#######################################
#                                     #
#        CRACKING WITH COPY CAT       #
#         <>H/H<> & WARE LORDS        #
#                                     #
#######################################
RETURN OF HERACLES, BY QUALITY SOFTWARE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
RETURN OF HERACLES USES THE ALL TOO
FAMILIAR CHECKSUM PROTECTION WHICH IS
ALSO FOUND ON INFOCOMS, XEROXES, ETC.
ONCE AGAIN WE GO THROUGH THE SAME DAMN
PROCEDURE:
 
]RUN COPYA
<CTRL-C>
]CALL-151
*B925:18 60
*B988:18 60
*BE48:18
*B8FB:29 00
*<CTRL-C><RETURN>
]RUN
 
NOW COPY THE ENTIRE DISK.  USING ANY
SECTOR EDITOR, CHANGE:
 
TRACK 17 SECTOR 5 BYTES 48-49
 
FROM A5 E0 (LDA $E0, LOAD A FROM 0-PAGE)
TO   A9 10 (LDA #$10, LOAD A WITH $10)
 
DO THE SAME TO T17, S6, BYTES AF-B0.
WHAT THIS DOES IS RETURN FROM THE
NIBBLE COUNT SUBROUTINE WITH A VALUE
WHICH PREVENTS A DELAYED-CRASH NIBBLE
COUNT, LAST SEEN ON THE STICKYBEAR
SERIES.
 

C'EST LA VIE BY ADVENTURE INTERNATIONAL
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
C'EST LA VIE, STRANGELY ENOUGH, USES
PROTECTION ALMOST IDENTICAL TO YE OLDE
GAME "ELIMINATOR".  TO KRAK IT YOU NEED
ONLY DEMUFFIN IT AND REMOVE THE RATHER
OBVIOUS NIBBLE COUNT AT THE BEGINNING.
SO, BLOAD DEMUFFIN PLUS AT $6000, BOOT
C'EST LA VIE, BREAK OUT, MOVE DEMUFFIN
BACK TO $803, RUN IT, COPY ALL FILES
AND LOOK AT WHAT YOU HAVE.  THE BOOT
PROGRAM RUNS "CLV", SO BRUN CLV.  IT
MAKES A VERY LOUD WHEEZE AND CRASHES.
LOOKING AT THE BEGINNING OF THE PROGRAM
REVEALS A JSR AT $4000, THE SECOND
STAGE OF THE PROGRAM.  JUST "EA" THE 3
BYTES OUT, AND RUN IT.  NOW THE GAME
MORE OR LESS WORKS, BUT AFTER PLAYING
IT FOR A WHILE YOU WILL GET ON THE HIGH
SCORE LIST.  OOPS!  IT SAVES THE HIGH
SCORES IN A PROTECTED FORMAT AND WIPES
OUT A TRACK ($6 I THINK IT WAS).  SO,
TO REMOVE THE DISK ACCESS LOOK FOR
REFERENCES TO $C0E8, $C0E9 AND $B9A0.
YOU WILL FIND A WHOLE CLUSTER OF THEM
AROUND PAGES $1D-1E, I THINK, AND MORE
AROUND PAGES $66-67.  ANYWAYS, IT IS
NOT TOO DIFFICULT TO SEARCH MEMORY FOR
THIS STUFF SINCE YOU HAVE ANY DOS YOU
WANT IN MEMORY (DAVID-DOS WORKS FINE).
ALSO IT WOULD BE HELPFUL TO LOOK AT THE
BEGINNING OF THE PROGRAM AGAIN TO CHECK
THE FIRST FEW JSRS.  TWO OF THOSE ARE
ROUTINES TO LOAD THE HIGH SCORES FROM
DISK, WHICH WILL NOT KILL THE DISK BUT
WILL PREVENT THE GAME FROM WORKING WITH
THE EXCELLENT BEAUTIFUL BOOT MENU PROG.
BY MINI-APPLER AND APPLE BANDIT.  SO,
ALTHOUGH THIS HAS JUST BEEN A SET OF
VAGUE KRAKING INSTRUCTIONS, THEY SHOULD
ALLOW MOST OF YOU TO FIGURE OUT HOW TO
UNPROTECT THIS GAME.  NEXT TIME I'LL
GIVE COMPLETE BYTE-BY-BYTE BLOWS.
 

         GENERAL CRACKING INFO
         ^^^^^^^^^^^^^^^^^^^^^

 
THE CHECKSUM TRICK WORKS WELL IN
CONJUNCTION WITH A SECTOR EDITOR (I USE
NIBBLES AWAY II) SINCE YOU CAN DISABLE
THE CHECKSUM FROM THE MENU (IN NA II,
HIT O FOR OPTIONS, C TO TOGGLE
CHECKSUM).  THIS WAY YOU CAN READ THE
TEXT AS
WELL AS DISASSEMBLE EACH INDIVIDUAL
SECTOR.  OBVIOUSLY, THE BRANCH COMMANDS
ARE CHANGED, BUT THE JSR AND JMP'S ARE
INTACT.  A GOOD WAY TO KRAK DISKS THAT
ARE COPYA-BLE BUT HAVE A NIBBLE COUNT,
AND ARE NOT IN FILE FORMAT, IS TO JUST
BREAK OUT OF THE PROGRAM RIGHT BEFORE
THE PROGRAM EXECUTES THE NIBBLE COUNT.
I DID THIS WITH THE DICTIONARY, BY
SIERRA ON-LINE.  DICTIONARY CAN BE
CATALOGED BUT HAS A FAKE BOOT-UP THAT
DOES NOT ACTUALLY OCCUR WHEN DOING A
GENUINE "PR#6".  THUS YOU MUST LOOK AT
THE DISK DIRECTLY, INSTEAD OF TRACING
THROUGH THE FILES SUCH AS WITH THE AI
(ASSHOLES INTERNATIONAL) SERIES.  THE
DICTIONARY LOADS IN COMPLETELY AND DOES
A NIBBLE COUNT RIGHT BEFORE IT GOES TO
THE MENU.  THANKS TO SOME INCOMPETENT
PROTECTORS, IT IS QUITE OBVIOUS TO SEE
THE NIBBLE COUNT.  AS WITH SCREENWRITER
II, THE SCREEN CLEARS (MEMORY WIPE) AND
REBOOTS.  SO, AFTER A FEW BOOTS, YOU
SHOULD BE USED TO THE APPROXIMATE TIME
THE NIBBLE COUNT OCCURS.  HIT RESET
THERE, AND LOOK THROUGH MEMORY FOR ANY
DISK ACCESS REFERENCES.  EVENTUALLY YOU
WILL TRACK THE NIBBLE COUNT DOWN TO THE
$1100 AREA (I THINK THE EXACT ADDRESS
WAS $116F OR SOMETHING).  NOW TO TEST
THIS, SIMPLY "EA" THE THREE JSR BYTES
OUT AND THE PROGRAM RUNS.  THE PROBLEM
IS, YOU DON'T KNOW EXACTLY WHERE THIS
JSR IS ON THE DISK.  NO PROBLEM; BOOT
UP DARK1, SEARCH, AND "EA" THE TWO
ADDRESSES WITH THE JSR TO $116F (???).
 

          CRACK THE DICTIONARY
          ^^^^^^^^^^^^^^^^^^^^

HERE ARE THE ACTUAL BYTES TO ZAP TO
KRAK THE DICTIONARY, BY SIERRA ON-LINE:
 
TRACK 1, SECTOR 0, BYTES A9 - AB CHANGE
FROM "20 2B 6D" TO "EA EA EA"
 
TRACK 9, SECTOR 3, BYTES 62 - 64 CHANGE
FROM "20 2B 6D" TO "EA EA EA"
 
OF COURSE, IT'S A GOOD IDEA TO COPY THE
ORIGINAL FIRST BEFORE BYTE-ZAPPING.....
BUT THAT'S PRETTY OBVIOUS STUFF.  ALSO,
I WILL BE KRAKING BUBBLE-HEAD TODAY, BY
TELLUS SYSTEMS.  NEW COMPANY, PROBABLY
EASY PROTECTION, BUT YOU NEVER CAN TELL
WITH APPLE COPY PROTECTION.  NEXT TIME
I SIGN ON I WILL POST THE EXACT BYTES
TO CHANGE TO KRAK A DEMUFFINNED COPY OF
C'EST LA VIE.  'TIL THEN,
 

          C'EST LA VIE BYTES
          ^^^^^^^^^^^^^^^^^^

HERE THEY ARE DUDES...THERE ARE A LOT
OF THEM...PUT "2C" AT EACH PLACE,
EVEN THOUGH THERE MAY BE SOME OVERLAP.
 
200F 20C3 20C5 20C7 20C9 20D2 20E2 20EE
20FB 2104 210F 2159 215D 260A 2617 2632
2634 264A 2662 2685 26A8 26C0 26E3 2737
273E 2747 2750 2763 2768 66F6 66F8 6700
6702 6721 6723 6725 6727 6736 6738 673A
6741 6743 6795
 
WHEW!  ANYWAYS, IT MAY NOT BE THE MOST
EFFICIENT WAY, BUT IT WORKS, AND THERE
IS NO POSSIBLE WAY TO HAVE THE DISK
CRASH WHEN THE DISK ROUTINES ARE ALL
GONE, EH?  BY THE WAY, THE NIBBLE COUNT
LOCATION IS $2768.  THE FIRST SET OF
BYTES (PAGES $20-21) ARE THE HI SCORE
READ ROUTINES (I THINK), THE SECOND SET
(PAGES $26-27) ARE THE NIBBLE COUNT AND
PROTECTION ROUTINES (I THINK), AND THE
THIRD SET (PAGES $66-67) ARE THE WRITE
HI SCORE ROUTINES (I KNOW, I FOUND OUT
THE HARD WAY).
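
ADDED EXAMPLE (NOT PART OF THE ORIGINAL FILE): A SMALL PYTHON DECODER FOR THE 6502 OPCODES USED IN THE PATCHES ABOVE, SHOWING WHAT EACH BYTE CHANGE MEANS AND THAT EVERY PATCH KEEPS THE ORIGINAL BYTE COUNT. THE JSR $B9A0 USED FOR THE "2C" CASE IS AN ASSUMED INSTRUCTION, NOT BYTES TAKEN FROM THE GAME.

```python
# Added example: decodes only the 6502 opcodes used by the patches above.
# opcode -> (mnemonic, operand format, instruction length in bytes)
OPCODES = {
    0x18: ("CLC", "", 1),
    0x20: ("JSR", "${:04X}", 3),
    0x29: ("AND", "#${:02X}", 2),
    0x2C: ("BIT", "${:04X}", 3),   # only sets flags; A and the PC flow are untouched
    0x60: ("RTS", "", 1),
    0xA5: ("LDA", "${:02X}", 2),   # zero-page load
    0xA9: ("LDA", "#${:02X}", 2),  # immediate load
    0xEA: ("NOP", "", 1),
}

def decode(hex_bytes):
    """Decode a hex string such as '20 2B 6D' into a list of instructions."""
    data = bytes.fromhex(hex_bytes)
    out, i = [], 0
    while i < len(data):
        if data[i] not in OPCODES:
            raise ValueError(f"opcode ${data[i]:02X} is not in this table")
        name, fmt, size = OPCODES[data[i]]
        if i + size > len(data):
            raise ValueError(f"{name} at offset {i} is cut off")
        # 6502 operands are little-endian: 2B 6D means $6D2B
        operand = int.from_bytes(data[i + 1:i + size], "little")
        out.append(f"{name} {fmt.format(operand)}".strip())
        i += size
    return out

def patch_effect(before, after):
    """Return (old, new) listings; reject a patch that changes the byte count."""
    if len(bytes.fromhex(before)) != len(bytes.fromhex(after)):
        raise ValueError("patch must keep its length so later code stays aligned")
    return decode(before), decode(after)

PATCHES = [
    ("A5 E0", "A9 10"),        # Return of Heracles, from the text above
    ("20 2B 6D", "EA EA EA"),  # The Dictionary, from the text above
    ("20 A0 B9", "2C A0 B9"),  # constructed: "2C" written over an assumed JSR $B9A0
]

if __name__ == "__main__":
    for before, after in PATCHES:
        old, new = patch_effect(before, after)
        print(f"{before:9} {'; '.join(old):10} -> {after:9} {'; '.join(new)}")
    # The COPYA pokes from the Return of Heracles section
    print(decode("18 60"), decode("29 00"))
```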
 
          KRAK PRINT SHOP DEMO
          ^^^^^^^^^^^^^^^^^^^^


PRINT SHOP DEMO WAS COPYA, BUT IT WAS
UNCATALOGABLE.  CONSIDERING THOSE GREAT
GRAPHICS, I'M SURE YOU MACHINE LANGUAGE
WIZARDS OUT THERE APPRECIATE BEING ABLE
TO EXAMINE THE "MERRIMATION" TECHNIQUE.
TO MAKE IT "FIDABLE", YOU MUST CHANGE
THE SECOND REFERENCE TO "11 01" TO A
"11 09" ON TRACK 11 SECTOR 0.  THEN FID
THE FILES TO A REGULAR DISK.  NO BIGGIE.

           KRAK OTHER PROGRAMS
           ^^^^^^^^^^^^^^^^^^^

NEW MUSIC CONSTRUCTION SET - SAME AS
THE OLD MUSIC CONSTRUCTION SET!
 
MICRO GOLF - DEMUFFIN PLUS
 
EASTER ISLAND - ADVANCED DEMUFFIN
 
KRELL SAT'S - ADVANCED DEMUFFIN, THEN
              COPY NORMAL DOS ON TOP.
 
ALL NEW HAYDEN - ADVANCED DEMUFFIN 13
SECTOR, IGNORE ERRORS ON TRACK 5, USE
FIXCAT ON COPIED DISK AND COPY 3.3 DOS
ON TOP
 
KOALA MICRO ILLUSTRATOR - DEMUFFIN PLUS
 
OK, SORRY ABOUT THOSE ABOVE CHEAPIES,
BUT I USED MY OTHER ONES ABOVE...

            KRAK SUMMER GAMES
            ^^^^^^^^^^^^^^^^^


BOOT BACK SIDE
FROM "FLIP" PROMPT, HIT RESET
CALL-151
8800<B800.BFFFM
BOOT DOS 3.3
BSAVE SG.RWTS,A$8800,L$800
BRUN ADVANCED DEMUFFIN 1.1
LOAD NEW RWTS MODULE & COPY BOTH SIDES
COPY TRACK 0 OF DOS 3.3 ONTO BOTH SIDES
BRUN NIBBLES AWAY II
READ T0,S1 WITH CHECKSUM OFF FROM ORIG.
TURN ON CHECKSUM, WRITE TO CRACKED DISK
DO THE SAME FOR T0,SA FOR BOTH SIDES
READ T22,S2 FROM CRACKED COPY
CHANGE BYTES 0D-0F FROM "20 03 D0" TO
"EA EA EA" ON BOTH SIDES OF DISK
 
IT'S CRACKED!
 

           KRAK MICRO HABITATS
           ^^^^^^^^^^^^^^^^^^^


THIS SHOULD WORK ON ALL READERS DIGEST.
 
RUN COPYA, CTRL-C OUT OF IT, CALL-151
 
B925:18 60
B988:18 60
BE48:18
B8FB:29 00
 
CTRL-C, RETURN, RUN, COPY ORIGINAL.
 

           KRAK NEUTRONS
           ^^^^^^^^^^^^^


NEUTRONS IS VERY OLD, BUT IT SHOWS ONE
OF THE EASIEST WAYS TO KRAK SINGLE LOAD
PROGRAMS.  ONE WAY IS TO BOOT-TRACE; A
PAIN.  ANOTHER IS NMI/CRACKING CARD; A
LOSER'S WAY TO KRAK.  THIS WAY INVOLVES
EXITING THE PROGRAM AND HIDING THE DATA
WHERE IT WON'T GET WIPED ON BOOT.  USE
AN OLD MONITOR OR A CRACKING ROM OR A
16K RAMCARD-BASED OLD MONITOR EMULATOR
TO BREAK AFTER BOOTING UP NEUTRONS. HIT
RESET.
 
A QUICK LOOK AT MEMORY SHOWS NEUTRONS
USING $800-$9600 ALONG WITH A SOUND
ROUTINE AT $300-$3FF.  NOW FOR THE MOVE
MEMORY COMMANDS:
 
2000<800.8FFM
(BOOT)
800<2000.20FFM
BSAVE N0,A$800,L$8FF
(BOOT ORIGINAL)
(RESET, BOOT DOS 3.3)
CALL-151
A964:FF (ALLOWS SAVING MORE THAN $7FFF)
CTRL-C, RETURN
BSAVE N1,A$900,L$8E00
(BOOT ORIGINAL)
2000<300.3FFM
(BOOT DOS 3.3)
300<2000.20FFM
CTRL-C, RETURN
BSAVE N2,A$300,L$FF
 
NOW WE HAVE THE ENTIRE GAME ON DISK.
WE COULD EITHER WRITE A MOVE ROUTINE TO
PUT PAGE 3 BACK TO WHERE IT BELONGS, OR
WE CAN LEAVE IT THERE AND RUN OVER THE
TEXT PAGE.  SINCE MOST OF NORMAL MEMORY
IS CLOGGED UP TO DOS, WE MIGHT AS WELL
JUST LET IT RUN OVER THE TEXT PAGE.
 
BLOAD N0
BLOAD N1
BLOAD N2
 

CALL-151
2FD:4C 00 08 (JUMP TO START OVER SOUND)
58C2:4C 00 C6 (FORCE REBOOT AFTER GAME)
A964:FF (ALLOWS SAVING MORE THAN $7FFF)
CTRL-C, RETURN
BSAVE NEUTRONS,A$2FD,L$9303
 
NOW FOR SOME EASIER KRAKS:
 
SAGA #3
 
BLOAD ADVANCED DEMUFFIN 1.1,A$6000
BOOT SAGA #3, CTRL-C OUT OF IT
CALL-151
800<6000.8000M N 800G
COPY BOTH SIDES OF ORIGINAL 0-21
(TRACK $22 IS THE NIBBLE-COUNTED TRACK)
BOOT SIDE:
BLOAD M1
CALL-151
1E71:60
CTRL-C, RETURN
BSAVE M1,A$800,L$1800
 
APVENTURE TO ATLANTIS
 
USE DEMUFFIN PLUS ON ALL FILES, BUT
COPY THEM ONTO A DISK WITH NO DOS.  TO
PLAY THE GAME, BOOT REGULAR DOS 3.3 AND
"BRUN HELLO"
 
LEARNING WITH FUZZYWOMP
 
BLOAD EMU.OBJ3
FILL 8B00-8C40 WITH 60'S (RTS)
BSAVE EMU.OBJ3,A$8A00,L$240
SECTMOD TA,SE,BYTES AB-AD TO "EA EA EA"
SECTMOD TA,SE,BYTES B3-B4 TO "EA EA"
 
^ AFTER COPYING ORIGINAL WITH COPYA ^
