r57 1 R13 ************************ * The Cracker Handbook * ************************ by DARTH WADER Lord of the SITH --------------------------------------- This Handbook will permit you to crack a game in a few "easy" steps. The protection that I am going to deal with are from the most trivial to the most complicated mind-boggling ... ok, fasten you seat belts and let's go ... --------------------------------------- Basic material to have : *2 monitors: 1 loading at $c000:49152 1 loading at lower in ram (so you have virtually a monitor to disassemble everything in mem : if you have a machine language (m.l.)prg that loads at $c000 then you could use the monitor that is loaded between the adress $0801 and $a000 and not be bothered to load and relocate it somewhere else where it will not damage the functionning of the monitor.). -The ultimate monitor is the one furni shed with the Final Cartridge, you can disassemble from $0000 to $ffff without any fears and tears.(the moni tor resides outside the normal cbm rom/ram system ) - The monitors on other cartridges are are using memory and will overwrite any program placed at the same adress than them ... so : no good .... *Programming the Commodore 64: it has an expanded Kernal routines list with a complete list of how to use it. and a list of Unlisted M.L. opcodes. (the title of the book sounds childish ,not the contents...) *Mapping the c-64: may be a plus but is optional. the 2 previous books are important sincethey not only list all the INFOS (zero page adresses,what they are, all the stuff used by the internal system AND they give an explication of their use : not a 1 line explication, but a very precise explication from 3 lines to 5 pages .... definitely an asset to have. --------------------------------------- let's go cracking !!! --------------------------------------- 1) the easiest : The companies that are using these protection schemes must have been cut from the world. such schemes are used by SSI (yes IT) and few other but not worth mentioning (the one that produced the shit game HUEY ...)(and I mean it) the protection are in Basic and hidden a)hidden directory: (SSI) they play with the filenames:you do a disk directory and suddenly nothing appear on the screen, no cursor,no "ready"... and you say: My computer is dead !!! naaahh, just change the background color with poke 53281,1 and you will see the ²ä :what happened ? : they put in the disk name some characters that will change the character color of what will be printed on the screen. (like the trick with the REM statement) -another trick is when you do a list and see only one file and ended by some weird characters ::: take a monitor, load it,run it and look at the memory from $0800 you will then see the COMPLETE dir. what happened ? : when you do a disk dir. you do a list to see it. the list of the directory is treated like a basic program, it list whatever is in memory until it sees 3 following $00 bytes. The publisher have hidden somewhere in one filename of the dir 3 $00 bytes and so like in basic, it will stop showiing what is after 'em The monitor bypasses the Basic LIST routine. You can have 100 following $00 bytes, you still can look at the memory... -the disk protection: in basic:it is often a "block-read" and check for a byte. if not corresponding then: bad copy ... the basic program is really easy to understand to crack so i will no explain it. ( you can bypass it by putting a GOTO ... i.e: start of program check disk if bad disk then crash else continue let the game begin can be unlocked to be: start of prg. goto "continue" <-- disk Protection "continue" <-- let the game begin -why not simply remove the disk prot. instead of putting the goto ? -The main program may later check if the protection program is still there - some of these protection reset the disk loading vectors: preventing the use of a fast loader ... practical example: Computer ambush: :hidden directory and instaspeed basic disk protection ..(a compiled basic) -copy all the files using "fast file copY" (you get rid of the hidden dir protection). - you can see 3 !!! boots : the first calls the second,the 2nd calls the 3rd.... all of them in basic or instaspeed the protection is in the second one ok ... that's it, all one have to do is to load the 3rd boot and that will do the trick ...