I had a quick look at this today, based on the SVN comment from David Haywood that the decryption is done but it still doesn't start.
It still doesn't start because the entrypoint value is wrong. Right now, it's pointing in the middle of an instruction, like this:
    BRK #$20
    MVP $22, $CF
    ROL $A3
which makes no sense at all. However, if we shift that by just one byte, we get a more meaningful disassembly:
    LDY #$00
    JSR $CF44
That aside, the interrupt handler looks like this:
    LDX $12
    JSR ($8875,X)
but the first 32 pages are full of #$55, so ($8875,55) points right into code, because there are only 12 entries in the table. It also appears that there's a REP #$20 that should be active but isn't, because of this:
    A326: LDA #$FC
    A328: ORA ($85,X)
    A32A: JSR $20E2
    A32D: LDA #$E0
makes much more sense like this:
    A326: LDA #$01FC
    A329: STA $20
    A32B: SEP #$20
    A32D: LDA #$E0
especially because $20xx is full of #$A0. The code is interspersed with #$00 which look like they're supposed to be the high byte for constant loads. The disassembler doesn't seem to notice when REP #$20 is active, which complicates things a bit.
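As an added illustration of the M-flag problem described in the post (this is not code from the post or from the emulator project), here is a minimal 65816 disassembler covering only the opcodes in the $A326 listing. It tracks bit 5 of the status register through REP/SEP so that immediate LDA operands are decoded as 8 or 16 bits accordingly; the input bytes are reconstructed from the two readings quoted above, not dumped from the ROM.

```python
# opcode -> (mnemonic, operand kind); only what the $A326 listing needs.
OPCODES = {
    0xA9: ("LDA", "imm_m"),     # immediate, width follows the M flag
    0x01: ("ORA", "dp_x_ind"),  # (dp,X)
    0x85: ("STA", "dp"),        # direct page
    0x20: ("JSR", "abs"),       # absolute
    0xC2: ("REP", "imm8"),      # clears status bits
    0xE2: ("SEP", "imm8"),      # sets status bits
}

def disasm(code, base, m_flag=True):
    """Disassemble `code` loaded at `base`. m_flag=True means the
    accumulator is 8-bit (M set); REP/SEP #$20 toggle it as we go.
    Returns a list of (address, text) tuples."""
    out, pc = [], 0
    while pc < len(code):
        addr, op = base + pc, code[pc]
        if op not in OPCODES:                  # not in our tiny table
            out.append((addr, f"??? ${op:02X}")); pc += 1; continue
        mnem, kind = OPCODES[op]
        if kind == "imm_m" and not m_flag:     # 16-bit immediate
            val = code[pc + 1] | (code[pc + 2] << 8)
            out.append((addr, f"{mnem} #${val:04X}")); pc += 3
        elif kind in ("imm_m", "imm8"):        # 8-bit immediate
            val = code[pc + 1]
            out.append((addr, f"{mnem} #${val:02X}")); pc += 2
            if mnem == "REP" and val & 0x20: m_flag = False
            if mnem == "SEP" and val & 0x20: m_flag = True
        elif kind == "dp":
            out.append((addr, f"{mnem} ${code[pc + 1]:02X}")); pc += 2
        elif kind == "dp_x_ind":
            out.append((addr, f"{mnem} (${code[pc + 1]:02X},X)")); pc += 2
        elif kind == "abs":
            val = code[pc + 1] | (code[pc + 2] << 8)
            out.append((addr, f"{mnem} ${val:04X}")); pc += 3
    return out

# Constructed: the bytes behind both readings of the $A326 listing.
A326 = bytes([0xA9, 0xFC, 0x01, 0x85, 0x20, 0xE2, 0x20, 0xA9, 0xE0])

if __name__ == "__main__":
    for label, m in (("M set (what the disassembler assumes)", True),
                     ("M clear (REP #$20 active)", False)):
        print(label)
        for addr, text in disasm(A326, 0xA326, m_flag=m):
            print(f"  {addr:04X}: {text}")
```

Running it prints the two listings from the post side by side; note that the SEP #$20 inside the 16-bit reading flips the mode back, which is why the final LDA #$E0 is the same in both.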