Using SPY Disks

When you disassemble a boot disk (BOOTGAME.ATR, for example), you will sometimes see that only a small part of the code is readable and the rest is encrypted. Usually the readable part contains a loop that modifies the rest of the code; it is there to stop people from disassembling the code. The simplest scheme is to EOR every byte of the encrypted code with a constant value.

The best way to disassemble that kind of code is to let the small decrypting part run, so that it turns the encrypted code into readable (and executable) code, and then disassemble the result.

This is what SPY disks can do for you.

At this point, you have

Now you need to select one of the several SPY programs that will run in your Atari. It is the same program assembled at different addresses. You have to look at the code of the boot disk and choose a memory location that is not used by that code. The possible addresses are $1000, $3000, $5000, $7000, $9000 and $B000. They are provided as boot disks under the name SPYxxxx.ATR, where xxxx is one of those addresses (SPY1000.ATR is the SPY program that runs at $1000).

Now you should have 3 disks (.ATR files):

Follow these steps:

You now have a SPYDATA.ATR in which some part of the memory has been saved. To examine the results, run the 6502 Disassembler for Atari. In the File menu, choose 'Open spy disk image data...' and select SPYDATA.ATR. Now, if everything went fine, you should be able to see the code that was previously encrypted!

Some disks are heavily protected and run a first decrypt routine, then a second, then a third, and so on.

In this case, you have to repeat the previous operations until all the code is readable.

For example, the code at address $4000 unprotects the code from $4100 to $5000, and afterwards the code at $4100 unprotects the code from $4200 to $5000.
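As an added illustration (not part of the SPY package), the chained decryption just described can be modelled in Python: a tiny interpreter for the few 6502 instructions such a loop uses runs each stage in turn over a constructed memory image, scaled down to 256 bytes per stage, revealing the next stage exactly as successive SPY runs let the real machine do. The keys $5A and $C3, the padding and the stage layout are assumptions made for the sample.

```python
def run_decrypt_loop(mem, pc, max_steps=100000):
    """Interpret the 6502 subset a typical EOR decrypt loop uses (LDY #imm,
    LDA abs,Y, EOR #imm, STA abs,Y, INY, BNE rel, RTS) on a 64 KiB bytearray.
    Returns the number of instructions executed; raises on anything else."""
    a = y = 0
    z = False                                # zero flag
    for step in range(max_steps):
        op = mem[pc]
        if op == 0xA0:                       # LDY #imm
            y = mem[pc + 1]; z = y == 0; pc += 2
        elif op == 0xB9:                     # LDA abs,Y
            addr = mem[pc + 1] | (mem[pc + 2] << 8)
            a = mem[(addr + y) & 0xFFFF]; z = a == 0; pc += 3
        elif op == 0x49:                     # EOR #imm
            a ^= mem[pc + 1]; z = a == 0; pc += 2
        elif op == 0x99:                     # STA abs,Y (flags unchanged)
            addr = mem[pc + 1] | (mem[pc + 2] << 8)
            mem[(addr + y) & 0xFFFF] = a; pc += 3
        elif op == 0xC8:                     # INY
            y = (y + 1) & 0xFF; z = y == 0; pc += 1
        elif op == 0xD0:                     # BNE rel (signed 8-bit offset)
            off = mem[pc + 1] - (0x100 if mem[pc + 1] >= 0x80 else 0)
            pc += 2 + (0 if z else off)
        elif op == 0x60:                     # RTS: the decrypt loop is done
            return step + 1
        else:
            raise ValueError(f"unsupported opcode ${op:02X} at ${pc:04X}")
    raise RuntimeError("decrypt loop did not terminate")

def eor_loop(target, key):
    """Machine code for: LDY #0 / LOOP LDA target,Y / EOR #key / STA target,Y /
    INY / BNE LOOP / RTS, i.e. a 256-byte EOR decrypt loop (assumed shape)."""
    lo, hi = target & 0xFF, target >> 8
    return bytes([0xA0, 0x00, 0xB9, lo, hi, 0x49, key, 0x99, lo, hi,
                  0xC8, 0xD0, 0xF5, 0x60])  # BNE offset $F5 = -11, back to LDA

def build_image():
    """Constructed sample (scaled down to 256 bytes per stage): the loop at
    $4000 decrypts $4100-$41FF with key $5A, revealing a second loop that
    decrypts $4200-$42FF with key $C3, revealing the real code."""
    mem = bytearray(0x10000)
    payload = bytes([0xA0, 0x00, 0x60]).ljust(256, b"\xEA")   # LDY #0 / RTS, NOP-padded
    stage2 = eor_loop(0x4200, 0xC3).ljust(256, b"\xEA")
    mem[0x4000:0x400E] = eor_loop(0x4100, 0x5A)              # stage 1, stored in clear
    mem[0x4100:0x4200] = bytes(b ^ 0x5A for b in stage2)     # stage 2, stored encrypted
    mem[0x4200:0x4300] = bytes(b ^ 0xC3 for b in payload)    # payload, stored encrypted
    return mem

def reveal(mem):
    """Peel the layers in order, as repeated SPY runs let the real machine do;
    returns the first three bytes of the final plaintext."""
    run_decrypt_loop(mem, 0x4000)            # now $4100 holds a readable loop
    run_decrypt_loop(mem, 0x4100)            # now $4200 holds the real code
    return bytes(mem[0x4200:0x4203])
```

Before either loop has run, a disassembler sees only the 14 bytes at $4000 as code; the bytes at $4100 become a readable loop only after stage 1, and $4200 only after stage 2.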

In many cases you won't have to do that, but look at the following code:

This code decrypts 256 bytes at label CRYPT. To use the SPY program to reveal the code, you need to select an address for the patch:

You cannot use the normal SPY program to reveal this kind of code because you don't know where to put the patch (the JMP instruction that returns to the SPY program). You need to edit SPY.M65 and customize it for this particular case.

When you edit SPY.M65, you see a big comment like this one:

You don't need to look at the file SPYCORE.M65 that does the dirty work of applying the patch, removing the old one, saving memory to SPYDATA.ATR, and many other things...

What you need to know is that the code at label USERCONTROL is executed when there are no more patches (that is, all the patches in the list have been applied, or the patch list was empty). Here you can put your own code to do something. When your code has finished its work, it can JMP USEREND to continue normal SPY program execution. The SPY program will then ask for the SPY disk and save the memory areas to disk.

What can we do here? If we continue with our example, we could set a patch address at label START (LDY #0), then type in the small piece of code that unprotects the 256 bytes:

This code executes when there are no more patches. When the SPY program boots, it asks for the SPY data disk. When you press the START key, the SPY data are loaded. It then asks for the boot disk. When you press the START key again, it loads the boot sectors as if the Atari had just been turned on. Then it applies the first patch and jumps to the init address of the boot disk. When the patch code (the JMP instruction) is executed, control returns to the SPY program. The SPY program removes the first patch and searches for the next one. It sees that there is no more patch (the patch address is $0000), so it jumps to the USERCONTROL label. Here, the code we added unprotects the 256 bytes. Then we jump to USEREND to resume execution of the SPY program, which prompts for the SPY data disk to save memory.

You have to assemble the source at the desired address (for example $3000). Then you have to use the 6502 Disassembler for Atari to convert your SPY3000.COM file to a boot disk (SPY3000.ATR).

If you see another part of the code that is protected, it means that you have to do 2 patches: the first one is the code you customized in SPY.M65. If the second patch can be applied the normal way (without modifications to SPY.M65), you should do it this way:

Again, you have to assemble the source at the desired address (for example $3000). Then you have to use the 6502 Disassembler for Atari to convert your SPY3000.COM file to a boot disk (SPY3000.ATR).

The test CMP #1 prevents the code at label PATCH1 from being executed twice.