The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / n_z / pirate3.008 < prev next >

Wrap

Text File | 2003-06-11 | 37.0 KB | 987 lines

*** Pirate Magazine Issue III-3 / File 8 of 9 *** *** Cracking Tips (Part 6) *** *************************************************** In this file: Lotus 123 Visicalc Microsoft word 1.1 ZORK Trivia Fever Wordstar 2000 1.00 dBase 3 PFS programs Double Dos UNPROTECTING LOTUS 1-2-3 1-2-3 Release 1-A ----------------- 1. Rename 123.exe 123.xyz 2. DEBUG 123.xyz 3. Type U ABA9 4. You should see INT 13 at this address 5. Type E ABA9 90 90 6. Type W 7. Type Q 8. Rename 123.xyz 123.exe 1-2-3 Release 1 --------------- 1. Rename 123.exe 123.xyz 2. DEBUG 123.xyz 3. Type S DS:100 FFFF E8 BE 71 The system will respond with xxxx:3666 where xxxx can vary 4. Type E xxxx:3666 90 90 90 (xxxx is the number from above) 5. Type W 6. Type Q 7. Rename 123.xyz 123.exe Compliments of THE BIG APPLE BBS (212) 975-0046 <> <> <> <> <> <> <> <> <> <> <> [[This patch was extracted from the PHOENIX IBM-PC Software Library newsletter. They received it from the HAL-PC users group of Houston, TX. Corrected by Jack Wright. Many thanks to them.]] **** CONVERT VISICALC TO A .COM FILE **** USE THE FOLLOWING PROCEDURE TO TRANSFER THE 80-COLUMN VISICALC PROGRAM FROM THE VISICALC DISK AND WRITE A STANDARD .COM FILE WHICH MAY BE FORMAT A DISK AS FOLLOWS: (FORMAT B:/S(ENTER)). START THE DEBUG SYSTEM. INSERT THE VISICALC DISK IN DRIVE A: THEN TYPE: -L 100 0 138 2 (LOAD THE VC80 LOAD/DECRYPTER) -M 0 3FF 7000 (DUPLICATE IT IN HIGHER MEMORY) -R CS (INSPECT COMMAND SEGMENT REGISTER) DEBUG WILL RESPOND WITH THE CONTENTS OF THE CS REGISTER (eg. 04B5) AND PROMPT WITH A COLON (:). TYPE THE OLD CONTENTS + 700 (HEX). (eg. 04B5 BECOMES 0BB5). DO THE SAME WITH THE 'DS' REGISTER. DEBUG response to R CS might be: CS 04B5 <-Save the value you get, we'll need it later. :0BB5 <-Type in your CS value + 700hex here -R DS <-Type DS 04B5 :0BB5 <-Type in your DS value + 700hex here NEXT: Take the low order byte of the CS you saved above and substitute it for LL in the next line. Substitute the high order byte for HH: -E 107 LL HH (ENTER BYTE-FLIPPED CS) Ex: -E 107 B5 04 -E 24D BB A8 00 90 (HARD-WIRE THE DECRYPTION KEY) NOW, WE MUST RUN THE LOADER/DECRYPTER, TYPE: -G =1B8 26B (EXECUTE FROM 1B8 TO 26B) THE ENTIRE PROGRAM WILL NOW BE LOADED AND DECRYPTED AND A REGISTER DUMP SHOULD APPEAR ON THE SCREEN. NOW RESTORE CS AND DS TO THEIR PREVIOUS VALUES AND SET THE FILE LENGTH IN CX. Set BX=0: -R CS CS 0BB5 <-Yours might be different :04B5 <-Type in the value of CS you saved above -R DS DS 0BB5 :04B5 <-Type in the value of DS you saved above -R BX BX F3FD :0 -R CX CX 0000 :6B64 (LENGTH = 6B64 FOR VERSION 1.1, 6802 FOR VERSION 1.0) NOW WE MUST NAME THE FILE, WRITE IT AND EXIT. REMOVE THE VISICALC DISK FROM A: INSERT THE NEW, FORMATTED, EMPTY DISK IN A: TYPE: -N VC.COM (OR WHATEVER YOU WISH TO NAME IT) -W (WRITE THE .COM FILE) -Q (EXIT FROM DEBUG) ***YOU ARE DONE***** Back in DOS, type VC to try it. The protection scheme for MS WORD is quite good. The last track is formatted with 256 byte sectors. One sector, however, has an ID that says it is a 1K sector. If you try to read it as a 256 byte sector, you'll get a sector not found. You can read it as a 1K sector with a guaranteed CRC error, and you will get the data and other sector overhead from 3+ sectors. They read it as 1K, and use the bytes after the first 256 for decryption. These bytes constitute the post-amble of the sector, the inter-sector gap, and the preamble to the next 256 byte sector. If it's not formatted with the correct inter-sector gap, the decryption key is different and the incorrectly decoded program bombs. The best way around this is to modify the MWCOPY program so it will let you make more than one copy. The below mods will let you make as many backups