Tunnels of Armageddon (California Dreams, 1989), by LoGo
from http://www.hackzapple.com/phpBB2/viewtopic.php?t=829

Strap yourself in as you embark on the mind-numbing, heart-pounding, futurist roller coaster ride of your life. And what's more, the fate of mankind rides with you. Some say you're the best rocket jockey in the solar system, but can you handle the TUNNELS OF ARMAGEDDON(tm)?

I like that IIgs game very much, the atmosphere is great: sound, music and animation are great! And just like other California Dreams games for the Apple IIgs, it is off-disk protected: a sort of password protection. From a wheel, the program selects an outer color and an inner color, then asks for the color corresponding to one of the eight holes inside the wheel. Should you enter the right password, you can play, otherwise you quit the game!

There are two ways to crack the game: you either 1/ bypass the entire password protection routine or 2/ leave the password protection routine in place and disable its check. I have chosen the second option for two reasons: it is a one-byte change and it lets you enter the Demo mode, which is not accessible if you bypass the entire protection.

It is also a IIgs program, running on a 3.5" disk. The approach to cracking on such a machine is different: more room on disk (800 KiB vs 143 KiB), big files and plenty of memory on the machine (4 MiB vs 64 KiB). I will describe the approach to cracking GS/OS and ProDOS 16 programs in another message in this thread.

The tools to use

You have several friends that are mandatory to help you in cracking:

- Visit Monitor (IIgs ROM)
  Press control-apple-escape to enter the monitor; search for patterns using the monitor routines, that is really powerful.

- GSBug (Apple)
  You can set breakpoints, trace code, etc. Another really powerful tool.

- The Flaming Bird Disassembler (Ferox)
  The most powerful disassembler for the Apple IIgs, a must-have for disassembling code and a very good help for cracking.
- Block.Warden (Glen Bredon)
  A good P8 tool to edit blocks on all Apple II disks. Developed for ProDOS but also useful to follow files and change bytes in them.

There are dozens of other tools; I use all of the above but GSBug.

How to crack?

- Launch Block.Warden
- Press P(refix), enter /TUNNELS
- Press F(ollow), enter TEXE
- Press -> to edit relative block 2
- At offset 1, change D0 03 to 80 03
- Press S(ave), press Y(es)

Find the image at http://www.brutaldeluxe.fr/crack/

Enjoy!
LoGo
3/2014

The approach to IIgs cracking

We are dealing with big program files which are divided into segments; a disassembler is required to determine where in the files and in memory the strings and other kinds of data are.

The first thing to do is to launch the program and "listen" to its behaviour. That is similar to an on-disk protection on the 8-bit Apple II. For Tunnels of Armageddon:

- Boot the disk, you arrive on the desktop
- Double-click on TUNNELS.SYS16
- The game displays two pages of graphics with a great music
- The SHR screen is turned off and something is loaded

*BELL RINGS* Yes, on an Apple IIgs, when control is given to another program (load, quit), the text screen is turned on with a non-blinking cursor in the upper left corner of the screen. That is what we have here. So, let's see the other files on the disk... There is an EXE file named TEXE. What does that mean?

> The protection routine is not in the TUNNELS.SYS16 file but in the TEXE file, therefore we will study that file.

We launch TFBD and study it. That is the second step in off-disk protection checks: where are the damn text strings saved? Why do we search for them? Because there are pointers to them, and those pointers are used in the code, so we will work backwards from the strings to the code that references them, and from that code to the main calling address of the off-disk protection routine. There, we have pointers to the strings of the different colors that are part of the protection.
05/0000: 4C742E4772   ASC 'Lt.Green'00
05/0009: 59656C6C6F   ASC 'Yellow'00
05/0010: 42726F776E   ASC 'Brown'00
05/0016: 52656400     ASC 'Red'00
05/001A: 4461726B20   ASC 'Dark Blue'00
05/0024: 50696E6B00   ASC 'Pink'00
05/0029: 4C742E5075   ASC 'Lt.Purple'00
05/0033: 4461726B20   ASC 'Dark Green'00
05/003E: 4461726B20   ASC 'Dark Purple'00
05/004A: 4772617900   ASC 'Gray'00
05/004F: 4C742E426C   ASC 'Lt.Blue'00
05/0057: 4F72616E67   ASC 'Orange'00
05/005E: 64656D6F00   ASC 'demo'00
05/0063: 00000500     ADRL $00050000
05/0067: 09000500     ADRL $00050009
05/006B: 10000500     ADRL $00050010
05/006F: 16000500     ADRL $00050016
05/0073: 1A000500     ADRL $0005001A
05/0077: 24000500     ADRL $00050024
05/007B: 29000500     ADRL $00050029

Below that, prot.pck is the image loaded for the protection color display, and after it we find the text that is written on the SHR screen.

05/01DF: 6D63657267   ASC 'mcergt'0D
05/01E6: 00           ASC 00
05/01E7: 70726F742E   ASC 'prot.pck'00
05/01F0: 4C696E6520   ASC 'Line up '00
05/01F9: 206F6E2074   ASC ' on the outer'00
05/0207: 776865656C   ASC 'wheel with '00
05/0213: 206F6E2074   ASC ' on the'00
05/021B: 696E6E6572   ASC 'inner wheel and look at the'00
05/0237: 636F6C6F72   ASC 'color in box '00
05/0245: 256400       ASC '%d'00
05/0248: 2E20497420   ASC '. It is:'00
05/0251: 00           DB $00
05/0252: 00           DB $00
05/0253: 00           DB $00
05/0254: 00           DB $00
05/0255: 00           DB $00
05/0256: 00           DB $00
05/0257: 00           DB $00
05/0258: 00           DB $00
05/0259: 00           DB $00

The code below loads the "prot.pck" file; the entry point of the routine is at $01/6665. We'll search for that pattern in the next screen.
01/6665: 0B           PHD
01/6666: 3B           TSC
01/6667: 38           SEC
01/6668: E9FB00       SBC #$00FB
01/666B: 5B           TCD
01/666C: 69CE00       ADC #$00CE
01/666F: 1B           TCS
01/6670: A90F01       LDA #$05010F
01/6673: A20500       LDX #^$05010F
01/6676: 86F2         STX $F2
01/6678: 85F0         STA $F0
01/667A: F40500       PEA ^$050981
01/667D: F48109       PEA $050981
01/6680: F40600       PEA ^$06078E
01/6683: F48E07       PEA $06078E
01/6686: F40500       PEA ^$0501E7
01/6689: F4E701       PEA $0501E7
01/668C: 22B15A02     JSL $025AB1
01/6690: A8           TAY
01/6691: 3B           TSC

The previous code is called from another routine; let's get its entry point address and navigate through the code...

01/6229: B003         BCS $622E
01/622B: A90000       LDA #$0000
01/622E: 8F020007     STAL $070002
01/6232: A20000       LDX #$0000
01/6235: 7B           TDC
01/6236: 18           CLC
01/6237: 69E600       ADC #$00E6
01/623A: 86E4         STX $E4
01/623C: 85E2         STA $E2
01/623E: 22656601     JSL $016665
01/6242: 85D0         STA $D0
01/6244: ADDD03       LDA $0703DD
01/6247: F04B         BEQ $6294
01/6249: F40D00       PEA $000D
01/624C: AE2804       LDX $070428
01/624F: AD2604       LDA $070426
01/6252: DA           PHX
01/6253: 48           PHA
01/6254: A203102200   _SetVector
01/625B: B003         BCS $6260

We have found the main entry point, which is at $01/01B5. Let's study the code:

- The protection routine is called
- The result is saved at $EE
- If the result is different from #$0000, the program continues at $01C1; otherwise it goes to $0259, which is the exit part of the main loop.

We have found the main check.

01/01AD: AD2500       LDA $070025
01/01B0: F003         BEQ $01B5
01/01B2: 82A400       BRL $0259
01/01B5: 22816101     JSL $016181
01/01B9: 85EE         STA $EE
01/01BB: A8           TAY
01/01BC: D003         BNE $01C1
01/01BE: 829800       BRL $0259
01/01C1: A5EE         LDA $EE
01/01C3: C9FEFF       CMP #$FFFE
01/01C6: D003         BNE $01CB
01/01C8: 826B00       BRL $0236
01/01CB: 9C1103       STZ $070311
01/01CE: 9C1303       STZ $070313
01/01D1: 9C1B03       STZ $07031B
01/01D4: 9C1D03       STZ $07031D
01/01D7: 220E0901     JSL $01090E
01/01DB: F40500       PEA ^$050981
01/01DE: F48109       PEA $050981
01/01E1: F40600       PEA ^$06078E

What can we do now?
Patch the BNE *+3 (branches if the result is different from 0) with a BRA *+3 (branches always, whatever the value). We will change the byte D0 to 80 using BLOCK.WARDEN.

Block: $0009 (9)   Volume name: TUNNELS   Friday 15-Mar-14  3:34
Prefix: /TUNNELS/
Following: TEXE, Type $B5, Rel block 2, Byte $000200

1000: A8           TAY              (
1001: D0 03        BNE $1006        ..
1003: 82 98 00     BRL $109E        ...
1006: A5 EE        LDA $EE          %n
1008: C9 FE        CMP #$FE         I~
100A: FF D0 03 82  SBCL $8203D0,X   P..
100E: 6B           RTL              k
100F: 00           BRK              .
1010: 9C 11 03     STZ $0311        ...
1013: 9C 13 03     STZ $0313        ...
1016: 9C 1B 03     STZ $031B        ...
1019: 9C 1D 03     STZ $031D        ...
101C: 22 0E 09 00  JSL $00090E      "...
1020: F4 00 00     PEA $0000        t..
1023: F4 81 09     PEA $0981        t..
1026: F4 00 00     PEA $0000        t..
1029: F4 8E 07     PEA $078E        t..
102C: 22 BB 08 00  JSL $0008BB      ";..
1030: 7A           PLY              z
1031: 7A           PLY              z
1032: 7A           PLY              z
1033: 7A           PLY              z
1034: F4 00 00     PEA $0000        t..
1037: F4 DE 81     PEA $81DE        t^.
103A: F4 00 00     PEA $0000        t..
103D: F4 8E 07     PEA $078E        t..
1040: F4 E1 00     PEA $00E1        ta.
1043: F4 00 20     PEA $2000        t.
1046: 22 C5 06 00  JSL $0006C5      "E..
104A: A8           TAY              (
104B: 3B           TSC              ;
104C: 18           CLC              .
104D: 69 0C        ADC #$0C         i.
104F: 00           BRK              .
1050: 1B           TCS              .
1051: 98           TYA              .
1052: 22 0E 09 00  JSL $00090E      "...
1056: A5 F0        LDA $F0          %p
1058: D0 11        BNE $106B        P.
105A: A9 01        LDA #$01         ).

Yeah ;)
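The branch decoding behind the check at $01/01B5, as an added example that is not code from LoGo's post or from the game: a minimal 65816 sweep over the bytes transcribed from the $01/01AD listing above. It computes each branch target so the listing's control flow can be verified by hand, and flags any instruction that an unconditional branch leaves unreachable, which is how a one-byte BNE-to-BRA change shows up when you audit a binary. It assumes a 16-bit accumulator (so CMP #$FFFE is three bytes) and covers only the opcodes in that listing.

```python
from __future__ import annotations

# opcode -> (mnemonic, length) for the instructions in the $01/01AD listing,
# assuming a 16-bit accumulator (so CMP #$FFFE is three bytes).
OPS = {0xAD: ("LDA", 3), 0x22: ("JSL", 4), 0x85: ("STA", 2), 0xA8: ("TAY", 1),
       0xA5: ("LDA", 2), 0xC9: ("CMP", 3), 0x9C: ("STZ", 3), 0x82: ("BRL", 3),
       0x80: ("BRA", 2), 0xD0: ("BNE", 2), 0xF0: ("BEQ", 2), 0xB0: ("BCS", 2)}
BRANCHES = {"BRA", "BNE", "BEQ", "BCS", "BRL"}

def branch_target(name: str, operand: bytes, next_pc: int) -> int | None:
    """Target of a relative branch, or None. The 65816 measures the signed
    displacement from the following instruction and wraps inside the bank."""
    if name not in BRANCHES:
        return None
    disp = int.from_bytes(operand, "little", signed=True)  # 1 byte, 2 for BRL
    return (next_pc + disp) & 0xFFFF

def disassemble(code: bytes, base: int) -> list[tuple[int, str, int | None]]:
    """Linear sweep over `code` loaded at bank-relative `base`:
    returns (address, mnemonic, branch target or None) per instruction."""
    out, pc = [], 0
    while pc < len(code):
        name, length = OPS[code[pc]]
        nxt = pc + length
        out.append((base + pc, name, branch_target(name, code[pc + 1:nxt], base + nxt)))
        pc = nxt
    return out

def unreachable_fallthroughs(listing) -> list[int]:
    """Instructions that follow an unconditional branch and are the target of
    no branch in the listing: they can never execute. In the original code every
    BRL to the exit is skipped by a conditional branch, so the list is empty."""
    targets = {t for _, _, t in listing if t is not None}
    return [nxt for (_, name, _), (nxt, _, _) in zip(listing, listing[1:])
            if name in ("BRA", "BRL") and nxt not in targets]

# Bytes of $01/01AD..$01/01D0 transcribed from the TFBD listing in the post.
CHECK_SITE = bytes.fromhex(
    "AD2500 F003 82A400 22816101 85EE A8 D003 829800 A5EE C9FEFF D003 826B00 9C1103 9C1303")

def check_site_targets() -> dict[int, int]:
    """Branch address -> target, for comparison against the listing."""
    return {a: t for a, _, t in disassemble(CHECK_SITE, 0x01AD) if t is not None}

if __name__ == "__main__":
    listing = disassemble(CHECK_SITE, 0x01AD)
    for addr, name, target in listing:
        print(f"01/{addr:04X}: {name}" + (f" ${target:04X}" if target is not None else ""))
    print("unreachable:", [f"${a:04X}" for a in unreachable_fallthroughs(listing)])
```

Re-running the sweep on the same bytes with the D0 at $01/01BC replaced by 80 reports $01BE, the BRL to the exit at $0259, as unreachable: the check still executes, but its failure path has become dead code.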