Chapter 4   Cracking Self Booters
-------------------------------------------------------------
Now we'll take a look at cracking self booters. A few companies have found this to be the best copy protection scheme for them, one of which is DataEast, makers of Ikari Warriors, Victory Road, Lock-On, Karnov, etc... This poses a special problem to the amateur cracker, since self booters seldom use standard DOS formats. So let's jump right in!
-------------------------------------------------------------

This is the area where a higher than normal knowledge of assembly language and DOS diskette structures is required, so first of all, the basics.

The Disk's Physical Structure

Data is recorded on a disk in a series of concentric circles, called tracks. Each track is further divided into segments, called sectors. The standard double-density drives can record 40 tracks of data, while the new quad-density drives can record 80 tracks. However, the location, size, and number of the sectors within a track are under software control. This is why the PC's diskettes are known as soft-sectored. The characteristics of a diskette's sectors (their size, and the number per track) are set when each track is formatted.

Disk formatting can be done either by the operating system or by the ROM-BIOS format service. A lot of self booters and almost all forms of copy protection create unusual formats via the ROM-BIOS diskette services; a track formatted that way is invisible to DOS's normal file-level functions, which is why the rest of this chapter works at the sector level. The 5 1/4-inch diskettes supported by the standard PC BIOS may have sectors that are 128, 256, 512, or 1,024 bytes in size. DOS, from version 1.00 through 4.01, has consistently used sectors of 512 bytes, and it is quite possible that this will continue.
Here is a table displaying 6 of the most common disk formats (Sectors is sectors per track; Size is sides x sectors x tracks x 512 bytes):

_____________________________________________________________
Type      Sides     Sectors     Tracks     Size (bytes)
_____________________________________________________________
S-8         1          8          40          160K
D-8         2          8          40          320K
S-9         1          9          40          180K
D-9         2          9          40          360K
QD-9        2          9          80          720K
QD-15       2         15          80        1,200K
_____________________________________________________________
S  - Single-sided
D  - Double-sided
QD - Quad density (80 tracks)

Of all these basic formats, only two are in widespread use: S-8 and D-9. The newer quad density formats are for the 3 1/2" (QD-9, 720K) and 5 1/4" high density (QD-15, 1,200K) diskettes.

The Disk's Logical Structure

So, as we have already mentioned, the standard double-density 5 1/4-inch diskette formats have 40 tracks, numbered from 0 (the outside track) through 39 (the inside track, closest to the center). On a double-sided diskette, the two sides are numbered 0 and 1 (the two recording heads of a double-sided disk drive are also numbered 0 and 1).

The BIOS locates the sectors on a disk by a three-dimensional coordinate composed of a track number (also referred to as the cylinder number), a side number (also called the head number), and a sector number. DOS, on the other hand, locates information by a single sector number, and numbers the sectors sequentially from the outside track to the inside. We can refer to a particular sector either by its three-dimensional coordinates or by its sequential number. All ROM-BIOS operations use the three-dimensional coordinates to locate a sector. All DOS operations and tools such as DEBUG use the DOS sequential notation.
The BASIC formula that converts the three-dimensional coordinates used by the ROM-BIOS to the sequential sector numbers used by DOS is as follows (BASIC notation: \ is integer division and MOD the remainder):

DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1)
                  + BIOS.SIDE * SECTORS.PER.SIDE
                  + BIOS.TRACK * SECTORS.PER.SIDE * SIDES.PER.DISK

And here are the formulas for converting sequential sector numbers to three-dimensional coordinates:

BIOS.SECTOR = 1 + DOS.SECTOR.NUMBER MOD SECTORS.PER.SIDE
BIOS.SIDE   = (DOS.SECTOR.NUMBER \ SECTORS.PER.SIDE) MOD SIDES.PER.DISK
BIOS.TRACK  = DOS.SECTOR.NUMBER \ (SECTORS.PER.SIDE * SIDES.PER.DISK)

(Note: For double-sided nine-sector diskettes, the PC's most common disk format, the value of SECTORS.PER.SIDE is 9 and the value of SIDES.PER.DISK is 2. Also note that sides and tracks are numbered differently from sectors in the ROM-BIOS numbering system: sides and tracks are numbered from 0, but sectors are numbered from 1. DOS sequential sector numbers start at 0, so the boot record is DOS sector 0 and the sector after it is DOS sector 1.)

Diskette Space Allocation

The formatting process divides the sectors on a disk into four sections, for four different uses. The sections, in the order they are stored, are the boot record, the file allocation table (FAT), the directory, and the data space. The size of each section varies between formats, but the structure and the order of the sections don't vary.

The Boot Record:

This section is always a single sector, located at sector 1 of track 0, side 0 (DOS sector 0). The boot record contains, among other things, a short program to start the process of loading the operating system, if the disk has one on it. All diskettes have a boot record on them even if they don't have the operating system. Aside from the start-up program, the exact contents of the boot record vary from format to format. A self booter puts its own start-up program here, which is how it boots without DOS.

The File Allocation Table:

The FAT follows the boot record, usually starting at sector 2 of track 0, side 0. The FAT contains the official record of the disk's format and maps out the location of the sectors used by the disk files. DOS uses the FAT to keep a record of the data-space usage.
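The two conversion formulas above, implemented and checked against each other. This is an added example, not code from the original text: the six geometries are the ones from the table in this chapter, while the Geometry class and the function names are mine. It also shows that the FAT's usual start (sector 2 of track 0, side 0) is DOS sector 1, and that the first sector of track 39 on an 8-sector single-sided disk is DOS sector 138h.

```python
"""CHS <-> DOS sequential sector conversion for PC diskette formats.

Added example (not from the original text): the two BASIC formulas above
implemented in Python, checked against each other for every format in the
table, and applied to a few sectors this chapter talks about.  Format
names follow the table (S-8, D-9, ...); the function names are mine.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

SECTOR_BYTES = 512  # DOS 1.00-4.01 sector size (the BIOS also allows 128, 256 and 1024)


@dataclass(frozen=True)
class Geometry:
    sides: int             # SIDES.PER.DISK (heads), numbered from 0
    sectors_per_side: int  # SECTORS.PER.SIDE (sectors per track), numbered from 1
    tracks: int            # cylinders, numbered from 0 (outside) inwards

    @property
    def total_sectors(self) -> int:
        return self.sides * self.sectors_per_side * self.tracks

    @property
    def size_bytes(self) -> int:
        return self.total_sectors * SECTOR_BYTES


# The six formats from the table in this chapter.
FORMATS: Dict[str, Geometry] = {
    "S-8": Geometry(1, 8, 40),
    "D-8": Geometry(2, 8, 40),
    "S-9": Geometry(1, 9, 40),
    "D-9": Geometry(2, 9, 40),
    "QD-9": Geometry(2, 9, 80),
    "QD-15": Geometry(2, 15, 80),
}


def chs_to_dos(track: int, side: int, sector: int, g: Geometry) -> int:
    """BIOS (track, side, sector) -> DOS sequential sector number.

    DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1) + BIOS.SIDE * SECTORS.PER.SIDE
                        + BIOS.TRACK * SECTORS.PER.SIDE * SIDES.PER.DISK
    """
    if not (0 <= track < g.tracks and 0 <= side < g.sides
            and 1 <= sector <= g.sectors_per_side):
        raise ValueError(f"({track},{side},{sector}) is outside the {g} geometry")
    return (sector - 1) + side * g.sectors_per_side + track * g.sectors_per_side * g.sides


def dos_to_chs(n: int, g: Geometry) -> Tuple[int, int, int]:
    """DOS sequential sector number -> BIOS (track, side, sector).

    BIOS.SECTOR = 1 + N MOD SECTORS.PER.SIDE
    BIOS.SIDE   = (N \\ SECTORS.PER.SIDE) MOD SIDES.PER.DISK
    BIOS.TRACK  = N \\ (SECTORS.PER.SIDE * SIDES.PER.DISK)
    """
    if not 0 <= n < g.total_sectors:
        raise ValueError(f"sector {n} is outside the {g} geometry")
    sector = 1 + n % g.sectors_per_side
    side = (n // g.sectors_per_side) % g.sides
    track = n // (g.sectors_per_side * g.sides)
    return track, side, sector


def round_trip_ok(g: Geometry) -> bool:
    """True if both conversions are exact inverses over the whole disk."""
    return all(chs_to_dos(*dos_to_chs(n, g), g) == n for n in range(g.total_sectors))


if __name__ == "__main__":
    for name, g in FORMATS.items():
        print(f"{name:6} {g.size_bytes // 1024:5}K  round trip ok: {round_trip_ok(g)}")
    # The FAT "usually starts at sector 2 of track 0, side 0": that is DOS sector 1.
    print("FAT starts at DOS sector", chs_to_dos(0, 0, 2, FORMATS["D-9"]))
    # On a D-9 disk the sector after side 0 of track 0 is side 1, same track.
    print("DOS sector 9 on a D-9 disk is (track, side, sector)", dos_to_chs(9, FORMATS["D-9"]))
    # First sector of track 39 on an 8-sector single-sided disk.
    print("DOS sector 138h on an S-8 disk is", dos_to_chs(0x138, FORMATS["S-8"]))
```

The range checks matter more than they look: a BIOS sector number of 0, or a head number equal to the number of sides, silently maps onto a neighbouring track with the bare formulas, which is exactly the kind of off-by-one that makes a sector-level copy come out subtly wrong.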
Each entry in the FAT contains a specific code to indicate what space is being used, what space is available, and what space is unusable (due to defects on the disk).

The File Directory:

The file directory is the next item on the disk. It is used as a table of contents, identifying each file on the disk with a directory entry that contains several pieces of information, including the file's name and size. One part of the entry is a number that points to the first group of sectors used by the file (this number is also the index of the file's first entry in the FAT).

The Data Space:

The data space occupies the bulk of the diskette (from the end of the directory through the last sector) and is used to store data, while the other three sections are used to support the data space. Sectors in the data space are allocated to files on an as-needed basis, in units known as clusters. On single-sided diskettes a cluster is one sector long; on double-sided diskettes it is a pair of adjacent sectors.

(From here on I'll continue to describe the basics of DOS disk structures and assembly language addressing techniques.)

-------------------------------------------------------------
Here is a simple routine to just make a backup copy of the Flight Simulator Version 1.0 by Microsoft. I know the latest version is 3.x, but this version will serve the purpose of demonstrating how to access the data and program files of a self booter.
-------------------------------------------------------------

By: PTL
Title: Microsoft Flight Simulator 1.00 Unprotect

This procedure will NOT convert the Flight Simulator disk to files that can be loaded on a hard drive. But... it will read off the data from the original and put it onto another floppy. And this should give you an idea of how to read data directly from a disk and write it back out to another disk.

First of all take an UNFORMATTED disk and place it in drive B:. This will be the target disk. Now place your DOS disk (which has Debug) into drive A:, or just load Debug off your hard disk.
A>DEBUG

Then we are going to enter (manually) a little program. Although it is called the "loader" below, what it actually does is format the target disk in B: (DL = 1) with the same layout the original uses: 8 sectors of 512 bytes per track, head 0, using the ROM-BIOS format-track service (INT 13h, AH = 05h). The bytes at CS:0100 are the sector address table that service works from, one track/head/sector/size-code entry per sector (size code 02 = 512 bytes); the program rewrites the track byte of each entry before it formats every track.

-E CS:0000 B9 01 00 BA 01 00 BB 00 01 0E 07 06 1F 88 E8 53 5F AA 83 C7 03 81 FF 1C 01 76 F6 B8 08 05 CD 13 73 01 90 FE C5 80 FD 0C 76 E1 90 CD 20
-E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 00 00 04 02 00 00 05 02 00 00 06 02 00 00 07 02 00 00 08 02

Next we'll [R]eset the IP register by typing

-R IP

and then typing four zeros after the prompt that shows the old value:

xxxx:0000

Next insert the original Flight Simulator disk into drive A: and we'll run our little loader. As entered, it formats tracks 00h through 0Ch. The two addresses after the start address are breakpoints: Debug should stop at CS:2A when the run is finished. If it stops at CS:22 instead, INT 13h returned an error from the format call, and AH holds the BIOS status code.

-G =CS:0000 CS:22 CS:2A

Now enter a new track range. CS:02 is the first track to format and CS:27 the last one; this pass does tracks 0Eh through 19h.

-E CS:02 0E
-E CS:27 19

And run the loader again.

-G =CS:0000 CS:22 CS:2A

New range, track 27h (39) only:

-E CS:02 27
-E CS:27 27

Run the loader:

-G =CS:0000 CS:22 CS:2A

Here we'll do some [L]oading directly from the disk ourselves. The numbers after the buffer address are the drive (0 = A:, 1 = B:), the first sector and the count, all in hex. The sectors are DOS sequential numbers as in the formula earlier in this chapter: with 8 sectors per track on one side, a track starts at 8 times its track number, so the three ranges formatted above are sectors 0-67h, 70h-CFh and 138h-13Fh. They are copied in pieces of up to 40h sectors (32K) through the buffer at DS:0000, and each -W writes back exactly the sectors the -L before it read.

-L DS:0000 0 0 40

And then in turn, write it back out to the B: (1) drive.

-W DS:0000 1 0 40

Etc...

-L DS:0000 0 40 28
-W DS:0000 1 40 28
-L DS:0000 0 70 30
-W DS:0000 1 70 30
-L DS:0000 0 A0 30
-W DS:0000 1 A0 30
-L DS:0000 0 138 8
-W DS:0000 1 138 8

When we are all through, [Q]uit from Debug and you should have a backup copy of the Flight Simulator.

-Q

And that's all there is to it.

END.

///////////////////////////////////////////////////////
//               The PIRATES' HOLLOW                 //
//                  415-236-2371                     //
//         over 12 Megs of Elite Text Files          //
//                   ROR-ALUCARD                     //
//              Sysop: Doctor Murdock                //
// C0-Sysops: That One, Sir Death, Sid Gnarly & Finn //
//                                                   //
//   "The Gates of Hell are open night and day;      //
//   Smooth is the Descent, and Easy is the way.."   //
///////////////////////////////////////////////////////
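The Flight Simulator procedure above, turned into a Debug-script generator so the same format-then-raw-copy method can be applied to another self booter once its used tracks are known. This is an added example and not part of the original text or of PTL's procedure. Taken from the listing above: the formatter bytes, the sector address table layout, the patch points CS:02 (first track) and CS:27 (last track), the breakpoints CS:22 (INT 13h error) and CS:2A (done), and the three track ranges. My own generalisation, from reading the same bytes: the extra patch points CS:04 (drive), CS:05 (head), CS:17 (end of the sector table) and CS:1C (sectors per track), and splitting the -L/-W copies into pieces of 40h sectors.

```python
"""Debug-script generator for the raw track copy shown above.

Added example, not part of the original text: it reproduces the hand-typed
Debug session for Flight Simulator 1.00 as a generator.  Formatter bytes,
patch points CS:02/CS:27, breakpoints CS:22/CS:2A and the track ranges are
from the listing; the other patch points and the 40h-sector chunking are my
generalisation of the same machine code.
"""
from typing import Iterable, List, Sequence, Set, Tuple

# The formatter entered at CS:0000 (bytes as in the listing above).
FORMATTER = bytes.fromhex(
    "B9 01 00 BA 01 00 BB 00 01 0E 07 06 1F 88 E8 53 5F AA 83 C7 03 81 FF 1C 01"
    " 76 F6 B8 08 05 CD 13 73 01 90 FE C5 80 FD 0C 76 E1 90 CD 20"
)
# Immediates inside the formatter that the session patches with -E.
START_TRACK_OFF = 0x02   # CH of MOV CX,0001   (first track to format)
DRIVE_OFF = 0x04         # DL of MOV DX,0001   (BIOS drive: 0=A:, 1=B:)
HEAD_OFF = 0x05          # DH of MOV DX,0001   (head)
TABLE_END_OFF = 0x17     # word of CMP DI,011C (offset of the last table entry)
SPT_OFF = 0x1C           # AL of MOV AX,0508   (sectors per track for AH=05h)
LAST_TRACK_OFF = 0x27    # byte of CMP CH,0C   (last track to format)
ERROR_BREAK, DONE_BREAK = 0x22, 0x2A   # the two NOPs used as breakpoints with G
SIZE_CODE_512 = 2        # BIOS sector size code: 0=128, 1=256, 2=512, 3=1024 bytes

FS_TRACKS = [(0x00, 0x0C), (0x0E, 0x19), (0x27, 0x27)]   # ranges from the session above


def address_fields(track: int, head: int, spt: int, size_code: int = SIZE_CODE_512) -> bytes:
    """The table at CS:0100 that INT 13h AH=05h formats from: one
    (track, head, sector, size) entry per sector.  The loop at CS:000B..001A
    rewrites only the track byte of each entry before every call."""
    return b"".join(bytes((track, head, sec, size_code)) for sec in range(1, spt + 1))


def track_range_to_dos(first: int, last: int, spt: int, sides: int) -> Tuple[int, int]:
    """(first DOS sector, count) covering tracks first..last inclusive on all sides,
    from DOS.SECTOR = TRACK * SECTORS.PER.SIDE * SIDES.PER.DISK in this chapter."""
    return first * spt * sides, (last - first + 1) * spt * sides


def chunks(start: int, count: int, limit: int) -> Iterable[Tuple[int, int]]:
    """Split a sector run so each -L/-W moves at most `limit` sectors (40h = 32K)."""
    while count > 0:
        n = min(count, limit)
        yield start, n
        start, count = start + n, count - n


def copied_sectors(ranges: Sequence[Tuple[int, int]], spt: int = 8, sides: int = 1) -> Set[int]:
    """Every DOS sector the generated -L/-W lines will copy."""
    out: Set[int] = set()
    for first, last in ranges:
        start, count = track_range_to_dos(first, last, spt, sides)
        out.update(range(start, start + count))
    return out


def debug_script(ranges: Sequence[Tuple[int, int]], spt: int = 8, sides: int = 1,
                 src: int = 0, dst: int = 1, chunk: int = 0x40) -> List[str]:
    """Debug commands: format each track range on `dst`, then copy the matching
    DOS sector runs from `src` (drive numbers are BIOS/Debug style, 0=A:, 1=B:)."""
    hx = lambda bs: " ".join(f"{b:02X}" for b in bs)
    table_end = 0x100 + 4 * (spt - 1)
    out = [f"-E CS:0000 {hx(FORMATTER)}",
           f"-E CS:{DRIVE_OFF:02X} {dst:02X}",
           f"-E CS:{TABLE_END_OFF:02X} {table_end & 0xFF:02X} {table_end >> 8:02X}",
           f"-E CS:{SPT_OFF:02X} {spt:02X}",
           "-R IP", ":0000"]
    for first, last in ranges:
        for head in range(sides):           # the formatter does one head per run
            out += [f"-E CS:0100 {hx(address_fields(0, head, spt))}",
                    f"-E CS:{HEAD_OFF:02X} {head:02X}",
                    f"-E CS:{START_TRACK_OFF:02X} {first:02X}",
                    f"-E CS:{LAST_TRACK_OFF:02X} {last:02X}",
                    f"-G =CS:0000 CS:{ERROR_BREAK:02X} CS:{DONE_BREAK:02X}"]
    for first, last in ranges:
        start, count = track_range_to_dos(first, last, spt, sides)
        for s, n in chunks(start, count, chunk):
            out += [f"-L DS:0000 {src:X} {s:X} {n:X}", f"-W DS:0000 {dst:X} {s:X} {n:X}"]
    out.append("-Q")
    return out


def patch_points_ok() -> bool:
    """Sanity check that the offsets above really hold the listing's defaults
    (track 0, drive 1, head 0, table end 011Ch, 8 sectors, last track 0Ch, NOP breakpoints)."""
    return (len(FORMATTER) == 0x2D
            and FORMATTER[START_TRACK_OFF] == 0x00 and FORMATTER[DRIVE_OFF] == 0x01
            and FORMATTER[HEAD_OFF] == 0x00
            and FORMATTER[TABLE_END_OFF:TABLE_END_OFF + 2] == b"\x1C\x01"
            and FORMATTER[SPT_OFF] == 0x08 and FORMATTER[LAST_TRACK_OFF] == 0x0C
            and FORMATTER[ERROR_BREAK] == 0x90 and FORMATTER[DONE_BREAK] == 0x90)


if __name__ == "__main__":
    assert patch_points_ok()
    print("\n".join(debug_script(FS_TRACKS)))
```

For the Flight Simulator ranges the extra -E patches only re-enter the defaults (drive 1, table end 011Ch, 8 sectors), so the output is equivalent to the session above apart from the -L/-W split. Like the original, it formats and copies only the tracks you list: track 0Dh and tracks 1Ah-26h are neither formatted nor copied, so a disk whose program actually uses them needs those ranges added. Running the commands still takes the real drives and diskettes; the generator only writes the script.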