CG121
Inactive User
- Joined
- Jun 1, 2007
- Messages
- 520
- Reaction score
- 113
The Following is all you need to fix your OPOS card flash file...
BUT, there is one bit of information missing and that's the jump (XXXX'd out above) out of and back into the cards original routine....
You have to figure that out, jump to this code and then the rts instruction at the end will take you back.
You must execute this before the EMM though
So what does all that code above do, well this:
[1st we need to 'save' the accumulator (A) so we can restore it's value after we've finished]
88 pusha (value A is stored on the stack)
[Next we need to check for 2 locations of the instruction #$42 in the EMM BYTES DUMP]
[We're doing this because we want to detect both the new EMM and the one that appeared last May]
C6 00 A8 load the contents of address $A8 into A
A1 42 cmp A with #$42 (is #$42 stored at address $A8)
27 0C beq (jump 12 bytes if $A8 = #$42)
C6 00 A9 load the contents of address $A9 into A
A1 42 cmp A with #$42 (is #$42 stored at address $A9)
27 05 beq (jump 5 bytes if $A9 = #$42)
[above, if #$42 is not at either $A8 or $A9, we run the next 3 lines]
[if either $A8 or $A9 = #$42, the branch (beq) instructions would've caused us to skip the next 3 lines]
84 popa (original value of A is restored from the stack)
CD XX XX jsr to the sub routine that SHOULD have run instead of ours
81 rts (returns back to the point we broke away to our code)
[above, we recover the original value of A and jump to the sub routine that should've run instead of ours...We need the rts instruction to return from our routine back to the intial jump instruction where we forced the card to run our code]
[if we've got this far, we know that the EMM BYTES DUMP must contain #$42 at either $A8 or $A9]
[next we fix the May 07 call to register $07]
C6 00 8F load the contents of address $8F into A
A1 07 cmp A with #$07 (is #$07 stored at address $8F)
26 08 bne (jump 8 bytes if $8F does NOT = #$07)
A6 A6 load value #$A6 into A
B7 8E store A into address $8E
A6 03 load value #$03 into A
B7 8F store A into address $8F
[above, we check the EMM at $8F for the value #$07. This would be the May 2007 Register $07 call EMM. WE don't like that call so we write it out...See that we've replaced $8E and $8F to read A6 03. That's all that's needed before the original EMM executes to fix the problem and update your keys. We need this in case VM switch back to using this method in the future....]
[If $8F does NOT = #$07 we have a different key update so we branch (bne) 8 bytes to prevent the above code (A6 A6 to B7 8F) running...]
[the next few lines of code checks for the NEW EMM and fixes the problem]
C6 00 83 load the contents of address $83 into A
A1 4E cmp A with #$4E (is #$4E stored at address $83)
26 0E bne (jump 14 bytes if $83 does NOT = #$4E)
A6 A6 load value #$A6 into A
B7 81 store A into address $81
B7 8F store A into address $8F
A6 01 load value #$01 into A
B7 82 store A into address $82
A6 81 load value #$81 into A
B7 90 store A into address $90
[above, we check the EMM BYTES DUMP at address $83 for #$4E (the swapa instruction). If we don't find it, we branch (bne) 14 bytes to the code below as it can't be the new EMM. If it is, we write the value #$A6 into both $81 and $8F addresses. We also write the values #$01 and #$81 into addresses $82 and $90 respectively. To see what this does, look at the 2 EMM's at the end.]
[the following code is the same as the code above that runs if no keyroll was in the EMM buffer which restores the value of A and executes the original routine before we return back from our routine to the point we started our patch.]
84 popa (END of patch)
CD XX XX jsr to the sub routine that SHOULD have run instead of ours
81 rts (returns back to the point we broke away to our code)
Now let's see the results of the routine that fixes the new EMM....
Original EMM
DISASSEMBLY OF CODE:
------------------------------
0081: B6 02 lda $02 ; Load in A
0083: 4E swapa ; Nibble exchange of A
0084: A4 10 and #$10 ; A= A and ...
0086: B8 AD eor $AD ; A= A xor ...
0088: B7 AD sta $AD ; Store A in...
008A: 9B sei ; I <-- 1
008B: 11 02 bclr0 $02 ; Bit 0 <-- 0
008D: 1E 02 bset7 $02 ; Bit 7 <-- 1
008F: B6 02 lda $02 ; Load in A
0091: 4E swapa ; Nibble exchange of A
0092: A4 18 and #$18 ; A= A and ...
