When done, hit Run/Stop-Restore and again sys the monitor in
         with . Again disassemble code at $8000 and cursor
         down through the code. You'll find that if the comparison to $FF
         is satisfactory, the programming falls through to $808B, which
         is a JUMP to $FFC3. This is a KERNAL routine that when JUMPed
         to, does a RTS which in this case returns the program flow back
         to the basic program (TRIO FILE in this case).
         
      5) Turn the computer off, insert the Hesmon, and power up again. X
         to BASIC  and from the Utility Disk, load the Block Read file
         < LOAD "BLOCK READ",8 >. When the ready prompt comes up. LIST
         the file and on line 10 set the TRack variable to 35 and the
         SEctor variable to 10. Hit RETURN to lock your changes in and
         relist the file to check your changes. This utility will now
         Block Read Track 35/Sector 10 and send the code to $C000 in the
         computer where we can inspect it. Place the backup in the drive
         and start the Block Read by typing RUN and hitting RETURN. The
         drive will spin and in about 30 seconds, the READY prompt will
         appear.  Return to the monitor by hitting Run/Stop-Restore.
         Disassemble code at $C000 . Cursor down through the
         code. The code from $C000-$C010 is the decryptor and will have
         to be executed before we can inspect the drive code. You'll see
         that it is set to decrypt this code in the $0400 Buffer in the
         drive and must be readdressed to decrypt at $C000. Using the
         Memory Command, change the 04 at $C005 and $C00B to C0. Notice
         the ADC $08 at $C007. This instruction uses the value in the
         drive at location $08 to help decrypt this code. The location
         $08 is the track value last loaded into the Buffer at $0400. We
         know that this was track 35 (remember the BLOCK EXECUTE to Track
         35/Sector 10). Let's change the instruction from a ADC $08 to a
         ADC #$23. We are now using the known value of $23 (decimal 35)
         and not using any values in drive memory. The bytes for this
         instruction change are $69, $23. Use the MEMORY command to make
         your changes at $C007 < M C007 >. Again disassemble memory at
         $C000 and cursor down through the code to check to see the
         changes are correct.

      6) Let's execute the decrypter and inspect code. Type , and
         when the monitor breaks, disassemble code at $C000  and
         cursor down through the code. The code from $C011-$C043 checks
         Track 35, bumps the head a half track and if the check is
         satisfactory, stores a 0 in $0009. The instruction at $C044
         loads the accumulator with the value in $0009. Next, if that
         value is not a 0, the code branches around the next two
         instructions. These are the keys to the protection. The value of
         $FF is stored at $01FF in the drive memory. Later a Memory Read
         in the computer code will check for the $FF and if it is in
         place at $01FF, the protection check will be passed. Our job now
         is to force this routine to pass even if the protection isn't in
         place.

            K.J. REVEALED TRILOGY    PAGE [38]     (C)1990 K.J.P.B.