5 2



Cracking AppleWriter //e
========================
 
According to the Burglar, this is all
there is to it...
 
[1]  Copya the disk
 
[2]  Sector mod:
 
     Track $04, Sector $0C
     Bytes $B1-B3 = EA EA EA
 
It just disables a small disk routine.
 
(C): The Burglar and Apple Bandit/MPG
      [An Apple Bandit QuikFile]





Cracking BC's Quest for Tires
=============================
 
Track $21 (hex) is a nibble count track
and contains no data needed by the
game. Otherwise, the disk format is
standard DOS 3.3...so...
 
Copy the disk (skipping track $21)
onto a blank. Or, if you want to modify
your original, just use Bag of Tricks'
"INIT" or similar utility, and format
track $21 on the original disk.
 
Now, the disk can be copied by COPYA,
but it won't boot because of the
nibble count. We can just NOP the JSR
to the nibble count by changing the
following bytes with ZAP or INSPECTOR:
 
   Track  Sector  Byte  From  To:
   -----  ------  ----  ----  ---
    $06    $07    $E8   $20   $EA
    $06    $07    $E9   $00   $EA
    $06    $07    $EA   $96   $EA
 
There...it's cracked! (Easy, eh?)
 
(C): The Burglar of Pirate's Guild
     [An Apple Bandit QuikFile]





How to boot from Drive 2
========================
 
Well, here's an interesting technique
that sometimes comes in handy when
drive speed seems to be critical in
a protection scheme, and you can't
pull out the controller cards and swap
them because your computer desk is full
of printouts and other garbage...
 
]CALL-151
*8600<C600.C700M (Move boot0 routine
                  from controller card
                  down into RAM where
                  we can modify it.)
*8636:8B (Address for Drive 2. Was set
          previously to "8A" for D1.)
 
Now put the disk in Drive 2, and type:
 
*8600G
 
It will boot up. If you wanted to boot
from a slot other than 6, just move the
boot routine from C600 to 8000+slot*256
(i.e. slot 5 would be $8500, slot 4
$8400, etc.)
 
Just a little tid-bit from...
 
Apple Bandit of Midwest Pirate's Guild
                   [And the 1200 Club]




ABCABCABCABCABCABCABCABCABCABCABCABCABC
B                                     B
C    Apple Bandit's CrakFile - #01    A
A                                     C
B  Copy ][+ 4.4B - Single Load Crack  B
C                                     A
ABCABCABCABCABCABCABCABCABCABCABCABCABC
 
 
First of all, let me just say that this is not a 'hard' crack. If you're an
experienced cracker, you may just want to skim this article, watching for the
'->' symbols, which precede the step-by-step procedure for the crack.
 
Copy ][+ 4.4B is Central Point Software's newest version of their popular copy
utility. The program itself is comprised of two parts: [1] A Utility Program
which allows you to catalog, copy, delete, lock/unlock files, etc., and [2] A
Bit Copy Program, which is one of the best bit copiers out on the market. As
the program is first booted, the utility menu is loaded. If you wish to use the
bit copier, you may select it from this menu, and it is loaded in separately.
 
The usual approach to a program with multiple disk access would be to use
Advanced Demuffin, by 'The Stack' of Corrupt Computing. We would use Advanced
Demuffin to read data from the Copy ][+ original, and write it out to our blank
DOS 3.3 disk. However, since the disk access in Copy ][+ is minimal, it would
be feasible to just save the Bit Copier and Utility programs separately.
Additionally, since both parts reside in 'normal' parts of memory (within the
normal 48K of the Apple and not below $800), these two parts can easily be
saved out as binary files, which can be individually BRUN'ed by the user. The
only sacrifice in this method is that we don't get the fast-booting that the
original program had, and that when we select the 'Bit Copy' option from the
Utility menu, it doesn't load. It would be possible to write a boot routine for
the Utility program, and write another small routine to directly use RWTS to
load in the Bit Copier upon selection from the Utility menu, but that is beyond
the scope of this CrakFile. Here we will trade speed and ease of use for disk
space and the ability to have the programs in the format of a file, which are
two of the main reasons for cracking in general. Anyway, on with the show...
 
After booting Copy ][+ 4.4B, you will soon see the Utility menu. At this point
we would like to stop the program, and save it as a file. To do this, we have a
few options: [1] We can press <Reset> on our Apple ][+ or Apple //e or other
computer with autostart ROM (as opposed to the 'old monitor' ROM) and discover
that this only causes the program to clear memory and re-boot; [2] we can
boot-trace the disk up to the point where the program begins execution; [3] we
can use a Crackshot, Wildcard, or other NMI board to halt the execution of the
program and leave us in the Apple's monitor; [4] we can press <Reset> if we
have installed an old monitor F8 ROM or other modified ROM that leaves us in
monitor upon pressing that key; or [5] if we do not have an old monitor or
other modified F8 ROM available, we can use the RAM card to simulate one, since
Copy ][+ ignores the top 16K of a 64K Apple.

Which method should we use? Well, option #1 isn't going to help too much, option
#2 (boot-tracing) is an art in itself (which will be the topic of a future
CrakFile), and option #3 (using a cracking/NMI board) is not the easiest, so
we'll concentrate on the last two options. If you have an F8 ROM to dump you
into monitor upon <Reset>, use that -- otherwise you can easily make your 16K
language card look like one. (Unless you're using a //e. If this is the case,
the language card trick will not work because pressing <Reset> on the //e will
automatically turn off the 'built-in' language card; you're stuck with either
boot-tracing or using a cracking card.)
 
Using the language card to reset into monitor:
 
]CALL-151  (go into monitor)
*C081 N C081 (write-enable language card)
*D000<D000.FFFFM (copy your ROMs to the language card)
*C083 N C083 (turn on language card and ignore the ROMs)
*FFFC:59 FF (set the 6502 reset location to jump into monitor)
 
Now we come to the actual cracking process of Copy ][+ 4.4B:
 
 -> Clear memory by typing from monitor:
    0<ctrl-P> 0<ctrl-K> N 300:0 N 301<300.BFFFM
 -> Boot your original Copy ][+ disk
 -> At the Utility menu, break out into monitor using your old monitor ROM,
    modified language card, or cracking card
 
Now we can tell what parts of memory are actually used by the program by using
the memory dump command from monitor. If you type "800.BFFF" you will see the
program whiz by, until it reaches the $4C00 range of memory. Here you find all
zeros until $B000, where $B000-$BFFF seems to be used. Knowing that $800-$4C00
and $B000-$BFFF are used, we can save the program to our DOS 3.3 disk in file
format the following way:
 
 -> From monitor, type "4C00<B000.BFFFM" to save the range of memory up at
    $B000-$BFFF so it won't interfere with where DOS normally resides
 -> Type "6000<800.900M" to save the range of memory from $800-$900 which
    will get over-written when DOS is booted.
 -> Boot a DOS disk which you have previously INIT'ed and deleted the HELLO
    program from
 -> Go into monitor and type "800<6000.60FFM" to restore $800-$900
 
Now, we obviously can't just move the $B000-$BFFF range back up, because it
will interfere with DOS, so we'll have to write a short routine to move the
range from where it is now located (at $4C00-5C00) up to the destination.
Scanning through the $800 page, we find a JMP $11AD. This is the actual start
of the program, so we have some extra space before that point to put our move
routines. Here is the routine, all ready to type in:
 
 -> 82B:A9 00 85 00 85 02 A9 4C 85 01 A9 B0 85 03 A0 00 B1 00 91 02 C8 D0
         F9 E6 01 E6 03 A5 01 C9 5C D0 EF A9 60 8D FF 02

Note: Upon examination of the Copy ][+ program, it can be found that the
      program uses location $2FF to store the slot no. times 16. The last 5
      bytes of the above routine take care of this.
 
Now, before we save the program, there is one other feature we can add. Since
we can no longer run the Bit Copy program directly from the Utility menu, it
would be nice to disable the option completely. The following mod will take
care of this: 1A90:60. On our crack, The Burglar put a small routine at $1A90
that cleared the screen and went into monitor. Then he searched memory for the
menu, and changed the 'Bit Copy' text to 'Monitor '. You may think of something
else interesting to put here...
 
Now, the moment we've been waiting for! You can finally save your cracked copy:
 
  -> BSAVE COPY ][+ 4.4B UTILITY,A$82B,L$53FB
 
Now for the Bit Copy portion. The process is almost exactly the same:
 
  -> Boot your original Copy ][+ and select the "Bit Copy" option
  -> When Bit Copy is loaded, hit <Reset> (or whatever method you are using)
 
Now, we may not be able to tell by just scanning memory this time, but by
experimenting we can tell that the only portion of memory used by the Bit
Copier is $800-$3300. This will make our job easier...
 
  -> Type "6000<800.900M" to save range from $800-900
  -> Boot your DOS slave diskette w/no HELLO program (the same disk as before)
  -> From monitor, type "800<6000.60FFM" to restore range $800-900
  -> Type "808:A9 60 8D FF 02 4C 00 09" to set $2FF which is used by the
     program, and to jump to the starting location at $900
  -> BSAVE COPY ][+ 4.4B BIT COPY,A$808,L$2AFB
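What the two hand-typed routines actually do, as an added example that is not the CrakFile's own code: a small 6502 interpreter covering only the opcodes those routines use runs the "82B:" move routine and the "808:" stub on a simulated 64K memory, with a constructed filler pattern standing in for the $B000-$BFFF range parked at $4C00.

```python
# Added example (not the CrakFile's code): a 6502 interpreter covering only the
# opcodes the two hand-typed routines use, run on a simulated 64K memory.
MOVE_ROUTINE = bytes.fromhex(            # the "82B:" bytes from the article
    "A9 00 85 00 85 02 A9 4C 85 01 A9 B0 85 03 A0 00 B1 00 91 02 C8 D0 "
    "F9 E6 01 E6 03 A5 01 C9 5C D0 EF A9 60 8D FF 02")
BITCOPY_STUB = bytes.fromhex("A9 60 8D FF 02 4C 00 09")   # the "808:" bytes

def run(mem, pc, stop):
    """Execute from pc until pc == stop; raises on any opcode not listed."""
    a = y = 0
    z = False                   # zero flag: the only flag these routines test
    ptr = lambda zp: mem[zp] | (mem[zp + 1] << 8)      # zero-page pointer
    while pc != stop:
        op, arg = mem[pc], mem[pc + 1]
        if op == 0xA9:   a, z, pc = arg, arg == 0, pc + 2                 # LDA #imm
        elif op == 0xA0: y, z, pc = arg, arg == 0, pc + 2                 # LDY #imm
        elif op == 0xA5: a = mem[arg]; z = a == 0; pc += 2                # LDA zp
        elif op == 0x85: mem[arg] = a; pc += 2                            # STA zp
        elif op == 0xB1: a = mem[(ptr(arg) + y) & 0xFFFF]; z = a == 0; pc += 2  # LDA (zp),Y
        elif op == 0x91: mem[(ptr(arg) + y) & 0xFFFF] = a; pc += 2       # STA (zp),Y
        elif op == 0xC8: y = (y + 1) & 0xFF; z = y == 0; pc += 1          # INY
        elif op == 0xE6: mem[arg] = (mem[arg] + 1) & 0xFF; z = mem[arg] == 0; pc += 2  # INC zp
        elif op == 0xC9: z = a == arg; pc += 2                            # CMP #imm (Z only)
        elif op == 0xD0: pc += 2 + (0 if z else arg - 256 * (arg >= 0x80))  # BNE rel
        elif op == 0x8D: mem[arg | (mem[pc + 2] << 8)] = a; pc += 3       # STA abs
        elif op == 0x4C: pc = arg | (mem[pc + 2] << 8)                    # JMP abs
        else: raise ValueError(f"opcode ${op:02X} at ${pc:04X} not supported")
    return mem

def crack_layout():
    """Memory as left by the crack: $B000-$BFFF parked at $4C00-$5BFF (constructed
    filler pattern here), with both routines typed in at $82B and $808."""
    mem = bytearray(0x10000)
    for addr in range(0x4C00, 0x5C00):
        mem[addr] = (addr * 7) & 0xFF
    mem[0x82B:0x82B + len(MOVE_ROUTINE)] = MOVE_ROUTINE
    mem[0x808:0x808 + len(BITCOPY_STUB)] = BITCOPY_STUB
    return mem

def run_move_routine():
    """Returns (parked range restored to $B000?, $2FF, first byte past $BFFF)."""
    mem = run(crack_layout(), 0x82B, 0x82B + len(MOVE_ROUTINE))
    return mem[0xB000:0xC000] == mem[0x4C00:0x5C00], mem[0x2FF], mem[0xC000]

def run_bitcopy_stub():
    """The $808 stub must set $2FF = slot*16 and end at the $900 entry point."""
    mem = run(crack_layout(), 0x808, 0x900)
    return mem[0x2FF]
```

The untouched byte at $C000 confirms that the CMP #$5C stops the copy after exactly 16 pages, and both routines leave $60 (slot 6 times 16) at $2FF.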
 
Congratulations...it's a 1st class Crack!
 
Coming soon: ABC #2 - How I cracked "SUNDOG", a new Pascal graphic adventure.
 
Apple Bandit & The Burglar of Midwest Pirate's Guild [MPG] 612/724-7066 (modem)





Cracking Electronic Arts' Cut & Paste
=====================================
 
The current Electronic Arts games all
use similar protection schemes; in fact
the protection schemes used in Cut &
Paste, One on One, Last Gladiator, and
probably Hard Hat Mack are almost
exactly the same...
 
Track $21 is unused on EA's protection,
and track $22 is reserved for a nibble
count. Other than the nibble count, EA
uses their own souped-up RWTS, which
loads very fast, but can be modified
very easily to read normal DOS 3.3
format. The procedure for Cut & Paste
follows:
 
Copy tracks 0 thru 2 with any normal
DOS copy program. These tracks are
unprotected...
 
Then convert tracks $03 thru $20 by
reading from the original with the data
marker set to "D5 BB CF" instead of the
normal "D5 AA AD", and writing to your
copy with normal RWTS. This can be
accomplished beautifully with Advanced
Demuffin:
 
]BLOAD ADVANCED DEMUFFIN
]CALL-151
*B858:BB
*B8F1:BB
*B85D:CF
*B8FC:CF
*801G
 
(Change defaults to copy trks $03-$20,
 and copy it..)
 
Then modify EA's RWTS to read in
normal DOS (with D5 AA AD instead of
D5 BB CF) by editing:
Track $02, Sector $03 -->
 
   Byte $47   Was $BB  Change to $AA
   Byte $51   Was $AD  Change to $CF
 
Then you must find and disable the
nibble counts. The only way to do this
is to search the disk for code that
accesses the drive ("89 C0" are good
bytes to search for; they are used
whenever the drive is turned on).
The following is what has to be edited:
 
   Track   Sector  Byte   From   To:
   -----   ------  ----   ----   ---
    $01     $0C    $05    $A0    $18
    $01     $0C    $06    $20    $60
    $01     $0C    $68    $20    $18
    $01     $0C    $69    $A2    $60
    $01     $0F    $68    $20    $18
    $01     $0F    $69    $A2    $60
    $01     $0F    $6A    $A1    $EB
 
The last byte, "EB" is not executed,
but is needed for a valid checksum to
be computed by the routine. Leaving out
this byte will cause the program to
bomb out after it does a checksum on
itself (the protectionists have
anticipated the tampering with their
code...)
 
(C): The Burglar and Apple Bandit/MPG
      [An Apple Bandit QuikFile]


