ZX Power #02
24 May 1997
Likbez - Restoring programs (why programs need restoring, what a Multiface hack looks like, the types of Multiface hacks, restoring a program by finding its old loader).
RESTORING PROGRAMS. Alexander Desyatnichenko, Sumy.
First published in the magazine "ZX REVIEW Ukraine", November 1995. Revised and greatly expanded version written specially for the e-magazine "ZX POWER", November 1996.
________________________________

1. Why programs need restoring.

Without doubt, the vast majority of high-quality programs for the ZX SPECTRUM are games written in England, Italy, Spain and other countries. It is a pleasure to load such a game, admire a beautiful loading screen and, when loading ends and a lively tune pours from the speaker, choose a control method and plunge into that wonderful little world of computer adventure.

But there are other cases. You stare for a long time at a black, cosmic screen with no loading picture; then, before the program starts, some rubbish in the form of dashes and little dots is loaded into the screen, sometimes taking up half of it; then the game menu appears on top of that picture and is immediately buried under the same litter; loading finishes, and you are expected to pick a control method out of that garbage heap. Well, if you guess the key, the screen is cleared and the game starts. But what if the keyboard refuses to respond to your efforts? What if the game's events knock over everything that was loaded before, as happens, for example, in TITANIC, SATAN and CURRO JIMENEZ? What if your ears get nothing but silence from the speaker, or the game you waited so long for simply hangs or crashes? Moreover, by my count such programs make up about half of everything circulating in our country! Naturally the question arises: did the authors really design the program that way? Did the game really never have a loading screen, music or sensible controls? Hard to believe, but these ugly creatures were originally beautiful: they loaded out of the box with bright pictures and gave lovers of computer games many pleasant hours. Why did they turn out like this? The answer is simple: they were cracked incorrectly.
That is why I decided to try to write an article on a topic never covered before: restoring (in English, RESTORE) such programs to their proper form.

2. Commercial programs.

Before setting about restoring a cracked or damaged program, it is worth getting acquainted with how the finished software products issued to the market are structured, and understanding for yourself why someone took it into his head to crack the program in the first place.

So, commercial programs. Every ZX SPECTRUM user, for example in England, who wanted to play a new game first had to go to a shop and buy a cassette with it. These were ordinary-looking tapes, just like audio cassettes with music, except that they carried different labels and were much shorter than music tapes: just long enough for one game. If the game loaded in parts, side "A" of the tape held the main program blocks and side "B" held the game's level loads. You will have noticed this yourself from messages such as "REWIND TAPE ON SIDE TWO" or "START TAPE ON SIDE B - SEARCHING FOR LEVEL 1" that appear on the screen before levels are loaded. Imagine how convenient that was: after your character dies, rewind to the beginning and load the first level again. No need to watch the tape counter or hunt for the right block by ear. Each cassette came with a description of the game and wore bright packaging depicting the game's characters; the disk version looked just as good. Of course, by our standards such a cassette cost quite a lot. That is understandable: a company releasing a game has to make a profit from selling its product to pay for its work. To hinder the illegal spread of its programs, a company was forced to take various measures. The main problem was protecting the program from dubbing (copying) followed by the sale of pirated copies. Some companies even announced a reward to anyone who reported information that could help track down unauthorised distribution channels.
Such a message can be read after loading the games SIGMA SEVEN and SABOTEUR 2 by DURELL.

Now about the structure of commercial programs themselves. Any program, as you know, starts with a loader written in BASIC. The very first games, released in 1982, were not protected at all. They simply loaded something like a picture (graphics editors did not exist yet!) straight into the screen, then loaded a plain code block and ran the program from the required address. Over the next two years efforts began to protect programs from being copied by the pirate copier programs that had appeared at once: by means of excessive file length (a special routine dumped the whole of memory from 16384 to 65535 to tape) and by putting unprintable characters into file names. You will have seen this too, when the name of the first file after the message "Program:" is printed in a different colour or in a different place on the screen. In 1984 the first methods of protecting the BASIC program from being viewed appeared, and code blocks began to be encoded so that other programmers could not peek at how the program's authors had implemented one or another interesting algorithm. After compressing copiers appeared in 1986 (they compressed the program as it loaded and decompressed it on the fly while saving, and so could copy long files), copy protection moved to altering the timing constants and to non-standard loading routines. At the same time the famous multi-part protections SPEEDLOCK PROTECTION and ALCATRAZ LOADER appeared. There were also attempts to protect a program from tape-to-tape copying without a copier, by measuring the noise of blank tape in the pauses between blocks. In later years protection developed by refining all the methods above. Moreover, alongside the new protection methods, new ways of visually presenting the loading process were invented.
At first these were changes in the colour and width of the stripes on the border, then their complete disappearance and a display of loading progress using counters and flashing squares, and then loading of pictures and pieces of code from the file to any place in memory, or musical accompaniment during loading. To some extent this entertained users while they waited and created the additional effect of protection measures, lending solidity to them and to the game itself.

A good example of what a commercial program looked like is the game DEVIANTS (the cassette version, of course). We somehow managed to get this program in the form in which PLAYERS PREMIER released it. Firstly, the first file after the loader is the loading screen, which is displayed not all at once but as graphics and shapes drawn by machine-code routines; secondly, the same file holds the loader for the remaining two blocks; and thirdly, this file has a non-standard header, which creates the impression that it is loaded without a BASIC header. The next file is loaded by a non-standard routine with altered colour stripes on the border and a continuous scroll in the centre of the screen, and, most original of all, you start to play already during loading: the program checks your reaction and adjusts the game accordingly. Numbers from 1 to 4 appear on the screen, and you have to press the matching key in time. After that the last file of the game is loaded, and it loads into the screen, but completely invisibly: the same flashing display stays on the screen. And that is not all. The program checks the amount of memory in the computer, and if it finds that you have 128K, it loads an additional block of music for the AY8910 sound chip. That, roughly, is what the real game looked like.

So why do we not see the game like that, and where did these ugly versions that we have to use come from? The answer is simple.
Commercial versions of games were bought in specialised departments of shops and then carried abroad, to countries where they were not on sale, for example Poland. Local "craftsmen", wishing to profit from spreading the games but having neither the means to copy them (the games were very well protected from copying!) nor enough programming skill to remove that protection properly, simply resorted to Multiface (that is, hardware rather than software) cracking of these programs. Then these murky "masterpieces" of cracking spread on thousands of feet of magnetic tape across the whole, so to say, "uncivilised" world, reaching us too.

3. What a Multiface hack looks like.

To properly reassemble a cracked program, or just fragments of files, into something as close as possible to the original, beautifully and smoothly running game, you first need to understand how a program is cracked with a Multiface and what it looks like on tape or disk after such a crack.

So, what is a Multiface? It is an additional device in the form of a cartridge that plugs into the computer's expansion connector. Such devices are made and used mainly by programmers for debugging and tracing the programs they write, and so are an indispensable tool for creating games. They allow you, at the press of a button, to stop any program running in the computer's memory at any moment, make changes to it and, if necessary, dump the whole of RAM to magnetic media. Afterwards the program can be restarted from the place where it was interrupted. How such systems work is well known today to anyone whose computer has a disk controller with the special MAGIC button, which dumps the whole of RAM from address 16384 to 65535 to disk.
Such a file can later be run with the GO TO command: it is loaded into memory at the same place it occupied before the dump, the data saved before the dump is put back into the CPU registers, and so the program continues from the place where it was stopped by pressing the MAGIC button. As you will have seen in such cases, the screen area looks very strange and suspicious while this file loads: various lines and dots appear, disappear and move about. This is because loading a MAGIC file requires a place in the computer's memory for the machine stack and for the values that will later be restored into all the processor's registers. Since the useful memory is occupied by the program being loaded at that moment, this work is done in the screen area.

A Multiface works in roughly the same way, except that the dump is made "in pieces": not one file of 49152 bytes but several. Usually the long file holds everything above the address given in the CLEAR statement, and one or two short files hold the screen area and the information located in the printer buffer, system variables and BASIC program area. The screen area file also holds the machine stack and, often, the values of all the registers together with the routine that pulls them off the stack before the restart. When such a program is loaded, the long block is loaded first from the BASIC program; then whatever was in the screen area before the Multiface button was pressed is loaded into the screen; then on top of it the last, very short block, which the program later moves to its proper place, because there is simply no room for it while the BASIC loader is running. Now you can see why an incorrectly cracked program loads so uglily, using the screen area, and does not always work well. All that remains is to introduce you to the types of Multiface cracks we meet and their structure, and then to move straight on to restoring them.

4. Types of Multiface cracks.
The very first programs cracked with a Multiface that reached us were FLYING SHARK, HEARTLAND, AVENGER, DAN DARE, AIRWOLF 2, CHAIN REACTION, NETHER EARTH and many others, as well as the cassette version of THE ARTIST 2. Let us look at them more closely. A BASIC loader is loaded first; hidden in it is a machine-code routine that loads five more headerless files: a loading screen of 6912 bytes (straight into the screen), then two blocks of 20000 and 20536 bytes at addresses from 25000 up to the end of memory; then the screen is cleared and the game menu picture of 6916 bytes is loaded into it, which additionally contains the machine stack and the CPU register values; and finally the last piece of 1705 bytes is loaded at address 23296. The program restores the register values and the game runs. After restoration such a program usually takes half as much space on tape or disk, since this Multiface crack has, firstly, uncompressed files and, secondly, the game menu stored twice: as a picture of 6916 bytes and inside the long block. Besides being the oldest cracking method, it is also of very high quality: no glitches have been noticed, and the game's loading screen is not spoiled at all, although there are also programs in which that file is missing and the game menu is loaded in its place (AIRWOLF 2 and NETHER EARTH).

In 1986 the Multiface crack best known to you appeared: after the loader starts, "M1 LOADING" appears on the screen. Later its modification "M128" appeared, which cracked 48K games on a 128K machine. Here are some of the most widespread programs that have passed through this crack: GREEN BERET (ROBY'86 version), ALIEN-HIGHWAY, FASTER THAN LIGHT (LIGHTFORCE), THANATOS, TURBOBOAT, HOLLYWOOD POKER, PACMANIA, TITANIC 1 and 2, ELITE. Programs cracked by this method have the following structure.
First a BASIC loader, which loads a long compressed file at address 24792 (M1 LOADING) or 25048 (M128). Then the compressed game menu is loaded into the screen area at address 16384. The BASIC command RANDOMIZE USR 24830 (M1 LOADING) or 25086 (M128) starts the decompressor, which "unfolds" the long block in memory, and the game menu appears on the screen. Then, on top of that menu (horror!), the last piece, 1968 bytes long, is loaded; there are no further steps except moving these bytes to 23296 and the faulty start. The main drawbacks of this crack are a dirty screen, sometimes even during the game (remember TITANIC), occasional glitches and the complete absence of a loading screen.

Some programs made in 1989, namely A.M.C. 2, CORSARIOS 1, 2, COMMANDO 4, MAMBO, FREDDY HARDEST 3, ULISES and others, have a typical loader of the CARGADOR type (Spanish for "loader"). These are typical representatives of the Spanish Multiface crack; they load into memory in turn: the screen area together with the system variables (9216 bytes at 16384), a long block (38388 bytes at 25600) and a short block (1536 bytes at 64000). This explains the glitches in graphics and code in the cracked CORSARIOS 2 and MAMBO.

There were also several variants adapted to the normal format of a MAGIC disk file. The most widespread of these are ELVEN WARRIOR and PRINCE CLUMSY, loaded as two blocks of 24576 bytes at addresses 16384 and 40960, and compressed MAGIC files cut into pieces (the games SATAN 1 and CURRO JIMENEZ). These are the foulest cracks: they work almost unpredictably, with many glitches in the graphics and "rubbish" in the screen area, and restoring such programs is the most laborious. Several system programs that adapted MAGIC files for loading from cartridges were developed in Russia in 1990-92 (MAGIC FILE COMPRESSOR and MAGIC COPY).
Programs often labelled IMPORTED BY RAJSOFT also became widespread in our country, with a loading sequence like this: a compressed picture below 50000, a long block compressed at 24700, and on start-up a block of code is moved from the end of memory to the top of the screen; after the long block is decompressed, that block is put into its place (at address 23296), and then the usual faulty start follows. There are also programs loaded as a single code block, for example SIRWOOD and KENDO WARRIOR, and games loaded in pieces (TV ILO, for example); often before the game starts, decompressing one of these pieces brings onto the screen whatever was on it when the Multiface button was pressed, sometimes with the start-up routine and the faulty block of code placed at the top of the screen, to be unpacked later into the printer buffer, system variables and BASIC area. Other, rarer kinds of crack exist too: for example, the games VENTURAMA, CAESEFIRE and LIVINGSTONE 2 (all 1991 releases) reached us as a BASIC loader, a loading screen (6912 bytes), a long compressed block loaded at address 24500, a short block of machine-code routines that take over control, and a block of 1204 bytes which, as you will have guessed, is loaded at address 23296. One can also mention the characteristic cracks of GUN SMOKE, MONSTER MUNCH and REBEL STAR 2.

It is worth understanding a little about the faulty start itself. You will find roughly this routine in every program cracked with a Multiface; it is this that starts the cracked game from exactly the moment the button was pressed:

    DI
    LD SP,(16384)      ; the Multiface saved the stack pointer in the first screen cells
    POP HL
    LD (16384),HL      ; put the original screen bytes back
    POP AF
    POP DE
    POP BC
    EXX
    POP IY
    POP IX
    POP HL
    POP DE
    POP BC
    POP AF             ; A = saved I register, flags carry the interrupt state
    PUSH AF
    CP 63              ; 63 is the I value used with IM 1
    JR Z,L1
    IM 2
L1  POP AF
    LD I,A
    JP PE,L2           ; were interrupts enabled?
    POP AF
    RET
L2  POP AF
    EI
    RET

As you can see, first it finds out where the stack is.
Most often the Multiface puts this value into the first cells of the screen memory area, which is visually seen as a couple of little dots or short lines in the top left corner of the picture. After that, the data for all the processor registers is pulled off the stack in turn; then the value of the interrupt vector register is determined (for IM 1 it usually equals 63), the interrupt mode is set, and finally whether interrupts were enabled. Then the RET command drops out of the routine onto the stack, and since the processor is already stuffed with all the necessary data, the program cracked several years ago continues its work from the place where the hacker's click stopped it. Now imagine what happens if the game's own stack was allocated a dozen bytes and useful data or machine code lay just below it? So much for the glitches on the screen while playing ACTION FIGHTER or G.I. HERO!

I hope you now understand how to tell at a glance a correctly cracked or restored program from an incorrectly cracked one. If the program is run directly from its start address, does not use the screen area during loading and start-up, and works normally, no intervention is needed. If the game starts in the manner described above, such a program clearly requires intervention, both for its full working order and for aesthetic reasons, to give it a form as close as possible to the original commercial one, which is what you and I are going to do.

5. Restoring programs by finding the old loader.

This is the simplest, most reliable and most effective method of restoring programs. Its principle is very simple. Every game, before it starts, must be loaded into the computer's memory. Given that all Multifaces dump all of the computer's memory to magnetic media, including the screen area and, most importantly for us, the BASIC program area, it can be assumed that the old loader that once loaded this game (before the button of the Multiface device was pressed) could have remained there, in its place, in the file.
Finding that place is very simple. We know well that the start of the BASIC program is usually at 23755 when working with tape and 23867 with a disk. So it should now be either in the very short block that is loaded last, just below address 23296, or in the block that is first loaded into the screen area and then moved to its proper place.

Now for some good examples. Dig through your game collection and find the program HOLLYWOOD POKER; it was cracked by a Multiface of the "M1 LOADING" type. For convenience (if you work on a 48K machine), load its last block of 1968 bytes at address 33296 (10 KB above 23296) and look at it with any disassembler or monitor, starting at address (now) 33755. There it is! In this place sits a simple BASIC loader:

    10 CLEAR 24999
    20 LOAD "" CODE
    30 LOAD "" CODE
    40 RANDOMIZE USR 28070

As you can see, before the crack the program consisted of two code blocks loaded into memory one after the other and run from address 28070. However, loaders in pure BASIC are met very rarely; more often there are BASIC loaders with a built-in routine, or a BASIC program that builds a machine-code loader somewhere at the end of memory.

I am probably not mistaken in saying that every one of you has the game TITANIC 1 in your collection, and you have of course seen the rubbish that appears on the screen at start-up, and how that garbage, so harmful to the eyes, spoils the nice frame around the edge of the screen throughout the game! All right, let us restore this program together and return it to its proper form. As you can see, the program was cracked by the "M128" Multiface method and has the following files: long (address 25048, length 31721), compressed game menu (address 16384, length 4035) and the short block (address 16470, length 2352). Load the short block at address 33296, then load your favourite disassembler, for example MONS 3, into any free space and run it.
Look at address 33755 and above. So, here is the old BASIC loader, which builds a machine-code loader at addresses 65000 to 65015 using DATA and READ statements. Let us see what is there. To do this we need to decompress the long code block. Reset the computer (that is, press the RESET button) and write a little program in BASIC (for simplicity, all examples of loading and saving assume work with tape):

    10 CLEAR 25047
    20 LOAD "" CODE
    30 LOAD "" CODE 16384
    40 RANDOMIZE USR 25086
    50 SAVE "titanic1" CODE 25648,39887

What does this program do? It loads the first two blocks of the badly cracked program, decompresses them (at this point the game menu appears on the screen) and then, after any key is pressed, saves the decompressed block. Now, anticipating your questions, let us deal with the figures. The addresses in the CLEAR, LOAD and RANDOMIZE USR statements are clear: we took them from the "M128" loader. But where did I get such precise figures for SAVE? That is not hard either. Look: the last short block of 2352 bytes must end up at 23296. 23296 + 2352 = 25648. This is the new start address of the decompressed long block, because we cut off the bytes from address 25048 to 25647, which held the decompression and register-restoration code that we no longer need. How the length of the saved block is calculated is also clear now: 65535 - 25648 = 39887. Now save the block to tape and look at what is at 65000 (after all, we found out that the game's old loader is there). Go to this address and see:

    LD IX,25500
    LD DE,38982
    LD A,255
    SCF
    CALL 1366
    JP 52546

Now everything is clear. Before the crack, TITANIC was a single code file of 38982 bytes, loaded at address 25500 and run from address 52546. Let us try to restore it.
The part of this file from address 25648 upwards we have already saved; all that remains is to cut the missing 148 bytes (those that must lie at addresses 25500 to 25647) out of the last short block, join the two together, load the result into memory in its place and save the finished file to disk, the same as it once was before the crack. Now comes the most exciting moment: testing. Type RANDOMIZE USR 52546. A clean game menu appears, with an uncorrupted frame, as before, and a melody. Choose a control method and try to play. Excellent! No glitches, the game works, and it loads from one file (not three as before); if you then compress it, the game will take up a third less space on the magnetic medium. Well, how do you like it? Is it not the feeling of having repaired a hopelessly broken television that now works well?

Naturally, you immediately want to do the same job with the second part of the game (TITANIC 2). Yes, everything matches exactly; its restoration is no different from the first part. Let us try to run it... What, did you not expect that? The program still asks for a code! Of course, since you have restored it fully! As is well known, the second parts of programs (PHANTIS 2, HYPSYS 2, NAVY MOVES 2, etc.) always ask first for the code that you get by reaching the end of the first part. Never mind, get used to it; you have not seen the last of this. After restoration some programs will even show you several pictures or scrollers that you have never seen before. The reason is very simple. An incorrectly cracked program starts again from exactly the place where the hacker "expert" pressed the Multiface button. Naturally, before that he could have entered the code, looked at a couple of pictures, or even played half the game (for example, the so-called "game" MIVISIS, which is the second level of DOMINATOR, or the individual levels of LAST NINJA 2), and only then dumped the game to tape and presented you with this gift in the form of a Multiface crack.

Another example.
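As an added example (my own code, not the author's and not part of any ZX tool), the Python below models the two mechanical steps of this section on constructed input: it lays Multiface blocks into a 64K image at their load addresses, decodes the tokenised ZX BASIC lines found at the PROG address 23755 (the way the HOLLYWOOD POKER loader above was found), and carves the original file range back out (the 148 + 38834 byte join used for TITANIC). The token codes are the standard ZX Spectrum keyword values; the block contents are made up for the demonstration.

```python
# Added example (not the author's code): a Multiface crack is a set of
# (load address, bytes) blocks. Lay them into a 64K image in load order, read the
# old BASIC loader at PROG, and carve the original single file back out.

PROG_TAPE = 23755          # start of the BASIC program with no disk interface
SHORT_BLOCK_ADDR = 23296   # where the last short block of a crack belongs

# Keyword codes from the ZX Spectrum character set (only those the loaders use)
TOKENS = {0xAF: "CODE", 0xC0: "USR", 0xE3: "READ", 0xE4: "DATA",
          0xEF: "LOAD", 0xF8: "SAVE", 0xF9: "RANDOMIZE", 0xFD: "CLEAR"}
TOKEN_CODES = {name: code for code, name in TOKENS.items()}

def assemble(blocks, size=65536):
    """Lay (load_address, data) blocks into a RAM image in load order; a later
    block overwrites an earlier one, exactly as on the real machine."""
    mem = bytearray(size)
    for addr, data in blocks:
        if addr < 0 or addr + len(data) > size:
            raise ValueError(f"block at {addr} of {len(data)} bytes leaves RAM")
        mem[addr:addr + len(data)] = data
    return mem

def decode_basic(mem, start=PROG_TAPE, max_lines=64):
    """Decode tokenised BASIC lines from `start`; stop at the first thing that is
    not a plausible line (number 0 or > 9999, no ENTER at the end), which is
    what the variables area or plain garbage looks like."""
    lines, pos = [], start
    while len(lines) < max_lines and pos + 4 <= len(mem):
        line_no = (mem[pos] << 8) | mem[pos + 1]        # big-endian line number
        length = mem[pos + 2] | (mem[pos + 3] << 8)     # little-endian length
        body = mem[pos + 4:pos + 4 + length]
        if not 1 <= line_no <= 9999 or not body or body[-1] != 0x0D:
            break
        text, i = [], 0
        while i < len(body) - 1:                        # stop before ENTER
            b = body[i]
            if b == 0x0E:             # hidden 5-byte binary form of a number
                i += 6
                continue
            text.append(f" {TOKENS.get(b, f'<{b:02X}>')} " if b >= 0xA5 else chr(b))
            i += 1
        lines.append((line_no, " ".join("".join(text).split())))
        pos += 4 + length
    return lines

# --- constructed sample input (not bytes from any real crack) -----------------
def _num(n):
    """A number as the ROM stores it: ASCII digits, 0x0E, then a 5-byte form."""
    return str(n).encode() + bytes([0x0E, 0, 0, n & 0xFF, n >> 8, 0])

def _line(no, *parts):
    body = b"".join(p if isinstance(p, bytes) else bytes([TOKEN_CODES[p]])
                    for p in parts) + b"\r"
    return bytes([no >> 8, no & 0xFF, len(body) & 0xFF, len(body) >> 8]) + body

def hollywood_poker_short_block():
    """1968-byte last block of an "M1 LOADING" crack, with the old loader lying
    where PROG lands once the block has been moved to 23296."""
    loader = (_line(10, "CLEAR", b" ", _num(24999))
              + _line(20, "LOAD", b' ""', b" ", "CODE")
              + _line(30, "LOAD", b' ""', b" ", "CODE")
              + _line(40, "RANDOMIZE", b" ", "USR", b" ", _num(28070)))
    block = bytearray(1968)
    off = PROG_TAPE - SHORT_BLOCK_ADDR                   # 459 bytes in
    block[off:off + len(loader)] = loader
    return bytes(block)

def recover_hollywood_poker_loader():
    """Step 1 of the method: what a monitor shows at (23755 - 23296) into the block."""
    mem = assemble([(SHORT_BLOCK_ADDR, hollywood_poker_short_block())])
    return decode_basic(mem)

def rebuild_titanic():
    """Step 2 for TITANIC 1: 148 bytes of the short block (25500..25647) joined
    to the saved decompressed long block (25648..65534) give the 38982-byte file."""
    short_block = bytes([0x11]) * 2352   # the block that belongs at 23296
    long_block = bytes([0x22]) * 39887   # SAVE "titanic1" CODE 25648,39887
    mem = assemble([(SHORT_BLOCK_ADDR, short_block), (25648, long_block)])
    return bytes(mem[25500:25500 + 38982])
```

Running decode_basic on a real dump needs a real short block loaded at 23296 in the image; with the disk-interface PROG of 23867 pass start=23867.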
The other day I came across a Multiface crack of the game REBEL STAR 2. After loading, the program hangs and shows no messages, and only when I ran my hand across the keyboard did a press on some key make it come alive. When, half an hour later, I ran this game in restored form, it cleared the screen and printed: "Enter difficulty level 1...9". In other words, the hacker, when cracking the game, pressed the Multiface button while this message was on the screen. So when run, this crack has already started from the point where it waits for the difficulty level to be entered (a press on keys 1 to 9).

Now you can restore the rest of the cracks in your collection by searching for the old loader. In the game TURBO-BOAT you will learn from such a loader that it loaded a file of 29440 bytes at address 31488 and ran it from address 32768. To restore this game you do not even need to glue parts together: just load the first two blocks, decompress and save the finished program. In the game GILBERT ESCAPE FROM DRILL, which has a CARGADOR-type loader, the old loader in code can be found at 26000. In cracked form this program starts playing its melody somewhere from the middle, but in restored form, of course, from the beginning.

At the start of the article I said that commercial programs had very strong protection. Where is it? After all, the examples above suggest that these programs are loaded by the most primitive loaders. Yes, primitive, but for whom? We should not forget that any program can be re-cracked several times, and traces of such re-cracks are seen repeatedly. For example, a game was released in England; then in Holland its protection was skilfully removed and a simple loader in code was written for it. In Poland, unlike other countries, which used the +D or TR-DOS disk operating systems, a disk system of their own, OPUS, was widespread.
So a user who did not know assembly, not troubling himself much, loaded the game from tape and "adapted" it to disk with the Multiface button. Is that not a familiar situation? Indeed, in our country in 1989-91 whole disks of games "adapted" in this way with the MAGIC button went from hand to hand: XECUTOR, CHRONOS, ZYNAPS and many others, which no longer had any strong protection. Is it any surprise if such a, if I may say so, "disk version" was then dumped back to tape by someone... So it turns out that a game with an originally simple loader reaches us completely crippled. By the way, in the place where the old BASIC loader should be in a crack, you can sometimes find the BASIC or code program with which the programmer prepared it for release, saving the program's code blocks to tape (often a Microdrive cartridge). Such finds, of course, also help restoration.

To be continued...
________________________________