Xor (Hacking Tips #12)

Xor - a Kevin Edwards loader. Disassembly of XOR2 with comments.

0400 LDA #3    \Disable escape & clear break
0402 STA &0258 \*FX200,3 equivalent
0405 LDA #15   \clear keyboard buffer
0407 LDX #0    \*FX15,0
0409 JSR OSbyte
040C JMP &04E2 \continue execution at &4E2

This next dump is just a copyright message and some asterisks to fill up memory - not used for decryption etc.

0408 ** ** ** ** ** ** ** 50        P
0410 72 6F 74 65 63 74 69 6F rotectio
0418 6E 20 28 63 29 20 4B 65 n (c) Ke
0420 76 69 6E 20 45 64 77 61 vin Edwa
0428 72 64 73 20 31 39 38 37 rds 1987
0430 2A 2A 2A 2A 2A 2A 2A 2A ********
0438 2A 2A 2A 2A 2A 2A 2A 2A ********
0440 2A 2A 2A 2A 2A 2A 2A 2A ********
0448 2A 2A 2A 2A 2A 2A 2A 2A ********
0450 2A 2A 2A 2A 2A 2A 2A 2A ********
0458 2A 2A 2A 2A 2A 2A 2A 2A ********
0460 2A 2A 2A 2A 2A 2A 2A 2A ********
0468 2A 2A 2A 2A 2A 2A 2A 2A ********
0470 2A 2A 2A 2A 2A 2A 2A 2A ********
0478 2A 2A 2A 2A 2A 2A 2A 2A ********
0480 2A 2A 2A 2A 2A 2A 2A 2A ********
0488 2A 2A 2A 2A 2A 2A 2A 2A ********
0490 2A 2A 2A 2A 2A 2A 2A 2A ********
0498 2A 2A 2A 2A 2A 2A 2A 2A ********
04A0 2A 2A 2A 2A 2A 2A 2A 2A ********
04A8 2A 2A 2A 2A 2A 2A 2A 2A ********
04B0 2A 2A 2A 2A 2A 2A 2A 2A ********
04B8 2A 2A 2A 2A 2A 2A 2A 2A ********
04C0 2A 2A 2A 2A 2A 2A 2A 2A ********
04C8 2A 2A 2A 2A 2A 2A 2A 2A ********
04D0 2A 2A 2A 2A 2A 2A 2A 2A ********
04D8 2A 2A 2A 2A 2A 2A 2A 2A ********
04E0 2A 2A ** ** ** ** ** ** **

04E2 SEI       \Disable interrupts
04E3 LDX #255  \Stack pointer=255 ie lose all
04E5 TXS       \previous return addresses
04E6 INX       \X=0
04E7 LDA #3    \disable Escape and clear memory on break
04E9 STA &0258 \*FX200,3 equivalent
04EC LDA #75   \Store some numbers in
04EE STA &70   \which are used for decryption 
04F0 LDA #69   \in &70 -
04F2 STA &71
04F4 LDA #86
04F6 STA &72
04F8 LDA #73
04FA STA &73
04FC LDA #78
04FE STA &74   \ &74

0500 LDA &0500 \beginning of loop that decrypts
0503 EOR &70   \next part of loader
0505 INC &0511
0508 EOR &72
050A INC &71
050C INC &71
050E EOR &71
0510 EOR #237
0512 EOR &0600,X
0515 LDY &74
0517 STY &051B \replaces #236 in next line
051A EOR #236
051C EOR &0601,X
051F EOR &73
0521 STA &0600,X
0524 LDA &73
0526 EOR &74
0528 STA &73
052A SEC
052B ADC #244
052D STA &74
052F EOR &0511 \see 0510 EOR #237
0532 STA &72
0534 LSR A
0535 EOR &74
0537 STA &70
0539 INX
053A BNE &0500
053C LDY #3
053E STY &0258
0541 INC &0501
0544 BNE &0500 \loop till all done
0546 BEQ &058E \go to next part of loader

This is more junk to fill up space:

0548 2A 2A 2A 2A 2A 2A 2A 2A ********
0550 2A 2A 2A 2A 2A 2A 2A 2A ********
0558 2A 2A 2A 2A 2A 2A 2A 2A ********
0560 2A 2A 2A 2A 2A 2A 2A 2A ********
0568 2A 2A 2A 2A 2A 2A 2A 2A ********
0570 2A 2A 2A 2A 2A 2A 2A 2A ********
0578 2A 2A 2A 2A 2A 2A 2A 2A ********
0580 2A 2A 2A 2A 2A 2A 2A 2A ********
0588 2A 2A 2A 2A 2A 2A ** ** ******

058E LDA #0
0590 STA &70
0592 STA &71 
0594 TAY        \Y=0
0595 LDA &71
0597 EOR &0600,Y
059A STA &71
059C LDX #8
059E LDA &71
05A0 ROL A
05A1 BCC &05AF
05A3 LDA &71
05A5 EOR #8
05A7 STA &71
05A9 LDA &70
05AB EOR #16
05AD STA &70
05AF ROL &70
05B1 ROL &71
05B3 DEX
05B4 BNE &059E
05B6 INY
05B7 CPY #20
05B9 BNE &0595
05BB LDA &70
05BD CMP &06FE
05C0 BNE &05D6
05C2 LDA &71
05C4 CMP &06FF
05C7 BEQ &0600 \if bytes match checksum goto &600
05C9 BNE &05D6 \else loop forever

Some more scrap - including a hello message

05C8 37 D0 0B 48 69 20 42 54 7..Hi BT
05D0 57 20 2E 2E 2E 2E ** ** W ....

