💾 Archived View for gemini.spam.works › mirrors › textfiles › apple › CRACKING › krackcyclod2.txt captured on 2020-10-31 at 21:20:11.
View Raw
More Information
-=-=-=-=-=-=-
- **************************************
- *
- KRAKOWICZ'S *
- KRACKING KORNER *
- NUMBER 2 *
- *
- **************************************
NOTICE -- IF YOU HAVEN'T READ EPISODE NUMBER ONE, PLEASE DO SO BEFORE TRYING TO MAKE SENSE OF THIS ONE.
WELCOME BACK! LAST WEEK WHEN WE LEFT WE WERE MIRED DEEP IN THE SANDS OF SIRIUS AND THEIR INFERNAL COPY GUARD. WE'LL FINISH THAT THIS WEEK AND PROCEED TO THE TOPIC OF CRACKING JUGGLER NEXT WEEK.
REFERRING TO LAST WEEK'S WORK, WE HAD LOOKED AT THE REASONS THAT NORMAL COPIERS WILL FAIL TO COPY BANDITS, CYCLOD, ETC, AND WERE TALKING ABOUT THE MAIN LOADING PROCESS WHEN WE WERE RUDELY INTERRUPTED BY AN ARBITRARY 500 LINE LIMIT FOR A NETWORKS TEXT FILE. RETURNING TO THAT, YOU WILL NOTE FROM THE LOAD PROCESS THAT EACH TRACK IS ALWAYS LOADED INTO THE SAME RANGE OF MEMORY, SINCE THE LOADER ALWAYS PICKS THE STARTING LOCATION FROM THE TABLE AT 7AB UP. IT IS POSSIBLE, THEN, TO USE THE LOADER TO LOAD THE PROGRAM INTO MEMORY FOR THE FIRST REAL STEPS IN CRACKING THE PROGRAM. OUR EVENTUAL GOAL IS, AS ALWAYS, TO SAVE THE PROGRAM AS A BINARY FILE.
TO BEGIN THE PROCESS, LOAD YOUR SINGLE TRACK LOADER INTO LOCATIONS 1400-17FF. CHANGE LOCATIONS 1440-1442 TO '4C 4F 04 ' TO AVOID THE CHECKSUM ON THE SCREEN MEMORY, THEN CHANGE 172B-172D TO '4C 59 FF'(JUMP TO RESET): NORMALLY, WE WOULD JUST INSERT A 00 (BRK) INSTRUC- TION, BUT SIRIUS HAS,AS USUAL, TRAPPED THE BREAK VECTOR TO A REBOOT ROUTINE. THE FOLLOWING CHANGES MAKE LIFE EASIER FOR THE INTREPID CRACKER - CHANGE LOCATIONS 1402-1403 TO 'A2 60' (PUT 60 IN THE X-REG TO REFERENCE SLOT 6 FOR ALL DISK OPERATIONS), THEN CHANGE 141C- 141E TO THREE NOP'S - EA EA EA. THIS ROUTINE SHOULD BE SAVED TO A NORMAL DOS DISK BY "BSAVE HALTLOAD,A$1400, L$400". WHEN RUN, IT WILL LOAD THE PROGRAM, DECRYPT THE CODE, AND HALT IN THE MONITOR AFTER A RESET.
