KR ACKER J AX REVEALED PAGE A-l
< < < INTRODUCTION: PROTECTION SCHEME TYPE A > > >
Owners of the i57i disk drive may not realize it, but every time they boot
their favorite program and it bangs the disk drive head, that program is using
this form of protection. It is common knowledge among experienced users that
this form of copy protection is hazardous to the health of the 1541 drive.
Let's face it; would YOU write a program that purposely banged YOUR disk drive's
read/write head against it's end stop?
This protection is still being used by many software publishers, knowing full
well that the drive knock is probably the major source of alignment problems
with the 1541/1571 disk drives. We at Kracker Jax can't see any purpose in the
continuation of this form of protection*
Sure, you can back up your software with almost ANY nibble utility on the
market. The problem is that the backup is ALSO protected and will bang the
drive as well. It is this protection type that we especially urge you to learn
to break, just so you can preserve the alignment of your disk drive.
The operation of this scheme is simple. The programmer writes a routine in the
program (generaly in the boot) to seek out a non-standard sector on the disk,
if that non-standard sector is found, the drive will usually bang, and the
program will continue operations. If not, the program will cease to operate or
"crash*. These non-stanadard sectors are generally write errors, and are
documented in your 1541/1571 drive manual. The most commonly used are the
fol lowing:
20: Block header not found / drive banger.
21: Sync character not found / sector not formated properly / drive banger.
22: Data block not present / drive banger.
23: Checksum error in data / very common / drive banger.
28: Attempt to write with write protect on /' some programs check for the
write protect / no drive bang.
27: Checksum error in header / drive banger.
29: Disk ID mismatch / whole track formated with wrong ID characters / no
drive bang.
Many of the programs using this scheme are checking the protection with simple
drive commands and the kernal routines in the computer ROM. Keep in mind that
this check can be done with Basic programming as well as machine language. Once
understood, most are fairly easy to unprotect.
Most of the time the programmer will check for the bad sector with a block
read. It will look something like this: Ul: aa bb cc dd f or B-R: aa bb cc dd .
The aa denotes channel, bb denotes drive number, cc denote track, and dd denotes
sector. A character or two is then returned from the drive, and a comparison is
made. If the comparison is satisfactory, the program continues operation. If
KRACKER J AX REVEALED PAGE A-2
not, the program flow is ended or set in an endless loop. Our task will be to
either give the program the proper characters, or to short circuit the program
flow around the protection check*
Before starting to work on any of the following programs, please do a disk
log, an error scan, noting all write errors, and make a Three Minute Backup
which will remove all errors. Place a write protect on the original disk.
KBACKER J AX REVEALED PAGE A-3
< < < PROGRAM; TAPPER <> PUBLISHER: BALLY MIDWAY > > >
Procedure;
Loading the original produces a drive rattle twice. An error scan shows write
errors on the original- A backup made with Three Minute Backup produces a
non-working copy. Before starting to work on this program, do a disk log and an
error scan to determine error type and location. Also make two Three Minute
Backup copies/
Working with your backup:
1/ In order to look at the boot with our monitor, we must change its location
in memory. The reason for this is because this boot cannot be stopped once it
has been started. This is a simple procedure. From your utility disk, load
DISK DR <> L0AD n DISK DR ff ,8,l <>. When the cursor reappears type RUN and hit
RETURN. Remove the utility disk and insert one of your Tapper backups in the
drive. Hit RETURN again and you will be shown Track 18, Sector 1. Cursor over
to position 3 and hit the J key. This will take you to the first sector of the
Boot file. The first four bytes in this sector are the pointer bytes. Bytes
and 1 are the pointers denoting this as the only sector and the number of bytes
used in this sector. Bytes 2 and 3 are the program address bytes in reverse
order. Place the cursor over the byte in position 2 and hit the © key. Now,
type a 1 and hit RETURN. The cursor should now be on position 4. Again hit the
a key and type an 8 and hit RETURN. To make the changes on the backup, hit the
C key and hit RETURN. The sector is now changed on the disk. We have just
changed the boot address to $0801, which places it in Basic memory. The boot
will not run properly , but we may load and examine it.
2/ Turn your computer off and insert the reset button assembly into the
cartridge port. Turn on the computer and load the $8000 monitor from the utility
disk <> LOAD "32768", 8,1 <>. Type SYS 32768 and hit RETURN. With the monitor
active, place the altered backup in your drive and load the boot file
<> L "BOOT", 08 <>. disassemble code at $0801 (D 0801) and scroll down through
the code. The code from $0838 to $0853 is a loader routine that loads in the
file LOADER and then jumps to $C000. This gives us the information we need to
trace the program flow. Take this backup out of the drive and put the other
backup in its place. (Remember, we altered the boot file on this backup.)
3/ Load the LOADER file <> L "LOADER* ,08 <>. When the load is complete,
interperet memory at $C000 (I C000). Scroll down through the code watching the
left hand screen. At address $C1A3 youMl find the block read command : Ul
2,0,32,8. This is the command to read Track 32 Sector 8. Our error scan has
shown a 21 error in this location. Now let's disassemble and locate the
protection code.
4/ This protection scheme is written as a series of JSR (GOSUB in Basic).
Remember each JSR ends with a RTS (RETURN). Code will be explained in segments.
Try to follow the program flow.
A- Starting at $C000 in the DISASSEMBLE mode, scroll down to $C017 :
JSR C116.
KRACKER J AX REVEALED
PAGE A-4
B- Disassemble $C116
C- Disassemble $C14B
D- Disassemble $C172
E- Disassemble $C14E
F- Disassemble $C188
G- Disassemble $C151
JSR C14B.
JSR C172.
Opens a channel to the drive then RTS.
JSR C188.
Sends Block Read command to the drive then RTS.
JSR CiAF.
H- Disassemble $C1AF : Inputs two characters from the error channel and
stores them at $CiCA and $C1CB then RTS.
I- Disassemble $C154 : The accumulator is loaded with the error character
placed in $C1CA and compared with a $32. The accumulator is then loaded
with the error character placed in $C1CB and compared to a $31. This is
the hexadecimal equivalent of a 21 error ($32=2, $31=1). Notice that if
both comparisons ARE equal, the accumulator is loaded with a 0, if not,
it's loaded with a 1, then a RTS.
J- Disassemble $C119 : The accummulator is compared with 0, and if equal a
branch to $C127 occurs. To see what happens, type G C127 and hit RUN/STOP
-RESTORE. Code was transfered to the $8000 area of memory and was
activated by the RUN/STOP-RESTORE. You* 1 1 have to turn off the computer
and reload the monitor and the LOADER file again.
K- Disassemble $C11B
Read to 33).
L- Disassemble $CiiE
Read to 09).
Increment $C1AB (increments the track of the Block
Increment $C1AB (increment the sector of the Block
M- Disassemble $C120 : JSR C14B : Goes back through the error check routine
once again but now the 21 error at Track 33, Sector 9 is checked (the
second drive rattle). This time if the code is not branched to the
message screen as before, it will return back to $C01A to resume normal
loading.
N- This program can be broken in many different ways. Three will be given.
i- Place three NOPS at $C017 (EA EA EA), This will erase the code that
sends the program to the protection check in the first place (our
choice). The program will never do an error check.
2- Place a BNE at $Cil9 and $C124 (D0). This will instruct the program
to operate in an opposite fashion in regards to the protection, in
other words, crash if an error is found.
3- Place a $30 at $C162 and $C169. This will instruct the program to
expect NO error at the Block Read locations. Again, if an error is
found, the program will crash*
KEACKEt JAX REVEALED PAGE A-5
0- Choose one of the above methods and make your changes using the MEMORY
command. After the change is made the LOADER file may be scratched and saved.
Checking the disk log shows us the start address of $C000 and the end address of
*C2BC. Remember to add one byte to the end address
<> S tt @0:LOADER",08,C000,C2BD <>.
5/ Your backup is now broken and will never rattle the drive again. Another
benefit of this particular break is the fact that now you may file copy this
program.
KR ACKER J AX REVEALED __ PAGE A-6
< < < PROGRAM: BUCKAROQ BANZAI <> PUBLISHER: ADVENTURE INTERNATIONAL > > >
Procedure:
Booting the original produces a drive rattle early in the load. An error scan
shows write errors on the original, A backup made with Three Minute Backup
produces a non-working copy. Before starting to work on this program, do a disk
log and an error scan to determine error type and location. Also, make a Three
Minute Backup copy.
Working with your backup:
1/ The disk log shows us that the boot file SAGA resides in Basic memory, so
let's begin by loading the boot and examining it <> LOAD tt SAGA ff ,8: <>. List it
out and notice it loads the file SAGA* OBJ and does a SYS to 4863 ($1300).
2/ Turn your computer off and insert the reset button assembly* Turn the
computer on again and, from your utility disk, load the $C00® monitor
<> LOAD "49152", 8,1 <>. When the load is complete, sys the monitor in with
SYS 49152. Now load the SAGA. OBJ file from your backup, and follow the program
flow <> L "SAGA. OBJ tt , 08 <>* Start your dissasembly at $1300 (D 1300). We will
break the code down into sections for you. Try to follow along and inspect the
code as we go through it*
A- *1300-$1323 : Loads the SAGA.C64 file
B- $1324 : Does a JSR to $137A which IS the protection check routine
C- $137A-$13BE : Opens the error channel to the drive and sends the Block
Read command to check Track 34, Sector 4. Interpret memory at $13BF to
see the Ui (I 13BF). Then a jump to $13CE is taken.
D- $13CE-*13FE : Two bytes are received from the error channel and stored at
11556 and $1557* Then a check of these two addresses for the proper error
bytes is done. The bytes are compared to $32 (2 in decimal) and a $31 (1
in decimal)* These bytes correspond to a 21 error in decimal. If the
comparison is incorrect, the program branches to $13FF* Do a GO 13FF
(G 13FF) to see what happens. (You'll have to reload your monitor and
SAGA. OBJ file again). If the comparison is correct, the program continues
along until it encouters the RTS at $13FE. This will branch the code back
to $1327, and the program load will continue.
3/ This protection scheme is fairly simple, and extremly easy to defeat* Four-
different methods will be given to break this title. Choose one and make your
changes with the MEMORY command.
A- Place three NOFs at $1324. This will erase the JSR to the protection
routine. The program will never even look for protection now (our
choice) . '
B- Place an *F0 at 413EQ and I13F0. This will tell the program to fail if an
error IS found.
KRACKER JAX REVEALED PAGE A-7
C- Replace the code at $13E3 with A9 32 EA (LDA 32 EA) and the code at $13EA
with A9 31 EA (LDA 3i EA). This loads the accumulator with the correct
bytes the protection check is looking for.
D- Change $13E6 from a $32 to a $30 and $13ED from a $31 to a $30. This
tells the program to look for NO error ($30=0 in decimal)* The program
will crash if an error is found.
4/ After your changes are made, all that is left is to save the code back to
your backup. The disk log tells us the file resides from $1300 to $1575. Be
sure to add one byte to the end address <> S "@0:SAGA. OBJ", 08, 1300, 1576 <>.
5/ Your backup is now free from the restrictions of copy protection. It will
no longer bang your drive head and can even be file copied. This scheme can be
found in aproximatly this form in many different programs. Don f t be surprised
if you see it again*
KRACKER JAX REVEALED PAGE A-8
< < < PROGRAM; SARGQN II i CHESS <> PUBLISHER: HAY&EN SOFTWARE > > >
Procedure:
Booting the original produces a drive rattle twice at the end of the load. An
error scan shows write errors on the original. A backup made with Three Minute
Backup produces a non-working copy. Before starting to work on this program, do
a disk log and an error scan to determine error type and location. Also, make a
Three Minute Backup copy.
Working with your backup:
1/ Turn the computer off and insert the reset button assembly into the
cartridge port. Turn the computer back on and from your utility disk, load the
♦8000 monitor <> LOAD "32768*, 8, i <>. Sys the monitor in with SYS 32768. Place
your backup in the drive and load the boot file <> L "SARGON 1 1 I " , 08 <>. Start
your dissasembly of code at $02A7 <D 02A7). The code from *02A7 to *02F2 loads
the COPYRIGHT 1984 file in and jumps to $C000.
