KRACKOWITZS CRACKING TIPS FROM THE ROM RAIDER DR. DIGITAL CALL HER MAJESTYS SECRET

---
Master Index Current Directory Index Go to SkepticTank Go to Human Rights activist Keith Henson Go to Scientology cult

Skeptic Tank!

*************************************** * KRACKOWITZ'S CRACKING TIPS * *************************************** FROM: THE ROM RAIDER DR. DIGITAL CALL HER MAJESTY'S SECRET SERVICE 3 0 3 - 7 5 1 - 2 0 6 3 ALONG WITH A NUMBER OF REQUESTS FOR MATERIAL USEFUL TO THOSE WHO ARE NOT YET IN THE RANKS OF PROFESSIONALS IN THIS FIELD, IT HAS BEEN POINTED OUT TO ME THAT I AM ALL TOO WILLING TO SUGGEST BURNING THIS PROM, INSTALLING THAT ROM, AND GENERALLY MAKING WHOLESALE HARDWARE CHANGES IN AN UNSUSPECTING APPLE, WITHOUT PROVIDING BACKGROUND INFORMATION FOR THE UP-AND-COMING KRACKISTS OF THE FUTURE. THIS SERIES, WHILE AIMED AT THE BEGINNING TO INTERMEDIATE KRACKIST, WILL STILL ASSUME A REASONABLE KNOWLEDGE OF ASSEMBLY LANGUAGE. IF YOU FIND THESE DISCUSSIONS ARE STILL TOO HEAVY INTO MACHINE CODE FOR YOU, THEN IT'S BEST TO BUY A BOOK LIKE ROGER WAGNER'S "ASSEMBLY LINES" OR EQUIVALENT, AND STUDY IT CAREFULLY (IF, ON THE OTHER HAND, YOU FIND THAT THIS IS ALL BENEATH YOU, JUST KEEP A KNOWING SMIRK ON YOUR LIPS AS YOU SKIP LIGHTLY OVER THESE EPISODES - THERE MIGHT BE SOMETHING YOU MISSED BECAUSE YOU HAD A BAD HANGOVER ONE DAY IN KRACKING 101). IN THIS AND FUTURE EPISODES IN THE 'BASICS OF KRACKING' SERIES, WE'LL DEAL WITH THE FUNDAMENTALS OF THE KRACKIST'S ART, STARTING WITH THE HOW (AND WHY) OF MAKING ALTERATIONS IN THE APPLE'S "PERMANENT" MEMORY. FIRST OF ALL, THE MOST IMPORTANT SINGLE TOOL AVAILABLE TO THE ASPIRING KRACKIST IS REPLACING THE AUTOSTART ROM ON THE MOTHER BOARD WITH AN "OLD MONITOR" ROM. WITH THIS ROM IN PLACE, YOU CAN HIT 'RESET' WHENEVER YOU WANT, AND ALWAYS BE RETURNED TO THE MONITOR FOR THE BEGINNING OF THE SNOOPING PROCESS. THIS CHANGE, INCIDENTALLY, WILL MAKE AVAILABLE TO YOU A REASONABLE SET OF "STEP AND TRACE" UTILITIES (SEE THE APPLE II REFERENCE MANUAL. PP 51-53). TO UNDERSTAND WHAT THE DIFFERENCES ARE BETWEEN THE TWO ROMS, LET'S TAKE A MINUTE TO EXAMINE WHAT PRESSING THE 'RESET' KEY DOES (OMIGOSH, MAUDE, THERE HE GOES AGAIN ON THAT DETAILED TECHNICAL CRAP!). INSTEAD OF GOING THROUGH THE KEYBOARD INPUT ROUTINE AT C000, THE RESET KEY IS CONNECTED DIRECTLY TO PIN 40 OF THE 6502 MICROPROCESSOR CHIP. WHEN THIS PIN IS CONNECTED TO GROUND (0 VOLTS), THE COMPUTER JUMPS UNCONDITIONALLY TO THE ADDRESS CONTAINED IN LOCATIONS FFFC AND FFFD. THIS IS NOT A TRUE INTERRUPT, SINCE