Copy Link
Add to Bookmark
Report
Pirate Vol 1 Issue 3
ON 1 WARMUP:
*******************************************************
** **
** PPPPP I RRRRR AAAAA TTTTT EEEEE **
** P PP I R RR A A T E **
** PPP I RRR AAAAA T EEEEE **
** P I R R A A T E **
** P I R R A A T EEEEE **
**keepin' the dream alive **
*******************************************************
***************************************************
*** Pirate Magazine Issue III-3 / File 1 of 9 ***
or 11(your choice)wins the game.
***************************************************
Welcome to the third issue of *PIRATE MAGAZINE*.
Special thanks for getting this issue out go to:
Flint
Gene & Roger
Hatchet Molly
Jedi
Knight Lightning
Mikey Mouse
Taran King
The California Zephyr
The Institute
The Hillside Pirates
Special thanks to those who took the time to write the
unprotects, including Buckaroo Banzai, Super Dave,
Company of Wolves, Bentley Bear, The Asp, and all the others.
Any comments, or if you want to contribute, most of us can be reached at
one of the following boards:
GREAT ESCAPE >>> PIRATE HOME BOARD
RIPCO (Illinois)
SYCAMORE ELITE (815-895-5573)
THE ABYSS (201-671-8954)
PACIFIC ALLIANCE (California)
Chris Robin BITNET = TK0EEE1@NIU
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Dedicated to sharing knowledge, gossip, information, and tips for warez
hobbyists.
*******************************************************
* EDITORS' CORNER *
*******************************************************
** CONTENTS THIS ISSUE **
File #1. Introduction, editorial, and general comments
File #2. News Reprint: Who's the REAL software threat??
File #3. Unprotects and cracking tips (part 1)
File #4. Unprotects and cracking tips (part 2)
File #5. Unprotects and cracking tips (part 3)
File #6. Unprotects and cracking tips (part 4)
File #7. Unprotects and cracking tips (part 5)
File #8. Unprotects and cracking tips (part 6)
File #9. Gene n' Roger's "review of the month" (DEAD ZONE)
Welcome to the third edition of *PIRATE*, a bit late, but here it is.
Still can't seem to please everybody, and it's a toss-up between those
wanting more law/virus type stuff and those wanting nuts and bolts for "how
to crack," so this issue we're giving more cracking tips that were sent in.
Next issue we'll bring back some of the legal stuff, virus info, and keep
the unprotect section as a regular feature.
Last issue pissed some people off, mostly the kiddie klubbers who thought
we were a bit unfair. Well, like we keep saying, there's a pirate ethic,
and if you can't figure it out, you ain't one.
Lots of feedback on "what's a pirate!" Add it up anyway you want to, keeps
coming out the same: PIRATES AREN'T RIPPING OFF--they're warez hobbyists
who enjoy the challenge or the collecting.
Bad news, sad news--more national pirate boards have gone down. Seems that
the "fly-by-night" crowd springs up, drains off enough clients to cut into
the elite boards, and the sysops all say the same thing: Too many kids
calling and tying up the lines, and a decrease in good users caused by the
competition.
A few sysops have also requested that we don't print the numbers of boards
where PIRATE staff can be reached because too many lamerz started calling.
The boards are pretty easy to find, though, and a few will tolerate their
numbers being published for one more issue.
If you have any suggestions or ideas for future issues, call or get ahold
of us--just leave a message on any of the top boards and we'll get to it
sooner or later.
<-----<<END>>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
***************************************************
*** Pirate Magazine Issue III-3 / File 2 of 9 ***
*** Who's the REAL Warez Threat? ***
***************************************************
Multiple choice quiz:
Who's the biggest threat to the computer industry:
a) Phreaks
b) Hackers
c) Pirates
d) Ducks without condoms
e) The software industry itself
If you answered "e)", you passed. The tendancy of the mega-corps to try to
eat each other, with lawyers as the only winners, costs more in dollars and
feel" of an idea. The mega-corp czars keep saying that pirates and phreaks
will put the "small programmer" out of business, but the following article
suggests it's quite the opposite. What's the bottom line? The computer
underground is resistance, and like the PIRATE crew says, we gotta "keep
the dream alive."
**<Chris Robin> and Pru Dohn**
* * * *
"Softare Industry Growing Jaded over Copyright Disputes"
by Tom Schmitz
(THE CHICAGO TRIBUNE, December 26, 1989-Sect. 3, p.3)
SAN JOSE--When it comes to copyright lawsuits, the computer software
industry is starting to sound a bit like victims of the recent earthquake.
They've already been through the Big Shake. And they're getting a bit
jaded about the aftershocks.
"When the Apple-Microsoft suit hit, everybody got frightened," said Heidi
Roizen, president of the Software Publishers Association. "A Month later,
99 percent of us were back to normal. I get the sense companies aren't
going to do much this time."
"This time" is the Xeroz-Apple lawsuit, in which Xerox Corp. is claiming
Apple Computer Inc. infringed its copyright in designing the display and
command system for its enormously popular Macintosh computer. Filed in San
Francisco two weeks ago, the suit comes 21 months after Apple brought a
similar case against Microsoft Corp. and Hewlett-Packard Co., saying they
had infringed Apple's own copyright on the distinctive display software.
The Macintosh's graphic display has such "user-friendly" features as
pull-down menus; easy-to-identify symbols, or "icons"; and "windows" that
allow users to display text, menus and illustrations simultaneously.
By pressing its claim to the "look and feel" of Macintosh softare, Apple
set off alarms at hundreds of smaller companies that were developing
to forge ahead.
So while the Xerox suit again raises the question of just who can use what
software, those awaiting the battle's outcome say they see no reason to
drop their wait-and-see attitude. They just have more to watch.
"It throws a little scare in, but I'm not going to program any less," said
Andy Hertzfeld, and independent programmer in Palo Alto, Calif., and one of
the original designers of the Macintosh software. "If people want to sue
me, they can."
All agree the issue of who can rightfully use the display system is
important and must be settled quickly. But more troubling, industry
observers say, is increasing use of lawsuits to settle such disputes.
"Basically the whole thing is anticustomer and prolawyer," Hertzfeld said.
"All that money that Apple is paying their lawyers could be going into
products." What's more, a litigious atmosphere can stifle innovation. "If
every time I come up with an idea I have to hire a team of lawyers to find
out if it's really mine, my product development will slow way down."
Some hope the Xeroz-Apple suit will finally put an end to that process.
Unlike the Apple-Microsoft ase, the suit does not involve a specific
contract. That could allow the court to tackle the look-and-feel issue
head-on without bogging down over technicalities. And both companies have
war chests large enough to see the fight through.
"I think Ethe suitL is good," said Dan Bricklin, president of Software
Garden, Inc. in Cambridge, Mass., who wrote the first computer spreadsheet
program. "We need the issue resolved by the courts, and we can't have
people pulling out for lack of money."
Yet even among those who say the industry needs a clear set of rules, there
remains a certain nostalgia for the freewheeling days when software
designers wrote what they wanted and settled their differences outside the
courtroom.
<-----<<END>>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
***************************************************
*** Pirate Magazine Issue III-3 / File 3 of 9 ***
*** Cracking Tips (Part 1) ***
***************************************************
In this file: Jordan v. Bird
Gauntlet
Sierra Games
Cracking is about learning computer programming, and the fun is in
increasing skills. We've been sent some reprints of tips, and even if you
have the programs, it's neat to make a backup copy and experiment. For
some, these tips may be old hat, but for novices they show some of the
basic techniques the that "pros" use.
The more programing you know, the easier cracking is, and we recommend
taking an intro course in your school. But most programs can be worked on
using DOS DEBUG. Think of DEBUG like a text editor. The difference is that,
instead of writing ASCII type stuff, you're working in BINARY files. Debug
lets you "edit" (or alter) the contents of a program and then immediately
re-execute to see if your changes worked. Before reading the following,
check your DOS manual and read the DEBUG instructions. We've included old
unprotects here for a reason: If you have some of these old programs laying
around, dig them out and use them for practice. "Cracking" is one of the
best (and most fun) ways to learn about what makes a program work.
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
^^^^^^^^^^^^^^^
We reprint the following tips by BUCKAROO BANZAI that beginners and
intermediates should find helpful.
^^^^^^^^^^^^^^^^
****************************************
* B U C K A R O O B A N Z A I *
* aka the Reset Vector *
* *
* presents *
* *
* Cracking On the IBMpc *
* Part I *
* *
****************************************
Introduction
------------
For years, I have seen cracking tutorials for the APPLE computers, but
never have I seen one for the PC. I have decided to try to write this
series to help that pirate move up a level to a crackest.
In this part, I will cover what happens with INT 13 and how most copy
protection schemes will use it. I strongly suggest a knowledge of
Assembler (M/L) and how to use DEBUG. These will be an important figure in
cracking anything.
INT-13 - An overview
--------------------
Many copy protection schemes use the disk interrupt (INT-13). INT-13 is
often use to either try to read in a illegaly formated track/sector or to
write/format a track/sector that has been damaged in some way.
INT-13 is called like any normal interupt with the assembler command
which command to be used, with most of the other registers used for data.
INT-13 Cracking Collage
-----------------------
Although, INT-13 is used in almost all protection schemes, the easiest to
crack is the DOS file. Now the protected program might use INT-13 to load
some other data from a normal track/sector on a disk, so it is important to
determine which tracks/sectors are inportant to the protection scheme. I
have found the best way to do this is to use LOCKSMITH/pc (what, you don't
have LS. Contact your local pirate for it.)
Use LS to to analyze the diskette. Write down any track/sector that
seems abnormal. These track are must likely are part of the protection
routine. Now, we must enter debug. Load in the file execute a search for
CD 13. Record any address show. If no address are picked up, this mean 1
or 2 things, the program is not copy protected (bullshit) or that the check
is in an other part of the program not yet loaded. The latter being a real
bitch to find, so I'll cover it in part II. There is another choice. The
CD 13 might be hidden in self changing code. Here is what a sector of
hidden code might look like
-U CS:0000
1B00:0000 31DB XOR BX,BX
1B00:0002 8EDB MOV DS,BX
1B00:0004 BB0D00 MOV BX,000D
1B00:0009 3412 XOR AL,12
1B00:000D DF13 FIST WORD...
to DF at location 1B00:0007. When you XOR DF and 12, you would get a
CD(hex) for the INT opcode which is placed right next to a 13 ie, giving
you CD13 or INT-13. This type of code cann't and will command.
Finding Hidden INT-13s
----------------------
The way I find best to find hidden INT-13s, is to use a program called
PC-WATCH (TRAP13 works well also). This program traps the interrupts and
will print where they were called from. Once running this, you can just
disassemble around the address until you find code that look like it is
setting up the disk interupt.
An other way to decode the INT-13 is breakpoint at the address give by
PC-WATCH (both programs give the return address). Ie, -G CS:000F (see code
above). When debug stops, you will have encoded not only the INT-13 but
anything else leading up to it.
What to do once you find INT-13
-------------------------------
Once you find the INT-13, the hard part for the most part is over. All
that is left to do is to fool the computer in to thinking the protection
has been found. To find out what the computer is looking for, examine the
code right after the INT-13. Look for any branches having to do with the
CARRY FLAG or any CMP to the AH register.
If a JNE or JC (etc) occurs, then jump. If it is a CMP then just read
on.
Here you must decide if the program was looking for a protected track or
just a normal track. If it has a CMP AH,0 and it has read in a protected
track, it can be assumed that it was looking to see if the program had
successfully complete the READ/FORMAT of that track and that the disk had
been copied thus JMPing back to DOS (usually). If this is the case, Just
NOP the bytes for the CMP and the corrisponding JMP.
If the program just checked for the carry flag to be set, and it isn't,
then the program usually assumes that the disk has been copied. Examine the
following code
INT 13 <-- Read in the Sector
JC 1B00 <-- Protection found
INT 19 <-- Reboot
1B00 (rest of program)
The program carries out the INT and find an error (the illegaly formatted
sector) so the carry flag is set. The computer, at the next instruction,
see that the carry flag is set and know that the protection has not been
breached. In this case, to fool the computer, just change the "JC 1B00" to
a "JMP 1B00" thus defeating the protection scheme.
NOTE: the PROTECTION ROUTINE might be found in more than just 1 part of
the program
Handling EXE files
------------------
As we all know, Debug can read .EXE files but cannot write
them. To get around this, load and go about cracking the program
as usual. When the protection scheme has been found and command)
to save + & - 10 bytes of the code around the INT 13.
Exit back to dos and rename the file to a .ZAP (any extention
but .EXE will do) and reloading with debug.
Search the program for the 20+ bytes surrounding the code and
record the address found. Then just load this section and edit
it like normal.
Save the file and exit back to dos. Rename it back to the .EXE
file and it should be cracked. ***NOTE: Sometimes you have to
fuck around for a while to make it work.
DISK I/O (INT-13)
-----------------
This interrupt uses the AH resister to select the function to
be used. Here is a chart describing the interrupt.
AH=0 Reset Disk
AH=1 Read the Status of the Disk
system in to AL
AL Error
----------------------------
00 - Successful
01 - Bad command given to INT
*02 - Address mark not found
03 - write attempted on write prot
*04 - request sector not found
08 - DMA overrun
09 - attempt to cross DMA boundry
*10 - bad CRC on disk read
20 - controller has failed
40 - seek operation failed
80 - attachment failed
(* denotes most used in copy protection)
AH=2 Read Sectors
input
DL = Drive number (0-3)
DH = Head number (0or1)
CH = Track number
CL = Sector number
AL = # of sectors to read
ES:BX = load address
output
AH =error number (see above)
AL = # of sectors read
AH=3 Write (params. as above)
AH=4 Verify (params. as above -ES:BX)
AH=5 Format (params. as above -CL,AL
ES:BX points to format
Table)
For more infomation on INT-13 see the IBM Techinal Reference
Manuals.
Comming Soon
------------
In part II, I will cover CALLs to INT-13 and INT-13 that is
located in diffrents overlays of the program
Happy Cracking.....
Buckaroo Banzai
<-------+------->
PS: This Phile can be Upload in it's
unmodified FORM ONLY.
PPS: Any suggestion, corrections,
comment on this Phile are accepted and
encouraged.....
* * * * * * * * * *
****************************************
* B U C K A R O O B A N Z A I *
* aka the Reset Vector *
* *
* presents *
* *
* Cracking On the IBMpc *
* Part II *
* *
****************************************
Introduction
------------
Ok guys, you now passed out of Kopy Klass 101 (dos files) and
have this great new game with overlays. How the phuck do I crack
this bitch. You scanned the entire .EXE file for the CD 13 and
it's nowhere. Where can it be you ask yourself.
In part II, I'll cover cracking Overlays and the use of
locksmith in cracking. If you haven't read part I, then I
suggest you do so. The 2 files go together.
Looking for Overlays
--------------------
I won't discuss case 1 (or at least no here) because so many
UNP files are devoted to PROLOCK and SOFTGUARD, if you can't
figure it out with them, your PHUCKEN stupid.
If you have case 3, use the techinque in part I and restart
from the beg. And if you have case 4, shoot your self.
Using PC-Watch to Find Overlays
-------------------------------
You Have Found the Overlays
---------------------------
Locksmith and Cracking
----------------------
The copy/disk utility program Locksmith by AlphaLogic is a great
tool in cracking. It's analyzing ability is great for
determining what and where the protection is. I suggest that
you get locksmith if you don't already have it. Check your
local pirate board for the program. I also suggest getting
PC-Watch and Norton Utilities 3.1. All of these program have
many uses in the cracking world.