2/ Load the file COPYRIGHT 1984 <> L "COPY*", 08 <>. We will explain the code
a section at a time, so try to follow as we go through it. Using the
DISASSEMBLE command, disassemble memory beginning at $C000 (D C000).
A- Disassemble $C000 : $C000-$C09i sets up a loader routine that loads HAYDEN
SOFTWARE and JUMPS to $C311.
B- Disassemble $C3ii : $C3il-C336 opens an error channel to the drive and
sets the Y register to 0.
C- Disassemble $C337 : JSR $C376
D- Disassemble $C376 : *C376-$C389 sends Block Read command to Drive to check
Track 2, Sector 15. The address $C2F7,Y is accessed. Since Y has been
set to 0, the true address IS $C2F7. Interpret memory at $C2F7 to see the
B-R (I C2F7). This subroutine returns when an RTS is encountered.
E- Disassemble $C33A : JSR $C38A
F- Disassemble *C38A : $C38A-$C3A0 inputs two bytes from the error channel
and compares it to a $30 (0 or no error in decimal). If NO error is
found, a branch to *C373 is taken. This in turn jumps to a reset vector
and the program crashes. If errors are found, the program flows until the
RTS is encoutered.
G- Disassemble $C33A : Loads the Y register with 0D (13 in decimal).
H- Disassemble $C33F : JSR $C376 : Same as step d, except this time the
address $C2F7,0D <$C2F7+0D) is sent to the drive. This address is the
same as *C304 and is the B-R command for Track 3, Sector 16 (I C304).
I- Disassemble $C342 : JSR $C38A : Same as step f. Checks for error and RTS
if found.
m ACKER J AX REVEALED PAGE A-9
J- Disassemble $C345 : Close all channels and files; continue setup and jump
to start of program.
3/ This protection scheme is fairly simple and can be defeated in many ways.
Four will be given. Choose one, and make your changes with the MEMORY command*
When the change has been made, all that is left is to save the file back to the
disk. The disk log tells us the file resides in memory from $C000 to $C3A2.
Remember to add one byte to the end address when you save it OS "@0: COPYRIGHT
1984 fl ,08,C000,C3A3 <>.
A- Change the address *C08F from 4C ii C3 (JMP C31i) to 4C 45 C3 (JMP C345).
This will jump the program flow completely around the protection check
(our choice).
B- Change *C33A and $C342 from 20 8A C3 (JSR C38A) to EA EA EA. This will
erase the JSR to the error check.
C- Change $C397 from F0 0A (BEQ reset address) to EA EA. This will erase the
branch to the crash and the program flow will be forced to continue on.
D- Change $C395 from C9 30 (CMP 30) to C9 32. This will force the program to
crash if an error IS found.
4/ After your changes are made, you will have a completely broken copy that
can be fast copied and even file copied.
KB ACKER J AX REVEALED PAGE A- 10
< < < PROGRAM: THE SLUGGER <> PUBLISHER: MASTERTRQNIC5 > > >
Procedure:
Loading the original produces a drive rattle. An error scan shows write
errors on the original. A backup made with Three Minute Backup produces a
non-working copy. Before starting to work on this program, do a disk log and an
error scan to determine error type and location. Also, make a Three Minute
Backup*
Working with your backup:
1/ Checking the disk log shows us the boot file is in Basic memory so let's
start by loading it <> LOAD "THE SLUGGER", 8: <>. List it and examine the
loader* It loads various files and then does a SYS 514 ($0202). The disk log
again tells us the address $0202 is the start of the GOFILE file.
2/ Turn the computer off and install the reset assembly into the cartridge
port. Turn the computer back on, and from your utility disk, load the $2000
monitor <> LOAD "8192", 8,1 <>. Sys it in with SYS 8192. Now from your backup,
load the GOFILE file <> L "GOFILE", 08 <>. Start disassembly at $0202 (D 0202).
Scroll down through the code and notice that this file loads the CODE file and
Jumps to $0340.
3/ From the backup, load the CODE file <> L ft euDE*S08 <>. Start disassembly
at $0340 (D 0340). The disassembly is given in the sections below. Try to follow
along as we go through it.
A- $0340-$036A : Opens the error channel to the drive.
B- $036B-$037D : Sends Ul (Block Read) command to the drive to read Track 6,
Sector 7. Use the INTERPRET command to see the Ul (1 03E3).
C- $037E-$0385 : Set up to read two bytes from the error channel.
D- $0389-$0396 : Inputs a byte from the error channel and compares it to a
$32 (2 in decimal). Another byte is retrieved and compared to a $33 (3
in decimal). Each compare results in a branch to a crash address if not
satisfied. Otherwise the program flow continues on to a Jump to $03A1.
These compares are the 2 and the 3 of a number 23 error. The error scan
confirms a 23 error at Track 6, Sector 7.
E- $03A1-$03A8 : Close error channel and normal program flow continues.
4/ The break in this program is fairly simple. Four different methods will be
given. Choose one and make your changes with the MEMORY command.
A- Change $0340 to 4C AB 03 (JUMP $03AB). This will cause the program to
jump completly around the protection check (our choice).
B- Change $038D and $0394 to $30. This will instruct the protection check to
look for NO error ($30=0 in decimal).
KSACKER JAX REVEALED FAfiE A- 11
C- Change $038E and $0395 to $F0, This will cause the protection to branch
to the crash if an error IS found.
D- Change $0389 to A9 32 EA (LDA 32) and $0390 to A9 33 EA (LDA 32). This
will load the accumulator with the bytes it wants in the compares. The
bytes will not be inputed from the error channel.
5/ When your changes are made, ail that's left is to save them to the backup*
The disk log supplies the start and end addresses. Be sure to add one byte to
the end address <> S M @0:CODE n , 08, 0340, 0401 <>. Your backup is completely
broken and may be file copied to another disk*
KRACKER J AX REVEALED
PASE B-l
< < < INTRODUCTION: PROTECTION SCHEME TYPE B > > >
This protection scheme has allowed software publishers a means of protecting
their programs from the finest nibblers on today's market. It employs a loader
that resides in RAM at $C000. This loader does the protection check and then
procedes to gather a Basic boot from the program disk. This boot is placed in
RAM at the beginning of Basic ($0801-). Our task in each of these schemes will
be to let the original disk pass protection and then place the boot in memory.
At this point we can retrieve the boot and from then on use it to load our
back-up, leaving the protection check completely behind.
Before starting, you must understand the way a Basic program is placed in
memory and how the pointers affect it. The reason for this is that most of the
time upon reset, the beginning pointers will be destroyed and we will have to
repair them ourselves.
The pointers used by Basic are very specific, and if not correct, the Basic
program will fail to operate properly. To show you how a Basic program looks in
memory, let's inspect the example on your work disk.
First, load the $C000 monitor from your Utility disk <> Load "49152", 8,1 <>
and sys it in by typing SYS49152 and hitting RETURN. You should be in the
monitor now so load again from your work disk the file called BASIC EXAMPLE
<> L "BASIC EXAMPLE", 08 <>. After the load, examine memory from $0801-*0890
<> M 0801 <>. Scroll up and down through the code. You should be looking at
the same code as shown below. Please note that the example below has all
pointer bytes under! ined for ease of viewing.
0801
0£
08
05
00
99
22
93
11
0809
11
11
05
22
00
35
08
0A
0811
00
99
22
20
20
20
54
48
0819
49
53
20
49
53
20
41
4E
0821
20
45
58
41
4D
50
AC
45
0829
20
4F
46
20
48
4F
57
20
0831
41
20
22
00
5A
08
14
00
0839
99
22
20
20
20
42
41
53
0841
49
43
20
50
52
4F
47
52
0849
41
4D
20
49
53
20
46
4F
0851
52
4D
41
54
45
44
20
22
0859
00
84
08
IE
00
99
22
20
0861
20
20
49
4E
20
54
48
45
0869
20
4D
45
4D
4F
52
59
20
0871
4F
46
20
54
48
45
20
43
0879
4F
4D
4D
4F
44
4F
52
45
0881
2E
22
00
00
00
FD
BD
FF
0889
D0
FF
FF
E6
FF
FE
00
00
The format of Basic is as folows. Starting at $0801, the bytes 0E 08 denote
the placement of the next line number in memory in reverse order ($080E). The
next two bytes, 05 00 denote the current line number in reverse order ($0005=5)*
Follow the bytes from here until you get to the next 00. This byte (residing at
KR ACKER J AX REVEALED PAGE B-2
address $080D) denotes the end of the first line in this program. The next four
bytes are again the pointers for the second line in our Basic program. The
address $080E and $080F contain the bytes 35 08. These are the address of the
next line number in our program, again in reverse order ($0835). The next two
bytes starting at $0810 are 0A 00 which is the current line number of our
program, again in reverse order (000A=0A in hex or line 10 in decimal). This
format is followed all through any normal Basic program and ends only when three
hex zeros are encountered (00 00 00). This tells Basic that the programs end
has been found. YouM 1 find these bytes in our example starting at $0883.
This means that this program could be saved with your monitor using the
addresses from $0801-$0885. The $0801 being the beginning of Basic and the
$0885 the last of the three zero bytes. The actual save command would be
OS "FILENAME", 08, 0801, 0886 <>. We used the end address $0886 because ail
monitor saves need one extra byte added to the actual ending address
($0885+1 =$0886).
By understanding the structure of Basic, we can now repair any damage done to
our pointers when we reset out of our program loads. Now let's move on to our
example programs.
KBACKER JAX REVEALED _ PAGE B , 3
< < < PROGRAM: TITLE BOUT <> PUBLISHER: AVALQN HILL > > >
Procedure:
Loading the original produces a rattle free load, and an error scanner shows
no standard errors. A backup made with Three Minute Backup produces a
non-working copy. A backup made with a nibbler also produces a non-working
copy. Before starting to work on this program, please make a non-working backup
of the original .
Working with your backup:
1/ Start by validating the BAM <> 0PEN15,8, 15, n V":CL0SE15 <> to make room for
a new file we will be adding later. Scratch The first file from your backup
<> OPENi5,8,15, w S0:AH n :CLOSE15 <>.
Working with your original:
2/ Place a write protect tab on the original to ensure its safety during the
breaking process.
3/ Turn off your computer and insert your reset assembly into the cartridge
port. Turn the computer on again and load the boot file and start the load
process <> LOAD^AH",^ 1 <> . Allow the program to load until the screen turns
black and the words LOADING DATA appear in the middle of the screen. At this
point, reset the computer*
4/ Remove the original disk from your drive and insert the utility disk. Load
the $C000 monitor <> L0AD T, 49152 n , 8, i <>. When the load is complete, sys the
monitor in with SYS 49152. The monitor should be active now. Remove the
utility disk from the drive and replace it with the backup work disk.
5/ Interpret memory starting at $0801 (I 0801). Scroll through memory and
notice the Basic program. Our task is to repair the pointers and save the
program to your backup (see scheme B intro). Using the memory command (M 0801)
inspect code at 0801. Notice that the first two bytes are 00 00. These two
bytes represent the start of the next line in this Basic program. Obviously,
these bytes have been destroyed by the reset because the next line couldn't be
zero. To find the correct bytes to replace the two zeros, follow this
procedure. We know the first four bytes are pointer bytes ( $0801- $0804 ) . We
also know that the next time a zero byte appears in memory ($0811), it signals a
new line. The next address is the address that the pointer will point to
($0812). Therefore, the first two bytes in this program should be 12 08 because
all addresses are read in reverse order. Now we can scroll to the two zeros at
$0801 and type over them 12 08 and hit RETURN. The first four bytes starting at
$0801 should now be 12 08 01 00 (the 01 00 bytes represent the current line
number in reverse 01 00=00 01). Our Basic program is now repaired and all
that's left is to locate the end of the program and save it to your backup disk.
To find the program end, use the HUNT command in your monitor. We'll hunt for
the three zero bytes that signal the end of Basic. OH 0801 8000 00 00 00 <>.
