3) A disk log of the RW disk to get the load addresses.
4) An error-scan of the original RW disk.
5) A reset button that will reset the screen.
Examining the disk map shows that the disk appears to be
completely normal. This is common to most Epyx releases. They have
a VERY fast loader routine that requires a slight modification to
the sector headers. A fast copier will ignore these eccentricities
but a nybbler can reproduce them well enough to fool the fast
loader. Obviously, this is not where the protection lies.
Load the nybbled copy of RW and observe what happens. When the
"Maxx-OUT" screen appears, the disk drive hangs. If you listen
closely to the drive when this happens, you will hear the drive
head move a long way across the disk before it goes into a coma.
This, then, is where the protection check occurs.
The RW boot file resides from $02A7 - $0303. The program start
address can be found in the BASIC warm start vector at $0302 -
$0303. The entry point is $02C1. This routine does little more
than load the only other file in the directory ( "(C) 1987 EPYX" )
and then jump to $0600. The file resides from $0409 to $0626:
SCREEN MEMORY! This makes it a little tougher for us to examine. A
software-based monitor like KrackerMon has to use screen memory
for its display. Anything loaded there will be immediately
destroyed. We must relocate the file as we load it.
Load the $C000 monitor and relocate the file by entering:
L "(C)*",08,1409
The file will now reside at $1409. Begin disassembly at the
entry point of $0600 (for consistency's sake, I'll refer to the
actual addresses; just add $1000 to any address within $0409 -
$0626 to find it in the relocated copy). You should be looking at
a short routine that ends with a JMP to $67E9 at $061E. Examine
the other subroutine calls to $05F1 and $05F4. These are the
initialization routines that start the drive code and fast loader.
A logical place to stop the loading process is the JMP $67E9, but
its location (screen memory) requires us to use the supplied File
Tracer utility to patch this JMP on the nybbled backup disk so
that it JMPs to itself (JMP $061E). Then we'll reset the computer
and check the code at $67E9.
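The Python sketch below is an added example, not part of the original text or of the Kracker Jax utilities. It reads a PRG image's load address to confirm the screen-memory overlap, maps original addresses to the relocated copy, and decodes the JMP at $061E without loading anything. The sample image is constructed (NOP filler), the function names are hypothetical, and treating $0626 as the last byte of the file is an assumption.

```python
import struct

SCREEN_FIRST, SCREEN_LAST = 0x0400, 0x07E7   # default C64 text screen RAM
JMP_ABS = 0x4C                               # 6502 opcode: JMP absolute

def prg_range(prg):
    """(first, last) address the PRG occupies when loaded at its own address."""
    if len(prg) < 3:
        raise ValueError("need a 2-byte load address plus at least one data byte")
    (first,) = struct.unpack_from("<H", prg, 0)   # load address is little-endian
    last = first + len(prg) - 3
    if last > 0xFFFF:
        raise ValueError("image runs past the end of the 64K address space")
    return first, last

def overlaps_screen(prg):
    """True if any byte of the file lands in screen RAM when loaded normally."""
    first, last = prg_range(prg)
    return first <= SCREEN_LAST and last >= SCREEN_FIRST

def relocated(prg, addr, new_first):
    """Where original address 'addr' sits if the file is loaded at new_first."""
    first, last = prg_range(prg)
    if not first <= addr <= last:
        raise ValueError("address $%04X is outside the file" % addr)
    return new_first + (addr - first)

def jmp_target(prg, addr):
    """Target of a JMP absolute at original address 'addr', or None if not a JMP."""
    first, last = prg_range(prg)
    if not first <= addr <= last - 2:
        raise ValueError("no room for a 3-byte instruction at $%04X" % addr)
    off = 2 + (addr - first)                      # skip the 2-byte load address
    if prg[off] != JMP_ABS:
        return None
    return prg[off + 1] | (prg[off + 2] << 8)

def build_sample():
    """Constructed stand-in for the second file: NOP filler, JMP $67E9 at $061E."""
    body = bytearray([0xEA] * (0x0626 - 0x0409 + 1))   # assumes $0626 is inclusive
    at = 0x061E - 0x0409
    body[at:at + 3] = bytes([JMP_ABS, 0xE9, 0x67])
    return struct.pack("<H", 0x0409) + bytes(body)

if __name__ == "__main__":
    prg = build_sample()
    print("loads $%04X-$%04X, hits screen: %s" % (*prg_range(prg), overlaps_screen(prg)))
    print("$0600 is at $%04X after relocation" % relocated(prg, 0x0600, 0x1409))
    print("JMP at $061E goes to $%04X" % jmp_target(prg, 0x061E))
```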
After applying the above patch to your backup, boot it. The
program should lock up. Press your reset button and load the $C000
monitor. Disassemble the code at $67E9. The subroutine call to
K.J. REVEALED TRILOGY PAGE [117] (C)1990 K.J.P.B.