r57
1
R13
************************
* The Cracker Handbook *
************************
by DARTH WADER
Lord of the SITH
---------------------------------------
This Handbook will permit you to crack
a game in a few "easy" steps.
The protection that I am going to deal
with are from the most trivial to the
most complicated mind-boggling ...
ok, fasten you seat belts
and let's go ...
---------------------------------------
Basic material to have :
*2 monitors: 1 loading at $c000:49152
1 loading at lower in ram
(so you have virtually a monitor to
disassemble everything in mem : if
you have a machine language
(m.l.)prg
that loads at $c000 then you could
use the monitor that is loaded
between the adress $0801 and $a000
and not be bothered to load and
relocate it somewhere else where it
will not damage the functionning of
the monitor.).
-The ultimate monitor is the one furni
shed with the Final Cartridge, you
can
disassemble from $0000 to $ffff
without any fears and tears.(the moni
tor resides outside the normal cbm
rom/ram system )
- The monitors on other cartridges are
are using memory and will overwrite
any program placed at the same
adress
than them ... so : no good ....
*Programming the Commodore 64: it has
an expanded Kernal routines list with
a complete list of how to use it.
and a list of Unlisted M.L. opcodes.
(the title of the book sounds
childish
,not the contents...)
*Mapping the c-64: may be a plus but
is
optional.
the 2 previous books are important
sincethey not only list all the INFOS
(zero
page adresses,what they are, all the
stuff used by the internal system AND
they give an explication of their use
: not a 1 line explication, but a very
precise explication from 3 lines to 5
pages .... definitely an asset to
have.
---------------------------------------
let's go cracking !!!
---------------------------------------
1) the easiest :
The companies that are using these
protection schemes must have been cut
from the world. such schemes are used
by SSI (yes IT) and few other but not
worth mentioning (the one that
produced
the shit game HUEY ...)(and I mean it)
the protection are in Basic and hidden
a)hidden directory: (SSI)
they play with the filenames:you do
a disk directory and suddenly
nothing
appear on the screen, no cursor,no
"ready"... and you say: My computer
is dead !!! naaahh,
just change the background color
with
poke 53281,1 and you will see the
θΉ
:what happened ? : they put in the
disk name some characters that will
change the character color of what
will be printed on the screen.
(like the trick with the REM
statement) -another trick is when you
do a list
and see only one file and ended by
some weird characters :::
take a monitor, load it,run it and
look at the memory from $0800
you will then see the COMPLETE dir.
what happened ? : when you do a disk
dir. you do a list to see it. the
list of the directory is treated
like
a basic program, it list whatever is
in memory until it sees 3 following
$00 bytes. The publisher have hidden
somewhere in one filename of the dir
3 $00 bytes and so like in basic, it
will stop showiing what is after 'em
The monitor bypasses the Basic LIST
routine. You can have 100 following
$00 bytes, you still can look at
the
memory...
-the disk protection: in basic:it is
often a "block-read" and check for a
byte. if not corresponding then: bad
copy ... the basic program is really
easy to understand to crack so i
will
no explain it. ( you can bypass it
by putting a GOTO ...
i.e: start of program
check disk
if bad disk then crash
else continue
let the game begin
can be unlocked to be:
start of prg.
goto "continue" <--
disk Protection
"continue" <--
let the game begin
-why not simply remove the disk prot.
instead of putting the goto ?
-The main program may later check if
the protection program is still
there
- some of these protection reset the
disk loading vectors: preventing the
use of a fast loader ...
practical example: Computer ambush:
:hidden directory and instaspeed
basic disk protection ..(a compiled
basic)
-copy all the files using "fast file
copY" (you get rid of the hidden
dir
protection).
- you can see 3 !!! boots : the
first
calls the second,the 2nd calls the
3rd....
all of them in basic or instaspeed
the protection is in the second
one
ok ... that's it, all one have to
do is to load the 3rd boot and
that
will do the trick ...(delete boot1
and boot 2) rename boot 3 as boot
- to run the prg. load "boot",8:run
---------------------------------------
enough easy stuff !!!
---------------------------------------
2) the regular stuff :
here are the few rules:
a) have an overview of the protection.
b) all the error checking are made by
way of kernal subroutine callings
so they are easy to recognise
c) THE MOST IMPORTANT:
Do not try to UNDERSTANT everything
you are disassembling. You WILL
lose
a lot of time understanding a prog.
subroutine that does NOT have
anything to do with the protection.