As the first bytes begin to be reported, hit the number 1 key to stop the hunt.
We are only interested in the first address reported. In this case, it should
be $1C15. Using the MEMORY command, inspect memory around the address $1C15.
KRACKER JAX REVEALED PAGE B-4
You will notice that the third zero is at the location $1C15. We now have ail
the information needed to save the new boot to your backup. The start address
is $0801 (beginning of Basic) and the end address is HCiS (all monitors require
us to save the actual address plus one;$iC15+I=$iCi6) . Hake sure your backup is
in the drive and save the memory from $0801-$1C15 <> S«Mi" 9 <fiS,Q8<bl, 1C16 <>.
6/ When the save is complete, you will have a broken copy that will no longer
do a protection check. We have essentially replaced the auto boot and the
protection check with the result, a Basic boot*
KftACKHt J AX REVEALED PAGE B-5
< < < PROGRAM: SUPERBQWL SUNDAY <> PUBLISHER: AVALQN HILL > > >
Procedure;
Loading the original produces a rattle free load, and an error scanner shows
no standard errors, A backup made with the Kracker Jax copier produces a
non-working copy. A backup made with a nibbier produces the same non-working
copy. Before starting to work on this program, please make a non-working backup
of the original*
Working with your backup;
1/ Start by validating the BAM <> 0PEN15,8, 15, n V tt :CLQSE15 <> to make room for
a new file we wiil be adding later. Scratch The first file from your backup
<> OPEN15,8,15, t, S0:START*:CLGSE15 <>.
Working with your original;
2/ Place a write protect tab on the original to ensure its safety during the
breaking process,
3/ Turn your computer off and insert the reset assembly into the cartridge
port. Turn the computer on again and load the boot file and start the load
process <> L0AD n START",8, 1 <>. Allow the program to load until the game menu is
on the screen. At this point, reset the computer,
4/ Remove the original disk from your drive and insert the utility disk. Load
the $C000 monitor <> L0AD"49I52",8, 1 <> . When the load is complete, sys the
monitor in with SYS49152. The monitor should be active now. Remove the utility
disk from the drive and replace it with the backup work disk.
5/ Interpret memory starting at $0801 (I 0801). Scroll through memory and
notice the Basic program. Our task is to repair the pointers and save the
program to your backup (see scheme B intro). Using the memory command (M 0801)
inspect code at 0801. Notice that the first two bytes are 00 00. These two
bytes represent the start of the next line in this Basic program* Obviously,
these bytes have been destroyed by the reset because the next line couldn't be
zero. To find the correct bytes to replace the two zeros, follow this
procedure. We know that the first four bytes are pointer bytes ($0801-50804) ♦
We also know that the next time a zero byte appears in memory ($0811), it
signals a new line. The next address is the address that the pointer will point
to ($0812). Therefore, the first two bytes in this program should be 12 08
because all addresses are read in reverse order. Now we can scroll to the two
zeros at $0801 and type over them 12 08 and hit RETURN. The first four bytes
starting at $0801 should now be 12 08 00 00 (the 00 00 bytes represent the
current line number in reverse 00 00=00 00; yes, we CAN have a line number 0!).
Our BASIC program is now repaired and all that is left is to locate the end of
the program and save it to our backup disk. To find the program end, use the
HUNT command in your monitor. We* 1 1 hunt for the three zero bytes that signal
the end of Basic. OH 0801 8000 00 00 00 <>. As the first bytes begin to be
reported, hit the number 1 key to stop the hunt. We are only interested in the
first address reported. In this case it should be $0A6E. Using the memory
command, inspect memory around the address $0A6E. You will notice that the
KIACKER J AX REVEALED
PAGE B-6
third zero is at the location $0A70. We now have all the information needed to
save the new boot to our backup. The start address is $0801 (beginning of
Basic) and the end address is $0A7i (all monitors require us to save the actual
address plus one: $0A70+i=$0A71) . Make sure your backup is in the drive and
save the memory from $0801-$0A70 <> S*START n ,08, 0801, 0A71 <>.
6/ When the save is complete, you will have a broken copy that will no longer
do a protection check. We have essentially replaced the auto boot and the
protection check with the result, a Basic boot.
KRACKER J AX REVEALED PAGE B-7
< < < PROGRAM; GULF STRIKE <> PUBLISHER: AVALON HILL > > >
Procedure;
Loading the original produces a rattle free load, and an error scanner shows
no standard errors, A backup made with the Kracker Jax copier produces a
non-working copy. A backup made with a nibbler produces the same non-working
copy. Before starting to work on this program, please make a non-working backup
of the original.
Working with your backup;
1/ Start by validating the BAM <> GPEN15,8, 15, n V n :CLGSE15 <> to make room for
a new file we will be adding later. Scratch the first file from your backup
<> OPEN15,8,i5, N S0:BOOT*:CLOSEi5 <>.
2/ Turn off your computer and insert the reset assembly into the cartridge
port. Turn the computer on again and remove your backup from the drive. Insert
the utility disk and load the $C000 monitor <> L0AD n 49i52 t ^ 8, i <>. After the
load, sys in your monitor with SYS 49152 and hit RETURN. We want to fill memory
from $0801~$2000 with EA so, use the FILL command <> F 0801 2000 EA <>. We now
have a marked workspace to load our program into. Use the reset button to reset
the computer and clear the screen.
Working with your original:
3/ Place a write protect on the original to ensure its safety during the
breaking process.
4/ Load the boot file and start the load process <> L0AD n BQQT n ,8, 1 <>. Allow
the program to load until the screen clears and then turns blue. At this point,
reset the computer.
5/ Remove the original disk from your drive and insert the utility disk again.
Load The $C000 monitor <> L0AD fr 49152*,8, 1 <>. When the load is complete, sys
the monitor in with SYS49152. The monitor should be active now. Remove the
utility disk from the drive and replace it with the backup work disk.
6/ Interpret memory starting at $0801" (I 0801). Scroll through memory and
notice the Basic program. Our task is to repair the pointers and save the
program to our backup (see scheme B intro). Using the MEMORY command CM 0801),
inspect code at $0801. Notice that the first two bytes are 00 00. These two
bytes represent the start of the next line in this Basic program. Obviously,
these bytes have been destroyed by the reset because the next line couldn't be
zero. To find the correct bytes to replace the two zeros, fol low this
procedure. We know the first four bytes are pointer bytes ($0801-$0804) . We
also know that the next time a zero byte appears in memory ($080D), it signals a
new line. The next address is the address that the pointer will point to
($080E). Therefore, the first two bytes in this program should be 0E 08 because
all addresses are read in reverse order. Now we can scroll to the two zeros at
$0801 and type over them 0E 08 and hit RETURN. The first four bytes starting at
$0801 should now be 0E 08 0A 00 (the 0A 00 bytes represent the current line
number in reverse 0A 00=000A =10 in decimal). Our Basic program is now repaired
KB ACKER J AX REVEALED PAGE B-8
and ail that is left Is to locate the end of the program and save it to our
backup disk. To find the program end, use the HUNT command In your monitor.
We 1 11 hunt for the first three EA bytes that signal the end of the program that
we loaded in <> H 0801 2000 EA EA EA <>. This search will bring back the
address *08A5. Dissasembly of code around this address reveals a small machine
language program placed under a Basic program. To properly capture all the
neccessary code, we must save the code from the beginning of Basic ($0801) to
the beginning of our EA bytes ($08A5). Because all monitors require us to add
one extra byte to the end address, use this command:
<> S"BGOT ff ,08,0801,08A6 <>.
7/ When the save is complete, you will have a broken copy that will no longer
do a protection check. We have essentially replaced the auto boot and the
protection check with the result, a small program consisting of a Basic loader
with a machine language routine placed under it.
KRACKER JAX REVEALED p AG£ B . 9
< < < PROGRAM; CREATIVE CONTRAPTIONS <> PUBLISHER; BANTAM SOFTWARE > > >
Procedure:
Loading the original produces a rattle free load, and an error scanner shows
no standard errors. A backup made with the Kracker Jax copier produces a
non-working copy* A backup made with a nibbier produces the same non-working
copy. Before starting to work on this program, please make a non-working backup
of the original.
Working with your backup:
1/ Start by scratching the first file from your backup
<> OPEN15,8,lS, tt S0:CREATIVE t, :CLQSE15 <>.
Working with your original:
2/ Place a write protect on the original to ensure its safety during the
breaking process.
3/ Turn your computer off and insert the reset assembly into the cartridge
port. Turn the computer on again and load the boot file and start the load
process <> LQAD^CREATIVE", 8 <>. When the cursor appears, type RUN and hit
RETURN. Let the program load for about 15 seconds and reset the computer.
4/ Remove the original disk from your drive and insert the utility disk. Load
the $C000 monitor <> L0AD tf 49152", 8, 1 <>. When the load is complete, sys the
monitor in with SYS49152. The monitor should be active now. Remove the utility
disk from the drive and replace it with the backup work disk.
5/ Interpret memory starting at $0801 (I 0801). Scroll through memory and
notice the Basic program. Our task is to repair the pointers and save the
program to our backup (see scheme B intro). Using the MEMORY command (M 0801),
inspect code at 0801. Notice that the first two bytes are 00 00. These two
bytes represent the start of the next line in this Basic program. Obviously,
these bytes have been destroyed by the reset because the next line couldn't be
zero. To find the correct bytes to replace the two zeros, follow this
procedure. We know the first four bytes are pointer bytes ($0801-$0804) . We
also know that the next time a zero byte appears in memory ($0818), it signals a
new line. The next address is the address that the pointer will point to
($0819). Therefore, the first two bytes in this program should be 19 08 because
all addresses are read in reverse order. Now we can scroll to the two zeros at
$0801 and type over them 19 08 and hit RETURN. The first four bytes starting at
$0801 should now be 19 08 0A 00 (the 0A 00 bytes represent the current line
number in reverse 0A 00=000A -10 in decimal). Our Basic program is now repaired
and all that is left is to locate the end of the program and save it to your
backup disk. To find the program end, use the HUNT command in your monitor.
We'll hunt for the three zero bytes that signal the end of Basic.
<> H 0801 8000 00 00 00 <> 4 As the first bytes begin to be reported, hit the
number 1 key to stop the hunt. We are only interested in the first address
reported. In this case it should be $0879. Using the MEMORY command, inspect
memory around the address $0879. You will notice that the third zero is at the
location $087B. We now have all the information needed to save the new boot to
KBACKER JAX REVEALED PAGE B-10
our backup. The start address is $0801 (beginning of Basic) and the end address
is $087C (all monitors require us to save the actual address plus one:
*087B+i=$087C) . Make sure your backup is in the drive and save the memory from
$0801-$087C <> S "CREATIVE", 08, 0801, 087C <>.
6/ When the save is complete, you will have a broken copy that will no longer
do a protection check, and will even load faster than the original. Ue have
essentially replaced the auto boot and the protection check with the result, a
Basic boot.
MUCKER JAX REVEALED PAGE C-l
< < < INTRODUCTION: PROTECTION SCHEME TYPE C > > >
This protection scheme employs the use of a "fat track** to prevent the user
from making his backup* To make matters worse, the fat track is placed on the
outer (36-40) tracks.
Most of the examples covered in this manual work aproximatly the same* The
following general loading procedure is taken with each,
1/ The boot is loaded and autostarts the program.
2/ A fast loader is set up and activated.
3/ The logo screen is loaded in and activated.
4/ The protection routine is decrypted.
5/ The files pertaining to the program are loaded in. These are generally
encrypted.
6/ The protection is checked, which places a numeric value ($FF) in the disk
drive's memory.
7/ The value is checked using a memory read.
8/ The value is used as a part of a decryption routine to decrypt the main
program. Proper decryption takes place ONLY if the correct value is
returned.
9/ The code then jumps to the start of the program.
The Activision examples in this manual represent this protection scheme in
it's most difficult form to un-protect. YouM 1 find this same scheme being used
by other software publishers, but generally not encrypted. They usually check
for the value in the same way and start the program if found. One example of
this will be given, and will be unprotected by a different method.
