💾 Archived View for gemini.spam.works › mirrors › textfiles › apple › CRACKING › copyprot.app captured on 2020-10-31 at 21:22:21.

View Raw

More Information

-=-=-=-=-=-=-

#44 : COPY PROTECTION
295 LINES - 59 SECTORS
CONTRIBUTED BY DIAMOND JIM
-----*

COPY PROTECTING YOUR OWN DISKS
BY THOMAS T. BRYLINSKI
08/04/82


INTRODUCTION:

  For those new-commers to the world of APPLE Computers, and to the history of
software development, here is a brief summary.	In ancient times (1978-1979),
the APPLE Corporation was just getting started , and absolutely no software was
available for your $1530 toy.  So most people who bought this expensive little
tan box had to write their own software.  If you were among the more fortunate
users who had a good sales pitch, you talked your boss into buying you an APPLE,
and then spent your company's time learning the in's and out's of programming.
In any case, you could not purchase ANY good software for your mac hine.
Shortly after the first early programmers crawled out of their shells, APPLE
users groups started to form.  The prime function of these groups was to share
programs and to exchange the secrets which one had learned in the previous
month.	(also it was a good excuse to get away from the kids at home, for a
night)!  Four or five months passed and a few early programmers got the idea
that they would market their software and make a few bucks for their hard hours
programming.  And thus, the first APPLE soft ware companies formed.  These
companies were very small and usually started in someone's basement.  The prime
buyers of this software were the APPLE DEALERS.  The dealers could now
demonstrate these marvelous machines with some "GREAT" software.  By the way,
this great software came on cassettes, (you know, those little plastic things
you used to record music on).  These cassettes were copyable by normal means,
(eg.  tape recording), and the dealers started giving some programs away with
each system that theys old.

  In the summer of the DARK AGES (1979), APPLE COMUPTER released their first d
isk drive system (3.2 DOS).  This disk system made copying programs easier,
faster, and much more reliable.  At this time copying was encouraged by both
programmer and dealer.	So on the software companies realized the increasing
market for their products, and theorized that if they could produce a disk that
could not be copied by normal means they could sell more software, hence more
profit.  APPLE'S disk system was the perfect answer to their problem.  APPLE
chose to make their disk system totally "SOFT", which means that all information
pertaining to the disk operation is stored on disk .  This information is then
loaded into RAM (random access memory), upon a system boot (PR#6).  All commands
typed at the keyboard are examined by the "disk operating system" (DOS), and
then by the apple ROM's (that row of big fat chips inside the machine).  Now the
software writers had an edge on the normal user, change how the APPLE responds
to user commands, and keep them out of your programs.  The only problem was that
the copy program that came with your disk drive was able to copy the complete
disk.  With a "soft" DOS, the programmers could change how the information is
read from disk and modify their DOS to read it.  As Apple users became more
aware of the internal workings of their machines, programmers made more and more
changes to DOS, and the race was on!

  So much for the history lesson (boring out-of-date information anyway), and o
n to the meat of the lecture.


TERMS USED IN THE TEXT:

  BIT-	  the smallest piece of information that the computer can recognize or
	  process.
  NIBBLE- four bits in a row, or a block
  BYTE-   eight bits in a row or block.  It is the smallest piece of information
	  that people like to work with.  (00000000)
  VTOC-   Volume Table Of Contents:  DOS uses this sector to tell it which
	  sectors are used and which are free on the disk.

  SELF-SYNC BYTE- a special byte used for locating information on the disk.
		  This byte differs from a normal byte in that it is made up of
		  nine bits.  (111111111)





PROTECTION METHODS


  DISK COMMAND CHANGES- changes to the DOS that make those familiar words like
Load, Delete, and Save, give the user that cold, unforgiving response...SYNTAX
ERROR

  CATALOG TRACK LOCATION- moving the catalog to a non-standard track (normally
track HEX $11, DEC 17)

  CHECKSUM ALTERATION- the portion of each sector that DOS automatically checks
to make sure that the information it has read is correct.

  $D6,VECTOR- an Applesoft pointer used by the machine to make "carriage return"
= RUN.

  LOADER DOS- a DOS whose sole purpose is to Load and execute one program from
disk.

  HALF-TRACKING- writing information between the normal tracks on the disk.

  DOS HOOK- designating a specific track on the disk, where the only information
on the track is a track & sector number, to tell DOS where to read next.

  PROGRAM LOCK- a line of programming that looks at a specific memory location
 and compares its contents to a programmed number.  (x=peek(y))

HARDWARE LOCK- Using a hardware modification to lock the program.

  NIBBLE COUNTING- setting aside a specific track on the disk where a number of
self-sync nibbles are written.