as you want (and you can leave the write protect tab on your master disk). Of course, this method should only be used by registered owners of Word. If you, or any of your IMF force is killed, the secretary will disavow any knowledge of these patches. We will copy MWCOPY to another disk, using another name (MWCP) so you'll know it's the special version, and then modify MWCP. (with master disk in A:, B: has any disk with debug on it) A>copy mwcopy.com b:mwcp.com B>debug mwcp.com -e103 xxxx:0103 0x.00 -e148 xxxx:0148 A5.a7 -e194 xxxx:0194 02.04 -e32a xxxx:032A 1C.1e -e32e xxxx:032E 1C.1e -e3372 xxxx:3372 01.03 -ecfe xxxx:0CFE CD.90<space>26.90<space> xxxx:0D00 5B.90 -e4ab xxxx:04AB 1B.84 -e69a xxxx:069A C1.b9<space>38.ff<space>28.b9 -e7b3 xxxx:07B3 A2.5f<space>08.e9 -e66f xxxx:066F E5.d8<space> xxxx:0670 94.29<space>90.ff<space>29.b9 Writing 332D bytes -q B>mwcp (try making a copy..remember, leave the write-protect on the master) (Just follow the prompts in the program, except when they ask you to remove the write protect tab) I think this will also work for the hard disk copy portion. Another way to unprotect Word gets rid of the need for any weird disk formats. But it is MUCH more complicated to do. Enjoy! <> <> <> <> <> <> <> <> <> <> <> Unprotection for Microsoft "WORD" Version 1.1 using the Ultra-utilities (U-Format and U-Zap). June 22, 1984 The following information is presented for those legitimate owners who feel somewhat insecure when the availability of an important program is dependent on the survival of a single floppy disk. Microsoft's WORD uses a very good protection method. This consists of a track (Side 1, Track 39) which is formatted with twelve sectors. Sectors 1,2,3,4,6,7,8,9,10 & 11 are all 256 byte sectors. Sector 5 is formatted as a 1024 byte sector with a inherent CRC error. The sectors on this track have an ASCII text on the subjects of not stealing software and the names of the people who worked on the development of the WORD package. Sectors 1,2,3 & 4, while presenting an interesting message, do not directly affect the copy protection scheme. They would appear to be a "red herring", to divert attention from the actual protection area. Earlier versions of WORD were supplied with a program called MWCOPY.COM which permitted a single floppy disk copy and a single hard disk copy. If you have these versions use WORD.UNP or WORDNEW.UNP which can be found on many BBS's. Version 1.1 is furnished with a single back-up floppy and the utility programs furnished are MWCOPY1.COM, MWCOPY.BAT, and MWCOPY2.BAT. These programs only permit a one-time copy to a hard disk. No provision is included for a floppy copy. To make a floppy copy you will need the Ultra-Utilities, a userware set of programs available on many BBS's. Of this set you specifically need U-FORMAT.EXE and U-ZAP.EXE. 1) Place a write protect tab on your copy of WORD. 2) Make a copy of WORD with the standard DOS DISKCOPY command. (NOTE: There are hidden files, so the use of COPY will not work. DISKCOPY will report "Unrecoverable read errors on source Track 39 Side 1". Just ignore this. 3) Start the U-FORMAT.EXE program. This can be done by removing the WORD disk and inserting your Ultra-Utilities disk. Once U-Format is started you can remove the Ultra-utilities disk and return the WORD disk to the drive. 4) Select #5 (Display Radix) from the U-Format menu and change to decimal display. 5) Select #4 (Display/Modify Disk Parameter Table) and set the following: #4 Bytes per sector = 001 #5 Highest sector number per track = 012 #8 Formatting gap length = 010 All other values remain at the default settings. Quit to the main menu. 6) Select menu item #3 (Format a Non-Standard Track) The program will ask if you intend to format a track with 12 sectors. Answer = YES The program will then ask for the following information: SIDE = 1 DRIVE = (enter letter of the drive with the COPY disk) TRACK = 39 The program will then prompt for the following information: Physical Sector # Logical Sector # Sector Size 1 1 1 2 2 1 3 3 1 4 4 1 5 5 3 6 6 1 7 7 1 8 8 1 9 9 1 10 10 1 11 11 1 12 12 1 After pressing "enter" in response to the prompt, you may exit U-Format. 