Crack Micro Lab's Dino Eggs & Crisis Mt
=======================================
 
Micro Lab's protection scheme on their
Dino Eggs, and Crisis Mountain is very
minimal. To convert it to a COPYA
format, just load COPYA, go into monitor
and disable the RWTS address marker
checksum:
 
*B942:18  (A very basic technique that
            will copy many programs..)
 
Then make a copy of the Dino Eggs or
Crisis Mountain original with COPYA...
 
Now, their routines still try to read
in the old address marks. To modify the
readaddr routine to read normal DOS 3.3
just make the following mods on
Track $00, Sector $09 -->
 
   Byte  From  To:
   ----  ----  ---
   $35   $D5   $DE
   $91   $9E   $DE
   $94   $18   $EA
   $95   $60   $BD
   $9B   $E7   $AA
 
Now, their modified RWTS still de-
nibblizes the data abnormally, so to
normalize it, make the following mods
on Track $00, Sector $0C -->
 
   Byte  From  To:
   ----  ----  ---
   $FB   $BF   $BC
   $FC   $1A   $19
 
And on Track $00, Sector $0E -->
 
   Byte  From  To:
   ----  ----  ---
   $38   $4C   $08
   $39   $00   $B0
   $3A   $BB   $8E
 
(C): The Burglar and Apple Bandit/MPG
      [An Apple Bandit QuikFile]
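The Dino Eggs mods above (and the GPS, Heist and Miner 2049'er ones later in this file) all change the bytes the vendor's RWTS compares against the address-field epilogue back to the stock $DE $AA. The following Python model, written for this edit and not taken from the QuikFiles, encodes and reads a DOS 3.3 address field so the effect can be seen: a field written with a non-standard epilogue decodes under the vendor's expected bytes, fails the stock check, and passes again when the error exit is neutralised the way *B942:18 does (that patch turns the SEC at the RWTS error exit into CLC). The non-standard epilogue value used is constructed, not taken from any of the disks.

```python
# Apple DOS 3.3 address field model (added example; assumptions noted inline).
PROLOGUE = (0xD5, 0xAA, 0x96)   # stock address prologue
EPILOGUE = (0xDE, 0xAA)         # stock epilogue bytes RWTS checks ($EB follows, unchecked)
ODD_EPILOGUE = (0xDD, 0xAA)     # constructed "protected" epilogue for the demo

def encode_44(b):
    """4-and-4 encode one byte into two disk nibbles (odd bits, even bits)."""
    return ((b >> 1) | 0xAA, b | 0xAA)

def decode_44(n1, n2):
    """Reverse of encode_44, the same way RWTS recombines the two nibbles."""
    return ((n1 << 1) | 1) & n2 & 0xFF

def build_address_field(vol, trk, sec, epilogue=EPILOGUE):
    """Prologue, 4-and-4 volume/track/sector/checksum, then the epilogue."""
    body = []
    for v in (vol, trk, sec, vol ^ trk ^ sec):
        body.extend(encode_44(v))
    return list(PROLOGUE) + body + list(epilogue)

def read_address(nibbles, epilogue=EPILOGUE, ignore_errors=False):
    """Mimic the RWTS read-address routine: (vol, trk, sec) or None on error.
    ignore_errors=True models the *B942:18 patch: the checks still fail, but
    the error exit no longer reports them, so the decoded bytes are used anyway."""
    if tuple(nibbles[:3]) != PROLOGUE:
        return None   # real RWTS keeps hunting for a prologue; not modelled here
    vol, trk, sec, chk = (decode_44(nibbles[i], nibbles[i + 1]) for i in range(3, 11, 2))
    checks_ok = (vol ^ trk ^ sec) == chk and tuple(nibbles[11:13]) == tuple(epilogue)
    if checks_ok or ignore_errors:
        return (vol, trk, sec)
    return None

if __name__ == "__main__":
    field = build_address_field(254, 0, 9, epilogue=ODD_EPILOGUE)
    print("stock RWTS  :", read_address(field))                           # None
    print("vendor RWTS :", read_address(field, epilogue=ODD_EPILOGUE))    # (254, 0, 9)
    print("B942:18 RWTS:", read_address(field, ignore_errors=True))       # (254, 0, 9)
```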


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :8



Cracking Warrior of Ras III: Dunzhin
====================================
 
Warrior of Ras Volume III (Dunzhin) is
another protection scheme which uses a
modified address marker (specifically,
the epilogue bytes). Since the cracking
technique used isn't anything new, I'll
just go through the procedure --
 
]CALL-151
*B942:18
*BRUN ADVANCED DEMUFFIN
 
Then change defaults to copy only
Track $00, Sector $00 thru Sector $0F.
Now to copy tracks $01-$22, boot your
original Dunzhin and break out into
monitor (see ABC #1). Then type:
 
  *6700<B700.BFFFM
 
Now boot normal DOS, load Advanced
Demuffin, and move Dunzhin's RWTS back:
 
]BLOAD ADVANCED DEMUFFIN
]CALL-151
*B700<6700.6FFFM
*801G
 
And copy tracks $01 thru $22 from the
original disk to your copy. Then make
these sector mods to your copy:
 
  Track   Sector   Byte   From  To:
  -----   ------   ----   ----  ---
   $00     $01     $35    $FF   $DE
   $00     $01     $3F    $FF   $AA
   $00     $03     $91    $FF   $DE
   $00     $03     $9B    $FF   $AA
   $00     $05     $2D    $F7   $00
   $00     $05     $36    $EE   $00
   $00     $05     $3F    $E5   $00
 
It's Cracked...
 
(C): Apple Bandit and The Burglar/MPG
      [An Apple Bandit QuikFile]


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :9



Cracking General Manager //e (v2.0Y)
====================================
 
The General Manager, version 2.0Y, by
Sierra On-Line is very easy to crack;
that is, once you know how. The disk
is in standard DOS 3.3 format, and
therefore can be copied with COPYA.
However, the program will not work due
to a small nibble count routine
cleverly hidden in one of the files on
the disk...
 
To disable the nibble count, just
type the following:
 
]BLOAD GENERAL MANAGER
]CALL-151
*631C:2C
*6322:2C
*BSAVE GENERAL MANAGER,A$6000,L$6F0
 
It's cracked...
 
(C): Apple Bandit of Pirate's Guild
      [An Apple Bandit QuikFile]


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :10



Cracking Stoneware's GPS
========================
 
GPS is another example of a slightly
modified RWTS. This protection job goes
a little further, however, by tacking a
unique disk routine onto the end of the
boot file, which does some sort of
nibble count... If the disk check fails
you hear a cute little tune as the
program clears memory & reboots. Well,
we really don't care what this routine
is checking for, because we are just
going to jump over it...
 
First, make a copy of the disk by doing
*B942:18
and then running COPYA on it. Now,
change the modified address header back
to normal (sounds familiar by now, eh?)
 
Track $00, Sector $03 -->
 
   Byte $35   Was $DD  Change to $DE
   Byte $91   Was $DD  Change to $DE
 
Track $00, Sector $02 -->
 
   Byte $9E   Was $DD  Change to $DE
 
Now time for that check on the end of
the boot file
Track $05, Sector $09 -->
 
   Bytes $C4-C7 was 4C F4 0D ??
         change to: 18 4C 01 BF
 
This clears the carry (which tells
the calling routine that the disk-
check was OK) and jumps over the
rest of the routine, to $BF01.
 
It's cracked...
 
(C): Apple Bandit and The Burglar/MPG
      [An Apple Bandit QuikFile]


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :11



Cracking Micro Lab's "The Heist"
================================
 
Just like many of the previous ABQ's
(Apple Bandit QuikFiles) this crack
also involves normalizing the address
header. There's not a whole lot to
explain, except that, as you can see,
modified address headers (& epilogue
bytes) are one of the most common
protection schemes used, probably
because they are easy to write.
Fortunately for us, they are also quite
easy to crack! Well, here we go...
 
]LOAD COPYA
]CALL-151
*B942:18
*3D0G
]RUN
(Copy the disk)
Then use a disk editor and edit:
 
Track   Sector   Byte   Was   Change to
-----   ------   ----   ---   ---------
$00      $09     $0B    $38   $18
$00      $02     $9E    $D5   $DE
$00      $03     $35    $D5   $DE
$00      $03     $91    $9E   $DE
$00      $03     $9B    $E7   $AA
 
The first mod disables the nibble count
done on the disk. The other four make
Micro Lab's RWTS compatible with DOS
3.3.
 
It's cracked! Keep on Crackin'...
 
(C): Apple Bandit & The Burglar/MPG
      [An Apple Bandit QuikFile]
 
..Call Safehouse at 612/724-7066..


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :12



Cracking Micro Lab's Invoice Factory
====================================
 
The Invoice Factory, and The Mini
Factory both use the same protection.
The way I figured out how to crack it
was to boot up the original, hit reset
at the prompt, and then move the RWTS
up into memory where it won't get
written over by the boot:
 
   *6800<B800.BFFFM
 
Then I booted a system master, and
compared the ranges of RWTS that
contained code (some parts of RWTS
from B800 to BFFF are data, so you
want to skip those ranges). This
technique can be used to crack many
simple protection schemes, so I'll
show you what I compared (using the
monitor's {V}erify command):
 
*6800<B800.BA68V
*6A96<BA96.BAFFV
*6C56<BC56.BCDEV
*6D00<BD00.BFA7V
*6FB8<BFB8.BFC7V
 
After doing these comparisons, the only
two addresses I found to differ were:
 
        was:  should be:
  B900-  01      00
  B8FC-  B5      AD
 
SO... Copy tracks 0 thru 2 from the
original disk to your copy using any
normal copy program. Then use Advanced
Demuffin for tracks 3-22 (Advanced
Demuffin just reads from the original's
RWTS up at $B800-$BFFF and writes out
with normal DOS 3.3 RWTS):
 
]BLOAD ADVANCED DEMUFFIN
]CALL-151
*B900:01 N B8FC:B5
*801G
 
(Change defaults to copy trk 3-22)

Use Advanced Demuffin to copy trk 3-22
 
Now just modify those bytes we found,
by using a disk editor on
Track $00, Sector $06 -->
 
Byte $62 = 00
     $67 = AD
 
It's cracked...
 
(C): Apple Bandit and The Burglar/MPG
      [An Apple Bandit QuikFile]
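The comparison technique above (save the vendor RWTS at $6800, boot a stock system master, then run the monitor's Verify over the code ranges only) is a plain byte diff. The Python below, added for this edit and not part of the QuikFile, parses those same five Verify commands and runs them over a constructed 64 KB memory image in which a stock-looking RWTS sits at $B800 and a copy with the two bytes the text found ($B900 and $B8FC) changed sits at $6800. The filler bytes are constructed; only the two addresses and their values come from the text.

```python
import re

VERIFY_RE = re.compile(r"^\*?([0-9A-F]{4})<([0-9A-F]{4})\.([0-9A-F]{4})V$", re.I)

def parse_verify(cmd):
    """Parse a monitor 'dest<start.endV' command into (dest, start, end)."""
    m = VERIFY_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a monitor verify command: {cmd!r}")
    dest, start, end = (int(x, 16) for x in m.groups())
    return dest, start, end

def verify(memory, cmd):
    """Compare memory[start..end] with memory[dest..], as the monitor's V does.
    Returns (source_addr, source_byte, dest_byte) for every mismatch."""
    dest, start, end = parse_verify(cmd)
    return [(start + off, memory[start + off], memory[dest + off])
            for off in range(end - start + 1)
            if memory[start + off] != memory[dest + off]]

def run_verifies(memory, cmds):
    """Run several Verify commands and merge the mismatches in address order."""
    diffs = []
    for cmd in cmds:
        diffs.extend(verify(memory, cmd))
    return sorted(diffs)

def build_demo_memory():
    """Constructed image: filler 'stock RWTS' at $B800, vendor copy at $6800."""
    mem = bytearray(0x10000)
    for i in range(0x800):
        mem[0xB800 + i] = (i * 7 + 3) & 0xFF
    mem[0xB900] = 0x00   # values the text reports for stock DOS 3.3
    mem[0xB8FC] = 0xAD
    mem[0x6800:0x7000] = mem[0xB800:0xC000]   # the "saved original RWTS"
    mem[0x6900] = 0x01   # the two bytes the vendor changed
    mem[0x68FC] = 0xB5
    return mem

INVOICE_FACTORY_VERIFIES = ["*6800<B800.BA68V", "*6A96<BA96.BAFFV",
                            "*6C56<BC56.BCDEV", "*6D00<BD00.BFA7V",
                            "*6FB8<BFB8.BFC7V"]

if __name__ == "__main__":
    for addr, stock, vendor in run_verifies(build_demo_memory(), INVOICE_FACTORY_VERIFIES):
        print(f"{addr:04X}- was {vendor:02X} should be {stock:02X}")
```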


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :13



Cracking Electronic Arts Last Gladiator
=======================================
 
The protection scheme used in The Last
Gladiator is almost identical to that
in Cut & Paste, so I won't bother to
fully explain it again. Here is the
procedure:
 
Copy tracks $00-$02 with any normal DOS
3.3 copy program. Then...
 
]BLOAD ADVANCED DEMUFFIN
]CALL-151
*B858:BB
*B8F1:BB
*B85D:CF
*B8FC:CF
*801G
 
Then use Advanced Demuffin to copy
tracks $02-$20. Then use a disk editor
to modify the following (hex!):
 
Trk $01  Sec $0F  Byt $68-$6A = 18 60 EB
Trk $01  Sec $0C  Byt $05-$06 = 18 60
Trk $01  Sec $0C  Byt $68-$69 = 18 60
Trk $02  Sec $03  Byt $47     = AA
Trk $02  Sec $03  Byt $51     = AD
Trk $1F  Sec $0E  Byt $05-$06 = 18 60
Trk $1F  Sec $0E  Byt $68-$69 = 18 60
Trk $1F  Sec $0F  Byt $05-$06 = 18 60
Trk $1F  Sec $0F  Byt $68-$69 = 18 60
 
It's cracked...
 
(C): The Burglar and Apple Bandit/MPG
      [An Apple Bandit QuikFile]


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :14



Cracking Micro Lab's Miner 2049'er
==================================
 
The protection used in Miner 2049'er
is very similar to that used in Dino
Eggs and Crisis Mountain... The
epilogue bytes of the address header
are modified, and there is a small
jump stuck in the RWTS where it
shouldn't be...
 
To convert the disk to COPYA format,
as in other Micro Lab games:
 
]LOAD COPYA
*B942:18
*3D0G
 
Then let COPYA copy your original Miner
2049'er. Now the copy will still try
to read the old address marks, so fix
Track $00, Sector $03 -->
 
   Byte  From  To:
   ----  ----  ---
   $35   $D5   $DE
   $91   $9E   $DE
   $9B   $E7   $AA
 
Now take out the jump that's stuck
right in the middle of nowhere (normal
RWTS doesn't have it, so we don't need
it!)
Track $00, Sector $08 -->
 
   Byte  From  To:
   ----  ----  ---
   $38   $4C   $08
   $39   $6A   $B0
   $3A   $BA   $8E
 
(C): Apple Bandit and The Burglar/MPG
      [An Apple Bandit QuikFile]


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :15



Cracking Electronic Arts' One on One
====================================
 
The protection on One on One is the
best of Electronic Arts so far, but is
still very similar to all the others.
 
Note that One on One *could* be NMI'd
and with disk access taken out, could
be made into a file. However, it would
not support the Mockingboard.
 
Here is the procedure:
 
Copy tracks $00-$02 with any normal DOS
3.3 copy program. Then...
 
]BLOAD ADVANCED DEMUFFIN
]CALL-151
*B858:BB
*B8F1:BB
*B85D:CF
*B8FC:CF
*801G
 
Then use Advanced Demuffin to copy
tracks $02-$20. Then use a disk editor
to modify the following (hex!):
 
Trk $01  Sec $0F  Byt $68-$6A = 18 60 EB
Trk $01  Sec $0C  Byt $05-$06 = 18 60
Trk $01  Sec $0C  Byt $68-$69 = 18 60
Trk $02  Sec $03  Byt $47 = AA (was BB)
Trk $02  Sec $03  Byt $51 = AD (was CF)
Trk $09  Sec $02  Byt $1F = FD (was 01)
Trk $0C  Sec $04  Byt $04 = 18 (was A0)
   "        "     Byt $06 = 60 (was 18)
   "        "     Byt $07 = C8 (was 88)
   "        "     Byt $DC = 18 (was A0)
   "        "     Byt $DD = 60 (was FF)
 
It's cracked...
 
(C): The Burglar and Apple Bandit/MPG
      [An Apple Bandit QuikFile]


[1-15 ?=MENU/M=MAIN MENU/Q=QUIT] :Q
=====================================
