Master Index Current Directory Index Go to SkepticTank Go to Human Rights activist Keith Henson Go to Scientology cult

Skeptic Tank!

EXAMINING PROTECTED APPLESOFT BASIC PROGRAMS. BY THE DISK JOCKEY. Many protected programs are written in APPLESOFT. Of course, most publishers are sly enough to protect against break ing out of their program with CTRL C or reset. Also, most protect against re-entering BASIC from the monitor by changing the typical BASIC re-entry poi nt (at $3D0) so that it points to disaster. And lastly, many change the R UN flag vector at $D6 so if you manage to get out of their program and into BA SIC, anything you type will RUN their BASIC program. I will describe how to b eat all these protection schemes, assuming you have an old style F8 monit or ROM. First, we must determine if the protect ed program is written in APPLESOFT. If after you boot the progra m a BASIC prompt appears, this is a good indicator that at least some of the program is written in BASIC. Further more, if the program prints a l ot of text on the screen, or requires a good deal of user inputs, it is a goo d guess that the program is written in BASIC. The reason for this is that p rinting text on the screen and inputing data from the keyboard is easi ly accomplished from BASIC using PRINT and INPUT statements. To do this from ASSEMBLY language requires a great deal more work. Also, we should relieze why a programmer uses ASSEMBLY language. The only real advantage to AS SEMBLER is speed. If speed is not critical, most (non-sadist) programmers will use BASIC. With this in mind, look at how the prog ram runs and prints on the screen. If it runs at about the same speed as t he BASIC programs you have written run, it is a good guess that it is in B ASIC. Remember, ASSEMBLY language is considerably faster than BASIC in every respect. Finally, read the package the program c ame in. It usually says what it was written it. If it doesn't, a dead give away is in the hardware requirements. If the program requires APPLESOFT in RO M, then at least part of the program is probably written in APPLESOFT. Now that you have figured out your prot ected program is written in BASIC, it is time to LIST their code. The firs t step is to reset into the monitor when the program is running. Now you can try to enter the immediate BASIC mode by typing: *3D0G This is the normal BASIC re-entry point . But if the protection is worth anything, this will not work. Assuming that didn't work, reload the p rogram and reset into the monitor again. The next thing is to try typing 9D84G or 9DBFG. These are the DOS cold and warm start routines, respectively. If you are lucky enough to get a BASIC prompt, you have done well. Most of the time, you won't. If in either case you succeed in gettin g a BASIC prompt, try LISTing the program or CATALOGing the disk. If anyt hing you type starts the program running again, the protection has chang ed the RUN flag at $D6. So reset into the monitor again. The RUN flag is a zero page location (a t $D6) which will run the BASIC program in memory if $D6 contains $80 o r greater (128 or greater in decimal). This is easy to defeat after you have r eset into the monitor by typing: *D6:00 This resets the RUN flag to normal. Now if 3D0G, 9D84G or 9DBFG previously rewarded you with a BASIC prompt, this will solve the problem of the program re-running when you type a command. For debugging efforts, the RUN flag can get changed from within a BASIC progra m by issuing the code: 10 POKE 214,255 or by poking location 214 with anything greater than 127. From ASSEMBLY language, the code would most likely lo ok like this: 800- A9 FF LDA #$FF 802- 85 D6 STA $D6 or by loading a register with $80 or gr eater and storing it at $D6. Now if 3D0G, 9D84G or 9DBFG did not pro duce a BASIC prompt, then the DOS being used is more elaborate. So re-loa d the program and reset into the monitor after it is