7) Start the U-ZAP.EXE program. This can be done by removing the WORD disk and inserting your Ultra-Utilities disk. Once U-Zap is started you can remove the Ultra-utilities disk and return the WORD disk to the drive. 8) Select #8 (Display Radix) from the U-Format menu and change to decimal display. 9) Select #11 (Display/Modify Disk Parameter Table) and set the following: #4 Bytes per sector = 001 #5 Highest sector number per track = 012 All other values remain at the default settings. Quit to the main menu. 10) Select #3 (Copy Disk Sectors) and use the following information: SOURCE DISK DESTINATION DISK SIDE = 1 SIDE = 1 DRIVE = (enter drive letter DRIVE = (enter drive letter for WORD disk) for COPY disk) TRACK = 39 TRACK = 39 SECTOR = 6 SECTOR = 6 NUMBER OF SECTORS TO COPY = 7 The program will report "Sector Not Found"... "Re-Try (Y/N)" Answer = NO The program will then ask how many sides for the disk. Answer = 2 The program will then show the copy process. (NOTE: DO NOT copy the information from sectors 1,2,3,4, or 5.) You may then quit from U-zap to DOS. YOUR' DONE. The copy disk should workHow to backup Infocom's ZORK III game: *Insert DOS disk in drive A A>DISKCOPY A: B: <-- Ignore the errors on tracks 1-3! *Place your ZORK I or ZORK II disk in drive A and a blank disk in drive B. BE SURE THAT YOUR ORIGINAL IS WRITE-PROTECTED!!! A> *Now take out your ZORK disk and insert your DOS disk in A. A>DEBUG -R CS xxxx :0000 <-- you enter this -R DS xxxx :0040 -R IP xxxx :7C00 -R ES xxxx :0000 -L 0:7C00 0 0 8 -G =0:7C00 0:7C32 -G 0:7C44 <-- Don't take a shortcut here! -R ES xxxx :04C5 -G 0:7C46 -E 7C0:007C 02 08 -W 800:0000 1 8 8 -E 07C0:007C 03 04 -G 0:7C44 -R BX xxxx :0000 -G 0:7C46 -E 07C0:007C 02 08 -W 04C5:0000 1 10 8 -E 07C0:007C 03 04 -G 0:7C44 -R BX xxxx :0000 -E 07C0:007C 02 08 -W 04C5:0000 1 18 8 -E 0:7C41 B8 08 02 -W 0:7C00 1 0 8 -Q <> <> <> <> <> <> <> <> <> <> <> UNPROTECT FOR INFOCOMO'S -ZORK III- *This patch was done under DOS 1.1 - I haven't tried it under DOS 2.0 yet - which may cause unpredictable results... *Take out your new disk in drive B and write-protect it. It is now DISKCOPY-able. *Reboot your system - press ALT-CTRL-DEL. How to backup Infocom's ZORK III game: *Insert DOS disk in drive A A>DISKCOPY A: B: <-- Ignore the errors on tracks 1-3! *Place your ZORK III disk in drive A and a blank disk in drive B. A> *Now take out your ZORK III disk and insert your DOS disk in A. A>DEBUG -R CS xxxx :0000 <-- you enter this -R DS xxxx :0040 -R IP xxxx :7C00 -R ES xxxx :0000 -L 0:7C00 0 0 1 -G =0:7C00 0:7C2A -R AX xxxx :0800 -G 0:7C63 -E 800:14E5 B8 08 02 -E 800:211A 02 08 -W 800:0000 1 8 18 -L 0:7C00 0 0 8 -E 0:7C7C 02 08 -E 0:7C41 B8 08 02 -W 0:7C00 1 0 8 -Q *Take out your new disk in drive B and write-protect it. It is now DISKCOPY-able. *Reboot your system - press ALT-CTRL-DEL. <> <> <> <> <> <> <> <> <> <> <> This is the procedure to unprotect the game software package called TRIVIA FEVER (This procedure also works on the demo disk of TRIVIA FEVER available with the blank XIDEX disks!) If you have a hard disk or want to create a backup copy that is not tied to the original TRIVIA system disk, this will remove the copy protection completly. This procedure is to be used by legitimate owners of TRIVIA FEVER ONLY ... as you are entitled to make a back up for archive purposes only. You are bound by your licence agreement. Format a blank system disk using DOS 2 or 2.1 Label it the same as the original TRIVIA system disk. Copy the files from the original TRIVIA system to the formatted blank disk using *.