THE APPLE FORGETS WHAT IT WAS DOING BEFORE THE LINE WAS "YANKED", BUT IT IS AN EXAMPLE OF 'VECTORING' OR SENDING THE COMPUTER TO A SPECIFIC PLACE BY SETTING AN ADDRESS INTO THE PROGRAM COUNTER. IN THE AUTOSTART ROM, THESE TWO LOCATIONS CONTAIN 62 FA, SO THE NEXT INSTRUCTION TO BE EXECUTED IS AT FA62. THIS SERIES OF ROUTINES (SEE P. 143 AND PP. 36-38 OF THE REFERENCE MANUAL) CHECKS TO SEE IF THE COMPUTER IS BEING POWERED UP FOR THE FIRST TIME (COLDSTART) OR RESET WITH THE POWER ON (WARMSTART). IF IT IS A WARMSTART, THE SYSTEM JUMPS TO THE INSTRUCTIONS AT LOCATIONS 3F2 AND 3F3, AND BEGINS RUNNING THE PROGRAM FOUND THERE (USUALLY BASIC AT E000). THE "OLD MONITOR" ROM, HOWEVER, HAS 59 FF STORED IN FFFC-D. THIS CAUSES AN APPLE II (OR A II+ WITH AN INTEGER CARD AND THE RED SWITCH "UP") TO GO TO ROUTINES WHICH SET UP THE KEYBOARD FOR INPUT, THE TV FOR OUTPUT, AND WIND UP IN THE MONITOR WITH THE '*' PROMPT DISPLAYED. IN CONTRAST TO THE AUTOSTART ROM, WHERE ANYONE CAN TELL THE RESET BUTTON WHERE TO GO, THERE IS NO WAY TO PREVENT A RESET FROM GOING TO FF59 AND WINDING UP IN THE MONITOR. THIS IS OBVIOUSLY ESSENTIAL IF YOU WANT TO BREAK INTO A GAME AND START EXAMINING THE CODE, BUT IT HAS ITS OWN SET OF PROBLEMS. IN THE PROCESS OF SETTING UP THE I/O DESCRIBED ABOVE, ESPECIALLY IN SETTING UP THE TEXT WINDOW ON THE SCREEN, A NUMBER OF LOCATIONS IN ZERO PAGE MUST BE CHANGED. THE FOLLOWING LOCATIONS WILL PROBABLY BE ALTERED (ALL HEX): 20,21,22,23,24,25,28,29,32,33,35, 36,37,38,39, AND 48. WORSE THAN THAT, THE ENTIRE SCREEN SCROLLS UP ONE LINE WHEN THE MONITOR PROMPT IS PRINTED, WHICH LOSES THE ENTIRE TOP ROW OF THE TEXT SCREEN (LOCATIONS 400-427), AND ALTERS THE CONTENTS OF ALL THE OTHER LOCATIONS FROM 400-7FF, WITH THE EXCEPTION OF THE "SCRATCHPAD" REGIONS AT 478-47F, 4F8-4FF, ETC. (THE COMPUTER WIMP AT YOUR SCHOOL SAYS THAT THE TOP LINE "FALLS INTO THE BIT BUCKET", BUT YOU KNOW HOW EVERYONE FEELS ABOUT HIM.) AS MOST SOFTWARE PROTECTORS KNOW, THIS WILL KEEP MOST OF THE AMATEURS OUT OF THE PROGRAM, AND YOU'LL SEE EVIDENCE OF THIS TECHNIQUE IN THE FORM OF A LOT OF "GARBAGE" ON THE TEXT SCREEN WHEN YOU RESET OUT OF A PROTECTED GAME. OUR JOB, THEN, IS TO KEEP THESE ZERO PAGE AND SCREEN MEMORY LOCATIONS FROM BEING LOST, SINCE MOST PROTECTION SCHEMES USE THESE AREAS IN SOME WAY OR OTHER (BR0DERBUND, FOR EXAMPLE, HAS RECENTLY BEEN STORING THE ADDRESS MARKER FOR THE DISK TRACK IN LOCATIONS 20, 21, AND 22). THE SAFE WAY TO PREVENT INFORMATION FROM BEING LOST FROM THESE "VOLATILE" LOCATIONS IS TO TRANSFER ALL OF