running. Now comes the final steps in trying to examine a BASIC program. If you are using a ROM card in slot zero with an o ld style F8 monitor ROM to reset into the monitor, turn on the mother board R OMs and turn off the ROM card INTEGER ROMs by typing: *C081 Now reset the RUN flag to normal, just to be sure. Type: *D6:00 Finally, enter APPLESOFT the sure fire way by typing: * You should see an APPLESOFT prompt. Now type: ]LIST and your APPLESOFT program should now a ppear. Applying this to a real world example, try this method with one of Strategic Simulations releases (SSI). SSI uses a highly modified DOS called RDOS for their protection. SSI uses all the tric ks mentioned to prevent you from LISTing their programs. But using the a bove procedure, you can LIST their BASIC programs. In addition, the DOS used by SSI (RDOS) uses the appersand in all of its DOS commands. So if you see any ampersands from within their BASIC program, you know it is a DOS command. For example, to catalog a SSI disk, after you follow the above procedure and you are in BASI C, type: ]&CAT This will display SSI's catalog. Very d ifferent, eh! Well, back at the ranch, if you want to save your APPLESOFT program to a norma l DOS disk, do these steps: 1) Reset into the monitor after the pro gram is running. 2) If you are using a ROM card in slot zero, Type: *C081 3) Now type: *D6:00 *9500<800.8FFM 3) Check where the APPLESOFT program en ds by typing: *AF.B0 4) Write down the two bytes listed some where. 5) Boot a 48K normal DOS 3.3 slave disk with no HELLO program. 6) Enter the monitor by typing: ]CALL-151 7) Restore the APPLESOFT program by typ ing: *800<9500.95FFM *AF: enter the two bytes you wrote down here, separated by spaces. 8) Enter BASIC and save the program by typing: *3D0G ]SAVE PROGNAME What you have done is to move $800 to $ 8FF out of the way so you can boot a slave disk. After normal DOS is up, you restore $800 to $8FF from $9500 to $95FF, and then restore the end of APPL ESOFT program pointers so DOS knows how big your BASIC program is. Next you just save it to your disk! Of course there are other more automated ways of getting programs to a normal DOS 3.3 disk (such as Demuffin Plus or CopyB), but this is a quick and dirty method that will always work. Keep in mind tha t the program may not run from normal DOS because of more secondary pr otection from within the BASIC program itself. Any curious CALLs, POKE s or PEEKs to memory above 40192 (this is memory where DOS resides) or b elow 256 (zero page memory) should be examined closely. I hope this will help you learn more ab out the protected programs you own that are written in APPLESOFT. -------------------------------------- COPYB DOCUMENTATION FILE. BY THE DISK JOCKEY. INTRODUCTION: There are probably hundreds of ways to protect a program from being copied. But generally speaking, protection fall s under two categories: protect the actual program (by various means), or p rotect a disk full of programs with some sort of DOS modification. DOS modi fications are the most common since they are the easiest to deal with (from the publisher's point of view). DOS modifications are also the least succes sful of protection, since someone always seems to find a way to copy all the files onto a normal DOS disk, eluding all the protection. The classic program for dealing with modified DOS' s is DEMUFFIN PLUS. It works much the sam e way as Apple's MUFFIN program works. MUFFIN was written to read files from a DOS 3.2 disk and then write the m to a DOS 3.3 disk. DEMUFFIN was a varia tion of MUFFIN, allowing the hardcore 3.2 user to copy files from DO S 3.3 to DOS 3.2. DEMUFFIN PLUS operates on the same principle, but use s whatever DOS is in memory to read the disk, and then writes out to an ini tialized DOS 3.3 disk. While this is a powerful utility, it only works with programs that are based on DOS file structures and that have a