💾 Archived View for mirrors.apple2.org.za › archive › www.textfiles.com › apple › CRACKING › krackwo… captured on 2024-08-19 at 03:04:00.
View Raw
More Information
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
- **************************************
- *
- *
- *
- KRAKOWICZ'S KRACKING KORNER III A *
- *
- *
- *
- =>WAY OUT<= *
- *
- *
- *
- **************************************
WELCOME BACK - IT'S BEEN A LONG WEEK SINCE THE LAST INSTALLMENT, SO LET'S GET RIGHT TO THE BUSINESS OF KRACKING WAY OUT. AFTER THE EXCELLENT AND CHALLENGING PROTECTION THAT SIRIUS PUT ON THE BANDITS/CYCLOD GROUP, IT WAS DISCOURAGING TO SEE THE PUTRID LITTLE DOS COMMAND CHANGE ON ESCAPE FROM RUNGISTAN. WAY OUT IS ABOUT HALFWAY BETWEEN THE TWO, WITH ENOUGH CHALLENGE TO MAKE IT INTERESTING, AND ENOUGH DISK ACCESS TO MAKE IT DIFFERENT.
IN THE FIRST HALF OF THIS EPISODE, WE WILL DESCRIBE THE REMOVAL OF THE NIBBLE COUNTS FROM THE DISK TO MAKE IT COPY WITH NA II, AND IN PART B WE'LL COVER THE CONVERSION OF THE PROGRAM TO A TOTALLY COPYA VERSION.
TRACK 0, SECTOR 0 LOADS, OF COURSE, INTO 800-8FF, AND BRINGS IN A FAIRLY STRAIGHTFORWARD LOADER FROM THE REST OF TRACK 0 INTO $9600 UP. THEY PUT IT THERE RATHER THE 400-7FF SCREEN MEMORY IN ORDER TO DO THE RIPPLE VISUAL EFFECT BANNER (THAT'S ALL IN LO-RES COLOR, BY THE WAY). THE LOADER IS VISIBLE WHEN YOU RESET DURING THE LOOOONG BOOT (THEY STILL READ IN ALL THE TRACKS FROM 0 TO 1C TO "CHECK YOUR APPLE"), AND CHECKING THE END OF THE BOOT SECTOR AT 890 SHOWS THAT THE STARTING LOCATION IN THE LOADER IS 979B. A SHORT ROUTINE READS THROUGH ALL THE TRACKS, LOADING THEM AT STARTING ADDRESSES TAKEN FROM A LOOKUP TABLE JUST LIKE BANDITS AND CYCLOD. FOLLOWING THAT, AT 9811 AND 9814 ARE JSR'S TO DIFFERENT NIBBLE COUNT ROUTINES FOR TRACKS 21 AND 22. IN THIS FIRST PART, WE WILL MAKE THE DISK COPY WITH NA II BY CHANGING THE SIX BYTES FOR THE TWO JSR'S TO NOP'S. BUT BEFORE WE DO THAT, LET'S TAKE A MINUTE TO LOOK AT THE COPY PROTECTION SCHEMES ON THESE TWO TRACKS. TRACK 21 HAS A GOOD, OLD-FASHIONED NIBBLE COUNT WHERE THEY DETERMINE THE NUMBER OF BYTES BETWEEN THE TWO OCCURRANCES OF 'AA' ON THE TRACK. THIS IS THE KIND OF COUNT THAT NA II EATS FOR BREAKFAST, SO IT'S NOT HARD TO GET AROUND. TRACK 22, ON THE OTHER HAND, SHOWS THAT SIRIUS HAS BEEN READING THE DOCS ON THE MAJOR NIBBLE