The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / n_z / pirate3.007 < prev next >

Wrap

Text File | 2003-06-11 | 26.3 KB | 651 lines

*************************************************** *** Pirate Magazine Issue III-3 / File 7 of 9 *** *** Cracking Tips (Part 5) *** *************************************************** In this file: Graphwriter 4.21 TheDraw SideKick 1.00A PFS Report PCDRAW 1.4 Signmaster FOR THE USERS THAT HAVE 'GRAPHWRITER' VER 4.21 ------------------------------------------------------------------- FROM : THE A.S.P ; (Against Software Protection) DATED : OCT 19,1984 (FIRST RELEASE) ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020) AND TO LEE NELSONS BBS (PC-FORUM -404-761-3635) PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO ___________________________________________________________________ 40 OR MORE HOURS ( 8+ HOURS FOR 'GRAPHWRITER' ) OF SINGLE STEPPING THRU CODE AND FIGURING OUT THE INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS) OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME AT NO COST TO YOU AND I DO NOT LOOK TO KINDLY TO SUCH BBS'S PUTTING ON in. Thanks John Roswick, Bismarck. Keywords: SIDEKICK PROKEY PATCH FIX BUGS COMPATIBILITY BORLAND <> <> <> <> <> <> <> <> <> <> <> UNPROTECT FOR -SIDEKICK- Attention Sidekick/Prokey users ! We at Borland were having trouble getting Sidekick to be compatible with Rosesoft's Prokey and as many of you Prokey users out there know everything locked up when the two got together. The reason Prokey does not work is because it trashes some of the registers when running and confuses Sidekick as to make your terminal go down. Enclosed is the portion of Prokey which does this. 0730 2EF606D402FF TEST CS:BYTE PTR [02D4H],OFFH 0736 7409 JE 0741H 0738 2EFF2EC602 JMP CS:DWORD PTR [02C6H] 073D 5B POP BX 073E 1F POP DS 073F EBF7 JMP SHORT 0738H 0741 1E PUSH DS 0742 53 PUSH BX 0743 8CCB MOV BX,CS 0745 8EDB MOV DS,BX 0747 FB STI 0748 C5053D0100 MOV BYTE PTR [013DH],00H 074D 803E660400 CMP BYTE PTR [0466H],00H 0752 7420 JE 0774H 0754 833E670400 CMP WORD PTR [0469H],00H 0759 7507 JNE 0762H 075B 833E670400 CMP WORD PTR [0467H],00H 0760 740D JE 076FH 0762 832E670401 SUB WORD PTR [0467H],01H 0767 831E690400 SBB WORD PTR [0469H],00H 076C EB06 JMP SHORT 0774H 076E 90 NOP 076F C606660400 MOV BYTE PTR [0466H],00H 0774 803E530400 CMP BYTE PTR [0466H],00H 0779 74C2 JE 037DH 077B 833E662400 CMP WORD PTR [2466H],00H 0780 7507 JNE 0789H 0782 833E682400 CMP WORD PTR [2468H],00H 0787 740C JE 0795H 0789 832E682401 SUB WORD PTR [2468H],01H 078E 831E662400 SBB WORD PTR [2466H],00H 0793 EBA8 JMP SHORT 073DH 0795 E8841D CALL 251CH ;HMMM ! 0798 EBA3 JMP SHORT 073DH THE SAGA CONTINUES ... 251C 50 PUSH AX 251D 1E PUSH DS 251E A05304 MOV AL,[0453H] 2521 3C01 CMP AL,01H 2523 7407 JE 252CH 2525 3C02 CMP AL,02H 2527 743F JE 2568H 2529 1F POP DS 252A 58 POP AX 252B C3 RET ?NEAR 252C BD9D2D MOV BP,2D9DH BP DESTROYED 252F E8480E CALL 337AH 2532 A16C24 MOV AX,[246CH] 2535 A39D2D MOV [2D9DH],AX 2538 BD9D2D MOV BP,2D9DH 253B E8E30D CALL 3321H 253E BD9D2D MOV BP,2D9DH 2541 BEE023 MOV SI,23E0H SI DESTROYED 2544 B601 MOV DH,01H DX DESTROYED 2546 B201 MOV DL,01H (BUT WILL BE RESTORED 2548 E8230C CALL 317FH BY THE BIOS) 254B E88407 CALL 2CD2H 254E 8B366024 MOV SI,[2460H] 2552 387D07 CALL 2CD2H 2555 A16224 MOV AX,[2462H] 2558 A36824 MOV [2468H],AX 255B C70666240000 MOV WORD PTR [2466H],000H 2561 C606530402 MOV BYTE PTR [0453H],02H 2566 EBC1 JMP SHORT 2529H 2568 BD9D2D MOV BP,2D9DH 256B E80C0E CALL 337AH 256E C606530400 MOV BYTE PTR [0453H],00H 2573 EBB4 JMP SHORT 2529H . . Prokey does not save and restore all registers when trapping interrupt 1C. The reason why this error occurs