***************************************
*     KRAKOWICZ'S KRACKING KORNER     *
*                                     *
*     THE BASICS OF KRACKING 109:     *
*                                     *
*    BOOT-TRACING PART 2- RDF 1985    *
*                                     *
***************************************

            Distributed by           
     The Safehouse - 612/724-7066

     THIS IS THE SECOND PART OF THE
BOOT-TRACING EPISODE--IT'S PROBABLY NOT
HAZARDOUS TO YOUR HEALTH TO READ THIS
BEFORE YOU LOOK AT PART 1 (BASICS 108),
BUT IT'LL MAKE MORE SENSE TO READ 108
FIRST IF YOU'RE NOT INTIMATELY FAMILIAR
WITH THE SUBJECT. THE THEORY (?) WAS
ALL IN THE FIRST PART; THIS IS JUST AN
EXAMPLE, WITH A LOT OF DISASSEMBLED
CODE, OF THE USE OF BOOT-TRACING TO
LOOK AT (BUT NOT REALLY TO KRACK) A
NOT-TOO-UNUSUAL DISK: RDF 1985 FROM
THOSE FUN-LOVING WAR GAME FREAKS AT
SSI. THIS LOADER/DOS APPEARS TO BE
THE SUCCESSOR TO RDOS 2.1, WHICH WAS
THE LATE UNLAMENTED OPERATING SYSTEM
THAT KEPT SO MANY DISKS FROM BEING
UNPROTECTED FOR SO LONG.

     APPROACHING THIS DISK AS WE WOULD
ANY OTHER, WE ENTER THE MONITOR AND SET
THE FIRST BREAKPOINT BY TYPING:

         9600<C600.C6FFM
         96F9:59 FF
         9600G

AFTER THE BEEP, AND C0E8 TO DESPIN THE
DISK, 801LLLL GETS US THE FOLLOWING:


0801-   A6 2B       LDX   $2B
0803-   8E 1F 02    STX   $021F
0806-   A9 02       LDA   #$02
0808-   8D 20 02    STA   $0220
080B-   18          CLC
080C-   08          PHP
080D-   BD 8C C0    LDA   $C08C,X
0810-   10 FB       BPL   $080D
0812-   49 D5       EOR   #$D5
0814-   D0 F7       BNE   $080D
0816-   BD 8C C0    LDA   $C08C,X
0819-   10 FB       BPL   $0816
081B-   C9 AA       CMP   #$AA
081D-   D0 F3       BNE   $0812
081F-   EA          NOP
0820-   BD 8C C0    LDA   $C08C,X
0823-   10 FB       BPL   $0820
0825-   C9 B5       CMP   #$B5
0827-   F0 09       BEQ   $0832
0829-   28          PLP
082A-   90 DF       BCC   $080B
082C-   49 AD       EOR   #$AD
082E-   F0 20       BEQ   $0850
0830-   D0 D9       BNE   $080B

0832-   A0 03       LDY   #$03
0834-   84 2A       STY   $2A
0836-   BD 8C C0    LDA   $C08C,X
0839-   10 FB       BPL   $0836
083B-   2A          ROL
083C-   85 3C       STA   $3C
083E-   BD 8C C0    LDA   $C08C,X
0841-   10 FB       BPL   $083E
0843-   25 3C       AND   $3C
0845-   88          DEY
0846-   D0 EE       BNE   $0836

0848-   28          PLP
0849-   CD 20 02    CMP   $0220
084C-   D0 BD       BNE   $080B
084E-   B0 BC       BCS   $080C
0850-   A0 00       LDY   #$00
0852-   A9 00       LDA   #$00
0854-   85 47       STA   $47
0856-   BD 8C C0    LDA   $C08C,X
0859-   10 FB       BPL   $0856
085B-   29 55       AND   #$55
085D-   0A          ASL
085E-   85 46       STA   $46
0860-   BD 8C C0    LDA   $C08C,X
0863-   10 FB       BPL   $0860
0865-   29 55       AND   #$55
0867-   05 46       ORA   $46
0869-   45 47       EOR   $47
086B-   85 47       STA   $47
086D-   99 00 10    STA   $1000,Y
0870-   C8          INY
0871-   D0 E3       BNE   $0856
0873-   BD 8C C0    LDA   $C08C,X
0876-   10 FB       BPL   $0873
0878-   29 55       AND   #$55
087A-   0A          ASL
087B-   85 46       STA   $46
087D-   BD 8C C0    LDA   $C08C,X
0880-   10 FB       BPL   $087D
0882-   29 55       AND   #$55
0884-   05 46       ORA   $46
0886-   45 47       EOR   $47
0888-   F0 02       BEQ   $088C
088A-   D0 A4       BNE   $0830
088C-   4C 00 10    JMP   $1000

     A FEW THINGS ARE WORTH POINTING
OUT BEFORE WE CONTINUE THE TRACE.
NOTICE THAT THE EARLY PART IS AN
ADAPTATION OF THE BOOT ROM CODE: IF THE
CARRY BIT IS CLEAR, IT'S LOOKING FOR D5
AA B5 TO READ IN THE ADDRESS FIELD
(SOME THINGS NEVER CHANGE); IF THE
CARRY IS SET, D5 AA AD IS BEING SOUGHT
FOR THE DATA FIELD PROLOG. AFTER
VERIFYING THE VOLUME, TRACK, AND SECTOR
(832-846), WE READ IN A SINGLE
"PSEUDO-SECTOR" IN 4+4 NIBBLIZING,
STORING IT AT $1000. IF THE CHECKSUM IS
RIGHT ($888), THEN WE JUMP TO 1000 TO
CONTINUE THE BOOT. IF YOU'VE BEEN
KEEPING UP, YOU KNOW THE NEXT SERIES OF
MONITOR INSTRUCTIONS TO SET BREAKPOINT
#2:

           96F9:01 08
           9659:20
           088C:4C 59 FF
           9600G
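     AS AN ADDED EXAMPLE (NOT CODE FROM
THE ORIGINAL ARTICLE), HERE IS A PYTHON
MODEL OF THE PSEUDO-SECTOR READ AT
0850-088A AND THE ADDRESS-FIELD 4+4 AT
083B-0843, WITH A CONSTRUCTED ENCODER SO
THE DECODER CAN BE RUN ON A MADE-UP
NIBBLE STREAM:

```python
# Added example, not code from the original article: a Python model of the
# RDF 1985 stage-0 sector reader disassembled above ($0832-$088A), plus an
# encoder (constructed here, not the disk's own writer) so the reader can be
# exercised on a nibble stream offline.  The ROL at $083B always shifts a 1 into
# bit 0: CMP #$B5 sets the carry on the way in, and bit 7 of each nibble after.

def decode_addr_pair(n1, n2):
    """Address-field 4+4 ($083B-$0843): ROL the first nibble, AND the second."""
    return ((n1 << 1) | 1) & n2 & 0xFF

def read_address_field(nibbles):
    """Three 4+4 pairs following D5 AA B5 ($0832-$0846). Only the last value
    is still in A for the CMP $0220 at $0849, so only the sector number is
    actually tested against the one the loader wants."""
    return tuple(decode_addr_pair(nibbles[i], nibbles[i + 1]) for i in (0, 2, 4))

def decode_data_pair(n1, n2):
    """Data-field 4+4 ($085B-$0867): odd bits of n1 shifted left, even bits of n2."""
    return ((n1 & 0x55) << 1) | (n2 & 0x55)

def encode_data_pair(byte):
    """Inverse of decode_data_pair; the unused bit positions are forced to 1
    so every nibble has bit 7 set like a real disk byte."""
    return ((byte >> 1) & 0x55) | 0xAA, (byte & 0x55) | 0xAA

def encode_sector(data):
    """Nibble stream for one 256-byte pseudo-sector: each on-disk value is the
    plaintext byte XOR the previous plaintext byte, then a checksum pair."""
    assert len(data) == 256
    nibbles, prev = [], 0
    for b in data:
        nibbles.extend(encode_data_pair(b ^ prev))  # undone by EOR $47 at $0869
        prev = b
    nibbles.extend(encode_data_pair(prev))          # $0888 needs this to XOR to 0
    return nibbles

def read_sector(nibbles):
    """Replay $0850-$088A. Returns (256 decoded bytes, checksum_ok); the loader
    only takes BEQ $088C -> JMP $1000 when checksum_ok is True."""
    buf = bytearray(256)
    chk = 0                                          # location $47
    for y in range(256):
        chk ^= decode_data_pair(nibbles[2 * y], nibbles[2 * y + 1])
        buf[y] = chk                                 # STA $1000,Y
    trailer = decode_data_pair(nibbles[512], nibbles[513])
    return bytes(buf), (trailer ^ chk) == 0

if __name__ == "__main__":
    stage1 = bytes(range(256))                       # constructed sample payload
    data, ok = read_sector(encode_sector(stage1))
    print(ok, data == stage1)                        # True True
```

A BIT THAT AND #$55 MASKS OUT NEVER
REACHES THE CHECKSUM, SO A FLIPPED EVEN
BIT IN A NIBBLE GOES UNDETECTED, WHILE A
FLIPPED ODD BIT FAILS THE CHECK AT 0888.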

THE CODE LOADED INTO PAGE $10 IS:


1000-   D8          CLD
1001-   D8          CLD
1002-   A9 00       LDA   #$00
1004-   8D F2 03    STA   $03F2
1007-   A9 E0       LDA   #$E0
1009-   8D F3 03    STA   $03F3
100C-   49 A5       EOR   #$A5
100E-   8D F4 03    STA   $03F4
1011-   A9 4C       LDA   #$4C
1013-   8D D0 03    STA   $03D0
1016-   A9 00       LDA   #$00
1018-   8D D1 03    STA   $03D1
101B-   A9 BD       LDA   #$BD
101D-   8D D2 03    STA   $03D2
1020-   AD 1F 02    LDA   $021F
1023-   8D D3 03    STA   $03D3
1026-   A9 01       LDA   #$01
1028-   8D D4 03    STA   $03D4
102B-   A9 03       LDA   #$03
102D-   8D 20 02    STA   $0220

1030-   A9 BD       LDA   #$BD
1032-   8D 99 10    STA   $1099

1035-   18          CLC
1036-   08          PHP
1037-   BD 8C C0    LDA   $C08C,X
103A-   10 FB       BPL   $1037
103C-   49 D5       EOR   #$D5
103E-   D0 F7       BNE   $1037
1040-   BD 8C C0    LDA   $C08C,X
1043-   10 FB       BPL   $1040
1045-   C9 AA       CMP   #$AA
1047-   D0 F3       BNE   $103C
1049-   EA          NOP
104A-   BD 8C C0    LDA   $C08C,X
104D-   10 FB       BPL   $104A
104F-   C9 B5       CMP   #$B5
1051-   F0 09       BEQ   $105C
1053-   28          PLP
1054-   90 DF       BCC   $1035
1056-   49 AD       EOR   #$AD
1058-   F0 20       BEQ   $107A
105A-   D0 D9       BNE   $1035
105C-   A0 03       LDY   #$03
105E-   84 2A       STY   $2A
1060-   BD 8C C0    LDA   $C08C,X
1063-   10 FB       BPL   $1060
1065-   2A          ROL
1066-   85 3C       STA   $3C
1068-   BD 8C C0    LDA   $C08C,X
106B-   10 FB       BPL   $1068
106D-   25 3C       AND   $3C
106F-   88          DEY
1070-   D0 EE       BNE   $1060
1072-   28          PLP
1073-   CD 20 02    CMP   $0220
1076-   D0 BD       BNE   $1035
1078-   B0 BC       BCS   $1036
107A-   A0 00       LDY   #$00
107C-   A9 00       LDA   #$00
107E-   85 47       STA   $47
1080-   BD 8C C0    LDA   $C08C,X
1083-   10 FB       BPL   $1080
1085-   29 55       AND   #$55
1087-   0A          ASL
1088-   85 46       STA   $46
108A-   BD 8C C0    LDA   $C08C,X
108D-   10 FB       BPL   $108A
108F-   29 55       AND   #$55
1091-   05 46       ORA   $46
1093-   45 47       EOR   $47
1095-   85 47       STA   $47

1097-   99 00 10    STA   $1000,Y

109A-   C8          INY
109B-   D0 E3       BNE   $1080
109D-   BD 8C C0    LDA   $C08C,X
10A0-   10 FB       BPL   $109D
10A2-   29 55       AND   #$55
10A4-   0A          ASL
10A5-   85 46       STA   $46
10A7-   BD 8C C0    LDA   $C08C,X
10AA-   10 FB       BPL   $10A7
10AC-   29 55       AND   #$55
10AE-   05 46       ORA   $46
10B0-   45 47       EOR   $47
10B2-   F0 02       BEQ   $10B6
10B4-   D0 A4       BNE   $105A
10B6-   EE 99 10    INC   $1099
10B9-   AD 99 10    LDA   $1099
10BC-   C9 C0       CMP   #$C0
10BE-   F0 06       BEQ   $10C6
10C0-   EE 20 02    INC   $0220
10C3-   4C 35 10    JMP   $1035
10C6-   A9 BA       LDA   #$BA
10C8-   85 00       STA   $00
10CA-   A9 BC       LDA   #$BC
10CC-   85 01       STA   $01
10CE-   A9 01       LDA   #$01
10D0-   85 03       STA   $03
10D2-   A9 00       LDA   #$00
10D4-   85 04       STA   $04
10D6-   A9 06       LDA   #$06
10D8-   85 05       STA   $05
10DA-   20 D0 03    JSR   $03D0
10DD-   A9 F0       LDA   #$F0
10DF-   85 36       STA   $36
10E1-   A9 FD       LDA   #$FD
10E3-   85 37       STA   $37
10E5-   4C 00 BA    JMP   $BA00

     THE EARLY PART FROM 1002-102D SETS
UP THE 3D0-3FF REGION AS VECTORS FOR
THE "DOS" CALLS TO BE MADE, THEN STORES
$BD IN $1099 FOR THE PAGE NUMBER TO
BEGIN LOADING IN THE NEXT PORTION OF
THE BOOT. AFTER THAT, THE CODE FROM
80C-847 IS MIRRORED TO LOAD IN THE NEXT
STAGE. THE THREE LINES AT 10B6-10BF
INDICATE THAT THE LOAD CONTINUES UNTIL
PAGES BD, BE, AND BF HAVE BEEN LOADED,
THEN QUITS AT PAGE $C0. YOU WOULD
NORMALLY EXPECT TO FIND A "JMP BD00" AS
THE EXIT POINT FROM THIS STAGE OF THE
BOOT; INSTEAD THERE IS A "JMP BA00" AT
10E5. THE REASON IS THAT LINES 10C6-
10DA CALL THE NEWLY-LOADED LOADER
ROUTINE AT BD00 THROUGH THE VECTOR AT
3D0. BY LOOKING AT THE SETUP FOR THAT
LOAD, WE CAN LEARN A LITTLE ABOUT THE
LOADER. THE IMPORTANT PARTS OF ANY
LOADER ROUTINE ARE THE DESTINATION
PAGE, THE LENGTH OF THE LOAD, AND THE
TRACK AND SECTOR TO BEGIN LOADING FROM.
IN THIS CASE, THE FIRST AND LAST
DESTINATION PAGE ARE LOADED INTO
LOCATIONS 0 AND 1, AND THE TRACK AND
SECTOR IN 4 AND 5. AFTER THAT, A CALL
TO THE 3D0 VECTOR JUMPS MERRILY UP TO
BD00, WHICH IS THE "RWTS" ROUTINE FOR
THIS PROGRAM.

     WE CAN VIEW ALL OF THAT BY SETTING
THE NEXT BREAKPOINT AT 10E5 AND
REBOOTING FOR WHAT IS HOPEFULLY THE
LAST TIME:

           086F:20
           088C:4C 00 10
           10E5:4C 59 FF
           9600G

SINCE THE EXIT POINT SAID JUMP BA00,
LET'S LOOK AT THAT CODE:


BA00-   D8          CLD
BA01-   4C 00 BC    JMP   $BC00
BA04-   A5 8D       LDA   $8D
BA06-   9E          ???

THE REST OF THE PAGE IS OF NO INTEREST,
SO LET'S FOLLOW THE JUMP TO BC00:


BC00-   AD 00 08    LDA   $0800
BC03-   C9 EA       CMP   #$EA
BC05-   D0 0D       BNE   $BC14
BC07-   A2 05       LDX   #$05
BC09-   BD BE BC    LDA   $BCBE,X
BC0C-   95 00       STA   $00,X
BC0E-   CA          DEX
BC0F-   10 F8       BPL   $BC09
BC11-   20 D0 03    JSR   $03D0
BC14-   AD D7 BC    LDA   $BCD7
BC17-   D0 48       BNE   $BC61
BC19-   AD 81 C0    LDA   $C081
BC1C-   A9 00       LDA   #$00
BC1E-   8D F2 03    STA   $03F2
BC21-   A9 BC       LDA   #$BC
BC23-   8D F3 03    STA   $03F3
BC26-   A9 19       LDA   #$19
BC28-   8D F4 03    STA   $03F4
BC2B-   A9 00       LDA   #$00
BC2D-   8D 11 03    STA   $0311
BC30-   A9 00       LDA   #$00
BC32-   8D 13 03    STA   $0313
BC35-   A2 05       LDX   #$05
BC37-   BD AC BC    LDA   $BCAC,X
BC3A-   95 00       STA   $00,X
BC3C-   CA          DEX
BC3D-   10 F8       BPL   $BC37
BC3F-   20 D0 03    JSR   $03D0
BC42-   A9 00       LDA   #$00
BC44-   8D 12 03    STA   $0312
BC47-   20 00 A8    JSR   $A800
BC4A-   EE D7 BC    INC   $BCD7
BC4D-   AD 12 03    LDA   $0312
BC50-   C9 02       CMP   #$02
BC52-   F0 70       BEQ   $BCC4
BC54-   A2 05       LDX   #$05
BC56-   BD B2 BC    LDA   $BCB2,X
BC59-   95 00       STA   $00,X
BC5B-   CA          DEX
BC5C-   10 F8       BPL   $BC56
BC5E-   20 D0 03    JSR   $03D0
BC61-   AD 12 03    LDA   $0312
BC64-   D0 5E       BNE   $BCC4
BC66-   A9 25       LDA   #$25
BC68-   85 03       STA   $03
BC6A-   A9 00       LDA   #$00
BC6C-   8D 10 03    STA   $0310
BC6F-   2C 10 C0    BIT   $C010
BC72-   A2 06       LDX   #$06
BC74-   A9 80       LDA   #$80
BC76-   95 F6       STA   $F6,X
BC78-   CA          DEX
BC79-   10 FB       BPL   $BC76
BC7B-   AD 50 C0    LDA   $C050
BC7E-   AD 54 C0    LDA   $C054
BC81-   AD 57 C0    LDA   $C057
BC84-   AD 09 03    LDA   $0309
BC87-   F0 06       BEQ   $BC8F
BC89-   AD 52 C0    LDA   $C052
BC8C-   4C 92 BC    JMP   $BC92
BC8F-   AD 53 C0    LDA   $C053
BC92-   A9 00       LDA   #$00
BC94-   8D 14 03    STA   $0314
BC97-   8D 07 03    STA   $0307
BC9A-   20 00 65    JSR   $6500
BC9D-   AD 11 03    LDA   $0311
BCA0-   D0 8E       BNE   $BC30
BCA2-   AD 12 03    LDA   $0312
BCA5-   C9 01       CMP   #$01
BCA7-   F0 1B       BEQ   $BCC4
BCA9-   4C 00 E0    JMP   $E000

BCAC-   A8          TAY
BCAD-   BB          ???
BCAE-   00          BRK
BCAF-   01 01       ORA   ($01,X)
BCB1-   00          BRK

BCB2-   A8          TAY
BCB3-   BB          ???
BCB4-   00          BRK
BCB5-   01 13       ORA   ($13,X)
BCB7-   00          BRK

BCB8-   A8          TAY
BCB9-   BB          ???
BCBA-   00          BRK
BCBB-   01 15       ORA   ($15,X)
BCBD-   00          BRK

BCBE-   08          PHP
BCBF-   14          ???
BCC0-   00          BRK
BCC1-   01 03       ORA   ($03,X)
BCC3-   00          BRK

BCC4-   A2 05       LDX   #$05
BCC6-   BD B8 BC    LDA   $BCB8,X
BCC9-   95 00       STA   $00,X
BCCB-   CA          DEX
BCCC-   10 F8       BPL   $BCC6
BCCE-   20 D0 03    JSR   $03D0

LOCATIONS 0-5, THEN CALL THE LOADER
ROUTINE, AND PAGES 8-14 ARE LOADED FROM
TRACK 3, SECTOR 0. AT BC1C-BC2B, WE SET
THE RESET VECTOR TO RETURN TO BC00 (AND
RESTART THE GAME) WHENEVER RESET IS
PRESSED (THE REFERENCE MANUAL TELLS YOU
HOW ON P. 37; IT'S P. 
ER ELSE IT IS GOING TO DO. ALSO,
NOTICE THAT THE CODE AT BC54 AND AT THE
ALTERNATIVE DESTINATION OF BCC4 BOTH
LOAD OVER PAGES A8-BB. IF NECESSARY,
WE COULD CONTINUE WITH THIS PROCESS,
PUTTING A BREAKPOINT AFTER EACH LOAD,
UNTIL WE HAVE EXAMINED, SAVED, OR
ALTERED EVERY ACCESSIBLE PART OF THE
PROGRAM.

     SO MUCH FOR THE "EASY" PART--NOW
THE HARD WORK BEGINS. WE HAVE LEARNED
ABOUT ALL WE NEED TO KNOW ABOUT THE
LOADER, BUT NOW WE HAVE TO FIND A WAY
TO PUT ALL OF THIS INTO A FORMAT WHICH
USES STANDARD DOS 3.3 FILES (UNLIKELY,
UNLESS WE CAN USE DOS ON THE LANGUAGE
CARD, CONSIDERING THAT ALL OF THESE
FILES LOAD RIGHT OVER THE MIDDLE OF
DOS), OR CONVERT THE 4+4 NIBBLIZED
SECTORS INTO STANDARD DOS 3.3 SECTORS
(ALSO NOT TOO EASY, CONSIDERING THAT WE
ONLY HAVE 3 PAGES FOR THE "DOS").

     IN CONCLUSION, YOU SHOULD BE AWARE
THAT THE TECHNIQUES DESCRIBED HERE WORK
EQUALLY WELL ON AN APPLE IIE (I HELD
OUT FOR ALMOST 8 MONTHS, BUT NOW I CAN
CONTEND THAT ALL THE TYPOS IN THIS
EPISODE ARE THE RESULT OF HAVING FUNNY
KEYS LIKE "][" ON AN APPLE KEYBOARD
AFTER 5+ YEARS OF TYPING ON GOOD OLD
APPLE II S/N 3603). STAY TUNED FOR AN
EXAMPLE WHICH IS A LITTLE MORE
COMPLICATED THAN THIS ONE, AND REQUIRES
CHANGES IN THE BOOT-TRACE TECHNIQUE.
ALSO IN THE WINGS IS (WHAT ELSE)
HARDWARE MODIFICATIONS TO THE IIE (NO
MOTHER BOARD SURGERY, I PROMISE) TO
ALLOW KRAKROMS, HARD RESETS, AND
KREATIVE KRACKING USE OF THE 64K
80-COLUMN BOARD.
----------------*