Have Phun Phucker
Buckaroo Banzai
The Banzai Institute
special thanks to the Honk Kong Cavliers
Call Spectrum 007 (914)-338-8837
<-----<<END>>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
***************************************************
*** Pirate Magazine Issue III-3 / File 4 of 9 ***
*** Cracking Tips (Part 2) ***
***************************************************
In this file: Curse of the Azure Gods
Gauntlet (alt. unprotect)
Silpheed
Simcity
Carmen San Diego
Sargon IV
zdddddddddddddddddddddddddQ
3 The Baji Man 3
3 PRESENTS 3
3 3
3 JORDAN V.S. BIRD DOCS 3
3 Cracked by: DAY STAR 3
Game Play Options:
1 ON 1 FULL GAME:
M. Jordan and L. Bird play one on one for either 2,5,8, or 12
mins per quarter. You can set the computers skill level in the
options menu with Recreational being the easiest to
Professional being the hardest. Winners Outs option is where
if you score you get the ball back. Instant replay, Fouls, amd
Music/Sowndz
DR.J JAM- Start from the jumpers circle and let go of the ball
just as you man is descending. Wait until your sure he's
descending,but not too long.
Windmill - Start from the right baseline area and and let go
Back Slam- Same as a Two-Handed-Hammer
Statue Of Liberty - Same as Dr. J. Dunk
Skim-The-Rim - Exactlt like the Air-Jordan except let go of the
ball a lil' bit sooner.
Toss Slam- This dunk seems the hardest but its the easiest. Start
from the left side baseline area and let go when your almost in
front of the basket.
My version of Jordan v.s. Bird ahs a bug in it which doesn't
display semifinal stats and standings. You just play the
finals and thats it. Other versions may differ.
FOLLOW THE LEADER:
This is just a "You do as I do" dunk contest with do or die rules.
3 POINT CONTEST- Shoot the first ball on the first rack, go to
the next rack, and so on.... when you get to the last rack make
your way back to the first rack. The object is to get as any
baskets as possible in 30 or something secondz.
Hintz and Tipz:
To get past your opponent in one on one games just press the
%Q! your designated direction and you will
speed up dramatically. To dunk just gain a little speed by
running up to the basket from as far as possible and holding the
insert key. Its almost impossible to explain defensive techniques
because this is one of those "u gotta be in the right place at
the right time gamez" The best thing I can tell ya is to
Experiment with the game a little and pratice. have Phun!!!!
The Baji Man
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
*
* This is how I unlocked Gauntlet by Mindscape
*
By : LM *
***************************************
Gauntlet was one of those games in the arcade that I liked a lot.
So when I walked into the Computer Store and saw it on the shelf,
I just had to have it.
The price of the game wasn't bad at all and the game was really
good. But Mindscape gives you only ONE install. What kind of
$hi* is that. I mean only one install to your hard disk and then
you must uninstall before you optimize you disk or you have lost
------------ NO MORE INSTALL's. -------------
mistake I got out my DEBUG and statred to look at the game. I
found that Mindscape writes two hidden files to your C:f when you
install Gauntlet. DEMAA.COM and DEMAB.COM. The first file
(DEMAA.COM) is just junk.
The second file (DEMAB.COM) has some info about where the first
file is at on your hard disk. (The starting cluster number) When
you load Gauntlet it calls GINTRO.EXE and GINTRO.EXE checks for
this information. Then it calls GPORG.EXE and it check for the
same information.
My fix for this was to load gintro.exe and gprog.exe with fake
data. After you fix gauntlet you DON'T have to use Mindscape
install to play the game, just copy the files to your disk and
go. It has worked fine for Me and I hope it is what you need to
fix your game.
****************************************
* To fix Gauntlet you will need the following:
*
* 1. A copy of your Gauntlet master diskette(you can use dos to
make a copy)
*
* 2. Debug
*
* 1. Rename gintro.exe gintro
*
* 2. debug gintro
*
* 3. e 3EB7 90 90 90 90 This was a check for drive
A:,B:,C:
*
* 4. e 4339 EB 21 Jump around file read
(demaa.com)
*
* 5. e 435C B8 C3 02 A3 22 03 B8 3D FD Replace file info with
dummy data
*
* 6. e 4097 EB 14 Jump around file read
(demab.com)
*
* 7. w
*
* 8. q
*
* 9. Rename gintro gintro.exe
*
* 10. Rename gprog.exe gprog
*
* 11. debug gprog
*
* 12. e 7F57 90 90 90 90 This was a check for
drive A:,B:,C
*
* 13. e 83D9 EB 21 Jump around file read
(demaa.com)
*
* 14. e 83FC B8 C3 02 A3 22 03 B8 3D FD Replace file info with
dummy data
*
* 15. e 8137 EB 14 Jump around file read
(demab.com)
*
* 16. w
*
* 17. q
*
* 18. Rename gprog gprog.exe
*
**************************************************
* Now you can copy you game to any hard disk or flex many times.
**************************************************
* If you would like more information as to HOW and WHY.
*
* You can leave Me a message on the following BBS :
*
* Inner Sanctum (813) 856 5071
*
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Unprotect for all Sierra Games using the version 3.0 SIERRA.COM game
loader and the AGI (Adventure Game Interpreter).
This text written
July 11, 1988
Sierra-On-Line Software utilizes a copy protection scheme
which, upon the execution of the game loader (usually
SIERRA.COM), loads some key data from a specially formatted
track. Normal DOS copy and diskcopy commands cannot copy this
specially formatted track (usually track 6). Only image hardware
copy devices such as the "OPTION BOARD" can copy the specially
formatted track properly - and even this will not allow
stand-alone hard disk usage.
This unprotect is accomplished by running the program to the
point where it loads the key data, and then copying the key data
into the loader. Then the loader is further modified by jumping
around the call to the "opening original disk" request screens.
The last step is to change the bx and cx registers to allow for
the inclusion of the key data in the loader.
There are three things to determine before you can start the
unprotect. The first is to verify that your game contains the
version 3.0 game loader (usually the file SIERRA.COM) and the
file "AGI". This applies to about 90% of all Sierra games. The
others contain a slightly modified version 3.0 game loader and
the file MAIN. This unprotect does not apply to Sierra games that
contain the file "MAIN". Some games which use the "MAIN" file
are: 3-D Helicopter, Thexder and a few others. Check this BBS for
a different unprotect for Sierra games using the "MAIN" file.
Run a directory on your Sierra game disk 1 to verify that is
does contain the files "SIERRA.COM" and "AGI".
The next step is to determine which version of the 3.0 game
loader (SIERRA.COM) your game has. Yes, there are two different
versions of the 3.0 version game loader. In the code of the
SIERRA.COM file is listed either the date 1985 or 1987 - the 1985
being one version and the 1987 being another version. You must
run a debug operation as follows to determine your version of the
game loader:
Arrange your configuration so that SIERRA.COM
and DEBUG.EXE are on the same disk, directory
or path.
DEBUG SIERRA.COM <return> -d 100 <return>
Some text will now appear to the right of your screen,
somewhere containing "LOADER v.3 Copyright Sierra On-Line, Inc.
198?". Note the year appearing in this text. Now you can quit
debug by typing a "q" at the "-" prompt. The unprotect differs
for the 1985 and 1987 versions, so, if your version is the 1985
version, refer to the file SIERRA85.UNP contained in this
package. Likewise, if your version is the 1987 version, refer to
the file SIERRA87.UNP contained in this package.
=| ++++++++++++++++++++++++++++++++++++++++++++++++++++++
Please read the file READTHIS.1ST before proceeding to read this
file.
Unprotect for all Sierra Games using the version 3.0 SIERRA.COM
game loader and the AGI (Adventure Game Interpreter). THE
FOLLOWING PROCESS APPLIES TO THE 1987 version of the 3.0 version
SIERRA.COM game loader!
Make a copy of your original game disk 1 using the dos copy *.*
command. But don't put away your factory original game disk yet,
you will need it during the unprotect.
Arrange your configuration so that SIERRA.COM and DEBUG.EXE are
on the same disk, directory or path.
Using THE COPY of the game disk 1, start as follows:
DEBUG SIERRA.COM <return> -r <return>
screen, including the prompt to insert your original disk (write
protect it to be safe). The key data from the specially formatted
track will be loaded into memory. When the program breaks back
to debug (the registers will be listed again), be sure you have
the COPY you made of your original disk in the disk drive.)
-rbx <return>
: <-type in here the value of BX register that
you were instructed to write down in step one.
<return>
-rcx <return>
CX XXXX
: <-type in here the value of CX register that
you were instructed to write down in step one.
<return>
(In the above line you have inserted NO-OP's (90's) to jump
around the protection check and opening screen calls)
-w <return> (this will write back to disk the unprotected
game loader)
Writing xxxx bytes
-q <return> (quits debug)
This completes the Sierra game 1987 version 3.0 game loader
unprotect. Use this unprotect to allow proper hard disk usage or
to make an archival backup copy. Please do not promote theft by
using this procedure to distribute unauthorized copies.
Bart Montgomery
Atlanta PCUG BBS
(404) 433-0062
<-----<<END>>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
***************************************************
*** Pirate Magazine Issue III-3 / File 5 of 9 ***
*** Cracking Tips (Part 3) ***
***************************************************
In this file: Curse of the Azure Bonds
Gauntlet
Silpheed
Carmen San Diego
Saragon
* * * * * *
How to fix copy protection from
and supercharge characters
for Curse of the Azure Bonds.
FROM:
THE COMPANY OF WOLVES
-----------------------------------------------------------------
NEEDED:
1. Norton Utilities (or similar program)
2. A copy of the file start.exe from your Azure Bonds disk A
3. A bit of your time
-----------------------------------------------------------------
1. HOW TO UNPROTECT CURSE OF THE AZURE BONDS:
First load START.EXE into Norton. Then search for the string 80
3E CC. This should take you to file offset 9BA hex. Go back to
9B5 hex this should be 9A (the first machine language code for a
far call). Change the values of the bytes from 9B5 hex - 9b9 hex
to 90's Save the changes
Now the program will skip the part where it asks for code letter,
you now can put away that annoying code disk until needed for
decoding
-----------------------------------------------------------------
2. SUPERCHARGING YOUR CHARACTERS:
Copy the program CHARFIX.EXE (included with this fix) into the
directory that your saved games reside. Change to that directory.
Run the program, it is self explanitory.
-----------------------------------------------------------------
If you have any problems with any of the patches above check the
date of the file START.EXE on your original disk A for the date
and time 07/27/89 16:44. If your file has a different date then
they probably changed the copy protection method and your out of
luck with this patch. For other problems leave The Company of
Wolves a message, I can be reached on EXCEL BBS (414)789-4210
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
How to fix copy protection from
Mindscape's Gauntlet.
FROM:
THE COMPANY OF WOLVES
-----------------------------------------------------------------
NEEDED:
1. Norton Utilities (or similar program)
2. A copy of the file's gintro.exe and gprog.exe from your
original disk.
3. A bit of your time
-----------------------------------------------------------------
1. HOW TO UNPROTECT GAUNTLET:
First load one of the above files into Norton.
Then search for the string F3 A7.
Change the byte immediately following (74) to EB.
Continue the search and once again change the 74 to EB.
Save the changes
Repeat the steps above for the other .EXE file.
For you Debug fans rename each of the two files to 1.aaa and
2.aaa respectivaly.
Search (the S command) for F3 A7, you should get at least 3
matches.
You will need to unassemble each of the matches, the first copy
protection match should read REPZ CMPSW, JZ 2D96, ect..., and the
second REPZ CMPSW, JZ 2DB1, ect...
th the E command using the FULL address of the JZ commands
change the 74's to EB's.
Write the files with the W command and repeat the process for the
other file.
When finishes erase Gintro.exe and Gprog.exe and rename 1.aaa
gintro.exe and 2.aaa gprog.exe.
In this version of the program will still look for the copy
protection (which is a sector at the end of the hard disk that
the install program writes then marks bad to prevent overwriting
to that sector) but will continue the program as if the
comparison (F3 A7) was successful.
-----------------------------------------------------------------
If you have any problems with any of the patches above check the
date of the file GINTRO.EXE on your original disk A for the date
03/25/88. If your file has a different date then they probably
changed the copy protection method and your out of luck with this
patch. If you have any questions leave The Company of Wolves a
message, I can be reached on EXCEL BBS (414)789-4210 under the
name Nicodemus Keesarvexious.
Also included is another patch for a different version of
Gauntlet in case you have a different version from the one I
* * * * * * * *
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
To unprotect SilpHeed By Sierra!
Use Norton and change these bytes in the SIMCITY.EXE file:
Change: 80 3e cc 06 01 74 0c
To....: 80 3e cc 06 01 eb 0c
^^
Then when it asks the question just hit ENTER.
Another software crack by Bentley Bear!
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
To unprotect SimCity!
Use Norton and change these bytes in the SIMCITY.EXE file:
Change: 0c 87 00 75 3c
To....: 0c 87 00 eb 3c
^^
Another software crack by Bentley Bear!
Unprotect for Where in Time is Carmen Sandiego.
This program checks for the original key disk each time you are
promoted in the game.
I found another unprotect on this BBS (CARMNTME.ZIP) which did
not work at all. If fact, it made it so you can not even get into
the program!
Here's mine. You can patch the file either with a hex editor, or
with debug.
Using a hex editor, such as those in PC-Tools or Norton's Utilities:
Search for the hex byte string: 02 E1 07 C3 FA 55
Change the first byte only: 12
------------
Using debug
>ren carmen.exe car
'ug car
-S0000 FFFF 02 E1 07 C3 FA 55 <cr>
xxxx:yyyy (note value of yyyy)
-e yyyy (type e, then value of yyyy above)
xxxx:yyyy 02.12 <cr>
-w <cr>
-q <cr>
>ren car carmen.exe
-------------
That's it. And a lot easier then the other patch that didn't work!
Although this patch only changes one byte, it was difficult to
come up with. They used a far call which was hard to follow, and
could not be nop'ed out. Good Luck.
5
-e XXXX:YYYY b8 00 10 : Edit the contents of the
returned address
Now write the new sargon game back to the disk:
-w <Enter>
Writing XXXX bytes
Then Quit Debug:
-q <Enter>
Now it is time to rename sargon back to sargon.exe
C>ren sargon sargon.exe
Now try to run the new (Hopefully) unprotected version of Sargon IV.