Understanding this routine is imperative, because this scheme has been improved,
and will be covered in it's expanded form in updates to this manual.
KBACKER JAX REVEALED PAGE C-2
< < < PROGRAM: COUNTDOWN TO SHUTDOWN <> PUBLISHER: ACTI VISION > > >
Procedure:
Loading the original produces a rattle free load, and an error scanner shows
no standard errors. A backup made with Three Minute Backup produces a
non-working copy. A nibbled backup produces the same non-working copy- Before
starting to work on this program, please make a (non-working) backup of the
original, and a disk log to log the file addresses.
1/ Turn off your computer and insert your reset button assembly into the
cartridge port. Turn the computer on again. Load the $C000 monitor from your
utility disk <> LOAD^AQiSZ", 8» i <>. At the completion of the load, type SYS
49152 and hit RETURN. The monitor should be active now.
Working with your backup:
2/ With your backup in the drive and the monitor active, load the boot file
<> L "COP*" ,08 <>. When the load is complete, dissasemble memory at $02A0.
You'll find a loader routine that loads in the 1985 file and jumps to $0B79.
3/ Load the 1985 file into memory <> L n 19* ff ,08 <>. After the load, start
disassembly of code at $0B79 <D 0B79). The code is as follows: $0B79-$0BCB
sets up a fast loader and loads in the logo screen. $0BCC is a JSR (GOSUB in
BASIC) to the logo screen. $0BCF is the start of the main program load. It is
this code that is of interest to us.
4/ The code at $0C40~$0C6i is a decryption routine. Examine it because it is
the key to the de-protection. This routine allows decryption and examination of
the protection code. At the end of this decryption routine is a RTS ($0C61).
Using the Memory command (M 0C61), change the 60 to a 00. This will allow a
normal operation of code until the 00 (Break or Stop) is encountered. The
program, once started, will stop right after the decryption, allowing us to
examine the protection routine.
5/ For our purposes, we will skip over the fast loader and logo screens. Let's
start the program after the logo screen is run ($0BCF). Type G 0BCF and hit
RETURN. The screen should turn black. Wait for about five seconds and reset
the computer. Return to the monitor with SYS 49152. Using the INTERPERET
command, examine code from $0A00 on (I 0A00). Code at I0AEF reveals a Block
Execute (executes a protection check routine placed in drive memory) and code at
$0B72 reveals a Memory Read that reads the value placed in the drive by the
protection check. This value, in this scheme, is always an *FF. Examine code
at $0B42, The value is being returned to the computer by a Memory Read with a
kernal routine. The SFFCF routine brings back the value $FF. It is then EORed
with $AA which turns it into a $55 and then stores it at location $0B65« Our
job is to place the correct value in $0B65 and disable the routine overwriting
it* This can be accomplished by placing three NOPs at $0B47 which will allow
the routine to Memory Read the value but not place it in computer RAM. All that
is left is to place the correct value of $55 at $0B65.
6/ Now we have the correct values to plug into the code to disable and give
the protection check what it wants. The last step is to place the changes on
KRACKER JAX REVEALED PAGE c . 3
the disk. This is best done with a sector editor because to scratch and replace
the 1985 file will destroy neccessary code placed on the disk. This code is not
accessed in the normal fashion, so it will be overwritten if we do a scratch and
save of the 1985 file. Finish the job by following these steps:
on
A/ We know the code was originally encrypted, so we must place our values _..
the disk in encrypted form. The three bytes at $0B47 and the single byte at
$0B65 are the only changes needed. Reload the 1985 file <> L 19*" .08 <>.
Again go to location $0B61 and place a 00 in memory. Inspect the three bytes a
*0B47. They should be 29 7A 9i. The byte at *0B65 should be a A2. These are
the bytes we will look for on our backup with the sector editor.
B/ The code can now be decrypted by typing G 0BCF. Again the screen will turn
black. After a few seconds, reset the computer and reactivate the monitor with
SYS 49152. Using the MEMORY command (M 0B47), change the code at $0B47 from
8D 65 0B to EA EA EA. Change the code at $0B65 from A2 to 55.
C/ Now that our changes are in memory, we may re-encrypt the file (and our
byte changes) by again typing G 0BCF. Again, reset out and SYS the monitor back
in with SYS 49152 and hit RETURN. Examine memory at $0B47 and find the
encrypted byte changes. They should be 4E F5 70. The byte at $0B65 has changed
to SB. Now we know the changes, and the location, so we may now do the actual
changes to the backup.
D/ Reset the computer and load the sector editor from the utility disk
<> LQAD n DISK DR n ,8,l <>. When the cursor appears, type run and hit RETURN.
Remove the utility disk and place your backup in the drive. Hit RETURN. You
will be shown track 18, sector 1. By placing the cursor at position 35, you
will be on the file pointers of the 1985 file. Press the J key to jump to the
beginning of the 1985 file. When the sector comes on the screen, examine the
first four bytes. The first two are links to the next sector of the file. The
next two are the address bytes in reverse order ($0700). We know our changes
are in memory block $0B00 so we can use the N key to page through memory. Press
N to go to apx 0800, press again to go to 0900, press again to go to 0A00, and
once more to *0B00. This block turned out to be track 17, sector 3 on our
version. Yours could be in a different location on the disk but the idea will
be the same.
E/ Using the cursor key to move through the code, we find the original three
bytes 29 7A 91 at location 83. The change to 4E F5 70 can be accomplished with
the @ key. The changes must be the decimal equivilant. These are 78 245 112.
Change each byte by placing the cursor over the byte to be changed, and type @
and then the decimal number change. Hit RETURN when the change is made to lock
it in. When all three bytes are changed, continue searching with the cursor for
the A2 byte. This can be found at 113. Using the same change procedure, change
it to a decimal 91 USB). When ail changes have been made and iocked in, press
C to copy the sector back to the disk.
7/ You now have a copy that can be fast copied. The placement of data on the
disk in methods other than directory files will not allow you to fiie copy. One
other point of interest is the fast loader installed in many pieces of this
publisher's software. This fast loader is NOT compatible with the 1571 disk
KB ACKER J AX REVEALED PAGE C-4
drive. In many (but not all) of the programs, you may disable the fast loader
and allow the program to load on the 1571 by changing the jump to the main
program in the autoboot. Countdown does not work by doing this but, just as an
example, you would change the 79 ©B (JMP 0B79) to CF 0B (use DISK Doctor and the
decimal eqivilents). This would bypass the fast loader and the logo screen. A
small price to pay for the 1571 owners.
KRACKER JAX REVEALED PAGE C-5
< < < PROGRAM; WEB DIMENSION <> PUBLISHER: ACTIViSiON > > >
Procedure:
Loading the original produces a rattle free load, and an error scanner shows
no standard errors. A backup made with Three Minute Backup produces a
non-working copy. A backup made with a nibbler produces the same non-working
copy. Before starting to work on this program, please make a (non-working)
backup of the original, and a disk log to log the file addresses.
1/ Turn off your computer and insert your reset button assembly into the
cartridge port. Turn the computer on again. Load the $C000 monitor from your
utility disk <> L0AD W 49152",8, 1 <>. At the completion of the load, type SYS
49152 and hit RETURN. The monitor should be active now.
Working with your backup;
2/ With your backup in the drive and the monitor active, load the boot file
<> L "COP*" ,08 <>. When the load is complete, disassemble memory at $02E0.
YouMl find a loader routine that loads in the 1985 file and jumps to $0C3D.
3/ Load the 1985 file into memory <> L " 19*", 08 <>. After the load, start
dissasembly of code at $0C3D (D 0C3D). The code is as follows: $0C3D-$0C5B
sets up a fast loader and loads in the logo screen, $0C5C is a JSR (GOSUB in
BASIC) to the logo screen. $0C5F is the start of the main program load. It is
this code that is of interest to us.
4/ The code at $0CE5-$0D06 is a decryption routine. Examine it, because it is
the key to the de-protection. This routine allows decryption and examination of
the protection code. At the end of this decryption routine is a RTS <$0D06>.
Using the MEMORY command (M 0D06), change the 60 to a 00. This will allow a
normal operation of code until the 00 (Break or Stop) is encountered. The
program, once started, will stop right after the decryption, allowing us to
examine the protection routine.
5/ For our purposes, we will skip over the fast loader and logo screens.
Let's start the program after the logo screen is run ($0C5F). Type G 0C5F and
hit RETURN. The screen should turn black. Wait for about five seconds and
reset the computer. Return to the monitor with SYS 49152. Using the 1NTERPERET
command, examine code from $0A00 on (I 0A00). Code at $0AB6 reveals a Block
Execute (executes the protection check placed in drive memory) and code at $0AC2
reveals a Memory Read that reads the value placed in the drive by the protection
check. This value is, in this scheme, always an $FF. Examine code at $0A92.
The value is being returned to the computer by a Memory Read with a kernal
routine. The $FFCF routine brings back the value $FF. It is then EORed with
$FF which turns it into a $00 and then stores it at location $0AB5. Our job is
to place the correct value in $0AB5 and disable the routine overwriting it.
This can be accomplished by placing three NOPs at $0A97 which will allow the
routine to Memory Read the value but not place it in computer RAM. All that is
left is to place the value of $00 at $0AB5.
6/ Now we have the correct values to plug into the code to disable and give
the protection check what it wants. The last step is to place the changes on
the disk. This is best done with a sector editor because to scratch and replace
the 1985 file will destroy neccessary code placed on the disk. This code is not
KBACKER J AX REVEALED PAGE C-6
accessed in the normal fashion, so it may be overwritten if we do a scratch and
save of the 1985 file. Finish the job by following these steps:
A/ We know the code was originally encrypted, so we must place our values on
the disk in encrypted form. The three bytes at $0A97 and the single byte at
$0A£5 are the only changes needed- Reload the 1985 file <> L 19* w ,08 <>.
Again, go to location $0D06 and place a 00 in memory. Inspect the three bytes
at $0A97. They should be 19 8E £8. The byte at $0AB5 should be a 8A. These
are the bytes we will look for on our backup with the sector editor*
B/ The code can now be decrypted by typing G 0C5F. Again the screen will turn
black. After a few seconds, reset the computer and reactivate the monitor with
SYS 49152. Using the MEMORY command (M 0A97), change the code at $0A97 from
8D B5 0A to EA EA EA. Change the code at $0AB5 from AC to 00.
C/ Now that our changes are in memory, we may re-encrypt the file (and our
byte changes) by again typing G 0C5F. Again, reset out and SYS the monitor back
in with SYS 49152 and hit RETURN, Examine memory at $0A97 and find the
encrypted byte changes. They should be 7E Dl 08. The byte at *0AB5 has changed
to 26. Now we know the changes, and the location so we may now do the actual
changes to the backup.
D/ Reset the computer and load the sector editor from the utility disk
<> LOAD^DISK ^",8,1 <>. When the cursor appears, type RUN and hit RETURN.
Remove the utility disk and place your backup in the drive. Hit RETURN. You
will be shown track 18, sector 1. By placing the cursor at position 35, you
will be on the file pointers of the 1985 file. Press the J key to jump to the
beginning of the 1985 file. When the sector comes on the screen, examine the
first four bytes. The first two are links to the next sector of the file. The
next two are the address bytes in reverse order ($0A00). We know our changes
are in memory block *0A00 so we are in the proper block to make our changes.
This block turned out to be track 17, sector 2 on our version. Yours could be
in a different location on the disk, but the idea will be the same.
E/ Using the cursor key to move through the code, we find the original three
bytes 19 8E E8 at location 155. The change to 7E Di 08 can be accomplished with
the 6 key. The changes must be the decimal equivilant. These are 126 209 08.
Change each byte by placing the cursor over the byte to be changed, and type §
and the the decimal number change. Hit RETURN when the change is made to lock
it in. When all three bytes are changed, continue searching with the cursor for
the 8A byte. This can be found at position 185. Using the same change
procedure, change it to a decimal 38 ($26). When all changes have been made and
locked in, press C to copy the sector back to the disk.