Code executed if checksums don't match, see &5BD-&5C9

05D6 LDA #200   \disable Escape and clear memory on break
05D8 LDX #3 
05DA JSR OSbyte
05DD INY        \freeze machine by
05E0 JMP &05DD  \looping forever!

Another copyright message:

05E0 ** ** ** ** 20 28 63 29      (c)
05E8 20 4B 65 76 69 6E 20 45  Kevin E
05F0 64 77 61 72 64 73 20 31 dwards 1
05F8 39 38 37 20 20 20 20 20 987

The next part is revealed when decrypted (see XORZAP at the end of the article). Instead of JMPing to an address to execute the game, note the pushing of the execute address (&28FF) onto the stack and then RTSing at the end of it all.

0600 LDX #&C5  \set stack pointer
0602 TXS 
0603 LDA #&28  \push values onto stack
0605 PHA 
0606 LDA #&FF  \&28FF is the execution address for game
0608 PHA 
0609 LDA #&56  \these are values
060B PHA
060C LDA #&DE  \used in the decryption routine
060E PHA
060F LDX #&35    \check vectors at &234/5 &232/3 etc.
0611 LDA &0200,X \If any have been altered ie poked by
0614 BPL &05DD   \would-be pirate the high byte will be
0616 DEX         \+ve high byte so go to loop forever routine
0617 DEX
0618 BPL &1611
061A LDA #0
061C TAY         \Y=0
061D STA &0600,Y \erase part of program at &600
0620 INY 
0621 CPY #&1D    \to &61C
0623 BNE &161D
0625 CLI         \reenable interrupts
0626 LDA #140    \Select cassette filing system
0628 LDX #12     \*FX140,12 or *TAPE
062A JSR OSbyte  \equivalent
062D LDX #&B8    \star command at
062F LDY #&06    \&6B8
0631 JSR OScli   \*LOAD game file
0634 SEI
0635 LDA #3    \disable Escape and clear memory on Break
0637 STA &0258 \*FX200,3 equivalent  
063A LDY #0
063C LDX #&4A  \decrypt &4A pages of game code
063E PLA       \A=&DE
063F STA &70   \?&70=&DE
0641 STA &71   \?&71=&DE
0643 PLA       \A=&56
0644 STA &72   \?&72=&56
0646 LDA &0E00,Y   \This address inc'd at &66C
0649 EOR &70       \
064B DEC &71       \The routine to decrypt the game code
064D EOR &71
064F EOR &72
0651 STA &0E00,Y   \This address inc'd at &66F
0654 INC &72
0656 LDA &72
0658 SEC 
0659 SBC #95
065B EOR &71
065D STA &72
065F EOR &70
0661 STA &70
0663 EOR #228
0665 STA &71
0667 EOR &72 
0669 INY
066A BNE &0646
066C INC &0648
066F INC &0653
0672 DEX         \loop until page count
0673 BNE &0646   \is zero
0675 CLI         \reenable interrupts
0676 LDX #&77    \erase code
0678 STA &0600,X \
067B DEX         \at &600-&677
067C BNE &0678   \
067E RTS         \return to address on stack - &28FF

More junk to fill up space:

0678 ** ** ** ** ** ** ** 2A        *
0680 2A 2A 2A 2A 2A 2A 2A 2A ********
0688 2A 2A 2A 2A 2A 2A 2A 2A ********
0690 2A 2A 2A 2A 2A 2A 2A 2A ********
0698 2A 2A 2A 2A 2A 2A 2A 2A ********
06A0 2A 2A 2A 2A 2A 2A 2A 2A ********
06A8 2A 2A 2A 2A 2A 2A 2A 2A ********
06B0 2A 2A 2A 2A 2A 2A 2A 2A ********

The OScli string:

06B8 4C 2E 47 41 88 80 BA 47 L.GA...G
06C0 20 45 30 30 0D ** ** **  E00.

And Kevin finally admits defeat:

06C0 ** ** ** ** ** 50 72 6F  E00.Pro
06C8 74 65 63 74 69 6F 6E 20 tection 
06D0 28 63 29 20 4B 65 76 69 (c) Kevi
06D8 6E 20 45 64 77 61 72 64 n Edward
06E0 73 20 31 39 38 37 20 59 s 1987 Y
06E8 6F 75 20 74 6F 6F 6B 20 ou took 
06F0 79 6F 75 72 20 74 69 6D your tim
06F8 65 20 21 20 E5 E5 F6 58 e ! ...X

06FE EQUB &96 \checksum bytes for routine at &5BB-&5C9
06FF EQUB &B2 \in encrypted state

This is a program to 'zap' the loader. XOR2 must be on disc. It will patch, execute and save out a decrypted version of XOR2 under the name XOR2Z. The 'zapped' code from &600 onwards can then be inspected with a disassembler.

   10 REM XOR loader zapper By Mr Spock
   20 oscli=&FFF7
   30 P%=&900
   40 [
   50 .c1:EQUS"L.XOR2 400"+CHR$&D
   60 .c2:EQUS"SAVE XOR2Z 400+301"+CHR$&D
   70 .go
   80 LDX#c1 MOD256:LDY#c1 DIV256:JSRoscli
   90 \RTS before too late
  100 LDA#&60:STA&5BB
  110 \Execute patched code
  120 LDX#0:JSR&4EC
  130 \Save decrypted version
  140 LDX#c2 MOD256:LDY#c2 DIV256:JMPoscli
  150 ]

Mr Spock 26 Mar 2004

Home

FAQs

Library

DVD

By Mr. Spock

Home FAQs Library DVD

Xor (Hacking Tips #12)

By Mr. Spock

Home

FAQs

Library

DVD