When the question comes up answer '1924'
C>sargon
-----------------------------------------------------------------
Unprotect Brought to you courtesy of Super Dave
Super Dave can be reached at:
Hackers Paradise BBS
(803) 269-7899
Greenville, SC
<-----<<END>>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
***************************************************
*** Pirate Magazine Issue III-3 / File 6 of 9 ***
*** Cracking Tips (Part 4) ***
***************************************************
In this file: Memory shift 2.1
Lotus 123 ver 1a
Multilink ver 2.06
Chartmaster
Enable ver. 1.00
EZWriter ver. 1.1
Flight Simulator 1.00
How to Unprotect MEMORY-SHIFT, Version 2.1
A>FORMAT b:/s/v
With Memory Shift Master in drive A: and your fresh diskette in B:
A>COPY A:*.*,B:
Replace the Memory Shift Master in drive A: with your DOS diskette
A>RENAME B:MS.EXE,B:MS.XXX
A>DEBUG B:MS.XXX
-s 0 l 8000 e8 22 00 72 <- look for this string in memory
xxxx:7F68 <- one occurance should be found
-e 7F68
xxxx:7F68 E8.eb 22.08 <CR>
-e 80ec
xxxx:80EC AD.e9 AB.9e AD.fe <CR>
-e 7f8d
xxxx:7F8D 06.b8 1E.00 B8.01
xxxx:7F90 40.ab 00.b8 8E.f0 D8.ff BF.01 3E.d8 00.ab 8A.b8
xxxx:7F98 95.d0 04.40 00.89 80.c1 E2.b8 03.b8 8E.03 46.e9
xxxx:7FA0 00.54 33.01
-w
Writing 8000 bytes
-q
A>RENAME B:MS.XXX,B:MS.EXE
That is all there is to it!
December 28, 1983
<> <> <> <> <> <> <> <> <> <> <>
I have just seen a new copy of Lotus 1-2-3 v1a that has a
modified protection scheme for which the currently published
unprotect scheme will not work. Here is a modified unprotect
that will work properly with both the old and new v1a releases
.....
1) Rename 123.exe to 123.xyx
2) Type (to DOS) the command
C> debug 123.xyx
3) Type (to debug) the command
-s 100 efff cd 13 (The "-" is a prompt from debug.)
4) Debug should respond with something like:
xxxx:ABA9 where xxxx is a hex number that may vary
5) Type
-e aba9 fb f9 (Use whatever debug gave you in the
-w last step instead of "aba9" if it is
-q different.)
6) Rename 123.xyx to 123.exe
For those of you who want to understand this, it is
replacing an "INT 13" instruction that checks the disk
in drive A: for some funny stuff with STI, STC instructions
A little while ago, there was a patch for 123.EXE listed here that
effectively unprotected the copy-protected disk and allowed hard-disk
to run without the floppy.
I just received the new version of Lotus 123 and retrofitted the patch
(it is a different technique). To unprotect 123.EXE Version 1A,
1. Rename 123.EXE 123.XYZ
2. DEBUG 123.XYZ
3. type U ABA9
4. you should see INT 13 at that address
5. type E ABA9 90 90
6. type W
7. type Q
8. Rename 123.XYZ 123.EXE
That's it. Good Luck.
<> <> <> <> <> <> <> <> <> <> <>
The following is a method to unprotect MultiLink Ver 2.06 to allow
booting directly from hard disk without the need to insert the
MultiLink distribution disk.
ENTER COMMENTS
------------------------- ---------------------------------------
C>copy mlink.com mlink.bak Make a backup first!
C>debug mlink.com Start debug session.
-u 2dfa Unassemble from address 2DFA.
You should see:
xxxx:2DFA CALL 2F01
xxxx:2DFD JNB 2E10
xxxx:2DFF MOV CX,2908
xxxx:2E02 CALL 2F01
xxxx:2E05 JNB 2E10
xxxx:2E07 DEC BYTE PTR [2E0F]
xxxx:2E0B JG 2DF2
xxxx:2E0D JMP 07C4
xxxx:2E10 XOR BYTE PTR [2E0D],32
xxxx:2E15 MOV AX,[23C4]
xxxx:2E18 CMP [2705],AX
If you don't see this, you have another
version. If so, enter 'q' to quit the
debug session. Otherwise, continue.
The instructions at
xxxx:2dfa, xxxx:2e02, and xxxx:2e1c
need to be replaced.
-e 2dfa f8 90 90 CALL 2F01 is replaced by CLC, NOP, NOP
-e 2e02 f8 90 90 CALL 2F01 is replaced by CLC, NOP, NOP
-e 2e1c 90 90 JNZ 2E0D is replaced by NOP, NOP
-w Save the changes to disk
-q End the debug session.
<> <> <> <> <> <> <> <> <> <> <>
In the spirit of a recent patch to unprotect LOTUS 1-2-3, I discovered
the same logic can be applied to unprotect MEMORY/SHIFT.
1. Rename MS.EXE MS.XYZ
2. DEBUG MS.XYZ
3. type U 1565
4. you should see INT 21 at that address
5. type E 1565 90 90
type E 1567 90 90
6. type W
7. type Q
8. Rename MS.XYZ MS.EXE
Finally, make sure command.com resides on the disk where MEMORY/
SHIFT is initiated.
65399 '** DONE - PRESS ENTER TO RETURN TO MENU **
There is another version of Lotus 123 also called Release 1A
but with a different copy-protection technique. It can be
identified by an "*" that displays on the first screen under
the "s" in the word "Release"
Release 1A
*
To unprotect this version so it can be run on a hard disk
without requiring the SYSTEM DISK in drive A, do the following:
1. RENAME 123.EXE 123.XYZ
2. DEBUG 123.XYZ
3. Type U AB8C press ENTER
You should see MOV CX,0002
if you don't, something is different and this won't work.
4. Type E AB8C C3 press ENTER
5. Type W
6. Type Q
7. RENAME 123.XYZ 123.EXE
That's it. It will now run from any drive. As always, this patch
is provided so that honest people don't have to suffer the
inconvienences imposed upon them by software manufacturers.
FOR THE USERS THAT HAVE 'CHARTMASTER' VER 6.04
<> <> <> <> <> <> <> <> <> <> <>
-------------------------------------------------------------------
FROM : THE A.S.P ; (Against Software Protection)
DATED : OCT 18,1984 (FIRST RELEASE)
ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020)
AND TO
LEE NELSONS BBS (PC-FORUM -404-761-3635)
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO
40 OR MORE HOURS ( 4+ HOURS FOR 'CHARTMASTER' ) OF
SINGLE STEPPING THRU CODE AND FIGURING OUT THE
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT
FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS)
OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED
TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME
AT NO COST TO YOU AND I DO NOT LOOK TO KINDLY TO SUCH BBS'S PUTTING ON
MY PROCEDURES AND THEN CHARGING U TO GET ACCESS TO THEM. THEY DIDNT SPEND
TIME AND COST (SAY 'X' HOURS * $40+) TO MAKE THE PROCEDURES AVAIL. , SO
I WOULD APPRECIATE THAT SUCH BOARDS DID NOT USE ANY OF THE 'A.S.P'S'
PROCEDURES, UNLESS THEY ARE WILLING TO PUT THEIR WORKS TRULY IN THE
PUBLIC DOMAIN.. ENOUGH SAID.. THANK YOU.
IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT
TIED INTO THE 'CHARTMASTER' DISKETTE...IN CASE YOUR ONLY COPY GOES BAD
. THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY.
AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY
IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY
YOUR PURCHASE LICENSE AGREEMENT.
IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH
WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF
'BIG MACS' TO GET YOUR HARD DISK.
FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0
LABEL IT ACCORDING TO THE ORIGINAL 'CHARTMASTER' SYSTEM DISKETTE
COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING
2.X OR 3.X FORMATTED DISKETTE
I WONT TELL U HOW TO USE DEBUG OR ANY 'PATCHER' PROGRAMS
ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING.
RENAME CM1.EXE CM1
DEBUG CM1
D CS:A67
YOU SHOULD SEE 75 03 E9 09 00
E CS:A67 90 90 E9 F7 01
D CS:D139
YOU SHOULD SEE 5F
E CS:D139 CB
W
Q
RENAME CM1 CM1.EXE
OTHER NOTES:
-------------------------------------------------------------------------
CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED
U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED
DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U
SET UP
SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST
AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT
TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING
SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT
ON A BBS, SO THAT U MAY USE THE NEWLY GLEAMED KNOWLEDGE.
ALSO IN SOME CASES THE PROGRAM STILL TRIES TO GO TO THE "A" AND "B"
DRIVES, SO I USED AN ASSIGN TO ASSIGN THEM TO THE 'C'. THIS PROBABLY CAN
BE OVERCOME WITH THE CORRECT CONFIGURATION PARAMETERS.
ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!!
<> <> <> <> <> <> <> <> <> <> <>
This is the procedure to unprotect the intregrated software package
called ENABLE , Vers 1.00
If you have a hard disk or want to create a backup copy that is not
tied to the original ENABLE system disk, this will remove the copy
protection completly.
This procedure is to be used by legitimate owners of ENABLE only,
as you are entitled to make a back up for archive purposes only.
You are bound by your licence agreement.
Format a blank disk using DOS 2 or 2.1 (Do not use the /s option.)
Label it the same as the original ENABLE system disk.
Copy the files from the original ENABLE system to the formatted
blank disk using *.* .
Place DOS system disk containing DEBUG in drive A:
Place the new copy of ENABLE in drive B:
DEBUG B:SYSTEM.TSG
S CS:0 L EFFF B8 01 04
(You should see)
XXXX:069C
XXXX:XXXX < this one doest matter!
(If you dont - type q and enter - you have a different version!)
(If you do)
E 69C (enter)
B. EB 01.2D 04.90 (enter)
W
Q
Now all the copy protection has been removed, and you may copy the
files as required.
All checks for specially formatted tracks has been removed.
Disk needs no longer to be in the A drive on start up.
***** UNPROTECT EZWRITER 1.1 ***** BY JPM - ORLANDO FLA
THIS PROGRAM IS TO HELP ALL OF YOU THAT HAVE FOUND THAT YOU
COPIED YOUR EZWRITER 1.1 BACKUP TO SINGLE SIDED DISKETTE
AND NOW YOU HAVE A DOUBLE SIDED DRIVE OR FIXED DISK,
OR RAM DISK AND YOU ARE UP THE I/O CHANNEL WITHOUT A BYTE.
THE WAY THE EZWRITER PROTECTION WORKS IS:
<> <> <> <> <> <> <> <> <> <> <>
1). A BAD TRACK IS CREATED ON THE DISKETTE (LAST TRACK)
SO THAT DISK COPY WOULD NOT WORK.
IT REALLY DOES WORK THOUGH, BUT THE BAD TRACK IS
IS NOT COPIED. THIS BAD TRACK IS THE KEY.
WITH OUT THE BAD TRACK , WHICH EZWRITE NEEDS TO READ
THE PROGRAM WILL NOT RUN.
2). EW1.COM IS READ IN (YOU DO THIS). EW1.COM INTURN
LOADS "IBM88VMI.COM", WHICH INTURN LOADS "TARGET.COM".
TARGET.COM IS THE GUTS OF EZWRITER.
"IBM88VMI.COM" CHECKS FOR THE BAD TRACK, AND IF IT
IS THERE LOADS "TARGET.COM" OTHERWISE BYE-BYE.
WHAT THIS SIMPLE PROGRAM DOES IS TELLS "IBM88VMI.COM"
TO IGNORE THE RESULTS OF THE CHECK FOR THE BAD TRACK.
THIS WAY AFTER YOU DO A "COPY *.*" OR "DISKCOPY"
YOU CAN THE USE AND MOVE THE EZWRITER PROGRAM TO ANY
MAGNETIC STORAGE MEDIA.
***************************************************************
TO MAKE A UNPROTECTED COPY OF EZWRITER:
1). PUT THE ORIGINAL OR BACKUP IN DRIVE "A"
2). PUT A FORMATED (SINGLE OR DOUBLE) DISKETTE IN DRIVE "B:"
3). COPY *.* B:
4). REMOVE EZWRITER FROM DRIVE "A:"
5). LOAD BASIC FROM "A:" AND ONCE IN BASIC LOAD THIS PROGRAM
6). RUNTHIS PROGRAM , LOW AND BEHOLD THE COPIED EZWRITER
DISKETTE IN DRIVE "B: SHOULD NOW BE UNPROTECTED AND
TRANSPORTABLE AS WELL AS TOTALLY FUNCTIONAL.
7). AS ALWAYS PUT YOUR BACKUP DISKETTES IN A SAFE PLACE
IN CASE OF PROBLEMS WITH THE COPIES.
SINCE YOU NOW HAVE A UNPROTECTED VERSION OF EZWRITER
THE COPIES SHOULD BE FOR YOUR USE ONLY. YOU ARE STILL
BOUND BY THE LICENSE AGREEMENT WHEN YOU PURCHASED THE
PACKAGE.
CLS
CLOSE
DEFINT A-Z
YOU SHOULD NOP RECORD(BYTE) 390 AND 391
THEY CONTAIN HEX(CD20) WHICH IS A BRANCH IF BAD TRACK NOT FOUND
THIS ONE LITTLE INSTRUCTION KEEPS YOU FROM RUNNING
THERE IS NO ERROR CHECKING DONE , SUCH AS FOR MISSING FILE,
WRITE PROTECTED DISKETTE OR OTHER POSSIBLE I/O ERRORS.
NOP$=CHR$(144)
BRANCH.BYTE1$=CHR$(205)
BRANCH.BYTE2$=CHR$(32)
OPEN "B:IBM88VMI.COM" AS #1 LEN=1
GET #1,390
FIELD 1,1 AS A$
BYTE$=A$
PRINT "VAULE READ FOR BYTE 390 WAS ";ASC(BYTE$)
IF BYTE$<>BRANCH.BYTE1$ THEN GOTO 770
LSET A$=NOP$
PUT 1,390
GET #1,391
FIELD 1,1 AS A$
BYTE$=A$
PRINT "VALUE READ FOR BYTE 391 WAS ";ASC(BYTE$)
IF BYTE$<>BRANCH.BYTE2$ THEN GOTO 770
LSET A$=NOP$
PUT 1,391
CLOSE
END
PRINT "THE BYTE YOU WERE TRYING TO NOP WAS ";ASC(BYTE$)
PRINT "THE BYTE SHOULD HAVE BEEN EITHER 32 OR 205"
PRINT "IF THE BYTE READ WAS 144 YOU HAVE PROBABLY"
PRINT "UNPROTECTED THE PROGRAM ONCE BEFORE"
PRINT "IF PROBLEMS GOTO YOUR BACKUP DISKETTES"
<> <> <> <> <> <> <> <> <> <> <>
To make a backup of Microsoft Flight Simulator 1.00,
do the following:
*Take un UNFORMATTED (never used) disk and place it in drive B.
*Place your DOS disk (which has DEBUG) into drive A.
A>DEBUG
-E CS:0000 B9 01 00 BA 01 00 BB 00
01 0E 07 06 1F 88 E8 53
5F AA 83 C7 03 81 FF 1C
01 76 F6 B8 08 05 CD 13
73 01 90 FE C5 80 FD 0C
76 E1 90 CD 20
-E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 00 00 04 02
00 00 05 02 00 00 06 02 00 00 07 02 00 00 08 02
-R IP
xxxx
:0000 <-- YOU ENTER THIS, NOW INSERT FLT. SIM DISK INTO A:
-G =CS:0000 CS:22 CS:2A
-E CS:02 0E
-E CS:27 19
-G =CS:0000 CS:22 CS:2A
-E CS:02 27
-E CS:27 27
-G =CS:0000 CS:22 CS:2A
-L DS:0000 0 0 40
-W DS:0000 1 0 40
-L DS:0000 0 40 28
-W DS:0000 1 70 30
-L DS:0000 0 A0 30
-W DS:0000 1 A0 30
-L DS:0000 0 138 8
-W DS:0000 1 138 8
-Q
A>
*Now write protect the new disk.
*This procedure may not work on the version which has color on RGB monitors.