THE CONTENTS TO A SAFE AREA -- LOCATIONS 2000 & UP (OR 4000 & UP) WHERE A HI-RES PICTURE NORMALLY RESIDES. IN FACT, IT WOULD BE BEST TO SAVE EVERYTHING FROM 0 TO 8FF, SINCE BOOTING A DISKETTE TO SAVE THE DATA ALSO DESTROYS LOCATIONS 800-8FF. (REMEMBER THE FIRST LAW OF DISK KRACKING - TRACK 0, SECTOR 0 ALWAYS STARTS WITH D5 AA 96 AND ALWAYS LOADS INTO 800-8FF). BECAUSE THIS IS THE BEGINNING CLASS, LET'S LOOK AT TWO EXAMPLES OF SHORT BINARY SUBROUTINES THAT WILL DO THE "SAVE" FOR US. BOTH START, AS WILL BE EXPLAINED LATER, AT LOCATION FECD IN THE F8 ROM. THE FIRST IS THE MOST STRAIGHTFORWARD AND EASIST TO FOLLOW: LDY #$00 ;CLEAR Y-REGISTER LDA $00,Y ;GET A BYTE FROM 0+Y STA $2000,Y ;STORE AT 2000+Y LDA $0100,Y ;THEN FROM 100+Y STA $2100,Y ;TO 2100+Y LDA $0200,Y ;AND SO ON UNTIL STA $2200,Y ;WE HAVE COVERED LDA $0300,Y ;ALL THE MEMORY STA $2300,Y ;'PAGES' FROM 0 TO 8 LDA $0400,Y ;AND STORED INTO STA $2400,Y ;PAGES 20 TO 28 LDA $0500,Y STA $2500,Y LDA $0600,Y LDA $2600,Y LDA $0700,Y STA $2700,Y LDA $0800,Y STA $2800,Y INY ;THEN ADD 1 TO Y-REG BNE $FED0 ;AND REPEAT IF < 256 JMP $FF59 ;WHEN WE'RE ALL DONE ;JUMP TO MONITOR START THIS 61-BYTE ROUTINE, IF IT COULD BE EXECUTED AUTOMATICALLY WHEN THE RESET KEY IS PRESSED, WOULD SAFELY STASH ALL OF THE CHANGEABLE MEMORY AND EXIT GRACEFULLY INTO THE MONITOR. A MORE COMPACT AND GENERAL, BUT LESS OBVIOUS ROUTINE IS SHOWN BELOW. IT IS INCLUDED BECAUSE IT IS TYPICAL OF THE "MEMORY MOVE PROGRAMS" THAT WE WILL EVENTUALLY HAVE TO WRITE IN KRACKING ALMOST ANY PROGRAM. LDY #$00 ;CLEAR Y-REGISTER LDA $00,Y ;XFER THE ZERO PAGE TO STA $2000,Y ;2000-20FF SO WE CAN USE INY ;THE ZERO PAGE MEMORY BNE $FED0 ;FOR THE OTHER MOVES LDA #$00 ;SET UP LOCNS 0 & 1 AS A STA $00 ;2-BYTE POINTER FOR THE STA $02 ;SOURCE ADDRESS, USE 2&3 LDA #$01 ;AS 2-BYTE POINTER FOR STA $01 ;THE DESTINATION ADDRESS LDA #$21 ;STARTING AT $2100 STA $03 LDA ($00)<- ;GET A BYTE FROM 100-UP STA ($02) ^ ;STORE AT 2100-UP INC $02 ^ ;INCREMENT LO-ORDER BYTE INC $00 ^ ;OF SOURCE & DESTINATION BNE ->->->^ ;(BACK TO LDA ($00) IF ^ ;LO-ORDER IS <256 INC $03 ^ ;IF LO-ORDER=0, INC THE INC $01 ^ ;HI BYTE OF EACH LDA $01 ^ ;CHECK TO SEE IF HI-BYTE CMP $#09 ^ ;IS 9 -WE'RE THRU AT 8FF BNE ->->->^ ;IF NOT, LOOP BACK TO ;THE LOAD/STORE UNTIL ;WE'RE ALL DONE JMP $FF59 ;EXIT THRU MONITOR UNLIKE THE FIRST ROUTINE, THIS ONE (AT 47 BYTES) USES RAM LOCATIONS 0 THROUGH 3, SO THE ZERO PAGE MUST BE TRANSFERRED BEFORE IT IS ALTERED BY USING THOSE ADDRESSES AS POINTERS. WHILE THE FIRST ROUTINE MUST GROW BY SIX BYTES FOR EACH