When done, hit Run/Stop-Restore and again sys the monitor in
with . Again disassemble code at $8000 and cursor
down through the code. You'll find that if the comparison to $FF
is satisfactory, the programming falls through to $808B, which
is a JUMP to $FFC3. This is a KERNAL routine that when JUMPed
to, does a RTS which in this case returns the program flow back
to the basic program (TRIO FILE in this case).
5) Turn the computer off, insert the Hesmon, and power up again. X
to BASIC and from the Utility Disk, load the Block Read file
< LOAD "BLOCK READ",8 >. When the ready prompt comes up. LIST
the file and on line 10 set the TRack variable to 35 and the
SEctor variable to 10. Hit RETURN to lock your changes in and
relist the file to check your changes. This utility will now
Block Read Track 35/Sector 10 and send the code to $C000 in the
computer where we can inspect it. Place the backup in the drive
and start the Block Read by typing RUN and hitting RETURN. The
drive will spin and in about 30 seconds, the READY prompt will
appear. Return to the monitor by hitting Run/Stop-Restore.
Disassemble code at $C000 . Cursor down through the
code. The code from $C000-$C010 is the decryptor and will have
to be executed before we can inspect the drive code. You'll see
that it is set to decrypt this code in the $0400 Buffer in the
drive and must be readdressed to decrypt at $C000. Using the
Memory Command, change the 04 at $C005 and $C00B to C0. Notice
the ADC $08 at $C007. This instruction uses the value in the
drive at location $08 to help decrypt this code. The location
$08 is the track value last loaded into the Buffer at $0400. We
know that this was track 35 (remember the BLOCK EXECUTE to Track
35/Sector 10). Let's change the instruction from a ADC $08 to a
ADC #$23. We are now using the known value of $23 (decimal 35)
and not using any values in drive memory. The bytes for this
instruction change are $69, $23. Use the MEMORY command to make
your changes at $C007 < M C007 >. Again disassemble memory at
$C000 and cursor down through the code to check to see the
changes are correct.
6) Let's execute the decrypter and inspect code. Type , and
when the monitor breaks, disassemble code at $C000 and
cursor down through the code. The code from $C011-$C043 checks
Track 35, bumps the head a half track and if the check is
satisfactory, stores a 0 in $0009. The instruction at $C044
loads the accumulator with the value in $0009. Next, if that
value is not a 0, the code branches around the next two
instructions. These are the keys to the protection. The value of
$FF is stored at $01FF in the drive memory. Later a Memory Read
in the computer code will check for the $FF and if it is in
place at $01FF, the protection check will be passed. Our job now
is to force this routine to pass even if the protection isn't in
place.
K.J. REVEALED TRILOGY PAGE [38] (C)1990 K.J.P.B.
<<previous page -
next page>>