from the Utility disk, load the $C000 monitor
< LOAD "49152",8,1 > and, once it has loaded, start it with < SYS 49152 >.
2) If you have performed the previous breaks in Section E, you
will remember that we are looking for a decrypter that hides the
protection check. That decrypter ALWAYS begins with A0 00 A9. So
that we can search most of memory, switch out the BASIC interpreter
by changing memory location $0001 from a $37 to a $36 ($76 on the
C-128) < M 0001 >. Now do a hunt for the key bytes in memory
< H 0800 BFFF A0 00 A9 >. If you have reset out at the proper
time, the following addresses will be returned: 0F13 B4ED B9E8.
Start by disassembling $0F13 < D 0F13 > and inspecting the code
below that address. If the code is clean, it is not what we are
looking for. Inspect all the returned addresses and look for
a routine that has code beneath it that does not disassemble
properly (usually you'll find a lot of ?). You'll find that
$0F13 fits the bill exactly. Here you'll find the decrypter with
about a sector of encrypted code beneath it.
3) Because of the no-directory-files problem, this break poses
a slight inconvenience. We will have to search the disk for the
proper place to lay down the break code. This type of loader
uses a Track & Sector method of loading. You'll find that each
page in memory occupies its own sector on the disk. Because the
break code is between $0F00 and $1100, we need to record the
first 5 or 6 bytes from $0F00 and $1000 to make it easier to
locate these on the disk. (Remember, these will be the first
bytes in the sectors they occupy.) Using the Memory command,
inspect and record the first few bytes in each:
$0F00= 8D 5A 0D A9 81 85 02
$1000= 00 00 00 00 00 00 00
Again disassemble
memory at the decrypter and use the cursor key to scroll down
through memory < D 0F13 >. You must scroll down at least a full
sector ($1013) and a bit more, until you see clean code again.
From $1013-$1041 you'll find all zero bytes. Record this
information for later reference.
Working with your original:
4) Power off and on again to clear memory. Load the original
disk until the game has started up and again hit the reset button.
From the Utility Disk, again load and activate the $C000 monitor
as before. Start disassembly at $0F13 < D 0F13 >. You'll find
new code has replaced the previous encrypted code. The key to
breaking this type of protection is to replace the encrypted
code with this new code. Disassemble again at $0F13 and cursor
down through memory. At $1013-$1041, you'll find the same zero
bytes as we recorded earlier. This tells us that the code from
here on is the same as it was in the unrun and encrypted state.
Place your formatted work disk in the drive and save the new
code < S "BLOCK",08,0F13,1014 >.
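
Added example, not part of the original text: the hunt and inspection
from step 2, done offline in Python over a RAM image. It goes beyond
the three addresses listed above by scoring every hit by the share of
bytes after it that are undocumented 6502 opcodes (the monitor's ?).
The image contents, filler bytes and function names are constructed
for illustration.

```python
# Added example; RAM image is constructed. One digit per NMOS 6502 opcode:
# instruction length, or 0 for an undocumented opcode (a monitor shows ???).
LENGTHS = (
    "1200022012100330" "2200022013000330" "3200222012103330" "2200022013000330"
    "1200022012103330" "2200022013000330" "1200022012103330" "2200022013000330"
    "0200222010103330" "2200222013100300" "2220222012103330" "2200222013103330"
    "2200222012103330" "2200022013000330" "2200222012103330" "2200022013000330"
)
BASE, END = 0x0800, 0xBFFF           # range hunted on the page
SIGNATURE = bytes.fromhex("A000A9")  # key bytes given on the page

def hunt(image, pattern, base=BASE):
    """Like the monitor's H command: every address where pattern occurs."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(pattern, pos + 1)
    return hits

def bad_ratio(image, addr, span=256, base=BASE):
    """Linear sweep from addr; fraction of instructions that decode as ???."""
    pos = addr - base
    stop = min(pos + span, len(image))
    total = bad = 0
    while pos < stop:
        size = int(LENGTHS[image[pos]])
        bad += size == 0
        total += 1
        pos += size or 1  # step one byte past an undocumented opcode
    return bad / total if total else 0.0

def build_sample():
    """Constructed image: three signature hits, only one followed by junk."""
    image = bytearray(END - BASE + 1)        # zero-filled (BRK)
    clean = bytes.fromhex("8D20D0EA") * 63   # STA $D020 / NOP, repeated
    junk = bytes.fromhex("0347EA9BC762") * 42  # mostly undocumented opcodes
    for addr, body in ((0x0F13, junk), (0xB4ED, clean), (0xB9E8, clean)):
        blob = SIGNATURE + b"\x01" + body
        image[addr - BASE:addr - BASE + len(blob)] = blob
    return bytes(image)

def rank(image):
    """Hits sorted so the worst-disassembling candidate comes first."""
    hits = hunt(image, SIGNATURE)
    return sorted(((bad_ratio(image, a), a) for a in hits), reverse=True)

if __name__ == "__main__":
    for ratio, addr in rank(build_sample()):
        print(f"${addr:04X}  {ratio:.0%} undecodable")
```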
K.J. REVEALED TRILOGY PAGE [62] (C)1990 K.J.P.B.