Or if you have found the protection
subroutine, FIND what the results
of
the subr. ARE. (in cracking ELITE,
what made me lose a LOTSA time was
that I was trying to understand how
LENSLOCK (you put a crystal on the
screen to find a code: no crystal
no code and then crash ....)
was working ... my mistake !!!!
ok ,let's start ...
first: always try to get the starting
loading adress and ending
adress
of everyfile on the disk. and
write them down...
use a monitor to do so or one
of
your utilities.
ie: on ZOOM you do a
<-#filename and you get these
2 adresses.
the most important adresses are the
one for the boot. get them ...
there are 2 possible cases:
load and run automatically
load and you have to type run
first case:
now lets say the starting address
is
$033c (use of hexadecimal is
easier)
ok, load your monitor:
try to load the boot while in monitor
the format is often:
.L "boot",08,starting adress found
in the example:
.L "boot",08,033c
now, after the loading of the boot,
the disk should stop and the
blinking cursor appear.
now dissassemble from the starting
address you found to the ending a
address you found.
you will see some garbage code,but
after a while,you can see coherent
code: have a kernal table near you
the format of a boot is like :
load the first file
load the second file
.....
load the last file
jump (goto) an adress...
write down the adress where the
program booter goes to.
now you can modify the boot:
by putting a rts instead of the
jump address ...
in the following form :
load first
....
load last
rts (is equivalent to END in
basic or STOP.)
how? ok, here is a simulated monitor:
.D 033c
., 033c lda #$00
., ... (other
commands)
., 0349 jmp $6000
., 034c
.
.A 0349 rts (same adress as the
jump)
the Rts will overwrite the JMP $6000
if you want you can save the new
boot from the starting adress you
got
earlier to the ending ad.
.S "boot 2 ",08,start,ending
(the format may vary from mon to mon
Why a RTS ?
so we still have the computer under
our
control, and we can disassemble after
all the important files having a role
in the protection have been loaded.
(you see the load have been
successfull
when the read light of the drive is
off
) sometimes a run/stop + restore is
required (these boots often switch off
basic...) (the final cartridge is
reallyhandy...)
---------------------------------------
Relocated coding technique
---------------------------------------
If for any reason you want to load and
modify a program such a boot somewhere
safe like in the ram ($0800 to $a000),
then you have to do a transposition
table.
let say you have a boot that loads at
$033c , it is a good idea to load it
at $ 133c (in ram area) so if in the
boot there is a reference to : JSR
0339
you could assume that it is equivalent
to JSR 1339 for your relocated prg.
do you see my point ?
the $133c area is your working area so
keep in mind that it will be loaded at
$033c , not $133c when you will really
load and play the super game you are
cracking (drug dealers give it such
a bad meaning ) ...
now save the new version of the prg
under a dif. name
(ex:test,booty,alpha..)
now get a disk editor:run it,look for
track 18 sector1 : the dir is saved
there. look for the file name you
just
saved if not found then look at the
first 2 bytes of the sector: they
represent the next sector of the disk
where the disk dir is stored .do that
until you
find something that looks like your
filename.
when you have found it:look at the 2
bytes preceeding the filename: they
represent the track§or where the
frist block of hte file are stored on
the
disk. go to the track & sector. and
look at the 3rd and fourth byte: they
represent the loading adress of the
fileall you need to do is to change
them to
their original value: Lobyte/hibyte
in my exaple : I will see 3c 13
I will change it to 3c 03
easy .... now the program will load to
033c ...
that is it ...
this technique is used when some
protection programs are laoded in the
ram under the basic rom .
That is it ... (lot of words but done
in a few sec.)
---------------------------------------
Hexadecimal is easier to work with.
can you see the difference between
$033c and $133c AND 828 and 4924 ???
828 is decimal for $033c
4924 is decimal for 133c
That eases the relocated coding.
---------------------------------------
now the cracking itself.
you have created a new boot, loaded
all,kept the adress where the boot
should have jumped to after all the
LOADs.
ok,from that adress, disassemble:
and look for what might look like a
Kernal routine call. (ie: jsr $FFd5)
look for jsr $FFBD, and kernal
routines
that input/output bytes on the
data/seril port...
The first hint is the JSR $FFBD
in the format
lda #$04
ldx #$00
ldy #$09
JSR $ffbd
look at the x and Y register: they
represent the names of the opened file
xy = address of the name
a= its lenght
so if you look at the adress 0900 (my
example) you should see a filename of
4 characters:
This filename is used to send commands
to the disk drive and load:
multipurposetask routine.
if you find at 0900 names like game or
part1, then
that is ok, but if it looks like
b-r 8 0 10 10 then you have found the
bugger ...
