


#44 : COPY PROTECTION

295 LINES - 59 SECTORS
CONTRIBUTED BY DIAMOND JIM

-----*

COPY PROTECTING YOUR OWN DISKS
BY THOMAS T. BRYLINSKI
08/04/82

INTRODUCTION:

   For those new-commers to the world of APPLE Computers, and to the history of
 software development, here is a brief summary.
   In ancient times (1978-1979), the APPLE Corporation was just getting started
, and absolutely no software was available for your $1530 toy. So most people wh
o bought this expensive little tan box had to write their own software. If you w
ere among the mo


re fortunate users who had a good sales pitch, you talked your boss into buying
 you an APPLE, and then spent your company's time learning the in's and out's of
 programming. In any case, you could not purchase ANY good software for your mac
hine. Shortly af


ter the first early programmers crawled out of their shells, APPLE users groups
 started to form. The prime function of these groups was to share programs and t
o exchange the secrets which one had learned in the previous month. (also it was
 a good excuse t


o get away from the kids at home, for a night)! Four or five months passed and 
a few early programmers got the idea that they would market their software and m
ake a few bucks for their hard hours programming. And thus, the first APPLE soft
ware companies f


ormed. These companies were very small and usually started in someone's basemen
t. The prime buyers of this software were the APPLE DEALERS. The dealers could n
ow demonstrate these marvelous machines with some "GREAT" software. By the way, 
this great softw


are came on cassettes, (you know, those little plastic things you used to recor
d music on). These cassettes were copyable by normal means, (eg. tape recording)
, and the dealers started giving some programs away with each system that they s
old.

   In the summer of the DARK AGES (1979), APPLE COMUPTER released their first d
isk drive system (3.2 DOS). This disk system made copying programs easier, faste
r, and much more reliable. At this time copying was encouraged by both programme
r and dealer. So


on the software companies realized the increasing market for their products, an
d theorized that if they could produce a disk that could not be copied by normal
 means they could sell more software, hence more profit. APPLE'S disk system was
 the perfect ans


wer to their problem. APPLE chose to make their disk system totally "SOFT", whi
ch means that all information pertaining to the disk operation is stored on disk
. This information is then loaded into RAM (random access memory), upon a system
 boot (PR#6). Al


l commands typed at the keyboard are examined by the "disk operating system" (D
OS), and then by the apple ROM's (that row of big fat chips inside the machine).
 Now the software writers had an edge on the normal user, change how the APPLE r
esponds to user 


commands, and keep them out of your programs. The only problem was that the cop
y program that came with your disk drive was able to copy the complete disk. Wit
h a "soft" DOS, the programmers could change how the information is read from di
sk and modify th


eir DOS to read it. As Apple users became more aware of the internal workings o
f their machines, programmers made more and more changes to DOS, and the race wa
s on!

  So much for the history lesson (boring out-of-date information anyway), and o
n to the meat of the lecture.


TERMS USED IN THE TEXT:

BIT- the smallest piece of information that the computer can recognize or proce
ss.

NIBBLE- four bits in a row, or a block

BYTE- eight bits in a row or block. It is the smallest piece of information tha
t people like to work with. (00000000)

VTOC- Volume Table Of Contents: DOS uses this sector to tell it which sectors a
re used and which are free on the disk.

SELF-SYNC BYTE- a special byte used for locating information on the disk. This 
byte differs from a normal byte in that it is made up of nine bits. (111111111)


PROTECTION METHODS


DISK COMMAND CHANGES- changes to the DOS that make those familiar words like Lo
ad, Delete, and Save, give the user that cold, unforgiving response...SYNTAX ERR
OR

CATALOG TRACK LOCATION- moving the catalog to a non-standard track (normally tr
ack HEX $11, DEC 17)

CHECKSUM ALTERATION- the portion of each sector that DOS automatically checks t
o make sure that the information it has read is correct.

$D6,VECTOR- an Applesoft pointer used by the machine to make "carriage return" 
= RUN.

LOADER DOS- a DOS whose sole purpose is to Load and execute one program from di
sk.

HALF-TRACKING- writing information between the normal tracks on the disk.

DOS HOOK- designating a specific track on the disk, where the only information 
on the track is a track & sector number, to tell DOS where to read next.

PROGRAM LOCK- a line of programming that looks at a specific memory location an
d compares its contents to a programmed number. (x=peek(y))

HARDWARE LOCK- Using a hardware modification to lock the program.

NIBBLE COUNTING- setting aside a specific track on the disk where a number of s
elf-sync nibbles are written.




