1 *************************************** * * * KRAKOWICZ'S KRACKING KORNER * * * * BROUGHT TO YOU BY PIRATE TREK ][ * * * *************************************** WELCOME TO THE FIRST IN A SERIES OF TECHNICAL DISCUSSIONS ON THE USES AND ABUSES OF COPY PROTECTION TECHNIQUES. YOUR HOST IS KRAKOWICZ, BASED IN NEW YORK AND DEDICATED TO THE PROPOSITION THAT ALL MEN ARE EQUALLY ENTITLED TO THE KNOWLEDGE AND ENJOYMENT OF COMPUTERS AND SOFTWARE. THIS SECTION OF THE BOARD IS INTENDED TO PROVIDE INFORMATION AND TO STIMULATE DIALOG AMONG THE INTERNATIONAL BROTHERHOOD OF SOFTWARE CRACKISTS. THE MANAGEMENT OF THIS SYSTEM, AS WELL AS YOUR HOST, CERTAINLY DO NOT ADVOCATE OR ADVISE ANY ILLEGAL ACTS, AND ALL INFORMATION PRESENTED HERE IS INTENDED TO EDUCATE, INFORM, OR AMUSE THOSE WHO READ IT. THAT'S ENOUGH SERIOUS CRAP, NOW LET'S HAVE SOME FUN. SIRIUS SOFTWARE, IN THEIR LATEST RELEASE (MINOTAUR, BANDITS , FLY WARS, CYCLOD, ETC) HAS RAISED THE SCIENCE OF COPY PROTECTION TO NEW HEIGHTS. AS YOU KNOW, MOST DISKS THAT DO A LOT OF DISK ACCESSING ARE NOT EASILY CRACKED, AND MOST PEOPLE WORK VERY HARD DEVELOPING PARMS FOR THE POPULAR BACKUP PROGRAMS. BECAUSE OF TH E TECHNIQUES USED BY SIRIUS, IT IS DOUBTFUL THAT ANY OF THE PRESENTLY AVAILABLE COPIERS WILL BE SUCCESSFUL, AND NEW EFFORT MUST BE FOCUSED ON THE CRACKING OF THESE PROGRAMS. (PLEASE DON'T BE ALARMED IF THE TERMS USED HERE ARE UNFAMILIAR TO YOU - WE WILL BE DOING MANY OF THESE IN THE FUTURE, AND YOU'LL HAVE A CHANCE TO GET USED TO THE TECHNIQUES AND JARGON AS WE GO ALONG). THIS DISCUSSION ASSUMES A BASIC KNOWLEDGE OF CRACKING TECHNIQUES - MEMORY MOVES, PROBABLE STARTING LOCATIONS, EXCLUSIVE-ORING TO HIDE SENSITIVE CODE, ETC, AND A GOOD WORKING KNOWLEDGE OF A SECTOR EDITOR. MY FAVORITE IS THE INSPECTOR, BUT THE ONE IN NIBBLES AWAY II ALSO HAS SOME NICE FEATURES. HAVING THE INSPECTOR IN ROM IS JUST ABOUT A NECESSITY FOR TODAY'S SOFTWARE ARTIST, ANYWAY. 
ALL ADDRESSES ARE GIVEN IN HEXADECIMAL, WITH BINARY OR DECIMAL EQUIVALENTS AS REQUIRED. THE LISTINGS BELOW WERE EXTRACTED FROM CYCLOD, BUT ARE VIRTUALLY THE SAME FOR ALL OF THE NEW SIRIUS PROGRAMS. IF YOU CAN GET YOUR HANDS ON AN ORIGINAL, YOU WILL BE ABLE TO EXPERIMENT WITH SOME OF THE TIPS GIVEN HERE AND LEARN CONSIDERABLY MORE.

THE FIRST PROTECTION DEVICE BEING USED, AND ONE OF THE OLDEST, IS LOADING A CRUCIAL PART OF THE PROGRAM ACROSS THE TEXT SCREEN MEMORY FROM 400-7FF, SO THAT WHEN YOU HIT RESET THE MONITOR SCROLLS THE TOP LINE OFF THE SCREEN AND WIPES OUT PART OF THE CODE BEFORE YOU CAN LOOK AT IT. THE PART LOADED THERE ON THESE PROGRAMS IS ONE WE WILL CALL 'LOADER', SINCE IT ACTS AS THE SUBSTITUTE 'DOS' FOR ALL DISK ACCESSES. (IF YOU HAVE AN ORIGINAL, NOW IS THE TIME TO COPY TRACK 0 ONTO A BLANK DISKETTE USING YOUR FAVORITE COPIER - ALMOST ANY WILL GET IT. ALL FUTURE REFERENCES TO THE DISK ARE FOR THE SINGLE TRACK YOU JUST COPIED - DON'T TAKE A CHANCE WITH THE ORIGINAL.)

TO GET A LOOK AT THIS LOADER, HOWEVER, WE HAVE TO GO BACK TO THE FUNDAMENTALS OF THE APPLE DISK SYSTEM. REMEMBER, TRACK 0, SECTOR 0 OF EVERY DISK MUST ALWAYS, ALWAYS BE READABLE BY THE BOOT ROM, AND MORE OR LESS BY MOST SECTOR EDITORS. READ T0,S0 INTO LOCATION 800 UP, AND FROM THE MONITOR TYPE IN '801L' (RECALL THAT THE BYTE AT LOCATION 800 IS USED TO TELL THE BOOT ROM HOW MANY PAGES TO LOAD IN, SO THE CODE STARTS AT 801) TO LIST THIS 'PRELOADER'. THE LISTING BELOW IS A REGULAR MONITOR DISASSEMBLY OF ALL THE MEANINGFUL CODE.
0801-   AD 52 C0    LDA   $C052
0804-   AD 57 C0    LDA   $C057
0807-   AD 55 C0    LDA   $C055
080A-   AD 50 C0    LDA   $C050
080D-   AD 81 C0    LDA   $C081
0810-   AD 81 C0    LDA   $C081
0813-   A0 00       LDY   #$00
0815-   84 00       STY   $00
0817-   A9 D0       LDA   #$D0
0819-   85 01       STA   $01
081B-   A2 30       LDX   #$30
081D-   B1 00       LDA   ($00),Y
081F-   91 00       STA   ($00),Y
0821-   C8          INY
0822-   D0 F9       BNE   $081D
0824-   E6 01       INC   $01
0826-   CA          DEX
0827-   D0 F4       BNE   $081D
0829-   A6 2B       LDX   $2B
082B-   BD 89 C0    LDA   $C089,X
082E-   A9 04       LDA   #$04
0830-   85 01       STA   $01
0832-   BD 8C C0    LDA   $C08C,X
0835-   10 FB       BPL   $0832
0837-   C9 DD       CMP   #$DD
0839-   D0 F7       BNE   $0832
083B-   BD 8C C0    LDA   $C08C,X
083E-   10 FB       BPL   $083B
0840-   C9 AD       CMP   #$AD
0842-   D0 F3       BNE   $0837
0844-   BD 8C C0    LDA   $C08C,X
0847-   10 FB       BPL   $0844
0849-   C9 DA       CMP   #$DA
084B-   D0 EA       BNE   $0837
084D-   BD 8C C0    LDA   $C08C,X
0850-   10 FB       BPL   $084D
0852-   38          SEC
0853-   2A          ROL
0854-   85 02       STA   $02
0856-   A5 01       LDA   $01
0858-   C9 08       CMP   #$08
085A-   F0 10       BEQ   $086C
085C-   BD 8C C0    LDA   $C08C,X
085F-   10 FB       BPL   $085C
0861-   25 02       AND   $02
0863-   91 00       STA   ($00),Y
0865-   C8          INY
0866-   D0 E5       BNE   $084D
0868-   E6 01       INC   $01
086A-   D0 E1       BNE   $084D
086C-   4C 1F 04    JMP   $041F
086F-   D2          ???
0870-   A6 AD       LDX   $AD
0872-   5D B6 F0    EOR   $F0B6,X
0875-   08          PHP
0876-   EE BD B5    INC   $B5BD
0879-   D0 03       BNE   $087E
087B-   EE BE B5    INC   $B5BE
087E-   A9 00       LDA   #$00

THE PRELIMINARY STUFF AT LOCATIONS 801-82D IS NOT WHAT WE'RE AFTER: THE FOUR SOFT SWITCHES AT 801-80C SELECT FULL-SCREEN HI-RES PAGE 2, THE TWO READS OF C081 PUT THE LANGUAGE CARD IN READ-ROM/WRITE-RAM MODE, THE LOOP AT 813-827 COPIES D000-FFFF ONTO ITSELF (I.E. THE ROM INTO THE CARD), AND 829-82D PICKS UP THE SLOT FROM LOCATION 2B AND TURNS THE DRIVE MOTOR ON. THEN AT 82E YOU WILL SEE LDA #$04, STA $01. THIS IS THE LOCATION WHERE THE REST OF TRACK 0 IS LOADED: 400-7FF. CHANGE THE 04 AT 82F TO 14 TO CHANGE THE LOADING LOCATION TO 1400, THEN WRITE THE SECTOR BACK TO SECTOR 0 OF TRACK 0. IF YOU THEN BOOT YOUR SINGLE-TRACK DISK, THE LOADER WILL BE STORED AT 1400-17FF (IT WILL PROBABLY RE-BOOT AFTER A FEW SECONDS - WE'LL SEE WHY IN A MINUTE). INTERRUPT IT WITH A RESET, AND LOOK AT LOCATIONS 1400-17FF. WRITE DOWN THE BYTE AT 1400! YOU HAVE NOW CAPTURED THE SIRIUS LOADER, BUT BEFORE WE DISCUSS IT, LET'S SAVE IT UNDER DOS.
BOOT A 48K SLAVE DISK - NOT A MASTER (THIS WAY NO MEMORY BETWEEN 0900 AND 95FF IS TOUCHED DURING THE BOOT), AND DO

BSAVE LOADER,A$1400,L$400

NOW LET'S LOOK FOR A SECOND AT THE TRACK THAT THE LOADER WAS LOADED FROM - WE'LL NEED TO KNOW BEFORE THIS IS OVER. USING INSPECTOR, NA II, OR LS 4, DO A NIBBLE READ OF TRACK 0, AND LOCATE THE STRING "D5 AA 96". AS EVERYONE(?) KNOWS, THIS WILL LOCATE THE START OF A SECTOR (IN THIS CASE THE ONLY DOS 3.3 SECTOR ON THE TRACK). ABOUT 180 (HEX) BYTES LATER, YOU WILL FIND THE STRING "DD AD DA" (A TRADITION AT SIRIUS). LOOK AT THE LENGTH OF THIS SECTOR - IT'S CERTAINLY NOT NORMAL DOS! GO BACK TO THE PRELOADER LISTING AND LOOK AT THE SEQUENCE FROM 832 TO 84C, WHICH IS LOOKING FOR THESE THREE BYTES IN SEQUENCE ON THE TRACK. A CAREFUL STUDY OF THE CODE FROM 84D TO 86C WOULD EXPLAIN WHY THE SECTOR IS SO LONG - IT KEEPS ON LOADING IN BYTES (REALLY NIBBLES) UNTIL THE PAGE COUNTER AT 01 BECOMES 8 (CMP #$08 AT 858). SINCE WE DIDN'T CHANGE THIS, THE DISK KEPT ON LOADING, TRYING TO FIND AN 08 AFTER WE STARTED AT 14!

NOTICE ON YOUR NIBBLE READ THAT THE NIBBLES USED AFTER THE DD AD DA MARKER ARE MADE UP ONLY OF THE HEX DIGITS A, B, E, AND F. THE REASON IS THAT THE SECTOR IS 'ENCODED' USING THE "OLD" FREQUENCY MODULATION TECHNIQUE DESCRIBED AS 4+4 NIBBLIZING ON PAGE 3-14 OF "BENEATH APPLE DOS" (CALLED B.A.D. HENCEFORTH): EVERY NIBBLE HAS BITS 7, 5, 3 AND 1 SET, AND ONLY THE OTHER FOUR BITS CARRY DATA. TO SEE QUICKLY HOW IT'S DONE, WRITE DOWN THE FIFTH AND SIXTH NIBBLES AFTER THE MARKER: FB AE. FOLLOW THE INSTRUCTIONS AT LOC 852: SET THE CARRY BIT, THEN ROTATE LEFT ONCE, WITH THE CARRY (THE OLD TOP BIT FALLS OFF INTO THE CARRY AND THE OLD CARRY COMES IN AT THE BOTTOM). THEN GET THE 'AE' BYTE AND DO A LOGICAL 'AND' OF THE TWO, AS DIRECTED BY LOC 861 (REMEMBER, FOR THE RESULT TO BE A '1' IN AN 'AND' OPERATION, BOTH BITS BEING COMPARED MUST BE '1'):

FB, IN BINARY:                 1 1 1 1 1 0 1 1
SEC, THEN ROL ONCE:            1 1 1 1 0 1 1 1   (= F7)
AE, IN BINARY:                 1 0 1 0 1 1 1 0
                        'AND'  ---------------
RESULT:                        1 0 1 0 0 1 1 0   (= A6)

WHICH IS 'A6' IN HEX.
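THE 4+4 DECODE WORKED BY HAND ABOVE, THE MARKER SEARCH IT SITS INSIDE (832-84C IN THE PRELOADER, AND THE 8-BYTE VERSION AT 1500-151A IN THE LOADER LISTING FURTHER DOWN), AND THE EXCLUSIVE-OR CHECKSUM THE LOADER TAKES OVER 400-7FF AT 143C-144F, AS AN ADDED PYTHON MODEL. THIS IS THE EDITOR'S EXAMPLE, NOT CODE FROM KRAKOWICZ OR FROM SIRIUS. THE TRACK IMAGE AND THE FILLER IN THE LOADER PAGE ARE CONSTRUCTED FOR IT (ONLY THE FIRST 17 BYTES, 1400-1410, ARE TAKEN FROM THE LISTING), THE FUNCTION NAMES ARE MINE, AND THE CHOICE OF 3FF AS THE SPARE BYTE USED TO BALANCE THE CHECKSUM IS AN ASSUMPTION FOR THE DEMONSTRATION, NOT SOMETHING THE LOADER DICTATES. IT ALSO SHOWS WHY A FALSE START LIKE DD DD AD DA STILL MATCHES: ON A MISMATCH THE 6502 LOOP RE-COMPARES THE NIBBLE IT JUST READ AGAINST THE FIRST MARKER BYTE BEFORE FETCHING ANOTHER.

```python
# Added example (editor's model, not Krakowicz's or Sirius's code) of three
# pieces of the boot path discussed on this page:
#   find_marker   - nibble search at 832-84C (DD AD DA) and 1500-151A (8 bytes)
#   decode_pair   - SEC / ROL / AND 4+4 decode at 852-861 and 152A-1535
#   xor_checksum  - XOR over 400-7FF at 143C-144F that gates the load
# The track and the loader page below are constructed, not a real disk dump.

SLOT_MARKER = bytes.fromhex("DDADDA")                      # from the preloader
LOADER_HEAD = bytes.fromhex("EAEAA634BD8AC0BD89C0A064A964208907")  # 1400-1410


def encode_4x4(data: bytes) -> bytes:
    """Write side of 4+4 (B.A.D. p. 3-14): odd bits of each byte go in the
    first nibble, even bits in the second, with 1s in the gaps.  Every nibble
    thus has bits 7,5,3,1 set, which is why only A, B, E and F appear."""
    out = bytearray()
    for b in data:
        out.append(((b >> 1) | 0xAA) & 0xFF)
        out.append(b | 0xAA)
    return bytes(out)


def decode_pair(n1: int, n2: int) -> int:
    """SEC; ROL; AND second nibble.  (0xFB, 0xAE) -> 0xA6 as worked above."""
    return ((n1 << 1) | 1) & 0xFF & n2


def find_marker(stream: bytes, marker: bytes) -> int:
    """Index just past the marker, or -1.  Mirrors the 6502 loop: after a
    mismatch the nibble just read is compared with marker[0] again before the
    next one is fetched (BNE $0837 in the preloader, 1510-1515 in the loader)."""
    matched = 0
    for i, nib in enumerate(stream):
        if nib == marker[matched]:
            matched += 1
        else:
            matched = 1 if nib == marker[0] else 0
        if matched == len(marker):
            return i + 1
    return -1


def read_4x4_sector(stream: bytes, marker: bytes, nbytes: int) -> bytes:
    """What 82E-86C does while $01 runs from 04 up to 08: find the marker,
    then decode nbytes worth of nibble pairs that follow it."""
    pos = find_marker(stream, marker)
    if pos < 0 or pos + 2 * nbytes > len(stream):
        raise ValueError("marker not found or sector runs off the track")
    return bytes(decode_pair(stream[pos + 2 * k], stream[pos + 2 * k + 1])
                 for k in range(nbytes))


def xor_checksum(page: bytes) -> int:
    """143C-144F: XOR every byte of the loader image; 1460-1464 re-boots
    through ($32) unless the result is zero."""
    acc = 0
    for b in page:
        acc ^= b
    return acc


def balance(page: bytearray, spare: int) -> bytearray:
    """Force the page's XOR to zero by rewriting one spare byte.  Which byte
    is free to sacrifice is the cracker's choice (assumed here), but the
    arithmetic is what any patch to the loader has to satisfy."""
    page[spare] = 0
    page[spare] = xor_checksum(page)
    return page


def build_demo_track() -> tuple:
    """Constructed 0x400-byte loader page plus a nibble track carrying it."""
    page = bytearray(0x400)
    page[:len(LOADER_HEAD)] = LOADER_HEAD
    for k in range(len(LOADER_HEAD), 0x400):      # filler, not real code
        page[k] = (k * 0x4D + 0x33) & 0xFF
    balance(page, 0x3FF)                           # a real loader sums to 0 too
    track = (b"\xFF" * 16 + bytes.fromhex("D5AA96") + b"\xFF" * 32
             + b"\xDD" + SLOT_MARKER                # deliberate false start
             + encode_4x4(page) + b"\xFF" * 16)
    return track, page


def demo() -> dict:
    track, page = build_demo_track()
    loaded = bytearray(read_4x4_sector(track, SLOT_MARKER, 0x400))
    clean = xor_checksum(loaded)                   # 0: the load goes on
    patched = bytearray(loaded)
    patched[0x10] ^= 0x41                          # any one-byte patch ...
    broken = xor_checksum(patched)                 # ... flips the XOR: re-boot
    patched[0x3FF] ^= 0x41                         # same delta into the spare byte
    fixed = xor_checksum(patched)                  # back to 0
    return {"byte_1402": loaded[2], "clean": clean, "broken": broken,
            "fixed": fixed, "roundtrip": bytes(loaded) == bytes(page)}


if __name__ == "__main__":
    print(demo())
```

THE MARKER DD AD DA CANNOT OCCUR INSIDE 4+4 DATA (NONE OF THE THREE HAS BITS 7, 5, 3 AND 1 ALL SET), SO THE PRELOADER'S SEARCH CAN NEVER SYNC ON A DATA NIBBLE BY MISTAKE; THE SAME CHECK IS WORTH MAKING ON ANY MARKER YOU MEET IN A LOADER.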
THIS IS THE BYTE STORED IN MEMORY IN THE LOADER FILE AT LOCATION 402 (FOR US, 1402). (WE DID THE THIRD BYTE BECAUSE THE FIRST TWO WERE EA, WHICH DOESN'T SHOW THE PRINCIPLE.) COMPARE IT TO THE BYTE LOADED IN AT 1402. IF THIS IS NEW TO YOU, TRY MAKING THE NEXT FEW BYTES OUT OF THE NIBBLE PAIRS WHICH CORRESPOND TO THEM FROM THE NIBBLE READ - NIBBLES 7 & 8 MAKE BYTE 4 (LOC 1403), AND SO ON.

OK, SO THAT'S HOW THEY LOAD IN THE LOADER; LET'S GET DOWN TO SERIOUS BUSINESS. NOTICE THE 'JMP 41F' INSTRUCTION AT 86C - THIS IS THE JUMP INTO THE LOADER ROUTINE. A DISASSEMBLY OF THE FIRST PART OF THE LOADER CODE FOLLOWS, TAKEN FROM LOCATIONS 1400 UP.

1400-   EA          NOP
1401-   EA          NOP
1402-   A6 34       LDX   $34
1404-   BD 8A C0    LDA   $C08A,X
1407-   BD 89 C0    LDA   $C089,X
140A-   A0 64       LDY   #$64
140C-   A9 64       LDA   #$64
140E-   20 89 07    JSR   $0789
1411-   88          DEY
1412-   D0 F8       BNE   $140C
1414-   A6 34       LDX   $34
1416-   BD 8E C0    LDA   $C08E,X
1419-   EA          NOP
141A-   EA          NOP
141B-   EA          NOP
141C-   4C 51 04    JMP   $0451
141F-   86 34       STX   $34
1421-   BD 8E C0    LDA   $C08E,X
1424-   A9 00       LDA   #$00
1426-   85 26       STA   $26
1428-   EA          NOP
1429-   EA          NOP
142A-   4C CF 07    JMP   $07CF
142D-   AE EE BB    LDX   $BBEE
1430-   FF          ???
1431-   AB          ???
1432-   FF          ???
1433-   AF          ???
1434-   BB          ???
1435-   44          ???
1436-   00          BRK
1437-   FF          ???
1438-   A9 02       LDA   #$02
143A-   85 57       STA   $57
143C-   A9 00       LDA   #$00
143E-   A0 00       LDY   #$00
1440-   59 00 04    EOR   $0400,Y
1443-   59 00 05    EOR   $0500,Y
1446-   59 00 06    EOR   $0600,Y
1449-   59 00 07    EOR   $0700,Y
144C-   C8          INY
144D-   D0 F1       BNE   $1440
144F-   85 2C       STA   $2C
1451-   A5 34       LDA   $34
1453-   4A          LSR
1454-   4A          LSR
1455-   4A          LSR
1456-   4A          LSR
1457-   18          CLC
1458-   69 C0       ADC   #$C0
145A-   85 33       STA   $33
145C-   A9 00       LDA   #$00
145E-   85 32       STA   $32
1460-   A5 2C       LDA   $2C
1462-   F0 03       BEQ   $1467
1464-   6C 32 00    JMP   ($0032)
1467-   A9 90       LDA   #$90
1469-   8D 62 04    STA   $0462
146C-   A5 32       LDA   $32
146E-   8D FE 03    STA   $03FE

THE FIRST THING TO NOTICE IN THE LISTING IS THAT THE BYTES FROM 42D TO 434 ARE NOT CODE, AND THAT THE PROGRAM JUMPS AROUND THEM (AS WITH MOST CRACKING WORK, IF IT LOOKS SUSPICIOUS, CHASE IT DOWN!).
THE 'JMP 7CF' GOES TO A ROUTINE WHICH CLEARS ALL OF MEMORY FROM 800 TO B800, THEN JUMPS BACK TO 438 (NOTICE THAT REFERENCES ARE MADE WITHOUT THE '1' IN FRONT OF THE ADDRESS, JUST AS THE DISASSEMBLED CODE DOES). THE PROGRAM NEXT SETS UP LOCATION 57 AS THE TRACK COUNTER (ACTUALLY TWICE THE TRACK NUMBER, SINCE HALF-TRACKS ARE COUNTED), AND DOES A CHECKSUM ON THE SCREEN MEMORY PROGRAM (LOC 143C TO 144F): EVERY BYTE FROM 400 TO 7FF IS EXCLUSIVE-ORED TOGETHER AND THE RESULT IS STORED IN 2C. MEANWHILE 1451-145E PUTS $Cs00 (s = THE DRIVE'S SLOT, PULLED OUT OF 34) INTO 32/33, AND AT 1460-1464 THE LOADER GOES ON ONLY IF THE CHECKSUM IS ZERO; ANY OTHER VALUE JUMPS THROUGH (32) TO THE SLOT ROM, I.E. RE-BOOTS. SO THE LOADER IS BUILT TO EXCLUSIVE-OR TO ZERO, AND A SINGLE CHANGED BYTE IN 400-7FF WILL RE-BOOT THE DISK. NOTICE TOO THAT ONCE THE TEST HAS PASSED, 1467-146B OVERWRITES THE BEQ AT 462 WITH A 90 (BCC), SO THE TEST WON'T FAIL ON A SECOND PASS. WE'LL SEE LATER THAT ANY CRACK THAT TOUCHES THE LOADER HAS TO GET PAST THIS CHECK.

AFTER SETTING UP TRAP VECTORS FOR RESET, IRQ, AND NMI INTERRUPTS AT 3F0-3FF (146C-146E IS THE START OF THAT, POINTING THE IRQ VECTOR AT THE SAME $Cs00), THE ACTUAL LOADING BEGINS. BEFORE THE PROGRAM IS LOADED, ALL THE ACTIVE TRACKS ON THE DISK ARE CHECKED BY READING THEM IN AND CHECKING THE TRACK CHECKSUM. THIS IS THE "QUICK CHECK" THAT THE SIRIUS DOC ALWAYS MENTIONS. A DESTINATION ADDRESS IS PICKED OUT OF A TABLE AT LOC 7AB-7BC (FOR CYCLOD; THIS TABLE VARIES FOR EACH GAME), AND THE READ HEAD (ARM) IS MOVED TO THE RIGHT TRACK. THE LISTING BELOW SHOWS WHAT HAPPENS NEXT:

1500-   A9 FC       LDA   #$FC
1502-   85 EA       STA   $EA
1504-   A0 00       LDY   #$00
1506-   BD 8C C0    LDA   $C08C,X
1509-   10 FB       BPL   $1506
150B-   D9 2D 04    CMP   $042D,Y
150E-   F0 07       BEQ   $1517
1510-   A0 00       LDY   #$00
1512-   D9 2D 04    CMP   $042D,Y
1515-   D0 EF       BNE   $1506
1517-   C8          INY
1518-   C0 08       CPY   #$08
151A-   90 EA       BCC   $1506
151C-   BD 8C C0    LDA   $C08C,X
151F-   10 FB       BPL   $151C
1521-   C5 53       CMP   $53
1523-   D0 3D       BNE   $1562
1525-   BD 8C C0    LDA   $C08C,X
1528-   10 FB       BPL   $1525
152A-   38          SEC
152B-   2A          ROL
152C-   85 3F       STA   $3F
152E-   BD 8C C0    LDA   $C08C,X
1531-   10 FB       BPL   $152E
1533-   25 3F       AND   $3F
1535-   85 42       STA   $42
1537-   20 9F 05    JSR   $059F
153A-   AD 50 C0    LDA   $C050
153D-   AD 57 C0    LDA   $C057
1540-   A6 34       LDX   $34
1542-   A9 71       LDA   #$71
1544-   AD FE 07    LDA   $07FE
1547-   A9 00       LDA   #$00
1549-   49 21       EOR   #$21
154B-   4D FD 07    EOR   $07FD
154E-   A5 41       LDA   $41
1550-   C5 42       CMP   $42
1552-   F0 2D       BEQ   $1581
1554-   A9 14       LDA   #$14
1556-   20 88 05    JSR   $0588
1559-   C6 43       DEC   $43
155B-   10 21       BPL   $157E
155D-   A9 3C       LDA   #$3C
155F-   20 88 05    JSR   $0588
1562-   A9 06       LDA   #$06
1564-   85 43       STA   $43
1566-   C6 44       DEC   $44
1568-   30 0C       BMI   $1576
156A-   A9 5A       LDA   #$5A
156C-   85 26       STA   $26
156E-   A9 00       LDA   #$00
1570-   20 2E 07    JSR   $072E
1573-   4C B0 04    JMP   $04B0
1576-   A9 FF       LDA   #$FF
1578-   20 88 05    JSR   $0588
157B-   6C 32 00    JMP   ($0032)
157E-   4C B0 04    JMP   $04B0
1581-   E6 57       INC   $57
1583-   E6 57       INC   $57
1585-   4C AC 04    JMP   $04AC

THE PROGRAM BEGINS TO SEARCH THE TRACK (1504-151A) FOR THE 8-BYTE SEQUENCE THAT IT JUMPED AROUND AT LOC 42D TO 434. THIS IS A UNIQUE SEQUENCE USED TO START EACH TRACK ON THE DISK; IT VARIES FROM GAME TO GAME. NOTE HOW THE SEARCH HANDLES A MISMATCH: IT RESETS Y TO 0 AND COMPARES THE NIBBLE IT ALREADY HAS AGAINST THE FIRST BYTE OF THE SEQUENCE BEFORE READING ANOTHER, JUST AS THE PRELOADER'S BNE $0837 DID. (THOSE OF YOU WHO ARE THINKING THAT YOU NOW HAVE ENOUGH INFORMATION TO COPY THE DISK WITH NA OR LS ARE WRONG. SO FAR, WE HAVE ONLY SEEN A FEW OF THE REALLY SNEAKY THINGS THAT SIRIUS HAS IN STORE FOR US.) WHEN THE SEQUENCE IS FOUND, THE NEXT NIBBLE IS COMPARED AGAINST LOCATION 53 (151C-1523; A MISMATCH GOES TO THE RETRY CODE AT 1562), ONE 4+4 PAIR IS DECODED INTO 42 (1525-1535), AND THE TRACK IS LOADED BY THE ROUTINE AT 59F, STARTING AT THE LOCATION PICKED FROM THE TABLE. EACH TRACK IS A SINGLE SECTOR, IN 4+4 'FM' ENCODING, WHICH LOADS TWELVE CONSECUTIVE PAGES IN MEMORY, WITHOUT ANY BUFFERS OR EXTRA TRANSLATION - THAT'S WHY THE LOAD IS SO FAST! ON RETURN, 41 IS COMPARED WITH 42 (154E-1552): THAT IS THE TRACK CHECKSUM TEST, AND A MATCH GOES TO 1581. A MISMATCH BURNS A RETRY IN 43 (AND, WHEN THOSE RUN OUT, ONE IN 44); WHEN 44 GOES NEGATIVE, 1576-157B JUMPS THROUGH (32) AND RE-BOOTS, THE SAME EXIT AS THE LOADER CHECKSUM.

NOW COMES THE REALLY SNEAKY PART! (THE LISTING IS NOT INCLUDED, SINCE IT'S LONG AND OBSCURE, BUT TRY TO FOLLOW THE PROCEDURE OUTLINED BELOW.) SIRIUS IS FOOLING AROUND WITH THE TIMING OF THE NIBBLE READ FROM THE TRACK, IN A MOST DEVIOUS WAY. IN A NORMAL DISK READ, YOU WANT TO BE SURE THAT NO BITS SLIP AWAY, SO YOU MONITOR THE INPUT LATCH FROM THE READ HEAD ON THE DISK. LOOK BACK AT THE INSTRUCTIONS AT 832-84B. THE COMBINATION OF 'LDA C08C,X' AND 'BPL 832' MEANS: KEEP CHECKING THE LATCH, AND WHEN THE HIGH (8TH) BIT IS NO LONGER A 0, TAKE THE NIBBLE AND RUN. (BY DEFINITION, THE LEFTMOST OR FIRST BIT IS ALWAYS A ONE IN THE DISK NIBBLES USED, IN DOS 3.3 AS WELL AS THE SIRIUS FM ENCODING, SO A SET HIGH BIT MEANS THE LATCH IS FULL.) THE CONTROLLER SHIFTS A NEW BIT INTO THE LATCH ABOUT EVERY 4 MICROSECONDS, SO A NEW NIBBLE IS BUILT UP EVERY 32 MICROSECONDS, AND IF YOU WANT TO BE SURE TO GET ALL THE DATA STORED, YOU MUST COME BACK AND EMPTY THE LATCH WITHIN EVERY 32-MICROSECOND WINDOW DURING A READ.
SIRIUS, HOWEVER, RECORDED THE TRACK IN A DIFFERENT TIMING PATTERN (SORT OF A STUTTER-STEP), AND A SPECIFIC MATCHING PATTERN MUST BE USED TO READ IT OUT. THEIR CODE FOR DOING THIS RUNS FROM 59F TO 6FE, AND READS IN A CAREFULLY TIMED PATTERN FOR AN 8-BYTE SERIES. THE PATTERN REPEATS EVERY 8 BYTES, BUT THERE IS ADDITIONAL JIGGERY-POKERY BEING DONE WITH A VARIABLE OFFSET BYTE IN LOCATION EA (SET TO FC AT 1500-1502 BEFORE EACH TRACK) TO FURTHER CONFUSE THE ISSUE. THIS IS WHY, ALTHOUGH BOTH NIBBLES AWAY AND LOCKSMITH CAN READ THE TRACKS GIVEN THE ADDRESS MARKER, THE BYTES READ IN AT NORMAL 32-USEC TIMING RATES ARE NEVER CORRECT WHEN READ BY THE LOADER OFF THE COPY DISK.

AFTER LOADING IN 12 PAGES (C00 LOCATIONS) AND CHECKING THE CHECKSUM, THE TRACK NUMBER IS INCREMENTED TWICE (LOC 581-584), AND THE DESTINATION FOR THE NEW TRACK IS PICKED FROM THE 7AB TABLE. THIS CONTINUES UNTIL A ZERO IS FOUND IN THE TABLE, WHERE THE PROGRAM JUMPS TO 6FF TO DECRYPT ALL THE DATA IN MEMORY WITH AN OLD-FASHIONED EXCLUSIVE-OR TECHNIQUE. HAVING LOADED AND "UNHID" ALL OF THE PROGRAM, IT JUMPS TO LOCATION 8EAG TO BEGIN THE GAME.

***************************************
*                                     *
* THAT'S ALL FOR NOW - BE SURE TO TUNE*
* IN NEXT WEEK FOR THE CONCLUSION TO  *
* THIS EPISODE: HOW TO COPY THE TRACKS*
* AND PUT THEM INTO NORMAL DOS FORMAT,*
* AND HOW TO MAKE A REALLY COMPACT DOS*
* READ TRACK AND SECTOR ROUTINE TO    *
* DO MULTIPLE DISK ACCESSES AFTER THE *
* CONVERSION. FINALLY, WE'LL SEE HOW  *
* THIS PARTICULAR GAME CAN BE PACKED  *
* INTO A 144 SECTOR BINARY FILE WITH  *
* NO DISK ACCESSES AT ALL!            *
*                                     *
*           HAPPY CRACKING!           *
*                                     *
*            =>KRAKOWICZ<=            *
*                                     *
***************************************

=======================================
DELTA/TIM