


#50 : KR> BOOT TRACING PART I

508 LINES - 62 SECTORS

***************************************
*     KRAKOWICZ'S KRACKING KORNER     *
*                                     *
*     THE BASICS OF KRACKING 108:     *
*                                     *
*      BOOT CODE TRACING PART 1       *
***************************************

            Distributed by
     The Safehouse - 612/724-7066

     AT LAST! THE LONG-AWAITED
DESCRIPTION OF BOOT-CODE TRACING AND
ITS APPLICATION TO DISK UNPROTECTION.
MY KRACKING LAW #7 SAYS "WHEN ALL ELSE
FAILS, BOOT TRACE." FOR MANY KRACKISTS,
NOTABLE AMONG WHOM WAS MR. XEROX (MAY
HE REST IN PEACE), THE MOTTO WAS
OPPOSITE: "BEFORE YOU DO ANYTHING ELSE,
TRACE THE BOOT CODE." DEPENDING ON
YOUR SKILL AND PREDISPOSITION, YOU'LL
SETTLE SOMEWHERE IN BETWEEN THESE
EXTREMES.

     IF MR. XEROX DIDN'T INVENT BOOT-
TRACING, HE WAS CERTAINLY THE FIRST TO
DOCUMENT IT CLEARLY IN THE UNDERGROUND
PRESS. THE DESCRIPTION THAT FOLLOWS
BORROWS HEAVILY FROM HIS ORIGINAL
TREATISE ON THE PIRATE'S HARBOR
CRACKING DISK #1. IN ADDITION,
"MYCROFT" WROTE A THOROUGH ARTICLE IN
HARDCORE COMPUTING UPDATE 3.1
DESCRIBING HIS OWN, SLIGHTLY DIFFERENT
APPROACH TO BOOT-TRACING. WHILE I FIND
HIS PROCESS A LITTLE MORE LABORIOUS, IT
MIGHT BE NECESSARY FOR SOME VERY
DIFFICULT CASES.

     THE PROCESS IS BASED FIRMLY ON THE
FIRST LAW: TRACK 0, SECTOR 0 OF EVERY
DISK MUST <ALWAYS> LOAD INTO PAGE 8
($800-8FF). THE FURTHER ASSUMPTION IS
THAT, IF WE CAN VIEW EVERY STAGE OF THE
BOOT PROCESS, WE CAN LEARN ENOUGH TO
PRODUCE AN UNPROTECTED VERSION OF THE
PROGRAM. IT DOES NOT HAVE MYSTICAL
POWERS, AND STILL REQUIRES THE ABILITY
TO TEAR APART AND UNDERSTAND ASSEMBLY
LANGUAGE, MUCH OF WHICH IS
INTENTIONALLY MISLEADING. WE'LL BEGIN
WITH BACKGROUND MATERIAL AND A REVIEW
OF THE NORMAL BOOT PROCESS (DAMMIT,
MAUDE, WE ALWAYS HAVE TO SIT THROUGH
THE SERMON FIRST!), AND PROCEED THROUGH
AN EXAMPLE OF A NEW PROGRAM.

     (AS WITH MOST KRACKING ACTIVITIES,
IT'S BEST TO HAVE ON HAND A BLANK
INITIALIZED DISK FOR SAVING PIECES OF
THE CODE AS THEY BECOME AVAILABLE).

     ORDINARILY, WHEN YOU BOOT A 48K
SLAVE DISK (A MASTER IS SLIGHTLY
DIFFERENT, BUT WE'LL IGNORE THAT FOR
THE TIME BEING), A THREE-STAGE PROCESS
IS STARTED WHICH ENDS UP WITH THE
DESIRED (HELLO) PROGRAM RUNNING. FIRST,
THE CONTROLLER CARD ROM AT $C600-C6FF
LOADS T0, S0 INTO PAGE 8, THEN JUMPS TO
LOCATION $801. THIS IS A SHORT PROGRAM
THAT LOADS ALL 10 SECTORS OF RWTS FROM
T0, S0 THROUGH T0,S9 INTO PAGES $B6-BF
($B600-BFFF), THEN JUMPS TO LOCATION
$B700. THIS PROGRAM, IN TURN, LOADS $1B
(27) PAGES INTO $9D00-B5FF FROM T2, S4
THROUGH T0, SB (NOTE-THIS IS A
"BACKWARDS LOAD" FOR SPEED. APPLE KNEW
ABOUT IT, SO WHY DIDN'T DOS EVER USE IT
FOR QUICKLOADING FILES???). AFTER A
LITTLE HOUSEKEEPING, THE PROGRAM JUMPS
TO THE DOS COLDSTART IN $9D84, WHICH
RUNS OR EXECS THE HELLO PROGRAM. IN
SUMMARY:

  CODE    # OF   DEST    NAME   NEXT
LOCATION  SECT.  PAGE           JUMP
--------  -----  ----  -------  ----
C600-C6FF    1    08   STAGE 0   801
0801-08FF    9  B6-BF  STAGE 1  B700
B700-B7FF   27  9D-B5  STAGE 2  9D84


OF COURSE, IN A NONSTANDARD FORMAT
INTENDED FOR PROTECTION, THINGS AREN'T
NECESSARILY THE SAME. TO SEE THE
DIFFERENCES, YOU NEED TO EXAMINE EACH
STAGE SEPARATELY TO SEE WHAT IT DOES
AND WHERE IT GOES.

     THE THEORY OF BOOT-TRACING IS
STRAIGHTFORWARD: FOLLOW THE BOOT
PROCESS ONE STEP AT A TIME TO SEE WHERE
IT LEADS YOU, BY CREATIVELY ALTERING
THE CODE TO PREVENT IT FROM RUNNING
AWAY FROM YOU. IN SUMMARY, WE WILL:

1. READ IN THE STAGE 1 BOOT CODE, BUT
   NOT ALLOW IT TO EXECUTE,
2. ALTER THE FIRST STAGE BOOT SO IT
   WILL EXECUTE TO LOAD IN STAGE TWO,
   WHILE PREVENTING THE NEW STAGE FROM
   RUNNING,
3. IF NECESSARY, REPEAT THE PROCESS OF
   ALTERING, LOADING, AND HALTING UNTIL
   ALL THE STAGES OF THE BOOT HAVE BEEN
   EXAMINED AND UNDERSTOOD.

IN PRACTICE, THE FIRST TWO STEPS ARE
RELATIVELY STANDARD, BUT STEP THREE CAN
GET QUITE INVOLVED AS THE TRACE
PROGRESSES.

     THE TECHNIQUE FOR INTERRUPTING THE
ORDERLY FLOW OF THE BOOT IS REFERRED TO
AS "SETTING BREAK POINTS". THE
TERMINOLOGY IS BORROWED FROM THE DARK
AGES WHEN COMPUTERS HAD REAL FRONT
PANELS WITH KNOBS AND SWITCHES AND
LIGHTS, AND YOU COULD ACTUALLY
"DIAL-IN" AN ADDRESS WHERE YOU WANTED
THE COMPUTER TO HALT FOR EXAMINATION
(IS ANYONE OUT THERE OLD ENOUGH TO
SHARE MY FOND RECOLLECTION OF
'EXECUTE-STOP' AND 'FETCH-STOP'
KNOBS?). SOPHISTICATED SYSTEMS WITH
HIGH-LEVEL EXECUTIVE PROGRAMS STILL
ALLOW THIS TODAY, BUT IN THE APPLE WE
HAVE TO BE A LITTLE MORE IMAGINATIVE.

     IN ALL APPLE II SYSTEMS, THE
INSTRUCTION SEQUENCE '4C 59 FF' OR JMP
FF59 GOES TO THE RESET CODE AND
PROVIDES A POSITIVE, PERMANENT STOPPING
PLACE FROM ANYPLACE IN ASSEMBLY
LANGUAGE CODE, AND HALTS WITH A
WELL-DEFINED MACHINE STATE. WHENEVER WE
WANT TO SET A "BREAKPOINT" IN THE
APPLE, WE CAN REPLACE ANY THREE BYTES
OF CODE WITH '4C 59 FF'.

     TO BEGIN THE PROCESS, LET'S LOOK AT
SOME CODE FROM PART OF THE CONTROLLER
CARD BOOT ROM:

C600-   A2 20       LDX   #$20
C602-   A0 00       LDY   #$00
C604-   A2 03       LDX   #$03
           !
           !
C621-   20 58 FF    JSR   $FF58
C624-   BA          TSX
C625-   BD 00 01    LDA   $0100,X
C628-   0A          ASL
C629-   0A          ASL
C62A-   0A          ASL
C62B-   0A          ASL
C62C-   85 2B       STA   $2B
C62E-   AA          TAX
C62F-   BD 8E C0    LDA   $C08E,X
            !
            !
C658-   A9 08       LDA   #$08
C65A-   85 27       STA   $27
C65C-   18          CLC
C65D-   08          PHP
C65E-   BD 8C C0    LDA   $C08C,X
C661-   10 FB       BPL   $C65E
C663-   49 D5       EOR   #$D5
C665-   D0 F7       BNE   $C65E
C667-   BD 8C C0    LDA   $C08C,X
C66A-   10 FB       BPL   $C667
C66C-   C9 AA       CMP   #$AA
C66E-   D0 F3       BNE   $C663
C670-   EA          NOP
C671-   BD 8C C0    LDA   $C08C,X
C674-   10 FB       BPL   $C671
C676-   C9 96       CMP   #$96
C678-   F0 09       BEQ   $C683
             !
             !
C6E6-   91 26       STA   ($26),Y
C6E8-   C8          INY
C6E9-   D0 EE       BNE   $C6D9
C6EB-   E6 27       INC   $27
C6ED-   E6 3D       INC   $3D
C6EF-   A5 3D       LDA   $3D
C6F1-   CD 00 08    CMP   $0800
C6F4-   A6 2B       LDX   $2B
C6F6-   90 DB       BCC   $C6D3
C6F8-   4C 01 08    JMP   $0801
C6FB-   00          BRK
C6FC-   00          BRK
C6FD-   00          BRK


NOTICE THE INSTRUCTION 'JMP $0801' AT
C6F8. THIS IS THE "LINK" TO STAGE 1 OF
THE BOOT. IF WE COULD CHANGE IT TO 'JMP
FF59', *EVERY* DISK WE BOOTED WOULD
LOAD IN THE FIRST SECTOR, BEEP INTO THE
MONITOR, AND OBLIGINGLY WAIT WHILE WE
SNOOP THROUGH PAGE 8 TO OUR HEART'S
CONTENT. SINCE THE PROGRAM IS IN ROM,
WE CAN'T ALTER IT, BUT WE CAN COPY IT
DOWN TO A COMPATIBLE LOCATION AND
ALTER IT SO THAT THE PROGRAM HALTS
INSTEAD OF CONTINUING WITH THE BOOT
PROCESS. BECAUSE THE BOOT CODE HAS TO
EXECUTE FROM ANY SLOT, IT CONTAINS A
"WHERE ARE WE" ROUTINE AT C621-C62E TO
FIND OUT WHAT ITS CURRENT LOCATION IS.
HAPPILY FOR US, THIS KIND OF
RELOCATABLE CODE WILL RUN MANY PLACES
BESIDES THE C100-C7FF PERIPHERAL
ROM SPACE (SEE THE REFERENCE MANUAL P.
81 FOR A DESCRIPTION OF THE "WHERE ARE
WE" ROUTINE). MR. XEROX'S FAMOUS
MONITOR INSTRUCTIONS WHICH RELOCATE THE
BOOT ROM CODE AND INSERT THE FIRST
BREAKPOINT ARE:

        9600<C600.C6FFM
        96F8:4C 59 FF

(NOTE-PAGE 96 IS NOT REQUIRED, BUT THE
PAGE YOU USE MUST END IN 6 SO THAT SLOT
6 IS DECODED AS THE CONTROLLER CARD
LOCATION). THE LAST FEW LINES OF THE
(RELOCATED) BOOT ROM CODE NOW READ:

96F4-   A6 2B       LDX $2B
96F6-   90 DB       BCC $96D3
96F8-   4C 59 FF    JMP $FF59

SO THAT TYPING:

        9600G

WILL INITIATE A BOOT SEQUENCE FROM OUR
CODE AT 9600 WHICH ENDS AT THE "BREAK
POINT" AT $96F8, RATHER THAN CONTINUING
THE BOOT. IF YOU TRY THIS, YOU'LL FIND
THAT THE DISK IS STILL SPINNING, AND
YOU CAN TURN IT OFF BY INCLUDING THE
INSTRUCTION '2C E8 C0' (BIT C0E8)
AT 96F8 BEFORE THE JMP FF59, OR YOU CAN
JUST TYPE 'C0E8' FROM THE MONITOR.
AFTER PAGE 8 HAS BEEN LOADED WITH THE
STAGE 1 BOOT CODE, THE FUN BEGINS
(UNTIL YOU GET GOOD AT THIS, IT'S A
GOOD IDEA TO SAVE EACH PIECE OF BOOT
CODE AS A BFILE ON A SPARE DISK BEFORE
PROCEEDING. IT'S USUALLY EASIER THAN
RUNNING THROUGH THE ENTIRE SEQUENCE
EACH TIME A STEP DOESN'T WORK AS YOU
EXPECT, AND IT WILL MAKE IT EASIER TO
PRINT OUT A DISASSEMBLY OF THE CODE TO
FIGURE OUT WHAT IT DOES).

     AT THIS POINT, PAGE 8 MUST CONTAIN
STAGE 1 OF THE BOOT WITH LOCATION $801
AS THE STARTING POINT. IF THE FIRST
STAGE IS KOSHER, LOCATION $84A CONTAINS
'6C FD 08', WHICH IS AN INDIRECT JUMP
THROUGH THE LOCATION IN 8FD & 8FE. THIS
IS THE EXIT POINT OF THE STAGE ONE
BOOT, AND NORMALLY JUMPS TO B700 TO
BEGIN READING IN THE CODE FOR STAGE 2
(THE B6 AT 8FE BECOMES B7 DURING THE
10-SECTOR LOAD). TO CONTINUE OUR
MISSION, WE MUST LOCATE THE EXIT POINT
OF THIS STAGE AND INSERT A BREAKPOINT.

0801-   A5 27       LDA   $27
0803-   C9 09       CMP   #$09
0805-   D0 18       BNE   $081F
0807-   A5 2B       LDA   $2B
0809-   4A          LSR
080A-   4A          LSR
080B-   4A          LSR
080C-   4A          LSR
080D-   09 C0       ORA   #$C0
080F-   85 3F       STA   $3F
0811-   A9 5C       LDA   #$5C
0813-   85 3E       STA   $3E
0815-   18          CLC
0816-   AD FE 08    LDA   $08FE
0819-   6D FF 08    ADC   $08FF
081C-   8D FE 08    STA   $08FE
081F-   AE FF 08    LDX   $08FF
0822-   30 15       BMI   $0839
0824-   BD 4D 08    LDA   $084D,X
0827-   85 3D       STA   $3D
0829-   CE FF 08    DEC   $08FF
082C-   AD FE 08    LDA   $08FE
082F-   85 27       STA   $27
0831-   CE FE 08    DEC   $08FE
0834-   A6 2B       LDX   $2B
0836-   6C 3E 00    JMP   ($003E)
0839-   EE FE 08    INC   $08FE
083C-   EE FE 08    INC   $08FE
083F-   20 89 FE    JSR   $FE89
0842-   20 93 FE    JSR   $FE93
0845-   20 2F FB    JSR   $FB2F
0848-   A6 2B       LDX   $2B
084A-   6C FD 08    JMP   ($08FD)
084D-   00          BRK
084E-   0D 0B 09    ORA   $090B
0851-   07          ???
0852-   05 03       ORA   $03
0854-   01 0E       ORA   ($0E,X)
0856-   0C          ???
0857-   0A          ASL
0858-   08          PHP
0859-   06 04       ASL   $04
085B-   02          ???
085C-   0F          ???
085D-   00          BRK
         !
         !
08FD-   00          BRK
08FE-   B6 09       LDX   $09,Y

     NONSTANDARD FORMATS CAN HAVE ANY
NUMBER OF EXIT INSTRUCTIONS, AND THIS
IS WHERE YOUR KNOWLEDGE OF ASSEMBLY
LANGUAGE AND EXPERIENCE AT READING CODE
WILL START TO PAY OFF. UNLESS THE FIRST
STAGE IS RELATIVELY STANDARD, IT'S
NECESSARY TO SPEND TIME EXAMINING AND
TEARING APART THE CODE UNTIL YOU
UNDERSTAND WHAT'S GOING ON. LOOK FIRST
FOR A JUMP OR INDIRECT JUMP TO
SOMEPLACE OUTSIDE OF PAGE 8, AND CHANGE
THAT TO JMP FF59. IF NONE APPEARS, LOOK
FOR A "JUMP THROUGH THE STACK" TRICK AS
DESCRIBED IN THE ARCADE MACHINE FILE:
FOR EXAMPLE, TO GO TO $BB00 THERE WILL
BE, SOMEWHERE IN THE CODE, TWO "PHA'S"
AND AN "RTS". THE FIRST PUSH ONTO THE
STACK WOULD BE $BA; THE SECOND $FF.
WHEN THE RTS IS EXECUTED, THE TWO BYTES
ARE PULLED OFF THE STACK, INCREMENTED
BY ONE TO BB00, AND JUMPED TO. IN
ADDITION, MORE THAN ONE PAGE CAN BE
LOADED UNDER STAGE 0, AND ACCESSED BY A
RELATIVE BRANCH INSTRUCTION, SO YOU'LL
HAVE TO EXAMINE <ALL> THE CODE LOADED
IN (IT'S GOOD PRACTICE TO CLEAR OUT ALL
OF MEMORY BEFORE STARTING; THIS WILL
WORK IF DOS IS NOT ACTIVE:
800:0 N 801<800.BFFFM).
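     WHAT FOLLOWS IS AN ADDED EXAMPLE IN
PYTHON, NOT CODE FROM THE ORIGINAL TEXT
OR FROM MR. XEROX, AND THE FUNCTION
NAMES IN IT ARE MY OWN. IT REBUILDS THE
PAGE 8 IMAGE FROM THE DOS 3.3 STAGE 1
LISTING ABOVE (BYTES THE LISTING DOES
NOT SHOW ARE ASSUMED TO BE ZERO) AND
SCANS IT FOR THE EXIT PATTERNS JUST
DESCRIBED: A JMP OR INDIRECT JMP OUT OF
PAGE 8, AND THE TWO-PHA-AND-RTS TRICK.
THE RTS SAMPLE IS CONSTRUCTED TO MATCH
THE $BB00 CASE IN THE TEXT. IT ALSO
PATCHES THE EXIT AT $84A TO '4C 59 FF'
THE WAY THE MONITOR COMMAND DOES.

```python
# Added example, not from the original Krakowicz text: a scanner for the
# exit instructions a boot tracer turns into breakpoints.  The page-8 image
# is rebuilt from the DOS 3.3 stage-1 listing; bytes the listing does not
# show are zero-filled (an assumption), so only the listed code is meaningful.

BASE = 0x0800                              # T0,S0 always lands in page 8
BREAKPOINT = bytes([0x4C, 0x59, 0xFF])     # JMP $FF59, the monitor reset entry

# 6502 opcode bytes the text says to look for
JMP_ABS, JMP_IND, JSR, RTS, PHA, LDA_IMM = 0x4C, 0x6C, 0x20, 0x60, 0x48, 0xA9

# $0801-$085D from the listing: loader code, then the sector skew table at $084D
STAGE1_CODE = bytes.fromhex(
    "A527C909D018A52B4A4A4A4A09C0853FA95C853E18ADFE086DFF088DFE08"
    "AEFF083015BD4D08853DCEFF08ADFE088527CEFE08A62B6C3E00EEFE08EEFE08"
    "2089FE2093FE202FFBA62B6CFD08"
    "000D0B09070503010E0C0A080604020F00"
)

# Constructed, not from any listing: the two-PHA-and-RTS exit the text
# describes, which lands at $BB00 (push $BA, push $FF, RTS adds one)
RTS_TRICK = bytes.fromhex("A9BA48A9FF4860")


def build_page8(code=STAGE1_CODE, trailer=bytes([0x00, 0xB6, 0x09])):
    """Lay out a 256-byte T0,S0 image: $0800 = sector count for the ROM,
    code from $0801, and $08FD-$08FF = vector low byte, page, sector count."""
    page = bytearray(256)
    page[0] = 0x01
    page[1:1 + len(code)] = code
    page[0xFD:0x100] = trailer
    return bytes(page)


def find_exit_points(page, base=BASE):
    """Return (address, kind, target) for every byte pattern that would send
    control out of the page.  This is a plain byte scan rather than a
    disassembly, since data such as the skew table would desynchronise a
    linear disassembler; every hit still has to be confirmed in the monitor."""
    hits = []
    n = len(page)
    page_no = base >> 8
    for i in range(n):
        op = page[i]
        addr = base + i
        if op in (JMP_ABS, JSR) and i + 2 < n:
            target = page[i + 1] | page[i + 2] << 8
            if target >> 8 == page_no:
                continue                       # stays inside the page
            if op == JSR and target >= 0xC000:
                continue                       # monitor/ROM housekeeping call
            hits.append((addr, "JMP" if op == JMP_ABS else "JSR", target))
        elif op == JMP_IND and i + 2 < n:
            ptr = page[i + 1] | page[i + 2] << 8
            off = ptr & 0xFF
            if ptr >> 8 == page_no and off + 1 < n:
                # the vector is stored in this sector: resolve it statically
                hits.append((addr, "JMP()", page[off] | page[off + 1] << 8))
            else:
                hits.append((addr, "JMP()", None))   # vector set up at run time
        elif op == RTS and i >= 6:
            # LDA #hi / PHA / LDA #lo / PHA / RTS: RTS pulls lo, hi and adds one
            s = page[i - 6:i]
            if s[0] == LDA_IMM and s[2] == PHA and s[3] == LDA_IMM and s[5] == PHA:
                hits.append((addr, "PHA/RTS", ((s[1] << 8 | s[4]) + 1) & 0xFFFF))
    return hits


def set_breakpoint(page, addr, base=BASE):
    """Replace the three bytes at addr with JMP $FF59 (the monitor patch
    '84A:4C 59 FF' from the text) and return the patched copy."""
    off = addr - base
    if not 0 <= off <= len(page) - 3:
        raise ValueError("breakpoint does not fit inside the page")
    patched = bytearray(page)
    patched[off:off + 3] = BREAKPOINT
    return bytes(patched)


if __name__ == "__main__":
    for label, image in (("DOS 3.3 stage 1", build_page8()),
                         ("PHA/RTS exit", build_page8(RTS_TRICK))):
        print(label)
        for addr, kind, target in find_exit_points(image):
            dest = "run-time" if target is None else f"${target:04X}"
            print(f"  ${addr:04X}  {kind:8s} -> {dest}")
    patched = set_breakpoint(build_page8(), 0x084A)
    print("after 84A:4C 59 FF ->", find_exit_points(patched)[-1])
```

RUN IT AND THE DOS 3.3 IMAGE REPORTS TWO
INDIRECT JUMPS: THE ONE AT $836 GOES
THROUGH $3E/$3F, WHICH IS SET UP AT RUN
TIME (IT IS THE CALL BACK INTO THE ROM
READ ROUTINE, NOT THE EXIT), AND THE ONE
AT $84A RESOLVES TO $B600 FROM THE BYTES
AT 8FD/8FE AS THEY SIT ON THE DISK. THAT
IS WHY A STATIC SCAN ONLY GIVES YOU
CANDIDATES: THE B6 BECOMES B7 DURING THE
LOAD, SO THE REAL TARGET IS $B700.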

     WHEN YOU FIND THE EXIT POINT, MAKE
IT A BREAKPOINT WITH '4C 59 FF' TO
PREVENT THE CONTINUATION OF THE BOOT.
BEFORE PROCEEDING, TAKE A GOOD LOOK AT
ALL THE CODE TO BE SURE YOU UNDERSTAND
WHERE THE NEXT STAGE LOADS, AND ANY
UNUSUAL CONDITIONS OR INSTRUCTIONS.

     THE ALTERED PORTION OF CODE IS
NOW:

0839-   EE FE 08    INC   $08FE
083C-   EE FE 08    INC   $08FE
083F-   20 89 FE    JSR   $FE89
0842-   20 93 FE    JSR   $FE93
0845-   20 2F FB    JSR   $FB2F
0848-   A6 2B       LDX   $2B
084A-   4C 59 FF    JMP   $FF59
084D-   00          BRK

THE THEORY NOW IS TO ALLOW THE BOOT TO
PROCEED THROUGH ONE MORE STAGE, HALTING
AFTER RWTS HAS BEEN READ IN, AND GIVING
US A CHANCE TO EXAMINE THAT PORTION OF
THE PROGRAM FOR ALTERATIONS. IF WE JUST
REBOOTED WITH '9600G', THE ORIGINAL
CODE WOULD OVERWRITE OUR ALTERED PAGE
8, SO WE HAVE TO ARRANGE IT SO THAT THE
FIRST STAGE BOOT CODE IS SENT OFF INTO
OBLIVION. REFERRING BACK TO THE BOOT
CODE, LOCATION 9658 (ORIGINALLY C658)
CONTAINS THE PAGE NUMBER WHERE T0, S0
LOADS IN, NORMALLY 08. CHANGING IT TO
$20 WILL CAUSE T0, S0 TO LOAD INTO
$2000 INSTEAD OF $0800, AND THE BOOT
WILL CONTINUE THROUGH OUR ALTERED PAGE
8. NOTE THAT WE HAVE TO REMOVE THE
FIRST BREAK POINT AT 96F8 AND RESTORE
THE ORIGINAL JMP $0801:

           9658:20
           96F8:4C 01 08

NOW, WHEN WE TYPE '9600G', THE BOOT
CODE WILL LOAD T0, S0 INTO $2000-20FF,
WHERE IT WON'T BOTHER US AT ALL, THEN
JUMP TO 801 TO EXECUTE OUR CODE. AFTER
RWTS HAS BEEN LOADED IN, INSTEAD OF
JUMPING TO $B700 TO CONTINUE LOADING
DOS, THE PROGRAM HITS THE (SECOND)
BREAK POINT AT 84A AND HALTS.

     THE FINAL PHASE OF THIS PROCESS IS
TO LOCATE THE EXIT POINT FROM THIS AREA
OF CODE, INSERT ANOTHER BREAKPOINT, AND
EXAMINE ALL THE CODE LOADED IN BY STAGE
2. AGAIN, WE HAVE TO MAKE SURE THAT THE
BOOT PROCESS DOESN'T OVERWRITE THE
CHANGES, WHICH MEANS WE HAVE TO
UNDERSTAND HOW THE DESTINATION
ADDRESSES ARE SET UP IN STAGE 1. EVEN
IN NORMAL DOS IT'S NOT OBVIOUS, BUT
ENOUGH HEAD-SCRATCHING OR READING OF
BENEATH APPLE DOS WILL REVEAL THAT THE
BYTE IN LOCATION 8FE IS ONE HIGHER THAN
THE FIRST PAGE LOADED INTO, AND THE
BYTE AT 8FF IS ONE LESS THAN THE NUMBER
OF SECTORS TO BE LOADED. AS BEFORE, WE
REMOVE THE PREVIOUS BREAKPOINT, ALTER
THE DESTINATION OF THE REAL CODE LOADED
IN UNDER THIS STAGE, AND SET THE NEW
BREAKPOINT:

B700-   8E E9 B7    STX   $B7E9
B703-   8E F7 B7    STX   $B7F7
B706-   A9 01       LDA   #$01
B708-   8D F8 B7    STA   $B7F8
B70B-   8D EA B7    STA   $B7EA
B70E-   AD E0 B7    LDA   $B7E0
B711-   8D E1 B7    STA   $B7E1
B714-   A9 02       LDA   #$02
B716-   8D EC B7    STA   $B7EC
B719-   A9 04       LDA   #$04
B71B-   8D ED B7    STA   $B7ED
B71E-   AC E7 B7    LDY   $B7E7
           !
           !
B738-   20 93 B7    JSR   $B793
B73B-   A2 FF       LDX   #$FF
B73D-   9A          TXS
B73E-   8E EB B7    STX   $B7EB
B741-   4C C8 BF    JMP   $BFC8
B744-   20 89 FE    JSR   $FE89
B747-   4C 84 9D    JMP   $9D84

THE CHANGES ARE:


      84A:4C 00 B7
          (WE CAN'T USE THE INDIRECT
           JUMP IN THE ORIGINAL, SINCE
           WE HAVE REDIRECTED THE BOOT)

      8FE:20 09
          (PAGE 20 OR ANYPLACE ELSE
           WHERE 10 PAGES OF CODE WON'T
           HURT ANYTHING)

      B747:4C 59 FF
           (JMP 9D84 IS THE DOS COLD-
            START. THE JMP BFC8 IS A
            PATCH WHICH RETURNS WITH
            A JMP B744)

THE LAST FEW LINES OF CODE ARE NOW:

B741-   4C C8 BF    JMP $BFC8
B744-   20 89 FE    JSR $FE89
B747-   4C 59 FF    JMP $FF59
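     HERE IS ANOTHER ADDED EXAMPLE IN
PYTHON, NOT CODE FROM THE ORIGINAL TEXT
OR FROM APPLE DOS, WITH FUNCTION NAMES
OF MY OWN: A REPLAY OF THE BOOKKEEPING
STAGE 1 DOES ON 8FE AND 8FF, TAKEN FROM
THE $801 LISTING, SO THE EFFECT OF
'8FE:20 09' CAN BE CHECKED WITHOUT A
DRIVE. THE SECTOR READS ARE RECORDED
RATHER THAN PERFORMED, AND THE SKEW
TABLE IS THE ONE AT $84D.

```python
# Added example (Python), not code from the original text or from Apple DOS:
# a replay of the bookkeeping in the $0801 listing, so the effect of the
# '8FE:20 09' patch can be checked without a drive.  Only the arithmetic on
# $08FE, $08FF, $3D and $27 is modelled; each ROM sector read is recorded
# as (logical sector, physical sector, destination page) instead of performed.

BASE_PAGE = 0x08                                          # where T0,S0 and this loader live
SKEW = bytes.fromhex("000D0B09070503010E0C0A080604020F")  # logical->physical table at $084D


def run_stage1(fe, ff, fd=0x00, skew=SKEW):
    """fe, ff, fd are the bytes at $08FE, $08FF, $08FD when T0,S0 lands.
    Returns (reads, vector): the sector reads in order, and the address that
    JMP ($08FD) at $084A would take once the loop falls out."""
    fe = (fe + ff) & 0xFF             # $0815-$081C: CLC / LDA $8FE / ADC $8FF / STA $8FE
    reads = []
    while ff < 0x80:                  # $081F-$0822: LDX $8FF / BMI $0839 (done)
        if ff >= len(skew):
            raise ValueError("sector count runs off the end of the skew table")
        physical = skew[ff]           # $0824-$0827: LDA $084D,X / STA $3D
        logical = ff
        ff = (ff - 1) & 0xFF          # $0829: DEC $8FF
        page = fe                     # $082C-$082F: LDA $8FE / STA $27
        fe = (fe - 1) & 0xFF          # $0831: DEC $8FE
        if page == BASE_PAGE:
            # the read would wipe this loader, and the ROM then re-enters $0801
            # with $27 = 9, which re-runs the init: not a usable destination
            raise RuntimeError("stage 1 would overwrite its own page 8")
        reads.append((logical, physical, page))   # $0836 JMP ($3E): ROM reads $3D into $27
    # $0839-$083C: INC $8FE twice; $084A: JMP ($08FD) uses $08FE as the high byte
    vector = fd | ((fe + 2) & 0xFF) << 8
    return reads, vector


def load_map(fe, ff):
    """Condense a run into the numbers a tracer writes down before patching."""
    reads, vector = run_stage1(fe, ff)
    pages = [page for _, _, page in reads]
    return {"sectors": len(reads), "lowest_page": min(pages),
            "highest_page": max(pages), "exit_vector": vector}


if __name__ == "__main__":
    for label, fe, ff in (("standard 8FE:B6 09", 0xB6, 0x09),
                          ("patched  8FE:20 09", 0x20, 0x09)):
        reads, vector = run_stage1(fe, ff)
        print(label)
        for logical, physical, page in reads:
            print(f"  logical {logical:X} (physical {physical:X}) -> page ${page:02X}")
        print(f"  JMP ($08FD) would go to ${vector:04X}")
```

WITH THE STANDARD BYTES (B6 09) IT LOADS
LOGICAL SECTORS 9 DOWN TO 0 INTO PAGES
BF DOWN TO B6 AND LEAVES $B700 IN THE
VECTOR AT 8FD/8FE. WITH 20 09 THE SAME
TEN SECTORS GO TO PAGES 29 DOWN TO 20,
BUT THE VECTOR ENDS UP AS $2100, WHICH
IS WHY THE INDIRECT JUMP AT 84A HAD TO
BE REPLACED BY A DIRECT JMP B700.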

     NOW TYPE '9600G', AND LET'S RECAP
THE PROCESS THAT WILL OCCUR:

1. THE MODIFIED STAGE 0 CODE AT
9600-96FF WILL LOAD T0, S0 INTO PAGE 20
(SINCE WE DON'T WANT IT), THEN JUMP TO
THE START OF OUR MODIFIED PAGE 8 AT
801.

2. THE MODIFIED PAGE 8 WILL LOAD T0, S0
THROUGH T0, S9 INTO PAGES 20 TO 29,
THEN JUMP TO OUR MODIFIED CODE AT B700.

3. THE MODIFIED CODE AT B700 WILL LOAD
27 SECTORS OF DOS INTO PAGES 9A-B5,
THEN HALT WHEN IT HITS THE BREAKPOINT
AT B747.

     BEFORE THE NEXT EPISODE, TRY THIS
PROCESS ON A FEW DIFFERENT DISKS,
INCLUDING SOME PROTECTED ONES--
PRACTICE IS ESSENTIAL. IN THE SECOND
PART, WE'LL TAKE ON SSI'S RDF 1985
---------------*