at a higher frequency when using Sidekick is beyond this discussion. However, to verify the error try the following: 1. Start Prokey 2. Define a key recursively 3. Notice prokey now issues an error message 4. terminate definition (fast...) 5. press return 100 times 6. if prokey did not crash repeat step 2-6 Register destroying occurs when Prokey is flashing error message. You must terminate and press return as fast as possible, and be logged on a floppy drive (important: let your prompt show the active directory in order to let dos read on the disk). The following program establishes a trap at interrupt 8 (to make sure Prokey or others does not overwrite it, bios int 8 then activates 1C). CODE SEGMENT ASSUME CS:CODE ORG 100H START PROC JMP SHORT SETUP START ENDP INT08SAVE DD INT08TRAP PROC FAR PUSH AX PUSH BX PUSH CX PUSH DX PUSH SI PUSH DI PUSH BP PUSH DS PUSH ES PUSHF CALL INT08SAVE POP ES POP DS POP BP POP DI POP SI POP DX POP CX POP BX POP AX IRET INT08TRAP ENDP EOTRAP: SETUP PROC MOV DS,AX MOV SI,20H CLI LES AX,DWORD PTR[SI] MOV WORD PTR INT08SAVE,AX MOV WORD PT MOV WORD PTR [SI],OFFSET INT08TRAP MOV [SI+2],CS STI MOV DX,OFFSET EOTRAP+1 SETUP ENDP CODE ENDS END START It may be faster to enter the following bytes using debug and writing them to the file profix.com, thus saving your original prokey file: e100 0100: EB 1D 00 00 00 00 50 53 51 52 56 57 55 1E 06 9C 0110: 2E FF 1E 02 01 07 1F 5D 5F 5E 5A 59 5B 58 CF 33 0120: C0 8E D8 BE 20 00 FA C4 04 2E A3 02 01 2E 8C 06 0130: 04 01 C7 04 06 01 8C 4C 02 FB BA 20 01 CD 27 RCX 3F NPROFIX.COM W NOW USE PROFIX INSTEAD OF PROKEY NOTE: THIS MAY NOT BE THE COMPLETE SOLUTION AS THE WORD STILL DOES NOT WORK WITH PROKEY. FURTHERMORE THIS HAS ONLY BEEN TESTED USING PROKEY VERSION 3.0 - OLDER VERSIONS MAY HAVE OTHER BUGS! INSTRUCTIONS FOR UNPROTECTING PFS-FILE AND PFS-REPORT. IMPORTANT! COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST. DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! (USE THE USUAL DOS COPY COMMAND) FOR PFS-FILE: RENAME FILE.EXE TO FILE.ZAP HAVE DEBUG.COM HANDY TYPE -> DEBUG FILE.ZAP TYPE -> U 9243 YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP MOV AX,DS MOV ES,AX (ETC) IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION) OTHERWISE, TYPE -> E 9248 EB 2B TYPE -> W TYPE -> Q BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-FILE. FOR PFS-REPORT: RENAME REPORT.EXE TO REPORT.ZAP HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP TYPE -> U 98BF YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP MOV AX,DS MOV ES,AX (ETC) IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION) OTHERWISE, TYPE -> E 98C4 EB 2B TYPE -> W TYPE -> Q BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-REPORT. For those of you whose PFS:FILE and PFS:REPORT do not match the other PFS zaps on this board, try these: ---------------------------------------------------------------------- For PFS:FILE, copy FILE.EXE to another disk, and do: RENAME FILE.EXE FILE.ZAP DEBUG FILE.ZAP U 9213 should show ... PUSH BP MOV CX,0004 which is the first part of a timing loop. if it doesn't, quit; else do: E 9217 EB 18 U 9213 should show ... PUSH BP MOV CX,0004 JMP 9231 if so, do: W Q RENAME FILE.ZAP FILE.EXE ---------------------------------------------------------------------- For PFS:REPORT, copy REPORT.EXE to another disk, and do: RENAME REPORT.EXE REPORT.ZAP DEBUG REPORT.ZAP U 9875 should show ... PUSH BP MOV AX,DS MOV ES,AX if it doesn't, quit; else do: E 987A EB 11 U 9875 should show ... PUSH BP MOV AX,DS MOV ES,AX JMP 988D if so, do: W Q RENAME REPORT.ZAP REPORT.EXE ---------------------------------------------------------------------- if everything was