===> THE BASICS OF BASIC CRACKING <===

BY : COPY/CAT OF */HI-RES<>HIJACKERS/*

THIS ARTICLE WILL ATTEMPT TO SHOW HOW TO CRACK PROGRAMS AT THE VERY BEGINNING LEVEL, USING AS EXAMPLES SEVERAL GAMES WHICH ARE NOT GOOD GAMES, BUT ARE GOOD FOR DEMONSTRATING HOW TO START OFF IN THE FIELD OF CRACKING.

DEMUFFIN PLUS IS A PROGRAM THAT WAS MADE FROM THE PROGRAM "MUFFIN", FOUND ON THE SYSTEM MASTER. MUFFIN CONVERTS DOS 3.2 FILES TO DOS 3.3. DEMUFFIN PLUS, ON THE OTHER HAND, IS MODIFIED TO CONVERT FILES FROM ANY SEMI-NORMAL DOS TO DOS 3.3. IT DOES THIS AS FOLLOWS:

[1] READ THE FILES FROM THE PROTECTED DISK USING THE (PROTECTED) DOS THAT IS ALREADY IN MEMORY.
[2] WRITE THE FILES TO A NORMAL DOS 3.3 DISK, WHICH WORKS BECAUSE DEMUFFIN PLUS CARRIES ITS OWN COPY OF THE DOS 3.3 CODE INSIDE THE PROGRAM.

YOU CAN TELL THAT A PROGRAM MIGHT BE CRACKABLE WITH DEMUFFIN PLUS IF YOU SEE THE APPLESOFT PROMPT (]) WHILE THE PROGRAM BOOTS. IF IT DOES SHOW THAT PROMPT, DO THIS:

]BLOAD DEMUFFIN PLUS,A$6000
]PR#6 (WITH THE PROTECTED DISK IN THE DRIVE)

AS THE DISK BOOTS, HOLD DOWN CTRL-C AND THE REPEAT KEY. MOST OF THE TIME YOU WILL BREAK OUT, IF ONLY TEMPORARILY. ONCE YOU GET THE APPLESOFT PROMPT AND THE CURSOR, TRY A CALL-151 TO GET INTO THE MONITOR. AS AN EXAMPLE, KLONDIKE 2000 CAN BE BROKEN OUT OF AND CRACKED WITH CTRL-C AND THE STEPS LISTED BELOW. IF, HOWEVER, YOU TRY A CALL-151 AND THE PROGRAM RESTARTS OR REBOOTS (TYPICAL OF OLD BR0DERBUND PROTECTIONS), THEN YOU WILL NEED AN OLD MONITOR ROM, OR AT LEAST A RAMCARD (A LISTING OF THE OLD MONITOR EMULATOR IS AT THE END OF THIS FILE). IF YOU HAVE EITHER, JUST BREAK OUT INTO THE MONITOR WITH IT.

ONCE IN THE MONITOR BY ANY METHOD, DO THIS:

*803<6000.8000M N 803G

THE "M" COMMAND MOVES DEMUFFIN PLUS FROM $6000 TO $803, WHERE IT CAN RUN, AND "803G" STARTS IT THERE ("N" IS THE MONITOR'S NORMAL-VIDEO COMMAND AND JUST SEPARATES THE TWO). NOW JUST USE DEMUFFIN PLUS AS IF YOU WERE USING MUFFIN, EXCEPT THAT SINCE YOU DON'T KNOW THE FILENAMES, YOU MUST USE THE "=" WILDCARD CHARACTER WHEN ASKED FOR THE FILENAME. THIS SHOULD COPY ALL THE FILES TO YOUR DOS 3.3 DISK, AND THE PROGRAM SHOULD BE CRACKED.
IF ALL THE FILES COPY BUT THE PROGRAM DOESN'T WORK, THEN THERE MAY BE A NIBBLE COUNT OR SOME OTHER CHECK; SEE PART ][. IF THE PROGRAM CAN'T EVEN READ ONE FILE FROM THE PROTECTED DISK, THEN DEMUFFIN PLUS CANNOT CRACK THAT PROGRAM.

THE FOLLOWING STEPS ASSUME YOU HAVE AN APPLE ][+ (NOT ][E!) WITH A RAMCARD IN SLOT 0.

]CALL-151
*B800 (RETURN)
*C081 (RETURN)
*D000

YOU SEE A MESSAGE THAT SAYS "UNAUTHORIZED COPY". TO FIND OUT HOW THEY KNEW THAT, YOU MUST LOOK AT THE MACHINE LANGUAGE FILES. THE HELLO PROGRAM RUNS "OBJ.HELLO", SO BLOAD THAT FILE. BY CHECKING BYTES $AA72 AND $AA73 (WHERE DOS KEEPS THE ADDRESS OF THE LAST BLOAD) YOU SEE THAT THE FILE STARTS AT $803. LIST THE PROGRAM (803L) AND LOOK AT WHAT IT DOES. YOU'LL SEE A BUNCH OF ??? COMMANDS, WHICH USUALLY INDICATES TEXT; BY LOOKING AT THEIR ASCII VALUES YOU'LL SEE THAT THEY SPELL OUT "BLOAD HEAD.PIC", SO YOU KNOW WHERE YOU ARE IN TERMS OF TIME. SINCE THE PROGRAM CRASHES AFTER LOADING THE FILE, LOOK AT THE PART AFTER THE BLOAD. YOU WILL SEE A JSR TO $4000, WHICH IS STRANGE SINCE THAT'S JUST PAST THE END OF HI-RES PAGE 1 ($2000-$3FFF).

GET OUT OF THE MONITOR AND CATALOG THE DISK. HMM! THE PICTURES HEAD.PIC AND HAWK.PIC ARE BOTH 35 SECTORS, ONE TOO LONG FOR A REGULAR PICTURE. BLOADING A PICTURE AND LOOKING AT $4000 SHOWS A LITTLE SUBROUTINE THAT, WHEN RUN, TURNS ON THE DISK DRIVE. VERY PECULIAR. INSTEAD OF NO-OPING (EA) THE ENTIRE TAIL OF BOTH PICTURES, SIMPLY LOOK FOR JSR'S TO $4000. IN THE FILE "OBJ.HELLO" THERE ARE TWO: ONE AT $844 AND ANOTHER AT $864. "EA" ALL THREE BYTES (20 00 40) AT BOTH LOCATIONS. BSAVE THE FILE (A$803,L$BD) AND BOOT THE DISK. THIS TIME WE GET TO THE SECOND TITLE PAGE, BUT IT ALSO CRASHES, SO LOOK AT THE SECOND FILE, OBJ.DEMO. A QUICK LISTING PAST ALL THE BRK'S (00) GETS US TO THE MAIN PROGRAM, AND THE FIRST THING YOU SEE, AT $8E3, IS ANOTHER JSR TO $4000. "EA" THAT JSR AND SAVE THE FILE (A$803,L$765). NOW BOOT ONCE AGAIN, AND THE GAME RUNS. SHADOWHAWK ONE IS NOW CRACKED. THIS IS THE USUAL WAY A NIBBLE COUNT IS CALLED (A JSR), BUT NOT THE USUAL WAY OF FINDING IT.
MOST TIMES YOU WILL NOT BE HANDED REGULAR DOS 3.3 AND FILES THAT CAN BE LOOKED OVER SO EASILY. IT MAY TAKE DEMUFFIN PLUS TO CONVERT THE FILES FIRST; THEN YOU REMOVE THE JSR WITH "EA EA EA".

PART /// - HIDDEN NIBBLE COUNTS

NOW THAT YOU HAVE SEEN HOW NIBBLE COUNTS USUALLY OPERATE, WE WILL GO INTO THE AREA OF HIDDEN NIBBLE COUNTS. THE BEST EXAMPLE OF A HIDDEN NIBBLE COUNT IS IN THE SCOTT ADAMS ADVENTURE SERIES. ALTHOUGH I PERSONALLY HAVE ONLY SEEN SAGA #3, CRACKER JACK HAS TOLD ME THAT A SIMILAR PROTECTION WAS USED IN #2. IN ANY EVENT, SAGA #3 CAN BE EASILY DEMUFFINED TO A DOS 3.3 DISK. ONCE YOU HAVE DONE THAT (USING THE STEPS IN PART I), TRY BOOTING UP THE DISK. IT WILL SEEM TO WORK FINE, BUT TRY GOING WEST TWICE TO THE LOCKER ROOM. IN THE ROOM IS A PAIL. PICK IT UP (NO, THIS ISN'T A SOLVER FILE). THE DISK DRIVE WILL RUN NORMALLY, THEN MAKE A FUNNY "SHLOOK" NOISE. THIS IS ALWAYS A SIGN OF A NIBBLE COUNT (ESPECIALLY THE ADVENTURE INTERNATIONAL TYPE). IT WILL BEEP, SAY "O.K." AND REBOOT. WELL, NOW ALL YOU HAVE TO DO IS FIND THE NIBBLE COUNT AND REMOVE IT. EASIER SAID THAN DONE.

BY LOOKING AT THE LOADER PROGRAM, YOU WILL FIND THAT THE MAIN FILES ARE M1, M2 AND M3. LET THE LOADER PROGRAM LOAD THEM IN AT THE CORRECT PLACES FOR YOU, THEN GO INTO THE MONITOR. SINCE THE PROGRAM ACCESSES THESE FILES FROM MACHINE LANGUAGE, THERE ISN'T MUCH TO DO EXCEPT LOOK AT THE BEGINNING OF EACH FILE AND POKE AROUND. AFTER SEVERAL ATTEMPTS AT RUNNING LIKELY SUBROUTINES BY DOING A ####G AT THE START OF EACH ROUTINE, YOU WILL FIND THAT THE NIBBLE COUNT IS SIMPLY NOT THERE. IN FACT, THERE IS VERY LITTLE ACTUAL PROGRAM IN MEMORY. NOW THE POSSIBILITY OF THE NIBBLE COUNT BEING IN ANOTHER FILE SEEMS LIKELY. INSTEAD OF LOADING ALL HUNDRED OR SO PICTURE FILES, A GOOD WAY TO LOOK IS TO LET THE ADVENTURE LOAD IT IN FOR YOU. SO BOOT IT AGAIN AND PLAY UP TO THE ROOM WITH THE PAIL. TYPE "GET PAIL", AND WHEN THE DRIVE STARTS MAKING THAT FUNNY SOUND AGAIN, HIT RESET TO DROP INTO THE MONITOR.
NOW WE CAN LOOK AT THE MEMORY THAT IS PRESENT DURING THE ACTUAL NIBBLE COUNT. AFTER SEVERAL FRUITLESS ATTEMPTS AT RUNNING SUBROUTINES, YOU SHOULD EVENTUALLY FIND THAT THE NIBBLE COUNT'S STARTING LOCATION IS $1E7B. SINCE WE DON'T KNOW WHICH FILE LOADED IN AT $1E7B, WE LOOK AT THE THREE ORIGINAL FILES (M1, M2, M3) TO SEE IF ANY OF THEM COVERS THE ADDRESS WHERE THE NIBBLE COUNT STARTS (IT NEED NOT CONTAIN THE ACTUAL NIBBLE COUNT CODE). YOU WILL FIND THAT "M1" RUNS OVER THE LOCATIONS AROUND $1E7B. NOW LIST FROM $1E70 TO THE PRINTER, SO WE CAN COMPARE IT WITH THE SAME LISTING TAKEN AFTER THE NIBBLE COUNT APPEARS. A QUICK EXAMINATION SHOWS THAT LOCATIONS $1E70 THROUGH $1E7A ARE THE SAME IN BOTH. WHILE THAT STRETCH LOOKS LIKE GARBAGE, IT IS ACTUALLY PART OF THE PROGRAM: IT IS THE ENTRY THAT IS STILL THERE WHEN THE NIBBLE COUNT ROUTINE APPEARS AT $1E7B.

NOW WE HAVE TWO OPTIONS. THE FIRST WOULD BE TO FIND WHERE THE MAIN ADVENTURE JSR'S TO $1E70 OR THEREABOUTS AND "EA" THAT CALL. THE SECOND IS TO MAKE THE NIBBLE COUNT SUBROUTINE ITSELF RETURN WITHOUT ACTUALLY DOING THE NIBBLE COUNT. SINCE THE ADVENTURE MAY JSR TO THE NIBBLE COUNT FROM MORE THAN ONE PLACE, IT IS WISER TO USE THE SECOND OPTION. TO MAKE THE ROUTINE RETURN WITHOUT DOING ANYTHING, JUST PUT AN "EA" (NOP, NO OPERATION) AT LOCATION $1E70 AND A "60" (RTS, RETURN FROM SUBROUTINE) AT LOCATION $1E71. BSAVE M1 BACK TO THE DISK (WITH THE SAME A$ AND L$ IT HAD WHEN THE LOADER LOADED IT) AND RUN THE GAME. THE PAIL CAN NOW BE PICKED UP WITHOUT ANY DISK DRIVE ACCESS, AND THE GAME IS CRACKED.
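THE TWO PATCHES ABOVE, NO-OPING EVERY JSR TO THE NIBBLE COUNT (SHADOWHAWK ONE, PART ][) AND STUBBING THE ROUTINE'S ENTRY WITH NOP/RTS (SAGA #3, PART ///), ARE THE SAME TWO EDITS EVERY TIME. THE FOLLOWING IS AN ADDED EXAMPLE, NOT CODE FROM THE ORIGINAL ARTICLE, THAT DOES THEM ON A FILE IMAGE COPIED OFF THE APPLE RATHER THAN IN THE MONITOR. IT ASSUMES THE DOS 3.3 BINARY ("B") FILE LAYOUT OF A 4-BYTE HEADER (LOAD ADDRESS, THEN LENGTH, BOTH LITTLE-ENDIAN) FOLLOWED BY THE RAW BYTES, AND USES A CONSTRUCTED OBJ.HELLO-SHAPED SAMPLE WITH JSR $4000 AT $844 AND $864; THE FUNCTION NAMES ARE MINE.

```python
# Added example (not from the original article): applying the Part ][ and
# Part /// patches to a DOS 3.3 binary file image offline.
# Assumed file layout: 2-byte load address, 2-byte length (little-endian),
# then the bytes. Addresses in this code are 6502 addresses, not offsets.

JSR = 0x20   # 6502 JSR absolute: 20 lo hi
NOP = 0xEA   # 6502 NOP
RTS = 0x60   # 6502 RTS


def parse_bfile(data: bytes):
    """Split a DOS 3.3 'B' file into (load_address, body)."""
    if len(data) < 4:
        raise ValueError("too short for a DOS 3.3 binary file header")
    addr = data[0] | (data[1] << 8)
    length = data[2] | (data[3] << 8)
    body = bytearray(data[4:4 + length])
    if len(body) != length:
        raise ValueError("header length exceeds file size")
    return addr, body


def build_bfile(addr: int, body: bytes) -> bytes:
    """Rebuild the 4-byte header in front of the (patched) body."""
    n = len(body)
    return bytes([addr & 0xFF, (addr >> 8) & 0xFF, n & 0xFF, (n >> 8) & 0xFF]) + bytes(body)


def find_jsr(addr: int, body: bytes, target: int):
    """Addresses of every 'JSR target' (20 lo hi) in the image.
    This is a plain byte scan, not a disassembly: the three bytes could be
    text or data (the ??? the article mentions), so confirm each hit with
    the monitor's L command before trusting it."""
    pat = bytes([JSR, target & 0xFF, (target >> 8) & 0xFF])
    hits = []
    i = body.find(pat)
    while i != -1:
        hits.append(addr + i)
        i = body.find(pat, i + 1)
    return hits


def nop_jsr(addr: int, body: bytearray, target: int):
    """Part ][: 'EA' all three bytes of each JSR to target. Same length,
    so nothing after it moves. Returns the addresses patched."""
    hits = find_jsr(addr, body, target)
    for a in hits:
        off = a - addr
        body[off:off + 3] = bytes([NOP, NOP, NOP])
    return hits


def stub_rts(addr: int, body: bytearray, entry: int):
    """Part ///: make the routine at entry return at once (EA 60 = NOP; RTS).
    The callers' JSRs are left alone, so this holds however many places
    call the routine; the JSR/RTS pair keeps the stack balanced."""
    off = entry - addr
    if not 0 <= off < len(body) - 1:
        raise ValueError(f"${entry:04X} is outside the file's range")
    body[off] = NOP
    body[off + 1] = RTS


def sample_obj_hello() -> bytes:
    """Constructed sample, not Shadowhawk's real OBJ.HELLO: $BD bytes at
    $803, NOP filler, with 'JSR $4000' at $844 and $864 as in the text."""
    body = bytearray([NOP] * 0xBD)
    for a in (0x844, 0x864):
        body[a - 0x803:a - 0x803 + 3] = bytes([JSR, 0x00, 0x40])
    return build_bfile(0x803, body)


def crack_shadowhawk_style(data: bytes, target: int = 0x4000):
    """Parse a B file, NOP every JSR to target, return (hits, new file)."""
    addr, body = parse_bfile(data)
    hits = nop_jsr(addr, body, target)
    return hits, build_bfile(addr, body)


if __name__ == "__main__":
    hits, patched = crack_shadowhawk_style(sample_obj_hello())
    print("patched JSR $4000 at:", [f"${a:04X}" for a in hits])
```

THE BYTE SCAN IS THE CHEAP PART; THE ARTICLE'S REAL WORK IS DECIDING WHICH HITS ARE CODE. TEXT STRINGS AND PICTURE DATA CAN CONTAIN 20 00 40 BY ACCIDENT, SO LIST EACH HIT IN THE MONITOR BEFORE WRITING THE FILE BACK, AND PREFER THE NOP/RTS STUB WHEN YOU CANNOT BE SURE YOU HAVE FOUND EVERY CALLER.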