7/ You now have a copy that can be fast copied. The placement of data on the
disk in methods other than directory files will not allow you to file copy. One
other point of interest is the fast loader installed in many pieces of this
publisher's software. This fast loader is NOT compatible with the 1571 disk
drive. In many of the (but not all) of the programs, you may disable the fast
loader and allow the program to load on the 1571 by changing the Jump to the
main program in the autoboot. Web Dimension will work by doing this. Just
change the 3D OC (JMP 0C3D) to 5F 0C (use DISK Doctor and the decimal
equivilents). This will bypass the fastloader and the logo screen. A small
price to pay for the 1571 owners.
KMACKEB JAX REVEALED
page c-7
< < < PROGRAM; FIREWORKS CELEBRATION KIT <> PUBLISHER; ACT1 VISION > > >
Procedure:
Loading the original produces a rattle free load, and an error scanner shows
no standard errors. A backup made with Three Minute Backup produces a
non-working copy. A backup made with a nibbler produce the same non-working
copy. Before starting to work on this program, please make a (non-working)
backup of the original, and a disk log to log the file addresses*
1/ Turn off your computer and insert your reset button assembly into the
cartridge port. Turn the computer on again. Load the SC000 monitor from your
utility disk <> L0AD n 49152 w ,8, 1 <>. At the completion of the load, type SYS
49152 and hit RETURN. The monitor should be active now.
Working with your backup:
2/ With your backup in the drive and the monitor active, load the boot file
<> L w COP* n ,08 <>. When the load is complete, disassemble memory at *02E0.
YouMI find a loader routine that loads in the 1985 file and jumps to $0C3D.
3/ Load the 1985 file into memory <> L " 19*", 08 <>. After the load, start
disassembly of code at *0C3D (D 0C3DK The code is as follows: $0C3D-$#C5B
sets up a fast loader and loads in the logo screen. $0C5C is a JSR (GOSUB in
BASIC) to the logo screen, *0C5F is the start of the main program load. It is
this code that is of interest to us.
4/ The code at $0CE2-$0D03 is a decryption routine. Examine it, because it is
the key to the de-protection. This routine allows decryption and examination of
the protection code. At the end of this decryption routine is a RTS ($0D03).
Using the MEMORY command <M 0D03), change the 60 to a 00, This will allow a
normal operation of code until the 00 (Break or Stop) is encountered. The
program, once started, will stop right after the decryption, allowing us to
examine the protection routine.
5/ For our purposes, we will skip over the fast loader and logo screens.
Let's start the program after the logo screen is run (I0C5F). Type G 0C5F and
hit RETURN. The screen should turn black. Wait for about five seconds and
reset the computer. Return to the monitor with SYS 49152. Using the INTERPERET
command, examine code from $0A00 on (I 0A00). Code at $0AB6 reveals a Block
Execute (executes the protection check placed in drive memory) and code at $0AC2
reveals a Memory Read that reads the value placed in the drive by the protection
check. This value, in this scheme, is always an $FF. Examine code at $0A92.
The value is being returned to the computer by a Memory Read with a kernal
routine. The *FFCF routine brings back the value $FF. It is then EORed with
$FF which turns it into a $00 and then stores it at location $0AB5. Our job is
to place the correct value in $0AB5 and disable the routine overwriting it.
This can be accomplished by placing three NOPs at $0A97 which will allow the
routine to Memory Read the value but not place it in computer RAM. All that is
left is to place the value of $00 at $0AB5.
6/ Now we have the correct values to plug into the code to disable and give
the protection check what it wants. The last step is to place the changes on
the disk. This is best done with a sector editor because to scratch and replace
the 1985 file will destroy neccessary code placed on the disk. This code is not
KRACKER JAX REVEALED PAGE C-8
accessed in the normal fashion, so it may be overwritten if we do a scratch and
save of the 1985 file. Finish the job by following these steps:
A/ We know the code was originally encrypted, so we must place our values on
the disk in encrypted form. The three bytes at $0A97 and the single byte a
$0AE5 are the only changes needed. Reload the 1985 file <> L 19* ff ,08 <>.
Again go to location $0D06 and place a 00 in memory. Inspect the three bytes at
$0A97. They should be 19 8E E8. The byte at $0AB5 should be an 8A. These are
the bytes we will look for on our backup with the sector editor.
8/ The code can now be decrypted by typing G 0C5F. Again, the screen will
turn black. After a few seconds, reset the computer and reactivate the monitor
with SYS 49152. Using the MEMORY command (M 0A97), change the code at $0A97
from 8D B5 0A to EA EA EA. Change the code at $0AB5 from AC to 00.
C/ Now that our changes are in memory, we may re-encrypt the file (and our
byte changes) by again typing G 0C5F. Again reset out and SYS the monitor back
in with SYS 49152 and hit RETURN. Examine memory at *0A97 and find the
encrypted byte changes. They should be 7E Di 08. The byte at $0ABS has changed
to 28, Now we know the changes, and the location so we may now do the actual
changes to the backup.
D/ Reset the computer and load the sector editor from the utility disk
<> LOADED I SK DR\8,i <>. When the cursor appears, type RUN and hit RETURN.
Remove the utility disk and place your backup in the drive. Hit RETURN. You
will be shown track 18, sector 1. By placing the cursor at position 35, you
will be on the file pointers of the 1985 file. Press the J key to jump to the
beginning of the 1985 file* When the sector comes on the screen, examine the
first four bytes. The first two are links to the next sector of the file. The
next two are the address bytes in reverse order ($0A00). We know our changes
are in memory block $0A00 so we are in the proper block to make our changes.
This block turned out to be track 17, sector 4 on our version. Yours could be
in a different location on the disk, but the idea will be the same.
E/ Using the cursor key to move through the code, we find the original three
bytes 19 8E E8 at location 155. The change to 7E Dl 08 can be accomplished with
the § key. The changes must be the decimal equivilant. These are 126 209 08.
Change each byte by placing the cursor over the byte to be changed, and type @
and the the decimal number change. Hit RETURN when the change is made to lock
it in. When all three bytes are changed, continue searching with the cursor for
the 8A byte. This can be found at position 185. Using the same change
procedure, change it to a decimal 38 ($26). When all changes have been made and
locked in, press C to copy the sector back to the disk.
7/ You now have a copy that can be fast copied. The placement of data on the
disk in methods other than directory files will not allow you to file copy. One
other point of interest is the fast loader installed in many pieces of this
publisher's software. This fast loader is NOT compatible with the 1571 disk
&civ%> In many (but not all) of the programs, you may disable the fast loader
and allow the program to load on the 1571 by changing the jump to the main
program in the autoboot. Fireworks Kit will work by doing this. Just change
the 3D 0C CJMP 0C3D) to 5F 0C (use DISK Doctor and the decimal equivi lents) .
This will bypass the fastloader and the logo screen. A small price to pay for
the 1571 owners.
KRACKER JAX REVEALED PAGE C-8
< < < PROGRAM! RINGS OF Z1LF1N <> PUBLISHER: S.S.I. > > >
Procedure:
Loading the original produces a rattle free load, and an error scanner shows
no standard errors. A backup made with Three Minute Backup produces a
non-working copy. A nibbled backup produces the same non-working copy. Before
starting to work on this program, please make a (non-working) backup of the
original, and a disk log to log the file addresses.
Working with your backup:
1/ Turn off your computer and insert your reset button assembly into the
cartridge port. Turn the computer on again. Load the backup disk
<> LOAD tt * tt ,8,l <>. Hit RETURN and the program will autoboot, Let the load
continue untill the screen turns black and the drive comes to a stop. The
program has failed protection and has "crashed".
2/ "Hit the reset button to return the system back to normal. Remove the
backup, and insert your utility disk in the drive. Load the $C000 monitior
<> LOAD "49152*, 8,1 <> and sys it in by typing SYS 49152 and hit RETURN* When
the monitor comes up, use the INTERPERET command to search memory for any drive
commands. Start your search at the beginning of BASIC memory (I 0801).
Scrolling down through memory, keep your attention on the left side of your
screen. When you come to the memory at $6FDE, you'll find a B-E (Block Execute)
and a M-R (Memory Read). This is the area of memory that contains the
protection code.
3/ Disassemble memory at $6F77 (D 6F77), and scroll slowly down through the
code. The code from $6F7A to $6FDD represents a subroutine that is called from
the main program* This code does a Block Execute from track 35 sector 10. This
means it loads that block from the program disk into the disk drive memory and
executes that routine. At the completion of the routine, the code returns to
computer RAM and resumes operation. Upon it's return, a Memory Read of the
drive memory is done, looking for a single byte placed in drive memory by the
protection check. This byte is transfered from the drive to computer RAM
location $6FDD and is then compared to an $FF. If the byte is not an $FF, the
code is directed to an endless loop. if it is an $FF, the code continues until
a JUMP FFC3 is encoutered. Because the kernal routine FFC3 has been acessed by
a JUMP and not a JSR, it forces an RTS in the code flow. This RTS returns the
protection check to the main program.
4/ Defeating this protection scheme is simple. We can place a RTS at the
beginning of the routine. This will short circuit the protection check
completely by sending the program flow back to the code that called for it
originally. Before changing code, let's find out which file contains the
protection check. Looking over the disk log, we find that the file P99 is the
only likely candidate. The starting address is $6000 and the ending address is
$6FF4. Remove your utility disk from the drive and again insert the backup in
it's place. Double check the file by loading P99 directly from the backup
<> L n P99 n ,08 <> . Again disassemble code around $6F7A (D 6F7A) and make sure
this file is the correct one that has the protection check. When satisfied, use
the MEMORY command to change the byte at the address $6F7A (M 6F7A) to a 60.
KM£KES J AX SEVEALED PAGE C-10
Now scratch and save this file to your backup. Remember to add one byte to the
ending address, <> S *§0:P99 W ,08,6000, 6FF5 <>.
5/ Your backup is now completely broken. It can be fast copied and, because
we have forced the program to not use the protection check, it can even be file
copied. Remember, the Block Execute (which now is not used) accesses a specific
spot on the disk, and is not picked up by directory files. Finally, note the
name placed on the diskette directory. YouMl find it on many programs. Now
you know the secret of XEHAG 2.0 protection.
KRACKER J AX REVEALED PAGE D-l
< < < INTRODUCTION: PROTECTION SCHEME TYPE D > > >
When this protection scheme was first introduced, the copy programs available
were unable to backup any software that used it. Most of the nibble utilities
on the market today have the capability of producing a backup. This scheme is
usually referred to as the "long sector"- The following similarities are
characteristic of this protection. A nibble utility can back up the title,
while a fast copier can't. The load is rattle free and smooth. An error scan
produces a number twenty read error on the last sector of any particular track.
This protection is based on placing an extra sector on any chosen track
(sometimes more than one track) on the original disk. This sector contains one
block of valid program data. A non-nibbler or file copy utility will not pick
up this sector, because it is not standard disk format. This will prevent the
program from operating properly. Our job in each of the following programs will
be to gather the block of data and place it in the program at the proper
location.
The protection itself is nothing more than a special Block Read set up to read
the non-standard block of data. The routine almost always starts out as an
encrypted block. This block begins as a decryption routine that decrypts one
block of data. This, in turn, reveals a protection check that does nothing more
than read in the long sector and place that long sector data directly over
itself. By doing this, the valid code completly hides the protection check
itself.
Recognizing the decryption routine is the best way to locate the protection
check. Once located, we will start the routine up and let it gather the data we
need to break the title. Then a simple memory save is all that's needed to
complete the job.
The benefit of breaking the programs using this protection scheme is the fact
that almost all of them are file copiable afterwards. This means they can be
placed on a disk with other programs.
Please note that this protection scheme is very important to understand. The
reason for this is the fact that there is a new scheme now on the market that
very closely resembles it (at least in the break method). This new scheme is
NOT copiable by any nibble utility and must be hand broken. YouM 1 find this
new scheme discussed in the next chapter.