(delete boot1 and boot 2) rename boot 3 as boot - to run the prg. load "boot",8:run --------------------------------------- enough easy stuff !!! --------------------------------------- 2) the regular stuff : here are the few rules: a) have an overview of the protection. b) all the error checking are made by way of kernal subroutine callings so they are easy to recognise c) THE MOST IMPORTANT: Do not try to UNDERSTANT everything you are disassembling. You WILL lose a lot of time understanding a prog. subroutine that does NOT have anything to do with the protection. Or if you have found the protection subroutine, FIND what the results of the subr. ARE. (in cracking ELITE, what made me lose a LOTSA time was that I was trying to understand how LENSLOCK (you put a crystal on the screen to find a code: no crystal no code and then crash ....) was working ... my mistake !!!! ok ,let's start ... first: always try to get the starting loading adress and ending adress of everyfile on the disk. and write them down... use a monitor to do so or one of your utilities. ie: on ZOOM you do a <-#filename and you get these 2 adresses. the most important adresses are the one for the boot. get them ... there are 2 possible cases: load and run automatically load and you have to type run first case: now lets say the starting address is $033c (use of hexadecimal is easier) ok, load your monitor: try to load the boot while in monitor the format is often: .L "boot",08,starting adress found in the example: .L "boot",08,033c now, after the loading of the boot, the disk should stop and the blinking cursor appear. now dissassemble from the starting address you found to the ending a address you found. you will see some garbage code,but after a while,you can see coherent code: have a kernal table near you the format of a boot is like : load the first file load the second file ..... load the last file jump (goto) an adress... write down the adress where the program booter goes to. now you can modify the boot: by putting a rts instead of the jump address ... in the following form : load first .... load last rts (is equivalent to END in basic or STOP.) how? ok, here is a simulated monitor: .D 033c ., 033c lda #$00 ., ... (other commands) ., 0349 jmp $6000 ., 034c . .A 0349 rts (same adress as the jump) the Rts will overwrite the JMP $6000 if you want you can save the new boot from the starting adress you got earlier to the ending ad. .S "boot 2 ",08,start,ending (the format may vary from mon to mon Why a RTS ? so we still have the computer under our control, and we can disassemble after all the important files having a role in the protection have been loaded. (you see the load have been successfull when the read light of the drive is off ) sometimes a run/stop + restore is required (these boots often switch off basic...) (the final cartridge is reallyhandy...) --------------------------------------- Relocated coding technique --------------------------------------- If for any reason you want to load and modify a program such a boot somewhere safe like in the ram ($0800 to $a000), then you have to do a transposition table. let say you have a boot that loads at $033c , it is a good idea to load it at $ 133c (in ram area) so if in the boot there is a reference to : JSR 0339 you could assume that it is equivalent to JSR 1339 for your relocated prg. do you see my point ? the $133c area is your working area so keep in mind that it will be loaded at $033c , not $133c when you will really load and play the super game you are cracking (drug dealers give it such a bad meaning ) ... now save the new version of the prg under a dif. name (ex:test,booty,alpha..) now get a disk editor:run it,look for track 18 sector1 : the dir is saved there. look for the file name you just saved if not found then look at the first 2 bytes of the sector: they represent the next sector of the disk where the disk dir is stored .do that until you find something that looks like your filename. when you have found it:look at the 2 bytes preceeding the filename: they represent the track§or where the frist block of hte file are stored on the disk. go to the track & sector. and look at the 3rd and fourth byte: they represent the loading adress of the fileall you need to do is to change them to their original value: Lobyte/hibyte in my exaple : I will see 3c 13 I will change it to 3c 03 easy .... now the program will load to 033c ... that is it ... this technique is used when some protection programs are laoded in the ram under the basic rom . That is it ... (lot of words but done in a few sec.) --------------------------------------- Hexadecimal is easier to work with. can you see the difference between $033c and $133c AND 828 and 4924 ??? 828 is decimal for $033c 4924 is decimal for 133c That eases the relocated coding. --------------------------------------- now the cracking itself. you have created a new boot, loaded all,kept the adress where the boot should have jumped to after all the LOADs. ok,from that adress, disassemble: and look for what might look like a Kernal routine call. (ie: jsr $FFd5) look for jsr $FFBD, and kernal routines that input/output bytes on the data/seril port... The first hint is the JSR $FFBD in the format lda #$04 ldx #$00 ldy #$09 JSR $ffbd look at the x and Y register: they represent the names of the opened file xy = address of the name a= its lenght so if you look at the adress 0900 (my example) you should see a filename of 4 characters: This filename is used to send commands to the disk drive and load: multipurposetask routine. if you find at 0900 names like game or part1, then that is ok, but if it looks like b-r 8 0 10 10 then you have found the bugger ... The key to success is to have a Kernal table handy and not to be afraid to read it as a reference.