2) With Hesmon in the cartridge port, load the boot < L"*",08 >.
         Checking with the disk log, start disassembly of code at $02D7
         < D 02D7 > and cursor down through the code. The code from $02E8
         to $0301 opens a channel for loading, sets the file name
         " 1985 ", loads that file in and jumps to $135A. We can load
         that file in ourselves and inspect it.

      3) Cursor down to a clear spot and load the 1985 file as
         < L "  1985*",08 >. Be sure to use two spaces before the 1985
         file name. The disk log shows this file ranges from 1000-143F.
         Look at the file in ASCII by using the Interpret command
         < I 1000 > and cursor down through memory. Take note of what it
         looks like, because we will be looking again later. Let's start
         disassembly at the Jump to $135A < D 135A >. Cursor down
         through the code and note the decrypter code from $139B to
         $13BC. We want to execute the decrypter and stop the execution
         after the decryption takes place. To do this we must place a 00
         (Break) at $1398. Use the Memory command to make your change
         < M 1398 > and change the 4C to a 00 and hit return. Now we can
         decrypt the code by executing at $137D. Use the GO command
         < G 137D >. After the monitor breaks, use the Interpret command
         to examine the code from $1000-$143F again < I 1000 >. You'll
         find it to be quite different now and you should be able to see
         quite a few commands in ASCII. Finally, use the Memory command
         to change the 00 we placed at $1398 back to a 4C < M 1398 >.

      4) Let's trace the code starting at $135A commenting the code
         pertaining to the protection check.
      
            $135A-$1394    : Sets up the decryption values.
            $1395 JSR 139B : Executes decryption of  1985  file.
            $1398 JMP 13BD : Jump around decrypter already executed.
            $13BD JSR 1184 : JSR to protection check.
            $1184 JSR 1206 : Sets up for protection check.
            $1187 JSR 118E : Checks drive memory for a value of $FF at
                             $01FF. EORs that value with an $FF which
                             produces a Zero (0). Places that zero at
                             $1294. Later the value at $1294 is used in
                             the program decryption.
            $118A JSR 1269
            $118D RTS
            $13C0 JSR 1116 : Continue on.
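
         The check traced above never branches on pass or fail; it turns
         the drive byte into a value that feeds the decryption. The
         following Python model is an added example, not code from the
         1985 file: the XOR cipher, BASE_KEY and the sample data are
         assumptions; only $01FF, the $FF value and the EOR come from
         the trace.

```python
# Added illustration of "check result as key material".
# The cipher and key mixing are assumptions, not the routine in the 1985 file.

DRIVE_CHECK_ADDR = 0x01FF    # drive memory location read by $118E (from the trace)
EXPECTED_DRIVE_BYTE = 0xFF   # value the check expects to find there (from the trace)
BASE_KEY = 0x5A              # constructed sample key
PLAINTEXT = b"LOAD NEXT STAGE"  # constructed sample payload


def protection_check(drive_memory: bytes) -> int:
    """Model of $118E: read the drive byte and EOR it with $FF.
    The result is what the loader stores at $1294 (0 on an original disk)."""
    return drive_memory[DRIVE_CHECK_ADDR] ^ 0xFF


def crypt(data: bytes, base_key: int, check_result: int) -> bytes:
    """Hypothetical XOR stream cipher (symmetric, so it also decrypts).
    The check result is folded into the key instead of being tested."""
    key = (base_key ^ check_result) & 0xFF
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def make_drive_memory(value_at_check: int) -> bytes:
    """Constructed sample of drive memory with one byte set at $01FF."""
    mem = bytearray(0x0800)
    mem[DRIVE_CHECK_ADDR] = value_at_check
    return bytes(mem)


# Encrypted on the assumption that the check yields 0.
CIPHERTEXT = crypt(PLAINTEXT, BASE_KEY, 0x00)


def load_from(drive_memory: bytes) -> bytes:
    """Run the check, then decrypt with whatever value it produced."""
    return crypt(CIPHERTEXT, BASE_KEY, protection_check(drive_memory))


if __name__ == "__main__":
    for value in (EXPECTED_DRIVE_BYTE, 0x00):
        mem = make_drive_memory(value)
        print(f"drive byte ${value:02X} -> check ${protection_check(mem):02X} "
              f"-> {load_from(mem)!r}")
```

         Because the wrong drive byte corrupts the key rather than
         tripping a visible compare, the failure shows up only later as
         garbage code, which is the same design idea as the checksums
         described in step 5.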

      5) This protection would be simple to deprotect if it weren't for
         the checksums used throughout the code. Every strategic point
         has been checked and if we are caught tampering with the code,
         the program won't work, even if the break is sound. We need to
         trick the checksums. Testing in various spots has uncovered an
         area that is not checksummed. The decrypter routine is not
         checked and if moved, will provide us with a work area to place

            K.J. REVEALED TRILOGY    PAGE [35]     (C)1990 K.J.P.B.
