Chapter 4 Cracking Self Booters
-------------------------------------------------------------
Now we'll take a look at cracking self booters. A few compa-
nies have found this to be the best copy protection scheme
for them, one of which is DataEast, makers of Ikari Warriors,
Victory Road, Lock-On, Karnov, etc... This posses a special
problem to the Amateur Cracker, since they seldom use stan-
dard DOS formats. So let's jump right in!
-------------------------------------------------------------
This is the area where a "Higher than Normal" knowledge of
Assembly Language and DOS Diskette structures, so first of
all, the Basic's.
The Disk's Physical Structure
Data is recorded on a disk in a series of concentric circles,
called Tracks. Each track if further divided into segments,
called Sectors. The standard double-density drives can
record 40 tracks of data, while the new quad-density drives
can record 80 tracks.
However, the location, size, and number of the sectors within
a track are under software control. This is why the PC's
diskettes are known as soft-sectored. The characteristics of
a diskette's sectors (Their size, and the number per track)
are set when each track is formatted. Disk Formatting can be
done either by the operating system or by the ROM-BIOS format
service. A lot of self booters and almost all forms of copy
protection create unusual formats via the ROM-BIOS diskette
services.
The 5 1/4-inch diskettes supported by the standard PC BIOS
may have sectors that are 128,256,512, or 1,024 bytes in
size. DOS, from versions 1.00 through 4.01 has consistently
used sectors of 512 bytes, and it is quite possible that this
will continue.
Here is a table displaying 6 of the most common disk formats:
_____________________________________________________________
Type Sides Sectors Tracks Size(bytes)
_____________________________________________________________
S-8 1 8 40 160K
D-8 2 8 40 320K
S-9 1 9 40 180K
D-9 2 9 40 360K
QD-9 2 9 80 720K
QD-15 2 15 80 1,200K
_____________________________________________________________
S - Single Density
D - Double Density
QD - Quad Density
Of all these basic formats, only two are in widespread use:
S-8 and D-9. The newer Quad Density formats are for the 3
1/2" and 5 1/4" high density diskettes.
The Disk's Logical Structure
So, as we have already mentioned, the 5 1/4-inch diskette
formats have 40 tracks, numbered from 0 (the outside track)
through 39 (the inside track, closest to the center). On a
double sided diskette, the two sides are numbered 0 and 1
(the two recording heads of a double-sided disk drive are
also numbered 0 and 1).
The BIOS locates the sectors on a disk by a three-dimensional
coordinate composed of a track number (also referred to as
the cylinder number), a side number (also called the head
number), and a sector number. DOS, on the other hand, lo-
cates information by sector number, and numbers the sectors
sequentially from the outside to inside.
We can refer to particular sectors either by their
three-dimensional coordinates or by their sequential order.
All ROM-BIOS operations use the three-dimensional coordinates
to locate a sector. All DOS operations and tools such as DE-
BUG use the DOS sequential notation.
The BASIC formula that converts the three-dimensional coordi-
nates used by the ROM-BIOS to the sequential sector numbers
used by DOS is as follows:
DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1) + DIOS.SIDE
* SECTORS.PER.SIDE + BIOS.TRACK * SECTORS.PER.SIDE
* SIDES.PER.DISK
And here are the formulas for converting sequential sector
numbers to three-dimensional coordinates:
BIOS.SECTOR = 1 + DOS.SECTOR.NUMBER MOD SECTORS.PER.SIDE
BIOS.SIDE = (DOS.SECTOR.NUMBER \ SECTORS.PER.SIDE)
MOD SIDE.PER.DISK
BIOS.TRACK = DOS.SECTOR.NUMBER \ (SECTORS.PER.SIDE
* SIDES.PER.DISK)
(Note: For double-sided nine-sector diskettes, the PC's
most common disk format, the value of SECTORS.PER.SIDE
is 9 and the value of SIDES.PER.DISK is 2. Also note
that sides and tracks are numbered differently in the
ROM-BIOS numbering system: The sides and tracks are num-
bered from 0, but the sectors are numbered from 1.)
Diskette Space Allocation
The formatting process divides the sectors on a disk into
four sections, for four different uses. The sections, in the
order they are stored, are the boot record, the file alloca-
tion table (FAT), the directory, and the data space. The
size of each section varies between formats, but the struc-
ture and the order of the sections don't vary.
