bytes intact. A simple way is the byte swap. The code contains many
branch instructions. What if we swapped a BEQ (branch-if-equal) and
a BNE (branch-if-not-equal) instruction at just the right place?
Experimentation will reveal that swapping the branch opcodes at
$803C and $804B will force the code to go to $8064.
Write this change to Track/Sector 35/0 using Disk Doctor from
the Utility Disk. Load "GEOS" and boot "Graphics Grabber" (the only
protected application on the disk). The protection fails. Look at
the code at $8061-$8065 again. There are two sets of LDA
instructions there, each loading a different value. Why not try
another byte swap? Switch the two bytes that are being loaded at
$8061-$8065. Now it will be forced to load a different value. Make
this change to sector 0 on track 35. You should now have both sets
of byte swaps written to 35/0. Boot "Graphics Grabber" again. This
time it installs successfully. But you still can't use it with a
different GEOS, only the copy from which it was installed.

The serial number check is really the toughest part of some of
the applications. Writer's Workshop and GEOdex both try to disguise
the call to "GetSerialNumber", an internal GEOS routine ($C196). One
uses encryption and the other uses GEOS's "CallRoutine" which does
an indirect JSR (Jump-To-Subroutine) to the serial number routine.
An additional problem is that GEOS workspace starts at $0400 in
memory, which the C64 normally uses as screen memory. Resetting the
computer will lose all the code located from $0400-$0800. Yet
another problem is that some of the applications are stored in VLIR
(variable length indexed record) files, which are split into
multiple parts and special modifications have to be made to the
directory to load these files like normal programs. We'll save
these for a future exercise.

Deskpak I's serial number check is conveniently located at $2362
on our version. To catch this code, reset the computer while the
application is loading. Load the "49152" monitor and disassemble
the code at $2362. You'll see this same routine in most of the
Berkeley applications. It first checks to see if the serial number
is zero. If it is, it executes the install routine that we disabled
earlier (the GetBlock and checksum routine starts at $2448). If the
serial number is there, it branches to $240D and checks the serial
number in GEOS to see if it matches. If it doesn't, it displays a
Dialogue Box asking you to reboot with the correct GEOS.

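The byte swaps described above and the checksum routine mentioned here point at a detail worth understanding from the protection author's side: a plain additive checksum cannot tell a block from one in which two of its bytes have been exchanged, because addition is commutative, whereas a position-dependent check such as a CRC does see the change. The Python below is an added example, not code from the book or from GEOS; the 6502 fragment, its load address and the choice of CRC-16/CCITT are constructed for illustration, and nothing is claimed about what the routine at $2448 actually computes.

```python
# Added example (not from the book): a byte swap is invisible to an additive
# checksum but not to a position-dependent one. The fragment is constructed;
# only the opcode values for BEQ, BNE, LDA #imm and NOP are real 6502 values.
BEQ, BNE, LDA_IMM, NOP = 0xF0, 0xD0, 0xA9, 0xEA

def build_fragment() -> bytes:
    """Constructed code laid out as if loaded at $8000: branches at $803C and
    $804B both reaching $8064, two LDA #imm instructions at $8061 and $8063."""
    code = bytearray([NOP] * 0x80)
    code[0x3C:0x3E] = bytes([BEQ, 0x26])      # $803E + $26 = $8064
    code[0x4B:0x4D] = bytes([BNE, 0x17])      # $804D + $17 = $8064
    code[0x61:0x63] = bytes([LDA_IMM, 0x01])  # operand byte at offset 0x62
    code[0x63:0x65] = bytes([LDA_IMM, 0x00])  # operand byte at offset 0x64
    return bytes(code)

def swap_bytes(code: bytes, i: int, j: int) -> bytes:
    """Exchange the bytes at offsets i and j (the 'byte swap' patch)."""
    buf = bytearray(code)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)

def additive_checksum(code: bytes) -> int:
    """Sum of all bytes mod 256: order-independent, so blind to any swap."""
    return sum(code) & 0xFF

def crc16_ccitt(code: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF): position-dependent."""
    crc = 0xFFFF
    for b in code:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def integrity_report() -> dict:
    """Test each swap from the text on its own against both kinds of check."""
    orig = build_fragment()
    swaps = {"branch_opcodes": (0x3C, 0x4B), "lda_operands": (0x62, 0x64)}
    report = {}
    for name, (i, j) in swaps.items():
        patched = swap_bytes(orig, i, j)
        report[name] = {
            "sum_detects": additive_checksum(orig) != additive_checksum(patched),
            "crc_detects": crc16_ccitt(orig) != crc16_ccitt(patched),
        }
    return report

if __name__ == "__main__":
    for name, result in integrity_report().items():
        print(name, result)
```

For both swaps the additive sum is unchanged while the CRC differs, which is why an integrity check over code should be position-sensitive rather than a byte sum.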
The whole protection and serial number check can be disabled
rather simply by placing a CLC (clear-carry-flag) and RTS
(return-from-subroutine) instruction at the top of the code
($2362). On our version of Deskpak I, the location on the original
is Track/Sector 12/18, byte position #156 ($9C). You might have to
calculate the position or do a manual search of the file to track
down the offending code. Write byte values 24 ($18) and 96 ($60) to
K.J. REVEALED TRILOGY PAGE [99] (C)1990 K.J.P.B.