4) The load will resume and the LOGO file and LOADALL file
will be loaded. When the program stalls, reset out and reboot your
monitor from the utility disk <> LOAD "8192",8,1 <>. When the
load is complete, sys the monitor in with SYS 8192. Disassemble
code at $C000 (D C000) now and scroll down through memory.
You'll find a very long loader file. When you reach the code at
$C27A you'll find a JMP C3FD. Disassembly of C3FD shows no valid
code so this is a likely spot to place another break in the
program flow. Using the MEMORY command (N C27A), place a 00
(BRK) at $C27A. Now restart the program with another GO command
(G C000). When the program stalls out, reset the computer again
and reload and activate your $2000 monitor <> LOAD"8192",8,1 <>.
Now we can disassemble memory at $C3FD and again follow the
program flow (D C3FD). This returns a JMP to 0B40. Disassembly
of memory at $0B40 reveals the decryption code that we discussed
in the introduction. This is the heart of this protection
scheme.
5) Let's execute the code at $0B40. Make sure your original
is in the drive. Start up the code with G 0B40. The drive should
start up and soon stall again. Reset out, re-SYS your monitor in
(SYS 49152), and disassemble code again starting at $0B40. You'll
now find different code. Remove the original copy and place your
formatted work disk in the drive. We can now save this new code
to our work disk <> S "CODE",08,0B40,0C52 <>.
Working with your backup:
6) We now have the code necessary to break this title. Now we
have to place it on the disk in the proper spot. Checking the disk
log, we find the files LOGO, BNK12A, TITLE, and BOP1 all have
the correct addressing to be likely places for this file. We
must load each one and check address $0B40 with our monitor.
The file BNK12A turns out to be the correct file. Now all
that is left is to place our changed code over the original
code. Because BNK12A begins in screen memory, we will have to
pull a few tricks out of the bag to put our revised code in place.
Remember, this file starts in screen memory, and we can't save
screen memory properly. Follow these steps and try to reason
them out as we go through them.
A) Load DISK DR from your utility disk. When the cursor
reappears, type RUN and hit RETURN. Place your backup in the
drive and hit RETURN. You'll be shown track 18, sector 1. The
jump link to the BNK12A file is at position 195. Cursor over
to position 195 and hit the J key. You will be taken to the
first sector in the file. The first four bytes in the file
are the pointer bytes. We want to change the program address
from $0400 to $0900, so cursor over to position 3 and hit the
@ key. Now, hit the 9 and press RETURN. Hit the R key to make
K.J. REVEALED TRILOGY PAGE [54] (C)1990 K.J.P.B.
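Why position 195 and position 3: the following is an added example, not part of the original text or its utility disk, that parses a 1541 directory sector and a file's first sector to show where the jump link and the load address sit. The sector contents, the start track/sector 17/0 and the chain link 17/10 are constructed sample values, not a dump of the real disk.

```python
# Added example: 1541 directory entry and first-sector layout.
# All sector bytes below are constructed sample data.
import struct

SECTOR_SIZE = 256
ENTRY_SIZE = 32   # eight 32-byte directory entries per sector

def find_entry(dir_sector: bytes, name: str):
    """Return (position_of_track_byte, track, sector) for a file, or None."""
    for slot in range(SECTOR_SIZE // ENTRY_SIZE):
        base = slot * ENTRY_SIZE
        if dir_sector[base + 2] == 0:            # file type 0: empty slot
            continue
        raw = dir_sector[base + 5: base + 21]    # 16-byte name padded with $A0
        # Upper-case PETSCII letters share their codes with ASCII.
        if raw.rstrip(b"\xa0").decode("ascii") == name:
            return base + 3, dir_sector[base + 3], dir_sector[base + 4]
    return None

def parse_first_sector(sector: bytes):
    """Split the four pointer bytes: next track, next sector, load address."""
    return struct.unpack_from("<BBH", sector, 0)  # address is little-endian

def set_load_high_byte(sector: bytes, page: int) -> bytes:
    """Return a copy with position 3 (load address high byte) replaced."""
    patched = bytearray(sector)
    patched[3] = page
    return bytes(patched)

def build_samples():
    """Constructed directory sector (BNK12A in slot 6) and first file sector."""
    directory = bytearray(SECTOR_SIZE)
    base = 6 * ENTRY_SIZE                         # slot 6 starts at position 192
    directory[base + 2] = 0x82                    # closed PRG file
    directory[base + 3: base + 5] = bytes([17, 0])  # assumed start track/sector
    directory[base + 5: base + 21] = b"BNK12A".ljust(16, b"\xa0")
    first = bytearray(SECTOR_SIZE)
    first[0:4] = bytes([17, 10, 0x00, 0x04])      # link 17/10, loads at $0400
    return bytes(directory), bytes(first)

if __name__ == "__main__":
    directory, first = build_samples()
    position, track, sector = find_entry(directory, "BNK12A")
    print(f"jump link at position {position}: track {track}, sector {sector}")
    print(f"load address before: ${parse_first_sector(first)[2]:04X}")
    patched = set_load_high_byte(first, 0x09)
    print(f"load address after:  ${parse_first_sector(patched)[2]:04X}")
```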