Now I've said it before in the previous Codebuster articles but it's worth repeating just in case there's anyone who still doesn't believe that software piracy is illegal or wrong. It is, on both counts and neither I nor Your Spectrum will ever condone it. It harms the magazine, it harms the software companies but, worst of all, it harms you and me, the people who buy software.
So, if you've got any ideas that this article will aid you in your attempt to make a killing at tape copying, you'd be better off reading Computing for Petty Criminals or similar unworthy rags. I'm writing only for the dedicated hacker who is excited by the challenge of breaking into programs 'because they're there'. Nuff said.
TAKING CONTROL
Generally the only way to get into a protected program is to nobble it before it runs! Once the code gets control, the programmer will have fixed things so that you can never seize the reins again. The dedicated hacker gets around this inconvenient fact by using a customised ROM incorporating his own BREAK routines. But clever and/or unusually paranoid Protection Artists have taken to adding routines to check that the standard Spectrum ROM is still there before allowing the program to continue!
Some programs do this during the LOADing, and then use up several Kbytes in pure misdirection before getting to a bit of code that unscrambles the encrypted program and then erases itself, disappearing up its own tailpipe. Others apparently check for the presence of the ROM constantly during play, and it immediately crashes when the customised ROM is paged in.
CRASH BARRIERS
How do they check that the ROM is there? Obviously they can't check the whole ROM, byte for byte, without LOADing a copy of it, a pure waste of 16K. They can check the whole thing by adding up all the bytes modulo 256, which means throwing away any part of the sum which overflowed one byte. You would then have only one chance in 256 of your custom ROM adding up to the same byte. However, this actually takes some time, so it can hardly be used within the action.
Usually only a few key bytes can be checked, so which are chosen? Obvious candidates are the various bits of the initialisation code, starting at
This address is often used as a 'crash and burn' jump for destroying anything that the program thinks might have been feloniously LOADed by a hacker. This is the address that all the crash-on-BREAK protection tapes rely on to wipe the memory when you fiddle, and so a customised ROM might be expected to disable this initialisation routine, as we suggested in our last article.
NON-MASKED BALL
Another candidate is the non-maskable interrupt routine at 66H. This has been wasted in the Spectrum. It almost provides a redirectable reset to the address stored in the two 'spare' locations in the system variables at 23728, but for a 'jump not zero' instruction being used instead of a 'jump if zero'. In my custom ROM, I have rewritten this non-maskable interrupt to jump to my own de-trap and BREAK routine.
The non-maskable interrupt is activated by its own line (NMI) on the expansion bus being grounded momentarily, and the 'non-maskable' means that it can't be disabled by the 'disable interrupt' instruction. This makes it an obvious choice for the hacker's custom ROM rewrite, and therefore a target for the Protection Artist's search and destroy routine.
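An added example, not from the article or Your Spectrum, written in Python rather than Z80 code: it models the two ROM-presence checks described above (the mod-256 checksum of the whole ROM and the cheap spot check of a few key bytes) on a constructed 16K image. The byte pattern, the spot-check addresses beyond 0000H and 66H, and the three-byte stand-in for a rewritten NMI handler at 66H are all assumptions made for the demonstration.

```python
# Constructed 16K stand-in for the Spectrum ROM (NOT the real ROM contents).
GENUINE_ROM = bytearray((i * 37 + 11) & 0xFF for i in range(16384))


def checksum_mod256(rom: bytes) -> int:
    """Add up every byte and keep only the low byte of the total, which is
    what an 8-bit ADD loop does when the carry is thrown away each time."""
    return sum(rom) & 0xFF


def spot_check(rom: bytes, reference: bytes, addresses) -> bool:
    """The quick in-game check: compare only a handful of key bytes."""
    return all(rom[a] == reference[a] for a in addresses)


def patch(rom: bytes, address: int, new_code: bytes) -> bytearray:
    """Return a copy of rom with new_code written at address (a custom ROM)."""
    out = bytearray(rom)
    out[address:address + len(new_code)] = new_code
    return out


# A custom ROM that rewrites only the NMI entry at 66H and leaves the
# initialisation code at 0000H untouched. The three bytes are a made-up
# stand-in for a JP into the hacker's own routine.
CUSTOM_ROM = patch(GENUINE_ROM, 0x0066, bytes([0xC3, 0x6E, 0x38]))


def full_check_passes(rom: bytes) -> bool:
    """Whole-ROM checksum: slow (16384 bytes) but catches any single change."""
    return checksum_mod256(rom) == checksum_mod256(GENUINE_ROM)


def init_code_check_passes(rom: bytes) -> bool:
    """Spot check of the reset/initialisation code at 0000H only."""
    return spot_check(rom, GENUINE_ROM, [0x0000, 0x0001, 0x0002])


def nmi_check_passes(rom: bytes) -> bool:
    """Spot check of the NMI handler at 66H."""
    return spot_check(rom, GENUINE_ROM, [0x0066, 0x0067, 0x0068])


if __name__ == "__main__":
    for name, rom in (("genuine", GENUINE_ROM), ("custom", CUSTOM_ROM)):
        print(f"{name}: checksum={checksum_mod256(rom):02X} "
              f"full={full_check_passes(rom)} "
              f"init={init_code_check_passes(rom)} nmi={nmi_check_passes(rom)}")
```

The point the run makes is that a spot check only protects the addresses it actually looks at: the rewritten NMI handler sails past a check of 0000H alone, while the full checksum, or a spot check that includes 66H, catches it.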
Checking for hackers' rewrites is made easier by the fact that there is not a lot of code in the ROM that can be displaced by one's own routines without causing trouble with programs that use the ROM for printing, etc. If you have a large custom ROM, or rather EPROM, or even RAM, then you can use the area from 386EH to 3CFFH for your own code, as the Spectrum doesn't use it. However, if you have only a small custom ROM (mine is just a 1K 2708 EPROM programmer board designed originally for use with an Ohio superboard and now heavily messed about), then you can make use of the memory in the 'token table' from 95H to 1FDH. Your BASIC keywords will not be recognisable if you rewrite this section, but everything else will work. Unless the Protection Artist checks up on this area, that is.
CUSTOM BOARDS
Ideally, a custom ROM or RAM board will be set up so you can easily switch it in or out of the memory map. Indeed, with RAM this is a necessity, or you would never be able to start the Spectrum up in the mornings. With 1K of RAM located in the lowest 1K of the address space, the sequence goes something like this: turn on the Spectrum with the RAM paged out, SAVE the Speccy ROM to tape (SAVE "rom" CODE 0,1025), type in LOAD "" CODE, then play the tape and, as soon as the header has LOADed, switch in the RAM. This has to be after the header, or the printing of the header name, which uses a jump at address 10H, will cause a crash. You then have a copy of the ROM on board in rewriteable RAM. This will only work with a 1K custom RAM, as the tape routines start at about the beginning of the second K, and they would disappear when the RAM was switched in. Larger custom boards will require a small M/C routine.
One thing to watch out for when using RAM in the ROM area is that the Spectrum BASIC actually corrupts the first few bytes of the RAM at addresses 0 to 5. This seems to happen every time you drop out of a program with STOP or an error message or even when you enter a command for immediate execution. Ordinarily, this won't matter, because this part of the ROM is only used at power-up, but since the Protection Artist is likely to check here, it makes using a ROM-in-RAM type of custom ROM rather more difficult. Why the Speccy ROM tries to write over itself is a mystery to me. If and when I find the bit that's doing it, I expect to be appalled at the sloppiness, but as I haven't found it, I had better control the ribald disparagement for now.
Some programs load not just the whole of the RAM, but also load over the ROM, so if you don't page out your ROM-in-RAM customisation while LOADing, it will be converted back to the standard ROM contents!
If the custom ROM (or rewritten RAM) can be switched in at exactly the same time that the NMI is activated, then no amount of checking up by the Protection Artist will keep you out. With computer speeds, 'exactly' means that you will have to use a bit of silicon to do the switching, rather than just a double pole mechanical switch, but if you have already built yourself a piece of moveable memory map then the extra few gates won't give you any problem.
EASY ENTRY
Not everyone, I realise, has the skill, time, or even the cash for building the kind of hacking hardware we're talking about here. Don't be downhearted, though, as it still is - and always will be - possible to hack into the headers of Speccy progs, whatever the Protection Artist hurls at you. Hardware just makes it easier, or at least it used to before the PAs started in on that too.
However, it is occasionally possible to catch the PA out in an uncharacteristic lapse. It is when he is feeling most secure that he is likely, while assembling his armour, to absentmindedly drop the codpiece behind the sofa. The fastloader has brought out the laziness in some of the breed, and they forget all they have learned at their computer's knee.
There is a very simple trick which I have kept under my hat until now because once everyone knows about it, steps will be taken against it in all future programs. Luckily for you, I can contain myself no longer. This is one that anyone can use, sans hardware, sans money, sans mental effort.
First the lazy Protection Artist thoroughly disables the BREAK key, and finds that this also takes care of any 'STOP in INPUT' type of BREAK. He may then decide to use a Basic routine for INPUT instead of writing his own when he wants you to input a name, especially if SAVing or LOADing a partly completed adventure, say, on tape. Certainly the usual Basic BREAKs like Capshift 6 or entering 'STOP' will be useless. He will have checked for those before he got lazy.
The trick is to erase the quotation marks with the cursor keys and DELETE, and then type CHR$ USR 4867 and ENTER (using the keywords). This is accepted by the Basic as a string which it must find by converting a CODE into a character, and the CODE is to be found by calling the machine code routine at 4867 decimal. Naturally, calling this machine code address results in a BREAK, because 4867 decimal is our old buddy 1303 hex! If the crash-on-BREAK traps were set, then this would cause a crash, but the DF SZ trap cannot be used, because the INPUT command uses the lower screen, and the ERR SP trap is simply by-passed by the USR call directly to the end-of-program routine at 1303H. I know of at least two recent top selling programs that this wheeze does work on, neither of which is an adventure, as it happens.
Any program that gives you a flashing cursor flanked by quotation marks will fall for this, so get digging in that pile of old tapes, 'cause you will not find it on any new ones from now on. That's the problem with blabbermouths like me.