"ACTIVISION INC." file and jumps to $8000.
      
      3) Load the "ACTIVISION INC." file into memory < L"A*",08 >. After
         the load, start disassembly of code at $8000 < D 8000 >. Also
         do an ASCII dump < I 8000 > to check for DOS commands. Examine
         the routines carefully. You will soon find a Block-Execute
         (B-E 2,0,18,7) drive command at $80DD. Further examination of
         the code reveals that the protection scheme is doing a lot of
         direct access to the serial port at $DD00.
      
         The key to cracking this variation on Activision's standard
         protection scheme is to ignore this code because it has a rather
         involved loop that is a pain to follow and de-protect. With this
         code, the drive is where the action's at. Let's take a closer
         look at that Block-Execute code on track/sector 18/7.
         
      4) Reset the computer and load ALIENSLOADER from the Utility Disk
         < LOAD "ALIENSLOADER",8 >, < RUN > and follow the instructions.
         Reload the 49152 monitor and < SYS 49152 >. In the drive, the
         code would be located at $0300. We will be using $2300 (in the
         computer). Disassemble the code at $2300 < D 2300 >. The
         routine at $2322 - $234A, despite its apparent complexity, does
         nothing more than load the code in track/sectors 18/7 - 18/11
         into drive memory locations $0400 - $07FF. The ALIENSLOADER
         routine has conveniently loaded these for us already. The code,
         from $2400 - $27FF, is encrypted. A routine at $2356 does the
         decryption. We can modify the code to decrypt it for us by
         simply adding $2000 to the LDA and STA address references, i.e.
         $0400 becomes $2400, $0500 becomes $2500, etc. < A 2358 LDA
         $2400,Y etc. >. Also put a break command at $237F
         < A 237F BRK > and run the code < G 2356 >.
      
         Now examine the code starting at $2400 < D 2400 >. Most of this
         code is the fast loader. Armed with the knowledge that
         Activision fat tracks start with track 35 ($23), we find a
         suspicious routine at $24D0 - $24F8. This is it, folks. This
         itty-bitty loop is the heart and soul of this protection scheme.
         It can be disabled easily with a one-byte change. Change the LDA
         operand byte at $24DE from $80 to $01 < A 24DD LDA #$01 >.
         Instead of READING the intended sector, the $01 byte tells the
         drive's DOS that the job was completed successfully. This is
         exactly what you want it to do. The fringe benefit of this
         method is that the program loads about 8 seconds faster and
         you'll hear a pleasant clicking noise when the protection scheme
         executes the code with your byte change (when the screen
         blanks).

      5) Re-encrypt the code using the same routine at $2356 < G 2356 >.
         Before we load up the sector editor to write the bytes back,
         let's look back at the decryption loop at $2356 < D 2356 >

            K.J. REVEALED TRILOGY    PAGE [40]     (C)1990 K.J.P.B.