TOOLS FOR LOCKING PROGRAMS


DOS BOSS - Beagle Brothers Software

BEANETH APPLE DOS - Quality Software

PROGRAMMER'S AIDS - Dakin 5 Corporation

BAG OF TRICKS - Quality Software

SUPER DISK COPY - Sensible Software

TASC - Microsoft

THE EXPEDITER - On Line Systems

THE DOS MANUAL - Apple Computer Corporation

APPLE II REFERENCE MANUAL - Apple Computer Corporation

WHAT'S WHERE IN THE APPLE - William F. Luebbert

SOFTALK magazine

NIBBLE magazine


   If you are familiar with the above manuals, software, and periodicals you ar
e well on your way to locking programs. Also you will need use of one of the nib
ble copiers on the market such as, LOCKSMITH, NIBBLES AWAY, or CLONE. CLONE is m
y choice because


 it is very fast compared to the others.


LOCKING TECHNIQUES:


MESS UP DOS
   Change some or all of the DOS commands. This in itself may be enough to prot
ect your programs. Go a little further. Bury some control characters in the cata
log. (control chrs. don't print usually). Change "CATALOG" to "LIST" and the Bas
ic command "List


" becomes unusable. Try it, you can't "list" a program in memory. Duplicate DOS
 commands are great. Only the first one encountered will work. Confuse the user 
by changing the disk error messages. For example do the following:
 1) Change the SAVE command to STORE
 2) Change the READ command to SAVE
 3) Change the "NOT DIRECT COMMAND" error 
    message to "NOT COPYABLE"
Now when anyone tries to load and save your program you get the "NOT COPYABLE" 
error message because he used the wrong command! *** EXPERIMENT ***
   
   Now the following can be done to any disk you want. We will move the catalog
 track from track $11 to track $5, just for convenience mind you. 
 1) Boot your favorite 3.3 system master to load DOS
 2) Placeyour DOS BOSS disk in the drive and type:LOAD DOS BOSS (return)
 3) Type: Poke 44033,5 (return)
 4) Place a blank disk into the disk drive and close the door. (something your 
parents keep telling you to do.)
 5) Type: RUN (return)
 6) Change a few commands...any one you want! 
 7) Before you leave DOS BOSS, change the disk volume heading to" SYNTAX ERROR"
 ... Don't forget the ctrl-G at the end!
 8) Exit the DOS BOSS program.
 9) Type: NEW (return) <--(by now you should remember) 
 10) Type: INIT HELLO
 11) Wait a minute or so and pull the disk out of the drive.
 12) Boot your system master again and try to catalog the disk you've just init
iallized.


If you have not noticed by now 44033 is the memory location that holds the cata
log track number. Type: PRINT PEEK(44033), and you will see that DOS is looking 
at track 17 to find the catalog. Now if one were rather clever you would use som
ething like SUPE


R DISK COPY to copy the catalog track from another disk onto your modified disk
. Also it will be necessary to change VTOC so that you do not overwrite real fil
es on the disk. VTOC is normally located on track $11, sector $00. However the V
TOC to fix on yo


ur modified disk i **
   T0 SYNC: 18=20 19=00 40=20 44=DD 45=AD
            46=DA 72=00 73=00 77=00
            78=00 79=12 7C=00
   T1.5-TB.5  SYNC 
   TD-T20  SYNC

BORG  **
   T0: 18=20 19=00 40=20 4D=00 4E=00 
       52=00 53=00 54=12 57=00
       72=00 73=00 77=00 78=00 79=12 
       7C=00 44=DD 45=AD 46=DA
   T1.5-TC.5 SYNC
   TD-T20 SYNC

BPI BUSINESS ACCTING SYSTEM (4 DISKS)
       (REVISED 10-26)
   T0-T22: 19=00 21=02 58=19 59=06            5A=1A 5B=FF BD=44 BE=E6          
  BF=45 C0=FF C1=40 C2=01
           C4=44 program RUN when any command is issued.

POKE 1010,102: POKE 1011,213: POKE 1012,112 -- Makes RESET run the program in m
emory.

POKE 2049,1 -- Makes the first program line list repeately.


   Well by this time you should be bored stiff or really into learning copy pro
tection. If the latter is the case continue to read, if the former, re-boot the 
system and fire up your favorite game.
   Now we shall take on the heavier ways to protect. If you were reading carefu
lly to this point, you now should know how to change your DOS commands and chang
e the catalog track. Also if you were experimenting you should have a few other 
tricks under you


r belt. So, if you're having trouble at this point it would be advised to start
 at the beginning!

  In this section we will discuss the heavier ways of protection.

