process and wait for the long head swing we discussed above. When
      it starts to move back, hit your reset button. Load the $8000
      monitor and start searching for drive command text (B-E, M-W, M-E,
      etc.). Often, these drive command strings are stored in memory
      in reverse, so keep trying. You should find a reversed 'M-W' and
      'M-E' stored respectively at $09A6 and $09AB. These commands write
      to and execute code at $0300 in the drive. Disassemble the code at
      $0900. Careful study will reveal what the drive is being told to
      do. First, the drive routine at $90AE is sent to $0300 in the drive
      by a Memory-Write. Then, the routine is Memory-Executed after
      sending 3 additional bytes: $80, $28, and $0E. The drive routine
      stores these 3 bytes into job queue $01, producing a read ($80) of
      track 40 ($28)/sector 14 ($0E) into drive memory $0400. The
      computer waits for this read to complete, then stores the sector of
      data at $9600 - $96FF, not caring if the read was successful or
      not. It assumes all the needed data is in place and starts up the
      game.
      
        Use the drive monitor and the original TK disk to look at this
      sector. Initialize the disk and place $28 and $0E into job queue
      $08 and $09. Then place $80 into $01. When the drive shuts off,
      check $01 for a successful read: if it contains a $01 then the job
      completed successfully (a backup should produce an error code,
      $02-$0A). Disassemble the data at $0400. This is the code the
      protection is trying to load at $9600 in the computer. A bad read
      attempt will not produce the correct data, therefore whatever is
      loaded into $9600 will be executed, whether it's valid code or not.
      This results in a system crash.
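
      The job-queue read and the loader's missing status check, modelled
      in Python as an added example (not code from the original text).
      The Drive class, the function names and the 256-byte sample sector
      are assumptions made for illustration; the model also includes the
      behaviour noted further on, that a failed read leaves the drive
      buffer untouched.

```python
# Simplified model (added example) of 1541 job-queue slot 1, using the page's
# addresses: job/status byte at $01, track/sector at $08/$09, buffer at $0400.
JOB_READ, OK = 0x80, 0x01
ERR_HEADER = 0x02   # one of the $02-$0A error codes (header block not found)

class Drive:
    def __init__(self, disk):
        self.disk = disk                # {(track, sector): 256 bytes} of readable sectors
        self.zp = {0x01: 0, 0x08: 0, 0x09: 0}
        self.buffer = bytearray(256)    # drive memory $0400-$04FF

    def run_job(self, job, track, sector):
        """Queue a job the way the page does by hand; return the status left in $01."""
        self.zp[0x08], self.zp[0x09], self.zp[0x01] = track, sector, job
        if job == JOB_READ:
            data = self.disk.get((track, sector))
            if data is None:
                self.zp[0x01] = ERR_HEADER   # failed read: buffer keeps its old contents
            else:
                self.buffer[:] = data
                self.zp[0x01] = OK
        return self.zp[0x01]

def load_unchecked(drive):
    """The loader as the page describes it: read 40/14, copy the buffer, ignore $01."""
    drive.run_job(JOB_READ, 0x28, 0x0E)
    return bytes(drive.buffer)          # what would be stored at $9600-$96FF

def load_checked(drive):
    """Same read, but the data is only handed over when $01 reports success."""
    status = drive.run_job(JOB_READ, 0x28, 0x0E)
    if status != OK:
        raise IOError(f"read of 40/14 failed, job status ${status:02X}")
    return bytes(drive.buffer)

# Constructed sample data: 256 bytes standing in for the real sector contents.
SECTOR = bytes(range(256))
original = Drive({(0x28, 0x0E): SECTOR})   # original disk: track 40 is readable
backup = Drive({(0x12, 0x06): SECTOR})     # backup: no track 40, data moved to 18/6
```

      On the backup, load_unchecked() returns whatever the buffer already
      held, while load_checked() stops on the error code left in $01.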

      To produce a copyable backup we must relocate this sector to a
      normal DOS track. We prefer to use directory sectors when possible.

      Track/sector 18/6 ($12/06) is available so use the job queue to
      write our data to it. Insert your backup copy, initialize the 
      drive and place a $12 into $08, $06 into $09 and $90 into $01. Our
      sector is now easily accessible - to us. The protection routine
      will still look for it on track 40. We must find a way to re-direct
      the sector read to our new location.
      
      There might be a simpler way, however. The nature of the 1541
      DOS is that a sector header error (which will occur with a backup
      copy of SG) will NOT corrupt the current contents of the drive
      buffer. That is, the data residing in the buffer will still be
      intact after a header error. If we can read our sector at the
      appropriate time, the protection check will not destroy the data,
      assuming it doesn't find a valid header in track 40. One way is to
      "wedge" ourselves into the drive code.
      
      One of the first things the auto-boot routine does is to execute
      the custom loader routine in the drive. This code reads in a sector
      of data and transmits it to the computer. What if we modified the
      routine to read our sector at $12/$06 AFTER it has

            K.J. REVEALED TRILOGY    PAGE [121]    (C)1990 K.J.P.B.
