💾 Archived View for spam.works › mirrors › textfiles › apple › CRACKING › krackspm.txt captured on 2023-06-16 at 21:12:59.
-=-=-=-=-=-=-
**************************************
*                                    *
*                                    *
*     KRAKOWICZ'S KRACKING KORNER    *
*                                    *
*                                    *
*   KAMEARI FROM ADO-SOFT (JAPAN)    *
*                                    *
*                                    *
*                                    *
**************************************
BOTH BECAUSE MR. KRAC-MAN WAS
GENEROUS ENOUGH TO SEND ME AN ORIGINAL
OF THE PROGRAM, AND BECAUSE THE
ORIGINAL PUCKMAN WAS THE FIRST REAL
PROTECTED DISK I EVER BROKE, IT WAS FUN
TO GET MY HANDS ON THE NEW "SUPER
PUCKMAN", OR KAMEARI. IT TURNED OUT TO
BE NOT QUITE AS HARD TO BREAK AS THE
FIRST ONE, BUT IT PROVIDED SOME
INTERESTING CHALLENGES.
IF YOU CATCH THE PROGRAM AT THE
RIGHT POINT, IT'S SMALL ENOUGH TO FIT
IN A NORMAL DOS BFILE, SO WE WON'T GET
TO GO THROUGH THE THEORY AND PRACTICE
OF PROGRAM PACKING ON THIS ONE. THE
SEQUENCING USED TO LOAD THE GAME AND
ACCESS THE DISK LATER IS A LITTLE
UNUSUAL, AND WOULD HAVE BEEN TOUGHER IF
THEY HADN'T MADE A FEW MISTAKES.
A FIRST-STAGE BOOT TRACE REVEALS
THE FIRST INTERESTING TRICK--THE
CONTENTS OF $814-8FF ARE EXCLUSIVE-ORED
WITH THE ADDRESS LOW BYTE AND STUFFED
INTO PAGE ONE WITH SOME CUTE CODE:
0801- LDX $26       ;$26 = 0 AFTER FIRST-STAGE BOOT
0803- TXS           ;STACK POINTER = $00
0804- DEC $27       ;POINTER HIGH BYTE $09 -> $08
0806- LDA ($26),Y   ;FETCH BYTE AT ($27:$26)+Y
0808- EOR $26       ;XOR WITH ADDRESS LOW BYTE
080A- TSX           ;X = CURRENT STACK POINTER
080B- PHA           ;PUSH INTO PAGE ONE (WRAPS TO $1FF)
080C- DEC $26       ;NEXT LOWER SOURCE ADDRESS
080E- CPX #$14      ;DONE WHEN $814 HAS BEEN MOVED
0810- BNE $806
0812- RTS           ;JUMP THROUGH THE STACK
NOW, THIS IS NOT BAD FOR THE FIRST PART
OF A PROTECTION SCHEME, BECAUSE IT
REQUIRES A REASONABLE KNOWLEDGE OF THE
DOS BOOT PROCESS AS WELL AS 6502
STACK/PAGE ONE USAGE. THE TRICKS ARE:
1. YOU HAVE TO KNOW (OR GUESS) THAT $26
CONTAINS 0 AND $27 CONTAINS 9 AFTER
THE FIRST STAGE BOOT,
2. YOU HAVE TO UNDERSTAND HOW THE
INDEXED, INDIRECT LOAD WORKS AT
$806,
3. YOU NEED AN UNDERSTANDING OF THE TSX
AND TXS INSTRUCTIONS, AND
4. YOU NEED TO INTERPRET THE FINAL RTS
CORRECTLY.
(IF YOU KNOW ALL THESE, SKIP THIS
EXPLANATION AND GO ON TO THE MEAT OF
THE PROTECTION SCHEME BELOW).
IN THE ORDER LISTED ABOVE, LOCATION
$26 CONTAINS 0 FROM THE BOOT ROM AT
LOCATION $C652, WHERE THE ACCUMULATOR
WAS STORED AFTER CALLING THE
"WAIT" ROUTINE AT $FCA8 (ACC=0 ON EXIT
FROM "WAIT"). LOCATION $27 IS THE HIGH
BYTE OF THE TWO-BYTE STORAGE POINTER,
AND IT IS INCREMENTED FROM $08 TO $09
IN CASE THERE'S MORE THAN ONE SECTOR TO
LOAD IN ON THE FIRST STAGE BOOT. LDA
($26),Y MEANS LOOK AT THE LOCATION
POINTED TO BY $26 AND $27, ADD THE
CONTENTS OF THE Y-REGISTER TO IT, AND
LOAD THE ACCUMULATOR WITH THE CONTENTS
OF THAT LOCATION: IF $26=32, $27=08,
AND THE Y-REG=17, THE ADDRESS IS
$832+$17, OR $849. NEXT, AS THOSE OF
YOU WHO STAYED AWAKE THROUGH THE
DESCRIPTION OF THE STACK AND STACK
POINTER IN THE ARCADE MACHINE FILE WILL
RECALL, THE TSX AND TXS INSTRUCTIONS
REFER TO TRANSFERRING A BYTE BETWEEN
THE ->STACK POINTER<- AND THE
X-REGISTER, NOT BETWEEN THE STACK AND
THE REGISTER.
THE FIRST BYTE FETCHED FROM $26 THROUGH
THE X-REG IS USED TO INITIALIZE THE
STACK POINTER AT $00, MEANING THAT
THE NEXT BYTE PUSHED ON THE STACK WILL
BE PLACED IN LOCATION $100. SINCE THE
STACK POINTER IS A NINE BIT HARDWARE
REGISTER WITH THE MOST SIGNIFICANT BIT
SET, IT WILL ALWAYS CONTAIN A VALUE
BETWEEN $100 AND $1FF. IF YOU 'PUSH'
(PHA) ANOTHER BYTE ONTO THE STACK, IT
GOES NOT INTO $FF, BUT INTO $1FF.
SUCCESSIVE BYTES GO INTO $1FE, $1FD,
ETC. THIS IS KNOWN AS "STACK
WRAPAROUND", AND WAS USED BY IDSI IN
THEIR 'JUGGLER' PROTECTION, AMONG
OTHERS. AFTER THE FIRST TIME THROUGH,
EACH BYTE FROM $8FF DOWN TO $814 IS
EXCLUSIVE-ORED WITH THE ADDRESS LOW
BYTE ($FF-$14), AND PUSHED ON THE STACK
IN THE CORRESPONDING LOCATION FROM $1FF
TO $114. EACH TIME THROUGH, THE STACK
POINTER IS LOADED INTO THE X-REGISTER
TO COMPARE IT WITH #$14 TO FIND OUT IF
ENOUGH BYTES HAVE BEEN TRANSFERRED.
WHEN $14 IS FOUND, THEY DO AN 'RTS'.
THIS TAKES THE TWO BYTES ABOVE THE
STACK POINTER, INCREMENTS THE LOW BYTE,
AND PLACES THEM INTO THE PROGRAM
COUNTER. THE PROGRAM CONTINUES TO RUN
AT THE NEW LOCATION (A VARIATION OF
"JUMPING THROUGH THE STACK").
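The loop at $801-$812 is short enough to simulate exactly, which is the quickest way to convince yourself of the wraparound and of where the final RTS lands. The Python below is an added example, not code from the original article: it models a 64K memory as a bytearray, walks the eleven instructions with the 6502 rules described above (TXS/TSX move the stack pointer itself, PHA always writes into page one, RTS pulls two bytes and adds one), and returns the address execution continues at. The contents of $800-$8FF are constructed here; the only thing borrowed from the article is the entry state ($26 = 0, $27 = 9, Y = 0) and the fact that the decoded bytes at $114/$115 must form $0115 so that RTS ends up at $116.

```python
def run_page_one_loop(mem: bytearray, y: int = 0) -> int:
    """Simulate $0801-$0812 on the given memory image.

    Returns the address the RTS at $0812 transfers control to.
    The stack pointer is an 8-bit value; the stack page is always $1xx.
    """
    x = mem[0x26]                           # 0801 LDX $26
    sp = x                                  # 0803 TXS
    mem[0x27] = (mem[0x27] - 1) & 0xFF      # 0804 DEC $27  ($09 -> $08)
    while True:
        ptr = mem[0x26] | (mem[0x27] << 8)
        a = mem[(ptr + y) & 0xFFFF]         # 0806 LDA ($26),Y
        a ^= mem[0x26]                      # 0808 EOR $26  (address low byte)
        x = sp                              # 080A TSX
        mem[0x100 | sp] = a                 # 080B PHA  -> $1xx, wraps to $1FF
        sp = (sp - 1) & 0xFF
        mem[0x26] = (mem[0x26] - 1) & 0xFF  # 080C DEC $26
        if x == 0x14:                       # 080E CPX #$14 / 0810 BNE $806
            break
    sp = (sp + 1) & 0xFF                    # 0812 RTS: pull low byte ...
    lo = mem[0x100 | sp]
    sp = (sp + 1) & 0xFF                    # ... then high byte ...
    hi = mem[0x100 | sp]
    return (((hi << 8) | lo) + 1) & 0xFFFF  # ... and add one


def build_sample_memory() -> bytearray:
    """Constructed memory image (not the real disk contents)."""
    mem = bytearray(0x10000)
    mem[0x26] = 0x00          # left there by the boot ROM (STA $26 at $C652)
    mem[0x27] = 0x09          # pointer high byte after the first-stage boot
    for addr in range(0x800, 0x900):
        mem[addr] = (addr * 7 + 3) & 0xFF   # arbitrary "protected" bytes
    # Encode $0115 into what will become $114/$115 so the RTS lands on $116.
    mem[0x814] = 0x15 ^ 0x14
    mem[0x815] = 0x01 ^ 0x15
    return mem


def decode_sample():
    """Run the loop on the sample image; return (rts_target, source, page_one)."""
    mem = build_sample_memory()
    source = bytes(mem[0x800:0x900])
    target = run_page_one_loop(mem)
    return target, source, bytes(mem[0x100:0x200])


if __name__ == "__main__":
    target, source, page_one = decode_sample()
    print(f"RTS continues at ${target:04X}")
    print("page one =", page_one[0x14:0x1A].hex(" "), "...")
```

Note that the very first pass through the loop pushes the byte at $800 (XORed with 0) into $100 before the pointer wraps to $8FF; the sample keeps that behaviour rather than skipping it, so the page-one image the function returns is byte-for-byte what the real loop would leave.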
THE NEW STARTING LOCATION IS $116
(IT MAY SEEM A LITTLE STRANGE TO
EXECUTE CODE OUT OF WHAT IS NORMALLY
THE STACK PAGE, BUT THERE'S NOTHING
ILLEGAL ABOUT IT. APPLESOFT, IN FACT,
HAS A SHORT SUBROUTINE CALLED 'CHRGET'
AT $B1-C8 IN ZERO PAGE!). BRIEFLY, THE
PROGRAM RUNS A CHECKSUM ON $120-1FF
TO MAKE SURE THOSE NASTY KRACKISTS
HAVEN'T CHANGED ANYTHING, THEN CLEARS
ALL OF MEMORY FROM $800-B7FF. AFTER
SETTING UP THE SCREEN TO VIEW HIRES
PAGE TWO (SO YOU CAN'T SEE THE READ
ROUTINE LOADING IN ACROSS THE TEXT
SCREEN MEMORY), TRACK 0 OF THE DISK IS
SEARCHED FOR THE BYTE SEQUENCE "DD AD
DA". ASTUTE READERS OF THIS COLUMN WILL
RECALL THAT THIS IS THE OLD SIRIUS
TRADEMARK, AND JUST THE BEGINNING OF
THE RIP-OFF OF SIRIUS PROTECTION
TECHNIQUES USED BY THE PUBLISHER
(APPARENTLY, IT'S ALL RIGHT TO
PLAGIARIZE CODE FROM A COMPETITOR'S
PROTECTION SCHEME, BUT NOT TO MAKE
BACKUP COPIES OF SOFTWARE PROTECTED
WITH THE STOLEN CODE!). THE REAL LOADER
PROGRAM IS LOADED INTO $400-7FF
(REMEMBER CYCLOD AND FRIENDS?), AND
AFTER CHECKING FOR A SINGLE EPILOG BYTE
OF $EE ON THE TRACK, WE DO A CHECKSUM
ON ZERO PAGE AND JUMP TO $400 WITH THE
CHECKSUM BYTE IN THE ACCUMULATOR. THE
OLD "4+4" NIBBLIZING FROM SIRIUS IS
USED, AND THE PROGRAM IS CONTAINED IN A
SINGLE RECORD WHICH IS $800 NIBBLES
LONG AND FOLLOWS SECTOR 0, WHICH IS IN
NORMAL DOS FORMAT, ON TRACK 0 (THE NICE
THINGS ABOUT 4+4 NIBBLIZING ARE THAT
INDIVIDUAL BYTES CAN BE LOCATED AND
CHANGED, AS DESCRIBED IN THE 'WAY OUT'
FILE, AND THE NUMBER OF NIBBLES IS
ALWAYS EXACTLY EQUAL TO TWICE THE
NUMBER OF BYTES IN THE RECORD).
AT $400, THE CHECKSUM OF ZERO PAGE
IS REPEATED AND COMPARED (THEY ONLY
NEED TO BE THE SAME), AND THERE IS A
BUNCH OF LANGUAGE CARD DEPROTECTION
AND CHECKING OF THE RESET AND NMI
VECTORS. IF ANY OF THE CHECKS FAIL, AN
ERROR MESSAGE IS PRINTED AND THE
ILLEGAL OPCODE $12 IS EXECUTED TO CAUSE
THE SYSTEM TO HANG. TRUE TO THE SIRIUS
HERITAGE, THE LOADER THEN FILLS UP
MEMORY BY READING TRACKS 1-D (TWELVE
PAGES EACH) INTO $0800-A3FF, USING AN
ADDRESS MARKER OF DD AD DA AND THE $EE
EPILOG BYTE. AFTER JUMPING TO $612, THE
MAIN SCREEN IS MOVED FROM $8000-9FFF TO
$4000-5FFF, AND THE MAIN PROGRAM IS
ENTERED AT $800. SOURCE CODE FOR THE
READER IS SHOWN BELOW:
        ORG   $0579
        STA   $05        ;DESTINATION
        PHA              ;HIGH BYTE
        LDY   H03FE      ;NUMBER OF
        STY   $06        ;PAGES TO READ
        LDY   #$00       ;CLEAR DEST'N
        STY   $04        ;LOW BYTE.
        LDX   H03FF
H0588   LDA   HC08C,X    ;BEGIN TO SEARCH
        BPL   H0588      ;FOR THE 'DD AD
H058D   CMP   #$DD       ;DA' SEQUENCE
        BNE   H0588
H0591   LDA   HC08C,X
        BPL   H0591
        CMP   #$AD
        BNE   H058D
H059A   LDA   HC08C,X
        BPL   H059A
        CMP   #$DA
        BNE   H058D      ;AFTER HEADER,
H05A3   LDA   HC08C,X    ;GET THE FIRST
        BPL   H05A3      ;NIBBLE, SET THE
        SEC              ;CARRY, ROTATE
        ROL              ;LEFT, AND STORE
        STA   $0F        ;IT IN $0F
H05AC   LDA   HC08C,X    ;GET THE SECOND
        BPL   H05AC      ;NIBBLE: AND IT
        AND   $0F        ;WITH THE FIRST
        STA   ($04),Y    ;STORE COMPLETE
        INY              ;BYTE AND GO ON
        BNE   H05A3      ;TO THE NEXT.
        INC   $05        ;DEST'N ADDRESS
        DEC   $06        ;PAGE COUNTER
        BNE   H05A3
H05BE   LDA   HC08C,X    ;CHECK FOR
        BPL   H05BE      ;EPILOG BYTE
        CMP   #$EE
        BNE   H0578
        PLA
        RTS
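The reader above and the "4+4" description before it fit together in a few lines of Python, added here as an example (it is not the article's or the publisher's code). encode_4_4 produces the two disk nibbles per byte (odd bits in the first, even bits in the second, every other bit forced on so each nibble is a legal disk byte with bit 7 set), decode_pair does exactly what $05A3-$05B1 does (SEC, ROL the first nibble, AND with the second), and read_record models the routine at $0579: find DD AD DA, decode the record, and insist on the $EE epilog. The record layout and the sample payload are constructed; the only figures taken from the article are the marker, the epilog byte, and the nibble strings it quotes for JMP $0800, JMP $FF59 and JMP $FECD, which the test checks against. The real routine re-synchronises by comparing each mismatching byte against $DD again; a plain substring search is used here, which is equivalent because no 4+4 nibble can equal $DD, $AD or $DA (each of those has an odd-numbered bit clear).

```python
# Constructed model of a Sirius-style 4+4 record as the $0579 reader sees it:
# address marker DD AD DA, two nibbles per data byte, one $EE epilog nibble.
ADDRESS_MARKER = bytes([0xDD, 0xAD, 0xDA])
EPILOG = 0xEE


def encode_4_4(data: bytes) -> bytes:
    """Two nibbles per byte; the OR with $AA sets bits 1,3,5,7 of each nibble.
    The nibble count is therefore always exactly twice the byte count."""
    out = bytearray()
    for b in data:
        out.append((b >> 1) | 0xAA)   # odd bits of b land in the first nibble
        out.append(b | 0xAA)          # even bits of b land in the second
    return bytes(out)


def decode_pair(first: int, second: int) -> int:
    """What $05A3-$05B1 does: SEC, ROL the first nibble, AND with the second."""
    rotated = ((first << 1) | 1) & 0xFF   # ROL with carry set (bit 0 := 1)
    return rotated & second


def build_record(data: bytes, epilog: int = EPILOG) -> bytes:
    """Lay one record out the way it sits on the track."""
    return ADDRESS_MARKER + encode_4_4(data) + bytes([epilog])


def read_record(stream: bytes, nbytes: int) -> bytes:
    """Model the $0579 reader over a captured nibble stream.

    The real routine counts 256-byte pages in $06 and lets Y wrap; here the
    caller passes the byte count directly (nbytes = 256 * pages).
    """
    start = stream.find(ADDRESS_MARKER)
    if start < 0:
        raise ValueError("address marker DD AD DA not found")
    pos = start + len(ADDRESS_MARKER)
    nibbles = stream[pos:pos + 2 * nbytes]
    if len(nibbles) < 2 * nbytes:
        raise ValueError("record truncated")
    data = bytes(decode_pair(nibbles[k], nibbles[k + 1])
                 for k in range(0, len(nibbles), 2))
    epilog_pos = pos + 2 * nbytes
    if epilog_pos >= len(stream) or stream[epilog_pos] != EPILOG:
        raise ValueError("epilog byte $EE missing")   # BNE H0578 in the listing
    return data


def nibble_string(data: bytes) -> str:
    """Render the nibbles the way the article quotes them, e.g. 'AE EE AE FB FF FF'."""
    return encode_4_4(data).hex(" ").upper()


if __name__ == "__main__":
    for code in (b"\x4C\x00\x08", b"\x4C\x59\xFF", b"\x4C\xCD\xFE"):
        print(code.hex(" ").upper(), "->", nibble_string(code))
    payload = bytes(range(256)) * 2          # constructed two-page record
    track = b"\xFF" * 8 + build_record(payload) + b"\xFF" * 8
    print("decoded OK:", read_record(track, len(payload)) == payload)
```

The AND in decode_pair is what makes single-byte edits on the disk practical: each data byte depends only on its own two nibbles, so changing a byte means rewriting exactly two nibbles and nothing else shifts.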
AT THIS POINT, ALL THE PROGRAM
RESIDES IN $0000-8000, SO IT'S A GOOD
PLACE TO INTERRUPT AND SAVE IT. IT
SEEMS STRANGE THAT, WITH ALL THE OTHER
SIRIUS-TYPE PROTECTION, THERE'S NO
CHECKSUM ON THE LOADER, SO WE CAN GO IN
AND CHANGE BYTES ON A COPY OF THE DISK.
IT'S EASY TO COPY THE DISK BY USING
NIBBLES AWAY WITH AN ADDRESS MARKER OF
DD AD DA FOR TRACKS 0-E, BUT YOU CAN
ACTUALLY GET BY WITH ONLY COPYING TRACK
0 ONTO A SEPARATE DISK (NA OR LOCKSMITH
WILL BOTH COPY IT WITHOUT PARMS, SINCE
THERE IS A STANDARD DOS 3.3 SECTOR ON
IT). THERE IS NO DISK ERROR HANDLING,
SO A DISK WITH ONLY TRACK ZERO ON IT
JUST SITS AND SPINS, ALLOWING YOU TO
REMOVE IT AND INSERT THE ORIGINAL TO
LOAD IN TRACKS 1-D. AS IN DAYS OF OLD,
READ IN TRACK ZERO USING THE TRACK
EDITOR FROM NIBBLES AWAY, THEN TYPE 'Z'
TO MAKE IT ANALYZE THE TRACK. SET THE
DISPLAY TO THE POINTER PAGE WITH
'G6800', THEN SEARCH FOR THE STRING "AE
EE AA AA AE AA", WHICH IS "4C 00 08" OR
'JMP $0800' IN 4+4 NIBBLEZE. CHANGE
THIS TO "AE EE AE FB FF FF", WHICH
MEANS 'JMP $FF59', OR "AE EE EE EF FF
FE" WHICH IS 'JMP $FECD' FOR USE WITH A
KRAKROM (THE RIGHT ONE TO USE HERE IS
KRAKROM4, SINCE $2000-3FFF CONTAINS
PROGRAM CODE AND $4000-5FFF HAS ONLY A
HI-RES PICTURE). WRITE THE ALTERED
TRACK TO A BLANK DISK WITH THE 'W'
COMMAND.
BOOT THE NEW DISK, AND WHEN IT
SPINS, INSERT THE ORIGINAL. AFTER THE
NORMAL LOAD, THE BANNER WILL BE
DISPLAYED FOR ABOUT 5 SECONDS BEFORE
YOUR MODIFICATION AT $66E REDIRECTS THE
PROGRAM INTO THE MONITOR. ASSUMING THAT
YOU USED A KRAKROM, THE ENTIRE PROGRAM
IS NOW CONTAINED IN $900-7FFF AND CAN
BE SAVED AS A BFILE AFTER BOOTING A
SLAVE DISKETTE.
MODIFICATIONS ARE EASY NOW, AND
THIS IS ONE SET OF 'CLEANUP' ACTIVITIES
THAT WILL BRING THE PROGRAM INTO
CONDITION TO BRUN:
1. BOOT A SLAVE DISK, THEN MOVE PAGE 8
BACK FROM $4800-48FF.
2. MOVE THE STORED ZERO PAGE MEMORY
FROM $4000-40FF TO $8000-80FF.
3. WRITE A MEMORY MOVE ROUTINE AT $8050
WHICH WILL RESTORE ZERO PAGE TO $0-FF
(SEE BELOW). DON'T FORGET TO SET UP
HIRES PAGE 2 AND CLEAR THE KEYBOARD
STROBE.
4. REPLACE THE PICTURE IN $4000-5FFF
WITH ONE CONTAINING YOUR OWN
ADVERTISING (YOU CAN RESET THE ORIGINAL
AFTER THE BOOT AND SAVE THE PICTURE AS
A BINARY FILE FOR MODIFICATION).
5. PUT '4C 50 80' OR 'JMP 8050' AT $7FD
TO START THE PROGRAM.
6. BSAVE KAMEARI,A$7FD,L$7880.
        ORG   $8050
        LDY   #$00
H8052   LDA   H8000,Y    ;RETURN ZERO
        STA   H0000,Y    ;PAGE TO $0-FF
        INY
        BNE   H8052
        LDX   #$60       ;SET UP STACK
        TXS              ;POINTER AND
        LDA   TXTCLR     ;GRAPHICS
        LDA   HISCR
        LDA   MIXCLR
        LDA   HIRES
        LDA   STROBE
        LDA   #$80       ;LOAD UP THE
        LDX   #$60       ;REGISTERS
        LDY   #$00
        JMP   H0800      ;BEGIN PROGRAM
TXTCLR  =     $C050
HISCR   =     $C055
MIXCLR  =     $C052
HIRES   =     $C057
STROBE  =     $C010
THE RESULTING PROGRAM WILL RUN
JUST FINE UNTIL YOU CLEAR A BOARD AND
ADVANCE TO THE NEXT LEVEL. AT THAT
POINT, THE DISK STARTS TO SPIN AND
THE SYSTEM REFUSES TO RESPOND TO ANY
INPUTS. THE REASON IS THE INSTRUCTION
AT $B5C WHICH JUMPS TO $403, WHICH
JUMPS TO $5D5:
        ORG   $05D5
        TYA
        PHA
        LDY   #$00
        STA   H03FE
H05DC   LDX   H03FF
        LDA   HC089,X    ;START THE DRIVE
        LDA   #$30
        JSR   WAIT
        LDA   #$7F
        JSR   H0579      ;READ THE "TRACK"
        LDX   H03FF      ;INTO 7F00-UP
        LDA   HC088,X    ;STOP DRIVE
        LDA   #$00
        TAY
H05F5   EOR   H7F00,Y    ;CHECKSUM 7F00-
        INY              ;7FFF
        BNE   H05F5
        CMP   #$44
        BNE   H05DC
        JSR   H7F00      ;DO SUBROUTINE
        LDY   #$00
H0604   CLC
        ADC   #$45       ;AND WIPE OUT
        STA   H7F00,Y    ;THE CODE SO
        INY              ;IT MUST BE READ
        BPL   H0604      ;IN EACH TIME
        PLA
        TAY
        JMP   H0CE8
THIS ROUTINE LOADS THE SINGLE PAGE
CONTAINED ON TRACK E INTO $7F00-7FFF,
EXECUTES THE SUBROUTINE AT $7F00, AND
MANGLES THE CODE IN PAGE $7F FOR GOOD
MEASURE. BY LOADING THE CODE IN ONCE
AND NOP'ING THE MANGLE ROUTINE, YOU CAN
AVOID THE UNNECESSARY DISK ACCESS AND
HAVE A 122-SECTOR KAMEARI PROGRAM TO
USE AS YOU SEE FIT. CHANGE $B5C FROM
'4C 03 04' TO '4C 80 1A', AND PUT THIS
SHORT SUBSTITUTE ROUTINE AT $1A80:
        ORG   $1A80
        TYA
        PHA
        JSR   H7F00
        PLA
        TAY
        JMP   H0CE8
KAMEARI IS A DECENT ENOUGH PACMAN,
BUT IT LACKS THE "PAUSE" CONTROL WITH
THE ESCAPE KEY THAT'S BECOME STANDARD
IN GAMES FROM THE U.S.A. YOU CAN ADD
ONE BY CHANGING LOCATIONS $1717-1719 TO
'4C 40 14', AND ADDING THIS SHORT
ROUTINE AT $1440:
        ORG   $1440
        CMP   #$9B       ;WAS IT 'ESC'?
        BEQ   H144B
        CMP   #$CB       ;NO, CHECK FOR 'K'
        BNE   H145A      ;NOTHING, EXIT
        JMP   H175D      ;IT WAS K, ->175D
H144B   LDA   STROBE     ;IT WAS ESC, CLR
H144E   LDA   KEY        ;THE STROBE AND
        BPL   H144E      ;WAIT FOR ANOTHER
        CMP   #$9B       ;'ESC' TO BE HIT
        BNE   H144E
        LDA   STROBE     ;MUST CLEAR HERE!
H145A   RTS
H175D   =     $175D
STROBE  =     $C010
KEY     =     $C000
IT'S A PLEASANT BIT OF NOSTALGIA
TO SEE SOMEONE USING THE OLD TECHNIQUES
WITH A NEW TWIST, AND IT PROVIDES US
A CHANCE TO REVIEW SOME OF THE KRACKING
APPROACHES THAT USED TO BE
"STATE-OF-THE-ART". SEE YOU IN A "WEEK"
OR SO WITH THAT PROMISED ARTICLE FROM
THE BASICS OF KRACKING SERIES.