1) Turn off your computer and insert your reset button
assembly into the cartridge port. Turn the computer on again. Load
the $C000 monitor from your utility disk <> LOAD"49152",8,1 <>. At
the completion of the load, type SYS 49152 and hit RETURN. The
monitor should be active now.
Working with your backup:
2) With your backup in the drive and the monitor active,
load the boot file <> L "COP*",08 <>. When the load is complete,
disassemble memory at $02E0. You'll find a loader routine that
loads in the 1985 file and jumps to $0C3D.
3) Load the 1985 file into memory <> L "19*",08 <>. After
the load, start disassembly of code at $0C3D (D 0C3D). The code is
as follows: $0C3D-$0C5B sets up a fast loader and loads in the
logo screen. $0C5C is a JSR (GOSUB in BASIC) to the logo screen.
$0C5F is the start of the main program load. It is this code
that is of interest to us.
4) The code at $0CE5-$0D06 is a decryption routine. Examine
it, because it is the key to the de-protection: it is what decrypts
the protection code, so it is also what lets us examine that code.
At the end of the decryption routine is an RTS ($0D06). Using the
MEMORY command (M 0D06), change the 60 (RTS) to a 00 (BRK). The
code then runs normally until the BRK is encountered, so the
program, once started, stops right after the decryption and leaves
the decrypted protection routine in memory for us to examine.
5) For our purposes, we will skip over the fast loader and
logo screen. Start the program after the logo screen is run
($0C5F): type G 0C5F and hit RETURN. The screen should turn
black. Wait about five seconds, then reset the computer and
return to the monitor with SYS 49152. Using the INTERPRET
command, examine memory from $0A00 on (I 0A00). At $0AB6 you
will find a Block Execute command (B-E, which executes the
protection check placed in drive memory) and at $0AC2 a Memory
Read command (M-R, which reads back the value the protection
check leaves in the drive). In this scheme that value is always
$FF. Examine the code at $0A92. The value is returned to the
computer by the Memory Read through the kernal input routine at
$FFCF, which brings back the $FF. It is then EORed with #$FF,
which turns it into $00, and the result is stored at location
$0AB5. Our job is to place the correct value in $0AB5 and disable
the instruction that overwrites it. This can be done by placing
three NOPs ($EA) over the three-byte STA $0AB5 at $0A97: the
routine still performs the Memory Read, but the value it gets
back is no longer written into computer RAM. All that is left is
to place the value $00 at $0AB5.
6) Now we have the correct values to plug into the code to
disable
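The fragment at $0A92 and the two patches from steps 4 and 5, modeled as an added example in C that is not from the book. A toy interpreter for just the six 6502 opcodes involved runs a constructed copy of the fragment (JSR $FFCF / EOR #$FF / STA $0AB5, with an assumed closing RTS at $0A9A) and compares the unpatched code against the NOP-and-preset fix; the JSR $FFCF is stubbed to hand back a chosen byte instead of talking to a 1541. The $00 reply used to represent a backup whose drive-side check failed is an assumption, as is the whole byte layout; the functions check_value, stops_on_brk and run are hypothetical names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the C64 side of the check: 64 KiB of RAM, an accumulator,
   a program counter and the byte a stubbed KERNAL $FFCF hands back. */
typedef struct {
    uint8_t  mem[0x10000];
    uint8_t  a;
    uint16_t pc;
    uint8_t  drive_reply;   /* stands in for the M-R reply; $FF on an original */
} cpu_t;

enum { OP_BRK = 0x00, OP_JSR = 0x20, OP_EOR_IMM = 0x49,
       OP_RTS = 0x60, OP_STA_ABS = 0x8D, OP_NOP = 0xEA };

/* Constructed image of the fragment the text describes at $0A92.
   The JSR/EOR/STA bytes follow the text; the closing RTS is an assumption. */
static void load_fragment(cpu_t *c)
{
    static const uint8_t code[] = {
        0x20, 0xCF, 0xFF,   /* $0A92  JSR $FFCF   ; KERNAL CHRIN: byte of M-R reply */
        0x49, 0xFF,         /* $0A95  EOR #$FF */
        0x8D, 0xB5, 0x0A,   /* $0A97  STA $0AB5 */
        0x60,               /* $0A9A  RTS (assumed) */
    };
    memcpy(&c->mem[0x0A92], code, sizeof code);
}

/* Interpret only the opcodes the fragment uses. JSR $FFCF is intercepted
   and answered with drive_reply; any other JSR or opcode ends the run.
   Returns the opcode that stopped execution (RTS or BRK), or -1. */
static int run(cpu_t *c, uint16_t start)
{
    c->pc = start;
    for (;;) {
        uint8_t  op   = c->mem[c->pc];
        uint16_t addr = (uint16_t)(c->mem[(uint16_t)(c->pc + 1)] |
                                   (c->mem[(uint16_t)(c->pc + 2)] << 8));
        switch (op) {
        case OP_JSR:
            if (addr != 0xFFCF) return -1;
            c->a = c->drive_reply;            /* stub for the KERNAL call */
            c->pc += 3;
            break;
        case OP_EOR_IMM: c->a ^= c->mem[(uint16_t)(c->pc + 1)]; c->pc += 2; break;
        case OP_STA_ABS: c->mem[addr] = c->a;                    c->pc += 3; break;
        case OP_NOP:     c->pc += 1;                              break;
        case OP_RTS:     return OP_RTS;
        case OP_BRK:     return OP_BRK;
        default:         return -1;
        }
    }
}

/* Value left at $0AB5 after the fragment runs. With patched != 0 the fix
   from step 5 is applied first: NOP NOP NOP over STA $0AB5 and $00 at $0AB5. */
uint8_t check_value(uint8_t drive_reply, int patched)
{
    cpu_t c;
    memset(&c, 0, sizeof c);
    load_fragment(&c);
    c.drive_reply = drive_reply;
    if (patched) {
        memset(&c.mem[0x0A97], OP_NOP, 3);
        c.mem[0x0AB5] = 0x00;
    }
    run(&c, 0x0A92);
    return c.mem[0x0AB5];
}

/* Step 4's trick applied to this fragment: turn the closing RTS (60) into
   BRK (00) and confirm the run stops there instead of returning. */
int stops_on_brk(void)
{
    cpu_t c;
    memset(&c, 0, sizeof c);
    load_fragment(&c);
    c.mem[0x0A9A] = OP_BRK;
    return run(&c, 0x0A92) == OP_BRK;
}

int main(void)
{
    /* $00 as the reply from a backup is an assumption: any byte other than
       $FF stands for a failed drive-side check. */
    printf("original ($FF reply), unpatched: $0AB5 = $%02X\n", check_value(0xFF, 0));
    printf("backup   ($00 reply), unpatched: $0AB5 = $%02X\n", check_value(0x00, 0));
    printf("backup   ($00 reply), patched:   $0AB5 = $%02X\n", check_value(0x00, 1));
    printf("RTS->BRK stops the run: %s\n", stops_on_brk() ? "yes" : "no");
    return 0;
}
```

The point the model makes visible: on an original the EOR #$FF turns the drive's $FF into the $00 the program expects, on a backup anything else lands in $0AB5, and after the three NOPs the Memory Read still happens but $0AB5 keeps whatever you preset, so the program no longer depends on the drive at all.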
K.J. REVEALED TRILOGY PAGE [25] (C)1990 K.J.P.B.