      $6177 : Execute Memory-Write command and output fast-loader
              routine to drive, then send Memory-Execute command at
              $61AD.

      $6013 : Direct I/O to drive through the serial port $DD00.
              After the Memory-Execute command is sent, the code at
              $61BB waits for a signal back from the drive. At $61D4, a
              byte comparison is done. If it fails, the JMP instruction
              at $6086 is altered to $FCE1 (C-64 system reset). It then
              jumps back to the decryption routine which, this time,
              re-encrypts the code and then performs the system reset.
              Let's disable the reset by placing a "BEQ $61EC" at $61D8.
              Re-encrypt the code by again executing the routine at
              $606C. Note the new encryption values at $61D8. These will
              be written to the proper sector on your backup copy.
       
      4) Load the sector editor from the Utility Disk and trace the "GEOS
         BOOT" file on your backup copy. Address $61D8 would be in the
         second block of the file (it should be Track/Sector 1/4)
         starting at byte #$DE (222). Place our byte changes there and
         rewrite the sector back to the disk. Now reboot GEOS. What
         happens?  No reset this time but the drive shuts off and the
         screen fills with garbage. The real meat must be in the drive
         code.
      
      5) Use the sector editor to restore T/S 1/4 back to its original
         state. Again load the $C000 monitor and "GEOS BOOT". Decrypt the
         code again as mentioned above. The drive code starts at $623F,
         but we want to relocate it to an address we can equate to the
         actual drive address. This code is written to $0300 in drive
         memory, so let's move our code to $1300 (T 632F 642B 1300). The
         Memory-Execute command at $60CD jumps to $0375 in the drive, so
         disassemble the code at $1375. Remember to add or subtract $1000
         from the address references (i.e. for JSR $0300, the subroutine
         would be located at $1300) when appropriate.
      
      6) Study the code for a while just to get a feel for it. Remember
         from our scan of the disk that track 36 is suspicious. 36 in
         hexadecimal is $24. See any references to $24? That's right! At
         $143A, the accumulator is loaded with the value $24, then the
         subroutine at $13BB ($03BB) steps the head to track $24 (36).
         Then a counter of $8000 (32768) is set up, and a comparison for
         specific byte values read from track 36 begins. If the counter
         times out to zero or the values do not all match, the code at
         $148A is executed. Otherwise it branches to $1485. We want it to
         branch to $1485 unconditionally. A great place would be at the
         first byte comparison from $1463 - $1466: if the byte's not
         equal, make it go to $1485 (A 1465 BNE $1485). Apply this change
         to the equivalent drive code at $63A4.
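      The address bookkeeping behind steps 4 through 6, as an added example
      that is not part of the book: the first function maps a memory address
      of the loaded "GEOS BOOT" file to the block and byte a sector editor
      would show (Commodore DOS sectors carry a 2-byte track/sector link, and
      the first sector of a PRG also carries the 2-byte load address), and the
      second pair converts between the three views of the drive code that step
      5 sets up. A load address of $6000 is an assumption inferred from the
      page's own figures ($61D8 landing in block 2 at byte $DE); the
      $623F/$0300/$1300 correspondence is taken from step 5.

```python
# Added example, not code from the book. Commodore DOS stores a PRG file as a
# chain of 256-byte sectors: bytes 0-1 link to the next track/sector, bytes
# 2-3 of the FIRST sector hold the load address, the rest is program data.
SECTOR_SIZE = 256
LINK_BYTES = 2                         # track/sector pointer in every sector
DATA_PER_SECTOR = SECTOR_SIZE - LINK_BYTES   # 254 usable bytes per sector
LOAD_ADDR_BYTES = 2                    # only present in the file's first sector
FIRST_BLOCK_DATA = DATA_PER_SECTOR - LOAD_ADDR_BYTES   # 252 program bytes

def addr_to_sector(addr, load_addr):
    """Memory address of a loaded PRG -> (block number, byte offset in sector).
    Blocks are counted from 1, as the page does ("second block")."""
    offset = addr - load_addr
    if offset < 0:
        raise ValueError("address is below the file's load address")
    if offset < FIRST_BLOCK_DATA:                      # lives in block 1
        return 1, LINK_BYTES + LOAD_ADDR_BYTES + offset
    rest = offset - FIRST_BLOCK_DATA                   # bytes past block 1
    return 2 + rest // DATA_PER_SECTOR, LINK_BYTES + rest % DATA_PER_SECTOR

def sector_to_addr(block, byte, load_addr):
    """Inverse mapping: (block, byte in sector) -> memory address when loaded."""
    if block == 1:
        return load_addr + byte - LINK_BYTES - LOAD_ADDR_BYTES
    return (load_addr + FIRST_BLOCK_DATA
            + (block - 2) * DATA_PER_SECTOR + byte - LINK_BYTES)

# Step 5: the same bytes exist in three address spaces. Values from the page:
FILE_BASE = 0x623F    # start of the drive code inside the loaded GEOS BOOT file
DRIVE_BASE = 0x0300   # where the drive itself executes that code
WORK_BASE = 0x1300    # where step 5 copies it on the C-64 for disassembly

def work_to_drive(addr):
    """Address in the $1300 working copy -> address the drive really uses."""
    return addr - WORK_BASE + DRIVE_BASE

def work_to_file(addr):
    """Address in the $1300 working copy -> address inside the loaded file,
    i.e. where the equivalent byte must be patched (step 6)."""
    return addr - WORK_BASE + FILE_BASE

if __name__ == "__main__":
    # Load address $6000 is an assumption inferred from the page's figures.
    print(addr_to_sector(0x61D8, 0x6000))   # block 2, byte $DE, as step 4 says
    print(hex(work_to_drive(0x13BB)))       # $03BB, as step 6 says
    print(hex(work_to_file(0x1465)))        # $63A4, the patch address in step 6
```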
      
            K.J. REVEALED TRILOGY    PAGE [96]     (C)1990 K.J.P.B.
