and < L "S",08 >
5) Now, we will begin searching for certain "dongle-check"
byte sequences. We can use the monitor "H" command to hunt
through memory for these patterns. Type
< H 0800 9FFF A9 10 24 01 >. After a brief wait, the monitor
should return addresses: 0F66 17D0.
6) Disassemble each of these addresses using the < D > command.
Use the key to scroll through the next couple of
addresses. At the top of each disassembly, change the LDA #$10
command to LDA #$00, e.g. < D 0F66 >, < A 0F66 LDA #$00 >, and
do the same for the other address. The rest of the byte changes
are performed in this manner, so they won't be described in detail!
7) Type < H 0800 9FFF A9 40 4A 4A AA >. Monitor finds: 0FF9 16E6
8) Disassemble both addresses, and change the LDA #$40 command to
LDA #$00.
9) Type < H 0800 9FFF A9 10 25 01 >. Monitor finds 162B 1E3D.
10) Disassemble both addresses and change LDA #$10 to LDA #$00.
11) Type < H 0800 9FFF A5 01 29 10 >. Monitor finds 0EEC 11CA 1C5A
2C85 3141.
12) Disassemble each address and change AND #$10 to AND #$00.
13) Type < H 0800 9FFF A9 10 24 00 >. Monitor finds 1227.
14) Disassemble and change LDA #$10 to LDA #$00.
15) Type < H 0800 9FFF A9 08 0A EA 31 2B >. Monitor finds 2BB6.
16) Disassemble and change AND ($2B),Y to AND #$00.
17) Type < H 0800 9FFF A9 D0 49 FF D1 2B >. Monitor finds 2C37.
18) Disassemble the next 9 or 10 bytes. Find the BEQ instruction
and replace the next instruction immediately after it with an
RTS < A 2C3F RTS >. The BEQ instruction is executed if the
dongle is in, and it hits an RTS too, so putting another RTS
after the BEQ guarantees that the program will not crash with
the dongle out.
19) Type < H 0800 9FFF 18 A9 00 7D 00 C0 >. Monitor finds 6EC2.
20) Disassemble $6EC2 and scroll down 15 or 16 instructions. Find
the BEQ instruction and replace the next instruction after it
with an RTS again < A 6ED9 RTS >. (We just fixed a
K.J. REVEALED TRILOGY PAGE [85] (C)1990 K.J.P.B.