0094: B8 B2 eor $B2 ; A= A xor ...
0096: B7 B2 sta $B2 ; Store A in...
0098: 1F 02 bclr7 $02 ; Bit 7 <-- 0
009A: 9A cli ; I <-- 0
009B: A6 26 lda #$26 ; Load in A
009D: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A0: 00 00 00 00 00 00 83 5D
00A8: 01 42 05 ED 74 0E 7A 5F
00B0: 6B 60 58 42 85 FF 6C C6
00B8: A0 EB 80 02 EA
Patched EMM
DISASSEMBLY OF CODE:
------------------------------
0081: A6 01 lda #$01 ; Load in A
0083: 4E swapa ; Nibble exchange of A
0084: A4 10 and #$10 ; A= A and ...
0086: B8 AD eor $AD ; A= A xor ...
0088: B7 AD sta $AD ; Store A in...
008A: 9B sei ; I <-- 1
008B: 11 02 bclr0 $02 ; Bit 0 <-- 0
008D: 1E 02 bset7 $02 ; Bit 7 <-- 1
008F: A6 81 lda #$81 ; Load in A
0091: 4E swapa ; Nibble exchange of A
0092: A4 18 and #$18 ; A= A and ...
0094: B8 B2 eor $B2 ; A= A xor ...
0096: B7 B2 sta $B2 ; Store A in...
0098: 1F 02 bclr7 $02 ; Bit 7 <-- 0
009A: 9A cli ; I <-- 0
009B: A6 26 lda #$26 ; Load in A
009D: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A0: 00 00 00 00 00 00 83 5D
00A8: 01 42 05 ED 74 0E 7A 5F
00B0: 6B 60 58 42 85 FF 6C C6
00B8: A0 EB 80 02 EA
We are no longer loading the value stored in $02 (register $02) into A (at $81 or $8F), we're loading the values #$01 and #$81 instead as these would be the values read from the register if the opos correctly emulated it....
The routine runs because we DO have #$42 at $A9...
Now that the EMM has been altered, we return to the original card routines that execute the EMM (as we want it) and bingo, the keys are updated correctly...
Now ffs, someone apply it and keep me just slightly the right side of the law ta
Code:
You don't have permission to view the code content. Log in or register now.
BUT, there is one bit of information missing and that's the jump (XXXX'd out above) out of and back into the cards original routine....
You have to figure that out, jump to this code and then the rts instruction at the end will take you back.
You must execute this before the EMM though
So what does all that code above do, well this:
[1st we need to 'save' the accumulator (A) so we can restore it's value after we've finished]
88 pusha (value A is stored on the stack)
[Next we need to check for 2 locations of the instruction #$42 in the EMM BYTES DUMP]
[We're doing this because we want to detect both the new EMM and the one that appeared last May]
C6 00 A8 load the contents of address $A8 into A
A1 42 cmp A with #$42 (is #$42 stored at address $A8)
27 0C beq (jump 12 bytes if $A8 = #$42)
C6 00 A9 load the contents of address $A9 into A
A1 42 cmp A with #$42 (is #$42 stored at address $A9)
27 05 beq (jump 5 bytes if $A9 = #$42)
[above, if #$42 is not at either $A8 or $A9, we run the next 3 lines]
[if either $A8 or $A9 = #$42, the branch (beq) instructions would've caused us to skip the next 3 lines]
84 popa (original value of A is restored from the stack)
CD XX XX jsr to the sub routine that SHOULD have run instead of ours
81 rts (returns back to the point we broke away to our code)
[above, we recover the original value of A and jump to the sub routine that should've run instead of ours...We need the rts instruction to return from our routine back to the intial jump instruction where we forced the card to run our code]
[if we've got this far, we know that the EMM BYTES DUMP must contain #$42 at either $A8 or $A9]
[next we fix the May 07 call to register $07]
C6 00 8F load the contents of address $8F into A
A1 07 cmp A with #$07 (is #$07 stored at address $8F)
26 08 bne (jump 8 bytes if $8F does NOT = #$07)
A6 A6 load value #$A6 into A
B7 8E store A into address $8E
A6 03 load value #$03 into A
B7 8F store A into address $8F
[above, we check the EMM at $8F for the value #$07. This would be the May 2007 Register $07 call EMM. WE don't like that call so we write it out...See that we've replaced $8E and $8F to read A6 03. That's all that's needed before the original EMM executes to fix the problem and update your keys. We need this in case VM switch back to using this method in the future....]
