track 18. How are we going to trap that drive code so we can use it
      on an un-protected disk?
      
      Clearly, we must let the routine continue and interrupt it at
      the right moment. Study the code. The protected drive code is
      stored from $0300 through $06FF by the routine. At $01AD, a JSR
      $03BE is executed. Since this is the first call made to the newly
      loaded drive code, this seems a good place to stop it. Again, place
      a 'JMP $F969' at $01AD. To continue execution of the code, place a
      'JMP $0160' at $0500 and place $E0 in drive job queue $02. After
      the drive motor shuts down, disassemble the code at $0300 - 
      $06FF.
      
      Now we need to save it. Insert your backup copy and initialize
      the disk (@I). The error-scan shows that there are several unused
      directory sectors on side 1 so we can safely save our
      newly-captured code to these - we'll use sectors 15 - 18 ($0F -
      $12). Using the drivemon, place the following bytes into job queue
      $06 - $0D: 12 0F 12 10 12 11 12 12. Then place $90 (write job) into
      job queue $00, $01, $02, and $03. Wait until the drive motor shuts
      off. The needed drive code is now stored on your backup disk.
      
      The next step is to trap and save the decrypted code on T/S
      $12/$06 and write a short routine to load up our four drive code
      sectors. Again, read T/S $12/$06 into drive memory $0500 and place
      "JMP $F969" at $0522. Place $E0 in drive job queue $02 to decrypt
      the code. Transfer the decrypted code from $0160 - $01FF to $0560.
      Our new start-up routine at $0500 will load the four drive code
      sectors using the DOS job queue. Use the assembly capability of the
      monitor to enter the following into drive memory:

           ]A      0500: SEI
           ],      0501: LDX 10        ;move code to a safe place
           ],      0503: LDA $0500,X
           ],      0506: STA $0700,X
           ],      0509: INX
           ],      050A: BNE $0503
           ],      050C: JNP $070F     ;continue execution

      Transfer the code from $0500 - $05FF to $0700. Continue entering
      code at $070F:

           ]A      070F: LDX #$0D      ;load up the job queue with T/S
           ],      0711: LDA $0740,X   ;numbers and read commands ($80)
           ],      0714: STA $00,X
           ],      0716: DEX
           ],      0717: BPL $0711
           ],      0719: LDX #$03      ;wait until all sectors have
           ],      071B: LDA $00,X     ;been loaded
           ],      071D: BMI $071B
           ],      071F: DEX

            K.J. REVEALED TRILOGY    PAGE [132]    (C)1990 K.J.P.B.