6) Inspection of the disk log tells us that the file BSSO is
         the likely candidate to contain the protection code. You may, as
         we did, load BSSO and inspect the proper addresses to ensure our
         save is to the proper file. Then, when satisfied, just redo step
         five and, when the code has been replaced again1 save the file
         back to your BACKUP disk. The disk log tells us the file resides
         for $0800-$1600. Be sure to add one byte to the end address
         <> S "@0:BSSO",08,0800,1601 <>.

         When this save is complete, your backup will be completely broken,
         and may be copied with any fast copier. For those who want to
         inspect the protection code, just load in the BSSO file and do a GO
         to 09E1. After about one second, reset out and re-SYS the monitor
         in and inspect that memory area. You'll find the protection code
         intact. If you allow the drive to run for long, the protection code
         will be replaced by valid program code.


         EXPRESS RAIDER : DATAEAST

         Procedure:

         Loading the original disk produces a rattle free load, and an
         error scan shows no standard errors. A backup made with the C-64
         Fast Copier produces a non working copy, A backup made with a
         nybbler produces the same non working backup. Before starting to
         work on this title, make a fast-copier backup and a formatted work
         disk. Because the only file on the directory of this title is the
         loader, special procedures will be required. You will need a reset
         button of some sort.

         Working with your backup:

         1) With the reset switch in place, load the backup three or
         four times to get the feel of when the program stalls. When you
         have gotten the timing down, try to reset the computer just before
         that stall occurs. You will hear the head swing out if you are
         too late. We want to reset just before it does. After reset,
         from the Utility disk, load the $C000 monitor
         < LOAD "49152",8,1 > and after the load sys it in .

         2) If you have performed previous breaks in Section E, you
         will remember that we are looking for a decrypter that hides the
         protection check. That decrypter ALWAYS begins with A0 00 A9. So
         we can search most of memory, flip out the BASIC Interpreter by
         changing memory location $0001 from a $37 to a $36 ($76 on the
         C-128) < M 0001 >. Now do a hunt for the key bytes in memory
         < H 0800 BFFF AO 00 A9 >. If you have reset out at the proper
         time, the following addresses will be returned: 84C0 8759 9629

            K.J. REVEALED TRILOGY    PAGE [58]     (C)1990 K.J.P.B.