***************************************
*                                     *
*     BOZO'S PROGRAM CRACKER ROM      *
*    REVISION 1.1 -- JANUARY 1982     *
*                                     *
***************************************
*
* NOTE: THIS PGM WILL NOT WORK UNLESS 'TO', 'FROM', AND 'STOP' ALL EQUATE TO
*       PAGE BOUNDARIES (E.G. 2000, 4400, ETC)
*
***************************************
* THE BASIS OF THIS LITTLE PROGRAM IS THE USE OF ABSOLUTE INDEXED INCREMENT *
* ADDRESSING  (E.G.  LDA  400,X   STA 2400,X   INX). TO KEEP THE LENGTH  AS *
* SHORT AS POSSIBLE,  SELF-MODIFYING CODE IS USED.   THE  ABSOLUTE INDEXING *
* MODE CAN ONLY  MOVE 1 PAGE AT A TIME,   THE SELF-MODIFICATION PART ALLOWS *
* ONE TO MOVE MORE THAN 1 PAGE, WITHOUT HAVING TO DUPLICATE THE CODE OVER & *
* OVER  FOR  EACH  PAGE   ($FF BYTES).    SINCE SELF-MODIFYING CODE MUST BE *
* RAM  BASED,  THE FIRST PART OF THIS PGM MOVES THE SECOND  PART  FROM  ROM *
* INTO RAM; IT THEN JUMPS TO THE BEGINNING OF THE CODE IT JUST MOVED....... *
* !!!!! WARNING !!!!!  NOTE THAT MOST ASSEMBLERS WILL CODE THE:  LDA FROM,X *
* INCORRECTLY WHEN FROM EQUATES IN THE ZERO PAGE;   THIS WILL RESULT IN TWO *
* OP-CODES  BEING GENERATED INSTEAD  OF  THREE,  AND WILL MESS UP THE SELF- *
* MODIFYING PART.  THIS SOURCE IS MEANT MOSTLY AS AN AID  TO UNDERSTANDING; *
* USE THE OBJECT CODE WHICH FOLLOWS,  WHEN MODIFYING YOUR F8 MONITOR.       *
*
*        ORG $FCC9 ;THIS IS THE TAPE WRITE SECTION OF F8 ROM
*                  ;AND THE BEGINNING OF ROM BASED CODE
    FROM EQU $0000 ;BEGINNING OF MEMORY TO SAVE
      TO EQU $2000 ;LOCATION TO BEGIN SAVING CODE
    STOP EQU $2800 ;LOCATION + 1 TO STOP SAVING CODE
    CODE EQU $2800 ;BEGINNING OF RELOCATED (RAM) BASED CODE
   RESET EQU $FF59
*                  ;!!! PROGRAM START !!!
         CLD
         LDX #0
   LOOP1 LDA MOVE,X
         STA CODE,X
         INX
         CPX #$1B ;LENGTH OF ROM CODE TO MOVE
         BNE LOOP1
         JMP CODE
    MOVE LDY #/STOP
         LDX #0
   LOOP2 LDA FROM,X
         STA TO,X 
         INX
         BNE LOOP2
         INC CODE+6
         INC CODE+9
         CPY CODE+9
         BNE LOOP2
         JMP RESET
         END

HERE'S THE ASSEMBLED OBJECT,  READY TO DROP IN AT $FCC9.  THIS IS
ONE OF THE TAPE WRITE ROUTINES IN THE F8 ROM;  SINCE I DON'T
USE TAPE, AND I WANTED TO PRESERVE THE ROM ROUTINES, I CHOSE THIS
LOCATION.   IF YOU WANT TO LOCATE IT SOMEWHERE ELSE,  FEEL  FREE,
BUT BEWARE THAT IT IS NOT RELOCATABLE WITHOUT A FEW CHANGES.


FCC9: D8 A2 00 BD DA FC 9D 00
FCD1: 28 E8 E0 1B D0 F5 4C 00
FCD9: 28 A0 28 A2 00 BD 00 00
FCE1: 9D 00 20 E8 D0 F7 EE 06
FCE9: 28 EE 09 28 CC 09 28 D0
FCF1: EC 4C 59 FF
                                        HAVE FUN (?)
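As an added example, not part of Bozo's post: a minimal Python interpreter for just the eleven 6502 opcodes the object listing above uses, which drops those bytes in at $FCC9 over a constructed 64K image and checks that $0000-$07FF lands at $2000-$27FF and that the INC instructions really advanced the operand high bytes of the relocated LDA/STA. The sample RAM contents and the function names are my own; the opcode bytes are the listing's.

```python
# Added example, not from the original post: a tiny 6502 interpreter that
# knows only the eleven opcodes in Bozo's object listing, used to check
# that the dump at $FCC9 copies $0000-$07FF to $2000-$27FF.
OBJECT = bytes.fromhex(
    "D8A200BDDAFC9D0028E8E01BD0F54C0028"                        # $FCC9-$FCD9
    "A028A200BD00009D0020E8D0F7EE0628EE0928CC0928D0EC4C59FF")   # $FCDA-$FCF4
ORG, CODE, RESET = 0xFCC9, 0x2800, 0xFF59

def run(mem, pc, max_steps=100_000):
    """Execute from pc until control reaches RESET; return instructions run."""
    a = x = y = 0
    z = False                                  # only the Z flag matters here
    for step in range(max_steps):
        if pc == RESET:
            return step
        op, lo, hi = mem[pc], mem[(pc + 1) & 0xFFFF], mem[(pc + 2) & 0xFFFF]
        addr = lo | (hi << 8)
        if op == 0xD8:   pc += 1                                   # CLD
        elif op == 0xA2: x = lo; z = x == 0; pc += 2               # LDX #imm
        elif op == 0xA0: y = lo; z = y == 0; pc += 2               # LDY #imm
        elif op == 0xBD: a = mem[(addr + x) & 0xFFFF]; z = a == 0; pc += 3  # LDA abs,X
        elif op == 0x9D: mem[(addr + x) & 0xFFFF] = a; pc += 3     # STA abs,X
        elif op == 0xE8: x = (x + 1) & 0xFF; z = x == 0; pc += 1   # INX
        elif op == 0xE0: z = x == lo; pc += 2                      # CPX #imm
        elif op == 0xEE:                           # INC abs: the self-modifying step
            mem[addr] = (mem[addr] + 1) & 0xFF; z = mem[addr] == 0; pc += 3
        elif op == 0xCC: z = y == mem[addr]; pc += 3               # CPY abs
        elif op == 0xD0:                                           # BNE rel
            pc += 2
            if not z:
                pc = (pc + (lo - 256 if lo > 127 else lo)) & 0xFFFF
        elif op == 0x4C: pc = addr                                 # JMP abs
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {pc:04X}")
    raise RuntimeError("did not reach RESET")

def dump_low_memory():
    """Build a 64K image with constructed data in $0000-$07FF, run the patch."""
    mem = bytearray(0x10000)
    for i in range(0x800):
        mem[i] = (i * 7 + 3) & 0xFF            # constructed sample contents
    mem[ORG:ORG + len(OBJECT)] = OBJECT        # drop the ROM patch in at $FCC9
    steps = run(mem, ORG)
    return mem, steps

if __name__ == "__main__":
    mem, steps = dump_low_memory()
    ok = mem[0x2000:0x2800] == mem[0x0000:0x0800]
    print(f"{steps} instructions; copy intact: {ok}; "
          f"LDA/STA page bytes now ${mem[CODE + 6]:02X}/${mem[CODE + 9]:02X}")
```

After the run the relocated LDA operand reads $08xx and the STA operand $28xx, which is exactly the CPY condition that ends LOOP2.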
---------------------------------------
---------------------------------------
--  How to modify the 16k Ram Board  --
             By: Axe Man 
---------------------------------------

WRITE PROTECT:
    LIFT PIN #3 FROM U18 CHIP & CONNECT
    TO ONE SIDE OF SWITCH.
    CONNECT SOCKET AND PIN #13 74LS175
    TO CENTER OF SWITCH
    CONNECT TOP OF R3 TO OTHER SIDE OF
    THE SWITCH

R3---------------------O
                       !
                       /  NORMAL OPEN
                       !
PIN #13----------------O
74LS175                !
                       /  NORMAL CLOSED
                       !
PIN #3-----------------O
U18

CHANGES FOR RAM & ROM:
    LIFT PIN #3 FROM U14 CHIP & CONNECT
    TO ONE SIDE OF SWITCH
    CONNECT SOCKET AND PIN #5 74LS175
    TO CENTER OF SWITCH
    CONNECT GROUND TO OTHER SIDE

GROUND-----------------O
                       !
                       /  NORMAL OPEN
                       !
PIN #5-----------------O
74LS175                !
                       /  NORMAL CLOSED
                       !
PIN #3-----------------O
U14

* * * * * * * W A R N I N G * * * * * *
THIS IS DONE AT YOUR OWN RISK
IT WILL VOID YOUR GUARANTEE
WE ASSUME NO RESPONSIBILITY FOR RESULTS
* * * * * * * W A R N I N G * * * * * *

IT SEEMS THERE'S A DEMAND FOR A W/P
SWITCH ON THE ANDROMEDA -- SO HERE IT
IS ...
 
LOCATED ON THE ANDROMEDA RAM CARD IS
A PIN NUMBER 25 WHICH HAPPENS TO BE
THE POWER (+5V) PIN. IF THIS PIN IS
FOLLOWED ONTO THE PC BOARD, THERE WILL
BE TWO RESISTORS (SMALL TUBE-LIKE
THINGS WITH COLOR BANDS AND ONE LEAD
OUT OF EACH END). AT ONE END THE POWER
WILL GO INTO THIS RESISTOR, AT THE
OTHER ANOTHER TRACE WILL GO OFF TO SOME
OF THE OTHER ELECTRONICS ON THE BOARD.
WE WANT TO USE THE END THAT HAS THE
TRACES GOING TO OTHER CHIPS ON THE 
BOARD. (CALL THIS POINT #1 (USE EITHER
RESISTOR - THERE ARE TWO)). POINT
NUMBER TWO IS WHERE PIN 18 FROM THE APPLE
CONNECTOR (7 PINS DOWN FROM 25 ON THE
SAME SIDE) ENTERS ONTO THE PC BOARD
AND IMMEDIATELY GOES THROUGH TO THE
OTHER SIDE (AFTER ABT 1/2 "). THIS
IS POINT #2.  IF YOU TRACE WHERE THE
THING COMES OUT ON THE OTHER SIDE,
YOU'LL FIND OUT THAT IT POPS BACK ON
THE SIDE IT STARTED FROM ABOUT 1/2"
LATER... THIS LITTLE LINK IS WHERE WE
CUT THE TRACE TO INSERT THE SWITCH.
OK, WE CUT THE TRACE BETWEEN THE TWO
POINTS THAT IT GOES THROUGH THE PC
BOARD. LABEL THE OTHER PLACE WHERE THE
TRACE GOES THROUGH POINT#3.  NOW WE
WILL ATTACH AN SPDT SWITCH TO THE BOARD.
SOLDER ONE WIRE TO POINT 3, AND ATTACH
IT TO THE CENTER TERMINAL OF THE SWITCH.
THEN SOLDER A WIRE TO POINT 1 AND
ATTACH IT TO EITHER SIDE OF THE CENTER
SWITCH. LASTLY, TAKE A WIRE AND SOLDER
IT TO POINT 2 AND THEN TO THE UNUSED
PIN ON THE SWITCH. THERE YOU HAVE IT!
WHEN THE SWITCH HANDLE IS ON THE SAME
SIDE AS THE WIRE FROM POINT #1, REGULAR
OPERATION WILL TAKE PLACE. IF THE
SWITCH IS THROWN IN THE OTHER DIRECTION,
THE CARD WILL BE WRITE PROTECTED.
(*PLEASE NOTE THAT THIS MODIFICATION
WILL VOID YOUR WARRANTY AND THAT THE
USER ASSUMES AND WILL BE RESPONSIBLE
FOR ALL RISKS AND DAMAGES INCURRED IN
THE MAKING OR THE USE OF THIS
MODIFICATION, AND THAT THIS MODIFICATION
IS NOT GUARANTEED TO BE SUITABLE FOR
ANY PARTICULAR PURPOSE*)
----------------------------------------
---------------------------------------
          Ram Card in Cracking
             By: Axe Man
---------------------------------------

SOME OF THE ENTRIES ARE AMUSING. ESP 
THE BRUTE FORCE METHOD OF CRACKING.
THERE ARE EVEN SOME THINGS LISTED THAT
WON'T WORK!!!! FIRST LET'S CLEAR UP
SOME COMMON MISCONCEPTIONS ABOUT WHAT
HAPPENS WHEN A PERSON PRESSES RESET.
1) NOTHING HAPPENS (AT ALL) TO ANY MEM-
ORY LOCATION UNTIL THE 'RESET' PROCESS
ROUTINE DOES SO.
2) THIS RESET PROCESS ROUTINE CAN BE
MADE SO THAT MEMORY IS >NOT< WIPED OUT
3) ONLY THE REGISTERS AND PROGRAM CNTR
ARE MODIFIED WHEN RESET IS PRESSED 
INITIALLY.
- WHEN THE RESET KEY IS PRESSED, THE
6502 (THE LONG, SOMEWHAT WIDE CHIP
RESIDING BEHIND THE OTHER NOT SO LONG
WIDE CHIPS FOR THE UNINFORMED) TAKES
WHATEVER DATA (BYTES, NUMBERS, WHATEVER)
IN THE LOCATIONS $FFFC AND $FFFD AND
INTERPRETS THAT AS THE ADDRESS.
THEN THE 6502 JUMPS TO THAT ADDRESS TO
PROCESS THE RESET.  IF THERE IS A ROM 
IN THE $FF00 PAGE, THEN THERE IS NO
CHOICE BUT TO GO TO THE REGULAR RESET
ROUTINE. HOWEVER, SHOULD YOU BE THE 
LUCKY OWNER OF A RAM CARD, YOU CAN
MAKE THE RAM THINK IT IS ROM!!! 
NOW, MOST RAM CARDS, WHEN RESET IS 
PRESSED, WILL RE-ENABLE THE ROM MONITOR
(THIS INCLUDES THE LANGUAGE CARD,
MICROSOFT'S CARD, AND ANY OTHERS THAT
DON'T HAVE THAT SWITCH ON THE BACK). THE
ANDROMEDA RAM CARD HAS A LITTLE SWITCH
ON THE BACK THAT FORCES THE CONTENTS
OF THE RAM CARD TO ACT LIKE THE ROM
UPON RESET. NOW, DUE TO THE FACT THAT
MOST PROTECTION SCHEMES LIKE TO USE THE
NORMAL TEXT PAGE ($400-$800) TO STORE
INITIALIZATION AND BOOTUP ROUTINES THAT
ARE ESSENTIAL FOR THE PROGRAM TO RUN IN
HIGHER MEMORY, SOME WAY HAS TO BE USED
THAT DOESN'T ALTER ANY OF THE MEMORY
FROM $0-$7FF. NOW, WOULDN'T IT BE NICE
IF WE COULD, UPON RESET, MOVE ALL OF
THE MEMORY FROM $0-$7FF TO $800 AND UP??
YES, IT WOULD. THAT WAY, WE COULD
EXAMINE IT AT OUR LEISURE TO FIND OUT
WHAT IS GOING ON IN OUR TEXT PAGE THAT
THE PROGRAM MAKERS WANTED TO HIDE SO
BADLY. YOU CAN SAVE THIS STUFF ON A
DISKETTE (REMEMBER TO PUT IT WHERE
THE DOS BOOTUP WON'T BOTHER IT, SAY
$5000-$57FF FOR 48K SLAVE DISKETTES)
AND THEN LOAD IN THE PROGRAM AGAIN,
THIS TIME TO GET THE STUFF IN HIGHER
MEMORY ($800-$BFFF). NOW YOU WILL HAVE
THE COMPLETE IMAGE OF THE PROGRAM IN
TWO OR MORE FILES. THE BEST WAY TO 
INTERPRET THESE FILES IS TO FIND OUT
WHERE THE 2ND STAGE BOOT GOES TO (SEE
MY PREVIOUS MESSAGE ABOUT MOVING THE
DISK ROM INTO RAM) AND THEN TRACING
THE EXECUTION FROM THERE BY LOOKING
AT THE CODE YOU HAVE (REMEMBER THAT
YOUR ADDRESSES WILL BE OFFSET BY
A CERTAIN AMOUNT (I.E. $400 WILL BE
$C00 IF YOU MOVED THE MEMORY TO $800))
TO SEE WHERE THE INITIALIZATION POINT 
IS. THIS IS GENERALLY WHERE THE A,
X OR Y REGISTERS ARE LOADED WITH SOME
CONSTANTS AND PLACED ELSEWHERE IN
MEMORY TO SET UP THE PROGRAM. ONCE THIS
LOCATION IS FOUND, ALL OF THE FILES CAN
BE LOADED IN THEIR CORRECT PLACES USING
BLOADS, AND THEN A CALL CAN BE MADE TO
THE PLACE YOU THINK THAT THE PROGRAM
STARTS.  NOTE THAT ALL OF THIS ONLY
WORKS IF THE PROGRAM DOESN'T DETECT THE
RAM CARD AND DOESN'T PUT ITS OWN
INTERRUPT PROCESSING ROUTINE IN THE
RAM.  (ADD A SWITCH TO TRULY WRITE
PROTECT YOUR RAM CARD AND ALL WILL BE
FINE).
HERE IS A SKELETAL ROUTINE THAT CAN
BE ASSEMBLED INTO YOUR RAM CARD.

HERE IS THE ROUTINE THAT CAN BE USED

SOURCE  EQU $0000  ;FIRST PAGE TO SAVE (EXAMPLE VALUES; PICK YOUR OWN)
DEST    EQU $0800  ;WHERE THE COPY GOES
ENDPG   EQU $10    ;DEST PAGE + 1 TO STOP AT ($0-$7FF LANDS AT $800-$FFF)
;
RESET   LDY #0     ;SET UP Y-REG
L1      LDA SOURCE,Y  ;ABSOLUTE,Y (NO ZP,Y FORM EXISTS, SO ALWAYS 3 BYTES)
L2      STA DEST,Y
L3      INY
        BNE L1
        INC L2-1  ;INCREMENT SOURCE LOC (HI BYTE OF THE LDA)
        INC L3-1  ;INCREMENT DEST LOC (HI BYTE OF THE STA)
        LDA L3-1  ;GET CURRENT DEST PAGE
        CMP #ENDPG ;SEE IF DONE
        BNE L1
;
; USE THIS IF YOU ARE GOING TO POP INTO
; MONITOR
;
        LDA $C082 ;DESELECT RAM, GET ROM
;
;
        JMP $FF65 ; ENTER REGULAR APPLE
;                   MONITOR
;
;
TO INITIALIZE THIS ROUTINE, DO THIS
 
          LDA #RADDR/256     ;HIGH BYTE OF RESET ROUTINE ADDRESS
          STA $FFFD
          LDA #RADDR MOD 256 ;LOW BYTE
          STA $FFFC

PUT THAT CODE IN THE RAM CARD BY
DOING TWO READS FROM C083 AND
MOVE THE CODE UP. THE RADDR IS THE 
ADDRESS OF THE RESET ROUTINE THAT MOVES
THE MEMORY, AND IS PLACED IN THE RESET
VECTOR. FOR MORE INFO ON HOW TO WRITE
PROTECT YOUR RAM CARD, CONTACT THE
SYSOP (MAYBE HE'LL HAVE KITS....)
- - - - - - - - - - - - - - - - -  - - 
GENERAL ADDITIONAL CLUES -
BDOS BASED PROGRAMS WRITTEN IN BASIC
USUALLY MAKE $D6 NON-ZERO WHICH CAUSES
ANY FP PROGRAM TO AUTO RUN UPON A 
RETURN FROM THE KEYBOARD AT AN APPLESOFT
PROMPT. ()() DOS 3.3 PROTECTED PROGRAMS
(REALLY 16 SECTOR) SOMETIMES CHANGE
THE CATALOG TRACK (AT $AC01) TO SOME-
THING OTHER THAN $11 (17 DEC.)
WHEREVER POSSIBLE, THE PROGRAM'S
DOS CAN BE USED AGAINST IT BY FINDING
WHERE IT BEGINS, AND USING THAT AS
THE ROUTINES THAT A COPY PROGRAM USES
FOR RWTS. (THE RWTS USUALLY STARTS ON
A $XD00 BOUNDARY, WITH THE FIRST TWO
INSTRUCTIONS BEING STY 48 STA 49 (HEX
CODES 84 48 85 49)) NIBBLE COUNTING
CAN BE DEFEATED BY FINDING THE ROUTINE
THAT COUNTS THE NIBBLES, AND MAKE IT
READ CORRECT NIBBLES WITHOUT EVER 
ACCESSING THE DISKETTE ! BY THE WAY, IT
IS POSSIBLE TO DEFEAT LOCKSMITH, BIU,
AND OTHER NIBBLE COPIERS....
---------------------------------------
