Mikie (Hacking Tips #10)

By Mr. Spock

Originally published in EUG #71

Mikie. Disassembly of MIKIE!, the loader that decrypts the second part of itself and then *LOADs the short Basic program MIKIE3. MIKIE3 resides at PAGE=&4D00 and is decrypted along with the rest of the second part (&47 pages from &1100) before control returns to Basic's RUN address in ROM, which the loader reaches by pushing that address onto the stack and executing RTS.

0DE8 LDY #0      \In Basic A%=&CB
0DEA STY &70     \FOR X%=0 TO &FF
0DEC LDA &0E00,Y \X%?&E00
0DEF EOR #&FF    \=X%?&E00 EOR &FF
0DF1 DEC &0DF5
0DF4 EOR #&CC    \EOR A%
0DF6 EOR &70     \EOR X%
0DF8 INC &70
0DFA STA &0E00,Y \A%=(A%-1)AND&FF
0DFD INY         \NEXT
0DFE BNE &0DEC   \loop over all 256 bytes (inferred from the 2-byte gap at &DFE)
0E00 LDA #3    \Disable Escape and clear mem on Break
0E02 STA &0258 \*FX200,3 equivalent
0E05 LDA #&4D
0E07 STA &18   \PAGE=&4D00
0E09 LDA #&77  \ of Basic program
0E0B STA &12   \ on top of code
0E0D LDA #&56  \ loaded in later
0E0F STA &13   \TOP=&5677
0E11 LDA #&BD  \&BD13 is address
0E13 PHA       \of Basic's RUN routine
0E14 LDA #&13  \so pushing onto stack then RTS
0E16 PHA       \is like typing RUN
0E17 LDA #&BB  \
0E19 PHA       \decryption value used later
0E1A LDX #&1A
0E1D STA &0E00,X \erase part of program
0E20 DEX         \&E00-&E1A
0E21 BPL &0E1D
0E23 LDA #140   \*FX140,12
0E25 LDX #12    \or *TAPE
0E27 JSR OSbyte \equivalent
0E2A LDX #&51  \
0E2C LDY #&0E  \*command at
0E2E JSR OScli \&E51
0E31 LDY #&00
0E33 LDX #&47  \decrypt &47 pages
0E35 PLA 
0E36 STA &0E3D   \in Basic this is
0E39 LDA &1100,Y \FOR X%=0 TO &46FF
0E3C EOR #&03    \X%?&1100=X%?&1100 EOR &BB 
0E3E STA &1100,Y \
0E41 INY 
0E42 BNE &0E39
0E44 INC &0E3B
0E47 INC &0E40
0E4A DEX         \next page (inferred from the 1-byte gap at &E4A and LDX #&47)
0E4B BNE &0E39
0E4D STY &0E3D
0E50 RTS \returning to &BD13, Basic's RUN address

\*command set up at &E2A-&E2E: X/Y point OScli at the string at &E51
\*LOAD MIKIE3??? 4D00  (??? are the three &7F DEL bytes in the dump below)
\loads the short Basic program MIKIE3 at &4D00, on top of the code loaded in later
0E50 ** 4C 2E 4D 49 4B 49 45  L.MIKIE
0E58 33 7F 7F 7F 20 34 44 30 3... 4D0
0E60 30 0D ** ** ** ** ** ** 0.
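To check the arithmetic of the two EOR passes without a BBC Micro, here is a Python model of them. It is an added example, not code from EUG #71 or from the game: the constants (page at &E00, counter starting at &CB because DEC &0DF5 turns EOR #&CC into EOR #&CB before its first use, the fixed EOR #&FF, the key &BB pushed at &E17 and pulled into the operand at &E3D, &47 pages from &1100) are taken from the listing; the page count assumes the loop counts X down once per page, and the data it runs over is constructed here.

```python
"""Python model of the two EOR passes in the MIKIE! loader (added example)."""

PAGE = 0x100
STAGE1_BASE = 0x0E00          # first loop decrypts this single page
STAGE2_BASE = 0x1100          # second loop starts here
STAGE2_PAGES = 0x47           # from LDX #&47, assumed to be counted down per page
STAGE2_KEY = 0xBB             # pushed at &E17, pulled at &E35
EOR_OPERAND_ADDR = 0x0E3D     # operand byte of EOR #&03 at &E3C


def stage1_key(x: int) -> int:
    """Key byte for index x in the first loop (&DE8-&DFE).

    A% starts at &CB and is decremented once per byte by the self-modifying
    DEC &0DF5; X% is the index itself; &FF is the fixed EOR.
    """
    a = (0xCB - x) & 0xFF
    return 0xFF ^ a ^ x


def stage1(block: bytes) -> bytes:
    """Apply the first pass to one 256-byte page (the page at &E00)."""
    if len(block) != PAGE:
        raise ValueError("stage 1 covers exactly one page")
    return bytes(b ^ stage1_key(x) for x, b in enumerate(block))


def stage2(mem: bytearray, key: int = STAGE2_KEY) -> None:
    """Apply the second pass in place on a 64K memory image.

    Mirrors &E35-&E4D: the key is written into the EOR operand, &47 pages
    from &1100 are EORed with it, then the operand is overwritten with
    zero (STY &0E3D with Y=0) so the key no longer sits in the code.
    """
    mem[EOR_OPERAND_ADDR] = key
    for addr in range(STAGE2_BASE, STAGE2_BASE + STAGE2_PAGES * PAGE):
        mem[addr] ^= mem[EOR_OPERAND_ADDR]
    mem[EOR_OPERAND_ADDR] = 0


def stage2_range() -> tuple:
    """First address covered by pass 2 and the first address beyond it."""
    return STAGE2_BASE, STAGE2_BASE + STAGE2_PAGES * PAGE


def demo() -> dict:
    """Round-trip constructed data through both passes.

    EOR is its own inverse, so running a pass twice with the same key
    sequence restores the input; the loader relies on exactly this to
    be encrypted once and decrypt itself at load time.
    """
    # Constructed plaintext: a recognisable pattern, not real game data.
    page = bytes((i * 7 + 3) & 0xFF for i in range(PAGE))
    enc = stage1(page)          # same operation encrypts ...
    dec = stage1(enc)           # ... and decrypts

    mem = bytearray(0x10000)
    start, end = stage2_range()
    mem[start:end] = bytes((i * 13) & 0xFF for i in range(end - start))
    original = bytes(mem[start:end])
    stage2(mem)                 # encrypt
    changed = bytes(mem[start:end]) != original
    stage2(mem)                 # decrypt
    return {
        "stage1_roundtrip": dec == page,
        "stage1_first_key": stage1_key(0),
        "stage2_changed": changed,
        "stage2_roundtrip": bytes(mem[start:end]) == original,
        "key_hidden": mem[EOR_OPERAND_ADDR],
        "stage2_end": end,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second pass ends at &5800, so the Basic program at &4D00 (TOP=&5677) lies inside the decrypted region, which is why it can be *LOADed before the loop and still come out readable.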

Mr Spock 4 Apr 2004