Copier provides a non-working backup. Nybble utilities also
         provide a non-working backup. Before starting to work on this title
         please make a backup, and do a disk log (printout is best).

         Working with the original:

         1) Make sure to place a write protect tab on the original to
         protect it during the breaking process.

         2) Turn the computer off and insert your reset assembly into
         the cartridge port. Turn the computer on again and from your
         utility disk, load the $C000 monitor <> LOAD "C000",8,1 <>. Sys
         the monitor in with SYS 49152. Remove the utility disk from the
         drive and replace it with your original. Load the boot file BSS
         <> L "BSS",08 <>. Using the disk log to guide us, let's
         disassemble memory at $02C4 (D 02C4). Cursor down through memory
         and notice the loader loads the file BSSL and does a jump to
         $7000. Let's load the BSSL file ourselves and follow the load
         sequence <> L "BSSL",08 <>.

         3) When the drive stops, disassemble memory at $7000 (D 7000).
         Cursor down through memory, and inspect the long loader file
         that loads in the entire program and then jumps to the start
         address. At the address $20C7 you'll find a JMP 0803. Using the
         MEMORY command (M 70C7) type a 00 over the 4C and hit RETURN.
         This will allow the loader to operate, and, when done, will
         BREAK just before the jump to $0803. We can then follow the
         program flow, beginning at $0803. Start the loader execution by
         doing a GO 7000 (G 7000). The drive will start up and the files
         will appear on the screen as they are being loaded. When the
         drive finally stops, reset the computer and re-sys the monitor
         back in (SYS 49152).

         4) Now let's disassemble memory at $0803 (D 0803). The first
         instruction we find is a JSR 09E1, so disassemble $09E1 (D
         09E1). This disassembly reveals the decryption scheme that is
         hiding the protection check. You'll find it resides at $09E1 -
         $09F2. Study it closely, for it is the heart of this protection
         scheme.

         5) Be sure your original disk is in the drive and start the
         code up by doing a GO 09E1 (G 09E1). The drive will start up and in
         a few seconds will stall again. Again, reset the computer and
         re-SYS the monitor in with SYS 49152. Disassemble memory at $09E1
         (D 09E1) and inspect the code again. It has changed into valid
         program code. Now all that's left is to save the changed code
         back to the disk.

         Working with the backup:

            K.J. REVEALED TRILOGY    PAGE [57]     (C)1990 K.J.P.B.
