HOBBLING GEOS v1.3's TROJAN HORSE : BERKELEY SOFTWORKS
      
      The now-infamous 'Trojan Horse' is an incredibly sneaky and
      rather sloppily-executed scheme that deletes your system files
      "GEOS", "GEOS BOOT", "KERNAL" and "DESKTOP" from an unauthorized
      copy of GEOS v1.3 while you are rearranging your directory pages.
      It usually occurs within four moves. It doesn't actually delete
      the files; it completely zeroes out their directory entries.
      
      The mechanism, located in "DESKTOP", is rather simple. A counter
      is incremented randomly during directory moves. At certain
      intervals, a checksum routine is performed on "GEOS BOOT". If the
      checksum is wrong, the Desktop checks the first four entries of the
      first directory page for GEOS file-type $0C (system boot file). If
      they match, it fills them with 00's and writes the block back to
      disk. The disk is no longer bootable unless you can re-create the
      directory entries.
      
      The GEOS file-type I.D. is located in byte #24 ($18) of each
      file's directory entry. If this byte is changed to a GEOS system
      file-type ($04) in the above-mentioned files, the old horse never
      gets rolled into Troy and you can rearrange your directory with
      peace-of-mind.
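
      The check described above, as an added Python example that is not
      part of the original text: it reads a 256-byte directory block and
      reports, for the first four entries, whether byte $18 holds $0C,
      $04, or the entry is blank. The filename field offset, the USR
      file-type byte and the sample block are assumptions constructed
      for illustration.

```python
ENTRY_SIZE = 32           # eight 32-byte slots per 256-byte directory block
GEOS_TYPE_OFFSET = 0x18   # byte #24 ($18) of the entry, as given above
TYPE_SYSTEM = 0x04        # GEOS system file
TYPE_BOOT = 0x0C          # GEOS system boot file, the type the check looks for
NAME_OFFSET, NAME_LEN = 0x05, 16   # CBM DOS filename field (assumption)


def classify_entry(entry: bytes) -> str:
    if len(entry) != ENTRY_SIZE:
        raise ValueError("directory entry must be 32 bytes")
    # Bytes 0-1 of a slot carry the block's chain link, so they are ignored.
    if not any(entry[2:]):
        return "blank"        # zero-filled (or never used)
    geos_type = entry[GEOS_TYPE_OFFSET]
    if geos_type == TYPE_BOOT:
        return "at-risk"      # matches the condition described above
    if geos_type == TYPE_SYSTEM:
        return "protected"
    return "other"


def audit_first_block(block: bytes) -> list:
    if len(block) != 256:
        raise ValueError("directory block must be 256 bytes")
    report = []
    for slot in range(4):     # only the first four entries are examined
        entry = block[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE]
        raw = entry[NAME_OFFSET:NAME_OFFSET + NAME_LEN]
        name = raw.rstrip(b"\xa0\x00").decode("ascii", "replace")
        report.append((slot, name, classify_entry(entry)))
    return report


def make_entry(name: str, geos_type: int) -> bytes:
    """Build a constructed sample entry (not data from a real disk)."""
    entry = bytearray(ENTRY_SIZE)
    entry[2] = 0x83           # closed USR file (assumption)
    padded = name.encode("ascii").ljust(NAME_LEN, b"\xa0")
    entry[NAME_OFFSET:NAME_OFFSET + NAME_LEN] = padded
    entry[GEOS_TYPE_OFFSET] = geos_type
    return bytes(entry)


SAMPLE_BLOCK = (make_entry("GEOS", TYPE_BOOT) + make_entry("GEOS BOOT", TYPE_SYSTEM)
                + bytes(ENTRY_SIZE) + make_entry("DESKTOP", 0x06)).ljust(256, b"\x00")

if __name__ == "__main__":
    for slot, name, status in audit_first_block(SAMPLE_BLOCK):
        print(f"slot {slot}: {name or '(blank)':<10} {status}")
```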
      
      
      
                        GEOS v1.2 : BERKELEY SOFTWORKS
      
      1) A fast-copied or nybbled copy of GEOS v1.2 will not run. It will
         merely do a system reset after the protection check. An error
         scan shows no normal DOS errors but there is data on track 36
         (visible with a good GCR Editor). Track 36 is not normally
         copyable because it has no sync marks.
      
      2) Load the $C000 monitor "49152" from your Utility Disk then load
         "GEOS" from a backup copy of GEOS v1.2. Disassemble the code at
         $0123. This routine loads "GEOS BOOT" and jumps to $6000. Load
         in "GEOS BOOT" and disassemble the code at $6000. Examination of
         the code reveals that the majority of it is encrypted but the
         decryption routine at $606C is rather simple. The code will
         decrypt itself for us if we place a BRK instruction at $6086
         and execute the code at $606C.
      
      3) Now look at the code again. Sharp-eyed hackers will notice the
         drive code starting at $623F. Here's some of the other high
         points of the loader:
      
         $6167 : Print "Booting GEOS...".
      
            K.J. REVEALED TRILOGY    PAGE [95]     (C)1990 K.J.P.B.