TOOLS FOR LOCKING PROGRAMS


DOS BOSS - Beagle Brothers Software
BEANETH APPLE DOS - Quality Software
PROGRAMMER'S AIDS - Dakin 5 Corporation
BAG OF TRICKS - Quality Software
SUPER DISK COPY - Sensible Software
TASC - Microsoft
THE EXPEDITER - On Line Systems
THE DOS MANUAL - Apple Computer Corporation
APPLE II REFERENCE MANUAL - Apple Computer Corporation
WHAT'S WHERE IN THE APPLE - William F. Luebbert
SOFTALK magazine
NIBBLE magazine


  If you are familiar with the above manuals, software, and periodicals you ar e
well on your way to locking programs.  Also you will need use of one of the nib
ble copiers on the market such as, LOCKSMITH, NIBBLES AWAY, or CLONE.  CLONE is
my choice because it is very fast compared to the others.


LOCKING TECHNIQUES:

MESS UP DOS

  Change some or all of the DOS commands.  This in itself may be enough to prot
ect your programs.  Go a little further.  Bury some control characters in the
cata log.  (control chrs.  don't print usually).  Change "CATALOG" to "LIST" and
the Bas ic command "List " becomes unusable.  Try it, you can't "list" a program
in memory.  Duplicate DOS commands are great.  Only the first one encountered
will work.  Confuse the user by changing the disk error messages.  For example
do the following:

 1) Change the SAVE command to STORE
 2) Change the READ command to SAVE
 3) Change the "NOT DIRECT COMMAND" error
    message to "NOT COPYABLE"

  Now when anyone tries to load and save your program you get the "NOT COPYABLE"
error message because he used the wrong command!  *** EXPERIMENT ***

  Now the following can be done to any disk you want.  We will move the catalog
track from track $11 to track $5, just for convenience mind you.

 1) Boot your favorite 3.3 system master to load DOS
 2) Placeyour DOS BOSS disk in the drive and type:LOAD DOS BOSS (return)
 3) Type: Poke 44033,5 (return)
 4) Place a blank disk into the disk drive and close the door. (something your
    parents keep telling you to do.)
 5) Type: RUN (return)
 6) Change a few commands...any one you want!
 7) Before you leave DOS BOSS, change the disk volume heading to" SYNTAX ERROR"
 ... Don't forget the ctrl-G at the end!
 8) Exit the DOS BOSS program.
 9) Type: NEW (return) <--(by now you should remember)
 10) Type: INIT HELLO
 11) Wait a minute or so and pull the disk out of the drive.
 12) Boot your system master again and try to catalog the disk you've just init
     iallized.


  If you have not noticed by now 44033 is the memory location that holds the
cata log track number.	Type:  PRINT PEEK(44033), and you will see that DOS is
looking at track 17 to find the catalog.  Now if one were rather clever you
would use som ething like SUPE R DISK COPY to copy the catalog track from
another disk onto your modified disk .	Also it will be necessary to change VTOC
so that you do not overwrite real fil es on the disk.  VTOC is normally located
on track $11, sector $00.  However the V TOC to fix on yo ur modified disk i **

   T0 SYNC: 18=20 19=00 40=20 44=DD 45=AD
	    46=DA 72=00 73=00 77=00
	    78=00 79=12 7C=00

   T1.5-TB.5  SYNC
   TD-T20  SYNC



  BORG **

   T0: 18=20 19=00 40=20 4D=00 4E=00
       52=00 53=00 54=12 57=00
       72=00 73=00 77=00 78=00 79=12
       7C=00 44=DD 45=AD 46=DA

   T1.5-TC.5 SYNC
   TD-T20 SYNC



BPI BUSINESS ACCTING SYSTEM (4 DISKS)

       (REVISED 10-26)

  T0-T22: 19=00 21=02 58=19 59=06	     5A=1A 5B=FF BD=44 BE=E6
  BF=45 C0=FF C1=40 C2=01

	   C4=44 program RUN when any command is issued.


  POKE 1010,102:  POKE 1011,213:  POKE 1012,112 -- Makes RESET run the program
in m emory.

POKE 2049,1 -- Makes the first program line list repeately.


  Well by this time you should be bored stiff or really into learning copy pro
tection.  If the latter is the case continue to read, if the former, re-boot the
system and fire up your favorite game.

  Now we shall take on the heavier ways to protect.  If you were reading carefu
lly to this point, you now should know how to change your DOS commands and chang
e the catalog track.  Also if you were experimenting you should have a few other
tricks under you r belt.  So, if you're having trouble at this point it would be
advised to start at the beginning!

  In this section we will discuss the heavier ways of protection.



