***************************************
* *
* KRAKOWICZ'S KRACKING KORNER *
* *
* THE BASICS OF KRACKING I: *
* ROMS AND PROMS AND F8'S *
* *
***************************************
Along with a number of requests for material useful to those who are
not yet in the ranks of professionals in this field, it has been pointed
out to me that I am all too willing to suggest burning this PROM,
installing that ROM, and generally making wholesale hardware changes in
an unsuspecting Apple, without providing background information for the
up-and-coming krackists of the future.
This series, while aimed at the beginning to intermediate krackist,
will still assume a reasonable knowledge of assembly language. If you
find these discussions are still too heavy into machine code for you,
then it's best to buy a book like Roger Wagner's "Assembly Lines" or
equivalent, and study it carefully (if, on the other hand, you find that
this is all beneath you, just keep a knowing smirk on your lips as you
skip lightly over these episodes - there might be something you missed
because you had a bad hangover one day in Kracking 101).
In this and future episodes in the 'basics of kracking' series, we'll
deal with the fundamentals of the krackist's art, starting with the how
(and why) of making alterations in the Apple's "permanent" memory. First
of all, the most important single tool available to the aspiring
krackist is replacing the autostart ROM on the mother board with an "old
monitor" ROM. With this ROM in place, you can hit 'reset' whenever you
want, and always be returned to the monitor for the beginning of the
snooping process. This change, incidentally, will make available to you
a reasonable set of "step and trace" utilities (see the Apple II
reference manual. pp 51-53).
To understand what the differences are between the two ROMs, let's
take a minute to examine what pressing the 'reset' key does (omigosh,
Maude, there he goes again on that detailed technical crap!). Instead of
going through the keyboard input routine at C000, the reset key is
connected directly to pin 40 of the 6502 microprocessor chip. When this
pin is connected to ground (0 volts), the computer jumps unconditionally
to the address contained in locations fffc and fffd. This is not a true
interrupt, since the Apple forgets what it was doing before the line was
"yanked", but it is an example of 'vectoring' or sending the computer to
a specific place by setting an address into the program counter. In the
autostart ROM, these two locations contain 62 FA, so the next
instruction to be executed is at FA62. This series of routines (see p.
143 and pp. 36-38 of the reference manual) checks to see if the computer
is being powered up for the first time (coldstart) or reset with the
power on (warmstart). If it is a warmstart, the system jumps to the
instructions at locations 3F2 and 3F3, and begins running the program
found there (usually basic at E000).
The "old monitor" ROM, however, has 59 FF stored in FFFC-D. This
causes an Apple II (or a II+ with an integer card and the red switch
"up") to go to routines which set up the keyboard for input, the TV for
output, and wind up in the monitor with the '*' prompt displayed. In
contrast to the autostart ROM, where anyone can tell the reset button
where to go, there is no way to prevent a reset from going to FF59 and
winding up in the monitor. This is obviously essential if you want to
break into a game and start examining the code, but it has its own set
of problems.
In the process of setting up the I/O described above, especially in
setting up the text window on the screen, a number of locations in zero
page must be changed. The following locations will probably be altered
(all hex): 20,21,22,23,24,25,28,29,32,33,35, 36,37,38,39, and 48. Worse
than that, the entire screen scrolls up one line when the monitor prompt
is printed, which loses the entire top row of the text screen (locations
400-427), and alters the contents of all the other locations from
400-7FF, with the exception of the "scratchpad" regions at 478-47F,
4F8-4FF, etc. (the computer wimp at your school says that the top line
"falls into the bit bucket", but you know how everyone feels about
him.)
As most software protectors know, this will keep most of the amateurs
out of the program, and you'll see evidence of this technique in the
form of a lot of "garbage" on the text screen when you reset out of a
protected game. Our job, then, is to keep these zero page and screen
memory locations from being lost, since most protection schemes use
these areas in some way or other (Broderbund, for example, has recently
been storing the address marker for the disk track in locations 20, 21,
and 22).