KRACKER JAX REVEALED PAGE D-2
< < < PROGRAM: IMPOSSIBLE MISSION <> PUBLISHER: EPYX > > >
Procedure:
Loading the original produces a rattle free load, and an error scan shows a
number twenty error on track 16, sector 20. A backup made with Three Minute
Backup provides a non-working backup. Nibble utilities are capable of providing
a backup. Loading the backup results in a load that stalls rather quickly. We
can assume the protection is in the loader file* Before starting to work on
this title, please, make a Three Minute backup and do a disk log (print-out is
best)*
Working with your original;
1/ Turn off your computer and insert your reset button assembly into the
cartridge port. Turn the computer on again and, from the utility disk, load the
$8000 monitor <> LOAD "32768", 6, 1 <>. Sys the monitor in with SYS 32768 and hit
RETURN. Let's begin by loading and inspecting the boot file
<> L "RUN ME", 08 <>. At the end of the load, start disassembly at $02A7
(D 02A7). Scroll down through the code and notice that the boot loads the file
LOADER <LQ*) and jumps to $B000.
2/ Load the LOADER file <> L "LO*",08 <>. Because this file resides in the
BASIC interpreter loacatidn, we must turn BASIC off before we can examine any
code. Change address iocaiion $0001 from 37 (77 on C-128) to 36 (76 on C-128).
Use the MEMORY command. (M 0001) to make your change, When the change has been
made, we can inspect the code beginning at $B000.
3/ Disassemble starting at $B000 CD B000) and inspect the code from $B000 to
B00F. This is a decryption routine and is the heart of this protection scheme,
as discussed in the introduction. Our job will be to trade the protection code
for the val.id program code. Believe it or not, this is the easy part.
4/ Make sure you have a write protect on your ORIGINAL and that the original
is in the disk drive. Start the program working by typing GO B000 and hit
RETURN. The drive shouid start up and, a few moments later, the screen should
change colors. At this point, reset your computer and turn the disk drive off
and on again. Resys the monitor back in (SYS 32768) and again turn off BASIC as
described above. Disassemble code at SB000 (D B000) again and note that the
code has, indeed, changed. The encrypted code has been replaced with loader
code. All that's left now is to save the file back to the backup.
Working! with your backup:
5/ Checking the disk log provides the start and ending addresses <$B000-$B1A2)
ot the LOADER file. When saving it, be sure to add one byte to the end address
<> S tt ©0:LOADER M ,08,B000,BlA3 <>.
6/ Your backup is now protection free and may be file copied. One small
problem remains. That is the directory. The repair for this is simple. Using
the Name/Id Changer on the utility disk, change the disk name AND the ID number.
You must use five figures when' changing the ID number. For example, you could
name the disk IMPOSSIBLE and renumber it IM 2A. When this is completed, your
break will be complete and even the directory can be viewed.
KR ACKER J AX REVEALED PAGE D-3
< < < PROGRAM; BREAK DANCE <> PUBLISHERS EPYX > > >
Procedure:
Loading the original produces a rattle free load, and an error scan shows a
number twenty error on track 16, sector 20 and track 15, sector 20. A backup
made with Three Minute Backup provides a non-working backup* Nibble utilities
are capable of providing a backup. Before starting to work on this title,
please make a Three Minute backup and do a disk log (print-out is best).
Working with your original:
1/ Turn off your computer and insert the reset assembly into the cartridge
port. Turn your computer on again. From your utility disk, load the $8000
monitor <> LOAD n 32768 n ,8,1 <>, Now, type NEW, and hit RETURN. When loading
the boot file on this disk, it will autoboot and continue running. In order to
inspect it, here's a trick to use. We're going to load the autoboot into BASIC
memory for 1 the purposes of inspection. Load the boot file this way:
<> LOAD "BOOT", 8 <>. When the load is complete (you may have to hit
RUNSTOP/RESTQRE), sys the monitor in with SYS 32768 and hit RETURN. You can now
find the boot file in BASIC memory at $0801. Interpret memory and scroll down
from $0801 (I 0801). Notice the INTRO. Disassembly of memory at $0801 (D 0801)
and scrolling down reveals a loader file that loads the INTRO file and jumps to
$2015.
2/ Load the INTRO file <> L "INTRO", 08 <>. Start by disassembling memory at
$2015 (D 2015). Scroll down through memory, and at $201A note the JSR $26B9.
Disassemble $26B9 (D 26B9). Here we find the decryption routine that is the
heart of this protection scheme. Refer to the Introduction for general
information on this. Our task is to replace the encrypted data with valid
program data. This is relatively easy. Be sure you have a write protect on
your original and that the ORIGINAL is in the drive. Type GO 26B9 to start the
program up. The drive will run for a short time, and then stall. When the
drive stops, reset the computer and resys the monitor back in (SYS 32768).
Disassemble memory at $26B9 again and notice that the code has indeed changed.
This is the valid program code we needed for the break.
Working with your backup:
3/ Now, all that's left is to save the retrieved data back to the backup.
Checking the disk log provides the start and end addresses of $2000-2A00. Be
sure to add one byte to the end address and save it to the backup
<> S "@0; INTRO", 08, 2000, 2A01 <>.
4/ Turn the computer off and on, and boot up your backup. It should load past
the point that it loaded before our break. Unf ortunatly, It still refuses to
load fully. Remember, we did find two seperate number twenty errors on the
original. We have disabled half of the protection, now let's do the rest.
5/ Reload the $8000 monitor <> LOAD "32768", 8, 1 <>. Sys it in with SYS 32768.
From the half broken BACKUP, reload the INTRO file <> L "INTRO" 08 <> . Again,
start your disassembly at $2015 (D 2015), Scroll down* and try to follow the
program flow. At $2140 you'll find a JUMP $C000. Using the MEMORY command
KBACKEB.JAX REVEALED
PAGE D-4
change the 4C at $2140 <M 2140) to 00 and hit RETURN. This will stop or BREAK
the program flow just before it jumps to $C000, allowing us to inspect memory in
the LOADER file. Activate the INTRO file by typing GO 2015.
6/ When the drive stops, reset the computer and reload your $8000 monitor
<> LOAD w 32768 n ,8,l <> . Sys it in with SYS 32768* Start by disassembling the
code at $C000 (D C000). You'll find a jump to $C024. Disassembly of $C024
reveals another decryption scheme. This is the second protection routine.
Working with your original:
7/ Place the original disk in the drive and Type GO C024 to start the program
up. The drive should start up and in a short time the game menu will come on
the screen. At this point, reset the computer and resys the monitor back in
with SYS 32768.
Working wiyh your backup:
8/ Checking the disk log provides us with the start and end address of the
LOADER file. Again, remember to add an exrta byte to the end address. Save it
back to your BACKUP <> S *@0 : LOADER", 08, C000,CF8i <>. When the save is complete
your backup will be completely broken. One small problem remains. The
directory cannot be read properly. To fix it easily, just use the NAME/ID
CHANGER on your utility disk. Be sure to use five figures when you give it a
new ID number. For example, you could name it BREAK DANCE and renumber it
BD 2A.
KR ACKER J AX REVEALED PAGE D-5
< < < PROGRAM; F1TSTQP II <> PUBLISHER: EPYX > > >
Procedure:
Loading the original produces a rattle free load, and an error scan shows a
number twenty error on track 16, sector 20. A backup made with Three Minute
Backup provides a non-working backup. Nibble utilities are capable of providing
a backup. Before starting to work on this title, please make a Three Minute
backup, format a blank work disk, and do a disk log (print-out is best).
Working with your original:
1/ Turn off your computer and insert your reset button assembly into the
cartridge port. Turn the computer on again and, from the utility disk, load the
$C000 monitor <> LOAD "49152" ,8, i <>, Sys the monitor in with SYS 49152 and hit
RETURN. Let's begin by loading and inspecting the boot file
<> L "PITSTOP",08 <>. At the end of the load, start disassembly at $02A7
(D 02A7). Scroll down through the code and notice that the boot loads the file
RUN ME and jumps to $0820.
2/ Load the RUN ME file <> L "RUN ME", 08 <> . Disassemble memory starting at
$0820 (D 0820) and scroll down through the code. This file loads all game files
and then at $08E4 does a jump to $9403. The disk log tells us this address is
located in the PITS file. Load the PITS file <> L "PITS n ,08 <>. When the load
is complete, we can start our inspection at $9403.
3/ Because this file occupies memory in the BASIC interpreter ($A000-$BFFF) ,
we have to turn BASIC off. This can be accomplished by changing $0001 from a 37
(77 on the C-128) to a 36 (76 on the C-128). Use the MEMORY command to make
your changes (M 0001). When done, start disassembly at $9403 (D 9403). You'll
find a decrytion scheme at this location ($9403-$9412) that is the heart of this
protection scheme (see the Introduction). Make sure your ORIGINAL has a write
protect tab on it and is in the drive. Start the program working by typing
G 9403 and hit RETURN. The drive should start up and a few moments later, the
game menu should come on the screen. At this point, reset your computer and
remove the original disk from the drive. From the utility disk, reboot the
$C000 monitor and sys it in again (SYS 49152). Again turn off BASIC, Now place
your formated work disk in the drive and save the changed code from $9403-$9512
<> S "SECTOR", 08, 9403,9512 " <>. When the save is complete, remove the work
disk from the drive.
Working with your backup:
4. Complete the break by following the steps below.
A- Reset the computer. Place your backup in the drive and scratch the PITS
file <> OPEN15,8,15,"S0:PITS" <>. Resys the monitor back in (SYS 49152).
B- From the original disk, load the PITS file <> L "PITS", 08 <>.
C- From the work disk, load the saved SECTOR file <> L "SECTOR", 08 <>. This
will lay the code retrieved from the break process over the encrypted
KSACKER JAX REVEALED PAGE D-6
protection check code*
D- Turn off BASIC again as described above.
E- Place your backup in the drive and save the PITS file now in memory
<> S tt PITS n ,08,1000,C000 <>.
5/ Your Backup is now broken. All that's left is to repair the directory.
This can be accomplished easily with the NAME/ID CHANGER on the utility disk.
Be sure to use five figures in the new ID number- For example, you could name
the disk PITSTOP and renumber it PS-I1. When this is complete, you can view the
directory and file copy this title.
KRACKER JAX REVEALED PAGE D-7
< < < THE BODY TRANSPARENT <> PUBLISHER: DES1GNWARE > > >
Procedure:
Loading the original produces a rattie free load, and an error scan shows a
number twenty error on track 32, sector 16. A backup made with Three Minute
Backup provides a non-working backup. Nibble utilities are capable of providing
a backup. Before starting to work on this title, please make a Three Minute
Backup, and do a disk log (print-out is best).
Working with your backup;
1/ Let's begin our break by preparing the backup to receive the changes we
will be making. From your utility disk, load the NAME/ID Changer and rename and
re-ID your backup. Be sure to use five figures in the new ID. For example, you
could name the backup BODY TRANS and number it BT-2A. This will make the
directory 1 istabie.
2/ Because this program does not use directory files to store information, we
run the risk of overwriting program code when we save our changes to the backup.
There is a sure way to avoid this. That is to allocate or use all availabe
blocks in the BAM. What we are going to do is fool the drive into believing
that there are no blocks free on the disk. When we scratch a file* the blocks
used by THAT file will become free for use. Then when we save that file back to
the disk, they will be placed on the exact same blocks that they came from.
3/ From the utility disk, load and run DISK DR. Place the backup in the drive
and press RETURN to get to track 18, sector i. Press - to go to track 18,
sector 0* This is the BAM Sector and here is where we will allocate all blocks.
Use the cursor key to cursor to position 4 (aii references will be in decimal).
With the cursor on position 4 press the § key and then press 0. Repeat the ©
key and key untill all values from position 4 thru 71 are changed to zero.
This takes care of tracks 1 thru 17. Now cursor over to position 76 and do the
same changes from position 76 thru 143. This will take care of tracks 19 thru
35. Now, to make the changes to the disk, press R and then Y and hit RETURN.
The new BAM is now on the backup. Your backup is now ready to receive new
information. Load the directory and check it. You should have a listable
directory with zero blocks free.