OK, your new versions of PFS:FILE and PFS:REPORT should run just fine without the original diskettes. ---------------------------------------------------------------------- Zaps provided by Lazarus Associates <> <> <> <> <> <> <> <> <> <> <> ----------------------------------------------------------UNPROTECT IBM PERSONAL 1. REN MCEMAIL.EXE X 2. DEBUG X DOS 2.xx Version 3. A EB47 JMP EB4F (was JNZ EB4F) 4. A EBEF NOP NOP (was JZ EC0B) 5. A EC06 NOP NOP (was JNZ EC0B) 6. W 7. Q 8. REN X MCEMAIL.EXE IMPORTANT! All copies of PCM must have this patch (i.e. the programs on both ends of a connection). This has been tested on a PCjr and PC. <> <> <> <> <> <> <> <> <> <> <> FOR THE USERS THAT HAVE 'PC-DRAW' V1.4 ------------------------------------------ FROM : THE A.S.P ; (Against Software Protection) ORIGINALLY SUBMITTED TO ASA FULTONS BBS - SHINING SUN :305-273-0020 AND WHIT WYANTS BBS - PC-CONNECT :203-966-8869 PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO (+1 HOURS FOR PC-DRAW V1.4) 40 OR MORE HOURS OF SINGLE STEPPING THRU CODE AND FIGURING OUT THE INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT FOR MY LOST SLEEP.... THE A.S.P... ORLANDO FLA. (J P , TO HIS FRIENDS) IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT TIED INTO THE PC-DRAW DISKETTE...IN CASE YOUR ONLY COPY GOES BAD . THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY.... AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY YOUR PURCHASE LICENSE AGREEMENT. IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF 'BIG MACS' TO GET YOUR HARD DISK. THIS WRITE UP ASSUMES THAT YOU ARE FAMILIAR WITH DEBUG, 1). FORMAT A CORRESPONDING EQUAL NUMBER OF DOS2.0 OR 2.1 DISKS AS SYSTEM DISKS 2). LABEL EACH OF THE 2.X FORMATTED DISKS THE SAME AS EACH ONE OF THE ORIGINAL 'PC-DRAW' DISKS 3). COPY THE FILES FROM THE ORIGINAL DISKS TO THE 2.X FORMATTED DISK ON A ONE FOR ONE BASIS, USING 'COPY' COMMAND 4). PLACE THE ORIGINAL DISKS IN A SAFE PLACE, WE DONT NEED THEM ANY MORE. 5). PLACE 'DISK 1' IN THE 'A' DRIVE 6). RENAME PC-DRAW.EXE PC-DRAW 7). DEBUG PC-DRAW 8) ENTER -S CS:100 L EFFF CD 13 9). FIRST YOU SHOULD SEE THE FOLLOWING CODE AT ADDRESS CS:4D45 CD 13 INT 13 IF U DONT U MAY HAVE A DIFFERENT VERSION SO DONT PROCEED ANY FARTHER, ENTER THE CHANGE TO CHANGE "INT 13" TO "NOP" AND "STC", AND FORCE A JUMP 10). ENTER -E 4D45 90 F9 EB 28 11). ENTER -W 12). ENTER -Q 13). RENAME PC-DRAW PC-DRAW.EXE NOTE: PC-DRAW IS NOW COMPLETELY UNPROTECTED. IF U WANT TO USE 'PC-DRAW' FROM HARD DISK OR RAM DISK U MUST USE THE CORRECT 'ASSIGN=', SINCE 'PC-DRAW' APPEARS TO HAVE DRIVES HARD CODED. ALSO FOR V1.2 AND 1.3 THE BAD TRACK CHECK WAS IN DIAGRAM.EXE, NOTE THAT THE CHECK IS NOW DONE IN PC-DRAW.EXE. ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!! END OF TRANSFER - PRESS ENTER TO RETURN TO MENU This procedure will unprotect the version 1.10A of SIDEKICK. Many thanks to the individual who provided the procedure for the version 1.00A. The only major difference between the two versions is the offset address of the instructions to be modified. Using DEBUG on SK.COM, NOP out the CALL 8C1E at location 07CA ----+ | Change the OR AL,AL at 07D9 to OR AL,01 --------+ | | | .....and that's it! | | | | (BEFORE ZAP) | | 78A7:07CA E85184 CALL 8C1E <----------------------------+ 78A7:07CD 2E CS: | | 78A7:07CE 8E163E02 MOV SS,[023E] | | 78A7:07D2 2E CS: | | 78A7:07D3 8B264002 MOV SP,[0240] | | 78A7:07D7 1F POP DS | | 78A7:07D8 59 POP CX | | 78A7:07D9 0AC0 OR AL,AL <----------+ | | | (AFTER ZAP) | | 78A7:07CA 90 NOP <-----------------------------+ 78A7:07CB 90 NOP <-----------------------------+ 78A7:07CC 90 NOP <-----------------------------+ 78A7:07CD 2E CS: | 78A7:07CE 8E163E02 MOV