Disassembling 6502 code with Radare - Part II

Let’s crack a simple game. If you are not familiar with Radare, read Part I first. Creating and opening a VICE Snapshot file Let’s crack BC’s Quest For Tires since its copy-protection is easy to bypass. Unzip this file: http://tapes.c64.no/tapes/BCsQuestForTires.zip Open the tap file with VICE (the most popular Commodore 64 emulator), and.. …the game has some kind of copy-protection. If we enter invalid codes, we won’t be able to play the game. Since Radare supports VICE Snapshot File format, we can save an snapshot of the game, and analyze it with Radare. In VICE, go to the menu, Snapshot -> Save Snapshot Image… If we select “Save ROMs”, then the BASIC ROM and the KERNAL ROM will be saved inside the Snapshot file, and will be included as Radare sections. Radare VICE Snapshot File (VSF) support lets us inspect: The 64k RAM of the computer at the moment the snapshot was saved The BASIC and KERNAL ROMs in case they were saved. To open a VSF file, just pass the VSF file as the first argument: $ r2 bc_copy_protection_screen.vsf [0x00005689]> 0x00005689 is the PC (program counter) at the moment the snapshot was saved.

December 10, 2015 · 8 min · ricardoquesada

Disassembling 6502 code with Radare - Part I

Radare is an open source portable reversing framework that can do many things, among those things it can disassemble 6502 code. Download and install radare First, download radare from github. You need a recent version in order to disassemble 6502 code. And then install it by running sys/install.sh (or sys/user.sh for local installation): $ git clone https://github.com/radare/radare2.git $ cd radare2 $ ./sys/install.sh Loading a c64 .prg Radare has many command line options. But in order to load 6502 programs we need just two: -a6502 to specify the 6502 architecture. -mMemoryAddress to map the file to a certain memory address. Use 2047 for “normal” programs. Usually they start at $0801 (2049), but we have to subtract 2 from the .prg header. Example: $ r2 -a6502 -m2047 mygame.prg Disassembling Radare doesn’t have a GUI, like IDA. Instead is has a powerful command line interface (think of GDB). Example: $ r2 -a6502 -m2047 musicplayer.prg [0x000007ff]> And 0x7ff (2047) is the seek address, meaning that all commands will use that address as the base address. Let’s print the first 32 bytes. ( px = print hexa): [0x000007ff]> px 32 offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x07ff 0108 0b08 3905 9e32 3036 3100 0000 78ad ....9..2061...x. 0x080f 0ddc a212 a000 b9d4 1a99 f020 c8d0 f7ce ........... .... The “2061” that we see, is part of the BASIC “SYS 2061” command that usually appears in all C64 programs. So, let’s disassemble the first 12 instructions from 2061. ( pd = print disassemble): [0x000007ff]> pd 12 @ 2061 0x0000080d 78 sei 0x0000080e ad0ddc lda 0xdc0d 0x00000811 a212 ldx #0x12 0x00000813 a000 ldy #0x00 ┌┌─> 0x00000815 b9d41a lda 0x1ad4,y ││ 0x00000818 99f020 sta 0x20f0,y ││ 0x0000081b c8 iny └──< 0x0000081c d0f7 bne 0xf7 │ 0x0000081e ce1708 dec 0x0817 │ 0x00000821 ce1a08 dec 0x081a │ 0x00000824 ca dex └─< 0x00000825 d0ee bne 0xee In case we don’t know the meaning of a certain opcode, we can print its description with ?d: [0x00000815]> ?d sei set interrupt disable status Or if we want to print the description in every disassembled line, we can do: e asm.describe=true And then disassemble again: [0x0000080e]> pd 12 @2061 0x080d 78 sei ; set interrupt disable status 0x080e ad0ddc lda 0xdc0d ; load accumulator with memory 0x0811 a212 ldx #0x12 ; load index x with memory 0x0813 a000 ldy #0x00 ; load index y with memory ┌─> 0x0815 b9d41a lda 0x1ad4,y ; load accumulator with memory │ 0x0818 99f020 sta 0x20f0,y ; store accumulator in memory │ 0x081b c8 iny ; increment index y by one └─< 0x081c d0f7 bne 0xf7 ; branch on result not zero 0x081e ce1708 dec 0x0817 ; decrement memory by one 0x0821 ce1a08 dec 0x081a ; decrement memory by one 0x0824 ca dex ; decrement index x by one 0x0825 d0ee bne 0xee ; branch on result not zero For more disassembling options just type p?

November 19, 2015 · 5 min · ricardoquesada