You will need the following:
      
         1) An original "Death Sword" (DS) diskette.
         
         2) A backup copy of both sides of DS using any good nybbler.
         
         3) A disk log of the DS disk to get the load addresses.
         
         4) An error scan of the original DS disk.
         
         5) A reset button that will reset the screen.
         
      Examining the disk map shows that the disk appears to be
      completely normal. This is common to most Epyx releases. They have
      an impressive fast loader routine that requires a slight
      modification to the sector headers. A fast copier will ignore 
      these eccentricities, but a nybbler can reproduce them well enough
      to fool the fast loader. Obviously, this isn't where the protection
      lies.

      Load the nybbled copy of DS and observe what happens. When the
      fancy "EPYX" screen appears, the disk drive stops and the computer
      takes a permanent time-out. This, then, is where the protection
      check occurs.
      
      The DS boot file resides from $02A7 - $0303. The program start
      address can be found in the BASIC warm start vector in $0302 -
      $0303. The entry point is $02C1. This routine does little more 
      than load the only other file in the directory "(C) 1987 EPYX" and
      then jumps to $0600. The file resides from $0409 to $0618: SCREEN
      MEMORY! This makes it a little tougher for us to examine. A
      software based monitor like "Kracker-Mon" has to use screen memory
      to display. Anything loaded there will be immediately destroyed. 
      We must relocate the file as we load it.

      Load the $C000 monitor and relocate the file by entering:
      
         L "(C)*",08,1409
      
      The file will now reside at $1409. Begin disassembly at the entry
      point of $0600 (for consistency's sake, I'll refer to the actual
      address. Just add $1000 to any address within $0409 - $0618). You
      should be looking at a short routine that ends with a JMP to $67E9
      at $0614. Examine the other subroutine calls to $05F1 and $05F4.
      These are the initialization routines that start the drive code 
      and fast loader. A logical place to stop the loading process is the
      JMP $67E9, but its location (screen memory) requires us to use the
      supplied File Tracer utility to patch this JMP on the nybbled
      backup disk so that it JMP's to itself (JMP $0614). Then we'll
      reset the computer and check the code at $67E9.
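
      The load-address reasoning above, as an added example that is not part of
      the original text: it reads the two-byte load address of a PRG image, flags
      a file that lands in screen RAM or overwrites the $0302 - $0303 vector, and
      maps addresses after the relocating load. The two images are constructed
      (zero-filled) and all function names are hypothetical.

```python
import struct

SCREEN_RAM = (0x0400, 0x07E7)   # default C64 text screen
IMAIN_VECTOR = 0x0302           # 2-byte vector the text calls the BASIC warm start vector

def load_range(prg: bytes):
    """Return (start, end) inclusive for a PRG image: 2-byte LE load address + payload."""
    if len(prg) < 3:
        raise ValueError("PRG needs a load address and at least one byte")
    start = struct.unpack_from("<H", prg)[0]
    end = start + len(prg) - 3
    if end > 0xFFFF:
        raise ValueError("payload runs past $FFFF")
    return start, end

def overlaps(rng, region):
    """True when two inclusive address ranges share at least one byte."""
    return rng[0] <= region[1] and region[0] <= rng[1]

def autostart_entry(prg: bytes):
    """If the payload overwrites $0302-$0303, return the address it plants there."""
    start, end = load_range(prg)
    if start <= IMAIN_VECTOR and IMAIN_VECTOR + 1 <= end:
        return struct.unpack_from("<H", prg, 2 + IMAIN_VECTOR - start)[0]
    return None

def relocated(addr, rng, new_start):
    """Map a run-time address to where it sits after loading the file at new_start."""
    if not rng[0] <= addr <= rng[1]:
        raise ValueError("address outside the file")
    return addr - rng[0] + new_start

# Constructed images: only the sizes, load addresses and vector bytes follow the text.
boot = struct.pack("<H", 0x02A7) + bytes(0x0302 - 0x02A7) + struct.pack("<H", 0x02C1)
second = struct.pack("<H", 0x0409) + bytes(0x0618 - 0x0409 + 1)

if __name__ == "__main__":
    for name, prg in (("boot", boot), ("(C) 1987 EPYX", second)):
        rng = load_range(prg)
        entry = autostart_entry(prg)
        print(f"{name}: ${rng[0]:04X}-${rng[1]:04X}",
              "screen-RAM" if overlaps(rng, SCREEN_RAM) else "",
              f"autostart->${entry:04X}" if entry is not None else "")
    jmp = relocated(0x0614, load_range(second), 0x1409)
    print(f"JMP at $0614 sits at ${jmp:04X} in the relocated copy")
```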

            K.J. REVEALED TRILOGY    PAGE [115]    (C)1990 K.J.P.B.