SS,[023E] | 78A7:07D2 2E CS: | 78A7:07D3 8B264002 MOV SP,[0240] | 78A7:07D7 1F POP DS | 78A7:07D8 59 POP CX | 78A7:07D9 0C01 OR AL,01 <----------+ ------------------------------------------------------------------- <> <> <> <> <> <> <> <> <> <> <> UNPROTECT FOR -SIGNMASTER FROM : THE A.S.P ; (Against Software Protection) 1). FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0 2). LABEL IT ACCORDING TO THE ORIGINAL 'SIGNMASTER' SYSTEM DISKETTE 3). COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING 2.X OR 3.X FORMATTED DISKETTE 4). I WONT TELL U HOW TO USE DEBUG OR ANY 'PATCHER' PROGRAMS ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING. 5). RENAME SIGN.EXE SIGN 6). DEBUG SIGN 7). D CS:99C YOU SHOULD SEE 75 03 E9 09 E CS:99C 90 90 EB 1F D CS:D407 YOU SHOULD SEE 5F E CS:D407 CB W Q 8). RENAME SIGN SIGN.EXE OTHER NOTES: ------------------------------------------------------------------------- 1). CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED 2). U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U SET UP 3). SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT ON A BBS, SO THAT U MAY USE THE NEWLY GLEAMED KNOWLEDGE. This is the procedure for bypassing the copy protection scheme used by SIDEKICK, version 1.00A. Using DEBUG on SK.COM, NOP out the CALL 8780 at location 071A ----+ | Change the OR AL,AL at 072D to OR AL,01 --------+ | | | .....and that's it! | | | | (BEFORE ZAP) | | 78A7:071A E86380 CALL 8780 <----------------------------+ 78A7:071D 2E CS: | | 78A7:071E 8E163D02 MOV SS,[023D] | | 78A7:0722 2E CS: | | 78A7:0723 8B263F02 MOV SP,[023F] | | 78A7:0727 1F POP DS | | 78A7:0728 59 POP CX | | 78A7:0729 880E1300 MOV [0013],CL | | 78A7:072D 0AC0 OR AL,AL <----------+ | | | (AFTER ZAP) | | 78A7:071A 90 NOP <-----------------------------+ 78A7:071B 90 NOP <-----------------------------+ 78A7:071C 90 NOP <-----------------------------+ 78A7:071D 2E CS: | 78A7:071E 8E163D02 MOV SS,[023D] | 78A7:0722 2E CS: | 78A7:0723 8B263F02 MOV SP,[023F] | 78A7:0727 1F POP DS | 78A7:0728 59 POP CX | 78A7:0729 880E1300 MOV [0013],CL | 78A7:072D 0C01 OR AL,01 <----------+ <> <> <> <> <> <> <> <> <> <> <> What follows is an unprotect scheme for version 1.11C of Borland International's Sidekick. The basic procedure is the same as that for version 1.1A with just location differences. So the only credit I can take is for finding the new locations! This is (of course), provided only for legal owners of Sidekick!! Also, make sure you 'DEBUG' a copy NOT the original! DEBUG SK.COM <ENTER> -U 801 <ENTER> -E 801 <ENTER> you will then see: 25E5:0801 E8. 90 <ENTER> repeat for 802 and 803: -E 802 <ENTER> 90 <ENTER> -E 803 <ENTER> 90 <ENTER> then: -A 810 <ENTER> OR AL,01 <ENTER> <ENTER> -U 801 <ENTER> you should then see (among other things): XXXX:801 90 NOP XXXX:802 90 NOP XXXX:803 90 NOP XXXX:810 0C01 OR AL,01 if so: -W <ENTER> -Q <ENTER> if not: -Q <ENTER> +++++++++++++++++++++++++++++++++++++++++++++++++++++ For SKN.COM, SKM.COM and SKC.COM the unprotect is the same but at the following locations: SK SKN SKM SKC --- --- --- --- 801 7DF 76F 7BC 802 7E0 770 7BD 803 7E1 771 7BE 810 7EE 77E 7CB To unprotect SKC.COM you would 'DEBUG SKC.COM' and then replace any occurence of '801' with '7BC'; '802' with '7BD' and so on. GOOD LUCK! * * * * * * * * * * * * * * * * * * * * * * * * This is an explanation of the internal workings of Print.Com, a file included in DOS for the IBM PC and compatibles. It explains how this program fails to do its part to insure integrity of all registers. For this reason some trouble was being experienced while using both SideKick and Print. op The timer tick generates an interrupt 8 18.2 per second. When