💾 Archived View for spam.works › mirrors › textfiles › apple › CRACKING › krackarcade.txt captured on 2023-06-16 at 21:12:56.
View Raw
More Information
-=-=-=-=-=-=-
- **************************************
- *
- *
- KRAKOWICZ'S KRACKING KORNER IV *
- *
- *
- *
- *
- *
- THE ARCADE MACHINE *
- *
- *
- *
- WITH NOTES ON NMI AND IDSI'S JUGGLER*
- *
- *
- *
- **************************************
AFTER A NINE-MONTH DELAY,
BR0DERBUND HAS FINALLY RELEASED THE
ARCADE MACHINE (A.M.). THE PROTECTION
SCHEME IS A NEW CHALLENGE FOR COPIERS,
SINCE IT USES THE TECHNIQUE KNOWN AS
SPIRALING OR QUARTER-TRACKING, AS WELL
AS THE STANDARD BR0DERBUND SYSTEM OF A
NEW ADDRESS MARKER FOR EACH TRACK. AN
ATTEMPT TO COPY THE DISK WITH A
CONVENTIONAL NIBBLE COPIER QUICKLY
REVEALS THAT TRACKS 0 AND 3-11 ARE
EASILY COPIED WITH AN ADDRESS MARKER OF
D5 AA 96, WHILE THE REST OF THE TRACKS
ARE A MYSTERY. PROBING INTO THE LOADER
REVEALS THE FOLLOWING INFORMATION ABOUT
TRACK USAGE:
TRACK CONTENTS
----- --------
T0/S0 PRELOADER --> 800-8FF
(AS ALWAYS)
/S1-5 LOADER --> 300-7FF
T1-2 HIRES SPLIT "BR0DERBUND"
LOGO AND PROGRAM
T12-20 MAIN PROGRAM WHICH LOADS
INTO 800-BFFF
T12-13.5 FOUR HALFTRACKS USED FOR
QUARTER-TRACKING
T3-4 #1 SHAPE CREATOR
T5-6 #2 PATH CREATOR
T7-8 #3 GAME OPTIONS
T9-A #4 LEVEL OPTIONS
TC-D #5 BKGD/TITLE CREATOR
TE-F #6 LOAD/SAVE GAME
T10-11 #7 CREATE GAME DISK
(OPTION #8 JUMPS TO 0800
TO RUN THE GAME)
THE APPROACH TO KRACKING THIS TYPE
OF PROGRAM SEEMS STRAIGHTFORWARD:LOAD
THE PROGRAM INTO MEMORY, RESET IT, AND
SAVE IT OUT TO DISK AS A BINARY FILE,
WITH THE APPROPRIATE MEMORY MOVES.
HOPEFULLY, YOU'LL LOCATE THE STARTING
ADDRESS AND BE ABLE TO RUN THE BINARY
FILE AT WILL. IF YOU WISH TO INCLUDE
ALL OF THE ADVERTISING FOR BR0DERBUND
AT THE BEGINNING, THIS WORKS. IF YOU
TRY TO DELETE THE DUAL BANNER, IT
CRASHES. THE REASON IS THAT MODULE
SWITCHING IS VIA THE STACK--THEY PUSH
THE CORRECT LOCATION ONTO THE STACK AND
DO AN RTS. SO, UNLESS YOU HAPPEN TO
KNOW THE VALUE OF THE PROGRAM COUNTER
(THAT IS, EXACTLY WHAT THE ADDRESS WAS
WHEN YOU STOPPED), THE STACK POINTER
(S) AND THE PROCESSOR STATUS WORD (P),
AND RESTORE THEM EXACTLY AS THEY WERE
BEFORE THE RESET, THE PROGRAM PROBABLY
WON'T RUN. ANYONE WHO TRIED TO BREAK
JUGGLER FOUND THIS TO BE FRUSTRATING IN
THE EXTREME, SINCE SOMETIMES THE GAME
WOULD RUN ALL THE WAY THROUGH THE FIRST
LEVEL BEFORE CRASHING - THE SAME
TECHNIQUE WAS USED THERE, BUT WITH EVEN
MORE PROTECTION.