To make a backup of Microsoft Flight Simulator 1.00,
do the following:
*Take un UNFORMATTED (never used) disk and place it in drive B.
*Place your DOS disk (which has DEBUG) into drive A.
A>DEBUG
-E CS:0000 B9 01 00 BA 01 00 BB 00
01 0E 07 06 1F 88 E8 53
5F AA 83 C7 03 81 FF 1C
01 76 F6 B8 08 05 CD 13
73 01 90 FE C5 80 FD 0C
76 E1 90 CD 20
-E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 00 00 04 02
00 00 05 02 00 00 06 02 00 00 07 02 00 00 08 02
-R IP
xxxx
:0000 <-- YOU ENTER THIS, NOW INSERT FLT. SIM DISK INTO A:
-G =CS:0000 CS:22 CS:2A
-E CS:02 0E
-E CS:27 19
-G =CS:0000 CS:22 CS:2A
-E CS:02 27
-E CS:27 27
-G =CS:0000 CS:22 CS:2A
-L DS:0000 0 0 40
-W DS:0000 1 0 40
-L DS:0000 0 40 28
-W DS:0000 1 70 30
-L DS:0000 0 A0 30
-W DS:0000 1 A0 30
-L DS:0000 0 138 8
-W DS:0000 1 138 8
-Q
A>
*Now write protect the new disk.
*This procedure may not work on the version which has color on RGB monitors.
The following fix will eliminiate the bothersome requirement to
insert the FOCUS "activator" diskette in the A-drive everytime you
bring FOCUS up. This change was made to a version of FOCUS
that had file dates of 05/11/84. Be sure that you verify the code
that is in place before applying this zap.
RENAME FCPCINIT.EXE FCPCINIT.XXX
DEBUG FCPCINIT.XXX
U 22AB L 5
(You should see "9A C5 02 14 02 CALL 0214:02C5" display on the screen)
E 22AB 90 90 90 90 90
W
Q
RENAME FCPCINIT.XXX FCPCINIT.EXE
That all there is to it. Have fun.
The Ancient Mariner
Note added 6 DEC 84
Same procedure continues to work, only 5 bytes want to no-op
are at location 0C57:23E0
What you see at that location is CALL 021C:02C5
<-----<<END>>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
***************************************************
*** Pirate Magazine Issue III-3 / File 7 of 9 ***
*** Cracking Tips (Part 5) ***
***************************************************
In this file: Graphwriter 4.21
TheDraw
SideKick 1.00A
PFS Report
PCDRAW 1.4
Signmaster
FOR THE USERS THAT HAVE 'GRAPHWRITER' VER 4.21
-------------------------------------------------------------------
FROM : THE A.S.P ; (Against Software Protection)
DATED : OCT 19,1984 (FIRST RELEASE)
ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020)
AND TO
LEE NELSONS BBS (PC-FORUM -404-761-3635)
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO
___________________________________________________________________
40 OR MORE HOURS ( 8+ HOURS FOR 'GRAPHWRITER' ) OF
SINGLE STEPPING THRU CODE AND FIGURING OUT THE
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT
FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS)
OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED
TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME
AT NO COST TO YOU AND I DO NOT LOOK TO KINDLY TO SUCH BBS'S PUTTING ON
in. Thanks John Roswick, Bismarck.
Keywords: SIDEKICK PROKEY PATCH FIX BUGS COMPATIBILITY BORLAND
<> <> <> <> <> <> <> <> <> <> <>
UNPROTECT FOR -SIDEKICK-
Attention Sidekick/Prokey users ! We at Borland were having
trouble getting Sidekick to be compatible with Rosesoft's Prokey and
as many of you Prokey users out there know everything locked up when the
two got together. The reason Prokey does not work is because it trashes
some of the registers when running and confuses Sidekick as to make your
terminal go down. Enclosed is the portion of Prokey which does this.
0730 2EF606D402FF TEST CS:BYTE PTR [02D4H],OFFH
0736 7409 JE 0741H
0738 2EFF2EC602 JMP CS:DWORD PTR [02C6H]
073D 5B POP BX
073E 1F POP DS
073F EBF7 JMP SHORT 0738H
0741 1E PUSH DS
0742 53 PUSH BX
0743 8CCB MOV BX,CS
0745 8EDB MOV DS,BX
0747 FB STI
0748 C5053D0100 MOV BYTE PTR [013DH],00H
074D 803E660400 CMP BYTE PTR [0466H],00H
0752 7420 JE 0774H
0754 833E670400 CMP WORD PTR [0469H],00H
0759 7507 JNE 0762H
075B 833E670400 CMP WORD PTR [0467H],00H
0760 740D JE 076FH
0762 832E670401 SUB WORD PTR [0467H],01H
0767 831E690400 SBB WORD PTR [0469H],00H
076C EB06 JMP SHORT 0774H
076E 90 NOP
076F C606660400 MOV BYTE PTR [0466H],00H
0774 803E530400 CMP BYTE PTR [0466H],00H
0779 74C2 JE 037DH
077B 833E662400 CMP WORD PTR [2466H],00H
0780 7507 JNE 0789H
0782 833E682400 CMP WORD PTR [2468H],00H
0787 740C JE 0795H
0789 832E682401 SUB WORD PTR [2468H],01H
078E 831E662400 SBB WORD PTR [2466H],00H
0793 EBA8 JMP SHORT 073DH
0795 E8841D CALL 251CH ;HMMM !
0798 EBA3 JMP SHORT 073DH
THE SAGA CONTINUES ...
251C 50 PUSH AX
251D 1E PUSH DS
251E A05304 MOV AL,[0453H]
2521 3C01 CMP AL,01H
2523 7407 JE 252CH
2525 3C02 CMP AL,02H
2527 743F JE 2568H
2529 1F POP DS
252A 58 POP AX
252B C3 RET ?NEAR
252C BD9D2D MOV BP,2D9DH BP DESTROYED
252F E8480E CALL 337AH
2532 A16C24 MOV AX,[246CH]
2535 A39D2D MOV [2D9DH],AX
2538 BD9D2D MOV BP,2D9DH
253B E8E30D CALL 3321H
253E BD9D2D MOV BP,2D9DH
2541 BEE023 MOV SI,23E0H SI DESTROYED
2544 B601 MOV DH,01H DX DESTROYED
2546 B201 MOV DL,01H (BUT WILL BE RESTORED
2548 E8230C CALL 317FH BY THE BIOS)
254B E88407 CALL 2CD2H
254E 8B366024 MOV SI,[2460H]
2552 387D07 CALL 2CD2H
2555 A16224 MOV AX,[2462H]
2558 A36824 MOV [2468H],AX
255B C70666240000 MOV WORD PTR [2466H],000H
2561 C606530402 MOV BYTE PTR [0453H],02H
2566 EBC1 JMP SHORT 2529H
2568 BD9D2D MOV BP,2D9DH
256B E80C0E CALL 337AH
256E C606530400 MOV BYTE PTR [0453H],00H
2573 EBB4 JMP SHORT 2529H
.
.
Prokey does not save and restore all registers when trapping interrupt
1C. The reason why this error occurs at a higher frequency when using
Sidekick is beyond this discussion. However, to verify the error try the
following:
1. Start Prokey
2. Define a key recursively
3. Notice prokey now issues an error message
4. terminate definition (fast...)
5. press return 100 times
6. if prokey did not crash repeat step 2-6
Register destroying occurs when Prokey is flashing error message. You must
terminate and press return as fast as possible, and be logged on a floppy
drive (important: let your prompt show the active directory in order to let
dos read on the disk).
The following program establishes a trap at interrupt 8 (to make sure Prokey
or others does not overwrite it, bios int 8 then activates 1C).
CODE SEGMENT
ASSUME CS:CODE
ORG 100H
START PROC
JMP SHORT SETUP
START ENDP
INT08SAVE DD
INT08TRAP PROC FAR
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH BP
PUSH DS
PUSH ES
PUSHF
CALL INT08SAVE
POP ES
POP DS
POP BP
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
IRET
INT08TRAP ENDP
EOTRAP:
SETUP PROC
MOV DS,AX
MOV SI,20H
CLI
LES AX,DWORD PTR[SI]
MOV WORD PTR INT08SAVE,AX
MOV WORD PT
MOV WORD PTR [SI],OFFSET INT08TRAP
MOV [SI+2],CS
STI
MOV DX,OFFSET EOTRAP+1
SETUP ENDP
CODE ENDS
END START
It may be faster to enter the following bytes using debug and writing them
to the file profix.com, thus saving your original prokey file:
e100
0100: EB 1D 00 00 00 00 50 53 51 52 56 57 55 1E 06 9C
0110: 2E FF 1E 02 01 07 1F 5D 5F 5E 5A 59 5B 58 CF 33
0120: C0 8E D8 BE 2
0 00 FA C4 04 2E A3 02 01 2E 8C 06
0130: 04 01 C7 04 06 01 8C 4C 02 FB BA 20 01 CD 27
RCX
3F
NPROFIX.COM
W
NOW USE PROFIX INSTEAD OF PROKEY
NOTE: THIS MAY NOT BE THE COMPLETE SOLUTION AS THE WORD STILL DOES NOT
WORK WITH PROKEY. FURTHERMORE THIS HAS ONLY BEEN TESTED USING PROKEY
VERSION 3.0 - OLDER VERSIONS MAY HAVE OTHER BUGS!
INSTRUCTIONS FOR UNPROTECTING PFS-FILE AND PFS-REPORT.
IMPORTANT! COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST.
DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! (USE THE USUAL DOS
COPY COMMAND)
FOR PFS-FILE:
RENAME FILE.EXE TO FILE.ZAP
HAVE DEBUG.COM HANDY
TYPE -> DEBUG FILE.ZAP
TYPE -> U 9243
YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP
MOV AX,DS
MOV ES,AX
(ETC)
IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION)
OTHERWISE,
TYPE -> E 9248 EB 2B
TYPE -> W
TYPE -> Q
BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE. YOU NOW HAVE AN UNPROTECTED
COPY OF PFS-FILE.
FOR PFS-REPORT:
RENAME REPORT.EXE TO REPORT.ZAP
HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP
TYPE -> U 98BF
YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP
MOV AX,DS
MOV ES,AX
(ETC)
IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION)
OTHERWISE,
TYPE -> E 98C4 EB 2B
TYPE -> W
TYPE -> Q
BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE. YOU NOW HAVE AN
UNPROTECTED COPY OF PFS-REPORT.
For those of you whose PFS:FILE and PFS:REPORT do not match the other
PFS zaps on this board, try these:
----------------------------------------------------------------------
For PFS:FILE, copy FILE.EXE to another disk, and do:
RENAME FILE.EXE FILE.ZAP
DEBUG FILE.ZAP
U 9213
should show ... PUSH BP
MOV CX,0004
which is the first part of a timing loop.
if it doesn't, quit; else do:
E 9217 EB 18
U 9213
should show ... PUSH BP
MOV CX,0004
JMP 9231
if so, do:
W
Q
RENAME FILE.ZAP FILE.EXE
----------------------------------------------------------------------
For PFS:REPORT, copy REPORT.EXE to another disk, and do:
RENAME REPORT.EXE REPORT.ZAP
DEBUG REPORT.ZAP
U 9875
should show ... PUSH BP
MOV AX,DS
MOV ES,AX
if it doesn't, quit; else do:
E 987A EB 11
U 9875
should show ... PUSH BP
MOV AX,DS
MOV ES,AX
JMP 988D
if so, do:
W
Q
RENAME REPORT.ZAP REPORT.EXE
----------------------------------------------------------------------
if everything was OK, your new versions of PFS:FILE and PFS:REPORT
should run just fine without the original diskettes.
----------------------------------------------------------------------
Zaps provided by Lazarus Associates
<> <> <> <> <> <> <> <> <> <> <>
----------------------------------------------------------UNPROTECT IBM PERSONAL
1. REN MCEMAIL.EXE X
2. DEBUG X DOS 2.xx Version
3. A EB47 JMP EB4F (was JNZ EB4F)
4. A EBEF NOP NOP (was JZ EC0B)
5. A EC06 NOP NOP (was JNZ EC0B)
6. W
7. Q
8. REN X MCEMAIL.EXE
IMPORTANT! All copies of PCM must have this patch
(i.e. the programs on both ends of a connection).
This has been tested on a PCjr and PC.
<> <> <> <> <> <> <> <> <> <> <>
FOR THE USERS THAT HAVE 'PC-DRAW' V1.4
------------------------------------------
FROM : THE A.S.P ; (Against Software Protection)
ORIGINALLY SUBMITTED TO ASA FULTONS BBS - SHINING SUN :305-273-0020
AND WHIT WYANTS BBS - PC-CONNECT :203-966-8869
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO
(+1 HOURS FOR PC-DRAW V1.4)
40 OR MORE HOURS OF SINGLE STEPPING THRU CODE AND FIGURING OUT THE
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT
FOR MY LOST SLEEP.... THE A.S.P... ORLANDO FLA. (J P , TO HIS FRIENDS)
IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT
TIED INTO THE PC-DRAW DISKETTE...IN CASE YOUR ONLY COPY GOES BAD
. THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY....
AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY
IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY
YOUR PURCHASE LICENSE AGREEMENT.
IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH
WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF
'BIG MACS' TO GET YOUR HARD DISK.
THIS WRITE UP ASSUMES THAT YOU ARE FAMILIAR WITH DEBUG,
1). FORMAT A CORRESPONDING EQUAL NUMBER OF DOS2.0 OR 2.1 DISKS
AS SYSTEM DISKS
2). LABEL EACH OF THE 2.X FORMATTED DISKS THE SAME AS EACH ONE OF
THE ORIGINAL 'PC-DRAW' DISKS
3). COPY THE FILES FROM THE ORIGINAL DISKS TO THE 2.X FORMATTED DISK
ON A ONE FOR ONE BASIS, USING 'COPY' COMMAND
4). PLACE THE ORIGINAL DISKS IN A SAFE PLACE, WE DONT NEED THEM ANY MORE.
5). PLACE 'DISK 1' IN THE 'A' DRIVE
6). RENAME PC-DRAW.EXE PC-DRAW
7). DEBUG PC-DRAW
8) ENTER -S CS:100 L EFFF CD 13
9). FIRST YOU SHOULD SEE THE FOLLOWING CODE AT ADDRESS
CS:4D45 CD 13 INT 13
IF U DONT U MAY HAVE A DIFFERENT VERSION SO DONT PROCEED ANY FARTHER,
ENTER THE CHANGE TO CHANGE "INT 13" TO "NOP" AND "STC", AND FORCE A JUMP
10). ENTER -E 4D45 90 F9 EB 28
11). ENTER -W
12). ENTER -Q
13). RENAME PC-DRAW PC-DRAW.EXE
NOTE: PC-DRAW IS NOW COMPLETELY UNPROTECTED.
IF U WANT TO USE 'PC-DRAW' FROM HARD DISK OR RAM DISK U MUST USE THE
CORRECT 'ASSIGN=', SINCE 'PC-DRAW' APPEARS TO HAVE DRIVES HARD CODED.
ALSO FOR V1.2 AND 1.3 THE BAD TRACK CHECK WAS IN DIAGRAM.EXE,
NOTE THAT THE CHECK IS NOW DONE IN PC-DRAW.EXE.
ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!!
END OF TRANSFER - PRESS ENTER TO RETURN TO MENU
This procedure will unprotect the version 1.10A of SIDEKICK.
