the ROM and bank in the RAM so we can view the "B" file code.
Using the memory command, change memory location $0001 to 36
(76 on the 128) < M 0001 >.
6) Now we will begin searching for the specific "dongle-check"
byte sequences. We can use the monitor "H" command to hunt
through memory for these patterns. Type
< H 9000 BFFF A9 10 24 01 >. After a brief wait, the monitor
should return address: A03C
7) Disassemble this address using the "D" command. Use the
cursor-down key to scroll through the next couple of addresses.
At the top, change the LDA #$10 command to LDA #$00, i.e.
< D A03C >, < A A03C LDA #$00 >. The rest of the byte changes
are performed in this manner, so they won't be described in detail!
8) Type < H 9000 BFFF A9 40 4A 4A AA >. Monitor finds: 9D20.
9) Disassemble and change the LDA #$40 command to LDA #$00.
10) Type < H 9000 BFFF A9 10 24 00 >. Monitor finds: 93EF.
11) Disassemble and change LDA #$10 to LDA #$00.
12) Type < H 9000 BFFF AD 01 00 0A AA >. Monitor finds: 9AE0.
13) Disassemble $9AE0 and scroll down 6 or 7 times. Find the BCS
instruction and replace it with two NOP's. < A 9AE8 NOP >,
< A 9AE9 NOP >.
14) Type < H 9000 BFFF 58 FF >. Monitor finds: A6F4.
15) Disassemble memory a few bytes before $A6F4 by typing
< D A6E0 >. Use cursor-down to display the next 14 or 15 bytes.
The monitor should show you something like:
LDX #$09
CLC
ADC $FF58,X
DEX
16) This group of instructions is simply a checksum check of the
IRQ dongle-check routine we worked with in the Leaderboard
portion of this manual. In other words, they are
"double-checking" their protection code. Find the instruction
that compares the checksum value in the accumulator with a set
value. Notice the BEQ immediately afterwards that bypasses
protection failure. Simply change CMP #$5A to LDA #$00. We
have just set the zero flag permanently, and the routine is
tricked.
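To make the "double-check" of step 16 concrete, here is an added model (not from the book) of the checksum loop quoted in step 15, run over a constructed stand-in for the guarded routine; it shows why the earlier byte edits would trip this second check. It assumes the loop closes with a BNE the page does not show (X runs 9 down to 1), that the accumulator is 0 on entry, and that the sample opcodes are made up.

```python
# Added example (not from the book): a model of the checksum loop quoted in
# step 15 (LDX #$09 / CLC / ADC $FF58,X / DEX), to show what it protects.
# Assumptions: the loop closes with a BNE the page does not show, so it runs
# for X = 9 down to 1; the accumulator is 0 on entry; and the bytes below are
# constructed sample opcodes, not the game's real code.
BASE = 0xFF58   # base of the indexed ADC on the page
COUNT = 9       # LDX #$09

def checksum_6502(mem, base=BASE, count=COUNT):
    """Emulate: LDX #count ; CLC ; loop: ADC base,X ; DEX ; BNE loop.
    CLC runs once, so the carry out of one 8-bit ADC feeds the next one,
    exactly as the CPU chains them."""
    a, carry = 0, 0
    for x in range(count, 0, -1):
        total = a + mem.get(base + x, 0) + carry
        a, carry = total & 0xFF, total >> 8
    return a

def integrity_ok(mem, expected):
    """The CMP #imm / BEQ pair after the loop: the branch is taken only
    when the computed sum equals the constant baked into the check."""
    return checksum_6502(mem) == expected

def routine_image(code):
    """Place the guarded bytes at base+1 .. base+count, the cells the loop reads."""
    return {BASE + 1 + i: b for i, b in enumerate(code)}

# Constructed stand-in for the guarded dongle-check routine, starting with the
# LDA #$10 / BIT $01 pattern (A9 10 24 01) the book hunts for in step 6.
ORIGINAL = routine_image([0xA9, 0x10, 0x24, 0x01, 0xF0, 0x05, 0xA2, 0x00, 0x60])
# Same bytes after a step-7 style edit, LDA #$10 -> LDA #$00 (byte $10 -> $00).
PATCHED = routine_image([0xA9, 0x00, 0x24, 0x01, 0xF0, 0x05, 0xA2, 0x00, 0x60])
EXPECTED = checksum_6502(ORIGINAL)   # the constant a CMP #imm would carry: 0xD7

if __name__ == "__main__":
    print(f"original sum {EXPECTED:#04x}, passes: {integrity_ok(ORIGINAL, EXPECTED)}")
    print(f"patched  sum {checksum_6502(PATCHED):#04x}, passes: {integrity_ok(PATCHED, EXPECTED)}")
```

A one-byte edit inside the guarded range changes the sum, which is exactly why the author has to deal with this loop after the edits of steps 7 through 13.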
K.J. REVEALED TRILOGY PAGE [83] (C)1990 K.J.P.B.