         4) An error scan of the original SB disk.

         5) A reset button that will reset the screen.

      Examining the disk map shows that the disk appears to be
      completely normal. This is common to many Epyx releases: they have
      an impressive fast loader routine that requires a slight
      modification to the sector headers. A fast copier will ignore 
      these eccentricities but a nybbler can reproduce them well enough to
      fool the fast loader. Obviously, this is not where the protection
      lies.
      
      Load the nybbled copy of SB and observe what happens: when the
      "Maxx-OUT" screen appears, the disk drive hangs. If you listen
      closely to the drive when this happens, you'll hear the drive head
      move a long way across the disk before it gets spindizzy. This,
      then, is where the protection check occurs.
      
      Load the $C000 monitor and the SB boot file, which resides from
      $02A7 - $0303. The program start address can be found in the BASIC
      warm start vector at $0302 - $0303. The entry point is $02C1. This
      routine does little more than load the only other file in the
      directory, "(C)  1987 EPYX", and then jump to $7F06. That file
      resides from $7D09 to $7F73. Most of it is the fast loader
      initialization code and the drive-to-computer transfer routines.

      At $7D2C, you can see the text for the Block-Execute (B-E) command
      that starts up the drive code on track/sector (T/S) 18/6 
      ($12/$06).

      The drive code is interesting to study (see "L. A. Crackdown"
      elsewhere in this manual for all the gory details) but, if there's
      an easier way, why bother?
      
      Begin disassembly at the entry point of $7F06. You should be
      looking at a short routine that ends with a JMP to $67E9 at $7F24.
      Examine the other subroutine calls to $7EF1 and $7EF4. These are
      the initialization routines referred to above. A logical place to
      stop the loading process is the JMP $67E9. Change this instruction
      so that it JMP's to itself (JMP $7F24). Execute the code at $7F06
      (G 7F06). The program should freeze up. Press your reset button and
      load the $C000 monitor.
      
      Disassemble the code at $67E9. The subroutine call to $6909
      reveals several calls to the load routines we saw earlier, 
      followed by a comparison to a byte value at $6925. If the byte
      doesn't match, the code branches to $692E, where it
      executes an undocumented opcode ($02) that sends the computer into
      an infinite loop. What would happen if we just bypassed this code
      altogether?
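      The two analysis steps above (reading the entry address out of the
      BASIC warm start vector in a loaded file, then disassembling forward
      and spotting the places where execution stops dead) are easy to
      automate. The script below is an added example, not code from the
      manual or from the Epyx loader: it works on two constructed PRG
      images (the C64 PRG format is a little-endian load address followed
      by the raw bytes), understands only a handful of 6502 opcodes plus
      the undocumented $02 (often called JAM or KIL, which halts the CPU),
      and flags a JMP that targets itself or a $02 as a halt point. The
      byte sequences, the $A5 compare value and the routine layout are
      all made up for the demonstration; only the addresses follow the
      text.

```python
"""Minimal 6502 analysis helpers (added example, constructed data)."""
import struct

# Opcodes understood here: a small documented subset plus the
# undocumented $02, which halts the 6502 until a hardware reset.
OPS = {
    0x4C: ("JMP", 3), 0x20: ("JSR", 3), 0x60: ("RTS", 1),
    0xAD: ("LDA", 3), 0xCD: ("CMP", 3), 0xC9: ("CMP#", 2),
    0xD0: ("BNE", 2), 0xF0: ("BEQ", 2), 0xEA: ("NOP", 1),
    0x02: ("JAM", 1),
}


def load_prg(prg):
    """Split a PRG image into (load_address, code_bytes)."""
    load_addr = struct.unpack_from("<H", prg, 0)[0]
    return load_addr, prg[2:]


def read_vector(load_addr, code, vec_addr):
    """Read a little-endian 16-bit vector stored at vec_addr."""
    return struct.unpack_from("<H", code, vec_addr - load_addr)[0]


def disassemble(load_addr, code, start, count):
    """Return up to `count` (addr, mnemonic, operand) tuples from `start`.

    Absolute operands are returned as addresses; branch operands are
    resolved to their target address; immediates are returned as values.
    """
    listing, pc = [], start
    for _ in range(count):
        off = pc - load_addr
        if off < 0 or off >= len(code):
            break
        name, size = OPS.get(code[off], ("???", 1))
        operand = None
        if size == 3:
            operand = struct.unpack_from("<H", code, off + 1)[0]
        elif size == 2:
            b = code[off + 1]
            # Branches use a signed 8-bit offset from the next instruction.
            operand = b if name == "CMP#" else pc + 2 + (b - 256 if b >= 128 else b)
        listing.append((pc, name, operand))
        pc += size
    return listing


def find_traps(listing):
    """Flag instructions that stop execution: JMP-to-self and $02."""
    traps = []
    for addr, name, operand in listing:
        if name == "JMP" and operand == addr:
            traps.append((addr, "JMP to self"))
        elif name == "JAM":
            traps.append((addr, "undocumented $02 halts CPU"))
    return traps


# --- constructed boot image covering $02A7..$0303 -------------------------
BOOT_LOAD = 0x02A7
_boot = bytearray(0x0304 - BOOT_LOAD)
# constructed warm start vector at $0302 pointing at $02C1
_boot[0x0302 - BOOT_LOAD:0x0304 - BOOT_LOAD] = struct.pack("<H", 0x02C1)
# constructed entry code at $02C1: JSR $7EF1 ; JSR $7EF4 ; JMP $7F06
_boot[0x02C1 - BOOT_LOAD:0x02C1 - BOOT_LOAD + 9] = bytes(
    [0x20, 0xF1, 0x7E, 0x20, 0xF4, 0x7E, 0x4C, 0x06, 0x7F])
BOOT_PRG = struct.pack("<H", BOOT_LOAD) + bytes(_boot)

# --- constructed check routine at $6909 -----------------------------------
# LDA $6925 ; CMP #$A5 ; BNE $6912 ; RTS ; NOP ; $02 ; JMP $6913
CHECK_LOAD = 0x6909
CHECK_PRG = struct.pack("<H", CHECK_LOAD) + bytes(
    [0xAD, 0x25, 0x69, 0xC9, 0xA5, 0xD0, 0x02, 0x60, 0xEA, 0x02,
     0x4C, 0x13, 0x69])


def boot_entry(prg=BOOT_PRG):
    """Entry address taken from the warm start vector at $0302."""
    load_addr, code = load_prg(prg)
    return read_vector(load_addr, code, 0x0302)


def check_traps(prg=CHECK_PRG):
    """Halt points found in the constructed check routine."""
    load_addr, code = load_prg(prg)
    return find_traps(disassemble(load_addr, code, load_addr, 7))


if __name__ == "__main__":
    print(f"entry: ${boot_entry():04X}")
    for addr, why in check_traps():
        print(f"${addr:04X}: {why}")
```

      Run stand-alone it prints the entry address $02C1 and the two halt
      points in the constructed routine. The trap detector is deliberately
      narrow: it catches the two patterns the text describes and nothing
      else, which is the right scope for confirming where a drive hang
      originates before reading the surrounding code by hand.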

      Again, we'll have to patch the backup disk.
      
      But where is this code? Try to find it with the Byte Pattern
      Searcher. Good luck! Epyx' fast load routine requires the disk data
      
            K.J. REVEALED TRILOGY    PAGE [119]    (C)1990 K.J.P.B.
