610  Open a channel to the drive.
      
         620  Send a Block Execute command to the drive.  CHR$(66)=B,
              CHR$(44)=-, CHR$(69)=E. In other words read Track 34, Sector
              8 from the disk and send it to a buffer in the drive.
              Execute that code starting at the first byte.
      
         630  Close channels: RETURN to GOSUB that called the check in
              line 65.
      
      3) Let's examine the Block Execute code. From the utility disk,
         load the program called BLOCK READ. < LOAD "BLOCK READ",8,1 >.
         list the code and in line 10 set the TRack to 34 and the Sector
         to 8. Place the backup in the drive and type RUN. The drive will
         read the proper block and transfer the code to $C000 in the
         computer  memory. When the READY prompt comes up, hit
         RUNSTOP/RESTORE to enter the monitor.
      
      4) Begin disassembly at $C000 < D C000 >. Examine the code from
         $C015-$C02A. The drive reads Track 35/Sector 0 through the job
         Queue. The Error message is read at position $00 and if equal
         to $02 (header block not found), the code falls through and
         places a value of $7F at $003B in the drive and returns to the
         BASIC program that called the B-E in the first place.  If the
         check is not satisfied, a Branch is taken to $C038 which causes
         the head to go to track one and go in an endless loop.
      
      5) The break is now quite simple.  If we place two NOPs at $C029
         and $C030, the code will not be able to Branch and must fall
         through even if the protection doesn't pass.  The changes can be
         made with Disk Dr. Power down and remove your Hesmon cartridge.
         Power up and with the Utility Disk in the drive,
         < LOAD "DISK D*",8,1 >. Use the < b > command to read in Track
         34/Sector 8 from the backup. At pos $29 (decimal 41) you'll
         find the BNE command. Using the <@> key, change position 41 and
         42 to 234 ($EA=NOP).
      
      6) This title is now broken and can be fast copied with any data 
         copier. Because it still uses the B-E command, you will not be
         able to file copy.  One way to possibly break the B-E code might
         be to store the $7F at $3B in the drive using a M-W
         (Memory-Write) command.  Replace the B-E in the ME file with a
         M-W (Line 620). We will leave this to you as an exercise for
         further practice.

            K.J. REVEALED TRILOGY    PAGE [103]    (C)1990 K.J.P.B.