sequences. We can use the monitor "H" command to hunt through
memory for these patterns. Type < H 0800 BFFF A9 10 24 01 >.
After a brief wait, the monitor should return three addresses:
0AA2 112F A03C.
7) Disassemble each of these addresses using the < D > command. Use
the cursor-down key to scroll through the next couple of
addresses. At the top of each disassembly, change the LDA #$10
command to LDA #$00 (see intro), i.e. < D 0AA2 >, then
< A 0AA2 LDA #$00 >. Do the same for the other two addresses. The
rest of the byte changes are performed in this manner, so they
won't be described in detail.
8) Type < H 0800 BFFF A9 40 4A 4A AA >. Monitor finds: 1245 9D20.
9) Disassemble both addresses, and change the LDA #$40 command to
LDA #$00 (see intro).
10) Type < H 0800 BFFF AD 01 00 >. Monitor finds: 9AE0.
11) Disassemble $9AE0 and cursor down 10 or 11 times. Find the BCS
instruction and replace it with two NOPs (see intro):
< A 9AE8 NOP > < A 9AE9 NOP >
12) Type < H 0800 BFFF 58 FF >. Monitor finds: 14D1 A6F4.
13) First, disassemble a few bytes before $14D1, say at $14C0. You
will discover a routine that looks something like the
following:
LDX #$09
LDA $14D8,X
EOR #$FF
STA $FF58,X
Notice that this routine decrypts a sequence of bytes beginning
at $14D8 by EOR'ing each byte with #$FF and storing the result in
hi-memory, hidden beneath the Kernal ROM. The decrypted code
hooks into the IRQ routine and checks the dongle bit every time
the IRQ routine pointed to by the vector at $0314-$0315 is
executed. To see the decrypted code, you will have to point the
routine at a location in RAM that is easily visible, say $0801
(change the $FF58 in the STA to $0801). If you do, be sure to
start the break procedure over, since you will have corrupted
the work done up to now.
14) To "trick" the routine into thinking that the dongle is always
in, type < M 14D8 >. The monitor should return a sequence of 8
bytes.
15) Edit the 4th byte (it should be $EF) and change it to $FF.
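The hunt at the top of the page and the EOR #$FF loop of step 13, modelled in Python as an added example that is not from the book: the 64K image, the planted addresses, the bytes at $14D8 and the DEX/BPL loop tail the listing omits are all assumptions constructed to mirror the text, not taken from the game.

```python
# Added example, not from the book: a Python model of the monitor's "H" (hunt)
# command and of the EOR #$FF copy loop from step 13, run over a constructed
# 64K memory image. The planted addresses and bytes mirror the text; none of
# them are dumped from the game.

C64_MEM_SIZE = 0x10000
DONGLE_CHECK = bytes.fromhex("A9102401")  # LDA #$10 / BIT $01, the hunted pattern


def hunt(mem, start, end, pattern):
    """Every address in [start, end] at which `pattern` begins: the same
    search the monitor performs for < H start end byte byte ... >."""
    n = len(pattern)
    return [a for a in range(start, end - n + 2) if mem[a:a + n] == pattern]


def eor_ff_copy(mem, src, dst, count):
    """Emulate LDX #count-1 / LDA src,X / EOR #$FF / STA dst,X / DEX / BPL
    (loop tail assumed). EOR #$FF is a bitwise NOT, so the same loop that
    hides the bytes also reveals them."""
    for x in range(count - 1, -1, -1):
        mem[dst + x] = mem[src + x] ^ 0xFF
    return bytes(mem[dst:dst + count])


def build_sample_memory():
    """Constructed image: the three visible checks the text reports, plus one
    inverted copy at $14D8 whose 4th byte is $EF ($10 EOR $FF)."""
    mem = bytearray(C64_MEM_SIZE)
    for addr in (0x0AA2, 0x112F, 0xA03C):
        mem[addr:addr + 4] = DONGLE_CHECK
    # Constructed plaintext: PHA, TXA, LDA #$10, BIT $01, PLA, RTS, NOP, NOP
    plain = bytes.fromhex("488AA91024016860EAEA")
    mem[0x14D8:0x14D8 + len(plain)] = bytes(b ^ 0xFF for b in plain)
    return mem


def locate_hidden_check(mem):
    """Show why the earlier hunts miss the hidden copy: in this model the
    pattern only becomes findable once the $14D8 block is decrypted to $FF58
    (RAM under the Kernal ROM on a real C64; plain RAM here)."""
    visible = hunt(mem, 0x0800, 0xBFFF, DONGLE_CHECK)
    before = hunt(mem, 0xC000, 0xFFFF, DONGLE_CHECK)
    eor_ff_copy(mem, 0x14D8, 0xFF58, 10)
    after = hunt(mem, 0xC000, 0xFFFF, DONGLE_CHECK)
    return visible, before, after


if __name__ == "__main__":
    print([hex(a) for a in locate_hidden_check(build_sample_memory())[2]])
```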
K.J. REVEALED TRILOGY PAGE [78] (C)1990 K.J.P.B.