original code are found, the program will not run even if the
break is correct. Here's a trick to break the drive code and
still keep the checksums intact.
4) Turn the computer off and back on again to clear memory. X to
BASIC and from the Utility Disk, load the Block Read file
< LOAD"BLOCK READ",8 >. When the ready prompt comes up, LIST
the file and on line 10 set the TRack variable to 03 and the
SEctor variable to 00. Hit RETURN to lock your changes in and
relist the file to check them. This utility will Block Read
Track 3/Sector 0 and send the code to $C000 in the computer,
where we can inspect it. Place the backup in the drive and start
the Block Read by typing RUN and hitting RETURN. The drive will
spin and in about 30 seconds the ready prompt will appear.
Return to the monitor by hitting Run/Stop-Restore. Disassemble
code at $C000 and cursor down through it. The code from
$C000-$C011 is the decryptor and will have to be executed
before we can inspect the drive code. You'll see that it is set
to decrypt this code in the $0400 buffer in the drive, so it must
be readdressed to decrypt at $C000. Using the Memory command,
change the 04 at $C006, $C009, $C00C, and $C00F to C0 (the high
byte of each $04xx address the decryptor uses). Now disassemble
starting at $C000 again and check the decryptor. It should now
be set up to decrypt the code in the $C000 buffer.
5) Let's execute the decryptor and inspect the code. Execute it
from the monitor and, when the monitor breaks, disassemble code
at $C000 and cursor down through it. The code from $C012-$C04C
checks Track 35, bumps the head a half track and, if the check
is satisfactory, stores a 0 in $0009. The instruction at $C04D
loads the accumulator with the value in $0009. Next, if that
value is not 0, the code branches around the next two
instructions. These are the keys to the protection: they store
the value $FF at $01FF in the drive memory. Later a Memory Read
in the computer code will check for the $FF and, if it is in
place at $01FF, the protection check will be passed. Our job now
is to force this routine to pass even if the protection isn't in
place. One way would be to place two NOPs ($EA) at $C050 to
erase the BNE $C057. This would force the code to fall through
and store the $FF byte even if the protection check failed. This
would work, but the checksum would catch us, since the bytes at
$C050 no longer match the original code. Here's a trick to
force the code to fall through and still pass the checksum.
6) Because the key to this break is the BNE instruction at $C050,
let's flip those bytes and see what instruction comes up. Use
the Memory command to change the D0 05 at $C050 to 05 D0.
Disassemble $C050 again. The BNE instruction has now become
ORA $D0. This effectively negates the BNE, because ORA $D0 does
nothing the following code relies on: it only changes the
accumulator, which is reloaded before the $FF is stored. The
checksum will also pass because we
K.J. REVEALED TRILOGY PAGE [33] (C)1990 K.J.P.B.
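The two patches from steps 5 and 6, worked through as an added example in C. This is not code from the book: the bytes below are a reconstruction of the instruction shapes the text describes at $C04D-$C057 (LDA $0009 / BNE $C057 / LDA #$FF / STA $01FF), with an assumed RTS at the branch target so the snippet can be run; the 8-bit sum is an assumed checksum, since the page does not say which checksum the loader uses. The example disassembles the original and swapped bytes, runs both patches through a tiny 6502 interpreter with the protection "failed" (non-zero in $0009), and compares checksums.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer offsets map to drive addresses $C04D + offset. Constructed
   reconstruction of the instruction shapes the text describes; the real
   protection's bytes are not given on the page. */
#define BASE 0xC04D
static const uint8_t original[] = {
    0xAD, 0x09, 0x00,   /* $C04D  LDA $0009   check result: 0 means passed */
    0xD0, 0x05,         /* $C050  BNE $C057   skip the store if non-zero   */
    0xA9, 0xFF,         /* $C052  LDA #$FF                                  */
    0x8D, 0xFF, 0x01,   /* $C054  STA $01FF   the "pass" marker read later  */
    0x60                /* $C057  RTS         assumed, to end the snippet   */
};
#define CODE_LEN sizeof original
#define BNE_OFF (0xC050 - BASE)

/* Assumed checksum: an 8-bit sum, which any reordering of bytes preserves. */
uint8_t checksum8(const uint8_t *p, size_t n) {
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* The obvious patch: overwrite the BNE with two NOPs ($EA). */
void patch_nop(uint8_t *code) { code[BNE_OFF] = 0xEA; code[BNE_OFF + 1] = 0xEA; }

/* The trick from step 6: swap the two BNE bytes, D0 05 -> 05 D0. */
void patch_swap(uint8_t *code) {
    uint8_t t = code[BNE_OFF];
    code[BNE_OFF] = code[BNE_OFF + 1];
    code[BNE_OFF + 1] = t;
}

/* Minimal 6502 disassembler for the opcodes this snippet can contain.
   Returns the instruction length in bytes. */
int disasm(const uint8_t *p, uint16_t pc, char *out, size_t n) {
    switch (p[0]) {
    case 0xAD: snprintf(out, n, "LDA $%02X%02X", p[2], p[1]); return 3;
    case 0xA9: snprintf(out, n, "LDA #$%02X", p[1]); return 2;
    case 0x8D: snprintf(out, n, "STA $%02X%02X", p[2], p[1]); return 3;
    case 0xD0: snprintf(out, n, "BNE $%04X", (uint16_t)(pc + 2 + (int8_t)p[1])); return 2;
    case 0x05: snprintf(out, n, "ORA $%02X", p[1]); return 2;
    case 0xEA: snprintf(out, n, "NOP"); return 1;
    case 0x60: snprintf(out, n, "RTS"); return 1;
    default:   snprintf(out, n, "???"); return 1;
    }
}

/* Tiny interpreter for the same opcodes. Loads the snippet at BASE, puts the
   protection result in $0009, runs until RTS and returns what is in $01FF. */
uint8_t run_check(const uint8_t *code, uint8_t result09) {
    static uint8_t mem[0x10000];
    memset(mem, 0, sizeof mem);
    memcpy(mem + BASE, code, CODE_LEN);
    mem[0x0009] = result09;
    uint8_t a = 0, z = 1;            /* only the Z flag matters for BNE */
    uint16_t pc = BASE;
    for (;;) {
        uint8_t op = mem[pc];
        uint16_t addr = mem[pc + 1] | (mem[pc + 2] << 8);
        switch (op) {
        case 0xAD: a = mem[addr]; z = (a == 0); pc += 3; break;
        case 0xA9: a = mem[pc + 1]; z = (a == 0); pc += 2; break;
        case 0x8D: mem[addr] = a; pc += 3; break;
        case 0xD0: pc += 2; if (!z) pc += (int8_t)mem[pc - 1]; break;
        case 0x05: a |= mem[mem[pc + 1]]; z = (a == 0); pc += 2; break;
        case 0xEA: pc += 1; break;
        case 0x60: return mem[0x01FF];
        default:   return mem[0x01FF];  /* unknown opcode: stop here */
        }
    }
}

int main(void) {
    uint8_t nop[CODE_LEN], swp[CODE_LEN];
    char s[32];
    memcpy(nop, original, CODE_LEN); patch_nop(nop);
    memcpy(swp, original, CODE_LEN); patch_swap(swp);
    disasm(original + BNE_OFF, 0xC050, s, sizeof s); printf("original $C050: %s\n", s);
    disasm(swp + BNE_OFF, 0xC050, s, sizeof s);      printf("swapped  $C050: %s\n", s);
    printf("checksum: original %02X, NOP patch %02X, swapped %02X\n",
           checksum8(original, CODE_LEN), checksum8(nop, CODE_LEN), checksum8(swp, CODE_LEN));
    printf("$01FF with check failed: original %02X, NOP patch %02X, swapped %02X\n",
           run_check(original, 1), run_check(nop, 1), run_check(swp, 1));
    return 0;
}
```

Both patches make $01FF come out as $FF when the check has failed, but only the swap leaves the byte sum untouched. The swap is safe here because ORA $D0 changes only the accumulator and Z flag, and the very next instruction (LDA #$FF) overwrites both; before reusing the trick elsewhere, disassemble the swapped bytes and confirm the new instruction neither branches nor clobbers state the following code depends on.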