The safe way to prevent information from being lost from these
"volatile" locations is to transfer all of the contents to a safe area
-- locations 2000 & up (or 4000 & up) where a hi-res picture normally
resides. In fact, it would be best to save everything from 0 to 8FF,
since booting a diskette to save the data also destroys locations
800-8FF. (remember the first law of disk kracking - track 0, sector 0
always starts with D5 AA 96 and always loads into 800-8FF). Because this
is the beginning class, let's look at two examples of short binary
subroutines that will do the "save" for us. Both start, as will be
explained later, at location fecd in the F8 ROM. The first is the most
straightforward and easist to follow:
ldy #$00 ;clear y-register
lda $00,y ;get a byte from 0+y
sta $2000,y ;store at 2000+y
lda $0100,y ;then from 100+y
sta $2100,y ;to 2100+y
lda $0200,y ;and so on until
sta $2200,y ;we have covered
lda $0300,y ;all the memory
sta $2300,y ;'pages' from 0 to 8
lda $0400,y ;and stored into
sta $2400,y ;pages 20 to 28
lda $0500,y
sta $2500,y
lda $0600,y
lda $2600,y
lda $0700,y
sta $2700,y
lda $0800,y
sta $2800,y
iny ;then add 1 to y-reg
bne $fed0 ;and repeat if < 256
jmp $ff59 ;when we're all done
;jump to monitor start
This 61-byte routine, if it could be executed automatically when the
reset key is pressed, would safely stash all of the changeable memory
and exit gracefully into the monitor.
A more compact and general, but less obvious routine is shown below.
It is included because it is typical of the "memory move programs" that
we will eventually have to write in kracking almost any program.
ldy #$00 ;clear y-register
lda $00,y ;xfer the zero page to
sta $2000,y ;2000-20ff so we can use
iny ;the zero page memory
bne $fed0 ;for the other moves
lda #$00 ;set up locns 0 & 1 as a
sta $00 ;2-byte pointer for the
sta $02 ;source address, use 2&3
lda #$01 ;as 2-byte pointer for
sta $01 ;the destination address
lda #$21 ;starting at $2100
sta $03
lda ($00)<- ;get a byte from 100-up
sta ($02) ^ ;store at 2100-up
inc $02 ^ ;increment lo-order byte
inc $00 ^ ;of source & destination
bne ->->->^ ;(back to lda ($00) if
^ ;lo-order is <256
inc $03 ^ ;if lo-order=0, inc the
inc $01 ^ ;hi byte of each
lda $01 ^ ;check to see if hi-byte
cmp $#09 ^ ;is 9 -we're thru at 8ff
bne ->->->^ ;if not, loop back to
;the load/store until
;we're all done
jmp $ff59 ;exit thru monitor
Unlike the first routine, this one (at 47 bytes) uses ram locations 0
through 3, so the zero page must be transferred before it is altered by
using those addresses as pointers. While the first routine must grow by
six bytes for each additional page transferred, the second needs only to
have the "9" in the compare statement changed to the appropriate value
one higher than the last page number being transferred.
To return to the business of altering roms, it is easy to see that an
autostart ROM could be made to behave like an old ROM just by changing
locations FFFC-D to 59 FF from 62 FA. (a note to the faint-hearted--you
can buy an old monitor F8 ROM for about $10 and plug it directly into
you Apple's F8 socket, but you won't have all the benefits we've been
talking about). As long as we're going to the effort of making a change,
though, we might as well add one of the routines above and allow the new
ROM to save the volatile memory for us. To do this, we'll have to give
up something in the ROM, and the most easily surrendered area for most
of us is the tape read/save routines at $FECD. If we then changed FFFC-D
to CD FE, the memory from 0 to 8FF would be saved to 2000-28FF every
time the 'reset' key was pressed. Since it's sometimes inconvenient to
have that happen when the reset key is pressed, we can require that a
specific key be also pressed to make it occur. These few instructions
inserted before either of the routines above will give a "reset and
save" when the "-" key is held down (or was the last key pressed), while
giving a regular "old reset" the rest of the time.
lda $c000 ;look at the keyboard
rol ;mask off high bit
cmp #$5a ;was it "-"?($2d x 2=$5a)
bne ->->-> ;if not, branch to the
! ;location with the
! ;"jump ff59" instruction
! ;at the end of the save
! ;subroutine.