catalog trac k. INTRODUCING COPYB: COPYB is a highly modified version of C OPYA which converts a protected disk that uses a modified DOS and/or RWTS to normal DOS 3.3 format. The protected disk may have a normal DOS file structu re, or it may not. Since COPYB copies on a track by track basis, this does not matter. This makes COPYB a far more flexible tool than DEMUFFIN PLUS. COPYB uses the protected disk's RWTS to read in the tracks and then uses norma l DOS 3.3 to write them back out to an in itialized disk. Unless otherwise instructed, COPYB copies track $03 to t rack $22, sector $0F to sector $00 of each track. Here are the parameters for COPYB: LOCATION NORMALLY HEX DEC DESCRIPTION HEX DEC NT. --------------------------------------- 22E 558 FIRST TRACK TO READ 03 03 (1) 236 556 FIRST SECTOR TO READ 0F 15 (2) 365 869 RESET SECTOR NUMBER 0F 15 (2) 3A1 929 STOP ON ERROR($18=NO) 38 56 (3) 302 770 TRK TO STOP READING+1 23 35 (4) 35F 863 TRK TO STOP READING+1 23 35 (4) NOTES (NT.): 1) This is the first track that COPYB s tarts reading at. This is normally set at track 3, so not to copy the protecte d DOS which normally resides on track 0 through track 2. 2) These two parameters are normally se t to $0F for 16 sector disks. Change these two parameters to $0C for 13 sect or disks. Most of today's protection schemes are based on 16 sect ors. Yet there are still a few using 13 sectors (such as Muse). Intere stingly enough, there is a handful of authors that also us sectori ng other than 13 or 16 sectors per track. An example of this is "Thief " from Datamost. This program uses 11 sectors per track. COPYB can al so accommodate these programs. at upon reading a 'bad sector' COPYB will stop and display an error. To let COPYB keep going after a read error, change this byte to $18 (24 in decimal) . The equivalent sector on the copied disk will be written blank. 4) These two parameter determine where COPYB will stop reading the protected disk. Normally, this is set to the last track, $22 (34 in decimal) , plus one. To change this, add one to the last tra ck you want to copy and change these two parameters. CREATING COPYB: After entering or downloading the BASIC program, save the program by typing: ]SAVE COPYB Now you must enter the ASSEMBLY languag e subroutines that COPYB uses. COPYB uses the main subroutines that CO PYA uses, so we only have to modify the file COPY.OBJ0 that is on the DOS 3 .3 System Master. But first I will explain the added subroutines that COPY B needs. Remember that COPYB uses the protected program's RWTS to read the disk by moving it from $8000 to $B700 - $BFFF. After COPYB is done reading the protected disk, normal RWTS is moved ba ck up to $B700 - $BFFF from $8900 to write to a normal DOS disk. This is han dled by some subroutines which will add to the existing file COPY.OBJ0. Her e are the routines (formatted in 80 columns): 0220- 20 B0 02 JSR $02B0 :save the registers. 0223- A0 B7 LDY #$B7 :botto m page to move from. 0225- A9 89 LDA #$89 :desti nation page to move to. 0227- 20 80 02 JSR $0280 :copy normal RWTS from $B700-BFFF to 89 00-91FF. 022A- 20 B4 03 JSR $03B4 :subro utine to locate RWTS ($3E3). 022D- A9 03 LDA #$03 :start ing track to read from. 022F- 8D D1 02 STA $02D1 :store track. 0232- 8D D2 02 STA $02D2 :store track. 0235- A9 0F LDA #$0F :start ing sector to read from. 0237- 8D D3 02 STA $02D3 :store sector. 023A- 8D D4 02 STA $02D4 :store sector. 023D- 4C E7 02 JMP $02E7 :jump to read routine. 0240- 20 B0 02 JSR $02B0 :save the registers. 0243- A0 80 LDY #$80 :botto m page to move from. 0247- 20 80 02 JSR $0280 :move normal RWTS from $8900 back to $B700 -BFFF. 024A- 4C F7 02 JMP $02F7 :jump to write routine. 0260- 20 B0 02 JSR $02B0 :save the registers. 0263- A0 89 LDY #$89 :botto m page to move from. 0265- A9 B7 LDA #$B7 :desti nation page to move to. 0267- 20 80 02 JSR $0280 :move normal RWTS from $8900 back to $B700 -BFFF. 026A- 4C 17 03 JMP $0317 :jump to write routine 0270- 20 B0 02 JSR $02B0 :save the registers. 