After applying the patch to your backup, boot it. The program
      should freeze up. Press your reset button and load the $C000
      monitor. Disassemble the code at $67E9. The subroutine call to
      $68CA (V2 = $68E6) reveals several calls to the load routines in
      screen memory, followed by a comparison to a byte value at $68E6
      (V2 = $6902). If the byte doesn't match, the code branches to 
      $68EF (V2 = $690B), where it executes an undocumented opeode ($02)
      that sends the computer into an infinite loop. What would happen
      if we just bypassed this code altogether? Again, we'll have to
      patch the backup disk.
      
      But where is this code? Try to find it with the Byte Pattern
      Searcher. You won't find it. Epyx' fast load routine requires the
      disk data to be written a special way that Commodore DOS doesn't
      understand. But we CAN patch the code in memory, after it's 
      loaded.
      
      Use the drivemon (see Rad Warrior elsewhere in this manual) to 
      load the last sector of the "(C) 1987 EPYX" file
      (T/S 17/4 or $11/$04).
      
      Change the JMP $67E9 at position $13 (V2 = $14) to read:

         LDA #$60               ;An "RTS"
         STA $68CA (V2 = $68E6) ;is placed at top of
         JMP $67E9              ;of protection check
                                ;and then JMP

      You also must alter the last-byte pointer at position 1 in the
      sector to reflect our added code (from $16 to $1A (V2 = $1B)) so
      that it loads properly. Write the sector back to the nybbled 
      backup and boot it. It worked! The protection check is bypassed.
      You may apply the same procedure to the other side of the disk.



      < < < EPYX : RAD WARRIOR > > >
      
      Epyx, like many other major software producers, uses many
      different protection schemes in their program releases. The
      complexity of the protection is apparently related to anticipated
      sales of the release. Hence, their "U.S. Gold" and "Maxx Out"
      (bargain division) series are easily nybbled, with only a few
      requiring a (usually) short parameter. "Rad Warrior" falls into
      this group - it appears that the protection on this title was
      designed to thwart only software based nybblers. The actually
      protection is easy to disable - once you find it.
      
      You will need the following:
      
         1) An original "Rad Warrior" (RW) diskette.
         
         2) A backup copy of RW using any good nybbler.

            K.J. REVEALED TRILOGY    PAGE [116]    (C)1990 K.J.P.B.

<<previous page - next page>>