JSR's and then a JMP to $4000. Look at the code in the first
subroutine at $C9F1. Careful tracing will reveal that this routine
boots the fast loader code in the drive by issuing a
'Block-Execute' command to the drive. The command string is located
at $C955 and the drive code is stored on track/sector (T/S) 18/6
($12/$06). We'll look at that in a moment. The second subroutine is
the computer side of the loader that communicates with the drive
and retrieves the data. After the load has completed, the JMP to
$4000 is executed.

Let's stop the program after the load. Replace the JMP to $4000
with JMP $CA16. This creates an endless loop that we can interrupt
with RUN/STOP-RESTORE. Then, fill memory from $4000 - $BFFF with an
oddball value (I use $99). Make sure the ORIGINAL LAC disk is in
the drive and then execute the code at $CA00. The screen should
blank, followed by a flurry of disk activity. When the screen
re-appears (full of garbage) press RUN/STOP-RESTORE and re-enter
the monitor (SYS 4096). Switch in the RAM underneath BASIC (place a
$36 at location $02 if you are using Kracker-Mon) and look for the
start of your filler bytes. You should find them at $A900. The data
loaded from $4000 to $A8FF.
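
The filler-byte trick above, as an added example that is not part of the original manual: a Python scan over a 64K memory snapshot (assumed to be saved from an emulator or monitor) that finds where the load ended. The dump, its byte pattern and the function names are constructed for illustration; the two-fill check goes beyond the text and assumes the load writes the same bytes on every run.

```python
FILL = 0x99                  # the "oddball" filler value used in the text
START, END = 0x4000, 0xC000  # fill region $4000-$BFFF (END is exclusive)


def loaded_extent(mem, fill=FILL, start=START, end=END):
    """Return (first, last) addresses the load overwrote, or None.

    Scans down from the top of the fill region, so filler-valued bytes in
    the middle of the loaded data are not mistaken for untouched memory.
    """
    addr = end
    while addr > start and mem[addr - 1] == fill:
        addr -= 1
    return None if addr == start else (start, addr - 1)


def extent_two_fills(mem_a, fill_a, mem_b, fill_b):
    """Combine two runs made with different fillers.

    If the data itself ends in the filler value, one scan stops short; the
    last byte cannot equal both fillers, so the higher end address is exact.
    """
    a, b = loaded_extent(mem_a, fill_a), loaded_extent(mem_b, fill_b)
    found = [r for r in (a, b) if r is not None]
    return max(found, key=lambda r: r[1]) if found else None


def constructed_dump(fill, tail=b""):
    """Constructed 64K snapshot (not real LAC data): filler, then a fake load."""
    mem = bytearray(0x10000)
    mem[START:END] = bytes([fill]) * (END - START)
    size = 0xA900 - 0x4000 - len(tail)
    # 7 is odd, so this pattern contains every byte value, $99 included.
    mem[0x4000:0xA900] = bytes((i * 7 + 3) & 0xFF for i in range(size)) + tail
    return mem


if __name__ == "__main__":
    first, last = loaded_extent(constructed_dump(FILL))
    print(f"loaded ${first:04X}-${last:04X}, filler starts at ${last + 1:04X}")
    # Same load, but the data now ends in two $99 bytes.
    short = loaded_extent(constructed_dump(0x99, b"\x99\x99"))
    exact = extent_two_fills(constructed_dump(0x99, b"\x99\x99"), 0x99,
                             constructed_dump(0x55, b"\x99\x99"), 0x55)
    print(f"single fill: ${short[1]:04X}, two fills: ${exact[1]:04X}")
```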

If you try to execute the code at $4000, the computer will lock
up. Why? Because the fast loader in the drive is still running and
it polls the serial bus constantly, waiting for the next load
command. Only a complete reset of the drive will re-establish
communication. What we must do is start up the drive code before
executing the code at $4000. Recall that the routine at $C9F1 was
the routine that activated the drive code. Turn the drive off for
three seconds, then back on. Place a JSR $C9F1 at $3FFD and save
the code from $4000 - $A900 to your work disk. Re-insert the
ORIGINAL LAC diskette and again load the "(C) 1988 EPYX" file, then
execute the code at $3FFD. If the title screen appears after a
moment, you've done everything right. The code from $4000 - $A900
CAN be saved from memory, reloaded and started back up if the "(C)
1988 EPYX" file is also loaded.

Now let's look at the drive code on T/S 18/6 ($12/$06). Reload
"MON1000", insert the ORIGINAL LAC, and initialize the drive. Use
the drive monitor to load the sector into drive buffer $02 ($0500
in drive memory) so we can disassemble it. Please refer to the Rad
Warrior section elsewhere in this manual. The $0500 buffer is
accessed at drive locations $0A (Track) and $0B (Sector). Use
location $02 to execute the command byte $80. The code from $0500 -
$051F is a decryption routine. It then JMP's to $0160. If we let it
JMP, we will lose control of the drive to the fast loader. To view
the decrypted code at $0160, place a 'JMP $F969' (job completed) at
$0522 and $E0 (execute) in drive job queue $02. After the drive
motor shuts down, disassemble the code at $0160. This routine reads
and decrypts the drive code located in the protected sectors on
K.J. REVEALED TRILOGY PAGE [131] (C)1990 K.J.P.B.