[If $8F does NOT = #$07 we have a different key update so we branch (bne) 8 bytes to prevent the above code (A6 A6 to B7 8F) running...]
[the next few lines of code checks for the NEW EMM and fixes the problem]
C6 00 83 load the contents of address $83 into A
A1 4E cmp A with #$4E (is #$4E stored at address $83)
26 0E bne (jump 14 bytes if $83 does NOT = #$4E)
A6 A6 load value #$A6 into A
B7 81 store A into address $81
B7 8F store A into address $8F
A6 01 load value #$01 into A
B7 82 store A into address $82
A6 81 load value #$81 into A
B7 90 store A into address $90
[above, we check the EMM BYTES DUMP at address $83 for #$4E (the swapa instruction). If we don't find it, we branch (bne) 14 bytes to the code below as it can't be the new EMM. If it is, we write the value #$A6 into both $81 and $8F addresses. We also write the values #$01 and #$81 into addresses $82 and $90 respectively. To see what this does, look at the 2 EMM's at the end.]
[the following code is the same as the code above that runs if no keyroll was in the EMM buffer which restores the value of A and executes the original routine before we return back from our routine to the point we started our patch.]
84 popa (END of patch)
CD XX XX jsr to the sub routine that SHOULD have run instead of ours
81 rts (returns back to the point we broke away to our code)
Now let's see the results of the routine that fixes the new EMM....
Original EMM
DISASSEMBLY OF CODE:
------------------------------
0081: B6 02 lda $02 ; Load in A
0083: 4E swapa ; Nibble exchange of A
0084: A4 10 and #$10 ; A= A and ...
0086: B8 AD eor $AD ; A= A xor ...
0088: B7 AD sta $AD ; Store A in...
008A: 9B sei ; I <-- 1
008B: 11 02 bclr0 $02 ; Bit 0 <-- 0
008D: 1E 02 bset7 $02 ; Bit 7 <-- 1
008F: B6 02 lda $02 ; Load in A
0091: 4E swapa ; Nibble exchange of A
0092: A4 18 and #$18 ; A= A and ...
0094: B8 B2 eor $B2 ; A= A xor ...
0096: B7 B2 sta $B2 ; Store A in...
0098: 1F 02 bclr7 $02 ; Bit 7 <-- 0
009A: 9A cli ; I <-- 0
009B: A6 26 lda #$26 ; Load in A
009D: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A0: 00 00 00 00 00 00 83 5D
00A8: 01 42 05 ED 74 0E 7A 5F
00B0: 6B 60 58 42 85 FF 6C C6
00B8: A0 EB 80 02 EA
Patched EMM
DISASSEMBLY OF CODE:
------------------------------
0081: A6 01 lda #$01 ; Load in A
0083: 4E swapa ; Nibble exchange of A
0084: A4 10 and #$10 ; A= A and ...
0086: B8 AD eor $AD ; A= A xor ...
0088: B7 AD sta $AD ; Store A in...
008A: 9B sei ; I <-- 1
008B: 11 02 bclr0 $02 ; Bit 0 <-- 0
008D: 1E 02 bset7 $02 ; Bit 7 <-- 1
008F: A6 81 lda #$81 ; Load in A
0091: 4E swapa ; Nibble exchange of A
0092: A4 18 and #$18 ; A= A and ...
0094: B8 B2 eor $B2 ; A= A xor ...
0096: B7 B2 sta $B2 ; Store A in...
0098: 1F 02 bclr7 $02 ; Bit 7 <-- 0
009A: 9A cli ; I <-- 0
009B: A6 26 lda #$26 ; Load in A
009D: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A0: 00 00 00 00 00 00 83 5D
00A8: 01 42 05 ED 74 0E 7A 5F
00B0: 6B 60 58 42 85 FF 6C C6
00B8: A0 EB 80 02 EA
We are no longer loading the value stored in $02 (register $02) into A (at $81 or $8F), we're loading the values #$01 and #$81 instead as these would be the values read from the register if the opos correctly emulated it....
The routine runs because we DO have #$42 at $A9...
Now that the EMM has been altered, we return to the original card routines that execute the EMM (as we want it) and bingo, the keys are updated correctly...
Now ffs, someone apply it and keep me just slightly the right side of the law ta