ADDITIONAL PAGE TRANSFERRED, THE SECOND NEEDS ONLY TO HAVE THE "9" IN THE COMPARE STATEMENT CHANGED TO THE APPROPRIATE VALUE ONE HIGHER THAN THE LAST PAGE NUMBER BEING TRANSFERRED. TO RETURN TO THE BUSINESS OF ALTERING ROMS, IT IS EASY TO SEE THAT AN AUTOSTART ROM COULD BE MADE TO BEHAVE LIKE AN OLD ROM JUST BY CHANGING LOCATIONS FFFC-D TO 59 FF FROM 62 FA. (A NOTE TO THE FAINT-HEARTED--YOU CAN BUY AN OLD MONITOR F8 ROM FOR ABOUT $10 AND PLUG IT DIRECTLY INTO YOU APPLE'S F8 SOCKET, BUT YOU WON'T HAVE ALL THE BENEFITS WE'VE BEEN TALKING ABOUT). AS LONG AS WE'RE GOING TO THE EFFORT OF MAKING A CHANGE, THOUGH, WE MIGHT AS WELL ADD ONE OF THE ROUTINES ABOVE AND ALLOW THE NEW ROM TO SAVE THE VOLATILE MEMORY FOR US. TO DO THIS, WE'LL HAVE TO GIVE UP SOMETHING IN THE ROM, AND THE MOST EASILY SURRENDERED AREA FOR MOST OF US IS THE TAPE READ/SAVE ROUTINES AT $FECD. IF WE THEN CHANGED FFFC-D TO CD FE, THE MEMORY FROM 0 TO 8FF WOULD BE SAVED TO 2000-28FF EVERY TIME THE 'RESET' KEY WAS PRESSED. SINCE IT'S SOMETIMES INCONVENIENT TO HAVE THAT HAPPEN WHEN THE RESET KEY IS PRESSED, WE CAN REQUIRE THAT A SPECIFIC KEY BE ALSO PRESSED TO MAKE IT OCCUR. THESE FEW INSTRUCTIONS INSERTED BEFORE EITHER OF THE ROUTINES ABOVE WILL GIVE A "RESET AND SAVE" WHEN THE "-" KEY IS HELD DOWN (OR WAS THE LAST KEY PRESSED), WHILE GIVING A REGULAR "OLD RESET" THE REST OF THE TIME. LDA $C000 ;LOOK AT THE KEYBOARD ROL ;MASK OFF HIGH BIT CMP #$5A ;WAS IT "-"?($2D X 2=$5A) BNE ->->-> ;IF NOT, BRANCH TO THE ! ;LOCATION WITH THE ! ;"JUMP FF59" INSTRUCTION ! ;AT THE END OF THE SAVE ! ;SUBROUTINE. OK, OK - WE ALL AGREE THAT THESE WOULD BE NEAT THINGS TO HAVE IN THE F8 ROM, SO HOW DO WE GET IT THERE? FIRST, GET HOLD OF A PROMBURNER (PROMBLASTER, EPROM PROGRAMMER, ETC.) THAT WILL PROGRAM 2716 EPROMS. EACH ONE IS DIFFERENT, SO I WON'T TRY TO GIVE DETAILED INSTRUCTIONS ON THE ACTUAL PROGRAMMING. BUY OR BORROW A FRIEND'S OLD F8 ROM (OR GET THE BINARY FILE) THEN TYPE IN OR LOAD IN THE CHANGES YOU WANT TO MAKE AT FECD & UP AND AT FFFC-D, AND PROGRAM A 2716 EPROM WITH OUR MODIFIED VERSION OF APPLE'S F8 MONITOR ROM. ALL THAT REMAINS TO TAKE FULL ADVANTAGE OF THE NEW F8 ROM IS TO MAKE A SLIGHTLY MODIFIED SOCKET AND PLUG IT IN. BOTH THE 2716 AND THE ORIGINAL 9316 ROM USED BY APPLE ARE READ-ONLY-MEMORY DEVICES HOLDING 2K BY 8 BITS OF INFORMATION ("16K" ROMS), BUT THE PINOUT, OR ASSIGNMENT OF CHIP FUNCTIONS TO PIN NUMBERS IS SLIGHTLY DIFFERENT. TO USE THE 2716 IN A BOARD DESIGNED FOR A 9316, YOU NEED TO TIE PIN 21 TO 5 VOLTS (PIN 24) AND TIE PIN 