PUT THE ORIGINAL IN DRIVE 1 (IT IS WRITE-PROTECTED, ISN'T IT?), AND TYPE IN, FROM THE MONITOR :
400<1400.17FFM 400G
THE DRIVE WILL RUN AND RAPIDLY LOAD IN TRACKS 1 - 11. THE LOAD LOCATIONS OF THESE TRACKS, TAKEN FROM THE TABLE AT 7AB ARE:
TRACK # START END
------- ----- -----
1 4000 4BFF
2 4000 4BFF
3 4000 4BFF
4 4000 4BFF
5 4000 4BFF
6 4000 4BFF
7 4000 4BFF
8 0A00 15FF
9 1600 21FF
A 6000 6BFF
B 6C00 77FF
C 7000 7BFF
D 7C00 87FF
E 8800 93FF
F 9000 9BFF
10 9600 A1FF
11 A200 ADFF
THERE ARE TWO INTERESTING THINGS ABOUT THE LIST, AND ONE SUSPICIOUS. SIRIUS WAS KIND ENOUGH TO LEAVE MOST OF BOTH HI-RES PAGE OPEN TO US, SO YOU CAN "FOLD-IN" SOME OF THE PROGRAM WHERE ITS FEET STICK OUT FROM UNDER DOS'S BLANKET AT 9600 (ACTUALLY 9D00). SECOND, THERE IS SOME OVERLAPPING AMONG THE TRACKS; THE ORDER IN WHICH THEY ARE LOADED COULD BE CRUCIAL. FINALLY, THE FACT THAT TRACKS 1 TO 7 LOAD IN FROM 4000 TO 4BFF PROBABLY INDICATES THAT THEY GET LOADED IN AT LEVEL CHANGES (WE KNOW THERE ARE 20 LEVELS, SO THAT DOESN'T SOUND QUITE RIGHT, BUT KEEP IT IN MIND) . TYPE 2200<9600.ADFFM TO PUT THE HIGH STUFF FROM 2200 TO 37FF. NEXT, BOOT A SLAVE DISKETTE (REMEMBER THAT BOOTING A SLAVE DISKETTE ONLY DESTROYS 800-8FF AND LEAVES 900-9D00 UNTOUCHED, WHILE BOOTING A MASTER WIPES OUT 1B00-3FFF), AND SAVE THE GAME WITH BSAVE CYCLOD1, A$A00,L$8C00 (IF YOU GET A RANGE ERROR, TRYING TO SAVE A LONG BINARY FILE, YOU NEED TO CHANGE LOCATION A964 FROM 7F TO BF). THIS FILE CONTAINS ALMOST ALL OF THE MEMORY REQUIRED TO RUN THE GAME, BUT THE CRUCIAL PARTS AT 0-7FF ARE MISSING. TO CATCH THIS PART OF MEMORY NORMALLY REQUIRES A MODIFIED 'F8' ROM, SUCH AS THE KRAKROM (MUCH MORE ABOUT THIS SUBJECT IN FUTURE EPISODES), BUT WE CAN DO IT WITH SOFTWARE IN THIS CASE, SINCE WE HAVE A CLEAN 'HALT' LOCATION TO REFERENCE FROM.
LOAD IN HALTLOAD AND THIS TIME CHANGE LOCATIONS 142A-142C TO 4C 38 04 TO AVOID THE MEMORY WIPE ROUTINE AT LOC 7CF. CHANGE 172B-2D TO 4C 00 08; ADD THE FOLLOWING SHORT ROUTINE:
800: LDY #0 ;SEE BELOW
LDA $00,Y
STA $1000,Y
INY
BNE $802
INC $805
INC $808
LDA $808
CMP #$14
BNE $802
JMP $FF59
THIS IS A STANDARD MOVE ROUTINE WHICH PUTS THE CONTENTS OF ZERO PAGE, THE STACK, THE KEYBOARD BUFFER AND 300-3FF UP AT LOCATIONS 1000-13FF. SINCE WE "JUMP" TO LOCATION 8EA6 TO BEGIN, WE DON'T NEED TO WORRY ABOUT SUBROUTINE RETURNS AND THE STACK POINTER, AND THE PROCESSOR STATUS WORD IS PROBABLY OKAY AS IT SITS. SINCE LOCATIONS 400-7FF CONTAIN THE LOADER PROGRAM WHICH IS TOTALLY USELESS FOR A DOS DISK, IT NEED NOT BE SAVED. NOTICE THAT IT'S BETTER TO WRITE THIS ROUTINE WITH THE LDA 00,Y SINCE THERE IS NO LDA 00,Y WHICH REFERS SPECIFICAL- LY TO ZERO PAGE AS THERE IS FOR LDA 00, X. (KEEPS THE MINI-ASSEMBLER FROM SCREWING YOU UP).
AGAIN, TYPE IN 400<1400.1820M 400G AND AWAIT THE RESET BEEP. YOU CAN NOW BOOT A SLAVE (A LITTLE S&M) AND SAVE THIS STUFF AS CYLOW,A$1000,L$400. NOW RELOAD YOUR CYCLOD1 FILE, LOAD CYLOW AT 5000, AND BSAVE THE NEW FILE AS 'CYCLOD2,A$A00,L$4C00'.