Working with your original;
4/ Turn off the computer and insert the reset assembly into the cartridge
port. Turn the computer on again and load the boot file from the original
<> LOAD "DWARF", 8: <>. You can list this file and inspect it. You'll find it
loads the file called B00T2 and then a SYS 43152 ($C000).
5/ From your utility disk, load the $2000 monitor <> LOAD n 8192",8,i <>. Sys
it in with SYS 8192. Now load the B00T2 file <> L tt BOOT2 w ,08 <> and start
disassembly at $C000 (D C000). The first instruction at $C000 is a JSR to
$C028. Disassemble $C028 (D C028) and here youM I find the decryption routine
that is the heart of this protection scheme. It resides from $C028 to $C037.
The break itself is very simple* Make sure you have a write protect tab on the
ORIGINAL and that it is in the drive. Start the program by typing G C028 and
KRACKER JAX REVEALED
PAGE D-8
press RETURN. The drive will spin for a short time and then stop. At this
point, reset the computer and resys the monitor back in with SYS 8192. Again
disassemble code at *C028. You should find new code in the place of the
encrypted code. All that's left is to save this broken loader back to the
backup.
Working with your backup:
6/ Reset the computer and place your prepared backup in the drive, Scratch
the B00T2 file <> 0PEN15, 8, 15, tt S0:BOOT2 ff <> . Resys the monitor in with
SYS 8192. The disk log provides the start and end addresses of the B00T2 file.
Be sure to add one byte to the end address. With your backup in the drive, save
the B00T2 file back to the backup <> S W BOOT2*,08,C000»C151 <>,
7/ Your backup is completely broken and can now be copied with any whole disk
copier. Unf ortunatly, it remains non-file copiable because of the way the
programers set up the disk files.
KRACKER JAX REVEALED PAGE E-l
< < < INTRODUCTION: PROTECTION: SCHEME TYPE E > > >
This protection scheme is, at this writing, one of the most effective and
prevalent methods of defeating today's nibble copiers* When you know what to
look for, you'll find this scheme is being employed by many different software
houses. I like to think of this protection as the "big brother" of the long
sectors discussed in the previous section.
This scheme can be recognized by the following similarities. When a disk
error check is done, no write errors will be found on the original. When
booted, no drive rattle will be encountered. The program cannot be backed up
with either a fast copier or a nibbler. Usually, you will find data in the
directory other than normal directory data. Most important: when tracing the
program through it's loading process, you will generally run into a decryption
routine and a sector or two of encrypted code. When this encryption is located,
you can be sure it is hiding the protection check code*
Remember, I stated that a sector or two in memory will be encrypted, and that
this area in memory surely contained the protection check. Well, one other
thing needs to be mentioned. This is the fact that this encrypted memory starts
out as garbled code, then decrypts into a protection check routine and finally
after the protection check has been satisfied, is REPLACED with valid program
code. This code, as previously stated, is one or two sectors in length and can
be found anywhere on the program disk. You* 1 1 find that the directory track
(track 18) is the most likely spot. In most cases, we can let the program
insert the hidden code in it's proper place. Then a memory save and replacement
over the encrypted code in the proper file will not only defeat protection but
will totally remove the check for it.
Most of the programs protected with this scheme can be defeated with a simple
memory save, but a few have had to have some of the code re-written by hand.
This is relatively uncommon and cannot be explained in the scope of this manual.
Experience will prove to be the best teacher.
Before starting to work on the following programs, please do a disk file log
(print out is best), format a blank work disk, and have a (non-working) backup
available. Please make sure you have a write protect tab on your original
program disk as you will be using it in the breaking process. Now let's get on
to the specifics.
KRACKER JAX REVEALED PAGE E-2
< < < PROGRAM: INFILTRATOR <> PUBLISHER: H1NDSCAPE > > >
Procedure:
Loading the original produces a rattle free load, and an error scan shows no
standard errors. A backup made with Three Minute Backup provides a non-working
backup. Nibble utilities also provide a non-working backup. Loading the backup
results in a load that stalls rather quickly. We can assume the protection is
in the loader file. Before starting to work on this title, please make a backup
(non-working) and a disk log (printout is best).
Working with your original:
1/ Place a write protect tab on your original to protect it during the
breaking process.
2/ Turn off your computer and insert the reset assembly into the cartridge
port. Turn your computer on again. From your utility disk, load the $C000
monitor <> LOAD "49152* ,8,1 <>. When the load is complete, sys the monitor in
with SYS 49152* When loading the boot file on this disk, it will autoboot and
continue running. In order to inspect it, here's a trick to use. We're going
to load the autoboot in BASIC memory for the purposes of inspection. With the
monitor active, type X and hit RETURN. You are now back to BASIC. Type NEW and
hit RETURN. Now load the boot file this way: <> LOAD n INFILT n , 8 <>. When the
load is complete, return to the monitor by hitting RUNSTOP/RESTORE. Then resys
the monitor back in with SYS 49152. You can now find the boot file in BASIC
memory at $0801. Interperet memory and scroll down from $0801 (I 0801). Notice
the INTRO. Disassembly of memory at $0801 (D 0801) and scrolling down reveals a
loader file at $082D~$0854. This loader loads the INTRO file and jumps to
$0880.
3/ Load the INTRO file <> L "INTRO", 08 <>. When the load is complete,
disassemble memory at $0880 (D 0880). Scroll down through memory to $089A.
YouMl find a JSR 0A25. Disassemble $0A25 (D 0A25) and scroll down to $0A25.
Here you'll find a JSR 0C18. Disassemble $0C18 (D 0C18) and notice that we have
just run into a decryption routine. Inspect this routine because this is the
heart of this protection scheme. Scroll down through the code and notice that
it is garbled for about one sector ($0C18-$0D18) . As mentioned in the
introduction, this code is an encrypted protection scheme that will decrypt into
a protection checker and then load valid program code over itself. This will
not only allow the program to operate properly, but will also hide the
protection code from the curious.
4/ The break is fairly simple now that we know where the protection is. Start
the program code up by typing G 0C18 and hit RETURN. The drive should start up
and run for a short time. When the drive stops, turn the drive OFF and ON again
and reset the computer with your reset button. Restart the monitor by again
typing SYS 49152 an hit RETURN. Now go back and disassemble code at $0C16 again
(D 0C18). Surprise; the code has changed into good code. To get an idea what
is there, interperet memory at $0C1S (I 0C18) and scroll down through memory.
YouMl see that this is the completion of the loader file. All the data needed
to run the loader file properly is now in memory. Ail that is left to do is
replace the INTRO file on the disk with the INTRO file NOW in memory. This can
KIACKER J AX REVEALED PAGE E-3
be accomplished with a small memory save. From the disk log, we know that the
INTRO file starts at $0880 and ends at *16C3. Remove the original disk from the
drive and insert your backup in it's place. Replace the INTRO file now in
memory with the one now on your disk. Remember to add one byte to the ending
address <> S n @0: INTRO?, 08, 0880, 16C4 <>.
5/ Your backup is now broken and will not even check for protection. For
those wishing to look at the protection check code, redo the steps above but
when you type G 0C18, reset the computer in about one second. If the drive is
allowed to run more than a moment or two, the protection code will be hidden.
KBACKER J AX REVEALED PAGE E-4
< < < PROGRAM: BOP 'N WRESTLE <> PUBLISHER: H1NDSCAPE > > >
Procedure;
Loading the original produces a rattle free load, and an error scan shows no
standard errors, A backup made with Three Minute Backup provides a non-working
backup. Nibble utilities also provide a non-working backup. Before starting to
work on this title, please make a backup (non-Working), format a blank disk, and
do a disk log (printout is best).
Working with your original:
1/ Make sure a write protect tab is on your original to protect it during the
breaking process.
2/ Turn off your computer and insert the reset assembly into the cartridge
port. Turn your computer on again. From your utility disk, load the $2000
monitor <> LOAD n 8192 w ,8,1 <>. When the load is complete, sys the monitor in
with SYS 8192. When loading the boot file on this disk, it will autoboot and
continue running* In order to inspect it, here's a trick to use. We're going
to load the autoboot in BASIC memory for the purposes of inspection* With the
monitor active, type X and hit RETURN. You are now back to BASIC. Type NEW and
hit RETURN. Now load the boot file this way: <> LOAD ff B n ,8 <>. When the load
is complete, return to the monitor by hitting' RUNSTOP/RESTORE then resys the
monitor back in with SYS 8192. You can now find the boot file in BASIC memory
at $0801. Interperet memory and scroll down from $0801 (I 0801). Notice the
B0P1. Disassembly of memory at $0801 (D 0801) and scrolling down reveals a
loader file at $082D-$0854. This loader loads the BOPi file and jumps to $0816.
3/ Load the BOPI file <> L tt BOPl n ,08 <>. When the load is complete,
disassemble memory at $0816 (D 0816). Scroll down through memory to $0889.
You'll find a JMP C000. Using the MEMORY command (M 0889), place a 00 (BRK) at
$0889. If we start the code running from $0816 it will execute and stop just
before it would have jumped to $C000. We can then disassemble memory at $C000
and trace the program flow. Use the GO command to execute this code (G 0816).
4/ The load will resume and the LOGO file and LOADALL file will be loaded.
When the program stalls, reset out and reboot your monitor from the utility disk
<> L0AD t, 8192 tt ,8, 1 <>. When the load is complete, sys the monitor in with
SYS 8192. Disassemble code at $C000 (D C000) now and scroll down through
memory. You'll find a very long loader file. When you reach the code at $C27A
you'll find a JMP C3FD. Disassembly of C3FD shows no valid code so this is a
likely spot to place another break in the program flow. Using the MEMORY
command (M C27A), place a 00 (BRK) at $C27A. Now restart the program with
another GO command (G C000). When the program stalls out, reset the computer
again and reload and activate your 2000 monitor <> L0AD"8192 n , 8, 1 <>. Now we
can disassemble memory at $C3FD and again follow the program flow (D C3FD).
This returns a JMP to 0840. Disassembly of memory at $0B40 reveals the
decryption code that we discussed in the introduction. This is the heart of
this protection scheme.
5/ Let's execute the code at $0B40. Make sure your original is in the drive.
Start up the code with G 0B40. The drive should start up and soon stall again.
KIACKEfi JAX REVEALED PAGE E-5
Reset out, resys your monitor in (SYS 49152), and disassemble code again
starting at $0B40. You ? i 1 now find different code. Remove the original copy
and place your formated work disk in the drive. We can now save this new code
to our work disk <> S "CODE", 08, 0B40,0C52 <>.
Working with your backup:
6/ We now have the code necessary to break this, title. Now we have to place
it on the disk in the proper spot. Checking the disk log, we find the files
LOGO, BNK12A, TITLE, and BOPi all have the correct addressing to be likely
places for this file. We must load and check in each one with our monitor the
address $0B40. The file BNK12A turns out to be the correct file. Now all that
is left is to place our changed code over the original code. Because BNK128
begins in screen memory, we will have to pull a few tricks out of the bag to
replace our revised code. Remember, this file starts in screen memory, and we
can't save screen memory properly. Follow these steps and try to reason them
out as we go through them.
A- Load DISK DR from your utility disk. When the cursor reappears, type RUN
and hit RETURN. Place your backup in the drve and hit RETURN. You* 1 1 be
shown track 18, sector 1. The jump link to the BNH12A file is at position
195. Cursor over to position 195 and hit the J key. You will be taken to
the first sector in the file. The first four bytes in the file are the
pointer bytes. We want to change the program address from $0400 to $0900,
so cursor over to position 3 and hit the @ key. Now, hit the 9 and press
RETURN. Hit the R key to make the change to the backup.
B- Reset the computer and load the $C000 moniter from your utility disk
<>L0AD n 49i52*,8, 1 <>. Sys it in with SYS 49152. Now, from your formated
disk, load the CODE file <> L"CODE W ,08 <>. We now will transfer it to a
holding spot in memory, for later use <> T 0B40 0C50 7B40. This will send
the code to $7B40.
C- Now from the BACKUP load the altered file BND128 <> L *BND128",08 <>.
