A 06C4 JMP $06E0

      This "patch" will load our sector into drive buffer $0400 and
      exit the same way as the original code.

      Because the loader is encrypted we must also re-encrypt the code
      containing our patch. To do this, re-execute step #3 above.
      Rewrite the re-encrypted code at $0600 back to T/S $12/$12 by
      placing the value $90 into drive memory $03. When the drive LED
      turns off, reset the computer and try out your newly broken
      backup.


      < < < RAINBIRD: STARGLIDER > > >
      
      Examination and analysis of the protection code in "Starglider"
      (SG) is a frustrating process: there are many, MANY code transfer
      and decryption routines. It is very easy to get lost and 
      eventually one gets tired of tracing this nonsense. There must be
      an easier way.
      
      There is. But first, make a FAST COPY of your original SG and
      then boot it several times in a row so that you're familiar with
      the sequence of events that occur during the load. It's especially
      important to listen carefully to the drive while the program is
      loading so that you get the "feel" or sense of rhythm of the
      loading process. Timing is critical to discovering the protection
      check.
      
      Let's examine the loading process. The auto-boot routine blanks
      the screen, there is some disk activity, then nothing for about 5
      seconds. The title screen appears and. the load continues. After
      about 45 seconds the screen again blanks and the drive shuts off. A
      few seconds later, the drive activates and you can hear the drive
      head swing a long distance across the disk and back again. If you
      are loading from the original disk, the first game screen will
      appear. Otherwise, a backup copy will produce garbage. So for now,
      we can assume that the protection check occurred sometime during
      that long head swing.
      
      The next step is to find the protection code. Repeat the loading
      process and wait for the long head swing we discussed above. When
      it starts to move back, hit your reset button. Load the $1000
      monitor and start searching for drive command text (B-E, M-W, M-E,
      etc...). Often, these drive command strings are stored in memory 
      in reverse, so keep trying. You should find a reversed 'M-W' and
      'M-E' stored respectively at $90A6 and $90AB. These commands write
      to and execute code at $0300 in the drive. Disassemble the code at
      $9000. Careful study will reveal what the drive is being told to
      do.

            K.J. REVEALED TRILOGY    PAGE [123]    (C)1990 K.J.P.B.