How to Crack: MAC [by The Vassal]

Hopefully this will be an informative work, one in which I will attempt to instruct you all how to successfully remove some of the more basic Mac protection schemes easily, the right way. Before we start anything, however, there are a few things that you will need. They are:

  * Mac Plus or better w/1 meg of RAM suggested
  * MacsBug (Debugger from APDA)
  * Programmers Key (Can invoke MacsBug from the keyboard)
  * DisAsm 3.1 (Shareware disassembler)
  * FEdit 3.21 (Shareware sector editor)

...and

  * A working knowledge of 68000 Assembler

Ok, whether or not you believe in shareware, it is a good system and the programs mentioned above are all capable of being commercial packages, so please pay the tiny shareware fee so the authors will continue to make them better. Thanks.

Chapter 1 - It's a Scheme Game

The first thing you should do before you crack any ware is to identify completely what scheme they are using to protect their ware. On the Mac, schemes are usually basic and easy to get around. Some of the more common ones include:

  * Password Protection
  * Serial Number Protection
  * Key Disk Protection
  * Date Expiration Protection (for betas usually)
  * Hardware Key Protection

We'll look at these schemes one at a time and I will provide examples for each later. Right now, I want to explain how to determine what protection is what. First off, before you do anything make a backup of the application you are going to tamper with.
This way if you screw up you will have something to go back to later.

Ok, now when you launch the application a couple of different protection schemes will surface immediately. If a dialog comes up immediately and asks you to type something in, it is almost always a Password Protection scheme or a Serial Number scheme. Key Disk Protection schemes will ask you to insert a floppy so the program can read important data from it, and then continue as normal. The Date Expiration Protection scheme is never really noticed until it expires; then every time you run the program it will tell you it has expired and quit.

Probably the most overrated protection scheme going is that of hardware 'key' or 'dongle' protection. Usually the software package ships with a hardware device that you connect to the ADB port, serial port, or SCSI port. The different methods of checking the hardware will be described in detail later on in this document. No need to swamp you with technical stuff just yet.

Chapter 2 - The Tools of Cracking

As I mentioned earlier you will need certain programs to help you along in the deprotection process.

MacsBug: Is a full-featured debugger that allows you to set traps in programs and then trace through instruction by instruction. This is an immeasurably useful program. It has loads of commands, but I only use these commands for cracking:

  ATB [trap]   ; sets an A-trap break, which drops you into MacsBug if the program
               ; tries to execute that trap. Mac traps are the A-line opcodes
               ; A000-AFFF and do many different things, like _Eject and _ExitToShell.
  ATC          ; clears all of the traps that you set with ATB
  ES           ; quit the current application and exit to shell
  EA           ; quit the current application, then launch it again
  G            ; go. Continue the application as normal. Turn off MacsBug.
  GT [addr]    ; go till: run until execution reaches the selected address, then stop
  IL [addr] n  ; list "n" lines of disassembly starting from the selected address
  T            ; trace: execute one instruction and stop again
  ?            ; displays the online help, very useful

These are the commands I use most of the time. There are other commands which are more complicated and do some special things, but there is no need to explain them here. I will do that in a future issue.

FEdit 3.21: This is a very good sector/file editor with good search functions for finding certain code and changing it. This is very much like any other editor so there is no need to explain its functions.

DisAsm 3.1: This is a disassembler, the only one I have seen on the Mac so far, and it works pretty well. All functions are operated from the menus, but the main ones I use are the search functions, like finding certain traps or certain addresses. I don't really use this much, but if needed it is good to have a disassembler around. Sometimes MacsBug won't quite work if a program steals memory away from it, and DisAsm must be used as a last resort.

Programmer's Key: This is a nifty little INIT that lets you invoke MacsBug from the keyboard. Basically you hit the Command-Reset keys and it dumps you into MacsBug; you can also hit Control-Command-Reset to restart your computer, which is kind of neat. I recommend using this instead of the hardware interrupt switch on the machine itself, mostly because it's a pain to keep reaching in back of your machine to do it.

Chapter 3 - Assembly is the key to the crack

It is extremely important to have a background in assembly language if you want to get far cracking. To tell you the truth, I used to be into programming the Apple II and IIgs in assembly language. When I moved over to the Mac, I found out everything was C and Pascal, which disturbed me. C and Pascal allow you to program without having a clue what is really going on. I don't like the idea of it at all. Most people think cracking is something for people who know how to program, but the truth is, I haven't written a damn thing for the Mac as far as applications go, because I don't know how.
I could probably write something in assembly, but I just don't have a nice assembler like Merlin on the Mac.

Some day, I recommend you buy a good 68000 reference manual so you can learn the processor. That's what I did, but Apple II assembly knowledge helped me out a lot. Assembly language on the Mac is a bit more complicated than that of the Apple II; on the Mac memory is moved (MOVE), not loaded or stored.

On the Apple II and IIgs there are three registers you would normally use to store data in: the A or Accumulator, the X register, and the Y register. The Mac has 16 registers that can be used in this manner. D0-D7 are 8 data registers, each capable of holding 32 bits of data. You can access or change the low 8 bits (a byte), the low 16 bits (a word) or all 32 bits (a long); changing the low byte or word has no effect on the remaining, unchanged portion. There are also 8 address registers, A0-A7. A7 is the stack pointer on every 68000-family processor and is also known as SP. The address registers are basically the same as the data registers, but they can only be accessed as words or longs, never as bytes, and writing a word to an address register replicates bit 15 into bits 16-31. This is called sign extension, which converts a two's complement 16-bit quantity into the equivalent 32-bit quantity.

Another register on the Mac worth noting is the program counter (PC). This holds the address of the next instruction to be executed, and is very useful in tracing code.

There are many more opcodes in the 68000 instruction set than there are in the 6502 or 65c816, too many to list here. In the crack examples I will explain everything very thoroughly so you can get an idea of what is going on, and understand it.

MacsBug and DisAsm both list assembler in the same manner.
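Before looking at how the listings are laid out, here is a small Python model of the register rules just described and of the $6xxx short-branch encoding that the branch table and the crack examples later in this guide rely on (changing a BLE into a BRA, working out where a branch really lands). This is an added example, not code from the original article or from MacsBug or DisAsm; the encoding rules come from the 68000 programmer's reference, and every register value and address used in the demo is made up.

```python
"""68000 register and short-branch arithmetic, as seen in MacsBug listings.

Added example for this guide, not code from the original article or from
MacsBug/DisAsm.  Rules modelled (from the 68000 programmer's reference):
  * MOVE.B/W into Dn changes only the low byte/word of the data register.
  * MOVEA.W into An sign-extends the word to all 32 bits (bit 15 copied
    into bits 16-31); address registers take no byte-sized writes.
  * Bcc with opcode $6cxx is a 2-byte branch: c is the condition, xx a
    signed 8-bit displacement relative to the address of the *next*
    instruction (PC+2).  xx = $00 means a 16-bit displacement word follows
    (and $FF a 32-bit one on 68020+); those longer forms are not decoded.
All register values and addresses used in the demo are made up.
"""

MASK32 = 0xFFFFFFFF
NOP = 0x4E71

# Condition nibble of the $6cxx family, in encoding order 0..15.
BCC = ["BRA", "BSR", "BHI", "BLS", "BCC", "BCS", "BNE", "BEQ",
       "BVC", "BVS", "BPL", "BMI", "BGE", "BLT", "BGT", "BLE"]


def sign_extend(value, bits):
    """Interpret the low `bits` of `value` as two's complement; return a Python int."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def write_data_reg(old, value, size):
    """MOVE.B (size 1), .W (2) or .L (4) into Dn: only the low bytes change."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4 bytes")
    mask = (1 << (size * 8)) - 1
    return (old & ~mask & MASK32) | (value & mask)


def write_addr_reg(old, value, size):
    """MOVEA.W (size 2) or .L (4) into An: a word is sign-extended to 32 bits."""
    if size == 2:
        return sign_extend(value & 0xFFFF, 16) & MASK32
    if size == 4:
        return value & MASK32
    raise ValueError("address registers take word or long writes only")


def decode_short_branch(addr, word):
    """Return (mnemonic, target) for a 2-byte $6cxx branch located at `addr`, else None."""
    if (word >> 12) != 0x6:
        return None
    disp8 = word & 0xFF
    if disp8 in (0x00, 0xFF):          # longer displacement form; not handled here
        return None
    target = (addr + 2 + sign_extend(disp8, 8)) & MASK32
    return BCC[(word >> 8) & 0xF], target


def encode_short_branch(mnemonic, addr, target):
    """Build the $6cxx word for `mnemonic` at `addr` jumping to `target`."""
    disp = target - (addr + 2)
    if not -128 <= disp <= 127 or disp in (0, -1):
        raise ValueError("target needs a 16/32-bit displacement, not an 8-bit one")
    return 0x6000 | (BCC.index(mnemonic) << 8) | (disp & 0xFF)


def change_condition(word, mnemonic):
    """Keep the displacement, swap the condition: e.g. BLE notexpired -> BRA notexpired."""
    if (word >> 12) != 0x6:
        raise ValueError("not a Bcc/BRA/BSR opcode")
    return (word & 0x00FF) | 0x6000 | (BCC.index(mnemonic) << 8)


if __name__ == "__main__":
    # Made-up register contents, just to show the partial-write rules.
    print(hex(write_data_reg(0x12345678, 0xAB, 1)))      # 0x123456ab
    print(hex(write_addr_reg(0x12345678, 0x8000, 2)))    # 0xffff8000
    # A made-up 'BLE notexpired' at $1000 branching back 8 bytes, then forced to BRA.
    ble = encode_short_branch("BLE", 0x1000, 0x0FFA)
    print(hex(ble), decode_short_branch(0x1000, ble))                       # 0x6ff8 ('BLE', 4090)
    bra = change_condition(ble, "BRA")
    print(hex(bra), decode_short_branch(0x1000, bra))                       # 0x60f8 ('BRA', 4090)
```

The point of `decode_short_branch` is the one MacsBug hides from you: the displacement byte counts from the address after the branch, so a `$6FF8` at $1000 lands at $0FFA, not $0FF8. `change_condition` is the BLE-to-BRA edit from the date-expiration chapter; it leaves the displacement alone, so the forced branch goes to exactly the same place the conditional one did.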
Both tools list the address on the left-hand side, the opcode with its effective addresses or values in the middle, and the hex bytes on the right-hand side. This is how I will list my code, but I will add in descriptions of what it is the code is actually doing. Here is an example of what I mean:

  611F04: MOVE.L D0,D1    ;2200   : this moves the contents of D0 into D1

That's just an example, but it is very common to see code like that. The thing that is cool about MacsBug is that it lists all of the address and data registers on the left part of the screen from top to bottom, along with other system registers.

Another important aspect of 68000 and higher processors is that they use branches the same way the Apple II did, only there are many more different branch instructions and they are much more powerful. Here are examples of branch opcodes for the 68000 series processors (used in Macs):

  Hex    Instr. Ex.   Meaning
  [$60]  $60xx        BRA (BRanch Always). This instruction always branches. $xx is a
                      signed 8-bit displacement added to the address of the instruction
                      plus 2 (that is, to the address of the next instruction), so a
                      positive $xx branches forward and a negative one ($80-$FE) branches
                      back. $00 means a 16-bit displacement word follows instead.
  [$66]  $66xx        BNE (Branch if Not Equal). Branches the same way as BRA, but only
                      if the last compare left the zero flag clear; otherwise execution
                      falls through to the next instruction.

There are 16 in all (the low nibble of the first byte selects the condition: $60 BRA, $61 BSR, $66 BNE, $67 BEQ, $6E BGT, $6F BLE, and so on), but I would rather not make this publication into an assembler reference book. I will put out one of those in the future maybe. I do suggest getting a 68000 quick reference though. On we go.

Chapter 4 - Key Code Protection Example: Quick Format 7.0

The first type of protection scheme I would like to explain is the Key Code scheme. This is used in Quick Format 7.0, which is a shareware program that is very good at formatting floppies and designing your own labeling scheme for those floppies.
It is definitely worth the shareware fee, so I suggest if you like the program you buy it; you can probably find it on many online services and from user groups.

The author decided to put in a registration algorithm which requires its users to type in a key code to access the advanced features of the program. When you first launch the Quick Format 7.0 application, a dialog box comes up and asks you to enter the key code. If no key code is entered or you hit the return key, the program continues to run, but with the advanced options turned off.

The author is doing a couple of different little things. First, he checks somewhere within his resources to see if the current application being used is registered. Usually there is a register byte in a resource somewhere in the app. He then does a compare to see if it really is registered. If it is, it continues like normal; if it isn't registered, it jumps to another routine which turns off the advanced options and then runs the app as normal.

There are a few options we have when deprotecting this app. We can use MacsBug to trace through for the routine, then disassemble it to see where it does the compare; or we can use ResEdit to find a resource that looks suspicious and delete it. The latter might be a little tedious, and it is always much more interesting tracing through code.

Now we will deprotect Quick Format 7.0. For best results, and for speed and memory purposes, quit all other applications you are currently running. When you are back at the Finder, hit Command-Reset or reach in back of your machine and press the hardware interrupt switch; this will activate MacsBug. Your screen should have cleared and you should be looking at a white screen with numbers on the left-hand quadrant of the screen running from TOP to BOTTOM. Those numbers are the various registers and memory addresses.

Running along the bottom of the screen from LEFT to RIGHT are two separate boxes.
The big box with the numbers in it is a disassembly of the location in memory you just broke into with MacsBug. The smaller box under it is the MacsBug command line. On the far left you should notice a blinking cursor. From the command line you can execute different commands to help you trace through programs, especially useful in deprotecting software. At the command line type '?' (help). This will print up a list of different topics. If you keep hitting return it will give you information about each topic in the order they are shown on the screen. So play around and hit return a few times to get an idea of what commands you can use.

Now that you are done playing, let's get started. I almost always set a TRAP for _InitGraf. You can do this by typing

  ATB INITGRAF

A message should appear above the disassembly box saying 'A-Trap Break at A86E (_InitGraf)'. What this means is that the program will be stopped and MacsBug will take over every time the program tries to execute an _InitGraf. This works the same way for all of the other traps that the Mac toolbox has as well.

Ok, now type 'G' on the MacsBug command line. This should bring you right back to the Finder where you started, and you will regain control of your Mac. Locate Quick Format 7.0 and launch it. Almost immediately your screen should change back into the MacsBug screen. There should be a message saying 'A-Trap break at XXXXXXX : A86E (_InitGraf)'. This means that when you launched the program, MacsBug halted it because the program tried to pass an _InitGraf trap (every application calls _InitGraf early in its initialization, which is why it makes such a reliable first breakpoint). Now that the program is halted, you can TRACE through the program to find the copy protection. You may not successfully pinpoint the protection to any one specific area until you have traced through a number of times.

Use the 'T' command to trace through. The object is to continue hitting 'T' and return until the protection scheme comes up. Eventually it will.
When you do get it up, look at the last few lines of code that were passed and you should see something like this:

  Addr    Instruction      Hex Bytes
  583834  JSR SETUPMEN     4EBA FE14
  583838  JSR INITIALI     4EAD 02E2
  58383C  JSR INITGLOB     4EBA FEBE
  583840  JSR VIRALCHE     4EBA FF22
  583844  JSR CHECKMOR     4EBA F82A

Now, it's pretty obvious just from looking at the labels they used that you can determine what is going on. In most cases people would not use LABELS like the ones above, but since it is shareware and not a $500 commercial package I can see why the author opted for the easier route for programming ease. The first JSR would probably be him initializing his menus and stuff. The second JSR would be to initialize the screen and the fonts or whatever, the third JSR would be initializing the global variables he would need, and the fourth would be to check for any virus, per se. The fifth, however, is the routine he uses to check if the program has been registered, and it brings up the dialog asking you to enter a key code. If it hasn't been registered with the correct key code the program turns off some options. But that is not necessary, as by omitting this JSR CHECKMOR you will remove the check and the program will run with all options available.

Write down the bytes of those last five instructions (20 bytes in all) on a piece of paper, noting that 4EBA F82A is what you will have to change. Since you want to omit this instruction you are best off replacing it with two NOP (No OPeration) instructions; the hex value for a NOP is 4E71, and two of them fill the JSR's 4 bytes exactly, so nothing after it moves. Now run FEdit, open up the Quick Format 7.0 program and do a HEX SEARCH for the bytes you wrote down on the paper. Then change the proper values and you will be all set. Here is what you should be looking for and the change you should be making:

  Byte Changes (You should find the SEARCH string only ONE TIME!)

  Search : 4EBA FE14 4EAD 02E2 4EBA FEBE 4EBA FF22 4EBA F82A
  Change : 4EBA FE14 4EAD 02E2 4EBA FEBE 4EBA FF22 4E71 4E71

The protection shown above is obviously an easy scheme to get around, and to tell you the truth there really aren't that many hard schemes on the Mac, like there are or were on the Apple II. It is important to check the routine you are disabling. Sometimes variables (or globals) are passed between different parts of protection schemes; if you skip the entire protection scheme there is a pretty good chance you will miss a variable (or global) getting set, and your program will crash on you in the future.

The best way to check is to use the program after you have initially deprotected it; if it works ok, then chances are no globals were needed from the routine you removed. In the example above, all of the globals were set up in the prior two JSRs, which made things very easy.

Chapter 5 - Serial Number Schemes

Serial Number Protection schemes are the same as Password Protection schemes in most cases. Both are checked against memory using a compare instruction, but they do have differences. For example, certain serial number schemes are actually mathematical answers: the application performs some complex arithmetic using such information as your name or company name, and if the equation's solution matches the serial number you typed in, the program continues on like normal.

Some serial number schemes are easy and do not use any arithmetic at all; some check to see if you entered a prime number, etc. There are many ways. Probably the most common is this: the company making the software adds a resource to the application housing the serial number. When the package first loads, it asks you for your serial number and then does a compare of the value entered against the value stored in the serial number resource.

Chapter 6 - Key Disk Protection Schemes

There are a couple of different ways commercial software authors implement Key Disk Protection.
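Before going on to key disks, here is the Chapter 4 byte patch carried out as a script instead of by hand in FEdit. This is an added example, not part of the original article and not FEdit's or Quick Format's code. The search string and the replacement are the ones written down from the MacsBug listing above; the file image it patches in the demo is a constructed stand-in, not the real Quick Format 7.0 binary (on a real Mac the code lives in the CODE resources of the file's resource fork, so the bytes you hand this script have to come from there). It refuses to write unless the search string occurs exactly once, keeps a .bak copy, and never changes the length of the file, which is the discipline the text asks for.

```python
"""Byte patch for the Chapter 4 example, done in a script instead of FEdit.

Added example for this guide; not code from the original article, FEdit or
Quick Format.  SEARCH is the 20-byte run of five JSRs copied from the
MacsBug listing; REPLACE is the same run with the last JSR (4EBA F82A,
JSR CHECKMOR) turned into two NOPs (4E71 4E71).  The search string must be
found exactly once, the file length never changes, and a .bak copy is
written before the patch.  SAMPLE_IMAGE is a constructed stand-in for the
real application bytes, not the actual Quick Format 7.0 binary.
"""
import os
import tempfile

SEARCH = bytes.fromhex("4EBA FE14 4EAD 02E2 4EBA FEBE 4EBA FF22 4EBA F82A")
REPLACE = bytes.fromhex("4EBA FE14 4EAD 02E2 4EBA FEBE 4EBA FF22 4E71 4E71")
assert len(SEARCH) == len(REPLACE), "a patch must never move the code that follows it"

# Constructed: LINK A6,#0 ; MOVEM.L <regs>,-(SP) ; the five JSRs ; UNLK A6 ; RTS.
SAMPLE_IMAGE = (bytes.fromhex("4E56 0000 48E7 1F38")
                + SEARCH
                + bytes.fromhex("4E5E 4E75"))


def find_all(image, pattern):
    """Every offset at which `pattern` occurs in `image` (overlaps included)."""
    hits, start = [], 0
    while True:
        i = image.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def patch_image(image, search=SEARCH, replace=REPLACE):
    """Return (patched_bytes, offset).  Raises if `search` is absent or ambiguous."""
    hits = find_all(image, search)
    if len(hits) != 1:
        raise ValueError("search string found %d times; expected exactly one" % len(hits))
    off = hits[0]
    return image[:off] + replace + image[off + len(search):], off


def patch_file(path, search=SEARCH, replace=REPLACE):
    """Patch `path` in place, keeping the original as `path`.bak.  Returns the offset."""
    with open(path, "rb") as f:
        image = f.read()
    patched, off = patch_image(image, search, replace)   # fail before touching disk
    with open(path + ".bak", "wb") as f:
        f.write(image)
    with open(path, "wb") as f:
        f.write(patched)
    return off


def run_demo():
    """Write the constructed image to a temp dir, patch it, and report what happened."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "Quick Format 7.0")
    with open(path, "wb") as f:
        f.write(SAMPLE_IMAGE)
    off = patch_file(path)
    with open(path, "rb") as f:
        after = f.read()
    with open(path + ".bak", "rb") as f:
        backup = f.read()
    # JSR CHECKMOR sat 16 bytes into the search string; it must now read as two NOPs.
    nopped = after[off + 16:off + 20] == bytes.fromhex("4E71 4E71")
    return off, nopped, backup == SAMPLE_IMAGE, len(after) == len(SAMPLE_IMAGE)


if __name__ == "__main__":
    print(run_demo())   # (8, True, True, True)
```

The whole 20-byte run is searched rather than just `4EBA F82A` because a 4-byte PC-relative JSR is far from unique in a real binary; the five-instruction context is what makes the "found only ONE TIME" check meaningful, and the script treats any other count as a reason to stop.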
Key disk protection essentially is software that requires the original floppy diskettes to run correctly. These types of programs come with an installer for copying them onto a hard drive. Some packages offer three installs to a hard drive; if you need more copies, you have to use the original disk each time you run that program.

Essentially what is happening here is this. On the floppy disk there are files with their INVISIBLE bit set, meaning they will not be seen or accounted for in the volume info. Therefore, if you try to copy the program onto a hard drive the invisible files will not be copied and the copy will not work properly. If you just turn the INVISIBLE bit off using ResEdit and then copy the files, the program will work. But this is only for programs that do not always need the key disk. Other programs require the key disk every time you run the application. In those cases, the key disk has a purposely bad block. When you run the application, it will read from the floppy and test the block's status. If it is bad it will continue on, knowing it is the original disk; if the block is ok it means that the program has been copied onto another disk which is not the original or key disk. The best way to operate around this scheme is to trace through the program to where it actually reads from the floppy, then change the BRANCH condition after the COMPARE. This will fool the program into always thinking that the block that was read is bad.

Chapter 7 - Date Expiration Schemes

These schemes occur out of the blue without notice most of the time. Most apps that use this scheme are beta apps that are expected to be updated before too long, or demos of games and such. There are two usual ways to read the current date or time on a Macintosh: one is to use the _GetDateTime trap, the other is to read the Macintosh global variable at memory address $020C, where the current number of seconds elapsed since midnight, January 1st, 1904 is stored.
Basically both routines are extremely similar and would probably look something like this:

  _GetDateTime (Protection Method)

    _GetDateTime                ; get current # of secs since 12am 01/01/1904
    CMPI.L  #expiredate,D1      ; compare the date with the expiration date
    BLE     notexpired          ; if less than or equal, it hasn't expired
    JSR     EXPIRED             ; otherwise show the dialog and bomb out!

  Address $020C (Protection Method)

    CMPI.L  #expiredate,$020C   ; compare the current date with the expire date
    BGT     EXPIRED             ; if current date > expire date, show dialog & BOMB!
    ---------                   ; otherwise it hasn't expired and everything is ok!

That should have given you some idea what the protection schemes look like; they vary, of course, but that is what they will normally be like. The simple way to disarm these routines is to change the branch condition. For instance, in the first protection scheme shown above it would be extremely easy to change the BLE to a BRA (the $6F in the opcode becomes $60, the displacement stays the same), which will always branch to the notexpired portion of the program.

The second routine has an equally easy way to eliminate the protection scheme: change the 'BGT EXPIRED' into NOPs. Check the instruction's length first: a short BGT is 2 bytes and takes a single 4E71, while the 4-byte form with a 16-bit displacement takes two (4E71 4E71); overwriting more bytes than the branch occupies would clobber the instruction after it. This will totally eliminate the check and fool the program into thinking everything is ok.

Chapter 8 - Hardware Key Protection

Not many people know too much about this protection scheme. But one obvious observation is that companies are making their own devices, and confused companies with low market share are buying into their hardware protection scheme, which really is not that good, to tell you the truth.

Basically what the Eve hardware key does is hook up to your ADB port; it has a chip in it which can be read from. All of the packages I have seen that use the Eve protection key come with an Eve INIT. Basically this INIT reads one or more values from the Eve key and stores them somewhere in memory.
The program will then do a compare against that memory to see if the values match. If they do, the program continues; however, if a null value is found the program will warn you that the Eve key is not present and then quit. If the value is incorrect it will tell you that you either have the Eve hooked up incorrectly or that you are using an Eve from a different software package.

The easiest way around the Eve hardware key would be to change the branch conditions of the checks it does 1) to locate the Eve and 2) to compare the values. Once you have changed these branch conditions the program will work as it would have if the Eve protection had not been implemented.

From what I have heard, some software stores locations or other data important to the program in the Eve that may be needed at run time. For example, if a program is encrypted and the decryption routine is stored on the Eve key, it would be almost impossible to deprotect the program without a valid Eve key to work with.

So, I would just use MacsBug the way we have been and just trace through for the checks. Eve will let you know when something is wrong through the use of dialogs, so tracing is pretty easy. Find those branches and change the conditions.

Chapter 9 - The Ultimate Protection Scheme

This is a hotly debated topic. Most people would say that no protection scheme can go uncracked, but I beg to differ. I am sure I can stir something up that will boggle a few minds for at least 6 months of everyday tracing, which will probably force that cracker to stop working on it.

In this day and age all software should be unprotected and should be available through the shareware system. Corporate America is crippling our economy and the only ones benefiting from it are the few 'elite' businessmen or businesswomen.

The shareware system ensures that the people/programmers who put their time and effort into their projects receive all of the money they bring in.
That's what Corporate America should be like. Spread the wealth amongst everyone. And work for the money you make; don't cheat anyone out of it.

'This article is written in memory of the old Apple pirates who have paved the way for a new breed of "elite pirate" life form. Had it not been for their patience and instruction, our generation of pirates would have died off long ago. Now I pass on to you my knowledge and ideas in the hope that you will all use it, share it, work together with it and be "elite" toward one another.'

                                                          The Vassal

Many thanks to: Hipcheck, Agent Orange, The Terrorist and HackMan

Also thanks to: Far Side, Jim Heebner, Zelig, ShadowMan, The Embalmer, Mr_T,
                The Wahoo, Grimm, Enigmatic Simplicity, Gandalf Greyhame,
                and (High Voltage for reminding me what the Apple II days were
                really like)...