Remember, it will now load five sectors ahead of it's normal spot (from
$0400 to $0900). When the load is complete, disassemble the code at
$1040. Again here is our decryption routine.
D- Transfer the code we placed at $7B40 to its proper place in the altered
file <> T 7B40 7C50 1040 <>. When the cursor reappears, check the code at
$1040. It should now contain the new code we saved from the break.
E- Save the altered file back to the backup <> S "@0;BNK12A n , 08,0900,6101 <>.
Note we are adding five sectors to every address, plus one byte to the end
address.
F- Now all that f s left is to change the file address back to $0400. Follow
the same procedure as in step 6a, except change the address pointer from
an 09 to an 04.
7/ You now have a completely broken copy. The protection scheme has been
totaly wiped out.
PACKER JAX REVEALED _ PAGE E-6
< < < PROGRAM: PRINT SHOP COMPANION <> PUBLISHER; BBQDERBUMD > > >
Procedure:
Loading the original produces a rattle free load, and an error scan shows no
standard errors. A backup made with Three Minute Backup provides a non-working
backup. Nibble utilities also provide a non-working backup* Before starting to
work on this title, please make a backup (non-working) of both sides, and do a
disk log (printout is best),
I must admit that this program was fairly difficult to trace through the
loading sequence. After several tries, it was time to reason the situation out.
Watching the backup load a few times lit up the old mental light bulb. The load
seemed complete; the only problem were the ICONS on the first menu screen. They
were there, but non-operative. Checking the directory provided the file I felt
deserved immediate attention.
Working with the original:
1/ Make sure to place write protect tabs on the original to protect it during
the breaking process.
2/ Turn the computer off and insert your reset assembly into the cartridge
port. Turn the computer on again and from your utility disk, load the $C000
monitor <> LOAD t, C000 w ,8, 1 <>. Sys the moniter in with SYS 49152. Remove the
utility disk from the drive and replace it with your original (Side A). Load
the file ICONS <> L "ICONS", 08 <>. The disk log tells us this file resides at
$6000 in memory, so let's start our disassembly at $6000 (D 6000). Cursor down
through memory and notice the decryption scheme at $6005-$6012* Remember from
the introduction, this is the heart of this protection scheme.
3/ Let's execute the code at the beginning of the decryption scheme. Start it
working with G 6005. The drive should start up, and in a short time, stall
again. Reset the computer and resys the monitor back in with SYS 49152.
Disassemble memory at $6000 again. Cursor down through memory and notice the
code HAS changed. We now have all the data neccesary in memory to break this
program. Let's save our altered ICONS file back to the backup.
Working with your backups
4/ Checking the disk log shows that the ICONS file starts at $6000 and ends at
$69AD in memory. With the backup in the drive, save the ICONS file, remembering
to add one byte to the end address <> S "§0: ICONS", 08, 6000, 69AE <>. Now turn
the disk over and save the file to Side B as well.
5/ You may now load and check your backup. You' 1 1 find it to be completely
broken, and now it can even be fast copied. For those who want to see the
actual protection check, you can go back through the same steps as before. When
you do the G 6005, just reset out after about ONE second. If the drive is
allowed to run, it will pick up the break data from the original, and hide the
protection check in memory.
KRACKER JAX REVEALED _ pAgg £ „ ?
< < < PROGRAM: BANK STREET SPELLER <> PUBLISHER; BRQDERBUND > > >
Procedure:
Loading the original produces a rattle free load, and an error scan shows no
standard errors. A backup made with Three Minute Backup provides a non-working
backup* Nibble utilities also provide a non-working backup- Before starting to
work on this title, please make a backup (non-working), and do a disk log
(printout is best).
Working with the original:
1/ Make sure to place a write protect tab on the original to protect it during
the breaking process.
2/ Turn the computer off and insert your reset assembly into the cartridge
port. Turn the computer on again and from your utility disk, load the $C000
monitor <> LOAD ff C000 tt ,8, i <>. Sys the monitor in with SYS 49152. Remove the
utility disk from the drive and replace it with your original. Load the boot
file BSS <> L "BSS"^ <>. Using the disk log to guide us, let's disassemble
memory at $02C4 (D 02C4). Cursor down through memory and notice the loader
loads the file BSSL and does a jump to $7000. Let's load the BSSL file
ourselves and follow the load sequence <> L "BSSL", 08 <>.
3/ When the drive stops, disassemble memory at $7000 (D 7000). Cursor down
through memory, and inspect the long loader file that loads in the entire
program and the jumps to the start address. At the address $20C7 you' 1 1 find a
JMP 0803. Using the MEMORY command (M 70C7) type a 00 over the 4C and hit
RETURN. This will allow the loader to operate, and, when done, will BREAK just
before the jump to $0803. We can then follow the program flow, beginning at
$0803. Start the loader execution by doing a GO 7000 (G 7000). The drive will
start up and the files will appear on the screen as they are being loaded. When
the drive finally stops, reset the computer and re-sys the monitor back in (SYS
49152).
4/ Now let's disassemble memory at $0803 (D 0803). The first instruction we
find is a JSR 09E1, so disassemble $09E1 (D 09E1). This disassembly reveals the
decryption scheme that is hiding the protection check. You* 1 1 find it resides
at $09E1 - $09F2. Study it closely, for it is the heart of this protection
scheme.
5/ Be sure your original disk is in the drive and start the code up by doing a
GO 09E1 (G 09E1). The drive will start up and in a few seconds will stall
again. Again, reset the computer and resys the monitor in with SYS 49152.
Disassemble memory at $09Ei (D 09E1) and inspect the code again. It has changed
into valid program code. Now all that's left is to save the changed code back
to the disk.
Working with the backup;
6/ Inspection of the disk log tells us that the file BSS0 is the likely
candidate to contain the protection code. You may , as we did, load BSS0 and
inspect the proper addresses to ensure our save is to the proper file. Then,
KMCKE1 J AX REVEALED PAGE E-8
when satisfied, just redo step five and, when the code has been replaced again,
save the file back to your BACKUP disk. The disk log tells us the file resides
for $0800-$1600, Be sure to add one byte to the end address
<> S n @0:BSS0 w ,08,0800 ? 160i <>.
7/ When this save is complete, your backup will be completely broken, and
be copied with any fast copier. For those who want to inspect the protection
code, just load in the BSS0 file and do a GO to 09E1. After about one second,
reset out and resys the monitor in and inspect that memory area* You'll find
the protection code intact. If you allow the drive to run for long, the
protection code will be replaced by valid program code.
KttACKEB JAX REVEALED
< < < MACHIN1 LANGUAGE MOtHTOR COMMANDS > > >
Assemble
Compare-
Disassemble-
Fill
Go
Hunt
Interpret— -
Registers
Save
Load
Transfer
Exit/Basic—
A aaaa ooo xxx
C ssss eeee ssss
D ssss (eeee)
F ssss eeee xx
G aaaa
H ssss eeee xx
I ssss (eeee)
R
S "file name", 08, ssss, eeee+i
L "file name", 08
T ssss eeee nnnn
X
a = address
o = opcode
x = bytes
() = optional
s = start address
e = end address
n = new address
< < < DISK D#CTQR CQMMAMDS > > >
© - Change Byte
+ = Scan Forward
n - Next Block
j = Jump to Link
b = New Block
r = Rewrite Block
s = Swap Disks
Q =Quit
t = Text Mode
- = Scan Back
N = Previous Block
J = Previous Link
B = Last Block
c = Copy Block
p = Print Block
Return
Clear = Renew the current sector display*
Home = Position the cursor over position 0.
Cursor Keys = Position the cursor R/L or U/D.
Position the cursor over the first byte of the next line*
< < < BOOKS FOB FURTHER READ IMG > > >
Commodore 1541 Disk Drive Owners Manual (c) Com®odore Business Machines
Commodore 64 Programmer's Reference Guide . . . . . <c) Commodore Business Machines
Inside Commodore Dos < c) Reston Publishing Co.
Machine Language For Beginners (c) Compute! Books Publication
Mapping The Commodore 64 (c) Compute! Books Publ ication
Program Protection Manual (Vol i & 2) For The C-64 (c) CSM Software Inc.
KIAC&ER JAX REVEALED
< < < MACHINE LANGUAGE HOW i TOR COMMANDS > > >
Assemble
Compare
Disasserable-
Fill
Go
Hunt
Interpret
Registers
Save
Load
Transfer
Exit/Basic—
A aaaa ooo xxx
C ssss eeee ssss
ssss (eeee)
F ssss eeee xx
G aaaa
H ssss eeee xx
1 ssss <eeee)
R
S M file name",&8, ssss, eeee+1
L "file name*, 08
T ssss eeee nnnn
X
a =
address
o =
opcode
x =
bytes
() =
optional
s =
start address
e ~
end address
n =
new address
< < < DISK DOCTOR COMMANDS > > >
Q x Change Byte
+ = Scan Forward
n = Next Block
j = Jump to Link
b = New Block
r s Rewrite Block
s = Swap Disks
Q -Quit
t = Text Mode
- = Scan Back
N * Previous Block
J - Previous Link
B = Last Block
c = Copy Block
p = Print Block
Clear 2 Renew the current sector display.
Home = Position the cursor over position 0.
Cursor Keys = Position the cursor R/L or U/D.
Return = Position the cursor over the first byte of the next line.
< < < BOOKS FOR FURTHER READING > > >
Commodore 1541 Disk Drive Owners Manual (c) Commodore Business Machines
Commodore 64 Programmer's Reference Guide (c) Commodore Business Machines
Inside Commodore Dos . .. (c) Reston Publishing Co.
Machine Language For Beginners (c) Compute! Books Publication
Mapping The Commodore 64 (c) Compute! Books Publication
Program Protection Manual (Vol 1 & 2) For The C-64 (c) CSM Software Inc.
KRACKER J AX REVEALED
< < < KRACKER J AX REVEALED > > >
< Copyright 1986 Kracker Jax Protection Busters <> All Rights Reserved >
Thank you for your purchase of Kracker Jax Revealed. This manual is the
product of countless hours of investigation, writing, and rewriting. I'd like
to thank my family - especially Hope, my computer widow - for their patience
while staring at my back*
I hope this manual provides you with the spark to fire your own curiosity.
Remember, as you go through the tutorials provided, that they are the
culmination of hours of hunt and search. What appears easy now was hidden and
difficult the first time through. Each protection scheme is a puzzle waiting to
be unraveled. Only the most inquisitive and curious will succeed.
Keep this in mind as you try new schemes. No rules apply, anything goes.
What worked before may or may not work now. It's you against the protection
programmers, and they play to win.
< < < LIMITED WARRANTY > > >
We have attemped to assure that this manual, along with the software and
hardware, works as specified. We would appreciate receiving notice of any
errors you may find.
Neither the author nor any distributor of this product will be liable for any
damages which may be a result of errors or omisions, use or misuse of this
product. Should there be any defects in the software provided in this package,
we will replace the defective diskette within 90 days from the date of purchase.
You will find our software unprotected, and are encouraged to make a back up for
your own use.
Important Notice: This instructional material has been written for educational
and archival purposes only. You are advised that the Federal Copyright Law
allows you the right to back up, for archival purposes, any computer program you
have purchased. Any other use could be unlawful and is not advised nor
encouraged. By using this product, you agree to be bound by the terms of this
notice.
THE FOLLOWING TITLES ARE REGISTERED TRADEMARKS OF THE FIRMS LISTED BELOW.
Title Bout, Superbowl Sunday, Gulf Strike Avalon Hill.
Pitstop II, Break Dance, Impossible Mission Epyx.
Print Shop Companion, Bankstreet Speller Broderbund.
Countdown To Shutdown, Web Dimension, Fireworks Kit Activision.
Infiltrator, Bop 'N Wrestle , Mindscape.
Creative Contraptions Bantam Software.
The Body Transparent Designware.
The Rings of Zilfin • S.S.I.
Tapper Bally Midway.
Buckaroo Banzai Adventure International .
Sargon III Hayden Software.
The Slugger Mastertronics.
Comments
Post a Comment
Leave your comments.. Everything posted is the truth and it took decades to unravel.