Boot Tracing

				=Phrack Inc.=
		     Volume One, Issue One, Phile #3 of 8

/									     /
/			    Boot Tracing Made Easy			     /
/				  Written by				     /
/			       ________________ 			     /
/			       \Cheap/ \Shades/ 			     /
/				\___/	\____/				     /
/				  2600 CLUB!				     /
/									     /
\				      \
\	    Be sure to call	      \
\				      \
\  Kleptic Palice......(314)527-5551  \
\    5 Meg BBS/AE/CF		      \
\  Metal Shop..........(314)432-0756  \
\    Elite BBS	(Home of 2600 CLUB!   \
\		 and Phrack Inc. )    \
\				      \

  About three or four years ago, a real good friend of mine was teaching a ML
Programming course for the Apple 2 series.  I, being a good friend and quite
bored, asked him about cracking Apple games.  He told me that he had spent the
last summer cracking programs.  He showed me a method that he came up with
entirely on his own, boot tracing.  Little did he know that this was already
quite popular, but he developed his own method for doing it which, from reading
other files about it, is the simplest I've ever seen.  (To give you an idea, I
had SN0GGLE (I've never played the game but a friend had it on disk) completely
loaded into memory ready to be dumped in about 12 minutes.)  Ok, first of all,
ALL programs can be boot traced.  The only thing is that some may not be easily
converted into files.  The only programs that you should try if you aren't really
good at ML are ones that load completely into memory.  Also, to do this you will
need a cassette recorder.  (Don't worry, the program we will save won't take too
long to save, and if all goes well it will only be saved and loaded once.)  I hate
learning the theory behind anything so I'm not gonna give any theory behind
this.  If you want the theory, read some other phile that does this the hard

  First make sure your cassette recorder works by BLOADing some program and

CALL -151
You'll see something that looks like this:
AA60-30 02 xx xx xx xx xx xx
AA68-xx xx xx xx xx xx xx xx
AA70-xx xx 00 08
or whatever... The 30 02 is the length ($0230 bytes).  The 00 08 is the starting
address ($0800).  Oh well, now you need to try and save the program.  Type:
800.A2FW   (A2F=$800+$230-1)
800:00 N 801<800.A2FM

  Once you are sure that the cassette works (by the way, don't be stupid and try
that on a //c!), we can get to the good stuff...

  First move the ROM boot-up code into RAM...(all steps will be from the monitor
* prompt.)

86F9:5C FF
(Now load in step 1 of the boot.)
C0E8  (turn the drive off)
(Now you have successfully loaded in track 0 sector 0.)  Now, since we won't want
to overwrite what we've loaded in this time, type:
86F9:01 85
Let's see what you've gotten...
First see if they move this part into the keyboard buffer. (A lot of programs
do this and the boot trace files that I've read don't even deal with this.)
LDX #00
LDA 800,X
STA 200,X
BNE $803
JMP $211  (or any $2xx)
(sometimes done with Y's instead of X's.)

  Then the next part will scramble what's in $08xx, but we don't have to worry
about that.  Anyways, find that JMP $2xx and change it to 4C xx 85, leaving the xx
the same.  Usually this will be the next address, but just to be safe...  Ok, now
scan the code for any other JMPs.  If you find one that's direct (indirect ones
have the address in parentheses), change it to 4C 5C FF, but write down the
location that it used to jump to first so you know where to look.  It'll
probably be 301 or B700.  If it's the B700, you got lucky.  If it's the 301 then
you've got some more work ahead.  If it was an indirect JMP, most likely it was
JMP ($003E).  Now if you change that to 4C 5C FF and then check 3E from the monitor
you'll find that 3E is 00 and 3F is 3E...the monitor uses that place in zero page
for its current memory location.  So what you need to do is

8400:A5 3F 20 DA FD A5 3E 20 DA FD 4C 5C FF
(That's LDA $3F, JSR $FDDA to print it, LDA $3E, JSR $FDDA, then JMP $FF5C back
to the monitor, so the hidden address comes out high byte first.)
then change that indirect jump to
85xx:4C 00 84

  (By the way, if the indirect jump is anything other than 3E then most likely
you can just look at it from the monitor; if not, write a little routine like the
one above to print out the hidden address.  (Oh, check the location after the
next run.  For now change it to 4C 5C FF.))

  Anyways this little game will probably go on no longer than 2 or 3 loads, each
time just move the newly loaded part to another part of memory and change the
jump to jump to monitor (4C 5C FF) and the jump from the part before it to go to
the moved code.
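The JMP hunting in the steps above can be done by a small scanner over the sector image instead of by eye. This is an added Python example, not code from the phile: it assumes the loaded sector was dumped to a 256-byte image (here a constructed one, assumed loaded at $0800), reports every direct and indirect JMP with its target, and makes the same 4C 5C FF patch the text does while recording the old target.

```python
# Added example: scan a 256-byte sector image for 6502 JMPs and redirect one
# to the monitor ($FF5C) the way the text does by hand.  Not the phile's code.
MONITOR_ENTRY = 0xFF5C          # monitor entry the phile patches jumps to
JMP_ABS, JMP_IND = 0x4C, 0x6C   # direct JMP abs / indirect JMP (abs)

def find_jumps(sector, base=0x0800):
    """Return (address, kind, target) for every byte that looks like a JMP.
    This is a byte-wise scan like reading a hex dump, so a data byte that
    happens to be $4C/$6C shows up too; check each hit against its context."""
    found = []
    for off in range(len(sector) - 2):
        op = sector[off]
        if op in (JMP_ABS, JMP_IND):
            target = sector[off + 1] | (sector[off + 2] << 8)  # little-endian
            kind = "direct" if op == JMP_ABS else "indirect"
            found.append((base + off, kind, target))
    return found

def redirect_to_monitor(sector, jmp_addr, base=0x0800):
    """Rewrite the direct JMP at jmp_addr to JMP $FF5C (4C 5C FF) and return
    (patched_image, old_target); the old target is where to look next."""
    off = jmp_addr - base
    if sector[off] != JMP_ABS:
        raise ValueError("no direct JMP at $%04X" % jmp_addr)
    old_target = sector[off + 1] | (sector[off + 2] << 8)
    patched = bytearray(sector)
    patched[off + 1] = MONITOR_ENTRY & 0xFF
    patched[off + 2] = MONITOR_ENTRY >> 8
    return bytes(patched), old_target

# Constructed sector (not a real disk): the keyboard-buffer copy loop from
# the text, then a direct JMP $B700 and an indirect JMP ($003E); NOP padding.
SAMPLE = bytes([
    0xA2, 0x00,          # LDX #$00
    0xBD, 0x00, 0x08,    # LDA $0800,X
    0x9D, 0x00, 0x02,    # STA $0200,X
    0xE8,                # INX
    0xD0, 0xF7,          # BNE back to the LDA (256 bytes, X wraps to 0)
    0x4C, 0x11, 0x02,    # JMP $0211   <- the "JMP $2xx" the text looks for
    0x4C, 0x00, 0xB7,    # JMP $B700   <- direct, the one to patch
    0x6C, 0x3E, 0x00,    # JMP ($003E) <- indirect, needs the $8400 routine
]).ljust(256, b"\xEA")

if __name__ == "__main__":
    for addr, kind, target in find_jumps(SAMPLE):
        print("$%04X: %s JMP -> $%04X" % (addr, kind, target))
    patched, old = redirect_to_monitor(SAMPLE, 0x080E)
    print("patched $080E, used to jump to $%04X" % old)
```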

When you find the part that JMPs up to a high area of memory (usually $B700)
you're almost done.  The exit routine of that code will most likely be the start of
the program.  Once you intercept it there, all you have to do now is save it to
cassette and re-load DOS.  The starting address for saving should be the
address that the B700 routine exits through.  If this is higher than $6000 then
start saving at
