2) Turn off your computer and insert the reset assembly into
         the cartridge port. Turn your computer on again. From your utility
         disk, load the $C000 monitor <> LOAD "49152",8,1 <>. When the
         load is complete, SYS the monitor in with SYS 49152. If the boot
         file on this disk is loaded the normal way, it autoboots and
         keeps running, so in order to inspect it we use a trick: we load
         the autoboot into BASIC memory instead of its own load address,
         where it cannot start itself. With the monitor active, type X
         and hit RETURN. You are now back in BASIC. Type NEW and hit
         RETURN. Now load the boot file this way, without the ,1 so that
         it lands at $0801: <> LOAD "INFILT*",8 <>. When the load is
         complete, return to the monitor by hitting RUNSTOP/RESTORE, then
         re-SYS the monitor back in with SYS 49152. You can now find the
         boot file in BASIC memory at $0801. Interpret memory (I 0801)
         and scroll down from $0801; notice the name INTRO. Disassembling
         memory at $0801 (D 0801) and scrolling down reveals a loader at
         $082D-$0854. This loader loads the INTRO file and jumps to $0880.

3) Load the INTRO file <> L "INTRO",08 <>. When the load is
         complete, disassemble memory at $0880 (D 0880). Scroll down
         through memory to $089A, where you'll find a JSR 0A25.
         Disassemble $0A25 (D 0A25) and scroll down a short way; here
         you'll find a JSR 0C18. Disassemble $0C18 (D 0C18) and notice
         that we have just run into a decryption routine. Inspect this
         routine, because it is the heart of this protection scheme.
         Scroll down through the code and notice that it is garbled for
         about one sector ($0C18-$0D18). As mentioned in the introduction,
         this code is an encrypted protection scheme that decrypts itself
         into a protection checker, which then loads valid program code
         over itself. This not only lets the program operate properly but
         also hides the protection code from the curious, since only the
         garbled form ever sits on the disk.

4) The break is fairly simple now that we know where the
         protection is. Start the program code up by typing G 0C18 and
         hitting RETURN.

         The drive should start up and run for a short time. When the
         drive stops, turn the drive OFF and ON again and reset the
         computer with your reset button. Restart the monitor by again
         typing SYS 49152 and hitting RETURN. Now go back and disassemble
         the code at $0C18 again (D 0C18). Surprise: the code has changed
         into good code. To get an idea of what is there, interpret
         memory at $0C18 (I 0C18) and scroll down through memory. You'll
         see that this is the completion of the loader file. All the data
         needed to run the loader file properly is now in memory, and
         because the valid code was loaded over the checker, there is no
         longer any protection check in it to run. All that is left to do
         is replace the INTRO file on the disk with the INTRO file NOW in
         memory. This can be accomplished with a small memory save. From
         the disk log, we know that the INTRO file starts at $0880 and
         ends at $16C3. Remove the original disk from the drive and insert
         your backup in its place. Replace the INTRO file now on your disk
         with the one now in memory. Remember that the monitor's save
         command treats the ending address as exclusive, so add one byte
         to it: <> S"@0:INTRO",08,0880,16C4 <>.
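         The following is an added example and is not code from the
         K.J. Revealed book or from the program it describes. It models
         steps 2 through 4 in Python so the two things that matter can be
         checked offline: that a self-decrypting stub is useless to
         inspect on disk but plain in memory once it has run, and that the
         monitor's S command takes an exclusive end address (hence $16C4
         for a file whose last byte is $16C3). The INTRO file here is
         constructed filler, the cipher is a one-byte XOR stand-in (the
         real routine's algorithm is not given on this page), and every
         function name is the example's own; only the addresses are the
         ones the text uses.

```python
# Added example, not from the K.J. Revealed book: a model of the break in
# steps 2-4 (load INTRO, let the $0C18 stub decrypt itself, dump the
# decrypted memory back out as INTRO).  The cipher is a constructed
# one-byte XOR stand-in; the real routine's algorithm is not on the page.
# The INTRO contents are constructed filler; the addresses are the text's.

MEM_SIZE = 0x10000           # the 64K address space
INTRO_START = 0x0880         # INTRO's load address
INTRO_LAST = 0x16C3          # last byte of INTRO (from the disk log)
STUB_START = 0x0C18          # garbled region: about one sector
STUB_END = 0x0D18            # exclusive end of the garbled region
XOR_KEY = 0x5A               # assumption: constructed stand-in cipher key


def prg_bytes(load_addr, body):
    """Build a PRG image: two-byte little-endian load address, then data."""
    return bytes([load_addr & 0xFF, load_addr >> 8]) + bytes(body)


def prg_load(mem, prg):
    """Mirror of the monitor's L command (and LOAD "...",8,1): put the data
    at the address stored in the file's first two bytes.  Returns
    (start, end_exclusive)."""
    start = prg[0] | (prg[1] << 8)
    body = prg[2:]
    end = start + len(body)
    if end > MEM_SIZE:
        raise ValueError("file would run past $FFFF")
    mem[start:end] = body
    return start, end


def prg_save(mem, start, end_exclusive):
    """Mirror of the monitor's S command: the end address is exclusive,
    which is why the text saves $0880-$16C4 for a file ending at $16C3."""
    if not 0 <= start < end_exclusive <= MEM_SIZE:
        raise ValueError("bad save range")
    return prg_bytes(start, mem[start:end_exclusive])


def good_stub():
    """Constructed 'good code' that should end up at $0C18-$0D18."""
    return bytes(range(STUB_END - STUB_START))


def build_protected_intro():
    """Constructed INTRO file as it sits on the original disk: NOP filler
    everywhere, and the $0C18-$0D18 region XOR-garbled."""
    body = bytearray([0xEA] * (INTRO_LAST + 1 - INTRO_START))
    off = STUB_START - INTRO_START
    garbled = bytes(b ^ XOR_KEY for b in good_stub())
    body[off:off + len(garbled)] = garbled
    return prg_bytes(INTRO_START, body)


def run_decryptor(mem):
    """Stand-in for G 0C18: the stub decrypts itself in place.  In the real
    scheme the decrypted checker would then load valid code over itself;
    here the decrypted bytes simply are the 'good code'."""
    for addr in range(STUB_START, STUB_END):
        mem[addr] ^= XOR_KEY


def crack_intro(prg):
    """Steps 3 and 4: load, let it decrypt, dump $0880-$16C4 as new INTRO."""
    mem = bytearray(MEM_SIZE)
    start, end = prg_load(mem, prg)
    if (start, end) != (INTRO_START, INTRO_LAST + 1):
        raise ValueError("INTRO did not load where the disk log says")
    run_decryptor(mem)
    return prg_save(mem, INTRO_START, INTRO_LAST + 1)


def stub_region(prg):
    """The bytes of a PRG image that land at $0C18-$0D18 (for checking)."""
    off = 2 + (STUB_START - INTRO_START)
    return prg[off:off + (STUB_END - STUB_START)]


if __name__ == "__main__":
    original = build_protected_intro()
    fixed = crack_intro(original)
    print("garbled on disk:", stub_region(original) != good_stub())
    print("good in dump:   ", stub_region(fixed) == good_stub())
    print("file length:    ", len(fixed), "bytes (2 + $0E44)")
```

         Saving with the inclusive end address instead (prg_save with
         0x16C3) silently drops the last byte of INTRO, which is exactly
         the mistake the "add one byte" reminder guards against.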

            K.J. REVEALED TRILOGY    PAGE [52]     (C)1990 K.J.P.B.