THERE IS A HARD WAY AND AN EASY
WAY TO DO EVERYTHING, AND IF YOU ARE
COMPLETELY RESTRICTED TO SOFTWARE
DEVICES, IT IS STILL POSSIBLE TO BREAK
ARCADE MACHINE. REFERRING TO THE
NIBBLE ALTERATION TECHNIQUES DESCRIBED
IN THE PREVIOUS EPISODE, IT IS POSSIBLE
TO LOCATE AND ALTER THE GAME LOADER SO
THAT IT HALTS WITH CONDITIONS WELL
DEFINED AFTER THE ENTIRE PROGRAM IS IN
MEMORY. IF IT IS YOUR PURPOSE IN LIFE
TO LEARN AS MUCH AS YOU POSSIBLY CAN
ABOUT DISK PROTECTION SCHEMES AND THE
CIRCUMVENTION THEREOF (ONLY A FEW
REALLY CRAZY PEOPLE ARE SO INCLINED),
THIS IS REWARDING. IF YOU ARE
INTERESTED IN PREPARING AN UNPROTECTED
VERSION OF THE GAME WITH MINUMUM
ADVERTISING AND MINIMUM EFFORT,
HOWEVER, THERE IS AN EASIER WAY.
THIS SOLUTION IS ELEGANT, BUT
REQUIRES A VISIT TO THAT GOD OF THE
UNDERWORLD =>HARDWARE<=. BY NOW
EVERYONE IS FAMILIAR WITH THE TERM NMI,
THANKS TO AN OVERSOLD CARD WHICH USES
THIS TECHNIQUE TO REPLAY SINGLE-LOAD
GAMES FROM DISK. NMI STANDS FOR
NON-MASKABLE INTERRUPT, ONE OF FOUR
TYPES OF INTERRUPT AVAILABLE ON THE
6502 (THE OTHERS ARE RESET, BREAK, AND
THE IRQ OR INTERRUPT REQUEST). AS THE
NAME OF THIS ONE IMPLIES, IT IS AN
INTERRUPT WHICH MUST BE ATTENDED,
REGARDLESS OF WHATEVER ELSE THE CPU HAD
IN MIND TO DO NEXT. THIS LINE COMES
DIRECTLY FROM PIN 6 OF THE CPU CHIP, IS
HELD AT 5 VOLTS (LOGIC 1) BY A IK
RESISTOR, AND RUN OUT TO PIN 29 OF THE
PERIPHERAL CONNECTORS. CONNECTING THIS
PIN MOMENTARILY TO GROUND (PIN 26)
BEGINS A SMALL MICROPROGRAM WITHIN THE
6502 WHICH STORES THE PROGRAM COUNTER
('PC', TWO BYTES) AND THEN THE
PROCESSOR STATUS WORD ('P', ONE BYTE)
ON THE STACK, AND JUMPS TO THE ADDRESS
STORED IN LOCATIONS FFFA AND FFFB IN
THE F8 ROM. THIS BUSINESS OF PUSHING
ONTO THE STACK IS A LITTLE OBSCURE, SO
LET'S SPEND A FEW SECONDS DESCRIBING
THE STACK STRUCTURE. WE ALL KNOW THAT
THE STACK IS IN PAGE ONE OF MEMORY
($100-$1FF), AND THAT THERE IS A THING
CALLED A STACK POINTER (S) WHICH POINTS
TO AN ADDRESS WITHIN THAT RANGE. IF THE
FOLLOWING PROGRAM WERE RUN, THE STACK
WOULD LOOK LIKE WHAT'S SHOWN BELOW:
1000: TSX
TXA
JSR $1010
1010: JSR $1020
1020: JSR $1030
1030: TSX
BRK
---------------------------------------
(STACK)
FINAL STACK POINTER LOCATION-> XX (ANY)
22
10
12
10
04
FIRST STACK POINTER LOCATION-> 10
---------------------------------------
THIS "PROGRAM" STORES THE FIRST VALUE
OF THE STACK POINTER IN THE
ACCUMULATOR, JSR'S TO THREE PLACES,
STORES THE FINAL VALUE OF THE STACK
POINTER IN THE X-REGISTER, AND THEN
HALTS. (WE HAVE TO NEGLECT FOR THE
MOMENT THAT APPLE'S MONITOR DOES SOME
WEIRD THINGS TO THE STACK AFTER THE
'BRK'). IF WE EXAMINE THE STACK MEMORY
BETWEEN THE LOCATIONS IN THE ACC. AND
X-REG, WE WILL FIND THE VALUES LISTED
