Your Spectrum
Issue 14, May 1985 - Codebusters
Now I've said it before in the previous Codebuster articles, but it's worth repeating just in case there's anyone who still doesn't believe that software piracy is illegal or wrong. It is, on both counts, and neither I nor Your Spectrum will ever condone it. It harms the magazine, it harms the software companies but, worst of all, it harms you and me, the people who buy software.
So, if you've got any ideas that this article will aid you in your attempt to make a killing at tape copying, you'd be better off reading Computing for Petty Criminals or similar unworthy rags. I'm writing only for the dedicated hacker who is excited by the challenge of breaking into programs 'because they're there'. Nuff said.


Generally the only way to get into a protected program is to nobble it before it runs! Once the code gets control, the programmer will have fixed things so that you can never seize the reins again. The dedicated hacker gets around this inconvenient fact by using a customised ROM incorporating his own BREAK routines. But clever and/or unusually paranoid Protection Artists have taken to adding routines to check that the standard Spectrum ROM is still there before allowing the program to continue!
Some programs do this during the LOADing, and then use up several Kbytes in pure misdirection before getting to a bit of code that unscrambles the encrypted program and then erases itself, disappearing up its own tailpipe. Others apparently check for the presence of the ROM constantly during play, and crash immediately when the customised ROM is paged in.


How do they check that the ROM is there? Obviously they can't check the whole ROM, byte for byte, without LOADing a copy of it, a pure waste of 16K. They can check the whole thing by adding up all the bytes modulo 256, which means throwing away any part of the sum which overflowed one byte. You would then have only one chance in 256 of your custom ROM adding up to the same byte. However, this actually takes some time, so it can hardly be used within the action.
Usually only a few key bytes can be checked, so which are chosen? Obvious candidates are the various bits of the initialisation code, starting at address 0. This address is often used as a 'crash and burn' jump for destroying anything that the program thinks might have been feloniously LOADed by a hacker. This is the address that all the crash on BREAK protection tapes rely on to wipe the memory when you fiddle, and so a customised ROM might be expected to disable this initialisation routine, as we suggested in our last article.
The true hacker enjoys the battle of wits with the protective programmer. Terry Bulfib tips the scales your way.


Another candidate is the non-maskable interrupt routine at 66H. This has been wasted in the Spectrum. It almost provides a redirectable reset to the address stored in the two 'spare' locations in the system variables at 23728, but for a 'jump not zero' instruction being used instead of a 'jump if zero'. In my custom ROM, I have rewritten this non-maskable interrupt to jump to my own de-trap and BREAK routine.
The non-maskable interrupt is activated by its own line (NMI) on the expansion bus being grounded momentarily, and the 'non-maskable' means that it can't be disabled by the 'disable interrupt' instruction. This makes it an obvious choice for the hacker's custom ROM rewrite, and therefore a target for the Protection Artist's search and destroy routine.
Checking for hacker's rewrites is made easier by the fact that there is not a lot of code in the ROM that can be displaced by one's own routines without causing trouble with programs that use the ROM for printing, etc. If you have a large custom ROM, or rather EPROM, or even RAM, then you can use the area from 386EH to 3CFFH for your own code, as the Spectrum doesn't use it. However, if you have only a small custom ROM (mine is just a 1K 2708 EPROM programmer board designed originally for use with an Ohio superboard and now heavily messed about), then you can make use of the memory in the 'token table' from 95H to 1FDH. Your BASIC keywords will not be recognisable if you rewrite this section, but everything else will work. Unless the Protection Artist checks up on this area, that is.
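An added example, not part of the original article, comparing the two checks described above: the whole-ROM sum modulo 256 and a byte-for-byte comparison of the key areas the article names. The ROM image is constructed pseudo-random data rather than the real ROM, and the lengths given to the areas at 0 and 66H are assumptions.

```python
import random

ROM_SIZE = 0x4000  # the 16K Spectrum ROM

# Areas the article names as likely to be rewritten (end address inclusive).
KEY_AREAS = {
    "initialisation code at 0": (0x0000, 0x0007),   # length is an assumption
    "NMI routine at 66H": (0x0066, 0x0073),         # length is an assumption
    "token table 95H-1FDH": (0x0095, 0x01FD),
    "unused area 386EH-3CFFH": (0x386E, 0x3CFF),
}

def checksum8(image):
    """Whole-image check: add every byte, keep only the low byte (mod 256)."""
    return sum(image) & 0xFF

def altered_areas(reference, candidate):
    """Key-byte check: names of the areas whose bytes differ from the reference."""
    return [name for name, (lo, hi) in KEY_AREAS.items()
            if reference[lo:hi + 1] != candidate[lo:hi + 1]]

def make_reference(seed=1985):
    """Constructed stand-in for the ROM (pseudo-random bytes, not the real image)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(ROM_SIZE))

def survey(reference, area, trials=4000, seed=14):
    """Overwrite one area with random bytes `trials` times and count how often
    each check fails to notice the rewrite."""
    rng = random.Random(seed)
    lo, hi = KEY_AREAS[area]
    good_sum = checksum8(reference)
    missed_by_sum = missed_by_compare = 0
    for _ in range(trials):
        patch = bytes(rng.randrange(256) for _ in range(hi - lo + 1))
        candidate = reference[:lo] + patch + reference[hi + 1:]
        if checksum8(candidate) == good_sum:   # 16384 additions per check
            missed_by_sum += 1
        if area not in altered_areas(reference, candidate):
            missed_by_compare += 1
    return missed_by_sum, missed_by_compare

if __name__ == "__main__":
    rom = make_reference()
    by_sum, by_compare = survey(rom, "NMI routine at 66H")
    print(f"mod-256 sum missed {by_sum} of 4000 rewrites (about 1 in 256 expected)")
    print(f"key-byte comparison missed {by_compare}")
```

The sum has to touch all 16K on every check, which is the time cost the article mentions, while the comparison only reads the listed areas.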


Ideally, a custom ROM or RAM board will be set up so you can easily switch it in or out of the memory map. Indeed, with RAM this is a necessity, or you would never be able to start the Spectrum up in the mornings. With 1K of RAM located in the lowest 1K of the address space, the sequence goes something like this: turn on the Spectrum with the RAM paged out, SAVE the Speccy ROM to tape (SAVE "rom" CODE 0,1025), type in LOAD "" CODE, then play the tape and, as soon as the header has LOADed, switch in the RAM. This has to be after the header, or the printing of the header name, which uses a jump at address 10h, will cause a crash. You then have a copy of the ROM on board in rewriteable RAM. This will only work with a 1K custom RAM, as the tape routines start at about the beginning of the second K, and they would disappear when the RAM was switched in. Larger custom boards will require a small M/C routine.
One thing to watch out for when using RAM in the ROM area is that the Spectrum BASIC actually corrupts the first few bytes of the RAM at addresses 0 to 5. This seems to happen every time you drop out of a program with STOP or an error message or even when you enter a command for immediate execution. Ordinarily, this won't matter, because this part of the ROM is only used at power-up, but since the Protection Artist is likely to check here, it makes using a ROM-in-RAM type of custom ROM rather more difficult. Why the Speccy ROM tries to write over itself is a mystery to me. If and when I find the bit that's doing it, I expect to be appalled at the sloppiness, but as I haven't found it, I had better control the ribald disparagement for now.
Some programs load not just the whole of the RAM, but also load over the ROM, so if you don't page out your ROM-in-RAM customisation while LOADing, it will be converted back to the standard ROM contents!
If the custom ROM (or rewritten RAM) can be switched in at exactly the same time that the NMI is activated, then no amount of checking up by the Protection Artist will keep you out. With computer speeds, 'exactly' means that you will have to use a bit of silicon to do the switching, rather than just a double pole mechanical switch, but if you have already built yourself a piece of moveable memory map then the extra few gates won't give you any problem.


Not everyone, I realise, has the skill, time, or even the cash for building the kind of hacking hardware we're talking about here. Don't be downhearted, though, as it still is - and always will be - possible to hack into the headers of Speccy progs, whatever the Protection Artist hurls at you. Hardware just makes it easier, or at least it used to before the PAs started in on that too.
However, it is occasionally possible to catch the PA out in an uncharacteristic lapse. It is when he is feeling most secure that he is likely, while assembling his armour, to absentmindedly drop the codpiece behind the sofa. The fastloader has brought out the laziness in some of the breed, and they forget all they have learned at their computer's knee.
There is a very simple trick which I have kept under my hat until now because once everyone knows about it, steps will be taken against it in all future programs. Luckily for you, I can contain myself no longer. This is one that anyone can use, sans hardware, sans money, sans mental effort.
First the lazy Protection Artist thoroughly disables the BREAK key, and finds that this also takes care of any 'STOP in INPUT' type of BREAK. He may then decide to use a Basic routine for INPUT instead of writing his own when he wants you to input a name, especially if SAVEing or LOADing a partly completed adventure, say, on tape. Certainly the usual Basic BREAKs like Capshift 6 or entering 'STOP' will be useless. He will have checked for those before he got lazy.
The trick is to erase the quotation marks with the cursor keys and DELETE, and then type CHR$ USR 4867 and ENTER (using the keywords). This is accepted by the Basic as a string which it must find by converting a CODE into a character, and the CODE is to be found by calling the machine code routine at 4867 decimal. Naturally, calling this machine code address results in a BREAK, because 4867 decimal is our old buddy 1303 hex! If the crash-on-BREAK traps were set, then this would cause a crash, but the DF SZ trap cannot be used, because the INPUT command uses the lower screen, and the ERR SP trap is simply by-passed by the USR call directly to the end-of-program routine at 1303H. I know of at least two recent top selling programs that this wheeze does work on, neither of which is an adventure, as it happens.
Any program that gives you a flashing cursor flanked by quotation marks will fall for this, so get digging in that pile of old tapes, 'cause you will not find it on any new ones from now on. That's the problem with blabbermouths like me.


If you followed all the Codebuster articles you're probably a pretty proficient hacker by now. Or perhaps you reckon you were one anyway. Well, now's your chance to put your skill to the test.
That's right, we're setting you some hacking homework. Terry has written a cracker of a program designed to test all the techniques which you've picked up in his articles.
So, heads down and get cracking - it's the only way you're ever going to make it to a fully fledged Codebuster.
Follow the instructions exactly as listed below.
1. Type the program in exactly as shown. Don't even mess about with the line numbers.
2. SAVE it with GO TO 9999 to have an unprotected copy to use again. This is especially important in case you've made an error when typing it in.
3. RUN it to produce the protected CODE LOAD, after which it NEWs itself. Make sure you've followed the instructions in 2 above or you'll have to type it all in again.
4. Do LOAD "" CODE to load the protected program.
10 CLEAR 50000
20 FOR i=50001 TO 50024
40 READ a: POKE i,a: NEXT i
50 DATA 237, 123, 178, 92, 59, 33, 81, 195, 229, 237, 115, 61, 92, 175, 50, 68, 92, 33, 110, 0, 251, 195, 158, 27
60 POKE 65358,63: POKE 65359,5
70 POKE 65360,81: POKE 65361,195
90 SAVE "protected" CODE 16384,49152
100 NEW
110 INPUT "NAME? ";a$
120 GO SUB 200
130 GO TO 110
200 CLS
210 FOR i=1 TO 704/(LEN a$+1)
220 PRINT a$;" ";
230 NEXT i
240 RETURN
9999 SAVE "demobasic"
OK, busters, can you crack it? There are at least three ways to crack this one and all have been revealed in Codebusters. One is a snap, one is a chore, and one is so-so. Maybe you'll be the one to find us a fourth, but remember - nobody loves a clever dick, so there are no prizes (and no, it's not 'cos we're too mean - Ed). But think of the satisfaction you'll get from knowing that you've done a bit of breaking and entering and got away with it.
So hackers, drop us a line with all your clever tales of how you managed to take us to the cleaners. Get bustin'.

This is the machine code routine if you are using a custom board larger than 1K. [Listing not reproduced; only its comments survive:]
;Mustn't have interrupt with no ROM
;Move ROM contents to high
;Wait until SPACE is pressed to give time to switch in the RAM
;Move contents back to the RAM now in the ROM's slot
;Otherwise locked out