CRACKING TECHNIQUES 1984
INTRODUCTION BY
THE DISK JOCKEY
ANYONE INTERESTED IN THE APPLE SEEMS TO
BE INTRIGUED BY THE "ART OF KRAKING",
FOR A VARIETY OF REASONS. PROBABLY THE
FOREMOST IS THAT THIS OPENS THE WAY FOR
WORRY-FREE AND AMPLE SOFTWARE THAT
ANYONE CAN USE AND TRADE. BESIDES THESE
IMMEDIATE USES, KRAKING A PROGRAM SEEMS
TO IMPRESS ALL BUT THE AUTHOR OF THE
PROGRAM.
KRAKING PROTECTED PROGRAMS REQUIRES
SEVERAL THINGS THAT YOU SHOULD TRY YOUR
BEST TO POSSESS. THE FIRST IS A GOOD
BASIC UNDERSTANDING OF THE APPLE
COMPUTER AND ITS ARCHITECTURE. READ
YOUR DOS MANUAL AND THE APPLE II
REFERENCE MANUAL FOR INFORMATIVE
DISCUSSIONS OF YOUR COMPUTER. EVEN
BETTER, PICK UP A COPY OF DON WORTH'S
"BENEATH APPLE DOS" AND STUDY IT
CAREFULLY. AFTER YOU HAVE DONE THESE
BASIC THINGS, YOU CAN PROBABLY IMPRESS
EVERYONE BUT STEVE "THE WOZ", AND TURN
THE SALESMEN AT COMPUTER LAND TO SHAME.
I CANNOT STRESS ENOUGH THE IMPORTANCE OF
READING THESE WELL WRITTEN MANUALS, AND
DOING THE BEST TO UNDERSTAND THEIR
IMPLICATIONS. AFTER YOU HAVE ACHIEVED
THE KNOWLEDGE GRANTED BY THESE BOOKS,
YOU ARE WELL BEYOND 99% OF THE APPLE
USERS THAT CLAIM THEY KNOW ANYTHING
ABOUT ANYTHING.
FOR THE ULTIMATE UNDERSTANDING OF THE
APPLE, AND TO MAKE YOUR JOB AS A
"KRAKIST" EASIEST, THE NEXT STEP IS TO
LEARN THE FORBIDDEN LANGUAGE, 6502
ASSEMBLY LANGUAGE. ALTHOUGH THIS IS NOT
NECESSARY FOR A GREAT NUMBER OF KRAKING
CHORES, ANY PROGRAM THAT IS THE LEAST
BIT TRICKY WILL REQUIRE YOU TO
UNDERSTAND ASSEMBLER. THE REASON IS
SIMPLE: MOST EVERYTHING SOLD TODAY IS
WRITTEN IN ASSEMBLER. LOOK AT SOFTALK'S
TOP TEN LIST AND I BET YOU 95% OF THE
PROGRAMS ARE WRITTEN IN ASSEMBLY
LANGUAGE. THE OBVIOUS REASON FOR THIS
IS BECAUSE ASSEMBLER IS FAST, AND THIS
IS VERY IMPORTANT FOR GRAPHIC GAMES.
ALSO, BECAUSE PROTECTING A DISK ON THE
APPLE IS DONE AT THE OPERATING SYSTEM
LEVEL, THE PROTECTION REALLY HAS TO BE
WRITTEN IN ASSEMBLER.
FOR LEARNING ASSEMBLER, I WOULD SUGGEST
EITHER ROGER WAGNER'S "ASSEMBLY LINES",
OR RANDY HYDE'S "USING 6502 ASSEMBLY
LANGUAGE". BOTH OF THESE BOOKS ARE
EXCELLENT AND ARE EASY TO UNDERSTAND
FOR THE BEGINNING PROGRAMMER.
BEYOND THIS, THE NEXT BEST THING TO DO
IS TO USE YOUR NEW-FOUND KNOWLEDGE.
WRITE SOME ASSEMBLY LANGUAGE PROGRAMS
TO GET FAMILIAR WITH THE LANGUAGE.
INSTEAD OF WRITING THAT "HELLO" PROGRAM
IN BASIC, DO IT IN ASSEMBLER. GET USED
TO IT, AND KEEP GOOD NOTES OF WHAT YOU
LEARN!
NOW YOU'RE READY FOR THE BIG TIME....
KRAKING PROGRAMS. I ASSUME YOU HAVE A
GOOD UNDERSTANDING OF THE MONITOR
COMMANDS (LIST, MOVE, VERIFY, EXECUTE)
FROM READING THE APPLE II REFERENCE
MANUAL. OF MOST IMPORTANCE IS THE "L"
COMMAND TO DISASSEMBLE AND LIST CODE
PRESENTLY IN MEMORY. GET USED TO LOOKING
AT THESE DISASSEMBLIES SINCE YOU WILL
NEVER HAVE "SOURCE" CODE FROM PROTECTED
PROGRAMS TO EXAMINE. THEREFORE BE
FLUENT IN APPLE DISASSEMBLY. THE BEST
WAY TO ACHIEVE THIS IS PRACTICE, AND
NOTHING ELSE WILL SUBSTITUTE.
ALSO, BE AWARE OF THE EXISTING
DOCUMENTATION ON KRAKING. NOW JUST
ABOUT ANYONE CAN READ "COOKBOOKS" ON
HOW TO DEPROTECT A PARTICULAR PROGRAM
THAT THEY DOWNLOADED FROM PIRATE'S
HARBOR. SO YOU WANT TO TAKE A STEP
FARTHER. DON'T DISCARD OR CASUALLY
GLANCE THROUGH THESE "COOKBOOKS", BUT
GO THROUGH THEM AND UNDERSTAND THE
PROTECTION AND SEE HOW THE AUTHOR
CHOSE TO KRAK THE PARTICULAR PROGRAM.
THIS WILL PROVE INVALUABLE BY OPENING
YOUR MIND TO PREVIOUSLY USED TECHNIQUES
THAT YOU CAN LEARN FROM. TRY AND
UNDERSTAND EVERY STEP THE EXPERIENCED
KRAKIST TOOK TO DEPROTECT THE PROGRAM,
AND MAKE CAREFUL NOTES (BOTH MENTAL AND
ON PAPER) TO GUIDE YOU IN YOUR OWN
EFFORTS.
MSG LEFT BY: RED REBEL
THE FOLLOWING TOOLS SHOULD BE IN YOUR
ARSENAL FOR CRACKING:
'BENEATH APPLE DOS' - QUALITY SOFTWARE
'BAG OF TRICKS' - QUALITY SOFTWARE
'APPLE MONITORS PEELED' - APPLE COMPUTER
'WHAT'S WHERE IN THE APPLE' - MICRO INK
INTEGER CARD - APPLE COMPUTER
MASTERDISK - MASTERWORKS SOFTWARE
MASTER DOS - MASTERWORKS SOFTWARE
D-A-R-K - MICROSEEDS
NIBBLES AWAY - COMPUTER APPLICATIONS
LOCKSMITH 5.0 - OMEGA
INSPECTOR - OMEGA
WATSON - OMEGA
BEAGLE BROTHERS SOFTWARE - FROM SAME
ANY OF THE VARIOUS NON-MASKABLE
INTERRUPT (NMI) CARDS SUCH AS:
CRACK-SHOT, REPLAY II, WILDCARD
GOOD BOOKS ON MACHINE LANGUAGE BY:
ROGER WAGNER & RANDY HYDE
CRACKING TECHNIQUES '83 - PIRATES HARBOR
CRACKING - DISK JOCKEY - PIRATES HARBOR
CRACKING - APPLE BANDIT & THE BURGLAR -
PIRATES HARBOR
KEEP ON CRACKING!!!
>>> RED REBEL <<<
MSG LEFT BY: RESET VECTOR
DATE POSTED: SAT DEC 3 1:16:14 PM
HERE IS A FOOLPROOF AND EASY WAY TO CRACK ALL (WELL, ONE EXCEPTION) DISKS
PROTECTED WITH THE INFAMOUS LOCK IT UP. CREDIT FOR THE LATTER STAGES OF
THIS CRACKING METHOD MUST BE SHARED WITH SOFT SECTOR. ONCE YOU HAVE HEARD
A DISK PROTECTED WITH LOCK IT UP (VIDEX PREBOOTS, STELLAR 7, REGATTA,
BASIC GUITAR, SONGWRITER, THE VISIBLE COMPUTER AND A MULTITUDE OF OTHERS)
BOOT, YOU WILL BE ABLE TO RECOGNIZE THE PROTECTION - IT WILL SIT ON TRACK
0 FOR A SECOND AND THEN THE DRIVE WILL GRIND AND THEN IT WILL COMPLETE
THE BOOT. THE RHYTHM OF THE INITIAL BOOT AFTER THE GRIND IS VERY
DISTINCTIVE.

THE FIRST STEP OF THE CRACK IS TO GET THE FILES OFF THE DISK. THIS CAN BE
DONE WITH FID AS I DESCRIBED ON BOARD 2 (BLOAD FID, CALL -151, B942:18,
BAAA:00, 803G AND FID THE FILES OFF). THIS METHOD HAS THE DISADVANTAGE
THAT WHENEVER YOU TURN OFF THE CHECKSUM (B942:18) YOU ARE LIKELY TO GET
DATA ERRORS. DEMUFFIN IS A MORE RELIABLE METHOD, BUT YOU CANNOT SIMPLY
HIDE IT AT $6000 AS WE USUALLY DO, BECAUSE LOCK IT UP OVERWRITES ALL OF
MEMORY. NOW, YOU ARE GOING TO NEED A (SLIGHTLY ALTERED) COPY OF THE LOCK
IT UP RWTS TO COMPLETE THE CRACK OF MANY OF THESE DISKS, SO LET'S SAVE IT
OUT NOW TO ALSO HELP US WITH DEMUFFIN. YOU NEED A WAY TO RESET INTO THE
MONITOR, OF COURSE.
BOOT LOCK IT UP DISK
HIT RESET
4000<B700.BFFFM
BOOT SLAVE DISK
BSAVE LOCK IT UP RWTS,A$4000,L$900
NOW, FOR THE ALTERED RWTS YOU MAY NEED LATER, DO THIS:
BOOT LOCK IT UP DISK
HIT RESET
B942:18
BAAA:AA
4000<B700.BFFFM
BOOT SLAVE DISK
BSAVE ALTERED LOCK IT UP RWTS,A$4000,L$900
TO USE DEMUFFIN TO GET THE FILES OFF, JUST DO THIS:
BLOAD DEMUFFIN
BLOAD LOCK IT UP RWTS (NOT THE ALTERED VERSION!)
CALL -151
B700<4000.4900M
803G TO START DEMUFFIN
MANY PROGRAMS WILL WORK WITHOUT ANY MODIFICATION, BUT MOST HAVE SOME
CHECKS FOR THE LOCK IT UP DOS, AND THESE CAN BE VERY DIFFICULT TO REMOVE.
ALL YOU NEED TO DO TO MAKE THESE PROGRAMS RUN IS TO USE THE ALTERED LOCK
IT UP RWTS YOU SAVED ABOVE (THIS HAS BEEN ALTERED TO READ AND WRITE TO A
NORMAL DOS DISK). IF THE FILES YOU JUST DEMUFFINED WON'T RUN, JUST WRITE
A SMALL EXEC FILE TO START UP THE PROGRAM:
BLOAD ALTERED LOCK IT UP RWTS
CALL -151
B700<4000.48FFM
RUN HELLO (OR WHATEVER THE HELLO PROGRAM IS)
THE ONLY EXCEPTION IS REGATTA, WHICH CALLS SOME INFORMATION BY TRACK AND
SECTOR, SO USE ADVANCED DEMUFFIN INSTEAD OF DEMUFFIN.
COURTESY OF ->RESET VECTOR!
***************************************
MSG LEFT BY: RESET VECTOR
DATE POSTED: WED DEC 7 8:19:00 PM
MESSAGE #3: LOCK IT UP ADDENDUM
ONE MORE ADDITION, YOU ALSO HAVE TO DO BA29:96 TO THE LOCK IT UP
DOS BEFORE YOU MOVE IT AND SAVE IT AS THE ALTERED DOS.
COURTESY OF ->RESET VECTOR!
MSG LEFT BY: RESET VECTOR
DATE POSTED: WED DEC 7 8:27:57 PM
IN THESE DAYS OF POWERFUL CRACKING TOOLS LIKE NMI BOARDS AND ADVANCED
DEMUFFIN, IT IS FAIRLY EASY FOR A NOVICE AT THE TRADE TO CRACK A LARGE
NUMBER OF PROGRAMS. I THINK THAT MOST NOVICES, HOWEVER, THINK THAT THE
SECTMOD IS SOMETHING RESERVED FOR THOSE CRACKING GENIUSES WHO SPEAK
MACHINE LANGUAGE AS WELL AS THEY SPEAK ENGLISH. WELL, TO A CERTAIN EXTENT
THIS IS TRUE, BUT THERE IS NO REASON FOR THE CRACKER WITH LITTLE KNOWLEDGE
OF MACHINE OR ASSEMBLER TO GIVE UP WITHOUT TRYING. THERE ARE CERTAIN
TRICKS YOU CAN USE TO DO SUCCESSFUL SECTMODS EVEN IF YOU KNOW HARDLY ANY
MACHINE LANGUAGE AT ALL! NOW FOR THE ASTOUNDING TRUE CONFESSION - IF YOU
HAVE BEEN READING BOARD #2 YOU WILL HAVE SEEN QUITE A LARGE NUMBER OF
SECTMODS POSTED BY ME, AND YOU PROBABLY THINK I KNOW A LOT ABOUT
PROGRAMMING. THE TRUTH IS THAT I KNOW ALMOST NO MACHINE LANGUAGE AT ALL!
DOING A SUCCESSFUL SECTMOD IS ON A PAR WITH A RELIGIOUS EXPERIENCE (AT
LEAST IF YOU HAVEN'T DONE A LOT OF THEM) SO LET'S GET CRACKING...

THERE ARE A FEW TOOLS YOU WILL NEED IN ORDER TO EMBARK UPON THIS STUDY.
FIRST OF ALL, YOU WILL NEED SOME METHOD OF SEARCHING A DISK FOR A STRING
OF HEX. THE BEST PROGRAM FOR THIS PURPOSE IS THE TRACER FROM THE C.I.A.
FILES, BECAUSE IT ALLOWS YOU TO DO WILDCARD SEARCHES. I ALSO USE DISK
EDIT BECAUSE IT IS VERY FAST. THE SECOND TOOL YOU NEED IS AN NMI BOARD.
ANY BOARD THAT GIVES YOU THE ADDRESS OF THE PROGRAM COUNTER AND THE
ADDRESSES ON THE STACK WILL DO JUST FINE (AND I THINK THEY JUST ABOUT ALL
DO THIS). REPLAY ][ IS BY FAR MY FAVORITE BOARD, BUT WHATEVER YOU HAVE IS
OK. FINALLY YOU NEED A SECTOR EDITOR THAT WILL ALLOW YOU TO DISASSEMBLE A
SECTOR; I FIND ZAP FROM BAG OF TRICKS THE EASIEST TO USE, BUT A LOT OF
THEM ARE JUST FINE.
NOW, THE FIRST TYPE OF DISK YOU WILL WANT TO SECTMOD IS THE ONE THAT IS
NORMALLY FORMATTED (CAN BE COPIED WITH COPYA) BUT WILL NOT BOOT WHEN
COPIED. THE EINSTEIN COMPILER (VERSION 5.2) IS A GOOD EXAMPLE OF THIS.
THE FIRST THING TO DO IS TO COPY THE DISK AND THEN SEARCH THE DISK FOR
THE HEX STRING BD 8C C0. THIS IS COMMONLY USED CODE TO SET UP THE DISK
DRIVE AND CHECK FOR A CERTAIN SIGNATURE (USUALLY A SEQUENCE OF BYTES) ON
THE DISK. WRITE DOWN EACH SECTOR WHERE YOU FIND THIS SEQUENCE. NOW
EINSTEIN WAS NICE BECAUSE THIS SEQUENCE IS FOUND ONLY ONCE ON THE WHOLE
DISK. IF YOU THEN USE YOUR SECTOR EDITOR TO DISASSEMBLE THE AREA WHERE
YOU FOUND THIS BD 8C C0, YOU WILL FIND THAT THAT CODE IS FOLLOWED BY A
BUNCH OF CMP AND BNE OR BEQ OR BPL (THE LATTER BEING CODES DIRECTING YOUR
APPLE WHERE TO BRANCH IF IT FINDS OR DOESN'T FIND WHAT IT IS LOOKING FOR
IN THE CMP - COMPARE - STATEMENT). YOU WILL FIND THIS ALL REPEATED
SEVERAL TIMES. GENERALLY, AT THE END OF ALL THIS YOU WILL FIND AN RTS
("60"), AND THE FIRST WAY TO TRY TO CRACK A PROGRAM LIKE THIS IS TO JUST
MOVE THE RTS TO THE VERY START OF THAT CODE AND THEN SEE IF THE PROGRAM
WILL RUN. HOWEVER, WITH EINSTEIN IF YOU LOOK THROUGH ALL THE CODE IN THAT
AREA, YOU WILL SEE THAT AT THE END IS A JMP INSTRUCTION; WHAT HAPPENS IS
THAT IF THE PROGRAM FINDS EVERYTHING IT IS LOOKING FOR, IT FALLS THROUGH
TO THIS JMP INSTRUCTION. NOW, WE KNOW IT IS NOT GOING TO FIND WHAT IT IS
LOOKING FOR, BUT WE WANT IT TO EXECUTE THE JMP TO START THE PROGRAM, SO
ALL YOU DO IS MOVE THAT JMP INSTRUCTION TO THE START OF THAT AREA OF CODE
AND VOILA! - COPYA EINSTEIN COMPILER!
SEE THE NEXT MESSAGE...
MSG LEFT BY: RESET VECTOR
DATE POSTED: WED DEC 7 8:37:22 PM
NOW, ANOTHER EXAMPLE OF A NORMALLY FORMATTED DISK THAT WON'T BOOT WHEN IT
IS COPIED IS LEARNING WITH LEEPER FROM ONLINE. IF YOU COPY IT AND THEN
BOOT THE COPY, YOU WILL SEE THAT IT CHECKS TRACK 0 AND THEN DIES WHEN IT
DOESN'T FIND WHAT IT IS LOOKING FOR. A SEARCH OF BD 8C C0 IS FRUITLESS
(NOWHERE ON THE DISK), SO WE HAVE TO TRY ANOTHER METHOD. BOOT THE COPY,
AND JUST AS THE DRIVE HEADS TOWARD TRACK 0 TO CHECK THE PROTECTION, HIT
YOUR NMI SWITCH, THEN WRITE DOWN THE PROGRAM COUNTER AND THE ADDRESSES ON
THE STACK. IF YOU DO THIS SEVERAL TIMES, YOU WILL FIND A BUNCH OF
ADDRESSES IN THE $1200 RANGE. NOW, PROTECTION ROUTINES LIKE THIS ARE
GENERALLY SUBROUTINES (ACCESSED VIA A JSR), SO IF WE LOOK FOR JSR'S
("20") IN THE $1200 RANGE, MAYBE WE CAN DO SOMETHING ABOUT IT. HERE IS
WHERE CIA IS ESSENTIAL, BECAUSE WE CAN DO A SEARCH FOR 20==12. YOU WILL
FIND THIS CODE IN JUST 3 LOCATIONS ON THE DISK, AND IF YOU JUST TRY
REPLACING THEM ONE BY ONE WITH EA EA EA (NOP'S), YOU WILL FIND THAT
REPLACING ONE OF THEM LEADS TO A WORKING DISK.
THERE IS ONE FINAL VARIATION ON THIS THEME. SOMETIMES YOU CANNOT FIND A
BD 8C C0, AND SOMETIMES YOU CANNOT FIND A JSR IN THE MEMORY RANGE YOU ARE
LOOKING FOR. TYPICAL OF THIS IS STELLAR DEFENSE (PLEASE ALL NOTE MY
CORRECTED SECTMOD WHEN I HAVE A CHANCE TO POST IT - MY ORIGINALLY POSTED
ONE DOES NOT WORK QUITE RIGHT). THIS DISK CAN BE COPIED WITH COPYA BUT
WILL DIE WHEN IT CHECKS TRACK 0. YOU CANNOT FIND EITHER A BD 8C C0 (AT
LEAST NOT ONE THAT CHANGING WILL HELP!) OR A JSR INTO THE RANGE OF THE
CHECKING CODE. WELL, LET'S JUST FIND THE CODE ITSELF! HIT YOUR NMI SWITCH
WHEN THE DRIVE GOES TO TRACK 0 TO CHECK (THIS MAY TAKE A FEW ATTEMPTS TO
GET AN ADDRESS OTHER THAN IN DOS). EVENTUALLY YOU WILL FIND AN ADDRESS IN
THE PC OR ON THE STACK OF $3E58. IF WE THEN USE THE MONITOR (THE REPLAY
][ MONITOR IS REALLY HELPFUL HERE) TO LIST THIS ADDRESS, WE WILL FIND A
SEQUENCE OF BYTES; WRITE DOWN 7 OR 8 BYTES, AND THEN SEARCH THE DISK FOR
THIS STRING. YOU WILL FIND THIS STRING ON TRACK 5 SECTOR 6, AND YOU WILL
SEE SOME CODE WITH CMP'S AND BRANCHES THAT ENDS IN AN RTS. THE FIRST
THING TO TRY IS TO MOVE THE RTS TO THE BEGINNING OF THIS CODE; AND LO AND
BEHOLD THE DISK BOOTS UP AND RUNS. THE ONLY PROBLEM IS THAT WHEN YOU PLAY
THE GAME ALL THE ENEMY SHIPS ARE INVISIBLE! WELL, IF YOU LOOK AGAIN AT
THIS CODE, YOU WILL SEE THAT A LOT OF THE BRANCHES ARE TO A JMP
INSTRUCTION RIGHT AFTER THE RTS. SO TRY AND MOVE THE JMP INSTRUCTION TO
THE START - WELL, IT ACTS JUST AS IF YOU HAD MOVED THE RTS TO THE START!
SO WHAT YOU HAVE TO DO IS PEEK AT THE CODE THAT IS BEING JMPED TO, BY
BOOTING THE DISK, HITTING THE NMI SWITCH AND THEN LISTING THE CODE AT THE
ADDRESS WHICH IS JMPED TO ($3A68). WRITE DOWN THE STRING AND SEARCH THE
DISK - IT WILL BE FOUND ON TRACK 5 SECTOR A. DISASSEMBLY REVEALS ANOTHER
LITTLE CHECKING ROUTINE WITH AN RTS AT THE END. MOVE THIS RTS TO THE
BEGINNING AND VOILA! CRACKED STELLAR DEFENSE!
WELL, NOW THAT ALL THE ADVANCED CRACKERS ARE BORED AND THE NEOPHYTES HAVE
INDIGESTION, I WILL BRING THIS TO A CLOSE. I ONLY MEANT TO GET ACROSS
SOME GENERAL PRINCIPLES; YOU MAY NOT KNOW ANY MACHINE LANGUAGE, BUT WITH
A LITTLE HELP YOU CAN FIND THE AREA OF CODE THAT IS DOING THE CHECKING
AND THEN JUST PLAY AROUND WITH IT UNTIL SOMETHING (GOOD, I HOPE) HAPPENS.
IT WON'T MAKE YOU A KRACOWICZ OR APPLE BANDIT OR KRAC-MAN OR FREEZE OR
DISK JOCKEY OR RED REBEL, BUT IT MIGHT MAKE YOU A BETTER CRACKER.
COURTESY OF ->RESET VECTOR!
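The "search the disk for a hex string" step that the posts above lean on (a plain search for BD 8C C0, or a wildcard search written as 20==12), as an added example that is not part of the original file: a Python scanner over a DOS 3.3 ordered .dsk image that reports every hit as track, sector and byte offset. The image it scans is constructed test data, and the DOS-order layout (35 tracks of 16 logical sectors, 256 bytes each, stored in sector order) is assumed.

```python
from __future__ import annotations

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE          # 143360 bytes for a .dsk

def parse_pattern(text: str) -> list[int | None]:
    """'20==12' -> [0x20, None, 0x12]; '==' (or '??') matches any one byte."""
    text = text.replace(" ", "")
    if not text or len(text) % 2:
        raise ValueError("pattern must be whole hex bytes")
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return [None if p in ("==", "??") else int(p, 16) for p in pairs]

def sector_offset(track: int, sector: int) -> int:
    """Byte offset of a sector in a DOS-order (.dsk) image. Assumed layout:
    35 tracks of 16 logical sectors, stored in DOS sector order."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS):
        raise ValueError("track/sector out of range")
    return (track * SECTORS + sector) * SECTOR_SIZE

def find_pattern(image: bytes, pattern: list[int | None]) -> list[tuple[int, int, int]]:
    """Every (track, sector, offset) at which the pattern's first byte sits.
    A match may straddle a sector boundary; it is still reported once."""
    if not pattern:
        return []
    hits, n, pos = [], len(pattern), 0
    while pos + n <= len(image):
        if pattern[0] is not None:          # jump to the next candidate anchor byte
            pos = image.find(pattern[0], pos)
            if pos < 0 or pos + n > len(image):
                break
        if all(p is None or image[pos + k] == p for k, p in enumerate(pattern)):
            index, offset = divmod(pos, SECTOR_SIZE)
            track, sector = divmod(index, SECTORS)
            hits.append((track, sector, offset))
        pos += 1
    return hits

def format_hit(hit: tuple[int, int, int]) -> str:
    """Render a hit the way the posts cite locations, e.g. 'T05 S06 +10'."""
    track, sector, offset = hit
    return f"T{track:02X} S{sector:02X} +{offset:02X}"

def constructed_image() -> bytearray:
    """A blank 35-track image with a few code fragments planted at known
    places. This is constructed test data, not a real disk."""
    img = bytearray(IMAGE_SIZE)

    def plant(track: int, sector: int, offset: int, hexstr: str) -> None:
        data = bytes.fromhex(hexstr)
        base = sector_offset(track, sector) + offset
        img[base:base + len(data)] = data

    # LDA $C08C,X / BPL / CMP #$D5 / BNE / RTS: the shape of the drive check
    # the posts describe, with its tell-tale BD 8C C0 at the front.
    plant(5, 0x6, 0x10, "BD 8C C0 10 FB C9 D5 D0 F7 60")
    plant(0, 0x3, 0x40, "20 34 12")   # JSR $1234: matches 20==12
    plant(2, 0xA, 0x00, "20 00 12")   # JSR $1200: matches 20==12
    plant(4, 0x1, 0x80, "20 00 13")   # JSR $1300: must NOT match 20==12
    return img

def scan(image: bytes, text: str) -> list[str]:
    """Search an image for a pattern given in the posts' notation."""
    return [format_hit(h) for h in find_pattern(image, parse_pattern(text))]
```

On a real .dsk the same scan turns up every sector that contains the sequence, which is exactly the list the posts tell you to write down before disassembling each one.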
MSG LEFT BY: COUNT NIBBLER
DATE POSTED: WED JAN 11 1:58:17 AM
WELL AS YOU KNOW ONCE YOU MOVE THE
FILES FROM A LOCK-IT-UP DISK TO A
NORMAL DOS 3.3 DISK (VIA RESET VECTOR'S
ROUTINES), SOMETIMES THEY WILL NOT WORK
OR WILL RE-INITIALIZE OVER THEMSELVES.
THAT'S BECAUSE IN MOST OF THE APPLESOFT
PROGRAMS, IT DOES SOME CHECKING! WHAT
YOU HAVE TO DO IS LOAD IN AN APPLESOFT
FILE THAT WAS TRANSFERRED FROM A
LOCK-IT-UP PROTECTED DISK.. AND LIST IT!
LOOK FOR A CALL 47721. (THAT CALLS BACK
TO PROTECTED DOS, AND IF IT AIN'T THERE
YOU GET AN ERROR.) REPLACE IT WITH A
CALL 47741 (SWITCH TO DOS 3.3). ANOTHER
NEAT TRICK IS: CALL PEEK(40222)+PEEK
(40223)*256+1. <-- THIS RE-INITIALIZES
A DISK IF IT DETECTS DOS 3.3....
REPLACE IT WITH A FOR-NEXT LOOP SO YOU
DON'T HAVE TO BOTHER WITH RE-ARRANGING
LINE NUMBERS. WATCH FOR FP STATEMENTS
IN REM LINES. LOOK FOR PEEK(512) AND
DELETE IT... THIS IS A READ KEYBOARD
ROUTINE AND WILL CRASH THE PROGRAM.
AND IT'S HELPFUL TO TAKE OUT ONERRS!
-->ENJOY<--
-=+*])!
COUNT NIBBLER !([*+=-
MSG LEFT BY: CHANDIN WILSON
DATE POSTED: SAT FEB 18 3:21:31 AM
HERE IS MY ENTRY TO THE **CRAC CONTEST**
DISABLE DOS CHECKSUMS:
CALL-151
B925:18 60
B988:18 60
B942:18 60
BLOAD FID
B954:4A 49 6A D0 EF
B934:C9 DA
B990:C9 DA
803G
COPY OFF FILES FROM MINIT MAN DISK TO
BLANK DISK. DEPENDING ON YOUR COPY,
YOU MAY HAVE TO MODIFY A PROGRAM CALLED
"PLAYGAME PROG". THIS PROGRAM JUST
LOADS MINIT MAN INTO MEMORY.
HAVE FUN!!
===============>THE<================
==============>CROW<================
MSG LEFT BY: WILLIAM KEYES
DATE POSTED: SUN FEB 19 1:24:25 PM
CUBIT:
BOOT DOS 3.3
PUT IN CUBIT DISK
CALL-151
B942:18 60
BAAA:00
BLOAD CUBIT
9465:4C 75 94
PUT IN DOS 3.3 DISK
BSAVE CUBIT,A$19FD,L$7FF0
NOW CUBIT IS CRACKED!
NOTE: SOMETIMES IT IS NECESSARY TO DO
A "MAXFILES1" BEFORE RUNNING OR YOU
WILL GET AN I/O ERROR.
TO CHEAT: CHANGE $4097 TO THE NUMBER OF
CUBITS YOU WANT.
------------=> DOCTOR WHO <=-----------
MSG LEFT BY: THE JESTERS
DATE POSTED: SAT FEB 25 2:24:28 PM
THIS IS AN OLD TECHNIQUE, BUT FOR THOSE
JUST ENTERING THE BUSINESS, IT IS AN
ESSENTIAL ONE.
THE OBJECT OF THE LANGUAGE CARD CRACK
IS TO LET THE PROGRAM BOOT, THEN HIT
RESET AND HAVE THE RESET ROUTINE SAVE
THE MEMORY YOU WANT, AND LEAVE YOU IN
THE MONITOR $FF59 TO DO WHAT YOU WANT.
SOME OF THE POORLY PROTECTED PROGRAMS
JUST HAVE A MODIFIED DOS AND YOU CAN
JUST RESET OUT OF THEM WITHOUT EVEN
MAKING A RESET ROUTINE... BUT THESE
ARE DISAPPEARING. SOMETIMES, THE
PROGRAM NOTICES THAT THERE IS A CHANGED
RESET VECTOR AND REBOOTS.
ANYWAY, HERE IS THE TRICK:
WRITE ENABLE THE LANGUAGE CARD: $C081 $C081
COPY ALL ROM INTO CARD: D000<D000.FFFFM
CHANGE RESET ROUTINE TO JUMP TO MONITOR: FA62:4C 59 FF
WRITE PROTECT, READ ENABLE CARD: $C080
BOOT DISK
HIT RESET: YOU SHOULD GO TO MONITOR
FROM THE MONITOR, YOU CAN BOOT A DOS
DISK AND SAVE THE VARIOUS PARTS OF
MEMORY... THE ONLY THING THAT WAS
LOST WAS ZERO PAGE: FOR THIS
YOU MUST WRITE A ROUTINE IN THE RESET
ROUTINE TO SAVE LOW MEMORY BEFORE GOING
TO THE MONITOR $FF59
IF THE PROGRAM SEES THE LANGUAGE CARD
AND REBOOTS, OR TURNS IT OFF, THE
NEXT TRICK COMES IN HANDY... MOVE
THE LANGUAGE CARD TO A DIFFERENT SLOT
LIKE SLOT ONE OR SLOT TWO (TURN
YOUR COMPUTER OFF FIRST)
THE ENABLE AND PROTECT LOCATIONS WILL
CHANGE ACCORDINGLY: C081 -> C0A1 AND
C080 -> C0A0 FOR SLOT 2.
FOLLOW THE STEPS ABOVE AND QUITE OFTEN
THE PROGRAM WILL NOT THINK TO CHECK
ALL OF THE SLOTS.
-MORE- NEXT MESSAGE
THE JESTERS
MSG LEFT BY: DOCTOR WHO
DATE POSTED: FRI MAR 3 2:52:40 PM
TO CRACK CRISIS MOUNTAIN:
BOOT DOS 3.3
CALL-151
B925:18 60
B988:18 60
BE48:18
B942:18
BAAA:00
RUN COPYA
COPY CRISIS MOUNTAIN
WITH A SECTOR EDITOR MAKE THE FOLLOWING
CHANGES ON TRACK 0 SECTOR 5
24:D5 (WAS EB)
2D:AA (WAS D5)
36:96 (WAS AA)
NOW ITS CRACKED
ANOTHER CRACK FROM-
------------=> DOCTOR WHO <=-----------
MSG LEFT BY: DOCTOR WHO
DATE POSTED: SAT MAR 4 12:28:38 PM
TO CRACK DUNGEON & THESEUS AND THE
MINOTAUR BY TSR, I HAVE A METHOD THAT
REQUIRES NO WEIRD HARDWARE OR EXTRA
CARDS. THIS PROGRAM IS WRITTEN IN BASIC
AND USES FILE NAMES TO LOAD FILES, BUT
IT DOESN'T HAVE A CATALOG SO YOU HAVE TO
CRACK IT ANOTHER WAY BESIDES DEMUFFIN.
HERE IS WHAT TO DO:
BOOT DUNGEON
WHEN IT SAYS "PLEASE WAIT" THEN PRESS
RESET TWICE.
CALL-151
A44D:4C 69 FF
36:BD 9E 81 9E
MAXFILES1
CLOSE
LOAD HELLO
D6:0
NOW YOU CAN GO TO BASIC AND LIST THE
PROGRAM. BUT THERE'S MORE PROGRAMS TO
THE GAME! SO WHAT YOU HAVE TO DO IS FIND
THE ENDING APPLESOFT ADDRESS AT $AF.B0
(LISTED IN REVERSE ORDER) AND USE THE
MONITOR MOVE COMMAND TO MOVE IT INTO A
SAFE AREA. I CAN'T REMEMBER THE ACTUAL
ADDRESS FOR THE PROGRAMS, BUT I WILL
GIVE YOU THE CORRECT FORMAT FOR DOING
THIS:
6000<800.[WHATEVER IS IN $AF.B0, IN
REVERSE ORDER]M [RETURN]
THEN YOU BOOT DOS 3.3 AND MOVE IT BACK
TO THE CORRECT PLACE IN MEMORY:
800<6000.[6000+WHATEVER WAS IN $AF.B0]M
NOW FIX THE $AF.B0 TO WHAT THEY WERE
BEFORE AND SAVE THE PROGRAM!
IN AWHILE, YOU WILL HAVE IT CRACKED!
BY THE WAY:
D6:0 - CANCELS THE THING THAT MAKES THE
PROGRAM IN MEMORY RUN EVERY TIME YOU
TYPE A COMMAND IN APPLESOFT.
A44D:4C 69 FF - MAKES IT SO WHEN YOU
LOAD AN APPLESOFT PROGRAM IT PUTS YOU IN
THE MONITOR.
36:BD 9E 81 9E - RECONNECTS DOS
------------=> DOCTOR WHO <=-----------
MSG LEFT BY: DOCTOR WHO
DATE POSTED: WED MAR 7 4:31:56 PM
FIRST, BLOAD MUFFIN, THEN CALL-151
AVANT-GARDE:(EXEPT JUMP JET)
1A63:18 N 803G
HAYDEN:
1A77:EA EA N 1FF6:EA EA N 803G
MUSE:(ABM, SUPERTEXT, SOME OTHERS)
1AA9:18 66 2D 60
------------=> DOCTOR WHO <=-----------
MSG LEFT BY: DOCTOR WHO
DATE POSTED: WED MAR 7 4:39:18 PM
THERE ARE CURRENTLY 3 CRACKS FOR ZAXXON,
THE LAST ONE WORKED FOR ME.
LOAD COPYA
71 POKE770,24:POKE863,24:POKE47426,24
RUN
THEN WITH A SECTOR EDITOR, MAKE ONE OF
THE FOLLOWING SET OF CHANGES:
---------------------------------------
T0 S4 4F:DE
T0 S7 B0:4C C0 08
T0 S1 35:10
2B:10
4D:10
---------------------------------------
T0 S8 47:EA EA EA
8D:15
90:C4
92:C2
94:AA BF AA AE
T0 S4 00:18
---------------------------------------
T0 S4 00:18
4F:DE
T0 S8 47:EA EA
---------------------------------------
------------=> DOCTOR WHO <=-----------
PS I DIDN'T THINK UP THE FIRST TWO,
CREDIT GOES TO -> GUMBY DAMMIT <-
THE 3RD GOES TO FALLEN ANGEL & MYSELF.
I DON'T REMEMBER WHERE I GOT THE FIRST
ONE.
------------=> DOCTOR WHO <=-----------
MSG LEFT BY: THE PROWLER
DATE POSTED: WED MAR 7 7:01:50 PM
HERE'S A COUPLE OF ONE-BYTE CRACKS FOR YOU
OILS WELL
---------
COPY ORIGINAL WITH COPYA
WITH A SECTOR EDITOR, CHANGE TRACK 10,
SECTOR A,BYTE 06 FROM 6C TO 60
GALACTIC ATTACK (NEW VERS.)
---------------------------
COPY DISK WITH DISK MUNCHER AND IGNORE
READ ERRORS ON TRACK 22 (YOU MAY NOT)
WITH A SECTOR EDITOR, CHANGE TRACK 19,
SECTOR 0B, BYTE 9D FROM 38 TO 18.
THIS PROBABLY WON'T WORK ON THE OLD
VERSION, BUT IF THERE'S ANYONE WHO
WOULD LIKE THE OLD VERSION DONE, JUST
LEAVE ME E-MAIL.
COMING SOON...ODESTA CHESS 7.0 CRACKED!
UNTIL LATER
-?- THE PROWLER -?-
MSG LEFT BY: DOCTOR WHO
DATE POSTED: SAT MAR 17 7:27:23 PM
TO KRAK HOMEWORD---
COPYA THE DISK
SECTOR EDIT T$10 S$A BYTE 9:60 EA
-----------=> DOCTOR WHO <=------------
MSG LEFT BY: THE WISE CRACKER
DATE POSTED: WED MAR 28 5:29:27 PM
HERE'S HOW TO MAKE A SUPER ROMSWITCH!
OBTAIN AN OLD MONITOR ROM AND MAKE
SURE YOU HAVE AN APPLE LANGUAGE CARD.
REMOVE THE LANGUAGE CARD AND LOCATE
CHIP#5, TTL 74LS20. LOCATED AT THE
TOP OF THE FIRST ROW NEXT TO THE ROM.
BEND OUT PIN SIX (DON'T BREAK IT OFF!)
OBTAIN AN SPST SWITCH. SOLDER ONE LEAD
FROM A POLE TO THE PIN BENT OUT. SOLDER
THE OTHER TO THE BOTTOM OF THE CARD
WHERE THE HOLE 6 IS. NOW REMOVE THE
AUTOSTART ROM FROM THE LANGUAGE CARD
AND REPLACE IT WITH THE MONITOR ROM.
NOW YOU CAN SWITCH BETWEEN THE AUTO-
START ROM ON THE MOTHERBOARD AND THE
MONITOR ROM ON THE CARD BY FLIPPING
A SWITCH! OR BURN YOUR OWN 2716, MAKE
A JUMPER SOCKET, AND PUT IT ON THE
LC FOR A SUPER CRACKING ROM!
THIS PUBLIC SERVICE MESSAGE HAS BEEN
BROUGHT TO YOU BY THE WISE CRACKER!
MSG LEFT BY: DOCTOR WHO
DATE POSTED: SUN APR 1 1:50:53 PM
TO CRACK INFOCOM: LOAD COPYA
CALL -151
B925:18 60
B988:18 60
BE48:18
B8FB:29 00
CTRL-C
RUN
AFTER COPYING RUN A SECTOR EDITOR
TR-0 SEC-2
CHANGE BYTE 5D TO AD
BYTE FB TO 29
BYTE FC TO 00
DOCTOR WHO.
MSG LEFT BY: THE SMUGGLER
DATE POSTED: WED APR 11 11:38:31 AM
WELL WELL, IT TOOK ME ABOUT 5-10 MIN.
TO CRACK IT. IT WAS KIND OF HARD BUT
ANYWAY I FINALLY DID IT. MAYBE/PROBABLY
SOMEONE DID IT BEFORE ME CUZ IT'S A
(C) 1981, BUT ANYWAY I GOT AN ORIGINAL
IN MY HAND FOR A WEEK, SO I DECIDED TO
CRACK IT.
HERE'S THE FASTEST WAY TO DO IT.
1) EDIT: TRACK: 13 SECTOR: 0F
   BYTE#: A9 FROM: '9E' TO 'A6'.
2) BOOT PASCAL#1 THEN DO A FIX BLOCK.
   1- F)ILE
   2- X)EXAMINE
   RANGE: FROM '0' TO '280'. (0-280)
3) THEN INIT YOUR DISK.... NO I WAS
   JUST KIDDING... THAT'S IT!!!
HERE'S ANOTHER WAY TO DO IT IF YOU
DON'T WANT TO CRASH YOUR ORIGINAL.
1) DO A COPY WITH LOCKSMITH/COPY II
   PLUS/NBII/EDD... ETC...
   (PS: YOU MIGHT GET AN ERROR ON TRACK
   #11)
2) THEN EDIT T$13,S$0F
   BYTE# A9 FROM 9E TO A6
3) THEN FIX ALL BLOCK.
THAT'S ALL FOR NOW FOLKS..
-----> THE SMUGGLER DID IT AGAIN <-----
MSG LEFT BY: PIRATE'S GUILD
ABCABCABCABCABCABCABCABCABCABCABCABCABC
B        APPLE BANDIT'S CRAKFILES      A
C   OVERVIEW -- THE CRAKFILE SERIES    B
ABCABCABCABCABCABCABCABCABCABCABCABCABC
WITH THE END OF THE INFAMOUS KRACKOWICZ'S KRACKING KORNER, IT HAS BECOME
APPARENT TO ME, AFTER MANY MONTHS, THAT THERE IS A DEFINITE NEED FOR A
GOOD SERIES OF CRACKING TUTORIALS TO CONTINUE. I WAS ASKED BY KRACKOWICZ
TO 'GUEST-WRITE' FOR THE KRACKING KORNER SOME TIME AGO. NOW, THE TIME HAS
COME TO PICK UP WHERE KRACKOWICZ LEFT OFF -- THAT IS, IF IT'S POSSIBLE.
KRACKOWICZ HAS BEAUTIFULLY COVERED MOST MAJOR AREAS OF BASIC CRACKING.
HOWEVER, I'LL BE CONCENTRATING MAINLY ON SPECIFIC PROGRAMS RATHER THAN
GENERAL TECHNIQUES, WHICH WILL SERVE TO BRING TOGETHER MANY ASPECTS OF
CRACKING. MANY OF THE "CRAKFILES" THAT WILL FOLLOW MAY BE QUITE BASIC;
AFTER ALL, IT'S THE BEGINNING CRACKIST THAT WILL BENEFIT MOST FROM THIS
SERIES. EXPERIENCED CRACKERS ARE ENCOURAGED TO SKIM THROUGH THE ARTICLES,
NOTING THAT THE ACTUAL STEPS IN THE CRACKING PROCESS ARE PRECEDED WITH
THE '->' SYMBOL.

THE CRAKFILES THAT FOLLOW WILL CONSIST OF TWO MAIN PARTS: [1] STEP-BY-STEP
PROCEDURE OF CRACKING, AND [2] THEORY BEHIND THE METHODS USED. THE
STEP-BY-STEP PORTION WILL ASSUME THAT YOU HAVE A FAIRLY GOOD UNDERSTANDING
OF DOS AND YOU SHOULD BE COMFORTABLE WITH THE APPLE'S MONITOR. ALSO, IF
YOU ARE TO GAIN ANYTHING FROM THE SERIES, I SUGGEST YOU HAVE A FAIRLY
STRONG BACKGROUND IN ASSEMBLY LANGUAGE PROGRAMMING. YOUR KNOWLEDGE OF
MACHINE LANGUAGE IS REALLY THE KEY TO CRACKING, SINCE PROTECTION SCHEMES
=>ARE<= MACHINE LANGUAGE.

IF YOU DON'T OWN A COPY OF QUALITY SOFTWARE'S 'BENEATH APPLE DOS', I
HIGHLY RECOMMEND YOU PICK UP A COPY; IT IS KNOWN TO SOME AS THE BIBLE OF
DOS. THERE ARE ALSO MANY GOOD BOOKS ON THE SUBJECT OF APPLE MACHINE
LANGUAGE, INCLUDING ROGER WAGNER'S 'ASSEMBLY LINES'.

THERE ARE SOME BASIC AREAS I HOPE TO EVENTUALLY COVER IN THIS SERIES.
THEY INCLUDE:
-> EXAMPLES OF CRACKS USING ADVANCED DEMUFFIN, FASTLOADER & MINI-RWTS
-> DATA COMPRESSION & PICTURE PACKING
-> PASCAL PROTECTION SCHEMES
-> CRACKING ON THE APPLE //E
-> USING NMI'S AS A LAST RESORT
-> EMPHASIS OF THE BOOT-TRACING PROCESS
-> CRACKING OF SELECTED 'OLDIE BUT TUFFIES'
MSG LEFT BY: PIRATE'S GUILD
ABCABCABCABCABCABCABCABCABCABCABCABCABC
B     APPLE BANDIT'S CRAKFILE - #01    A
C  COPY ][+ 4.4B - SINGLE LOAD CRACK   B
ABCABCABCABCABCABCABCABCABCABCABCABCABC
FIRST OF ALL, LET ME JUST SAY THAT THIS IS NOT A 'HARD' CRACK. IF YOU'RE
AN EXPERIENCED CRACKER, YOU MAY JUST WANT TO SKIM THIS ARTICLE, WATCHING
FOR THE '->' SYMBOLS, WHICH PRECEDE THE STEP-BY-STEP PROCEDURE FOR THE
CRACK.
COPY ][+ 4.4B IS CENTRAL POINT SOFTWARE'S NEWEST VERSION OF THEIR POPULAR
COPY UTILITY. THE PROGRAM ITSELF IS COMPRISED OF TWO PARTS: [1] A UTILITY
PROGRAM WHICH ALLOWS YOU TO CATALOG, COPY, DELETE, LOCK/UNLOCK FILES,
ETC., AND [2] A BIT COPY PROGRAM, WHICH IS ONE OF THE BEST BIT COPIERS
OUT ON THE MARKET. AS THE PROGRAM IS FIRST BOOTED, THE UTILITY MENU IS
LOADED. IF YOU WISH TO USE THE BIT COPIER, YOU MAY SELECT IT FROM THIS
MENU, AND IT IS LOADED IN SEPARATELY.

THE USUAL APPROACH TO A PROGRAM WITH MULTIPLE DISK ACCESS WOULD BE TO USE
ADVANCED DEMUFFIN, BY 'THE STACK' OF CORRUPT COMPUTING. WE WOULD USE
ADVANCED DEMUFFIN TO READ DATA FROM THE COPY ][+ ORIGINAL, AND WRITE IT
OUT TO OUR BLANK DOS 3.3 DISK. HOWEVER, SINCE THE DISK ACCESS IN COPY ][+
IS MINIMAL, IT WOULD BE FEASIBLE TO JUST SAVE THE BIT COPIER AND UTILITY
PROGRAMS SEPARATELY. ADDITIONALLY, SINCE BOTH PARTS RESIDE IN 'NORMAL'
PARTS OF MEMORY (WITHIN THE NORMAL 48K OF THE APPLE AND NOT BELOW $800),
THESE TWO PARTS CAN EASILY BE SAVED OUT AS BINARY FILES, WHICH CAN BE
INDIVIDUALLY BRUN'ED BY THE USER. THE ONLY SACRIFICE IN THIS METHOD IS
THAT WE DON'T GET THE FAST-BOOTING THAT THE ORIGINAL PROGRAM HAD, AND
THAT WHEN WE SELECT THE 'BIT COPY' OPTION FROM THE UTILITY MENU, IT
DOESN'T LOAD. IT WOULD BE POSSIBLE TO WRITE A BOOT ROUTINE FOR THE
UTILITY PROGRAM, AND WRITE ANOTHER SMALL ROUTINE TO DIRECTLY USE RWTS TO
LOAD IN THE BIT COPIER UPON SELECTION FROM THE UTILITY MENU, BUT THAT IS
BEYOND THE SCOPE OF THIS CRAKFILE. HERE WE WILL TRADE SPEED AND EASE OF
USE FOR DISK SPACE AND THE ABILITY TO HAVE THE PROGRAMS IN THE FORMAT OF
A FILE, WHICH ARE TWO OF THE MAIN REASONS OF CRACKING IN GENERAL. ANYWAY,
ON WITH THE SHOW...
AFTER BOOTING COPY ][+ 4.4B, YOU WILL SOON SEE THE UTILITY MENU. AT THIS
POINT WE WOULD LIKE TO STOP THE PROGRAM, AND SAVE IT AS A FILE. TO DO
THIS, WE HAVE A FEW OPTIONS: [1] WE CAN PRESS <RESET> ON OUR APPLE ][+ OR
APPLE //E OR OTHER COMPUTER WITH AUTOSTART ROM (AS OPPOSED TO THE 'OLD
MONITOR' ROM) AND DISCOVER THAT THIS ONLY CAUSES THE PROGRAM TO CLEAR
MEMORY AND RE-BOOT; [2] WE CAN BOOT-TRACE THE DISK UP TO THE POINT WHERE
THE PROGRAM BEGINS EXECUTION; [3] WE CAN USE A CRACKSHOT, WILDCARD, OR
OTHER NMI BOARD TO HALT THE EXECUTION OF THE PROGRAM AND LEAVE US IN THE
APPLE'S MONITOR; [4] WE CAN PRESS <RESET> IF WE HAVE INSTALLED AN OLD
MONITOR F8 ROM OR OTHER MODIFIED ROM THAT LEAVES US IN MONITOR UPON
PRESSING THAT KEY; OR [5] IF WE DO NOT HAVE AN OLD MONITOR OR OTHER
MODIFIED F8 ROM AVAILABLE, WE CAN USE THE RAM CARD TO SIMULATE ONE, SINCE
COPY ][+ IGNORES THE TOP 16K OF A 64K APPLE.

WHICH METHOD SHOULD WE USE? WELL OPTION #1 ISN'T GOING TO HELP TOO MUCH,
OPTION #2 (BOOT-TRACING) IS AN ART IN ITSELF (WHICH WILL BE THE TOPIC OF
A FUTURE CRAKFILE), AND OPTION #3 (USING A CRACKING/NMI BOARD) IS NOT THE
EASIEST, SO WE'LL CONCENTRATE ON THE LAST TWO OPTIONS. IF YOU HAVE AN F8
ROM TO DUMP YOU INTO MONITOR UPON <RESET> USE THAT -- OTHERWISE YOU CAN
EASILY MAKE YOUR 16K LANGUAGE CARD LOOK LIKE ONE. (UNLESS YOU'RE USING A
//E. IF THIS IS THE CASE, THE LANGUAGE CARD TRICK WILL NOT WORK BECAUSE
PRESSING <RESET> ON THE //E WILL AUTOMATICALLY TURN OFF THE 'BUILT-IN'
LANGUAGE CARD; YOU'RE STUCK WITH EITHER BOOT-TRACING OR USING A CRACKING
CARD).
USING THE LANGUAGE CARD TO RESET INTO MONITOR:
]CALL-151 (GO INTO MONITOR)
*C081 N C081 (WRITE-ENABLE LANGUAGE CARD)
*D000<D000.FFFFM (COPY YOUR ROM'S TO THE LANGUAGE CARD)
*C083 N C083 (TURN ON LANGUAGE CARD AND IGNORE THE ROM'S)
*FFFC:59 FF (SET THE 6502 RESET LOCATION TO JUMP INTO MONITOR)
NOW WE COME TO THE ACTUAL CRACKING PROCESS OF COPY ][+ 4.4B:
-> CLEAR MEMORY BY TYPING FROM MONITOR:
   0<CTRL-P>
   0<CTRL-K> N 300:0 N
   301<300.BFFFM
-> BOOT YOUR ORIGINAL COPY ][+ DISK
-> AT THE UTILITY MENU, BREAK OUT INTO MONITOR USING YOUR OLD MONITOR ROM,
   MODIFIED LANGUAGE CARD, OR CRACKING CARD
NOW WE CAN TELL WHAT PARTS OF MEMORY ARE ACTUALLY USED BY THE PROGRAM BY
USING THE MEMORY DUMP COMMAND FROM MONITOR. IF YOU TYPE "800.BFFF" YOU
WILL SEE THE PROGRAM WHIZ BY, UNTIL IT REACHES THE $4C00 RANGE OF MEMORY.
HERE YOU FIND ALL ZERO'S UNTIL $B000, WHERE $B000-$BFFF SEEMS TO BE USED.
KNOWING THAT $800-$4C00 AND $B000-$BFFF IS USED, WE CAN SAVE THE PROGRAM
TO OUR DOS 3.3 DISK IN FILE FORMAT THE FOLLOWING WAY:
-> FROM MONITOR, TYPE "4C00<B000.BFFFM" TO SAVE THE RANGE OF MEMORY UP AT
   $B000-$BFFF SO IT WON'T INTERFERE WITH WHERE DOS NORMALLY RESIDES
-> TYPE "6000<800.900M" TO SAVE THE RANGE OF MEMORY FROM $800-$900 WHICH
   WILL GET OVER-WRITTEN WHEN DOS IS BOOTED.
-> BOOT A DOS DISK WHICH YOU HAVE PREVIOUSLY INIT'ED AND DELETED THE HELLO
   PROGRAM FROM
-> GO INTO MONITOR AND TYPE "800<6000.60FFM" TO RESTORE $800-$900
NOW, WE OBVIOUSLY CAN'T JUST MOVE THE $B000-$BFFF RANGE BACK UP, BECAUSE
IT WILL INTERFERE WITH DOS, SO WE'LL HAVE TO WRITE A SHORT ROUTINE TO
MOVE THE RANGE FROM WHERE IT IS NOW LOCATED (AT $4C00-5C00) UP TO THE
DESTINATION. SCANNING THROUGH THE $800 PAGE, WE FIND A JMP $11AD. THIS IS
THE ACTUAL START OF THE PROGRAM, SO WE HAVE SOME EXTRA SPACE BEFORE THAT
POINT TO PUT OUR MOVE ROUTINES. HERE IS THE ROUTINE, ALL READY TO TYPE IN:
-> 82B:A9 00 85 00 85 02 A9 4C 85 01 A9 B0 85 03 A0 00 B1 00 91 02 C8 D0
   F9 E6 01 E6 03 A5 01 C9 5C D0 EF A9 60 8D FF 02
NOTE: UPON EXAMINATION OF THE COPY ][+ PROGRAM, IT CAN BE FOUND THAT THE
PROGRAM USES LOCATION $2FF TO STORE THE SLOT NO. TIMES 16. THE LAST 5
BYTES OF THE ABOVE ROUTINE TAKE CARE OF THIS.
NOW, BEFORE WE SAVE THE PROGRAM, THERE IS ONE OTHER FEATURE WE CAN ADD.
SINCE WE CAN NO LONGER RUN THE BIT COPY PROGRAM DIRECTLY FROM THE UTILITY
MENU, IT WOULD BE NICE TO DISABLE THE OPTION COMPLETELY. THE FOLLOWING
MOD WILL TAKE CARE OF THIS: 1A90:60. ON OUR CRACK, THE BURGLAR PUT A
SMALL ROUTINE AT $1A90 THAT CLEARED THE SCREEN AND WENT INTO MONITOR.
THEN HE SEARCHED MEMORY FOR THE MENU, AND CHANGED THE 'BIT COPY' TEXT TO
'MONITOR '. YOU MAY THINK OF SOMETHING ELSE INTERESTING TO PUT HERE...

NOW, THE MOMENT WE'VE BEEN WAITING FOR! YOU CAN FINALLY SAVE YOUR CRACKED
COPY:
-> BSAVE COPY ][+ 4.4B UTILITY,A$82B,L$53FB
NOW FOR THE BIT COPY PORTION. THE PROCESS IS ALMOST EXACTLY THE SAME:
-> BOOT YOUR ORIGINAL COPY ][+ AND SELECT THE "BIT COPY" OPTION
-> WHEN BIT COPY IS LOADED, HIT <RESET> (OR WHATEVER METHOD YOU ARE USING)
NOW, WE MAY NOT BE ABLE TO TELL BY JUST SCANNING MEMORY THIS TIME, BUT BY
EXPERIMENTING WE CAN TELL THAT THE ONLY PORTION OF MEMORY USED BY THE BIT
COPIER IS $800-$3300. THIS WILL MAKE OUR JOB EASIER...
-> TYPE "6000<800.900" TO SAVE RANGE FROM $800-900
-> BOOT YOUR DOS SLAVE DISKETTE W/NO HELLO PROGRAM (THE SAME DISK AS
   BEFORE)
-> FROM MONITOR, TYPE "800<6000.60FF" TO RESTORE RANGE $800-900
-> TYPE "808:A9 60 8D FF 02 4C 00 09" TO SET $2FF WHICH IS USED BY THE
   PROGRAM, AND TO JUMP TO THE STARTING LOCATION AT $900
-> BSAVE COPY ][+ 4.4B BIT COPY,A$808,L$2AFB
CONGRATULATIONS...IT'S A 1ST CLASS CRACK!
COMING SOON: ABC #2 - HOW I CRACKED "SUNDOG", A NEW PASCAL GRAPHIC
ADVENTURE.
APPLE BANDIT & THE BURGLAR OF MIDWEST PIRATE'S GUILD [MPG]
MSG LEFT BY: THE SHADOW
DATE POSTED: SUN APR 15 1:40:45 AM
DOCTOR WHO, YOUR CRACK FOR CRISIS MOUNTAIN WILL NOT WORK WHEN YOU GET A HIGH SCORE!! YOU FORGOT TO CHANGE THE WRITE ROUTINE AND THE TRANSLATION TABLE. OVERWRITE T0,S2 WITH THE SAME SECTOR FROM A NORMAL DISK AND CHANGE BYTES 29 AND AA IN SECTOR 4 TO THEIR NORMAL VALUES!! THAT SHOULD DO IT!
THE SHADOW AND THE PUSMAN
MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN APR 15 11:14:13 PM
WELL, APPLE BANDIT, WHO IS CERTAINLY A MORE TALENTED CRACKER THAN I, HAS HEATED UP THIS COMPETITION WITH HIS ABOVE CRACKING TUTORIALS. SO HERE IS ANOTHER TUTORIAL FROM ->RESET VECTOR! IN A SIMILAR FASHION TO APPLE BANDIT, I AM GOING TO DESCRIBE THE PROCEDURE USED TO CRACK A PARTICULAR PROGRAM - IN THIS CASE AN EDUCATIONAL GAME FROM DESIGNWARE CALLED MATHMAZE. ALTHOUGH THE PROGRAM ITSELF MAY NOT BE OF ANY GREAT INTEREST, SOME OF THE TECHNIQUES USED HERE WILL HAVE MORE GENERAL APPLICATION. IN PARTICULAR, THE METHODS USED TO MOVE THE VTOC AND FIND/MARK FREE SECTORS ARE OFTEN CONFUSING TO BEGINNERS AND THIS EXPLANATION AND STEP BY STEP PROCEDURE MAY PROVE HELPFUL.
MATHMAZE IS ONE OF A LARGE NUMBER OF PROTECTED PROGRAMS THAT IS NORMALLY FORMATTED AND CAN BE COPIED WITH COPYA, BUT THE COPY WILL NOT BOOT. HOWEVER, IF YOU BOOT WITH THE ORIGINAL, YOU CAN THEN PUT IN A COPYA COPY AND THE GAME WILL RUN JUST FINE. SO THE TRICK HERE IS TO GET THE BOOT OUT AS A FILE AND THEN FIT IT ON THE DISK WITH THE DATA PARTS OF THE ORIGINAL DISK.
NOW, THE FOLLOWING DISCUSSION ASSUMES THAT YOU HAVE A FEW CRACKING TOOLS. YOU NEED A WAY TO RESET INTO THE MONITOR (SEE APPLE BANDIT'S DISCUSSION ABOVE) PLUS YOU NEED A WAY TO SAVE PAGES 00 THROUGH 07 (UP TO $800). FOR THIS PURPOSE I USE APPLESOFT 0 FROM MASTER KEY+. IF YOU ATTEMPT TO GET THE BOOT FILE OUT WITH SOMETHING LIKE REPLAY, YOU WILL FIND THAT IT IS TOO LONG TO PACK INTO A FILE (IT EXTENDS FROM 0800-9600 AND B700-C000, ALTHOUGH YOU COULD PROBABLY DO WITHOUT THE B700-C000 PART WHICH IS THE RWTS). SO WE ARE FORCED TO DO THIS MANUALLY. THE EASIEST WAY IS TO USE FASTLOADER (BY THE STACK), WHICH LETS US CREATE VERY LONG FILES THAT WILL RUN UNDER 48K, AND IT DOES A LOT OF THE WORK FOR US. THE ONLY HARD PART, REALLY, ABOUT USING FASTLOADER IS THAT IT REQUIRES US TO FIND THE STARTING ADDRESS OF THE PROGRAM. THERE ARE MANY WAYS TO DO THIS (NONE OF THEM REALLY EASY!), BUT MATHMAZE IS AN EXAMPLE OF A PROGRAM WHERE THE PROTECTORS MADE IT EASY FOR US. IF YOU BOOT UP MATHMAZE AND TRY HITTING RESET (WITH THE AUTOSTART MONITOR), YOU WILL FIND THAT THE PROGRAM JUST GOES BACK TO DISK AND RESTARTS ITSELF (SOME PROGRAMS WILL RESTART THEMSELVES WITHOUT THE DISK ACCESS). THIS MAKES LIFE REALLY EASY FOR US, BECAUSE ALL WE HAVE TO DO IS FIND THE RESET VECTOR (I ALWAYS KNEW MY NAME HAD A REAL PURPOSE HERE) AND USE THAT FOR THE STARTING ADDRESS. THE RESET VECTOR WILL BE STORED IN BACKWARDS FORMAT AT BYTES 3F2-3F3, WHICH IN THIS CASE WILL BE 04 08, MEANING THE STARTING ADDRESS WE WILL USE IS $804.
NOW, WITH THAT OUT OF THE WAY, WE CAN CRACK THE BOOT INTO A FILE. I FIND THAT FASTLOADER GETS A LITTLE FLAKY IF THE FILES YOU USE ARE TOO LONG, SO HERE ARE THE FILES I TOOK OUT TO CRACK MATHMAZE. I AM GOING TO ASSUME SOME KNOWLEDGE ON YOUR PART HERE. AS DESCRIBED IN PART BY APPLE BANDIT, YOU HAVE TO BOOT THE ORIGINAL, HIT RESET AND THEN BOOT A SLAVE DISK AND SAVE THE FILES. IF YOU ARE SAVING A FILE THAT STARTS AT $800, THEN YOU HAVE TO MOVE THE $800 PAGE OUT OF THE WAY BEFORE YOU BOOT THE SLAVE DISK, AND IF YOU ARE SAVING A FILE ABOVE $9500 YOU HAVE TO MOVE IT DOWN IN MEMORY BEFORE YOU BOOT THE SLAVE.
HERE ARE THE FILES: FILE 1 IS 0000-0800, FILE 2 IS 0800-3700, FILE 3 IS 3800-6700, FILE 4 IS 6800-9500 (LENGTH 2E00) AND FILE 5 IS B700-C000 (LENGTH 900). NOW JUST PLUG THESE INTO FASTLOADER WITH A STARTING ADDRESS AND YOU WILL HAVE CRACKED THE BOOT INTO 165 SECTORS. NOW ON TO THE NEXT MESSAGE.
MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN APR 15 11:21:20 PM
NOW THAT YOU HAVE THE BOOT CRACKED, YOU HAVE TO FIT IT ON A COPY OF THE ORIGINAL DISK. YOU WILL HAVE TO FIND FREE SPACE ON THE DISK AND MARK IT FREE IN THE VTOC AND THEN MOVE THE VTOC TO SOMEWHERE OTHER THAN TRACK 11, WHICH IS USED FOR DATA BY THE ORIGINAL. NOW, IF YOU WATCH THE ORIGINAL BOOT, YOU WILL SEE THAT IT USES TRACKS 0-9 FOR THE BOOT. SO WE KNOW THAT WE CAN PUT A NORMAL DOS ON THE DISK AND FREE UP THESE TRACKS. BUT THIS WILL NOT BE QUITE ENOUGH ROOM, SO FOLLOW THE FOLLOWING PROCEDURE.
1. INIT A BLANK DISK
2. MAKE A COPYA COPY OF THE ORIGINAL AND COPY TRACKS 0-2 (THE DOS TRACKS) AND TRACK 11 (THE VTOC/CATALOG TRACK) FROM THE INITED BLANK DISK ON TO THIS COPY OF THE ORIGINAL DISK.
3. NOW YOU NEED A VTOC EDITOR. I USE DISK FIXER FOR THE BIG CHANGES AND WATSON (WHICH WILL BE ESSENTIAL HERE) FOR THE INDIVIDUAL SECTORS, ALTHOUGH YOU CAN USE WATSON FOR THE WHOLE THING. TAKE THE DISK YOU HAVE CREATED AND USE THE VTOC EDITOR (REMEMBER CTRL-L IN WATSON CHANGES THE STATUS OF A SECTOR) TO FREE UP SECTORS 5-F OF TRACK 2 (UNUSED BY DOS) AND TO MARK ALL OF TRACKS A-22 AS USED. ALSO MARK AS USED SECTORS 0 AND F OF TRACK 9, WHICH IS WHERE WE WILL EVENTUALLY MOVE THE VTOC, AND WHILE YOU ARE AT IT EDIT TRACK 1 SECTOR B BYTE 01 FROM 11 TO 09 TO TELL DOS WHERE THE VTOC WILL BE.
4. NOW USE WATSON TO SCAN THE DISK SECTOR BY SECTOR STARTING AT TRACK A SECTOR 0, AND EVERY TIME YOU FIND A SECTOR THAT IS ALL THE SAME VALUE (IN THIS CASE USUALLY "20" ALTHOUGH SOMETIMES "00") HIT CTRL-L TO FREE UP THE SECTOR. DO THIS UNTIL YOU HAVE 165 FREE SECTORS (JUST HIT "M" OCCASIONALLY TO SEE HOW YOU ARE PROGRESSING).
5. YOU ARE ALMOST DONE. JUST USE FID OR COPY ][+ OR WHATEVER TO TRANSFER THE CRACKED BOOT FILE TO THIS DISK. COPY ][+ IS NICE BECAUSE YOU CAN THEN JUST CHANGE BOOT PROGRAM AND IT WILL AUTOMATICALLY MAKE THE DOS BRUN YOUR CRACKED FILE.
6. NOW USE YOUR SECTOR EDITOR (WATSON OR WHATEVER) TO MOVE TRACK 11 SECTOR 0 TO TRACK 9 SECTOR 0 AND TRACK 11 SECTOR F TO TRACK 9 SECTOR F, THEREBY MOVING THE VTOC AND CATALOG. YOU WILL HAVE TO EDIT BYTE 01 OF SECTOR 0 FROM 11 TO 09 AND BYTES 01-02 OF SECTOR F TO 00 00.
7. FINALLY, USE YOUR COPY PROGRAM (I USE FAST COPY WHICH ALLOWS ME TO COPY A RANGE OF NORMAL TRACKS, BUT YOU CAN USE A NIBBLE COPIER) TO COPY TRACK 11 FROM THE ORIGINAL DISK ON TO THE DISK YOU HAVE CREATED.
THAT'S IT! I KNOW THAT THE VTOC EDITING AND MOVING CAN BE CONFUSING AS ALL HELL AT FIRST, BUT THEY ARE ESSENTIAL FOR CRACKING A MULTITUDE OF DIFFERENT PROGRAMS, SO KEEP ON CRACKING!
COURTESY OF ->RESET VECTOR!
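The VTOC edits in steps 3, 4 and 6 above are easier to follow when the bitmap arithmetic is written out. The following is an added example (not code from Reset Vector's message or from Watson/Disk Fixer) that models those steps on a constructed disk image: it builds a VTOC as DOS 3.3's INIT would, frees and reserves sectors, scans for filler sectors that are all one value, and relocates the VTOC/catalog pair with the two pointer fixes the message describes. The VTOC layout used (byte $01/$02 = first catalog track/sector, four-byte free-sector bitmap per track starting at $38, bit set = free) is the documented DOS 3.3 format; the sample disk contents and the filler-sector positions are constructed.

```python
"""DOS 3.3 VTOC free-sector bitmap and catalog-pointer edits (added example).

Disk image: dict (track, sector) -> 256 bytes, constructed below.
VTOC: byte $01/$02 = track/sector of first catalog sector; $38 + 4*track =
that track's bitmap, byte 0 covers sectors $F..$8 (bit 7 = $F), byte 1
covers $7..$0 (bit 7 = $7); a set bit means the sector is free.
"""

TRACKS, SECTORS = 35, 16
CATALOG_TRACK, CATALOG_SECTOR = 0x11, 0x0F   # INIT puts the VTOC at T$11 S0, catalog at S$F
BITMAP = 0x38

def new_vtoc(catalog_track=CATALOG_TRACK, volume=254):
    """A VTOC as INIT writes it: tracks 0-2 (DOS) and the catalog track in use, rest free."""
    v = bytearray(256)
    v[0x01], v[0x02] = catalog_track, CATALOG_SECTOR
    v[0x03], v[0x06], v[0x27] = 3, volume, 122       # DOS release, volume, T/S pairs per list
    v[0x34], v[0x35] = TRACKS, SECTORS
    v[0x36:0x38] = (256).to_bytes(2, "little")
    for t in range(TRACKS):
        for s in range(SECTORS):
            set_free(v, t, s, t not in (0, 1, 2, catalog_track))
    return v

def _bit(track, sector):
    byte = BITMAP + 4 * track + (0 if sector >= 8 else 1)
    return byte, 1 << (sector & 7)

def is_free(v, track, sector):
    byte, mask = _bit(track, sector)
    return bool(v[byte] & mask)

def set_free(v, track, sector, free):
    byte, mask = _bit(track, sector)
    v[byte] = (v[byte] | mask) if free else (v[byte] & ~mask & 0xFF)

def free_count(v):
    return sum(is_free(v, t, s) for t in range(TRACKS) for s in range(SECTORS))

def reserve_for_boot(v, vtoc_dest=0x09):
    """Step 3: free T2 S5-SF (unused by DOS), mark tracks $A-$22 used (the original's
    data lives there) and reserve S0/SF of the track the VTOC will move to."""
    for s in range(5, SECTORS):
        set_free(v, 2, s, True)
    for t in range(0x0A, TRACKS):
        for s in range(SECTORS):
            set_free(v, t, s, False)
    set_free(v, vtoc_dest, 0x0, False)
    set_free(v, vtoc_dest, 0xF, False)
    return free_count(v)

def free_uniform_sectors(v, disk, first_track, needed):
    """Step 4: from first_track on, free every sector whose 256 bytes are all one value
    (filler such as $20 or $00) until `needed` sectors are free. Returns the number freed."""
    freed = 0
    for t in range(first_track, TRACKS):
        for s in range(SECTORS):
            if free_count(v) >= needed:
                return freed
            if len(set(disk[(t, s)])) == 1 and not is_free(v, t, s):
                set_free(v, t, s, True)
                freed += 1
    return freed

def move_vtoc(disk, new_track):
    """Step 6: copy VTOC (S0) and catalog (SF) to new_track; VTOC byte $01 now points
    at new_track, catalog bytes $01-$02 become 00 00 (no further catalog sectors)."""
    vtoc = bytearray(disk[(CATALOG_TRACK, 0x0)])
    cat = bytearray(disk[(CATALOG_TRACK, CATALOG_SECTOR)])
    vtoc[0x01] = new_track
    cat[0x01] = cat[0x02] = 0x00
    disk[(new_track, 0x0)] = bytes(vtoc)
    disk[(new_track, CATALOG_SECTOR)] = bytes(cat)
    return disk

def constructed_disk():
    """Constructed sample: varied data everywhere except six planted filler sectors."""
    disk = {(t, s): bytes((i + t * 16 + s) & 0xFF for i in range(256))
            for t in range(TRACKS) for s in range(SECTORS)}
    for t, s in [(0x0A, 0), (0x0A, 1), (0x0C, 5), (0x1F, 0xF), (0x22, 3)]:
        disk[(t, s)] = bytes([0x20] * 256)
    disk[(0x15, 2)] = bytes([0x00] * 256)
    cat = bytearray(256)
    cat[0x01], cat[0x02] = CATALOG_TRACK, 0x0E   # catalog chained to T$11 S$E, as INIT leaves it
    disk[(CATALOG_TRACK, CATALOG_SECTOR)] = bytes(cat)
    return disk

def run_procedure(disk, needed=165):
    """Steps 3, 4 and 6 in order; returns (free after step 3, freed in step 4, total free)."""
    v = new_vtoc()
    base = reserve_for_boot(v)
    freed = free_uniform_sectors(v, disk, 0x0A, needed)
    disk[(CATALOG_TRACK, 0x0)] = bytes(v)
    move_vtoc(disk, 0x09)
    return base, freed, free_count(v)
```

On the constructed image only six filler sectors exist, so the scan stops short of 165; on a real MathMaze copy the loop keeps freeing until the count is reached. The two pointer fixes in `move_vtoc` are what make the moved VTOC consistent: DOS follows byte $01 of the VTOC to the catalog, and the catalog's own $01-$02 link must be cut so it does not chain back onto track $11.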
MSG LEFT BY: THE PROWLER
DATE POSTED: MON APR 23 12:29:50 PM
THIS ONE IS PRETTY SIMPLE, JUST RUN
ADVANCED DEMUFFIN, EXIT TO MONITOR AND
TYPE --> B991:DF <RETURN>
THEN TYPE --> 800G <RETURN> AND
YOU SHOULD BE BACK IN ADVANCED DEM.
CONVERT BOTH SIDES OF STRIP BLACKJACK
(IT WILL COPY NO PROBLEM NOW) AND THEN
BOOT UP A SECTOR EDITOR (ANY ONE WILL
DO).
CHANGE TRACK 0,SECTOR 3,BYTE 91
FROM $DF TO $DE
ON BOTH SIDES OF THE DISK.
VOILA, CRACKED AND EASY TO COPY!
-?- THE PROWLER -?-
MSG LEFT BY: PIRATE'S GUILD
CRACKING BC'S QUEST FOR TIRES
=============================
TRACK $21 (HEX) IS A NIBBLE COUNT TRACK
AND CONTAINS NO DATA NEEDED BY THE
GAME. OTHERWISE, THE DISK FORMAT IS
STANDARD DOS 3.3...SO...
COPY THE DISK (SKIPPING TRACK $21)
ONTO A BLANK. OR, IF YOU WANT TO MODIFY
YOUR ORIGINAL, JUST USE BAG OF TRICKS'
"INIT" OR SIMILAR UTILITY, AND FORMAT
TRACK $21 ON THE ORIGINAL DISK.
NOW, THE DISK CAN BE COPIED BY COPYA,
BUT IT WON'T BOOT BECAUSE OF THE
NIBBLE COUNT. WE CAN JUST NOP THE JSR
TO THE NIBBLE COUNT BY CHANGING THE
FOLLOWING BYTES WITH ZAP OR INSPECTOR:
TRACK  SECTOR  BYTE  FROM  TO:
-----  ------  ----  ----  ---
$06    $07     $E8   $20   $EA
$06    $07     $E9   $00   $EA
$06    $07     $EA   $96   $EA
THERE...IT'S CRACKED! (EASY, EH?)
(C): THE BURGLAR OF PIRATE'S GUILD
[AN APPLE BANDIT QUIKFILE]
MSG LEFT BY: PIRATE'S GUILD
CRACK MICRO LAB'S DINO EGGS & CRISIS MT
=======================================
MICRO LAB'S PROTECTION SCHEME ON THEIR
DINO EGGS, AND CRISIS MOUNTAIN IS VERY
MINIMAL. TO CONVERT IT TO A COPYA
FORMAT, JUST LOAD COPYA, GO INTO MONITOR
AND DISABLE THE RWTS ADDRESS MARKER
CHECKSUM:
*B942:18 (A VERY BASIC TECHNIQUE THAT WILL COPY MANY PROGRAMS..)
THEN MAKE A COPY OF THE DINO EGGS OR
CRISIS MOUNTAIN ORIGINAL WITH COPYA...
NOW, THEIR ROUTINES STILL TRY TO READ
IN THE OLD ADDRESS MARKS. TO MODIFY THE
READADDR ROUTINE TO READ NORMAL DOS 3.3
JUST MAKE THE FOLLOWING MODS ON
TRACK $00, SECTOR $09 -->
BYTE FROM TO:
---- ---- ---
$35 $D5 $DE
$91 $9E $DE
$94 $18 $EA
$95 $60 $BD
$9B $E7 $AA
NOW, THEIR MODIFIED RWTS STILL DE-
NIBBLIZES THE DATA ABNORMALLY, SO TO
NORMALIZE IT, MAKE THE FOLLOWING MODS
ON TRACK $00, SECTOR $0C -->
BYTE FROM TO:
---- ---- ---
$FB $BF $BC
$FC $1A $19
AND ON TRACK $00, SECTOR $0E -->
BYTE FROM TO:
---- ---- ---
$38 $4C $08
$39 $00 $B0
$3A $BB $8E
(C): THE BURGLAR AND APPLE BANDIT/MPG
[AN APPLE BANDIT QUIKFILE]
MSG LEFT BY: PIRATE'S GUILD
CRACKING GENERAL MANAGER //E (V2.0Y)
====================================
THE GENERAL MANAGER, VERSION 2.0Y, BY
SIERRA ON-LINE IS VERY EASY TO CRACK;
THAT IS, ONCE YOU KNOW HOW. THE DISK
IS IN STANDARD DOS 3.3 FORMAT, AND
THEREFORE CAN BE COPIED WITH COPYA.
HOWEVER, THE PROGRAM WILL NOT WORK DUE
TO A SMALL NIBBLE COUNT ROUTINE
CLEVERLY HIDDEN IN ONE OF THE FILES ON
THE DISK...
TO DISABLE THE NIBBLE COUNT, JUST
TYPE THE FOLLOWING:
]BLOAD GENERAL MANAGER
]CALL-151
*631C:2C
*6322:2C
*BSAVE GENERAL MANAGER,A$6000,L$6F0
IT'S CRACKED...
(C): APPLE BANDIT OF PIRATE'S GUILD
[AN APPLE BANDIT QUIKFILE]
MSG LEFT BY: PIRATE'S GUILD
CRACKING APPLEWRITER //E
========================
ACCORDING TO THE BURGLAR, THIS IS ALL
THERE IS TO IT...
[1] COPYA THE DISK
[2] SECTOR MOD:
TRACK $04, SECTOR $0C
BYTES $B1-B3 = EA EA EA
IT JUST DISABLES A SMALL DISK ROUTINE.
(C): THE BURGLAR AND APPLE BANDIT/MPG
[AN APPLE BANDIT QUIKFILE]
MSG LEFT BY: PIRATE'S GUILD
HOW TO BOOT FROM DRIVE 2
========================
WELL, HERE'S AN INTERESTING TECHNIQUE
THAT SOMETIMES COMES IN HANDY WHEN
DRIVE SPEED SEEMS TO BE CRITICAL IN
A PROTECTION SCHEME, AND YOU CAN'T
PULL OUT THE CONTROLLER CARDS AND SWAP
THEM BECAUSE YOUR COMPUTER DESK IS FULL
OF PRINTOUTS AND OTHER GARBAGE...
]CALL-151
*8600<C600.C700M   (MOVE BOOT0 ROUTINE FROM CONTROLLER CARD DOWN INTO RAM WHERE WE CAN MODIFY IT.)
*8636:8B           (ADDRESS FOR DRIVE 2. WAS SET PREVIOUSLY TO "8A" FOR D1.)
NOW PUT THE DISK IN DRIVE 2, AND TYPE:
*8600G
IT WILL BOOT UP. IF YOU WANTED TO BOOT
FROM A DIFFERENT SLOT OTHER THAN 6,
JUST MOVE THE BOOT ROUTINE FROM C600 TO
8000+SLOT*256. (I.E. SLOT 5 WOULD BE
$8500, SLOT 4 $8400, ETC.)
JUST A LITTLE TID-BIT FROM...
APPLE BANDIT OF MIDWEST PIRATE'S GUILD.
MSG LEFT BY: DOCTOR WHO
K PIRATES GUILD BUT WHAT IF YOU DON'T
HAVE ADVANCED DEMUFFIN?
LOAD COPYA
CALL-151
B942:18
BAAA:18
CTRL-C
RUN80
COPY DISK
USE MASTER CREATE TO PUT NORMAL DOS
ON THE DISK
NOW YOU HAVE A CRACKED DUNZHIN!!
------------=> DOCTOR WHO <=-----------
MSG LEFT BY: RESET VECTOR
DATE POSTED: SAT JUL 2 6:20:34 PM
MESSAGE #78: DEATH IN THE CARIBBEAN!
THIS ONE IS REAL EASY TO CRACK. THE EASIEST WAY IS TO USE ADVANCED DEMUFFIN ON TRACKS 3-22, BOTH SIDES, AND THEN JUST PUT NORMAL DOS ON THE DISK. THE PROTECTION IS SO MARGINAL THAT YOU COULD PROBABLY USE COPYA, CHANGING THE BYTES IN DOS TO CHANGE THE ADDRESS AND DATA HEADERS, OR USE DISK EDIT 2.0.
COURTESY OF ->RESET VECTOR!
MSG LEFT BY: GREGG BURMAN
DATE POSTED: WED JUL 20 3:09:50 AM
MESSAGE #79: INSTANT RECALL - COPYA
INSTANT RECALL WAS ANOTHER TRIVIAL
PROGRAM TO CRACK, ITS MAIN PROTECTION
SCHEME CONSISTED OF NONE OTHER THAN
THE MODIFIED RWTS. THERE ARE A COUPLE OF
OTHER MINOR PROTECTION SCHEMES...
IF YOU USED DEMUFFIN PLUS YOU WOULD
NOT GET THE DATA THAT IS JUST ON THE
DISK BUT NOT IN A FILE, AND THEY ALSO
CHANGE A FEW DOS COMMANDS.
IN ORDER TO CRACK IT, JUST USE ANY RWTS
CONVERTER PROGRAM LIKE COPYB OR
ADVANCED DEMUFFIN TO CONVERT IT TO DOS
3.3 FORMAT. THEN CHANGE THE DOS
COMMANDS IN THE FOLLOWING LINES BACK TO
NORMAL. (IN THIS CASE BECAUSE THERE ARE
SO FEW DOS COMMANDS IT WAS EASIER TO
MODIFY ALL THE PROGRAMS TO WORK WITH
NORMAL DOS RATHER THAN MODIFYING NORMAL
DOS TO FIT THEIR PROGRAMS.)
LOAD SAMS            LOAD I.R.DEMO
LINE 20 (RUN)        LINE 2400 (RUN)
LINE 30 (RUN)        LINE 2410 (RUN)
LOAD XPLAIN +        LOAD XPLAIN E
LINE 190 (BRUN)      LINE 190 (BRUN)
"    3000 (BLOAD)    "    3000 (BLOAD)
"    3090 (BSAVE)    "    3090 (BSAVE)
"    4000 (RUN)      "    4000 (RUN)
ANY QUESTIONS? LEAVE E-MAIL.
GREGG BURMAN
MSG LEFT BY: GREGG BURMAN
DATE POSTED: SUN JUL 24 9:18:11 PM
FOR QUITE SOME TIME NOW SIERRA ON-LINE
HAS BEEN PUTTING OUT SOFTWARE IN A DOS
3.3 FORMAT EXCEPT FOR A NIBBLE COUNT ON
ONE OF THE TRACKS. THIS INCLUDES SUCH
PROGRAMS AS SCREENWRITER II, DICTIONARY
AND MORE.
RECENTLY THEY HAVE PUT OUT TWO NEW ONES
APPLE CIDER SPIDER AND SAMMY LIGHTFOOT,
YES, THEY TOO ARE IN A COPY-A FORMAT,
BUT THEY WON'T RUN WITHOUT REMOVING THE
NASTY NIBBLE COUNT.
TO FIND THE NIBBLE COUNT ON THESE TWO
NEW ONES, AND POSSIBLY FUTURE RELEASES
SEARCH THE DISK WITH DISK EDITOR OR
SOME OTHER UTILITY FOR THE FOLLOWING
HEX STRING:
CE 03 09 EF 03
WHEN YOU FIND IT CHANGE THE FIRST TWO
BYTES TO:
60 AD
THE 60 IS AN RTS THAT NULLIFIES THE
NIBBLE COUNT SUBROUTINE, AND THE AD
MAKES THE CHECKSUM COME UP WITH THE
CORRECT VALUE.
HERE ARE THE PATCHES FOR LIGHTFOOT, AND
CIDER SPIDER, BUT YOU MAY BE ABLE TO
USE THE ABOVE PROCEDURE ON THEIR NEXT
RELEASE?
A.C.S.                  S.L.
------                  ----
TRACK 12 SECTOR 1       TRACK 5 SECTOR E
BYTES 0-1               BYTES 0-1
CHANGE TO 60 AD         CHANGE TO 60 AD
THAT SHOULD DO IT! THEY ARE NOW REALLY
COPY-A-ABLE.
GREGG BURMAN
MSG LEFT BY: MR. KRAC-MAN
DATE POSTED: MON JUL 25 1:54:00 AM
MY MODS TO CRACK THESE TWO........
SAMMY
TD S0 B9B->EA EA EA
APPLE CIDER
T13 S5 B18->EA EA EA
T12 S1 B0->60
THEY WORK AS FAR AS I CAN SEE!
MSG LEFT BY: GREGG BURMAN
DATE POSTED: WED JUL 27 1:24:47 AM
U.S. CONSTITUTION TUTOR, AND SAT
ENGLISH #1 ARE PRETTY OLD NOW, BUT
I JUST RECENTLY GOT HOLD OF ORIGINALS,
AND THOUGHT I WOULD PASS THIS INFO
ALONG.
MICRO LAB USES A MODIFIED DOS FOR
PROTECTION LIKE SO MANY OTHERS WE
HAVE SEEN IN THE PAST. FROM THE START
IT LOOKS LIKE A STANDARD DEMUFFIN TYPE
CRACK, ALTHOUGH WHEN YOU TRY IT THE
DRIVE COMES ON, AND YOU SEE:
I/O ERROR
HMMM...
WELL MICRO LAB USES INDIRECT COMPARES
WITH ZERO PAGE LOCATIONS IN THEIR RWTS
ROUTINE (I.E. CMP $D6) RATHER THAN THE
STANDARD CMP #$D5. THE PROBLEM WITH
THIS IS THAT SOME OF THESE LOCATIONS
ARE CHANGED WHEN WE RESET OUT OF THE
PROGRAM, OR LIKE BYTE $D6, THE APPLE-
SOFT RUN FLAG, IT IS OFTEN CHANGED
PURPOSEL
MSG LEFT BY: MR. XEROX
DATE POSTED: WED AUG 3 7:07:45 PM
TO CRACK SAMMY LIGHTFOOT:
A) COPY THE DISK WITH COPYA
B) USE THE INSPECTOR TO EDIT:
TRACK-5
SECTOR-E
C) CHANGE BYTE 00 FROM $CE TO $60
D) CHANGE BYTE 28 FROM $60 TO $CE
THAT'S IT !!!!!!
YOUR FRIEND,
MR. XEROX
MSG LEFT BY: RESET VECTOR
DATE POSTED: WED AUG 17 8:49:57 AM
MESSAGE #86: LEARNING WITH LEEPER
THE SECTMOD TO CRACK THIS ONE TO COPYA IS THIS:
TRACK 3 SECTOR F CHANGE BYTES 2C-2E FROM 20 00 12 TO EA EA EA.
THAT'S IT!
COURTESY OF ->RESET VECTOR!
MSG LEFT BY: JIM PHELPS
DATE POSTED: THU SEP 8 8:39:20 AM
TO COPY THE INCREDIBLE JACK, ALL YOU
HAVE TO DO IS USE NIBBLES AWAY II B
AND COPY T0-22 PRESERVE NIBBLE COUNT.
IF IT GETS HUNG UP ON T21 TRYING TO
WRITE WITH D=000 AND P DECREASING BY
2'S THEN JUST HIT THE SPACE BAR AND IT
WILL CONTINUE.
THEN WITH A SECTOR EDITOR,CHANGE THE
INFORMATION ON B9,BA,AND BB ON TRACKS
21,F 21,E 21,A 21,8 21,4 21,2 AND 22,E
TO FF FF FF.THAT'S IT.NOW WRITE PROTECT
IT AND BOOT IT.REMEMBER YOU MUST HAVE
64K FOR IT TO BOOT UP!!!!
HAVE FUN.
JIM PHELPS
MSG LEFT BY: CLINT CAPEHART
DATE POSTED: SAT OCT 15 8:18:20 AM
THERE'S GOT TO BE A BETTER WAY TO DO
THIS , BUT ANYWAY...
GET YOUR FAVORITE IO BLOCK PROGRAM
THAT ALLOWS YOU TO CHANGE HEADERS
AND WRITE ONE TRACK AT A TIME. I USED
DISC-O-DOC II.NOW READ IN TRACKS
WITH THE FOLLOWING DATA HEADERS,
CHANGE THEM TO NORMAL AND WRITE THEM
BACK OUT ONTO A DISK INITIALIZED
UNDER DOS 3.3
T:0-4 -> D5 AA AD (NORMAL)
T:5,6,8,C,E,11,12,16,19,1A,1D,1E,1F,
AND 21 -> D5 AA F7
T:7,9,D,F,13,15,17,22 -> D5 AA B7
T:A,B,10,14,18,1B,1C,20 -> D5 AA F5
IF THERE'S A PATTERN THERE I CAN'T
SEE IT.
ANYWAY THEN BOOT YOUR FAVORITE DOS
(NORMAL OR FAST) AND DO THE MAGIC
TO EXEC ON BOOT (USUALLY
POKE 40514,20) THEN INSERT A BLANK
DISK AND ']INIT TSR' THEN
']DELETE TSR' THEN FID ALL THE FILES
OFF OF YOUR PREPARED DISK.
THEY HAVE A REALLY FUNNY DOS SOME OF
WHICH LIES ON TRACK 4! (THAT'S WHERE
I FOUND 'TSR', INIT-ING WITH HELLO
CAUSES PROBLEMS). INCIDENTALLY ,OF
COURSE, DEMUFFIN DOESN'T FLY AT ALL
WITH THIS LOSER.TILL THEN ...
-> THE BEAST <-
MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN OCT 30 6:05:35 PM
THE JUST RELEASED SARGON III IS BY FAR THE BEST APPLE CHESS GAME AVAILABLE, PLAYING A MUCH STRONGER GAME OF CHESS THAN CHESS 7.0. IT HAS A PROTECTED BOOT THAT THEN READS DATA OFF OF THE UNPROTECTED PART OF THE DISK, AND IT IS QUITE EASY TO CRACK. YOU WILL, HOWEVER, NEED FASTLOADER CREATE PLUS SOME MEANS OF SAVING PAGES $00-$08 (I USE APPLESOFT 0 FROM MASTER KEY+ BUT THERE ARE OTHER WAYS). IF YOU HAVE THE RIGHT TOOLS, THE ONLY HARD PART IS FINDING THE STARTING ADDRESS; THE ADDRESS GIVEN HERE STARTS UP THE PROGRAM JUST AT THE END OF THE PROTECTED BOOT AND THEN GOES ON TO READ FROM THE NORMAL PART OF THE DISK. YOU CAN THUS TAKE OUT LESS MEMORY IN THE CRACKED FILE, AND THIS IS IMPORTANT BECAUSE THERE IS LIMITED SPACE ON THE DISK.
FIRST INIT A BLANK DISK WITH VOLUME NUMBER 205. NOW COPY TRACKS C-22 FROM THE SARGON III ORIGINAL TO THIS DISK. THEN USE A VTOC EDITOR (DISK FIXER OR DISK EDIT) TO FREE UP TRACKS 3-B ON THIS DISK (AND PART OF TRACK 2 ALSO IF YOU WANT). NOW CRACK THE SARGON BOOT FILE BY TAKING OUT THE FOLLOWING CHUNKS OF MEMORY (NONE ARE LONGER THAN $3000 BECAUSE FASTLOADER GETS A LITTLE FLAKY WITH LONGER MEMORY CHUNKS...): $00-$08 (LENGTH 08 PAGES), $08-$0C (LENGTH 04 PAGES), $1B-$20 (LENGTH 05 PAGES), $40-$70 (LENGTH 30), $70-$A0 (LENGTH 30), $A0-$C0 (LENGTH 20). NOW USE FASTLOADER CREATE TO MAKE THESE INTO A BINARY FILE WITH A STARTING ADDRESS OF $1B33. IF YOU DID EVERYTHING RIGHT YOU SHOULD HAVE A 151 SECTOR FILE THAT WILL FIT ON THE DISK YOU MADE WITH ROOM TO SPARE IF YOU FREE UP SECTORS 5-F OF TRACK 2. YOU WILL ALSO HAVE A FEW SECTORS LEFT OVER FOR AN INSTRUCTION FILE IF YOU WISH (MINE CONTAINS ALL OF THE SARGON COMMANDS).
COURTESY OF ->RESET VECTOR!
MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN NOV 6 7:15:32 PM
THIS DISK IS NORMALLY FORMATTED TRACKS 0 - 21 AND THEN HAS A FUNNY TRACK 22. JUST COPY TRACKS 0-21 WITH ANYTHING (FAST COPY OR DISK MUNCHER PREFERABLE ALTHOUGH YOU COULD USE NIBBLES AWAY IN A PINCH), INIT TRACK 22 WITH BAG OF TRICKS, AND THEN DO THIS SECTMOD:
TRACK 5 SECTOR F BYTE 19, CHANGE FROM BD TO 60. IT IS NOW COPYA!
COURTESY OF ->RESET VECTOR!
MSG LEFT BY: GREGG BURMAN
DATE POSTED: MON NOV 7 9:00:23 PM
TO CRACK HOMEWORD, JUST COPYA THE
ORIGINAL DISK, THEN MAKE THE
FOLLOWING SECTMOD:
PATCH:
TRACK $10
SECTOR $0A
BYTES $00 - $01 CHANGE FROM $CE $03
TO $60 $AD
THAT IS ALL! IT IS NOW COPYA.
GREGG BURMAN
MSG LEFT BY: THE WISE CRACKER
DATE POSTED: SAT NOV 12 12:30:10 AM
IF YOU HAVE SPEAK-UP, A HUMAN VOICE
GENERATOR FOR THE ECHO II, YOU MAY BE
WONDERING WHY ONLY THE DATA FILES AP-
PEAR IN THE DIRECTORY? WELL, THEY HIDE
THE REST ON TRACK 3. BUT A GOOD OL'
POKE 44033,3 WON'T DO THE TRICK. HERE'S
WHAT YOU GOTTA DO TO CRACK THIS GREAT
PROGRAM. BOOT THE SPEAK UP DISK, AND
WAIT UNTIL YOU SEE THAT APPLESOFT
PROMPT. THEN, BREAK OUT. WHATEVER IS
YOUR PREFERENCE. GO TO MONITOR, TYPE
*D6:00
*3F2:BF 9D 38
HIT RESET. TYPE
]CATALOG,V96
VOILA, LE DIRECTORIE DE SPEAK UP EST
ICI!
NOW, FOR THE APPLESOFT FILES, JUST
LOAD XXXXXXX,V96, PUT IN A BLANK, AND
SAVE XXXXXX (NO V96). FOR BINARY FILES,
BLOAD XXXXXXX,V96
GET THE ADDRESSES AND LENGTH FROM DOS,
AND BSAVE XXXXXXXX. THEN, FID THE DATA
FILES YOU CAN USUALLY SEE TO THE DISK.
NOW, USE COPYA, OR ANY OTHER COPIER,
AND COPY THE DISK. NOW, INIT THE FIRST
COPY WITH A VOLUME OF 96. NOW, FID THE
FILES FROM THE SECOND COPY TO THE NEWLY
INITTED DISK. NOW, BLOAD RESET, AND
LIST THE CODE. IF YOU WANT, MODIFY THE
ADDRESSES (YOU KNOW HOW TO GET START
AND LENGTH ADDRESSES FROM DOS. RIGHT??)
WELL, NOW BLOAD BHELLO, AND YOU'LL SEE,
THAT THE FIRST THING IT DOES IS
LDA #$80
STA $D6
CHANGE IT TO
CONTINUED NEXT MESSAGE
MSG LEFT BY: THE WISE CRACKER
DATE POSTED: SAT NOV 12 12:32:39 AM
CONT'D
TO
LDA #$00
STA $D6
SAVE IT.....
NOW, WRITE A HELLO PROG TO BRUN BHELLO.
DONE.......
HAPPY KRAKIN'
THE WISE CRACKER
P.S. IF YOU DON'T KNOW HOW TO GET DOS
START AND LENGTH ADDRESSES, HERE....
AA72: LOW ORDER BYTE OF START
AA73: HIGH ORDER BYTE OF START
AA60: LOW ORDER BYTE OF LENGTH
AA61: HIGH ORDER BYTE OF LENGTH
MSG LEFT BY: RESET VECTOR
DATE POSTED: FRI NOV 18 10:02:16 PM
THE FOLLOWING CHANGES ARE PROBABLY A BIT MORE EXTENSIVE THAN ARE ABSOLUTELY NECESSARY TO CRACK THIS PROGRAM, BUT THEY WORK, AND IT WAS EASIER THIS WAY THAN NARROWING IT DOWN FURTHER. JUST COPYA THE DISK (ONLY DISK A IS PROTECTED), THEN USE A SECTOR EDITOR ON THE FOLLOWING SECTORS AND CHANGE ALL OF THE LISTED BYTES TO 60'S:
TRACK F SECTOR 0 BYTES 00-93
TRACK 8 SECTOR 7 BYTES 00-9C
TRACK 4 SECTOR C BYTES 40-FF
TRACK F SECTOR 1 BYTES F7-FF
THAT SHOULD DO IT!
COURTESY OF ->RESET VECTOR!
MSG LEFT BY: CAPTAIN NIBBLE
DATE POSTED: SUN NOV 27 11:11:49 AM
HERE'S AN EASY WAY TO CRACK DINO EGGS
BY MICRO LAB
LOAD A 3.3 DOS
CALL-151
*B942:18
*3D0G
RUN COPY A
NOW CHANGE THE FOLLOWING ON YOUR NEW
COPY
TRACK 0 SECT B BYTE 75 FROM 38 TO 18
TRACK 0 SECT 9 BYTE 42 FROM 38 TO 18
THAT'S ALL THERE IS TO IT
ANOTHER GOODIE FROM CAPTAIN NIBBLE
MSG LEFT BY: COUNT NIBBLER
DATE POSTED: MON DEC 5 10:11:51 AM
MOST OF YOU PRESUMABLY KNOW
ABOUT
HOW TO DISABLE THE DOS CHECKSUMS FOR
CRACKING. THIS WILL UNPROTECT A GOOD
NUMBER OF RECENT PROGRAMS. HOWEVER,
SOME OF THEM DO SOME ADDITIONAL CHANGES
WHICH MAKE THIS METHOD UNUSABLE.
BY PRESSING RESET, EVEN WITH AN
AUTOSTART ROM, YOU CAN TAKE A LOOK AT
THE DOS IN MOST OF THESE PROGRAMS (WITH
AN AUTOSTART ROM, JUST KEEP PRESSING
RESET UNTIL THE DRIVE STOPS WHEN THE
PROGRAM TRIES TO REBOOT, AS MOST OF
THEM DO). THERE ARE A FEW KEY LOCATIONS
THAT CAN BE CHANGED TO OFTEN MAKE THE
FILES COPYABLE FROM THE PROTECTED DISK.
THIS WORKS ON SUCH PIECES OF SOFTWARE
AS THE QUEST, AND MANY OTHERS.
PENGUIN SOFTWARE'S PROTECTION
OF
ITS ADVENTURE PROGRAMS SEEMS TO BE ALL
THE SAME. THEY CHANGE VARIOUS ADDRESS
AND DATA MARKERS, ETC, ENOUGH SO THAT
THE CHECKSUMS METHOD ALONE WILL NOT
WORK, BUT NEITHER WILL THE MUFFIN13/
MUFFIN16 METHOD. TRY BOOTING ONE OF
THEM, AND PRESSING RESET UNTIL IT STOPS
IN BASIC (IT WILL TRY REBOOTING AND
ERASING MEMORY, BUT KEEP PRESSING
RESET). IF YOU HAVE A MONITOR ROM, THEN
NO PROBLEM. IN ANY CASE, ENTER THE
MONITOR AND TAKE A LOOK AT DOS. IN
PARTICULAR, THE FOLLOWING LOCATIONS ARE
DIFFERENT:
ADDR:   DOS 3.3:                  PENGUIN'S:
----    -------                   ---------
B934L   C9 DE    CMP #$DE         C9 DA    CMP #$DA
B990L   C9 DE    CMP #$DE         C9 DA    CMP #$DA
B954L   C9 D5    CMP #$D5         4A       LSR
        D0 F0    BNE $B948        49 6A    EOR #$6A
        EA       NOP              D0 EF    BNE $B948
TO BE CONTINUED
-=+*])! COUNT NIBBLER !([*+=-
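Count Nibbler's table is a good place to see what a changed address-field check actually accepts. The following is an added example, not code from the message: it writes the stock DOS 3.3 compare (CMP #$D5) and the Penguin variant (LSR / EOR #$6A) as predicates, enumerates every byte value each lets through, and runs a small RDADR-style reader over two constructed nibble streams. The 4-and-4 encoding and the D5 AA 96 / DE AA EB prologue and epilogue are the documented DOS 3.3 address-field format; the "penguin_style" stream is an assumption that merely satisfies the listed compare, since the message gives the RWTS bytes, not what those disks carry on the surface.

```python
"""Address-field checks: stock DOS 3.3 RWTS versus the Penguin variant (added example).

The RWTS bytes come from the table above; the nibble streams are constructed.
"""

def stock_first_byte_ok(b):
    """CMP #$D5 / BNE $B948: only $D5 starts an address field."""
    return b == 0xD5

def penguin_first_byte_ok(b):
    """LSR / EOR #$6A / BNE $B948: Z is set when (b >> 1) ^ $6A == 0."""
    return ((b >> 1) ^ 0x6A) == 0

def accepted_first_bytes(check):
    """Every byte value a given compare lets through."""
    return [b for b in range(256) if check(b)]

def encode_44(v):
    """DOS 3.3 4-and-4 nibblizing: odd bits then even bits, each OR'd with $AA."""
    return [((v >> 1) | 0xAA) & 0xFF, (v | 0xAA) & 0xFF]

def decode_44(odd, even):
    return ((odd << 1) | 1) & even & 0xFF

def make_address_field(volume, track, sector, first_byte=0xD5, epilogue=(0xDE, 0xAA, 0xEB)):
    """Prologue, 4-and-4 volume/track/sector/checksum, epilogue."""
    body = []
    for v in (volume, track, sector, volume ^ track ^ sector):
        body += encode_44(v)
    return bytes([first_byte, 0xAA, 0x96] + body + list(epilogue))

def read_address_field(stream, first_byte_ok, epilogue_first):
    """Mimic RDADR: scan for the prologue, decode the four 4-and-4 pairs, verify the
    checksum and the first epilogue byte. Returns (volume, track, sector) or None."""
    for i in range(len(stream) - 11):
        if not (first_byte_ok(stream[i]) and stream[i + 1] == 0xAA and stream[i + 2] == 0x96):
            continue
        vol, trk, sec, chk = [decode_44(stream[i + 3 + 2 * k], stream[i + 4 + 2 * k])
                              for k in range(4)]
        if vol ^ trk ^ sec == chk and stream[i + 11] == epilogue_first:
            return vol, trk, sec
    return None

# Constructed sample streams: a few self-sync bytes, then one address field.
SYNC = bytes([0xFF] * 5)
STOCK_STREAM = SYNC + make_address_field(254, 0x11, 0x05)
# Assumption: a field that satisfies the relaxed compare and the $DA epilogue.
PENGUIN_STYLE_STREAM = SYNC + make_address_field(254, 0x11, 0x05, first_byte=0xD4,
                                                 epilogue=(0xDA, 0xAA, 0xEB))

def readable_by(stream):
    """(stock RWTS reads it, Penguin RWTS reads it)."""
    return (read_address_field(stream, stock_first_byte_ok, 0xDE) is not None,
            read_address_field(stream, penguin_first_byte_ok, 0xDA) is not None)
```

The enumeration shows why the LSR/EOR form is not just an obfuscated $D5: shifting first discards bit 0, so the modified RWTS accepts both $D4 and $D5 as the first prologue byte, while the $DA epilogue compare at $B934/$B990 is what keeps a stock RWTS from reading the same field.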
MSG LEFT BY: COUNT NIBBLER
DATE POSTED: MON DEC 5 10:19:29 AM
IF THIS IS TO MAKE ANY SENSE AT ALL
READ THE FIRST MESSAGE.
IF YOU BOOT YOUR SYSTEM MASTER AND
DISABLE THE CHECKSUM VIA:
CALL-151
B925:1860
B988:1860
B942:1860
YOU CAN BLOAD FID AND MAKE CHANGES IN
THE RESIDENT DOS TO MAKE THE DOS THE
SAME AS PENGUINS:
B954:4A 49 6A D0 EF
B934:C9 DA
B990:C9 DA
THEN WITH A 803G BRUN FID AND COPY THE
FILES OFF THE PROTECTED DISK ONTO YOUR
OWN!!!
** ENJOY **
-=+*])! COUNT NIBBLER !([*+=-
MSG LEFT BY: RESET VECTOR
FIX IT... THE PROPER CRACK IS:
COPY DISK WITH COPYA
CHANGE TRACK 5 SECTOR 6 BYTES 55-57 FROM A9 20 8D (60 20 8D IF
PREVIOUSLY
ALTERED) TO 4C 68 3A
CHANGE TRACK 5 SECTOR A BYTE 6C FROM A9 TO 60
THAT'S IT - IT SHOULD NOW WORK PERFECTLY
COURTESY OF ->RESET VECTOR
MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN DEC 11 10:10:42 PM
CRACKS WITH SAME SECTMOD AS THE EARLIER VERSION, BUT IN A DIFFERENT
PLACE.
COPY WITH COPYA THEN EDIT TRACK 8 SECTOR 4 BYTES A9-AB FROM BD 8C C0 TO
4C E2 91. CRACKED!
COURTESY OF ->RESET VECTOR!
MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN DEC 11 10:13:41 PM
DON'T KNOW IF THIS IS REALLY WORTH POSTING, BUT THAT LONG MESSAGE ON HOW TO CRACK ATARISOFT WAS REALLY A BIT MUCH. EVERY SINGLE ONE OF THEIR GAMES WILL DEMUFFIN WITH THE GREATEST OF EASE, SO WHY GO TO ALL THE TROUBLE OF THAT OTHER PROCEDURE???
->RESET VECTOR!
MSG LEFT BY: BOZO NYC
DATE POSTED: WED JAN 18 3:32:31 AM
THE CRACK WAS NOT DONE BY ME, BUT WAS DONE BY THE WOMBAT. I JUST DUG THRU HIS WORK (HIS CRACKED COPY) AND HERE'S THE NITTY-GRITTY. THE SERIAL NUMBERS ARE NOT REMOVED, BUT EVERYTHING SEEMS TO WORK.
CRACKING LOCKSMITH 5.0
-------- --------- ---
1) USE ANY COPYA TYPE COPIER.
2) TRACK-0 SECTOR-D BYTE-E3 CHANGE TO 90 A8
3) TRACK-1 SECTOR-7 BYTE-90 CHANGE TO A9 EA 8D 72 19 8D 71 19 4C 00 20
THAT'S IT!
BOZONYC
MSG LEFT BY: BOZO NYC
DATE POSTED: THU JAN 19 2:41:33 AM
WELL, AFTER DIGGING AROUND SOME MORE, I FOUND A 1 BYTE PATCH TO CRACK LOCKSMITH 5.0! AGAIN, THANKS TO THE WOMBAT FOR THE ORIGINAL CRACKED DISK THAT LED ME TO THIS 1 BYTE CRACK.
USE A COPYA PROGRAM TO COPY LS5.0
USE A TRACK/SECTOR EDITOR TO CHANGE THE FOLLOWING:
TK=F SK=E BYTE=71
WAS: F4
CHANGE TO: D4
THAT'S REALLY ALL!
BOZONYC
MSG LEFT BY: RIP_EM_OFF SOFTWARE
DATE POSTED: SUN FEB 5 1:10:24 AM
TO CRACK SENSIBLE'S NEW COMM PROGRAM
HERE IS WHAT YOU DO:
1) DISABLE CHECKING ON END OF ADDRESS
MARKERS.
2) COPY ENTIRE DISK EXCEPT FOR TRK $F.
3) MODIFY THESE TRKS AND SCTRS.
TRK  SEC  FROM    TO     BYTE
00   03   ED      DE     ($35)
02   02   90      D0     ($E9)
02   03   00 BF   84 9D  ($61-62)
0B   0F   D0 0B   EA EA  ($12-13)
10   08   D0 01   EA EA  ($5E-5F)
MAKE SURE VOLUME NUMBER ON DEST DISK IS
4! PROGRAM MAY NOT RUN WITHOUT THIS,SO
WATCH IT!
MSG LEFT BY: RESET VECTOR
DATE POSTED: SAT FEB 11 10:02:33 PM
HERE IS HOW TO CRACK THIS ADVENTURE FROM ADVENTURE INTERNATIONAL. THE FLIP SIDE IS ALREADY UNPROTECTED; YOU JUST HAVE TO CRACK THE BOOT SIDE. CONVERT THE WHOLE DISK EXCEPT FOR TRACK 22 WITH ADVANCED DEMUFFIN (I SUGGEST YOU USE THEIR DOS ALSO SO CONVERT TRACKS 0-21). THEN DO THE FOLLOWING:
BLOAD M1
CALL -151
B01:60
BSAVE M1,A$80D,L$1785
CRACKED!
COURTESY OF ->RESET VECTOR!
MSG LEFT BY: RESET VECTOR
DATE POSTED: SUN MAR 5 12:45:55 AM
EASY CRACK. JUST COPYA THE DISK THEN CHANGE TRACK B SECTOR 4 BYTE F3 FROM BD TO 60. CRACKED!
Courtesy of ->Reset Vector!
MSG LEFT BY: X - RAY
DATE POSTED: FRI APR 13 10:40:58 AM
TO CRACK BC'S QUEST FOR TIRES REQUIRES
A SECTOR MOD. AFTER COPYING THE DISK
WITH A STANDARD COPY PROGRAM SUCH AS
COPY A, THE MODIFICATION TO MAKE IS ON
TRACK 6, SECTOR 7. THE CHANGE IS MADE
ON BYTES E7 THRU E9, CHANGED FROM 20 00
96 TO EA EA EA. THAT'S IT.
HAVE FUN....THE X-RAY.
COPYB DOCUMENTATION FILE. BY THE DISK JOCKEY.
INTRODUCTION:
THERE ARE PROBABLY HUNDREDS OF WAYS TO
PROTECT A PROGRAM FROM BEING COPIED.
BUT GENERALLY SPEAKING, PROTECTION
FALLS UNDER TWO CATEGORIES: PROTECT THE
ACTUAL PROGRAM (BY VARIOUS MEANS), OR
PROTECT A DISK FULL OF PROGRAMS WITH
SOME SORT OF DOS MODIFICATION. DOS
MODIFICATIONS ARE THE MOST COMMON SINCE
THEY ARE THE EASIEST TO DEAL WITH (FROM
THE PUBLISHER'S POINT OF VIEW). DOS
MODIFICATIONS ARE ALSO THE LEAST
SUCCESSFUL OF PROTECTION, SINCE SOMEONE
ALWAYS SEEMS TO FIND A WAY TO COPY ALL
THE FILES ONTO A NORMAL DOS DISK,
ELUDING ALL THE PROTECTION. THE CLASSIC
PROGRAM FOR DEALING WITH MODIFIED DOS'S
IS DEMUFFIN PLUS. IT WORKS MUCH THE
SAME WAY AS APPLE'S MUFFIN PROGRAM
WORKS. MUFFIN WAS WRITTEN TO READ FILES
FROM A DOS 3.2 DISK AND THEN WRITE THEM
TO A DOS 3.3 DISK. DEMUFFIN WAS A
VARIATION OF MUFFIN, ALLOWING THE
HARDCORE 3.2 USER TO COPY FILES FROM
DOS 3.3 TO DOS 3.2. DEMUFFIN PLUS
OPERATES ON THE SAME PRINCIPLE, BUT
USES WHATEVER DOS IS IN MEMORY TO READ
THE DISK, AND THEN WRITES OUT TO AN
INITIALIZED DOS 3.3 DISK. WHILE THIS IS
A POWERFUL UTILITY, IT ONLY WORKS WITH
PROGRAMS THAT ARE BASED ON DOS FILE
STRUCTURES AND THAT HAVE A CATALOG
TRACK.
INTRODUCING COPYB:
COPYB IS A HIGHLY MODIFIED VERSION OF
COPYA WHICH CONVERTS A PROTECTED DISK
THAT USES A MODIFIED DOS AND/OR RWTS TO
NORMAL DOS 3.3 FORMAT. THE PROTECTED
DISK MAY HAVE A NORMAL DOS FILE
STRUCTURE, OR IT MAY NOT. SINCE COPYB
COPIES ON A TRACK BY TRACK BASIS, THIS
DOES NOT MATTER. THIS MAKES COPYB A FAR
MORE FLEXIBLE TOOL THAN DEMUFFIN PLUS.
COPYB USES THE PROTECTED DISK'S RWTS TO
READ IN THE TRACKS AND THEN USES NORMAL
DOS 3.3 TO WRITE THEM BACK OUT TO AN
INITIALIZED DISK. UNLESS OTHERWISE
INSTRUCTED, COPYB COPIES TRACK $03 TO
TRACK $22, SECTOR $0F TO SECTOR $00 OF
EACH TRACK. HERE ARE THE PARAMETERS FOR
COPYB:
LOCATION                                NORMALLY
HEX  DEC   DESCRIPTION                  HEX  DEC   NT.
-----------------------------------------------------
22E  558   FIRST TRACK TO READ          03   03    (1)
236  556   FIRST SECTOR TO READ         0F   15    (2)
365  869   RESET SECTOR NUMBER          0F   15    (2)
3A1  929   STOP ON ERROR($18=NO)        38   56    (3)
302  770   TRK TO STOP READING+1        23   35    (4)
35F  863   TRK TO STOP READING+1        23   35    (4)
NOTES (NT.):
1) THIS IS THE FIRST TRACK THAT COPYB
STARTS READING AT. THIS IS NORMALLY SET
AT TRACK 3, SO NOT TO COPY THE
PROTECTED DOS WHICH NORMALLY RESIDES ON
TRACK 0 THROUGH TRACK 2.
2) THESE TWO PARAMETERS ARE NORMALLY
SET TO $0F FOR 16 SECTOR DISKS. CHANGE
THESE TWO PARAMETERS TO $0C FOR 13
SECTOR DISKS. MOST OF TODAY'S
PROTECTION SCHEMES ARE BASED ON 16
SECTORS. YET THERE ARE STILL A FEW
USING 13 SECTORS (SUCH AS MUSE).
INTERESTINGLY ENOUGH, THERE IS A
HANDFUL OF AUTHORS THAT ALSO USE
SECTORING OTHER THAN 13 OR 16 SECTORS
PER TRACK. AN EXAMPLE OF THIS IS
"THIEF" FROM DATAMOST. THIS PROGRAM
USES 11 SECTORS PER TRACK. COPYB CAN
ALSO ACCOMMODATE THESE PROGRAMS.
3) THIS PARAMETER IS NORMALLY SET SO
THAT UPON READING A 'BAD SECTOR' COPYB
WILL STOP AND DISPLAY AN ERROR. TO LET
COPYB KEEP GOING AFTER A READ ERROR,
CHANGE THIS BYTE TO $18 (24 IN
DECIMAL). THE EQUIVALENT SECTOR ON THE
COPIED DISK WILL BE WRITTEN BLANK.
4) THESE TWO PARAMETERS DETERMINE WHERE
COPYB WILL STOP READING THE PROTECTED
DISK. NORMALLY, THIS IS SET TO THE LAST
TRACK, $22 (34 IN DECIMAL) , PLUS ONE.
TO CHANGE THIS, ADD ONE TO THE LAST
TRACK YOU WANT TO COPY AND CHANGE THESE
TWO PARAMETERS.
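The parameter table and its four notes describe a small configuration surface; the following added example (not the COPYB program itself, nor code from The Disk Jockey) turns them into a function that produces the POKEs for a given job and a simulation of the read loop those POKEs control, run over a constructed disk image. One check worth doing before poking: converting the hex column yourself, $236 is 566 decimal (the table prints 556), which is why the code derives the decimal address from the hex one rather than copying the column. The $38/$18 values for "stop on error" are the 6502 SEC and CLC opcodes, the same flag trick as the B942:18 patch used elsewhere on this page.

```python
"""COPYB parameter pokes and the track/sector read loop they control (added example).

Addresses and normal values are the table above; the disk image is constructed.
"""

PARAMS = {  # name: (hex address, normal value, note number)
    "first_track":   (0x22E, 0x03, 1),
    "first_sector":  (0x236, 0x0F, 2),
    "reset_sector":  (0x365, 0x0F, 2),
    "stop_on_error": (0x3A1, 0x38, 3),   # $38 = SEC (flag the error), $18 = CLC (ignore it)
    "stop_track_a":  (0x302, 0x23, 4),
    "stop_track_b":  (0x35F, 0x23, 4),
}

def copyb_pokes(first_track=0x03, last_track=0x22, sectors_per_track=16, stop_on_error=True):
    """Values to POKE before RUNning COPYB, as (decimal address, decimal value) pairs."""
    top = sectors_per_track - 1                     # $0F for 16-sector, $0C for 13-sector
    wanted = {
        "first_track": first_track,
        "first_sector": top,
        "reset_sector": top,
        "stop_on_error": 0x38 if stop_on_error else 0x18,
        "stop_track_a": last_track + 1,             # note 4: last track wanted, plus one
        "stop_track_b": last_track + 1,
    }
    return [(PARAMS[name][0], wanted[name]) for name in PARAMS]

def read_order(first_track, stop_track_plus1, top_sector):
    """COPYB walks each track from the top sector down to sector 0."""
    return [(t, s) for t in range(first_track, stop_track_plus1)
                   for s in range(top_sector, -1, -1)]

class ReadError(Exception):
    """Raised where COPYB would stop and display an error (note 3)."""

def simulate_copy(src, pokes, unreadable=()):
    """src: {(track, sector): 256 bytes}; unreadable: sectors the protected RWTS can't read.
    Returns the image COPYB would write to the DOS 3.3 destination disk."""
    p = dict(pokes)
    halt = p[0x3A1] == 0x38
    dest = {}
    for t, s in read_order(p[0x22E], p[0x302], p[0x236]):
        if (t, s) in unreadable:
            if halt:
                raise ReadError(f"read error at track ${t:02X} sector ${s:02X}")
            dest[(t, s)] = bytes(256)            # note 3: written blank on the copy
        else:
            dest[(t, s)] = src[(t, s)]
    return dest

def constructed_disk(tracks=35, sectors=16):
    """Constructed source image with distinct content per sector (not a real disk)."""
    return {(t, s): bytes(((i + t * 16 + s) & 0xFF) for i in range(256))
            for t in range(tracks) for s in range(sectors)}
```

With the defaults the loop visits 32 tracks of 16 sectors, starting at track $03 so the protected DOS on tracks 0-2 is skipped, exactly as note 1 states; passing `sectors_per_track=13` changes only the two sector parameters, as note 2 describes.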
CREATING COPYB:
AFTER ENTERING OR DOWNLOADING THE BASIC
PROGRAM, SAVE THE PROGRAM BY TYPING:
]SAVE COPYB
NOW YOU MUST ENTER THE ASSEMBLY
LANGUAGE SUBROUTINES THAT COPYB USES.
COPYB USES THE MAIN SUBROUTINES THAT
COPYA USES, SO WE ONLY HAVE TO MODIFY
THE FILE COPY.OBJ0 THAT IS ON THE DOS
3.3 SYSTEM MASTER. BUT FIRST I WILL
EXPLAIN THE ADDED SUBROUTINES THAT
COPYB NEEDS.
REMEMBER THAT COPYB USES THE PROTECTED
PROGRAM'S RWTS TO READ THE DISK BY
MOVING IT FROM $8000 TO $B700 - $BFFF.
AFTER COPYB IS DONE READING THE
PROTECTED DISK, NORMAL RWTS IS MOVED
BACK UP TO $B700 - $BFFF FROM $8900 TO
WRITE TO A NORMAL DOS DISK. THIS IS
HANDLED BY SOME SUBROUTINES WHICH WILL
ADD TO THE EXISTING FILE COPY.OBJ0.
HERE ARE THE ROUTINES (FORMATTED IN 80
COLUMNS):
0220- 20 B0 02    JSR $02B0       :SAVE THE REGISTERS.
0223- A0 B7       LDY #$B7        :BOTTOM PAGE TO MOVE FROM.
0225- A9 89       LDA #$89        :DESTINATION PAGE TO MOVE TO.
0227- 20 80 02    JSR $0280       :COPY NORMAL RWTS FROM $B700-BFFF TO 8900-91FF.
022A- 20 B4 03    JSR $03B4       :SUBROUTINE TO LOCATE RWTS ($3E3).
022D- A9 03       LDA #$03        :STARTING TRACK TO READ FROM.
022F- 8D D1 02    STA $02D1       :STORE TRACK.
0232- 8D D2 02    STA $02D2       :STORE TRACK.
0235- A9 0F       LDA #$0F        :STARTING SECTOR TO READ FROM.
0237- 8D D3 02    STA $02D3       :STORE SECTOR.
023A- 8D D4 02    STA $02D4       :STORE SECTOR.
023D- 4C E7 02    JMP $02E7       :JUMP TO READ ROUTINE.
0240- 20 B0 02    JSR $02B0       :SAVE THE REGISTERS.
0243- A0 80       LDY #$80        :BOTTOM PAGE TO MOVE FROM.
0245- A9 B7       LDA #$B7        :DESTINATION PAGE TO MOVE TO.
0247- 20 80 02    JSR $0280       :MOVE THE RWTS AT $8000 (THE PROTECTED ONE) UP TO $B700-BFFF.
024A- 4C F7 02    JMP $02F7       :JUMP TO WRITE ROUTINE.
0260- 20 B0 02    JSR $02B0       :SAVE THE REGISTERS.
0263- A0 89       LDY #$89        :BOTTOM PAGE TO MOVE FROM.
0265- A9 B7       LDA #$B7        :DESTINATION PAGE TO MOVE TO.
0267- 20 80 02    JSR $0280       :MOVE NORMAL RWTS FROM $8900 BACK TO $B700-BFFF.
026A- 4C 17 03    JMP $0317       :JUMP TO WRITE ROUTINE.
0270- 20 B0 02    JSR $02B0       :SAVE THE REGISTERS.
0273- A0 89       LDY #$89        :BOTTOM PAGE TO MOVE FROM.
0275- A9 B7       LDA #$B7        :DESTINATION PAGE TO MOVE TO.
0277- 20 80 02    JSR $0280       :MOVE NORMAL RWTS FROM $8900 TO $B700-BFFF.
027A- 4C BC 03    JMP $03BC       :RESTORE THE REGISTERS AND EXIT.
0280- 84 07       STY $07         :STORE ORIGINAL PAGE TO MOVE FROM.
0282- 85 09       STA $09         :STORE DESTINATION PAGE TO MOVE TO.
0284- A2 09       LDX #$09        :LOAD X WITH NUMBER OF PAGES TO MOVE.
0286- A9 00       LDA #$00        :LOAD ACCUM WITH $00.
0288- A8          TAY             :TRANSFER #$00 TO Y.
0289- 85 06       STA $06         :STORE #$00 AT $06.
028B- 85 08       STA $08         :STORE #$00 AT $08.
028D- B1 06       LDA ($06),Y     :LOAD ACCUM FROM THE ADDRESS POINTED TO BY LOCATIONS $06 & $07 (LO-HI ORDER), INDEXED BY Y.
028F- 91 08       STA ($08),Y     :STORE ACCUM AT THE ADDRESS POINTED TO BY LOCATIONS $08 & $09 (LO-HI ORDER), INDEXED BY Y.
0291- C8          INY             :INCREMENT Y.
0292- D0 F9       BNE $028D       :CONTINUE UNTIL END OF PAGE.
0294- E6 07       INC $07         :INCREMENT ORIGINAL PAGE.
0296- E6 09       INC $09         :INCREMENT DESTINATION PAGE.
0298- CA          DEX             :DECREMENT X.
0299- D0 F2       BNE $028D       :IF HAVEN'T MOVED 9 PAGES, DO AGAIN.
029B- 60          RTS             :RETURN FROM SUBROUTINE.
02B0- 8D C7 03    STA $03C7       :STORE ACCUMULATOR AT $3C7.
02B3- 8E C8 03    STX $03C8       :STORE X-REGISTER AT $3C8.
02B6- 8C C9 03    STY $03C9       :STORE Y-REGISTER AT $3C9.
02B9- 60          RTS             :RETURN FROM SUBROUTINE.
SO TO CREATE THE OBJECT FILE FOR
COPYB, WE SHOULD FIRST ENTER THE
MONITOR BY TYPING:
]CALL-151
NEXT WE SHOULD INITIALIZE THE MEMORY
AREA BY TYPING:
*220:FF N 221<220.2CDM
NOW BLOAD THE FILE COPY.OBJ0 FROM THE
DOS 3.3 SYSTEM MASTER BY TYPING:
*BLOAD COPY.OBJ0
NOW TYPE IN THE NEW CODE AND SOME
CHANGES:
*228:80 02 20 B4 03 A9 03 8D
*230:D1 02 8D D2 02 A9 0F 8D
*238:D3 02 8D D4 02 4C E7 02
*240:20 B0 02 A0 80 A9 B7 20
*248:80 02 4C F7 02
*260:20 B0 02 A0 89 A9 B7 20
*268:80 02 4C 17 03
*270:20 B0 02 A0 89 A9 B7 20
*278:80 02 4C BC 03
*280:84 07 85 09 A2 09 A9 00
*288:A8 85 06 85 08 B1 06 91
*290:08 C8 D0 F9 E6 07 E6 09
*298:CA D0 F2 60
*2B0:8D C7 03 8E C8 03 8C C9
*2B8:03 60
*2C1:20
*2C4:40
*2C7:60 02
*2CB:13 7F B0 60
*2D0:01 03 03 0F 0F
*2D8:B4
*2DD:02
*2F8:B4
*318:B4
*3C7:02 9D C0 B3 C4 C4
*220:20 B0 02 A0 B7 A9 89 20
AFTER ENTERING THESE CHANGES, SAVE THE
FILE BY TYPING:
*BSAVE COPYB.OBJ,A$220,L$1AB
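TO SEE WHAT THE PAGE MOVER AT $0280 AND THE REGISTER SAVER AT $02B0 ACTUALLY DO WHEN THEY RUN, HERE IS AN ADDED EXAMPLE (EDITOR'S ADDITION, NOT PART OF THE ORIGINAL TEXT AND NOT COPYB'S OWN CODE): A SMALL PYTHON INTERPRETER THAT IMPLEMENTS ONLY THE 6502 OPCODES THOSE TWO ROUTINES USE. IT LOADS THE MONITOR ENTRY LINES FOR $280-$29B AND $2B0-$2B9 EXACTLY AS TYPED ABOVE, FILLS $B700-$BFFF WITH CONSTRUCTED STAND-IN BYTES IN PLACE OF A REAL RWTS, AND CALLS THE MOVER WITH Y=$B7 AND A=$89 JUST AS THE $0220 ENTRY DOES. THE branch_offset HELPER SHOWS WHERE THE $F9 AND $F2 BYTES IN THE TWO BNE INSTRUCTIONS COME FROM. THE FUNCTION NAMES ARE THE EDITOR'S OWN.

```python
# ADDED EXAMPLE: MINIMAL 6502 INTERPRETER FOR THE COPYB PAGE-MOVE ($0280)
# AND REGISTER-SAVE ($02B0) ROUTINES. NOT COPYB'S OWN CODE.

# MONITOR ENTRY LINES COPIED FROM THE LISTING ABOVE (JUST THE TWO ROUTINES).
MONITOR_LINES = [
    "*280:84 07 85 09 A2 09 A9 00",
    "*288:A8 85 06 85 08 B1 06 91",
    "*290:08 C8 D0 F9 E6 07 E6 09",
    "*298:CA D0 F2 60",
    "*2B0:8D C7 03 8E C8 03 8C C9",
    "*2B8:03 60",
]


def load_monitor_lines(mem, lines):
    """STORE '*ADDR:BB BB ...' LINES INTO MEM THE WAY THE APPLE MONITOR DOES."""
    for line in lines:
        addr_text, data_text = line.lstrip("*").split(":")
        addr = int(addr_text, 16)
        for tok in data_text.split():
            mem[addr] = int(tok, 16)
            addr += 1


def branch_offset(branch_addr, target):
    """OFFSET BYTE FOR A 6502 BRANCH AT BRANCH_ADDR TO TARGET. THE OFFSET IS
    RELATIVE TO THE ADDRESS FOLLOWING THE TWO-BYTE BRANCH INSTRUCTION."""
    off = target - (branch_addr + 2)
    if not -128 <= off <= 127:
        raise ValueError("branch target out of range")
    return off & 0xFF


def run_6502(mem, pc, a=0, x=0, y=0, max_steps=100000):
    """RUN FROM PC UNTIL AN RTS; RETURN (A, X, Y). ONLY THE OPCODES THE TWO
    ROUTINES USE ARE IMPLEMENTED, AND ONLY THE ZERO FLAG IS TRACKED (BNE IS
    THE ONLY BRANCH PRESENT)."""
    z = False
    for _ in range(max_steps):
        op = mem[pc]
        if op == 0x84:                        # STY ZP
            mem[mem[pc + 1]] = y; pc += 2
        elif op == 0x85:                      # STA ZP
            mem[mem[pc + 1]] = a; pc += 2
        elif op == 0xA2:                      # LDX #IMM
            x = mem[pc + 1]; z = x == 0; pc += 2
        elif op == 0xA9:                      # LDA #IMM
            a = mem[pc + 1]; z = a == 0; pc += 2
        elif op == 0xA8:                      # TAY
            y = a; z = y == 0; pc += 1
        elif op == 0xB1:                      # LDA (ZP),Y: POINTER IS LO-HI AT ZP, ZP+1
            zp = mem[pc + 1]
            base = mem[zp] | (mem[zp + 1] << 8)
            a = mem[(base + y) & 0xFFFF]; z = a == 0; pc += 2
        elif op == 0x91:                      # STA (ZP),Y
            zp = mem[pc + 1]
            base = mem[zp] | (mem[zp + 1] << 8)
            mem[(base + y) & 0xFFFF] = a; pc += 2
        elif op == 0xC8:                      # INY
            y = (y + 1) & 0xFF; z = y == 0; pc += 1
        elif op == 0xD0:                      # BNE REL (SIGNED 8-BIT OFFSET)
            off = mem[pc + 1]
            off -= 256 if off >= 128 else 0
            pc += 2
            if not z:
                pc += off
        elif op == 0xE6:                      # INC ZP
            zp = mem[pc + 1]
            mem[zp] = (mem[zp] + 1) & 0xFF; z = mem[zp] == 0; pc += 2
        elif op == 0xCA:                      # DEX
            x = (x - 1) & 0xFF; z = x == 0; pc += 1
        elif op in (0x8D, 0x8E, 0x8C):        # STA / STX / STY ABS
            addr = mem[pc + 1] | (mem[pc + 2] << 8)
            mem[addr] = {0x8D: a, 0x8E: x, 0x8C: y}[op]; pc += 3
        elif op == 0x60:                      # RTS
            return a, x, y
        else:
            raise ValueError(f"unsupported opcode ${op:02X} at ${pc:04X}")
    raise RuntimeError("step limit exceeded")


def move_pages_demo():
    """CALL $0280 WITH Y=$B7, A=$89 (AS THE $0220 ENTRY DOES) AND CHECK THAT
    EXACTLY THE NINE PAGES $B700-$BFFF LANDED AT $8900-$91FF."""
    mem = bytearray(0x10000)
    load_monitor_lines(mem, MONITOR_LINES)
    for addr in range(0xB700, 0xC000):        # CONSTRUCTED STAND-IN FOR NORMAL RWTS
        mem[addr] = (addr * 7 + 3) & 0xFF
    run_6502(mem, 0x0280, a=0x89, y=0xB7)
    copied = mem[0x8900:0x9200] == mem[0xB700:0xC000]
    next_page_untouched = not any(mem[0x9200:0x9300])
    return copied and next_page_untouched


def save_registers_demo():
    """CALL $02B0 AND RETURN THE THREE BYTES IT PARKS AT $3C7-$3C9."""
    mem = bytearray(0x10000)
    load_monitor_lines(mem, MONITOR_LINES)
    run_6502(mem, 0x02B0, a=0x11, x=0x22, y=0x33)
    return mem[0x3C7], mem[0x3C8], mem[0x3C9]


if __name__ == "__main__":
    print("pages moved correctly:", move_pages_demo())
    print("saved registers:", [hex(b) for b in save_registers_demo()])
    print("BNE offsets:", hex(branch_offset(0x0292, 0x028D)),
          hex(branch_offset(0x0299, 0x028D)))
```

THE MOVER WORKS BECAUSE LDA ($06),Y AND STA ($08),Y READ THEIR 16-BIT POINTERS FROM ZERO PAGE IN LO-HI ORDER: $06/$08 HOLD THE LOW BYTE (ALWAYS $00 HERE) AND $07/$09 HOLD THE PAGE NUMBER, SO INC $07 AND INC $09 STEP BOTH POINTERS ONE PAGE AT A TIME WHILE Y WALKS THE 256 BYTES INSIDE EACH PAGE.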
USING COPYB:
TO USE COPYB, YOU MUST CAPTURE THE
FOREIGN RWTS AND PUT IT AT LOCATIONS
$8000 THROUGH $88FF. YOU CAN DO THIS
ONE OF TWO WAYS:
1) BOOT THE PROTECTED DISK AND AFTER
THE FOREIGN DOS IS LOADED, RESET INTO
THE MONITOR. THE FOREIGN DOS WILL
USUALLY BE LOADED A FEW SECONDS AFTER
THE BOOT STARTS. YOU CAN TELL THIS
BECAUSE MANY TIMES A BASIC PROMPT WILL
APPEAR AT THE BOTTOM OF THE TEXT
SCREEN. USE THE MONITOR MOVE COMMAND TO
MOVE RWTS DOWN TO $8000 AS SO:
*8000<B700.BFFFM
NOW BOOT A 48K SLAVE DISK (THIS WILL
NOT DESTROY MEMORY FROM $900 TO $95FF)
AND RUN COPYB.
2) READ IN TRACK 0, SECTOR 1 THROUGH
TRACK 0 SECTOR 9 OF THE PROTECTED DISK
INTO MEMORY $8000 TO $88FF WITH A
SECTOR EDITOR SUCH AS 'THE INSPECTOR'.
THEN RUN COPYB.
ENTERING THE PARAMETERS AND RUNNING
COPYB:
RUN COPYB BY TYPING:
]RUN COPYB
THE PROGRAM WILL COME UP AND ASK WHAT
PARAMETERS TO USE, ALL DESCRIBED ABOVE.
COPYB WILL POKE IN THE VALUES YOU HAVE
ENTERED FOR YOU. ENTER ALL VALUES IN
DECIMAL.
AFTER ENTERING THE PARAMETERS, YOU WILL
BE ASKED IF YOUR SELECTIONS ARE
CORRECT. IF YOU ANSWER YES, THE NEXT
SET OF PROMPTS WILL APPEAR, WHICH
SHOULD LOOK FAMILIAR. ENTER THE
ORIGINAL AND DESTINATION DRIVE AND SLOT
NUMBERS, JUST LIKE IN COPYA. LASTLY,
YOU WILL BE ASKED IF YOU WANT THE
DESTINATION DISK TO BE INITIALIZED,
RESPOND YES OR NO. NOW PRESS THE RETURN
KEY TO START THE COPY.
WHEN THE COPY IS COMPLETED, ASSUMING
ALL WENT CORRECTLY, YOU WILL HAVE A
NORMAL DOS 3.3 VERSION OF YOUR
PROTECTED DISK WHICH MAY RUN OR BE
EXAMINED AND CHANGED MORE EASILY THAN
THE ORIGINAL DISK.
THIS METHOD OF DEPROTECTION IS MORE
DEPENDABLE THAN USING DEMUFFIN PLUS AND
COVERS MORE TYPES OF PROGRAMS. I AM
SURE YOU WILL FIND COPYB AN EXCELLENT
UTILITY TO HAVE.
MSG LEFT BY: CAPTAIN NIBBLE
DATE POSTED: THU DEC 1 4:41:39 PM
HERE'S HOW TO CRACK THE STANDING STONE
BY ELECTRONIC ARTS
RUN COPYA ON BOTH SIDES OF THE DISK
NOW ON THE BOOT SIDE CHANGE THE
FOLLOWING
TRACK 11 SECTOR 3 BYTES 68 & 69
TO 18 60
THAT'S ALL THERE IS TO IT
ENJOY
CAPTAIN NIBBLE