Many thanks to the individual who provided the procedure
for the version 1.00A.
The only major difference between the two versions is the offset
address of the instructions to be modified.
Using DEBUG on SK.COM, NOP out the CALL 8C1E at location 07CA ----+
|
Change the OR AL,AL at 07D9 to OR AL,01 --------+ |
| |
.....and that's it! | |
| |
(BEFORE ZAP) | |
78A7:07CA E85184 CALL 8C1E <----------------------------+
78A7:07CD 2E CS: | |
78A7:07CE 8E163E02 MOV SS,[023E] | |
78A7:07D2 2E CS: | |
78A7:07D3 8B264002 MOV SP,[0240] | |
78A7:07D7 1F POP DS | |
78A7:07D8 59 POP CX | |
78A7:07D9 0AC0 OR AL,AL <----------+ |
| |
(AFTER ZAP) | |
78A7:07CA 90 NOP <-----------------------------+
78A7:07CB 90 NOP <-----------------------------+
78A7:07CC 90 NOP <-----------------------------+
78A7:07CD 2E CS: |
78A7:07CE 8E163E02 MOV SS,[023E] |
78A7:07D2 2E CS: |
78A7:07D3 8B264002 MOV SP,[0240] |
78A7:07D7 1F POP DS |
78A7:07D8 59 POP CX |
78A7:07D9 0C01 OR AL,01 <----------+
-------------------------------------------------------------------
<> <> <> <> <> <> <> <> <> <> <>
UNPROTECT FOR -SIGNMASTER
FROM : THE A.S.P ; (Against Software Protection)
1). FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0
2). LABEL IT ACCORDING TO THE ORIGINAL 'SIGNMASTER' SYSTEM DISKETTE
3). COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING
2.X OR 3.X FORMATTED DISKETTE
4). I WONT TELL U HOW TO USE DEBUG OR ANY 'PATCHER' PROGRAMS
ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING.
5). RENAME SIGN.EXE SIGN
6). DEBUG SIGN
7). D CS:99C
YOU SHOULD SEE 75 03 E9 09
E CS:99C 90 90 EB 1F
D CS:D407
YOU SHOULD SEE 5F
E CS:D407 CB
W
Q
8). RENAME SIGN SIGN.EXE
OTHER NOTES:
-------------------------------------------------------------------------
1). CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED
2). U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED
DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U
SET UP
3). SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST
AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT
TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING
SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT
ON A BBS, SO THAT U MAY USE THE NEWLY GLEAMED KNOWLEDGE.
This is the procedure for bypassing the copy protection scheme used by
SIDEKICK, version 1.00A.
Using DEBUG on SK.COM, NOP out the CALL 8780 at location 071A ----+
|
Change the OR AL,AL at 072D to OR AL,01 --------+ |
| |
.....and that's it! | |
| |
(BEFORE ZAP) | |
78A7:071A E86380 CALL 8780 <----------------------------+
78A7:071D 2E CS: | |
78A7:071E 8E163D02 MOV SS,[023D] | |
78A7:0722 2E CS: | |
78A7:0723 8B263F02 MOV SP,[023F] | |
78A7:0727 1F POP DS | |
78A7:0728 59 POP CX | |
78A7:0729 880E1300 MOV [0013],CL | |
78A7:072D 0AC0 OR AL,AL <----------+ |
| |
(AFTER ZAP) | |
78A7:071A 90 NOP <-----------------------------+
78A7:071B 90 NOP <-----------------------------+
78A7:071C 90 NOP <-----------------------------+
78A7:071D 2E CS: |
78A7:071E 8E163D02 MOV SS,[023D] |
78A7:0722 2E CS: |
78A7:0723 8B263F02 MOV SP,[023F] |
78A7:0727 1F POP DS |
78A7:0728 59 POP CX |
78A7:0729 880E1300 MOV [0013],CL |
78A7:072D 0C01 OR AL,01 <----------+
<> <> <> <> <> <> <> <> <> <> <>
What follows is an unprotect scheme for version 1.11C of Borland
International's Sidekick. The basic procedure is the same as
that for version 1.1A with just location differences. So the
only credit I can take is for finding the new locations! This is
(of course), provided only for legal owners of Sidekick!! Also,
make sure you 'DEBUG' a copy NOT the original!
DEBUG SK.COM <ENTER>
-U 801 <ENTER>
-E 801 <ENTER>
you will then see:
25E5:0801 E8.
90 <ENTER>
repeat for 802 and 803:
-E 802 <ENTER>
90 <ENTER>
-E 803 <ENTER>
90 <ENTER>
then:
-A 810 <ENTER>
OR AL,01 <ENTER>
<ENTER>
-U 801 <ENTER>
you should then see (among other things):
XXXX:801 90 NOP
XXXX:802 90 NOP
XXXX:803 90 NOP
XXXX:810 0C01 OR AL,01
if so:
-W <ENTER>
-Q <ENTER>
if not:
-Q <ENTER>
+++++++++++++++++++++++++++++++++++++++++++++++++++++
For SKN.COM, SKM.COM and SKC.COM the unprotect is the same
but at the following locations:
SK SKN SKM SKC
--- --- --- ---
801 7DF 76F 7BC
802 7E0 770 7BD
803 7E1 771 7BE
810 7EE 77E 7CB
To unprotect SKC.COM you would 'DEBUG SKC.COM' and then replace
any occurence of '801' with '7BC'; '802' with '7BD' and so on.
GOOD LUCK!
* * * * * * * * * * * *
* * * * * * * * * * * *
This is an explanation of the internal workings of Print.Com, a file
included in DOS for the IBM PC and compatibles. It explains how this
program fails to do its part to insure integrity of all registers. For
this reason some trouble was being experienced while using both SideKick
and Print.
op
The timer tick generates an interrupt 8 18.2 per second. When SK
is not active, this interrupt is handled by the Bios as follows:
It pushes all registers used by the routine (AX among others.)
It updates the system timer count.
It updates the disk motor timer count.
It generates an int 1C.
When the spooler is active, it has placed a vector at int 1C,
pointing at the spooler's code. The spooler is therefore
activated in the middle of the int 8 handling. The cause of the
SK received the int 8 and calls the bios int 8 routine to make
sure that the timer tick is properly handles. The bios int 8
me as above:
It pushes all registers used by the routine (AX among others).
It updates the system timer count.
It updates the disk motor timer count.
It generates an int 10.
SK has replaced the vector that the spooler placed here with a
IRET, so nothing happens. This is because we cannot allow the
timer tick to pass through to programs which use it, for example
to write on the screen.
It generates an end-of-interrupt to the interrupt controler.
It pops the registers that were pushed.
It does an interrupt return.
Back in SK's int 8 routine we make a call to the address that was
stored at int 10 when SK was first started. In this way he still
services any resident programs that were loaded before SK. With
the spooler active we therefore make a call to the spooler.
The spooler again corrupts the AX register because it uses it
without saving it first.
Back in SK we have no way of restoring the original contents of
the AX register because we did not save it (why should we, we
don't use it.)
In short, the root of the trouble is that the spooler destroys
the AX register. The fact that the Bio's int 8 routine saves and
stores it is pure coincidence.
I quote from the Technical Reference Manual, Pages 2-5, Section
Interrupt Hex 1C-timer tick:
"It is the responsibility of the application to save and restore
all registers that will be modified."
Relying on a version of the Bios which happens to save register
AX is bad programming practice. However, the guy who wrote the
print spooler did not rely on this because at another point in
his program he does correctly save AX. Obviously he simply
forgot and fortunately for him the Bios saved him.
The following patch will fix the problem:
SK.COM unprotected version change 7F8: 55 to 7F8: 50
SK.COM unprotected version change 805: 5D to 805: 58
SK.COM protected version change 801: 55 to 801: 50
SK.COM protected version change 80E: 5D to 80E: 58
Also on both above change 012C: 41 to 012C: 42
UNPROTECT IBM TIME MANAGER (80 Column Version) Version 1.00 -
1. Have a formatted, blank disk ready if copying to a floppy. Hard
disk is OK, also.
2. Startup DEBUG from drive A. Just type DEBUG <enter>
3. Place the TIME MANAGER program disk in drive A.
4. Type L 600 0 A5 40 <enter>
5. Type F 100,600 90 <enter>
6. Type RCX <enter>
7. Type 8000 <enter>
8. Place the formated, blank floppy in drive B
9. Type NTM.COM <enter>
10. Type W <enter>
11. Type Q <enter>
That's it. You now have the 80-column version of Time Manager on the
disk in Drive B. It is called TM.COM and can be started by simply
typing TM.
BE AWARE!!! - the data diskette is non-dos and cannot be placed on a
hard disk. Also, while the program itself can be loaded from any drive
letter (A-Z), the data disk can only be on drives A or B.
The data disk is not protected and may be copied with DISKCOPY.
For the 40-column version, replace line4 with:
4. Type L 600 0 65 40 <enter>
All others steps are the same.
If you wish to have both a 40 and 80 column version, change line 9
so that the name is descriptive of the version, i.e. NTM40.COM or
NTM80.COM.
<-----<<END>>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
*** Pirate Magazine Issue III-3 / File 8 of 9 ***
*** Cracking Tips (Part 6) ***
***************************************************
In this file: Lotus 123
Visicalc
Microsoft word 1.1
ZORK
Trivia Fever
Wordstar 2000 1.00
dBase 3
PFS programs
Double Dos
UNPROTECTING LOTUS 1-2-3
1-2-3 Release 1-A
-----------------
1. Rename 123.exe 123.xyz
2. DEBUG 123.xyz
3. Type U ABA9
4. You should see INT 13 at this address
5. Type E ABA9 90 90
6. Type W
7. Type Q
8. Rename 123.xyz 123.exe
1-2-3 Release 1
---------------
1. Rename 123.exe 123.xyz
2. DEBUG 123.xyz
3. Type S DS:100 FFFF E8 BE 71
The system will respond with xxxx:3666 where xxxx can vary
4. Type E xxxx:3666 90 90 90 (xxxx is the number from above)
5. Type W
6. Type Q
7. Rename 123.xyz 123.exe
Compliments of THE BIG APPLE BBS (212) 975-0046
<> <> <> <> <> <> <> <> <> <> <>
[[This patch was extracted from the PHOENIX IBM-PC Software
Library newsletter. They received it from the HAL-PC users group of
Houston, TX. Corrected by Jack Wright. Many thanks to them.]]
**** CONVERT VISICALC TO A .COM FILE ****
USE THE FOLLOWING PROCEDURE TO TRANSFER THE 80-COLUMN VISICALC PROGRAM
FROM THE VISICALC DISK AND WRITE A STANDARD .COM FILE WHICH MAY BE
FORMAT A DISK AS FOLLOWS: (FORMAT B:/S(ENTER)).
START THE DEBUG SYSTEM.
INSERT THE VISICALC DISK IN DRIVE A:
THEN TYPE:
-L 100 0 138 2 (LOAD THE VC80 LOAD/DECRYPTER)
-M 0 3FF 7000 (DUPLICATE IT IN HIGHER MEMORY)
-R CS (INSPECT COMMAND SEGMENT REGISTER)
DEBUG WILL RESPOND WITH THE CONTENTS OF THE CS REGISTER (eg. 04B5) AND
PROMPT WITH A COLON (:). TYPE THE OLD CONTENTS + 700 (HEX). (eg. 04B5
BECOMES 0BB5). DO THE SAME WITH THE 'DS' REGISTER.
DEBUG response to R CS might be:
CS 04B5 <-Save the value you get, we'll need it later.
:0BB5 <-Type in your CS value + 700hex here
-R DS <-Type
DS 04B5
:0BB5 <-Type in your DS value + 700hex here
NEXT:
Take the low order byte of the CS you saved above and substitute it
for LL in the next line. Substitute the high order byte for HH:
-E 107 LL HH (ENTER BYTE-FLIPPED CS) Ex: -E 107 B5 04
-E 24D BB A8 00 90 (HARD-WIRE THE DECRYPTION KEY)
NOW, WE MUST RUN THE LOADER/DECRYPTER, TYPE:
-G =1B8 26B (EXECUTE FROM 1B8 TO 26B)
THE ENTIRE PROGRAM WILL NOW BE LOADED AND DECRYPTED AND A REGISTER DUMP
SHOULD APPEAR ON THE SCREEN. NOW RESTORE CS AND DS TO THEIR PREVIOUS
VALUES AND SET THE FILE LENGTH IN CX. Set BX=0:
-R CS
CS 0BB5 <-Yours might be different
:04B5 <-Type in the value of CS you saved above
-R DS
DS 0BB5
:04B5 <-Type in the value of DS you saved above
-R BX
BX F3FD
:0
-R CX
CX 0000
:6B64 (LENGTH = 6B64 FOR VERSION 1.1, 6802 FOR VERSION 1.0)
NOW WE MUST NAME THE FILE, WRITE IT AND EXIT.
REMOVE THE VISICALC DISK FROM A:
INSERT THE NEW, FORMATTED, EMPTY DISK IN A:
TYPE:
-N VC.COM (OR WHATEVER YOU WISH TO NAME IT)
-W (WRITE THE .COM FILE)
-Q (EXIT FROM DEBUG)
***YOU ARE DONE*****
Back in DOS, type VC to try it.
The protection scheme for MS WORD is quite good. The last track
is formatted with 256 byte sectors. One sector, however, has
an ID that says it is a 1K sector. If you try to read it as a 256
byte sector, you'll get a sector not found. You can read it as a
1K sector with a guaranteed CRC error, and you will get the data
and other sector overhead from 3+ sectors. They read it as 1K, and
use the bytes after the first 256 for decryption. These bytes
constitute the post-amble of the sector, the inter-sector gap, and
the preamble to the next 256 byte sector. If it's not formatted
with the correct inter-sector gap, the decryption key is
different and the incorrectly decoded program bombs.
The best way around this is to modify the MWCOPY program so it
will let you make more than one copy. The below mods will let
you make as many backups as you want (and you can leave the
write protect tab on your master disk). Of course, this method
should only be used by registered owners of Word. If you, or any
of your IMF force is killed, the secretary will disavow any
knowledge of these patches.
We will copy MWCOPY to another disk, using another name (MWCP) so
you'll know it's the special version, and then modify MWCP.
(with master disk in A:, B: has any disk with debug on it)
A>copy mwcopy.com b:mwcp.com
B>debug mwcp.com
-e103
xxxx:0103 0x.00
-e148
xxxx:0148 A5.a7
-e194
xxxx:0194 02.04
-e32a
xxxx:032A 1C.1e
-e32e
xxxx:032E 1C.1e
-e3372
xxxx:3372 01.03
-ecfe
xxxx:0CFE CD.90<space>26.90<space>
xxxx:0D00 5B.90
-e4ab
xxxx:04AB 1B.84
-e69a
xxxx:069A C1.b9<space>38.ff<space>28.b9
-e7b3
xxxx:07B3 A2.5f<space>08.e9
-e66f
xxxx:066F E5.d8<space>
xxxx:0670 94.29<space>90.ff<space>29.b9
Writing 332D bytes
-q
B>mwcp (try making a copy..remember,
leave the write-protect on the master)
(Just follow the prompts in the program, except when they ask
you to remove the write protect tab)
I think this will also work for the hard disk copy portion. Another
way to unprotect Word gets rid of the need for any weird disk formats.
But it is MUCH more complicated to do. Enjoy!