18 TO GROUND (PIN 12). YOU COULD MODIFY THE PROM ITSELF, BUT YOU'RE LIABLE TO RUIN THE CHIP, AND IT CREATES A REAL MAGILLA IF YOU NEED TO REPROGRAM IT. (A ROM CARD, SUCH AS AN INTEGER CARD, CAN BE USED FOR 2716'S IF TWO JUMPERS ARE CONNECTED AT THE TOP OF THE CARD, AND ->ONLY<- 2716'S ARE USED IN ALL OF ITS SOCKETS AFTER THAT). GET A 24-PIN, PREFERABLY LOW-PROFILE IC SOCKET, AND ORIENT IT WITH THE PINS UP AND THE NOTCH INDICATING THE 'PIN ONE' END TO THE RIGHT. IT SHOULD LOOK LIKE: --------------------------------------- ! 13 14 15 16 17 18 19 20 21 22 23 24! ! ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ! ! ! ! ! ! / ! (NOTCH)->! ! \ ! ! ! . . . . . . . . . . . . ! !/ / / / / / / / / / / / ! !12 11 10 9 8 7 6 5 4 3 2 1 ! --------------------------------------- USING A LOW-WATTAGE SOLDERING IRON, SOLDER A SHORT PIECE OF 26-30 GAUGE WIRE BETWEEN PINS 21 AND 24, AND ANOTHER ONE BETWEEN PINS 12 AND 18. MAKE THE CONNECTION AS CLOSE TO THE SOCKET AS POSSIBLE, AND TRY TO AVOID GETTING ANY SOLDER ON THE ENDS OF PINS 12 AND 24. CUT OFF PINS 21 AND 18, AGAIN AS CLOSE AS POSSIBLE TO THE SOCKET. (PLUGGING ANOTHER SOCKET INTO THE ONE BEING MODIFIED WILL HELP TO PREVENT DISTORTION DURING THE SURGERY). THE SOCKET NOW LOOKS LIKE: --------------------------------------- ! 13 14 15 16 17 18 19 20 21 22 23 24! ! ./ ./ ./ ./ ./ / ./ ./ / ./ ./ ./ ! ! X X / ! ! / / / ! ! / /-------/ / ! /---------/ ! ! / \ ! / ! ! / . . . . . . . . . . . ! !/ / / / / / / / / / / / ! !12 11 10 9 8 7 6 5 4 3 2 1 ! --------------------------------------- X=NO PIN DOUBLE CHECK THE CONNECTIONS ON THE BOTTOM OF THE SOCKET, AND PLUG THE 2716 INTO THE SOCKET, BEING CAREFUL TO MATCH THE NOTCHED END OF THE CHIP TO THE SOCKET. MAKE SURE THAT THE POWER TO THE APPLE IS TURNED OFF, AND PLUG THE ASSEMBLY INTO THE F8 SOCKET ON THE MOTHER BOARD WITH THE NOTCH TOWARD THE FRONT (KEYBOARD) END OF THE APPLE. CROSS YOUR FINGERS AND TURN ON THE APPLE. IF THERE IS NO FAMILIAR "BEEP", OR IF THE TV SCREEN STAYS WHITE, OR IF THE SYSTEM DOESN'T RESPOND TO THE RESET KEY, TURN OFF THE POWER AND EXAMINE THE CHIP AND SOCKET CAREFULLY TO FIND THE ERROR. IF BLACK CLOUDS OF SMOKE ROLL OUT FROM THE APPLE, FORGET WHERE YOU READ THIS. ACTUALLY, THE MOST COMMON MISTAKE OF INSERTING THE CHIP BACKWARDS IS SELDOM HARMFUL TO IT, BUT DOES LOCK UP THE APPLE'S BUS. REMEMBER THAT BOTH THE 2716 AND THE 9316 THAT YOU REMOVED CAN BE DAMAGED BY STATIC ELECTRICITY, SO HANDLE WITH CARE AND DON'T SCUFF YOUR FEET ON THE CAT.

---

E-Mail Fredric L. Rice / The Skeptic Tank