


*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*



***************************************
*                                     *
*                                     *
*                                     *
*                                     *
*                                     *
*     SINGLE-LOAD GAMES, STARTING     *
*     LOCATIONS, AND OBFUSCATION.     *
*                                     *
***************************************

     THE FIRST IN THIS SERIES WAS
STRAIGHTFORWARD, SINCE THE HARDWARE
RESET IS A NECESSITY TO BEGIN KRACKING.
AFTER THAT, THE PATH DIVIDES, AND THERE
ARE MANY, MANY WAYS OF PRODUCING AN
UNPROTECTED VERSION OF A PROGRAM.  THE
PATH YOU FOLLOW IS GOVERNED BY THREE
THINGS: THE KIND OF PROGRAM, THE TYPE
OF PROTECTION EMPLOYED, AND YOUR OWN
PERSONAL STYLE (STYLE, BY THE WAY, IS
PRIMARILY THE RESULT OF LIMITATIONS.
TRY TO KEEP AN OPEN MIND AND DEVELOP AS
MUCH VERSATILITY AS POSSIBLE).  THE
EASIEST KIND OF PROGRAM TO DEAL WITH IS
THE ONE THAT IS SEEN LESS FREQUENTLY
EVERY MONTH: THE "SINGLE-LOAD" PROGRAM
OR GAME. THESE ARE PROGRAMS WHICH ARE
LOADED IN FROM DISK ONLY ONCE, AND THEN
ARE RUN STRICTLY FROM MEMORY WITH NO
DISK ACCESS.  IN THE GOOD OLD DAYS,
ALMOST EVERY GAME WAS LIKE THIS, AND
REMOVING PROTECTION WAS NOT THAT
DIFFICULT.  ON THE OTHER HAND, WHEN YOU
READ SOMETHING LIKE OLAF LUBECK'S
CHALLENGE IN TRACK 17, SECTOR D OF
CANNONBALL BLITZ: "YOU'LL NEVER CRACK
IT", THERE'S MORE SATISFACTION WHEN YOU
GET TO SAY "OH, YES I DID!".

     IN ORDER TO BECOME PROFICIENT AT
THIS AND THE TECHNIQUES TO BE DISCUSSED
IN FUTURE EPISODES, YOU WILL HAVE TO
GET USED TO COMMITTING A VERY UNNATURAL
ACT: INTERPRETING ASSEMBLER CODE WITH
NO COMMENTS OR INSTRUCTIONS TO GUIDE
YOU. THE DISASSEMBLER (MONITOR 'L'
COMMAND) IS A GREAT HELP IN THIS WORK,
SINCE IT TRANSLATES MACHINE CODE INTO
ASSEMBLER MNEMONICS, BUT THE REAL
BURDEN FALLS ON THE INGENUITY OF THE
KRACKIST.  THERE IS NO SUBSTITUTE FOR
EXPERIENCE, AND NO ONE CAN TEACH YOU
HOW TO DO IT BEYOND POINTING OUT SOME
OF THE TECHNIQUES WE USE, AND WARNING
YOU ABOUT SOME OF THE TRICKS USED TO
KEEP YOU FROM SUCCEEDING.

     THE PHILOSOPHY OF ATTACK WITH
THESE GAMES IS TO FIND THE STARTING
LOCATION--THE ADDRESS WHICH WILL ALWAYS
RESTART THE GAME, AND THEN TO SAVE THE
GAME (PROGRAM) AS A NORMAL DOS 3.3
BINARY FILE.  AS A SIMPLE EXAMPLE OF A
STARTING LOCATION, YOU PROBABLY ALREADY
KNOW THAT WHEN YOU MESS UP WITH APPLE'S
"FID" PROGRAM, YOU CAN RESTART BY
TYPING '803G' FROM THE MONITOR.
AT ONE TIME, BEFORE THE PUBLISHERS GOT
SMART, A STARTING LOCATION WAS LIKELY
TO BE A COMMON, EVEN NUMBER LIKE $800,
C00, 4000, OR 6000, AND IT'S STILL
WORTH CHECKING THESE 'OLD FAVORITES' IN
CASE YOU FIND A NAIVE OR LAZY AUTHOR.
IF THESE FAIL, WE WILL HAVE TO BEGIN
THE PROCESS OF MEMORY SNOOPING.  THIS
IS THE INTRODUCTION TO THE UNGLAMOROUS
ACTIVITY THAT OCCUPIES MOST OF THE TIME
OF THE DEDICATED KRACKIST.  AS ALWAYS,
INSPECTOR AND WATSON IN ROM ARE HIGHLY
RECOMMENDED, SINCE THEY MAKE THE
PROCESS INFINITELY EASIER.  WHAT WE ARE
TRYING TO DO IS DIRECTLY LOCATE THE
BEGINNING ADDRESS OF THE PROGRAM, OR TO
SEARCH BACK TO IT FROM SOMETHING WE CAN
RECOGNIZE.

     SINCE MANY GAMES BEGIN BY
DISPLAYING A HI-RES "BANNER" OR GAME
SCREEN, A GOOD PLACE TO START LOOKING
IS THE SERIES OF INSTRUCTIONS THAT SET
UP THE HI-RES SCREEN (THERE IS A
DISCUSSION OF THIS IN THE DOC FOR
MASTERKEY PLUS, BUT THEY MAKE A FEW TOO
MANY ASSUMPTIONS).  APPLE'S SCREEN
DISPLAY, AS YOU PROBABLY KNOW, IS SET
UP BY ACCESSING SOME "SOFT SWITCHES".
IN HEX, THESE ARE LOCATIONS $C050 TO
C057 (SORRY, BUT IF YOU'RE GOING TO
LEARN THE GENTLE ART OF KRACKING,
YOU'LL HAVE TO BECOME FLUENT IN
HEXADECIMAL--WE WON'T PULL ANY PUNCHES
WHEN IT COMES TO NUMBER SYSTEMS). IT
DOESN'T MATTER WHAT YOU DO TO THESE
LOCATIONS, AS LONG AS YOU MAKE A
REFERENCE, SO THE FOLLOWING
INSTRUCTIONS ALL ESTABLISH GRAPHICS
MODE:

   LDA $C050,   BIT $C050,   ROL $C050
   STA $C050,   CMP $C050,   EOR $C050

(ALSO, THIS ONE: LDY #$71; AND $BFDF,Y,
SINCE $BFDF + $71 = $C050)

MANY AUTHORS HAVE ESTABLISHED THE
HABIT, HOWEVER, OF WRITING THE SEQUENCE

   LDA $C054   (SELECT PRIMARY PAGE)
   LDA $C057   (SELECT HI-RES GRAPHICS)
   LDA $C050   (SELECT GRAPHICS MODE)

AND SOMETIMES,

   LDA $C052   (PURE GRAPHICS SCREEN).

TO FIND THESE INSTRUCTIONS, USE THE
INSPECTOR'S 'FIND' FUNCTION, AND
PROGRAM IT TO SEARCH FOR THE TWO-BYTE
SEQUENCES OF '50 C0' AND '57 C0'.
GENERALLY, AS LONG AS THE WRITERS
AREN'T DELIBERATELY TRYING TO CONFUSE
YOU, YOU WILL FIND ONE TO SEVERAL
LOCATIONS WHERE THESE SEQUENCES ARE
CLOSE TO EACH OTHER. YOU WILL ALSO FIND
SOME ADDRESSES THAT DON'T REALLY
CONTAIN A SCREEN REFERENCE, SINCE THE
SEARCH IS ONLY FOR TWO BYTES (FOR YOU
TRIVIA/STATISTICS BUFFS OUT THERE, A
GIVEN TWO-BYTE SEQUENCE WOULD OCCUR ONLY
ABOUT 0.75 TIMES ($C000 BYTES / $10000
POSSIBLE VALUES), I.E. LESS THAN ONCE,
IN THE ENTIRE RAM MEMORY SPACE FROM 0 TO
$BFFF IF THE DISTRIBUTION WERE TRULY
RANDOM. IT'S NOT.).

     TO SEE IF EACH OCCURRENCE OF THE
PATTERN IS THE STARTING LOCATION, LOOK
BACKWARDS UNTIL YOU FIND AN ABSOLUTE
END FOR THE PREVIOUS SUBROUTINE SUCH AS
'RTS' OR 'JMP'.  YOUR SUBROUTINE SHOULD
BEGIN IMMEDIATELY AFTER THAT, AND YOU
SHOULD ASSUME FOR THE MOMENT THAT IT'S
THE STARTING LOCATION.  IF, FOR
EXAMPLE, THE LOCATION YOU FOUND IS
$4123, TEST IT BY RELOADING THE GAME,
RESETTING IT, AND TYPING '4123G'.  IF
IT RUNS, SIT BACK AND GLOAT, OTHERWISE
READ ON (IT SOUNDS UNNECESSARY TO
RELOAD, BUT THE INSPECTOR USES A FEW
LOCATIONS IN PAGES 0, 2, AND 3, SO IT'S
BEST TO BE SAFE). IF MURPHY'S LAW OF
DYNAMIC NEGATIVES IS WITH YOU AND THE
GAME DIDN'T START, IT'S USUALLY BECAUSE
YOU HAVEN'T FOUND THE TRUE STARTING
LOCATION.  YOU THEN NEED TO TRACE BACK
FURTHER IN THE PROGRAM SEQUENCE TO FIND
THE REAL START.
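     AS AN ADDED EXAMPLE (THIS IS NOT
KRAKOWICZ'S CODE AND IS NOT PART OF THE
ORIGINAL TEXT), HERE IS THE SEARCH-AND-
WALK-BACK PROCEDURE ABOVE DONE IN PYTHON
OVER A 64K MEMORY IMAGE, THE KIND YOU
WOULD HAVE AFTER DUMPING RAM TO DISK.
THE IMAGE, THE 16-BYTE CLUSTER WINDOW
AND THE $100-BYTE WALK-BACK LIMIT ARE MY
OWN ASSUMPTIONS; THE INSPECTOR ITSELF IS
NOT INVOLVED.

```python
# ADDED EXAMPLE, NOT CODE FROM THE ORIGINAL TEXT. A PYTHON STAND-IN FOR THE
# INSPECTOR'S 'FIND' OVER A 64K MEMORY IMAGE; THE IMAGE IS CONSTRUCTED HERE.

SOFT_SWITCH_PATTERNS = {
    "C050": b"\x50\xC0",   # GRAPHICS MODE ON
    "C057": b"\x57\xC0",   # HI-RES
}


def find_all(mem, pattern):
    """Every offset at which PATTERN occurs in MEM (overlaps allowed)."""
    hits, i = [], mem.find(pattern)
    while i != -1:
        hits.append(i)
        i = mem.find(pattern, i + 1)
    return hits


def expected_random_hits(ram_size=0xC000, pattern_len=2):
    """The 'trivia' figure: 48K of RAM divided by the 65536 possible
    two-byte values is 0.75, i.e. less than one hit if bytes were random."""
    return ram_size / 256 ** pattern_len


def clusters(hits, window=16):
    """Group hits lying within WINDOW bytes of the previous hit; a real
    screen setup shows up as several hits close together."""
    groups = []
    for h in sorted(hits):
        if groups and h - groups[-1][-1] <= window:
            groups[-1].append(h)
        else:
            groups.append([h])
    return groups


def candidate_start(mem, addr, limit=0x100):
    """Walk back from ADDR to the nearest $60 (RTS) or $4C (JMP) and return
    the address just past it. Deliberately naive: a $60 or $4C may also be
    an operand byte, which is why the text says to test with 'xxxxG'."""
    a = addr - 1
    while a >= 0 and addr - a <= limit:
        if mem[a] == 0x60:
            return a + 1
        if mem[a] == 0x4C:
            return a + 3
        a -= 1
    return None


def soft_switch_candidates(mem):
    """(first instruction of each hit cluster, guessed routine start)."""
    hits = []
    for pat in SOFT_SWITCH_PATTERNS.values():
        # the opcode sits one byte before the '50 C0' / '57 C0' operand
        hits += [h - 1 for h in find_all(mem, pat) if h > 0]
    return [(grp[0], candidate_start(mem, grp[0])) for grp in clusters(hits)]


def sample_image():
    """CONSTRUCTED 64K image: an RTS at $4122 ending some routine, the usual
    LDA $C054 / LDA $C057 / LDA $C050 setup at $4123, and a stray '50 C0'
    in data at $2000 to show a false hit."""
    mem = bytearray(0x10000)
    mem[0x4122] = 0x60
    mem[0x4123:0x412C] = bytes.fromhex("AD54C0 AD57C0 AD50C0")
    mem[0x2000:0x2002] = b"\x50\xC0"
    return bytes(mem)
```

ON THE SAMPLE IMAGE THE DATA HIT AT $2000
HAS NO RTS OR JMP BEHIND IT AND COMES OUT
WITH NO CANDIDATE, WHILE THE REAL SETUP
WALKS BACK TO $4123, THE ADDRESS YOU
WOULD THEN TRY WITH '4123G'.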

     THERE ARE THREE WAYS FOR ANOTHER
ROUTINE TO GET TO THE ONE YOU'RE
LOOKING AT: JMP, JSR, AND THE FAMILY OF
BRANCH INSTRUCTIONS.  TO ELIMINATE THE
THIRD POSSIBILITY, KEEP IN MIND THAT A
BRANCH IS RELATIVE: IT CAN REACH UP TO
$7F (127) BYTES FORWARD OR $80 (128)
BYTES BACK FROM THE BYTE FOLLOWING THE
BRANCH, SO EXAMINE THE CODE WITHIN THAT
DISTANCE BEFORE (AND, MORE RARELY,
AFTER) WHAT LOOKED LIKE A POSSIBLE
START. IF
YOU FIND A 'BNE 4123', OR 'BCC 4123',
ETC., YOU WILL HAVE TO TRACK BACK TO
THE BEGINNING OF THAT ROUTINE AND TRY
AGAIN.  REPEAT THIS PROCESS UNTIL YOU
FIND A LOCATION THAT CAN ONLY BE
REACHED BY A JMP OR JSR.

     TO FIND OUT HOW THE PROGRAM GOT TO
THIS LOCATION, DO A 3-BYTE SEARCH WITH
THE INSPECTOR FOR A JSR $4123: 20 23
41. IF NOTHING SHOWS UP, TRY THE JMP
$4123: 4C 23 41.  ONE OF THESE MUST
PRODUCE A REFERENCE, OR YOU MESSED UP
THE EARLIER CHECK FOR BRANCHES.  ONCE
YOU FIND THE EARLIER REFERENCE, GO
THROUGH THE SAME PROCEDURE TO FIND
THE START OF THIS ROUTINE, AND TRY IT
OUT AS A STARTING LOCATION FOR THE
GAME.  IF IT DOESN'T WORK, TRY ONE
MORE STEP FURTHER BACK (KRAKOWICZ'S
FOURTH LAW OF KRACKING SAYS THAT IF YOU
HAVE TO GO BACK MORE THAN TWO STEPS,
YOU'RE PROBABLY NOT ON THE RIGHT
TRAIL).
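     ADDED EXAMPLE, NOT FROM THE ORIGINAL
TEXT: THE THREE-BYTE JSR/JMP SEARCH AND
THE BRANCH CHECK FROM THE LAST TWO
PARAGRAPHS, IN PYTHON OVER A CONSTRUCTED
IMAGE.  IT GOES ONE STEP BEYOND THE TEXT
BY COMPUTING EVERY BRANCH TARGET RATHER
THAN EYEBALLING THE $80 BYTES AROUND THE
CANDIDATE.  THE IMAGE AND THE CANDIDATE
ADDRESS $4123 ARE ASSUMPTIONS CARRIED
OVER FROM THE TEXT'S EXAMPLE.

```python
# ADDED EXAMPLE, NOT FROM THE ORIGINAL TEXT: LIST EVERY INSTRUCTION THAT
# CAN TRANSFER CONTROL TO A CANDIDATE START, SO YOU KNOW WHETHER IT IS
# REACHED ONLY BY JSR/JMP (A REAL START) OR ALSO BY A BRANCH (KEEP GOING).

BRANCH_OPCODES = {0x10: "BPL", 0x30: "BMI", 0x50: "BVC", 0x70: "BVS",
                  0x90: "BCC", 0xB0: "BCS", 0xD0: "BNE", 0xF0: "BEQ"}


def branch_target(addr, offset):
    """6502 relative branch: the offset is a signed byte added to the
    address of the NEXT instruction (addr + 2), so a branch reaches from
    128 bytes back to 127 bytes forward of that point."""
    signed = offset - 0x100 if offset >= 0x80 else offset
    return (addr + 2 + signed) & 0xFFFF


def references_to(mem, target):
    """(address, mnemonic) of every JSR/JMP absolute whose operand is TARGET
    (the 3-byte search '20 lo hi' / '4C lo hi') and every branch that lands
    on it. Every byte is tried as an opcode, so an operand byte can fake a
    hit; confirm each one with the disassembler."""
    lo, hi = target & 0xFF, target >> 8
    refs = []
    for a in range(len(mem) - 2):
        op = mem[a]
        if op in (0x20, 0x4C) and mem[a + 1] == lo and mem[a + 2] == hi:
            refs.append((a, "JSR" if op == 0x20 else "JMP"))
        elif op in BRANCH_OPCODES and branch_target(a, mem[a + 1]) == target:
            refs.append((a, BRANCH_OPCODES[op]))
    return refs


def reached_only_by_call(mem, target):
    """True when TARGET has at least one reference and none of them is a
    branch, i.e. it is worth testing as a starting location. No reference
    at all means the earlier branch check was botched (the text's point)."""
    refs = references_to(mem, target)
    return bool(refs) and all(m in ("JSR", "JMP") for _, m in refs)


def sample_image():
    """CONSTRUCTED image: JSR $4123 at $0900, BNE $4123 at $40F0 (forward
    branch, offset $31), BCC $4123 at $4140 (backward branch, offset $E1)."""
    mem = bytearray(0x10000)
    mem[0x0900:0x0903] = bytes.fromhex("20 23 41")
    mem[0x40F0:0x40F2] = bytes.fromhex("D0 31")
    mem[0x4140:0x4142] = bytes.fromhex("90 E1")
    return bytes(mem)
```

HERE $4123 IS REACHED BY A JSR FROM $0900
BUT ALSO BY TWO BRANCHES, SO IT IS NOT
YET THE ROUTINE'S TRUE START; YOU WOULD
TRACK BACK TO THE BEGINNING OF THE
ROUTINE HOLDING THE BNE AND REPEAT.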

     A NUMBER OF GAMES STILL DO US THE
FAVOR OF PUTTING UP A SCREEN, PERHAPS
PLAYING A LITTLE MUSIC, AND THEN
WAITING FOR THE SPACE BAR OR OTHER KEY
TO BE PRESSED.  IF IT'S NOT POSSIBLE TO
FIND THE SCREEN SETUP, WE STILL HAVE A
FAIRLY OBVIOUS "HOOK" INTO FINDING THE
STARTING ADDRESS, AND IN MANY CASES THE
GAME CAN BE SAVED 'AS IS' BY USING THE
KEYBOARD ROUTINE AS THE STARTING
ADDRESS. DON'T WORRY FOR NOW ABOUT
EXACTLY HOW WE WILL "SAVE THE GAME".
WE'LL GO THROUGH THAT CAREFULLY AND
THOROUGHLY IN THE NEXT EPISODE.

     SINCE THE KEYBOARD ADDRESS IS
C000, WE CAN USUALLY LOCATE ALL THE
INPUTS BY SEARCHING FOR THE 3-BYTE
SEQUENCE OF 'AD 00 C0' WITH THE
INSPECTOR. OCCASIONALLY, THE X OR Y
REGISTER IS USED TO LOAD KEYBOARD DATA,
SO THE SEQUENCES AC 00 C0 AND AE 00 C0
SHOULD BE TRIED IF THE FIRST COMES UP
BLANK (ONLY THE REAL BASTARDS LIKE
SIRIUS USE LDY #$67; LDA $BF99,Y FOR
THE KEYBOARD INPUT, SINCE $BF99 + $67 =
$C000).  ALSO, KEEP IN
MIND THAT ALL THE ADDRESSES FROM C000
TO C00F WILL ACCESS THE KEYBOARD, AND
IF SOMEONE WAS REALLY DETERMINED TO
CONFUSE YOU THEY COULD USE C007 ONE
TIME, C00D THE NEXT, AND SO ON.  IF YOU
KNOW THAT THE GAME USES THE KEYBOARD
AND THE PRELIMINARY SEARCHES DON'T SHOW
HOW, KEEP ON LOOKING FOR THESE
ADDRESSES, OR THE SIRIUS-TYPE COMPUTED
ADDRESSES.  IT PROBABLY MEANS THEY HAVE
SOMETHING TO HIDE, AND LOCATING THE
KEYBOARD READ WILL REVEAL ENOUGH TO
MAKE THE SEARCH WORTHWHILE.

     IF THE PROGRAM IS WAITING FOR THE
SPACE BAR, YOU WILL USUALLY FIND A
SEQUENCE LIKE:

  78E0: LDA $C000   ;READ THE KEYBOARD
        BPL $78E0   ;NO KEY PRESSED
        STA $C010   ;RESET KBD STROBE
       *CMP #$A0    ;WAS IT SPACE?
       *BNE $78E0   ;NOPE, KEEP TRYING
        JMP $6012   ;YES, GO TO START

*THESE TWO LINES ARE ELIMINATED IF
PRESSING ANY KEY WILL START THE GAME.

     TO CHECK OUT 6012 AS A STARTING
ADDRESS, SET UP TO VIEW THE HI-RES
SCREEN (OTHERWISE THE GAME MIGHT BE
RUNNING WHILE YOU WATCH A BLANK TEXT
SCREEN) WITH: C050 (CR) C057 (CR)
(EXAMINING AN ADDRESS FROM THE MONITOR
READS IT, WHICH IS ALL A SOFT SWITCH
NEEDS), THEN TYPE 6012G. AS BEFORE, YOU
WILL KNOW AT
ONCE IF YOU WERE SUCCESSFUL.

     ANOTHER WAY TO FIND A RESTART
POINT IS TO SEARCH THROUGH THE KEYBOARD
INPUT ROUTINES FOR A RESTART KEY.  IT
HAS BECOME CONVENTIONAL TO USE CTRL-R
AS THE RESTART COMMAND (OCCASIONALLY
CTRL-S OR CTRL-B), AND THIS IS EVEN
EASIER TO TRACE. IN ONE OF THE ROUTINES
FOLLOWING A C000 REFERENCE, YOU WILL
FIND A CMP #$92 (SEE THE REFERENCE
MANUAL, P. 7 FOR THE HEX VALUES OF THE
KEYBOARD). THE LOCATION BRANCHED TO OR
JUMPED TO BY A SUCCESSFUL COMPARE WILL
BE THE RESTART FOR THE GAME. AGAIN, YOU
CAN SAVE THE GAME AS IS AND USE YOUR
NEW-FOUND STARTING LOCATION.
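     ADDED EXAMPLE (NOT FROM THE ORIGINAL
TEXT): THE KEYBOARD HUNT OF THE LAST
FOUR PARAGRAPHS IN PYTHON.  IT SEARCHES
FOR THE DIRECT 'AD/AC/AE xx C0' READS OF
ANY ADDRESS C000-C00F, FOR THE SIRIUS-
STYLE 'LDY #n' PLUS ABS,Y READ WHOSE
BASE + n LANDS IN THAT RANGE, AND THEN
FOR THE CMP #imm THAT FOLLOWS A READ,
DECODING SPACE ($A0) AND CTRL-R ($92)
AS ASCII WITH BIT 7 SET.  THE IMAGE IS
CONSTRUCTED FROM THE TEXT'S SPACE-BAR
LOOP PLUS A FEW ASSUMED ADDRESSES.

```python
# ADDED EXAMPLE, NOT FROM THE ORIGINAL TEXT: LOCATE KEYBOARD READS IN A
# MEMORY IMAGE, INCLUDING THE C000-C00F ALIASES AND THE SIRIUS-STYLE
# 'LDY #$67; LDA $BF99,Y' COMPUTED ADDRESS, THEN DECODE THE KEY COMPARE.

ABS_LOADS = {0xAD: "LDA", 0xAC: "LDY", 0xAE: "LDX"}        # absolute
ABS_Y_OPS = {0xB9: "LDA", 0x39: "AND", 0x59: "EOR",
             0x19: "ORA", 0xBE: "LDX", 0xD9: "CMP"}        # absolute,Y
KEYBOARD = range(0xC000, 0xC010)   # all sixteen addresses read the keyboard


def key_value(ch):
    """What the keyboard latch returns for CH: ASCII with bit 7 set,
    so space is $A0."""
    return ord(ch) | 0x80


def ctrl_key_value(ch):
    """Control characters: letter minus $40, bit 7 set; CTRL-R is $92."""
    return (ord(ch.upper()) - 0x40) | 0x80


def keyboard_reads(mem):
    """(address, description) for each direct read of $C000-$C00F and each
    'LDY #n' immediately followed by an abs,Y instruction whose base + n
    lands in that range."""
    hits = []
    for a in range(2, len(mem) - 2):
        op = mem[a]
        base = mem[a + 1] | (mem[a + 2] << 8)
        if op in ABS_LOADS and base in KEYBOARD:
            hits.append((a, "%s $%04X" % (ABS_LOADS[op], base)))
        elif op in ABS_Y_OPS and mem[a - 2] == 0xA0:         # LDY #imm before it
            y = mem[a - 1]
            if (base + y) & 0xFFFF in KEYBOARD:
                hits.append((a - 2, "LDY #$%02X; %s $%04X,Y -> $%04X"
                             % (y, ABS_Y_OPS[op], base, base + y)))
    return hits


def key_compares(mem, read_addr, window=16):
    """CMP #imm ($C9 xx) within WINDOW bytes after a keyboard read, with the
    key decoded. $C9 can also be an operand byte; check the listing."""
    names = {key_value(" "): "SPACE", ctrl_key_value("R"): "CTRL-R",
             ctrl_key_value("S"): "CTRL-S", ctrl_key_value("B"): "CTRL-B"}
    out = []
    for a in range(read_addr, min(read_addr + window, len(mem) - 1)):
        if mem[a] == 0xC9:
            out.append((a, mem[a + 1], names.get(mem[a + 1], "?")))
    return out


def sample_image():
    """CONSTRUCTED image: the text's space-bar loop at $78E0, a Sirius-style
    computed read at $7000, an aliased LDY $C007 at $7100, a CTRL-R check
    at $7300. LDA $C010 at $7200 is the strobe reset, not a read."""
    mem = bytearray(0x10000)
    mem[0x78E0:0x78EF] = bytes.fromhex("AD00C0 10FB 8D10C0 C9A0 D0F4 4C1260")
    mem[0x7000:0x7005] = bytes.fromhex("A067 B999BF")
    mem[0x7100:0x7103] = bytes.fromhex("AC07C0")
    mem[0x7200:0x7203] = bytes.fromhex("AD10C0")
    mem[0x7300:0x7307] = bytes.fromhex("AD00C0 C992 D0F9")
    return bytes(mem)
```

THE COMPUTED-ADDRESS CHECK ONLY CATCHES
AN LDY IMMEDIATELY BEFORE THE INDEXED
READ; IF THE Y REGISTER IS LOADED
EARLIER, OR FROM MEMORY, YOU ARE BACK TO
READING THE LISTING BY HAND.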

     IF THESE RELATIVELY SIMPLE
APPROACHES FAIL, YOU'LL HAVE TO RESORT
TO THE REAL GRUNT TYPE OF DETECTIVE
WORK--LOOKING FOR SOMETHING PROMISING
(WE'LL DISCUSS BOOT-TRACING AS AN
ALTERNATIVE WAY OF GETTING TO THIS
POINT IN ANOTHER EPISODE DEVOTED
ENTIRELY TO THAT TECHNIQUE).  LIKELY
THINGS TO LOOK FOR ARE "SETUPS", WHERE
A LOT OF ZERO PAGE LOCATIONS ARE
INITIALIZED TO BEGIN THE GAME:

           LDA #$00
           STA $23
           STA $57
           LDA #$12
           STA $30
           LDA #$E9
           STA $72
           ETC.
           ETC

OR, SOMETIMES, A GAME START IS
INDICATED BY A SUBROUTINE SEQUENCE
WHICH MAPS OUT THE PATH FOR THE GAME
(THIS IS AN INDICATION OF AN
EXPERIENCED, WELL-DISCIPLINED
PROGRAMMER, AND THUS IS MORE COMMONLY
SEEN IN BUSINESS OR PROFESSIONAL
PROGRAMS; RARELY IN GAME PROGRAMMING).

        JSR $8CD
        JSR $CE4
        JSR $2020
        JSR $203D
        JSR $8FE
        ETC.

AND, ALTHOUGH IT'S LESS OFTEN THE START
OF A PROGRAM OR GAME, A "JUMP TABLE"
CAN BE A SIGNIFICANT CLUE TO THE
ORGANIZATION OF THE PROGRAM:

        JMP $204D
        JMP $2433
        JMP $EF2
        JMP $2077
        ETC.

     UNFORTUNATELY, SNOOPING FOR THESE
IS A TIME-CONSUMING, HIT-AND-MISS
OPERATION - THE REAL STARTING ADDRESS
CAN BE ANYWHERE FROM 0000 TO BFFF (OR
EVEN VIA A BASIC SUBROUTINE IN
D000-F7FF, BUT I DON'T WANT TO
DISCOURAGE YOU YET).
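     ADDED EXAMPLE (NOT PART OF THE
ORIGINAL TEXT): A PYTHON SCAN FOR THE
THREE "PROMISING" SHAPES JUST DESCRIBED,
A ZERO-PAGE SETUP, A RUN OF JSRS AND A
JUMP TABLE, SO THE GRUNT WORK OF PAGING
THROUGH 48K OF LISTING CAN AT LEAST BE
NARROWED DOWN.  THE IMAGE IS CONSTRUCTED
FROM THE THREE LISTINGS ABOVE; THE
ADDRESSES $0800, $0900 AND $0A00 AND THE
MINIMUM RUN LENGTHS ARE MY ASSUMPTIONS.

```python
# ADDED EXAMPLE, NOT FROM THE ORIGINAL TEXT: SCAN A MEMORY IMAGE FOR A
# ZERO-PAGE SETUP, A RUN OF JSRS AND A JUMP TABLE. THE IMAGE IS CONSTRUCTED
# FROM THE LISTINGS IN THE TEXT.

def runs_of(mem, opcode, min_len=3):
    """(start, count) for every run of at least MIN_LEN back-to-back 3-byte
    instructions with OPCODE: $20 (JSR) gives a subroutine sequence, $4C
    (JMP) a jump table. The scan is byte-aligned, so a run that begins
    inside an operand is possible; inspect each hit."""
    runs, a = [], 0
    while a < len(mem) - 2:
        n = 0
        while a + 3 * n + 2 < len(mem) and mem[a + 3 * n] == opcode:
            n += 1
        if n >= min_len:
            runs.append((a, n))
            a += 3 * n
        else:
            a += 1
    return runs


def zero_page_setups(mem, min_stores=3):
    """(start, stores) for each stretch of 'LDA #imm' ($A9) and 'STA zp'
    ($85) instructions with at least MIN_STORES zero-page stores, the
    shape of a game's initialisation."""
    found, a = [], 0
    while a < len(mem) - 1:
        if mem[a] != 0xA9:
            a += 1
            continue
        start, stores, p = a, 0, a
        while p < len(mem) - 1 and mem[p] in (0xA9, 0x85):
            if mem[p] == 0x85:
                stores += 1
            p += 2
        if stores >= min_stores:
            found.append((start, stores))
        a = p
    return found


def sample_image():
    """CONSTRUCTED: the text's JSR sequence at $0800, its jump table at
    $0900 and its zero-page setup at $0A00 (STA $23 etc. use opcode $85)."""
    mem = bytearray(0x10000)
    mem[0x0800:0x080F] = bytes.fromhex("20CD08 20E40C 202020 203D20 20FE08")
    mem[0x0900:0x090C] = bytes.fromhex("4C4D20 4C3324 4CF20E 4C7720")
    mem[0x0A00:0x0A0E] = bytes.fromhex("A900 8523 8557 A912 8530 A9E9 8572")
    return bytes(mem)
```

NOTE THAT 'JSR $2020' IS THE BYTES 20 20
20, WHICH IS EXACTLY WHY THE SCAN MUST
BE CONFIRMED AGAINST A DISASSEMBLY: A
MISALIGNED START INSIDE SUCH AN OPERAND
LOOKS LIKE THE BEGINNING OF A RUN.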

     WHILE IT WILL BE DISCONCERTING TO
THE BEGINNER, AS YOU GET MORE
EXPERIENCE YOU BEGIN TO ENJOY DEFEATING
VARIOUS DELIBERATE ATTEMPTS TO THROW
YOU OFF THE TRAIL--THE GENERAL SUBJECT
OF OBFUSCATION, OR INTENTIONAL LACK OF
CLARITY.  BECAUSE THE MAJOR SOFTWARE
COMPANIES KNOW WE'RE OUT HERE WAITING
FOR THEIR LATEST OUTPUT, THEY OFTEN TRY
TO MISDIRECT US OR FIND INNOVATIVE WAYS
OF HIDING SENSITIVE PORTIONS OF THE
PROGRAM WITH A VARIETY OF TECHNIQUES.
TAKE A LOOK AT THE FOLLOWING PIECE OF
CODE FROM ON-LINE'S CANNONBALL BLITZ:

59E4-   CE E7 59    DEC   $59E7
59E7-   CF          ???
59E8-   EA          NOP
59E9-   59 EF EA    EOR   $EAEF,Y
59EC-   59 AD 51    EOR   $51AD,Y
59EF-   C0 AD       CPY   #$AD
59F1-   54          ???
59F2-   C0 AD       CPY   #$AD
59F4-   57          ???
59F5-   C0 AD       CPY   #$AD
59F7-   52          ???
59F8-   C0 20       CPY   #$20
59FA-   60          RTS
59FB-   5B          ???
59FC-   20 C5 5B    JSR   $5BC5
59FF-   20 4E 5B    JSR   $5B4E

THIS IS AN EXAMPLE OF "SELF-MODIFYING
CODE"-INSTRUCTIONS THAT CHANGE AS THE
PROGRAM IS RUN.  IT'S DANGEROUS AND
GENERALLY POOR PROGRAMMING PRACTICE,
BUT IT CAN BE USED TO THROW THE DOGS
OFF THE SCENT. AT FIRST GLANCE, IT
LOOKS LIKE DATA OR GARBAGE STUCK IN
BEFORE SOME REAL CODE. LET'S LOOK AT
EXACTLY HOW IT WORKS. EXECUTING THE
FIRST INSTRUCTION CHANGES THE SECOND
INSTRUCTION FROM JUNK INTO A LEGAL
INSTRUCTION:

59E4-   CE E7 59    DEC   $59E7
59E7-   CE EA 59    DEC   $59EA
59EA-   EF          ???
59EB-   EA          NOP
59EC-   59 AD 51    EOR   $51AD,Y
59EF-   C0 AD       CPY   #$AD

(IF YOU HAVE AN OLD MONITOR ROM, YOU
CAN TYPE 59E4S TO EXECUTE THE FIRST
INSTRUCTION).  IF WE EXECUTE THE SECOND
INSTRUCTION, THE ENTIRE PICTURE
CHANGES:

59E4-   CE E7 59    DEC   $59E7
59E7-   CE EA 59    DEC   $59EA
59EA-   EE EA 59    INC   $59EA
59ED-   AD 51 C0    LDA   $C051
59F0-   AD 54 C0    LDA   $C054
59F3-   AD 57 C0    LDA   $C057
59F6-   AD 52 C0    LDA   $C052
59F9-   20 60 5B    JSR   $5B60
59FC-   20 C5 5B    JSR   $5BC5
59FF-   20 4E 5B    JSR   $5B4E
5A02-   A9 04       LDA   #$04
5A04-   8D EC B7    STA   $B7EC
5A07-   A9 00       LDA   #$00
5A09-   8D EB B7    STA   $B7EB
5A0C-   A9 00       LDA   #$00
5A0E-   8D F0 B7    STA   $B7F0
5A11-   A9 60       LDA   #$60
5A13-   8D F1 B7    STA   $B7F1
5A16-   A9 40       LDA   #$40
5A18-   20 45 5A    JSR   $5A45
5A1B-   10 01       BPL   $5A1E
5A1D-   A9 20       LDA   #$20
5A1F-   91 5A       STA   ($5A),Y
5A21-   AD 50 C0    LDA   $C050
5A24-   A9 09       LDA   #$09

SUDDENLY, THE SCREEN SETUP CODE THAT
WAS ALWAYS THERE POPS INTO VIEW. THIS
POINTS OUT THE VALUE OF SEARCHING WITH
THE INSPECTOR, SINCE EVEN THE CLOSEST
SCRUTINY WOULD PROBABLY NOT HAVE MADE
YOU SUSPECT WHAT WAS ACTUALLY HERE.
NOTICE, TOO, THAT THE THIRD INSTRUCTION
INCREMENTS 59EA, SO ONCE IT'S BEEN RUN,
IT'S OBSCURED AGAIN.

     ANOTHER STANDARD TRICK, ALSO SHOWN
IN THIS EXAMPLE, IS CALLED "FALSE
DISASSEMBLY", AND IS DEAR TO EDU-WARE,
ON-LINE, IDSI, AND SCIENTIFIC RESEARCH
ASSOCIATES.  HERE, EXTRA BYTES ARE
ADDED FOR THE SOLE PURPOSE OF GIVING A
FALSE INDICATION OF PROGRAM FLOW; THE
FAKE BYTES ARE THEN BRANCHED AROUND.
LOOK CLOSELY AT THE INSTRUCTION IN
5A1B-IT SAYS BPL 5A1E.  THE NEXT
INSTRUCTIONS IN SEQUENCE APPEAR TO THE
CASUAL EYE TO BE LDA #$20; STA ($5A),Y.
ACTUALLY, THE NEXT INSTRUCTION IS JSR
$5A91. THIS IS CRUCIAL, SINCE THIS
SUBROUTINE LOADS IN THE GAME AND DOES A
NIBBLE COUNT.  TO SEE A WHOLE BUNCH OF
FALSE DISASSEMBLIES IN A ROW, LOOK AT
THE CODE IN THE ACTUAL SUBROUTINE:

5A91-   A9 00       LDA   #$00
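     ADDED EXAMPLE (NOT FROM THE ORIGINAL
TEXT, AND NOT ON-LINE'S CODE): A SMALL
6502 DISASSEMBLER IN PYTHON COVERING
ONLY THE OPCODES IN THE CANNONBALL BLITZ
LISTING, RUN OVER THOSE SAME BYTES.  IT
SHOWS BOTH TRICKS AT ONCE: THE TWO DECS
TURNING JUNK INTO THE SCREEN SETUP AND
THE INC HIDING IT AGAIN, AND THE BPL AT
5A1B LANDING ON THE '20' INSIDE THE FAKE
LDA #$20 SO THAT JSR $5A91 APPEARS.
THE BYTES ARE COPIED FROM THE LISTING
ABOVE; THE EXECUTE-ONE-DEC HELPER IS MY
STAND-IN FOR THE OLD MONITOR'S 'S'.

```python
# ADDED EXAMPLE, NOT FROM THE ORIGINAL TEXT: A SMALL 6502 DISASSEMBLER
# (ONLY THE OPCODES THE CANNONBALL BLITZ LISTING USES) RUN OVER THE BYTES
# FROM THAT LISTING, BEFORE AND AFTER THE TWO SELF-MODIFYING DECS, PLUS
# THE BPL THAT BRANCHES INTO THE MIDDLE OF A FAKE 'LDA #$20'.

OPCODES = {   # opcode: (format, size); 'rel' = relative branch
    0xEA: ("NOP", 1),           0x60: ("RTS", 1),
    0xA9: ("LDA #$%02X", 2),    0xC0: ("CPY #$%02X", 2),
    0x91: ("STA ($%02X),Y", 2), 0x10: ("BPL", "rel"),
    0x20: ("JSR $%04X", 3),     0x4C: ("JMP $%04X", 3),
    0xAD: ("LDA $%04X", 3),     0x8D: ("STA $%04X", 3),
    0xCE: ("DEC $%04X", 3),     0xEE: ("INC $%04X", 3),
    0x59: ("EOR $%04X,Y", 3),
}


def disassemble(mem, addr, count):
    """COUNT instructions from ADDR as (address, text); unknown opcodes
    come out as '???' with length 1, like the monitor's L command."""
    lines = []
    for _ in range(count):
        op = mem[addr]
        if op not in OPCODES:
            lines.append((addr, "???"))
            addr += 1
            continue
        fmt, size = OPCODES[op]
        if size == "rel":
            off = mem[addr + 1]
            target = (addr + 2 + (off - 0x100 if off >= 0x80 else off)) & 0xFFFF
            text, size = "%s $%04X" % (fmt, target), 2
        elif size == 1:
            text = fmt
        elif size == 2:
            text = fmt % mem[addr + 1]
        else:
            text = fmt % (mem[addr + 1] | (mem[addr + 2] << 8))
        lines.append((addr, text))
        addr += size
    return lines


def execute_rmw(mem, addr):
    """Execute one DEC/INC absolute at ADDR in place (what the old monitor's
    'xxxxS' single-step would do) and return the next address."""
    op = mem[addr]
    target = mem[addr + 1] | (mem[addr + 2] << 8)
    delta = {0xCE: -1, 0xEE: 1}[op]          # only DEC abs / INC abs here
    mem[target] = (mem[target] + delta) & 0xFF
    return addr + 3


def sample_image():
    """CONSTRUCTED from the bytes in the listing, $59E4-$5A25, before any
    instruction has run."""
    mem = bytearray(0x10000)
    mem[0x59E4:0x5A26] = bytes.fromhex(
        "CEE759 CF EA 59 EF EA 59 AD51C0 AD54C0 AD57C0 AD52C0"
        " 20605B 20C55B 204E5B"
        " A904 8DECB7 A900 8DEBB7 A900 8DF0B7 A960 8DF1B7 A940"
        " 20455A 1001 A920 915A AD50C0 A909")
    return mem


def reveal(mem):
    """Run the DEC at $59E4 and then the one it creates at $59E7; return the
    listing from $59E4 with the screen setup now visible."""
    pc = execute_rmw(mem, 0x59E4)   # CF -> CE: $59E7 becomes DEC $59EA
    execute_rmw(mem, pc)            # EF -> EE: $59EA becomes INC $59EA
    return [text for _, text in disassemble(mem, 0x59E4, 7)]
```

AFTER reveal() THE INC AT $59EA IS THE
NEXT INSTRUCTION TO RUN, AND EXECUTING
IT PUTS THE $EF BACK, SO A DUMP TAKEN
AFTER THE GAME HAS STARTED SHOWS THE
SAME JUNK AS ONE TAKEN BEFORE.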
