💾 Archived View for gemini.spam.works › mirrors › textfiles › apple › CRACKING › krackcyclod2.txt captured on 2020-10-31 at 21:20:11.

NOTICE -- IF YOU HAVEN'T READ EPISODE NUMBER ONE, PLEASE DO SO BEFORE TRYING TO MAKE SENSE OF THIS ONE.


WELCOME BACK!  LAST WEEK WHEN WE LEFT WE WERE MIRED DEEP IN THE SANDS OF SIRIUS AND THEIR INFERNAL COPY GUARD. WE'LL FINISH THAT THIS WEEK AND PROCEED TO THE TOPIC OF CRACKING JUGGLER NEXT WEEK.

REFERRING TO LAST WEEK'S WORK, WE HAD LOOKED AT THE REASONS THAT NORMAL COPIERS WILL FAIL TO COPY BANDITS, CYCLOD, ETC, AND WERE TALKING ABOUT THE MAIN LOADING PROCESS WHEN WE WERE RUDELY INTERRUPTED BY AN ARBITRARY 500 LINE LIMIT FOR A NETWORKS TEXT FILE. RETURNING TO THAT, YOU WILL NOTE FROM THE LOAD PROCESS THAT EACH TRACK IS ALWAYS LOADED INTO THE SAME RANGE OF MEMORY, SINCE THE LOADER ALWAYS PICKS THE STARTING LOCATION FROM THE TABLE AT 7AB UP.  IT IS POSSIBLE, THEN, TO USE THE LOADER TO LOAD THE PROGRAM INTO MEMORY FOR THE FIRST REAL STEPS IN CRACKING THE PROGRAM. OUR EVENTUAL GOAL IS, AS ALWAYS, TO SAVE THE PROGRAM AS A BINARY FILE.

TO BEGIN THE PROCESS, LOAD YOUR SINGLE TRACK LOADER INTO LOCATIONS 1400-17FF. CHANGE LOCATIONS 1440-1442 TO '4C 4F 04' (JMP $044F) TO AVOID THE CHECKSUM ON THE SCREEN MEMORY, THEN CHANGE 172B-172D TO '4C 59 FF' (JMP $FF59, THE MONITOR'S RESET ENTRY). NORMALLY WE WOULD JUST INSERT A 00 (BRK) INSTRUCTION, BUT SIRIUS HAS, AS USUAL, TRAPPED THE BREAK VECTOR TO A REBOOT ROUTINE; JUMPING STRAIGHT TO FF59 ENTERS THE MONITOR WITHOUT GOING THROUGH THE BRK AND SOFT-RESET VECTORS AT 3F0-3F4 THAT SIRIUS CONTROLS. THE FOLLOWING CHANGES MAKE LIFE EASIER FOR THE INTREPID CRACKER: CHANGE LOCATIONS 1402-1403 TO 'A2 60' (LDX #$60, SO THAT ALL DISK OPERATIONS REFERENCE SLOT 6), THEN CHANGE 141C-141E TO THREE NOP'S, EA EA EA. SAVE THE RESULT TO A NORMAL DOS DISK WITH "BSAVE HALTLOAD,A$1400,L$400". WHEN RUN, IT WILL LOAD THE PROGRAM, DECRYPT THE CODE, AND HALT IN THE MONITOR AFTER A RESET.

PUT THE ORIGINAL IN DRIVE 1 (IT IS WRITE-PROTECTED, ISN'T IT?), AND TYPE IN, FROM THE MONITOR :
        400<1400.17FFM 400G
THE DRIVE WILL RUN AND RAPIDLY LOAD IN TRACKS 1-11 (HEX). THE LOAD LOCATIONS OF THESE TRACKS, TAKEN FROM THE TABLE AT 7AB, ARE AS FOLLOWS (EACH TRACK OCCUPIES $C00 BYTES):

    TRACK #    START   END
    -------    -----   -----
       1       4000    4BFF
       2       4000    4BFF
       3       4000    4BFF
       4       4000    4BFF
       5       4000    4BFF
       6       4000    4BFF
       7       4000    4BFF
       8       0A00    15FF
       9       1600    21FF
       A       6000    6BFF
       B       6C00    77FF
       C       7000    7BFF
       D       7C00    87FF
       E       8800    93FF
       F       9000    9BFF
      10       9600    A1FF
      11       A200    ADFF

THERE ARE TWO INTERESTING THINGS ABOUT THE LIST, AND ONE SUSPICIOUS. SIRIUS WAS KIND ENOUGH TO LEAVE MOST OF BOTH HI-RES PAGES OPEN TO US (NOTHING LOADS INTO 2200-3FFF OR 4C00-5FFF), SO YOU CAN "FOLD IN" THE PART OF THE PROGRAM WHOSE FEET STICK OUT FROM UNDER DOS'S BLANKET AT 9600 (DOS PROPER STARTS AT 9D00; 9600-9CFF IS ITS FILE BUFFERS). SECOND, THERE IS SOME OVERLAPPING AMONG THE TRACKS (B AND C AT 7000-77FF, E AND F AT 9000-93FF, F AND 10 AT 9600-9BFF), SO THE ORDER IN WHICH THEY ARE LOADED COULD BE CRUCIAL. FINALLY, THE FACT THAT TRACKS 1 TO 7 ALL LOAD IN FROM 4000 TO 4BFF PROBABLY INDICATES THAT THEY GET LOADED IN AT LEVEL CHANGES (WE KNOW THERE ARE 20 LEVELS, SO THAT DOESN'T SOUND QUITE RIGHT, BUT KEEP IT IN MIND).

TYPE 2200<9600.ADFFM TO PUT THE HIGH STUFF DOWN AT 2200. NOTE THAT 9600-ADFF IS $1800 BYTES, SO IT OCCUPIES 2200-39FF (NOT 37FF); ANYTHING ELSE YOU TUCK INTO THIS AREA MUST GO ABOVE 39FF. NEXT, BOOT A SLAVE DISKETTE (REMEMBER THAT BOOTING A SLAVE ONLY DESTROYS 800-8FF AND LEAVES 900 UP TO DOS AT 9D00 UNTOUCHED, WHILE BOOTING A MASTER WIPES OUT 1B00-3FFF), AND SAVE THE GAME WITH BSAVE CYCLOD1,A$A00,L$8C00 (THAT IS 0A00-95FF). IF YOU GET A RANGE ERROR TRYING TO SAVE A BINARY FILE THIS LONG, CHANGE LOCATION A964 IN DOS FROM 7F TO BF.

THIS FILE CONTAINS ALMOST ALL OF THE MEMORY REQUIRED TO RUN THE GAME, BUT THE CRUCIAL PARTS AT 0-7FF ARE MISSING. TO CATCH THIS PART OF MEMORY NORMALLY REQUIRES A MODIFIED 'F8' ROM, SUCH AS THE KRAKROM (MUCH MORE ABOUT THIS SUBJECT IN FUTURE EPISODES), BUT WE CAN DO IT WITH SOFTWARE IN THIS CASE, SINCE WE HAVE A CLEAN 'HALT' LOCATION TO REFERENCE FROM.

LOAD IN HALTLOAD, AND THIS TIME CHANGE LOCATIONS 142A-142C TO 4C 38 04 (JMP $0438) TO AVOID THE MEMORY WIPE ROUTINE AT LOCATION 7CF, AND CHANGE 172B-172D TO 4C 00 08 (JMP $0800 IN PLACE OF THE JUMP TO RESET). THEN ADD THE FOLLOWING SHORT ROUTINE. THE LISTING SHOWS IT WHERE IT RUNS, AT 800; TYPE IT IN AT 1800 SO THAT THE 400<1400.1820M MOVE BELOW DROPS IT AT 800 ALONG WITH THE LOADER (GIVE THE BRANCH TARGETS AS 1802 WHEN YOU TYPE THEM; THE ABSOLUTE INC AND LDA OPERANDS ARE RUN-TIME ADDRESSES IN THE 800 PAGE AND GO IN AS LISTED):

 0800-   A0 00       LDY   #$00      ;,Y AND NOT ,X - SEE BELOW
 0802-   B9 00 00    LDA   $0000,Y   ;SOURCE PAGE IS THE HIGH BYTE AT 804
 0805-   99 00 10    STA   $1000,Y   ;DESTINATION PAGE IS THE HIGH BYTE AT 807
 0808-   C8          INY
 0809-   D0 F7       BNE   $0802     ;256 BYTES PER PASS
 080B-   EE 04 08    INC   $0804     ;NEXT SOURCE PAGE (805 IS THE STA OPCODE, NOT AN OPERAND)
 080E-   EE 07 08    INC   $0807     ;NEXT DESTINATION PAGE
 0811-   AD 07 08    LDA   $0807
 0814-   C9 14       CMP   #$14      ;DONE ONCE 0300 HAS GONE TO 1300
 0816-   D0 EA       BNE   $0802
 0818-   4C 59 FF    JMP   $FF59     ;INTO THE MONITOR VIA THE RESET ENTRY

THIS IS A STANDARD MOVE ROUTINE WHICH PUTS THE CONTENTS OF ZERO PAGE, THE STACK, THE KEYBOARD BUFFER AND 300-3FF UP AT LOCATIONS 1000-13FF. IT WORKS BY BUMPING THE HIGH BYTE OF THE LDA AND STA OPERANDS AFTER EACH 256-BYTE PAGE, AND STOPS ONCE THE STA HIGH BYTE REACHES 14. SINCE WE "JUMP" TO LOCATION 8EA6 TO BEGIN, WE DON'T NEED TO WORRY ABOUT SUBROUTINE RETURNS AND THE STACK POINTER, AND THE PROCESSOR STATUS WORD IS PROBABLY OKAY AS IT SITS. SINCE LOCATIONS 400-7FF CONTAIN THE LOADER PROGRAM, WHICH IS TOTALLY USELESS ON A DOS DISK, THEY NEED NOT BE SAVED. NOTICE THAT IT'S BETTER TO WRITE THIS ROUTINE WITH LDA $00,Y: THE 6502 HAS NO ZERO-PAGE,Y FORM OF LDA (AS IT DOES FOR LDA $00,X), SO THE MINI-ASSEMBLER IS FORCED TO EMIT THE THREE-BYTE ABSOLUTE,Y FORM (B9 00 00), WHICH HAS A HIGH BYTE FOR THE INC TO WORK ON. WITH ,X IT WOULD EMIT THE TWO-BYTE ZERO-PAGE FORM (B5 00) AND THE INC WOULD LAND ON THE NEXT OPCODE INSTEAD.

AGAIN, TYPE IN 400<1400.1820M 400G AND AWAIT THE RESET BEEP. YOU CAN NOW BOOT A SLAVE (A LITTLE S&M) AND SAVE THIS STUFF WITH BSAVE CYLOW,A$1000,L$400. NOW RELOAD YOUR CYCLOD1 FILE, BLOAD CYLOW,A$5000 (INTO THE UNUSED PART OF HI-RES PAGE 2), AND BSAVE THE COMBINATION AS CYCLOD2,A$A00,L$8C00 (THE SAME 0A00-95FF RANGE AS CYCLOD1, NOW WITH 0-3FF TUCKED IN AT 5000-53FF; A SHORTER SAVE WOULD LOSE EVERYTHING ABOVE ITS END).

NOW, WITH THE GAME NESTLED ALL SAFE AND SNUG IN BINARY FILES, IT'S TIME TO SEE IF WE CAN DO SOMETHING ABOUT THOSE DISK ACCESSES WHICH OCCUR EVERY TIME WE ELEVATE TO A NEW LEVEL. EXPERIENCE HAS TAUGHT THAT A DISK ACCESS UNDER THIS SYSTEM IS A 'JSR 400'. YOU CAN PUZZLE IT OUT IF YOU STARE AT THE CODE LONG ENOUGH, BUT TAKE MY WORD FOR IT FOR NOW. SEARCHING THROUGH MEMORY WITH THE INSPECTOR IN 'FIND' MODE SET FOR 20 00 04, YOU WILL FIND ONLY ONE CALL (THIS IS IN MARKED CONTRAST TO BANDITS, WHERE THERE WERE THREE SEPARATE CALLS, EACH OBSCURED WITH A SLIGHTLY DIFFERENT EXCLUSIVE-OR TECHNIQUE AND A COMPLEX ALGORITHM TO COMPUTE THE EX-OR BYTE).

YOU SHOULD APPRECIATE BY NOW HOW IMPORTANT IT IS TO AVOID ANY DISK ACCESSES, SINCE THE OLD SIRIUS LOADER IS USELESS FOR NORMAL DOS, AND PUTTING THE FILES INTO SPECIFIC TRACKS FOR RWTS ACCESS IS AT BEST WASTEFUL OF DISK SPACE, AND AT WORST NOT POSSIBLE (BANDITS, AGAIN) DUE TO MEMORY SPACE. LET'S SPEND A FEW MINUTES, THEN, TO ANALYZE THE CODE SURROUNDING THE DISK CALL AT 8262:

 8236-   00          BRK
 8237-   A9 30       LDA   #$30
 8239-   85 53       STA   $53
 823B-   AD 45 70    LDA   $7045
 823E-   A2 00       LDX   #$00
 8240-   8E 35 82    STX   $8235
 8243-   C9 04       CMP   #$04
 8245-   30 09       BMI   $8250
 8247-   38          SEC
 8248-   E9 03       SBC   #$03
 824A-   EE 35 82    INC   $8235
 824D-   4C 43 82    JMP   $8243
 8250-   8D 36 82    STA   $8236
 8253-   EE 35 82    INC   $8235
 8256-   AD 35 82    LDA   $8235
 8259-   0A          ASL
 825A-   85 57       STA   $57
 825C-   18          CLC
 825D-   69 01       ADC   #$01
 825F-   8D 37 04    STA   $0437
 8262-   20 00 04    JSR   $0400
 8265-   CE 36 82    DEC   $8236
 8268-   AD 36 82    LDA   $8236
 826B-   0A          ASL
 826C-   0A          ASL
 826D-   0A          ASL
 826E-   8D 00 70    STA   $7000
 8271-   0A          ASL
 8272-   18          CLC
 8273-   6D 00 70    ADC   $7000
 8276-   85 00       STA   $00
 8278-   A9 40       LDA   #$40
 827A-   85 01       STA   $01
 827C-   A0 17       LDY   #$17
 827E-   B1 00       LDA   ($00),Y
 8280-   99 00 10    STA   $1000,Y
 8283-   88          DEY
 8284-   10 F8       BPL   $827E
 8286-   A5 53       LDA   $53
 8288-   09 15       ORA   #$15
 828A-   C9 BF       CMP   #$BF
 828C-   F0 05       BEQ   $8293
 828E-   A9 01       LDA   #$01
 8290-   8D 9D 7B    STA   $7B9D
 8293-   A9 40       LDA   #$40
 8295-   8D 5B 70    STA   $705B
 8298-   A9 60       LDA   #$60
 829A-   8D 5C 70    STA   $705C
 829D-   20 CC 76    JSR   $76CC
 82A0-   A9 20       LDA   #$20
 82A2-   8D 5B 70    STA   $705B
 82A5-   A9 40       LDA   #$40
 82A7-   8D 5C 70    STA   $705C
 82AA-   60          RTS




THE ROUTINE FROM 8237 TO 825F DETERMINES WHICH TRACK TO READ IN BY LOOKING AT THE GAME LEVEL IN LOCATION 7045. THE LOOP AT 8243-824D SUBTRACTS 3 AND INCREMENTS LOCATION 8235 FOR AS LONG AS THE LEVEL IS 4 OR MORE (THE CMP #$04 / BMI PAIR BRANCHES OUT ONCE A IS 1, 2 OR 3); THE INC AT 8253 THEN MAKES 8235 THE TRACK NUMBER TO LOAD FROM, AND 8259-825F HAND THE LOADER TWICE THAT NUMBER PLUS ONE IN LOCATION 437. THE LEVELS MAP ONTO TRACKS AS FOLLOWS:

      LEVEL  TRACK
       1-3     1
       4-6     2
       7-9     3,     ETC

LOCATION 8236 CONTAINS THE REMAINDER (1, 2 OR 3) LEFT AFTER THE 3'S HAVE BEEN SUBTRACTED. AFTER THE TRACK IS LOADED (JSR 400), THIS NUMBER IS DECREMENTED AND MULTIPLIED BY 24 (8265-8276: TIMES 8, SAVED AT 7000, TIMES 16, ADDED BACK) TO GIVE 0, 18 OR 30 (HEX), WHICH IS STORED AT LOCATION 0 AS THE LOW BYTE OF A POINTER INTO 4000. THE $18 (24 DECIMAL) BYTES POINTED TO BY 0 & 1 ARE THEN COPIED TO 1000-1017 BY THE LOOP AT 827C-8284:

     LEVEL     LOCATIONS    TRACK#
       1       4000-4017      1
       2       4018-402F      1
       3       4030-4047      1

       4       4000-4017      2
       5       4018-402F      2
       6       4030-4047      2, ETC

THE CODE AT 8286-8290 CHECKS TO SEE IF YOU ACCESSED THE RIGHT DISK (OR JUST MAYBE CHECKS TO SEE IF YOU DIDN'T DO IT): LOCATION 53 WAS SET TO 30 AT 8239, AND 30 ORA 15 CAN NEVER EQUAL BF, SO UNLESS THE LOADER AT 400 CHANGES LOCATION 53 A 1 GETS STORED AT 7B9D. THEN 8293-82AA SETS THE BOUNDS AT 705B/705C TO 40/60, CALLS THE SCREEN CLEAR AT 76CC ONCE (WIPING 4000-5FFF, HI-RES PAGE 2, WHERE THE TRACK WAS JUST LOADED), AND PUTS THE BOUNDS BACK TO 20/40 FOR PAGE 1 BEFORE RETURNING.
          =>NOTE CAREFULLY<=
SINCE ALL THE REST OF THE TRACK THAT WAS LOADED IN AT 4000-4BFF IS WIPED BY THE SCREEN CLEAR, ONLY THOSE $18 BYTES WERE REALLY USED TO ESTABLISH THE GAME LEVEL AFTER ACCESSING THE DISK. OBVIOUSLY, SIRIUS IS GOING TO THE DISK FOR NO BETTER REASON THAN TO MAKE LIFE DIFFICULT FOR THE CRACKIST. HERE'S HOW WE GET AROUND IT: LOAD IN YOUR OLD FRIEND HALTLOAD, AND CHANGE THE FOLLOWING LOCATIONS IN THE TRACK LOAD ADDRESS TABLE (THE ADDRESSES BELOW ARE WHERE THE TABLE SITS ONCE THE LOADER IS RUNNING; IN THE HALTLOAD IMAGE AT 1400 YOU MAKE THE CHANGES AT 17AC-17B3):

       ADDR   TRACK   OLD   NEW

       7AC      1     40    58
       7AD      2     40    59
       7AE      3     40    5A
       7AF      4     40    5B
       7B0      5     40    5C
       7B1      6     40    5D
       7B2      7     40    5E
       7B3      8     0A    00 (ENDS THE LOAD AFTER TRACK 7)

DO THE SAME LOAD ROUTINE AS WE DID EARLIER TO GET THE MAIN PROGRAM IN (400<1400.17FFM 400G). THE LOADER NOW STOPS AFTER TRACK 7, AND BECAUSE EACH OF TRACKS 1-7 STARTS ONE PAGE ABOVE THE ONE BEFORE, EACH TRACK OVERWRITES ALL BUT THE FIRST PAGE OF ITS PREDECESSOR (ASSUMING THE LOADER WALKS THE TABLE IN ORDER, AS IT APPEARS TO): WHAT SURVIVES AT 5800-5EFF IS THE FIRST $100 BYTES OF EACH TRACK, WHICH IS WHERE ITS THREE $18-BYTE LEVEL BLOCKS LIVE. THIS IS EVERYTHING WE NEED FOR ALL THE LEVELS, WITH MOST OF THE GARBAGE ELIMINATED. BOOT THE SLAVE AGAIN, AND BSAVE TRACKS,A$5800,L$700.

NEXT WRITE A SHORT SUBROUTINE (CALL IT LEVLCALC) WHICH, GIVEN THE TRACK NUMBER IN 8235 AND THE REMAINDER IN 8236, PICKS UP THE RIGHT PAGE OF THE TRACKS AREA AND THE RIGHT ONE OF ITS THREE $18-BYTE LEVEL BLOCKS AND STORES IT IN LOCATIONS 1000-1017, JUST AS 8265-8284 DID FROM 4000. BSAVE THIS ROUTINE, AND LATER TUCK IT INTO LOCATIONS 3A00-3AFF OF THE MAIN FILE (NOT 3800: THE HIGH PART MOVED DOWN FROM 9600-ADFF IS $1800 BYTES AND FILLS 2200-39FF). FINALLY, MAKE ONE BIG FILE WHICH CONTAINS ALL OF THE ABOVE PIECES AND ROUTINES, AND WRITE A SHORT MEMORY MOVE ROUTINE (OR USE MASTERKEY PLUS) TO UNFOLD ALL OF THIS 'TUCKED-IN' MEMORY AFTER THE PROGRAM IS LOADED. THE FOLLOWING LIST IS APPROXIMATELY WHAT I USED FOR THE SINGLE 144-SECTOR BINARY FILE:

         ROUTINE   STORAGE   UNFOLDED
          NAME     LOCATION  LOCATION
         --------- --------- ---------
         MAIN PRG  0A00-95FF 0A00-95FF
         MOVER     0900-09FF 0900-09FF
         HIPART    2200-39FF 9600-ADFF
         LEVLCALC  3A00-3AFF AE00-AEFF
         CYLOW     5000-53FF 0000-03FF
         TRACKS    5800-5EFF B000-B6FF

(HIPART IS $1800 BYTES, SO IT RUNS TO 39FF RATHER THAN 37FF, AND LEVLCALC HAS BEEN MOVED UP TO 3A00 TO STAY CLEAR OF IT. UNFOLDING PUTS HIPART'S TAIL, LEVLCALC AND TRACKS ON TOP OF DOS AT 9D00-BFFF, WHICH IS FINE ONLY BECAUSE THE GAME NEVER RETURNS TO DOS.)

A COUPLE OF MINOR CHANGES, AND WE'RE DONE: CHANGE LOCATIONS 8262-8264 TO '20 00 AE' TO JSR TO YOUR LEVLCALC INSTEAD OF THE DISK LOADER, AND CHANGE 8265-8267 TO '4C 93 82' (JMP TO THE SCREEN CLEAR). THAT JUMP SKIPS THE OFFSET CALCULATION AND COPY AT 8265-8284, WHICH LEVLCALC NOW DOES FOR ITSELF, AND ALSO THE LOCATION 53 CHECK AT 8286-8290. MAKE SURE YOUR MOVER ROUTINE RESTORES CYLOW TO 0000-03FF LAST AND USES NEITHER ZERO PAGE NOR THE STACK WHILE DOING SO (IT IS OVERWRITING BOTH, ALONG WITH THE BRK AND RESET VECTORS AT 3F0-3F4), AND THAT IT ENDS WITH A JMP 8EA6 RATHER THAN AN RTS TO START THE GAME. YOU ARE THEN SET TO BSAVE CYCLOD,A$900,L$8D00 (0900-95FF) AS A SINGLE FILE WHICH YOU CAN 'BRUN' TO YOUR HEART'S CONTENT.
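
AS AN ADDED EXAMPLE (THESE ARE NOT THE ORIGINAL ARTICLE'S ROUTINES, WHICH IT LEAVES TO THE READER), HERE IS ONE WAY TO WRITE LEVLCALC AND THE MOVER, IN THE SAME LISTING FORM AS THE DISASSEMBLY ABOVE. IT ASSUMES THE STORAGE LAYOUT OF THE LIST ABOVE WITH ONE CORRECTION: SINCE 9600-ADFF IS $1800 BYTES AND LANDS AT 2200-39FF, LEVLCALC IS STORED AT 3A00-3AFF RATHER THAN 3800. IT ALSO ASSUMES THAT WHEN 8262 IS REACHED, 8235 HOLDS THE TRACK NUMBER (1-7) AND 8236 THE LEVEL WITHIN THE TRACK (1-3), AS THE CODE AT 8237-825F ARRANGES, AND THAT 8EA6 IS THE GAME'S ENTRY POINT AS STATED ABOVE. THE USE OF LOCATIONS 0 AND 1 AS A POINTER MIRRORS THE ORIGINAL COPY LOOP AT 8276-8284.

```asm
;LEVLCALC - REPLACES THE DISK READ AT 8262 (ENTERED BY JSR $AE00).
;COPIES THE $18-BYTE LEVEL BLOCK AT B000 + (TRACK-1)*100 + (REM-1)*18
;TO 1000-1017, EXACTLY AS 8265-8284 DID FROM 4000. NO ABSOLUTE
;REFERENCE TO ITSELF, SO IT CAN BE TYPED IN AT 3A00 (BRANCH TARGET
;3A1B) AND RUNS UNCHANGED ONCE THE MOVER HAS PUT IT AT AE00.
 AE00-   AD 35 82    LDA   $8235     ;TRACK NUMBER 1..7
 AE03-   18          CLC
 AE04-   69 AF       ADC   #$AF      ;PAGE B0 FOR TRACK 1, B1 FOR TRACK 2 ...
 AE06-   85 01       STA   $01       ;POINTER HIGH BYTE
 AE08-   AD 36 82    LDA   $8236     ;LEVEL WITHIN TRACK 1..3
 AE0B-   38          SEC
 AE0C-   E9 01       SBC   #$01      ;0..2
 AE0E-   0A          ASL
 AE0F-   0A          ASL
 AE10-   0A          ASL             ;TIMES 8
 AE11-   85 00       STA   $00
 AE13-   0A          ASL             ;TIMES 16
 AE14-   18          CLC
 AE15-   65 00       ADC   $00       ;TIMES 24 = 0, 18 OR 30
 AE17-   85 00       STA   $00       ;POINTER LOW BYTE
 AE19-   A0 17       LDY   #$17
 AE1B-   B1 00       LDA   ($00),Y
 AE1D-   99 00 10    STA   $1000,Y
 AE20-   88          DEY
 AE21-   10 F8       BPL   $AE1B
 AE23-   60          RTS

;MOVER - BRUN ENTRY AT 0900. TABLE-DRIVEN PAGE COPY THAT UNFOLDS THE
;TUCKED-IN PIECES. IT PATCHES ITS OWN OPERANDS INSTEAD OF USING A
;ZERO-PAGE POINTER, AND NEVER TOUCHES THE STACK, SO IT SURVIVES
;RESTORING 0000-03FF (DONE LAST) AND THEN STARTS THE GAME.
 0900-   A2 00       LDX   #$00      ;X INDEXES THE TABLE AT 0940
 0902-   BD 40 09    LDA   $0940,X   ;SOURCE PAGE, 00 = END OF TABLE
 0905-   F0 2B       BEQ   $0932
 0907-   8D 1A 09    STA   $091A     ;INTO THE LDA OPERAND BELOW
 090A-   BD 41 09    LDA   $0941,X   ;DESTINATION PAGE
 090D-   8D 1D 09    STA   $091D     ;INTO THE STA OPERAND BELOW
 0910-   BD 42 09    LDA   $0942,X   ;NUMBER OF PAGES
 0913-   8D 35 09    STA   $0935
 0916-   A0 00       LDY   #$00
 0918-   B9 00 00    LDA   $0000,Y   ;HIGH BYTE PATCHED AT 091A
 091B-   99 00 00    STA   $0000,Y   ;HIGH BYTE PATCHED AT 091D
 091E-   C8          INY
 091F-   D0 F7       BNE   $0918
 0921-   EE 1A 09    INC   $091A     ;NEXT SOURCE PAGE
 0924-   EE 1D 09    INC   $091D     ;NEXT DESTINATION PAGE
 0927-   CE 35 09    DEC   $0935
 092A-   D0 EC       BNE   $0918
 092C-   E8          INX
 092D-   E8          INX
 092E-   E8          INX             ;NEXT TABLE ENTRY
 092F-   4C 02 09    JMP   $0902
 0932-   4C A6 8E    JMP   $8EA6     ;ALL UNFOLDED: START THE GAME
 0935-   00                          ;PAGE COUNTER (DATA)
;COPY TABLE: SOURCE PAGE, DESTINATION PAGE, PAGE COUNT; 00 ENDS IT.
;TYPE IN AS  0940:22 96 18 3A AE 01 58 B0 07 50 00 04 00
 0940-   22 96 18                    ;HIPART   2200-39FF -> 9600-ADFF
 0943-   3A AE 01                    ;LEVLCALC 3A00-3AFF -> AE00-AEFF
 0946-   58 B0 07                    ;TRACKS   5800-5EFF -> B000-B6FF
 0949-   50 00 04                    ;CYLOW    5000-53FF -> 0000-03FF, LAST
 094C-   00                          ;END (CYLOW BRINGS BACK ZERO PAGE, THE STACK AND 3F0-3F4)
```

TO BUILD THE FILE: BLOAD CYCLOD1 AND THEN CYCLOD2 ON TOP OF IT (SO THAT 0A00-95FF IS PRESENT WITH CYLOW AT 5000 AND HIPART AT 2200), BLOAD TRACKS (IT WAS SAVED FROM 5800), ENTER LEVLCALC AT 3A00 AND THE MOVER WITH ITS TABLE AT 900, TYPE 8262:20 00 AE 4C 93 82, AND BSAVE CYCLOD,A$900,L$8D00. THE BRANCH BYTES ARE GIVEN SO THAT EITHER ROUTINE CAN BE ENTERED WITH THE MONITOR'S ADDR:BYTES FORM INSTEAD OF THE MINI-ASSEMBLER. NONE OF THE DESTINATIONS OVERLAPS A SOURCE THAT HAS NOT YET BEEN COPIED, AND THE MOVER ITSELF AT 0900 LIES OUTSIDE ALL OF THEM.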

==> SPECIAL NOTICE - IF ANYONE OUT THERE GOT THE PRELIMINARY, BUGGY VERSION OF CYCLOD THAT SAYS "I KNOW IT'S NOT PERFECT", TALK TO THE SYSOP - HE'S IN A POSITION TO SOLVE YOUR PROBLEM WITH THE CORRECTED VERSION.