* . Place DOS system disk containing DEBUG in drive A: Place the new copy of TRIVIA in drive B: Rename the file called TF.EXE to TF A>DEBUG B:TF -E 257E (enter) -75.90 03.90 (enter) -W -Q Rename B:TF B:TF.EXE Now all the copy protection has been removed, and you may copy the files as required. All checks for specially formatted tracks has been removed. Disk needs no longer to be in the A drive on start up. <> <> <> <> <> <> <> <> <> <> <> Wordstar 2000 version 1.00 - Unprotect by Gerald Lee derived from dBase III version 1.10 - Unprotect by The Lone Victor The following instructions show you how to bypass the SoftGuard copy protection scheme used on WORDSTAR 2000 version 1.00. This is the same scheme used for FrameWork 1.10 and for dBase III version 1.10. Wordstar 2000 version 1.10 does not use a copy protection scheme, while versions 1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks read the file PROLOCK.UNP. First, using your valid, original Wordstar 2000 diskettes, install it on fixed disk. Softguard hides two files in your root directory: CML0200.HCL and VDF0200.VDW. WS2000.EXE is the real Wordstar 2000 program, encrypted. When you run Wordstar, the program WS2000.COM loads CML0200.HCL high in memory and runs it. CML decrypts itself and reads VDF0200.VDW. The VDF file contains some code and data from the fixed disk FAT at the time of installation. By comparing the information in the VDF file with the current FAT, CML can tell if the CML, VDF, and WORDSTAR.EXE files are in the same place on the disk where they were installed. If they have moved, say from a backup & restore, then WORDSTAR 2000 will not run. Second, un-hide the two files in the root directory. You can do this with the programs ALTER.COM or FM.COM, or UNHIDE.COM and HIDE.COM found on any BBS. PC-SWEEP2 is the easiest it will copy the files to another directory unhidden. Make copies of the two files, and of WS2000.COM and WS2000.EXE, into some other directory. Hide the two root files again if using ALTER or FM. Leave alone if using PC-SWEEP2. Following the WORDSTAR instructions, UNINSTAL WORDSTAR 2000. You can now put away your original WORDSTAR diskettes. We are done with them. Next we will make some patches to CML0200.HCL to allow us to trace through the code in DEBUG. These patches will keep it from killing our interrupt vectors. DEBUG CML0200.HCL E 3F9 <CR> 2A.4A <CR> ; change the 2A to 4A E 49D <CR> F6.16 <CR> ; if any of these numbers don't show up E 506 <CR> E9.09 <CR> ; it's not working. E A79 <CR> 00.20 <CR> ; E AE9 <CR> 00.20 <CR> ; E 73C 97 FA FA F4 F1 7E <CR> ; this is an encrypted call to 0:300 W <CR> ; write out the new CML file Q <CR> ; quit debug Now copy your four saved files back into the root directory and hide the CML0200.HCL and VDF0200.VDW files using ALTER, FM or PC-SWEEP2. We can now run WS2000.COM using DEBUG, trace just up to the point where it has decrypted WORDSTAR.EXE, then write that file out. DEBUG WS2000.COM R <CR> ; write down the value of DS for use below. A 0:300 <CR> ; we must assemble some code here POP AX <CR> CS: <CR> MOV [320],AX <CR> ; save return address POP AX <CR> CS: <CR> MOV [322],AX <CR> PUSH ES <CR> ; set up stack the way we need it MOV AX,20 <CR> MOV ES,AX <CR> MOV AX,0 <CR> CS: <CR> JMP FAR PTR [320] <CR> ;jump to our return address <CR> G 406 <CR> ; now we can trace CML T <CR> G 177 <CR> ; this stuff just traces past some G 1E9 <CR> ; encryption routines. T <CR> G 54E <CR> ; wait while reading VDF & FAT G=559 569 <CR> G=571 857 <CR> ; WS2000.EXE has been decrypted rBX <CR> ; length WS2000.EXE = 1AC00 bytes :1 <CR> ; set BX to 1 rCX <CR> :AC00 <CR> ; set CX to AC00. nWS12 <CR> ; name of file to write to W XXXX:100 <CR> ; where XXXX is the value of DS that ; you wrote down at the begining. Q <CR> ; quit debug