COPIERS - WE SURE HOPE THEY BOUGHT THEM ALL, RIGHT? IN ORDER TO DO A NIBBLE COUNT, A COPIER HAS TO KNOW WHERE TO START COUNTING AND SOMETIMES WHERE TO ADD OR DELETE THE SPARE NIBBLES. TO DO THIS, NA II ALLOWS YOU TO ENTER AN 8-BYTE ADDRESS MARKER, WHILE LS 4.1 ALLOWS 9 BYTES TO INCLUDE A NORMAL 3-BYTE HEADER, VOL #, TRACK#, AND SECTOR # AT TWO BYTES EACH. THIS TRACK HAS SEVERAL SECTIONS WITH NORMAL "GAPS" JUST LIKE NA AND LS LOVE TO FIND, ALL BEGINNING WITH THE BYTE SEQUENCE AA, D5, D5, FF, D6, FF, FD, FD, DD. THE PROGRAM, HOWEVER, LOOKS FOR THE NEXT THREE BYTES AS WELL, AND THESE MUST BE EA, B5, F7. ALL BUT ONE OF THESE 9-BIT SEQUENCES HAVE OTHER BYTES FOR THE NEXT THREE, AND THESE WILL BE INCORRECTLY CHOSEN FOR THE ADDRESS MARKER BY ANY OF THE POPULAR COPIERS. THE ENTIRE TRACK IS READ 16 TIMES, AND THE CHECKSUM FOR THE 64K BYTES READ IN MUST AGREE WITH THE ONE IN THE PROGRAM, OR THE DISK REBOOTS. DEVIOUS ENOUGH, BUT QUITE VISIBLE IN A LOADER THAT WASN'T WELL HIDDEN.
TO CHANGE THOSE NIBBLE COUNT JSR'S TO NOP'S, WE HAVE TO ALTER THE ACTUAL NIBBLES ON THE TRACK. ANY ALTERATION WILL CHANGE THE CHECKSUM FOR THE TRACK, SO WE FIRST HAVE TO NEGATE THE CHECKSUM COMPARISON ROUTINE. THE SAME PROCESS IS USED FOR THE ACTUAL REMOVAL OF THE NIBBLE COUNT, SO WE'LL DO THE EASY ONE FIRST.
IT'S BEEN A WHILE SINCE WE LOOKED AT THE TECHNIQUE USED BY SIRIUS TO ENCODE INFORMATION ON THE DISK, SO LET'S REVIEW FOR A MINUTE. REMEMBER THAT MOST PROTECTED SIRIUS SOFTWARE DOES NOT USE REGULAR SECTORS, BUT AN UNSEGMENTED STREAM EQUIVALENT TO C00 BYTES OF DATA ON EACH TRACK. AFTER THE ADDRESS MARKER OF AD DA DD (THE SIRIUS TRADEMARK), EVERY BYTE IS ENCODED IN A 4+4 FORMAT WHERE HALF THE INFORMATION IS STORED IN EACH NIBBLE (A BRIEF ASIDE - THE USE OF THE TERM 'NIBBLE' IS CONFUSING AND A LITTLE BIT ERRONEOUS WHEN USED IN DESCRIBING DISK ACCESS. IT FORMALLY REFERS TO EITHER THE LEFT-HAND OR RIGHT-HAND FOUR BITS OF A BYTE, AND HAS BEEN CONTINUED IN USAGE FOR THE UNITS OF INFORMATION STORAGE ON A DISK, EVEN THOUGH MANY SCHEMES, LIKE DOS 3.3, USE A VERY DIFFERENT METHOD OF ENCODING THE 8 BITS OF A BYTE ONTO A DISK 'NIBBLE'. IN ALMOST ALL CASES, ON THE APPLE, INFORMATION IS RECOVERED FROM THE DISK IN A SERIES OF EIGHT-BIT BYTES WHICH THEN MUST BE FURTHER PROCESSED TO DECODE THE REAL BINARY INFORMATION CONTAINED IN THEM).
