Chapter 4 Cracking Self Booters
-------------------------------------------------------------

Now we'll take a look at cracking self booters. A few companies
have found this to be the best copy protection scheme for them,
one of which is DataEast, makers of Ikari Warriors, Victory
Road, Lock-On, Karnov, etc... This poses a special problem to
the amateur cracker, since self booters seldom use standard DOS
formats. So let's jump right in!

-------------------------------------------------------------

This is an area that calls for a higher than normal knowledge
of assembly language and DOS diskette structures, so first of
all, the basics.

The Disk's Physical Structure

Data is recorded on a disk in a series of concentric circles,
called tracks. Each track is further divided into segments,
called sectors. The standard double-density drives can record
40 tracks of data, while the newer quad-density drives can
record 80 tracks.

However, the location, size, and number of the sectors within
a track are under software control. This is why the PC's
diskettes are known as soft-sectored. The characteristics of
a diskette's sectors (their size, and the number per track)
are set when each track is formatted. Disk formatting can be
done either by the operating system or by the ROM-BIOS format
service (INT 13h, function 05h, Format Track). A lot of self
booters and almost all forms of copy protection create unusual
formats via the ROM-BIOS diskette services.

The 5 1/4-inch diskettes supported by the standard PC BIOS
may have sectors that are 128, 256, 512, or 1,024 bytes in
size. DOS, from versions 1.00 through 4.01, has consistently
used sectors of 512 bytes, and it is quite possible that this
will continue.

Here is a table displaying 6 of the most common disk formats:
_____________________________________________________________

   Type    Sides   Sectors/Track   Tracks   Size (bytes)
_____________________________________________________________

   S-8       1           8           40        160K
   D-8       2           8           40        320K
   S-9       1           9           40        180K
   D-9       2           9           40        360K
   QD-9      2           9           80        720K
   QD-15     2          15           80      1,200K
_____________________________________________________________

   S  - Single-sided
   D  - Double-sided
   QD - Quad Density (80 tracks)

Of all these basic formats, only two are in widespread use:
S-8 and D-9. The newer quad-density formats are for the
3 1/2" (QD-9, 720K) and 5 1/4" high-density (QD-15, 1.2M)
diskettes.

The Disk's Logical Structure

So, as we have already mentioned, the standard 5 1/4-inch
diskette formats have 40 tracks, numbered from 0 (the outside
track) through 39 (the inside track, closest to the center).
On a double-sided diskette, the two sides are numbered 0 and 1
(the two recording heads of a double-sided disk drive are also
numbered 0 and 1).

The BIOS locates the sectors on a disk by a three-dimensional
coordinate composed of a track number (also referred to as the
cylinder number), a side number (also called the head number),
and a sector number. DOS, on the other hand, locates
information by a single sector number, and numbers the sectors
sequentially from the outside track to the inside, covering
both sides of a track before moving on to the next track.

We can refer to particular sectors either by their
three-dimensional coordinates or by their sequential order.
All ROM-BIOS operations use the three-dimensional coordinates
to locate a sector. All DOS operations and tools such as DEBUG
(its L and W commands) use the DOS sequential notation.

The BASIC formula that converts the three-dimensional
coordinates used by the ROM-BIOS to the sequential sector
numbers used by DOS is as follows:

   DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1) + BIOS.SIDE
                       * SECTORS.PER.SIDE + BIOS.TRACK
                       * SECTORS.PER.SIDE * SIDES.PER.DISK

And here are the formulas for converting sequential sector
numbers to three-dimensional coordinates:

   BIOS.SECTOR = 1 + DOS.SECTOR.NUMBER MOD SECTORS.PER.SIDE
   BIOS.SIDE   = (DOS.SECTOR.NUMBER \ SECTORS.PER.SIDE)
                 MOD SIDES.PER.DISK
   BIOS.TRACK  = DOS.SECTOR.NUMBER \ (SECTORS.PER.SIDE
                 * SIDES.PER.DISK)

(Note: SECTORS.PER.SIDE means the number of sectors per track
on one side, and \ is BASIC's integer division. For
double-sided nine-sector diskettes, the PC's most common disk
format, the value of SECTORS.PER.SIDE is 9 and the value of
SIDES.PER.DISK is 2. Also note that sides and tracks are
numbered differently from sectors in the ROM-BIOS numbering
system: the sides and tracks are numbered from 0, but the
sectors are numbered from 1.)
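The same conversions in working code, as an added example that is not part of the chapter (Python, so it runs anywhere; the 9-sector double-sided geometry and the INT 13h register assignments are the standard floppy values and are assumed here rather than taken from the text). The round-trip check proves the two formulas really are inverses of each other over a whole disk:

```python
"""ROM-BIOS (track, side, sector) <-> DOS sequential sector numbers.
Added example, not the chapter's own code."""

# Standard geometry of the D-9 (360K) format: 9 sectors per track on each
# side, 2 sides, 40 tracks. Override the keyword arguments for other formats.
SECTORS_PER_SIDE = 9
SIDES_PER_DISK = 2
TRACKS = 40


def dos_sector(track, side, sector, spt=SECTORS_PER_SIDE, sides=SIDES_PER_DISK):
    """BIOS coordinates -> DOS sequential sector number.

    Tracks and sides count from 0 and BIOS sector numbers from 1; the result
    counts from 0, which is what DEBUG's L and W commands take.
    """
    if track < 0 or not 0 <= side < sides or not 1 <= sector <= spt:
        raise ValueError(f"bad BIOS coordinate ({track}, {side}, {sector})")
    return (sector - 1) + side * spt + track * spt * sides


def chs(n, spt=SECTORS_PER_SIDE, sides=SIDES_PER_DISK):
    """DOS sequential sector number -> (track, side, sector) for the BIOS."""
    if n < 0:
        raise ValueError("DOS sector numbers start at 0")
    sector = 1 + n % spt
    side = (n // spt) % sides
    track = n // (spt * sides)
    return track, side, sector


def int13_registers(track, side, sector, drive=0):
    """Register values INT 13h read/write (AH=02h/03h) expect on a floppy:
    CH = track, CL = sector, DH = head, DL = drive (0 = A:, 1 = B:).
    (The cylinder high bits packed into CL for hard disks are not needed
    for 40- or 80-track diskettes.)"""
    return {"CH": track, "CL": sector, "DH": side, "DL": drive}


def round_trips(spt=SECTORS_PER_SIDE, sides=SIDES_PER_DISK, tracks=TRACKS):
    """True if every DOS sector on the disk converts to BIOS coordinates and
    back unchanged, i.e. the two formulas really are inverses."""
    return all(dos_sector(*chs(n, spt, sides), spt, sides) == n
               for n in range(spt * sides * tracks))


if __name__ == "__main__":
    print(chs(719))                     # last sector of a 360K disk: (39, 1, 9)
    print(dos_sector(0, 1, 1))          # first sector on side 1: 9
    print(chs(0x138, spt=8, sides=1))   # DEBUG's hex 138 on an S-8 disk: (39, 0, 1)
    print(int13_registers(*chs(719), drive=1))
    print(round_trips(), round_trips(8, 1))
```

The last two prints are the ones to keep in mind for the DEBUG work later in this chapter: DEBUG's L and W take the sequential number (in hex), while anything you write against INT 13h has to be handed the (track, side, sector) triple.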

Diskette Space Allocation

The formatting process divides the sectors on a disk into
four sections, for four different uses. The sections, in the
order they are stored, are the boot record, the file
allocation table (FAT), the directory, and the data space.
The size of each section varies between formats, but the
structure and the order of the sections don't vary.

The Boot Record:

    This section is always a single sector located at sector
1 of track 0, side 0 (DOS sequential sector 0). The boot
record contains, among other things, a short program to start
the process of loading the operating system. All diskettes
have the boot record on them even if they don't have the
operating system. Aside from the start-up program, the exact
contents of the boot record vary from format to format.

The File Allocation Table:

    The FAT follows the boot record, usually starting at
sector 2 of track 0, side 0 (DOS sequential sector 1). The FAT
contains the official record of the disk's format and maps out
the location of the sectors used by the disk files. DOS uses
the FAT to keep a record of the data-space usage. Each entry
in the table contains a specific code to indicate what space
is being used, what space is available, and what space is
unusable (due to defects on the disk).

The File Directory:

    The file directory is the next item on the disk. It is
used as a table of contents, identifying each file on the
disk with a directory entry that contains several pieces of
information, including the file's name and size. One part of
the entry is a number that points to the first group of
sectors used by the file (this number is also the index of
the file's first entry in the FAT; that entry in turn holds
the number of the next group, and so on down the chain).

The Data Space:

    The data space occupies the bulk of the diskette (from the
end of the directory through the last sector) and is used to
store data, while the other three sections are used to support
the data space. Sectors in the data space are allocated to
files on an as-needed basis, in units known as clusters. On
single-sided diskettes the clusters are one sector long; on
double-sided diskettes they are a pair of adjacent sectors.
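Putting the four sections together, as an added example that is not from the chapter: this computes where each section lands (in DOS sequential sectors) for the S-8 and D-9 formats, then decodes a FAT and walks one file's cluster chain from its directory start number down to the DOS sectors you would hand to DEBUG's L command. The FAT count, FAT size, root-directory size and media byte per format are the standard values DOS FORMAT writes and are assumed here; the FAT contents are constructed for the example, not read from a real disk.

```python
"""Region layout of a DOS diskette and FAT12 chain walking.
Added example, not the chapter's own code."""

SECTOR_SIZE = 512

# Standard DOS parameters for two formats from the table above (S-8 = 160K
# single-sided 8-sector, D-9 = 360K double-sided 9-sector). FAT count, FAT
# size, root-directory size and media byte are the values DOS FORMAT writes
# for these formats; they are assumed here, not given in the chapter text.
FORMATS = {
    "S-8": dict(spt=8, sides=1, tracks=40, sectors_per_cluster=1,
                fats=2, sectors_per_fat=1, root_entries=64, media=0xFE),
    "D-9": dict(spt=9, sides=2, tracks=40, sectors_per_cluster=2,
                fats=2, sectors_per_fat=2, root_entries=112, media=0xFD),
}


def layout(fmt):
    """DOS sector ranges (first, last) of the four sections, in disk order:
    boot record, FAT copies, root directory, data space."""
    fat_first = 1
    fat_last = fat_first + fmt["fats"] * fmt["sectors_per_fat"] - 1
    root_first = fat_last + 1
    root_last = root_first + fmt["root_entries"] * 32 // SECTOR_SIZE - 1
    data_first = root_last + 1
    data_last = fmt["spt"] * fmt["sides"] * fmt["tracks"] - 1
    return {"boot": (0, 0), "fat": (fat_first, fat_last),
            "root": (root_first, root_last), "data": (data_first, data_last)}


def cluster_to_sector(fmt, cluster):
    """First DOS sector of a data cluster. Numbering starts at 2 because
    FAT entries 0 and 1 hold the media byte and a filler, not clusters."""
    if cluster < 2:
        raise ValueError("data clusters start at 2")
    return layout(fmt)["data"][0] + (cluster - 2) * fmt["sectors_per_cluster"]


def fat12_get(fat, n):
    """Read 12-bit entry n: two entries are packed into every three bytes."""
    off = n * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word & 0xFFF if n % 2 == 0 else word >> 4


def fat12_set(fat, n, value):
    """Write 12-bit entry n without disturbing the entry sharing a byte."""
    off = n * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    if n % 2 == 0:
        word = (word & 0xF000) | (value & 0xFFF)
    else:
        word = (word & 0x000F) | ((value & 0xFFF) << 4)
    fat[off], fat[off + 1] = word & 0xFF, word >> 8


def classify(entry):
    """The codes a FAT12 entry can carry."""
    if entry == 0x000:
        return "free"
    if entry == 0xFF7:
        return "bad"
    if entry >= 0xFF8:
        return "end-of-chain"
    return "next"


def chain(fat, start):
    """Follow a file's cluster chain from the start cluster in its directory
    entry; refuses loops and chains that run into free or bad entries."""
    seen = []
    n = start
    while True:
        if n in seen:
            raise ValueError(f"loop in FAT chain at cluster {n}")
        seen.append(n)
        kind = classify(fat12_get(fat, n))
        if kind == "end-of-chain":
            return seen
        if kind != "next":
            raise ValueError(f"cluster {n} is followed by a {kind} entry")
        n = fat12_get(fat, n)


def sample_fat(fmt):
    """Constructed FAT (not from a real disk): media byte, one file that
    occupies clusters 2 -> 3 -> 5, cluster 4 marked bad, the rest free."""
    fat = bytearray(fmt["sectors_per_fat"] * SECTOR_SIZE)
    fat[0], fat[1], fat[2] = fmt["media"], 0xFF, 0xFF
    fat12_set(fat, 2, 3)
    fat12_set(fat, 3, 5)
    fat12_set(fat, 4, 0xFF7)
    fat12_set(fat, 5, 0xFFF)
    return fat


def file_sectors(fmt, fat, start_cluster):
    """DOS sectors a file occupies, in order, ready for DEBUG's L command."""
    spc = fmt["sectors_per_cluster"]
    return [cluster_to_sector(fmt, c) + i
            for c in chain(fat, start_cluster) for i in range(spc)]


if __name__ == "__main__":
    fmt = FORMATS["D-9"]
    print(layout(fmt))                             # boot 0, FAT 1-4, root 5-11, data 12-719
    print(file_sectors(fmt, sample_fat(fmt), 2))   # [12, 13, 14, 15, 18, 19]
```

Note how the same file (start cluster 2, three clusters) lands on different sectors under S-8 and D-9: the cluster size and the FAT and root-directory sizes all shift the data space, which is why a copy made sector-for-sector between two formats does not produce a readable disk.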

(From here on I'll continue to describe the basics of DOS
disk structures and assembly language addressing techniques.)

-------------------------------------------------------------
Here is a simple routine to just make a backup copy of the
Flight Simulator Version 1.0 by Microsoft. I know the latest
version is 3.x but this version will serve the purpose of
demonstrating how to access the data and program files of a
selfbooter.
-------------------------------------------------------------

By: PTL
Title: Microsoft Flight Simulator 1.00 Unprotect

This procedure will NOT convert the Flight Simulator disk to
files that can be loaded on a hard drive. But... it will
read the data off the original and put it onto another
floppy. And this should give you an idea of how to read data
directly from a disk and write it back out to another disk.

First of all take a blank (unformatted) disk and place it in
drive B:. This will be the target disk. It does not need to
be formatted: the routine below formats the tracks it uses.

Now place your DOS disk (which has Debug) into drive A:, or
just load Debug off your hard disk.

A>DEBUG

Then we are going to enter (manually) a little program that
formats the target disk in B: one track at a time, using the
ROM-BIOS Format Track service (INT 13h, AH=05h) with 8 sectors
of 512 bytes per track on side 0. The second E command below
fills in the address-field table INT 13h needs at CS:0100:
one four-byte entry (track, head, sector, size code 2 = 512
bytes) per sector. Before every call the program writes the
current track number into the first byte of each entry, then
formats the track and steps CH up to the last track.

-E CS:0000 B9 01 00 BA 01 00 BB 00
           01 0E 07 06 1F 88 E8 53
           5F AA 83 C7 03 81 FF 1C
           01 76 F6 B8 08 05 CD 13
           73 01 90 FE C5 80 FD 0C
           76 E1 90 CD 20

-E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02
           00 00 04 02 00 00 05 02 00 00 06 02
           00 00 07 02 00 00 08 02

(Each E command is typed on a single line; it is wrapped here
only to fit the page.)

Next we'll [R]eset the IP register, so that G starts at
CS:0000 instead of DEBUG's default of 0100, by typing

-R IP

DEBUG shows the current value (IP 0100) and a colon prompt;
type four zeros and press Enter.

:0000

Next insert the original Flight Simulator disk into drive A:
(it is needed for the L commands later; the formatter itself
only touches drive B:) and we'll run our little formatter.

-G =CS:0000 CS:22 CS:2A

The two breakpoints tell you how it went: stopping at CS:2A
means every track from the starting track through the last
track was formatted; stopping at CS:22 means INT 13h returned
with the carry flag set, a format error on the track then in
CH (AH holds the BIOS status code).

Now change the range of tracks: CS:02 is the high byte of the
MOV CX immediate (the first track, CH), and CS:27 is the CMP
CH immediate (the last track). The first run did tracks 0
through 0C (12); this run does 0E through 19 (14 through 25).

-E CS:02 0E
-E CS:27 19

And run the formatter again.

-G =CS:0000 CS:22 CS:2A

New range: track 27 (39) only.

-E CS:02 27
-E CS:27 27

Run the formatter.

-G =CS:0000 CS:22 CS:2A

Here we'll use DEBUG's [L]oad command to read sectors off the
original ourselves. Its arguments are address, drive (0 = A:,
1 = B:), first DOS sequential sector, and sector count, all in
hex; DEBUG uses the DOS numbering, not the BIOS coordinates.

-L DS:0000 0 0 40

And then, in turn, [W]rite it back out to drive B: (1) with
the same arguments.

-W DS:0000 1 0 40

Etc...

-L DS:0000 0 40 28
-W DS:0000 1 70 30
-L DS:0000 0 A0 30
-W DS:0000 1 A0 30
-L DS:0000 0 138 8
-W DS:0000 1 138 8

When we are all through, [Q]uit from debug and you should
have a backup copy of the Flight Simulator.

-Q

And that's all there is to it.
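What that routine actually does, as an added example in Python (not the page's own code): the disassembly in the comments was worked out by hand from the bytes entered above, and the functions model the address-field table the inner loop builds, the two bytes the E CS:02 / E CS:27 commands change, and which tracks the three format runs and the four W commands touch. The track arithmetic for the L/W ranges assumes DOS sees both disks as S-8 (8 sectors per track, one side), which is the layout this routine lays down on B:; that is an assumption, not something the procedure states.

```python
"""Model of the DEBUG-entered format routine. Added example, not the
page's own code; disassembly worked out by hand from the bytes above."""

# Bytes entered with E CS:0000 and their meaning:
#  0000 B9 01 00     mov  cx,0001  ; CH = first track (byte patched by E CS:02), CL = 1
#  0003 BA 01 00     mov  dx,0001  ; DH = head 0, DL = drive 1 (B:)
#  0006 BB 00 01     mov  bx,0100  ; ES:BX -> address-field table at CS:0100
#  0009 0E 07        push cs / pop es
#  000B 06 1F        push es / pop ds          <- outer loop, one track per pass
#  000D 88 E8        mov  al,ch    ; current track number
#  000F 53 5F        push bx / pop di          ; DI = 0100
#  0011 AA           stosb         ; track -> C byte of an entry  <- inner loop
#  0012 83 C7 03     add  di,3     ; next 4-byte entry
#  0015 81 FF 1C 01  cmp  di,011C  ; entries at 0100, 0104, ..., 011C (8 of them)
#  0019 76 F6        jbe  0011
#  001B B8 08 05     mov  ax,0508  ; AH = 05h Format Track, AL = 8 sectors/track
#  001E CD 13        int  13h
#  0020 73 01        jnc  0023     ; carry clear = success
#  0022 90           nop           ; error landing pad (breakpoint CS:22)
#  0023 FE C5        inc  ch       ; next track
#  0025 80 FD 0C     cmp  ch,0C    ; last track (byte patched by E CS:27)
#  0028 76 E1        jbe  000B
#  002A 90           nop           ; finished (breakpoint CS:2A)
#  002B CD 20        int  20h      ; not reached while G stops at CS:2A
PROGRAM = bytes.fromhex(
    "B90100BA0100BB00010E07061F88E8535FAA83C70381FF1C0176F6"
    "B80805CD13730190FEC580FD0C76E190CD20")

FIRST_TRACK = 0x02      # high byte of the mov cx immediate = CH
LAST_TRACK = 0x27       # cmp ch,imm8 immediate
ERROR_BP, DONE_BP = 0x22, 0x2A


def short_jump_target(program, offset):
    """Target of the 2-byte conditional jump at offset (rel8 from next IP)."""
    disp = program[offset + 1]
    if disp >= 0x80:
        disp -= 0x100
    return offset + 2 + disp


def address_field_table(track, sectors=8, head=0, size_code=2):
    """INT 13h AH=05h table: (C, H, R, N) per sector; N = 2 means 512 bytes.
    This is the block entered at CS:0100, with the track filled in the way
    the loop at 000D-001A does before each call."""
    return bytes(b for r in range(1, sectors + 1)
                 for b in (track, head, r, size_code))


def patched(program, first_track, last_track):
    """Apply the procedure's two E commands (E CS:02 xx, E CS:27 yy)."""
    if program[0] != 0xB9 or program[0x25:0x27] != b"\x80\xFD":
        raise ValueError("patch offsets do not sit on mov cx / cmp ch")
    p = bytearray(program)
    p[FIRST_TRACK], p[LAST_TRACK] = first_track, last_track
    return bytes(p)


def tracks_formatted(program):
    """Tracks the outer loop walks: CH from the mov immediate up to and
    including the cmp immediate (the loop exits when jbe falls through)."""
    return set(range(program[FIRST_TRACK], program[LAST_TRACK] + 1))


def tracks_in_sector_range(first, count, spt=8, sides=1):
    """Tracks covered by a DEBUG 'L/W addr drive first count', assuming the
    disk is seen as S-8 (8 sectors per track, one side) - an assumption."""
    return {n // (spt * sides) for n in range(first, first + count)}


def plan():
    """Tracks formatted by the three runs vs. tracks written by the four W
    commands in the procedure. Returns (formatted, written)."""
    formatted = set()
    for first, last in ((0x00, 0x0C), (0x0E, 0x19), (0x27, 0x27)):
        formatted |= tracks_formatted(patched(PROGRAM, first, last))
    written = set()
    for first, count in ((0x00, 0x40), (0x70, 0x30), (0xA0, 0x30), (0x138, 0x8)):
        written |= tracks_in_sector_range(first, count)
    return formatted, written


if __name__ == "__main__":
    formatted, written = plan()
    print("formatted:", sorted(formatted))
    print("written:  ", sorted(written))
    print("formatted but never written:", sorted(formatted - written))
    print("written but never formatted:", sorted(written - formatted))
```

If you adapt the procedure to another self booter by changing the E CS:02 / E CS:27 values or the L/W ranges, plan() shows at once which tracks the copy will land on and whether any W command targets a track the formatter never laid down, which is the case INT 13h would otherwise report only at write time.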

END.

///////////////////////////////////////////////////////
//                The PIRATES' HOLLOW                //
//                   415-236-2371                    //
//         over 12 Megs of Elite Text Files          //
//                    ROR-ALUCARD                    //
//               Sysop: Doctor Murdock               //
// C0-Sysops: That One, Sir Death, Sid Gnarly & Finn //
//                                                   //
//  "The Gates of Hell are open night and day;       //
//   Smooth is the Descent, and Easy is the way.."   //
///////////////////////////////////////////////////////