Last, unhide and delete the two root files CML0200.HCL, VDF0200.VDW, and WS2000.COM and WS2000 directory. Rename WS12 to WS2000.COM and replace in the WS2000 directory. This is the routine that starts the real WS2000.EXE program without any SoftGuard code or encryption. It requires the .OVL and .MSG files to run. I have not tried it on a two disk systems but I think it should work. If you have any comments on this unprotect routine, please leave them GERALD LEE - 5/12/85 <> <> <> <> <> <> <> <> <> <> <> dBase III version 1.10 - Unprotect by The Lone Victor The following instructions show you how to bypass the SoftGuard copy protection scheme used on dBase III version 1.10. This is the same scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar 2000 version 1.10 does not use a copy protection scheme, while versions 1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks read the file PROLOCK.UNP. This scheme also reportedly works on Quickcode 1.10 QuickReport 1.00. First, using your valid, original dBase III diskette, install it on a fixed disk. Softguard hides three files in your root directory: CML0200.HCL, VDF0200.VDW, and DBASE.EXE. It also copies DBASE.COM into your chosen dBase directory. DBASE.EXE is the real dBase III program, encrypted. When you run dbase, the program DBASE.COM loads CML0200.HCL high in memory and runs it. CML decrypts itself and reads VDF0200.VDW. The VDF file contains some code and data from the fixed disk FAT at the time of installation. By comparing the information in the VDF file with the current FAT, CML can tell if the CML, VDF, and DBASE.EXE files are in the same place on the disk where they were installed. If they have moved, say from a backup & restore, then dBase will not run. Second, un-hide the three files in the root directory. You can do this with the programs ALTER.COM or FM.COM found on any BBS. Make copies of the three files, and of DBASE.COM, into some other directory. Hide the three root files again using ALTER or FM. Following the dBase instructions, UNINSTALL dBase III. You can now put away your original dBase diskette. We are done with it. Next we will make some patches to CML0200.HCL to allow us to trace through the code in DEBUG. These patches will keep it from killing our interrupt vectors. debug cml0200.hcl e 3F9 <CR> 2A.4A <CR> ; change the 2A to 4A e 49D <CR> F6.16 <CR> ; if any of these numbers don't show up e 506 <CR> E9.09 <CR> ; it's not working. e A79 <CR> 00.20 <CR> ; e AE9 <CR> 00.20 <CR> ; e 73C 97 FA FA F4 F1 7E <CR> ; this is an encrypted call to 0:300 w ; write out the new CML file q ; quit debug Now copy your four saved files back into the root directory and hide the CML0200.HCL, VDF0200.VDW, and DBASE.EXE files using ALTER or FM. We can now run DBASE.COM using DEBUG, trace just up to the point where it has decrypted DBASE.EXE, then write that file out. debug dbase.com r <CR> ; write down the value of DS for use below. a 0:300 <CR> ; we must assemble some code here pop ax cs: mov [320],ax ; save return address pop ax cs: mov [322],ax push es ; set up stack the way we need it mov ax,20 mov es,ax mov ax,0 cs: jmp far ptr [320] ; jump to our return address <CR> g 406 ; now we can trace CML t g 177 ; this stuff just traces past some g 1E9 ; encryption routines. t g 54E ; wait while reading VDF & FAT g=559 569 g=571 857 ; DBASE.EXE has been decrypted rBX <CR> ; length DBASE.EXE = 1AC00 bytes :1 ; set BX to 1 rCX <CR> :AC00 ; set CX to AC00. nDBASE ; name of file to write to w XXXX:100 ; where XXXX is the value of DS that ; you wrote down at the begining. q ; quit debug Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, and DBASE.EXE. Delete DBASE.COM and rename DBASE to DBASE.EXE. This is the real dBase III program without any SoftGuard code or encryption. It requires only the DBASE.OVL file to run. If you have any comments on this unprotect routine or the PROLOCK.UNP routine, please leave them on the Atlanta PCUG BBS (404) 634-5731. The Lone Victor - 4/15/85 <> <> <> <> <> <> <> <> <> <> <> INSTRUCTIONS FOR UNPROTECTING PFS-FILE, PFS-REPORT AND PFS-WRITE. IMPORTANT! COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST. DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! (USE THE USUAL DOS COPY COMMAND) YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP MOV AX,DS MOV ES,AX (ETC) IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION) OTHERWISE, TYPE -> E 9248 EB 2B TYPE -> W TYPE -> Q BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-FILE. FOR PFS-REPORT: RENAME REPORT.EXE TO REPORT.ZAP HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP TYPE -> U 98BF YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP MOV AX,DS MOV ES,AX (ETC) IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION) OTHERWISE, TYPE -> E 98C4 EB 2B TYPE -> W TYPE -> Q BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-REPORT. For PFS-Write: RENAME PFSWRITE.EXE TO PFSWRITE.ZAP DEBUG PFSWRITE.ZAP U 235A YOU SHOULD SEE, AMONG OTHER THINGS: INT 13 JNB 2362 IF YOU DONcT SEE THIS, TYPE -> Q (you don't have the right version) OTHERWISE, TYPE -> E235A 90 90 90 90 TYPE -> E2360 90 90 TYPE -> A2369 TYPE -> CMP AX,AX TYPE -> <cr> TYPE -> W TYPE -> Q RENAME PFSWRITE.ZAP TO PFSWRITE.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-WRITE. ============================================================================ P.S. From another author than the one who wrote the above. The routine above is excellent, however I had a different version of PFS FILE and PFS REPORT. If you dont find the locations listed above try these: PFS FILE TYPE -> U 9223 YOU SHOULD SEE PUSH BP MOV AX,DS MOV ES,AX (ETC) IF SO TYPE -> E 9228 EB 2B TYPE -> W TYPE -> Q AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME ETC. PFS REPORT TYPE -> U 988F YOU SHOULD SEE PUSH BP MOV AX,DS MOV ES,AX (ETC) IF SO TYPE -> E 9894 EB 2B TYPE -> W TYPE -> Q AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME & ETC. My thanks to the original author who worked so hard to help us. Please use these routines for your own use. I needed to add DOS 2.1 and place these programs on double sided disks. Don't rip off these software manufacturers. PROKEY 3.0 and several other programs. The approach I outline here works with any of these that are in COM file format. If anyone can improve it to work for EXE files PLEASE post it. This general copy scheme uses a short sector of 256 bytes to store an essential piece of the program code. On startup, location 100H contains a JMP instruction to the code which reads this short sector. Locations 103H - 110H contain HLT instructions (hex F4). After the sector is read, its contents are overlayed onto locations 100H - 110H, replacing the dummy instruction codes. A branch to 100H then begins the actual program. All we need to do is to stop execution after the changes are made and write down the contents of 100H - 110H; reloading the program and POKEing these changes results in an unprotected program. Here's how its done: (1) Put PROTECTED disk in A: (you can write-protect it for safety) and a disk containing DEBUG in B: (2) A: Make A: the default. (3) B:DEBUG ULTIMAII.COM (or PKLOAD.COM, LAYOUT.COM...) (4) -u 0100 Tell DEBUG to disassemble 0100-0120 DEBUG responds with: 0100 JMP 88A0 (or whatever) 0103 HLT 0104 HLT ...etc. (5) -u 88A0 Look at short-sector decrypting code. DEBUG responds with: 88A0 JMPS 88A7 Next "statements" are data locations; ignore. (6) -u 88A7 Now look for where program restarts at 100H. DEBUG responds with: 88A7 CALL 88C4 88AA CALL 892E 88AD JC 88BF (If Carry is set, the disk is a copy. Go to DOS!) .. 88BA MOV AX,0100 88BD JMP AX Paydirt! If you got this far, the program has .. written the REAL code into 0100 - 0120H. (7) -g 88BD Tell DEBUG to run the program, stop here. (8) -d 0100 011F Dump out the changed code. DEBUG responds with: 8C C8 05 25 07 8E D8 05-10 03 8E D0... Two lines. WRITE DOWN for (12) (9) -q Get out of DEBUG. You must reload to deprotect. (10) Make a copy of the disk; you can use copy *.* Put copy in A: (11) B:DEBUG ULTIMAII.COM load copy (12) -e 0100 Patch locations 0100 - 011F with what you wrote down above. Follow each entry with a SPACE until last entry; then hit ENTER. (13) -w Write out new version of ULTIMAII.COM (14) -q You've done it! I've been detailed because this works generally for any COM file. This method doesn't work for EXE files because while DEBUG can load relocatable modules and execute them with breakpoints (step 7 above), you cannot use debug to write an EXE file in relocatable form. Any suggestions? L.Brenkus <> <> <> <> <> <> <> <> <> <> <> DOUBLEDOS - Unprotect Based on The Lone Victor's routine. The following instructions show you how to bypass the SoftGuard copy protection scheme used on DOUBLEDOS version 1.00. This is the same scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar 2000 version 1.10 does not use a copy protection scheme, while versions 1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks read the file PROLOCK.UNP. First, using your valid, original DOUBLEDOS diskette, install it on a fixed disk. Softguard hides three files in your root directory: CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE. It also copies DOUBLEDO.COM into your chosen DOUBLEDOS directory. DOUBLEDO.EXE is the real DOUBLEDOS program, encrypted. When you run DOUBLEDOS, the program DOUBLEDO.COM loads CML0200.HCL high in memory and runs it. CML decrypts itself and reads VDF0200.VDW. The VDF file contains some code and data from the fixed disk FAT at the time of installation. By comparing the information in the VDF file with the current FAT, CML can tell if the CML, VDF, and DOUBLEDO.EXE files are in the same place on the disk where they were installed. If they have moved, say from a backup & restore, then DOUBLEDOS will not run. Second, un-hide the three files in the root directory. You can do this with the programs ALTER.COM or FM.COM found on any BBS. Make copies of the three files, and of DOUBLEDO.COM, into some other directory. Hide the three root files again using ALTER or FM. Following the DOUBLEDOS instructions, UNINSTALL DOUBLEDOS. You can now put away your original DOUBLEDOS diskette. We are done with it. Next we will make some patches to CML0200.HCL to allow us to trace through the code in DEBUG. These patches will keep it from killing our interrupt vectors. debug cml0200.hcl e 3F9 <CR> 2A.4A <CR> ; change the 2A to 4A e 49D <CR> F6.16 <CR> ; if any of these numbers don't show up e 506 <CR> E9.09 <CR> ; it's not working. e A79 <CR> 00.20 <CR> ; e AE9 <CR> 00.20 <CR> ; e 73C 97 FA FA F4 F1 7E <CR> ; this is an encrypted call to 0:300 w ; write out the new CML file q ; quit debug Now copy your four saved files back into the root directory and hide the CML0200.HCL, VDF0200.VDW, and DOUBLEDOS.EXE files using ALTER or FM. We can now run DOUBLEDO.COM using DEBUG, trace just up to the point where it has decrypted DOUBLEDO.EXE, then write that file out. debug dOUBLEDO.COM r <CR> ; write down the value of DS for use below. a 0:300 <CR> ; we must assemble some code here pop ax cs: mov [320],ax ; save return address pop ax cs: mov [322],ax push es ; set up stack the way we need it mov ax,20 mov es,ax mov ax,0 cs: jmp far ptr [320] ; jump to our return address <CR> g 406 ; now we can trace CML g 177 ; this stuff just traces past some g 1E9 ; encryption routines. t g 54E ; wait while reading VDF & FAT g=559 569 g=571 857 ; DOUBLEDO.EXE has been decrypted rBX <CR> ; length DOUBLEDO.EXE = 04800 bytes :0 ; set BX to 0 rCX <CR> :4800 ; set CX