CHECKSUM ALTERATION:
   In each sector on the disk is a byte which is the Checksum. This byte is the
 last byte to be written into a sector. The value of this byte varies with the a
mount of information stored in that sector. Normal Apple DOS reads in the inform
ation on the sec


tor, and then counts the bytes it has read. It then compares this number to the
 checksum, if they are equal it continues to read the next sector. If it is not 
equal DOS has made an error and tries to read it again. After three tries it sto
ps and gives the


 user an error message. In order to change the checksum we must change the byte
 directly on the disk. For this job I find BAG OF TRICKS very useful. However it
 should also be noted at this time, that your standard 3.3 DOS will no longer re
ad this sector. 


Now in order to read this sector, we must disable the Checksum routine in DOS. 
To do this from the keyboard type the following:
  1) CALL-151
  2) B942:18     REM 3.3 DOS
       or
     B963:18     REM 3.2 DOS
This changes a "set carry" instruction to a "clear carry" instruction.
  3) 3D0G
Now you're back in Basic.
I hav'nt found a way to INIT a disk with this changed DOS yet, but by using DAK
IN 5 PROGRAMMERS AIDS you can change DOS directly on your disk with the Patcher.
 The data to be zapped resides on track 0, sector 3.
    Byte $42  change $38 to $18  REM 3.3 DOS

    Byte $63  change $38 to $18  REM 3.2 DOS



$D6, VECTOR:
   The D6 memory location in the Apple can set from Applesoft by typing POKE 21
4,255; OR from assembly by:

             LDA  #$FF
             STA  D6

This is where the Applesoft Run pointer resides. By putting a number larger tha
n 128 in this location Applesoft equates a carriage return with the Applesoft RU
N command. Once set, all user commands cause the program in memory to be execute
d.



LOADER DOS:
   Loader DOS is the minimal DOS that can be utilized in the Apple. It consists
 of nothing more than RWTS and a table of track and sector numbers that are to b
e read in. Loader DOS has no DOS commands, as its only function is to load a pro
gram, and start 


running it. If you're interested in this consult the DOS manual. The manual exp
lains how to write the look-up table and how to utilize RWTS directly.



HALF-TRACKING:
   half- tracking is utilizing the tracks between the normal tracks on the disk
. This is possible because the disk drive is actually capable of writing to seve
nty tracks, as that is the number of stepped positions the read/write head has. 
However one cann


ot use these half tracks to double the amount of information stored on the disk
 due to hardware constraints in the Apple drive unit. In order to use half track
s the adjacent full tracks must not be written to because of the high risk of ov
erwriting or des


troying information on the half track. It is only possible to write to half tra
cks with assembly because the programmer must toggle the soft stepper switch onl
y once and then access RWTS directly.



DOS HOOK:
   In order to use a DOS HOOK one has to first write their own RWTS portion of 
DOS. Then write or modify the DOS boot routines to supply RWTS with a track and 
sector number and read that sector. This information is taken as data for RWTS a
nd the next read


. A program that utilizes the hook very effectively is MASTERTYPE from Lightnin
g Software.



PROGRAM LOCK:
   This is no more than a combination lock that is built into the program. To e
ffectively use it, it is necessary to modify the boot routine in DOS. This is do
ne by moving the PROM boot routine down into RAM where we can change it to stop 
after the first 


bootstrap routine is loaded. This is done by typing:
 1) CALL-151
 2) 9600<C600.C700M
 3) 96F9:59 FF
 4) 9600G
 
At this point the disk starts and loads the boot routine in at $800 but does no
t execute it. Now look at it by typing 800L. Hit L a few more times until you co
me to JMP $301. The OP codes should be 4C 01 03. This is the key that you will l
ook for on the d


isk. You will find them on track 00, sector 00 of the disk. Using PROGRAMMING A
IDS you will be able to change this information on the disk, and put into memory
 your own combination. Do this by typing in the OP codes for the following:
       LDA  #$XX      ;XX = PART OF COMB
       STA  YYYY      ;YYYY = MEMORY LOC
And don't forget to put the JMP $300 back in.

   Now all that is left is to doctor up your program to look for the combinatio
n that you stored in the boot. Do this by PEEKing that memory location, and comp
aring the contents.



HARDWARE LOCK:
   I won't spend much time on this because it is the worst way to protect softw
are. It works like this: You have to plug in something that looks like an integr
ated circuit into the game port. That will simulate the game paddles set at a sp
ecific spot. The


 program then reads the port and compares the input to the progeammed readings 
, if different....CRASH!!!



NIBBLE COUNTING:
   Unfortunately  the only thing I know for sure about this is it must access t
he memory locations

C080-C08F+16*(SLOT #)



SUMMARY:
  If you choose to write your programs in Basic, it is a very good idea to comp
ile the source code. The generated OP CODE is almost impossible to read or chang
e. In this way you can hide all sorts of locking schemes. Also don't forget to u
se the ONERR App


lesoft command, this will stop a ctrl-C Break from Applesoft.

-----*



< 19> 