Ok, ok - we all agree that these would be neat things to have in the
F8 ROM, so how do we get it there? first, get hold of a promburner
(promblaster, eprom programmer, etc.) that will program 2716 eproms.
Each one is different, so I won't try to give detailed instructions on
the actual programming. Buy or borrow a friend's old F8 ROM (or get the
binary file) then type in or load in the changes you want to make at
FECD & up and at FFFC-D, and program a 2716 eprom with our modified
version of Apple's F8 monitor ROM.
All that remains to take full advantage of the new F8 ROM is to make a
slightly modified socket and plug it in. Both the 2716 and the original
9316 ROM used by Apple are read-only-memory devices holding 2K by 8 bits
of information ("16K" roms), but the pinout, or assignment of chip
functions to pin numbers is slightly different. To use the 2716 in a
board designed for a 9316, you need to tie pin 21 to 5 volts (pin 24)
and tie pin 18 to ground (pin 12). You could modify the PROM itself, but
you're liable to ruin the chip, and it creates a real magilla if you
need to reprogram it. (a ROM card, such as an integer card, can be used
for 2716's if two jumpers are connected at the top of the card, and
->only<- 2716's are used in all of its sockets after that).
Get a 24-pin, preferably low-profile ic socket, and orient it with the
pins up and the notch indicating the 'pin one' end to the right. It
should look like:
---------------------------------------
! 13 14 15 16 17 18 19 20 21 22 23 24!
! ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ ./ !
! !
! !
! /
! (notch)->!
! \
! !
! . . . . . . . . . . . . !
!/ / / / / / / / / / / / !
!12 11 10 9 8 7 6 5 4 3 2 1 !
---------------------------------------
Using a low-wattage soldering iron, solder a short piece of 26-30
gauge wire between pins 21 and 24, and another one between pins 12 and
18. Make the connection as close to the socket as possible, and try to
avoid getting any solder on the ends of pins 12 and 24. Cut off pins 21
and 18, again as close as possible to the socket. (plugging another
socket into the one being modified will help to prevent distortion
during the surgery). The socket now looks like:
---------------------------------------
! 13 14 15 16 17 18 19 20 21 22 23 24!
! ./ ./ ./ ./ ./ / ./ ./ / ./ ./ ./ !
! X X / !
! / / / !
! / /-------/ /
! /---------/ !
! / \
! / !
! / . . . . . . . . . . . !
!/ / / / / / / / / / / / !
!12 11 10 9 8 7 6 5 4 3 2 1 !
---------------------------------------
X=no pin
Double check the connections on the bottom of the socket, and plug the
2716 into the socket, being careful to match the notched end of the chip
to the socket. Make sure that the power to the Apple is turned off, and
plug the assembly into the F8 socket on the mother board with the notch
toward the front (keyboard) end of the Apple. Cross your fingers and
turn on the Apple. If there is no familiar "beep", or if the TV screen
stays white, or if the system doesn't respond to the reset key, turn off
the power and examine the chip and socket carefully to find the error.
If black clouds of smoke roll out from the Apple, forget where you read
this. Actually, the most common mistake of inserting the chip backwards
is seldom harmful to it, but does lock up the Apple's bus. Remember that
both the 2716 and the 9316 that you removed can be damaged by static
electricity, so handle with care and don't scuff your feet on the
cat.
Next time - now what do I do with it?
This file was brought to you by Christer Ericson. (christer@cs.umu.se)