SK is not active, this interrupt is handled by the Bios as follows: It pushes all registers used by the routine (AX among others.) It updates the system timer count. It updates the disk motor timer count. It generates an int 1C. When the spooler is active, it has placed a vector at int 1C, pointing at the spooler's code. The spooler is therefore activated in the middle of the int 8 handling. The cause of the SK received the int 8 and calls the bios int 8 routine to make sure that the timer tick is properly handles. The bios int 8 me as above: It pushes all registers used by the routine (AX among others). It updates the system timer count. It updates the disk motor timer count. It generates an int 10. SK has replaced the vector that the spooler placed here with a IRET, so nothing happens. This is because we cannot allow the timer tick to pass through to programs which use it, for example to write on the screen. It generates an end-of-interrupt to the interrupt controler. It pops the registers that were pushed. It does an interrupt return. Back in SK's int 8 routine we make a call to the address that was stored at int 10 when SK was first started. In this way he still services any resident programs that were loaded before SK. With the spooler active we therefore make a call to the spooler. The spooler again corrupts the AX register because it uses it without saving it first. Back in SK we have no way of restoring the original contents of the AX register because we did not save it (why should we, we don't use it.) In short, the root of the trouble is that the spooler destroys the AX register. The fact that the Bio's int 8 routine saves and stores it is pure coincidence. I quote from the Technical Reference Manual, Pages 2-5, Section Interrupt Hex 1C-timer tick: "It is the responsibility of the application to save and restore all registers that will be modified." Relying on a version of the Bios which happens to save register AX is bad programming practice. However, the guy who wrote the print spooler did not rely on this because at another point in his program he does correctly save AX. Obviously he simply forgot and fortunately for him the Bios saved him. The following patch will fix the problem: SK.COM unprotected version change 7F8: 55 to 7F8: 50 SK.COM unprotected version change 805: 5D to 805: 58 SK.COM protected version change 801: 55 to 801: 50 SK.COM protected version change 80E: 5D to 80E: 58 Also on both above change 012C: 41 to 012C: 42 UNPROTECT IBM TIME MANAGER (80 Column Version) Version 1.00 - 1. Have a formatted, blank disk ready if copying to a floppy. Hard disk is OK, also. 2. Startup DEBUG from drive A. Just type DEBUG <enter> 3. Place the TIME MANAGER program disk in drive A. 4. Type L 600 0 A5 40 <enter> 5. Type F 100,600 90 <enter> 6. Type RCX <enter> 7. Type 8000 <enter> 8. Place the formated, blank floppy in drive B 9. Type NTM.COM <enter> 10. Type W <enter> 11. Type Q <enter> That's it. You now have the 80-column version of Time Manager on the disk in Drive B. It is called TM.COM and can be started by simply typing TM. BE AWARE!!! - the data diskette is non-dos and cannot be placed on a hard disk. Also, while the program itself can be loaded from any drive letter (A-Z), the data disk can only be on drives A or B. The data disk is not protected and may be copied with DISKCOPY. For the 40-column version, replace line4 with: 4. Type L 600 0 65 40 <enter> All others steps are the same. If you wish to have both a 40 and 80 column version, change line 9 so that the name is descriptive of the version, i.e. NTM40.COM or NTM80.COM. <-----<<END>>-----> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++ !