***************************************
*                                     *
*     KRAKOWICZ'S KRACKING KORNER     *
*                                     *
*             SSI'S RDOS              *
*                                     *
***************************************

IT'S REALLY NOT FAIR WHEN ONE PUBLISHER HAS A SYSTEM THAT KEEPS THEIR SOFTWARE FROM BEING CONVENIENTLY BACKED UP, ESPECIALLY WHEN SO MANY OF THE OTHER "PROTECTION" SCHEMES HAVE FALLEN TO THE GROWING CORPS OF TALENTED KRACKISTS. WITH THAT IN MIND, AND BECAUSE WE ALL LOVE A CHALLENGE, WE WILL TAKE A LONG LOOK AT THE APPROACH USED BY STRATEGIC SIMULATIONS, INC. (SSI) IN PROVIDING COPY PROTECTION FOR THEIR SERIES OF WAR SIMULATIONS AND "RAPID-FIRE" SERIES, AS WELL AS SOME RECENT GAMES WHICH HAVE A LITTLE REDEEMING SOCIAL MERIT: EPIDEMIC, RINGSIDE SEAT, AND GALACTIC ADVENTURES.

AS WE'VE DISCUSSED IN THE BASICS OF KRACKING SERIES, YOU CAN EITHER PROTECT A PROGRAM BY VARIOUS MEANS, OR YOU CAN PROTECT A DISK FULL OF PROGRAMS WITH SOME SORT OF DOS MODIFICATION. DOS MODIFICATIONS ARE USUALLY NOT TOO SUCCESSFUL, SINCE SOME ENTERPRISING PERSON OUT IN PIRATELAND WILL SOONER OR LATER FIGURE A WAY TO COPY ALL THE FILES ONTO A NORMAL DOS DISK, MAKING ALL THE DISK PROTECTION WORTHLESS. SSI'S ANSWER TO THIS PROBLEM WAS NOT ONLY TO WRITE AN EXTENSIVELY REVISED DOS, BUT TO COUPLE IT WITH "ENHANCEMENTS" TO APPLESOFT USING THE AMPERSAND VECTOR (MORE ON THIS LATER). THIS WAY, EVEN IF YOU COULD STRIP THE FILES OFF THE DISK, YOU WOULD NEED TO WRITE A DOS WHICH WAS:

   A. DOS 3.3 COMPATIBLE,
   B. AS SHORT AS RDOS ($B100-$BFFF), SINCE THE PROGRAMS FREQUENTLY USE ALL OF THE FREE SPACE, AND
   C. CAPABLE OF CORRECTLY INTERPRETING THE AMPERSAND COMMANDS WHICH ARE LIBERALLY SPRINKLED THROUGH ALL THE APPLESOFT PROGRAMS.

THE AMOUNT OF EFFORT REQUIRED TO DO THIS HAS KEPT KRACKISTS AT BAY, AT LEAST UNTIL NOW.

FIRST, HOW TO APPROACH THIS TYPE OF KRACKING JOB? THE SEVENTH LAW OF KRACKING SAYS: "WHEN YOU'RE TOTALLY LOST, BOOT-TRACE" (I KNOW, I KNOW -- I PROMISE THAT I'LL WRITE A COMPLETE COLUMN ON BOOT-TRACING SOON.
IF YOU JUST CAN'T WAIT, TRY TO GET HOLD OF THE HARDCORE MAGAZINE UPDATE 3.1, PAGES 6-15. IT HAS A LUCID, WELL-EXAMPLED DISCUSSION OF THE BOOT-TRACING PROCESS).

WHEN YOU LOAD T0,S0 INTO $800, YOU WILL IMMEDIATELY SEE THE FAMILIAR "BRODY LOADY" (NAMED AFTER THAT FUN-LOVING BUNCH OF SCANDAHOOVIANS AT BRODERBUND) WHICH MOVES THE ENTIRE PAGE DOWN TO PAGE 2 AND JUMPS TO $20F TO COMPLETE THE BOOT. THIS IS A FAIRLY TRICKY BOOT WHICH HAS BEEN USED FOR ALL TYPES OF PROTECTION SCHEMES, BUT IF YOU PUZZLE OVER IT LONG ENOUGH, YOU'LL SEE THAT THE JMP ($003E) AT LOCATION 343 DOUBLES AS A JUMP TO THE SECTOR READ ROUTINE, THEN AS A JUMP TO THE PROGRAM START WHEN ALL THE SECTORS ARE READ IN. THE PROGRAM START IN THIS CASE IS $B300, WHICH IS A JMP $B974 THAT DROPS YOU INTO A DISCOURAGINGLY COMPLEX SERIES OF JSR'S AND JMP'S. AT THIS POINT, DISCRETION IS THE BETTER PART OF VALOR (REMEMBER THE SECOND LAW: THERE'S ALWAYS ANOTHER WAY). WHAT THE BOOT-TRACE HAS TOLD US IS THAT THE DOS CODE LIVES FROM $B300 TO $BFFF, AND IS NOT STRAIGHTFORWARD, "LINEAR" CODE.

YOU MAY RECALL THAT WE DESCRIBED HOW TO LIST AN RDOS APPLESOFT FILE IN BASICS 103: RESET, D6:00, C081, CTRL-C, "LIST". YOU WILL BE IMMEDIATELY STRUCK BY A WHOLE NEW LIST OF COMMANDS THAT MOTHER APPLE NEVER TOLD YOU ABOUT. THESE ARE AMPERSAND (&) COMMANDS WHICH HAVE BEEN ADDED TO IMPLEMENT THE RDOS COMMANDS, AND THEY WORK AS FOLLOWS: WHENEVER THE "&" IS ENCOUNTERED, APPLESOFT JUMPS TO LOCATION $3F5. LOOKING AT THAT LOCATION WILL TELL YOU WHERE THE AMPERSAND EVALUATION ROUTINE IS LOCATED; IN THIS CASE, IT CONTAINS 4C 03 B3, OR JMP $B303. EXAMINATION OF THE CODE THERE REVEALS THAT THE ACCUMULATOR IS COMPARED TO A TABLE OF NUMBERS IN $B320-$B330, AND THE ADDRESS OF THE ROUTINE TO BE EXECUTED IS PICKED UP FROM A TABLE IN $B331-$B352.
YOU CAN EASILY SEE ALL THIS CODE BY RESETTING ANY OF THE RDOS SSI GAMES, AND IF YOU'RE REALLY INTERESTED, YOU CAN CONTACT YOUR LOCAL PIRATE FOR A COPY OF THE SOURCE CODE LISTINGS, IN BIG MAC FORMAT, FOR BOTH THE ORIGINAL AND DOS 3.3 COMPATIBLE VERSIONS OF RDOS. THE DISK ALSO CONTAINS OBJECT CODE FOR RDOS 3.3 AND LISTINGS OF THE OTHER PROGRAMS USED FOR SECONDARY PROTECTION AND INITIALIZING. IF THERE'S ENOUGH INTEREST, THE SYSOP MIGHT BE PERSUADED TO INCLUDE THEM ON HIS APPLE TREK KRACKING DISK #2.

NOW WE'RE STARTING TO MAKE PROGRESS. EACH TIME THE & COMMAND IS ENCOUNTERED, APPLESOFT OBLIGINGLY JUMPS UP TO $B303 WITH THE HEX VALUE OF THE NEXT BASIC TOKEN IN THE ACCUMULATOR, AND THEN DECIDES WHAT TO DO NEXT. THE TOKENS, WITH THEIR VALUE, SUBROUTINE START ADDRESS, AND FUNCTION, ARE SHOWN BELOW:

   &        HEX  DEC  ADDR  FUNCTION IN RDOS
   -----    ---  ---  ----  ----------------
   C        43    67  B353  CATALOG (&CAT)
   LOAD     B6   182  B371  LOAD APLSFT FILE
   RUN      AC   172  B446  RUN APLSFT FILE
   GOTO     AB   171  B44C  EXEC (?)
   SAVE     B7   183  B48D  SAVE APLSFT FILE
   STORE    A8   168  B511  BSAVE (WITH A,L)
   RECALL   A7   167  B52B  BLOAD, A OPTIONAL
   DEF      B8   184  B544  ?
   PRINT    BA   186  B56C  WRITE TO TEXTFILE
   READ     87   135  B582  READ TEXT FILE
   END      80   128  B5A9  CLOSE A FILE
   DEL      85   133  B5AE  DELETE A FILE
   LEN      E3   227  B5CD  ?
   D        44    68  B620  DRIVE?
   S        53    83  B62E  SLOT?
   NEW      BF   191  B64F  ?
   USR      D5   213  B670  CHG RTN FROM &

AS YOU CAN SEE, NOT ALL HAVE BEEN CHASED DOWN. INTERESTED PARTIES ARE INVITED TO INVESTIGATE AND SHARE THE RESULTS WITH US ALL. BUT THIS, TOO, HAS ONLY A LIMITED VALUE, SINCE WE RUN OUT OF INFORMATIVE TOKENS AT ABOUT $B679 IN A LISTING THAT CONTINUES UP TO $BFFF. THE ONLY WAY TO GET THERE IS TO CALL UP THE INFANTRY AND SLOG OUR WAY THROUGH THE CODE, BRUTE FORCE.

SINCE IT'S A DOS, THERE MUST BE READ AND WRITE CODE OF SOME SORT, SO LOOKING AROUND FOR DISK ACCESSES ($C08C,X) IS A GOOD PLACE TO START. THE FIRST ENCOUNTER IS AT $BB6B, WHICH IS CLEARLY A "WRITE" SECTION -- $C08F,X = OUTPUT; $C08E,X = SENSE WRITE PROTECT.
IT'S FOLLOWED BY A READ SECTOR ROUTINE AT $BBFD-BC64, AND A READ ADDRESS ROUTINE AT $BC65-BCC0. ON CLOSE EXAMINATION, IT CAN BE SEEN THAT THE ROUTINES HAVE BEEN LIFTED ALMOST VERBATIM FROM DOS 3.2, WITH THE ADDRESS MARKER CHANGED TO D4 AA B7 (IN MOST CASES). AHA! MAYBE WE CAN SNEAK IN THE APPROPRIATE ROUTINES FROM DOS 3.3 AND MAKE IT DO D5 AA 96'S? TO MAKE A LENGTHY STORY SHORT, THE ANSWER IS YES, BUT. DOS 3.2 USES, AS YOU PROBABLY KNOW, "6+2" NIBBLIZING IN STORING DATA ON THE DISK, WHILE 3.3 USES "5+3". THE END RESULT IS THAT THE PRE- AND POST-NIBBLIZING ROUTINES MUST BE TRANSPLANTED FROM DOS 3.3, AS WELL AS BOTH READ AND WRITE BYTE TRANSLATE TABLES. THE ADDRESS MARKERS AND THE SIZE OF THE NIBBLE BUFFERS MUST ALSO BE ADJUSTED. WHEN THIS IS DONE (WITH MUCH WAILING AND GNASHING OF TEETH), THE END RESULT IS A FUNCTIONAL, DOS 3.3 COMPATIBLE RDOS: RDOS 3.3. (AS A BRIEF ASIDE, THE ESSENTIAL TOOLS IN THIS TASK ARE, OF COURSE, BENEATH APPLE DOS AND THE DOSSOURCE COMMENTED LISTING OF ALL THE DOS CODE.)

NOW, WE KNOW FROM PREVIOUS GAMES LIKE CRISIS MOUNTAIN AND MING'S CHALLENGE THAT WE CAN READ THE SECTORS INTO MEMORY FROM A DISK WITH MODIFIED RWTS ROUTINES BY USING ITS OWN RWTS AND THE INSPECTOR, THEN SWAPPING RWTS ROUTINES TO STANDARD DOS 3.3 AND WRITING THEM OUT AGAIN ON A FORMATTED DISK. THE PROSPECT OF DOING ALL THE SSI GAMES BY HAND BOGGLES THE MIND, HOWEVER, AND REQUIRES AN AUTOMATED APPROACH (THEY WERE SUPPOSED TO WORK FOR ->US<-, REMEMBER?). THE ANSWER TO THIS PROBLEM WAS THE PROGRAM NOW KNOWN AS COPYB - A HIGHLY MODIFIED VERSION OF COPYA WHICH DOES THE RWTS SWAP FOR YOU, AND EVEN INITIALIZES DISKS AS A BONUS. THE VERSION OF COPYB IN GENERAL CIRCULATION INCLUDES RWTS ROUTINES WHICH HAVE BEEN MODIFIED FOR READING AND WRITING RDOS. REASONABLE DIRECTIONS ARE INCLUDED ON THE DISK, SO IT SHOULD BE POSSIBLE TO BACK UP YOUR OWN SSI DISKS, USING THE ADDITIONAL INFORMATION PROVIDED BELOW.
ARMED WITH RDOS 3.3 AND COPYB, IT IS NOW POSSIBLE TO BEGIN ATTACKING ONE OF THE SSI PROTECTED DISKS. SINCE RDOS IS BASED ON DOS 3.2, THE DISKS ARE ALL 13-SECTOR FORMAT, AND SINCE THE DOS IS ALL ON TRACK ZERO, YOU WANT TO BEGIN THE TRACK COPYING PROCESS WITH TRACK ONE. TO REITERATE THE COPYB INSTRUCTIONS: RUN COPYB, THEN TYPE CTRL-C OR RESET WHEN THE PROMPT FOR SOURCE DISK COMES UP. GET INTO THE MONITOR AND TYPE 22E:1 TO SET THE STARTING TRACK TO 1, THEN, IF THE ADDRESS MARKER BYTES WERE D4 AA B7, BLOAD THE FILE CALLED "RDOS READ RWTS" (IT GOES INTO $8000 AS THE DEFAULT LOCATION). NEXT, BLOAD "RDOS WRITE",A$7000, THEN MOVE IT TO THE NORMAL RWTS LOCATIONS WITH B700<7000.78FFM (THIS IS NECESSARY BECAUSE YOU'RE USING THE RWTS ROUTINES TO READ IN THE FILES; WRITING ON TOP OF OPERATING CODE CAN LEAD TO VERY UNPLEASANT RESULTS). RETURN TO BASIC, DELETE LINE FIVE, AND TYPE 'RUN'. ANSWER THE QUESTION "13 SECTOR", ENTER THE APPROPRIATE SLOTS AND DRIVES, AND YOU'RE OFF AND RUNNING TO CREATE AN RDOS 3.3 COPY (WHEN YOU'RE FINISHED, YOU'LL HAVE A 16-SECTOR DISKETTE WITH ONLY 13 SECTORS OCCUPIED PER TRACK, BUT YOU WON'T NOTICE IT IN USE). SOME OF THE SSI GAMES USE THE NORMAL DOS 3.2 ADDRESS MARKER BYTES OF D5 AA B5. THESE SHOULD BE READ IN USING THE "DOS 3.2 RWTS" FILE, BUT YOU STILL NEED TO USE THE "RDOS WRITE" RWTS FOR THE WRITING ROUTINE.

RDOS USES TRACK 1 FOR THE CATALOG, AND IDENTIFIES FILES VIA A 24-CHARACTER ALPHANUMERIC NAME, A LENGTH IN "BLOCKS" AS IN PASCAL, AND THE LOCATION OF THE STARTING BLOCK ON THE DISK:

   TRACK 01  SECTOR 0  SLOT 6  DRIVE 1  BUFFER 0800  DOS 16  2BCC
   =======================================
        0 1 2 3 4 5 6 7 8 9 A B C D E F
   ---------------------------------------
   00-  R D O S   2 . 1   C O P Y R I G
   10-  H T   1 9 8 1     B 1A0010 001A0000
   20-  S Y S T E M   B O O T
   30-                    T 0100B1 00011A00
   40-  R E G 1           B 0A6009 DC091B00

   READING ACROSS EACH ENTRY:
     PROGRAM NAME       - THE 24 CHARACTERS BEFORE THE TYPE LETTER
     FILE TYPE (A,T,B)  - B, T, B
     NUMBER OF BLOCKS   - 1A, 01, 0A
     STARTING LOCATION  - 0010, 00B1, 6009 (LOW BYTE FIRST)
     FIRST BLOCK        - 0000, 1A00, 1B00 (LOW BYTE FIRST)
   (THE TWO BYTES BETWEEN STARTING LOCATION AND FIRST BLOCK ARE NOT LABELLED IN THE DUMP.)

THE STARTING BLOCK IS EQUAL TO THE TRACK NUMBER MULTIPLIED BY 13 PLUS THE SECTOR NUMBER (1A00 IS REALLY 001A, WHICH IS DECIMAL 26, OR TRACK 2, SECTOR 0). IF YOU LOOK THROUGH THE CATALOG TRACK WITH THE INSPECTOR, YOU FIND THE BEGINNING OF THE CATALOG AS EXPECTED IN T1,S0. LOOKING FOR THE CONTINUATION IN T1,S1, HOWEVER, BRINGS YOU TO THE NEXT SURPRISE HELD BY RDOS: THERE IS NO SECTOR INTERLEAVING IN SOFTWARE; IT IS ALL DONE BY THE SECTOR NUMBER SEQUENCING DURING SSI'S INITIALIZE ROUTINE. THE IMPORTANCE OF SECTOR INTERLEAVING IS DISCUSSED IN "BAG OF TRICKS", AND IN A SOFTALK ARTICLE ABOUT A YEAR AGO BY WORTH AND LECHNER. (DOS USES A LOOKUP TABLE AT $BFA8 TO CHANGE THE SECTOR NUMBER FROM THE VALUE READ OFF THE DISK ("PHYSICAL SECTOR") TO THE NUMBER IT THINKS IT SHOULD BE ("LOGICAL SECTOR").) SSI USES AN "ASCENDING 7" INTERLEAVE SCHEME, WHICH MEANS THAT THE SEQUENCE OF SECTORS ON THE DISK, AS READ BY DOS 3.3 WITH ITS INTERLEAVE TABLE, IS: 0,7,E,6,D,5,C,4,B,3,A,2,9,1,8,F. THE SECOND CATALOG SECTOR, THEN, APPEARS TO BE SECTOR 7. IF YOU INTEND TO DO ANY AMOUNT OF PLAYING AROUND WITH ONE OF THESE DISKS, USE THE "RDOS WRITE" RWTS FROM THE COPYB DISK, OR CHANGE BYTES $BE2A-BE2D TO $EA'S WITH THE INSPECTOR. THIS OMITS THE TABLE LOOKUP AND MAKES THE SECTOR NUMBERS FOLLOW THE SEQUENCE AS USED BY RDOS.

NEXT, COPY THE FILE CALLED RDOS 3.3 FROM THE COPYB DISK (OR TRACK 0 OF ANY OF THE RECENTLY UNPROTECTED SSI SERIES) ONTO TRACK ZERO, SECTORS 0-D. YOU WOULD EXPECT TO HAVE A WORKING COPY OF THE GAME AT THIS POINT, BUT THERE ARE STILL A COUPLE OF SURPRISES IN STORE FOR YOU (I SAID IT WAS A CHALLENGE!). THERE ARE SEVERAL DIFFERENT SECONDARY PROTECTION SCHEMES USED TO DEFEAT VARIOUS COPIERS, USUALLY GOING UNDER THE INNOCUOUS NAME OF "QWERTY".
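BEFORE GETTING TO THE QWERTY ROUTINES, HERE IS AN ADDED EXAMPLE (NOT PART OF THE ORIGINAL COLUMN, AND NOT SSI'S OR RDOS'S OWN CODE) THAT DECODES THE THREE CATALOG ENTRIES FROM THE DUMP ABOVE, TURNS A STARTING BLOCK BACK INTO TRACK AND SECTOR, AND DERIVES THE "ASCENDING 7" SEQUENCE FROM DOS 3.3'S OWN LOGICAL-TO-PHYSICAL SECTOR TABLE. THE 32-BYTE ENTRY LAYOUT AND THE FUNCTION NAMES ARE MY ASSUMPTIONS READ OFF THE DUMP; THE TWO BYTES THE DUMP DOES NOT LABEL ARE KEPT RAW.

```python
from typing import NamedTuple

SECTORS_PER_TRACK = 13  # RDOS is built on DOS 3.2, so every track has 13 sectors
# DOS 3.3's logical-to-physical sector table (the software interleave RDOS skips).
DOS33_LOGICAL_TO_PHYSICAL = [0x0, 0xD, 0xB, 0x9, 0x7, 0x5, 0x3, 0x1,
                             0xE, 0xC, 0xA, 0x8, 0x6, 0x4, 0x2, 0xF]

class Entry(NamedTuple):
    name: str          # 24-character program name, trailing blanks stripped
    ftype: str         # file type letter: A, T or B
    blocks: int        # number of blocks
    load_addr: int     # starting location in memory (low byte first on disk)
    unlabelled: bytes  # two bytes the dump leaves unlabelled, kept raw (assumption)
    first_block: int   # first block on disk (low byte first on disk)

def parse_entry(raw: bytes) -> Entry:
    """Decode one 32-byte RDOS catalog entry as laid out in the Inspector dump."""
    if len(raw) != 32:
        raise ValueError("an RDOS catalog entry is 32 bytes")
    return Entry(name=raw[:24].decode("ascii").rstrip(),
                 ftype=chr(raw[24]),
                 blocks=raw[25],
                 load_addr=raw[26] | (raw[27] << 8),    # 00 B1 on disk -> $B100
                 unlabelled=bytes(raw[28:30]),
                 first_block=raw[30] | (raw[31] << 8))  # 1A 00 on disk -> 26

def parse_catalog(sector: bytes) -> list:
    """Split a catalog sector into 32-byte entries and decode each one."""
    return [parse_entry(sector[i:i + 32]) for i in range(0, len(sector), 32)]

def block_to_track_sector(block: int) -> tuple:
    """Invert 'starting block = track * 13 + sector'."""
    return divmod(block, SECTORS_PER_TRACK)

def dos33_logical_sector(physical: int) -> int:
    """Sector number DOS 3.3 reports for a sector RDOS wrote as number 'physical'."""
    return DOS33_LOGICAL_TO_PHYSICAL.index(physical)

def ascending7_sequence() -> list:
    """Order DOS 3.3 sees RDOS sectors 0..F in: each step adds 7 mod 15, F stays F."""
    return [dos33_logical_sector(p) for p in range(16)]

# Constructed sample: the three entries shown in the dump above, as raw bytes.
CATALOG_T1_S0 = (
    b"RDOS 2.1 COPYRIGHT 1981 " + b"B" + bytes.fromhex("1A 00 10 00 1A 00 00")
    + b"SYSTEM BOOT".ljust(24) + b"T" + bytes.fromhex("01 00 B1 00 01 1A 00")
    + b"REG 1".ljust(24) + b"B" + bytes.fromhex("0A 60 09 DC 09 1B 00"))
```

THE SYSTEM BOOT ENTRY DECODES TO LOAD ADDRESS $B100 AND FIRST BLOCK 26 = TRACK 2, SECTOR 0, AND THE DERIVED SEQUENCE MATCHES THE 0,7,E,6,... LIST IN THE TEXT.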
THE MOST COMMON OF THESE READS IN AN ADDRESS FIELD FROM TRACK 0, DELAYS A BIT, AND LOOKS FOR AN $EE AS THE NEXT BYTE ON THE TRACK. IF IT FINDS IT, A 0 IS STORED IN LOCATION 0; OTHERWISE THE DISK SPINS FOREVER. BY CHANGING BYTES $28-29 TO A9 00, THIS ANNOYANCE IS REMOVED. A SIMILAR ROUTINE, SEEN ONLY ONCE OR TWICE AND CALLED @WERTY, LOOKS FOR AN $AA FOLLOWING THE ADDRESS FIELD ON ANY TRACK, AND REBOOTS IF IT'S NOT FOUND. THE REMEDY HERE IS TO PUT A9 00 IN BYTES $20-21.

RECENTLY, A MUCH MORE SOPHISTICATED TECHNIQUE HAS BEEN USED (GALACTIC GLADIATORS, ROAD TO GETTYSBURG), WHICH DOES THE SSI EQUIVALENT OF "QUARTER-TRACKING" OR "SPIRALLING". THIS VERSION OF QWERTY READS IN FOUR PAGES OF SEQUENTIAL BYTES FROM EACH OF THE FOUR ADJACENT HALF-TRACKS FROM 20.5 TO 22.0, STORING THEM AT $1000-1FFF. THE THREE BYTES FOLLOWING THE FOUR PAGES' WORTH ARE USED AS THE ADDRESS MARKER FOR THE DATA ON THE NEXT HALF-TRACK (AS WITH ALL THESE PROTECTION TECHNIQUES, THE "SECTORS" ARE SKEWED SO THAT THERE IS NEVER VALID DATA OVERLAPPING ON ADJACENT HALF-TRACKS). THIS APPROACH EFFECTIVELY DEFEATS COPIERS LIKE NA II AND LOCKSMITH, WHICH WRITE AN ENTIRE TRACK AND OBLITERATE DATA ON ANY ADJACENT HALF-TRACK. AFTER READING IN THE DATA, THE MEMORY VALUES ARE EXCLUSIVE-ORED WITH THE ADDRESS (1000 CONTAINS 00, 1001 CONTAINS 01, ETC.), AND IF AN ERROR IS FOUND, IT REBOOTS THE DISK. PLACING AN RTS ($60) AT THE ENTRY POINT OF $A0F0 WILL AVOID THE ENTIRE ISSUE AND MAKE THE COPYA VERSION RUN.

THE FINAL (I HOPE) HURDLE TO USING RDOS 3.3 IS THE PROGRAM WHICH INITIALIZES A SAVE GAME DISKETTE IN AN RDOS-COMPATIBLE FORMAT. IT IS CALLED SSI.INIT AND LOADS INTO $800-AFF (IT IS USUALLY ACCESSED VIA A 'CALL 2800' FROM A BASIC PROGRAM). SINCE IT ONLY WRITES ADDRESS FIELDS, AND NOT DATA SECTORS (WITH NO VERIFY), IT IS A VERY FAST INIT. ALL THAT'S NECESSARY TO GENERATE A DISK COMPATIBLE WITH RDOS 3.3 IS TO REPLACE THE D4 AA B7 (OR D5 AA B5) ADDRESS MARKER BYTES WITH D5 AA 96: CHANGE BYTE $8F5 TO $D5 AND BYTE $8FF TO $96.
NOW FOR THE BAD NEWS: WHILE RDOS IS FAST, PRIMARILY BECAUSE ALL FILES ARE STORED IN SEQUENTIAL BLOCKS, RDOS 3.3 IS SLOW BECAUSE OF THE SECTOR INTERLEAVE USED BY SSI (THE DISK MUST MAKE ALMOST AN ENTIRE REVOLUTION FOR EACH SECTOR THAT IS READ IN). IT IS FAIRLY EASY TO ADD AN INTERLEAVE LOOKUP TABLE TO RDOS 3.3 (IT'S CALLED RDOS 3.3A ON THE DISK), BUT BAD THINGS HAPPENED DURING MY ATTEMPTS TO INCORPORATE IT INTO THE SSI.INIT PROGRAM. THE CODE FROM $851 TO $86B NEEDS MORE ALTERATION THAN I HAD PATIENCE FOR (THERE'S ROOM FOR A PATCH IN $9D7-9FF), AND WOULD BE WORTH THE EFFORT IF SOME AMBITIOUS KRACKIST OUT THERE COULD FIND THE TIME...

FINALLY, AS A TYPICAL EXAMPLE OF MURPHY'S LAW ("IF ANYTHING CAN GO WRONG, IT WILL, AND AT THE WORST POSSIBLE MOMENT"), AFTER DOING ALL THIS AND CONVERTING SOME 20 GAMES, THE VERY LAST ONE I TRIED WAS GERMANY 1985. THIS IS A FAIRLY RECENT PUBLICATION OF SSI WHICH IS COMPLETELY WRITTEN IN MACHINE LANGUAGE, DOES NOT USE RDOS AT ALL, AND WILL REQUIRE A TOTALLY DIFFERENT APPROACH TO UNPROTECTION.

IN THE WORDS OF RICKY SKAGGS ("HEARTBROKE", FROM HIS "HIGHWAYS AND HEARTACHES" ALBUM):

   "PRIDE, WHEN YOU'RE RICH, IS A BORE WHEN YOU'RE LONELY,
    STILL MADNESS PREVAILS UPON REASON TO YIELD.
    BUT ALL IS NOT LOST, IT IS ONLY MISTAKEN,
    IT'S A SMALL CONSOLATION, BUT I KNOW JUST HOW YOU FEEL.
    NOBODY SAID IT WAS GOING TO BE EASY,
    WE ALL HAVE OUR WEAK SIDES AND NEED SOME GOOD TOUCHIN'.
    NOBODY SAID THAT IT WOULD NOT BE WORTH IT,
    THE HUMAN CONDITIONS -- CONTINUE AS SUCH."

SEE YOU "SOON" WITH ANOTHER IN THE BASICS OF KRACKING SERIES -- "WHERE DO I BEGIN..."

SORRY, NO MORE FOR THIS CALL!
===================