0273- A0 89 LDY #$89 :botto m page to move from. 0275- A9 B7 LDA #$B7 :desti nation page to move to. 0277- 20 80 02 JSR $0280 :move normal RWTS from $8900 to $B700 -BFFF. 027A- 4C BC 03 JMP $03BC :Resto re the registers and exit. 0280- 84 07 STY $07 :store original page to move from. 0282- 85 09 STA $09 :store destination page to move to. 0284- A2 09 LDX #$09 :load X with number of pages to move. 0286- A9 00 LDA #$00 :load accum with $00. 0288- A8 TAY :trans fer #$00 to Y. 0289- 85 06 STA $06 :store #$00 at $06. 028B- 85 08 STA $08 :store #$00 at $08. 028D- B1 06 LDA ($06),Y:load accum with the address pointed to by locations $06 & $07 (lo-hi order), index ed by Y. 028F- 91 08 STA ($08),Y:store accum at the address pointed to by locations $07 & $08 (lo-hi order) index ed by Y. 0291- C8 INY :incre ment Y. 0292- D0 F9 BNE $028D :conti nue until end of page. 0294- E6 07 INC $07 :incre ment original page. 0296- E6 09 INC $09 :incre ment destination page. 0298- CA DEX :decre ment X. 0299- D0 F2 BNE $028D :if ha ven't moved 9 pages, do again. 029B- 60 RTS :retur n from subroutine. 02B0- 8D C7 03 STA $03C7 :store accumulator at $3C7. 02B3- 8E C8 03 STX $03C8 :store X-register at $3C8. 02B6- 8C C9 03 STY $03C9 :store Y-register at $3C9. 02B9- 60 RTS :retur n from subrotine. So to create the objective file for COP YB, we should first enter the monitor by typing: ]CALL-151 Next we should initialize the memory ar ea by typing: *220:FF N 221<220.2CDM Now bload the file COPY.OBJ0 from the D OS 3.3 System Master by typing: *BLOAD COPY.OBJ0 Now type in the new code and some chang es: *228:80 02 20 B4 03 A9 03 8D *230:D1 02 8D D2 02 A9 0F 8D *238:D3 02 8D D4 02 4C E7 02 *240:20 B0 02 A0 80 A9 B7 20 *248:80 02 4C F7 02 *260:20 B0 02 A0 89 A9 B7 20 *268:80 02 4C 17 03 *270:20 B0 02 A0 89 A9 B7 20 *278:80 02 4C BC 03 *280:84 07 85 09 A2 09 A9 00 *288:A8 85 06 85 08 B1 06 91 *290:08 C8 D0 F9 E6 07 E6 09 *298:CA D0 F2 60 *2B0:8D C7 03 8E C8 03 8C C9 *2B8:03 60 *2C1:20 *2C4:40 *2C7:60 02 *2CB:13 7F B0 60 *2D0:01 03 03 0F 0F *2D8:B4 *2DD:02 *2F8:B4 *318:B4 *3C7:02 9D C0 B3 C4 C4 *220:20 B0 02 A0 B7 A9 89 20 After entering these changes, save the file by typing: *BSAVE COPYB.OBJ,A$220,L$1AB USING COPYB: To use COPYB, you must capture the fore ign RWTS and put it at locations $8000 through $88FF. You can do this on e of two ways: 1) Boot the protected disk and after th e foreign DOS is loaded, reset into the monitor. The foreign DOS will usual ly be loaded a few seconds after the boot starts. You can tell this beca use many times a BASIC prompt will appear at the bottom of the text screen . Use the monitor move command to move RWTS down to $8000 as so: *8000! ! -! ! ! ! . . . . . . . . . . . . ! !/ / / / / / / / / / / / ! !12 11 10 9 8 7 6 5 4 3 2 1 ! --------------------------------------- Now your soldering skills come in handy ! Using some short, hi-gauge wire (wire-wrap is preferable, but anything in the 26-30 gauge will work), solder a piece between pins 21 and 24, and solde r a piece between pins 12 and 18. Be extremely careful not to short out t he wire or to cross solder any pins! Also, try and solder as close to the ba se of the socket as possible, since you have to cut off pins 18 and 21 afte r you have finished soldering them. Now cut of pins 18 and 21 as close to t he base of the socket without cutting the freshly soldered wires! Remember, p ins 18 and 21 should be short enough so that they will not touch the socket you will be plugging this one into. The socket should now look like this: --------------------------------------- ! 13 14 15 16 17 18 19 20 21 22 23 24! ! ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ! ! x x / ! ! / / / ! ! / /--------/ - ! /--------/ ! ! / -!6 ! / ! ! / . . . . . . . . . . . ! !