logo screen. $0C5C is a JSR (GOSUB in BASIC) to the logo screen.
         $0C5F is the start of the main program load. It is this code
         that is of interest to us.

         4) The code at $0CE2-$0D03 is a decryption routine. Examine
         it, because it is the key to the de-protection. This routine allows
         decryption and examination of the protection code. At the end of
         this decryption routine is a RTS ($0D03). Using the MEMORY
         command (M 0D03), change the 60 to a 00. This will allow a
         normal operation of code until the 00 (Break or Stop)  is
         encountered. The program, once started, will stop right after
         the decryption, allowing us to examine the protection routine.

         5) For our purposes, we will skip over the fast loader and
         logo screens. Let's start the program after the logo screen is run
         ($0C5F). Type G 0C5F and hit RETURN. The screen should turn
         black. Wait for about five seconds and reset the computer.
         Return to the monitor with SYS 49152. Using the INTERPRET
         command, examine code from $0A00 on (I 0A00). Code at $0AB6
         reveals a Block Execute (executes the protection check placed in
         drive memory) and code at $0AC2 reveals a Memory Read that reads
         the value placed in the drive by the protection check. This
         value, in this scheme, is always an $FF. Examine code at $0A92.
         The value is being returned to the computer by a Memory Read
         with a kernal routine. The $FFCF routine brings back the value
         $FF. It is then EORed with $FF which turns it into a $00 and
         then stores it at location $0AB5. Our job is to place the
         correct value in $0AB5 and disable the routine overwriting it.
         This can be accomplished by placing three NOPs at $0A97 which
         will allow the routine to Memory Read the value but not place it
         in computer RAM. All that is left is to place the value of $00
         at $0AB5.

         6) Now we have the correct values to plug into the code to
         disable and give the protection check what it wants. The last step
         is to place the changes on the disk. This is best done with a
         sector editor because to scratch and replace the 1985 file will
         destroy necessary code placed on the disk. This code is not
         accessed in the normal fashion, so it may be overwritten if we do
         a scratch and save of the 1985 file. Finish the job by following
         these steps:

         A) We know the code was originally encrypted, so we must
         place our values on the disk in encrypted form. The three bytes at
         $0A97 and the single byte a $0AB5 are the only changes
         needed. Reload the 1985 file <> L " 19*",08 <>. Again go to
         location $0D06 and place a 00 in memory. Inspect the three
         bytes at $0A97. They should be 19 8E E8. The byte at $0AB5
         should be an BA. These are the bytes we will look for on our
         backup with the sector editor.


            K.J. REVEALED TRILOGY    PAGE [28]     (C)1990 K.J.P.B.