ABOVE. ALTHOUGH WE SPEAK OF THE STACK
AS A "PUSH-DOWN" (ALSO "LIFO" FOR
LAST-IN, FIRST-OUT) STACK, WHAT
ACTUALLY HAPPENS IS THAT THE VALUE OF
THE STACK POINTER IS DECREMENTED, SO
THAT IT POINTS TO A LOCATION ONE LESS
THAN IT WAS. THE SUBROUTINE ADDRESSES
TO WHICH THE PROGRAM WHOULD RETURN (IF
IT WERE GIVEN AN 'RTS') ARE STORED IN
NORMAL FASHION OF LOW BYTE, HIGH BYTE,
AT A LOCATION ONE HIGHER THAN THE
VALUE OF THE STACK POINTER. THE RTS
INSTRUCTION TRANSFERS THESE NUMBERS
INTO THE PROGRAM COUNTER, INCREMENTS
THE STACK POINTER BY TWO, INCREMENTS
THE LOW BYTE BY ONE, AND STARTS THE
PROGRAM EXECUTING AGAIN AT THE LOCATION
OF THE PROGRAM COUNTER. THE STACK
POINTER NOW POINTS TO (ONE BELOW) THE
NEXT SUBROUTINE RETURN ADDRESS, AND THE
NEXT 'RTS' INSTRUCTION ENCOUNTERED IN
THE PROGRAM WILL RETURN TO THAT
ADDRESS. NOTICE THAT THE FINAL LOCATION
OF THE STACK POINTER CAN HAVE ANYTHING
IN IT, SINCE IT POINTS TO THE LOCATION
WHERE THE NEXT BYTE WILL BE STORED, NOT
WHERE THE LAST ONE WAS STORED. THE
DATA PAIRS '22,10', '12,10', AND '04,
10' CORRESPOND TO THE SUBROUTINE RETURN
ADDRESSES 1023, 1013, AND 1005 FOR THE
PROGRAM, EACH ONE BEING ONE LESS
THAN THE ACTUAL RETURN POINT.
THAT DIGRESSION WAS INTENDED TO
CLARIFY THE STACK STRUCTURE THAT
RESULTS FROM AN NMI SIGNAL:
STACK POINTER: (ANYTHING)
S+1: STATUS WORD (P)
S+2: PROGRAM CTR LOW (PCL)
S+3: PROGRAM CTR HI (PCH)
THIS WAS SET UP TO ALLOW AN EXTERNAL
DEVICE TO INTERRUPT THE APPLE, AND THEN
TO RESUME THE INTERRUPTED PROGRAM
EXACTLY WHERE IT WAS BEFORE THE
INTERRUPT OCCURRED. THE INSTRUCTION
THAT MAKES IT ALL HAPPEN IS 'RTI',
WHICH OBLIGINGLY PUTS THE PROCESSOR
STATUS WORD BACK, RESTORES THE ORIGINAL
VALUE OF THE PC, AND CRANKS UP THE
PROGRAM JUST AS IT WAS BEFORE THE NMI
LINE WAS YANKED.
THE PRACTICAL IMPLEMENTATION OF
THIS TRICK IN KRACKING REQUIRES A
MINIMUM OF TWO THINGS: AN ALTERED F8
ROM AND A SWITCH. A NORMAL F8 ROM HAS
FB 03 AT FFFA-FFFB, WHICH MEANS THAT AN
NMI SIGNAL WILL EXECUTE THE INSTRUCTION
AT 03FB. PRUDENT SOFTWARE PUBLISHERS
WILL PUT THERE EITHER A JUMP TO THE
BEGINNING OF THE GAME OR TO A REBOOT:
4C 00 C6. TO GET AROUND THE PROBLEM,
THE F8 ROM MUST BE MODIFIED. SINCE MOST
SERIOUS KRACKISTS ALREADY HAVE A
KRAKROM OR LOCKBUSTER, ETC., WHICH
RELOCATES THE 0-7FF MEMORY WHEN RESET
IS PRESSED, THIS IS NOT A MAJOR
PROBLEM. YOU SHOULD PUT THE STARTING
ADDRESS OF THE MEMORY MOVE ROUTINE IN
LOCATIONS FFFA-B, AND BURN A NEW 2716
EPROM. AFTER THIS PROM IS INSTALLED IN
THE F8 SOCKET, ACTIVATING THE NMI LINE
WILL SAVE ALL OF THE VOLATILE MEMORY AS
WELL AS THE PC AND P (A WORD OF CAUTION
- IF YOU DON'T HAVE A SOLID-STATE
SWITCH ON THE NMI LINE, YOU'LL STORE
SOME ADDITIONAL GARBAGE ON THE STACK,
BUT THE SYSTEM WILL STILL WORK).
