💾 Archived View for spam.works › mirrors › textfiles › apple › CRACKING › krakowic.txt captured on 2023-06-16 at 21:13:05.


                   ***************************************
                   *     KRACKOWITZ'S CRACKING TIPS      *
                   ***************************************
                          FROM: THE ROM RAIDER
                                DR. DIGITAL

                    CALL HER MAJESTY'S SECRET SERVICE
                         3 0 3 - 7 5 1 - 2 0 6 3


ALONG WITH A NUMBER OF REQUESTS FOR MATERIAL USEFUL TO THOSE WHO ARE NOT YET IN
THE RANKS OF PROFESSIONALS IN THIS FIELD, IT HAS BEEN POINTED OUT TO ME THAT I
AM ALL TOO WILLING TO SUGGEST BURNING THIS PROM, INSTALLING THAT ROM, AND
GENERALLY MAKING WHOLESALE HARDWARE CHANGES IN AN UNSUSPECTING APPLE, WITHOUT
PROVIDING BACKGROUND INFORMATION FOR THE UP-AND-COMING KRACKISTS OF THE FUTURE.

THIS SERIES, WHILE AIMED AT THE BEGINNING TO INTERMEDIATE KRACKIST, WILL STILL
ASSUME A REASONABLE KNOWLEDGE OF ASSEMBLY LANGUAGE.  IF YOU FIND THESE
DISCUSSIONS ARE STILL TOO HEAVY INTO MACHINE CODE FOR YOU, THEN IT'S BEST TO
BUY A BOOK LIKE ROGER WAGNER'S "ASSEMBLY LINES" OR EQUIVALENT, AND STUDY IT
CAREFULLY (IF, ON THE OTHER HAND, YOU FIND THAT THIS IS ALL BENEATH YOU, JUST
KEEP A KNOWING SMIRK ON YOUR LIPS AS YOU SKIP LIGHTLY OVER THESE EPISODES -
THERE MIGHT BE SOMETHING YOU MISSED BECAUSE YOU HAD A BAD HANGOVER ONE DAY IN
KRACKING 101).

IN THIS AND FUTURE EPISODES IN THE 'BASICS OF KRACKING' SERIES, WE'LL DEAL WITH
THE FUNDAMENTALS OF THE KRACKIST'S ART, STARTING WITH THE HOW (AND WHY) OF
MAKING ALTERATIONS IN THE APPLE'S "PERMANENT" MEMORY.  FIRST OF ALL, THE MOST
IMPORTANT SINGLE TOOL AVAILABLE TO THE ASPIRING KRACKIST IS REPLACING THE
AUTOSTART ROM ON THE MOTHER BOARD WITH AN "OLD MONITOR" ROM.  WITH THIS ROM IN
PLACE, YOU CAN HIT 'RESET' WHENEVER YOU WANT, AND ALWAYS BE RETURNED TO THE
MONITOR FOR THE BEGINNING OF THE SNOOPING PROCESS.  THIS CHANGE, INCIDENTALLY,
WILL MAKE AVAILABLE TO YOU A REASONABLE SET OF "STEP AND TRACE" UTILITIES (SEE
THE APPLE II REFERENCE MANUAL, PP. 51-53).

TO UNDERSTAND WHAT THE DIFFERENCES ARE BETWEEN THE TWO ROMS, LET'S TAKE A
MINUTE TO EXAMINE WHAT PRESSING THE 'RESET' KEY DOES (OMIGOSH, MAUDE, THERE HE
GOES AGAIN ON THAT DETAILED TECHNICAL CRAP!).  INSTEAD OF GOING THROUGH THE
KEYBOARD INPUT ROUTINE AT C000, THE RESET KEY IS CONNECTED DIRECTLY TO PIN 40
OF THE 6502 MICROPROCESSOR CHIP.  WHEN THIS PIN IS CONNECTED TO GROUND (0
VOLTS), THE COMPUTER JUMPS UNCONDITIONALLY TO THE ADDRESS CONTAINED IN
LOCATIONS FFFC AND FFFD.  THIS IS NOT A TRUE INTERRUPT, SINCE THE APPLE FORGETS
WHAT IT WAS DOING BEFORE THE LINE WAS "YANKED", BUT IT IS AN EXAMPLE OF
'VECTORING' OR SENDING THE COMPUTER TO A SPECIFIC PLACE BY SETTING AN ADDRESS
INTO THE PROGRAM COUNTER.  IN THE AUTOSTART ROM, THESE TWO LOCATIONS CONTAIN 62
FA, SO THE NEXT INSTRUCTION TO BE EXECUTED IS AT FA62.  THIS SERIES OF ROUTINES
(SEE P. 143 AND PP. 36-38 OF THE REFERENCE MANUAL) CHECKS TO SEE IF THE
COMPUTER IS BEING POWERED UP FOR THE FIRST TIME (COLDSTART) OR RESET WITH THE
POWER ON (WARMSTART).  IF IT IS A WARMSTART, THE SYSTEM JUMPS TO THE
INSTRUCTIONS AT LOCATIONS 3F2 AND 3F3, AND BEGINS RUNNING THE PROGRAM FOUND
THERE (USUALLY BASIC AT E000).

THE "OLD MONITOR" ROM, HOWEVER, HAS 59 FF STORED IN FFFC-D.  THIS CAUSES AN
APPLE II (OR A II+ WITH AN INTEGER CARD AND THE RED SWITCH "UP") TO GO TO
ROUTINES WHICH SET UP THE KEYBOARD FOR INPUT, THE TV FOR OUTPUT, AND WIND UP IN
THE MONITOR WITH THE '*' PROMPT DISPLAYED.  IN CONTRAST TO THE AUTOSTART ROM,
WHERE ANYONE CAN TELL THE RESET BUTTON WHERE TO GO, THERE IS NO WAY TO PREVENT
A RESET FROM GOING TO FF59 AND WINDING UP IN THE MONITOR.  THIS IS OBVIOUSLY
ESSENTIAL IF YOU WANT TO BREAK INTO A GAME AND START EXAMINING THE CODE, BUT IT
HAS ITS OWN SET OF PROBLEMS.

IN THE PROCESS OF SETTING UP THE I/O DESCRIBED ABOVE, ESPECIALLY IN SETTING UP
THE TEXT WINDOW ON THE SCREEN, A NUMBER OF LOCATIONS IN ZERO PAGE MUST BE
CHANGED.  THE FOLLOWING LOCATIONS WILL PROBABLY BE ALTERED (ALL HEX):
20, 21, 22, 23, 24, 25, 28, 29, 32, 33, 35, 36, 37, 38, 39, AND 48.  WORSE THAN
THAT, THE
ENTIRE SCREEN SCROLLS UP ONE LINE WHEN THE MONITOR PROMPT IS PRINTED, WHICH
LOSES THE ENTIRE TOP ROW OF THE TEXT SCREEN (LOCATIONS 400-427), AND ALTERS THE
CONTENTS OF ALL THE OTHER LOCATIONS FROM 400-7FF, WITH THE EXCEPTION OF THE
"SCRATCHPAD" REGIONS AT 478-47F, 4F8-4FF, ETC.  (THE COMPUTER WIMP AT YOUR
SCHOOL SAYS THAT THE TOP LINE "FALLS INTO THE BIT BUCKET", BUT YOU KNOW HOW
EVERYONE FEELS ABOUT HIM.)

AS MOST SOFTWARE PROTECTORS KNOW, THIS WILL KEEP MOST OF THE AMATEURS OUT OF
THE PROGRAM, AND YOU'LL SEE EVIDENCE OF THIS TECHNIQUE IN THE FORM OF A LOT OF
"GARBAGE" ON THE TEXT SCREEN WHEN YOU RESET OUT OF A PROTECTED GAME.  OUR JOB,
THEN, IS TO KEEP THESE ZERO PAGE AND SCREEN MEMORY LOCATIONS FROM BEING LOST,
SINCE MOST PROTECTION SCHEMES USE THESE AREAS IN SOME WAY OR OTHER (BRODERBUND,
FOR EXAMPLE, HAS RECENTLY BEEN STORING THE ADDRESS MARKER FOR THE DISK TRACK IN
LOCATIONS 20, 21, AND 22).

THE SAFE WAY TO PREVENT INFORMATION FROM BEING LOST FROM THESE "VOLATILE"
LOCATIONS IS TO TRANSFER ALL OF THE CONTENTS TO A SAFE AREA -- LOCATIONS 2000 &
UP (OR 4000 & UP) WHERE A HI-RES PICTURE NORMALLY RESIDES.  IN FACT, IT WOULD
BE BEST TO SAVE EVERYTHING FROM 0 TO 8FF, SINCE BOOTING A DISKETTE TO SAVE THE
DATA ALSO DESTROYS LOCATIONS 800-8FF.  (REMEMBER THE FIRST LAW OF DISK KRACKING
- TRACK 0, SECTOR 0 ALWAYS STARTS WITH D5 AA 96 AND ALWAYS LOADS INTO 800-8FF).
BECAUSE THIS IS THE BEGINNING CLASS, LET'S LOOK AT TWO EXAMPLES OF SHORT BINARY
SUBROUTINES THAT WILL DO THE "SAVE" FOR US.  BOTH START, AS WILL BE EXPLAINED
LATER, AT LOCATION FECD IN THE F8 ROM.  THE FIRST IS THE MOST STRAIGHTFORWARD
AND EASIEST TO FOLLOW:

SAVE    LDY  #$00      ;CLEAR Y-REGISTER (SAVE SITS AT $FECD)
LOOP    LDA  $0000,Y   ;GET A BYTE FROM 0+Y (THE 6502 HAS NO LDA ZP,Y
                       ;MODE, SO THIS IS ABSOLUTE,Y AND TAKES 3 BYTES)
        STA  $2000,Y   ;STORE AT 2000+Y
        LDA  $0100,Y   ;THEN FROM 100+Y
        STA  $2100,Y   ;TO 2100+Y
        LDA  $0200,Y   ;AND SO ON UNTIL
        STA  $2200,Y   ;WE HAVE COVERED
        LDA  $0300,Y   ;ALL THE MEMORY
        STA  $2300,Y   ;'PAGES' FROM 0 TO 8
        LDA  $0400,Y   ;AND STORED INTO
        STA  $2400,Y   ;PAGES 20 TO 28
        LDA  $0500,Y
        STA  $2500,Y
        LDA  $0600,Y
        STA  $2600,Y
        LDA  $0700,Y
        STA  $2700,Y
        LDA  $0800,Y
        STA  $2800,Y
        INY            ;THEN ADD 1 TO Y-REG
        BNE  LOOP      ;AND REPEAT IF < 256 (BACK TO THE FIRST LDA)
        JMP  $FF59     ;WHEN WE'RE ALL DONE
                       ;JUMP TO MONITOR START

THIS 61-BYTE ROUTINE, IF IT COULD BE EXECUTED AUTOMATICALLY WHEN THE RESET KEY
IS PRESSED, WOULD SAFELY STASH ALL OF THE CHANGEABLE MEMORY AND EXIT GRACEFULLY
INTO THE MONITOR.

A MORE COMPACT AND GENERAL, BUT LESS OBVIOUS ROUTINE IS SHOWN BELOW.  IT IS
INCLUDED BECAUSE IT IS TYPICAL OF THE "MEMORY MOVE PROGRAMS" THAT WE WILL
EVENTUALLY HAVE TO WRITE IN KRACKING ALMOST ANY PROGRAM.

SAVE    LDY  #$00      ;CLEAR Y-REGISTER (SAVE SITS AT $FECD)
LOOP1   LDA  $0000,Y   ;XFER THE ZERO PAGE TO
        STA  $2000,Y   ;2000-20FF SO WE CAN USE
        INY            ;THE ZERO PAGE MEMORY
        BNE  LOOP1     ;FOR THE OTHER MOVES (Y IS 0 WHEN WE FALL OUT)
        LDA  #$00      ;SET UP LOCNS 0 & 1 AS A
        STA  $00       ;2-BYTE POINTER FOR THE
        STA  $02       ;SOURCE ADDRESS, USE 2&3
        LDA  #$01      ;AS 2-BYTE POINTER FOR
        STA  $01       ;THE DESTINATION ADDRESS
        LDA  #$21      ;STARTING AT $2100
        STA  $03
LOOP2   LDA  ($00),Y   ;GET A BYTE FROM 100-UP (Y IS STILL 0; THE 6502
        STA  ($02),Y   ;STORE AT 2100-UP       HAS NO PLAIN ($00) MODE)
        INC  $02       ;INCREMENT LO-ORDER BYTE
        INC  $00       ;OF SOURCE & DESTINATION
        BNE  LOOP2     ;(BACK TO LDA ($00),Y IF
                       ;LO-ORDER IS <256)
        INC  $03       ;IF LO-ORDER=0, INC THE
        INC  $01       ;HI BYTE OF EACH
        LDA  $01       ;CHECK TO SEE IF HI-BYTE
        CMP  #$09      ;IS 9 -WE'RE THRU AT 8FF
        BNE  LOOP2     ;IF NOT, LOOP BACK TO
                       ;THE LOAD/STORE UNTIL
                       ;WE'RE ALL DONE
        JMP  $FF59     ;EXIT THRU MONITOR

UNLIKE THE FIRST ROUTINE, THIS ONE (AT 47 BYTES) USES RAM LOCATIONS 0 THROUGH
3, SO THE ZERO PAGE MUST BE TRANSFERRED BEFORE IT IS ALTERED BY USING THOSE
ADDRESSES AS POINTERS.  WHILE THE FIRST ROUTINE MUST GROW BY SIX BYTES FOR EACH
ADDITIONAL PAGE TRANSFERRED, THE SECOND NEEDS ONLY TO HAVE THE "9" IN THE
COMPARE STATEMENT CHANGED TO THE APPROPRIATE VALUE ONE HIGHER THAN THE LAST
PAGE NUMBER BEING TRANSFERRED.

TO RETURN TO THE BUSINESS OF ALTERING ROMS, IT IS EASY TO SEE THAT AN AUTOSTART
ROM COULD BE MADE TO BEHAVE LIKE AN OLD ROM JUST BY CHANGING LOCATIONS FFFC-D
TO 59 FF FROM 62 FA.  (A NOTE TO THE FAINT-HEARTED--YOU CAN BUY AN OLD MONITOR
F8 ROM FOR ABOUT $10 AND PLUG IT DIRECTLY INTO YOUR APPLE'S F8 SOCKET, BUT YOU
WON'T HAVE ALL THE BENEFITS WE'VE BEEN TALKING ABOUT).  AS LONG AS WE'RE GOING
TO THE EFFORT OF MAKING A CHANGE, THOUGH, WE MIGHT AS WELL ADD ONE OF THE
ROUTINES ABOVE AND ALLOW THE NEW ROM TO SAVE THE VOLATILE MEMORY FOR US.  TO DO
THIS, WE'LL HAVE TO GIVE UP SOMETHING IN THE ROM, AND THE MOST EASILY
SURRENDERED AREA FOR MOST OF US IS THE TAPE READ/SAVE ROUTINES AT $FECD.  IF WE
THEN CHANGED FFFC-D TO CD FE, THE MEMORY FROM 0 TO 8FF WOULD BE SAVED TO
2000-28FF EVERY TIME THE 'RESET' KEY WAS PRESSED.  SINCE IT'S SOMETIMES
INCONVENIENT TO HAVE THAT HAPPEN WHEN THE RESET KEY IS PRESSED, WE CAN REQUIRE
THAT A SPECIFIC KEY BE ALSO PRESSED TO MAKE IT OCCUR.  THESE FEW INSTRUCTIONS
INSERTED BEFORE EITHER OF THE ROUTINES ABOVE WILL GIVE A "RESET AND SAVE" WHEN
THE "-" KEY IS HELD DOWN (OR WAS THE LAST KEY PRESSED), WHILE GIVING A REGULAR
"OLD RESET" THE REST OF THE TIME.

        LDA  $C000     ;LOOK AT THE KEYBOARD
        ASL            ;MASK OFF HIGH BIT (ASL, NOT ROL: ROL WOULD SHIFT
                       ;THE STALE CARRY INTO BIT 0 AND SPOIL THE COMPARE)
        CMP  #$5A      ;WAS IT "-"?($2D X 2=$5A)
        BNE  MONITOR   ;IF NOT, BRANCH TO THE
                       ;LOCATION WITH THE
                       ;"JUMP FF59" INSTRUCTION
                       ;AT THE END OF THE SAVE
                       ;SUBROUTINE.
                       ;(EITHER SAVE ROUTINE GOES HERE, ENDING WITH:)
MONITOR JMP  $FF59     ;EXIT THRU MONITOR


OK, OK - WE ALL AGREE THAT THESE WOULD BE NEAT THINGS TO HAVE IN THE F8 ROM, SO
HOW DO WE GET IT THERE?  FIRST, GET HOLD OF A PROMBURNER (PROMBLASTER, EPROM
PROGRAMMER, ETC.) THAT WILL PROGRAM 2716 EPROMS.  EACH ONE IS DIFFERENT, SO I
WON'T TRY TO GIVE DETAILED INSTRUCTIONS ON THE ACTUAL PROGRAMMING.  BUY OR
BORROW A FRIEND'S OLD F8 ROM (OR GET THE BINARY FILE) THEN TYPE IN OR LOAD IN
THE CHANGES YOU WANT TO MAKE AT FECD & UP AND AT FFFC-D, AND PROGRAM A 2716
EPROM WITH OUR MODIFIED VERSION OF APPLE'S F8 MONITOR ROM.
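The steps just described (put the routine at FECD & up, point FFFC-D at it, keep the old reset entry at FF59 intact), worked through as an added Python example that is not code from the original article: it hand-assembles the compact save routine together with the "-" key check, computes the branch offsets the listings show as arrows, and drops the result into a 2K F8 ROM image. The list layout, the function names and the all-zero placeholder image are assumptions; a real run would use a dump of the old-monitor F8 ROM.

```python
ROM_BASE, ROM_SIZE = 0xF800, 0x800  # the F8 ROM covers $F800-$FFFF, 2K by 8 bits
ORG = 0xFECD                         # the tape routines we give up
OLDRST = 0xFF59                      # old-monitor reset entry; must not be overwritten

# Hand-assembled program: bytes are code, str items are labels, (opcode, label)
# tuples are relative branches whose offset bytes assemble() fills in.
SAVE_ROUTINE = [
    b"\xAD\x00\xC0\x0A\xC9\x5A",            # LDA $C000 / ASL A / CMP #$5A ("-" is $2D, times two)
    (b"\xD0", "MON"),                       # BNE MON     plain old reset unless "-" was pressed
    b"\xA0\x00",                            # LDY #$00
    "L1", b"\xB9\x00\x00\x99\x00\x20\xC8",  # LDA $0000,Y / STA $2000,Y / INY  zero page first
    (b"\xD0", "L1"),                        # BNE L1
    b"\xA9\x00\x85\x00\x85\x02",            # LDA #$00 / STA $00 / STA $02  source $0100, dest $2100
    b"\xA9\x01\x85\x01\xA9\x21\x85\x03",    # LDA #$01 / STA $01 / LDA #$21 / STA $03
    "L2", b"\xB1\x00\x91\x02\xE6\x02\xE6\x00",  # LDA ($00),Y / STA ($02),Y / INC $02 / INC $00
    (b"\xD0", "L2"),                        # BNE L2      low byte has not wrapped yet
    b"\xE6\x03\xE6\x01\xA5\x01\xC9\x09",    # INC $03 / INC $01 / LDA $01 / CMP #$09
    (b"\xD0", "L2"),                        # BNE L2      keep going until page $09 is reached
    "MON", b"\x4C\x59\xFF",                 # JMP $FF59   exit through the old-monitor reset
]

def assemble(items, org):
    """Two-pass hand assembly: record label addresses, then emit branch offsets."""
    labels, pc = {}, org
    for item in items:
        if isinstance(item, str):
            labels[item] = pc
        else:
            pc += 2 if isinstance(item, tuple) else len(item)
    out, pc = bytearray(), org
    for item in items:
        if isinstance(item, tuple):
            opcode, target = item
            pc += 2
            offset = labels[target] - pc   # 6502 branches are relative to the next instruction
            assert -128 <= offset <= 127, "branch out of range"
            out += opcode + bytes([offset & 0xFF])
        elif isinstance(item, bytes):
            out += item
            pc += len(item)
    return bytes(out)

def patch_f8_rom(rom):
    """Place the routine at $FECD and point the reset vector ($FFFC-D) at it."""
    assert len(rom) == ROM_SIZE, "expected a 2K F8 ROM image"
    code = assemble(SAVE_ROUTINE, ORG)
    assert ORG + len(code) <= OLDRST, "routine would overwrite the monitor reset entry"
    image, start = bytearray(rom), ORG - ROM_BASE
    image[start:start + len(code)] = code
    image[0xFFFC - ROM_BASE:0xFFFE - ROM_BASE] = bytes([ORG & 0xFF, ORG >> 8])  # CD FE
    return bytes(image)
```

The two asserts in patch_f8_rom are the checks worth keeping: a routine that runs past FF59 would clobber the very entry it jumps to, and a vector written high byte first would send every reset into the wrong place.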

ALL THAT REMAINS TO TAKE FULL ADVANTAGE OF THE NEW F8 ROM IS TO MAKE A SLIGHTLY
MODIFIED SOCKET AND PLUG IT IN.  BOTH THE 2716 AND THE ORIGINAL 9316 ROM USED
BY APPLE ARE READ-ONLY-MEMORY DEVICES HOLDING 2K BY 8 BITS OF INFORMATION
("16K" ROMS), BUT THE PINOUT, OR ASSIGNMENT OF CHIP FUNCTIONS TO PIN NUMBERS IS
SLIGHTLY DIFFERENT.  TO USE THE 2716 IN A BOARD DESIGNED FOR A 9316, YOU NEED
TO TIE PIN 21 TO 5 VOLTS (PIN 24) AND TIE PIN 18 TO GROUND (PIN 12).  YOU COULD
MODIFY THE PROM ITSELF, BUT YOU'RE LIABLE TO RUIN THE CHIP, AND IT CREATES A
REAL MAGILLA IF YOU NEED TO REPROGRAM IT.  (A ROM CARD, SUCH AS AN INTEGER
CARD, CAN BE USED FOR 2716'S IF TWO JUMPERS ARE CONNECTED AT THE TOP OF THE
CARD, AND ->ONLY<- 2716'S ARE USED IN ALL OF ITS SOCKETS AFTER THAT).

GET A 24-PIN, PREFERABLY LOW-PROFILE IC SOCKET, AND ORIENT IT WITH THE PINS UP
AND THE NOTCH INDICATING THE 'PIN ONE' END TO THE RIGHT.  IT SHOULD LOOK LIKE:


---------------------------------------
!  13 14 15 16 17 18 19 20 21 22 23 24!
! ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ !
!                                     !
!                                     !
!                                    /
!                         (NOTCH)->!
!                                    \
!                                     !
! .  .  .  .  .  .  .  .  .  .  .  .  !
!/  /  /  /  /  /  /  /  /  /  /  /   !
!12 11 10 9  8  7  6  5  4  3  2  1   !
---------------------------------------


USING A LOW-WATTAGE SOLDERING IRON, SOLDER A SHORT PIECE OF 26-30 GAUGE WIRE
BETWEEN PINS 21 AND 24, AND ANOTHER ONE BETWEEN PINS 12 AND 18.  MAKE THE
CONNECTION AS CLOSE TO THE SOCKET AS POSSIBLE, AND TRY TO AVOID GETTING ANY
SOLDER ON THE ENDS OF PINS 12 AND 24.  CUT OFF PINS 21 AND 18, AGAIN AS CLOSE
AS POSSIBLE TO THE SOCKET.  (PLUGGING ANOTHER SOCKET INTO THE ONE BEING
MODIFIED WILL HELP TO PREVENT DISTORTION DURING THE SURGERY).  THE SOCKET NOW
LOOKS LIKE:

---------------------------------------
!  13 14 15 16 17 18 19 20 21 22 23 24!
! ./ ./ ./ ./ ./  / ./ ./  / ./ ./ ./ !
!                 X        X       /  !
!                /        /       /   !
!               /        /-------/   /
!    /---------/                    !
!   /                                \
!  /                                  !
! /  .  .  .  .  .  .  .  .  .  .  .  !
!/  /  /  /  /  /  /  /  /  /  /  /   !
!12 11 10 9  8  7  6  5  4  3  2  1   !
---------------------------------------


               X=NO PIN

DOUBLE CHECK THE CONNECTIONS ON THE BOTTOM OF THE SOCKET, AND PLUG THE 2716
INTO THE SOCKET, BEING CAREFUL TO MATCH THE NOTCHED END OF THE CHIP TO THE
SOCKET.  MAKE SURE THAT THE POWER TO THE APPLE IS TURNED OFF, AND PLUG THE
ASSEMBLY INTO THE F8 SOCKET ON THE MOTHER BOARD WITH THE NOTCH TOWARD THE FRONT
(KEYBOARD) END OF THE APPLE.  CROSS YOUR FINGERS AND TURN ON THE APPLE.  IF
THERE IS NO FAMILIAR "BEEP", OR IF THE TV SCREEN STAYS WHITE, OR IF THE SYSTEM
DOESN'T RESPOND TO THE RESET KEY, TURN OFF THE POWER AND EXAMINE THE CHIP AND
SOCKET CAREFULLY TO FIND THE ERROR.  IF BLACK CLOUDS OF SMOKE ROLL OUT FROM THE
APPLE, FORGET WHERE YOU READ THIS.  ACTUALLY, THE MOST COMMON MISTAKE OF
INSERTING THE CHIP BACKWARDS IS SELDOM HARMFUL TO IT, BUT DOES LOCK UP THE
APPLE'S BUS.  REMEMBER THAT BOTH THE 2716 AND THE 9316 THAT YOU REMOVED CAN BE
DAMAGED BY STATIC ELECTRICITY, SO HANDLE WITH CARE AND DON'T SCUFF YOUR FEET ON
THE CAT.