*******************************************************
**                                                   **
**    PPPPP  I  RRRRR  AAAAA  TTTTT  EEEEE           **
**    P  PP  I  R  RR  A   A    T    E               **
**    PPP    I  RRR    AAAAA    T    EEEEE           **
**    P      I  R  R   A   A    T    E               **
**    P      I  R   R  A   A    T    EEEEE           **
**                         keepin' the dream alive   **
*******************************************************

***************************************************
***  Pirate Magazine Issue III-3 / File 1 of 9  ***
***************************************************

Welcome to the third issue of *PIRATE MAGAZINE*.
Special thanks for getting this issue out go to:

Flint Gene & Roger Hatchet Molly Jedi Knight Lightning Mikey Mouse Taran King The California Zephyr The Institute The Hillside Pirates

Special thanks to those who took the time to write the unprotects, including Buckaroo Banzai, Super Dave, Company of Wolves, Bentley Bear, The Asp, and all the others.

Any comments, or if you want to contribute, most of us can be reached at one of the following boards:

   GREAT ESCAPE  >>> PIRATE HOME BOARD
   RIPCO (Illinois)
   SYCAMORE ELITE (815-895-5573)
   THE ABYSS (201-671-8954)
   PACIFIC ALLIANCE (California)
   Chris Robin BITNET = TK0EEE1@NIU

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Dedicated to sharing knowledge, gossip, information, and tips for warez hobbyists.

*******************************************************
*                  EDITORS' CORNER                    *
*******************************************************

** CONTENTS THIS ISSUE **

File #1. Introduction, editorial, and general comments
File #2. News Reprint: Who's the REAL software threat??
File #3. Unprotects and cracking tips (part 1)
File #4. Unprotects and cracking tips (part 2)
File #5. Unprotects and cracking tips (part 3)
File #6. Unprotects and cracking tips (part 4)
File #7. Unprotects and cracking tips (part 5)
File #8. Unprotects and cracking tips (part 6)
File #9. Gene n' Roger's "review of the month" (DEAD ZONE)

Welcome to the third edition of *PIRATE*, a bit late, but here it is.
Still can't seem to please everybody, and it's a toss-up between those wanting more law/virus type stuff and those wanting nuts and bolts for "how to crack," so this issue we're giving more cracking tips that were sent in. Next issue we'll bring back some of the legal stuff, virus info, and keep the unprotect section as a regular feature.

Last issue pissed some people off, mostly the kiddie klubbers who thought we were a bit unfair. Well, like we keep saying, there's a pirate ethic, and if you can't figure it out, you ain't one. Lots of feedback on "what's a pirate!" Add it up any way you want to, keeps coming out the same: PIRATES AREN'T RIPPING OFF--they're warez hobbyists who enjoy the challenge or the collecting.

Bad news, sad news--more national pirate boards have gone down. Seems that the "fly-by-night" crowd springs up, drains off enough clients to cut into the elite boards, and the sysops all say the same thing: Too many kids calling and tying up the lines, and a decrease in good users caused by the competition. A few sysops have also requested that we don't print the numbers of boards where PIRATE staff can be reached because too many lamerz started calling. The boards are pretty easy to find, though, and a few will tolerate their numbers being published for one more issue.

If you have any suggestions or ideas for future issues, call or get ahold of us--just leave a message on any of the top boards and we'll get to it sooner or later.

<-----<>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++

***************************************************
***  Pirate Magazine Issue III-3 / File 2 of 9  ***
***  Who's the REAL Warez Threat?               ***
***************************************************

Multiple choice quiz: Who's the biggest threat to the computer industry:

   a) Phreaks
   b) Hackers
   c) Pirates
   d) Ducks without condoms
   e) The software industry itself

If you answered "e)", you passed.
The tendency of the mega-corps to try to eat each other, with lawyers as the only winners, costs more in dollars and feel" of an idea. The mega-corp czars keep saying that pirates and phreaks will put the "small programmer" out of business, but the following article suggests it's quite the opposite. What's the bottom line? The computer underground is resistance, and like the PIRATE crew says, we gotta "keep the dream alive."

** and Pru Dohn**

* * * *

"Software Industry Growing Jaded over Copyright Disputes"
by Tom Schmitz
(THE CHICAGO TRIBUNE, December 26, 1989-Sect. 3, p.3)

SAN JOSE--When it comes to copyright lawsuits, the computer software industry is starting to sound a bit like victims of the recent earthquake. They've already been through the Big Shake. And they're getting a bit jaded about the aftershocks.

"When the Apple-Microsoft suit hit, everybody got frightened," said Heidi Roizen, president of the Software Publishers Association. "A month later, 99 percent of us were back to normal. I get the sense companies aren't going to do much this time."

"This time" is the Xerox-Apple lawsuit, in which Xerox Corp. is claiming Apple Computer Inc. infringed its copyright in designing the display and command system for its enormously popular Macintosh computer. Filed in San Francisco two weeks ago, the suit comes 21 months after Apple brought a similar case against Microsoft Corp. and Hewlett-Packard Co., saying they had infringed Apple's own copyright on the distinctive display software.

The Macintosh's graphic display has such "user-friendly" features as pull-down menus; easy-to-identify symbols, or "icons"; and "windows" that allow users to display text, menus and illustrations simultaneously.

By pressing its claim to the "look and feel" of Macintosh software, Apple set off alarms at hundreds of smaller companies that were developing to forge ahead.
So while the Xerox suit again raises the question of just who can use what software, those awaiting the battle's outcome say they see no reason to drop their wait-and-see attitude. They just have more to watch.

"It throws a little scare in, but I'm not going to program any less," said Andy Hertzfeld, an independent programmer in Palo Alto, Calif., and one of the original designers of the Macintosh software. "If people want to sue me, they can."

All agree the issue of who can rightfully use the display system is important and must be settled quickly. But more troubling, industry observers say, is increasing use of lawsuits to settle such disputes.

"Basically the whole thing is anticustomer and prolawyer," Hertzfeld said. "All that money that Apple is paying their lawyers could be going into products."

What's more, a litigious atmosphere can stifle innovation. "If every time I come up with an idea I have to hire a team of lawyers to find out if it's really mine, my product development will slow way down."

Some hope the Xerox-Apple suit will finally put an end to that process. Unlike the Apple-Microsoft case, the suit does not involve a specific contract. That could allow the court to tackle the look-and-feel issue head-on without bogging down over technicalities. And both companies have war chests large enough to see the fight through.

"I think [the suit] is good," said Dan Bricklin, president of Software Garden, Inc. in Cambridge, Mass., who wrote the first computer spreadsheet program. "We need the issue resolved by the courts, and we can't have people pulling out for lack of money."

Yet even among those who say the industry needs a clear set of rules, there remains a certain nostalgia for the freewheeling days when software designers wrote what they wanted and settled their differences outside the courtroom.

<-----<>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
***************************************************
***  Pirate Magazine Issue III-3 / File 3 of 9  ***
***  Cracking Tips (Part 1)                     ***
***************************************************

In this file:
   Jordan v. Bird
   Gauntlet
   Sierra Games

Cracking is about learning computer programming, and the fun is in increasing skills. We've been sent some reprints of tips, and even if you have the programs, it's neat to make a backup copy and experiment. For some, these tips may be old hat, but for novices they show some of the basic techniques that the "pros" use. The more programming you know, the easier cracking is, and we recommend taking an intro course in your school. But most programs can be worked on using DOS DEBUG.

Think of DEBUG like a text editor. The difference is that, instead of writing ASCII type stuff, you're working in BINARY files. Debug lets you "edit" (or alter) the contents of a program and then immediately re-execute to see if your changes worked. Before reading the following, check your DOS manual and read the DEBUG instructions.

We've included old unprotects here for a reason: If you have some of these old programs laying around, dig them out and use them for practice. "Cracking" is one of the best (and most fun) ways to learn about what makes a program work.

++++++++++++++++++++++++++++++++++++++++++++++++++++++

^^^^^^^^^^^^^^^
We reprint the following tips by BUCKAROO BANZAI that beginners and intermediates should find helpful.
^^^^^^^^^^^^^^^^

****************************************
*     B U C K A R O O  B A N Z A I     *
*         aka the Reset Vector         *
*                                      *
*               presents               *
*                                      *
*        Cracking On the IBMpc         *
*                Part I                *
*                                      *
****************************************

Introduction
------------
For years, I have seen cracking tutorials for the APPLE computers, but never have I seen one for the PC. I have decided to try to write this series to help that pirate move up a level to a crackest.
In this part, I will cover what happens with INT 13 and how most copy protection schemes will use it. I strongly suggest a knowledge of Assembler (M/L) and how to use DEBUG. These will be an important figure in cracking anything.

INT-13 - An overview
--------------------
Many copy protection schemes use the disk interrupt (INT-13). INT-13 is often used to either try to read in an illegally formatted track/sector or to write/format a track/sector that has been damaged in some way.

INT-13 is called like any normal interrupt with the assembler command which command to be used, with most of the other registers used for data.

INT-13 Cracking Collage
-----------------------
Although INT-13 is used in almost all protection schemes, the easiest to crack is the DOS file. Now the protected program might use INT-13 to load some other data from a normal track/sector on a disk, so it is important to determine which tracks/sectors are important to the protection scheme. I have found the best way to do this is to use LOCKSMITH/pc (what, you don't have LS. Contact your local pirate for it.)

Use LS to analyze the diskette. Write down any track/sector that seems abnormal. These tracks are most likely part of the protection routine. Now, we must enter debug. Load in the file and execute a search for CD 13. Record any address shown.

If no addresses are picked up, this means 1 of 2 things: the program is not copy protected (bullshit) or the check is in another part of the program not yet loaded. The latter being a real bitch to find, so I'll cover it in part II. There is another choice. The CD 13 might be hidden in self changing code. Here is what a sector of hidden code might look like

-U CS:0000
1B00:0000 31DB      XOR     BX,BX
1B00:0002 8EDB      MOV     DS,BX
1B00:0004 BB0D00    MOV     BX,000D
1B00:0009 3412      XOR     AL,12
1B00:000D DF13      FIST    WORD...

to DF at location 1B00:0007. When you XOR DF and 12, you would get a CD(hex) for the INT opcode which is placed right next to a 13 ie, giving you CD13 or INT-13.
This type of code cann't and will command.

Finding Hidden INT-13s
----------------------
The way I find best to find hidden INT-13s is to use a program called PC-WATCH (TRAP13 works well also). This program traps the interrupts and will print where they were called from. Once running this, you can just disassemble around the address until you find code that looks like it is setting up the disk interrupt.

Another way to decode the INT-13 is to breakpoint at the address given by PC-WATCH (both programs give the return address). Ie, -G CS:000F (see code above). When debug stops, you will have encoded not only the INT-13 but anything else leading up to it.

What to do once you find INT-13
-------------------------------
Once you find the INT-13, the hard part for the most part is over. All that is left to do is to fool the computer in to thinking the protection has been found. To find out what the computer is looking for, examine the code right after the INT-13. Look for any branches having to do with the CARRY FLAG or any CMP to the AH register.

If a JNE or JC (etc) occurs, then jump. If it is a CMP then just read on.

Here you must decide if the program was looking for a protected track or just a normal track. If it has a CMP AH,0 and it has read in a protected track, it can be assumed that it was looking to see if the program had successfully completed the READ/FORMAT of that track and that the disk had been copied, thus JMPing back to DOS (usually). If this is the case, just NOP the bytes for the CMP and the corresponding JMP.

If the program just checked for the carry flag to be set, and it isn't, then the program usually assumes that the disk has been copied. Examine the following code

      INT 13      <-- Read in the Sector
      JC 1B00     <-- Protection found
      INT 19      <-- Reboot
1B00  (rest of program)

The program carries out the INT and finds an error (the illegally formatted sector) so the carry flag is set.
The computer, at the next instruction, sees that the carry flag is set and knows that the protection has not been breached. In this case, to fool the computer, just change the "JC 1B00" to a "JMP 1B00" thus defeating the protection scheme.

NOTE: the PROTECTION ROUTINE might be found in more than just 1 part of the program

Handling EXE files
------------------
As we all know, Debug can read .EXE files but cannot write them. To get around this, load and go about cracking the program as usual. When the protection scheme has been found and command) to save + & - 10 bytes of the code around the INT 13.

Exit back to dos and rename the file to a .ZAP (any extension but .EXE will do) and reload with debug. Search the program for the 20+ bytes surrounding the code and record the address found. Then just load this section and edit it like normal. Save the file and exit back to dos. Rename it back to the .EXE file and it should be cracked.

***NOTE: Sometimes you have to fuck around for a while to make it work.

DISK I/O (INT-13)
-----------------
This interrupt uses the AH register to select the function to be used. Here is a chart describing the interrupt.

AH=0    Reset Disk
AH=1    Read the Status of the Disk system in to AL

    AL          Error
  ----------------------------
    00   - Successful
    01   - Bad command given to INT
   *02   - Address mark not found
    03   - write attempted on write prot
   *04   - request sector not found
    08   - DMA overrun
    09   - attempt to cross DMA boundary
   *10   - bad CRC on disk read
    20   - controller has failed
    40   - seek operation failed
    80   - attachment failed
 (* denotes most used in copy protection)

AH=2    Read Sectors
  input
     DL = Drive number (0-3)
     DH = Head number (0or1)
     CH = Track number
     CL = Sector number
     AL = # of sectors to read
  ES:BX = load address
  output
      AH =error number (see above)
      AL = # of sectors read
AH=3 Write (params. as above)
AH=4 Verify (params. as above -ES:BX)
AH=5 Format (params.
as above -CL,AL ES:BX points to format Table)

For more information on INT-13 see the IBM Technical Reference Manuals.

Coming Soon
------------
In part II, I will cover CALLs to INT-13 and INT-13 that is located in different overlays of the program

Happy Cracking.....

Buckaroo Banzai
<-------+------->

PS: This Phile can be Uploaded in its unmodified FORM ONLY.
PPS: Any suggestions, corrections, comments on this Phile are accepted and encouraged.....

* * * * * * * * * *

****************************************
*     B U C K A R O O  B A N Z A I     *
*         aka the Reset Vector         *
*                                      *
*               presents               *
*                                      *
*        Cracking On the IBMpc         *
*               Part II                *
*                                      *
****************************************

Introduction
------------
Ok guys, you now passed out of Kopy Klass 101 (dos files) and have this great new game with overlays. How the phuck do I crack this bitch. You scanned the entire .EXE file for the CD 13 and it's nowhere. Where can it be you ask yourself.

In part II, I'll cover cracking Overlays and the use of locksmith in cracking. If you haven't read part I, then I suggest you do so. The 2 files go together.

Looking for Overlays
--------------------
I won't discuss case 1 (or at least not here) because so many UNP files are devoted to PROLOCK and SOFTGUARD, if you can't figure it out with them, you're PHUCKEN stupid.

If you have case 3, use the technique in part I and restart from the beg. And if you have case 4, shoot your self.

Using PC-Watch to Find Overlays
-------------------------------

You Have Found the Overlays
---------------------------

Locksmith and Cracking
----------------------
The copy/disk utility program Locksmith by AlphaLogic is a great tool in cracking. Its analyzing ability is great for determining what and where the protection is.

I suggest that you get locksmith if you don't already have it. Check your local pirate board for the program. I also suggest getting PC-Watch and Norton Utilities 3.1. All of these programs have many uses in the cracking world.
Have Phun Phucker

Buckaroo Banzai
The Banzai Institute

special thanks to the Honk Kong Cavliers

Call Spectrum 007 (914)-338-8837

<-----<>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++

***************************************************
***  Pirate Magazine Issue III-3 / File 4 of 9  ***
***  Cracking Tips (Part 2)                     ***
***************************************************

In this file:
   Curse of the Azure Gods
   Gauntlet (alt. unprotect)
   Silpheed
   Simcity
   Carmen San Diego
   Sargon IV

+-------------------------+
|      The Baji Man       |
|        PRESENTS         |
|                         |
|  JORDAN V.S. BIRD DOCS  |
|  Cracked by: DAY STAR   |
+-------------------------+

Game Play Options:

1 ON 1 FULL GAME: M. Jordan and L. Bird play one on one for either 2,5,8, or 12 mins per quarter. You can set the computer's skill level in the options menu with Recreational being the easiest to Professional being the hardest. Winners Outs option is where if you score you get the ball back. Instant replay, Fouls, and Music/Sowndz

DR.J JAM- Start from the jumpers circle and let go of the ball just as your man is descending. Wait until you're sure he's descending, but not too long.

Windmill - Start from the right baseline area and let go

Back Slam- Same as a Two-Handed-Hammer

Statue Of Liberty - Same as Dr. J. Dunk

Skim-The-Rim - Exactly like the Air-Jordan except let go of the ball a lil' bit sooner.

Toss Slam- This dunk seems the hardest but it's the easiest. Start from the left side baseline area and let go when you're almost in front of the basket.

My version of Jordan v.s. Bird has a bug in it which doesn't display semifinal stats and standings. You just play the finals and that's it. Other versions may differ.

FOLLOW THE LEADER: This is just a "You do as I do" dunk contest with do or die rules.

3 POINT CONTEST- Shoot the first ball on the first rack, go to the next rack, and so on.... when you get to the last rack make your way back to the first rack.
The object is to get as many baskets as possible in 30 or something secondz.

Hintz and Tipz:

To get past your opponent in one on one games just press the %Q! your designated direction and you will speed up dramatically.

To dunk just gain a little speed by running up to the basket from as far as possible and holding the insert key.

It's almost impossible to explain defensive techniques because this is one of those "u gotta be in the right place at the right time gamez". The best thing I can tell ya is to Experiment with the game a little and practice.

have Phun!!!!
The Baji Man

++++++++++++++++++++++++++++++++++++++++++++++++++++++

***************************************
* This is how I unlocked Gauntlet by Mindscape
* By : LM
***************************************

Gauntlet was one of those games in the arcade that I liked a lot. So when I walked into the Computer Store and saw it on the shelf, I just had to have it. The price of the game wasn't bad at all and the game was really good. But Mindscape gives you only ONE install. What kind of $hi* is that. I mean only one install to your hard disk and then you must uninstall before you optimize your disk or you have lost

------------ NO MORE INSTALL's. -------------

mistake I got out my DEBUG and started to look at the game. I found that Mindscape writes two hidden files to your C:\ when you install Gauntlet. DEMAA.COM and DEMAB.COM. The first file (DEMAA.COM) is just junk. The second file (DEMAB.COM) has some info about where the first file is at on your hard disk. (The starting cluster number) When you load Gauntlet it calls GINTRO.EXE and GINTRO.EXE checks for this information. Then it calls GPROG.EXE and it checks for the same information. My fix for this was to load gintro.exe and gprog.exe with fake data. After you fix gauntlet you DON'T have to use Mindscape install to play the game, just copy the files to your disk and go. It has worked fine for Me and I hope it is what you need to fix your game.
****************************************
To fix Gauntlet you will need the following:

  1. A copy of your Gauntlet master diskette (you can use dos to make a copy)
  2. Debug

  1. Rename gintro.exe gintro
  2. debug gintro
  3. e 3EB7 90 90 90 90                    This was a check for drive A:,B:,C:
  4. e 4339 EB 21                          Jump around file read (demaa.com)
  5. e 435C B8 C3 02 A3 22 03 B8 3D FD     Replace file info with dummy data
  6. e 4097 EB 14                          Jump around file read (demab.com)
  7. w
  8. q
  9. Rename gintro gintro.exe
 10. Rename gprog.exe gprog
 11. debug gprog
 12. e 7F57 90 90 90 90                    This was a check for drive A:,B:,C
 13. e 83D9 EB 21                          Jump around file read (demaa.com)
 14. e 83FC B8 C3 02 A3 22 03 B8 3D FD     Replace file info with dummy data
 15. e 8137 EB 14                          Jump around file read (demab.com)
 16. w
 17. q
 18. Rename gprog gprog.exe

**************************************************
Now you can copy your game to any hard disk or flex many times.
**************************************************
If you would like more information as to HOW and WHY,
you can leave Me a message on the following BBS :
Inner Sanctum (813) 856 5071

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Unprotect for all Sierra Games using the version 3.0 SIERRA.COM game loader and the AGI (Adventure Game Interpreter).

This text written July 11, 1988

Sierra-On-Line Software utilizes a copy protection scheme which, upon the execution of the game loader (usually SIERRA.COM), loads some key data from a specially formatted track. Normal DOS copy and diskcopy commands cannot copy this specially formatted track (usually track 6). Only image hardware copy devices such as the "OPTION BOARD" can copy the specially formatted track properly - and even this will not allow stand-alone hard disk usage.
This unprotect is accomplished by running the program to the point where it loads the key data, and then copying the key data into the loader. Then the loader is further modified by jumping around the call to the "opening original disk" request screens. The last step is to change the bx and cx registers to allow for the inclusion of the key data in the loader.

There are three things to determine before you can start the unprotect.

The first is to verify that your game contains the version 3.0 game loader (usually the file SIERRA.COM) and the file "AGI". This applies to about 90% of all Sierra games. The others contain a slightly modified version 3.0 game loader and the file MAIN. This unprotect does not apply to Sierra games that contain the file "MAIN". Some games which use the "MAIN" file are: 3-D Helicopter, Thexder and a few others. Check this BBS for a different unprotect for Sierra games using the "MAIN" file. Run a directory on your Sierra game disk 1 to verify that it does contain the files "SIERRA.COM" and "AGI".

The next step is to determine which version of the 3.0 game loader (SIERRA.COM) your game has. Yes, there are two different versions of the 3.0 version game loader. In the code of the SIERRA.COM file is listed either the date 1985 or 1987 - the 1985 being one version and the 1987 being another version. You must run a debug operation as follows to determine your version of the game loader:

Arrange your configuration so that SIERRA.COM and DEBUG.EXE are on the same disk, directory or path.

DEBUG SIERRA.COM
-d 100

Some text will now appear to the right of your screen, somewhere containing "LOADER v.3 Copyright Sierra On-Line, Inc. 198?". Note the year appearing in this text. Now you can quit debug by typing a "q" at the "-" prompt.

The unprotect differs for the 1985 and 1987 versions, so, if your version is the 1985 version, refer to the file SIERRA85.UNP contained in this package.
Likewise, if your version is the 1987 version, refer to the file SIERRA87.UNP contained in this package.

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Please read the file READTHIS.1ST before proceeding to read this file.

Unprotect for all Sierra Games using the version 3.0 SIERRA.COM game loader and the AGI (Adventure Game Interpreter).

THE FOLLOWING PROCESS APPLIES TO THE 1987 version of the 3.0 version SIERRA.COM game loader!

Make a copy of your original game disk 1 using the dos copy *.* command. But don't put away your factory original game disk yet, you will need it during the unprotect.

Arrange your configuration so that SIERRA.COM and DEBUG.EXE are on the same disk, directory or path.

Using THE COPY of the game disk 1, start as follows:

DEBUG SIERRA.COM
-r

screen, including the prompt to insert your original disk (write protect it to be safe). The key data from the specially formatted track will be loaded into memory. When the program breaks back to debug (the registers will be listed again), be sure you have the COPY you made of your original disk in the disk drive.)

-rbx
:          <-type in here the value of BX register that you were instructed to write down in step one.
-rcx
CX XXXX
:          <-type in here the value of CX register that you were instructed to write down in step one.

(In the above line you have inserted NO-OP's (90's) to jump around the protection check and opening screen calls)

-w         (this will write back to disk the unprotected game loader)
Writing xxxx bytes
-q         (quits debug)

This completes the Sierra game 1987 version 3.0 game loader unprotect. Use this unprotect to allow proper hard disk usage or to make an archival backup copy. Please do not promote theft by using this procedure to distribute unauthorized copies.

Bart Montgomery
Atlanta PCUG BBS (404) 433-0062

<-----<>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
***************************************************
***  Pirate Magazine Issue III-3 / File 5 of 9  ***
***  Cracking Tips (Part 3)                     ***
***************************************************

In this file:
   Curse of the Azure Bonds
   Gauntlet
   Silpheed
   Carmen San Diego
   Saragon

* * * * * *

How to fix copy protection from and supercharge characters for Curse of the Azure Bonds.

FROM: THE COMPANY OF WOLVES
-----------------------------------------------------------------
NEEDED:
  1. Norton Utilities (or similar program)
  2. A copy of the file start.exe from your Azure Bonds disk A
  3. A bit of your time
-----------------------------------------------------------------
1. HOW TO UNPROTECT CURSE OF THE AZURE BONDS:

First load START.EXE into Norton.
Then search for the string 80 3E CC. This should take you to file offset 9BA hex.
Go back to 9B5 hex; this should be 9A (the first machine language code for a far call).
Change the values of the bytes from 9B5 hex - 9B9 hex to 90's.
Save the changes.

Now the program will skip the part where it asks for the code letter; you now can put away that annoying code disk until needed for decoding.
-----------------------------------------------------------------
2. SUPERCHARGING YOUR CHARACTERS:

Copy the program CHARFIX.EXE (included with this fix) into the directory where your saved games reside. Change to that directory. Run the program, it is self explanatory.
-----------------------------------------------------------------
If you have any problems with any of the patches above, check the date of the file START.EXE on your original disk A for the date and time 07/27/89 16:44. If your file has a different date then they probably changed the copy protection method and you're out of luck with this patch.
For other problems leave The Company of Wolves a message, I can be reached on EXCEL BBS (414)789-4210

++++++++++++++++++++++++++++++++++++++++++++++++++++++

How to fix copy protection from Mindscape's Gauntlet.

FROM: THE COMPANY OF WOLVES
-----------------------------------------------------------------
NEEDED:
  1. Norton Utilities (or similar program)
  2. A copy of the files gintro.exe and gprog.exe from your original disk.
  3. A bit of your time
-----------------------------------------------------------------
1. HOW TO UNPROTECT GAUNTLET:

First load one of the above files into Norton.
Then search for the string F3 A7.
Change the byte immediately following (74) to EB.
Continue the search and once again change the 74 to EB.
Save the changes.
Repeat the steps above for the other .EXE file.

For you Debug fans, rename each of the two files to 1.aaa and 2.aaa respectively. Search (the S command) for F3 A7, you should get at least 3 matches. You will need to unassemble each of the matches; the first copy protection match should read REPZ CMPSW, JZ 2D96, etc..., and the second REPZ CMPSW, JZ 2DB1, etc... With the E command, using the FULL address of the JZ commands, change the 74's to EB's. Write the files with the W command and repeat the process for the other file. When finished, erase Gintro.exe and Gprog.exe and rename 1.aaa gintro.exe and 2.aaa gprog.exe.

This version of the program will still look for the copy protection (which is a sector at the end of the hard disk that the install program writes then marks bad to prevent overwriting to that sector) but will continue the program as if the comparison (F3 A7) was successful.
-----------------------------------------------------------------
If you have any problems with any of the patches above, check the date of the file GINTRO.EXE on your original disk A for the date 03/25/88.
If your file has a different date then they probably changed the copy protection method and you're out of luck with this patch.

If you have any questions leave The Company of Wolves a message, I can be reached on EXCEL BBS (414)789-4210 under the name Nicodemus Keesarvexious.

Also included is another patch for a different version of Gauntlet in case you have a different version from the one I

* * * * * * * *

++++++++++++++++++++++++++++++++++++++++++++++++++++++

To unprotect SilpHeed By Sierra!

Use Norton and change these bytes in the SIMCITY.EXE file:

Change: 80 3e cc 06 01 74 0c
To....: 80 3e cc 06 01 eb 0c
                       ^^

Then when it asks the question just hit ENTER.

Another software crack by Bentley Bear!

++++++++++++++++++++++++++++++++++++++++++++++++++++++

To unprotect SimCity!

Use Norton and change these bytes in the SIMCITY.EXE file:

Change: 0c 87 00 75 3c
To....: 0c 87 00 eb 3c
                 ^^

Another software crack by Bentley Bear!

Unprotect for Where in Time is Carmen Sandiego.

This program checks for the original key disk each time you are promoted in the game. I found another unprotect on this BBS (CARMNTME.ZIP) which did not work at all. In fact, it made it so you can not even get into the program! Here's mine. You can patch the file either with a hex editor, or with debug.

Using a hex editor, such as those in PC-Tools or Norton's Utilities:

Search for the hex byte string: 02 E1 07 C3 FA 55
Change the first byte only:     12

------------
Using debug

>ren carmen.exe car
>debug car
-S0000 FFFF 02 E1 07 C3 FA 55
xxxx:yyyy                     (note value of yyyy)
-e yyyy                       (type e, then value of yyyy above)
xxxx:yyyy 02.12
-w
-q
>ren car carmen.exe
-------------

That's it. And a lot easier than the other patch that didn't work! Although this patch only changes one byte, it was difficult to come up with. They used a far call which was hard to follow, and could not be nop'ed out. Good Luck.
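Seen from the defender's side, the patches listed in this issue (a 74 or 75 changed to EB, a CD 13 overwritten, a far call filled with 90s) are easy to recognise once a known-good copy of the file is on hand. The sketch below is an added example, not part of the original magazine or of any tool it names: it checks a suspect image against a recorded SHA-256 and labels each changed byte run. All function names and the sample bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

JCC_SHORT = range(0x70, 0x80)  # Jcc rel8 opcodes (72=JC, 74=JZ, 75=JNZ, ...)
JMP_SHORT = 0xEB               # JMP rel8
NOP = 0x90
INT_OPCODE = 0xCD              # CD 13 = INT 13h


@dataclass(frozen=True)
class Finding:
    offset: int
    before: bytes
    after: bytes
    kind: str


def diff_runs(ref: bytes, sus: bytes):
    """Yield (offset, ref_bytes, sus_bytes) for each maximal run of differing bytes."""
    if len(ref) != len(sus):
        raise ValueError("size mismatch: compare images of equal length")
    i, n = 0, len(ref)
    while i < n:
        if ref[i] == sus[i]:
            i += 1
            continue
        j = i
        while j < n and ref[j] != sus[j]:
            j += 1
        yield i, ref[i:j], sus[i:j]
        i = j


def classify(before: bytes, after: bytes) -> str:
    """Heuristic label for one changed run; raw bytes are not disassembled."""
    if len(before) == 1 and before[0] in JCC_SHORT and after[0] == JMP_SHORT:
        return "jcc-to-jmp"          # a check's conditional branch forced one way
    if len(before) >= 2 and before[0] == INT_OPCODE:
        return "int-call-removed"    # e.g. CD 13 overwritten with FB F9 or 90 90
    if all(b == NOP for b in after):
        return "nop-fill"            # call or compare blanked out
    return "other"


def audit(ref: bytes, sus: bytes, known_good_sha256: str) -> list:
    """Return findings for a suspect image; an empty list means it matches the digest."""
    if hashlib.sha256(ref).hexdigest() != known_good_sha256:
        raise ValueError("reference image does not match the recorded digest")
    if hashlib.sha256(sus).hexdigest() == known_good_sha256:
        return []
    return [Finding(off, b, a, classify(b, a)) for off, b, a in diff_runs(ref, sus)]


def patched(image: bytes, edits: dict) -> bytes:
    """Build a modified copy of image; used only to construct the sample below."""
    buf = bytearray(image)
    for off, new in edits.items():
        buf[off:off + len(new)] = new
    return bytes(buf)


# Constructed sample: a 23-byte fragment using instruction shapes quoted on this page.
REFERENCE = bytes.fromhex(
    "b402"          # MOV AH,02
    "cd13"          # INT 13h
    "7203"          # JC +3
    "f3a7"          # REPZ CMPSW
    "7410"          # JZ +10h
    "9a34120020"    # CALL FAR 2000:1234
    "803ecc0601"    # CMP BYTE PTR [06CC],01
    "740c"          # JZ +0Ch
    "c3"            # RET
)
REFERENCE_SHA256 = hashlib.sha256(REFERENCE).hexdigest()
SUSPECT = patched(REFERENCE, {
    2: bytes.fromhex("fbf9"),   # INT 13h replaced by STI / STC
    8: b"\xeb",                 # JZ -> JMP
    10: b"\x90" * 5,            # far call filled with NOPs
    20: b"\xeb",                # JZ -> JMP
})

if __name__ == "__main__":
    for f in audit(REFERENCE, SUSPECT, REFERENCE_SHA256):
        print(f"{f.offset:#06x}  {f.before.hex()} -> {f.after.hex()}  {f.kind}")
```

A digest mismatch alone shows that a file was altered; the per-run labels show whether the change lines up with a check being bypassed rather than, say, a vendor update.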
5 -e XXXX:YYYY b8 00 10 : Edit the contents of the returned address Now write the new sargon game back to the disk: -w Writing XXXX bytes Then Quit Debug: -q Now it is time to rename sargon back to sargon.exe C>ren sargon sargon.exe Now try to run the new (Hopefully) unprotected version of Sargon IV. When the question comes up answer '1924' C>sargon ----------------------------------------------------------------- Unprotect Brought to you courtesy of Super Dave Super Dave can be reached at: Hackers Paradise BBS (803) 269-7899 Greenville, SC <-----<>-----> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! *************************************************** *** Pirate Magazine Issue III-3 / File 6 of 9 *** *** Cracking Tips (Part 4) *** *************************************************** In this file: Memory shift 2.1 Lotus 123 ver 1a Multilink ver 2.06 Chartmaster Enable ver. 1.00 EZWriter ver. 1.1 Flight Simulator 1.00 How to Unprotect MEMORY-SHIFT, Version 2.1 A>FORMAT b:/s/v With Memory Shift Master in drive A: and your fresh diskette in B: A>COPY A:*.*,B: Replace the Memory Shift Master in drive A: with your DOS diskette A>RENAME B:MS.EXE,B:MS.XXX A>DEBUG B:MS.XXX -s 0 l 8000 e8 22 00 72 <- look for this string in memory xxxx:7F68 <- one occurance should be found -e 7F68 xxxx:7F68 E8.eb 22.08 -e 80ec xxxx:80EC AD.e9 AB.9e AD.fe -e 7f8d xxxx:7F8D 06.b8 1E.00 B8.01 xxxx:7F90 40.ab 00.b8 8E.f0 D8.ff BF.01 3E.d8 00.ab 8A.b8 xxxx:7F98 95.d0 04.40 00.89 80.c1 E2.b8 03.b8 8E.03 46.e9 xxxx:7FA0 00.54 33.01 -w Writing 8000 bytes -q A>RENAME B:MS.XXX,B:MS.EXE That is all there is to it! December 28, 1983 <> <> <> <> <> <> <> <> <> <> <> I have just seen a new copy of Lotus 1-2-3 v1a that has a modified protection scheme for which the currently published unprotect scheme will not work. Here is a modified unprotect that will work properly with both the old and new v1a releases ..... 
1) Rename 123.exe to 123.xyx 2) Type (to DOS) the command C> debug 123.xyx 3) Type (to debug) the command -s 100 efff cd 13 (The "-" is a prompt from debug.) 4) Debug should respond with something like: xxxx:ABA9 where xxxx is a hex number that may vary 5) Type -e aba9 fb f9 (Use whatever debug gave you in the -w last step instead of "aba9" if it is -q different.) 6) Rename 123.xyx to 123.exe For those of you who want to understand this, it is replacing an "INT 13" instruction that checks the disk in drive A: for some funny stuff with STI, STC instructions A little while ago, there was a patch for 123.EXE listed here that effectively unprotected the copy-protected disk and allowed hard-disk to run without the floppy. I just received the new version of Lotus 123 and retrofitted the patch (it is a different technique). To unprotect 123.EXE Version 1A, 1. Rename 123.EXE 123.XYZ 2. DEBUG 123.XYZ 3. type U ABA9 4. you should see INT 13 at that address 5. type E ABA9 90 90 6. type W 7. type Q 8. Rename 123.XYZ 123.EXE That's it. Good Luck. <> <> <> <> <> <> <> <> <> <> <> The following is a method to unprotect MultiLink Ver 2.06 to allow booting directly from hard disk without the need to insert the MultiLink distribution disk. ENTER COMMENTS ------------------------- --------------------------------------- C>copy mlink.com mlink.bak Make a backup first! C>debug mlink.com Start debug session. -u 2dfa Unassemble from address 2DFA. You should see: xxxx:2DFA CALL 2F01 xxxx:2DFD JNB 2E10 xxxx:2DFF MOV CX,2908 xxxx:2E02 CALL 2F01 xxxx:2E05 JNB 2E10 xxxx:2E07 DEC BYTE PTR [2E0F] xxxx:2E0B JG 2DF2 xxxx:2E0D JMP 07C4 xxxx:2E10 XOR BYTE PTR [2E0D],32 xxxx:2E15 MOV AX,[23C4] xxxx:2E18 CMP [2705],AX If you don't see this, you have another version. If so, enter 'q' to quit the debug session. Otherwise, continue. The instructions at xxxx:2dfa, xxxx:2e02, and xxxx:2e1c need to be replaced. 
-e 2dfa f8 90 90 CALL 2F01 is replaced by CLC, NOP, NOP -e 2e02 f8 90 90 CALL 2F01 is replaced by CLC, NOP, NOP -e 2e1c 90 90 JNZ 2E0D is replaced by NOP, NOP -w Save the changes to disk -q End the debug session. <> <> <> <> <> <> <> <> <> <> <> In the spirit of a recent patch to unprotect LOTUS 1-2-3, I discovered the same logic can be applied to unprotect MEMORY/SHIFT. 1. Rename MS.EXE MS.XYZ 2. DEBUG MS.XYZ 3. type U 1565 4. you should see INT 21 at that address 5. type E 1565 90 90 type E 1567 90 90 6. type W 7. type Q 8. Rename MS.XYZ MS.EXE Finally, make sure command.com resides on the disk where MEMORY/ SHIFT is initiated. 65399 '** DONE - PRESS ENTER TO RETURN TO MENU ** There is another version of Lotus 123 also called Release 1A but with a different copy-protection technique. It can be identified by an "*" that displays on the first screen under the "s" in the word "Release" Release 1A * To unprotect this version so it can be run on a hard disk without requiring the SYSTEM DISK in drive A, do the following: 1. RENAME 123.EXE 123.XYZ 2. DEBUG 123.XYZ 3. Type U AB8C press ENTER You should see MOV CX,0002 if you don't, something is different and this won't work. 4. Type E AB8C C3 press ENTER 5. Type W 6. Type Q 7. RENAME 123.XYZ 123.EXE That's it. It will now run from any drive. As always, this patch is provided so that honest people don't have to suffer the inconvienences imposed upon them by software manufacturers. FOR THE USERS THAT HAVE 'CHARTMASTER' VER 6.04 <> <> <> <> <> <> <> <> <> <> <> ------------------------------------------------------------------- FROM : THE A.S.P ; (Against Software Protection) DATED : OCT 18,1984 (FIRST RELEASE) ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020) AND TO LEE NELSONS BBS (PC-FORUM -404-761-3635) PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO 40 OR MORE HOURS ( 4+ HOURS FOR 'CHARTMASTER' ) OF SINGLE STEPPING THRU CODE AND FIGURING OUT THE INTENT OF THE ORIGINAL CODE.. 
SO I WOULD APPRECIATE IT WHEN U PASS THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS) OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME AT NO COST TO YOU AND I DO NOT LOOK TO KINDLY TO SUCH BBS'S PUTTING ON MY PROCEDURES AND THEN CHARGING U TO GET ACCESS TO THEM. THEY DIDNT SPEND TIME AND COST (SAY 'X' HOURS * $40+) TO MAKE THE PROCEDURES AVAIL. , SO I WOULD APPRECIATE THAT SUCH BOARDS DID NOT USE ANY OF THE 'A.S.P'S' PROCEDURES, UNLESS THEY ARE WILLING TO PUT THEIR WORKS TRULY IN THE PUBLIC DOMAIN.. ENOUGH SAID.. THANK YOU. IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT TIED INTO THE 'CHARTMASTER' DISKETTE...IN CASE YOUR ONLY COPY GOES BAD . THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY. AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY YOUR PURCHASE LICENSE AGREEMENT. IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF 'BIG MACS' TO GET YOUR HARD DISK. FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0 LABEL IT ACCORDING TO THE ORIGINAL 'CHARTMASTER' SYSTEM DISKETTE COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING 2.X OR 3.X FORMATTED DISKETTE I WONT TELL U HOW TO USE DEBUG OR ANY 'PATCHER' PROGRAMS ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING. 
RENAME CM1.EXE CM1 DEBUG CM1 D CS:A67 YOU SHOULD SEE 75 03 E9 09 00 E CS:A67 90 90 E9 F7 01 D CS:D139 YOU SHOULD SEE 5F E CS:D139 CB W Q RENAME CM1 CM1.EXE OTHER NOTES: ------------------------------------------------------------------------- CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U SET UP SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT ON A BBS, SO THAT U MAY USE THE NEWLY GLEAMED KNOWLEDGE. ALSO IN SOME CASES THE PROGRAM STILL TRIES TO GO TO THE "A" AND "B" DRIVES, SO I USED AN ASSIGN TO ASSIGN THEM TO THE 'C'. THIS PROBABLY CAN BE OVERCOME WITH THE CORRECT CONFIGURATION PARAMETERS. ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!! <> <> <> <> <> <> <> <> <> <> <> This is the procedure to unprotect the intregrated software package called ENABLE , Vers 1.00 If you have a hard disk or want to create a backup copy that is not tied to the original ENABLE system disk, this will remove the copy protection completly. This procedure is to be used by legitimate owners of ENABLE only, as you are entitled to make a back up for archive purposes only. You are bound by your licence agreement. Format a blank disk using DOS 2 or 2.1 (Do not use the /s option.) Label it the same as the original ENABLE system disk. Copy the files from the original ENABLE system to the formatted blank disk using *.* . Place DOS system disk containing DEBUG in drive A: Place the new copy of ENABLE in drive B: DEBUG B:SYSTEM.TSG S CS:0 L EFFF B8 01 04 (You should see) XXXX:069C XXXX:XXXX < this one doest matter! (If you dont - type q and enter - you have a different version!) (If you do) E 69C (enter) B. 
EB 01.2D 04.90 (enter) W Q Now all the copy protection has been removed, and you may copy the files as required. All checks for specially formatted tracks has been removed. Disk needs no longer to be in the A drive on start up. ***** UNPROTECT EZWRITER 1.1 ***** BY JPM - ORLANDO FLA THIS PROGRAM IS TO HELP ALL OF YOU THAT HAVE FOUND THAT YOU COPIED YOUR EZWRITER 1.1 BACKUP TO SINGLE SIDED DISKETTE AND NOW YOU HAVE A DOUBLE SIDED DRIVE OR FIXED DISK, OR RAM DISK AND YOU ARE UP THE I/O CHANNEL WITHOUT A BYTE. THE WAY THE EZWRITER PROTECTION WORKS IS: <> <> <> <> <> <> <> <> <> <> <> 1). A BAD TRACK IS CREATED ON THE DISKETTE (LAST TRACK) SO THAT DISK COPY WOULD NOT WORK. IT REALLY DOES WORK THOUGH, BUT THE BAD TRACK IS IS NOT COPIED. THIS BAD TRACK IS THE KEY. WITH OUT THE BAD TRACK , WHICH EZWRITE NEEDS TO READ THE PROGRAM WILL NOT RUN. 2). EW1.COM IS READ IN (YOU DO THIS). EW1.COM INTURN LOADS "IBM88VMI.COM", WHICH INTURN LOADS "TARGET.COM". TARGET.COM IS THE GUTS OF EZWRITER. "IBM88VMI.COM" CHECKS FOR THE BAD TRACK, AND IF IT IS THERE LOADS "TARGET.COM" OTHERWISE BYE-BYE. WHAT THIS SIMPLE PROGRAM DOES IS TELLS "IBM88VMI.COM" TO IGNORE THE RESULTS OF THE CHECK FOR THE BAD TRACK. THIS WAY AFTER YOU DO A "COPY *.*" OR "DISKCOPY" YOU CAN THE USE AND MOVE THE EZWRITER PROGRAM TO ANY MAGNETIC STORAGE MEDIA. *************************************************************** TO MAKE A UNPROTECTED COPY OF EZWRITER: 1). PUT THE ORIGINAL OR BACKUP IN DRIVE "A" 2). PUT A FORMATED (SINGLE OR DOUBLE) DISKETTE IN DRIVE "B:" 3). COPY *.* B: 4). REMOVE EZWRITER FROM DRIVE "A:" 5). LOAD BASIC FROM "A:" AND ONCE IN BASIC LOAD THIS PROGRAM 6). RUNTHIS PROGRAM , LOW AND BEHOLD THE COPIED EZWRITER DISKETTE IN DRIVE "B: SHOULD NOW BE UNPROTECTED AND TRANSPORTABLE AS WELL AS TOTALLY FUNCTIONAL. 7). AS ALWAYS PUT YOUR BACKUP DISKETTES IN A SAFE PLACE IN CASE OF PROBLEMS WITH THE COPIES. SINCE YOU NOW HAVE A UNPROTECTED VERSION OF EZWRITER THE COPIES SHOULD BE FOR YOUR USE ONLY. 
YOU ARE STILL BOUND BY THE LICENSE AGREEMENT WHEN YOU PURCHASED THE PACKAGE. CLS CLOSE DEFINT A-Z YOU SHOULD NOP RECORD(BYTE) 390 AND 391 THEY CONTAIN HEX(CD20) WHICH IS A BRANCH IF BAD TRACK NOT FOUND THIS ONE LITTLE INSTRUCTION KEEPS YOU FROM RUNNING THERE IS NO ERROR CHECKING DONE , SUCH AS FOR MISSING FILE, WRITE PROTECTED DISKETTE OR OTHER POSSIBLE I/O ERRORS. NOP$=CHR$(144) BRANCH.BYTE1$=CHR$(205) BRANCH.BYTE2$=CHR$(32) OPEN "B:IBM88VMI.COM" AS #1 LEN=1 GET #1,390 FIELD 1,1 AS A$ BYTE$=A$ PRINT "VAULE READ FOR BYTE 390 WAS ";ASC(BYTE$) IF BYTE$<>BRANCH.BYTE1$ THEN GOTO 770 LSET A$=NOP$ PUT 1,390 GET #1,391 FIELD 1,1 AS A$ BYTE$=A$ PRINT "VALUE READ FOR BYTE 391 WAS ";ASC(BYTE$) IF BYTE$<>BRANCH.BYTE2$ THEN GOTO 770 LSET A$=NOP$ PUT 1,391 CLOSE END PRINT "THE BYTE YOU WERE TRYING TO NOP WAS ";ASC(BYTE$) PRINT "THE BYTE SHOULD HAVE BEEN EITHER 32 OR 205" PRINT "IF THE BYTE READ WAS 144 YOU HAVE PROBABLY" PRINT "UNPROTECTED THE PROGRAM ONCE BEFORE" PRINT "IF PROBLEMS GOTO YOUR BACKUP DISKETTES" <> <> <> <> <> <> <> <> <> <> <> To make a backup of Microsoft Flight Simulator 1.00, do the following: *Take un UNFORMATTED (never used) disk and place it in drive B. *Place your DOS disk (which has DEBUG) into drive A. A>DEBUG -E CS:0000 B9 01 00 BA 01 00 BB 00 01 0E 07 06 1F 88 E8 53 5F AA 83 C7 03 81 FF 1C 01 76 F6 B8 08 05 CD 13 73 01 90 FE C5 80 FD 0C 76 E1 90 CD 20 -E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 00 00 04 02 00 00 05 02 00 00 06 02 00 00 07 02 00 00 08 02 -R IP xxxx :0000 <-- YOU ENTER THIS, NOW INSERT FLT. SIM DISK INTO A: -G =CS:0000 CS:22 CS:2A -E CS:02 0E -E CS:27 19 -G =CS:0000 CS:22 CS:2A -E CS:02 27 -E CS:27 27 -G =CS:0000 CS:22 CS:2A -L DS:0000 0 0 40 -W DS:0000 1 0 40 -L DS:0000 0 40 28 -W DS:0000 1 70 30 -L DS:0000 0 A0 30 -W DS:0000 1 A0 30 -L DS:0000 0 138 8 -W DS:0000 1 138 8 -Q A> *Now write protect the new disk. *This procedure may not work on the version which has color on RGB monitors. 
The following fix will eliminiate the bothersome requirement to insert the FOCUS "activator" diskette in the A-drive everytime you bring FOCUS up. This change was made to a version of FOCUS that had file dates of 05/11/84. Be sure that you verify the code that is in place before applying this zap. RENAME FCPCINIT.EXE FCPCINIT.XXX DEBUG FCPCINIT.XXX U 22AB L 5 (You should see "9A C5 02 14 02 CALL 0214:02C5" display on the screen) E 22AB 90 90 90 90 90 W Q RENAME FCPCINIT.XXX FCPCINIT.EXE That all there is to it. Have fun. The Ancient Mariner Note added 6 DEC 84 Same procedure continues to work, only 5 bytes want to no-op are at location 0C57:23E0 What you see at that location is CALL 021C:02C5 <-----<>-----> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++ !
*************************************************** *** Pirate Magazine Issue III-3 / File 7 of 9 *** *** Cracking Tips (Part 5) *** *************************************************** In this file: Graphwriter 4.21 TheDraw SideKick 1.00A PFS Report PCDRAW 1.4 Signmaster FOR THE USERS THAT HAVE 'GRAPHWRITER' VER 4.21 ------------------------------------------------------------------- FROM : THE A.S.P ; (Against Software Protection) DATED : OCT 19,1984 (FIRST RELEASE) ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020) AND TO LEE NELSONS BBS (PC-FORUM -404-761-3635) PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO ___________________________________________________________________ 40 OR MORE HOURS ( 8+ HOURS FOR 'GRAPHWRITER' ) OF SINGLE STEPPING THRU CODE AND FIGURING OUT THE INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS) OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME AT NO COST TO YOU AND I DO NOT LOOK TO KINDLY TO SUCH BBS'S PUTTING ON in. Thanks John Roswick, Bismarck. Keywords: SIDEKICK PROKEY PATCH FIX BUGS COMPATIBILITY BORLAND <> <> <> <> <> <> <> <> <> <> <> UNPROTECT FOR -SIDEKICK- Attention Sidekick/Prokey users ! We at Borland were having trouble getting Sidekick to be compatible with Rosesoft's Prokey and as many of you Prokey users out there know everything locked up when the two got together. The reason Prokey does not work is because it trashes some of the registers when running and confuses Sidekick as to make your terminal go down. Enclosed is the portion of Prokey which does this. 
0730 2EF606D402FF   TEST  CS:BYTE PTR [02D4H],OFFH
0736 7409           JE    0741H
0738 2EFF2EC602     JMP   CS:DWORD PTR [02C6H]
073D 5B             POP   BX
073E 1F             POP   DS
073F EBF7           JMP   SHORT 0738H
0741 1E             PUSH  DS
0742 53             PUSH  BX
0743 8CCB           MOV   BX,CS
0745 8EDB           MOV   DS,BX
0747 FB             STI
0748 C5053D0100     MOV   BYTE PTR [013DH],00H
074D 803E660400     CMP   BYTE PTR [0466H],00H
0752 7420           JE    0774H
0754 833E670400     CMP   WORD PTR [0469H],00H
0759 7507           JNE   0762H
075B 833E670400     CMP   WORD PTR [0467H],00H
0760 740D           JE    076FH
0762 832E670401     SUB   WORD PTR [0467H],01H
0767 831E690400     SBB   WORD PTR [0469H],00H
076C EB06           JMP   SHORT 0774H
076E 90             NOP
076F C606660400     MOV   BYTE PTR [0466H],00H
0774 803E530400     CMP   BYTE PTR [0466H],00H
0779 74C2           JE    037DH
077B 833E662400     CMP   WORD PTR [2466H],00H
0780 7507           JNE   0789H
0782 833E682400     CMP   WORD PTR [2468H],00H
0787 740C           JE    0795H
0789 832E682401     SUB   WORD PTR [2468H],01H
078E 831E662400     SBB   WORD PTR [2466H],00H
0793 EBA8           JMP   SHORT 073DH
0795 E8841D         CALL  251CH                  ;HMMM !
0798 EBA3           JMP   SHORT 073DH

THE SAGA CONTINUES ...

251C 50             PUSH  AX
251D 1E             PUSH  DS
251E A05304         MOV   AL,[0453H]
2521 3C01           CMP   AL,01H
2523 7407           JE    252CH
2525 3C02           CMP   AL,02H
2527 743F           JE    2568H
2529 1F             POP   DS
252A 58             POP   AX
252B C3             RET   ?NEAR
252C BD9D2D         MOV   BP,2D9DH               BP DESTROYED
252F E8480E         CALL  337AH
2532 A16C24         MOV   AX,[246CH]
2535 A39D2D         MOV   [2D9DH],AX
2538 BD9D2D         MOV   BP,2D9DH
253B E8E30D         CALL  3321H
253E BD9D2D         MOV   BP,2D9DH
2541 BEE023         MOV   SI,23E0H               SI DESTROYED
2544 B601           MOV   DH,01H                 DX DESTROYED
2546 B201           MOV   DL,01H                 (BUT WILL BE RESTORED
2548 E8230C         CALL  317FH                  BY THE BIOS)
254B E88407         CALL  2CD2H
254E 8B366024       MOV   SI,[2460H]
2552 387D07         CALL  2CD2H
2555 A16224         MOV   AX,[2462H]
2558 A36824         MOV   [2468H],AX
255B C70666240000   MOV   WORD PTR [2466H],000H
2561 C606530402     MOV   BYTE PTR [0453H],02H
2566 EBC1           JMP   SHORT 2529H
2568 BD9D2D         MOV   BP,2D9DH
256B E80C0E         CALL  337AH
256E C606530400     MOV   BYTE PTR [0453H],00H
2573 EBB4           JMP   SHORT 2529H
.
.

Prokey does not save and restore all registers when trapping interrupt 1C.
The reason why this error occurs at a higher frequency when using Sidekick is beyond this discussion. However, to verify the error try the following:

   1. Start Prokey
   2. Define a key recursively
   3. Notice prokey now issues an error message
   4. terminate definition (fast...)
   5. press return 100 times
   6. if prokey did not crash repeat steps 2-6

Register destroying occurs when Prokey is flashing error message. You must terminate and press return as fast as possible, and be logged on a floppy drive (important: let your prompt show the active directory in order to let dos read on the disk).

The following program establishes a trap at interrupt 8 (to make sure Prokey or others do not overwrite it, bios int 8 then activates 1C).

CODE      SEGMENT
          ASSUME  CS:CODE
          ORG     100H
START     PROC
          JMP     SHORT SETUP
START     ENDP

INT08SAVE DD      0                       ; original int 8 vector (00 00 00 00 in the byte listing)

INT08TRAP PROC    FAR
          PUSH    AX                      ; save every register around the chained call
          PUSH    BX
          PUSH    CX
          PUSH    DX
          PUSH    SI
          PUSH    DI
          PUSH    BP
          PUSH    DS
          PUSH    ES
          PUSHF                           ; the old handler ends in IRET, so supply flags
          CALL    INT08SAVE               ; far call to the original int 8 handler
          POP     ES
          POP     DS
          POP     BP
          POP     DI
          POP     SI
          POP     DX
          POP     CX
          POP     BX
          POP     AX
          IRET
INT08TRAP ENDP
EOTRAP:
SETUP     PROC
          XOR     AX,AX                   ; 33 C0 in the byte listing: DS = 0, the vector table
          MOV     DS,AX
          MOV     SI,20H                  ; int 8 vector lives at 0000:0020
          CLI
          LES     AX,DWORD PTR[SI]
          MOV     WORD PTR INT08SAVE,AX
          MOV     WORD PTR INT08SAVE+2,ES ; 2E 8C 06 04 01 in the byte listing
          MOV     WORD PTR [SI],OFFSET INT08TRAP
          MOV     [SI+2],CS
          STI
          MOV     DX,OFFSET EOTRAP+1
          INT     27H                     ; CD 27 in the byte listing: terminate, stay resident
SETUP     ENDP
CODE      ENDS
          END     START

It may be faster to enter the following bytes using debug and writing them to the file profix.com, thus saving your original prokey file:

e100
0100: EB 1D 00 00 00 00 50 53 51 52 56 57 55 1E 06 9C
0110: 2E FF 1E 02 01 07 1F 5D 5F 5E 5A 59 5B 58 CF 33
0120: C0 8E D8 BE 20 00 FA C4 04 2E A3 02 01 2E 8C 06
0130: 04 01 C7 04 06 01 8C 4C 02 FB BA 20 01 CD 27
RCX 3F
NPROFIX.COM
W

NOW USE PROFIX INSTEAD OF PROKEY

NOTE: THIS MAY NOT BE THE COMPLETE SOLUTION AS THE WORD STILL DOES NOT WORK WITH PROKEY. FURTHERMORE THIS HAS ONLY BEEN TESTED USING PROKEY VERSION 3.0 - OLDER VERSIONS MAY HAVE OTHER BUGS!

INSTRUCTIONS FOR UNPROTECTING PFS-FILE AND PFS-REPORT.

IMPORTANT! COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST. DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK!
(USE THE USUAL DOS COPY COMMAND) FOR PFS-FILE: RENAME FILE.EXE TO FILE.ZAP HAVE DEBUG.COM HANDY TYPE -> DEBUG FILE.ZAP TYPE -> U 9243 YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP MOV AX,DS MOV ES,AX (ETC) IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION) OTHERWISE, TYPE -> E 9248 EB 2B TYPE -> W TYPE -> Q BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-FILE. FOR PFS-REPORT: RENAME REPORT.EXE TO REPORT.ZAP HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP TYPE -> U 98BF YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP MOV AX,DS MOV ES,AX (ETC) IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION) OTHERWISE, TYPE -> E 98C4 EB 2B TYPE -> W TYPE -> Q BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-REPORT. For those of you whose PFS:FILE and PFS:REPORT do not match the other PFS zaps on this board, try these: ---------------------------------------------------------------------- For PFS:FILE, copy FILE.EXE to another disk, and do: RENAME FILE.EXE FILE.ZAP DEBUG FILE.ZAP U 9213 should show ... PUSH BP MOV CX,0004 which is the first part of a timing loop. if it doesn't, quit; else do: E 9217 EB 18 U 9213 should show ... PUSH BP MOV CX,0004 JMP 9231 if so, do: W Q RENAME FILE.ZAP FILE.EXE ---------------------------------------------------------------------- For PFS:REPORT, copy REPORT.EXE to another disk, and do: RENAME REPORT.EXE REPORT.ZAP DEBUG REPORT.ZAP U 9875 should show ... PUSH BP MOV AX,DS MOV ES,AX if it doesn't, quit; else do: E 987A EB 11 U 9875 should show ... PUSH BP MOV AX,DS MOV ES,AX JMP 988D if so, do: W Q RENAME REPORT.ZAP REPORT.EXE ---------------------------------------------------------------------- if everything was OK, your new versions of PFS:FILE and PFS:REPORT should run just fine without the original diskettes. 
---------------------------------------------------------------------- Zaps provided by Lazarus Associates <> <> <> <> <> <> <> <> <> <> <> ----------------------------------------------------------UNPROTECT IBM PERSONAL 1. REN MCEMAIL.EXE X 2. DEBUG X DOS 2.xx Version 3. A EB47 JMP EB4F (was JNZ EB4F) 4. A EBEF NOP NOP (was JZ EC0B) 5. A EC06 NOP NOP (was JNZ EC0B) 6. W 7. Q 8. REN X MCEMAIL.EXE IMPORTANT! All copies of PCM must have this patch (i.e. the programs on both ends of a connection). This has been tested on a PCjr and PC. <> <> <> <> <> <> <> <> <> <> <> FOR THE USERS THAT HAVE 'PC-DRAW' V1.4 ------------------------------------------ FROM : THE A.S.P ; (Against Software Protection) ORIGINALLY SUBMITTED TO ASA FULTONS BBS - SHINING SUN :305-273-0020 AND WHIT WYANTS BBS - PC-CONNECT :203-966-8869 PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO (+1 HOURS FOR PC-DRAW V1.4) 40 OR MORE HOURS OF SINGLE STEPPING THRU CODE AND FIGURING OUT THE INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT FOR MY LOST SLEEP.... THE A.S.P... ORLANDO FLA. (J P , TO HIS FRIENDS) IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT TIED INTO THE PC-DRAW DISKETTE...IN CASE YOUR ONLY COPY GOES BAD . THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY.... AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY YOUR PURCHASE LICENSE AGREEMENT. IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF 'BIG MACS' TO GET YOUR HARD DISK. THIS WRITE UP ASSUMES THAT YOU ARE FAMILIAR WITH DEBUG, 1). FORMAT A CORRESPONDING EQUAL NUMBER OF DOS2.0 OR 2.1 DISKS AS SYSTEM DISKS 2). LABEL EACH OF THE 2.X FORMATTED DISKS THE SAME AS EACH ONE OF THE ORIGINAL 'PC-DRAW' DISKS 3). 
COPY THE FILES FROM THE ORIGINAL DISKS TO THE 2.X FORMATTED DISK ON A ONE FOR ONE BASIS, USING 'COPY' COMMAND 4). PLACE THE ORIGINAL DISKS IN A SAFE PLACE, WE DONT NEED THEM ANY MORE. 5). PLACE 'DISK 1' IN THE 'A' DRIVE 6). RENAME PC-DRAW.EXE PC-DRAW 7). DEBUG PC-DRAW 8) ENTER -S CS:100 L EFFF CD 13 9). FIRST YOU SHOULD SEE THE FOLLOWING CODE AT ADDRESS CS:4D45 CD 13 INT 13 IF U DONT U MAY HAVE A DIFFERENT VERSION SO DONT PROCEED ANY FARTHER, ENTER THE CHANGE TO CHANGE "INT 13" TO "NOP" AND "STC", AND FORCE A JUMP 10). ENTER -E 4D45 90 F9 EB 28 11). ENTER -W 12). ENTER -Q 13). RENAME PC-DRAW PC-DRAW.EXE NOTE: PC-DRAW IS NOW COMPLETELY UNPROTECTED. IF U WANT TO USE 'PC-DRAW' FROM HARD DISK OR RAM DISK U MUST USE THE CORRECT 'ASSIGN=', SINCE 'PC-DRAW' APPEARS TO HAVE DRIVES HARD CODED. ALSO FOR V1.2 AND 1.3 THE BAD TRACK CHECK WAS IN DIAGRAM.EXE, NOTE THAT THE CHECK IS NOW DONE IN PC-DRAW.EXE. ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!! END OF TRANSFER - PRESS ENTER TO RETURN TO MENU This procedure will unprotect the version 1.10A of SIDEKICK. Many thanks to the individual who provided the procedure for the version 1.00A. The only major difference between the two versions is the offset address of the instructions to be modified. Using DEBUG on SK.COM, NOP out the CALL 8C1E at location 07CA ----+ | Change the OR AL,AL at 07D9 to OR AL,01 --------+ | | | .....and that's it! 
| | | | (BEFORE ZAP) | | 78A7:07CA E85184 CALL 8C1E <----------------------------+ 78A7:07CD 2E CS: | | 78A7:07CE 8E163E02 MOV SS,[023E] | | 78A7:07D2 2E CS: | | 78A7:07D3 8B264002 MOV SP,[0240] | | 78A7:07D7 1F POP DS | | 78A7:07D8 59 POP CX | | 78A7:07D9 0AC0 OR AL,AL <----------+ | | | (AFTER ZAP) | | 78A7:07CA 90 NOP <-----------------------------+ 78A7:07CB 90 NOP <-----------------------------+ 78A7:07CC 90 NOP <-----------------------------+ 78A7:07CD 2E CS: | 78A7:07CE 8E163E02 MOV SS,[023E] | 78A7:07D2 2E CS: | 78A7:07D3 8B264002 MOV SP,[0240] | 78A7:07D7 1F POP DS | 78A7:07D8 59 POP CX | 78A7:07D9 0C01 OR AL,01 <----------+ ------------------------------------------------------------------- <> <> <> <> <> <> <> <> <> <> <> UNPROTECT FOR -SIGNMASTER FROM : THE A.S.P ; (Against Software Protection) 1). FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0 2). LABEL IT ACCORDING TO THE ORIGINAL 'SIGNMASTER' SYSTEM DISKETTE 3). COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING 2.X OR 3.X FORMATTED DISKETTE 4). I WONT TELL U HOW TO USE DEBUG OR ANY 'PATCHER' PROGRAMS ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING. 5). RENAME SIGN.EXE SIGN 6). DEBUG SIGN 7). D CS:99C YOU SHOULD SEE 75 03 E9 09 E CS:99C 90 90 EB 1F D CS:D407 YOU SHOULD SEE 5F E CS:D407 CB W Q 8). RENAME SIGN SIGN.EXE OTHER NOTES: ------------------------------------------------------------------------- 1). CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED 2). U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U SET UP 3). SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT ON A BBS, SO THAT U MAY USE THE NEWLY GLEAMED KNOWLEDGE. 
This is the procedure for bypassing the copy protection scheme used by SIDEKICK, version 1.00A. Using DEBUG on SK.COM, NOP out the CALL 8780 at location 071A ----+ | Change the OR AL,AL at 072D to OR AL,01 --------+ | | | .....and that's it! | | | | (BEFORE ZAP) | | 78A7:071A E86380 CALL 8780 <----------------------------+ 78A7:071D 2E CS: | | 78A7:071E 8E163D02 MOV SS,[023D] | | 78A7:0722 2E CS: | | 78A7:0723 8B263F02 MOV SP,[023F] | | 78A7:0727 1F POP DS | | 78A7:0728 59 POP CX | | 78A7:0729 880E1300 MOV [0013],CL | | 78A7:072D 0AC0 OR AL,AL <----------+ | | | (AFTER ZAP) | | 78A7:071A 90 NOP <-----------------------------+ 78A7:071B 90 NOP <-----------------------------+ 78A7:071C 90 NOP <-----------------------------+ 78A7:071D 2E CS: | 78A7:071E 8E163D02 MOV SS,[023D] | 78A7:0722 2E CS: | 78A7:0723 8B263F02 MOV SP,[023F] | 78A7:0727 1F POP DS | 78A7:0728 59 POP CX | 78A7:0729 880E1300 MOV [0013],CL | 78A7:072D 0C01 OR AL,01 <----------+ <> <> <> <> <> <> <> <> <> <> <> What follows is an unprotect scheme for version 1.11C of Borland International's Sidekick. The basic procedure is the same as that for version 1.1A with just location differences. So the only credit I can take is for finding the new locations! This is (of course), provided only for legal owners of Sidekick!! Also, make sure you 'DEBUG' a copy NOT the original! DEBUG SK.COM -U 801 -E 801 you will then see: 25E5:0801 E8. 90 repeat for 802 and 803: -E 802 90 -E 803 90 then: -A 810 OR AL,01 -U 801 you should then see (among other things): XXXX:801 90 NOP XXXX:802 90 NOP XXXX:803 90 NOP XXXX:810 0C01 OR AL,01 if so: -W -Q if not: -Q +++++++++++++++++++++++++++++++++++++++++++++++++++++ For SKN.COM, SKM.COM and SKC.COM the unprotect is the same but at the following locations: SK SKN SKM SKC --- --- --- --- 801 7DF 76F 7BC 802 7E0 770 7BD 803 7E1 771 7BE 810 7EE 77E 7CB To unprotect SKC.COM you would 'DEBUG SKC.COM' and then replace any occurence of '801' with '7BC'; '802' with '7BD' and so on. 
GOOD LUCK!

* * * * * * * * * * * * * * * * * * * * * * * *

This is an explanation of the internal workings of Print.Com, a file included in DOS for the IBM PC and compatibles. It explains how this program fails to do its part to ensure integrity of all registers. For this reason some trouble was being experienced while using both SideKick and Print.

The timer tick generates an interrupt 8 18.2 times per second. When SK is not active, this interrupt is handled by the Bios as follows:

   It pushes all registers used by the routine (AX among others.)
   It updates the system timer count.
   It updates the disk motor timer count.
   It generates an int 1C.

When the spooler is active, it has placed a vector at int 1C, pointing at the spooler's code. The spooler is therefore activated in the middle of the int 8 handling.

The cause of the SK received the int 8 and calls the bios int 8 routine to make sure that the timer tick is properly handled. The bios int 8 me as above:

   It pushes all registers used by the routine (AX among others).
   It updates the system timer count.
   It updates the disk motor timer count.
   It generates an int 10. SK has replaced the vector that the spooler placed here with an IRET, so nothing happens. This is because we cannot allow the timer tick to pass through to programs which use it, for example to write on the screen.
   It generates an end-of-interrupt to the interrupt controller.
   It pops the registers that were pushed.
   It does an interrupt return.

Back in SK's int 8 routine we make a call to the address that was stored at int 10 when SK was first started. In this way he still services any resident programs that were loaded before SK. With the spooler active we therefore make a call to the spooler. The spooler again corrupts the AX register because it uses it without saving it first. Back in SK we have no way of restoring the original contents of the AX register because we did not save it (why should we, we don't use it.)
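The tick chain described above, modeled in C as an added example (not code from the original text or from any of the programs it names): it shows how a 1Ch hook that clobbers AX stays hidden while only the BIOS int 8 routine calls it, and surfaces once a resident int 8 wrapper chains to the hook directly. The one-register CPU model, the handler names and the 0x1234/0xDEAD values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the timer-tick chain: only AX is tracked. */
typedef struct { uint16_t ax; } cpu_t;
typedef void (*isr_t)(cpu_t *);

enum { INT_TIMER = 0x08, INT_TICK = 0x1C, NVEC = 0x20 };

static isr_t ivt[NVEC];         /* interrupt vector table (model)            */
static isr_t saved_tick_hook;   /* 1Ch handler found when the wrapper loaded */
static int   wrapper_saves_ax;  /* 1 = wrapper preserves AX on its own       */

/* What an unhooked or masked 1Ch vector points at: a bare IRET. */
static void iret_stub(cpu_t *c) { (void)c; }

/* Tick hook that uses AX as scratch and never restores it (the bug). */
static void hook_clobbers_ax(cpu_t *c) { c->ax = 0xDEAD; }

/* Same hook obeying "save and restore all registers that will be modified". */
static void hook_preserves_ax(cpu_t *c)
{
    uint16_t saved = c->ax;     /* PUSH AX     */
    c->ax = 0xDEAD;             /* scratch use */
    c->ax = saved;              /* POP AX      */
}

/* BIOS int 8: saves the registers it uses, issues int 1Ch, restores them. */
static void bios_int8(cpu_t *c)
{
    uint16_t saved = c->ax;
    ivt[INT_TICK](c);
    c->ax = saved;              /* this restore is what hides a clobbering hook */
}

/* Resident wrapper on int 8: lets the BIOS run with 1Ch masked, then calls
   the saved 1Ch hook itself, outside the BIOS save/restore bracket. */
static void wrapper_int8(cpu_t *c)
{
    uint16_t saved = c->ax;
    bios_int8(c);
    saved_tick_hook(c);
    if (wrapper_saves_ax)
        c->ax = saved;          /* defensive fix on the wrapper's side */
}

static void install_wrapper(int saves_ax)
{
    saved_tick_hook  = ivt[INT_TICK];
    ivt[INT_TICK]    = iret_stub;
    ivt[INT_TIMER]   = wrapper_int8;
    wrapper_saves_ax = saves_ax;
}

/* Fire one timer tick while the interrupted program holds AX = 0x1234 and
   return the AX value that program sees afterwards. */
uint16_t ax_after_tick(isr_t tick_hook, int with_wrapper, int wrapper_saves)
{
    cpu_t cpu = { 0x1234 };
    int i;

    for (i = 0; i < NVEC; i++)
        ivt[i] = iret_stub;
    ivt[INT_TIMER] = bios_int8;
    ivt[INT_TICK]  = tick_hook;           /* the hook is resident first */
    if (with_wrapper)
        install_wrapper(wrapper_saves);

    ivt[INT_TIMER](&cpu);
    return cpu.ax;
}

int main(void)
{
    printf("BIOS only, clobbering hook:      AX=%04X\n",
           (unsigned)ax_after_tick(hook_clobbers_ax, 0, 0));
    printf("wrapper chained, clobbering:     AX=%04X\n",
           (unsigned)ax_after_tick(hook_clobbers_ax, 1, 0));
    printf("wrapper saves AX itself:         AX=%04X\n",
           (unsigned)ax_after_tick(hook_clobbers_ax, 1, 1));
    printf("hook fixed, wrapper unchanged:   AX=%04X\n",
           (unsigned)ax_after_tick(hook_preserves_ax, 1, 0));
    return 0;
}
```

Either fix alone restores the interrupted program's AX; the hook-side fix is the one the quoted rule assigns responsibility for.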
In short, the root of the trouble is that the spooler destroys the AX register. The fact that the Bios int 8 routine saves and stores it is pure coincidence.

I quote from the Technical Reference Manual, Pages 2-5, Section Interrupt Hex 1C-timer tick: "It is the responsibility of the application to save and restore all registers that will be modified."

Relying on a version of the Bios which happens to save register AX is bad programming practice. However, the guy who wrote the print spooler did not rely on this because at another point in his program he does correctly save AX. Obviously he simply forgot and fortunately for him the Bios saved him.

The following patch will fix the problem:

   SK.COM unprotected version   change 7F8: 55 to 7F8: 50
   SK.COM unprotected version   change 805: 5D to 805: 58
   SK.COM protected version     change 801: 55 to 801: 50
   SK.COM protected version     change 80E: 5D to 80E: 58
   Also on both above           change 012C: 41 to 012C: 42

UNPROTECT IBM TIME MANAGER (80 Column Version) Version 1.00 -

   1. Have a formatted, blank disk ready if copying to a floppy. Hard disk is OK, also.
   2. Startup DEBUG from drive A. Just type DEBUG
   3. Place the TIME MANAGER program disk in drive A.
   4. Type L 600 0 A5 40
   5. Type F 100,600 90
   6. Type RCX
   7. Type 8000
   8. Place the formatted, blank floppy in drive B
   9. Type NTM.COM
  10. Type W
  11. Type Q

That's it. You now have the 80-column version of Time Manager on the disk in Drive B. It is called TM.COM and can be started by simply typing TM.

BE AWARE!!! - the data diskette is non-dos and cannot be placed on a hard disk. Also, while the program itself can be loaded from any drive letter (A-Z), the data disk can only be on drives A or B. The data disk is not protected and may be copied with DISKCOPY.

For the 40-column version, replace line 4 with:

   4. Type L 600 0 65 40

All other steps are the same. If you wish to have both a 40 and 80 column version, change line 9 so that the name is descriptive of the version, i.e.
NTM40.COM or NTM80.COM. <-----<>-----> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ! *** Pirate Magazine Issue III-3 / File 8 of 9 *** *** Cracking Tips (Part 6) *** *************************************************** In this file: Lotus 123 Visicalc Microsoft word 1.1 ZORK Trivia Fever Wordstar 2000 1.00 dBase 3 PFS programs Double Dos UNPROTECTING LOTUS 1-2-3 1-2-3 Release 1-A ----------------- 1. Rename 123.exe 123.xyz 2. DEBUG 123.xyz 3. Type U ABA9 4. You should see INT 13 at this address 5. Type E ABA9 90 90 6. Type W 7. Type Q 8. Rename 123.xyz 123.exe 1-2-3 Release 1 --------------- 1. Rename 123.exe 123.xyz 2. DEBUG 123.xyz 3. Type S DS:100 FFFF E8 BE 71 The system will respond with xxxx:3666 where xxxx can vary 4. Type E xxxx:3666 90 90 90 (xxxx is the number from above) 5. Type W 6. Type Q 7. Rename 123.xyz 123.exe Compliments of THE BIG APPLE BBS (212) 975-0046 <> <> <> <> <> <> <> <> <> <> <> [[This patch was extracted from the PHOENIX IBM-PC Software Library newsletter. They received it from the HAL-PC users group of Houston, TX. Corrected by Jack Wright. Many thanks to them.]] **** CONVERT VISICALC TO A .COM FILE **** USE THE FOLLOWING PROCEDURE TO TRANSFER THE 80-COLUMN VISICALC PROGRAM FROM THE VISICALC DISK AND WRITE A STANDARD .COM FILE WHICH MAY BE FORMAT A DISK AS FOLLOWS: (FORMAT B:/S(ENTER)). START THE DEBUG SYSTEM. INSERT THE VISICALC DISK IN DRIVE A: THEN TYPE: -L 100 0 138 2 (LOAD THE VC80 LOAD/DECRYPTER) -M 0 3FF 7000 (DUPLICATE IT IN HIGHER MEMORY) -R CS (INSPECT COMMAND SEGMENT REGISTER) DEBUG WILL RESPOND WITH THE CONTENTS OF THE CS REGISTER (eg. 04B5) AND PROMPT WITH A COLON (:). TYPE THE OLD CONTENTS + 700 (HEX). (eg. 04B5 BECOMES 0BB5). DO THE SAME WITH THE 'DS' REGISTER. DEBUG response to R CS might be: CS 04B5 <-Save the value you get, we'll need it later. 
:0BB5 <-Type in your CS value + 700hex here -R DS <-Type DS 04B5 :0BB5 <-Type in your DS value + 700hex here NEXT: Take the low order byte of the CS you saved above and substitute it for LL in the next line. Substitute the high order byte for HH: -E 107 LL HH (ENTER BYTE-FLIPPED CS) Ex: -E 107 B5 04 -E 24D BB A8 00 90 (HARD-WIRE THE DECRYPTION KEY) NOW, WE MUST RUN THE LOADER/DECRYPTER, TYPE: -G =1B8 26B (EXECUTE FROM 1B8 TO 26B) THE ENTIRE PROGRAM WILL NOW BE LOADED AND DECRYPTED AND A REGISTER DUMP SHOULD APPEAR ON THE SCREEN. NOW RESTORE CS AND DS TO THEIR PREVIOUS VALUES AND SET THE FILE LENGTH IN CX. Set BX=0: -R CS CS 0BB5 <-Yours might be different :04B5 <-Type in the value of CS you saved above -R DS DS 0BB5 :04B5 <-Type in the value of DS you saved above -R BX BX F3FD :0 -R CX CX 0000 :6B64 (LENGTH = 6B64 FOR VERSION 1.1, 6802 FOR VERSION 1.0) NOW WE MUST NAME THE FILE, WRITE IT AND EXIT. REMOVE THE VISICALC DISK FROM A: INSERT THE NEW, FORMATTED, EMPTY DISK IN A: TYPE: -N VC.COM (OR WHATEVER YOU WISH TO NAME IT) -W (WRITE THE .COM FILE) -Q (EXIT FROM DEBUG) ***YOU ARE DONE***** Back in DOS, type VC to try it.  The protection scheme for MS WORD is quite good. The last track is formatted with 256 byte sectors. One sector, however, has an ID that says it is a 1K sector. If you try to read it as a 256 byte sector, you'll get a sector not found. You can read it as a 1K sector with a guaranteed CRC error, and you will get the data and other sector overhead from 3+ sectors. They read it as 1K, and use the bytes after the first 256 for decryption. These bytes constitute the post-amble of the sector, the inter-sector gap, and the preamble to the next 256 byte sector. If it's not formatted with the correct inter-sector gap, the decryption key is different and the incorrectly decoded program bombs. The best way around this is to modify the MWCOPY program so it will let you make more than one copy. 
The below mods will let you make as many backups as you want (and you can leave the write protect tab on your master disk). Of course, this method should only be used by registered owners of Word. If you, or any of your IMF force is killed, the secretary will disavow any knowledge of these patches. We will copy MWCOPY to another disk, using another name (MWCP) so you'll know it's the special version, and then modify MWCP. (with master disk in A:, B: has any disk with debug on it) A>copy mwcopy.com b:mwcp.com B>debug mwcp.com -e103 xxxx:0103 0x.00 -e148 xxxx:0148 A5.a7 -e194 xxxx:0194 02.04 -e32a xxxx:032A 1C.1e -e32e xxxx:032E 1C.1e -e3372 xxxx:3372 01.03 -ecfe xxxx:0CFE CD.9026.90 xxxx:0D00 5B.90 -e4ab xxxx:04AB 1B.84 -e69a xxxx:069A C1.b938.ff28.b9 -e7b3 xxxx:07B3 A2.5f08.e9 -e66f xxxx:066F E5.d8 xxxx:0670 94.2990.ff29.b9 Writing 332D bytes -q B>mwcp (try making a copy..remember, leave the write-protect on the master) (Just follow the prompts in the program, except when they ask you to remove the write protect tab) I think this will also work for the hard disk copy portion. Another way to unprotect Word gets rid of the need for any weird disk formats. But it is MUCH more complicated to do. Enjoy! <> <> <> <> <> <> <> <> <> <> <> Unprotection for Microsoft "WORD" Version 1.1 using the Ultra-utilities (U-Format and U-Zap). June 22, 1984 The following information is presented for those legitimate owners who feel somewhat insecure when the availability of an important program is dependent on the survival of a single floppy disk. Microsoft's WORD uses a very good protection method. This consists of a track (Side 1, Track 39) which is formatted with twelve sectors. Sectors 1,2,3,4,6,7,8,9,10 & 11 are all 256 byte sectors. Sector 5 is formatted as a 1024 byte sector with a inherent CRC error. The sectors on this track have an ASCII text on the subjects of not stealing software and the names of the people who worked on the development of the WORD package. 
Sectors 1,2,3 & 4, while presenting an interesting message, do not directly affect the copy protection scheme. They would appear to be a "red herring", to divert attention from the actual protection area. Earlier versions of WORD were supplied with a program called MWCOPY.COM which permitted a single floppy disk copy and a single hard disk copy. If you have these versions use WORD.UNP or WORDNEW.UNP which can be found on many BBS's. Version 1.1 is furnished with a single back-up floppy and the utility programs furnished are MWCOPY1.COM, MWCOPY.BAT, and MWCOPY2.BAT. These programs only permit a one-time copy to a hard disk. No provision is included for a floppy copy. To make a floppy copy you will need the Ultra-Utilities, a userware set of programs available on many BBS's. Of this set you specifically need U-FORMAT.EXE and U-ZAP.EXE. 1) Place a write protect tab on your copy of WORD. 2) Make a copy of WORD with the standard DOS DISKCOPY command. (NOTE: There are hidden files, so the use of COPY will not work. DISKCOPY will report "Unrecoverable read errors on source Track 39 Side 1". Just ignore this. 3) Start the U-FORMAT.EXE program. This can be done by removing the WORD disk and inserting your Ultra-Utilities disk. Once U-Format is started you can remove the Ultra-utilities disk and return the WORD disk to the drive. 4) Select #5 (Display Radix) from the U-Format menu and change to decimal display. 5) Select #4 (Display/Modify Disk Parameter Table) and set the following: #4 Bytes per sector = 001 #5 Highest sector number per track = 012 #8 Formatting gap length = 010 All other values remain at the default settings. Quit to the main menu. 6) Select menu item #3 (Format a Non-Standard Track) The program will ask if you intend to format a track with 12 sectors. 
Answer = YES The program will then ask for the following information: SIDE = 1 DRIVE = (enter letter of the drive with the COPY disk) TRACK = 39 The program will then prompt for the following information: Physical Sector # Logical Sector # Sector Size 1 1 1 2 2 1 3 3 1 4 4 1 5 5 3 6 6 1 7 7 1 8 8 1 9 9 1 10 10 1 11 11 1 12 12 1 After pressing "enter" in response to the prompt, you may exit U-Format. 7) Start the U-ZAP.EXE program. This can be done by removing the WORD disk and inserting your Ultra-Utilities disk. Once U-Zap is started you can remove the Ultra-utilities disk and return the WORD disk to the drive. 8) Select #8 (Display Radix) from the U-Format menu and change to decimal display. 9) Select #11 (Display/Modify Disk Parameter Table) and set the following: #4 Bytes per sector = 001 #5 Highest sector number per track = 012 All other values remain at the default settings. Quit to the main menu. 10) Select #3 (Copy Disk Sectors) and use the following information: SOURCE DISK DESTINATION DISK SIDE = 1 SIDE = 1 DRIVE = (enter drive letter DRIVE = (enter drive letter for WORD disk) for COPY disk) TRACK = 39 TRACK = 39 SECTOR = 6 SECTOR = 6 NUMBER OF SECTORS TO COPY = 7 The program will report "Sector Not Found"... "Re-Try (Y/N)" Answer = NO The program will then ask how many sides for the disk. Answer = 2 The program will then show the copy process. (NOTE: DO NOT copy the information from sectors 1,2,3,4, or 5.) You may then quit from U-zap to DOS. YOUR' DONE. The copy disk should workHow to backup Infocom's ZORK III game: *Insert DOS disk in drive A A>DISKCOPY A: B: <-- Ignore the errors on tracks 1-3! *Place your ZORK I or ZORK II disk in drive A and a blank disk in drive B. BE SURE THAT YOUR ORIGINAL IS WRITE-PROTECTED!!! A> *Now take out your ZORK disk and insert your DOS disk in A. A>DEBUG -R CS xxxx :0000 <-- you enter this -R DS xxxx :0040 -R IP xxxx :7C00 -R ES xxxx :0000 -L 0:7C00 0 0 8 -G =0:7C00 0:7C32 -G 0:7C44 <-- Don't take a shortcut here! 
-R ES xxxx :04C5 -G 0:7C46 -E 7C0:007C 02 08 -W 800:0000 1 8 8 -E 07C0:007C 03 04 -G 0:7C44 -R BX xxxx :0000 -G 0:7C46 -E 07C0:007C 02 08 -W 04C5:0000 1 10 8 -E 07C0:007C 03 04 -G 0:7C44 -R BX xxxx :0000 -E 07C0:007C 02 08 -W 04C5:0000 1 18 8 -E 0:7C41 B8 08 02 -W 0:7C00 1 0 8 -Q <> <> <> <> <> <> <> <> <> <> <> UNPROTECT FOR INFOCOMO'S -ZORK III- *This patch was done under DOS 1.1 - I haven't tried it under DOS 2.0 yet - which may cause unpredictable results... *Take out your new disk in drive B and write-protect it. It is now DISKCOPY-able. *Reboot your system - press ALT-CTRL-DEL. How to backup Infocom's ZORK III game: *Insert DOS disk in drive A A>DISKCOPY A: B: <-- Ignore the errors on tracks 1-3! *Place your ZORK III disk in drive A and a blank disk in drive B. A> *Now take out your ZORK III disk and insert your DOS disk in A. A>DEBUG -R CS xxxx :0000 <-- you enter this -R DS xxxx :0040 -R IP xxxx :7C00 -R ES xxxx :0000 -L 0:7C00 0 0 1 -G =0:7C00 0:7C2A -R AX xxxx :0800 -G 0:7C63 -E 800:14E5 B8 08 02 -E 800:211A 02 08 -W 800:0000 1 8 18 -L 0:7C00 0 0 8 -E 0:7C7C 02 08 -E 0:7C41 B8 08 02 -W 0:7C00 1 0 8 -Q *Take out your new disk in drive B and write-protect it. It is now DISKCOPY-able. *Reboot your system - press ALT-CTRL-DEL. <> <> <> <> <> <> <> <> <> <> <> This is the procedure to unprotect the game software package called TRIVIA FEVER (This procedure also works on the demo disk of TRIVIA FEVER available with the blank XIDEX disks!) If you have a hard disk or want to create a backup copy that is not tied to the original TRIVIA system disk, this will remove the copy protection completly. This procedure is to be used by legitimate owners of TRIVIA FEVER ONLY ... as you are entitled to make a back up for archive purposes only. You are bound by your licence agreement. Format a blank system disk using DOS 2 or 2.1 Label it the same as the original TRIVIA system disk. Copy the files from the original TRIVIA system to the formatted blank disk using *.* . 
Place DOS system disk containing DEBUG in drive A: Place the new copy of TRIVIA in drive B: Rename the file called TF.EXE to TF A>DEBUG B:TF -E 257E (enter) -75.90 03.90 (enter) -W -Q Rename B:TF B:TF.EXE Now all the copy protection has been removed, and you may copy the files as required. All checks for specially formatted tracks has been removed. Disk needs no longer to be in the A drive on start up. <> <> <> <> <> <> <> <> <> <> <> Wordstar 2000 version 1.00 - Unprotect by Gerald Lee derived from dBase III version 1.10 - Unprotect by The Lone Victor The following instructions show you how to bypass the SoftGuard copy protection scheme used on WORDSTAR 2000 version 1.00. This is the same scheme used for FrameWork 1.10 and for dBase III version 1.10. Wordstar 2000 version 1.10 does not use a copy protection scheme, while versions 1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks read the file PROLOCK.UNP. First, using your valid, original Wordstar 2000 diskettes, install it on fixed disk. Softguard hides two files in your root directory: CML0200.HCL and VDF0200.VDW. WS2000.EXE is the real Wordstar 2000 program, encrypted. When you run Wordstar, the program WS2000.COM loads CML0200.HCL high in memory and runs it. CML decrypts itself and reads VDF0200.VDW. The VDF file contains some code and data from the fixed disk FAT at the time of installation. By comparing the information in the VDF file with the current FAT, CML can tell if the CML, VDF, and WORDSTAR.EXE files are in the same place on the disk where they were installed. If they have moved, say from a backup & restore, then WORDSTAR 2000 will not run. Second, un-hide the two files in the root directory. You can do this with the programs ALTER.COM or FM.COM, or UNHIDE.COM and HIDE.COM found on any BBS. PC-SWEEP2 is the easiest it will copy the files to another directory unhidden. Make copies of the two files, and of WS2000.COM and WS2000.EXE, into some other directory. 
Hide the two root files again if using ALTER or FM. Leave alone if using PC-SWEEP2. Following the WORDSTAR instructions, UNINSTAL WORDSTAR 2000. You can now put away your original WORDSTAR diskettes. We are done with them. Next we will make some patches to CML0200.HCL to allow us to trace through the code in DEBUG. These patches will keep it from killing our interrupt vectors. DEBUG CML0200.HCL E 3F9 2A.4A ; change the 2A to 4A E 49D F6.16 ; if any of these numbers don't show up E 506 E9.09 ; it's not working. E A79 00.20 ; E AE9 00.20 ; E 73C 97 FA FA F4 F1 7E ; this is an encrypted call to 0:300 W ; write out the new CML file Q ; quit debug Now copy your four saved files back into the root directory and hide the CML0200.HCL and VDF0200.VDW files using ALTER, FM or PC-SWEEP2. We can now run WS2000.COM using DEBUG, trace just up to the point where it has decrypted WORDSTAR.EXE, then write that file out. DEBUG WS2000.COM R ; write down the value of DS for use below. A 0:300 ; we must assemble some code here POP AX CS: MOV [320],AX ; save return address POP AX CS: MOV [322],AX PUSH ES ; set up stack the way we need it MOV AX,20 MOV ES,AX MOV AX,0 CS: JMP FAR PTR [320] ;jump to our return address G 406 ; now we can trace CML T G 177 ; this stuff just traces past some G 1E9 ; encryption routines. T G 54E ; wait while reading VDF & FAT G=559 569 G=571 857 ; WS2000.EXE has been decrypted rBX ; length WS2000.EXE = 1AC00 bytes :1 ; set BX to 1 rCX :AC00 ; set CX to AC00. nWS12 ; name of file to write to W XXXX:100 ; where XXXX is the value of DS that ; you wrote down at the begining. Q ; quit debug Last, unhide and delete the two root files CML0200.HCL, VDF0200.VDW, and WS2000.COM and WS2000 directory. Rename WS12 to WS2000.COM and replace in the WS2000 directory. This is the routine that starts the real WS2000.EXE program without any SoftGuard code or encryption. It requires the .OVL and .MSG files to run. 
I have not tried it on a two disk systems but I think it should work. If you have any comments on this unprotect routine, please leave them GERALD LEE - 5/12/85 <> <> <> <> <> <> <> <> <> <> <> dBase III version 1.10 - Unprotect by The Lone Victor The following instructions show you how to bypass the SoftGuard copy protection scheme used on dBase III version 1.10. This is the same scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar 2000 version 1.10 does not use a copy protection scheme, while versions 1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks read the file PROLOCK.UNP. This scheme also reportedly works on Quickcode 1.10 QuickReport 1.00. First, using your valid, original dBase III diskette, install it on a fixed disk. Softguard hides three files in your root directory: CML0200.HCL, VDF0200.VDW, and DBASE.EXE. It also copies DBASE.COM into your chosen dBase directory. DBASE.EXE is the real dBase III program, encrypted. When you run dbase, the program DBASE.COM loads CML0200.HCL high in memory and runs it. CML decrypts itself and reads VDF0200.VDW. The VDF file contains some code and data from the fixed disk FAT at the time of installation. By comparing the information in the VDF file with the current FAT, CML can tell if the CML, VDF, and DBASE.EXE files are in the same place on the disk where they were installed. If they have moved, say from a backup & restore, then dBase will not run. Second, un-hide the three files in the root directory. You can do this with the programs ALTER.COM or FM.COM found on any BBS. Make copies of the three files, and of DBASE.COM, into some other directory. Hide the three root files again using ALTER or FM. Following the dBase instructions, UNINSTALL dBase III. You can now put away your original dBase diskette. We are done with it. Next we will make some patches to CML0200.HCL to allow us to trace through the code in DEBUG. These patches will keep it from killing our interrupt vectors. 
debug cml0200.hcl e 3F9 2A.4A ; change the 2A to 4A e 49D F6.16 ; if any of these numbers don't show up e 506 E9.09 ; it's not working. e A79 00.20 ; e AE9 00.20 ; e 73C 97 FA FA F4 F1 7E ; this is an encrypted call to 0:300 w ; write out the new CML file q ; quit debug Now copy your four saved files back into the root directory and hide the CML0200.HCL, VDF0200.VDW, and DBASE.EXE files using ALTER or FM. We can now run DBASE.COM using DEBUG, trace just up to the point where it has decrypted DBASE.EXE, then write that file out. debug dbase.com r ; write down the value of DS for use below. a 0:300 ; we must assemble some code here pop ax cs: mov [320],ax ; save return address pop ax cs: mov [322],ax push es ; set up stack the way we need it mov ax,20 mov es,ax mov ax,0 cs: jmp far ptr [320] ; jump to our return address g 406 ; now we can trace CML t g 177 ; this stuff just traces past some g 1E9 ; encryption routines. t g 54E ; wait while reading VDF & FAT g=559 569 g=571 857 ; DBASE.EXE has been decrypted rBX ; length DBASE.EXE = 1AC00 bytes :1 ; set BX to 1 rCX :AC00 ; set CX to AC00. nDBASE ; name of file to write to w XXXX:100 ; where XXXX is the value of DS that ; you wrote down at the begining. q ; quit debug Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, and DBASE.EXE. Delete DBASE.COM and rename DBASE to DBASE.EXE. This is the real dBase III program without any SoftGuard code or encryption. It requires only the DBASE.OVL file to run. If you have any comments on this unprotect routine or the PROLOCK.UNP routine, please leave them on the Atlanta PCUG BBS (404) 634-5731. The Lone Victor - 4/15/85 <> <> <> <> <> <> <> <> <> <> <> INSTRUCTIONS FOR UNPROTECTING PFS-FILE, PFS-REPORT AND PFS-WRITE. IMPORTANT! COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST. DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! 
(USE THE USUAL DOS COPY COMMAND) YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP MOV AX,DS MOV ES,AX (ETC) IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION) OTHERWISE, TYPE -> E 9248 EB 2B TYPE -> W TYPE -> Q BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-FILE. FOR PFS-REPORT: RENAME REPORT.EXE TO REPORT.ZAP HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP TYPE -> U 98BF YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP MOV AX,DS MOV ES,AX (ETC) IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION) OTHERWISE, TYPE -> E 98C4 EB 2B TYPE -> W TYPE -> Q BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-REPORT. For PFS-Write: RENAME PFSWRITE.EXE TO PFSWRITE.ZAP DEBUG PFSWRITE.ZAP U 235A YOU SHOULD SEE, AMONG OTHER THINGS: INT 13 JNB 2362 IF YOU DONcT SEE THIS, TYPE -> Q (you don't have the right version) OTHERWISE, TYPE -> E235A 90 90 90 90 TYPE -> E2360 90 90 TYPE -> A2369 TYPE -> CMP AX,AX TYPE -> TYPE -> W TYPE -> Q RENAME PFSWRITE.ZAP TO PFSWRITE.EXE. YOU NOW HAVE AN UNPROTECTED COPY OF PFS-WRITE. ============================================================================ P.S. From another author than the one who wrote the above. The routine above is excellent, however I had a different version of PFS FILE and PFS REPORT. If you dont find the locations listed above try these: PFS FILE TYPE -> U 9223 YOU SHOULD SEE PUSH BP MOV AX,DS MOV ES,AX (ETC) IF SO TYPE -> E 9228 EB 2B TYPE -> W TYPE -> Q AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME ETC. PFS REPORT TYPE -> U 988F YOU SHOULD SEE PUSH BP MOV AX,DS MOV ES,AX (ETC) IF SO TYPE -> E 9894 EB 2B TYPE -> W TYPE -> Q AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME & ETC. My thanks to the original author who worked so hard to help us. Please use these routines for your own use. I needed to add DOS 2.1 and place these programs on double sided disks. Don't rip off these software manufacturers. 
PROKEY 3.0 and several other programs. The approach I outline here works with any of these that are in COM file format. If anyone can improve it to work for EXE files PLEASE post it. This general copy scheme uses a short sector of 256 bytes to store an essential piece of the program code. On startup, location 100H contains a JMP instruction to the code which reads this short sector. Locations 103H - 110H contain HLT instructions (hex F4). After the sector is read, its contents are overlayed onto locations 100H - 110H, replacing the dummy instruction codes. A branch to 100H then begins the actual program. All we need to do is to stop execution after the changes are made and write down the contents of 100H - 110H; reloading the program and POKEing these changes results in an unprotected program. Here's how its done: (1) Put PROTECTED disk in A: (you can write-protect it for safety) and a disk containing DEBUG in B: (2) A: Make A: the default. (3) B:DEBUG ULTIMAII.COM (or PKLOAD.COM, LAYOUT.COM...) (4) -u 0100 Tell DEBUG to disassemble 0100-0120 DEBUG responds with: 0100 JMP 88A0 (or whatever) 0103 HLT 0104 HLT ...etc. (5) -u 88A0 Look at short-sector decrypting code. DEBUG responds with: 88A0 JMPS 88A7 Next "statements" are data locations; ignore. (6) -u 88A7 Now look for where program restarts at 100H. DEBUG responds with: 88A7 CALL 88C4 88AA CALL 892E 88AD JC 88BF (If Carry is set, the disk is a copy. Go to DOS!) .. 88BA MOV AX,0100 88BD JMP AX Paydirt! If you got this far, the program has .. written the REAL code into 0100 - 0120H. (7) -g 88BD Tell DEBUG to run the program, stop here. (8) -d 0100 011F Dump out the changed code. DEBUG responds with: 8C C8 05 25 07 8E D8 05-10 03 8E D0... Two lines. WRITE DOWN for (12) (9) -q Get out of DEBUG. You must reload to deprotect. (10) Make a copy of the disk; you can use copy *.* Put copy in A: (11) B:DEBUG ULTIMAII.COM load copy (12) -e 0100 Patch locations 0100 - 011F with what you wrote down above. 
Follow each entry with a SPACE until last entry; then hit ENTER. (13) -w Write out new version of ULTIMAII.COM (14) -q You've done it! I've been detailed because this works generally for any COM file. This method doesn't work for EXE files because while DEBUG can load relocatable modules and execute them with breakpoints (step 7 above), you cannot use debug to write an EXE file in relocatable form. Any suggestions? L.Brenkus <> <> <> <> <> <> <> <> <> <> <> DOUBLEDOS - Unprotect Based on The Lone Victor's routine. The following instructions show you how to bypass the SoftGuard copy protection scheme used on DOUBLEDOS version 1.00. This is the same scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar 2000 version 1.10 does not use a copy protection scheme, while versions 1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks read the file PROLOCK.UNP. First, using your valid, original DOUBLEDOS diskette, install it on a fixed disk. Softguard hides three files in your root directory: CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE. It also copies DOUBLEDO.COM into your chosen DOUBLEDOS directory. DOUBLEDO.EXE is the real DOUBLEDOS program, encrypted. When you run DOUBLEDOS, the program DOUBLEDO.COM loads CML0200.HCL high in memory and runs it. CML decrypts itself and reads VDF0200.VDW. The VDF file contains some code and data from the fixed disk FAT at the time of installation. By comparing the information in the VDF file with the current FAT, CML can tell if the CML, VDF, and DOUBLEDO.EXE files are in the same place on the disk where they were installed. If they have moved, say from a backup & restore, then DOUBLEDOS will not run. Second, un-hide the three files in the root directory. You can do this with the programs ALTER.COM or FM.COM found on any BBS. Make copies of the three files, and of DOUBLEDO.COM, into some other directory. Hide the three root files again using ALTER or FM. 
Following the DOUBLEDOS instructions, UNINSTALL DOUBLEDOS. You can now put away your original DOUBLEDOS diskette. We are done with it.

Next we will make some patches to CML0200.HCL to allow us to trace through the code in DEBUG. These patches will keep it from killing our interrupt vectors.

  debug cml0200.hcl
  e 3F9 2A.4A               ; change the 2A to 4A
  e 49D F6.16               ; if any of these numbers don't show up
  e 506 E9.09               ; it's not working.
  e A79 00.20               ;
  e AE9 00.20               ;
  e 73C 97 FA FA F4 F1 7E   ; this is an encrypted call to 0:300
  w                         ; write out the new CML file
  q                         ; quit debug

Now copy your four saved files back into the root directory and hide the CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE files using ALTER or FM.

We can now run DOUBLEDO.COM using DEBUG, trace just up to the point where it has decrypted DOUBLEDO.EXE, then write that file out.

  debug dOUBLEDO.COM
  r                         ; write down the value of DS for use below.
  a 0:300                   ; we must assemble some code here
  pop ax
  cs:
  mov [320],ax              ; save return address
  pop ax
  cs:
  mov [322],ax
  push es                   ; set up stack the way we need it
  mov ax,20
  mov es,ax
  mov ax,0
  cs:
  jmp far ptr [320]         ; jump to our return address
  g 406                     ; now we can trace CML
  g 177                     ; this stuff just traces past some
  g 1E9                     ; encryption routines.
  t
  g 54E                     ; wait while reading VDF & FAT
  g=559 569
  g=571 857                 ; DOUBLEDO.EXE has been decrypted
  rBX                       ; length DOUBLEDO.EXE = 04800 bytes
  :0                        ; set BX to 0
  rCX
  :4800                     ; set CX to 4800.
  nDOUBLEDO                 ; name of file to write to
  w XXXX:100                ; where XXXX is the value of DS that
                            ; you wrote down at the beginning.
  q                         ; quit debug

Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE. Delete DOUBLEDO.COM and rename DOUBLEDO to DOUBLEDO.EXE. This is the real DOUBLEDOS program without any SoftGuard code or encryption. It requires only the DOUBLGD2.PGM and DDCONFIG.SYS files to run.
<-----<>-----> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++ !
***************************************************
***  Pirate Magazine Issue III-3 / File 9 of 9  ***
***  Gene and Roger at the BBS                  ***
***************************************************

NOW REVIEWING -- DEAD ZONE (214-522-5321)

We kept hearing about this Dallas board that's part camp, part lame, part punk, and mostly heavy metal, so we thought we'd check into it, 'cause it's been around for awhile and seems to have a loyal, if somewhat brain-dead claim to be heavy metal junkies, and a few log-ins and message readings convinced us that too much of this stuff can rot your brain, but maybe that's what comes from living in Dallas. We were on last year and found it all a bore, but lost our account and had to re-enter. The chat is mostly mindless, the sysop is into posturing a lot, and the whole thing is pretty pretentious. Great for kids through age 14. We didn't bother to re-apply for higher access. Here's what ya see when you log in, and here's a sample of the messages. If you're into mindless drivel, maybe this board's your thing, but the R&G rating for DEAD ZONE is

<><>BOOOOOOORRRING!!<>

********

[ASCII-art login banner]

-cDc- -cDc- -cDc-
A [-Cult of the Dead Cow-] System

[New Corpses enter -KILL ME-]
[Grave ID]: ][-KILLE ME

Enter your alias [Upper+Lower Case] :Roger
City of Residence [Upper+Lower Case] :San Francisco
State [XX] :CA
Phone number [xxx-xxx-xxxx] :414-555-1212

Roger
San Francisco, CA
415-555-1212

Abs0lutely 0k ? Y

[P]=Password [G]=Guest -]-[-P

Preparing Entrance...

Hey d0rk, over here...Read This:

Well, if you have actually made it this far, I sure hope you typed your name in upper/lower case like this sentence is. If not, you're going to probably have your access denied cause you showed me you aren't even aware enough to read. I'd really prefer you give me your REAL phone number, or somewhere I can reach you. I don't voice validate that much, and I don't take your number and randomly call it to annoy the hell out of you. Now, all you have to do is answer the following questions pretty keenly, and I'll give you access. Don't put smart ass answers....you don't amuse me when you do that. If it asks you a simple [Yes/No] question, don't answer "N" or "Y". Sure what the fuck is that supposed to mean...it means you can't type Yes or No.

The board is mainly for people who like Metal/Speed Metal/Punk/etc and intelligent/semi-intelligent users. In other words you should be able to carry on a conversation somewhat. If not, you are a waste of life roper and ought to go get drunk in some bar and die. Now I'm outta here....answer these questions:

Leper Messiah

[Ctr-S Pauses : Spacebar Quits]

What is your real FIRST name ?
--ROGER
How old are you ?
--22
What type of computer do you have, and what is the maximum baud rate of your modem ?
--IBM/2400
Do you phreak, hack, both, or neither ?
--BOTH
Do you pirate software and/or collect textfiles ?
--Yes
Are you related to any law enforcement agency and/or do you plan on reporting any information from this board to
--No
Who is your favorite musical group and how long have they been your favorite ?
--Banshee Heaven
Are you a cDc Member?
--No
SPECIFICALLY, where did you get the number to this BBS ? [Tell the person's handle, the board, or wherever you
--??
Want to send Leper Messiah a Message ? No

Enter a password to use [4-8 Characters] :Demon

Grave ID #99
Password :DEMON

Knife [RETURN] to login to The Dead Zone

[Ctr-S Pauses : Spacebar Quits]

12/24/89

N00wz that you better fucking read...

Ok, I got pissed off at a certain leech, so I deleted 200+ users from the userlist. I did delete a couple I didn't mean to, so if you got deleted, and you don't think you deserved it, you're probably right and I fucked up.

Next off, if you would like a different user number for some reason, [F]eedback me, and I might change it.

If you would like AE access and you aren't going to leech, send me [F]eedback. If you have AE access and you leech, you are going to have a large problem.

If you would like upgraded access, [F]eedback me, and if I merit that you do, you'll get it.

Lastly....Happy Hannukkah, and Merry Christmas, Have a Good New Year, and don't drink and drive....(seriously). Thanks.

|-- Graveyard Shift :: 01:19:04 12/28/89
|-- Corpse :: Roger
|-- Last Corpse :: Phantom Of The Opera
|-- Undertaker :: Leper Messiah
|-- Executioners :: The Wanderer
|-- :: The Interloper
|--There are 17967 fresh graves...

-/- Rue Morgue -\- :M

Nice fucking accent...why cant you speak like me!

-/- Rue Morgue -\- :?
User Menu

B- Bulletin Boards
C- Scream at Sysop
D- Display Parms
F- Feedback to Sysop
I- System Information
N- Re-Read System News
P- Get a Password [Guests ONLY]
R- Read Mail
T- Terminate Yourself
Y- Your Body Status

-/- Rue Morgue -\- :B

[Central Graveyard 1-100] :R

Sequential Retrieval - Reverse
Start where [-#, L)ast, -]:L

[Ctr-S Pauses : Spacebar Quits]
[Knife ENL for next grave]

____/ 100. \____
____ Re: . Demolition War . ____
____ by Madmartigan (#188) ____
\ 12/27/89 at 23:48:22 /

Bush was right to go into Panama. Otherwise he looks like an idiot who can let some wimpy dictator ruin his foriegn policy and screw up our image in the world. He had to do it... As for the Dead ZOne going down next year,,... Thank God!

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 99. \____
____ I love typos. ____
____ by M&M (#7) ____
\ 12/27/89 at 23:10:21 /

"If I did, me would want more." That was great. Psyche is Fuck Me. Roper::::> Let me explain this AGAIN. The lyrics I typed WERE NOT Pink Floyd lyrics but ALTERED lyrics. READ THEM. kicker up there reminds me of this asshole that came to our school... he was like... "What kind of music do you listen know all about him - but the question is, is he a good impression on you?" Fuckin' dick. I hate ignorant people. It's fine to be stupid but if you don't know what you're talking about DON 'T PRETEND! M&M

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 98. \____
____ I did NOT............................................! ____
____ by The Wanderer (#11) ____
\ 12/27/89 at 22:56:04 /

I did NOT rape SMI2le! There is an easy way to tell if I did it or not. If I did it, me would want more. Insane Fixx - Why would I want to trash my cowboy boots, and why would I want to dye my hair blond? A blond with freckles? I think not. Of course, I could bleech my skin too..... Rah! I got me a VCR for x-mas! Now I'm going to have to head down to the sordid side of town, say hi to sue as I pass the apropriate corner, and buy some trashy videos.
The type that most of ya'll won't be able to buy for another 5 or 6 years. Hahahahahahaha! Tw /s /dammit!

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 97. \____
____ pLaNeT cLaIrE ____
____ by The Psychedelic Fur (#209) ____
\ 12/27/89 at 21:42:50 /

i DoN't WaNt YoUr LoVe...i WaNt yOuR sEx mOhEhAhO DuStBuStEr: YoU kNoW jUsT wHaT iT tAkEs AnD wHeRe To Go....WhAt MoRe CaN a PoOr BoY dO?...YoU'rE a HaRd AcT tO fOLLoW...i just looooove my pastel pink lace underwire push up bra and matching panties! But my crowning glory is the sexxxxxxxxxy pink silk nightie I bought...'TiS tOo MuCh FoR jUsT oNe GuY tO tAkE!! AcEybAbY: Sorry I missed ya...you didn't call me back...snif...methinks i am hurt...but i shall recover. I will call ya when i get back from the RaIdEr BoWL. ..i dOn'T wAnT tO sAy i LoVe YoU, ThAt WoULd GiVe AwAy ToO mUcH....i DoN't waNt To sAy I wAnT yOu, eVeN tHoUgH i wAnT yOu So MuCh....iT's No NeW YeAr'S rEsOLuTiOn, iT's MoRe ThAn ThAt... i just loooove SpLiT eNz! i think i will get on here early tomorrow morning before i leave, and say goodbye...i must pack now and i'm not in the mood to "bOn VoYaGe, bAbY!" tWo RoAdS dIvErGeD iN a WoOd aNd I - i ChOsE tHe OnE LeSs TrAvELeD bY AnD tHaT hAs MaDe aLL tHe DifFeReNcE... ShALL i CoMpArE tHeE tO a SuMmEr'S dAy ThOu ArT mOrE LoVeLy aNd MoRe TeMpErAtE... /| ShE wALkS iN bEaUtY LiKe ThE nIgHt oF cLoUdLeSs CLiMbS aNd StArRy SkIeS aNd aLL tHaT's BeSt Of DaRk AnD bRiGhT MeEt In ThE aSpEcT oF hEr EyEs... Name the movie, the authors, and who said them...and i'll do something eXXXtra special... oH cApTaIn, mY cApTaIn...

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 96. \____
____ Death is near so come rape me! ____
____ by Smi2le (#83) ____
\ 12/27/89 at 18:01:59 /

M&M: You're a sheepfucker, right? Some come on baby, I'm a sheep. Leper: While your at it, buy me a push up jockstrap. M&M just doesn't get the job done anymore. Have fun! Meat

[A]utoReply [N]ext [R]eread [Q]uit:

Gee... I may have to remember this for later use.!
(sarcasm) Hey babe, wanna Pistachio?? (wink, snort, phlegm-hack)

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 92. \____
____ . Hootenanny . ____
____ by Leper Messiah (#1) ____
\ 12/27/89 at 11:13:46 /

Oh swell, I'm going to Valley View today, I think I'll stop by Vic's Secret also and pick me up something interesting.... Then again, maybe I won't. Maybe I'll visit Hastings instead and get some k000000000l album. GO Away, I wanna burn in hell... -There's something I haven't sdaid in a long time. Or spelled correctly for that matter. Well, well, well... Right now I'll go... somewhere else. Me

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 91. \____
____ tHe UnIvErSe Is ExPaNdInG ____
____ by The Psychedelic Fur (#209) ____
\ 12/27/89 at 10:42:35 /

SmI2Le: Me??? LaRgEr tHaN LiFe? How so? I tell ya this much, if I was "larger than life" I wouldn't be able to shop at ViC's SeCrEt... And I now have a real bustline... the most orgasmic thins, besides Godiva chocolates, silk lingerie, and great sex, are pistachios... pHaLLi C SyMb OLs!!! Board rape. Sounds fun. Reminds me of the time on PiL when ol' Karl and myself came up with this guy, "Mr. Awesome", who was a homosexual and sent bulk mail to all the guys on the board encouraging them to have anal sex, etc. We had everybody fooled. DaVe: Methinks you want to do the nasty...:) munching on a healthful aphrodisiac...sex on the mind...and less than 24 hours till I'm off to the bowl... maybe I'll get some in Birmingham...

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 88.
____ Re: and that was a song called "Yeah" by... you guessed it The Garden Bugs ____
____ by Roper (#308)
\ 12/27/89 at 01:10:20

M&M ---- > O.K. so yer a bigger fuck than I thought, Although I was quite impressed that YOU would know the lyrics to a country tune. And by the way,... I did listen to the Pink Floyd lyrics again,... still sounds suicidal to me. JUST TRYIN TO HELP WHERE I CAN,... GIMME A BREAK! Roper

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 83. \____
____ abcdefghijklmnopqrstuvwxyz.... ____
____ by Ace of Diamonds (#36) ____
\ 12/26/89 at 11:45:57 /

now i no my abc's wont you come and fuck with me..... suebeast: nononono...ya can beg...but lananananana...oh lana...has moi dik first....cuzzz she luvz to suck it so sweet.....and u 'hate doin that shit'....so, [strike three, yer out!] .....glad ya missed loozer car 54.... its black and white anyway...ack..... yawn....i got sex on the brane....... in multicolor3D vision............... ohyeah...today i'm sposed to kall ya. i think i'm gonna ferget.....duH..... sycho-correct:aka MaDDFiXX........rahrah....d00d...yer so vEry sTraNGe.......sEE mY SelF iN ThE miRRoR..... SOMEBODY GET ME A DOCTOR!!!! need some new lyrix besides wiggin' dance tunez.....hmmmm.......... what's everyonez fav EmptyVee video... i must admit that my MeTalHeAd has turned soft cuz...i lUUUUUv paula halfbake abdul's The Way that U luv Me.... i lust everything in that video.... her bod, stereo equip, visagold (which i have already), mazerati 90'yackt, black limozine, pearl necklace ..(both kindz) etc.....but most of all ....iz her tItz.......yumyumyum gOts tO mAil Rezumayz, AoD

[A]utoReply [N]ext [R]eread [Q]uit:

____/ 77. \____
____ ..lOOks like rED skies at niTe.... ____
____ by The Madd Fixx (#142) ____
\ 12/25/89 at 23:47:35 /

buT of cOurse.... tiN-roOf.... ruSTed! duDes.. i haD a pretty rocKin' ChrisTmas.. goT me a cD player... aND daT suIts me fiNe.... i goT dis biTchin' Indiana joNes lookin' haT... it roCks.. aNYone ever seen cherrIes in liquoR?.... hO yAh... yuMyUm... piTS and all...sluRpsLUrp! maN..we're just frying this message base with wiErdo messages.. buT hEy.. doN't coomplain...we're posTing.... m&m... so quE pasa with aNGie, eH?... mY mountain hideaway...maybe next year.............. pSYchE..raH..everytime i listen to spLit enZ, the b's, or doOOrandOooran, it reminds me oF yOUze.... (awW. aIn't tat sweEt! HahA!).. shaKe a tail feaTher...
you're about as eaSy as a nuClear waR.... ...(of course, i'm not saying that there's any similarity... ...) oh...what'snext.... damn i'm boRed...goTTa sliP me in anudder cD.... yEee-haAAa! daMn i'm HiP!... ... plEAse pleAse tell me noW.... cuZ i wanna RoAm in your buuUuusssshhhhh----fiiIiire!... aND i think it's about to bReak.... smiL3e...chiLL hoMie.. reLax..doN't do iT.. set your miNd righT to It. thERe's a chance you could be righT.... anOther glaMoRous peFeroRmaNce by mE...aNd i.. mR. bUStin' DuStiN!!

[A]utoReply [N]ext [R]eread [Q]uit:

Central Graveyard:
[#]-Read Number   [N]ew Graves    [Q]uit
[G]lobal Q-scan   [J]ump          [L]ist
[F]rd. Read       [R]vrs. Read    [S]can
[>]Next Bd.       [<]Prev. Bd.    [K]ill
[P]ost            [T]erminate Session

Spread the Disease [-[-[-[-[-[-[- -]-]-]-]-]-]-] Spread the Disease

[Central Graveyard 1-100] :>

-/- Rue Morgue -\- :<

Nice fucking accent...why cant you speak like me!

User Menu

B- Bulletin Boards
C- Scream at Sysop
D- Display Parms
F- Feedback to Sysop
I- System Information
N- Re-Read System News
P- Get a Password [Guests ONLY]
R- Read Mail
T- Terminate Yourself
Y- Your Body Status

-/- Rue Morgue -\- :T

[] Violent Termination []

***************

That's it! So much for contemporary education through age 16!

>--------=====END=====--------<
! JB ZZZZ