINED AND CHANGED MORE EASILY THAN
THE ORIGINAL DISK.

THIS METHOD OF DEPROTECTION IS MORE
DEPENDABLE THAN USING DEMUFFIN PLUS AND
COVERS MORE TYPES OF PROGRAMS. I AM
SURE YOU WILL FIND COPYB AN EXCELLENT
UTILITY TO HAVE.
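
Because COPYB takes its parameters in decimal while the listing and entry lines are in hex, the parameter table is worth cross-checking before use. This added example (not part of the COPYB documentation) compares each row's hex and decimal columns and, where the typed-in entry lines cover the location, the "normally" value; the function names are illustrative.

```python
import re

# Copied verbatim from the documentation above: the parameter table rows
# and the monitor entry lines that cover $0228-$023F.
TABLE = """\
22E 558 FIRST TRACK TO READ   03 03 (1)
236 556 FIRST SECTOR TO READ  0F 15 (2)
365 869 RESET SECTOR NUMBER   0F 15 (2)
3A1 929 STOP ON ERROR($18=NO) 38 56 (3)
302 770 TRK TO STOP READING+1 23 35 (4)
35F 863 TRK TO STOP READING+1 23 35 (4)
"""
ENTRY = """\
*228:80 02 20 B4 03 A9 03 8D
*230:D1 02 8D D2 02 A9 0F 8D
*238:D3 02 8D D4 02 4C E7 02
"""

ROW = re.compile(r"([0-9A-F]+) (\d+) (.+?)\s+([0-9A-F]{2}) (\d+) \(\d\)$")

def load_entry(text):
    """Turn monitor 'addr:bytes' deposit lines into {address: byte}."""
    image = {}
    for line in text.splitlines():
        addr, data = line.lstrip("*").split(":")
        for i, byte in enumerate(data.split()):
            image[int(addr, 16) + i] = int(byte, 16)
    return image

def check_table(table, image):
    """Return (hex_location, problem) for every inconsistent table row."""
    problems = []
    for line in table.splitlines():
        loc_hex, loc_dec, _, val_hex, val_dec = ROW.match(line).groups()
        loc, val = int(loc_hex, 16), int(val_hex, 16)
        if loc != int(loc_dec):
            problems.append(
                (loc_hex, f"hex ${loc_hex} is {loc} decimal, table says {loc_dec}"))
        if val != int(val_dec):
            problems.append(
                (loc_hex, f"hex ${val_hex} is {val} decimal, table says {val_dec}"))
        if loc in image and image[loc] != val:
            problems.append((loc_hex, f"entry lines hold ${image[loc]:02X}"))
    return problems

if __name__ == "__main__":
    for loc, problem in check_table(TABLE, load_entry(ENTRY)):
        print(loc, problem)
```

Only the $236 row is flagged: its hex and decimal columns disagree, while the entry lines do hold $0F at $0236, the operand of the LDA at $0235 in the listing.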




59) STANDING STONE CRACKED.


MSG LEFT BY: CAPTAIN NIBBLE
DATE POSTED: THU DEC  1  4:41:39 PM

HERE'S HOW TO CRACK THE STANDING STONE
BY ELECTRONIC ARTS
 
RUN COPYA ON BOTH SIDES OF THE DISK
 
NOW ON THE BOOT SIDE CHANGE THE
FOLLOWING
 
TRACK 11 SECTOR 3 BYTES 68 & 69
TO 18 60
 
THAT'S ALL THERE IS TO IT
ENJOY
CAPTAIN NIBBLE