THE FULL SEQUENCE OF INSTRUCTIONS WHICH PERFORM THE DECODING WAS LISTED IN KKK #1; BUT BRIEFLY, THE FIRST NIBBLE (BYTE) IS READ IN, THE CARRY BIT IS SET, AND THE RESULT IS ROTATED LEFT ONCE. THIS SHIFTED NIBBLE IS "ANDED" WITH THE NEXT NIBBLE, AND THE RESULT STORED IN MEMORY AS A FULL BYTE. IN ORDER TO CHANGE A BYTE ON THE TRACK, IT'S NECESSARY TO RECONSTRUCT THE NIBBLES AS THEY WILL APPEAR ON THE TRACK AND FIND THEM WITH A NIBBLE EDITOR. FOR EXAMPLE, TO FIND THE BYTES WHICH CORRESPOND TO THE CHECKSUM ROUTINE, WE NEED TO LOOK AT THE INSTRUCTIONS AT $9887. THEY ARE 'EOR $F5, BNE 988D', OR BRANCH TO A RE-READ ROUTINE IF THE EXCLUSIVE-OR BETWEEN THE ACCUMULATOR AND THE CHECKSUM IN LOCATION F5 IS NOT ZERO. WE CAN GET AROUND THIS RE-READ IF WE CHANGE THE BYTES FOR 'BNE 988D' FROM 'D0 02' TO TWO NOP'S: 'EA EA'.
THE DATA NIBBLES ALLOWED ON THE DISK UNDER THIS SYSTEM MUST HAVE THE MOST SIGNIFICANT BIT SET, AND AT LEAST EVERY SECOND BIT SET TO ONE: THE ONLY VALID NIBBLES ARE A (1010), B (1011), E (1110), AND F(1111). SPARING THE VERY GORY DETAILS, A BYTE HAS ITS FIRST HALF IN ONE TRACK NIBBLE, AND ITS SECOND HALF IN THE NEXT:
-------SECOND BYTE
/ /
EA FA
/ /
------------FIRST BYTE
THE TABLE BELOW IS USED TO "BUILD UP" THE SIRIUS-FORMAT TRACK NIBBLES:
FIRST SECOND
BYTE HALF HALF
---- ----- ------
0 A A
1 A B
2 B A
3 B B
4 A E
5 A F
6 B E
7 B F
8 E A
9 E B
A F A
B F B
C E E
D E F
E F E
F F F
TO BUILD UP 'D0', FOR EXAMPLE, USE E- F- FOR THE 'D' AND -A -A FOR THE ZERO, THEN COMBINE THEM TO GIVE EA FA FOR 'D0'. THE '02' BYTE IS THEN A- A- PLUS -B -A TO MAKE AB AA. THE COMPLETE NIBBLE STRING FOR 'D0 02' IS EA FA AB AA.
TO DO THE NIBBLE EDITING THAT FOLLOWS, THE BEST UTILITY IS PROBABLY THE TRACK/BIT EDITOR OF NIBBLES AWAY II. LOAD NA II, ENTER D5 AA 96 FOR THE ADDRESS MARKER, SELECT THE TRACK EDITOR AND READ IN TRACK ZERO. TYPE 'Z' TO ALLOW THE PROGRAM TO ANALYZE THE TRACK, THEN MOVE THE CURSOR TO THE PAGE CONTAINING THE POINTER (USUALLY 6700). TYPE 'S' FOR STRING SEARCH AND ENTER EA FA AB AA (AS A GENERAL RULE, SEARCHING FOR A TWO-BYTE SEQUENCE IN A PROGRAM IS RISKY, WHILE A FOUR-BYTE SEQUENCE IS PRETTY SAFE. IN THIS CASE, YOU REALLY SHOULD ADD THE PRECEDING TWO BYTES 45 F5, WHICH TRANSLATE TO BA EF FA FF). WHEN THIS STRING IS LOCATED, REPLACE IT WITH THE EQUIVALENT OF TWO EA'S: FF EA FF EA, AND WRITE IT TO A BLANK DISK WITH THE 'W' KEY.
WITH THE CHECKSUM SAFELY REMOVED, YOU CAN FOLLOW THE SAME GENERAL PROCEDURE TO REMOVE THE NIBBLE COUNT JSR'S AT 9811 AND 9814, ALLOWING YOU TO MAKE A WORKING COPY OF WAY OUT WITH NA II. TRACK ZERO WOULD USE D5 AA 96 AS AN ADDRESS MARKER, AND TRACKS 1-1C USE AD DA DD.
STAY TUNED FOR PART B - MAKING WAY
OUT COPYA.
=>KRAKOWICZ<=