NOW, WITH THE GAME NESTLED ALL SAFE AND SNUG IN BINARY FILES, IT'S TIME TO SEE IF WE CAN DO SOMETHING ABOUT THOSE DISK ACCESSES WHICH OCCUR EVERY TIME WE ELEVATE TO A NEW LEVEL. EXPERIENCE HAS TAUGHT THAT A DISK ACCESS UNDER THIS SYSTEM IS A 'JSR 400'. YOU CAN PUZZLE IT OUT IF YOU STARE AT THE CODE LONG ENOUGH, BUT TAKE MY WORD FOR IT FOR NOW. SEARCHING THROUGH MEMORY WITH THE INSPECTOR IN 'FIND' MODE SET FOR 20 00 04, YOU WILL FIND ONLY ONE CALL (THIS IS IN MARKED CONTRAST TO BANDITS, WHERE THERE WERE THREE SEPARATE CALLS, EACH OBSCURED WITH A SLIGHTLY DIFFERENT EXCLUSIVE-OR TECHNIQUE AND A COMPLEX ALGORITHM TO COMPUTE THE EX-OR BYTE). YOU SHOULD APPRECIATE BY NOW HOW IMPOR- TANT IT IS TO AVOID ANY DISK ACCESSES, SINCE THE OLD SIRIUS LOADER IS USELESS FOR NORMAL DOS, AND PUTTING THE FILES INTO SPECIFIC TRACKS FOR RWTS ACCESS IS AT BEST WASTEFUL OF DISK SPACE, AND AT WORST NOT POSSIBLE (BANDITS, AGAIN) DUE TO MEMORY SPACE. LETS SPEND A FEW MIN- UTES, THEN TO ANALYZE THE CODE SURROUN- DING THE DISK CALL AT 8262:
8236- 00 BRK
8237- A9 30 LDA #$30
8239- 85 53 STA $53
823B- AD 45 70 LDA $7045
823E- A2 00 LDX #$00
8240- 8E 35 82 STX $8235
8243- C9 04 CMP #$04
8245- 30 09 BMI $8250
8247- 38 SEC
8248- E9 03 SBC #$03
824A- EE 35 82 INC $8235
824D- 4C 43 82 JMP $8243
8250- 8D 36 82 STA $8236
8253- EE 35 82 INC $8235
8256- AD 35 82 LDA $8235
8259- 0A ASL
825A- 85 57 STA $57
825C- 18 CLC
825D- 69 01 ADC #$01
825F- 8D 37 04 STA $0437
8262- 20 00 04 JSR $0400
8265- CE 36 82 DEC $8236
8268- AD 36 82 LDA $8236
826B- 0A ASL
826C- 0A ASL
826D- 0A ASL
826E- 8D 00 70 STA $7000
8271- 0A ASL
8272- 18 CLC
8273- 6D 00 70 ADC $7000
8276- 85 00 STA $00
8278- A9 40 LDA #$40
827A- 85 01 STA $01
827C- A0 17 LDY #$17
827E- B1 00 LDA ($00),Y
8280- 99 00 10 STA $1000,Y
8283- 88 DEY
8284- 10 F8 BPL $827E
8286- A5 53 LDA $53
8288- 09 15 ORA #$15
828A- C9 BF CMP #$BF
828C- F0 05 BEQ $8293
828E- A9 01 LDA #$01
8290- 8D 9D 7B STA $7B9D
8293- A9 40 LDA #$40
8295- 8D 5B 70 STA $705B
8298- A9 60 LDA #$60
829A- 8D 5C 70 STA $705C
829D- 20 CC 76 JSR $76CC
82A0- A9 20 LDA #$20
82A2- 8D 5B 70 STA $705B
82A5- A9 40 LDA #$40
82A7- 8D 5C 70 STA $705C
82AA- 60 RTS
THE ROUTINE FROM 8237 TO 8264 DETER- MINES WHICH TRACK TO READ IN BY LOOKING AT THE GAME LEVEL IN LOCATION 7045. IF THE LEVEL IS ABOVE 3, IT SUBTRACTS 3 AND INCREMENTS LOCATION 8235. THIS BECOMES THE TRACK NUMBER TO LOAD FROM, AS FOLLOWS:
LEVEL TRACK
1-3 1
4-6 2
7-9 3, ETC
AND LOCATION 8236 CONTAINS THE REMAIND- ER AFTER THE TRACK*3 IS SUBTRACTED. AFTER THE TRACK IS LOADED (JSR 400), THIS NUMBER IS MANIPULATED TO GIVE 0, 18, OR 30 (HEX) WHICH IS STORED AT LOCN 0. THE 18 BYTES POINTED TO BY 0 & 1 ARE THEN STORED AT 1000-1017:
LEVEL LOCATIONS TRACK#
1 4000-4017 1
2 4018-402F 1
3 4030-4047 1
4 4000-4017 2
5 4018-402F 2
6 4030-4047 2, ETC
THE ROUTINE AT 8288 CHECKS TO SEE IF YOU ACCESSED THE RIGHT DISK (OR JUST MAYBE CHECKS TO SEE IF YOU DIDN'T DO IT), AND THEN CLEARS ALL OF BOTH(!) HI-RES PAGES AT 8293-82AA.