CHECKSUM ALTERATION:

  In each sector on the disk is a byte which is the Checksum.  This byte is the
last byte to be written into a sector.	The value of this byte varies with the a
mount of information stored in that sector.  Normal Apple DOS reads in the
inform ation on the sec tor, and then counts the bytes it has read.  It then
compares this number to the checksum, if they are equal it continues to read the
next sector.  If it is not equal DOS has made an error and tries to read it
again.	After three tries it sto ps and gives the user an error message.  In
order to change the checksum we must change the byte should also be noted at
this time, that your standard 3.3 DOS will no longer re ad this sector.

  Now in order to read this sector, we must disable the Checksum routine in DOS.
To do this from the keyboard type the following:

  1) CALL-151
  2) B942:18	 REM 3.3 DOS
       or
     B963:18	 REM 3.2 DOS

This changes a "set carry" instruction to a "clear carry" instruction.

  3) 3D0G

Now you're back in Basic.

  I hav'nt found a way to INIT a disk with this changed DOS yet, but by using
DAK IN 5 PROGRAMMERS AIDS you can change DOS directly on your disk with the
Patcher.  The data to be zapped resides on track 0, sector 3.

    Byte $42  change $38 to $18  REM 3.3 DOS

    Byte $63  change $38 to $18  REM 3.2 DOS




$D6, VECTOR:

  The D6 memory location in the Apple can set from Applesoft by typing POKE 21
4,255; OR from assembly by:

	     LDA  #$FF
	     STA  D6

  This is where the Applesoft Run pointer resides.  By putting a number larger
tha n 128 in this location Applesoft equates a carriage return with the
Applesoft RU N command.  Once set, all user commands cause the program in memory
to be execute d.


LOADER DOS:

  Loader DOS is the minimal DOS that can be utilized in the Apple.  It consists
of nothing more than RWTS and a table of track and sector numbers that are to b
e read in.  Loader DOS has no DOS commands, as its only function is to load a
pro gram, and start running it.  If you're interested in this consult the DOS
manual.  The manual exp lains how to write the look-up table and how to utilize
RWTS directly.




HALF-TRACKING:

  half- tracking is utilizing the tracks between the normal tracks on the disk .
This is possible because the disk drive is actually capable of writing to seve
nty tracks, as that is the number of stepped positions the read/write head has.
However one cann ot use these half tracks to double the amount of information
stored on the disk due to hardware constraints in the Apple drive unit.  In
order to use half track s the adjacent full tracks must not be written to
because of the high risk of ov erwriting or des troying information on the half
track.	It is only possible to write to half tra cks with assembly because the
programmer must toggle the soft stepper switch onl y once and then access RWTS
directly.


DOS HOOK:

  In order to use a DOS HOOK one has to first write their own RWTS portion of
DOS.  Then write or modify the DOS boot routines to supply RWTS with a track and
sector number and read that sector.  This information is taken as data for RWTS
a nd the next read .  A program that utilizes the hook very effectively is
MASTERTYPE from Lightning Software.




PROGRAM LOCK:

  This is no more than a combination lock that is built into the program.  To e
ffectively use it, it is necessary to modify the boot routine in DOS.  This is
done by moving the PROM boot routine down into RAM where we can change it to
stop after the first bootstrap routine is loaded.  This is done by typing:

 1) CALL-151
 2) 9600<C600.C700M
 3) 96F9:59 FF
 4) 9600G

  At this point the disk starts and loads the boot routine in at $800 but does
not execute it.  Now look at it by typing 800L.  Hit L a few more times until
you come to JMP $301.  The OP codes should be 4C 01 03.  This is the key that
you will look for on the d isk.  You will find them on track 00, sector 00 of
the disk.  Using PROGRAMMING A IDS you will be able to change this information
on the disk, and put into memory your own combination.	Do this by typing in the
OP codes for the following:

       LDA  #$XX      ;XX = PART OF COMB

       STA  YYYY      ;YYYY = MEMORY LOC

And don't forget to put the JMP $300 back in.

  Now all that is left is to doctor up your program to look for the combinatio n
that you stored in the boot.  Do this by PEEKing that memory location, and comp
aring the contents.





HARDWARE LOCK:

  I won't spend much time on this because it is the worst way to protect softw
are.  It works like this:  You have to plug in something that looks like an
integrated circuit into the game port.	That will simulate the game paddles set
at a specific spot.  The program then reads the port and compares the input to
the progeammed readings , if different....CRASH!!!




NIBBLE COUNTING:

  Unfortunately the only thing I know for sure about this is it must access the
memory locations C080-C08F+16*(SLOT #)



SUMMARY:

  If you choose to write your programs in Basic, it is a very good idea to comp
ile the source code.  The generated OP CODE is almost impossible to read or
change.  In this way you can hide all sorts of locking schemes.  Also don't
forget to use the ONERR Applesoft command, this will stop a ctrl-C Break from
Applesoft.

-----*