/ / / / / / / / / / / / ! !12 11 10 9 8 7 6 5 4 3 2 1 ! --------------------------------------- Double check your soldering and the con nections (and notice that pin 18 and 21 are cut off!). Now carefully remove the ROM labelled F8 (it is the socket farthest on the left that has 24 pins a s you face the keyboard) and plug this jumper socket into the motherboard. Now plug your modified 2716 EPROM into thi s jumper socket and your all done! Make s ure you have the notch pointing in the same direction as the other ROMs (towar ds the keyboard). When you turn on the Apple you should s ee a screen full of garbage with the monitor prompt at the bottom of the scr een. To boot your Apple, just type "6 ctrlP", and your computer will act j ust as usual. --------------------------------------- INTRODUCTION TO KRAKING PART TWO.C. MAKING YOUR OWN NMI BOARD. BY THE DISK JOCKEY. In this article I will describe how to make your own NMI board that will work in conjunction with the modified F8 monitor EPROM you have (or will) create. Here is the parts lists for the NMI board: (1) 7400 or 74LS00 chip. Radio Shack part #276-1801. $0.59 (1) SPDT momentary push switch. Radio Shack part #275-1549. $2.19 (1) 14 pin low profile or wire wrap socket. Radio Shack part #276-1999 or #276-1993. $0.89 (2) 3.3k ohm resisters, 1/4 watt. Radio Shack part #271-1328. $0.39 (1) Dual plug-in interface board. Radio Shack part #276-164. $4.95 NOTE: This part has been discontinued by Radio Shack, but you can sometimes still find them in the junk bin. Cut the board so it will fit inside your Apple. ALTERNATIVELY: (1) Apple bare board number PAPGBP5001. $13.95 from Priority Electronics, 9161 Deering Ave., Chatsworth, CA 91311. After you have obtained all the parts above, you should solder the 14 pin socket and the two resistors somewhere convenient on the bare board. Next get some hi-gauge wire and make the following connections: 1) Connect pin 25 of the bare board to one leg of each of the two resistors. 2) Connect each of the other legs of the resistors to the two outside contacts of the switch. (one resistor goes to one contact, the other resistor goes to the other contact). Use some good wire. 3) Connect pin 25 of the bare board to pin 14 of the 14 pin socket. 4) Connect the middle contact of the switch to pin 7 of the 14 pin socket. 5) Connect pin 26 of the bare board to pin 7 of the 14 pin socket. 6) Connect pin 2 of the 14 pin socket to pin 6 of the 14 pin socket. 7) Connect pin 3 of the 14 pin socket to pin 4 of the 14 pin socket. 8) Connect pin 4 of the 14 pin socket to pin 29 of the bare board. 9) Connect the leg of one of the resistors that is connected to the switch to pin 5 of the 14 pin socket. 10) Connect the other leg of the resistor that is connected to the switch to pin 1 of the 14 pin socket. 11) Check all connections twice, and don't get confused on what pin is what on the bare board and the 14 pin socket. You have now completed building your own NMI board. This board may be plugged into any one of the peripheral slots. --------------------------------------- THE ROM CARD. BY THE DISK JOCKEY. OBJECTIVE: While being able to deprotect programs from files on Pirate's Harbor is certainly helpful in the quest for copyable software, it would be optimal to deprotect your own programs without the help of other sources. This works on the premise that you can give a man a fish and feed him today, or you can teach him to fish and feed him for life. With this in mind, our objective is to teach you the ways of deprotection in general, and mention some of the tools that will make this easier. Although some of these tools will cost money and are somewhat specialized, they will only increase your knowledge of the Apple computer, for what that's worth. INTRODUCING THE ROM CARD: The foremost of important tools for easily snooping through memory is the ROM card. The ROM card was originally developed for t`g{m(a|`(xzograms written in both INTEGER and APPLESOFT BASIC. Remember