Ok, Keith Henrickson's guide to reverse engineering QLink:
USE AN EMULATOR! One with a monitor feature. I recommend Vice. It can emulate QLink's (fast?) loader, and also has a built in monitor.
First of all, do not load "0006". The four digit files are never accessed by name. They simply reserve space so that when a user validates the disk, the blocks are not deallocated. The three letter filenames contain track/sector pointers to load. Each 'load' consists of many many operations. Each file 'fork' has a header and some light obfuscation.
So, load "*",8,1
Break into the monitor and search for BASIC text, which we find at $1301. Soft reset the emulator. Type "POKE 44,19". Now we can accurately list the program.
Now I broke the program down into three logical blocks. The green screen, the blue screen (flashy qlink logo within blue boxes), main menu. I could see by listing the program that everything up to the main menu was printed by this program. I begain making notes.
Line 13 - Call dialer on line 40000 (Green screen starts here)
Line 500 - Connect to the correct X.25 network (second half of green screen)
Line 600 - Initialize machine code half of Qlink, and draw the blue screen on 630
Line 900 - Drawing main menu
So, I begin working on how to make it through each of these sections of code.
Line 13 - set modem type to manual dial. <RETURN> skips this block
Line 500 - Dragged up some memories that "/555-1212" would correspond with the section of code expecting "IDENTIFIER". Wrote a little test app to print the expected values COM2, and mapped Vice to COM1. Null modem cable between the two. A couple of tries, and I was at the blue screen.
The first place the BASIC program sits is on line 650. The GOSUB 15000 just cycles the colors in the logo. Boring. But the SYS is interesting, and it is looking for 782 to be 0 or 10. Hmmmmm.... 0 or 10. I pulled one out of my butt here and said, "Hey, it's trying to start a protocol. That location is the number of bad attempts. If it reaches 10, we're dead. When it succeeds, it will be set to 0." So, we look at the assembly for the routine being SYSed.
It turns out to be a VERY simple routine at $9AC0, that flips out BASIC ROM, reads the location $B9B5 underneath it to Y, and restores BASIC ROM. 782 is of course the shadow register for Y. So, we're retreiving a value from the ML code. And flipping out ROMS in my monitor, and looking at that location, YEP, it's a $01 by default. Ok, so, now I need to know how to set this to 0.
A simple hunt for "b5 b9" gives me 5 easy possibilities. $BB2F is the ONLY case where it is being set to 0. Look back two instructions to find a JMP. So, let's guess that $BB27 is the first instruction of this subroutine. Hunt for it. ONE reference in all of memory, a JMP from B82F.
Looking back up, and around $B883, we look for the 5a. $B890 starts processing packets in earnest. The CRC is unpacked on $B8A0, it is calculated in one of the calls around $B8B6, and it is checked in $B8CF.
One good resource I had was when the CRC fails, an error packet is sent. This is done by a routine at $BACA. It puts together a perfectly normal packet 23. That ALSO taught me a lot about the packet format.
Anyway, we finally have a valid packet, and begin seeing what type it is. The JMP $BB27 that we need to kick things off is going to be called if a certain byte in the packet is $24.
So, I wrote a program (which I don't have anymore), that waited for the first packet from the client, and printed out everything I could tell about it. This is how I validated my CRC routine. Took me several hours to find all the typos I'd made in it. Slowed me up HARD for a while. Once I had that, I sent back a packet 24, no payload. The client immediately printed, "Verifying your account information".
The next packet I got was of type $20. It contained "DD1234567890ABCD". I guessed that DD was the command, and the rest was some type of login info. But what POSSIBLE responses could their be?
Again, BACK to the Batmobile! I mean, the monitor!
This time, use the 'interrogate' command to see things as text, just in case I could find a DD anywhere in text. At $BDD2, there it is. Every possible command the client can send. Keep looking.
And at $C86C, we have another list of two letter commands. Everything the client expects to receive? Hopehope!
So, I modified my program to send a command in a packet type $20 in response to the DD packet, made a list of the possible commands, and went to it. One by one.
At DO, I saw the client clear the screen in an all too familar fashion, as if it WANTED to go to the main menu, but couldn't.
I found lots of commands that did nothing. Much pain, some that gave errors on the client screen, like "no time left on account, goodbye".
FINALLY, at D3, the client responded with SS, and said, "Verifying your disk..." I'm like, "Oo! That was the next step!" It sent me an SS. and waited. Huh.
Well, I have an "SS" too. So, I'll send it an SS if it sends me an SS. This makes the emulated disk run. "Oo! It was supposed to do that!" and then it sends me an "SG" and a "D6".
I noticed that between line 650 (where we start layer to with the $24 packet), and line 900, there is one other place the BASIC program can loop. I'm like, "I'll bet it's waiting for the disk to be validated before it lets it go to the main menu." So, rework the program to wait for DD, send D3, wait for SS, send SS, wait for D6, send DO. And BANG! I was at the main menu.
Now, layer 2 is very fiddly with it's sequence numbers. All command packets $20 type with two letter commands in them, MUST increment the sequence number. All control packets $21 and greater, MUST NOT increment the sequence number. Also, getting the second number right takes a while. My fingers are very tired, so I'm not going to go into that right now.
As to whether I am still interested, yes.
I have not touched the server for some time. But I still poke at learning more commands. I spend my xmas vacation with a server simulator I knocked up on my mac (and then lost), learning the command set for SuperQ and puzzler. I played a game of puzzler. Painfully at times. No player graphics, but the puzzle was up, and the letters popped up and everything.