The key to success is to have a Kernal
table handy and not to be afraid to
read it as a reference.(you dont read
it as a novel ...).
(the one like b-r , m-e ,etc.. are
buggers ).
now look at the result of the
protectionchecking :
1) jump directly to the game start.
no problem: you can jump pass it
ie:
start
check disk
if ok
begin game
will be:
start
jmp (goto) "now"
check disk
if ok
"now"
begin games
where do I have the place to put
the jump ?
jump uses 3 bytes: you can
overwrite the 3 first bytes of the
disk
protection checking.
"now" is the adress of begin games
: an invisible label.
Why not NOP ?
some games have use the
area where the protections are as
a constant area. :: Each op-codes
of a M.L. prg. has a between 0 and
255 value. a jmp has a value, a jsr
another one. A nop has a value of
$ae. (double use of code: as
constant and as commands..)
2) now lets look at the other aspect:
the result of the disk checking
are stored somewhere in memory.
find the adress of the memory
where
they are stored.
format :
start
check disk
get 10 byte
store them somwhere
go game:
these values are used as constant
for the game: constant that will
serve
as parameters in the game: number
of enemy space ships, color of the
ships, value of the sprites,
now after you have found the adress
where all the bytes will be loaded:
chnage the protection check:
start
check disk
get 10 bytes
store them somewhere (u
know) RTS
go game
you have to put the rts after all the
disk access have been done.(you can
ove rwrite over the "go game part"
now (you are still in the monitor
arent
you ?)
(you know the adress where the
protect ion starts):
lets call it startad.
.
.G startad
.
you will see the drive blinking.a
few noise,spin,and then stop: cursor
blink ing: ready. now you must save
the part
where the values read by the disk
are
stored in for constant purpose.
(it is often no more than 100 bytes
for the games of broderbund).
save it !!!!!
did you keep the important adresses
?
-where the disk read values are
stored (lets call it alpha)
-where the protections are ..
ok, now on the list with all the
file
with their starting/ending adress,
find the main files wich adresses are
including the one of the alpha
file.(in general, the file including
the alpha file
is the one with the protections.)
ok, load the main file, with the
load"main",08,01
now load the alpha
load"alpha",08,01
the alpha must have overwritten a
small
part of the "main" file.now all you
have to do is to bypass the disk
checking
routine (discussed earlier) and save
the new version of the "main" file.
that is it...
what have you done ?: you have created
a main file as it should be after a
check, all the right datas at the
right place.
After you have experienced a few
cracking, you will pass all the
unimportant stuff, and get right to
the protection:
The first cracking witout doc took me
3 days (I disassembled everything)
Lode runner championship: 10 mins.
(I dont count the time spent to
load
type,and save)
you have seen one, you have seen
them all....
---------------------------------------
get a breathe and here comes the
HEAVY LOADS !!!!
---------------------------------------
1)RAPID LOCK: they play with the track
and the sectors:
Wherever you load the boot, it
will start automatically...
psi 5 trade co
2)Pirate Buster: used in bard's tale.
it plays with the internal
stack.(not the public domain
stuff). some few messages
are
worth mentioning in the boot
it was programmed with TSDS
and "lick my userport"
3)Custom DOS: the data are stored on
disk in a very unusual
way, only a different
disk read can load the
data (half track,fat
track ... The WORKS)
if the game has a lot of disk
access,
the the cracker should REWRITE all
the routines dealing with the drive.
lotsa work ....
one Very very fast loading game is
Koronis rift:200 blocks in 10 sec.
from 0800 to d000 = hell ...
to crack that you must have an above
average knowledge on the technical
side
of the drive.
the way of dealing with these games is
like I said earlier: modified boot,
---------------------------------------
how to deal with the isepic ...
---------------------------------------
isepic is not perfect a way to prevent
isepic copying is to store data in the
disk drive ram ... (the isepic doesnt
save them ..)
so in the middle of the game the
computer can look for a variable in
the mem.
of the drive. if nothing is found then
crash...I havent found this yet...
----------------------------------------
if you have any question then
send me mail, I am on many boards
* DARTH WADER *
Lord of the SITH
8-#
UD 7:
[ 64 Min. Left. ]
Credit Pts: 1094 Protocol-Punter 10
Text-Files 1:
8: Text Philez A-O
[UD:Punter][23 Min.][40]: