Fantasia Diamond (Hacking Tips #6)

By Mr. Spock

Originally published in EUG #71

Fantasia Diamond - decryption and use of events to poke the real execute address into the cassette header area.

1E50 LDY #&5A    \FOR Y=&5A TO 1 STEP -1 (90 bytes; the Y=0 pass is never run)
1E52 LDA &2FFF,Y \Y?&6FF=Y?&2FFF EOR &42
1E55 EOR #&42    \i.e. &3000-&3059 decrypted
1E57 STA &06FF,Y \and copied to &0700-&0759
1E5A DEY 
1E5B BNE &1E52   \NEXT
1E5D JMP &0702   \enter the relocated code (&700-&701 are data, see below)

This decrypts the 90 bytes at &3000-&3059 and relocates them to &0700-&0759 in page 7. The first two bytes are data, and execution continues at &0702:

0700 EQUB &3E    \high byte of the real execute address,
0701 EQUB &00    \low byte: the game really starts at &3E00
0702 LDA #&30    \self-modifying code: patch the operands of the
0704 STA &0716   \LDA at &714 (&715-&716) and the STA at &719
0707 STA &071B   \(&71A-&71B) so both become &3000,Y and the
070A LDA #&00    \decryption is done in place
070C STA &071A
070F STA &0715
0712 LDY #&5A    \FOR addr=&305A TO &34FF
0714 LDA &1900,Y \?addr=?addr EOR 55 (operand patched to &3000 above)
0717 EOR #55
0719 STA &1150,Y \(operand patched to &3000 above)
071C INY 
071D BNE &0714   \inner loop until Y wraps to 0
071F INC &0716   \then move both high bytes to the next page
0722 INC &071B
0725 LDA &0716
0728 CMP #&35    \stop when the page reaches &35
072A BNE &0714   \NEXT
072C SEI 
072D LDA #&32  \first event routine at &3225:
072F STA &0221 \EVNTV is &220 (low) and &221 (high)
0732 LDA #&25
0734 STA &0220
0737 CLI 
0738 LDA #14   \*FX14,4
073A LDX #4    \enable event 4, start of vertical sync
073C LDY #&00
073E JSR &FFF4 \OSBYTE
0741 LDA #&31  \push the return address &3150 high byte
0743 PHA       \first, then low byte, then the flags:
0744 LDA #&50  \RTI pulls them in the reverse order
0746 PHA       
0747 LDA #&11  \flags %00010001 (NV-BDIZC: C set, I clear,
0749 PHA       \so interrupts are enabled after the RTI)
074A LDA &0730 \?&730=&21, the low byte of the STA &0221 operand above
074D EOR #51   \the author gives the result as 3; note that
               \&21 EOR &51=&70 and &21 EOR 51=&12, so the
               \immediate would have to be &22 for 3 to come out
074F STA &0258 \3 = disable Escape and clear memory on Break,
               \*FX200,3 equivalent
0752 RTI       \return from interrupt: flags and program counter
               \are pulled from the stack, so execution continues at &3150
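The two EOR loops above are simple enough to replay offline against a memory dump, which is how you would check a decryption by hand rather than under the game's own code. The following Python is an added example, not code from the article: it mirrors stage 1 (the 90-byte copy from &3000 to page 7, with the Y=0 pass never taken) and stage 2 (the in-place loop from &305A to &34FF with the outer page counter stopping at &35). The listing does not settle whether the second immediate is decimal 55 or &55, so that key is a parameter; the 64K image it runs on is constructed here and is not the real game data.

```python
# Layout taken from the listing: stage 1 copies &3000-&3059 to &700-&759,
# stage 2 then decrypts &305A-&34FF in place.
STAGE1_SRC, STAGE1_DST, STAGE1_LEN = 0x3000, 0x0700, 0x5A
STAGE2_START, STAGE2_END = 0x305A, 0x3500          # end is exclusive
KEY1 = 0x42
KEY2 = 55   # the listing's "EOR #55"; pass 0x55 if the immediate was hex


def stage1_decrypt(mem: bytearray, key: int = KEY1) -> None:
    """LDY #&5A / LDA &2FFF,Y / EOR #&42 / STA &6FF,Y / DEY / BNE.

    Y runs from &5A down to 1: the Y=0 pass never happens, so exactly
    &5A (90) bytes move and the copy starts at &3000, not &2FFF.
    """
    for y in range(STAGE1_LEN, 0, -1):
        mem[STAGE1_DST - 1 + y] = mem[STAGE1_SRC - 1 + y] ^ key


def stage2_decrypt(mem: bytearray, key: int = KEY2) -> None:
    """The self-modifying loop at &712-&72A with its operands already patched
    to &3000,Y, so each byte is read, EORed and written back in place.

    The inner loop runs Y from &5A to &FF on the first page and 0-&FF on
    later ones; the outer loop steps the page and stops when it reaches &35.
    """
    page, y = STAGE2_START >> 8, STAGE2_START & 0xFF
    while True:
        mem[(page << 8) | y] ^= key
        y = (y + 1) & 0xFF
        if y == 0:                       # INY wrapped: INC both high bytes
            page += 1
            if page == STAGE2_END >> 8:  # CMP #&35 / BNE
                break


def run_loader(mem: bytearray) -> int:
    """Run both stages and return the real execute address the stub holds
    at &700 (high byte) and &701 (low byte)."""
    stage1_decrypt(mem)
    stage2_decrypt(mem)
    return (mem[0x0700] << 8) | mem[0x0701]


def build_sample_image() -> bytearray:
    """Constructed 64K image, not the real game: a page-7 stub that begins
    &3E,&00 and a byte pattern over the in-place region, both pre-encrypted
    with the same keys (EOR is its own inverse).  One extra page past &34FF
    is filled too, so a decryptor that runs too far is caught."""
    mem = bytearray(0x10000)
    stub = bytes([0x3E, 0x00]) + bytes(range(2, STAGE1_LEN))
    for i, b in enumerate(stub):
        mem[STAGE1_SRC + i] = b ^ KEY1
    for addr in range(STAGE2_START, STAGE2_END + 0x100):
        mem[addr] = (addr & 0xFF) ^ KEY2
    return mem


if __name__ == "__main__":
    image = build_sample_image()
    print(f"real execute address: &{run_loader(image):04X}")
```

To use it on a real dump, load the 64K image into a bytearray in place of build_sample_image() and check that the bytes landing at &702 onwards disassemble to the code shown above; if they do not, try the other reading of the second key.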

The next section of code to be executed is at &3150 because that was the address pushed onto the stack. Unlike RTS, RTI loads the program counter with the pushed address exactly (there is no +1), which is why entry is at &3150 and not &3151; the whole push-and-RTI sequence is an obfuscated JMP &3150.

3150 SEI         \disable interrupts
3151 LDY #&0D    \FOR Y=&D TO 1 STEP -1
3153 LDX &FFB7   \&FFB7-&FFB8 hold the address of the MOS default
3156 INX         \vector table (the values copied to &200 onwards
3157 INX         \on reset)
3158 INX 
3159 INX         \+4 (low byte only, so a page crossing is not handled)
315A STX &70
315C LDA &FFB8   \high byte of vector table address
315F STA &71
3161 LDA (&70),Y \Copy default vectors into page 2:
3163 STA &0204,Y \&205-&211 (IRQ1V high byte through RDCHV)
3166 DEY         \are reset, so no naughty user vectors
3167 BNE &3161   \survive there. Note FSCV at &21E, used
3169 CLI         \just below, is not among those restored
316A LDA #4      \Enter OSFSC with A=4
316C LDX #&74    \and XY pointing to the filename,
316E LDY #&31    \equivalent to *RUN
3170 JMP (&021E) \via FSCV

3174 EQUS "FD"+CHR$&D \file to run, CR-terminated

The next section is the first event routine, entered on each vertical sync from now on. It copies the second event routine into page 9 and repoints EVNTV at it.

3225 PHP         \preserve flags
3226 PHA         \and A
3227 LDY #&1E    \FOR Y=&1E TO 1 STEP -1
3229 LDA &32FF,Y \Y?&94F=Y?&32FF: copy &3300-&331D
322C STA &094F,Y \to &950-&96D (the second event routine)
322F DEY 
3230 BNE &3229   \NEXT
3232 LDA #&50    \repoint EVNTV at the
3234 STA &0220   \event routine at &950
3237 LDA #&09
3239 STA &0221
323C PLA 
323D PLP 
323E RTS 

The second event routine, at &950, runs on every vertical sync while the tape file FD is being *RUN. It keeps overwriting the execution address that the cassette filing system has just read from the block header, so the real address wins whatever the tape says.

0950 PHP       \preserve flags
0951 PHA       \and A
0952 LDA &0700 \store the real execute address (high byte)
0955 STA &03C3 \in the cassette block header workspace:
0958 LDA &0701 \&3C2 onwards holds the execution address
095B STA &03C2 \read from the tape, so the game runs at
095E PLA       \&3E00 and not at the address in the file.
095F PLP       \Only the low two bytes of the field are poked
0960 RTS 
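The routine above patches the execute address at run time, two bytes at a time, behind the filing system's back. The static equivalent, which is what you would apply to a tape image to make the game run without the loader, is to write the real address into the header's exec field and recompute the header CRC so the CFS accepts the block. The following Python is an added example and not the article's code: it parses a cassette block header, verifies the CRC, and patches the exec field. It assumes the standard CFS block layout and CRC as documented for the BBC MOS (sync byte &2A, filename terminated by 0, 4-byte load and exec addresses, block number, length, flag, next-file address, then a CRC-16 with polynomial &1021 and initial value 0 stored high byte first); the page shows none of the tape itself. The sample header for file FD, with a hypothetical load address of &1900 and a placeholder exec address, is constructed here. It goes beyond the routine in writing all four bytes of the exec field rather than the low two.

```python
import struct

SYNC = 0x2A                 # every CFS block header starts with '*'
BODY_FMT = "<IIHHBI"        # load, exec, block number, data length, flag, next file
BODY_LEN = struct.calcsize(BODY_FMT)   # 17 bytes


def crc16_bbc(data: bytes) -> int:
    """The MOS tape CRC: CRC-16, polynomial &1021, initial value 0, MSB first."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parse_block_header(blk: bytes) -> dict:
    """Decode a block header (sync, filename, addresses, CRC) and verify its CRC."""
    if not blk or blk[0] != SYNC:
        raise ValueError("missing sync byte")
    end = blk.index(0, 1)                            # filename terminator
    load, exe, blkno, length, flag, nxt = struct.unpack_from(BODY_FMT, blk, end + 1)
    crc_pos = end + 1 + BODY_LEN
    stored = (blk[crc_pos] << 8) | blk[crc_pos + 1]  # CRC is stored high byte first
    return {
        "filename": blk[1:end].decode("ascii"),
        "load": load, "exec": exe, "block": blkno, "length": length,
        "last_block": bool(flag & 0x80), "next_file": nxt,
        "crc_ok": stored == crc16_bbc(blk[1:crc_pos]),  # CRC covers filename..next file
        "header_len": crc_pos + 2,
    }


def patch_exec_address(blk: bytes, new_exec: int) -> bytes:
    """Static equivalent of the &950 event routine: rewrite the exec field and
    recompute the header CRC so the filing system still accepts the block."""
    end = blk.index(0, 1)
    out = bytearray(blk)
    struct.pack_into("<I", out, end + 5, new_exec)   # exec follows the 4-byte load
    crc_pos = end + 1 + BODY_LEN
    crc = crc16_bbc(bytes(out[1:crc_pos]))
    out[crc_pos], out[crc_pos + 1] = crc >> 8, crc & 0xFF
    return bytes(out)


def build_sample_header(name=b"FD", load=0x1900, exec_=0x1900, blkno=0,
                        length=0, flag=0x80, nxt=0) -> bytes:
    """Constructed sample header (file FD, hypothetical addresses), CRC included."""
    body = name + b"\x00" + struct.pack(BODY_FMT, load, exec_, blkno, length, flag, nxt)
    crc = crc16_bbc(body)
    return bytes([SYNC]) + body + bytes([crc >> 8, crc & 0xFF])


if __name__ == "__main__":
    hdr = build_sample_header()
    print("as recorded:", parse_block_header(hdr))
    print("patched:    ", parse_block_header(patch_exec_address(hdr, 0x3E00)))
```

On a real image, patch every block header of the file (each block carries the same exec field) and leave the data CRCs alone, since only the header bytes change. A header whose crc_ok comes back False after patching means the layout assumption above does not match the image, so check the field offsets before trusting the result.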

Mr Spock 31 Mar 2004