Phrack #1 file 3

                  ==Phrack Inc.==
        Volume One, Issue One, Phile 3 of 8

////////////////////////////////////////////////////////////////
/                                                              /
/                    Boot Tracing Made Easy                    /
/                          Written by                          /
/                       ________________                       /
/                       \Cheap/ \Shades/                       /
/                        \___/   \____/                        /
/                          2600 CLUB!                          /
/                                                              /
////////////////////////////////////////////////////////////////
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\                                     \
\           Be sure to call           \
\                                     \
\  Kleptic Palice......(314)527-5551  \
\    5 Meg BBS/AE/CF                  \
\  Metal Shop..........(314)432-0756  \
\    Elite BBS  (Home of 2600 CLUB!   \
\                and Phrack Inc. )    \
\                                     \
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

About 3 or four years ago, a real good friend of mine was teaching a ML Programming course for the Apple 2 series. I, being a good friend and quite bored, asked him about cracking Apple games. He told me that he had spent the last summer cracking programs. He showed me a method that he came up with entirely on his own, boot tracing. Little did he know that this was already quite popular but he developed his own method for doing it which from reading other files about it, is the simplest I've ever seen. (To give you an idea, I had SN0GGLE (I've never played the game but a friend had it on disk.) completely loaded into memory ready to be dumped in about 12 minutes.) Ok, first of all, ALL programs can be boot traced. The only thing is that some may not be easily converted into files. The only programs that you should try if you aren't real good at ML, are ones that load completely into memory. Also to do this you will need a cassette recorder. (don't worry the program we will save won't take too long to save, and if all goes well it will only be saved loaded once.) I hate learning the theory behind anything so I'm not gonna give any theory behind this. If you want the theory, read some other phile that does this the hard way.

First make sure your cassette recoder works by BLOADing some program and typing:

CALL -151
AA60.AA73

You'll see something that looks like this:

AA60-30 02 xx xx xx xx xx xx
AA68-xx xx xx xx xx xx xx xx
AA70-xx xx 00 08

or whatever...The 30 02 is the length ($0230 bytes). The 00 08 is the starting address ($0800). Oh well, now you need to try and save the program. Type:

800.A2FW   (A2F=$800+$230-1)
1000<800.A2FM
800:00 N 801<800.A2FM
800.A2FR
1000<800.A2FV

Once you are sure that the cassette works, (by the way do be stupid and try that on a //c!) we can get to the good stuff... First move the ROM boot-up code into RAM...(all steps will be from the monitor * prompt.)

8600
(Now load in step 1 of the boot.)
8600G
C0E8  (turn the drive off)

(Now you have successfully loaded in track 0 sector 0) Now since we won't want
to overwrite what we've loaded in this time, Type:
8500<800.8FFM
86F9:01 85
8501L

Lets see what you've gotten...
First see if they move this part into the keyboard buffer. (A lot of programs
do this and the boot trace files that I've read don't even deal with this.)
LDX 00
LDA 800,X
STA 200,X
INX
BNE $803
JMP $211  (or any $2xx)

(sometimes done with Y's instead of X's.)
Then the next part will scramble what's in $08xx. but we don't have to worry
about that. Anyways find that JMP $2xx and change it to 4C xx 85 leaving the
xx the same. Usually this will be the next address but just to be safe...
Ok, now scan the code for any other JMP's if you find one that's direct
(indirect ones have the address in parenthesis) change it to 4C 5C FF, but
write down the location that it used to jump to first so you know where to
look.  It'll probably be 301 or B700. If it's the B700, you got lucky.  If it's
the 301 then you've got some more work ahead. If it was an indirect JMP, most
likely it was JMP ($003E). No if you change that to 4C 5C FF then check 3E
from monitor you'll find that 3E is 00 and 3F is 3E...Monitor uses that
place in zero page for its current memory location. So what you need to do is
8400:A5 3F 00 20 DA FD A5 3E 20 DA FD 4C 5C FF

then change that indirect jump to
85xx:4C 00 84

(by the way if the indirect jump is anything other than 3E then most likely
you can can just look at it from monitor if not write a little routine like
the one above to print out the address hidden. (Oh, check the location after
the next run. For now change it to 4C 5C FF.))
Anyways this little game will probably go on no longer than 2 or 3 loads, each
time just move the newly loaded part to another part of memory and change the
jump to jump to monitor (4C 5C FF) and the jump from the part before it to
go to the moved code.
When you find the part that JMP's up to a high area of memory (usually $B700)
you're almost done. The exit routine of the will most likely be the start of
the program.  Once you intercept it there, all you have to do now is save it to
cassette and re-load DOS.  The starting address for saving should be the
address that the B700 routine exits through. If this is higher than $6000 then
start saving at $2000 to get the Hi-Res pictures. Using WXYZ as your starting
address type:
WXYZ.9CFFW   (This will have the main program.)
800.WXYZW    (Save this are in case there is something needed down here we
              don't have to start over from scratch.)

Ok now reboot:
C600G   (with a DOS disk in the drive!)
CALL -151
WXYZ.9CFFR
Bsave PROGRAM,A$WXYZ,L$(Whatever 9CFF-WXYZ+1 is)

If the it gives you an error the file is too big. A quick DOS patch to fix
that is:
A964:FF

and try again.
Now that the program is saved, try and run it. (It's a good idea to take the
disk out of the drive, there's no telling what the program might try and do
if it sees that DOS is loaded in.)
WXYZG

(If it works, just to make sure that it's a good crack, power down the system
and try and BRUN it after a cold boot.)
If your saved the pictures with the program, most likely, it won't run. You
need to add a JMP at 1FFD to JMP to the main program. Then re-BSAVE it with a
starting address of A$1FFD, and add 3 to the length.  If the program tries to
go to the drive while its running, I'd suggest giving up unless you really
understand non-DOS disk usage. (but if you did you probably wouldn't be
reading this.)  If you get a break at an address less than $2000 then you need
to load in the second program that you saved to cassette. Put a jump in at
$800 to the main program and save the whole damn thing. If it still don't work
you're gonna need to really get fancy.
Now that you've got the thing running, it's time to figure out what is used and
what is just wasted memory. This is where I really can't help you but just
make sure that you keep a working copy and before every test power down the
machine to clear anything that might be remaining.


Have phun and good luck.....

                      ________________
                      \Cheap/ \Shades/
                       \___/   \____/
                         2600 CLUB!

Be sure and get a copy of PHRACK INC., available on finer BBS/AE's everywhere.