Cracking Techniques


Now here's a surprise!
I had no idea the Cracking Techniques saga went beyond 1985!
Well, it does: here is the 1986 vintage.
It is not exactly common on the internet!!!

My copy corresponds to an original bought on eBay.
The content is therefore 100% intact.

It has the same spirit as its predecessors: recipes (fairly short and without frills) from the cracking cookbook.

Originally, these files were messages left by pirates on a specialized, and paying, server located in Boston (MA) and reachable at 617-720-3600. An original way to entice the onlooker who owned an uncopyable original, with no backup disk offered by the publisher.
You had to pay $15 to connect, at the speed of the day: 300 baud, or the state of the art at the time, 1200 baud! Quite an era ;-)

Since we're on the subject, I strongly recommend investing in a slice of history, that of the BBS (Bulletin Board Systems), with the excellent documentary "BBS: The Documentary", made over several years by Jason Scott (who describes himself as a computer historian), who also owns the unbeatable website www.textfiles.com, which gathers an impressive number of files from these BBSes.

His site gives the following information about Pirate's Harbor:

"One of the first large commercial pay boards in Boston, a subscription to Pirate's Harbor would allow the caller access to a collection of text files that would extensively explain the various software protection cracking techniques useful for all brands of 8-bit computer. There were separate sections for all brands of popular computer. 1983: Board is originally known as Pirate's Harbor. 1986: A second line is installed at 617-720-4097. The board now goes by the name of T-I-M-E-C-O-R, rather than Pirate's Harbor, as the term "Pirate" is now looked upon with much disfavor. Tightening of copyright laws and the spread of the Internet will lead to the eventual demise of the board. (The term "pirates" is replaced by "elites" and "RaTz", among other euphemisms....)"

- Winston Smith


Two other Net-Works-][ boards are also mentioned: Pirate's Chest (Waltham, MA) and NET-WORKS Pirate's Harbor (CAMBRIDGE, MA).

In the 1986 edition of this series, the trophy for stupidity goes to the publisher Funk Software and its software Sideways (spreadsheet printing).
All it took was an UnDelete on a deleted file still present in the disk catalog to recover the protection routine...
In short, boot Copy II+ and run one menu option, and 10 seconds later the software reveals everything about its protection!
Professional work, it goes without saying :-)))

Original disk

Cracking Techniques 1986


Floppy
DOS 3.3
Download Original disk: Cracking Techniques 1986 (gzipped)


Contents

01) CRACKING TOOLS.
02) BANK STREET SPELLER.
03) BARD'S TALE.
04) BC'S QUEST.
05) BOSTON COMPUTER DIET.
06) EIDOLON!!!
07) F-15 STRIKE EAGLE.
08) FANTAVISION!
09) FATHOMS 40 KRAK.
10) GATO CRACKED.
11) GATO KRAK.
12) GOONIES.
13) HACKER HACKED.
14) HITCHHIKER'S GUIDE.
15) HOBBIT.
16) KARATE CHAMP.
17) KING'S QUEST I.
18) KINGS QUEST II-1 BYTE.
19) MATH IN NUTSHELL.
20) MIDI SOFTWARE.
21) MINDSCAPE.
22) MUSIC CONSTRUCTION.
23) PRINT SHOP KRACKS.
24) QUICKEN.
25) ROAD RALLY USA.
26) ROBOT ODYSSEY.
27) SAT CRACKED.
28) SHERLOCK HOLMES.
29) SIDEWAYS ANSWER.
30) SPACE STATION.
31) STAR TREK KRAK.
32) TELEPORTER.
33) TRILLIUM.
34) ULTIMA IV KRAK!!
35) UNIVERSE KRAK.
36) WORLD'S GREATEST FOOTBALL.
37) WORLDS GREATEST BASEBALL.
38) ZORRO!




01) CRACKING TOOLS.



MSG LEFT BY: RED REBEL


THE FOLLOWING TOOLS SHOULD BE IN YOUR
ARSENAL FOR CRACKING:
 
'BENEATH APPLE DOS'    QUALITY SOFTWARE
'BENEATH APPLE PRODOS' QUALITY SOFTWARE
'BAG OF TRICKS'        QUALITY SOFTWARE

'WHAT'S WHERE IN THE APPLE'   MICRO INK

'APPLE MONITORS PEELED'  APPLE COMPUTER
INTEGER CARD             APPLE COMPUTER
LANGUAGE CARD            APPLE COMPUTER

MASTERDISK         MASTERWORKS SOFTWARE
MASTER DOS         MASTERWORKS SOFTWARE

D-A-R-K                      MICROSEEDS

NIBBLES AWAY      COMPUTER APPLICATIONS

LOCKSMITH 6.0                     OMEGA
MR. FIXIT                         OMEGA
INSPECTOR                         OMEGA
WATSON                            OMEGA

COPY ][ PLUS     CENTRAL POINT SOFTWARE

   BEAGLE BROTHERS SOFTWARE FROM SAME

ANY OF THE VARIOUS NON MASKABLE (NMI)
 INTERRUPT CARDS SUCH AS:
     CRACK-SHOT,REPLAY II, WILDCARD
 
GOOD BOOKS ON MACHINE LANGUAGE BY:
     ROGER WAGNER & RANDY HYDE
 
CRACKING TECHNIQUES '83  PIRATES HARBOR
CRACKING TECHNIQUES '84  PIRATES HARBOR
CRACKING TECHNIQUES '85  PIRATES HARBOR
KRAKING-DISK JOCKEY      PIRATES HARBOR
KRAKING by DJ  Vol II    PIRATES HARBOR
 
Any of these products may be obtained
from PIRATES HARBOR if you cannot
get them from your local dealer.

KEEP ON CRACKING!!!
 
                    >>> RED REBEL <<<




02) BANK STREET SPELLER.


MSG LEFT BY: DRACKS KRAX


HERE IS HOW TO "FIX" YOUR BANK STREET
SPELLER'S BUILT-IN COPIER TO MAKE
INFINITE COPIES. THIS REQUIRES THAT
YOU HAVE NOT USED IT YET. WHILE THIS
IS NOT ACTUALLY CRACKING IT, IT IS
GOOD ENOUGH TILL I (OR SOMEONE) GET
AROUND TO CRACKING IT.
 
1) BOOT THE SPELLER.
2) HIT <ESC> TO ENTER THE OPTIONS/
COPIER MENU.
3) ENTER MONITOR BY YOUR FAVORITE
METHOD.
4) TYPE: 42F6:20 14 43
         4000G
 
5) NOW YOU'VE A COPY WHOSE BUILT-IN
COPIER ALLOWS INFINITE COPIES. COPYA
WORKS FINE FOR THE BACK.
 
--> OH YES, YOUR ORIGINAL SHOULD BE
WRITE-PROTECTED DURING THIS!
 
 
 
          ===> DRACKS KRAX <===




03) BARD'S TALE.


MSG LEFT BY: DOCTOR DETROIT

 
To crack Bard's Tale by Electronic Arts:
 
 
(1) Copy all three sides onto blank disks using something like LS fastcopy.
 
(2) Get out your favorite sector editor and read track 1, sector $E
    from the boot disk.  Change bytes $47-$49 from  20 F8 A0
                                                to  18 60 40
    and write the sector back out.
 
(3) read in track 1, sector $B and change bytes $47-$49 the same way.
 
 
>>> Doctor Detroit <<<




04) BC'S QUEST.


MSG LEFT BY: STEPHEN GAMBLIN


COPY BC'S QUEST FOR TIRES WITH ANY COPY
PROGRAM SUCH AS LOCKSMITH'S FAST COPY
OR COPYA AND THEN USE A SECTOR EDITOR
AND CHANGE TRACK 6 SECTOR 7
BYTE
E8  TO EA
E9  TO EA
EA  TO EA
 
THIS IS THE PROPER WAY TO DO IT. THERE
IS ANOTHER BC CRACK ON THIS SYSTEM BUT
IT IS INCORRECT.




05) BOSTON COMPUTER DIET.


Deprotecting the Original Boston
Computer Diet from Scarborough Systems.
By the Disk Jockey.


Requirements to Perform Krak:
-----------------------------
-Any Apple or Apple clone computer with
 a disk drive.
-A Sector Editor.
-COPYA from the DOS 3.3 System Master,
 or any normal DOS copy program.
-4 blank disks.
-The Original Boston Computer Diet.


Hardware/Software Used to Determine
Krak:
-----------------------------------
-The Senior PROM version 2.0 from
 Cutting Edge Enterprises (for
 interrupting, editing/modifying, and
 restarting a program).


All four sides of the OBCD copy with
COPYA or Locksmith 5.0 Fastcopy.  Of
course, the copied program will not
run.  Instead, after booting you
receive the message "Defective Disk",
memory clears, and the program
halts.

After booting the Copied OBCD several
times, I was able to time where the
Disk Check was occurring, and interrupt
the program before receiving the
"Defective Disk" message.  Using the
Senior PROM's "D" command after
interrupting the program (which gives a
disassembly of ten instructions
before and after where the program is
currently executing), I could easily
see a check disk routine was at
location $77A2.

In words, this routine saves the
current parameters of RWTS (current
track and command code), seeks the
read/write head to track $0E, and then
looks for the byte sequence $D5 F7.

To test my theory about the Check Disk
routine, I put a "60" (Return from
Subroutine instruction) at location
$77F2, and restarted the program with
the Senior PROM.  Sure enough, the
program restarted and ran perfectly,
just as if the original disk was in the
drive.

So all I needed to do was to put a $60
(Return from Subroutine instruction) at
location $77A2 on the disk with a
sector editor, and the OBCD would be
deprotected!

Now the bad news.  Searching through
all the disks for the code at $77A2
with the Senior PROM's disk search
utility brought nothing.  Obviously,
the OBCD anticipated this action and
thoughtfully encoded the routine
differently on the disk than when it
was running in memory.

Knowing that the OBCD used RWTS to load
in the code, this meant that each
page in memory ($100 hex bytes or 256
decimal bytes) represented a sector
on the disk.  Since the Disk Check code
was somehow encoded, I decided to
search the disk for the byte sequence
at location $7700, the beginning of
the page where the Disk Check routine
resided.  Hopefully this code wasn't
encoded.  This code was found on track
$08, sector $3, side A of the OBCD.

Great!  Now we just need to figure out
how the code was encoded and then
make the appropriate change.  I found
the encoding routine at location
$7783.

After much experimentation with editing
different tracks and examining the
results in memory, I found that
replacing bytes $60-62 on track $8,
sector $4 from the original $83 77 71
to $60 60 60 would put a single $60
(Return from Subroutine instruction) at
location $77A2 in memory.  That's the
only change needed to deprotect the
OBCD!


In cookbook form:

1)  Boot normal DOS 3.3 and run your
favorite normal DOS copy program
(i.e. COPYA, Locksmith 5.0 Fast Copy,
etc.).

2)  Copy all four sides of the Original
Boston Computer Diet to some blank
disk.

3)  Run your favorite sector editor and
make the following change to your
copy of the OBCD:

 Track $08, sector $4, byte $60, side A
      From  $83 77 71
      To    $60 60 60

4)  Write the sector back out to your
copy of the OBCD.


And you're all done!

-the Disk Jockey-




06) EIDOLON!!!


MSG LEFT BY: THE SCHIZOPHRENIC


THIS MAY WORK ON ALL OF LUCASFILM'S
STUFF.
BOOT SYSTEM MASTER AND RUN COPYA
CTRL C
CALL-151
*B925:18 60
*B988:18 60
*3D0G
(THIS DEFEATS THE EPILOGUE BYTE CHECK)
70
RUN
THEN RUN A SECTOR EDITOR ON
TRACK 01 SECTOR F BYTE 05
FROM 4C 00 C6
TO   EA EA EA
 
THAT'S IT. FOR OTHER STUFF YOU MAY
HAVE TO SEARCH THE DISK FOR THE ABOVE
SEQUENCE.
 
 
///////THE SCHIZOPHRENIC\\\\\\\
\\\\\\\[][E.C.C.I.[][][]///////
EAST COAST CANADIAN INDEPENDENT KRACKER




07) F-15 STRIKE EAGLE.


MSG LEFT BY: DOCTOR DETROIT


To crack F-15 strike eagle:
 
1) Copy the whole disk except track $06 using
   something like advanced copya.
 
2) Sector edit - track $20  sector $00  change bytes $71-73 to EA
                 track $1F  sector $06  change bytes $DE-E0
                                        from 8D 0D 6A  to  EA EA EA
 
That should do it.
 
>>> Doctor Detroit <<<




08) FANTAVISION!


MSG LEFT BY: DRACKS KRAX


HERE IS  THE "COOK-BOOK" METHOD TO
CRACK FANTAVISION:
 
1) BOOT A NORMAL DOS 3.3 DISK.
2) TYPE THIS:
CALL -151
9600<C600.C700M
96F9:59 FF (AFTER BOOT1, ENTER MONITOR)
9600G (FIRST PUT FANTAVISION IN DR. 1)
C0E8 (TURN OFF DISK DRIVE)
9700<800.8FFM
96F9:01 97
9751:97
977F:59 FF (NOW NEXT AMOUNT OF CODE
 SHALL LOAD UP & PUT YOU IN MONITOR).
9600G
C0E8
1900<BE00.BFFFM (MOVE CODE TO SAFETY).
19AB:0F BF (DISABLE NIBBLE COUNT)
C600G (1ST. PUT IN NORMAL DOS DISK)
BSAVE RWTS,A$1900,L$1FF
 
3) NOW RUN ANY DISK COPIER/CONVERTER
 SUCH  AS ADVANCED DEMUFFIN, IOB+ OR
 COPYB. WHICHEVER. HAVE IT LOAD THE
 RWTS FILE YOU SAVED.
 
4) ON YOUR COPY IT PRODUCES, DO THE
 FOLLOWING SECTOR EDITS:
 
AT TRACK $15, SECTOR $05, BYTE $00,
START TYPING THIS:
A9 22 20 09 B0 A2 60 20
26 B1 A5 E3 C9 00 D0 F7
85 E6 A9 BE 85 E7 20 11
B0 20 26 B1 A5 E3 C9 0D
D0 F7 E6 E7 20 11 B0 18
60
 
THAT BE-ITH IT!
 
         -=> DRACKS KRAX <=-
         -=>K-O ALLIANCE!<=-




09) FATHOMS 40 KRAK.


MSG LEFT BY: BRETT BENO



ALTHOUGH THIS GAME IS A LITTLE OLD, IT'S GREAT WHEN YOU'RE IN A PSYCHOTIC MOOD.
THE CRACK IS EXTREMELY SIMPLE.
1) INIT A BLANK DISK WITH YOUR OWN HELLO PROGRAM
2) FID ALL FILES EXCEPT THE GAME'S HELLO PROGRAM ONTO THE INIT'ED DISK.
3) ADD A LINE TO YOUR HELLO: -PRINT CHR$(4)"BRUN RESET,A$280-
IT'S THAT SIMPLE.
THIS IS MY FIRST REAL CRACK, BUT I HOPE TO BE ONTO BIGGER AND BETTER KRAKS.
&&&&&&&&&&&& SIR NEMISIS &&&&&&&&&&&&&&




10) GATO CRACKED.


MSG LEFT BY: DRACKS KRAX


HERE'S HOW TO DEPROTECT THE WWII
SUBMARINE GAME, CALLED GATO:
 
THE GATO DOS LIVES AT $D000, IN THE RAM
CARD, BUT THE PROTECTION CODE'S AT
$B65A. IT DOES A NIBBLE READ TO TRACK
$11, LOOKING FOR BYTE SEQUENCE $AA $AB.
IF IT IS NOT FOUND, THE ACCUMULATOR
LOADS $00 INTO THE STACK. ELSE, $01.
THIS CODE IS ON TRACK $15. TO CREATE
A COPYA COPY:
 
1) COPY THE DISK WITH COPYA.
2) EDIT ON TRACK $15, SECTOR $C WITH A
 SECTOR EDITOR:
 
CHANGE THE BYTES FROM $8C TO $8F:
FROM: $AD E9 C0 A9
TO: $A9 01 D0 67
 
AND: THAT'S IT!
 
***************************************
*       FROM DRACKS KRAX OF THE       *
*             K-O ALLIANCE            *
***************************************




11) GATO KRAK.



MSG LEFT BY: DISK JOCKEY


Gato is an excellent WWII sub program,
and it could involve a lot of time to
krak because of the subtle protection
that is deep in the program.
 
The Gato DOS lives in the RAM card
around $D000, but the protection code
lives at $B660. You may run COPYA on
the disk, and it will copy and ALMOST
run...
 
The routine at $B660 does a "nibble
count" on track $11, looking for a
byte sequence of $AA AB (not really
a nibble count). If not found it loads
the accumulator with #$00 and pushes
it on the stack. Then the program locks
up.
 
But if the correct bytes are found, it
loads the accumulator with #$01 and
pushes that on the stack. Then the
program continues happily along...
 
So we must find this routine on the
disk, and change it so no matter what,
it pushes #$01 on the stack instead of
#$00.
 
Using a disk search utility, I found
the offending code on Track $15,
sector $C, byte $8C.
 
So to krak Gato, do the following:
 
1) Copy the original Gato disk to a
   blank disk using COPYA. It will
   copy fine.
 
2) Run your favorite sector editor and
   make the following byte changes:
 
Track $15, sector $C, byte $8C
   from $AD E9 C0 A9
    to  $A9 01 D0 67
 
This code will load the accumulator
with #$01 and then branch to the end
of the routine. This is the best (and
safest) way to disable the protection!




12) GOONIES.


Deprotecting Goonies from Datasoft.
By the Disk Jockey.


Requirements to Perform Deprotection:
-------------------------------------
-COPYA from the DOS 3.3 System Master.
-A Sector Editor.
-A blank disk.
-Goonies from Datasoft.


Hardware/Software Used to Develop the
Deprotection Technique:
--------------------------------------
-The Senior PROM version 2.0 from
Cutting Edge Enterprises.


Goonies is an excellent arcade game
based (loosely) on the Movie by the
same name.  The protection used by
Datasoft is very similar to that of
"Zorro", just implemented slightly
differently.  Where Zorro used the
upper 16k to run their program loader,
Goonies uses text page 1 (memory from
$400-7FF) and page 3.  Both memory
areas are tricky to work with, but
text page 1 is even more so.  The
reason being if you reset out of
Goonies, text page 1 is automatically
destroyed, since anything printed on
the screen will wipe this memory.

In addition, Zorro had a secondary
disk check routine after the boot.
Goonies did not have this protection.

If you have a Senior PROM, there is no
problem dealing with text page 1.
Just press the push button and use the
"G" command to set the location to
examine, and then press "D" to
disassemble at this location.  This
will give a disassembly of volatile
memory $400-7FF if desired.  Using
this technique, it was easy to
discover the start of the protection
code:

0318-  A0 20          LDY #$20
031A-  88             DEY
031B-  F0 61          BEQ $037E
031D-  BD 8C C0       LDA $C08C,X
0320-  10 FB          BPL $031D
0322-  49 A9          EOR #$A9
(1st byte of the Data Prolog sequence)
0324-  D0 F4          BNE $031A
0326-  EA             NOP
0327-  BD 8C C0       LDA $C08C,X
032A-  10 FB          BPL $0327
(2nd byte of the Data Prolog sequence)
032C-  C9 BA          CMP #$BA
032E-  D0 F2          BNE $0322
0330-  A0 56          LDY #$56
0332-  BD 8C C0       LDA $C08C,X
0335-  10 FB          BPL $0332
0337-  C9 F7          CMP #$F7
(3rd byte of the Data Prolog sequence)
0339-  D0 E7          BNE $0322


Following the code further revealed
that the Data Prolog bytes were $A9 BA
F7, and the Address Prolog bytes were
$CA EE DD on tracks $01-20.  Tracks
$21 and $22 were not used, and track
$00 was unprotected.  We need to
change these three-byte sequences to
$D5 AA AD and $D5 AA 96,
respectively.

Using the Senior PROM's sector editor
to nibble read track $01 of the disk, I
confirmed the following information:

       $A9 BA F7 =    Data Prolog
                      bytes (abnormal)
       $CA EE DD =    Address Prolog
                      bytes (abnormal)
       $DE AA =       Data and Address
                      Epilog bytes
                      (normal)

       342 bytes of data between Data
       Prolog and Epilog bytes.  This
       denotes the disk is in 6+2
       format, or a normal 16 sectors
       per track.

       Only tracks $00-20 contain
       data.  The rest of the disk is
       blank.

This information is invaluable when
trying to convert the disk to normal
DOS format.  The Prolog bytes are road
markers to DOS:  the Address Prolog
bytes tell DOS the next eight bytes
denote what track and sector is being
read.  The Data Prolog bytes tell DOS
that the next 342 bytes are the actual
data.  The Epilog bytes are just
insurance bytes, telling DOS "it ends
here".

The Address and Data Prolog bytes on
Goonies are considerably different
from those on a normal DOS disk.  This
makes it difficult for a copy program
to find what track it's reading
(Address Prolog bytes), and where the
data starts for the sector (Data
Prolog bytes).

Using the Senior PROM's "Alter Prolog
Byte" option, I was able to easily
copy the original Goonies disk to a
blank disk in normal DOS 3.3 format.
Track $00 was copied first, as it is
unprotected.  Then tracks $01-20 are
read with $A9 BA F7 and $CA EE DD Data
and Address Prolog bytes,
respectively, and written in normal
DOS format.

You can also convert the disk with
COPYA.  Here is the procedure:

1)    Boot your DOS 3.3 Systems disk,
      and then type CTRL C at the slot
      prompt.

2)    Then type:

      ]CALL-151
      *302:21
      *35F:21
      *2B0:A9 00 8D D1 02 8D D2 02 60
      *2DC:20 B0 02 A9 FF
      *2E6:F8
      *3D0G

      ]70

      ]258 POKE 47335,213: POKE
      47345,170: POKE 47356,173: POKE
      47445,213: POKE 47455,170: POKE
      47466,150

      ]248 POKE 47335,213: POKE
      47345,170: POKE 47356,173: POKE
      47445,213: POKE 47455,170: POKE
      47466,150

      ]197 POKE 47335,169: POKE
      47345,186: POKE 47356,247: POKE
      47445,202: POKE 47455,238: POKE
      47466,221

      ]RUN

3)    Copy the original Goonies disk
      to a blank disk.

4)    Run your favorite sector editor
      and copy track $00 from the
      original Goonies disk to track
      $00 of the disk you just copied
      in the above step.

The Goonies disk is now in normal DOS
format.  If you boot this disk, of
course it won't run since we haven't
removed the protection yet.

The first step in removing the
protection is to tell Goonies' DOS
that it should use normal DOS Prolog
bytes instead of the protected ones.
Using the Senior PROM, I interrupted
the Goonie program while it was trying
to read the disk.  Using the
Disassemble at Program Counter feature
of the Senior PROM, I found the
routines to change were at $0318-0339
and $0380-03A7.  Bytes $0323, $032D,
$0338 needed to be changed from $A9 BA
F7 (the old Data Prolog bytes) to $D5
AA AD (normal DOS 3.3's Data Prolog
bytes).  Likewise, bytes $0391, $039B,
$03A6 needed to be changed from $CA EE
DD (the old Address Prolog bytes) to
$D5 AA 96 (normal DOS 3.3's Address
Prolog bytes).

It was pretty obvious that this code
had to be on track $00 since it was
the only track the program could load
(remember it was never protected).
Using the Senior PROM sector editor, I
searched track $00 for the code, and
it could not be found!  There had to
be some encoding routine making a
simple search and edit impossible.

Doing some minor boot-code tracing
led to some interesting
information.  The first instruction on
track $00, sector $00 was a JMP $8A2.
Everything past this code looked like
garbage.  The code at $8A2 blanks out
hi-res page 1, and then jumps
indirectly through location $99 (to be
sneaky, no doubt) to $8D8.  The
routine at $8D8 is interesting:  this
code is a routine used to unencode the
rest of page $08.  After unencoding page
$08, it jumps back down to $814 and
loads in the program loader across
text page 1 and page 3.

It turns out the routine at $8D8 is
the same type of routine that is used
to unencode the Goonies disk.  Using
this code, I wrote the following
routine to unencode the bytes on the
disk to what they were in memory:

      900:   A9 FF      LDA #$FF
      902:   85 06      STA $06
      904:   E6 06      INC $06
      906:   A5 06      LDA $06
      908:   48         PHA
      909:   4A         LSR
      90A:   68         PLA
      90B:   6A         ROR
      90C:   C5 07      CMP $07
      90E:   D0 F4      BNE $0904
      910:   A5 06      LDA $06
      912:   20 DA FD   JSR $FDDA
      915:   60         RTS

Using this routine, I could load the
byte I wanted in location $07, type
"900G", and the byte that it
corresponded to on the disk would be
printed.  From this I was able to
determine the following sector edits
to change the Goonie operating system
to read a normal DOS 3.3 disk:

Track $00, sector $02
      byte $23 from $53 to $AB
      byte $2D from $75 to $55
      byte $38 from $EF to $5B
      byte $91 from $95 to $AB
      byte $9B from $DD to $55
      byte $A6 from $BB to $2D


Now the copy of Goonies would boot and
run!  Unlike Zorro, there was no other
associated protection.


In cookbook form, here is the
procedure:
-----------------------------

1)    Boot your DOS 3.3 Systems disk,
      and then type CTRL C at the slot
      prompt.

2)    Then type:

      ]CALL-151
      *302:21
      *35F:21
      *2B0:A9 00 8D D1 02 8D D2 02 60
      *2DC:20 B0 02 A9 FF
      *2E6:F8
      *3D0G

      ]70

      ]258 POKE 47335,213: POKE
      47345,170: POKE 47356,173: POKE
      47445,213: POKE 47455,170: POKE
      47466,150

      ]248 POKE 47335,213: POKE
      47345,170: POKE 47356,173: POKE
      47445,213: POKE 47455,170: POKE
      47466,150

      ]197 POKE 47335,169: POKE
      47345,186: POKE 47356,247: POKE
      47445,202: POKE 47455,238: POKE
      47466,221

      ]RUN

3)    Copy the original Goonies disk
      to a blank disk.

4)    Run your favorite sector editor
      and copy track $00 from the
      original Goonies disk to track
      $00 of the disk you just copied
      in the above step.

5)    Using the sector editor, make
      the following edits to the copy
      of Goonies:

Track $00, sector $02
      byte $23 from $53 to $AB
      byte $2D from $75 to $55
      byte $38 from $EF to $5B
      byte $91 from $95 to $AB
      byte $9B from $DD to $55
      byte $A6 from $BB to $2D

6)    Write this sector back out to
      your COPYA version of Goonies.


And you're all done!

-the Disk Jockey-
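The Disk Jockey's write-up above explains the Prolog bytes as road markers and gives the $900 routine that maps a memory byte back to its byte on disk; as an added example, not part of the original message or the Disk Jockey's own code, here is a Python model of both: a small address-field parser that can be told which Prolog bytes to look for (what the Senior PROM's "Alter Prolog Byte" option does), and the $900 routine rewritten in Python and used to check the six listed sector edits. It assumes the standard DOS 3.3 layout of the eight bytes that follow the Address Prolog (volume, track, sector, checksum, each in 4-and-4 encoding), which the post does not spell out.

```python
# Added example (not from the original post or the Disk Jockey's code):
# a Python model of two details in the Goonies write-up above.
# Part 1: the DOS 3.3 address field framed by Prolog/Epilog "road markers".
# The 4-and-4 layout (volume, track, sector, checksum) is standard DOS 3.3
# and is an assumption here; the post only says "the next eight bytes".
# Part 2: the $900 routine, and a check of the six sector edits it produced.

NORMAL_ADDR_PROLOG = bytes([0xD5, 0xAA, 0x96])   # normal DOS 3.3
GOONIES_ADDR_PROLOG = bytes([0xCA, 0xEE, 0xDD])  # as found on tracks $01-20
EPILOG = bytes([0xDE, 0xAA])                      # "it ends here" (normal)


def encode_44(value: int) -> bytes:
    """4-and-4 encoding: one data byte becomes two disk bytes, the odd bits
    in the first and the even bits in the second, each padded with 1s so
    the result is a legal disk nibble."""
    return bytes([(value >> 1) | 0xAA, value | 0xAA])


def decode_44(hi: int, lo: int) -> int:
    return ((hi << 1) | 0x01) & lo


def build_address_field(volume: int, track: int, sector: int,
                        prolog: bytes = NORMAL_ADDR_PROLOG) -> bytes:
    """Prolog + 8 bytes (vol, trk, sec, checksum in 4-and-4) + epilog."""
    checksum = volume ^ track ^ sector
    body = b"".join(encode_44(v) for v in (volume, track, sector, checksum))
    return prolog + body + EPILOG


def find_address_fields(nibbles: bytes,
                        prolog: bytes = NORMAL_ADDR_PROLOG) -> list:
    """Scan a raw nibble stream for address fields introduced by `prolog`
    and return (volume, track, sector) for each one whose checksum and
    epilog are intact.  With the normal prolog this finds nothing on the
    Goonies tracks, which is why COPYA cannot locate the sectors; passing
    GOONIES_ADDR_PROLOG is the "Alter Prolog Byte" idea."""
    found = []
    i = nibbles.find(prolog)
    while i != -1:
        f = nibbles[i + len(prolog): i + len(prolog) + 10]
        if len(f) == 10:
            vol, trk, sec, chk = (decode_44(f[k], f[k + 1]) for k in (0, 2, 4, 6))
            if chk == vol ^ trk ^ sec and f[8:10] == EPILOG:
                found.append((vol, trk, sec))
        i = nibbles.find(prolog, i + 1)
    return found


# ---- Part 2: the $900 routine ---------------------------------------------
# LDA $06 / PHA / LSR / PLA / ROR: LSR leaves bit 0 of the candidate in the
# carry, PLA restores the candidate, ROR shifts it right with that carry
# entering bit 7.  Net effect: an 8-bit rotate right.  The loop counts $06
# up from $00 until ror8($06) equals the wanted memory byte held in $07.

def ror8(b: int) -> int:
    return ((b >> 1) | ((b & 1) << 7)) & 0xFF


def disk_byte_for(memory_byte: int) -> int:
    """What the $900 routine prints: the disk byte whose ROR is memory_byte.
    Brute force in the same order as the 6502 loop (INC $06 from $00)."""
    for candidate in range(256):
        if ror8(candidate) == memory_byte:
            return candidate
    raise ValueError("unreachable: ror8 is a bijection on 0..255")


# The six edits to track $00, sector $02 listed in the post:
# byte offset -> (disk byte before, disk byte after)
GOONIES_EDITS = {
    0x23: (0x53, 0xAB), 0x2D: (0x75, 0x55), 0x38: (0xEF, 0x5B),
    0x91: (0x95, 0xAB), 0x9B: (0xDD, 0x55), 0xA6: (0xBB, 0x2D),
}
# ...and the in-memory bytes they correspond to ($0323/$032D/$0338 and
# $0391/$039B/$03A6): old Data+Address prologs -> normal DOS 3.3 prologs.
MEMORY_BEFORE = bytes([0xA9, 0xBA, 0xF7, 0xCA, 0xEE, 0xDD])
MEMORY_AFTER = bytes([0xD5, 0xAA, 0xAD, 0xD5, 0xAA, 0x96])


def check_goonies_edits() -> bool:
    """True if every listed disk byte is the rotate of its memory byte,
    i.e. the table in the post is consistent with the $900 routine."""
    for (old, new), mem_old, mem_new in zip(GOONIES_EDITS.values(),
                                            MEMORY_BEFORE, MEMORY_AFTER):
        if disk_byte_for(mem_old) != old or disk_byte_for(mem_new) != new:
            return False
    return True


if __name__ == "__main__":
    # Constructed nibble stream: sync bytes, one Goonies-style address
    # field for volume 254, track $01, sector $00, then more sync bytes.
    stream = (bytes([0xFF] * 5)
              + build_address_field(254, 0x01, 0x00, GOONIES_ADDR_PROLOG)
              + bytes([0xFF] * 3))
    print("normal prolog finds:", find_address_fields(stream))
    print("Goonies prolog finds:",
          find_address_fields(stream, GOONIES_ADDR_PROLOG))
    print("edit table consistent with $900 routine:", check_goonies_edits())
```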




13) HACKER HACKED.


MSG LEFT BY: STEPHEN GAMBLIN


HACKER IS COPYA-BLE SO IT'S JUST
A MATTER OF USING A SECTOR EDITOR
 
1) COPYA HACKER
2) RUN A SECTOR EDITOR AND
 
  TRACK 1C SECTOR 4
  STARTING AT BYTE 7A ADD
 
  A9 FF 85 FC A9 55 4C B4 5E
 
AND WRITE TO THE DISK!!
 
                                   
                         
 
///////THE SCHIZOPHRENIC\\\\\\\
\\\\\\\[][][][[][][][][]///////




14) HITCHHIKER'S GUIDE.


MSG LEFT BY: STEPHEN GAMBLIN


ACTUALLY THIS IS NOT MY CRACK BUT CLINT
CAPEHART'S. INFOCOM USES THE SAME
PROTECTION SCHEME ON ALL OF THEIR
PRODUCTS, SO IF YOU KNOW THIS ONE THEN
YOU CAN COPY ALL OF THEM.
 
BOOT THE SYSTEM MASTER AND GET INTO THE
MONITOR VIA ]CALL -151
ADD IN-
*B925:18 60
*B988:18 60
*BE48:18
CTRL C
] POKE 47355,41
] POKE 47356,0
 THEN RUN COPYA
 
LOAD IN A SECTOR EDITOR AND MAKE THE
FOLLOWING CHANGES
TRACK 0 SECTOR 2
BYTE 5D  TO AD
     FB  TO 29
     FC  TO 00
 
WRITE THIS BACK TO THE COPIED DISK
NOW YOUR COPY OF LOCKSMITH
WILL BE ABLE TO FAST COPY IT.




15) HOBBIT.


MSG LEFT BY: BILL FOGG


THERE IS A CUTE NEW GAME FROM ADDISON WESLEY
CALLED 'THE HOBBIT'. IT USES NORMAL DOS 3.3 ADDRESS AND DATA MARKERS.
HOWEVER, IT USES A COPY PROTECTION THAT SEARCHES THE DISK AND IF
IT DOESN'T FIND WHAT IT IS LOOKING FOR IT CRASHES. IT WORKS SO WELL
THAT MY ORIGINAL WILL NOT BOOT!!!
 THE CRACK IS SIMPLE:
1.   COPYA THE DISK FRONT SIDE AND BACK SIDE.
2.   ON THE FRONT (BOOT) SIDE USE A SECTOR EDITOR AND EDIT:
     TRACK $00
     SECTOR $01
     BYTE   $23: EA A9 00 85
 
THAT'S IT.
IT BYPASSES THE COPY PROTECTION ROUTINE AND BOOTS THE DISK QUICKER.




16) KARATE CHAMP.


MSG LEFT BY: DARWIN GROSSE


THIS CRACK IS ALSO GOOD FOR KUNG-FU MASTER.
 
COPY THE ORIGINAL WITH SOMETHING LIKE FAST COPY (L.S. 6.0) OR A MODIFIED COPYA.
IGNORE ERRORS ON TRACK ZERO.
THEN GET OUT YOUR FAVORITE SECTOR EDITOR AND EDIT TRACK 0 SECTOR 5-BYTE A TO
A:18 60
 
YOU'RE DONE
                ANOTHER FROM THE ALLIANCE AND THE MOUSE.




17) KING'S QUEST I.


MSG LEFT BY: DRACKS KRAX

 
1) COPY ALL 3 SIDES WITH COPYA
2) DO THESE SECTOR EDITS ON SIDE 1:
 
(NOTE: YOU ARE CHANGING THE BYTE
SEQUENCE 20 00 0F TO EA EA EA. I SHALL
JUST TELL WHERE THOSE SEQUENCES ARE):
 
TRACK       SECTOR        START BYTE
-----       ------        ----------
$0B          $02           $B9
$0B          $0B           $ED
$0B          $0D           $B6
$0C          $01           $48
 
 
THAT IS IT. -ENJOY
 
 
            -=> DRACKS KRAX <=-
            -=>K-O ALLIANCE!<=-




18) KINGS QUEST II-1 BYTE.


MSG LEFT BY: THUFIR HAWAT


IT LOOKS LIKE IT IS NOT GOING TO BE A
BIG PROBLEM CRACKING THE NEW 5-SIDED
 
          "KING'S QUEST II"
 
1) COPYA ALL 5 SIDES
2) BREAK OUT YOUR TRUSTY SECTOR EDITOR:
 
       SIDE 1, TRACK 11, SECTOR F
               BYTE 5, $A9 => $60
3) ENJOY!




19) MATH IN NUTSHELL.


MSG LEFT BY: PARITY ERROR


TO KRACK THIS EDUCATIONAL GAME DO
THE FOLLOWING:
 
     1> COPY DISK WITH ANY STANDARD
        COPIER
 
     2> BOOT SECTOR EDITOR
 
     3> MODIFY T20 S1 B6E TO 18 60
 
THAT'S IT.....
 
 
                PARITY ERROR/LSD




20) MIDI SOFTWARE.


MSG LEFT BY: DRACKS KRAX


IT IS INTERESTING THAT THE FOLKS THAT
PUT OUT THE MIDI INTERFACE CARD THINK
THEY MUST LOCK THE SOFTWARE. WHO IS
GOING TO PIRATE IT IF THEY NEED THE
HARDWARE?? OH WELL, NO MATTER. FOR:
 
HERE'S HOW TO DEPROTECT IT...
 
1) COPY THE DISK WITH SOMETHING THAT
CAN IGNORE ERRORS ON TRACK $03 & $10.
 
2) NOW: LOAD HELLO AND ALTER LINE#6:
 
6 PRINT CHR$(4)"BLOAD BRUNM4P": PRINT
  CHR$(4)"BRUN M4XX"
 
3) SAVE HELLO AND THEN:
TYPE:
 
FP
BLOAD M4XX
CALL -151
958:4C 00 80
UNLOCK M4XX
BSAVE M4XX,A2049,L346
LOCK M4XX
BLOAD BRUNM4P
8069:4C 0A 0A
UNLOCK BRUNM4P
BSAVE BRUNM4P,A32768,L636
LOCK BRUNM4P
 
THAT BE IT.
 
          --> DRACKS KRAX <--
           ->K-O ALLIANCE!<-




21) MINDSCAPE.


MSG LEFT BY: RESET VECTOR

To crack all of the recent Mindscape releases just do this: 
BOOT SYSTEM MASTER
CALL-151
B942:18
RUN COPYA
COPY THE DISK
Then just use a sector editor to copy track 0 sector 0 from any normal Pascal
disk onto the disk you have just made.  Voila!
   Courtesy of ->Reset Vector!




22) MUSIC CONSTRUCTION.


MSG LEFT BY: PARITY ERROR



HOW I KRACKED MY  VERSION :
 
1> BOOT A COPY PROG THAT WILL IGNORE
ERRORS OR THAT CAN COPY SELECTED TRACKS
 
2> COPY DISK (OR EVERYTHING BUT TRACK
22).
 
3> SECTOR EDIT T7 S8 BYTES A & B
FROM AD EC TO 18 60.
 
NOW TO ELABORATE ON WHAT I DID TO
DEPROTECT THIS.....
 
    WHEN YOU MAKE A COPY OF THE
DISK, YOU CANNOT COPY TRACK 22
CORRECTLY (WITHOUT A NIBBLE COPIER).
THIS TRACK IS READ IN BY A NIBBLECOUNT
ROUTINE WHICH VERIFIES WHETHER THE
DISK IS VALID OR NOT.
     NOW USUALLY TO FIND A NIBBLE
COUNT I LIKE TO SEARCH THE DISK
FOR DISK ACCESSES (BYTES SUCH AS
C089 AND C08C), BUT THESE TWO
SEQUENCES DID NOT TURN UP ANY VALID
LEADS AS TO THE NIBBLE COUNT
ROUTINE. ELECTRONIC ARTS HOWEVER
SOMETIMES LIKES TO SET UP THE
BYTES C0EC (WHICH IS C08C + 60 FOR
SLOT 6) AND USE THIS FOR
THEIR NIBBLECOUNTS. IF YOU SEARCH
THE DISK YOU WILL FIND THIS SEQUENCE
ON ONLY ONE SECTOR WHICH IS T7 S8
AT LOCATIONS A & B. IF YOU PUT AN 18
AND 60 THEN THE DISK WILL BYPASS
THIS ROUTINE AND WORK FINE.
 
THAT'S IT!
 
             PARITY ERROR/LSD




23) PRINT SHOP KRACKS.


MSG LEFT BY: GARY HARTZELL


PRINT SHOP KRACKS
 
TO COPYA PRINT SHOP JUST COPY WITH
A TRACK COPIER LIKE 5.0 FAST COPY
SECTOR EDIT: T-10 S-06
BYTES 23-25  FROM AE F8 05
             TO   4C BB A6
THEN INITIALIZE TRACK $22
 
YOU NOW HAVE A COPYA PRINT SHOP
 
TO KRACK PRINT SHOP GRAPHICS
 
RUN COPYA
^C OUT OF IT
70(deletes line 70)
CALL-151
B925:18 60
3D0G
RUN
COPY BOTH SIDES AND YOU HAVE CRACKED IT!
track 0 is the only protected track with
a changed DATA EPILOG.
 
THE 120 GRAPHICS ARE A GREAT ADDITION
TO THIS FINE PROGRAM FROM BRODERBUND
 
LATER,
Cyrano Jones  PPG




24) QUICKEN.


Deprotecting Quicken from            
   By the Disk Jockey.

Requirements to Perform Deprotection:
-------------------------------------
-Apple //e or //c (program
 requirement).
-Any normal DOS disk copy program
 (such as COPYA).
-A sector editor.

Hardware used to determine Depro
Procedure:
--------------------------------
-The Senior PROM version 2.0 from
 Cutting Edge Enterprises.



Quicken is an excellent AppleWorks
check writing utility.  Unfortunately,
it's copy protected, making backups of
this business program difficult.

The first thing I did when trying to
back up this utility was to make a
normal DOS copy of both sides of the
original Quicken disk using COPYA.  To
my surprise, I encountered no
problems!  Both sides copied without
errors.

Of course the next action was to boot
the new copy.  Everything went fine
till just before the menu should have
appeared.  I then received a message
"original disk damaged", and the
program halted.

Once again I booted the program and
interrupted the program using the
Senior PROM just before receiving the
damaged disk message (it took a few
times to "catch" it at the correct
moment).  Using the Senior PROM
Disassemble command, I could easily
see the code that was being executed
to verify the original disk.  Here is
the code:

5EB2-   68          PLA         
5EB3-   85 00       STA   $00   
5EB5-   68          PLA         
5EB6-   85 01       STA   $01   
5EB8-   68          PLA         
5EB9-   68          PLA         
5EBA-   68          PLA         
5EBB-   68          PLA         
5EBC-   AD E9 C0    LDA   $C0E9 
5EBF-   A9 A0       LDA   #$A0  
5EC1-   85 03       STA   $03   
5EC3-   A9 08       LDA   #$08  
5EC5-   C6 02       DEC   $02   
5EC7-   D0 04       BNE   $5ECD 
5EC9-   C6 03       DEC   $03   
5ECB-   F0 55       BEQ   $5F22 
5ECD-   AC EC C0    LDY   $C0EC 
5ED0-   10 FB       BPL   $5ECD 
5ED2-   C0 FB       CPY   #$FB  
5ED4-   D0 ED       BNE   $5EC3 
5ED6-   F0 00       BEQ   $5ED8 
5ED8-   EA          NOP         
5ED9-   EA          NOP         
5EDA-   AC EC C0    LDY   $C0EC 
5EDD-   C0 08       CPY   #$08  
5EDF-   2A          ROL         
5EE0-   B0 0B       BCS   $5EED 
5EE2-   AC EC C0    LDY   $C0EC 
5EE5-   10 FB       BPL   $5EE2 
5EE7-   C0 FF       CPY   #$FF  
5EE9-   D0 D8       BNE   $5EC3 
5EEB-   F0 EB       BEQ   $5ED8 
5EED-   C9 0A       CMP   #$0A  
5EEF-   D0 D2       BNE   $5EC3 
5EF1-   AD EC C0    LDA   $C0EC 
5EF4-   10 FB       BPL   $5EF1 
5EF6-   C9 D5       CMP   #$D5  
5EF8-   D0 C9       BNE   $5EC3 
5EFA-   AD EC C0    LDA   $C0EC 
5EFD-   10 FB       BPL   $5EFA 
5EFF-   C9 AA       CMP   #$AA  
5F01-   D0 C0       BNE   $5EC3 
5F03-   AD EC C0    LDA   $C0EC 
5F06-   10 FB       BPL   $5F03 
5F08-   C9 96       CMP   #$96  
5F0A-   D0 B7       BNE   $5EC3 
5F0C-   AD EC C0    LDA   $C0EC 
5F0F-   10 FB       BPL   $5F0C 
5F11-   C9 AA       CMP   #$AA  
5F13-   D0 AE       BNE   $5EC3 
5F15-   AD EC C0    LDA   $C0EC 
5F18-   10 FB       BPL   $5F15 
5F1A-   C9 AB       CMP   #$AB  
5F1C-   D0 A5       BNE   $5EC3 
5F1E-   A9 01       LDA   #$01  
5F20-   D0 02       BNE   $5F24 
5F22-   A9 00       LDA   #$00  
5F24-   CD E8 C0    CMP   $C0E8 
5F27-   48          PHA         
5F28-   48          PHA         
5F29-   A5 01       LDA   $01   
5F2B-   48          PHA         
5F2C-   A5 00       LDA   $00   
5F2E-   48          PHA         
5F2F-   60          RTS         

This routine was looking for a
specific byte sequence just before and
after the Address Prolog bytes $D5 AA
96.  The bottom line is if the
specific bytes were not found, then
the program jumped to $5F22, and the
Accumulator got loaded with the value
$00.  If the correct bytes were found,
the routine would go to location
$5F1E, which loaded the Accumulator
with $01, and then would branch around
the code at $5F22.  Upon exiting this
routine if the Accumulator equaled
$01, the program knew the correct
bytes were found.  If the Accumulator
equaled $00, the program gave you the
"Damaged Disk" message.

Fortunately, this is easy code to
defeat:  just change the "LDA #$00" at
location $5F22 to "LDA #$01".  This
way the Accumulator would get loaded
with $01 regardless of whether
the correct byte sequence was found or
not.

Using the disk search utility in the
Senior PROM, I found this code on
track $1C, sector $F, byte $0E on BOTH
sides of the Quicken disk.  The byte
that needs to be changed is at $7F:
change this from $00 to $01, and the
routine is defeated!

I also noted that this disk check
routine was in memory at two other
locations:  $652C and $7ED6, but only
occurred on the disk in two places.


In cookbook form, here is the
procedure.
-----------------------------

1) Run your favorite normal DOS copy
program and copy BOTH sides of the
original Quicken disk to a blank disk.

2) Run your favorite sector editor and
make the following changes to the copy
of the Quicken disk:

    Track $1C, Sector $F, side 1
      change byte $7F from $00 to $01

    Track $1C, Sector $F, side 2
      change byte $7F from $00 to $01

3) Write the sectors back out to your
copy of the Quicken disk.


And you're all done!

-the Disk Jockey-


Back to contents

Pirates Harbor


25) ROAD RALLY USA.


MSG LEFT BY: PARITY ERROR


     ROAD RALLY USA IS AN EXTREMELY
LAME GAME WITH AN EQUALLY LAME
PROTECTION SCHEME; HOWEVER, THE ARTWORK
ON THE OUTSIDE OF THE DISK IS RATHER
GOOD. IT DEPICTS SCENES FROM THE GAME
AND IS RIGHT ON THE OUTSIDE OF THE
DISK.
 
     ANYWAY TO BREAK IT DO THE
FOLLOWING:
 
     1) RUN COPYA
     2) CNTRL C
     3) 70
     4) CALL-151
     5) B942:18
     6) 3D0G
     7) RUN
     8) COPY
     9) EDIT T0 S3 B42 FROM 38 TO 18
     10) PLASTER YOUR NAME ALL OVER
         IT.
 
THAT'S IT....

 

 
          PARITY ERROR/L.S.D.


Back to contents

Pirates Harbor


26) ROBOT ODYSSEY.


MSG LEFT BY: DISK JOCKEY


TO FIX YOUR "NAMELESS" KRAK OF ROBOT
ODYSSEY THAT DOESN'T SOLDER, MAKE
THE FOLLOWING CHANGES WITH A SECTOR
EDITOR:
 
SIDE 1, TRACK 1, SECTOR 2, BYTE $2D
   CHANGE TO: A9 80 29 80 EA EA
 
SIDE 2, TRACK 1, SECTOR 2, BYTE $63
   CHANGE TO: A9 80 29 80 EA EA
 
 
THESE MODS ARE FROM MR. KRAK-MAN.


Back to contents

Pirates Harbor


27) SAT CRACKED.


MSG LEFT BY: BEAVER MOKEN


"HOW TO PREPARE FOR THE SAT" BY HBJ IS
A SIMPLE PROGRAM TO CRACK, FOR ALL THEY
DO IS HIDE THE CATALOG AND CHANGE THE
VTOC AROUND.
 
RUN COPYA AND WHEN IT GIVES YOU THE
FIRST PROMPT TYPE CTRL-C
NEXT GET INTO MONITOR BY CALL-151
 
TYPE
 
B942:18 60
B988:18 60
BE48:18
 
3D0G
70
RUN
 
NOW COPY ALL 4 DISKS AND WHEN DONE GET
A SECTOR EDITOR OUT AND EDIT THIS ON
ALL 4 SIDES
 
TRK   SEC     BYT    FROM   TO
---   ---     ---    ----   --
 0     3      42      38    18
 
WRITE THIS BACK TO DISKS AND YOU HAVE
A CRACKED VERSION.
 
BEAVER MOKEN


Back to contents

Pirates Harbor


28) SHERLOCK HOLMES.


MSG LEFT BY: PHI DEAUX


IN ORDER TO CRACK THIS GRAPHIC ADVENTURE,
ONE MUST FIRST COPYA BOTH SIDES
OF THE DISK.
 
NEXT, LOOK FOR 4C 32 D0 WITH A SECTOR
EDITOR AND SIMPLY EA THE BYTES. ONCE
YOU WRITE THEM BACK TO THE DISK, IT
IS COMPLETELY DEPROTECTED.
 
BY THE WAY, I FOUND THAT STRING ON
TRACK $16 SECTOR $0 BYTES 32-34.


Back to contents

Pirates Harbor


29) SIDEWAYS ANSWER.


MSG LEFT BY: THE PUSMAN
DATE POSTED: SUN DEC  9  3:54:20 AM

Try undeleting files on the disk.  The
stupid idiots left the source code for
the complete protection scheme on the
disk!!


Back to contents

Pirates Harbor


30) SPACE STATION.


MSG LEFT BY: PARITY ERROR


TO KRACK SPACE STATION BY HESWARE DO
THE FOLLOWING
 
1) BRUN ADVANCED DEMUFFIN
2) EXIT TO MONITOR
3) B942:18
4) 801G
5) CONVERT DISK
 
NOW BOOT THE DISK. IT IS NOW COPYA,
BUT DUE TO A NIBBLE COUNT IT REBOOTS
RIGHT AWAY AFTER READING IN ONLY ONE
TRACK. IF YOU USE A DISK SEARCH
UTILITY (LIKE TRACER FROM CIA) YOU
WILL FIND A COUPLE OF DISK ACCESSES
ON TRACK 0. ONE OF THESE IS NOT
PART OF DOS AND DEFINITELY DOES NOT
BELONG THERE. IT READS IN A TRACK
AND TRIES TO FIND THE BYTES EE AND
E7. WHEN THEY ARE NOT FOUND IT REBOOTS.
TO FIX THIS EDIT TRACK 0 SECTOR 5
BYTE 32 FROM A BD TO 60. NOW IT
WILL BOOT AND WORK CORRECTLY.
 
THAT'S IT.
 
           PARITY ERROR/LSD


Back to contents

Pirates Harbor


31) STAR TREK KRAK.


MSG LEFT BY: THE PUSMAN


     Star Trek is another one of those 4+4 single-load goodies that is
very easy to krak.  Just copy track 0 and make a sector mod. on sector 1:
BYTE     FROM     TO
====================
 DD       8D      4C
 DE       81      59
 DF       C0      FF
 
Then boot your copy.  When the graphics page appears, replace the original
and wait for the game to load.  You will then be in the monitor.  Just
save the file from $800 to $9000 (start address is $2400) and you're done!
 
                                          --> The Pusman <--


Back to contents

Pirates Harbor


32) TELEPORTER.


Deprotecting Teleporter from Sensible
Software, Inc.  By the Disk Jockey.


Requirements for Softkey:
-Any Apple or Apple Clone computer.
-A sector editor.
-COPYA from the DOS 3.3 System Master.
-A blank disk.
-Teleporter from Sensible Software.


Hardware used to develop Softkey:
-Senior PROM v2.0 from Cutting Edge
Enterprises.


Teleporter from Sensible Software is a
very sophisticated communications
program that allows simultaneous
sending AND receiving of files.
Unfortunately, like all other
"Sensible" software, the disk is copy
protected.

Snooping through the disk with the
Nibble read utility in the Senior PROM
revealed that tracks $00-0E had a
modified Epilogue byte sequence of $ED
AA (instead of the normal $DE AA).
Tracks $10-22 were in normal DOS
format.  Track $0F was very strangely
formatted and contained nothing but
$FF's and some header bytes along the
way.  No doubt this track was strangely
formatted for a reason...

The first step was to convert the disk
into normal DOS 3.3 format.  The
epilogue byte check routine at $B988
needed to be defeated to copy tracks
$00-0E.  Also, track $0F needed to be
ignored on the copy.  I chose COPYA
for this chore because it was the
easiest to modify, and everyone has
COPYA.  Putting a "18" at location $3A1
would allow COPYA to continue the copy
even if a read error occurred. This
would enable it to ignore track $0F
(with a lot of disk drive noise!).
Putting a "18 60" at location $B988
took care of the modified epilogue byte
sequence.

To make these mods, first boot normal
DOS 3.3 and run COPYA.  After the
program is loaded and waiting at the
prompt, type "CTRL C" to exit to BASIC.
Then type:

]70       (delete line 70)
]CALL-151
*3A1:18
*B988:18 60
*3D0G
]RUN

Then copy the original Teleporter disk
to a blank disk.

Of course the Teleporter disk will not
boot since its DOS needed to be told
that the Epilogue bytes were no longer
$ED AA, but now the normal $DE AA.
Using a sector editor change track $00,
sector $3, byte $91 from $ED to $DE.

The copy of the Teleporter disk will
now boot. Just after DOS is loaded, the
program pauses for a second, reads the
disk, and then clears memory and leaves
you in BASIC.  Since this happens just
after DOS is loaded, we need to somehow
halt the program after DOS is loaded,
but before it runs away and clears
memory.

The best way to do this is to edit
track $00, sector $1, byte $47 to $4C
59 FF (from $4C 03 1B).  This makes the
program jump into the Monitor just
after DOS is loaded.  Normally this
code does a jump $9D84, which loads in
the BASIC Hello program.  In the case
of Teleporter, the program jumps to
$1B03, which is what a DOS Master disk
does (opposed to a slave disk which
jumps to $9D84).

The code at $1B03 moves DOS to the
highest possible memory, just like a
DOS Master disk. Following through the
code revealed a JMP $B4BB at location
$1D84.  This seemed real suspicious
since $B4BB-B5BA is used as a buffer
area to keep the catalog sectors when
searching for a filename. Doing a
"B4BBL" from the Monitor revealed
nothing, since the code at $1B03 hadn't
executed and moved anything up to that
memory range yet. Knowing the code at
$B4BB would execute and then get wiped
immediately, I typed a "1D84:4C 59 FF"
and then "1B03G". This executed the
code, but halted just before jumping to
$B4BB.

Looking through the code at $B4BB
revealed that Teleporter was moving an
image of the F8 Monitor ROM into the
upper 16k (bank 2), and using this
Monitor ROM.  This has the advantage of
making Reset or NMI do what Teleporter
wants, opposed to letting the user
break out of the program because they
have an old F8 Monitor ROM on the
Motherboard.

The code then jumps to $B42A, which
reveals a whole bunch of subroutine
calls to $B52A, the disk check routine
on track $0F (of course). If the
original disk was not found, a routine
was jumped to at $BF00 which cleared
memory and dumps you into BASIC. If all
went OK, the program jumped to $9D84
and loaded the HELLO program.

Defeating this was simple: replace the
JMP $BF00 with a JMP $9D84.  This way
the program would jump to $9D84
regardless of whether the disk check
routine was satisfied or not. Searching
the disk with the Senior PROM's disk
search utility found the code at track
$02, sector $03, byte $60.  Change this
from $4C 00 BF to $4C 84 9D.

Now Teleporter booted, and (almost)
ran. Just before the main menu appears,
another check on track $0F is made. I
was able to find this code at $AE00 by
using the Senior PROM v2.0
NMI-disassembly feature to interrupt
the program during the disk check, and
have it display the address the program
was currently running at. If this disk
check routine was not satisfied, the
code would branch to $AE61 to clear
memory and reboot.

This was also easy to defeat by putting
a "60 EA 60 60" at location $AE5E.  The
program would then always return to the
calling subroutine (and not reboot)
regardless of whether the disk check
routine was satisfied. Using the Senior
PROM's disk search utility found this
code on track $10, sector $8, byte $5E.
Change the $D0 01 60 AD to $60 EA 60 60.

Teleporter is now deprotected!


In cookbook form:
-----------------

1) Boot normal DOS 3.3 and run COPYA by
typing:

]RUN COPYA

2) After the program is loaded and
waiting for your response, type:

CTRL C

3) Tell COPYA to ignore Epilogue bytes
and to continue reading on errors by
typing:

]70
]CALL-151
*3A1:18
*B988:18 60
*3D0G
]RUN

4) Copy the original Teleporter disk to
a blank disk.  Note the disk drive will
"grind" on track $0F, twice for each
sector. Ignore this.

5) Reboot normal DOS and run your
favorite sector editor. Make the
following changes to your copy of
Teleporter:

   Track $00, sector $3, byte $91
     from $ED to $DE

   Track $02, sector $3, byte $60
     from $4C 00 BF
      to  $4C 84 9D

   Track $10, sector $8, byte $5E
     from $D0 01 60 AD
      to  $60 EA 60 60

6) Write the sectors back out to your
copy of Teleporter.


And you're all done!

-the Disk Jockey-


Back to contents

Pirates Harbor


33) TRILLIUM.


MSG LEFT BY: RESET VECTOR


Just a quickie...
   If you have any of the new Trillium adventures that will copy with COPYA
but won't boot and you have a cracked copy of any one of these, be advised
that all mods are in the file "IO" - just copy that file to any of the
other programs and it will be cracked.  If you have an OLDER Trillium crack
(like DragonWorld), just copy 3 files - STARTUP, IO AND PARAMS.
   Courtesy of ->Reset Vector!


Back to contents

Pirates Harbor


34) ULTIMA IV KRAK!!



MSG LEFT BY: MAD MAX


OK HERE'S THE KRAK...(I KNOW IT WORKS)
 
COPY THE MASTER DISK WITH SUPER IOB (IF YOU DON'T HAVE IT YOU'LL HAVE TO SEE IF
SOMETHING ELSE WORKS). THEN... POP INTO MONITOR:
 
TYPE:
BLOAD S(^A)UBS
 
THEN
 
0A9F:EA
0AA0:EA
0AA1:EA
0AA4:EA
0AA5:EA
0AA6:EA
0AA8:EA
0AAA:EA
 
THEN UNLOCK S(^A)UBS
 
BSAVE S(^A)UBS, A$0800, L$1800
 
THEN 3D0G
ONCE YOU'RE BACK INTO DOS...
 
10 PRINT CHR$(4)"BRUN I(^A)NIT"
 
THEN SAVE HELLO
 
RUN HELLO
 
THIS WILL NOW WORK, BUT YOU'LL HAVE TO USE MASTER CREATE FROM THE SYSTEM MASTER
IF YOU WANT IT TO WORK ON THE RE-BOOT.
 
         HAVE FUN..
 
                  <<:MAD MAX:>>.


Back to contents

Pirates Harbor


35) UNIVERSE KRAK.



MSG LEFT BY: DISK JOCKEY


Universe is a nice 4 sided adventure,
of which 3 of the 4 sides are protected.
The protection used on each side is
EXACTLY the same, and is in the HELLO
program. So here is how to krak it:
 
1) Copy all 4 sides of Universe using
   COPYA with no mods (will copy fine)
 
2) Make the following sector edits
   using a sector editor:
 
Flight
------
trk $16, Sct $E, Byte $32
    from $20 00 09
     to  $EA EA EA
 
Construction
------------
Trk $22, Sct $8, Byte $32
    from $20 00 09
     to  $EA EA EA
 
Starport
--------
Trk $22, Sct $E, Byte $32
    from $20 00 09
     to  $EA EA EA
 
Flight 1
--------
No mods needed!
 
 
As you can see, byte $32 of the
Hello program is a JSR $0900, which
must be disabled to defeat the
protection. So all I did was to
use a disk search utility to search
the disk for $20 00 09 and then
disable it by NOPing it with $EA's.
 
-Disk Jockey-
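The Sherlock Holmes, Universe and Teleporter posts above all reduce their softkeys to two operations: search the disk for a byte string, then edit the bytes at a given track, sector and offset. The Python below is an added example, not code from the original page or from any of the posters, that does both against a DOS 3.3-order .dsk image. It assumes the usual layout of such images (35 tracks of 16 logical sectors of 256 bytes, stored in logical sector order) and that the sector numbers the posts quote are those DOS logical sector numbers; the image it searches is constructed in memory, not dumped from any disk, and carries only the two byte strings the Sherlock Holmes and Universe posts say they found, planted where those posts found them. Unlike a sector editor, the edit routine refuses to write when the "from" bytes are not on the disk, which is the check you want before applying a cookbook from a BBS to a disk that may be a different version or side.

```python
# Added example: disk search plus sector edit over a DOS 3.3-order .dsk image.
# Not code from the original page.  Assumes the standard .dsk layout:
# 35 tracks x 16 logical sectors x 256 bytes, stored in logical sector order.
TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE   # 143,360 bytes


def offset(track, sector, byte=0):
    """Byte offset in the image of (track, logical sector, byte in sector)."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS and 0 <= byte < SECTOR_SIZE):
        raise ValueError(f"out of range: T${track:02X} S${sector:X} B${byte:02X}")
    return (track * SECTORS + sector) * SECTOR_SIZE + byte


def locate(off):
    """Inverse of offset(): (track, sector, byte) for an image offset."""
    track, rest = divmod(off, SECTORS * SECTOR_SIZE)
    sector, byte = divmod(rest, SECTOR_SIZE)
    return track, sector, byte


def search(image, pattern):
    """Every (track, sector, byte) at which pattern occurs: what the posts'
    'disk search utility' does when asked for 4C 32 D0 or 20 00 09."""
    hits, start = [], 0
    while (i := image.find(pattern, start)) >= 0:
        hits.append(locate(i))
        start = i + 1
    return hits


def sector_edit(image, track, sector, byte, old, new):
    """One cookbook edit ('from X to Y').  Refuses to write unless the bytes
    on the disk are the 'from' bytes, so a different version, the wrong
    side or a wrong sector order is reported instead of silently corrupted."""
    if len(old) != len(new):
        raise ValueError("from/to must be the same length")
    off = offset(track, sector, byte)
    found = bytes(image[off:off + len(old)])
    if found != old:
        raise ValueError(f"T${track:02X} S${sector:X} B${byte:02X}: "
                         f"expected {old.hex()} but found {found.hex()}")
    image[off:off + len(new)] = new


def apply_cookbook(image, edits):
    """Apply a list of (track, sector, byte, from, to) edits in order."""
    for track, sector, byte, old, new in edits:
        sector_edit(image, track, sector, byte, old, new)
    return image


def build_sample_image():
    """Constructed sample image (not a dump of any real disk): blank except
    for the two byte strings the Sherlock Holmes and Universe posts search
    for, placed where those posts report finding them."""
    image = bytearray(IMAGE_SIZE)
    jmp = offset(0x16, 0x0, 0x32)        # Sherlock Holmes: JMP $D032
    image[jmp:jmp + 3] = b"\x4C\x32\xD0"
    jsr = offset(0x16, 0xE, 0x32)        # Universe (Flight side): JSR $0900
    image[jsr:jsr + 3] = b"\x20\x00\x09"
    return image


NOP3 = b"\xEA\xEA\xEA"   # three NOPs: the "EA the bytes" of both posts

if __name__ == "__main__":
    img = build_sample_image()
    for pat in (b"\x4C\x32\xD0", b"\x20\x00\x09"):
        for t, s, b in search(img, pat):
            print(f"{pat.hex(' ')} at T${t:02X} S${s:X} B${b:02X}")
    apply_cookbook(img, [
        (0x16, 0x0, 0x32, b"\x4C\x32\xD0", NOP3),
        (0x16, 0xE, 0x32, b"\x20\x00\x09", NOP3),
    ])
    print("after patch:", search(img, b"\x4C\x32\xD0"), search(img, b"\x20\x00\x09"))
```

Run it on a real image by replacing build_sample_image() with bytearray(open("disk.dsk", "rb").read()); a second apply_cookbook() of the same edits fails on the "from" check, which is the expected sign that the patch is already in.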


Back to contents

Pirates Harbor


36) WORLD'S GREATEST FOOTBALL.


MSG LEFT BY: PARITY ERROR


THE PROTECTION FOR THIS GAME IS
ALSO RATHER WEAK. TO BREAK IT, MAKE
A COPY OF THE DISK AS FOLLOWS:
 
     1> BRUN ADVANCED DEMUFFIN
     2> EXIT TO MONITOR
     3> B942:18
     4> 801G
     5> COPY
 
NOW THE NEW COPY WILL NOT BOOT DUE
TO A SMALL NIBBLE COUNT. THE DISK
WILL READ IN FOR A SECOND AND THEN
CRASH. THE CODE FOR THE PROTECTION
SCHEME IS ON T0 S5 AND AT BYTE 32
IS A DISK ACCESS THAT IS BEING USED
FOR THE NIBBLE COUNT. JUST CHANGE
ONE BYTE TO STOP THE NIBBLE COUNT.
CHANGE T0 S5 B32 FROM BD TO 60.
 
IT WILL NOW BOOT.
 
I AM NOT POSITIVE, BUT I HAVE HEARD
THAT MOST OR ALL OF THE RECENT
EPYX HAVE HAD A SIMILAR NIBBLECOUNT
ON T0 S5.


          PARITY ERROR/LSD.


Back to contents

Pirates Harbor


37) WORLDS GREATEST BASEBALL.


MSG LEFT BY: JOHN REEVES


OK FOLKS, EPYX PROTECTIONS ARE SAD AS
USUAL; THIS ONE'S ONLY ONE BYTE.
 
COPY DISK WITH COPYA WITHOUT CHECKSUMS
 
B942:18
 
THEN MODIFY T0 SEC 5
 
BYTE # B0 FROM C6 TO EC
 
AND THATS IT
 
KRACK BY SEE-SAW OF THE N.O.P.G. ON

 
                         JOHN REEVES


Back to contents



38) ZORRO!


Deprotecting Zorro from Datasoft.  By
the Disk Jockey.


Requirements to Perform Deprotection:
-------------------------------------
-COPYA from the DOS 3.3 System Master.
-A Sector Editor.
-A blank disk.
-Zorro from Datasoft.


Hardware/Software Used to Develop the
Deprotection Technique:
--------------------------------------
-The Senior PROM version 2.0 from
Cutting Edge Enterprises.


Zorro is an excellent arcade game where
you are the great Zorro, trying to
keep law and order in a time and place
where none exists.  As with all programs
from Datasoft, it's copy protected.
The protection is really pretty good,
and if not for some minor shortcoming,
it could have been very difficult to
deprotect.

The first thing I always do when
deprotecting a program is to get the
program into a normal DOS 3.3 format
so sector edits and easy copies can be
made (even if the program doesn't
run).  After the disk is in a normal
format, then you can remove the
protection.

To do this, I try the easiest steps
first:  Using the Senior PROM's copy
routines, I defeat the DOS error
checking and try copying the disk.  If
you don't have a Senior PROM, boot
your DOS 3.3 System Master, and at the
Basic prompt type:

      ]CALL-151
      *B942:18
      *RUN COPYA

I then try and copy the original disk.
This small modification to DOS
ignores minor disk alterations
performed by many software publishers.
Using the Senior PROM, I found that
track $00 would copy fine, but the
other tracks would not copy in this
manner.

The next step is to use the Senior
PROM's sector editor and nibble read
the disk.  This will tell you how the
other tracks are formatted.  Nibble
reading track $01 revealed the
following information:

      $A9 BA F7 =    Data Prolog bytes
                     (abnormal)
      $CA EE DD =    Address Prolog
                     bytes (abnormal)
      $DE AA =       Data and Address
                     Epilog bytes
                     (normal)

      342 bytes of data between Data
      Prolog and Epilog bytes.  This
      denotes the disk is in 6+2
      format, or a normal 16 sectors
      per track.

      Only tracks $00-13 contain data.
      The rest of the disk is blank.

This information is invaluable when
trying to convert the disk to normal
DOS format.  The Prolog bytes are road
markers to DOS:  the Address Prolog
bytes tell DOS the next eight bytes
denote what track and sector is being
read.  The Data Prolog bytes tell DOS
that the next 342 bytes is the actual
data.  The Epilog bytes are just
insurance bytes, telling DOS "it ends
here".

The Address and Data Prolog bytes on
Zorro are considerably different than
those on a normal DOS disk.  This
makes it difficult for a copy program
to find what track its reading
(Address Prolog bytes), and where the
data starts for the sector (Data
Prolog bytes).

Using the Senior PROM's "Alter Prolog
Byte" option, I was able to easily
copy the original Zorro disk to a
blank disk in normal DOS 3.3 format.
Track $00 was copied first, as it is
unprotected.  Then tracks $01-13 are
read with $A9 BA F7 and $CA EE DD Data
and Address Prolog bytes,
respectively, and written in normal
DOS format.

You can also convert the disk with
COPYA.  Here is the procedure:

1)    Boot your DOS 3.3 Systems disk,
      and then type CTRL C at the slot
      prompt.

2)    Then type:

      ]CALL-151
      *302:14
      *35F:14
      *2B0:A9 00 8D D1 02 8D D2 02 60
      *2DC:20 B0 02 A9 FF
      *2E6:F8
      *3D0G

      ]70

      ]258 POKE 47335,213: POKE
      47345,170: POKE 47356,173: POKE
      47445,213: POKE 47455,170: POKE
      47466,150

      ]248 POKE 47335,213: POKE
      47345,170: POKE 47356,173: POKE
      47445,213: POKE 47455,170: POKE
      47466,150

      ]197 POKE 47335,169: POKE
      47345,186: POKE 47356,247: POKE
      47445,202: POKE 47455,238: POKE
      47466,221

      ]RUN

3)    Copy the original Zorro disk to
      a blank disk.

4)    Run your favorite sector editor
      and copy track $00 from the
      original Zorro disk to track $00
      of the disk you just copied in
      the above step.

The Zorro disk is now in normal DOS
format.  If you boot this disk, of
course it won't run since we haven't
removed the protection yet.

The first step in removing the
protection is to tell Zorro's DOS that
it should use normal DOS Prolog bytes
instead of the protected ones.  Using
the Senior PROM, I interrupted the
Zorro program while it was trying to
read the disk.  Using the Disassemble
at Program Counter feature of the
Senior PROM, I found the routines to
change were at $D118-D139 and
$D180-D1A7 in Bank 2 of the Banked
Switched Memory (upper 16k).  Bytes
$D123, $D12D, $D138 needed to be
changed from $A9 BA F7 (the old Data
Prolog bytes) to $D5 AA AD (normal DOS
3.3's Data Prolog bytes).  Likewise,
bytes $D191, $D19B, $D1A6 needed to be
changed from $CA EE DD (the old
Address Prolog bytes) to $D5 AA 96
(normal DOS 3.3's Address Prolog
bytes).

It was pretty obvious that this code
had to be on track $00 since it was
the only track the program could load
(remember it was never protected).
Using the Senior PROM sector editor, I
searched track $00 for the code, and
it could not be found!  There had to
be some encoding routine making a
simple search and edit impossible.

Doing some minor boot-code tracing
led to a routine at $8B2 on track
$00, sector $00.  This routine
unencoded the rest of sector $00, and
as it turned out, was the same type of
routine used to unencode the rest of
the disk.  Using this code, I wrote
the following routine to unencode the
bytes on the disk to what they were in
memory:

      900:   A9 FF      LDA #$FF
      902:   85 06      STA $06
      904:   E6 06      INC $06
      906:   A5 06      LDA $06
      908:   48         PHA
      909:   4A         LSR
      90A:   68         PLA
      90B:   6A         ROR
      90C:   C5 07      CMP $07
      90E:   D0 F4      BNE $0904
      910:   A5 06      LDA $06
      912:   20 DA FD   JSR $FDDA
      915:   60         RTS

Using this routine, I could load the
byte I wanted in location $07, type
"900G", and the byte that it
corresponded to on the disk would be
printed.  From this I was able to
determine the following sector edits:

Track $00, sector $02
      byte $23 from $53 to $AB
      byte $2D from $75 to $55
      byte $38 from $EF to $5B
      byte $91 from $95 to $AB
      byte $9B from $DD to $55
      byte $A6 from $BB to $2D


Now the copy of Zorro would boot.  But
after a few moments, there was another
disk check routine verifying the
original disk.  Using the Senior PROM
to interrupt the program and
Disassemble at the Program Counter,
the routine was found at $D4D5 in Bank
2 of the Banked Switch Memory.  This
routine was very easy to defeat by
putting a "Return from Subroutine" at
the very beginning of the routine.  Of
course the Return from Subroutine
instruction had to be encoded using
the previous routine before written to
the disk.  Here is the sector edit
necessary to defeat the routine:

Track $00, sector $05
      Byte $D5 from $7B to $C0

And the disk is deprotected!
----------------------------


In cookbook form, here is the
procedure:

1)    Boot your DOS 3.3 Systems disk,
      and then type CTRL C at the slot
      prompt.

2)    Then type:

      ]CALL-151
      *302:14
      *35F:14
      *2B0:A9 00 8D D1 02 8D D2 02 60
      *2DC:20 B0 02 A9 FF
      *2E6:F8
      *3D0G

      ]70

      ]258 POKE 47335,213: POKE
      47345,170: POKE 47356,173: POKE
      47445,213: POKE 47455,170: POKE
      47466,150

      ]248 POKE 47335,213: POKE
      47345,170: POKE 47356,173: POKE
      47445,213: POKE 47455,170: POKE
      47466,150

      ]197 POKE 47335,169: POKE
      47345,186: POKE 47356,247: POKE
      47445,202: POKE 47455,238: POKE
      47466,221

      ]RUN

3)    Copy the original Zorro disk to
      a blank disk.

4)    Run your favorite sector editor
      and copy track $00 from the
      original Zorro disk to track $00
      of the disk you just copied in
      the above step.

5)    Using the sector editor, make
      the following edits to the copy
      of Zorro:

Track $00, sector $02
      byte $23 from $53 to $AB
      byte $2D from $75 to $55
      byte $38 from $EF to $5B
      byte $91 from $95 to $AB
      byte $9B from $DD to $55
      byte $A6 from $BB to $2D

Track $00, sector $05
      Byte $D5 from $7B to $C0

6)    Write these sectors back out to
      your COPYA version of Zorro.


And you're all done!

-the Disk Jockey-
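The Zorro post above describes the address and data prolog bytes as road markers RWTS steers by, the Teleporter post finds tracks $00-0E carrying a changed epilogue ($ED AA) that the check at $B988 rejects, and the Star Trek post calls its target a "4+4" load. The Python below is an added example, not code from the original page or from any of the posters, that models the part of RWTS those posts are patching around: it scans a nibble stream for the address prolog of a chosen format, decodes the 4-and-4 encoded volume, track, sector and checksum that follow, and checks the epilog. The format tables hold only the prolog and epilog values the posts report, with DOS 3.3's own as the baseline; the Teleporter entry keeps standard prolog bytes, which that post does not mention changing. The nibble stream it scans is constructed here, not read from a drive, and uses runs of $FF in place of real sync bytes.

```python
# Added example: address-field scanner for an Apple II nibble stream with
# per-format prolog/epilog bytes.  Not code from the original page.
from typing import Dict, List

# Prolog/epilog tables.  STANDARD is DOS 3.3's own; the other two use only the
# values the Zorro and Teleporter posts report.  RWTS checks two epilog bytes
# (the $EB that follows on a real disk is not checked), so two are modelled.
STANDARD = {"addr": b"\xD5\xAA\x96", "data": b"\xD5\xAA\xAD", "epilog": b"\xDE\xAA"}
ZORRO = {"addr": b"\xCA\xEE\xDD", "data": b"\xA9\xBA\xF7", "epilog": b"\xDE\xAA"}
TELEPORTER_LOW = {"addr": b"\xD5\xAA\x96", "data": b"\xD5\xAA\xAD", "epilog": b"\xED\xAA"}  # tracks $00-0E


def encode44(v: int) -> bytes:
    """4-and-4 encoding: odd bits of v in the first nibble, even bits in the
    second, with the spare bit positions set so both bytes have bit 7 on."""
    return bytes([((v >> 1) | 0xAA) & 0xFF, (v | 0xAA) & 0xFF])


def decode44(b1: int, b2: int) -> int:
    """Inverse of encode44, the way RWTS recombines the two nibbles."""
    return ((b1 << 1) | 1) & b2 & 0xFF


def address_field(volume: int, track: int, sector: int, fmt: Dict) -> bytes:
    """Prolog, then volume/track/sector/checksum as 4-and-4 pairs, then epilog.
    The eight encoded bytes are the 'next eight bytes' the Zorro post mentions."""
    return (fmt["addr"] + encode44(volume) + encode44(track) + encode44(sector)
            + encode44(volume ^ track ^ sector) + fmt["epilog"])


def find_address_fields(stream: bytes, fmt: Dict) -> List[Dict]:
    """Walk the stream as RWTS does: find the address prolog, decode the eight
    bytes after it, then verify checksum and epilog.  With STANDARD, a field
    written in another format is simply never found (the 'unreadable' tracks
    of the Zorro post), and a field with a foreign epilog is found but fails
    epilog_ok (what the $B988 check rejects in the Teleporter post)."""
    fields = []
    i = stream.find(fmt["addr"])
    while i >= 0:
        body = stream[i + 3:i + 11]
        if len(body) < 8:
            break
        vol, trk, sec, chk = (decode44(body[k], body[k + 1]) for k in (0, 2, 4, 6))
        fields.append({
            "volume": vol, "track": trk, "sector": sec,
            "checksum_ok": (vol ^ trk ^ sec) == chk,
            "epilog_ok": stream[i + 11:i + 13] == fmt["epilog"],
        })
        i = stream.find(fmt["addr"], i + 1)
    return fields


def build_sample_stream() -> bytes:
    """Constructed nibble stream (not a drive dump): three Zorro-format address
    fields for track $01 and one standard-prolog field for track $03 carrying
    Teleporter's $ED AA epilog.  $FF runs stand in for sync bytes."""
    gap = b"\xFF" * 5
    fields = [address_field(254, 0x01, s, ZORRO) for s in (0, 7, 14)]
    fields.append(address_field(254, 0x03, 5, TELEPORTER_LOW))
    return gap + gap.join(fields) + gap


if __name__ == "__main__":
    s = build_sample_stream()
    for name, fmt in (("STANDARD", STANDARD), ("ZORRO", ZORRO), ("TELEPORTER_LOW", TELEPORTER_LOW)):
        print(name)
        for f in find_address_fields(s, fmt):
            print("   ", f)
```

The two failure modes the posts deal with show up as two different results here: a foreign prolog makes the field invisible to a standard scan, while a foreign epilog leaves the field readable but flagged, which is why the Teleporter fix is a two-byte patch to the epilog compare and the Zorro fix needs the prolog compares rewritten.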

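The routine the Zorro post loads at $900 brute-forces, for a wanted memory byte in $07, the disk byte that decodes to it. The Python below is an added example, not code from the original page or from the poster, that mirrors that routine instruction by instruction, shows that what it computes is a plain 8-bit rotate right (so the disk byte for a memory byte is the rotate left, and no search is needed), and derives the complete sector-edit table the post gives from the memory-level changes the post describes. It goes beyond the post only in checking all 256 values. The memory-side bytes are the ones the post names (the protected and standard prolog bytes, and the RTS opcode $60); the post does not state the memory byte that the RTS replaces at $D4D5, so it is obtained here by decoding the $7B the post found on disk, which gives $BD.

```python
# Added example: the Zorro on-disk byte "encoding", reconstructed from the
# post's $900 routine.  Not code from the original page.

def disk_byte_for(mem_byte: int) -> int:
    """Mirror of the routine at $900: X counts up from $00; for each X the
    routine does LDA X / PHA / LSR (carry := bit 0 of X, shifted A thrown
    away by PLA) / ROR (A := X >> 1 with that carry entering bit 7) and stops
    when the result equals the wanted memory byte in $07.  X is the disk byte."""
    for x in range(256):
        carry = x & 1                                  # LSR: C <- bit 0
        ror_through_carry = (x >> 1) | (carry << 7)    # ROR A after PLA restored X
        if ror_through_carry == mem_byte:
            return x
    raise ValueError(f"no disk byte decodes to ${mem_byte:02X}")


def ror8(v: int) -> int:
    """Closed form of what the loop computes: disk byte -> memory byte."""
    return ((v >> 1) | ((v & 1) << 7)) & 0xFF


def rol8(v: int) -> int:
    """Its inverse: memory byte -> disk byte, with no search."""
    return ((v << 1) | (v >> 7)) & 0xFF


# Memory-level patches from the post: (sector, byte in sector, from, to), all
# on track $00.  Sector $02 holds the prolog compares the post found at
# $D123/$D12D/$D138 and $D191/$D19B/$D1A6; sector $05 holds the disk check at
# $D4D5 whose first byte becomes RTS ($60).  The pre-patch byte at $D4D5 is
# not stated by the post; it is decoded here from the $7B the post found.
ZORRO_MEMORY_PATCHES = [
    (0x02, 0x23, 0xA9, 0xD5), (0x02, 0x2D, 0xBA, 0xAA), (0x02, 0x38, 0xF7, 0xAD),  # data prolog
    (0x02, 0x91, 0xCA, 0xD5), (0x02, 0x9B, 0xEE, 0xAA), (0x02, 0xA6, 0xDD, 0x96),  # address prolog
    (0x05, 0xD5, ror8(0x7B), 0x60),                                                 # RTS over disk check
]


def derive_sector_edits(patches):
    """Turn memory-level patches into on-disk 'from X to Y' sector edits."""
    return [(sector, byte, disk_byte_for(old), disk_byte_for(new))
            for sector, byte, old, new in patches]


if __name__ == "__main__":
    for sector, byte, frm, to in derive_sector_edits(ZORRO_MEMORY_PATCHES):
        print(f"Track $00, sector ${sector:X}, byte ${byte:02X} from ${frm:02X} to ${to:02X}")
```

Because the transform is a bijection, the "from" column is as good a check as the "to" column: if the bytes on your copy do not decode to $A9 BA F7 and $CA EE DD at those offsets, the sector was not produced by this loader and the edits should not be applied.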

Back to contents

Pirates Harbor