The Boot Record:
This section is always a single sector located at sector
1 of track 0, side 0. The boot record contains, among other
things, a short program to start the process of loading the
operating system on it. All diskettes have the boot record
on them even if they don't have the operating system. Asisde
from the start-up program, the exact contents of the boot
record vary from format to format.
The File Allocation Table:
The FAT follows the boot record, usually starting at
sector 2 of track 0, side 0. The FAT contains the official
record of the disk's format and maps out the location of the
sectors used by the disk files. DOS uses the FAT to keep a
record of the data-space usage. Each entry in the table con-
tains a specific code to indicate what space is being used,
what space is available, and what space is unusable (Due to
defects on the disk).
The File Directory:
The file directory is the next item on the disk. It is
used as a table of contents, identifying each file on the
disk with a directory entry that contains several pieces of
information, including the file's name and size. One part of
the entry is a number that points to the first group of sec-
tors used by the file (this number is also the first entry
for this file in the FAT).
The Data Space:
Occupies the bulk of the diskette (from the directory
through the last sector), is used to store data, while the
other three sections are used to support the data space.
Sectors in the data space are allocated to files on an
as-needed basis, in units known as clusters. The clusters
are one sector long and on double-sided diskettes, they are a
pair of adjacent sectors.
(From here on I'll continue to describe the basics of DOS
disk structures, and assembly language addressing technics.
-------------------------------------------------------------
Here is a simple routine to just make a backup copy of the
Flight Simulator Version 1.0 by Microsoft. I know the latest
version is 3.x but this version will serve the purpose of
demonstrating how to access the data and program files of a
selfbooter.
-------------------------------------------------------------
By: PTL
Title: Microsoft Flight Simulator 1.00 Unprotect
This procedure will NOT convert the Flight Simulator disk to
files that can be loaded on a hard drive. But... it will
read off the data from the original and put it onto another
floppy. And this should give you an idea of how to read data
directly from a disk and write it back out to another disk.
First of all take UNFORMATTED disk and place it in drive B:.
This will be the target disk.
Now place your DOS disk (which has Debug) into drive A:, or
just load Debug off you hard disk.
A>DEBUG
Then we are going to enter (manually) a little program to
load the FS files off the disk.
-E CS:0000 B9 01 00 BA 01 00 BB 00
01 0E 07 06 1F 88 E8 53
5F AA 83 C7 03 81 FF 1C
01 76 F6 B8 08 05 CD 13
73 01 90 FE C5 80 FD 0C
76 E1 90 CD 20
-E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02
00 00 04 02 00 00 05 02 00 00 06 02
00 00 07 02 00 00 08 02
Next we'll [R]eset the IP Register by typing.
-R IP
And then typing four zeros after the address prefix.
xxxx:0000
Next insert the original Flight Simulator disk into drive A:
and we'll run our little loader.
-G =CS:0000 CS:22 CS:2A
Now enter a new address to load from.
-E CS:02 0E
-E CS:27 19
And run the Loader again.
-G =CS:0000 CS:22 CS:2A
New address
-E CS:02 27
-E CS:27 27
Run Loader
-G =CS:0000 CS:22 CS:2A
Here we'll do some [L]oading directly from the disk our-
selves.
-L DS:0000 0 0 40
And the in turn, write it back out to the B: (1) drive
-W DS:0000 1 0 40
Etc...
-L DS:0000 0 40 28
-W DS:0000 1 70 30
-L DS:0000 0 A0 30
-W DS:0000 1 A0 30
-L DS:0000 0 138 8
-W DS:0000 1 138 8
When we are all through, [Q]uit from debug and you should
have a backup copy of the Flight Simulator.
-Q
And that's all there is to it.
END.
///////////////////////////////////////////////////////
// The PIRATES' HOLLOW //
// 415-236-2371 //
// over 12 Megs of Elite Text Files //
// ROR-ALUCARD //
// Sysop: Doctor Murdock //
// C0-Sysops: That One, Sir Death, Sid Gnarly & Finn //
// //
// "The Gates of Hell are open night and day; //
// Smooth is the Descent, and Easy is the way.." //
///////////////////////////////////////////////////////