HOW TO HACK

By Jon North

Sinclair ZX Spectrum
ISSUE 57
As promised, this month I'll explain what decrypters are, and how to crack a simple one.
Decrypters? What The...?
When a loading system loads, it appears as a big block of data on tape. Within this data is, say, 20 or 30 bytes of runnable machine code and loads and loads of garbage. The runnable machine code takes the garbage, byte by byte, and changes it into something else. Part or all of this new data will be some more machine code, and, eventually, it will all be runnable, in which case you've found the loading system.
Why Bother?
As you saw last month, to put pokes into a protected game, you need to make the computer load it in, then go back to your hack to put in the infinite lives (or whatever) poke. To do that, you need to change the JP to the game in the loading system, but to even be able to do THAT you need to have access to it. Surprise surprise, to get access you need to crack the decrypter(s) in front of it.
How Do You Recognise One?
A decrypter will change bytes in memory. If you like, a decrypter is like putting POKEs in, but the value of each POKE depends on what's already there, e.g. POKE addr,PEEK addr+4, although in practice they are usually more complex than that. We saw in the first column that PEEK is denoted in machine code by brackets, so you are looking for brackets, and the end of the loop will be a JP, JR or RET followed by Z or NZ.
The R Register
This is a special register which is very often used in decrypters. Alkatrazz and the various Speedlocks use it, as well as a lot of others. Every time a machine code instruction is executed, the R register goes up. It is possible to calculate how much it goes up by: for example, XOR A increments R by one, but LD IX,23000 increments R by two. If R is given a predetermined value at the start of the protection system, its value is known after every instruction until the loading system starts. Therefore, if you start a decrypter with LD A,200: LD R,A then you can reference the value of R (and decrypt with it) at any point until you actually resume loading.
Trailing Decrypters
These decrypters work out the number to put in memory by using the last number put in memory. For instance, it is known that if 44 has just been put in memory, then the next number will be PEEK address-44 (or whatever the instruction says - it may be PEEK address+44).
If you are having trouble understanding that lot (it's a bit tricky trying to put it into words), I'll be giving practical examples of each type over the next couple of months.
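As an added illustration of the trailing decrypter described above (this is not code from the column; it is a Python model, since the magazine's own examples are Z80 machine code), here is the PEEK address-44 style chain run both ways over a constructed byte string. The seed value for the "last number" before the first byte and the choice of subtract rather than add are assumptions, as the text says the instruction may go either way. The corruption check at the end shows the caveat a hacker cares about: because every byte depends on the one before it, a single wrong byte anywhere in the block garbles everything after it, which is why you let the whole decrypter finish before you start POKEing.

```python
# Added example: model of a "trailing" decrypter, where each decoded byte is
# PEEK address minus (or plus) the byte that was just written. Not from the
# column; seed=0 and the subtract form are assumptions.

def trailing_decrypt(encoded: bytes, seed: int = 0, subtract: bool = True) -> bytes:
    """decoded[i] = encoded[i] - decoded[i-1]  (mod 256); the 'last number
    put in memory' before the first byte is the seed."""
    out = []
    last = seed
    for b in encoded:
        last = ((b - last) if subtract else (b + last)) & 0xFF
        out.append(last)
    return bytes(out)


def trailing_encrypt(plain: bytes, seed: int = 0, subtract: bool = True) -> bytes:
    """Inverse of trailing_decrypt for the same seed and operation: the
    encoded byte is the plaintext byte plus (or minus) the previous plaintext
    byte, so the decrypter's subtraction (or addition) undoes it."""
    out = []
    last = seed
    for b in plain:
        out.append(((b + last) if subtract else (b - last)) & 0xFF)
        last = b
    return bytes(out)


def next_byte_after(last_written: int, peek_value: int) -> int:
    """The column's worked case: 44 has just been written, so the next
    byte is PEEK address - 44."""
    return (peek_value - last_written) & 0xFF


def corruption_spreads(plain: bytes, bad_index: int) -> bool:
    """Flip one bit of the encoded block and report whether every byte from
    bad_index onwards decodes wrongly (it does: each byte feeds the next)."""
    encoded = bytearray(trailing_encrypt(plain))
    encoded[bad_index] ^= 0x01
    decoded = trailing_decrypt(bytes(encoded))
    before_ok = decoded[:bad_index] == plain[:bad_index]
    after_bad = all(decoded[i] != plain[i] for i in range(bad_index, len(plain)))
    return before_ok and after_bad


if __name__ == "__main__":
    # Constructed sample: a short run of "runnable code" to hide.
    sample = bytes([0xF3, 0xAF, 0xED, 0x4F, 0x21, 0x80, 0xFE, 0xC9])
    enc = trailing_encrypt(sample)
    print("encoded:", enc.hex(), "decoded:", trailing_decrypt(enc).hex())
```

Run it with both operations on the same input to see that only the matching pair round-trips; a decrypter that uses ADD will not undo a block built for SUB.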
Example: ZOLYX (and countless other Covergames)
*Load the basic and see what you get:

Zolyx LINE 0 LEN 142
Now *List it, remembering that 0 is the first line executed:

10 PAPER 0: INK 0: BORDER 0: CLEAR 32767
20 LOAD ""CODE 65024
30 RANDOMIZE USR 65024
40 POKE 23418,84
50 SAVE "Zolyx" LINE 0
60 LOAD "Mast0"

So we know to CLEAR 32767, and that the loader runs from address 65024. Load the code in and disassemble from 65024:

FE00 DI
FE01 LD HL,FE80
FE04 XOR A
FE05 LD R,A
FE07 LD A,R
FE09 XOR (HL)
FE0A LD (HL),A
FE0B INC HL
FE0C LD A,H
FE0D OR L
FE0E JP NZ,FE07
FE11 JP FE80

The DI simply stops R getting corrupted. It stands for Disable Interrupts, which in English means that the processor doesn't stop every 50th of a second to read the keyboard. HL is then set to FE80, and A and R are set to 0. The loop itself starts now. A is set to the value of R (which remember is constantly changing), and this is then XORed with PEEK HL. (XOR is a logical function, and is used in the same way as you would use ADD or SUBtract). The new value is then put back into memory with the LD (HL),A instruction, and HL incremented (has 1 added to it), so it points to the next address in memory. LD A,H: OR L is just a way of seeing if HL=0. If it does not, it JPs to FE07, and does the same thing all over again with the next address in memory. If HL does equal 0, it JPs to FE80. Incidentally, doing INC HL when HL=FFFF makes HL equal 0. So we know that this particular decrypter changes every byte in memory from FE80 to FFFF inclusive.
To crack it, we want to make it come back to our hack once it has done all its decrypting, so you can POKE FE11 with C9 (for RET). Try it directly in basic - you'll see it crashes. That's because of the DI right at the start. To overcome this, simply Enable the Interrupts (the EI instruction), which you can do by POKEing FE11 with FB and FE12 with C9.
After it has done its decrypter, it JPs to FE80. I won't go into detail here because I covered headerless files last month, but here's a summary of the routine at FE80:
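To make the walk-through above concrete, here is an added Python model of the Zolyx decrypter (it is not code from the column; the Z80 listing is the column's, the simulation is mine). The loader bytes are assembled from the disassembly at FE00-FE11. The R-register accounting follows the usual Z80 rule, which I am treating as an assumption: R goes up by one for every opcode fetch, so the ED-prefixed LD A,R costs two, and only the low seven bits count. Worked through, that means LD A,R sees 2 on the first pass, then 10, 18, ... and, because 8 per loop divides 128 exactly, the "constantly changing" key repeats every 16 bytes. The model also applies the FB/C9 poke at FE11 and checks that running the loop twice restores memory, which is why the same routine both encrypts and decrypts.

```python
# Added example: Python model of the Zolyx loader's R-register XOR loop.
# Not from the column. Assumed: R increments once per opcode fetch (twice
# for ED-prefixed LD A,R) and is a 7-bit counter with bit 7 left alone.

START, END = 0xFE80, 0x10000  # loop runs until INC HL wraps FFFF -> 0000

# Bytes assembled from the column's disassembly at FE00-FE11.
LOADER = bytes([
    0xF3,                    # FE00 DI
    0x21, 0x80, 0xFE,        # FE01 LD HL,FE80
    0xAF,                    # FE04 XOR A
    0xED, 0x4F,              # FE05 LD R,A
    0xED, 0x5F,              # FE07 LD A,R
    0xAE,                    # FE09 XOR (HL)
    0x77,                    # FE0A LD (HL),A
    0x23,                    # FE0B INC HL
    0x7C,                    # FE0C LD A,H
    0xB5,                    # FE0D OR L
    0xC2, 0x07, 0xFE,        # FE0E JP NZ,FE07
    0xC3, 0x80, 0xFE,        # FE11 JP FE80
])

# R cost of each instruction in the loop FE07-FE0E (assumed per Z80 rule).
LOOP_R_COST = {"LD A,R": 2, "XOR (HL)": 1, "LD (HL),A": 1, "INC HL": 1,
               "LD A,H": 1, "OR L": 1, "JP NZ": 1}
R_PER_ITERATION = sum(LOOP_R_COST.values())  # 8


def bump_r(r: int, n: int) -> int:
    """Refresh counter: only bits 0-6 advance, bit 7 is preserved."""
    return (r & 0x80) | ((r + n) & 0x7F)


def keystream(r_start: int = 0):
    """Yield the value LD A,R loads on each pass. LD R,A left R=0, and
    LD A,R reads R after its own two fetches, so the first key is 2."""
    r = r_start
    for _ in range(END - START):
        r = bump_r(r, LOOP_R_COST["LD A,R"])
        yield r
        r = bump_r(r, R_PER_ITERATION - LOOP_R_COST["LD A,R"])


def key_period() -> int:
    """How many bytes before the key repeats (128 / 8 = 16)."""
    ks = list(keystream())
    return next(p for p in range(1, len(ks)) if ks[p:] == ks[:-p])


def memory_with_payload(payload: bytes) -> bytearray:
    """64K image with the loader at FE00 and the block to decrypt at FE80."""
    mem = bytearray(0x10000)
    mem[0xFE00:0xFE00 + len(LOADER)] = LOADER
    mem[START:START + len(payload)] = payload
    return mem


def run_decrypter(mem: bytearray) -> bytearray:
    """Apply FE07-FE0E in place over FE80..FFFF inclusive."""
    for addr, k in zip(range(START, END), keystream()):
        mem[addr] ^= k
    return mem


def patch_return_to_basic(mem: bytearray) -> bytearray:
    """The column's crack: POKE FE11,FB (EI) and FE12,C9 (RET) in place of
    JP FE80, so the loop hands control back once it has finished."""
    mem[0xFE11] = 0xFB
    mem[0xFE12] = 0xC9
    return mem


if __name__ == "__main__":
    # Constructed payload standing in for the real routine at FE80.
    mem = memory_with_payload(bytes(range(0x40)))
    run_decrypter(mem)
    print("first key bytes:", list(keystream())[:4], "period:", key_period())
    print("FE11 after patch:", patch_return_to_basic(mem)[0xFE11:0xFE14].hex())
```

The period result is the practical point: once you know the key repeats every 16 bytes you can check a decrypted block by hand, and any routine that relies on R like this is only as unpredictable as the instruction count between LD R,A and each LD A,R.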
FE80-FE8F makes the screen black
FE90-FEA3 loads the two game blocks
FEA4-FEB1 moves the routine at FEB2 to 6000 and JPs to it. The routine is 50 bytes long.
FEB2-FEBF moves the game from FDFF to FFFF, and JPs to it. The game is 5001 bytes long. Change the B000 at FEBE to something convenient to put pokes in.
A USEFUL ROUTINE
If you want to hack a protected game, it is more than likely that it will crash if you try to load it and then return to Basic. The following routine will cause a NEW to 6400 (I have never seen a game where the code from 4000 to 6400 is needed to get infinite lives), so you can return to Basic, which makes hacking easier. Note that sometimes (as with Zolyx above) the game is loaded at a certain place in memory, but is moved to somewhere else. Keep a look-out for that before you hack the game itself. Generally, if the JP to the game is very low (say, 5B00-6000) or very high (FA00-FFFF) the game will be moved.

DI
XOR A
LD DE,6400 (change this if you want, but not lower than about 5D00)
JP 11CB
Sorry I didn't have enough space to crack Bleepload - I'll do it next month, honest! In the meantime, why not try it yourself (here's a clue: it does the same thing 46 times then prints a picture!)? If you hit any problems or have any ideas, drop a line to Jon North, H2H, YS, 30 Monmouth Street, Bath, Avon BA1 2AP. If you send a SAE you'll definitely get a reply, if you don't you definitely won't. Before I go, I'd like to say thanks to Giles Hopson of Sutton in Surrey, who, if he hadn't lent me his Speccy, this month's column wouldn't have been written.