that your motherboard (the big green printed circuit board inside your computer case) can house only one of the BASIC languages, either INTEGER or APPLESOFT. When the Apple was originally released, it was only available with INTEGER BASIC. So many programs were written in INTEGER, and would not run on the Apple II+ (with APPLESOFT on board) when it was introduced. Before RAM memory was very cheap, many people bought ROM cards for their Apple II+ that could be put in slot zero (as you would a RAM card), to enable them to run programs that were written in either BASIC language. It was just as though you had loaded INTEGER BASIC into you RAM card, like the DOS 3.3 System Master's HELLO program does. When RAM cards became available at a reasonable cost, everyone started buying them because they are so much more versatile for the average folk. That is why you don't see ROM cards for sale too much any more. But for deprotecting Apple programs, the ROM card is indespensible. Also, for the Apple II owner who wanted to run the newer APPLESOFT programs, the ROM card was available with APPLESOFT ROMs. The INTEGER and the APPLESOFT versions of the ROM card are identical, except for the actual ROMS on the card. In other words, one had INTEGER ROMs and the other had APPLESOFT ROMs, and there is no other differences. THE REASONS WHY: Their are several reasons the ROM card is so important. The least of the reasons is the need for INTEGER BASIC or the Programmer's Aid chip. If you can get a ROM card cheaply without INTEGER or the Programmer's Aid ROMs, do so. From a cost outlook, it is to your advantage. Besides, INTEGER is a dead dinosaur, and who really cares if it's faster than APPLESOFT? The reason we want a ROM card is so we can put an old style F8 monitor ROM and THE INSPECTOR ROM (from Omega Microware) on it. These two ROM chips are really essential for learning more about protected programs. Ultimately, we would like WATSON in conjunction with THE INSPECTOR, but to do so you will also need INTEGER BASIC ROMs, since WATSON uses some routines from the INTEGER BASIC ROMs. Watson enhances the Inspector by adding even more commands and flexibility. The combination of Watson and the Inspector provides you with great power for not only snooping, but also for general purpose utility chores. The reason we want the old style F8 ROM should be obvious by now. After reading several kraking articles and from your own experiences, you have noticed that it is impossible to break out of many programs with just an autostart F8 monitor ROM. The reason we should have the old style F8 ROM on the ROM card and not on the mother board is for convenience. The ROM card has a switch which determines which F8 monitor ROM is active when you hit reset. So you can have the convenience of the Autostart F8 monitor ROM, and when you need it, hit the switch and be able to break out of any program you want with the old style F8 monitor ROM. OBTAINING YOUR OWN ROM CARD: ROM cards are available used at very cheap prices. Check your local Apple users' group. Alternatively, you can get blank cards and stuff it yourse8f. I would suggest stuff your own since the parts are easy to get, and it is usually the least expensive route! I have also seen Japanese clone cards for sale at a very reasonable price. The best place to check for these is in The Computer Shopper, a bi-monthly newspaper of Apple and other computer bargins. OBTAINING YOUR OWN ROMs: You can either buy an old style F8 monitor ROM, or you can make one by changing your autostart F8 code slightly. After making the change, you can save the file to disk and have a friend or your local computer store burn the image into a 2716 EPROM. Here is the instructions for creating your own: 1) Boot a normal DOS 3.3 disk. 2) Enter the monitor by typing: ]CALL-151 3) Move the autostart F8 ROM image into RAM by typing: *4800


E-Mail Fredric L. Rice / The Skeptic Tank