Bed Bugs (Hacking Tips #1)

By Mr. Spock

Originally published in EUG #71

Bed Bugs starts with BED.BUGS, a file that is a mixture of Basic, machine code and data. Although parts of the Basic program are protected by hidden control codes, this is not important to the actual loading of the game, so these case notes ignore BED.BUGS and concentrate on the loaders BED.BUGS1, BED.BUGS2 and BED.BUGS3. The latter two programs each contain an encrypted Basic program headed by a small section of machine code that decodes and RUNs it by feeding characters into the keyboard buffer.

After running BED.BUGS, ?&99=&85, ?&86=&56 and ?&87=&DC. Disassembly of BED.BUGS1:

2B05 SEI 
2B06 LDA &86
2B08 STA &0204
2B0B LDA &87
2B0D STA &0205
2B10 LDA #&EA
2B12 STA &2B21
2B15 LDX #&09
2B17 LDA &8F,X
2B19 CMP &2B3B,X
2B1C BNE &2B2E
2B1E DEX 
2B1F BNE &2B17
2B21 RTS 
2B22 LDA #&2D
2B24 STA &70
2B26 LDA #&0D
2B28 STA &71
2B2A CLI 
2B2B JMP &2B46
2B2E LDA #&00
2B30 STA &2B3C,X
2B33 DEX 
2B34 BNE &2B2E
2B36 INC &2B32
2B39 BNE &2B2E
2B3B RTS 

New address?2B3C
2B3C 42 45 44 2E 42 55 47 53 BED.BUGS
2B44 31 0D A2 00 BD 53 2B 45 1....S+E

New address?2B46
2B46 LDX #&00
2B48 LDA &2B53,X
2B4B EOR &99
2B4D STA &2B53,X
2B50 INX 
2B51 BNE &2B48
2B53 NOP 
2B54 LDA #&12
2B56 JSR OSbyte
2B59 LDA #&0F
2B5B LDX #&00
2B5D JSR OSbyte
2B60 LDA #&85
2B62 STA &0D00
2B65 LDX #&91
2B67 LDY #&2B
2B69 JSR OScli 
2B6C LDX #&C9
2B6E LDY #&2B
2B70 JSR OScli 
2B73 LDA #&15
2B75 JSR OSwrch
2B78 LDA #&8A
2B7A LDX #&00
2B7C LDY #&80
2B7E JSR OSbyte
2B81 LDX #&06
2B83 LDY #&2C
2B85 JSR OScli 
2B88 LDA #&C8
2B8A LDX #&03
2B8C LDY #&00
2B8E JSR OSbyte

New address?2B90
2B90 ** 4B 45 59 30 7C 55 7C  KEY0|U|
2B98 4D 50 41 47 45 3D 26 32 MPAGE=&2
2BA0 35 30 30 7C 4D 4F 4C 44 500|MOLD
2BA8 7C 4D 52 55 4E 7C 46 7C |MRUN|F|
2BB0 4D 2A 52 55 4E 20 42 45 M*RUN BE
2BB8 44 2E 42 55 47 53 32 85 D.BUGS2.
2BC0 7C 46 7C 4D 0D 85 85 85 |F|M....
2BC8 85 4B 45 59 31 7C 55 7C .KEY1|U|
2BD0 4D 50 41 47 45 3D 26 32 MPAGE=&2
2BD8 35 30 30 7C 4D 4F 4C 44 500|MOLD
2BE0 7C 4D 52 55 4E 7C 46 7C |MRUN|F|
2BE8 4D 2A 52 55 4E 20 42 45 M*RUN BE
2BF0 44 2E 42 55 47 53 33 85 D.BUGS3.
2BF8 7C 46 7C 4D 0D 85 85 85 |F|M....
2C00 A0 85 85 85 85 85 42 41 ......BA
2C08 53 49 43 0D 85 85 85 85 SIC.....
2C10 85 85 85 85 85 85 85 85 ........
2C18 85 85 85 85 85 85 85 85 ........

Disassembly of BED.BUGS2:

2480 LDX #&00
2482 LDA &248D,X
2485 EOR &0D00   \?&D00=133
2488 STA &248D,X
248B INX 
248C BNE &2482
248E LDA &258D,X
2491 EOR &0D00
2494 STA &258D,X
2497 INX 
2498 BNE &248E
249A INC &2490
249D INC &2496
24A0 LDA &2496
24A3 CMP #&2D
24A5 BNE &248E
24A7 LDA #&0F
24A9 JSR OSbyte
24AC LDA #&C8
24AE LDX #&03
24B0 LDY #&00
24B2 JSR OSbyte
24B5 LDA #&3D
24B7 STA &0D01
24BA LDA #&15
24BC JSR OSwrch
24BF LDA #&8A
24C1 LDX #&00
24C3 LDY #&81
24C5 JSR OSbyte
24C8 LDX #&CF
24CA LDY #&24
24CC JSR OScli 
24CF ??? 

New address?24CF
24CF 42 41 53 49 43 0D 49 4E BASIC.IN

Disassembly of BED.BUGS3:

0D80 LDX #&00
0D82 LDA &0D8D,X
0D85 EOR &0D01    \?&D01=61
0D88 STA &0D8D,X
0D8B INX 
0D8C BNE &0D82
0D8E INC &0D84
0D91 INC &0D8A
0D94 LDA &0D8A
0D97 CMP #&2F
0D99 BNE &0D82
0D9B LDA &0DA6,X
0D9E EOR &0D00   \?&D00=133
0DA1 STA &0DA6,X
0DA4 INX 
0DA5 BNE &0D9B
0DA7 INC &0D9D
0DAA INC &0DA3
0DAD LDA &0DA3
0DB0 CMP #&2F
0DB2 BNE &0D9B
0DB4 LDA #&0F
0DB6 JSR OSbyte
0DB9 LDA #&C8
0DBB LDX #&03
0DBD LDY #&00
0DBF JSR OSbyte
0DC2 LDX #&DE
0DC4 LDY #&0D
0DC6 JSR OScli 
0DC9 LDA #&15
0DCB JSR OSwrch
0DCE LDA #&8A
0DD0 LDX #&00
0DD2 LDY #&80
0DD4 JSR OSbyte
0DD7 LDX #&FB
0DD9 LDY #&0D
0DDB JSR OScli 

New address?0DD8
0DD8 FB A0 0D 20 F7 FF 4B 45 ... ..KE
0DE0 59 30 7C 4D 50 41 2E 3D Y0|MPA.=
0DE8 26 31 41 30 30 7C 4D 4F &1A00|MO
0DF0 2E 7C 4D 52 55 4E 7C 46 .|MRUN|F
0DF8 7C 4D 0D 42 2E 0D 3D AF |M.B..=.
0E00 00 00 01 00 00 00 00 00 ........
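The two decode loops of BED.BUGS3 can be modelled statically, so the soft-key command can be read without running the loader. This is an added example, not code from the original article: it assumes the file loads at &0D80 as in the listing and that everything from &0D8D onward is still encoded on disk, and the sample image is constructed from the key string in the dump above.

```python
# Added example: static model of the BED.BUGS3 decode loops (not the author's code).
# Each layer follows the listing: (start address, CMP stop high byte, XOR key).
LOAD_ADDR = 0x0D80                       # first address in the BED.BUGS3 listing
BUGS3_LAYERS = [
    (0x0D8D, 0x2F, 0x3D),                # loop at &0D80, key ?&D01 = 61
    (0x0DA6, 0x2F, 0x85),                # loop at &0D9B, key ?&D00 = 133
]

def apply_layers(image, load_addr=LOAD_ADDR, layers=BUGS3_LAYERS):
    """XOR each layer over the image the way the 6502 loops do: 256 bytes per
    pass, then INC the operand high byte until it equals the CMP value."""
    mem = bytearray(image)
    for start, stop_hi, key in layers:
        addr = start
        while (addr >> 8) != stop_hi:
            for x in range(256):                  # X runs 0..255 per pass
                off = addr + x - load_addr
                if 0 <= off < len(mem):           # ignore RAM beyond the file
                    mem[off] ^= key
            addr += 0x100                         # INC of the operand high byte
    return bytes(mem)

def oscli_string(image, pointer, load_addr=LOAD_ADDR):
    """Return the CR-terminated command that an X/Y pointer refers to."""
    off = pointer - load_addr
    end = image.index(b"\r", off)
    return image[off:end].decode("ascii")

def build_sample():
    """Constructed sample: zero-filled image with the key definition from the
    dump placed at &0DDE, then obfuscated (XOR layers are self-inverse)."""
    plain = bytearray(0x100)
    text = b"KEY0|MPA.=&1A00|MO.|MRUN|F|M\r"
    off = 0x0DDE - LOAD_ADDR
    plain[off:off + len(text)] = text
    return apply_layers(bytes(plain))

if __name__ == "__main__":
    obfuscated = build_sample()
    decoded = apply_layers(obfuscated)
    print("plaintext visible before decode:", b"KEY0" in obfuscated)
    print("OSCLI at &0DDE:", oscli_string(decoded, 0x0DDE))
```

Bytes from &0DA6 onward pass through both loops, so their effective key is &3D EOR &85 = &B8, while &0D8D to &0DA5 see only &3D.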

Mr Spock 6 Apr 2004