4) Again insert the Utility Disk and load and activate the 49152
monitor. Load the " 1986 " file into memory < L "19*",08 >
After the load, start disassembly of code at $2500 < D 2500 >
Also do an ASCII dump < I 2500 > to check for DOS commands.
Examine the routines carefully. You will soon find a
Block-Execute (B-E 2,0,1,1) drive command at $271E. Further
examination of the code reveals that the protection scheme is
doing a lot of direct access to the serial port at $DD00. The
key to cracking this variation on Activision's standard
protection scheme is to ignore this code because it has a rather
involved loop that is a pain to follow and de-protect. With this
code, the drive is where the action's at. Let's take a closer
look at that Block-Execute code on track/sector 1/1. (Before
going on to step five, change the load address of the " 1986 "
file back to $0500. Use the same procedure as outlined in step
3.)
5) Reset the computer and load TRANSLOADER from the Utility Disk
< LOAD "TRANSLOADER",8 >, < RUN > and follow the instructions.
Reload the 49152 monitor and < SYS 49152 >. In the drive, the
code would be located at $0300. We will be using $2300 (in the
computer). Disassemble the code at $2300 < D 2300 >. The
routine at $2321 - $2349, despite its apparent complexity, does
nothing more than load the code in track/sectors 1/2 - 1/5 into
drive memory locations $0400 - $07FF. The TRANSLOADER routine
has conveniently loaded these for us already. The code, from
$2400 - $27FF is encrypted. A routine at $2355 does the
decryption. We can modify the code to decrypt it for us by
simply adding $2000 to the LDA and STA address references, i.e.
$0400 becomes $2400, $0500 becomes $2500, etc. < A 2357 LDA
$2400,Y etc. >. Also put a break command at $237E
< A 237E BRK > and run the code < G 2355 >.
Now examine the code starting at $2400 < D 2400 >. Most of this
code is the fast loader. Armed with the knowledge that
Activision fat tracks start with track 35 ($23), we find a
suspicious routine at $24B4 - $250F. This is it, folks. This
itty-bitty loop is the heart and soul of this protection scheme.
It can be disabled easily with a one-byte change. Change the LDA
operand byte at $24C2 from $80 to $01 < A 24C1 LDA #$01 >.
$80 is the drive's job code for a sector read; $01 is the status
the drive's DOS writes back when a job completes without error.
Instead of reading the intended sector, the $01 byte tells the
drive's DOS that the job was completed successfully. This is
exactly what you want it to do. The fringe benefit of this
method is that the program loads about 8 seconds faster and
you'll hear a pleasant clicking noise when the protection scheme
executes the code with your byte change (when the title screen
appears).
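The byte you just changed lives in TRANSLOADER's copy of drive memory, so before the sector editor can write it back you have to turn a C64 address like $24C2 into a track, sector and offset on the disk. The Python below is an added example, not code from K.J. Revealed or from the utility disk. It assumes only what the page states: the Block-Execute puts track 1 sector 1 at drive $0300, sectors 1/2 - 1/5 follow at $0400 - $07FF one 256-byte sector per page, and TRANSLOADER shows drive memory in the C64 at drive address + $2000. The function names, the .d64 image layout (standard 1541 zones, 35 or 40 tracks) and the constructed blank image are this example's own. One caveat it enforces: on disk the fast-loader code is encrypted, so the expected byte you pass must be the re-encrypted value you see after running the $2355 routine again, not the $80 you saw in the decrypted copy.

```python
"""Locate a drive-memory byte in a .d64 image and patch it (added example).

Assumptions taken from the page (K.J. Revealed):
  * track 1 sector 1 is block-executed at drive $0300, and the code from
    track 1 sectors 2-5 occupies drive $0400-$07FF, one sector per page;
  * TRANSLOADER mirrors drive memory into the C64 at drive address + $2000.
Everything else (names, .d64 layout helpers) is this example's own.
"""

TRANSLOADER_OFFSET = 0x2000   # C64 address = drive address + $2000 (assumed from the page)
DRIVE_BASE = 0x0300           # drive address of track 1 sector 1
DRIVE_BASE_SECTOR = 1         # ... which is sector 1 of track 1
SECTOR_SIZE = 256
D64_35_TRACKS = 174848        # 683 sectors * 256
D64_40_TRACKS = 196608        # 768 sectors * 256


def sectors_on_track(track: int) -> int:
    """Sectors per track in the standard 1541 zone layout (36-40 use the outer zone)."""
    if track < 1 or track > 40:
        raise ValueError(f"track {track} out of range")
    if track <= 17:
        return 21
    if track <= 24:
        return 19
    if track <= 30:
        return 18
    return 17


def d64_offset(track: int, sector: int) -> int:
    """Byte offset of (track, sector) inside a .d64 image."""
    if not 0 <= sector < sectors_on_track(track):
        raise ValueError(f"sector {sector} does not exist on track {track}")
    before = sum(sectors_on_track(t) for t in range(1, track))
    return (before + sector) * SECTOR_SIZE


def c64_to_drive(addr: int) -> int:
    """Undo TRANSLOADER's relocation: $24C2 in the C64 is $04C2 in the drive."""
    return addr - TRANSLOADER_OFFSET


def drive_addr_to_ts(addr: int) -> tuple:
    """Map a drive address in $0300-$07FF to (track, sector, offset) on the disk."""
    if not DRIVE_BASE <= addr < 0x0800:
        raise ValueError(f"${addr:04X} is outside the block-executed code")
    page, offset = divmod(addr - DRIVE_BASE, SECTOR_SIZE)
    return 1, DRIVE_BASE_SECTOR + page, offset


def patch_byte(image: bytearray, track: int, sector: int, offset: int,
               expected: int, new: int) -> int:
    """Write one byte, refusing if the image does not hold the expected value.

    Returns the byte that was there, so the caller can log or undo the change.
    """
    if len(image) not in (D64_35_TRACKS, D64_40_TRACKS):
        raise ValueError("not a 35- or 40-track .d64 image")
    pos = d64_offset(track, sector) + offset
    old = image[pos]
    if old != expected:
        raise ValueError(f"T{track} S{sector} +${offset:02X}: "
                         f"found ${old:02X}, expected ${expected:02X}")
    image[pos] = new
    return old


def apply_job_code_patch(image: bytearray, c64_addr: int,
                         expected: int, new: int = 0x01) -> tuple:
    """Patch the byte seen at c64_addr in the monitor; returns (track, sector, offset, old)."""
    track, sector, offset = drive_addr_to_ts(c64_to_drive(c64_addr))
    old = patch_byte(image, track, sector, offset, expected, new)
    return track, sector, offset, old


if __name__ == "__main__":
    # Constructed blank image: the real byte on disk is encrypted, so pass the
    # re-encrypted value as `expected`; here we plant $80 just to exercise the path.
    img = bytearray(D64_35_TRACKS)
    t, s, off = drive_addr_to_ts(c64_to_drive(0x24C2))
    img[d64_offset(t, s) + off] = 0x80
    print(apply_job_code_patch(img, 0x24C2, expected=0x80))
```

The expected-value check is the point: a sector editor will happily overwrite whatever is at 1/2 offset $C2, and with the bytes encrypted on disk a wrong track, sector or offset is not obvious by eye.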
6) Re-encrypt the code using the same routine at $2355 < G 2355 >.
Before we load up the sector editor to write the bytes back,
K.J. REVEALED TRILOGY PAGE [42] (C)1990 K.J.P.B.