Impossible Mission (Hacking Tips #8)

By Mr. Spock

Originally published in EUG #71

Impossible Mission uses a Kevin Edwards loader: it decrypts the game code and pushes a faked return address onto the stack, similar to Xor.

0400 LDA #15    \Clear keyboard
0402 LDX #0     \buffer, *FX15,0
0404 JSR OSbyte \equivalent
0407 JMP &04E2  \Continue execution at &4E2

The next part is junk to fill up space.

0408 ** ** 50 72 6F 74 65 63   Protec
0410 74 69 6F 6E 20 28 63 29 tion (c)
0418 20 4B 65 76 69 6E 20 45  Kevin E
0420 64 77 61 72 64 73 20 31 dwards 1
0428 39 38 36 00 00 00 00 00 986.....
0430 00 00 00 00 00 00 00 00 ........
0438 00 00 00 00 00 00 00 00 ........
0440 00 00 00 00 00 00 00 00 ........
0448 00 00 00 00 00 00 00 00 ........
0450 00 00 00 00 00 00 00 00 ........
0458 00 00 00 00 00 00 00 00 ........
0460 00 00 00 00 00 00 00 00 ........
0468 00 00 00 00 00 00 00 00 ........
0470 00 00 00 00 00 00 00 00 ........
0478 00 00 00 00 00 00 00 00 ........
0480 00 00 00 00 00 00 00 00 ........
0488 00 00 00 00 00 00 00 00 ........
0490 00 00 00 00 00 00 00 00 ........
0498 00 00 00 00 00 00 00 00 ........
04A0 00 00 00 00 00 00 00 00 ........
04A8 00 00 00 00 00 00 00 00 ........
04B0 00 00 00 00 00 00 00 00 ........
04B8 00 00 00 00 00 00 00 00 ........
04C0 00 00 00 00 00 00 00 00 ........
04C8 00 00 00 00 00 00 00 00 ........
04D0 00 00 00 00 00 00 00 00 ........
04D8 00 00 00 00 00 00 00 00 ........
04E0 00 00 ** ** ** ** ** ** ..

04E2 SEI      \disable interrupts
04E3 LDX #&FF \Minimise stack pointer
04E5 TXS      \destroying all return addresses
04E6 INX      \X=0
04E7 LDA #&03  \disable Escape and clear mem on Break
04E9 STA &0258 \*FX200,3 equivalent
04EC LDA #&4B  \values used for
04EE STA &70   \decryption process
04F0 LDA #&45  \(&4B,&45,&56,&49,&4E
04F2 STA &71   \is "KEVIN" in ASCII)
04F4 LDA #&56
04F6 STA &72
04F8 LDA #&49
04FA STA &73
04FC LDA #&4E
04FE STA &74   \&70-&74 = K,E,V,I,N
0500 LDA &0500   \read a byte of the loader itself as key
0503 EOR &70     \(INC &0501 below moves this address)
0505 INC &0511   \self-modify: bumps the operand
0508 EOR &72     \of EOR #&ED below each iteration
050A INC &71
050C INC &71
050E EOR &71
0510 EOR #&ED    \operand byte lives at &0511
0512 EOR &0600,X \mix in the page 6 byte
0515 LDY &74
0517 STY &051B   \self-modify: ?&74 becomes the
051A EOR #&EC    \operand of this EOR
051C EOR &0601,X \and the following page 6 byte
051F EOR &73
0521 STA &0600,X \write decoded byte back
0524 LDA &73     \update the key bytes
0526 EOR &74
0528 STA &73
052A CLC 
052B ADC #&F4
052D STA &74
052F EOR &0511   \reads the modified operand
0532 STA &72
0534 LSR A
0535 EOR &74
0537 STA &70
0539 INX 
053A BNE &0500   \256 bytes of page 6 per pass
053C LDY #&03  \*FX200,3 equivalent
053E STY &0258
0541 INC &0501   \advance lo byte of LDA &0500 operand
0544 BNE &0500 \loop till done (256 passes)
0546 BEQ &058E \always

\more junk to fill up space

0548 2A 2A 2A 2A 2A 2A 2A 2A ********
0550 2A 2A 2A 2A 2A 2A 2A 2A ********
0558 2A 2A 2A 2A 2A 2A 2A 2A ********
0560 2A 2A 2A 2A 2A 2A 2A 2A ********
0568 2A 2A 2A 2A 2A 2A 2A 2A ********
0570 2A 2A 2A 2A 2A 2A 2A 2A ********
0578 2A 2A 2A 2A 2A 2A 2A 2A ********
0580 2A 2A 2A 2A 2A 2A 2A 2A ********
0588 2A 2A 2A 2A 2A 2A ** ** ******


058E LDA #&00    \Checksum page 6: CRC-16 of &600-&613
0590 STA &70     \&70 = lo byte
0592 STA &71     \&71 = hi byte
0594 TAY 
0595 LDA &71
0597 EOR &0600,Y \xor data byte into hi byte
059A STA &71
059C LDX #&08    \8 bits per byte
059E LDA &71
05A0 ROL A       \C = bit 7 of hi byte
05A1 BCC &05AF   \if set, xor &0810 before
05A3 LDA &71     \the rotate (with the carry
05A5 EOR #&08    \rotated into bit 0 this is
05A7 STA &71     \the standard &1021 polynomial)
05A9 LDA &70
05AB EOR #&10
05AD STA &70
05AF ROL &70     \16-bit rotate left
05B1 ROL &71
05B3 DEX 
05B4 BNE &059E
05B6 INY 
05B7 CPY #&14    \20 bytes
05B9 BNE &0595
05BB LDA &70     \lo byte
05BD CMP &06FE   \checksum values stored at &6FE/&6FF
05C0 BNE &05D6   \(1E 6C in the dump at &6F8)
05C2 LDA &71     \hi byte
05C4 CMP &06FF
05C7 BEQ &0600   \If matched continue 
05C9 BNE &05D6   \else freeze

\a greeting message

05C8 ** ** ** 48 69 20 42 54    Hi BT
05D0 57 20 2E 2E 2E 2E A9 C8 W ......
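The checksum loop at &058E-&05C7 is the standard BBC Micro CRC-16. The following Python model is an added example, not code from the article; it treats ?&71 as the high byte and ?&70 as the low byte, feeds &0600-&0613 (CPY #&14 = 20 bytes) through the routine and compares the result with the pair at ?&6FE / ?&6FF. The 20 listing bytes are assembled by hand from the disassembly, and the page around them is constructed.

```python
# Added example (not the article's code): Python model of the checksum loop at
# &058E-&05C7. ?&71 is the high byte and ?&70 the low byte of a CRC-16
# (polynomial &1021, the standard BBC Micro tape CRC) over &0600-&0613,
# compared against the pair stored at ?&6FE / ?&6FF.

def crc16_loader(data):
    """Bit-for-bit model of &0595-&05B9. ROL A copies bit 7 of H into C;
    when set, H ^= &08 and L ^= &10 before the 16-bit rotate, and the
    carry rotating into bit 0 of L supplies the trailing 1 of &1021."""
    h = l = 0                                   # LDA #&00 : STA &70 : STA &71
    for byte in data:
        h ^= byte                               # LDA &71 : EOR &0600,Y : STA &71
        for _ in range(8):                      # LDX #&08 ... DEX : BNE &059E
            c = h >> 7                          # ROL A -> C = bit 7 of H
            if c:                               # BCC &05AF skips when clear
                h ^= 0x08                       # EOR #&08 : STA &71
                l ^= 0x10                       # EOR #&10 : STA &70
            l, c = ((l << 1) | c) & 0xFF, l >> 7  # ROL &70
            h = ((h << 1) | c) & 0xFF           # ROL &71
    return (h << 8) | l

def crc16_xmodem(data):
    """Textbook CRC-16/XMODEM (init 0, poly &1021) for comparison."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

# &0600-&0613 assembled from the listing (LDX #&E6 ... LDA &0200,X): the loop
# checksums the loader's own code, so a patch there is caught like a bad &6FE/&6FF.
PAGE6_HEAD = bytes.fromhex("A2E69AA90D48A9FF48A97A48A99548A235BD0002")

def page6_check(page6):
    """The compare at &05BB-&05C7: L against ?&6FE, H against ?&6FF."""
    crc = crc16_loader(page6[:0x14])
    return (crc & 0xFF) == page6[0xFE] and (crc >> 8) == page6[0xFF]

def build_page6(patch_offset=None):
    """Constructed page 6: listing bytes up front and a matching pair at the
    end; patch_offset flips one bit to simulate an edit to the code."""
    page = bytearray(256)
    page[:0x14] = PAGE6_HEAD
    crc = crc16_loader(PAGE6_HEAD)
    page[0xFE], page[0xFF] = crc & 0xFF, crc >> 8
    if patch_offset is not None:
        page[patch_offset] ^= 0x01
    return page
```

Because the 20 bytes checked are the opcodes of the stack set-up and vector check themselves, the loader verifies its own code before running it; the dump at &6F8 ends in 1E 6C, the pair the real page must produce.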


0600 LDX #&E6  \Stack pointer
0602 TXS 
0603 LDA #&0D  \Return address &DFF
0605 PHA       \(RTS adds 1, so the RTS
0606 LDA #&FF  \at the end of OScli lands
0608 PHA       \at &E00, where GAME loads)
0609 LDA #&7A  \values used
060B PHA       \
060C LDA #&95  \for decryption
060E PHA 
060F LDX #&35    \Check vectors in
0611 LDA &0200,X \page 2, if any hi bytes   
0614 BPL &05DD   \are +ve they have been
0616 DEX         \altered by the user!
0617 DEX 
0618 BPL &0611
061A LDA #0      \erase part of program
061C TAY         \from &600-&61C
061D STA &0600,Y \to fool the pirate
0620 INY 
0621 CPY #&1D
0623 BNE &061D
0625 CLI        \re-enable interrupts
0626 LDA #&8C   \Select tape
0628 LDX #&0C   \*FX140,12
062A JSR OSbyte \or *TAPE equivalent
062D LDX #&7D   \execute *command
062F LDY #&06   \at &67D
0631 JSR OScli  \*L.GAME?? E00
0634 SEI       \disable interrupt
0635 LDA #&03  \disable Esc and clear
0637 STA &0258 \mem on break
063A LDY #&00 
063C LDX #&4A   \&4A=74 pages: &E00-&57FF
063E PLA 
063F STA &70   \?&70=&95
0641 STA &71   \?&71=&95
0643 PLA 
0644 STA &72     \?&72=&7A
0646 LDA &0E00,Y \decrypt
0649 EOR &70     \game code
064B DEC &71
064D EOR &71
064F EOR &72
0651 STA &0E00,Y
0654 INC &72
0656 LDA &72
0658 SEC 
0659 SBC #&5F
065B EOR &71
065D STA &72
065F EOR &70
0661 STA &70
0663 EOR #&E4
0665 STA &71
0667 EOR &72
0669 INY 
066A BNE &0646
066C INC &0648  \next page: hi byte of LDA &0E00,Y
066F INC &0653  \and of STA &0E00,Y
0672 DEX 
0673 BNE &0646
0675 CLI       \re-enable interrupts
0676 LDX #&8A  \*command at
0678 LDY #&06  \&68A
067A JMP OScli \*L.GAME2?? 400 (loads over
               \this loader at &400), then
               \OScli's RTS pops &DFF and
               \execution continues at &E00
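The loop at &0646-&0673 is a small keystream generator: each byte of the game is EORed with ?&70, ?&71 and ?&72, and the state update that follows depends only on those three bytes, never on the data. The model below is an added example, not code from the article; the start values are the bytes pulled back off the stack (?&70 = ?&71 = &95, ?&72 = &7A), the range comes from LDX #&4A plus the INC &0648 / INC &0653 page stepping, and the sample plaintext is constructed.

```python
# Added example (not the article's code): Python model of the game-decrypt
# loop at &0646-&0673. Start values are the bytes the loader pulled back off
# the stack (?&70 = ?&71 = &95, ?&72 = &7A); the size comes from LDX #&4A and
# the INC &0648 / INC &0653 page stepping (&4A pages from &E00, i.e. to &57FF).
# The sample plaintext below is constructed, not the real game.

BASE, PAGES = 0x0E00, 0x4A

def keystream(nbytes, z70=0x95, z71=0x95, z72=0x7A):
    """Byte mask the loop EORs into memory. The data byte only meets EOR &70,
    EOR &71 and EOR &72; the state update afterwards depends on those three
    bytes alone, so the mask is data-independent and the loop is its own
    inverse (running it on plaintext produces the ciphertext)."""
    out = []
    for _ in range(nbytes):
        z71 = (z71 - 1) & 0xFF              # DEC &71
        out.append(z70 ^ z71 ^ z72)         # EOR &70 : EOR &71 : EOR &72
        z72 = (z72 + 1) & 0xFF              # INC &72
        a = (z72 - 0x5F) & 0xFF             # LDA &72 : SEC : SBC #&5F
        a ^= z71; z72 = a                   # EOR &71 : STA &72
        a ^= z70; z70 = a                   # EOR &70 : STA &70
        a ^= 0xE4; z71 = a                  # EOR #&E4 : STA &71
        # EOR &72 at &0667 is dead: A is reloaded by LDA &0E00,Y
    return out

def apply_loop(mem):
    """Run the loop over a 64K memory image; returns a new image."""
    out = bytearray(mem)
    for i, k in enumerate(keystream(PAGES * 256)):
        out[BASE + i] ^= k
    return out

def round_trip(plain):
    """Place constructed plaintext at &E00, encrypt, decrypt, compare."""
    mem = bytearray(0x10000)
    mem[BASE:BASE + len(plain)] = plain
    enc = apply_loop(mem)
    dec = apply_loop(enc)
    return bytes(dec[BASE:BASE + len(plain)]) == bytes(plain)

SAMPLE = bytes((i * 37 + 11) & 0xFF for i in range(PAGES * 256))
```

Since the mask never depends on the data, the two bytes pushed at &0609-&060E are the entire key, and a memory image taken at &0646 contains everything needed to reproduce the stream.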

\*commands

0678 ** ** ** ** ** 4C 2E 47      L.G
0680 41 4D 45 81 7F 20 45 30 AME. E0
0688 30 0D 4C 2E 47 41 4D 45 0.L.GAME
0690 32 82 7F 20 34 30 30 0D 2. 400.

\junk and message to pirate

0698 50 72 6F 74 65 63 74 69 Protecti
06A0 6F 6E 20 28 63 29 20 4B on (c) K
06A8 65 76 69 6E 20 45 64 77 evin Edw
06B0 61 72 64 73 20 31 39 38 ards 198
06B8 36 20 59 6F B0 E5 B1 AA 6 You to
06C0 6F 6B 20 79 6F 75 72 20 ok your 
06C8 74 69 6D 65 20 21 20 20 time !  
06D0 20 20 20 20 20 20 20 20         
06D8 20 20 20 20 20 20 20 20         
06E0 20 20 20 20 20 20 20 20         
06E8 20 20 20 20 20 20 20 20         
06F0 20 20 20 20 20 20 20 20         
06F8 20 20 20 20 E5 E5 1E 6C     ...l

Mr Spock 1 Apr 2004