Change the code at $03C5 to JMP $2000 and execute the code at
      $0334 (G 0334). The screen will turn black, the disk drive will
      activate, and after a short time, control will return to the
      monitor. Disassemble the code at $0F00. The routine from $0F00 -
      $0F22 copies the freshly-loaded code from $0C3C - $123B to
      $033C - $093B, then JMPs to $0623. This makes viewing the code in
      its proper location more difficult. By locating and executing the
      protection code in screen memory ($0400 - $07F7), MBTT protects
      itself from a monitor like the one we are using. In addition, a
      normal reset of the computer will destroy ALL of this code. We can
      relocate it ourselves to a more convenient area ($733C) by using
      the monitor's (T)ransfer command:
      
         T 0C3C 123B 733C

      When disassembling this relocated code, remember to add $7000 to
      all address references in the program and the following text.
      The entry point here is at $0623 ($7623 - remember: add
      $7000). The routine at $0633 copies the drive fast loader code to
      $5000 - $52FF, then calls the subroutine at $0342 to send it to the
      drive, execute it, and change the KERNAL LOAD vector to point to
      the fast loader. The next step at $064F is the key to the
      protection scheme: what appears to be a normal load routine is
      actually reading the protected sector into $0C00. The KERNAL SETNAM
      call at $0654 is pointing to a rather odd file name consisting of 
      4 hex bytes at $0690 with the values $01 $24 $10 $01. Hex 24 ($24) =
      36 decimal and $10 = 16. Track/sector (T/S) 36/16 is the sector
      containing the protected data! The data is then decrypted and moved
      to $C002, where it is executed to continue the loading process.
      
      The easiest way past a protection scheme like this is to capture
      the data ourselves, write it to a safe place on our backup copy,
      and change the protection code to look at our new location. This
      will be especially easy because the code is not encrypted. To do
      this, enter the drivemon, insert an ORIGINAL MBTT, and initialize
      the drive. Use the drive's job queue to read in T/S $24/$10 (our
      protected sector) and write it to your backup copy. An unused
      directory sector is usually a good bet, so we'll use T/S $12/$12
      (18/18).
      
      The last step is to change the reference to the original
      protected sector to our newly relocated sector. Recall that the
      code we've been analyzing was loaded from track 35. Use the
      provided Byte Pattern Scanner to search for the 4 hex bytes ($01,
      $24, $10, $01) that we discussed earlier. Enter 35 for the starting
      AND ending tracks. The scanner should report the bytes' location on
      T/S 35/14 ($23/$0E) at position $54 (84). Use any sector editor or
      the drivemon to change the 2 bytes at position $55 on T/S 35/14
      ($23/$0E) from $24/$10 to $12/$12 and rewrite them to your backup

            K.J. REVEALED TRILOGY    PAGE [128]    (C)1990 K.J.P.B.
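
      Added example (not from the original text or its tools): the
      byte-pattern search described above, written in Python against a
      D64-style image of the backup. The image format, the function names
      and the sample image are assumptions constructed for illustration;
      only the byte pattern and the T/S values come from the text.

```python
# Added example: 1541 disk geometry and a per-sector byte-pattern scan.
# Assumption: the backup is held as a standard 35-track D64-style image.
SECTOR_SIZE = 256
# (first track, last track, sectors per track) for a standard 1541 disk
ZONES = [(1, 17, 21), (18, 24, 19), (25, 30, 18), (31, 35, 17)]

def sectors_on(track):
    """Sectors on a track; tracks outside 1-35 are not in a standard image."""
    for first, last, count in ZONES:
        if first <= track <= last:
            return count
    raise ValueError(f"track {track} is outside the standard 35-track layout")

def ts_offset(track, sector):
    """Byte offset of a track/sector inside the image."""
    if not 0 <= sector < sectors_on(track):
        raise ValueError(f"sector {sector} does not exist on track {track}")
    preceding = sum(sectors_on(t) for t in range(1, track))
    return (preceding + sector) * SECTOR_SIZE

def scan(image, pattern, first_track, last_track):
    """Return (track, sector, position) for every match inside one sector."""
    hits = []
    for track in range(first_track, last_track + 1):
        for sector in range(sectors_on(track)):
            start = ts_offset(track, sector)
            block = image[start:start + SECTOR_SIZE]
            pos = block.find(pattern)
            while pos != -1:
                hits.append((track, sector, pos))
                pos = block.find(pattern, pos + 1)
    return hits

PATTERN = bytes([0x01, 0x24, 0x10, 0x01])  # the 4-byte "file name" from the text

def build_sample_image():
    """Constructed blank image with PATTERN planted where the text reports it."""
    image = bytearray(ts_offset(35, 16) + SECTOR_SIZE)  # 683 sectors
    off = ts_offset(35, 14) + 0x54
    image[off:off + len(PATTERN)] = PATTERN
    return bytes(image)

if __name__ == "__main__":
    for t, s, p in scan(build_sample_image(), PATTERN, 35, 35):
        print(f"T/S {t}/{s} (${t:02X}/${s:02X}) position ${p:02X} ({p})")
```

      Track 36 raises ValueError here because it lies outside the
      standard 35-track layout that this image format covers.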
