Yie Ar Kung Fu (Hacking Tips #13)

By Mr. Spock

Originally published in EUG #71

Yie Ar Kung Fu: an example of a self-decrypting loader that returns to Basic II's RUN routine at &BD13. It pushes that address onto the stack so that the RTS at the end goes to it and starts the Basic program.

0DE8 LDY #0      \
0DEA STY &70     \
0DEC LDA &0E00,Y \ decrypt PAGE &E
0DEF EOR #&FF    \ by EORing bytes with &FF
0DF1 DEC &0DF5   \ and a byte going from &CB down, wrapping round to &CC
0DF4 EOR #&CC    \ (operand at &0DF5 is changed by the DEC above)
0DF6 EOR &70     \ and a byte going 0 up to &FF
0DF8 INC &70 
0DFA STA &0E00,Y
0DFD INY
0DFE BNE &0DEC

The next bit can be 'zapped' by typing the following, which is a Basic version of the above code:

*LOAD YIE3 1DE8
Y%=203:Z%=0:FORX%=0TO&FF:X%?&1E00=X%?&1E00 EOR&FF EORY% EORZ%:Y%=(Y%-1)AND&FF:Z%=(Z%+1)AND&FF:NEXT
*SAVE YIE3Z 1DE8+118 DE8 DE8

File YIE3Z now contains the decrypted code. By the time we get here the code is decrypted:

0E00 LDA #3    \Disable Escape and clear memory on Break
0E02 STA &0258 \*FX200,3 equivalent
0E05 LDA #&B3  \&56B3
0E07 STA &12   \is the TOP of the Basic control program
0E09 LDA #&56 
0E0B STA &13
0E0D LDA #&BD  \&BD13 is the Basic II rom RUN routine 
0E0F PHA       \so when we RTS at the end of this
0E10 LDA #&13  \it will be like typing RUN to start 
0E12 PHA       \the game
0E13 LDA #&CC  \value used later for decryption
0E15 PHA       \pushed on stack
0E16 LDX #&16  \fill &E00-&E16 with &16 to hide the
0E18 TXA       \start of the program from prying eyes
0E19 STA &0E00,X
0E1C DEX
0E1D BPL &0E19
0E1F LDA #140  \*FX140,12
0E21 LDX #12   \*TAPE equivalent
0E23 JSR OSbyte
0E26 LDX #&4D  \string at &E4D
0E28 LDY #&0E
0E2A JSR OScli \do *LOAD YIE3??? 5200
0E2D LDY #0
0E2F LDX #&47  \prepare to decrypt &47 pages 
0E31 PLA       \retrieve value stacked earlier 
0E32 STA &0E39
0E35 LDA &1100,Y
0E38 EOR #3      \this is EOR #&CC see line &E32
0E3A STA &1100,Y \in Basic this would be
0E3D INY         \FORX%=&1100TO&57FF:?X%=?X% EOR&CC:NEXT
0E3E BNE &0E35
0E40 INC &0E37   \increment hi byte of source address
0E43 INC &0E3C   \increment hi byte of destination address
0E46 DEX
0E47 BNE &0E35   \loop till all pages done
0E49 STY &0E39   \so instruction at &E38 is EOR #0
0E4C RTS         \return to &BD13 - Basic RUN

The next bit is the OSCLI string - *L. YIE3??? 5200

0E48 ** ** ** ** ** 4C 2E 20      L. 
0E50 59 49 45 33 7F 7F 7F 20 YIE3...
0E58 35 32 30 30 0D ** ** ** 5200. 
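
The two XOR passes listed above can be reproduced offline to decode a dump without running the loader. The Python below is an added example, not part of the original article; the function names and the zero-padded sample page are constructed for illustration.

```python
# Added illustration (not from the original article): static re-implementation
# of the loader's two XOR passes, for analysing a dump without running it.

def stage1_decrypt(page: bytes) -> tuple:
    """Mirror of the loop at &0DE8: one 256-byte page, three XOR terms."""
    if len(page) != 256:
        raise ValueError("the loop at &0DE8 processes exactly one page")
    operand = 0xCC           # byte at &0DF5, the operand of 'EOR #&CC'
    counter = 0              # zero-page location &70
    out = bytearray(256)
    for y in range(256):
        a = page[y] ^ 0xFF
        operand = (operand - 1) & 0xFF   # DEC &0DF5 runs before the EOR,
        a ^= operand                     # so the first key byte is &CB
        a ^= counter
        counter = (counter + 1) & 0xFF   # INC &70
        out[y] = a
    return bytes(out), operand           # operand has wrapped back to &CC


def stage1_key(y: int) -> int:
    """Closed form of the per-byte key, matching the Basic one-liner."""
    return 0xFF ^ ((0xCB - y) & 0xFF) ^ y


def stage2_decrypt(block: bytes, key: int = 0xCC) -> bytes:
    """Mirror of the loop at &0E35: every byte XORed with one constant."""
    return bytes(b ^ key for b in block)


if __name__ == "__main__":
    # Constructed sample: the first five plaintext bytes listed at &0E00
    # (LDA #3 / STA &0258), padded with zeros to a full page.
    plain = bytes([0xA9, 0x03, 0x8D, 0x58, 0x02]) + bytes(251)
    # XOR is its own inverse, so the same routine produces the ciphertext.
    cipher, _ = stage1_decrypt(plain)
    recovered, operand = stage1_decrypt(cipher)
    print(recovered[:5].hex(), hex(operand))
```

Because the operand at &0DF5 is decremented 256 times, it ends the loop holding &CC again, so the decryption loop itself looks unmodified after it has run.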

Mr Spock 26 Mar 2004