EACH TIME YOU USE THE NMI ROM,
YOU'LL HAVE TO EXAMINE THE MEMORY AREA
WHERE THE STACK IS STORED. SINCE THE
STACK POINTER IS ALWAYS ONE LESS THAN
THE LAST LOCATION STORED INTO, YOU
SHOULD HAVE NO TROUBLE IDENTIFYING THE
CORRECT VALUE OF PC AND P. AFTER
SAVING THE GAME, WITH MEMORY MOVES IF
REQUIRED, SET THE STACK POINTER TO THE
LOCATION OF THE STATUS WORD-1 (USE LDX
#NN, TXS), AND DO AN RTI INSTRUCTION.
THE PROGRAM WILL START RIGHT BACK UP AS
IF IT HAD NEVER BEEN INTERRUPTED. BE
SURE THAT YOUR MEMORY RELOCATE ROUTINE
IN ROM SAVES THE VALUE OF THE A, X, AND
Y REGISTERS, AND RESTORES THE CORRECT
VALUES BEFORE THE RTI.
ONE FINAL CAUTION - SOME GAMES
(LIKE JUGGLER) REQUIRE THAT YOU HAVE AN
UNMODIFIED ROM IN THE F8 SOCKET - THIS
REQUIRES A LITTLE MORE ASSISTANCE FROM
THE GOD OF HARDWARE, AND WILL BE DEALT
WITH IN A FUTURE EPISODE DESCRIBING
OTHER APPLICATIONS OF THE NMI
TECHNIQUE.
RETURNING TO THE A.M. KRACK, YOU
NOW CAN BOOT THE DISK AND GET TO THE
MAIN MENU. DO THE NMI TRICK BY CLOSING
A SWITCH WIRED BETWEEN PINS 29 AND 26
OF ANY PERIPHERAL CARD, AND MOVE THE
EXCESS MEMORY TO 2000-3FFF (THE
NORWEGIAN NURDS WERE NICE ENOUGH TO
LEAVE US HI-RES PAGE ONE OPEN -- TAK!),
INCLUDING 0-8FF AND B600-BFFF. ADD THE
APPROPRIATE MEMORY MOVE ROUTINES AS
WELL AS THE REGISTER RESTORE, STACK
POINTER ADJUST, AND RTI, THEN BOOT A
SLAVE DISK AND BSAVE THE MEMORY FROM
900-9600.
COPY TRACKS 3-11 FROM THE ORIGINAL
A.M. WITH YOUR FAVORITE COPIER, AND
TELL THE VTOC THAT THOSE TRACKS ARE
OCCUPIED. SAVE THE FILE ONTO ANY TRACKS
ABOVE 11, AND, USING THE BOOT MODIFIER
DESCRIBED IN THE KKK III ON WAY OUT,
LOAD IN THE MAIN PROGRAM AS PART OF THE
BOOT. YOU SHOULD NOW BE OFF AND RUNNING
WITH YOUR OWN FRESHLY BROKEN COPY OF
ARCADE MACHINE.
IT'S NOT REALLY AS HARD AS IT
SOUNDS, AND IF YOU REALLY LIKE TO
PROGRAM YOUR OWN LEFT-RIGHT
SHOOT-EM-UPS WITHOUT LEARNING TO
PROGRAM, THE RESULT IS WORTH THE
EFFORT.
=>KRAKOWICZ<=
�
�����������������������������