to 4800. nDOUBLEDO ; name of file to write to w XXXX:100 ; where XXXX is the value of DS that ; you wrote down at the begining. q ; quit debug Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE. Delete DOUBLEDO.COM and rename DOUBLEDO to DOUBLEDO.EXE. This is the real DOUBLEDOS program without any SoftGuard code or encryption. It requires only the DOUBLGD2.PGM and DDCONFIG.SYS files to run. DOUBLEDOS - Unprotect Based on The Lone Victor's routine. <> <> <> <> <> <> <> <> <> <> <> The following instructions show you how to bypass the SoftGuard copy protection scheme used on DOUBLEDOS version 1.00. This is the same scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar 2000 version 1.10 does not use a copy protection scheme, while versions 1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks read the file PROLOCK.UNP. First, using your valid, original DOUBLEDOS diskette, install it on a fixed disk. Softguard hides three files in your root directory: CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE. It also copies DOUBLEDO.COM into your chosen DOUBLEDOS directory. DOUBLEDO.EXE is the real DOUBLEDOS program, encrypted. When you run DOUBLEDOS, the program DOUBLEDO.COM loads CML0200.HCL high in memory and runs it. CML decrypts itself and reads VDF0200.VDW. The VDF file contains some code and data from the fixed disk FAT at the time of installation. By comparing the information in the VDF file with the current FAT, CML can tell if the CML, VDF, and DOUBLEDO.EXE files are in the same place on the disk where they were installed. If they have moved, say from a backup & restore, then DOUBLEDOS will not run. Second, un-hide the three files in the root directory. You can do this with the programs ALTER.COM or FM.COM found on any BBS. Make copies of the three files, and of DOUBLEDO.COM, into some other directory. Hide the three root files again using ALTER or FM. Following the DOUBLEDOS instructions, UNINSTALL DOUBLEDOS. You can now put away your original DOUBLEDOS diskette. We are done with it. Next we will make some patches to CML0200.HCL to allow us to trace through the code in DEBUG. These patches will keep it from killing our interrupt vectors. debug cml0200.hcl e 3F9 <CR> 2A.4A <CR> ; change the 2A to 4A e 49D <CR> F6.16 <CR> ; if any of these numbers don't show up e 506 <CR> E9.09 <CR> ; it's not working. e A79 <CR> 00.20 <CR> ; e AE9 <CR> 00.20 <CR> ; e 73C 97 FA FA F4 F1 7E <CR> ; this is an encrypted call to 0:300 w ; write out the new CML file q ; quit debug Now copy your four saved files back into the root directory and hide the CML0200.HCL, VDF0200.VDW, and DOUBLEDOS.EXE files using ALTER or FM. We can now run DOUBLEDO.COM using DEBUG, trace just up to the point where it has decrypted DOUBLEDO.EXE, then write that file out. debug dOUBLEDO.COM r <CR> ; write down the value of DS for use below. a 0:300 <CR> ; we must assemble some code here pop ax cs: mov [320],ax ; save return address pop ax cs: mov [322],ax push es ; set up stack the way we need it mov ax,20 mov es,ax mov ax,0 cs: jmp far ptr [320] ; jump to our return address <CR> g 406 ; now we can trace CML t g 177 ; this stuff just traces past some g 1E9 ; encryption routines. t g 54E ; wait while reading VDF & FAT g=559 569 g=571 857 ; DOUBLEDO.EXE has been decrypted rBX <CR> ; length DOUBLEDO.EXE = 04800 bytes :0 ; set BX to 0 rCX <CR> :4800 ; set CX to 4800. nDOUBLEDO ; name of file to write to w XXXX:100 ; where XXXX is the value of DS that ; you wrote down at the begining. q ; quit debug Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE. Delete DOUBLEDO.COM and rename DOUBLEDO to DOUBLEDO.EXE. This is the real DOUBLEDOS program without any SoftGuard code or encryption. It requires only the DOUBLGD2.PGM and DDCONFIG.SYS files to run. <-----<<END>>-----> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++ !