(you dont read it as a novel ...). (the one like b-r , m-e ,etc.. are buggers ). now look at the result of the protectionchecking : 1) jump directly to the game start. no problem: you can jump pass it ie: start check disk if ok begin game will be: start jmp (goto) "now" check disk if ok "now" begin games where do I have the place to put the jump ? jump uses 3 bytes: you can overwrite the 3 first bytes of the disk protection checking. "now" is the adress of begin games : an invisible label. Why not NOP ? some games have use the area where the protections are as a constant area. :: Each op-codes of a M.L. prg. has a between 0 and 255 value. a jmp has a value, a jsr another one. A nop has a value of $ae. (double use of code: as constant and as commands..) 2) now lets look at the other aspect: the result of the disk checking are stored somewhere in memory. find the adress of the memory where they are stored. format : start check disk get 10 byte store them somwhere go game: these values are used as constant for the game: constant that will serve as parameters in the game: number of enemy space ships, color of the ships, value of the sprites, now after you have found the adress where all the bytes will be loaded: chnage the protection check: start check disk get 10 bytes store them somewhere (u know) RTS go game you have to put the rts after all the disk access have been done.(you can ove rwrite over the "go game part" now (you are still in the monitor arent you ?) (you know the adress where the protect ion starts): lets call it startad. . .G startad . you will see the drive blinking.a few noise,spin,and then stop: cursor blink ing: ready. now you must save the part where the values read by the disk are stored in for constant purpose. (it is often no more than 100 bytes for the games of broderbund). save it !!!!! did you keep the important adresses ? -where the disk read values are stored (lets call it alpha) -where the protections are .. ok, now on the list with all the file with their starting/ending adress, find the main files wich adresses are including the one of the alpha file.(in general, the file including the alpha file is the one with the protections.) ok, load the main file, with the load"main",08,01 now load the alpha load"alpha",08,01 the alpha must have overwritten a small part of the "main" file.now all you have to do is to bypass the disk checking routine (discussed earlier) and save the new version of the "main" file. that is it... what have you done ?: you have created a main file as it should be after a check, all the right datas at the right place. After you have experienced a few cracking, you will pass all the unimportant stuff, and get right to the protection: The first cracking witout doc took me 3 days (I disassembled everything) Lode runner championship: 10 mins. (I dont count the time spent to load type,and save) you have seen one, you have seen them all.... --------------------------------------- get a breathe and here comes the HEAVY LOADS !!!! --------------------------------------- 1)RAPID LOCK: they play with the track and the sectors: Wherever you load the boot, it will start automatically... psi 5 trade co 2)Pirate Buster: used in bard's tale. it plays with the internal stack.(not the public domain stuff). some few messages are worth mentioning in the boot it was programmed with TSDS and "lick my userport" 3)Custom DOS: the data are stored on disk in a very unusual way, only a different disk read can load the data (half track,fat track ... The WORKS) if the game has a lot of disk access, the the cracker should REWRITE all the routines dealing with the drive. lotsa work .... one Very very fast loading game is Koronis rift:200 blocks in 10 sec. from 0800 to d000 = hell ... to crack that you must have an above average knowledge on the technical side of the drive. the way of dealing with these games is like I said earlier: modified boot, --------------------------------------- how to deal with the isepic ... --------------------------------------- isepic is not perfect a way to prevent isepic copying is to store data in the disk drive ram ... (the isepic doesnt save them ..) so in the middle of the game the computer can look for a variable in the mem. of the drive. if nothing is found then crash...I havent found this yet... ---------------------------------------- if you have any question then send me mail, I am on many boards * DARTH WADER * Lord of the SITH 8-# UD 7: [ 64 Min. Left. ] Credit Pts: 1094 Protocol-Punter 10 Text-Files 1: 8: Text Philez A-O [UD:Punter][23 Min.][40]: