Rastan (Taito 1990) backdoor by qkumba, 3rd June 2015, from http://www.hackzapple.com/phpBB2/viewtopic.php?t=952

Backdoor lives at 0/213F in RASTAN.SYSTEM.

Code:

213F PHY
2140 LDX loc_2187,Y   ;table of handlers (move or decompress)
2143 LDA loc_216B,Y   ;table of segment/size pairs
2146 BEQ loc_2190     ;end of list, restore values and run 2/0000.
2148 BPL loc_2173     ;regular handler
214A CMP #$E000       ;signed value, but not the special case
214D BCS loc_2173     ;regular handler
                      ;one special case: used to prompt for side B
214F STX loc_2160+1
2152 XBA
2153 AND #$7F
2156 TAX
2157 LDA loc_216A,Y
215A AND #$FF00
215D loc_215D:
215D PHX
215E PHA
215F PHY
2160 loc_2160:
2160 JSL decompressfile ;self-modified
2164 BCC loc_216E
2166 JSR promptdisk
2169 PLY
216A PLA
216B PLX
216C BRA loc_215D
216E loc_216E:
216E PLY
216F PLA
2170 PLX
2171 BRA loc_218A     ;regular handler
2173 loc_2173:
2173 STX loc_2181+1
2176 XBA
2177 AND #$FF
217A TAX
217B LDA loc_216A,Y
217E AND #$FF00
2181 loc_2181:
2181 JSL decompressfile ;self-modified
2185 BCC loc_218A
2187 JMP loc_2D85
218A loc_218A:
218A PLY
218B INY
218C INY
218D JMP loc_213F

This is the table of segment/size pairs and their corresponding handlers. The high byte (e.g. $E0) is the segment, the low byte is the number of pages to write (i.e. $30 == $3000 bytes, and $00 == 64kb).
Code:

21B5 .WORD $E030      ;RASTAN/TITLE (stored)
21B7 .WORD $E020      ;RASTAN/BONFIRE (stored)
21B9 .WORD $E044      ;RASTAN/THRONE (compressed)
21BB .WORD $E059      ;RASTAN/ENDPIC1 (stored)
21BD .WORD $E062      ;RASTAN/ENDPIC2 (stored)
21BF .WORD $E06B      ;RASTAN/ENDPIC3 (stored)
21C1 .WORD $E074      ;RASTAN/ENDPIC4 (stored)
21C3 .WORD $E07D      ;RASTAN/ART (compressed)
21C5 .WORD $200       ;RASTAN/RASTAN1 (compressed)
21C7 .WORD $300       ;RASTAN/RASTAN2 (compressed)
21C9 .WORD $E00       ;RASTAN/COIN (compressed)
21CB .WORD $700       ;RASTAN/SOUND1 (compressed)
21CD .WORD $82D4      ;RASTAN/SOUND4 (compressed), this one is on side B
21CF .WORD 0
21D1 .WORD movefile
21D3 .WORD movefile
21D5 .WORD decompressfile
21D7 .WORD movefile
21D9 .WORD movefile
21DB .WORD movefile
21DD .WORD movefile
21DF .WORD decompressfile
21E1 .WORD decompressfile
21E3 .WORD decompressfile
21E5 .WORD decompressfile
21E7 .WORD decompressfile
21E9 .WORD decompressfile

So we can see that if all "decompressfile" were replaced with "movefile" then no decompression would happen. It would then be trivial to disable the protection code or to add anything of interest.
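The following is an added example, not code from qkumba's post: a small Python decoder that applies the loader's classification rules (the BPL / CMP #$E000 / BCS test, the XBA and AND masks, and the page-count-to-bytes conversion) to the segment/size table quoted above, so the three kinds of entry can be checked side by side. The table words, handler names and file names are transcribed from the listing; the entry pairing with file names is an assumption taken from the listing's comments, and the function names are this example's own.

```python
# Added example: decode the Rastan loader's segment/size table using the rules
# read from the disassembly at 213F. Not code from the original post.
from dataclasses import dataclass
from typing import List

# Transcribed from the .WORD table at 21B5 (terminated by .WORD 0).
SEGMENT_SIZE_TABLE = [
    0xE030, 0xE020, 0xE044, 0xE059, 0xE062, 0xE06B, 0xE074, 0xE07D,
    0x0200, 0x0300, 0x0E00, 0x0700, 0x82D4, 0x0000,
]
# Transcribed from the handler table at 21D1, one entry per word above.
HANDLER_TABLE = (
    ["movefile", "movefile", "decompressfile"] + ["movefile"] * 4
    + ["decompressfile"] * 6
)
# File names come from the comments in the listing, not from the table itself
# (assumption: the comments are in table order).
FILE_NAMES = [
    "RASTAN/TITLE", "RASTAN/BONFIRE", "RASTAN/THRONE", "RASTAN/ENDPIC1",
    "RASTAN/ENDPIC2", "RASTAN/ENDPIC3", "RASTAN/ENDPIC4", "RASTAN/ART",
    "RASTAN/RASTAN1", "RASTAN/RASTAN2", "RASTAN/COIN", "RASTAN/SOUND1",
    "RASTAN/SOUND4",
]


@dataclass
class LoadEntry:
    name: str
    segment: int   # destination bank, from the high byte of the word
    size: int      # bytes to write: pages << 8, where 0 pages means 64 KB
    handler: str   # "movefile" or "decompressfile"
    side_b: bool   # True for the entry that makes the loader prompt for side B


def decode_word(word: int):
    """Apply the loader's tests (2148-215A and 2173-217E) to one table word."""
    # BPL -> regular handler; CMP #$E000 / BCS -> regular handler;
    # anything else (negative but below $E000) is the side-B special case.
    side_b = (word & 0x8000) != 0 and word < 0xE000
    if side_b:
        segment = (word >> 8) & 0x7F   # XBA / AND #$7F strips the flag bit
    else:
        segment = (word >> 8) & 0xFF   # XBA / AND #$FF
    pages = word & 0xFF                # LDA table-1,Y / AND #$FF00 keeps the page count
    size = 0x10000 if pages == 0 else pages << 8
    return segment, size, side_b


def walk_table(words=SEGMENT_SIZE_TABLE, handlers=HANDLER_TABLE,
               names=FILE_NAMES) -> List[LoadEntry]:
    """Walk the entries the way the loop at 213F does, stopping at .WORD 0."""
    entries = []
    for i, word in enumerate(words):
        if word == 0:                  # BEQ loc_2190: end of list
            break
        segment, size, side_b = decode_word(word)
        entries.append(LoadEntry(names[i], segment, size, handlers[i], side_b))
    return entries


def compressed_files(entries=None) -> List[str]:
    """Names of the files the table routes through decompressfile."""
    entries = walk_table() if entries is None else entries
    return [e.name for e in entries if e.handler == "decompressfile"]


if __name__ == "__main__":
    for e in walk_table():
        flag = " (side B)" if e.side_b else ""
        print(f"{e.name:16s} seg ${e.segment:02X} size ${e.size:05X} "
              f"via {e.handler}{flag}")
```

Running the block prints one line per file; the useful check is that $E030 decodes to bank $E0 with $3000 bytes, $0200 decodes to bank $02 with a full 64 KB, and $82D4 is the only word that takes the side-B path, landing in bank $02 with $D400 bytes.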