***************************************
*                                     *
*   KRAKOWICZ'S KRACKING KORNER IV    *
*                                     *
*         THE ARCADE MACHINE          *
*                                     *
* WITH NOTES ON NMI AND IDSI'S JUGGLER*
*                                     *
***************************************

AFTER A NINE-MONTH DELAY, BR0DERBUND HAS FINALLY RELEASED THE ARCADE MACHINE (A.M.). THE PROTECTION SCHEME IS A NEW CHALLENGE FOR COPIERS, SINCE IT USES THE TECHNIQUE KNOWN AS SPIRALING OR QUARTER-TRACKING, AS WELL AS THE STANDARD BR0DERBUND SYSTEM OF A NEW ADDRESS MARKER FOR EACH TRACK. AN ATTEMPT TO COPY THE DISK WITH A CONVENTIONAL NIBBLE COPIER QUICKLY REVEALS THAT TRACKS 0 AND 3-11 ARE EASILY COPIED WITH AN ADDRESS MARKER OF D5 AA 96, WHILE THE REST OF THE TRACKS ARE A MYSTERY.

PROBING INTO THE LOADER REVEALS THE FOLLOWING INFORMATION ABOUT TRACK USAGE:

TRACK       CONTENTS
-----       --------
T0/S0       PRELOADER --> 800-8FF (AS ALWAYS)
  /S1-5     LOADER --> 300-7FF
T1-2        HIRES SPLIT "BR0DERBUND" LOGO AND PROGRAM
T12-20      MAIN PROGRAM WHICH LOADS INTO 800-BFFF
T12-13.5    FOUR HALFTRACKS USED FOR QUARTER-TRACKING
T3-4        #1 SHAPE CREATOR
T5-6        #2 PATH CREATOR
T7-8        #3 GAME OPTIONS
T9-A        #4 LEVEL OPTIONS
TC-D        #5 BKGD/TITLE CREATOR
TE-F        #6 LOAD/SAVE GAME
T10-11      #7 CREATE GAME DISK
            (OPTION #8 JUMPS TO 0800 TO RUN THE GAME)

THE APPROACH TO KRACKING THIS TYPE OF PROGRAM SEEMS STRAIGHTFORWARD: LOAD THE PROGRAM INTO MEMORY, RESET IT, AND SAVE IT OUT TO DISK AS A BINARY FILE, WITH THE APPROPRIATE MEMORY MOVES. HOPEFULLY, YOU'LL LOCATE THE STARTING ADDRESS AND BE ABLE TO RUN THE BINARY FILE AT WILL. IF YOU WISH TO INCLUDE ALL OF THE ADVERTISING FOR BR0DERBUND AT THE BEGINNING, THIS WORKS. IF YOU TRY TO DELETE THE DUAL BANNER, IT CRASHES. THE REASON IS THAT MODULE SWITCHING IS VIA THE STACK -- THEY PUSH THE CORRECT LOCATION ONTO THE STACK AND DO AN RTS.
SO, UNLESS YOU HAPPEN TO KNOW THE VALUE OF THE PROGRAM COUNTER (THAT IS, EXACTLY WHAT THE ADDRESS WAS WHEN YOU STOPPED), THE STACK POINTER (S) AND THE PROCESSOR STATUS WORD (P), AND RESTORE THEM EXACTLY AS THEY WERE BEFORE THE RESET, THE PROGRAM PROBABLY WON'T RUN. ANYONE WHO TRIED TO BREAK JUGGLER FOUND THIS TO BE FRUSTRATING IN THE EXTREME, SINCE SOMETIMES THE GAME WOULD RUN ALL THE WAY THROUGH THE FIRST LEVEL BEFORE CRASHING - THE SAME TECHNIQUE WAS USED THERE, BUT WITH EVEN MORE PROTECTION.

THERE IS A HARD WAY AND AN EASY WAY TO DO EVERYTHING, AND IF YOU ARE COMPLETELY RESTRICTED TO SOFTWARE DEVICES, IT IS STILL POSSIBLE TO BREAK ARCADE MACHINE. REFERRING TO THE NIBBLE ALTERATION TECHNIQUES DESCRIBED IN THE PREVIOUS EPISODE, IT IS POSSIBLE TO LOCATE AND ALTER THE GAME LOADER SO THAT IT HALTS WITH CONDITIONS WELL DEFINED AFTER THE ENTIRE PROGRAM IS IN MEMORY. IF IT IS YOUR PURPOSE IN LIFE TO LEARN AS MUCH AS YOU POSSIBLY CAN ABOUT DISK PROTECTION SCHEMES AND THE CIRCUMVENTION THEREOF (ONLY A FEW REALLY CRAZY PEOPLE ARE SO INCLINED), THIS IS REWARDING. IF YOU ARE INTERESTED IN PREPARING AN UNPROTECTED VERSION OF THE GAME WITH MINIMUM ADVERTISING AND MINIMUM EFFORT, HOWEVER, THERE IS AN EASIER WAY. THIS SOLUTION IS ELEGANT, BUT REQUIRES A VISIT TO THAT GOD OF THE UNDERWORLD =>HARDWARE<=.

BY NOW EVERYONE IS FAMILIAR WITH THE TERM NMI, THANKS TO AN OVERSOLD CARD WHICH USES THIS TECHNIQUE TO REPLAY SINGLE-LOAD GAMES FROM DISK. NMI STANDS FOR NON-MASKABLE INTERRUPT, ONE OF FOUR TYPES OF INTERRUPT AVAILABLE ON THE 6502 (THE OTHERS ARE RESET, BREAK, AND THE IRQ OR INTERRUPT REQUEST). AS THE NAME OF THIS ONE IMPLIES, IT IS AN INTERRUPT WHICH MUST BE ATTENDED, REGARDLESS OF WHATEVER ELSE THE CPU HAD IN MIND TO DO NEXT. THIS LINE COMES DIRECTLY FROM PIN 6 OF THE CPU CHIP, IS HELD AT 5 VOLTS (LOGIC 1) BY A 1K RESISTOR, AND RUNS OUT TO PIN 29 OF THE PERIPHERAL CONNECTORS.
CONNECTING THIS PIN MOMENTARILY TO GROUND (PIN 26) BEGINS A SMALL MICROPROGRAM WITHIN THE 6502 WHICH STORES THE PROGRAM COUNTER ('PC', TWO BYTES) AND THEN THE PROCESSOR STATUS WORD ('P', ONE BYTE) ON THE STACK, AND JUMPS TO THE ADDRESS STORED IN LOCATIONS FFFA AND FFFB IN THE F8 ROM.

THIS BUSINESS OF PUSHING ONTO THE STACK IS A LITTLE OBSCURE, SO LET'S SPEND A FEW SECONDS DESCRIBING THE STACK STRUCTURE. WE ALL KNOW THAT THE STACK IS IN PAGE ONE OF MEMORY ($100-$1FF), AND THAT THERE IS A THING CALLED A STACK POINTER (S) WHICH POINTS TO AN ADDRESS WITHIN THAT RANGE. IF THE FOLLOWING PROGRAM WERE RUN, THE STACK WOULD LOOK LIKE WHAT'S SHOWN BELOW:

1000: TSX
      TXA
      JSR $1010
1010: JSR $1020
1020: JSR $1030
1030: TSX
      BRK

---------------------------------------
                (STACK)
FINAL STACK POINTER LOCATION-> XX (ANY)
                               22
                               10
                               12
                               10
                               04
FIRST STACK POINTER LOCATION-> 10
---------------------------------------

THIS "PROGRAM" STORES THE FIRST VALUE OF THE STACK POINTER IN THE ACCUMULATOR, JSR'S TO THREE PLACES, STORES THE FINAL VALUE OF THE STACK POINTER IN THE X-REGISTER, AND THEN HALTS. (WE HAVE TO NEGLECT FOR THE MOMENT THAT APPLE'S MONITOR DOES SOME WEIRD THINGS TO THE STACK AFTER THE 'BRK'.) IF WE EXAMINE THE STACK MEMORY BETWEEN THE LOCATIONS IN THE ACC. AND X-REG, WE WILL FIND THE VALUES LISTED ABOVE.

ALTHOUGH WE SPEAK OF THE STACK AS A "PUSH-DOWN" (ALSO "LIFO" FOR LAST-IN, FIRST-OUT) STACK, WHAT ACTUALLY HAPPENS IS THAT THE VALUE OF THE STACK POINTER IS DECREMENTED, SO THAT IT POINTS TO A LOCATION ONE LESS THAN IT WAS. THE SUBROUTINE ADDRESSES TO WHICH THE PROGRAM WOULD RETURN (IF IT WERE GIVEN AN 'RTS') ARE STORED IN NORMAL FASHION OF LOW BYTE, HIGH BYTE, AT A LOCATION ONE HIGHER THAN THE VALUE OF THE STACK POINTER. THE RTS INSTRUCTION TRANSFERS THESE NUMBERS INTO THE PROGRAM COUNTER, INCREMENTS THE STACK POINTER BY TWO, INCREMENTS THE LOW BYTE BY ONE, AND STARTS THE PROGRAM EXECUTING AGAIN AT THE LOCATION OF THE PROGRAM COUNTER.
THE STACK POINTER NOW POINTS TO (ONE BELOW) THE NEXT SUBROUTINE RETURN ADDRESS, AND THE NEXT 'RTS' INSTRUCTION ENCOUNTERED IN THE PROGRAM WILL RETURN TO THAT ADDRESS. NOTICE THAT THE FINAL LOCATION OF THE STACK POINTER CAN HAVE ANYTHING IN IT, SINCE IT POINTS TO THE LOCATION WHERE THE NEXT BYTE WILL BE STORED, NOT WHERE THE LAST ONE WAS STORED. THE DATA PAIRS '22,10', '12,10', AND '04,10' CORRESPOND TO THE SUBROUTINE RETURN ADDRESSES 1023, 1013, AND 1005 FOR THE PROGRAM, EACH ONE BEING ONE LESS THAN THE ACTUAL RETURN POINT.

THAT DIGRESSION WAS INTENDED TO CLARIFY THE STACK STRUCTURE THAT RESULTS FROM AN NMI SIGNAL:

STACK POINTER: (ANYTHING)
S+1:           STATUS WORD (P)
S+2:           PROGRAM CTR LOW (PCL)
S+3:           PROGRAM CTR HI (PCH)

THIS WAS SET UP TO ALLOW AN EXTERNAL DEVICE TO INTERRUPT THE APPLE, AND THEN TO RESUME THE INTERRUPTED PROGRAM EXACTLY WHERE IT WAS BEFORE THE INTERRUPT OCCURRED. THE INSTRUCTION THAT MAKES IT ALL HAPPEN IS 'RTI', WHICH OBLIGINGLY PUTS THE PROCESSOR STATUS WORD BACK, RESTORES THE ORIGINAL VALUE OF THE PC, AND CRANKS UP THE PROGRAM JUST AS IT WAS BEFORE THE NMI LINE WAS YANKED.

THE PRACTICAL IMPLEMENTATION OF THIS TRICK IN KRACKING REQUIRES A MINIMUM OF TWO THINGS: AN ALTERED F8 ROM AND A SWITCH. A NORMAL F8 ROM HAS FB 03 AT FFFA-FFFB, WHICH MEANS THAT AN NMI SIGNAL WILL EXECUTE THE INSTRUCTION AT 03FB. PRUDENT SOFTWARE PUBLISHERS WILL PUT THERE EITHER A JUMP TO THE BEGINNING OF THE GAME OR TO A REBOOT: 4C 00 C6. TO GET AROUND THE PROBLEM, THE F8 ROM MUST BE MODIFIED. SINCE MOST SERIOUS KRACKISTS ALREADY HAVE A KRAKROM OR LOCKBUSTER, ETC., WHICH RELOCATES THE 0-7FF MEMORY WHEN RESET IS PRESSED, THIS IS NOT A MAJOR PROBLEM. YOU SHOULD PUT THE STARTING ADDRESS OF THE MEMORY MOVE ROUTINE IN LOCATIONS FFFA-B, AND BURN A NEW 2716 EPROM.
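AS AN ADDED ILLUSTRATION OF THE STACK DIGRESSION ABOVE (NOT PART OF KRAKOWICZ'S TEXT), HERE IS A SMALL PYTHON MODEL OF THE 6502 STACK THAT REPLAYS THE TSX/JSR LISTING AND THEN SHOWS THE NMI FRAME (P, PCL, PCH AT S+1..S+3) BEING READ BACK IN PLACE AND RESUMED WITH RTI. THE INITIAL STACK POINTER, THE INTERRUPTED PC AND THE STATUS VALUE ARE CONSTRUCTED, AND THE FFFA/FFFB VECTOR IS NOT MODELED.

```python
# Model of the 6502 hardware stack (page one, $0100-$01FF), covering the JSR/RTS
# listing and the NMI/RTI frame described above. Teaching model, not cycle-accurate.

class Stack6502:
    def __init__(self, sp=0xFF):
        self.mem = bytearray(0x100)  # page one; index is the low byte of $01xx
        self.s = sp                  # S points at the NEXT free slot
    def push(self, byte):            # store at S, then decrement (wraps within page one)
        self.mem[self.s] = byte & 0xFF
        self.s = (self.s - 1) & 0xFF
    def pull(self):                  # increment S, then read
        self.s = (self.s + 1) & 0xFF
        return self.mem[self.s]
    def jsr(self, addr_of_jsr):      # pushes the address of the JSR's LAST byte: PCH, then PCL
        ret = (addr_of_jsr + 2) & 0xFFFF
        self.push(ret >> 8)
        self.push(ret & 0xFF)
    def rts(self):                   # pulls PCL, PCH and resumes one byte past the stored address
        lo, hi = self.pull(), self.pull()
        return (((hi << 8) | lo) + 1) & 0xFFFF
    def nmi(self, pc, p):            # interrupt pushes PCH, PCL, then P (FFFA/FFFB vector not modeled)
        self.push(pc >> 8); self.push(pc & 0xFF); self.push(p)
    def rti(self):                   # pulls P, PCL, PCH; no +1, resumes exactly at the saved PC
        p, lo, hi = self.pull(), self.pull(), self.pull()
        return ((hi << 8) | lo, p)

def run_listing(initial_sp=0xF0):
    """1000: TSX TXA JSR $1010 / 1010: JSR $1020 / 1020: JSR $1030 / 1030: TSX BRK.
    Returns (first S, final S, stack bytes from final S+1 to first S, the three RTS targets)."""
    st = Stack6502(initial_sp)       # constructed: the article leaves the initial S unspecified
    first = st.s                     # TSX / TXA
    for addr in (0x1002, 0x1010, 0x1020):  # JSR $1010 sits at $1002, after TSX and TXA
        st.jsr(addr)
    final, frame = st.s, list(st.mem[st.s + 1:first + 1])
    return first, final, frame, [st.rts() for _ in range(3)]

def decode_frame(st):
    """Read the interrupt frame in place: P at S+1, PCL at S+2, PCH at S+3."""
    p, pcl, pch = (st.mem[(st.s + i) & 0xFF] for i in (1, 2, 3))
    return ((pch << 8) | pcl, p)

def nmi_round_trip(pc=0x6A3C, p=0x34, sp=0xFD):
    """Constructed values: interrupt at pc with status p, inspect the frame, resume via RTI."""
    st = Stack6502(sp)
    st.nmi(pc, p)
    seen = decode_frame(st)
    # S already sits one below the status word, i.e. what LDX #(status word - 1) / TXS would set
    return seen, st.rti()
```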
AFTER THIS PROM IS INSTALLED IN THE F8 SOCKET, ACTIVATING THE NMI LINE WILL SAVE ALL OF THE VOLATILE MEMORY AS WELL AS THE PC AND P (A WORD OF CAUTION - IF YOU DON'T HAVE A SOLID-STATE SWITCH ON THE NMI LINE, YOU'LL STORE SOME ADDITIONAL GARBAGE ON THE STACK, BUT THE SYSTEM WILL STILL WORK). EACH TIME YOU USE THE NMI ROM, YOU'LL HAVE TO EXAMINE THE MEMORY AREA WHERE THE STACK IS STORED. SINCE THE STACK POINTER IS ALWAYS ONE LESS THAN THE LAST LOCATION STORED INTO, YOU SHOULD HAVE NO TROUBLE IDENTIFYING THE CORRECT VALUE OF PC AND P. AFTER SAVING THE GAME, WITH MEMORY MOVES IF REQUIRED, SET THE STACK POINTER TO THE LOCATION OF THE STATUS WORD - 1 (USE LDX #NN, TXS), AND DO AN RTI INSTRUCTION. THE PROGRAM WILL START RIGHT BACK UP AS IF IT HAD NEVER BEEN INTERRUPTED. BE SURE THAT YOUR MEMORY RELOCATE ROUTINE IN ROM SAVES THE VALUE OF THE A, X, AND Y REGISTERS, AND RESTORES THE CORRECT VALUES BEFORE THE RTI.

ONE FINAL CAUTION - SOME GAMES (LIKE JUGGLER) REQUIRE THAT YOU HAVE AN UNMODIFIED ROM IN THE F8 SOCKET - THIS REQUIRES A LITTLE MORE ASSISTANCE FROM THE GOD OF HARDWARE, AND WILL BE DEALT WITH IN A FUTURE EPISODE DESCRIBING OTHER APPLICATIONS OF THE NMI TECHNIQUE.

RETURNING TO THE A.M. KRACK, YOU NOW CAN BOOT THE DISK AND GET TO THE MAIN MENU. DO THE NMI TRICK BY CLOSING A SWITCH WIRED BETWEEN PINS 29 AND 26 OF ANY PERIPHERAL CARD, AND MOVE THE EXCESS MEMORY TO 2000-3FFF (THE NORWEGIAN NURDS WERE NICE ENOUGH TO LEAVE US HI-RES PAGE ONE OPEN -- TAK!), INCLUDING 0-8FF AND B600-BFFF. ADD THE APPROPRIATE MEMORY MOVE ROUTINES AS WELL AS THE REGISTER RESTORE, STACK POINTER ADJUST, AND RTI, THEN BOOT A SLAVE DISK AND BSAVE THE MEMORY FROM 900-9600. COPY TRACKS 3-11 FROM THE ORIGINAL A.M. WITH YOUR FAVORITE COPIER, AND TELL THE VTOC THAT THOSE TRACKS ARE OCCUPIED. SAVE THE FILE ONTO ANY TRACKS ABOVE 11, AND, USING THE BOOT MODIFIER DESCRIBED IN THE KKK III ON WAY OUT, LOAD IN THE MAIN PROGRAM AS PART OF THE BOOT.
YOU SHOULD NOW BE OFF AND RUNNING WITH YOUR OWN FRESHLY BROKEN COPY OF ARCADE MACHINE. IT'S NOT REALLY AS HARD AS IT SOUNDS, AND IF YOU REALLY LIKE TO PROGRAM YOUR OWN LEFT-RIGHT SHOOT-EM-UPS WITHOUT LEARNING TO PROGRAM, THE RESULT IS WORTH THE EFFORT.

=>KRAKOWICZ<=