Newsgroups: comp.sys.apple2
Path: news.uiowa.edu!news.physics.uiowa.edu!math.ohio-state.edu!howland.reston.ans.net!ix.netcom.com!netcom.com!sheldon
From: sheldon@netcom.com (Sheldon Simms)
Subject: Re: 'undocumented' 6502 opcodes?
Message-ID:
Organization: Netcom Online Communications Services (408-241-9760 login: guest)
References: <4jkjfr$i4a@acme.freenet.columbus.oh.us>
Date: Sun, 31 Mar 1996 02:51:43 GMT
Lines: 309
Sender: sheldon@netcom14.netcom.com

In article <4jkjfr$i4a@acme.freenet.columbus.oh.us> rschaefe@freenet.columbus.oh.us (Robert Schaefer) writes:
>
>Hi everyone. I have been following that 6502 OS thread, and I'm curious
>about the 'undocumented' instructions that have come up. What are they?
>An URL or FTP site would be much appreciated.

Here's a post I saved...

Well, since there seemed to be no comprehensive summary of all undocumented
NMOS 6502 opcodes, I set myself the task of creating such a document.

Some old software does use these opcodes for purposes of obfuscation;
confusing the hackers and crackers following the PC's scent through memory.
Note that most of these programs will work if NOPs are substituted for the
illegal bytes; they probably won't rely on the effects of the more esoteric
instructions.

Please email any comments, corrections, or information on the various 6502
processors and undocumented opcodes (or names of programs that use them) to
me so that I can incorporate these into the next version.

Cheers, Nick.
+--------------------------------------------------+------------------------+
| Nick Westgate BSc: email nico@kcbbs.gen.nz       | In vino veritas        |
| Digital Jellyfish Design Ltd: +64 9 307 8812     | Vox populi, vox dei    |
+--------------------------------------------------+------------------------+

----->8----------------------------- CUT ------------------------------->8-----

NMOS 6502 Undocumented Instructions V1.0
----------------------------------------

System used: Apple //e (Rev B, Unenhanced)
CPU:         R6502-40
Reference:   Apple ][GS Hardware Reference, 2nd Edition (Addison-Wesley)

a) New Mnemonics for Undocumented Instructions:

+-----------------------------------------------+-----------------------------+
|Opc   Nb  Description                          | Nb  Operation               |
+-----------------------------------------------+-----------------------------+
|AAX -     "AND" Memory with Accumulator        |     (M "AND" A) -> A,X      |
|          into Accumulator and Index X         |                             |
+-----------------------------------------------+-----------------------------+
|ANC -     "AND" Memory with Accumulator        |     (M "AND" A) -> A        |
|      [1] THEN Copy Bit 7 of Result into Carry |     THEN msb(A) -> C        |
+-----------------------------------------------+-----------------------------+
|ARC -     "AND" Memory with Accumulator        |     (M "AND" A) -> A        |
|          THEN Copy Bit 7 of Result into Carry |     THEN msb(A) -> C        |
|          THEN Rotate Accumulator One Bit      | [2] THEN ROR A              |
|          Right (Carry unaffected)             |                             |
+-----------------------------------------------+-----------------------------+
|ASR -     "AND" Memory with Accumulator        |     (M "AND" A) -> A        |
|          THEN Shift Accumulator One Bit Right |     THEN LSR A              |
+-----------------------------------------------+-----------------------------+
|ASX -     "AND" Stack Pointer with Memory      |     (SP "AND" M) -> A,SP,X  |
|          into Accumulator, Stack Pointer      |                             |
|          and Index X                          |                             |
+-----------------------------------------------+-----------------------------+
|AXA -     "AND" Memory with Index X            |     (M "AND" X) -> A        |
|          into Accumulator                     |                             |
+-----------------------------------------------+-----------------------------+
|DCP -     Decrement Memory by One              |     (M - 1) -> M            |
|          THEN Compare Memory with Accumulator |     THEN CMP M              |
+-----------------------------------------------+-----------------------------+
|HLT -     Halt Processor (Until RES Signal)    |     ?                       |
+-----------------------------------------------+-----------------------------+
|INS -     Increment Memory by One              |     (M + 1) -> M            |
|          THEN Subtract Memory from            |     THEN (A - M - ~C) -> A  |
|          Accumulator with Borrow              |                             |
+-----------------------------------------------+-----------------------------+
|LXA -     Load Index X and Accumulator         |     M -> X,A                |
|          with Memory                          |                             |
+-----------------------------------------------+-----------------------------+
|RLA -     Rotate Memory One Bit Left           |     ROL M                   |
|          THEN "AND" Memory with Accumulator   |     THEN (M "AND" A) -> A   |
+-----------------------------------------------+-----------------------------+
|RRA -     Rotate Memory One Bit Right          |     ROR M                   |
|          THEN Add Memory to Accumulator       |     THEN (A + M + C) -> A   |
|          with Carry                           |                             |
+-----------------------------------------------+-----------------------------+
|SAS -     "AND" Accumulator with Index X       |     (A "AND" X) -> SP       |
|          into Stack Pointer                   |                             |
|          THEN Store Result "AND"              |     THEN (SP "AND"          |
|      [3] (MSB(Address)+1) in Memory           | [4] (MSB(adr)+1)) -> M      |
+-----------------------------------------------+-----------------------------+
|SAX -     Store Accumulator "AND"              | [4] (A "AND" (MSB(adr)+1)   |
|      [3] (MSB(Address)+1) "AND"               |     "AND" X) -> M           |
|          Index X in Memory                    |                             |
+-----------------------------------------------+-----------------------------+
|SBX -     Subtract Memory from Index X         | [5] (X - M) -> X            |
|          _without_ Borrow or Decimal Mode     |                             |
+-----------------------------------------------+-----------------------------+
|SLO -     Shift Memory One Bit Left            |     ASL M                   |
|          THEN "OR" Memory with Accumulator    |     THEN (M "OR" A) -> A,M  |
|          into Accumulator and Memory          |                             |
+-----------------------------------------------+-----------------------------+
|SMX - [3] Store (MSB(Address)+1) "AND"         | [4] ((MSB(adr)+1) "AND"     |
|          Index X in Memory                    |     X) -> M                 |
+-----------------------------------------------+-----------------------------+
|SMY - [3] Store (MSB(Address)+1) "AND"         | [4] ((MSB(adr)+1) "AND"     |
|          Index Y in Memory                    |     Y) -> M                 |
+-----------------------------------------------+-----------------------------+
|SRE -     Shift Memory One Bit Right           |     LSR M                   |
|          THEN "Exclusive OR" Memory           |     THEN (M "EOR" A) -> A   |
|          with Accumulator                     |                             |
+-----------------------------------------------+-----------------------------+
|SXA -     Store Index X "AND"                  |     (X "AND" A) -> M        |
|          Accumulator in Memory                |                             |
+-----------------------------------------------+-----------------------------+

Notes:
[1] Bit 7 is the leftmost and most significant bit of a byte
[2] C not affected
[3] MSB(Address) equals the Most Significant Byte (or High Order Byte)
    of the given (and not _effective_) absolute address
[4] MSB(adr) _not_ MSB(adr+index.reg)
[5] C and D do not affect operation
[6] Bitwise logical operations are enclosed in speechmarks, eg "AND"
[7] Operations described as 'A THEN B' imply that operation B occurs
    after and including the results of operation A

+----------+------------------------------------------------------------------+
| Symbol   | Meaning in Operation                                             |
+----------+------------------------------------------------------------------+
| A        | Accumulator                                                      |
| adr      | A 16-bit (2-byte) memory address                                 |
| ASL      | Shift Left Operation, ie b7<-b6...b1<-b0<-0 (flags set)          |
| b7(Z)    | Bit 7 of byte Z                                                  |
| C        | Carry Flag                                                       |
| CMP      | Compare Operation, ie A - M (flags set)                          |
| D        | Decimal Mode Flag                                                |
| LSR      | Shift Right Operation, ie 0->b7->b6...b1->b0 (flags set)         |
| M        | Value of byte at Memory specified by given addressing mode       |
| msb(Z)   | Most Significant Bit of Z, ie bit 7 of a byte                    |
| MSB(Z)   | Most Significant Byte of Z, eg High Order Byte of an address     |
| ROL      | Rotate Left Operation, ie C<-b7<-b6...b1<-b0<-C (flags set)      |
| ROR      | Rotate Right Operation, ie C->b7->b6...b1->b0->C (flags set)     |
| S        | Stack Pointer Register                                           |
| X        | X Index Register                                                 |
| Y        | Y Index Register                                                 |
| "Z"      | Bitwise Z operation, eg "AND", "EOR", "OR"                       |
| ~Z       | Z Bar, ie "NOT" Z                                                |
| E -> Q,R | Q and R both take value E                                        |
+----------+------------------------------------------------------------------+

b) Operation Code Information

Opcode; Mnemonic and operand(s) if any; number of Bytes comprising the
instruction and operand(s); Cycle count; flags affected; Processor legally
claiming that opcode (C = 65C02, 8 = 65816/65802); software Using the
undocumented opcode; Notes (refer below)

+----+-------------+---+---+----------+---+------------+-----+
| Op | Mnemonic(s) | B | C | NVRBDIZC | P | Used by    | Nb  |
+----+-------------+---+---+----------+---+------------+-----+
| 02 | HLT         | 1 | ? | ???????? | 8 |            |     |
| 03 | SLO (zpg,x) | 2 | ? | ???????? | 8 |            |     |
| 04 | NOP imd     | 2 | ? | ???????? | C | Ms Pacman  |     |
| 07 | SLO zpg     | 2 | ? | ???????? | 8 | Ms Pacman  |     |
| 0B | ANC imd     | 2 | ? | ???????* | 8 |            | [1] |
| 0C | NOP abs     | 3 | ? | ???????? | C |            |     |
| 0F | SLO abs     | 3 | ? | ???????? | 8 |            |     |
| 12 | HLT         | 1 | ? | ???????? | C |            |     |
| 13 | SLO (zpg),y | 2 | ? | ???????? | 8 |            |     |
| 14 | NOP imd     | 2 | ? | ???????? | C |            |     |
| 17 | SLO zpg,x   | 2 | ? | ???????? | 8 |            |     |
| 1A | NOP         | 1 | ? | ???????? | C |            |     |
| 1B | SLO abs,y   | 3 | ? | ???????? | 8 |            |     |
| 1C | NOP abs     | 3 | ? | ???????? | C |            |     |
| 1F | SLO abs,x   | 3 | ? | ???????? | 8 |            |     |
| 22 | HLT         | 1 | ? | ???????? | 8 |            |     |
| 23 | RLA (zpg,x) | 2 | ? | ???????? | 8 |            |     |
| 27 | RLA zpg     | 2 | ? | ???????? | 8 |            |     |
| 2B | ANC imd     | 2 | ? | ???????* | 8 |            | [1] |
| 2F | RLA abs     | 3 | ? | ???????? | 8 |            |     |
| 32 | HLT         | 1 | ? | ???????? | C |            |     |
| 33 | RLA (zpg),y | 2 | ? | ???????? | 8 |            |     |
| 34 | NOP imd     | 2 | ? | ???????? | C |            |     |
| 37 | RLA zpg,x   | 2 | ? | ???????? | 8 |            |     |
| 3A | NOP         | 1 | ? | ???????? | C |            |     |
| 3B | RLA abs,y   | 3 | ? | ???????? | 8 |            |     |
| 3C | NOP abs     | 3 | ? | ???????? | C |            |     |
| 3F | RLA abs,x   | 3 | ? | ???????? | 8 |            |     |
| 42 | HLT         | 1 | ? | ???????? | 8 |            |     |
| 43 | SRE (zpg,x) | 2 | ? | ???????? | 8 |            |     |
| 44 | NOP imd     | 2 | ? | ???????? | 8 |            |     |
| 47 | SRE zpg     | 2 | ? | ???????? | 8 |            |     |
| 4B | ASR imd     | 2 | ? | ???????? | 8 |            |     |
| 4F | SRE abs     | 3 | ? | ???????? | 8 |            |     |
| 52 | HLT         | 1 | ? | ???????? | C |            |     |
| 53 | SRE (zpg),y | 2 | ? | ???????? | 8 |            |     |
| 54 | NOP imd     | 2 | ? | ???????? | 8 |            |     |
| 57 | SRE zpg,x   | 2 | ? | ???????? | 8 |            |     |
| 5A | NOP         | 1 | ? | ???????? | C |            |     |
| 5B | SRE abs,y   | 3 | ? | ???????? | 8 |            |     |
| 5C | NOP abs     | 3 | ? | ???????? | 8 |            |     |
| 5F | SRE abs,x   | 3 | ? | ???????? | 8 |            |     |
| 62 | HLT         | 1 | ? | ???????? | 8 |            |     |
| 63 | RRA (zpg,x) | 2 | ? | ???????? | 8 |            |     |
| 64 | NOP imd     | 2 | ? | ???????? | C |            |     |
| 67 | RRA zpg     | 2 | ? | ???????? | 8 |            |     |
| 6B | ARC imd     | 2 | ? | ???????* | 8 |            | [1] |
| 6F | RRA abs     | 3 | ? | ???????? | 8 |            |     |
| 72 | HLT         | 1 | ? | ???????? | C |            |     |
| 73 | RRA (zpg),y | 2 | ? | ???????? | 8 |            |     |
| 74 | NOP imd     | 2 | ? | ???????? | C |            |     |
| 77 | RRA zpg,x   | 2 | ? | ???????? | 8 |            |     |
| 7A | NOP         | 1 | ? | ???????? | C | Roundabout |     |
| 7B | RRA abs,y   | 3 | ? | ???????? | 8 |            |     |
| 7C | NOP abs     | 3 | ? | ???????? | C |            |     |
| 7F | RRA abs,x   | 3 | ? | ???????? | 8 |            |     |
| 80 | NOP imd     | 2 | ? | ???????? | C |            |     |
| 82 | NOP imd     | 2 | ? | ???????? | 8 |            |     |
| 83 | SXA (zpg,x) | 2 | ? | ???????? | 8 |            |     |
| 87 | SXA zpg     | 2 | ? | ???????? | 8 |            |     |
| 89 | NOP imd     | 2 | ? | ???????? | C |            |     |
| 8B | AXA imd     | 2 | ? | ???????? | 8 |            |     |
| 8F | SXA abs     | 3 | ? | ???????? | 8 |            |     |
| 92 | HLT         | 1 | ? | ???????? | C |            |     |
| 93 | SXA (zpg),y | 2 | ? | ???????? | 8 |            |     |
| 97 | SXA zpg,y   | 2 | ? | ???????? | 8 |            |     |
| 9B | SAS abs,y   | 3 | ? | ???????? | 8 |            |     |
| 9C | SMY abs,x   | 3 | ? | ???????? | C |            |     |
| 9E | SMX abs,y   | 3 | ? | ???????? | C |            |     |
| 9F | SAX abs,y   | 3 | ? | ???????? | 8 |            |     |
| A3 | LXA (zpg,x) | 2 | ? | ???????? | 8 |            |     |
| A7 | LXA zpg     | 2 | ? | ???????? | 8 |            |     |
| AB | AAX imd     | 2 | ? | ???????? | 8 |            |     |
| AF | LXA abs     | 3 | ? | ???????? | 8 |            |     |
| B2 | HLT         | 1 | ? | ???????? | C |            |     |
| B3 | LXA (zpg),y | 2 | ? | ???????? | 8 |            |     |
| B7 | LXA zpg,y   | 2 | ? | ???????? | 8 | Bug Attack |     |
| BB | ASX abs,y   | 3 | ? | ???????? | 8 |            |     |
| BF | LXA abs,y   | 3 | ? | ???????? | 8 |            |     |
| C2 | NOP imd     | 2 | ? | ???????? | 8 |            |     |
| C3 | DCP (zpg,x) | 2 | ? | ???????? | 8 |            |     |
| C7 | DCP zpg     | 2 | ? | ???????? | 8 |            |     |
| CB | SBX imd     | 2 | ? | ???????? | C |            |     |
| CF | DCP abs     | 3 | ? | ???????? | 8 |            |     |
| D2 | HLT         | 1 | ? | ???????? | C |            |     |
| D3 | DCP (zpg),y | 2 | ? | ???????? | 8 |            |     |
| D4 | NOP imd     | 2 | ? | ???????? | 8 |            |     |
| D7 | DCP zpg,x   | 2 | ? | ???????? | 8 |            |     |
| DA | NOP         | 1 | ? | ???????? | C |            |     |
| DB | DCP abs,y   | 3 | ? | ???????? | C |            |     |
| DC | NOP abs     | 3 | ? | ???????? | 8 |            |     |
| DF | DCP abs,x   | 3 | ? | ???????? | 8 |            |     |
| E2 | NOP imd     | 2 | ? | ???????? | 8 |            |     |
| E3 | INS (zpg,x) | 2 | ? | ???????? | 8 |            |     |
| E7 | INS zpg     | 2 | ? | ???????? | 8 |            |     |
| EB | SBC imd     | 2 | ? | ???????? | 8 |            | [2] |
| EF | INS abs     | 3 | ? | ???????? | 8 |            |     |
| F2 | HLT         | 1 | ? | ???????? | C |            |     |
| F3 | INS (zpg),y | 2 | ? | ???????? | 8 |            |     |
| F4 | NOP imd     | 2 | ? | ???????? | 8 |            |     |
| F7 | INS zpg,x   | 2 | ? | ???????? | 8 |            |     |
| FA | NOP         | 1 | ? | ???????? | C |            |     |
| FB | INS abs,y   | 3 | ? | ???????? | 8 |            |     |
| FC | NOP abs     | 3 | ? | ???????? | 8 | Bug Attack |     |
| FF | INS abs,x   | 3 | ? | ???????? | 8 |            |     |
+----+-------------+---+---+----------+---+------------+-----+

Notes:
[1] See mnemonic table for calculation of C flag
[2] Normal SBC operation

Addressing Modes Used:

+------------+----------------------------+
| Operand(s) | Addressing Mode            |
+------------+----------------------------+
|            | Implied                    |
| abs        | Absolute                   |
| abs,x      | Absolute Indexed With X    |
| abs,y      | Absolute Indexed With Y    |
| imd        | Immediate                  |
| zpg        | Zero Page (Direct)         |
| zpg,x      | Zero Page Indexed With X   |
| zpg,y      | Zero Page Indexed With Y   |
| (zpg,x)    | Zero Page Indexed Indirect |
| (zpg),y    | Zero Page Indirect Indexed |
+------------+----------------------------+

Planned Additions:
-----------------
- Cycle times
- Flags affected
- Whether HLT is broken by interrupts other than RES
- Corrections found after checking all info

Please don't distribute modified versions of this document.

Email any comments, corrections, or information on the various 6502
processors and undocumented opcodes (or names of programs that use them) to
me so that I can incorporate these into the next version.

+--------------------------------------------------+------------------------+
| Nick Westgate BSc: email nico@kcbbs.gen.nz       | In vino veritas        |
| Digital Jellyfish Design Ltd: +64 9 307 8812     | Vox populi, vox dei    |
+--------------------------------------------------+------------------------+
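
Added example, not part of the original post or of Nick Westgate's document: a Python linear sweep that flags the opcodes listed in table (b) and, following the remark that NOPs can be substituted for the illegal bytes, overwrites each flagged instruction with NOP ($EA). The bit-pattern rules are a compact restatement of the table; the function names, base address and SAMPLE bytes are constructed for illustration, and the sweep assumes the buffer holds only code starting at offset 0.

```python
# Added example: linear sweep for the undocumented NMOS 6502 opcodes of table (b).
# Table (b) opcodes that fit no simple bit pattern (names here are illustrative).
IRREGULAR = frozenset(bytes.fromhex(
    "04143444546474D4F4"    # NOP imd (two bytes)
    "0C1C3C5C7CDCFC"        # NOP abs (three bytes)
    "1A3A5A7ADAFA"          # NOP (one byte)
    "80899C9E"))            # NOP imd, NOP imd, SMY abs,x, SMX abs,y

def is_undocumented(op):
    """True if table (b) lists this opcode byte."""
    if (op & 0x03) == 0x03:             # columns x3, x7, xB, xF
        return True
    if (op & 0x0F) == 0x02:             # HLT / NOP imd column; A2 is LDX #imm
        return op != 0xA2
    return op in IRREGULAR

def length(op):
    """Instruction size in bytes; matches column B for table (b) entries."""
    lo = op & 0x1F
    if op in (0x00, 0x40, 0x60) or lo in (0x08, 0x0A, 0x12, 0x18, 0x1A):
        return 1                        # BRK/RTI/RTS, implied, accumulator, HLT
    if op == 0x20:                      # JSR abs
        return 3
    if lo == 0x02:
        return 1 if op < 0x80 else 2    # HLT below 80, immediate from 82 up
    if lo in (0x19, 0x1B) or (lo & 0x0C) == 0x0C:
        return 3                        # absolute modes
    return 2                            # immediate, zero page, branches

def scan(code, base=0):
    """Return [(address, opcode, size)] for each undocumented instruction."""
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if is_undocumented(op):
            hits.append((base + pc, op, length(op)))
        pc += length(op)                # skip operands so they are not flagged
    return hits

def nop_patch(code, base=0):
    """Copy of code with every flagged instruction overwritten by NOP ($EA)."""
    out = bytearray(code)
    for addr, _, size in scan(code, base):
        start, end = addr - base, min(addr - base + size, len(out))
        out[start:end] = b"\xEA" * (end - start)
    return bytes(out)

# Constructed input: LDA #$01 / 04 10 / STA $0200 / B7 20 / FC 34 12 / RTS
SAMPLE = bytes.fromhex("A901 0410 8D0002 B720 FC3412 60")
```

A plain byte search over SAMPLE would also flag the operand bytes 02, 34 and 12; decoding instruction lengths is what keeps the sweep to the three real hits.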