<> <> <> <> <> <> <> <> <> <> <>
Unprotection for Microsoft "WORD" Version 1.1 using the
Ultra-utilities (U-Format and U-Zap). June 22, 1984
The following information is presented for those legitimate
owners who feel somewhat insecure when the availability of an
important program is dependent on the survival of a single floppy
disk.
Microsoft's WORD uses a very good protection method. This
consists of a track (Side 1, Track 39) which is formatted with
twelve sectors. Sectors 1,2,3,4,6,7,8,9,10 & 11 are all 256 byte
sectors. Sector 5 is formatted as a 1024 byte sector with a
inherent CRC error. The sectors on this track have an ASCII text
on the subjects of not stealing software and the names of the
people who worked on the development of the WORD package.
Sectors 1,2,3 & 4, while presenting an interesting message, do
not directly affect the copy protection scheme. They would
appear to be a "red herring", to divert attention from the actual
protection area.
Earlier versions of WORD were supplied with a program called
MWCOPY.COM which permitted a single floppy disk copy and a single
hard disk copy. If you have these versions use WORD.UNP or
WORDNEW.UNP which can be found on many BBS's.
Version 1.1 is furnished with a single back-up floppy and the
utility programs furnished are MWCOPY1.COM, MWCOPY.BAT, and
MWCOPY2.BAT. These programs only permit a one-time copy to a hard
disk. No provision is included for a floppy copy.
To make a floppy copy you will need the Ultra-Utilities, a
userware set of programs available on many BBS's. Of this set you
specifically need U-FORMAT.EXE and U-ZAP.EXE.
1) Place a write protect tab on your copy of WORD.
2) Make a copy of WORD with the standard DOS DISKCOPY command.
(NOTE: There are hidden files, so the use of COPY will
not work.
DISKCOPY will report "Unrecoverable read errors on source
Track 39 Side 1". Just ignore this.
3) Start the U-FORMAT.EXE program. This can be done by removing
the WORD disk and inserting your Ultra-Utilities disk. Once
U-Format is started you can remove the Ultra-utilities disk
and return the WORD disk to the drive.
4) Select #5 (Display Radix) from the U-Format menu and change to
decimal display.
5) Select #4 (Display/Modify Disk Parameter Table) and set the
following:
#4 Bytes per sector = 001
#5 Highest sector number per track = 012
#8 Formatting gap length = 010
All other values remain at the default settings.
Quit to the main menu.
6) Select menu item #3 (Format a Non-Standard Track)
The program will ask if you intend to format a track with 12
sectors. Answer = YES
The program will then ask for the following information:
SIDE = 1
DRIVE = (enter letter of the drive with the COPY disk)
TRACK = 39
The program will then prompt for the following information:
Physical Sector # Logical Sector # Sector Size
1 1 1
2 2 1
3 3 1
4 4 1
5 5 3
6 6 1
7 7 1
8 8 1
9 9 1
10 10 1
11 11 1
12 12 1
After pressing "enter" in response to the prompt, you may exit
U-Format.
7) Start the U-ZAP.EXE program. This can be done by removing
the WORD disk and inserting your Ultra-Utilities disk. Once
U-Zap is started you can remove the Ultra-utilities disk
and return the WORD disk to the drive.
8) Select #8 (Display Radix) from the U-Format menu and change to
decimal display.
9) Select #11 (Display/Modify Disk Parameter Table) and set the
following:
#4 Bytes per sector = 001
#5 Highest sector number per track = 012
All other values remain at the default settings.
Quit to the main menu.
10) Select #3 (Copy Disk Sectors) and use the following
information:
SOURCE DISK DESTINATION DISK
SIDE = 1 SIDE = 1
DRIVE = (enter drive letter DRIVE = (enter drive letter
for WORD disk) for COPY disk)
TRACK = 39 TRACK = 39
SECTOR = 6 SECTOR = 6
NUMBER OF SECTORS TO COPY = 7
The program will report "Sector Not Found"... "Re-Try (Y/N)"
Answer = NO
The program will then ask how many sides for the disk.
Answer = 2
The program will then show the copy process.
(NOTE: DO NOT copy the information from sectors 1,2,3,4,
or 5.)
You may then quit from U-zap to DOS.
YOUR' DONE.
The copy disk should workHow to backup Infocom's ZORK III game:
*Insert DOS disk in drive A
A>DISKCOPY A: B: <-- Ignore the errors on tracks 1-3!
*Place your ZORK I or ZORK II disk in drive A and a blank disk in drive B.
BE SURE THAT YOUR ORIGINAL IS WRITE-PROTECTED!!!
A>
*Now take out your ZORK disk and insert your DOS disk in A.
A>DEBUG
-R CS
xxxx
:0000 <-- you enter this
-R DS
xxxx
:0040
-R IP
xxxx
:7C00
-R ES
xxxx
:0000
-L 0:7C00 0 0 8
-G =0:7C00 0:7C32
-G 0:7C44 <-- Don't take a shortcut here!
-R ES
xxxx
:04C5
-G 0:7C46
-E 7C0:007C 02 08
-W 800:0000 1 8 8
-E 07C0:007C 03 04
-G 0:7C44
-R BX
xxxx
:0000
-G 0:7C46
-E 07C0:007C 02 08
-W 04C5:0000 1 10 8
-E 07C0:007C 03 04
-G 0:7C44
-R BX
xxxx
:0000
-E 07C0:007C 02 08
-W 04C5:0000 1 18 8
-E 0:7C41 B8 08 02
-W 0:7C00 1 0 8
-Q
<> <> <> <> <> <> <> <> <> <> <>
UNPROTECT FOR INFOCOMO'S -ZORK III-
*This patch was done under DOS 1.1 - I haven't tried it under DOS 2.0 yet -
which may cause unpredictable results...
*Take out your new disk in drive B and write-protect it.
It is now DISKCOPY-able.
*Reboot your system - press ALT-CTRL-DEL.
How to backup Infocom's ZORK III game:
*Insert DOS disk in drive A
A>DISKCOPY A: B: <-- Ignore the errors on tracks 1-3!
*Place your ZORK III disk in drive A and a blank disk in drive B.
A>
*Now take out your ZORK III disk and insert your DOS disk in A.
A>DEBUG
-R CS
xxxx
:0000 <-- you enter this
-R DS
xxxx
:0040
-R IP
xxxx
:7C00
-R ES
xxxx
:0000
-L 0:7C00 0 0 1
-G =0:7C00 0:7C2A
-R AX
xxxx
:0800
-G 0:7C63
-E 800:14E5 B8 08 02
-E 800:211A 02 08
-W 800:0000 1 8 18
-L 0:7C00 0 0 8
-E 0:7C7C 02 08
-E 0:7C41 B8 08 02
-W 0:7C00 1 0 8
-Q
*Take out your new disk in drive B and write-protect it.
It is now DISKCOPY-able.
*Reboot your system - press ALT-CTRL-DEL.
<> <> <> <> <> <> <> <> <> <> <>
This is the procedure to unprotect the game software package
called TRIVIA FEVER (This procedure also works on the demo disk of
TRIVIA FEVER available with the blank XIDEX disks!)
If you have a hard disk or want to create a backup copy that is not
tied to the original TRIVIA system disk, this will remove the copy
protection completly.
This procedure is to be used by legitimate owners of
TRIVIA FEVER ONLY ...
as you are entitled to make a back up for archive purposes only.
You are bound by your licence agreement.
Format a blank system disk using DOS 2 or 2.1
Label it the same as the original TRIVIA system disk.
Copy the files from the original TRIVIA system to the formatted
blank disk using *.* .
Place DOS system disk containing DEBUG in drive A:
Place the new copy of TRIVIA in drive B:
Rename the file called TF.EXE to TF
A>DEBUG B:TF
-E 257E (enter)
-75.90 03.90 (enter)
-W
-Q
Rename B:TF B:TF.EXE
Now all the copy protection has been removed, and you may copy the
files as required.
All checks for specially formatted tracks has been removed.
Disk needs no longer to be in the A drive on start up.
<> <> <> <> <> <> <> <> <> <> <>
Wordstar 2000 version 1.00 - Unprotect
by Gerald Lee
derived from
dBase III version 1.10 - Unprotect
by The Lone Victor
The following instructions show you how to bypass the SoftGuard
copy protection scheme used on WORDSTAR 2000 version 1.00. This is the
same scheme used for FrameWork 1.10 and for dBase III version 1.10.
Wordstar 2000 version 1.10 does not use a copy protection scheme, while
versions 1.00 of dBase III and FrameWork used ProLock. To unprotect
Prolock disks read the file PROLOCK.UNP.
First, using your valid, original Wordstar 2000 diskettes, install
it on fixed disk. Softguard hides two files in your root directory:
CML0200.HCL and VDF0200.VDW. WS2000.EXE is the real Wordstar 2000
program, encrypted. When you run Wordstar, the program WS2000.COM loads
CML0200.HCL high in memory and runs it. CML decrypts itself and reads
VDF0200.VDW. The VDF file contains some code and data from the fixed disk
FAT at the time of installation. By comparing the information in the VDF
file with the current FAT, CML can tell if the CML, VDF, and WORDSTAR.EXE
files are in the same place on the disk where they were installed. If
they have moved, say from a backup & restore, then WORDSTAR 2000 will
not run.
Second, un-hide the two files in the root directory. You can do
this with the programs ALTER.COM or FM.COM, or UNHIDE.COM and HIDE.COM
found on any BBS. PC-SWEEP2 is the easiest it will copy the files to
another directory unhidden.
Make copies of the two files, and of WS2000.COM and WS2000.EXE, into
some other directory.
Hide the two root files again if using ALTER or FM. Leave alone if
using PC-SWEEP2.
Following the WORDSTAR instructions, UNINSTAL WORDSTAR 2000. You
can now put away your original WORDSTAR diskettes. We are done with them.
Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG. These patches will keep it from killing our
interrupt vectors.
DEBUG CML0200.HCL
E 3F9 <CR> 2A.4A <CR> ; change the 2A to 4A
E 49D <CR> F6.16 <CR> ; if any of these numbers don't show up
E 506 <CR> E9.09 <CR> ; it's not working.
E A79 <CR> 00.20 <CR> ;
E AE9 <CR> 00.20 <CR> ;
E 73C 97 FA FA F4 F1 7E <CR> ; this is an encrypted call to 0:300
W <CR> ; write out the new CML file
Q <CR> ; quit debug
Now copy your four saved files back into the root directory and
hide the CML0200.HCL and VDF0200.VDW files using ALTER, FM or PC-SWEEP2.
We can now run WS2000.COM using DEBUG, trace just up to the point
where it has decrypted WORDSTAR.EXE, then write that file out.
DEBUG WS2000.COM
R <CR> ; write down the value of DS for use below.
A 0:300 <CR> ; we must assemble some code here
POP AX <CR>
CS: <CR>
MOV [320],AX <CR> ; save return address
POP AX <CR>
CS: <CR>
MOV [322],AX <CR>
PUSH ES <CR> ; set up stack the way we need it
MOV AX,20 <CR>
MOV ES,AX <CR>
MOV AX,0 <CR>
CS: <CR>
JMP FAR PTR [320] <CR> ;jump to our return address
<CR>
G 406 <CR> ; now we can trace CML
T <CR>
G 177 <CR> ; this stuff just traces past some
G 1E9 <CR> ; encryption routines.
T <CR>
G 54E <CR> ; wait while reading VDF & FAT
G=559 569 <CR>
G=571 857 <CR> ; WS2000.EXE has been decrypted
rBX <CR> ; length WS2000.EXE = 1AC00 bytes
:1 <CR> ; set BX to 1
rCX <CR>
:AC00 <CR> ; set CX to AC00.
nWS12 <CR> ; name of file to write to
W XXXX:100 <CR> ; where XXXX is the value of DS that
; you wrote down at the begining.
Q <CR> ; quit debug
Last, unhide and delete the two root files CML0200.HCL, VDF0200.VDW,
and WS2000.COM and WS2000 directory. Rename WS12 to WS2000.COM and
replace in the WS2000 directory. This is the routine that starts the
real WS2000.EXE program without any SoftGuard code or encryption. It
requires the .OVL and .MSG files to run. I have not tried it on a two
disk systems but I think it should work.
If you have any comments on this unprotect routine, please leave
them
GERALD LEE - 5/12/85
<> <> <> <> <> <> <> <> <> <> <>
dBase III version 1.10 - Unprotect
by The Lone Victor
The following instructions show you how to bypass the SoftGuard
copy protection scheme used on dBase III version 1.10. This is the same
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar
2000 version 1.10 does not use a copy protection scheme, while versions
1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks
read the file PROLOCK.UNP.
This scheme also reportedly works on Quickcode 1.10 QuickReport 1.00.
First, using your valid, original dBase III diskette, install it on
a fixed disk. Softguard hides three files in your root directory:
CML0200.HCL, VDF0200.VDW, and DBASE.EXE. It also copies DBASE.COM into
your chosen dBase directory. DBASE.EXE is the real dBase III program,
encrypted. When you run dbase, the program DBASE.COM loads CML0200.HCL
high in memory and runs it. CML decrypts itself and reads VDF0200.VDW.
The VDF file contains some code and data from the fixed disk FAT at the
time of installation. By comparing the information in the VDF file with
the current FAT, CML can tell if the CML, VDF, and DBASE.EXE files are
in the same place on the disk where they were installed. If they have
moved, say from a backup & restore, then dBase will not run.
Second, un-hide the three files in the root directory. You can do
this with the programs ALTER.COM or FM.COM found on any BBS.
Make copies of the three files, and of DBASE.COM, into some other
directory.
Hide the three root files again using ALTER or FM.
Following the dBase instructions, UNINSTALL dBase III. You can now
put away your original dBase diskette. We are done with it.
Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG. These patches will keep it from killing our
interrupt vectors.
debug cml0200.hcl
e 3F9 <CR> 2A.4A <CR> ; change the 2A to 4A
e 49D <CR> F6.16 <CR> ; if any of these numbers don't show up
e 506 <CR> E9.09 <CR> ; it's not working.
e A79 <CR> 00.20 <CR> ;
e AE9 <CR> 00.20 <CR> ;
e 73C 97 FA FA F4 F1 7E <CR> ; this is an encrypted call to 0:300
w ; write out the new CML file
q ; quit debug
Now copy your four saved files back into the root directory and
hide the CML0200.HCL, VDF0200.VDW, and DBASE.EXE files using ALTER or FM.
We can now run DBASE.COM using DEBUG, trace just up to the point
where it has decrypted DBASE.EXE, then write that file out.
debug dbase.com
r <CR> ; write down the value of DS for use below.
a 0:300 <CR> ; we must assemble some code here
pop ax
cs:
mov [320],ax ; save return address
pop ax
cs:
mov [322],ax
push es ; set up stack the way we need it
mov ax,20
mov es,ax
mov ax,0
cs:
jmp far ptr [320] ; jump to our return address
<CR>
g 406 ; now we can trace CML
t
g 177 ; this stuff just traces past some
g 1E9 ; encryption routines.
t
g 54E ; wait while reading VDF & FAT
g=559 569
g=571 857 ; DBASE.EXE has been decrypted
rBX <CR> ; length DBASE.EXE = 1AC00 bytes
:1 ; set BX to 1
rCX <CR>
:AC00 ; set CX to AC00.
nDBASE ; name of file to write to
w XXXX:100 ; where XXXX is the value of DS that
; you wrote down at the begining.
q ; quit debug
Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW,
and DBASE.EXE. Delete DBASE.COM and rename DBASE to DBASE.EXE. This is the
real dBase III program without any SoftGuard code or encryption. It requires
only the DBASE.OVL file to run.
