Change the code at $03C5 to JMP $2000 and execute the code at
$0334 (G 0334). The screen will turn black, the disk drive will
activate, and after a short time, control will return to the
monitor. Disassemble the code at $0F00. The routine from $0F00 -
$0F22 copies the freshly-loaded code from $0C3C - $123B to
$033C - $093B, then JMP's to $0623. This makes viewing the code in
its proper location more difficult. By locating and executing the
protection code in screen memory ($0400- $07F7), MBTT protects
itself from a monitor like the one we are using. In addition, a
normal reset of the computer will destroy ALL of this code. We can
relocate it ourselves to a more convenient area ($733C) by using
the monitor's (T)ransfer command:
T 0C3C 123B 733C
When disassembling this relocated code, remember to add $7000 to
all address references in the program and the following text.
The entry point here is at $0623 ($7623 - remember: add
$7000). The routine at $0633 copies the drive fast loader code to
$5000 - $52FF, then calls the subroutine at $0342 to send it to the
drive, execute it, and change the KERNAL LOAD vector to point to
the fast loader. The next step at $064F is the key to the
protection scheme: what appears to be a normal load routine is
actually reading the protected sector into $0C00. The KERNAL SETNAM
call at $0654 is pointing to a rather odd file name consisting of
4 hex bytes at $0690 with the values $01 $24 $10 $01. $24 is 36
decimal and $10 is 16 decimal. Track/sector (T/S) 36/16 is the sector
containing the protected data! The data is then decrypted and moved
to $C002, where it is executed to continue the loading process.
The easiest way past a protection scheme like this is to capture
the data ourselves, write it to a safe place on our backup copy,
and change the protection code to look at our new location. This
will be especially easy because the protection code that holds the
sector reference (unlike the sector data it reads) is not encrypted. To do
this, enter the drivemon, insert an ORIGINAL MBTT, and initialize
the drive. Use the drive's job queue to read in T/S $24/$10 (our
protected sector) and write it to your backup copy. An unused
directory sector is usually a good bet, so we'll use T/S $12/$12
(18/18).
The last step is to change the reference to the original
protected sector to our newly relocated sector. Recall that the
code we've been analyzing was loaded from track 35. Use the
provided Byte Pattern Scanner to search for the 4 hex bytes ($01,
$24, $10, $01) that we discussed earlier. Enter 35 for the starting
AND ending tracks. The scanner should report the bytes' location on
T/S 35/14 ($23/$0E) at position $54 (84). Use any sector editor or
the drivemon to change the 2 bytes at positions $55-$56 on T/S 35/14
($23/$0E) from $24/$10 to $12/$12 and rewrite them to your backup
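The same two steps (copy the protected sector to a spare directory sector, then repoint the $01 T S $01 reference on track 35) can be done against a D64 image instead of with the drivemon and the Byte Pattern Scanner. The following Python is an added example and is not code from the book; it assumes a standard D64 with the 1541 zone layout extended to 40 tracks (17 sectors per track on 36-40) so that track 36 exists, and the disk image it builds is constructed, not MBTT.

```python
"""Added example: byte-pattern scan and sector relocation on a D64 image.

Assumptions (not from the page): 1541 zone layout, 40-track image so that
track 36 is addressable, and the loader stores its sector reference as the
4 bytes $01 <track> <sector> $01. The demo image is constructed data.
"""

SECTOR_SIZE = 256
LAST_TRACK = 40  # extended image; a plain 35-track D64 has no track 36


def sectors_per_track(track):
    """1541 zone layout; tracks 36-40 follow the zone-4 count of 17."""
    if track < 1 or track > LAST_TRACK:
        raise ValueError("track out of range")
    if track <= 17:
        return 21
    if track <= 24:
        return 19
    if track <= 30:
        return 18
    return 17


def sector_offset(track, sector):
    """Byte offset of (track, sector) inside the image."""
    if sector < 0 or sector >= sectors_per_track(track):
        raise ValueError("sector out of range for track")
    before = sum(sectors_per_track(t) for t in range(1, track))
    return (before + sector) * SECTOR_SIZE


def read_sector(image, track, sector):
    off = sector_offset(track, sector)
    return bytes(image[off:off + SECTOR_SIZE])


def write_sector(image, track, sector, data):
    if len(data) != SECTOR_SIZE:
        raise ValueError("sector data must be 256 bytes")
    off = sector_offset(track, sector)
    image[off:off + SECTOR_SIZE] = data


def scan_tracks(image, pattern, first_track, last_track):
    """Byte Pattern Scanner equivalent: every (track, sector, position)
    at which pattern occurs on the given track range."""
    hits = []
    for track in range(first_track, last_track + 1):
        for sector in range(sectors_per_track(track)):
            data = read_sector(image, track, sector)
            pos = data.find(pattern)
            while pos != -1:
                hits.append((track, sector, pos))
                pos = data.find(pattern, pos + 1)
    return hits


def relocate_protected_sector(image, old_ts, new_ts, first_track, last_track):
    """Copy the protected sector raw to new_ts (the loader decrypts it after
    reading, so its bytes need no change), then patch every
    $01 <old T> <old S> $01 reference found on the scanned tracks.
    Returns the list of patched (track, sector, position)."""
    old_track, old_sector = old_ts
    new_track, new_sector = new_ts
    write_sector(image, new_track, new_sector,
                 read_sector(image, old_track, old_sector))
    pattern = bytes([0x01, old_track, old_sector, 0x01])
    hits = scan_tracks(image, pattern, first_track, last_track)
    for track, sector, pos in hits:
        data = bytearray(read_sector(image, track, sector))
        data[pos + 1] = new_track   # the byte after $01: track
        data[pos + 2] = new_sector  # then sector
        write_sector(image, track, sector, bytes(data))
    return hits


def make_demo_image():
    """Constructed 40-track image standing in for MBTT (not real data):
    the reference at position $54 of T/S 35/14 and dummy 'protected'
    data at T/S 36/16."""
    total = sum(sectors_per_track(t) for t in range(1, LAST_TRACK + 1))
    image = bytearray(total * SECTOR_SIZE)
    loader = bytearray(SECTOR_SIZE)
    loader[0x54:0x58] = bytes([0x01, 0x24, 0x10, 0x01])
    write_sector(image, 35, 14, bytes(loader))
    write_sector(image, 36, 16, bytes(range(SECTOR_SIZE)))
    return image


if __name__ == "__main__":
    img = make_demo_image()
    print(relocate_protected_sector(img, (0x24, 0x10), (0x12, 0x12), 35, 35))
```

Scanning only track 35 mirrors the book's instructions; passing 1 and 40 scans the whole image instead, which is the safer check if you suspect the loader keeps a second copy of the reference. Before writing to 18/18 on a real disk, confirm that directory sector really is unallocated in the BAM, since an occupied sector would be overwritten.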
K.J. REVEALED TRILOGY PAGE [128] (C)1990 K.J.P.B.