instruction and replace it with two NOPs. < A 9B06 NOP >, < A 9B07 NOP >.
14) Type < H 0800 BFFF 58 FF >. Monitor finds: 14AC A5E7.
15) First, disassemble a few bytes before $14AC, say at $14A3. You
will discover a routine that looks something like the following:
LDX #$09
LDA $14B3,X
EOR #$FF
STA $FF58,X
Notice that this routine decrypts a sequence of bytes beginning
at $14B3 by EOR'ing it with the value of #$FF and stores it in
hi-memory hidden beneath the Kernal ROMs. The routine itself
breaks into the IRQ routine and checks the dongle bit every
time the IRQ routine pointed to by vector $0314-0315 is
executed. To see the decrypted code, you will have to point the
routine to a location in RAM that is easily visible, say $0801
(FF58 = 0801). If you do, be sure to start the break procedure
over, for you will have corrupted our work up till now.
16) To "trick" the routine into thinking that the dongle is always
in, type < M 14B3 >. The monitor should return a sequence of
8 bytes.
17) Edit the 4th byte over (should be $EF) and change it to $FF.
18) Next, disassemble memory a few bytes before $A5E7 by typing
< D A5E1 >. Use cursor-down to display the next 14 or 15
bytes.
The monitor should show you something like:
LDX #$09
CLC
ADC $FF58,X
DEX
19) This group of instructions is simply a checksum check of the
IRQ dongle-check routine we just finished working with. In
other words, they are "double-checking" their protection code.
Find the instruction that compares the checksum value in the
accumulator with a set value. Notice the BEQ immediately
afterwards that bypasses protection failure. Simply change
CMP #$5A to LDA #$00. We have just set the zero flag
permanently, and the routine is tricked.
20) Now that we have finished removing all the dongle-check
routines, we need to re-save the two files to your backup disk.
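To see why step 19 is needed once step 17 has been done, here is a small Python model (added here, not from the book) of the decode loop in step 15 and the checksum loop in step 18. Only the EOR #$FF key, the CMP #$5A value and the $EF byte come from the page; the other sample bytes are constructed so the decoded block sums to $5A, and the checksum is assumed to be a plain 8-bit sum (carry cleared before every ADC).

```python
# Model of the two loops on this page: LDA $14B3,X / EOR #$FF / STA $FF58,X
# (decode ten bytes into hi-memory) and CLC / ADC $FF58,X (checksum them).

XOR_KEY = 0xFF          # the EOR #$FF constant from step 15
EXPECTED_SUM = 0x5A     # the CMP #$5A constant from step 19
BLOCK_LEN = 10          # LDX #$09 counts X from 9 down to 0

# Constructed sample: ten "encrypted" bytes as they might sit at $14B3.
# Only the 4th byte ($EF, from step 17) is taken from the page; the rest
# are made up so that the decoded block checksums to $5A.
ENCRYPTED = bytes([0xEE, 0xDF, 0xCF, 0xEF, 0xD9, 0xD8, 0xD8, 0xD8, 0xD8, 0xD8])


def decode(block: bytes) -> bytes:
    """LDA $14B3,X / EOR #$FF / STA $FF58,X for X = 9..0 (XOR is its own inverse)."""
    assert len(block) == BLOCK_LEN
    return bytes(b ^ XOR_KEY for b in block)


def checksum(block: bytes) -> int:
    """CLC / ADC $FF58,X over the decoded copy.

    Assumption: carry is cleared before each ADC, so this is a plain 8-bit
    sum. A CLC outside the loop would let the carry ripple instead.
    """
    return sum(block) & 0xFF


def integrity_ok(encrypted: bytes) -> bool:
    """True when the decoded block sums to the value the CMP compares against."""
    return checksum(decode(encrypted)) == EXPECTED_SUM


def patch_byte(block: bytes, offset: int, value: int) -> bytes:
    """Return a copy of block with one byte changed (the edit made in step 17)."""
    out = bytearray(block)
    out[offset] = value
    return bytes(out)


if __name__ == "__main__":
    print("original passes checksum:", integrity_ok(ENCRYPTED))
    tampered = patch_byte(ENCRYPTED, 3, 0xFF)          # $EF -> $FF, as in step 17
    print("decoded sum after edit:", hex(checksum(decode(tampered))),
          "passes checksum:", integrity_ok(tampered))
```

The single-byte edit changes the decoded sum from $5A to $4A, which is exactly what the second routine is there to catch; the weakness is that the whole check collapses into one CMP/BEQ pair.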
K.J. REVEALED TRILOGY PAGE [81] (C)1990 K.J.P.B.