If you have any comments on this unprotect routine or the PROLOCK.UNP
routine, please leave them on the Atlanta PCUG BBS (404) 634-5731.
The Lone Victor - 4/15/85
<> <> <> <> <> <> <> <> <> <> <>
INSTRUCTIONS FOR UNPROTECTING PFS-FILE, PFS-REPORT AND PFS-WRITE.
IMPORTANT! COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST.
DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! (USE THE USUAL DOS
COPY COMMAND)
YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP
MOV AX,DS
MOV ES,AX
(ETC)
IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION)
OTHERWISE,
TYPE -> E 9248 EB 2B
TYPE -> W
TYPE -> Q
BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE. YOU NOW HAVE AN UNPROTECTED
COPY OF PFS-FILE.
FOR PFS-REPORT:
RENAME REPORT.EXE TO REPORT.ZAP
HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP
TYPE -> U 98BF
YOU SHOULD SEE, AMONG OTHER THINGS: PUSH BP
MOV AX,DS
MOV ES,AX
(ETC)
IF YOU DON'T SEE THIS, TYPE -> Q (YOU DON'T HAVE THE RIGHT VERSION)
OTHERWISE,
TYPE -> E 98C4 EB 2B
TYPE -> W
TYPE -> Q
BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE. YOU NOW HAVE AN
UNPROTECTED COPY OF PFS-REPORT.
For PFS-Write:
RENAME PFSWRITE.EXE TO PFSWRITE.ZAP
DEBUG PFSWRITE.ZAP
U 235A
YOU SHOULD SEE, AMONG OTHER THINGS: INT 13
JNB 2362
IF YOU DONcT SEE THIS, TYPE -> Q (you don't have the right version)
OTHERWISE,
TYPE -> E235A 90 90 90 90
TYPE -> E2360 90 90
TYPE -> A2369
TYPE -> CMP AX,AX
TYPE -> <cr>
TYPE -> W
TYPE -> Q
RENAME PFSWRITE.ZAP TO PFSWRITE.EXE. YOU NOW HAVE AN UNPROTECTED COPY
OF PFS-WRITE.
============================================================================
P.S. From another author than the one who wrote the above.
The routine above is excellent, however I had a different version
of PFS FILE and PFS REPORT. If you dont find the locations listed
above try these:
PFS FILE TYPE -> U 9223 YOU SHOULD SEE PUSH BP
MOV AX,DS
MOV ES,AX
(ETC)
IF SO TYPE -> E 9228 EB 2B
TYPE -> W
TYPE -> Q
AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME ETC.
PFS REPORT TYPE -> U 988F YOU SHOULD SEE PUSH BP
MOV AX,DS
MOV ES,AX
(ETC)
IF SO TYPE -> E 9894 EB 2B
TYPE -> W
TYPE -> Q
AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME & ETC.
My thanks to the original author who worked so hard to help us.
Please use these routines for your own use. I needed to add DOS 2.1
and place these programs on double sided disks. Don't rip off these
software manufacturers.
PROKEY 3.0 and several other programs. The approach I outline
here works with any of these that are in COM file format. If
anyone can improve it to work for EXE files PLEASE post it.
This general copy scheme uses a short sector of 256 bytes to
store an essential piece of the program code. On startup, location
100H contains a JMP instruction to the code which reads this
short sector. Locations 103H - 110H contain HLT instructions (hex F4).
After the sector is read, its contents are overlayed onto locations
100H - 110H, replacing the dummy instruction codes. A branch to 100H
then begins the actual program.
All we need to do is to stop execution after the changes are
made and write down the contents of 100H - 110H; reloading the
program and POKEing these changes results in an unprotected program.
Here's how its done:
(1) Put PROTECTED disk in A: (you can write-protect it for safety)
and a disk containing DEBUG in B:
(2) A: Make A: the default.
(3) B:DEBUG ULTIMAII.COM (or PKLOAD.COM, LAYOUT.COM...)
(4) -u 0100 Tell DEBUG to disassemble 0100-0120
DEBUG responds with:
0100 JMP 88A0 (or whatever)
0103 HLT
0104 HLT ...etc.
(5) -u 88A0 Look at short-sector decrypting code.
DEBUG responds with:
88A0 JMPS 88A7 Next "statements" are data locations; ignore.
(6) -u 88A7 Now look for where program restarts at 100H.
DEBUG responds with:
88A7 CALL 88C4
88AA CALL 892E
88AD JC 88BF (If Carry is set, the disk is a copy. Go to DOS!)
..
88BA MOV AX,0100
88BD JMP AX Paydirt! If you got this far, the program has
.. written the REAL code into 0100 - 0120H.
(7) -g 88BD Tell DEBUG to run the program, stop here.
(8) -d 0100 011F Dump out the changed code.
DEBUG responds with:
8C C8 05 25 07 8E D8 05-10 03 8E D0... Two lines. WRITE DOWN for (12)
(9) -q Get out of DEBUG. You must reload to deprotect.
(10) Make a copy of the disk; you can use copy *.* Put copy in A:
(11) B:DEBUG ULTIMAII.COM load copy
(12) -e 0100 Patch locations 0100 - 011F with what you
wrote down above. Follow each entry with
a SPACE until last entry; then hit ENTER.
(13) -w Write out new version of ULTIMAII.COM
(14) -q You've done it!
I've been detailed because this works generally for any COM file.
This method doesn't work for EXE files because while DEBUG can load
relocatable modules and execute them with breakpoints (step 7 above),
you cannot use debug to write an EXE file in relocatable form.
Any suggestions?
L.Brenkus
<> <> <> <> <> <> <> <> <> <> <>
DOUBLEDOS - Unprotect
Based on The Lone Victor's
routine.
The following instructions show you how to bypass the SoftGuard
copy protection scheme used on DOUBLEDOS version 1.00. This is the same
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar
2000 version 1.10 does not use a copy protection scheme, while versions
1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks
read the file PROLOCK.UNP.
First, using your valid, original DOUBLEDOS diskette, install it on a
fixed disk. Softguard hides three files in your root directory:
CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE. It also copies DOUBLEDO.COM
into your chosen DOUBLEDOS directory. DOUBLEDO.EXE is the real DOUBLEDOS
program, encrypted. When you run DOUBLEDOS, the program DOUBLEDO.COM loads
CML0200.HCL high in memory and runs it. CML decrypts itself and reads
VDF0200.VDW.
The VDF file contains some code and data from the fixed disk FAT at the
time of installation. By comparing the information in the VDF file with
the current FAT, CML can tell if the CML, VDF, and DOUBLEDO.EXE files are
in the same place on the disk where they were installed. If they have
moved, say from a backup & restore, then DOUBLEDOS will not run.
Second, un-hide the three files in the root directory. You can do
this with the programs ALTER.COM or FM.COM found on any BBS.
Make copies of the three files, and of DOUBLEDO.COM, into some other
directory.
Hide the three root files again using ALTER or FM.
Following the DOUBLEDOS instructions, UNINSTALL DOUBLEDOS. You can now
put away your original DOUBLEDOS diskette. We are done with it.
Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG. These patches will keep it from killing our
interrupt vectors.
debug cml0200.hcl
e 3F9 <CR> 2A.4A <CR> ; change the 2A to 4A
e 49D <CR> F6.16 <CR> ; if any of these numbers don't show up
e 506 <CR> E9.09 <CR> ; it's not working.
e A79 <CR> 00.20 <CR> ;
e AE9 <CR> 00.20 <CR> ;
e 73C 97 FA FA F4 F1 7E <CR> ; this is an encrypted call to 0:300
w ; write out the new CML file
q ; quit debug
Now copy your four saved files back into the root directory and
hide the CML0200.HCL, VDF0200.VDW, and DOUBLEDOS.EXE files using ALTER or FM.
We can now run DOUBLEDO.COM using DEBUG, trace just up to the point
where it has decrypted DOUBLEDO.EXE, then write that file out.
debug dOUBLEDO.COM
r <CR> ; write down the value of DS for use below.
a 0:300 <CR> ; we must assemble some code here
pop ax
cs:
mov [320],ax ; save return address
pop ax
cs:
mov [322],ax
push es ; set up stack the way we need it
mov ax,20
mov es,ax
mov ax,0
cs:
jmp far ptr [320] ; jump to our return address
<CR>
g 406 ; now we can trace CML
g 177 ; this stuff just traces past some
g 1E9 ; encryption routines.
t
g 54E ; wait while reading VDF & FAT
g=559 569
g=571 857 ; DOUBLEDO.EXE has been decrypted
rBX <CR> ; length DOUBLEDO.EXE = 04800 bytes
:0 ; set BX to 0
rCX <CR>
:4800 ; set CX to 4800.
nDOUBLEDO ; name of file to write to
w XXXX:100 ; where XXXX is the value of DS that
; you wrote down at the begining.
q ; quit debug
Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW,
and DOUBLEDO.EXE. Delete DOUBLEDO.COM and rename DOUBLEDO to DOUBLEDO.EXE.
This is the real DOUBLEDOS program without any SoftGuard code or
encryption. It requires only the DOUBLGD2.PGM and DDCONFIG.SYS files to
run.
DOUBLEDOS - Unprotect
Based on The Lone Victor's
routine.
<> <> <> <> <> <> <> <> <> <> <>
The following instructions show you how to bypass the SoftGuard
copy protection scheme used on DOUBLEDOS version 1.00. This is the same
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar
2000 version 1.10 does not use a copy protection scheme, while versions
1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks
read the file PROLOCK.UNP.
First, using your valid, original DOUBLEDOS diskette, install it on
a fixed disk. Softguard hides three files in your root directory:
CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE. It also copies DOUBLEDO.COM into
your chosen DOUBLEDOS directory. DOUBLEDO.EXE is the real DOUBLEDOS
program, encrypted. When you run DOUBLEDOS, the program DOUBLEDO.COM loads
CML0200.HCL high in memory and runs it. CML decrypts itself and reads
VDF0200.VDW.
The VDF file contains some code and data from the fixed disk FAT at the
time of installation. By comparing the information in the VDF file with
the current FAT, CML can tell if the CML, VDF, and DOUBLEDO.EXE files are
in the same place on the disk where they were installed. If they have
moved, say from a backup & restore, then DOUBLEDOS will not run.
Second, un-hide the three files in the root directory. You can do
this with the programs ALTER.COM or FM.COM found on any BBS.
Make copies of the three files, and of DOUBLEDO.COM, into some other
directory.
Hide the three root files again using ALTER or FM.
Following the DOUBLEDOS instructions, UNINSTALL DOUBLEDOS. You can now
put away your original DOUBLEDOS diskette. We are done with it.
Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG. These patches will keep it from killing our
interrupt vectors.
debug cml0200.hcl
e 3F9 <CR> 2A.4A <CR> ; change the 2A to 4A
e 49D <CR> F6.16 <CR> ; if any of these numbers don't show up
e 506 <CR> E9.09 <CR> ; it's not working.
e A79 <CR> 00.20 <CR> ;
e AE9 <CR> 00.20 <CR> ;
e 73C 97 FA FA F4 F1 7E <CR> ; this is an encrypted call to 0:300
w ; write out the new CML file
q ; quit debug
Now copy your four saved files back into the root directory and
hide the CML0200.HCL, VDF0200.VDW, and DOUBLEDOS.EXE files using ALTER or FM.
We can now run DOUBLEDO.COM using DEBUG, trace just up to the point
where it has decrypted DOUBLEDO.EXE, then write that file out.
debug dOUBLEDO.COM
r <CR> ; write down the value of DS for use below.
a 0:300 <CR> ; we must assemble some code here
pop ax
cs:
mov [320],ax ; save return address
pop ax
cs:
mov [322],ax
push es ; set up stack the way we need it
mov ax,20
mov es,ax
mov ax,0
cs:
jmp far ptr [320] ; jump to our return address
<CR>
g 406 ; now we can trace CML
t
g 177 ; this stuff just traces past some
g 1E9 ; encryption routines.
t
g 54E ; wait while reading VDF & FAT
g=559 569
g=571 857 ; DOUBLEDO.EXE has been decrypted
rBX <CR> ; length DOUBLEDO.EXE = 04800 bytes
:0 ; set BX to 0
rCX <CR>
:4800 ; set CX to 4800.
nDOUBLEDO ; name of file to write to
w XXXX:100 ; where XXXX is the value of DS that
; you wrote down at the begining.
q ; quit debug
Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW,
and DOUBLEDO.EXE. Delete DOUBLEDO.COM and rename DOUBLEDO to DOUBLEDO.EXE.
This is the real DOUBLEDOS program without any SoftGuard code or
encryption. It requires only the DOUBLGD2.PGM and DDCONFIG.SYS files to
run.
<-----<<END>>----->
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
***************************************************
*** Pirate Magazine Issue III-3 / File 9 of 9 ***
*** Gene and Roger at the BBS ***
***************************************************
NOW REVIEWING -- DEAD ZONE (214-522-5321)
We kept hearing about this Dallas board that's part camp, part lame, part
punk, and mostly heavy metal, so we thought we'd check into it, 'cause it's
been around for awhile and seems to have a loyal, if somewhat brain-dead
claim to be heavy metal junkies, and a few log-ins and
message readings convinced us that too much of this stuff can rot your
brain, but maybe that's what comes from living in Dallas.
We were on last year and found it all a bore, but lost our account and had
to re-enter. The chat is mostly mindless, the sysop is into posturing a
lot, and the whole thing is pretty pretentious. Great for kids through age
14. We didn't bother to re-apply for higher access. Here's what ya see when
you log in, and here's a sample of the messages. If you're into mindless
drivel, maybe this board's your thing, but the R&G rating for DEAD ZONE is
<><>BOOOOOOORRRING!!<>
********
! !!! !! ! !! ! !! !!!
!! !! !! !! !! ! !! !!
!!!!!!! !!!!!!!! !!!! !!! !!!!!!!
!!!!!!!! !!!! !!!! !!!! !!!!!!!!
!! !! !! !! !!! !! !! !!
!! !! !!! !!! !!!! !! !! !
!! !!! !!! !! !! !! !!!!
!! !!! !!! !! !!!! !! !
!! !! !!! !!! !! !!! !! !
!! !! !! !! !! !! !! !!
!!!!!!!! !!!! !!!! !!!! !!!!!!!!
!!!! !!! !! ! !! ! !!! !!
!! ! ! !! !! !!
!! ! ! ! ! !! !
! ! !
! !
! ! ! ! !
!
....... ! .........
.... NO! ... ... MNO! ...
..... MNO!! ...................... MNNOO! ...
..... MMNO! ......................... MNNOO!! .
.... MNOONNOO! MMMMMMMMMMPPPOII! MNNO!!!! .
... !O! NNO! MMMMMMMMMMMMMPPPOOOII!! NO! ....
...... ! MMMMMMMMMMMMMPPPPOOOOIII! ! ...
........ MMMMMMMMMMMMPPPPPOOOOOOII!! .....
........ MMMMMOOOOOOPPPPPPPPOOOOMII! ...
....... MMMMM.. OPPMMP .,OMI! ....
