***************************************
*                                     *
*     KRAKOWICZ'S KRACKING KORNER     *
*                                     *
*    KAMEARI FROM ADO-SOFT (JAPAN)    *
*                                     *
***************************************

BOTH BECAUSE MR. KRAC-MAN WAS GENEROUS ENOUGH TO SEND ME AN ORIGINAL OF THE PROGRAM, AND BECAUSE THE ORIGINAL PUCKMAN WAS THE FIRST REAL PROTECTED DISK I EVER BROKE, IT WAS FUN TO GET MY HANDS ON THE NEW "SUPER PUCKMAN", OR KAMEARI. IT TURNED OUT TO BE NOT QUITE AS HARD TO BREAK AS THE FIRST ONE, BUT IT PROVIDED SOME INTERESTING CHALLENGES. IF YOU CATCH THE PROGRAM AT THE RIGHT POINT, IT'S SMALL ENOUGH TO FIT IN A NORMAL DOS BFILE, SO WE WON'T GET TO GO THROUGH THE THEORY AND PRACTICE OF PROGRAM PACKING ON THIS ONE. THE SEQUENCING USED TO LOAD THE GAME AND ACCESS THE DISK LATER IS A LITTLE UNUSUAL, AND WOULD HAVE BEEN TOUGHER IF THEY HADN'T MADE A FEW MISTAKES.

A FIRST-STAGE BOOT TRACE REVEALS THE FIRST INTERESTING TRICK--THE CONTENTS OF $814-8FF ARE EXCLUSIVE-ORED WITH THE ADDRESS LOW BYTE AND STUFFED INTO PAGE ONE WITH SOME CUTE CODE:

    0801-  LDX $26
    0803-  TXS
    0804-  DEC $27
    0806-  LDA ($26),Y
    0808-  EOR $26
    080A-  TSX
    080B-  PHA
    080C-  DEC $26
    080E-  CPX #$14
    0810-  BNE $806
    0812-  RTS

NOW, THIS IS NOT BAD FOR THE FIRST PART OF A PROTECTION SCHEME, BECAUSE IT REQUIRES A REASONABLE KNOWLEDGE OF THE DOS BOOT PROCESS AS WELL AS 6502 STACK/PAGE ONE USAGE. THE TRICKS ARE:

1. YOU HAVE TO KNOW (OR GUESS) THAT $26 CONTAINS 0 AND $27 CONTAINS 9 AFTER THE FIRST STAGE BOOT,
2. YOU HAVE TO UNDERSTAND HOW THE INDEXED, INDIRECT LOAD WORKS AT $806,
3. YOU NEED AN UNDERSTANDING OF THE TSX AND TXS INSTRUCTIONS, AND
4. YOU NEED TO INTERPRET THE FINAL RTS CORRECTLY.

(IF YOU KNOW ALL THESE, SKIP THIS EXPLANATION AND GO ON TO THE MEAT OF THE PROTECTION SCHEME BELOW).

IN THE ORDER LISTED ABOVE, LOCATION $26 CONTAINS 0 FROM THE BOOT ROM AT LOCATION $C652, WHERE THE ACCUMULATOR WAS STORED AFTER CALLING THE "WAIT" ROUTINE AT $FCA8 (ACC=0 ON EXIT FROM "WAIT").

LOCATION $27 IS THE HIGH BYTE OF THE TWO-BYTE STORAGE POINTER, AND IT IS INCREMENTED FROM $08 TO $09 IN CASE THERE'S MORE THAN ONE SECTOR TO LOAD IN ON THE FIRST STAGE BOOT.

LDA ($26),Y MEANS LOOK AT THE LOCATION POINTED TO BY $26 AND $27, ADD THE CONTENTS OF THE Y-REGISTER TO IT, AND LOAD THE ACCUMULATOR WITH THE CONTENTS OF THAT LOCATION: IF $26=32, $27=08, AND THE Y-REG=17, THE ADDRESS IS $832+$17, OR $849.

NEXT, AS THOSE OF YOU WHO STAYED AWAKE THROUGH THE DESCRIPTION OF THE STACK AND STACK POINTER IN THE ARCADE MACHINE FILE WILL RECALL, THE TSX AND TXS INSTRUCTIONS REFER TO TRANSFERRING A BYTE BETWEEN THE ->STACK POINTER<- AND THE X-REGISTER, NOT BETWEEN THE STACK AND THE REGISTER. THE FIRST BYTE FETCHED FROM $26 THROUGH THE X-REG IS USED TO INITIALIZE THE STACK POINTER AT $00, MEANING THAT THE NEXT BYTE PUSHED ON THE STACK WILL BE PLACED IN LOCATION $100. SINCE THE STACK POINTER IS A NINE BIT HARDWARE REGISTER WITH THE MOST SIGNIFICANT BIT SET, IT WILL ALWAYS CONTAIN A VALUE BETWEEN $100 AND $1FF. IF YOU 'PUSH' (PHA) ANOTHER BYTE ONTO THE STACK, IT GOES NOT INTO $FF, BUT INTO $1FF. SUCCESSIVE BYTES GO INTO $1FE, $1FD, ETC. THIS IS KNOWN AS "STACK WRAPAROUND", AND WAS USED BY IDSI IN THEIR 'JUGGLER' PROTECTION, AMONG OTHERS. AFTER THE FIRST TIME THROUGH, EACH BYTE FROM $8FF DOWN TO $814 IS EXCLUSIVE-ORED WITH THE ADDRESS LOW BYTE ($FF-$14), AND PUSHED ON THE STACK IN THE CORRESPONDING LOCATION FROM $1FF TO $114. EACH TIME THROUGH, THE STACK POINTER IS LOADED INTO THE X-REGISTER TO COMPARE IT WITH #$14 TO FIND OUT IF ENOUGH BYTES HAVE BEEN TRANSFERRED.

WHEN $14 IS FOUND, THEY DO AN 'RTS'. THIS TAKES THE TWO BYTES ABOVE THE STACK POINTER, INCREMENTS THE LOW BYTE, AND PLACES THEM INTO THE PROGRAM COUNTER. THE PROGRAM CONTINUES TO RUN AT THE NEW LOCATION (A VARIATION OF "JUMPING THROUGH THE STACK"). THE NEW STARTING LOCATION IS $116 (IT MAY SEEM A LITTLE STRANGE TO EXECUTE CODE OUT OF WHAT IS NORMALLY THE STACK PAGE, BUT THERE'S NOTHING ILLEGAL ABOUT IT.
APPLESOFT, IN FACT, HAS A SHORT SUBROUTINE CALLED 'CHRGET' AT $B1-C8 IN ZERO PAGE!).

BRIEFLY, THE PROGRAM RUNS A CHECKSUM ON $120-1FF TO MAKE SURE THOSE NASTY KRACKISTS HAVEN'T CHANGED ANYTHING, THEN CLEARS ALL OF MEMORY FROM $800-B7FF. AFTER SETTING UP THE SCREEN TO VIEW HIRES PAGE TWO (SO YOU CAN'T SEE THE READ ROUTINE LOADING IN ACROSS THE TEXT SCREEN MEMORY), TRACK 0 OF THE DISK IS SEARCHED FOR THE BYTE SEQUENCE "DD AD DA". ASTUTE READERS OF THIS COLUMN WILL RECALL THAT THIS IS THE OLD SIRIUS TRADEMARK, AND JUST THE BEGINNING OF THE RIP-OFF OF SIRIUS PROTECTION TECHNIQUES USED BY THE PUBLISHER (APPARENTLY, IT'S ALL RIGHT TO PLAGIARIZE CODE FROM A COMPETITOR'S PROTECTION SCHEME, BUT NOT TO MAKE BACKUP COPIES OF SOFTWARE PROTECTED WITH THE STOLEN CODE!).

THE REAL LOADER PROGRAM IS LOADED INTO $400-7FF (REMEMBER CYCLOD AND FRIENDS?), AND AFTER CHECKING FOR A SINGLE EPILOG BYTE OF $EE ON THE TRACK, WE DO A CHECKSUM ON ZERO PAGE AND JUMP TO $400 WITH THE CHECKSUM BYTE IN THE ACCUMULATOR. THE OLD "4+4" NIBBLIZING FROM SIRIUS IS USED, AND THE PROGRAM IS CONTAINED IN A SINGLE RECORD WHICH IS $800 NIBBLES LONG AND FOLLOWS SECTOR 0, WHICH IS IN NORMAL DOS FORMAT, ON TRACK 0 (THE NICE THINGS ABOUT 4+4 NIBBLIZING ARE THAT INDIVIDUAL BYTES CAN BE LOCATED AND CHANGED, AS DESCRIBED IN THE 'WAY OUT' FILE, AND THE NUMBER OF NIBBLES IS ALWAYS EXACTLY EQUAL TO TWICE THE NUMBER OF BYTES IN THE RECORD).

AT $400, THE CHECKSUM OF ZERO PAGE IS REPEATED AND COMPARED (THEY ONLY NEED TO BE THE SAME), AND THERE IS A BUNCH OF LANGUAGE CARD DEPROTECTION AND CHECKING OF THE RESET AND NMI VECTORS. IF ANY OF THE CHECKS FAIL, AN ERROR MESSAGE IS PRINTED AND THE ILLEGAL OPCODE $12 IS EXECUTED TO CAUSE THE SYSTEM TO HANG. TRUE TO THE SIRIUS HERITAGE, THE LOADER THEN FILLS UP MEMORY BY READING TRACKS 1-D (TWELVE PAGES EACH) INTO $0800-A3FF, USING AN ADDRESS MARKER OF DD AD DA AND THE $EE EPILOG BYTE.

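The page-one decode loop at $801-$812 described earlier, as an added Python model (not code from the article). It assumes Y=0 on entry and builds its own constructed memory image; it shows the stack-pointer wraparound and the address the final RTS produces.

```python
# Added illustration: a Python model of the Kameari first-stage loop at
# $0801-$0812. Memory is a 64 KiB bytearray whose contents are constructed
# below (not real disk data); the Y register is assumed to be 0 on entry.

def run_decode_loop(mem, y=0x00):
    """Emulate $0801-$0812 and return the address the final RTS jumps to."""
    x = mem[0x26]                           # 0801 LDX $26   (0 after the boot ROM)
    sp = x                                  # 0803 TXS       SP is only 8 bits wide
    mem[0x27] = (mem[0x27] - 1) & 0xFF      # 0804 DEC $27   pointer is now $08xx
    while True:
        ptr = mem[0x26] | (mem[0x27] << 8)
        a = mem[(ptr + y) & 0xFFFF]         # 0806 LDA ($26),Y
        a ^= mem[0x26]                      # 0808 EOR $26   key = address low byte
        x = sp                              # 080A TSX
        mem[0x100 | sp] = a                 # 080B PHA       always lands in page one,
        sp = (sp - 1) & 0xFF                #                so $00 wraps round to $FF
        mem[0x26] = (mem[0x26] - 1) & 0xFF  # 080C DEC $26
        if x == 0x14:                       # 080E CPX #$14 / 0810 BNE $806
            break
    lo = mem[0x100 | ((sp + 1) & 0xFF)]     # 0812 RTS: pull two bytes above SP...
    hi = mem[0x100 | ((sp + 2) & 0xFF)]
    return (((hi << 8) | lo) + 1) & 0xFFFF  # ...and add one to form the new PC

def build_image(page_one):
    """Constructed sample: XOR-encode page_one (the 236 bytes that should end
    up at $114-$1FF) into $814-$8FF, the way the boot sector carries them."""
    assert len(page_one) == 0x1FF - 0x114 + 1
    mem = bytearray(0x10000)
    for i, b in enumerate(page_one):
        lo = 0x14 + i
        mem[0x800 + lo] = b ^ lo            # same key the loop uses: the low address byte
    mem[0x26], mem[0x27] = 0x00, 0x09       # zero-page state left by the first-stage boot
    return mem

def demo():
    """Decode a constructed page-one image; return (rts_target, decoded_bytes)."""
    # First two bytes $15 $01 make the RTS land at $0116, as in the real program.
    plain = bytes([0x15, 0x01]) + bytes((i * 7 + 3) & 0xFF for i in range(234))
    mem = build_image(plain)
    target = run_decode_loop(mem)
    return target, bytes(mem[0x114:0x200])
```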
AFTER JUMPING TO $612, THE MAIN SCREEN IS MOVED FROM $8000-9FFF TO $4000-5FFF, AND THE MAIN PROGRAM IS ENTERED AT $800. SOURCE CODE FOR THE READER IS SHOWN BELOW:

             ORG $0579
             STA $05        ;DESTINATION
             PHA            ;HIGH BYTE
             LDY H03FE      ;NUMBER OF
             STY $06        ;PAGES TO READ
             LDY #$00       ;CLEAR DEST'N
             STY $04        ;LOW BYTE.
             LDX H03FF
    H0588    LDA HC08C,X    ;BEGIN TO SEARCH
             BPL H0588      ;FOR THE 'DD AD
    H058D    CMP #$DD       ;DA' SEQUENCE
             BNE H0588
    H0591    LDA HC08C,X
             BPL H0591
             CMP #$AD
             BNE H058D
    H059A    LDA HC08C,X
             BPL H059A
             CMP #$DA
             BNE H058D      ;AFTER HEADER,
    H05A3    LDA HC08C,X    ;GET THE FIRST
             BPL H05A3      ;NIBBLE, SET THE
             SEC            ;CARRY, ROTATE
             ROL            ;LEFT, AND STORE
             STA $0F        ;IT IN $0F
    H05AC    LDA HC08C,X    ;GET THE SECOND
             BPL H05AC      ;NIBBLE: AND IT
             AND $0F        ;WITH THE FIRST
             STA ($04),Y    ;STORE COMPLETE
             INY            ;BYTE AND GO ON
             BNE H05A3      ;TO THE NEXT.
             INC $05        ;DEST'N ADDRESS
             DEC $06        ;PAGE COUNTER
             BNE H05A3
    H05BE    LDA HC08C,X    ;CHECK FOR
             BPL H05BE      ;EPILOG BYTE
             CMP #$EE
             BNE H0578
             PLA
             RTS

AT THIS POINT, ALL THE PROGRAM RESIDES IN $0000-8000, SO IT'S A GOOD PLACE TO INTERRUPT AND SAVE IT. IT SEEMS STRANGE THAT, WITH ALL THE OTHER SIRIUS-TYPE PROTECTION, THERE'S NO CHECKSUM ON THE LOADER, SO WE CAN GO IN AND CHANGE BYTES ON A COPY OF THE DISK. IT'S EASY TO COPY THE DISK BY USING NIBBLES AWAY WITH AN ADDRESS MARKER OF DD AD DA FOR TRACKS 0-E, BUT YOU CAN ACTUALLY GET BY WITH ONLY COPYING TRACK 0 ONTO A SEPARATE DISK (NA OR LOCKSMITH WILL BOTH COPY IT WITHOUT PARMS, SINCE THERE IS A STANDARD DOS 3.3 SECTOR ON IT). THERE IS NO DISK ERROR HANDLING, SO A DISK WITH ONLY TRACK ZERO ON IT JUST SITS AND SPINS, ALLOWING YOU TO REMOVE IT AND INSERT THE ORIGINAL TO LOAD IN TRACKS 1-D.

AS IN DAYS OF OLD, READ IN TRACK ZERO USING THE TRACK EDITOR FROM NIBBLES AWAY, THEN TYPE 'Z' TO MAKE IT ANALYZE THE TRACK. SET THE DISPLAY TO THE POINTER PAGE WITH 'G6800', THEN SEARCH FOR THE STRING "AA EE AA AA AE AA", WHICH IS "4C 00 08" OR 'JMP $0800' IN 4+4 NIBBLEZE.
CHANGE THIS TO "AE EE AE FB FF FF", WHICH MEANS 'JMP $FF59', OR "AE EE EE EF FF FE" WHICH IS 'JMP $FECD' FOR USE WITH A KRAKROM (THE RIGHT ONE TO USE HERE IS KRAKROM4, SINCE $2000-3FFF CONTAINS PROGRAM CODE AND $4000-5FFF HAS ONLY A HI-RES PICTURE). WRITE THE ALTERED TRACK TO A BLANK DISK WITH THE 'W' COMMAND. BOOT THE NEW DISK, AND WHEN IT SPINS, INSERT THE ORIGINAL. AFTER THE NORMAL LOAD, THE BANNER WILL BE DISPLAYED FOR ABOUT 5 SECONDS BEFORE YOUR MODIFICATION AT $66E REDIRECTS THE PROGRAM INTO THE MONITOR. ASSUMING THAT YOU USED A KRAKROM, THE ENTIRE PROGRAM IS NOW CONTAINED IN $900-7FFF AND CAN BE SAVED AS A BFILE AFTER BOOTING A SLAVE DISKETTE.

MODIFICATIONS ARE EASY NOW, AND THIS IS ONE SET OF 'CLEANUP' ACTIVITIES THAT WILL BRING THE PROGRAM INTO CONDITION TO BRUN:

1. BOOT A SLAVE DISK, THEN MOVE PAGE 8 BACK FROM $4800-48FF.
2. MOVE THE STORED ZERO PAGE MEMORY FROM $4000-40FF TO $8000-80FF.
3. WRITE A MEMORY MOVE ROUTINE AT $8050 WHICH WILL RESTORE ZERO PAGE TO $0-FF (SEE BELOW). DON'T FORGET TO SET UP HIRES PAGE 2 AND CLEAR THE KEYBOARD STROBE.
4. REPLACE THE PICTURE IN $4000-5FFF WITH ONE CONTAINING YOUR OWN ADVERTISING (YOU CAN RESET THE ORIGINAL AFTER THE BOOT AND SAVE THE PICTURE AS A BINARY FILE FOR MODIFICATION).
5. PUT '4C 50 80' OR 'JMP 8050' AT $7FD TO START THE PROGRAM.
6. BSAVE KAMEARI,A$7FD,L$7880.

             ORG $8050
             LDY #$00
    H8052    LDA H8000,Y    ;RETURN ZERO
             STA H0000,Y    ;PAGE TO $0-FF
             INY
             BNE H8052
             LDX #$60       ;SET UP STACK
             TXS            ;POINTER AND
             LDA TXTCLR     ;GRAPHICS
             LDA HISCR
             LDA MIXCLR
             LDA HIRES
             LDA STROBE
             LDA #$80       ;LOAD UP THE
             LDX #$60       ;REGISTERS
             LDY #$00
             JMP H0800      ;BEGIN PROGRAM

    TXTCLR   = $C050
    HISCR    = $C055
    MIXCLR   = $C052
    HIRES    = $C057
    STROBE   = $C010

THE RESULTING PROGRAM WILL RUN JUST FINE UNTIL YOU CLEAR A BOARD AND ADVANCE TO THE NEXT LEVEL. AT THAT POINT, THE DISK STARTS TO SPIN AND THE SYSTEM REFUSES TO RESPOND TO ANY INPUTS.

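The 4+4 nibble encoding and the reader at $0579 described above, as an added Python model that is not the article's own code; the track image, its $FF padding and the sample data are constructed here. The same decode rule (SEC, ROL, AND) can be applied to the nibble strings from the patching step: by that rule $4C encodes as AE EE, the pair that opens both replacement strings, while AA EE decodes to $44.

```python
# Added illustration: the "4+4" nibble scheme used by the Kameari reader.
# Each data byte is stored as two disk nibbles: (byte >> 1) | $AA, then byte | $AA.
# The reader recovers the byte with SEC / ROL on the first nibble and AND with the second.

HEADER = bytes([0xDD, 0xAD, 0xDA])   # address marker the reader hunts for at $0588
EPILOG = 0xEE                        # single epilog byte checked at $05BE

def encode_4_4(data):
    """Split each byte into its odd bits and even bits, padding both with 1s."""
    out = bytearray()
    for b in data:
        out += bytes(((b >> 1) | 0xAA, b | 0xAA))
    return bytes(out)

def decode_byte(first, second):
    """What $05A3-$05AE does: SEC, ROL the first nibble, AND with the second."""
    return ((first << 1) | 1) & second & 0xFF

def decode_4_4(nibbles):
    if len(nibbles) % 2:
        raise ValueError("4+4 data is always an even number of nibbles")
    return bytes(decode_byte(f, s) for f, s in zip(nibbles[::2], nibbles[1::2]))

def read_record(track, pages):
    """Model of the reader: find DD AD DA, decode `pages` pages, require $EE.
    Returns the decoded bytes, or None when the header or epilog is missing
    (the real routine keeps spinning on a bad header and retries on a bad epilog)."""
    start = track.find(HEADER)
    if start < 0:
        return None
    body = start + len(HEADER)
    n = pages * 256 * 2                   # twice as many nibbles as bytes
    if len(track) < body + n + 1 or track[body + n] != EPILOG:
        return None
    return decode_4_4(track[body:body + n])

def build_track(data, pages):
    """Constructed sample track image (not real disk data): padding, header,
    4+4 record, epilog, padding. $DD can never occur inside 4+4 data, since
    every encoded nibble has all the $AA bits set, so find() is safe here."""
    assert len(data) == pages * 256
    filler = bytes([0xFF] * 16)
    return filler + HEADER + encode_4_4(data) + bytes([EPILOG]) + filler
```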
THE REASON THE DISK SPINS AT THE NEXT LEVEL IS THE INSTRUCTION AT $B5C, WHICH JUMPS TO $403, WHICH IN TURN JUMPS TO $5D5:

             ORG $05D5
             TYA
             PHA
             LDY #$00
             STA H03FE
    H05DC    LDX H03FF
             LDA HC089,X    ;START THE DRIVE
             LDA #$30
             JSR WAIT
             LDA #$7F
             JSR H0579      ;READ THE "TRACK"
             LDX H03FF      ;INTO 7F00-UP
             LDA HC088,X    ;STOP DRIVE
             LDA #$00
             TAY
    H05F5    EOR H7F00,Y    ;CHECKSUM 7F00-
             INY            ;7FFF
             BNE H05F5
             CMP #$44
             BNE H05DC
             JSR H7F00      ;DO SUBROUTINE
             LDY #$00
    H0604    CLC
             ADC #$45       ;AND WIPE OUT
             STA H7F00,Y    ;THE CODE SO
             INY            ;IT MUST BE READ
             BPL H0604      ;IN EACH TIME
             PLA
             TAY
             JMP H0CE8

THIS ROUTINE LOADS THE SINGLE PAGE CONTAINED ON TRACK E INTO $7F00-7FFF, EXECUTES THE SUBROUTINE AT $7F00, AND MANGLES THE CODE IN PAGE $7F FOR GOOD MEASURE. BY LOADING THE CODE IN ONCE AND NOP'ING THE MANGLE ROUTINE, YOU CAN AVOID THE UNNECESSARY DISK ACCESS AND HAVE A 122-SECTOR KAMEARI PROGRAM TO USE AS YOU SEE FIT. CHANGE $B5C FROM '4C 03 04' TO '4C 80 1A', AND PUT THIS SHORT SUBSTITUTE ROUTINE AT $1A80:

             ORG $1A80
             TYA
             PHA
             JSR H7F00
             PLA
             TAY
             JMP H0CE8

KAMEARI IS A DECENT ENOUGH PACMAN, BUT IT LACKS THE "PAUSE" CONTROL WITH THE ESCAPE KEY THAT'S BECOME STANDARD IN GAMES FROM THE U.S.A. YOU CAN ADD ONE BY CHANGING LOCATIONS $1717-1719 TO '4C 40 14', AND ADDING THIS SHORT ROUTINE AT $1440:

             ORG $1440
             CMP #$9B       ;WAS IT 'ESC'?
             BEQ H144B
             CMP #$CB       ;NO, CHECK FOR 'K'
             BNE H145A      ;NOTHING, EXIT
             JMP H175D      ;IT WAS K, ->175D
    H144B    LDA STROBE     ;IT WAS ESC, CLR
    H144E    LDA KEY        ;THE STROBE AND
             BPL H144E      ;WAIT FOR ANOTHER
             CMP #$9B       ;'ESC' TO BE HIT
             BNE H144E
             LDA STROBE     ;MUST CLEAR HERE!
    H145A    RTS

    H175D    = $175D
    STROBE   = $C010
    KEY      = $C000

IT'S A PLEASANT BIT OF NOSTALGIA TO SEE SOMEONE USING THE OLD TECHNIQUES WITH A NEW TWIST, AND IT PROVIDES US A CHANCE TO REVIEW SOME OF THE KRACKING APPROACHES THAT USED TO BE "STATE-OF-THE-ART". SEE YOU IN A "WEEK" OR SO WITH THAT PROMISED ARTICLE FROM THE BASICS OF KRACKING SERIES.