=>NOTE CAREFULLY<=
SINCE ALL THE REST OF THE TRACK THAT WAS LOADED IN AT 4000-4BFF IS WIPED BY THE SCREEN CLEAR, ONLY THOSE 18 BYTES WERE REALLY USED TO ESTABLISH THE GAME LEVEL AFTER ACCESSING THE DISK. OBVIOUSLY, SIRIUS IS MAKING IT UNNECESSARILY HARD IN ORDER TO USE THE DISK AND MAKE LIFE DIFFICULT FOR THE CRACKIST. HERE'S HOW WE GET AROUND IT: LOAD IN YOUR OLD FRIEND HALTLOAD, AND CHANGE THE FOLLOWING LOCATIONS IN THE TRACK LOAD ADDRESS TABLE:
ADD OLD NEW
7AC 40 58
7AD 40 59
7AE 40 5A
7AF 40 5B
7B0 40 5C
7B1 40 5D
7B2 40 5E
7B3 0A 00 (TO END)
DO THE SAME LOAD ROUTINE AS WE DID EARLIER TO GET THE MAIN PROGRAM IN. THIS WILL LOAD IN EVERYTHING WE NEED FOR ALL THE LEVELS, AND ELIMINATE MOST OF THE GARBAGE. BOOT THE SLAVE AGAIN, AND BSAVE TRACKS,A$5800,L$700. NEXT WRITE A SHORT SUBROUTINE TO PICK UP THE RIGHT RANGE OF MEMORY AND THE RIGHT GROUP OF THE THREE 18-BYTE LEVEL BLOCKS AND STORE IT IN LOCNS 1000-1017. SAVE THIS ROUTINE IN MEMORY, AND LATER TUCK IT INTO LOCNS 3800-38FF OF THE MAIN FILE. FINALLY, MAKE ONE BIG FILE WHICH CONTAINS ALL OF THE ABOVE PIECES AND ROUTINES, AND WRITE A SHORT MEMORY MOVE ROUTINE (OR USE MASTERKEY PLUS) TO UNFOLD ALL OF THIS 'TUCKED- IN' MEMORY AFTER THE PROGRAM IS LOADED. THE FOLLOWING LIST IS APPROXIMATELY WHAT I USED FOR THE SINGLE 144-SECTOR BINARY FILE:
ROUTINE STORAGE UNFOLDED
NAME LOCATION LOCATION
--------- --------- ---------
MAIN PRG 0A00-9600 0A00-9600
MOVER 0900-09FF 0900-09FF
HIPART 2200-37FF 9600-ADFF
LEVLCALC 3800-38FF AE00-AEFF
CYLOW 5000-53FF 0000-03FF
TRACKS 5800-5EFF B000-B6FF
A COUPLE OF MINOR CHANGES, AND WE'RE DONE: CHANGE LOCNS 8262-8264 TO '20 00 AE' TO JSR TO YOUR LEVLCALC AND LOAD PROGRAM INSTEAD OF THE DISK, AND CHANGE 8265-8267 TO '4C 93 82' (JMP TO SCREEN CLEAR). MAKE SURE YOUR MOVER ROUTINE ENDS WITH A JMP 8EA6 TO START THE GAME, AND YOU ARE SET TO BSAVE CYCLOD,A$900,L$8D00 AS A SINGLE FILE WHICH YOU CAN 'BRUN' TO YOUR HEART'S CONTENT.
==> SPECIAL NOTICE - IF ANYONE OUT THERE GOT THE PRELIMINARY, BUGGY VERSION OF CYCLOD THAT SAYS "I KNOW IT'S NOT PERFECT", TALK TO THE SYSOP - HE'S IN A POSITION TO SOLVE YOUR PROBLEM WITH THE CORRECTED VERSION.
- **************************************
- *
- THAT'S IT FOR CYCLOD - TUNE IN NEXT *
- WEEK (OR SO) FOR THE CONTINUING *
- ADVENTURE IN KRACKLAND. OUR NEXT *
- EDITION WILL DETAIL THE CRACKING OF *
- *
- # # # J U G G L E R # # # *
- *
- MEANWHILE, HAPPY KRACKING FROM *
- *
- =>KRAKOWICZ<= *
- *
- **************************************