...... MMMM:: o.,OPMP,.o ::I!! ...
.... NNM:::.,,OOPM!P,.::::!! ....
.. MMNNNNNOOOOPMO!!IIPPO!!O! .....
... MMMMMNNNNOO:!!:!!IPPPPOO! ....
.. MMMMMNNOOMMNNIIIPPPOO!! ......
...... MMMONNMMNNNIIIOO!..........
....... MN MOMMMNNNIIIIIO! OO ..........
......... MNO! IiiiiiiiiiiiI OOOO ...........
...... NNN.MNO! . O!!!!!!!!!O . OONO NO! ........
.... MNNNNNO! ...OOOOOOOOOOO . MMNNON!........
...... MNNNNO! .. PPPPPPPPP .. MMNON!........
...... OO! ................. ON! .......
................................
-cDc- -cDc- -cDc-
_ _
((___))
[ x x ]
f /
(' ')
(U)
-cDc- -cDc- -cDc-
A [-Cult of the Dead Cow-] System
[New Corpses enter -KILL ME-]
[Grave ID]:
][-KILLE ME
Enter your alias [Upper+Lower Case]
:Roger
City of Residence [Upper+Lower Case]
:San Francisco
State [XX]
:CA
Phone number [xxx-xxx-xxxx]
:414-555-1212
Roger
San Francisco, CA
415-555-1212
Abs0lutely 0k ? Y
[P]=Password
[G]=Guest
-]-[-P
Preparing Entrance...
Hey d0rk, over here...Read This:
Well, if you have actually made it this far, I sure hope
you typed your name in upper/lower case like this sentence is. If
not, you're going to probably have your access denied cause you
showed me you aren't even aware enough to read. I'd really prefer
you give me your REAL phone number, or somewhere I can reach you.
I don't voice validate that much, and I don't take your number
and randomly call it to annoy the hell out of you. Now, all you
have to do is answer the following questions pretty keenly, and
I'll give you access. Don't put smart ass answers....you don't
amuse me when you do that. If it asks you a simple [Yes/No]
question, don't answer "N" or "Y". Sure what the fuck is that
supposed to mean...it means you can't type Yes or No. The board
is mainly for people who like Metal/Speed Metal/Punk/etc and
intelligent/semi-intelligent users. In other words you should be
able to carry on a conversation somewhat. If not, you are a waste
of life roper and ought to go get drunk in some bar and die. Now
I'm outta here....answer these questions:
Leper Messiah
[Ctr-S Pauses : Spacebar Quits]
What is your real FIRST name ?
--ROGER
How old are you ?
--22
What type of computer do you have,
and what is the maximum baud rate
of your modem ?
--IBM/2400
Do you phreak, hack, both, or
neither ?
--BOTH
Do you pirate software and/or
collect textfiles ?
--Yes
Are you related to any law
enforcement agency and/or do
you plan on reporting any
information from this board to
--No
Who is your favorite musical group
and how long have they been your
favorite ?
--Banshee Heaven
Are you a cDc Member?
--No
SPECIFICALLY, where did you get the
number to this BBS ? [Tell the person's
handle, the board, or wherever you
--??
Want to send Leper Messiah
a Message ? No
Enter a password to use [4-8 Characters]
:Demon
Grave ID #99
Password :DEMON
Knife [RETURN] to login to The Dead Zone
[Ctr-S Pauses : Spacebar Quits]
12/24/89
N00wz that you better fucking read...
Ok, I got pissed off at a certain leech, so I deleted 200+ users
from the userlist. I did delete a couple I didn't mean to, so if
you got deleted, and you don't think you deserved it, you're
probably right and I fucked up.
Next off, if you would like a different user number for some
reason, [F]eedback me, and I might change it.
If you would like AE access and you aren't going to leech, send
me [F]eedback. If you have AE access and you leech, you are
going to have a large problem.
If you would like upgraded access, [F]eedback me, and if I merit
that you do, you'll get it.
Lastly....Happy Hannukkah, and Merry Christmas, Have a Good New
Year, and don't drink and drive....(seriously). Thanks.
|-- Graveyard Shift :: 01:19:04 12/28/89
|-- Corpse :: Roger
|-- Last Corpse :: Phantom Of The Opera
|-- Undertaker :: Leper Messiah
|-- Executioners :: The Wanderer
|-- :: The Interloper
|--There are 17967 fresh graves...
-/- Rue Morgue -f- :M
Nice fucking accent...why cant you speak like me!
-/- Rue Morgue -f- :?
User Menu
B- Bulletin Boards
C- Scream at Sysop
D- Display Parms
F- Feedback to Sysop
I- System Information
N- Re-Read System News
P- Get a Password [Guests ONLY]
R- Read Mail
T- Terminate Yourself
Y- Your Body Status
-/- Rue Morgue -f- :B
[Central Graveyard 1-100] :R
Sequential Retrieval - Reverse
Start where [-#, L)ast, <CR>-]:L
[Ctr-S Pauses : Spacebar Quits]
[Knife ENL for next grave]
____/ 100. f____
____ Re: . Demolition War . ____
____ by Madmartigan (#188) ____
f 12/27/89 at 23:48:22 /
Bush was right to go into Panama. Otherwise he looks like an
idiot who can let some wimpy dictator ruin his foriegn policy and
screw up our image in the world. He had to do it...
As for the Dead ZOne going down next year,,... Thank God!
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 99. f____
____ I love typos. ____
____ by M&M (#7) ____
f 12/27/89 at 23:10:21 /
"If
I did, me would want more." That was great.
Psyche is Fuck Me.
Roper::::> Let me explain this AGAIN. The lyrics I typed WERE
NOT Pink Floyd lyrics but ALTERED lyrics. READ THEM. <jeez>
kicker up there reminds me of this asshole that came to
our school... he was like... "What kind of music do you listen
know all about him - but the question is, is he a good impression
on you?" Fuckin' dick. I hate ignorant people. It's fine to be
stupid but if you don't know what you're talking about DON 'T
PRETEND!
M&M
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 98. f____
____ I did NOT............................................! ____
____ by The Wanderer (#11) ____
f 12/27/89 at 22:56:04 /
I did NOT rape SMI2le! There is an easy way to tell if I did it or not. If
I did it, me would want more.
Insane Fixx - Why would I want to trash my cowboy boots, and why
would I want to dye my hair blond? A blond with freckles? I think
not. Of course, I could bleech my skin too.....
Rah! I got me a VCR for x-mas! Now I'm going to have to head down
to the sordid side of town, say hi to sue as I pass the
apropriate corner, and buy some trashy videos. The type that most
of ya'll won't be able to buy for another 5 or 6 years.
Hahahahahahaha!
Tw
/s
/dammit!
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 97. f____
____ pLaNeT cLaIrE ____
____ by The Psychedelic Fur (#209) ____
f 12/27/89 at 21:42:50 /
i DoN't WaNt YoUr LoVe...i WaNt yOuR sEx
mOhEhAhO
DuStBuStEr: YoU kNoW jUsT wHaT iT tAkEs AnD wHeRe To
Go....WhAt MoRe CaN a PoOr BoY dO?...YoU'rE a HaRd AcT tO
fOLLoW...i just looooove my pastel pink lace underwire push up
bra and matching panties! But my crowning glory is the
sexxxxxxxxxy pink silk nightie I bought...'TiS tOo MuCh FoR
jUsT oNe GuY tO tAkE!!
AcEybAbY: Sorry I missed ya...you didn't call me
back...snif...methinks i am hurt...but i shall recover. I will
call ya when i get back from the RaIdEr BoWL.
..i dOn'T wAnT tO sAy i LoVe YoU, ThAt WoULd GiVe AwAy ToO
mUcH....i DoN't waNt To sAy I wAnT yOu, eVeN tHoUgH i wAnT yOu
So MuCh....iT's No NeW YeAr'S rEsOLuTiOn, iT's MoRe ThAn
ThAt...
i just loooove SpLiT eNz!
i think i will get on here early tomorrow morning before i
leave, and say goodbye...i must pack now and i'm not in the
mood to "bOn VoYaGe, bAbY!"
tWo RoAdS dIvErGeD iN a WoOd
aNd I - i ChOsE tHe OnE LeSs TrAvELeD bY
AnD tHaT hAs MaDe aLL tHe DifFeReNcE...
ShALL i CoMpArE tHeE tO a SuMmEr'S dAy
ThOu ArT mOrE LoVeLy aNd MoRe TeMpErAtE...
/| ShE wALkS iN bEaUtY LiKe ThE nIgHt
oF cLoUdLeSs CLiMbS aNd StArRy SkIeS
aNd aLL tHaT's BeSt Of DaRk AnD bRiGhT
MeEt In ThE aSpEcT oF hEr EyEs...
Name the movie, the authors, and who said them...and i'll do
something eXXXtra special...
oH cApTaIn, mY cApTaIn...
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 96. f____
____ Death is near so come rape me! ____
____ by Smi2le (#83) ____
f 12/27/89 at 18:01:59 /
M&M: You're a sheepfucker, right? Some come on baby, I'm a sheep.
Leper: While your at it, buy me a push up jockstrap. M&M
just doesn't get the job done anymore.
Have fun!
Meat
[A]utoReply [N]ext [R]eread [Q]uit:
Gee... I may have to remember this for later use.! (sarcasm)
Hey babe, wanna Pistachio?? (wink, snort, phlegm-hack)
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 92. f____
____ . Hootenanny . ____
____ by Leper Messiah (#1) ____
f 12/27/89 at 11:13:46 /
Oh swell, I'm going to Valley View today, I think I'll stop by
Vic's Secret also and pick me up something interesting....
Then again, maybe I won't.
Maybe I'll visit Hastings instead and get some k000000000l album.
GO Away, I wanna burn in hell...
-There's something I haven't sdaid in a long time.
Or spelled correctly for that matter.
Well, well, well...
Right now I'll go...
somewhere else.
Me
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 91. f____
____ tHe UnIvErSe Is ExPaNdInG ____
____ by The Psychedelic Fur (#209) ____
f 12/27/89 at 10:42:35 /
SmI2Le: Me??? LaRgEr tHaN LiFe? How so? I tell ya this much,
if I was "larger than life" I wouldn't be able to shop at
ViC's SeCrEt...
And I now have a real bustline...
the most orgasmic thins, besides Godiva chocolates, silk
lingerie, and great sex, are pistachios...
pHaLLi
C SyMb
OLs!!!
Board rape. Sounds fun. Reminds me of the time on PiL when
ol' Karl and myself came up with this guy, "Mr. Awesome", who
was a homosexual and sent bulk mail to all the guys on the
board encouraging them to have anal sex, etc. We had everybody
fooled.
DaVe: Methinks you want to do the nasty...:)
munching on a healthful aphrodisiac...sex on the mind...and
less than 24 hours till I'm off to the bowl...
maybe I'll get some in Birmingham...
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 88.
____ Re: and that was a song called "Yeah" by... you guessed
it The Garden Bugs ____
____ by Roper (#308)
f 12/27/89 at 01:10:20
M&M ---- > O.K. so yer a bigger fuck than I thought, Although I
was quite impressed that YOU would know the lyrics to a country
tune. And by the way,... I did listen to the Pink Floyd lyrics
again,... still sounds suicidal to me.
JUST TRYIN TO HELP WHERE I CAN,... GIMME A BREAK!
Roper
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 83. f____
____ abcdefghijklmnopqrstuvwxyz.... ____
____ by Ace of Diamonds (#36) ____
f 12/26/89 at 11:45:57 /
now i no my abc's wont you come and
fuck with me.....
suebeast: nononono...ya can beg...but
lananananana...oh lana...has moi dik
first....cuzzz she luvz to suck it
so sweet.....and u 'hate doin that
shit'....so, [strike three, yer out!]
.....glad ya missed loozer car 54....
its black and white anyway...ack.....
yawn....i got sex on the brane.......
in multicolor3D vision...............
ohyeah...today i'm sposed to kall ya.
i think i'm gonna ferget.....duH.....
sycho-correct:aka MaDDFiXX....<i'm soo
intelictual>....rahrah....d00d...yer
so vEry sTraNGe.......sEE mY SelF iN
ThE miRRoR.....
SOMEBODY GET ME A DOCTOR!!!!
need some new lyrix besides wiggin'
dance tunez.....hmmmm..........
what's everyonez fav EmptyVee video...
i must admit that my MeTalHeAd has
turned soft cuz...i lUUUUUv
paula halfbake abdul's
The Way that U luv Me....
i lust everything in that video....
her bod, stereo equip, visagold
(which i have already), mazerati
90'yackt, black limozine,
pearl necklace ..(both kindz)
etc.....but most of all ....iz her
tItz.......yumyumyum
gOts tO mAil Rezumayz,
AoD
[A]utoReply [N]ext [R]eread [Q]uit:
____/ 77. f____
____ ..lOOks like rED skies at niTe.... ____
____ by The Madd Fixx (#142) ____
f 12/25/89 at 23:47:35 /
buT of cOurse....
tiN-roOf....
ruSTed!
duDes.. i haD a pretty rocKin' ChrisTmas.. goT me a cD player... aND
daT suIts me fiNe.... i goT dis biTchin' Indiana joNes lookin'
haT... it roCks..
aNYone ever seen cherrIes in liquoR?.... hO yAh...
yuMyUm... piTS and all...sluRpsLUrp!
maN..we're just frying this message base with wiErdo messages..
buT hEy.. doN't coomplain...we're posTing....
m&m... so quE pasa with aNGie, eH?...
mY mountain hideaway...maybe next year..............
pSYchE..raH..everytime i listen to spLit enZ, the b's,
or doOOrandOooran, it reminds me oF yOUze.... (awW.
aIn't tat sweEt! HahA!).. shaKe a tail feaTher...
you're about as eaSy as a nuClear waR....
...(of course, i'm not saying that there's
any similarity... <eviLish griN>...)
oh...what'snext....
damn i'm boRed...goTTa sliP me in anudder cD....
yEee-haAAa! daMn i'm HiP!... <smiRk>...
plEAse pleAse tell me noW.... cuZ i wanna RoAm in your
buuUuusssshhhhh----fiiIiire!...
aND i think it's about to bReak....
smiL3e...chiLL hoMie.. reLax..doN't do iT.. set your miNd righT to It.
thERe's a chance you could be righT....
anOther glaMoRous
peFeroRmaNce by mE...aNd i..
mR.
bUStin'
DuStiN!!
[A]utoReply [N]ext [R]eread [Q]uit:
Central Graveyard:
[#]-Read Number [N]ew Graves [Q]uit
[G]lobal Q-scan [J]ump [L]ist
[F]rd. Read [R]vrs. Read [S]can
[>]Next Bd. [<]Prev. Bd. [K]ill
[P]ost [T]erminate Session
Spread the Disease [-[-[-[-[-[-[- -]-]-]-]-]-]-] Spread the Disease
[Central Graveyard 1-100] :>
-/- Rue Morgue -f- :<
Nice fucking accent...why cant you speak like me!
User Menu
B- Bulletin Boards
C- Scream at Sysop
D- Display Parms
F- Feedback to Sysop
I- System Information
N- Re-Read System News
P- Get a Password [Guests ONLY]
R- Read Mail
T- Terminate Yourself
Y- Your Body Status
-/- Rue Morgue -f- :T
[] Violent Termination []
***************
That's it! So much for contemporary education through age
16!
>--------=====END=====--------<
!
JB ZZZZ
