💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › PIRATE › pirate-3 captured on 2022-06-12 at 14:00:42.

-=-=-=-=-=-=-

 
         *******************************************************
         **                                                   **
         **     PPPPP    I    RRRRR    AAAAA  TTTTT   EEEEE   **
         **     P  PP    I    R  RR    A   A    T     E       **
         **     PPP      I    RRR      AAAAA    T     EEEEE   **
         **     P        I    R  R     A   A    T     E       **
         **     P        I    R   R    A   A    T     EEEEE   **
         **keepin' the dream alive                            **
         *******************************************************
 


 
Welcome to the third issue of *PIRATE MAGAZINE*.
Special thanks for getting this issue out go to:
  Flint
  Gene & Roger
  Hatchet Molly
  Jedi
  Knight Lightning
  Mikey Mouse
  Taran King
  The California Zephyr
  The Institute
  The Hillside Pirates
  Special thanks to those who took the time to write the
  unprotects, including Buckaroo Banzai, Super Dave,
  Company of Wolves, Bentley Bear, The Asp, and all the others.
 
Any comments, or if you want to contribute, most of us can be reached at
one of the following boards:
  GREAT ESCAPE          >>> PIRATE HOME BOARD
  RIPCO              (Illinois)
  SYCAMORE ELITE     (815-895-5573)
  THE ABYSS          (201-671-8954)
  PACIFIC ALLIANCE   (California)
  Chris Robin         BITNET = TK0EEE1@NIU
 
     +++++++++++++++++++++++++++++++++++++++++++++++++++++
 
Dedicated to sharing knowledge, gossip, information, and tips for warez
hobbyists.
 
   *******************************************************
   *                 EDITORS' CORNER                     *
   *******************************************************
 
                    ** CONTENTS THIS ISSUE **
 
File #1. Introduction, editorial, and general comments
File #2. News Reprint: Who's the REAL software threat??
File #3. Unprotects and cracking tips (part 1)
File #4. Unprotects and cracking tips (part 2)
File #5. Unprotects and cracking tips (part 3)
File #6. Unprotects and cracking tips (part 4)
File #7. Unprotects and cracking tips (part 5)
File #8. Unprotects and cracking tips (part 6)
File #9. Gene n' Roger's "review of the month" (DEAD ZONE)
 
Welcome to the third edition of *PIRATE*, a bit late, but here it is.
Still can't seem to please everybody, and it's a toss-up between those
wanting more law/virus type stuff and those wanting nuts and bolts for "how
to crack," so this issue we're giving more cracking tips that were sent in.
Next issue we'll bring back some of the legal stuff, virus info, and keep
the unprotect section as a regular feature.
 
Last issue pissed some people off, mostly the kiddie klubbers who thought
we were a bit unfair. Well, like we keep saying, there's a pirate ethic,
and if you can't figure it out, you ain't one.
 
Lots of feedback on "what's a pirate!" Add it up anyway you want to, keeps
coming out the same: PIRATES AREN'T RIPPING OFF--they're warez hobbyists
who enjoy the challenge or the collecting.
 
Bad news, sad news--more national pirate boards have gone down.  Seems that
the "fly-by-night" crowd springs up, drains off enough clients to cut into
the elite boards, and the sysops all say the same thing: Too many kids
calling and tying up the lines, and a decrease in good users caused by the
competition.
 
A few sysops have also requested that we don't print the numbers of boards
where PIRATE staff can be reached because too many lamerz started calling.
The boards are pretty easy to find, though, and a few will tolerate their
numbers being published for one more issue.
 
If you have any suggestions or ideas for future issues, call or get ahold
of us--just leave a message on any of the top boards and we'll get to it
sooner or later.
 
 
                            <-----<<END>>----->
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 

 
 
Multiple choice quiz:
 
Who's the biggest threat to the computer industry:
    a) Phreaks
    b) Hackers
    c) Pirates
    d) Ducks without condoms
    e) The software industry itself
 
If you answered "e)", you passed. The tendency of the mega-corps to try to
eat each other, with lawyers as the only winners, costs more in dollars and
feel" of an idea.  The mega-corp czars keep saying that pirates and phreaks
will put the "small programmer" out of business, but the following article
suggests it's quite the opposite. What's the bottom line?  The computer
underground is resistance, and like the PIRATE crew says, we gotta "keep
the dream alive."
                      **<Chris Robin> and Pru Dohn**
                             * * * *
 
     "Software Industry Growing Jaded over Copyright Disputes"
                          by Tom Schmitz
      (THE CHICAGO TRIBUNE, December 26, 1989-Sect. 3, p.3)
 
SAN JOSE--When it comes to copyright lawsuits, the computer software
industry is starting to sound a bit like victims of the recent earthquake.
They've already been through the Big Shake.  And they're getting a bit
jaded about the aftershocks.
 
"When the Apple-Microsoft suit hit, everybody got frightened," said Heidi
Roizen, president of the Software Publishers Association. "A month later,
99 percent of us were back to normal.  I get the sense companies aren't
going to do much this time."
 
"This time" is the Xerox-Apple lawsuit, in which Xerox Corp. is claiming
Apple Computer Inc. infringed its copyright in designing the display and
command system for its enormously popular Macintosh computer. Filed in San
Francisco two weeks ago, the suit comes 21 months after Apple brought a
similar case against Microsoft Corp. and Hewlett-Packard Co., saying they
had infringed Apple's own copyright on the distinctive display software.
 
The Macintosh's graphic display has such "user-friendly" features as
pull-down menus; easy-to-identify symbols, or "icons"; and "windows" that
allow users to display text, menus and illustrations simultaneously.
 
By pressing its claim to the "look and feel" of Macintosh software, Apple
set off alarms at hundreds of smaller companies that were developing
to forge ahead.
 
So while the Xerox suit again raises the question of just who can use what
software, those awaiting the battle's outcome say they see no reason to
drop their wait-and-see attitude. They just have more to watch.
 
"It throws a little scare in, but I'm not going to program any less," said
Andy Hertzfeld, an independent programmer in Palo Alto, Calif., and one of
the original designers of the Macintosh software.  "If people want to sue
me, they can."
 
All agree the issue of who can rightfully use the display system is
important and must be settled quickly.  But more troubling, industry
observers say, is increasing use of lawsuits to settle such disputes.
 
"Basically the whole thing is anticustomer and prolawyer," Hertzfeld said.
"All that money that Apple is paying their lawyers could be going into
products." What's more, a litigious atmosphere can stifle innovation.  "If
every time I come up with an idea I have to hire a team of lawyers to find
out if it's really mine, my product development will slow way down."
 
Some hope the Xerox-Apple suit will finally put an end to that process.
Unlike the Apple-Microsoft case, the suit does not involve a specific
contract. That could allow the court to tackle the look-and-feel issue
head-on without bogging down over technicalities.  And both companies have
war chests large enough to see the fight through.
 
"I think [the suit] is good," said Dan Bricklin, president of Software
Garden, Inc. in Cambridge, Mass., who wrote the first computer spreadsheet
program.  "We need the issue resolved by the courts, and we can't have
people pulling out for lack of money."
 
Yet even among those who say the industry needs a clear set of rules, there
remains a certain nostalgia for the freewheeling days when software
designers wrote what they wanted and settled their differences outside the
courtroom.
 
                            <-----<<END>>----->
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 

 
 
In this file: Jordan v. Bird
              Gauntlet
              Sierra Games
 
Cracking is about learning computer programming, and the fun is in
increasing skills. We've been sent some reprints of tips, and even if you
have the programs, it's neat to make a backup copy and experiment. For
some, these tips may be old hat, but for novices they show some of the
basic techniques that the "pros" use.
 
The more programming you know, the easier cracking is, and we recommend
taking an intro course in your school. But most programs can be worked on
using DOS DEBUG. Think of DEBUG like a text editor. The difference is that,
instead of writing ASCII type stuff, you're working in BINARY files. Debug
lets you "edit" (or alter) the contents of a program and then immediately
re-execute to see if your changes worked. Before reading the following,
check your DOS manual and read the DEBUG instructions.  We've included old
unprotects here for a reason: If you have some of these old programs laying
around, dig them out and use them for practice. "Cracking" is one of the
best (and most fun) ways to learn about what makes a program work.
 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
^^^^^^^^^^^^^^^
We reprint the following tips by BUCKAROO BANZAI that beginners and
intermediates should find helpful.
^^^^^^^^^^^^^^^^
 

 
Introduction
------------
  For years, I have seen cracking tutorials for the APPLE computers, but
never have I seen one for the PC.  I have decided to try to write this
series to help that pirate move up a level to a crackest.
 
  In this part, I will cover what happens with INT 13 and how most copy
protection schemes will use it.  I strongly suggest a knowledge of
Assembler (M/L) and how to use DEBUG.  These will be an important figure in
cracking anything.
 
INT-13 - An overview
--------------------
  Many copy protection schemes use the disk interrupt (INT-13).  INT-13 is
often used to either try to read in an illegally formatted track/sector or to
write/format a track/sector that has been damaged in some way.
 
  INT-13 is called like any normal interrupt with the assembler command
which command to be used, with most of the other registers used for data.
 
INT-13 Cracking Collage
-----------------------
  Although, INT-13 is used in almost all protection schemes, the easiest to
crack is the DOS file.  Now the protected program might use INT-13 to load
some other data from a normal track/sector on a disk, so it is important to
determine which tracks/sectors are important to the protection scheme.  I
have found the best way to do this is to use LOCKSMITH/pc (what, you don't
have LS.  Contact your local pirate for it.)
 
  Use LS to analyze the diskette.  Write down any track/sector that
seems abnormal.  These tracks are most likely part of the protection
routine.  Now, we must enter debug. Load in the file and execute a search for
CD 13.  Record any addresses shown.  If no addresses are picked up, this means 1
of 2 things: the program is not copy protected (bullshit) or that the check
is in another part of the program not yet loaded.  The latter being a real
bitch to find, so I'll cover it in part II.  There is another choice.  The
CD 13 might be hidden in self changing code.  Here is what a sector of
hidden code might look like
 
-U CS:0000
1B00:0000 31DB     XOR    BX,BX
1B00:0002 8EDB     MOV    DS,BX
1B00:0004 BB0D00   MOV    BX,000D
1B00:0009 3412     XOR    AL,12
1B00:000D DF13            FIST   WORD...
to DF at location 1B00:0007.  When you XOR DF and 12, you would get a
CD(hex) for the INT opcode which is placed right next to a 13, i.e., giving
you CD13 or INT-13.  This type of code can't and will command.
 
Finding Hidden INT-13s
----------------------
  The way I find best to find hidden INT-13s, is to use a program called
PC-WATCH (TRAP13 works well also).  This program traps the interrupts and
will print where they were called from.  Once running this, you can just
disassemble around the address until you find code that looks like it is
setting up the disk interrupt.
 
  Another way to decode the INT-13 is to breakpoint at the address given by
PC-WATCH (both programs give the return address).  Ie, -G CS:000F (see code
above).  When debug stops, you will have encoded not only the INT-13 but
anything else leading up to it.
 
What to do once you find INT-13
-------------------------------
  Once you find the INT-13, the hard part for the most part is over.  All
that is left to do is to fool the computer in to thinking the protection
has been found.  To find out what the computer is looking for, examine the
code right after the INT-13.  Look for any branches having to do with the
CARRY FLAG or any CMP to the AH register.
 
  If a JNE or JC (etc) occurs, then jump.  If it is a CMP then just read
on.
 
Here you must decide if the program was looking for a protected track or
just a normal track.  If it has a CMP AH,0 and it has read in a protected
track, it can be assumed that it was looking to see if the program had
successfully completed the READ/FORMAT of that track and that the disk had
been copied thus JMPing back to DOS (usually).  If this is the case, just
NOP the bytes for the CMP and the corresponding JMP.
 
  If the program just checked for the carry flag to be set, and it isn't,
then the program usually assumes that the disk has been copied. Examine the
following code
 
      INT 13      <-- Read in the Sector
      JC 1B00     <-- Protection found
      INT 19      <-- Reboot
1B00  (rest of program)
 
  The program carries out the INT and finds an error (the illegally formatted
sector) so the carry flag is set.  The computer, at the next instruction,
sees that the carry flag is set and knows that the protection has not been
breached.  In this case, to fool the computer, just change the "JC 1B00" to
a "JMP 1B00" thus defeating the protection scheme.
 
 
NOTE: the PROTECTION ROUTINE might be found in more than just 1 part of
     the program
 
Handling EXE files
------------------
  As we all know, Debug can read .EXE files but cannot write
them.  To get around this, load and go about cracking the program
as usual.  When the protection scheme has been found and command)
to save + & - 10 bytes of the code around the INT 13.
 
  Exit back to dos and rename the file to a .ZAP (any extension
but .EXE will do) and reload with debug.
 
  Search the program for the 20+ bytes surrounding the code and
record the address found.  Then just load this section and edit
it like normal.
  Save the file and exit back to dos.  Rename it back to the .EXE
file and it should be cracked.  ***NOTE: Sometimes you have to
fuck around for a while to make it work.
 
DISK I/O (INT-13)
-----------------
  This interrupt uses the AH register to select the function to
be used.  Here is a chart describing the interrupt.
 
AH=0    Reset Disk
AH=1    Read the Status of the Disk
        system in to AL
 
    AL          Error
  ----------------------------
    00   - Successful
    01   - Bad command given to INT
   *02   - Address mark not found
    03   - write attempted on write prot
   *04   - request sector not found
    08   - DMA overrun
    09   - attempt to cross DMA boundary
   *10   - bad CRC on disk read
    20   - controller has failed
    40   - seek operation failed
    80   - attachment failed
(* denotes most used in copy protection)
AH=2    Read Sectors
 
  input
     DL = Drive number (0-3)
     DH = Head number (0 or 1)
     CH = Track number
     CL = Sector number
     AL = # of sectors to read
  ES:BX = load address
  output
      AH = error number (see above)
      AL = # of sectors read
 
AH=3 Write (params. as above)
AH=4 Verify (params. as above -ES:BX)
AH=5 Format (params. as above -CL,AL
             ES:BX points to format
             Table)
 
  For more information on INT-13 see the IBM Technical Reference
Manuals.
 
Coming Soon
-----------
  In part II, I will cover CALLs to INT-13 and INT-13 that is
located in different overlays of the program
 
 
Happy Cracking.....
        Buckaroo Banzai
       <-------+------->
 
PS: This Phile can be Uploaded in its
unmodified FORM ONLY.
 
PPS: Any suggestions, corrections,
comments on this Phile are accepted and
encouraged.....
 
                       * * * * * * * * * *

 
 
Introduction
------------
 
  Ok guys, you now passed out of Kopy Klass 101 (dos files) and
have this great new game with overlays.  How the phuck do I crack
this bitch.  You scanned the entire .EXE file for the CD 13 and
it's nowhere.  Where can it be you ask yourself.
 
  In part II, I'll cover cracking Overlays and the use of
locksmith in cracking.  If you haven't read part I, then I
suggest you do so.  The 2 files go together.
 
Looking for Overlays
--------------------
  I won't discuss case 1 (or at least not here) because so many
UNP files are devoted to PROLOCK and SOFTGUARD, if you can't
figure it out with them, you're PHUCKEN stupid.
 
  If you have case 3, use the technique in part I and restart
from the beg. And if you have case 4, shoot yourself.
 
Using PC-Watch to Find Overlays
-------------------------------
 
You Have Found the Overlays
---------------------------
 
Locksmith and Cracking
----------------------
 The copy/disk utility program Locksmith by AlphaLogic is a great
 tool in cracking.  Its analyzing ability is great for
 determining what and where the protection is.  I suggest that
 you get locksmith if you don't already have it.  Check your
 local pirate board for the program.  I also suggest getting
 PC-Watch and Norton Utilities 3.1.  All of these programs have
 many uses in the cracking world.
 
Have Phun Phucker
    Buckaroo Banzai
     The Banzai Institute
 
special thanks to the Hong Kong Cavaliers
 
Call Spectrum 007 (914)-338-8837
 
                            <-----<<END>>----->
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 

 
 
In this file:  Curse of the Azure Gods
               Gauntlet (alt. unprotect)
               Silpheed
               Simcity
               Carmen San Diego
               Sargon IV
 
                         +-------------------------+
                         |       The Baji Man      |
                         |         PRESENTS        |
                         |                         |
                         | JORDAN  V.S. BIRD DOCS  |
                         |  Cracked by: DAY STAR   |
 
 
Game Play Options:
 
1 ON 1 FULL GAME:
   M. Jordan and L. Bird play one on one for either 2,5,8, or 12
   mins per quarter. You can set the computer's skill level in the
   options menu with Recreational being the easiest to
   Professional being the hardest.  Winners Outs option is where
   if you score you get the ball back.  Instant replay, Fouls, and
   Music/Sowndz
 
 
DR.J JAM- Start from the jumpers circle and let go of the ball
just as your man is descending. Wait until you're sure he's
descending, but not too long.
 
Windmill - Start from the right baseline area and let go
Back Slam- Same as a Two-Handed-Hammer
 
Statue Of Liberty - Same as Dr. J. Dunk
 
Skim-The-Rim - Exactly like the Air-Jordan except let go of the
ball a lil' bit sooner.
 
Toss Slam- This dunk seems the hardest but it's the easiest. Start
from the left side baseline area and let go when you're almost in
front of the basket.
 
   My version of Jordan v.s. Bird has a bug in it which doesn't
   display semifinal stats and standings. You just play the
   finals and that's it.  Other versions may differ.
 
FOLLOW THE LEADER:
   This is just a "You do as I do" dunk contest with do or die rules.
 
3 POINT CONTEST- Shoot the first ball on the first rack, go to
the next rack, and so on.... when you get to the last rack make
your way back to the first rack.  The object is to get as many
baskets as possible in 30 or something secondz.
 
Hintz and Tipz:
 
To get past your opponent in one on one games just press the
%Q! your designated direction and you will
speed up dramatically.  To dunk just gain a little speed by
running up to the basket from as far as possible and holding the
insert key. It's almost impossible to explain defensive techniques
because this is one of those "u gotta be in the right place at
the right time gamez"  The best thing I can tell ya is to
Experiment with the game a little and practice. Have Phun!!!!
The Baji Man
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
           *
 *          This is how I unlocked Gauntlet by Mindscape
           *
By : LM    *
 

 
Gauntlet was one of those games in the arcade that I liked a lot.
So when I walked into the Computer Store and saw it on the shelf,
I just had to have it.
 
The price of the game wasn't bad at all and the game was really
good.  But Mindscape gives you only ONE install. What kind of
$hi* is that.  I mean only one install to your hard disk and then
you must uninstall before you optimize your disk or you have lost
 
         ------------  NO MORE INSTALL's. -------------
 
mistake I got out my DEBUG and started to look at the game. I
found that Mindscape writes two hidden files to your C:f when you
install Gauntlet.  DEMAA.COM and DEMAB.COM. The first file
(DEMAA.COM) is just junk.
 
The second file (DEMAB.COM) has some info about where the first
file is at on your hard disk. (The starting cluster number) When
you load Gauntlet it calls GINTRO.EXE and GINTRO.EXE checks for
this information. Then it calls GPROG.EXE and it checks for the
same information.
My fix for this was to load gintro.exe and gprog.exe with fake
data.  After you fix gauntlet you DON'T have to use Mindscape
install to play the game, just copy the files to your disk and
go.  It has worked fine for Me and I hope it is what you need to
fix your game.
 

     make a copy)
     A:,B:,C:
     (demaa.com)
     dummy data
     (demab.com)
     drive A:,B:,C
     (demaa.com)
     dummy data
     (demab.com)
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
Unprotect for all Sierra Games using the version 3.0 SIERRA.COM game
loader and the AGI (Adventure Game Interpreter).
 
                         This text written
                           July 11, 1988
 
   Sierra-On-Line Software utilizes a copy protection scheme
which, upon the execution of the game loader (usually
SIERRA.COM), loads some key data from a specially formatted
track. Normal DOS copy and diskcopy commands cannot copy this
specially formatted track (usually track 6). Only image hardware
copy devices such as the "OPTION BOARD" can copy the specially
formatted track properly - and even this will not allow
stand-alone hard disk usage.
 
   This unprotect is accomplished by running the program to the
point where it loads the key data, and then copying the key data
into the loader. Then the loader is further modified by jumping
around the call to the "opening original disk" request screens.
The last step is to change the bx and cx registers to allow for
the inclusion of the key data in the loader.
 
   There are three things to determine before you can start the
unprotect.  The first is to verify that your game contains the
version 3.0 game loader (usually the file SIERRA.COM) and the
file "AGI". This applies to about 90% of all Sierra games. The
others contain a slightly modified version 3.0 game loader and
the file MAIN. This unprotect does not apply to Sierra games that
contain the file "MAIN". Some games which use the "MAIN" file
are: 3-D Helicopter, Thexder and a few others. Check this BBS for
a different unprotect for Sierra games using the "MAIN" file.
 
   Run a directory on your Sierra game disk 1 to verify that it
does contain the files "SIERRA.COM" and "AGI".
 
   The next step is to determine which version of the 3.0 game
loader (SIERRA.COM) your game has. Yes, there are two different
versions of the 3.0 version game loader. In the code of the
SIERRA.COM file is listed either the date 1985 or 1987 - the 1985
being one version and the 1987 being another version. You must
run a debug operation as follows to determine your version of the
game loader:
 
                   Arrange your configuration so that SIERRA.COM
                   and DEBUG.EXE are on the same disk, directory
                   or path.
 
                   DEBUG SIERRA.COM <return> -d 100 <return>
 
   Some text will now appear to the right of your screen,
somewhere containing "LOADER v.3 Copyright Sierra On-Line, Inc.
198?". Note the year appearing in this text. Now you can quit
debug by typing a "q" at the "-" prompt. The unprotect differs
for the 1985 and 1987 versions, so, if your version is the 1985
version, refer to the file SIERRA85.UNP contained in this
package. Likewise, if your version is the 1987 version, refer to
the file SIERRA87.UNP contained in this package.
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
Please read the file READTHIS.1ST before proceeding to read this
file.
 
Unprotect for all Sierra Games using the version 3.0 SIERRA.COM
game loader and the AGI (Adventure Game Interpreter). THE
FOLLOWING PROCESS APPLIES TO THE 1987 version of the 3.0 version
SIERRA.COM game loader!
 
Make a copy of your original game disk 1 using the dos copy *.*
command.  But don't put away your factory original game disk yet,
you will need it during the unprotect.
 
Arrange your configuration so that SIERRA.COM and DEBUG.EXE are
on the same disk, directory or path.
 
Using THE COPY of the game disk 1, start as follows:
               DEBUG SIERRA.COM <return> -r <return>
screen, including the prompt to insert your original disk (write
protect it to be safe). The key data from the specially formatted
track will be loaded into memory.  When the program breaks back
to debug (the registers will be listed again), be sure you have
the COPY you made of your original disk in the disk drive.)
 
               -rbx <return>
               :         <-type in here the value of BX register that
                           you were instructed to write down in step one.
               <return>
 
               -rcx <return>
               CX XXXX
               :         <-type in here the value of CX register that
                           you were instructed to write down in step one.
               <return>
 
 
(In the above line you have inserted NO-OP's (90's) to jump
around the protection check and opening screen calls)
 
               -w <return>  (this will write back to disk the unprotected
                             game loader)
               Writing xxxx bytes
               -q <return>  (quits debug)
 
This completes the Sierra game 1987 version 3.0 game loader
unprotect. Use this unprotect to allow proper hard disk usage or
to make an archival backup copy. Please do not promote theft by
using this procedure to distribute unauthorized copies.
 
Bart Montgomery
Atlanta PCUG BBS
(404) 433-0062
 
                            <-----<<END>>----->
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 

 
In this file: Curse of the Azure Bonds
              Gauntlet
              Silpheed
              Carmen San Diego
              Sargon
                           * * * * * *
 
                 How to fix copy protection from
                   and supercharge characters
                  for Curse of the Azure Bonds.
 
 
                              FROM:
                      THE COMPANY OF WOLVES
-----------------------------------------------------------------
                             NEEDED:
1. Norton Utilities (or similar program)
2. A copy of the file start.exe from your Azure Bonds disk A
3. A bit of your time
-----------------------------------------------------------------
 
 
1. HOW TO UNPROTECT CURSE OF THE AZURE BONDS:
First load START.EXE into Norton.  Then search for the string 80
3E CC.  This should take you to file offset 9BA hex.  Go back to
9B5 hex this should be 9A (the first machine language code for a
far call).  Change the values of the bytes from 9B5 hex - 9b9 hex
to 90's. Save the changes.
 
Now the program will skip the part where it asks for code letter,
you now can put away that annoying code disk until needed for
decoding
-----------------------------------------------------------------
 
2. SUPERCHARGING YOUR CHARACTERS:
Copy the program CHARFIX.EXE (included with this fix) into the
directory that your saved games reside. Change to that directory.
Run the program, it is self-explanatory.
-----------------------------------------------------------------
 
If you have any problems with any of the patches above check the
date of the file START.EXE on your original disk A for the date
and time 07/27/89 16:44. If your file has a different date then
they probably changed the copy protection method and you're out of
luck with this patch. For other problems leave The Company of
Wolves a message, I can be reached on EXCEL BBS (414)789-4210
 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
                 How to fix copy protection from
                      Mindscape's Gauntlet.
 
 
                              FROM:
                      THE COMPANY OF WOLVES
-----------------------------------------------------------------
                             NEEDED:
1. Norton Utilities (or similar program)
2. A copy of the files gintro.exe and gprog.exe from your
original disk.
3. A bit of your time
-----------------------------------------------------------------
 
 
1. HOW TO UNPROTECT GAUNTLET:
First load one of the above files into Norton.
Then search for the string F3 A7.
Change the byte immediately following (74) to EB.
Continue the search and once again change the 74 to EB.
Save the changes
Repeat the steps above for the other .EXE file.
 
For you Debug fans rename each of the two files to 1.aaa and
2.aaa respectively.
Search (the S command) for F3 A7, you should get at least 3
matches.
You will need to unassemble each of the matches, the first copy
protection match should read REPZ CMPSW, JZ 2D96, etc..., and the
second REPZ CMPSW, JZ 2DB1, etc...
With the E command using the FULL address of the JZ commands
change the 74's to EB's.
Write the files with the W command and repeat the process for the
other file.
When finished, erase Gintro.exe and Gprog.exe and rename 1.aaa
gintro.exe and 2.aaa gprog.exe.
 
This version of the program will still look for the copy
protection (which is a sector at the end of the hard disk that
the install program writes then marks bad to prevent overwriting
to that sector) but will continue the program as if the
comparison (F3 A7) was successful.
-----------------------------------------------------------------
 
If you have any problems with any of the patches above check the
date of the file GINTRO.EXE on your original disk A for the date
03/25/88. If your file has a different date then they probably
changed the copy protection method and you're out of luck with this
patch. If you have any questions leave The Company of Wolves a
message, I can be reached on EXCEL BBS (414)789-4210 under the
name Nicodemus Keesarvexious.
 
Also included is another patch for a different version of
Gauntlet in case you have a different version from the one I
 
                         * * * * * * * *
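A defender-side view of the change described above, as an added example that is not part of the original article: given a known-good image and a suspect copy, it reports every REPZ CMPSW whose conditional branch has been turned into an unconditional JMP with the same displacement. The byte strings are constructed samples (not taken from GINTRO.EXE or GPROG.EXE), the load address 0100h is an assumption, and the function names are hypothetical.

```python
"""Integrity audit: find compare-then-branch sites whose branch was forced."""

REPZ_CMPSW = b"\xF3\xA7"          # the F3 A7 string the article searches for
SHORT_BRANCH = {0x74: "JZ", 0x75: "JNZ", 0xEB: "JMP"}


def branch_sites(code, load_addr=0x100):
    """List (address, mnemonic, target) for each REPZ CMPSW that is followed
    directly by a short branch. Other F3 A7 matches are skipped, which is why
    a raw byte search returns more hits than there are checks."""
    sites = []
    pos = code.find(REPZ_CMPSW)
    while pos != -1:
        op = pos + 2
        if op + 1 < len(code) and code[op] in SHORT_BRANCH:
            rel = code[op + 1]
            if rel >= 0x80:                       # rel8 is a signed displacement
                rel -= 0x100
            target = (load_addr + op + 2 + rel) & 0xFFFF
            sites.append((load_addr + op, SHORT_BRANCH[code[op]], target))
        pos = code.find(REPZ_CMPSW, pos + 1)
    return sites


def forced_branches(reference, candidate, load_addr=0x100):
    """Return the sites where the reference has a conditional branch and the
    candidate has JMP SHORT to the same target, i.e. the comparison result
    is no longer consulted."""
    if len(reference) != len(candidate):
        raise ValueError("images differ in length; compare like with like")
    forced = []
    for addr, mnemonic, target in branch_sites(reference, load_addr):
        off = addr - load_addr
        if (mnemonic != "JMP" and candidate[off] == 0xEB
                and candidate[off + 1] == reference[off + 1]):
            forced.append((addr, mnemonic, target))
    return forced


# Constructed sample: three F3 A7 matches, two of them followed by JZ.
REFERENCE = bytes.fromhex(
    "B9 04 00 F3 A7 74 10 E9 00 02 F3 A7 8B C3 90 F3 A7 74 05 CD 20")
SUSPECT = bytearray(REFERENCE)
SUSPECT[5] = 0xEB                 # constructed tampering at both JZ sites
SUSPECT[17] = 0xEB
SUSPECT = bytes(SUSPECT)

if __name__ == "__main__":
    for addr, mnemonic, target in forced_branches(REFERENCE, SUSPECT):
        print(f"{addr:04X}: {mnemonic} {target:04X} replaced by JMP {target:04X}")
```
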
 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
To unprotect Silpheed By Sierra!
 
    Use Norton and change these bytes in the SIMCITY.EXE file:
 
        Change: 80 3e cc 06 01 74 0c
        To....: 80 3e cc 06 01 eb 0c
                               ^^
Then when it asks the question just hit ENTER.
 
Another software crack by Bentley Bear!
 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++
To unprotect SimCity!
 
    Use Norton and change these bytes in the SIMCITY.EXE file:
 
        Change: 0c 87 00 75 3c
        To....: 0c 87 00 eb 3c
                         ^^
Another software crack by Bentley Bear!
 
Unprotect for Where in Time is Carmen Sandiego.
 
This program checks for the original key disk each time you are
promoted in the game.
 
I found another unprotect on this BBS (CARMNTME.ZIP) which did
not work at all. In fact, it made it so you can not even get into
the program!
 
Here's mine. You can patch the file either with a hex editor, or
with debug.
 
Using a hex editor, such as those in PC-Tools or Norton's Utilities:
 
Search for the hex byte string:   02 E1 07 C3 FA 55
 
Change the first byte only:       12
 
------------
 
Using debug
 
>ren carmen.exe car
>debug car
-S0000 FFFF 02 E1 07 C3 FA 55    <cr>
xxxx:yyyy                        (note value of yyyy)
-e yyyy                          (type e, then value of yyyy above)
xxxx:yyyy 02.12                  <cr>
-w                               <cr>
-q                               <cr>
 
>ren car carmen.exe
 
-------------
That's it. And a lot easier than the other patch that didn't work!
Although this patch only changes one byte, it was difficult to
come up with. They used a far call which was hard to follow, and
could not be nop'ed out. Good Luck.
 
5
 
     -e XXXX:YYYY b8 00 10         :   Edit the contents of the
                                       returned address
 
 Now write the new sargon game back to the disk:
 
     -w  <Enter>
 
     Writing XXXX bytes
 
 Then Quit Debug:
 
     -q  <Enter>
 
 Now it is time to rename sargon back to sargon.exe
 
     C>ren sargon sargon.exe
 
 Now try to run the new (Hopefully) unprotected version of Sargon IV.
 When the question comes up answer '1924'
 
     C>sargon
 
-----------------------------------------------------------------
 
 Unprotect Brought to you courtesy of Super Dave
 
                        Super Dave can be reached at:
 
                        Hackers Paradise BBS
                        (803) 269-7899
                        Greenville, SC
 
                            <-----<<END>>----->
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
!

 
 
In this file:  Memory shift 2.1
               Lotus 123 ver 1a
               Multilink ver 2.06
               Chartmaster
               Enable ver. 1.00
               EZWriter ver. 1.1
               Flight Simulator 1.00
 
How to Unprotect MEMORY-SHIFT, Version 2.1
 
A>FORMAT b:/s/v
 
With Memory Shift Master in drive A: and your fresh diskette in B:
A>COPY A:*.*,B:
 
Replace the Memory Shift Master in drive A: with your DOS diskette
A>RENAME B:MS.EXE,B:MS.XXX
A>DEBUG B:MS.XXX
-s 0 l 8000 e8 22 00 72     <- look for this string in memory
xxxx:7F68                   <- one occurrence should be found
-e 7F68
xxxx:7F68  E8.eb  22.08 <CR>
-e 80ec
xxxx:80EC  AD.e9  AB.9e  AD.fe <CR>
-e 7f8d
xxxx:7F8D  06.b8  1E.00  B8.01
xxxx:7F90  40.ab  00.b8  8E.f0  D8.ff  BF.01  3E.d8  00.ab  8A.b8
xxxx:7F98  95.d0  04.40  00.89  80.c1  E2.b8  03.b8  8E.03  46.e9
xxxx:7FA0  00.54  33.01
-w
Writing 8000 bytes
-q
A>RENAME B:MS.XXX,B:MS.EXE
 
That is all there is to it!
December 28, 1983
                <> <> <> <> <> <> <> <> <> <> <>
 
I have just seen a new copy of Lotus 1-2-3 v1a that has a
modified protection scheme for which the currently published
unprotect scheme will not work. Here is a modified unprotect
that will work properly with both the old and new v1a releases
.....
1) Rename 123.exe to 123.xyx
2) Type (to DOS) the command
  C> debug 123.xyx
3) Type (to debug) the command
  -s 100 efff cd 13   (The "-" is a prompt from debug.)
4) Debug should respond with something like:
   xxxx:ABA9    where xxxx is a hex number that may vary
5) Type
  -e aba9 fb f9   (Use whatever debug gave you in the
  -w               last step instead of "aba9" if it is
  -q               different.)
 
6) Rename 123.xyx to 123.exe
For those of you who want to understand this, it is
replacing an "INT 13" instruction that checks the disk
in drive A: for some funny stuff with STI, STC instructions
 
A little while ago, there was a patch for 123.EXE listed here that
effectively unprotected the copy-protected disk and allowed hard-disk
to run without the floppy.
I just received the new version of Lotus 123 and retrofitted the patch
(it is a different technique). To unprotect 123.EXE Version 1A,
 
1. Rename 123.EXE 123.XYZ
2. DEBUG 123.XYZ
3. type  U ABA9
4. you should see    INT 13   at that address
5. type  E ABA9 90 90
6. type  W
7. type  Q
8. Rename 123.XYZ 123.EXE
 
That's it. Good Luck.
                <> <> <> <> <> <> <> <> <> <> <>
 
  The following is a method to unprotect MultiLink Ver 2.06 to allow
  booting directly from hard disk without the need to insert the
  MultiLink distribution disk.
 
   ENTER                         COMMENTS
-------------------------    ---------------------------------------
C>copy mlink.com mlink.bak   Make a backup first!
C>debug mlink.com            Start debug session.
-u 2dfa                      Unassemble from address 2DFA.
                             You should see:
 
                             xxxx:2DFA       CALL     2F01
                             xxxx:2DFD       JNB      2E10
                             xxxx:2DFF       MOV      CX,2908
                             xxxx:2E02       CALL     2F01
                             xxxx:2E05       JNB      2E10
                             xxxx:2E07       DEC      BYTE PTR [2E0F]
                             xxxx:2E0B       JG       2DF2
                             xxxx:2E0D       JMP      07C4
                             xxxx:2E10       XOR      BYTE PTR [2E0D],32
                             xxxx:2E15       MOV      AX,[23C4]
                             xxxx:2E18       CMP      [2705],AX
 
                             If you don't see this, you have another
                             version.  If so, enter 'q' to quit the
                             debug session.  Otherwise, continue.
                             The instructions at
                             xxxx:2dfa, xxxx:2e02, and xxxx:2e1c
                             need to be replaced.
 
-e 2dfa f8 90 90             CALL  2F01  is replaced by CLC, NOP, NOP
-e 2e02 f8 90 90             CALL  2F01  is replaced by CLC, NOP, NOP
-e 2e1c 90 90                JNZ   2E0D  is replaced by NOP, NOP
-w                           Save the changes to disk
-q                           End the debug session.
                <> <> <> <> <> <> <> <> <> <> <>
 
In the spirit of a recent patch to unprotect LOTUS 1-2-3, I discovered
the same logic can be applied to unprotect MEMORY/SHIFT.
 
1. Rename MS.EXE MS.XYZ
2. DEBUG MS.XYZ
3. type  U 1565
4. you should see    INT 21   at that address
5. type  E 1565 90 90
   type  E 1567 90 90
6. type  W
7. type  Q
8. Rename MS.XYZ MS.EXE
 
Finally, make sure command.com resides on the disk where MEMORY/
SHIFT  is initiated.
There is another version of Lotus 123 also called Release 1A
but with a different copy-protection technique. It can be
identified by an "*" that displays on the first screen under
the "s" in the word "Release"
                                     Release 1A
                                          *
To unprotect this version so it can be run on a hard disk
without requiring the SYSTEM DISK in drive A, do the following:
 
1. RENAME   123.EXE    123.XYZ
2. DEBUG    123.XYZ
3. Type     U AB8C     press ENTER
    You should see  MOV  CX,0002
    if you don't, something is different and this won't work.
4. Type     E AB8C C3     press ENTER
5. Type     W
6. Type     Q
7. RENAME   123.XYZ   123.EXE
 
That's it. It will now run from any drive. As always, this patch
is provided so that honest people don't have to suffer the
inconveniences imposed upon them by software manufacturers.
                <> <> <> <> <> <> <> <> <> <> <>
FOR THE USERS THAT HAVE 'CHARTMASTER'  VER 6.04
-------------------------------------------------------------------
FROM : THE A.S.P ; (Against Software Protection)
      DATED : OCT 18,1984 (FIRST RELEASE)
ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020)
                 AND TO
                        LEE NELSONS BBS (PC-FORUM        -404-761-3635)
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO
40 OR MORE HOURS ( 4+ HOURS FOR 'CHARTMASTER' ) OF
SINGLE STEPPING THRU CODE AND FIGURING OUT THE
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT
FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS)
OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED
TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME
AT NO COST TO YOU AND I DO NOT LOOK TOO KINDLY TO SUCH BBS'S PUTTING ON
MY PROCEDURES AND THEN CHARGING U TO GET ACCESS TO THEM. THEY DIDNT SPEND
TIME AND COST (SAY 'X' HOURS * $40+) TO MAKE THE PROCEDURES AVAIL. , SO
I WOULD APPRECIATE THAT SUCH BOARDS DID NOT USE ANY OF THE 'A.S.P'S'
PROCEDURES, UNLESS THEY ARE WILLING TO PUT THEIR WORKS TRULY IN THE
PUBLIC DOMAIN.. ENOUGH SAID.. THANK YOU.
 
  IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT
TIED INTO THE 'CHARTMASTER' DISKETTE...IN CASE YOUR ONLY COPY GOES BAD
. THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY.
 
  AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY
IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY
YOUR PURCHASE LICENSE AGREEMENT.
 
  IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH
WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF
'BIG MACS' TO GET YOUR HARD DISK.
 
    FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0
    LABEL IT ACCORDING TO THE ORIGINAL 'CHARTMASTER'  SYSTEM DISKETTE
    COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING
   2.X  OR 3.X FORMATTED DISKETTE
    I WONT  TELL U HOW TO USE DEBUG OR  ANY 'PATCHER' PROGRAMS
   ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING.
    RENAME CM1.EXE CM1
    DEBUG CM1
    D CS:A67
     YOU SHOULD SEE 75 03 E9 09 00
     E CS:A67 90 90 E9 F7 01
     D CS:D139
     YOU SHOULD SEE 5F
     E CS:D139 CB
     W
     Q
    RENAME CM1 CM1.EXE
 
OTHER NOTES:
-------------------------------------------------------------------------
 
    CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED
 
    U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED
   DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U
   SET UP
 
    SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST
   AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT
   TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING
   SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT
   ON A BBS, SO THAT U MAY USE THE NEWLY GLEANED KNOWLEDGE.
 
 ALSO IN SOME CASES THE PROGRAM STILL TRIES TO GO TO THE "A" AND "B"
   DRIVES, SO I USED AN ASSIGN TO ASSIGN THEM TO THE 'C'. THIS PROBABLY CAN
   BE OVERCOME WITH THE CORRECT CONFIGURATION PARAMETERS.
 
  ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!!
                <> <> <> <> <> <> <> <> <> <> <>
This is the procedure to unprotect the integrated software package
called ENABLE , Vers 1.00
 
If you have a hard disk or want to create a backup copy that is not
tied to the original ENABLE system disk, this will remove the copy
protection completely.
 
This procedure is to be used by legitimate owners of ENABLE only,
as you are entitled to make a back up for archive purposes only.
You are bound by your licence agreement.
 
Format a blank disk using DOS 2 or 2.1 (Do not use the /s option.)
 
Label it the same as the original ENABLE system disk.
 
Copy the files from the original ENABLE system to the formatted
blank disk using  *.*   .
 
Place DOS system disk containing DEBUG in drive A:
 
Place the new copy of ENABLE in drive B:
 
DEBUG B:SYSTEM.TSG
 
S CS:0 L EFFF B8 01 04
 
(You should see)
XXXX:069C
XXXX:XXXX   < this one doesn't matter!
 
(If you don't - type q and enter - you have a different version!)
 
(If you do)
 
E  69C      (enter)
 
B8.EB 01.2D 04.90     (enter)
 
W
 
Q
 
Now all the copy protection has been removed, and you may copy the
files as required.
 
All checks for specially formatted tracks have been removed.
 
The disk no longer needs to be in the A drive on start up.
 
 
                <> <> <> <> <> <> <> <> <> <> <>
 
         ***** UNPROTECT EZWRITER 1.1 ***** BY JPM - ORLANDO FLA
 
     THIS PROGRAM IS TO HELP ALL OF YOU THAT HAVE FOUND THAT YOU
     COPIED YOUR EZWRITER 1.1 BACKUP TO SINGLE SIDED DISKETTE
     AND NOW YOU HAVE A DOUBLE SIDED DRIVE OR FIXED DISK,
      OR RAM DISK AND YOU ARE UP THE I/O CHANNEL WITHOUT A BYTE.
 
       THE WAY THE EZWRITER PROTECTION WORKS IS:
        1). A BAD TRACK IS CREATED ON THE DISKETTE (LAST TRACK)
           SO THAT DISK COPY WOULD NOT WORK.
           IT REALLY DOES WORK THOUGH, BUT THE BAD TRACK
           IS NOT COPIED. THIS BAD TRACK IS THE KEY.
           WITHOUT THE BAD TRACK, WHICH EZWRITE NEEDS TO READ,
           THE PROGRAM WILL NOT RUN.
        2). EW1.COM IS READ IN (YOU DO THIS). EW1.COM IN TURN
           LOADS "IBM88VMI.COM", WHICH IN TURN LOADS "TARGET.COM".
           TARGET.COM IS THE GUTS OF EZWRITER.
           "IBM88VMI.COM" CHECKS FOR THE BAD TRACK, AND IF IT
           IS THERE LOADS "TARGET.COM" OTHERWISE BYE-BYE.
            WHAT THIS SIMPLE PROGRAM DOES IS TELL "IBM88VMI.COM"
           TO IGNORE THE RESULTS OF THE CHECK FOR THE BAD TRACK.
            THIS WAY AFTER YOU DO A "COPY *.*" OR "DISKCOPY"
           YOU CAN THEN USE AND MOVE THE EZWRITER PROGRAM TO ANY
           MAGNETIC STORAGE MEDIA.
 
     ***************************************************************
 
      TO MAKE AN UNPROTECTED COPY OF EZWRITER:
 
       1). PUT THE ORIGINAL OR BACKUP IN DRIVE "A:"
       2). PUT A FORMATTED (SINGLE OR DOUBLE) DISKETTE IN DRIVE "B:"
       3). COPY *.* B:
       4). REMOVE EZWRITER FROM DRIVE "A:"
       5). LOAD BASIC FROM "A:" AND ONCE IN BASIC LOAD THIS PROGRAM
       6). RUN THIS PROGRAM. LO AND BEHOLD, THE COPIED EZWRITER
           DISKETTE IN DRIVE "B:" SHOULD NOW BE UNPROTECTED AND
           TRANSPORTABLE AS WELL AS TOTALLY FUNCTIONAL.
       7). AS ALWAYS PUT YOUR BACKUP DISKETTES IN A SAFE PLACE
          IN CASE OF PROBLEMS WITH THE COPIES.
 
          SINCE YOU NOW HAVE AN UNPROTECTED VERSION OF EZWRITER
       THE COPIES SHOULD BE FOR YOUR USE ONLY. YOU ARE STILL
       BOUND BY THE LICENSE AGREEMENT WHEN YOU PURCHASED THE
       PACKAGE.
    CLS
    CLOSE
    DEFINT A-Z
    '
    ' YOU SHOULD NOP RECORD(BYTE) 390 AND 391
    ' THEY CONTAIN HEX(CD20) WHICH IS A BRANCH IF BAD TRACK NOT FOUND
    ' THIS ONE LITTLE INSTRUCTION KEEPS YOU FROM RUNNING
    '
    ' THERE IS NO ERROR CHECKING DONE , SUCH AS FOR MISSING FILE,
    ' WRITE PROTECTED DISKETTE OR OTHER POSSIBLE I/O ERRORS.
    '
    NOP$=CHR$(144)
    BRANCH.BYTE1$=CHR$(205)
    BRANCH.BYTE2$=CHR$(32)
    OPEN "B:IBM88VMI.COM" AS #1 LEN=1
    GET #1,390
    FIELD 1,1 AS A$
    BYTE$=A$
    PRINT "VALUE READ FOR BYTE 390 WAS ";ASC(BYTE$)
    IF BYTE$<>BRANCH.BYTE1$ THEN GOTO 770
    LSET A$=NOP$
    PUT 1,390
    GET #1,391
    FIELD 1,1 AS A$
    BYTE$=A$
    PRINT "VALUE READ FOR BYTE 391 WAS ";ASC(BYTE$)
    IF BYTE$<>BRANCH.BYTE2$ THEN GOTO 770
    LSET A$=NOP$
    PUT 1,391
    CLOSE
    END
770 PRINT "THE BYTE YOU WERE TRYING TO NOP WAS ";ASC(BYTE$)
    PRINT "THE BYTE SHOULD HAVE BEEN EITHER 32 OR 205"
    PRINT "IF THE BYTE READ WAS 144 YOU HAVE PROBABLY"
    PRINT "UNPROTECTED THE PROGRAM ONCE BEFORE"
    PRINT "IF PROBLEMS GOTO YOUR BACKUP DISKETTES"
                <> <> <> <> <> <> <> <> <> <> <>
To make a backup of Microsoft Flight Simulator 1.00,
do the following:
 

 
A>DEBUG
-E CS:0000 B9 01 00 BA 01 00 BB 00
           01 0E 07 06 1F 88 E8 53
           5F AA 83 C7 03 81 FF 1C
           01 76 F6 B8 08 05 CD 13
           73 01 90 FE C5 80 FD 0C
           76 E1 90 CD 20
-E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 00 00 04 02
           00 00 05 02 00 00 06 02 00 00 07 02 00 00 08 02
-R IP
xxxx
:0000                <-- YOU ENTER THIS, NOW INSERT FLT. SIM DISK INTO A:
-G =CS:0000 CS:22 CS:2A
-E CS:02 0E
-E CS:27 19
-G =CS:0000 CS:22 CS:2A
-E CS:02 27
-E CS:27 27
-G =CS:0000 CS:22 CS:2A
-L DS:0000 0 0 40
-W DS:0000 1 0 40
-L DS:0000 0 40 28
-W DS:0000 1 70 30
-L DS:0000 0 A0 30
-W DS:0000 1 A0 30
-L DS:0000 0 138 8
-W DS:0000 1 138 8
-Q
A>
 


The following fix will eliminate the bothersome requirement to
insert the FOCUS "activator" diskette in the A-drive every time you
bring FOCUS up.   This change was made to a version of FOCUS
that had file dates of 05/11/84.  Be sure that you verify the code
that is in place before applying this zap.
 
RENAME FCPCINIT.EXE FCPCINIT.XXX
DEBUG FCPCINIT.XXX
  U 22AB L 5
(You should see "9A C5 02 14 02   CALL  0214:02C5"  display on the screen)
  E 22AB 90 90 90 90 90
  W
  Q
RENAME FCPCINIT.XXX FCPCINIT.EXE
 
That's all there is to it.   Have fun.
 
                              The Ancient Mariner
Note added 6 DEC 84
Same procedure continues to work, only the 5 bytes you want to no-op
are at location 0C57:23E0
What you see at that location is CALL 021C:02C5
 
                            <-----<<END>>----->
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
 

 
In this file:  Graphwriter 4.21
               TheDraw
               SideKick 1.00A
               PFS Report
               PCDRAW 1.4
               Signmaster
 
 
FOR THE USERS THAT HAVE 'GRAPHWRITER'  VER 4.21
-------------------------------------------------------------------
FROM : THE A.S.P ; (Against Software Protection)
 
      DATED : OCT 19,1984 (FIRST RELEASE)
ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020)
                 AND TO
                        LEE NELSONS BBS (PC-FORUM        -404-761-3635)
 
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO
40 OR MORE HOURS ( 8+ HOURS FOR 'GRAPHWRITER' ) OF
SINGLE STEPPING THRU CODE AND FIGURING OUT THE
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT
FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS)
 
OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED
TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME
AT NO COST TO YOU AND I DO NOT LOOK TOO KINDLY TO SUCH BBS'S PUTTING ON
 in.  Thanks    John Roswick, Bismarck.
    Keywords: SIDEKICK PROKEY PATCH FIX BUGS COMPATIBILITY BORLAND
                <> <> <> <> <> <> <> <> <> <> <>
 UNPROTECT FOR -SIDEKICK-
     Attention Sidekick/Prokey users !  We at Borland were having
trouble getting Sidekick to be compatible with Rosesoft's Prokey and
as many of you Prokey users out there know everything locked up when the
two got together.  The reason Prokey does not work is because it trashes
some of the registers when running and confuses Sidekick as to make your
terminal go down.  Enclosed is the portion of Prokey which does this.
 
0730  2EF606D402FF              TEST    CS:BYTE PTR [02D4H],0FFH
0736  7409                      JE      0741H
0738  2EFF2EC602                JMP     CS:DWORD PTR [02C6H]
073D  5B                        POP     BX
073E  1F                        POP     DS
073F  EBF7                      JMP     SHORT 0738H
0741  1E                        PUSH    DS
0742  53                        PUSH    BX
0743  8CCB                      MOV     BX,CS
0745  8EDB                      MOV     DS,BX
0747  FB                        STI
0748  C5053D0100                MOV     BYTE PTR [013DH],00H
074D  803E660400                CMP     BYTE PTR [0466H],00H
0752  7420                      JE      0774H
0754  833E670400                CMP     WORD PTR [0469H],00H
0759  7507                      JNE     0762H
075B  833E670400                CMP     WORD PTR [0467H],00H
0760  740D                      JE      076FH
0762  832E670401                SUB     WORD PTR [0467H],01H
0767  831E690400                SBB     WORD PTR [0469H],00H
076C  EB06                      JMP     SHORT 0774H
076E  90                        NOP
076F  C606660400                MOV     BYTE PTR [0466H],00H
0774  803E530400                CMP     BYTE PTR [0466H],00H
0779  74C2                      JE      073DH
077B  833E662400                CMP     WORD PTR [2466H],00H
0780  7507                      JNE     0789H
0782  833E682400                CMP     WORD PTR [2468H],00H
0787  740C                      JE      0795H
0789  832E682401                SUB     WORD PTR [2468H],01H
078E  831E662400                SBB     WORD PTR [2466H],00H
0793  EBA8                      JMP     SHORT 073DH
0795  E8841D                    CALL    251CH                    ;HMMM !
0798  EBA3                      JMP     SHORT 073DH
 
THE SAGA CONTINUES ...
 
251C  50                        PUSH    AX
251D  1E                        PUSH    DS
251E  A05304                    MOV     AL,[0453H]
2521  3C01                      CMP     AL,01H
2523  7407                      JE      252CH
2525  3C02                      CMP     AL,02H
2527  743F                      JE      2568H
2529  1F                        POP     DS
252A  58                        POP     AX
252B  C3                        RET     ?NEAR
252C  BD9D2D                    MOV     BP,2D9DH       BP DESTROYED
252F  E8480E                    CALL    337AH
2532  A16C24                    MOV     AX,[246CH]
2535  A39D2D                    MOV     [2D9DH],AX
2538  BD9D2D                    MOV     BP,2D9DH
253B  E8E30D                    CALL    3321H
253E  BD9D2D                    MOV     BP,2D9DH
2541  BEE023                    MOV     SI,23E0H       SI DESTROYED
2544  B601                      MOV     DH,01H         DX DESTROYED
2546  B201                      MOV     DL,01H         (BUT WILL BE RESTORED
2548  E8230C                    CALL    317FH          BY THE BIOS)
254B  E88407                    CALL    2CD2H
254E  8B366024                  MOV     SI,[2460H]
2552  E87D07                    CALL    2CD2H
2555  A16224                    MOV     AX,[2462H]
2558  A36824                    MOV     [2468H],AX
255B  C70666240000              MOV     WORD PTR [2466H],000H
2561  C606530402                MOV     BYTE PTR [0453H],02H
2566  EBC1                      JMP     SHORT 2529H
2568  BD9D2D                    MOV     BP,2D9DH
256B  E80C0E                    CALL    337AH
256E  C606530400                MOV     BYTE PTR [0453H],00H
2573  EBB4                      JMP     SHORT 2529H
 .
 .
 
Prokey does not save and restore all registers when trapping interrupt
1C.  The reason why this error occurs at a higher frequency when using
Sidekick is beyond this discussion. However, to verify the error try the
following:
 
1. Start Prokey
2. Define a key recursively
3. Notice prokey now issues an error message
4. terminate definition (fast...)
5. press return 100 times
6. if prokey did not crash repeat steps 2-6
 
Register destroying occurs when Prokey is flashing error message.  You must
terminate and press return as fast as possible, and be logged on a floppy
drive (important: let your prompt show the active directory in order to let
dos read on the disk).
 
The following program establishes a trap at interrupt 8 (to make sure Prokey
or others do not overwrite it; bios int 8 then activates 1C).
 
CODE                          SEGMENT
                              ASSUME     CS:CODE
                              ORG        100H
START                         PROC
                              JMP        SHORT SETUP
START                         ENDP
INT08SAVE                     DD         0                     ; saved INT 08H vector (offset, segment)
INT08TRAP                     PROC       FAR
                              PUSH       AX
                              PUSH       BX
                              PUSH       CX
                              PUSH       DX
                              PUSH       SI
                              PUSH       DI
                              PUSH       BP
                              PUSH       DS
                              PUSH       ES
                              PUSHF
                              CALL       INT08SAVE
                              POP        ES
                              POP        DS
                              POP        BP
                              POP        DI
                              POP        SI
                              POP        DX
                              POP        CX
                              POP        BX
                              POP        AX
                              IRET
INT08TRAP                     ENDP
EOTRAP:
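SETUP                         PROC
                              XOR        AX,AX                 ; AX = 0: segment of the interrupt vector table
                              MOV        DS,AX
                              MOV        SI,20H                ; 4 * 08H = offset of the INT 08H vector
                              CLI
                              LES        AX,DWORD PTR[SI]      ; ES:AX = current INT 08H handler
                              MOV        WORD PTR INT08SAVE,AX
                              MOV        WORD PTR INT08SAVE+2,ES
                              MOV        WORD PTR [SI],OFFSET INT08TRAP
                              MOV        [SI+2],CS
                              STI
                              MOV        DX,OFFSET EOTRAP+1    ; end of the resident part
                              INT        27H                   ; terminate and stay resident
SETUP                         ENDP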
CODE                          ENDS
                              END        START
 
It may be faster to enter the following bytes using debug and writing them
to the file profix.com, thus saving your original prokey file:
 
 
e100
0100:  EB 1D 00 00 00 00 50 53 51 52 56 57 55 1E 06 9C
0110:  2E FF 1E 02 01 07 1F 5D 5F 5E 5A 59 5B 58 CF 33
0120:  C0 8E D8 BE 20 00 FA C4 04 2E A3 02 01 2E 8C 06
0130:  04 01 C7 04 06 01 8C 4C 02 FB BA 20 01 CD 27
RCX
3F
NPROFIX.COM
W
 
NOW USE PROFIX INSTEAD OF PROKEY
 
NOTE:  THIS MAY NOT BE THE COMPLETE SOLUTION AS THE WORD STILL DOES NOT
WORK WITH PROKEY.  FURTHERMORE THIS HAS ONLY BEEN TESTED USING PROKEY
VERSION 3.0 - OLDER VERSIONS MAY HAVE OTHER BUGS!
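
One way to check the PROFIX.COM listing above before typing it into DEBUG, as an added example that is not part of the original note: it decodes the resident handler from the dump and confirms that every register pushed is popped in reverse order, that the saved INT 08H vector is chained, and that the resident size covers the handler. The function and key names are hypothetical; the bytes are the four rows of the listing.

```python
"""Audit the PROFIX.COM bytes before entering them with DEBUG."""

# The four rows of the hex listing above (a .COM file loads at 0100h).
DUMP = """\
0100:  EB 1D 00 00 00 00 50 53 51 52 56 57 55 1E 06 9C
0110:  2E FF 1E 02 01 07 1F 5D 5F 5E 5A 59 5B 58 CF 33
0120:  C0 8E D8 BE 20 00 FA C4 04 2E A3 02 01 2E 8C 06
0130:  04 01 C7 04 06 01 8C 4C 02 FB BA 20 01 CD 27
"""

# One-byte 8086 PUSH/POP opcodes for the registers the handler saves.
PUSH = {0x50: "AX", 0x51: "CX", 0x52: "DX", 0x53: "BX", 0x55: "BP",
        0x56: "SI", 0x57: "DI", 0x06: "ES", 0x1E: "DS"}
POP = {0x58: "AX", 0x59: "CX", 0x5A: "DX", 0x5B: "BX", 0x5D: "BP",
       0x5E: "SI", 0x5F: "DI", 0x07: "ES", 0x1F: "DS"}


def parse_dump(text):
    """Return (load_address, image) and reject rows that are not contiguous."""
    base, image = None, bytearray()
    for row in text.strip().splitlines():
        addr, _, data = row.partition(":")
        addr = int(addr, 16)
        if base is None:
            base = addr
        if addr != base + len(image):
            raise ValueError(f"row {addr:04X} does not follow the previous row")
        image += bytes.fromhex(data)
    return base, bytes(image)


def word(image, off):
    """Little-endian 16-bit value at a file offset."""
    return int.from_bytes(image[off:off + 2], "little")


def audit(base, image):
    """Decode the resident handler and the installer; return the findings."""
    if image[0] != 0xEB:
        raise ValueError("image does not start with JMP SHORT")
    rel = image[1] - 0x100 if image[1] >= 0x80 else image[1]
    setup = 2 + rel                    # file offset of the installer
    save = 2                           # INT08SAVE dword follows the JMP
    pos = handler = save + 4

    pushed = []
    while image[pos] in PUSH:
        pushed.append(PUSH[image[pos]])
        pos += 1
    # PUSHF ; CALL FAR CS:[INT08SAVE] imitates INT so the old handler's IRET returns here
    chain = bytes([0x9C, 0x2E, 0xFF, 0x1E]) + (base + save).to_bytes(2, "little")
    chains = image[pos:pos + 6] == chain
    pos += 6
    popped = []
    while image[pos] in POP:
        popped.append(POP[image[pos]])
        pos += 1
    iret = image[pos] == 0xCF
    handler_end = pos + 1

    # Installer: XOR AX,AX ; MOV DS,AX ; MOV SI,imm16 selects the vector slot.
    hooked = None
    if image[setup:setup + 5] == bytes.fromhex("33C08ED8BE"):
        hooked = word(image, setup + 5) // 4
    mov = image.find(b"\xC7\x04", setup)        # MOV WORD PTR [SI],imm16
    new_offset = word(image, mov + 2) if mov != -1 else None
    # Tail: MOV DX,imm16 ; INT 27H keeps everything below DX resident.
    tsr = image[-5] == 0xBA and image[-2:] == b"\xCD\x27"
    resident_end = word(image, len(image) - 4) if tsr else None

    return {
        "handler": base + handler,
        "pushed": pushed,
        "popped": popped,
        "balanced": popped == pushed[::-1],
        "chains_to_saved_vector": chains,
        "ends_with_iret": iret,
        "hooked_interrupt": hooked,
        "new_vector_offset": new_offset,
        "resident_end": resident_end,
        "resident_covers_handler": tsr and resident_end >= base + handler_end,
    }


if __name__ == "__main__":
    for key, value in audit(*parse_dump(DUMP)).items():
        print(f"{key}: {value}")
```
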
INSTRUCTIONS FOR UNPROTECTING PFS-FILE AND PFS-REPORT.
 
 IMPORTANT!  COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST.
 DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! (USE THE USUAL DOS
 COPY COMMAND)
 
FOR PFS-FILE:
  RENAME FILE.EXE TO FILE.ZAP
  HAVE DEBUG.COM HANDY
  TYPE -> DEBUG FILE.ZAP
  TYPE -> U 9243
  YOU SHOULD SEE, AMONG OTHER THINGS:  PUSH BP
                                       MOV AX,DS
                                       MOV ES,AX
   (ETC)
  IF YOU DON'T SEE THIS, TYPE -> Q  (YOU DON'T HAVE THE RIGHT VERSION)
  OTHERWISE,
  TYPE -> E 9248 EB 2B
  TYPE -> W
  TYPE -> Q
  BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE.  YOU NOW HAVE AN UNPROTECTED
  COPY OF PFS-FILE.
 
FOR PFS-REPORT:
  RENAME REPORT.EXE TO REPORT.ZAP
  HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP
  TYPE -> U 98BF
  YOU SHOULD SEE, AMONG OTHER THINGS:  PUSH BP
                                       MOV AX,DS
                                       MOV ES,AX
   (ETC)
  IF YOU DON'T SEE THIS, TYPE -> Q  (YOU DON'T HAVE THE RIGHT VERSION)
  OTHERWISE,
  TYPE -> E 98C4 EB 2B
  TYPE -> W
  TYPE -> Q
  BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE.  YOU NOW HAVE AN
  UNPROTECTED COPY OF PFS-REPORT.
 
For those of you whose PFS:FILE and PFS:REPORT do not match the other
PFS zaps on this board, try these:
 
----------------------------------------------------------------------
 
For PFS:FILE, copy FILE.EXE to another disk, and do:
 
RENAME FILE.EXE FILE.ZAP
DEBUG FILE.ZAP
U 9213
should show  ...   PUSH BP
                   MOV CX,0004
which is the first part of a timing loop.
if it doesn't, quit; else do:
E 9217 EB 18
U 9213
should show  ...   PUSH BP
                   MOV CX,0004
                   JMP 9231
if so, do:
W
Q
RENAME FILE.ZAP FILE.EXE
 
----------------------------------------------------------------------
 
For PFS:REPORT, copy REPORT.EXE to another disk, and do:
 
RENAME REPORT.EXE REPORT.ZAP
DEBUG REPORT.ZAP
U 9875
should show  ...   PUSH BP
                   MOV AX,DS
                   MOV ES,AX
if it doesn't, quit; else do:
E 987A EB 11
U 9875
should show  ...   PUSH BP
                   MOV AX,DS
                   MOV ES,AX
                   JMP 988D
if so, do:
W
Q
RENAME REPORT.ZAP REPORT.EXE
 
----------------------------------------------------------------------
 
if everything was OK, your new versions of PFS:FILE and PFS:REPORT
should run just fine without the original diskettes.
 
----------------------------------------------------------------------
 
Zaps provided by Lazarus Associates
 
                <> <> <> <> <> <> <> <> <> <> <>
----------------------------------------------------------
UNPROTECT IBM PERSONAL
 
 1. REN MCEMAIL.EXE X
 2. DEBUG X               DOS 2.xx Version
 3. A EB47 JMP EB4F    (was JNZ EB4F)
 4. A EBEF NOP NOP     (was JZ  EC0B)
 5. A EC06 NOP NOP     (was JNZ EC0B)
 6. W
 7. Q
 8. REN X MCEMAIL.EXE
 
IMPORTANT! All copies of PCM must have this patch
(i.e. the programs on both ends of a connection).
This has been tested on a PCjr and PC.
 
                <> <> <> <> <> <> <> <> <> <> <>
FOR THE USERS THAT HAVE 'PC-DRAW' V1.4
------------------------------------------
FROM : THE A.S.P ; (Against Software Protection)
 
ORIGINALLY SUBMITTED TO ASA FULTONS BBS - SHINING SUN :305-273-0020
                    AND WHIT WYANTS BBS - PC-CONNECT  :203-966-8869
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO
(+1 HOURS FOR PC-DRAW V1.4)
40 OR MORE HOURS OF SINGLE STEPPING THRU CODE AND FIGURING OUT THE
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT
FOR MY LOST SLEEP.... THE A.S.P... ORLANDO FLA. (J P , TO HIS FRIENDS)
IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT
TIED INTO THE PC-DRAW DISKETTE...IN CASE YOUR ONLY COPY GOES BAD
. THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY....
  AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY
IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY
YOUR PURCHASE LICENSE AGREEMENT.
  IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH
WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF
'BIG MACS' TO GET YOUR HARD DISK.
 
     THIS WRITE UP ASSUMES THAT YOU ARE FAMILIAR WITH DEBUG,
 
1). FORMAT A CORRESPONDING EQUAL NUMBER OF DOS2.0 OR 2.1 DISKS
   AS SYSTEM DISKS
 
2). LABEL EACH OF THE 2.X FORMATTED DISKS THE SAME AS EACH ONE OF
   THE ORIGINAL 'PC-DRAW' DISKS
 
3). COPY THE FILES FROM THE ORIGINAL DISKS TO THE 2.X FORMATTED DISK
   ON A ONE FOR ONE BASIS, USING 'COPY' COMMAND
 
4). PLACE THE ORIGINAL DISKS IN A SAFE PLACE, WE DONT NEED THEM ANY MORE.
 
5). PLACE 'DISK 1' IN THE 'A' DRIVE
6). RENAME PC-DRAW.EXE PC-DRAW
7). DEBUG PC-DRAW
8). ENTER -S CS:100 L EFFF CD 13
9). FIRST YOU SHOULD SEE THE FOLLOWING CODE AT ADDRESS
       CS:4D45        CD 13 INT 13
    IF U DONT U MAY HAVE A DIFFERENT VERSION SO DONT PROCEED ANY FARTHER,
    ENTER THE CHANGE TO CHANGE "INT 13" TO "NOP" AND "STC", AND FORCE A JUMP
10). ENTER -E 4D45 90 F9 EB 28
11). ENTER -W
12). ENTER -Q
13). RENAME PC-DRAW PC-DRAW.EXE
 
NOTE: PC-DRAW IS NOW COMPLETELY UNPROTECTED.
    IF U WANT TO USE 'PC-DRAW' FROM HARD DISK OR RAM DISK U MUST USE THE
    CORRECT 'ASSIGN=', SINCE 'PC-DRAW' APPEARS TO HAVE DRIVES HARD CODED.
 
 
      ALSO FOR V1.2 AND 1.3 THE BAD TRACK CHECK WAS IN DIAGRAM.EXE,
     NOTE THAT THE CHECK IS NOW DONE IN PC-DRAW.EXE.
 
  ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!!
This procedure will unprotect the version 1.10A of SIDEKICK.
 
Many thanks to the individual who provided the procedure
for the version 1.00A.
 
The only major difference between the two versions is the offset
address of the instructions to be modified.
 
Using DEBUG on SK.COM, NOP out the CALL 8C1E at location 07CA ----+
                                                                  |
Change the OR  AL,AL at 07D9 to  OR  AL,01 --------+              |
                                                   |              |
.....and that's it!                               |              |
                                                   |              |
                     (BEFORE ZAP)                  |              |
78A7:07CA E85184        CALL    8C1E <----------------------------+
78A7:07CD 2E            CS:                        |              |
78A7:07CE 8E163E02      MOV     SS,[023E]          |              |
78A7:07D2 2E            CS:                        |              |
78A7:07D3 8B264002      MOV     SP,[0240]          |              |
78A7:07D7 1F            POP     DS                 |              |
78A7:07D8 59            POP     CX                 |              |
78A7:07D9 0AC0          OR      AL,AL   <----------+              |
                                                   |              |
                     (AFTER ZAP)                   |              |
78A7:07CA 90            NOP         <-----------------------------+
78A7:07CB 90            NOP         <-----------------------------+
78A7:07CC 90            NOP         <-----------------------------+
78A7:07CD 2E            CS:                        |
78A7:07CE 8E163E02      MOV     SS,[023E]          |
78A7:07D2 2E            CS:                        |
78A7:07D3 8B264002      MOV     SP,[0240]          |
78A7:07D7 1F            POP     DS                 |
78A7:07D8 59            POP     CX                 |
78A7:07D9 0C01          OR      AL,01   <----------+
-------------------------------------------------------------------
                <> <> <> <> <> <> <> <> <> <> <>
 
 UNPROTECT FOR -SIGNMASTER
FROM : THE A.S.P ; (Against Software Protection)
 
1). FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0
2). LABEL IT ACCORDING TO THE ORIGINAL 'SIGNMASTER'  SYSTEM DISKETTE
3). COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING
   2.X  OR 3.X FORMATTED DISKETTE
4). I WONT  TELL U HOW TO USE DEBUG OR  ANY 'PATCHER' PROGRAMS
   ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING.
5). RENAME SIGN.EXE SIGN
6). DEBUG SIGN
7). D CS:99C
     YOU SHOULD SEE 75 03 E9 09
     E CS:99C 90 90 EB 1F
     D CS:D407
     YOU SHOULD SEE 5F
     E CS:D407 CB
     W
     Q
8). RENAME SIGN SIGN.EXE
 
OTHER NOTES:
-------------------------------------------------------------------------
 
1). CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED
 
2). U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED
   DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U
   SET UP
 
3). SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST
   AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT
   TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING
   SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT
   ON A BBS, SO THAT U MAY USE THE NEWLY GLEANED KNOWLEDGE.
 
This is the procedure for bypassing the copy protection scheme used by
SIDEKICK,  version 1.00A.
 
Using DEBUG on SK.COM, NOP out the CALL 8780 at location 071A ----+
                                                                  |
Change the OR  AL,AL at 072D to  OR  AL,01 --------+              |
                                                   |              |
.....and that's it!                               |              |
                                                   |              |
                     (BEFORE ZAP)                  |              |
78A7:071A E86380        CALL    8780 <----------------------------+
78A7:071D 2E            CS:                        |              |
78A7:071E 8E163D02      MOV     SS,[023D]          |              |
78A7:0722 2E            CS:                        |              |
78A7:0723 8B263F02      MOV     SP,[023F]          |              |
78A7:0727 1F            POP     DS                 |              |
78A7:0728 59            POP     CX                 |              |
78A7:0729 880E1300      MOV     [0013],CL          |              |
78A7:072D 0AC0          OR      AL,AL   <----------+              |
                                                   |              |
                     (AFTER ZAP)                   |              |
78A7:071A 90            NOP         <-----------------------------+
78A7:071B 90            NOP         <-----------------------------+
78A7:071C 90            NOP         <-----------------------------+
78A7:071D 2E            CS:                        |
78A7:071E 8E163D02      MOV     SS,[023D]          |
78A7:0722 2E            CS:                        |
78A7:0723 8B263F02      MOV     SP,[023F]          |
78A7:0727 1F            POP     DS                 |
78A7:0728 59            POP     CX                 |
78A7:0729 880E1300      MOV     [0013],CL          |
78A7:072D 0C01          OR      AL,01   <----------+
                <> <> <> <> <> <> <> <> <> <> <>
 
What follows is an unprotect scheme for version 1.11C of Borland
International's Sidekick.  The basic procedure is the same as
that for version 1.1A with just location differences.  So the
only credit I can take is for finding the new locations!  This is
(of course), provided only for legal owners of Sidekick!!  Also,
make sure you 'DEBUG' a copy NOT the original!
        DEBUG SK.COM    <ENTER>
        -U 801          <ENTER>
        -E 801          <ENTER>
        you will then see:
        25E5:0801    E8.
        90              <ENTER>
        repeat for 802 and 803:
        -E 802          <ENTER>
        90              <ENTER>
        -E 803          <ENTER>
        90              <ENTER>
        then:
        -A 810          <ENTER>
        OR AL,01        <ENTER>
        <ENTER>
        -U 801          <ENTER>
        you should then see (among other things):
        XXXX:801       90     NOP
        XXXX:802       90     NOP
        XXXX:803       90     NOP
 
        XXXX:810  0C01     OR     AL,01
        if so:
        -W              <ENTER>
        -Q              <ENTER>
        if not:
        -Q              <ENTER>
 
            +++++++++++++++++++++++++++++++++++++++++++++++++++++
 
             For SKN.COM, SKM.COM and SKC.COM the unprotect is the same
        but at the following locations:
 
             SK          SKN          SKM          SKC
             ---         ---          ---          ---
             801         7DF          76F          7BC
             802         7E0          770          7BD
             803         7E1          771          7BE
             810         7EE          77E          7CB
 
        To unprotect SKC.COM you would 'DEBUG SKC.COM' and then replace
        any occurrence of '801' with '7BC'; '802' with '7BD' and so on.
                              GOOD LUCK!
                          * * * * * * * * * * * *
                          * * * * * * * * * * * *
 
    This is an explanation of the internal workings of Print.Com, a file
    included in DOS for the IBM PC and compatibles.  It explains how this
    program fails to do its part to ensure integrity of all registers.  For
    this reason some trouble was being experienced while using both SideKick
    and Print.
 
The timer tick generates an interrupt 8 18.2 times per second.  When SK
is not active, this interrupt is handled by the Bios as follows:
 
It  pushes  all registers used by the routine (AX among  others.)
It updates the system timer count.
It updates the disk motor timer count.
It generates an int 1C.
 
When  the spooler is active,  it has placed a vector at  int  1C,
pointing  at  the  spooler's  code.   The  spooler  is  therefore
activated in the middle of the int 8 handling.   The cause of the
SK  received the int  8 and calls the bios int 8 routine to  make
sure  that the timer tick is properly handled.   The bios  int  8
me as above:
 
It pushes all registers used by the routine (AX among others).
It updates the system timer count.
It updates the disk motor timer count.
It generates an int 10.
SK  has replaced the vector that the spooler placed here  with  an
IRET,  so  nothing happens.   This is because we cannot allow the
timer tick to pass through to programs which use it,  for example
to write on the screen.
It generates an end-of-interrupt to the interrupt controller.
It pops the registers that were pushed.
It does an interrupt return.
 
Back in SK's int 8 routine we make a call to the address that was
stored at int 10 when SK was first started.  In this way he still
services any resident programs that were loaded before SK.   With
the spooler active we therefore make a call to the spooler.
 
The  spooler  again corrupts the AX register because it  uses  it
without saving it first.
Back  in SK we have no way of restoring the original contents  of
the  AX register because we did not save it (why  should  we,  we
don't use it.)
 
In  short,  the root of the trouble is that the spooler  destroys
the AX register.  The fact that the Bios's int 8 routine saves and
stores it is pure coincidence.
 
I quote from the Technical Reference Manual,  Pages 2-5,  Section
Interrupt Hex 1C-timer tick:
 
"It is the responsibility of the application to save and  restore
all registers that will be modified."
 
Relying  on a version of the Bios which happens to save  register
AX is bad programming practice.   However,  the guy who wrote the
print  spooler did not rely on this because at another  point  in
his  program  he  does correctly save AX.   Obviously  he  simply
forgot and fortunately for him the Bios saved him.
 
The following patch will fix the problem:
 
SK.COM unprotected version change 7F8: 55 to 7F8: 50
SK.COM unprotected version change 805: 5D to 805: 58
 
SK.COM protected version change 801: 55 to 801: 50
SK.COM protected version change 80E: 5D to 80E: 58
 
Also on both above change 012C: 41 to 012C: 42
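
The register-preservation failure described above, modelled as an added example (not code from SideKick, PRINT.COM or the BIOS): the CPU is reduced to AX and a small stack, and the handler names and the value 0xDEAD are constructed. It assumes the patch bytes mean what their opcodes say: 50 and 58 are PUSH AX and POP AX, replacing 55 and 5D (PUSH BP and POP BP), so that SK saves AX around the chained call.

```c
#include <stdint.h>
#include <stdio.h>

#define CLOBBER 0xDEADu          /* constructed value a careless hook leaves in AX */

/* Toy CPU: only the register the text is about, plus a small stack. */
typedef struct {
    uint16_t ax;
    uint16_t stack[16];
    int sp;
} cpu_t;

typedef void (*handler_t)(cpu_t *);

static void push(cpu_t *c, uint16_t v) { c->stack[c->sp++] = v; }
static uint16_t pop(cpu_t *c) { return c->stack[--c->sp]; }

static handler_t vec_1c;         /* models the INT 1Ch (timer tick) vector */

/* What SK leaves at INT 1Ch while it is active: a bare IRET. */
static void iret_stub(cpu_t *c) { (void)c; }

/* Hook as the text describes the spooler: uses AX without saving it. */
static void spooler_hook(cpu_t *c) { c->ax = CLOBBER; }

/* Hook that follows the quoted manual: saves and restores what it modifies. */
static void wellbehaved_hook(cpu_t *c) {
    push(c, c->ax);
    c->ax = CLOBBER;             /* same work, but inside a save/restore pair */
    c->ax = pop(c);
}

/* BIOS INT 8 as listed in the text: push AX, do its work, INT 1Ch, pop AX. */
static void bios_int8(cpu_t *c) {
    push(c, c->ax);
    c->ax = 0x0020;              /* BIOS uses AX itself (model value) */
    vec_1c(c);                   /* whatever is hooked on the timer tick */
    c->ax = pop(c);              /* this pop is what hides a careless hook */
}

/* SK not active: the hook runs inside the BIOS handler's push/pop pair. */
static uint16_t tick_without_sk(handler_t hook, uint16_t ax_in) {
    cpu_t c = { .ax = ax_in, .sp = 0 };
    vec_1c = hook;
    bios_int8(&c);
    return c.ax;                 /* AX as the interrupted program sees it */
}

/* SK active: BIOS runs with an IRET at INT 1Ch, then SK calls the saved
 * hook itself, outside the BIOS push/pop. sk_saves_ax models the patch. */
static uint16_t tick_with_sk(handler_t hook, uint16_t ax_in, int sk_saves_ax) {
    cpu_t c = { .ax = ax_in, .sp = 0 };
    handler_t saved_1c = hook;   /* vector SK stored when it was started */
    vec_1c = iret_stub;
    if (sk_saves_ax) push(&c, c.ax);
    bios_int8(&c);
    saved_1c(&c);                /* chained call, no BIOS protection here */
    if (sk_saves_ax) c.ax = pop(&c);
    return c.ax;
}

int main(void) {
    uint16_t ax = 0x1234;        /* constructed value held by the interrupted program */
    printf("no SK, careless hook:      AX=%04X\n", (unsigned)tick_without_sk(spooler_hook, ax));
    printf("SK unpatched, careless:    AX=%04X\n", (unsigned)tick_with_sk(spooler_hook, ax, 0));
    printf("SK patched, careless:      AX=%04X\n", (unsigned)tick_with_sk(spooler_hook, ax, 1));
    printf("SK unpatched, well-behaved AX=%04X\n", (unsigned)tick_with_sk(wellbehaved_hook, ax, 0));
    return 0;
}
```

Only the second case returns a corrupted AX: the hook's missing save is harmless while it runs inside the BIOS handler and becomes visible as soon as another resident program chains to it directly.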
 
UNPROTECT IBM TIME MANAGER (80 Column Version) Version 1.00 -
 
1. Have a formatted, blank disk ready if copying to a floppy. Hard
   disk is OK, also.
 
2. Startup DEBUG from drive A.  Just type  DEBUG  <enter>
 
3. Place the TIME MANAGER program disk in drive A.
4. Type   L 600 0 A5 40  <enter>
5. Type   F 100,600 90   <enter>
6. Type   RCX            <enter>
7. Type   8000           <enter>
8. Place the formatted, blank floppy in drive B
 
9. Type   NTM.COM        <enter>
10. Type  W              <enter>
11. Type  Q              <enter>
 
That's it. You now have the 80-column version of Time Manager on the
disk in Drive B. It is called TM.COM and can be started by simply
typing TM.
 
BE AWARE!!! - the data diskette is non-dos and cannot be placed on a
hard disk. Also, while the program itself can be loaded from any drive
letter (A-Z), the data disk can only be on drives A or B.
The data disk is not protected and may be copied with DISKCOPY.
 
 
For the 40-column version, replace line 4 with:
 
4. Type   L 600 0 65 40  <enter>
 
All other steps are the same.
 
If you wish to have both a 40 and 80 column version, change line 9
so that the name is descriptive of the version, i.e. NTM40.COM or
NTM80.COM.
 
                            <-----<<END>>----->
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
In this file: Lotus 123
              Visicalc
              Microsoft word 1.1
              ZORK
              Trivia Fever
              Wordstar 2000 1.00
              dBase 3
              PFS programs
              Double Dos
 
 
                  UNPROTECTING LOTUS 1-2-3
 
1-2-3 Release 1-A
-----------------
1. Rename 123.exe 123.xyz
2. DEBUG 123.xyz
3. Type U ABA9
4. You should see INT 13 at this address
5. Type E ABA9 90 90
6. Type W
7. Type Q
8. Rename 123.xyz 123.exe
 
1-2-3 Release 1
---------------
1. Rename 123.exe 123.xyz
2. DEBUG 123.xyz
3. Type S DS:100 FFFF E8 BE 71
   The system will respond with xxxx:3666 where xxxx can vary
4. Type E xxxx:3666 90 90 90  (xxxx is the number from above)
5. Type W
6. Type Q
7. Rename 123.xyz 123.exe
 
       Compliments of THE BIG APPLE BBS (212) 975-0046
 
                <> <> <> <> <> <> <> <> <> <> <>
     [[This patch was extracted from the PHOENIX IBM-PC Software
Library newsletter. They received it from the HAL-PC users group of
Houston, TX.  Corrected by Jack Wright.  Many thanks to them.]]
 

 
USE THE FOLLOWING PROCEDURE TO TRANSFER THE 80-COLUMN VISICALC PROGRAM
FROM THE VISICALC DISK AND WRITE A STANDARD .COM FILE WHICH MAY BE
 
FORMAT A DISK AS FOLLOWS: (FORMAT B:/S(ENTER)).
START THE DEBUG SYSTEM.
INSERT THE VISICALC DISK IN DRIVE A:
THEN TYPE:
 
-L 100 0 138 2         (LOAD THE VC80 LOAD/DECRYPTER)
-M 0 3FF 7000          (DUPLICATE IT IN HIGHER MEMORY)
-R CS                  (INSPECT COMMAND SEGMENT REGISTER)
 
DEBUG WILL RESPOND WITH THE CONTENTS OF THE CS REGISTER (eg. 04B5) AND
PROMPT WITH A COLON (:). TYPE THE OLD CONTENTS + 700 (HEX). (eg. 04B5
BECOMES 0BB5). DO THE SAME WITH THE 'DS' REGISTER.
DEBUG response to R CS might be:
 
CS 04B5    <-Save the value you get, we'll need it later.
:0BB5      <-Type in your CS value + 700hex here
-R DS      <-Type
DS 04B5
:0BB5      <-Type in your DS value + 700hex here
 
NEXT:
Take the low order byte of the CS you saved above and substitute it
for LL in the next line.  Substitute the high order byte for HH:
 
-E 107 LL HH           (ENTER BYTE-FLIPPED CS) Ex: -E 107 B5 04
-E 24D BB A8 00 90     (HARD-WIRE THE DECRYPTION KEY)
 
NOW, WE MUST RUN THE LOADER/DECRYPTER, TYPE:
 
-G =1B8 26B            (EXECUTE FROM 1B8 TO 26B)
 
THE ENTIRE PROGRAM WILL NOW BE LOADED AND DECRYPTED AND A REGISTER DUMP
SHOULD APPEAR ON THE SCREEN. NOW RESTORE CS AND DS TO THEIR PREVIOUS
VALUES AND SET THE FILE LENGTH IN CX. Set BX=0:
 
-R CS
CS 0BB5     <-Yours might be different
:04B5       <-Type in the value of CS you saved above
-R DS
DS 0BB5
:04B5       <-Type in the value of DS you saved above
-R BX
BX F3FD
:0
-R CX
CX 0000
:6B64       (LENGTH = 6B64 FOR VERSION 1.1, 6802 FOR VERSION 1.0)
 
NOW WE MUST NAME THE FILE, WRITE IT AND EXIT.
REMOVE THE VISICALC DISK FROM A:
INSERT THE NEW, FORMATTED, EMPTY DISK IN A:
TYPE:
-N VC.COM               (OR WHATEVER YOU WISH TO NAME IT)
-W                      (WRITE THE .COM FILE)
-Q                      (EXIT FROM DEBUG)

Back in DOS, type VC to try it.

The protection scheme for MS WORD is quite good.  The last track
is formatted with 256 byte sectors.  One sector, however, has
an ID that says it is a 1K sector.  If you try to read it as a 256
byte sector, you'll get a sector not found.  You can read it as a
1K sector with a guaranteed CRC error, and you will get the data
and other sector overhead from 3+ sectors.  They read it as 1K, and
use the bytes after the first 256 for decryption.  These bytes
constitute the post-amble of the sector, the inter-sector gap, and
the preamble to the next 256 byte sector.  If it's not formatted
with the correct inter-sector gap, the decryption key is
different and the incorrectly decoded program bombs.
 
The best way around this is to modify the MWCOPY program so it
will let you make more than one copy.  The below mods will let
you make as many backups as you want (and you can leave the
write protect tab on your master disk).  Of course, this method
should only be used by registered owners of Word.  If you, or any
of your IMF force is killed, the secretary will disavow any
knowledge of these patches.
 
We will copy MWCOPY to another disk, using another name (MWCP) so
you'll know it's the special version, and then modify MWCP.
 
(with master disk in A:, B: has any disk with debug on it)
A>copy mwcopy.com b:mwcp.com
B>debug mwcp.com
-e103
xxxx:0103  0x.00
-e148
xxxx:0148  A5.a7
-e194
xxxx:0194  02.04
-e32a
xxxx:032A  1C.1e
-e32e
xxxx:032E  1C.1e
-e3372
xxxx:3372  01.03
-ecfe
xxxx:0CFE  CD.90<space>26.90<space>
xxxx:0D00  5B.90
-e4ab
xxxx:04AB  1B.84
-e69a
xxxx:069A  C1.b9<space>38.ff<space>28.b9
-e7b3
xxxx:07B3  A2.5f<space>08.e9
-e66f
xxxx:066F  E5.d8<space>
xxxx:0670  94.29<space>90.ff<space>29.b9
Writing 332D bytes
-q
B>mwcp      (try making a copy..remember,
             leave the write-protect on the master)
   (Just follow the prompts in the program, except when they ask
    you to remove the write protect tab)
 
I think this will also work for the hard disk copy portion.  Another
way to unprotect Word gets rid of the need for any weird disk formats.
But it is MUCH more complicated to do.  Enjoy!
 
                <> <> <> <> <> <> <> <> <> <> <>
Unprotection for Microsoft "WORD" Version 1.1 using the
Ultra-utilities (U-Format and U-Zap). June 22, 1984
 
    The following information is presented for those legitimate
owners who feel somewhat insecure when the availability of an
important program is dependent on the survival of a single floppy
disk.
 
    Microsoft's WORD uses a very good protection method. This
consists of a track (Side 1, Track 39) which is formatted with
twelve sectors. Sectors 1,2,3,4,6,7,8,9,10 & 11 are all 256 byte
sectors. Sector 5 is formatted as a 1024 byte sector with a
an inherent CRC error. The sectors on this track have an ASCII text
on the subjects of not stealing software and the names of the
people who worked on the development of the WORD package.
 
    Sectors 1,2,3 & 4, while presenting an interesting message, do
not directly affect the copy protection scheme. They would
appear to be a "red herring", to divert attention from the actual
protection area.
 
    Earlier versions of WORD were supplied with a program called
MWCOPY.COM which permitted a single floppy disk copy and a single
hard disk copy. If you have these versions use WORD.UNP or
WORDNEW.UNP which can be found on many BBS's.
 
    Version 1.1 is furnished with a single back-up floppy and the
utility programs furnished are MWCOPY1.COM, MWCOPY.BAT, and
MWCOPY2.BAT. These programs only permit a one-time copy to a hard
disk. No provision is included for a floppy copy.
 
    To make a floppy copy you will need the Ultra-Utilities, a
userware set of programs available on many BBS's. Of this set you
specifically need U-FORMAT.EXE and U-ZAP.EXE.
1)  Place a write protect tab on your copy of WORD.
2)  Make a copy of WORD with the standard DOS DISKCOPY command.
    (NOTE: There are hidden files, so the use of COPY will
    not work.)
    DISKCOPY will report "Unrecoverable read errors on source
    Track 39 Side 1". Just ignore this.
3)  Start the U-FORMAT.EXE program. This can be done by removing
    the WORD disk and inserting your Ultra-Utilities disk. Once
    U-Format is started you can remove the Ultra-utilities disk
    and return the WORD disk to the drive.
4)  Select #5 (Display Radix) from the U-Format menu and change to
    decimal display.
5)  Select #4 (Display/Modify Disk Parameter Table) and set the
    following:
    #4 Bytes per sector = 001
    #5 Highest sector number per track = 012
    #8 Formatting gap length = 010
    All other values remain at the default settings.
    Quit to the main menu.
6)  Select menu item #3 (Format a Non-Standard Track)
    The program will ask if you intend to format a track with 12
    sectors. Answer = YES
 
    The program will then ask for the following information:
 
    SIDE  =  1
    DRIVE  =  (enter letter of the drive with the COPY disk)
    TRACK  =  39
 
    The program will then prompt for the following information:
 
    Physical Sector #   Logical Sector #   Sector Size
          1                   1               1
          2                   2               1
          3                   3               1
          4                   4               1
          5                   5               3
          6                   6               1
          7                   7               1
          8                   8               1
          9                   9               1
         10                  10               1
         11                  11               1
         12                  12               1
 
    After pressing "enter" in response to the prompt, you may exit
    U-Format.
 
7)  Start the U-ZAP.EXE program. This can be done by removing
    the WORD disk and inserting your Ultra-Utilities disk. Once
    U-Zap is started you can remove the Ultra-utilities disk
    and return the WORD disk to the drive.
 
8)  Select #8 (Display Radix) from the U-Format menu and change to
    decimal display.
 
9)  Select #11 (Display/Modify Disk Parameter Table) and set the
    following:
 
    #4 Bytes per sector = 001
    #5 Highest sector number per track = 012
 
    All other values remain at the default settings.
 
    Quit to the main menu.
 
10) Select #3 (Copy Disk Sectors) and use the following
    information:
 
    SOURCE DISK                     DESTINATION DISK
 
    SIDE  =  1                      SIDE  =  1
    DRIVE  =  (enter drive letter   DRIVE  =  (enter drive letter
               for WORD disk)                  for COPY disk)
    TRACK  =  39                    TRACK  =  39
    SECTOR  =  6                    SECTOR  =  6
 
        NUMBER OF SECTORS TO COPY  =  7
 
    The program will report "Sector Not Found"... "Re-Try (Y/N)"
    Answer  =  NO
 
    The program will then ask how many sides for the disk.
    Answer  =  2
 
    The program will then show the copy process.
 
    (NOTE: DO NOT copy the information from sectors 1,2,3,4,
    or 5.)
 
    You may then quit from U-zap to DOS.
 
    YOU'RE DONE.
 
    The copy disk should work

                <> <> <> <> <> <> <> <> <> <> <>
How to backup Infocom's ZORK III game:

 
A>DISKCOPY A: B:          <-- Ignore the errors on tracks 1-3!

 BE SURE THAT YOUR ORIGINAL IS WRITE-PROTECTED!!!
 
A>

 
A>DEBUG
-R CS
xxxx
:0000                <-- you enter this
-R DS
xxxx
:0040
-R IP
xxxx
:7C00
-R ES
xxxx
:0000
-L 0:7C00 0 0 8
-G =0:7C00 0:7C32
-G 0:7C44                <-- Don't take a shortcut here!
-R ES
xxxx
:04C5
-G 0:7C46
-E 7C0:007C 02 08
-W 800:0000 1 8 8
-E 07C0:007C 03 04
-G 0:7C44
-R BX
xxxx
:0000
-G 0:7C46
-E 07C0:007C 02 08
-W 04C5:0000 1 10 8
-E 07C0:007C 03 04
-G 0:7C44
-R BX
xxxx
:0000
-E 07C0:007C 02 08
-W 04C5:0000 1 18 8
-E 0:7C41 B8 08 02
-W 0:7C00 1 0 8
-Q
                <> <> <> <> <> <> <> <> <> <> <>
 UNPROTECT FOR INFOCOM'S  -ZORK III-

 which may cause unpredictable results...

 It is now DISKCOPY-able.

 
How to backup Infocom's ZORK III game:
 

 
A>DISKCOPY A: B:          <-- Ignore the errors on tracks 1-3!

 
A>

 
A>DEBUG
-R CS
xxxx
:0000                <-- you enter this
-R DS
xxxx
:0040
-R IP
xxxx
:7C00
-R ES
xxxx
:0000
-L 0:7C00 0 0 1
-G =0:7C00 0:7C2A
-R AX
xxxx
:0800
-G 0:7C63
-E 800:14E5 B8 08 02
-E 800:211A 02 08
-W 800:0000 1 8 18
-L 0:7C00 0 0 8
-E 0:7C7C 02 08
-E 0:7C41 B8 08 02
-W 0:7C00 1 0 8
-Q
 

 It is now DISKCOPY-able.

                <> <> <> <> <> <> <> <> <> <> <>
 
This is the procedure to unprotect the game software package
called TRIVIA FEVER (This procedure also works on the demo disk of
TRIVIA FEVER available with the blank XIDEX disks!)
 
If you have a hard disk or want to create a backup copy that is not
tied to the original TRIVIA system disk, this will remove the copy
protection completely.
 
This procedure is to be used by legitimate owners of
        TRIVIA FEVER ONLY ...
as you are entitled to make a back up for archive purposes only.
You are bound by your licence agreement.
 
Format a blank system disk using DOS 2 or 2.1
 
Label it the same as the original TRIVIA system disk.
 
Copy the files from the original TRIVIA system to the formatted
blank disk using  *.*   .
 
Place DOS system disk containing DEBUG in drive A:
 
Place the new copy of TRIVIA in drive B:
 
Rename the file called TF.EXE to TF
 
A>DEBUG B:TF
 
-E 257E      (enter)
 
-75.90 03.90 (enter)
 
-W
 
-Q
 
Rename B:TF B:TF.EXE
 
Now all the copy protection has been removed, and you may copy the
files as required.
 
All checks for specially formatted tracks have been removed.
 
Disk needs no longer to be in the A drive on start up.
                <> <> <> <> <> <> <> <> <> <> <>
 
               Wordstar 2000 version 1.00  -  Unprotect
                            by Gerald Lee
 
                            derived from
 
                 dBase III version 1.10  -  Unprotect
                          by The Lone Victor
 
     The following instructions show you how to bypass the SoftGuard
copy protection scheme used on WORDSTAR 2000 version 1.00.  This is the
same scheme used for FrameWork 1.10 and for dBase III version 1.10.
Wordstar 2000 version 1.10 does not use a copy protection scheme, while
versions 1.00 of dBase III and FrameWork used ProLock.  To unprotect
Prolock disks read the file PROLOCK.UNP.
 
     First, using your valid, original Wordstar 2000 diskettes, install
it on fixed disk.  Softguard hides two files in your root directory:
CML0200.HCL and VDF0200.VDW.  WS2000.EXE is the real Wordstar 2000
program, encrypted.  When you run Wordstar, the program WS2000.COM loads
CML0200.HCL high in memory and runs it.  CML decrypts itself and reads
VDF0200.VDW.  The VDF file contains some code and data from the fixed disk
FAT at the time of installation.  By comparing the information in the VDF
file with the current FAT, CML can tell if the CML, VDF, and WORDSTAR.EXE
files are in the same place on the disk where they were installed.  If
they have moved, say from a backup & restore, then WORDSTAR 2000 will
not run.
 
     Second, un-hide the two files in the root directory.  You can do
this with the programs ALTER.COM or FM.COM, or UNHIDE.COM and HIDE.COM
found on any BBS.  PC-SWEEP2 is the easiest; it will copy the files to
another directory unhidden.
 
     Make copies of the two files, and of WS2000.COM and WS2000.EXE, into
some other directory.
 
     Hide the two root files again if using ALTER or FM.  Leave alone if
using PC-SWEEP2.
 
     Following the WORDSTAR instructions, UNINSTAL WORDSTAR 2000.  You
can now put away your original WORDSTAR diskettes.  We are done with them.
 
     Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG.  These patches will keep it from killing our
interrupt vectors.
 
DEBUG CML0200.HCL
E 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A
E 49D <CR>  F6.16 <CR>          ;  if any of these numbers don't show up
E 506 <CR>  E9.09 <CR>          ;  it's not working.
E A79 <CR>  00.20 <CR>          ;
E AE9 <CR>  00.20 <CR>          ;
E 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300
W <CR>                          ; write out the new CML file
Q <CR>                          ; quit debug
 
     Now copy your four saved files back into the root directory and
hide the CML0200.HCL and VDF0200.VDW files using ALTER, FM or PC-SWEEP2.
 
     We can now run WS2000.COM using DEBUG, trace just up to the point
where it has decrypted WORDSTAR.EXE, then write that file out.
 
DEBUG WS2000.COM
R <CR>                          ; write down the value of DS for use below.
A 0:300 <CR>                    ; we must assemble some code here
        POP     AX <CR>
        CS: <CR>
        MOV     [320],AX <CR>   ; save return address
        POP     AX <CR>
        CS: <CR>
        MOV     [322],AX <CR>
        PUSH    ES <CR>         ; set up stack the way we need it
        MOV     AX,20 <CR>
        MOV     ES,AX <CR>
        MOV     AX,0 <CR>
        CS: <CR>
        JMP     FAR PTR [320] <CR> ;jump to our return address
 <CR>
G 406 <CR>                      ; now we can trace CML
T <CR>
G 177 <CR>                      ; this stuff just traces past some
G 1E9 <CR>                      ;   encryption routines.
T <CR>
G 54E <CR>                      ; wait while reading VDF & FAT
G=559 569 <CR>
G=571 857 <CR>                  ; WS2000.EXE has been decrypted
rBX <CR>                        ; length WS2000.EXE = 1AC00 bytes
:1 <CR>                         ; set BX to 1
rCX <CR>
:AC00 <CR>                      ; set CX to AC00.
nWS12 <CR>                      ; name of file to write to
W XXXX:100 <CR>                 ; where XXXX is the value of DS that
                                ;   you wrote down at the beginning.
Q <CR>                          ; quit debug
 
     Last, unhide and delete the two root files CML0200.HCL, VDF0200.VDW,
and WS2000.COM and WS2000 directory.  Rename WS12 to WS2000.COM and
replace in the WS2000 directory.  This is the routine that starts the
real WS2000.EXE program without any SoftGuard code or encryption.   It
requires the .OVL and .MSG files to run.  I have not tried it on a two
disk system but I think it should work.
 
     If you have any comments on this unprotect routine, please leave
them
                                          GERALD LEE - 5/12/85
                <> <> <> <> <> <> <> <> <> <> <>
 
                 dBase III version 1.10  -  Unprotect
                                                    by The Lone Victor
 
     The following instructions show you how to bypass the SoftGuard
copy protection scheme used on dBase III version 1.10.  This is the same
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00.  Wordstar
2000 version 1.10 does not use a copy protection scheme, while versions
1.00 of dBase III and FrameWork used ProLock.  To unprotect Prolock disks
read the file PROLOCK.UNP.
 
This scheme also reportedly works on Quickcode 1.10 and QuickReport 1.00.
 
     First, using your valid, original dBase III diskette, install it on
a fixed disk.  Softguard hides three files in your root directory:
CML0200.HCL, VDF0200.VDW, and DBASE.EXE.  It also copies DBASE.COM into
your chosen dBase directory.  DBASE.EXE is the real dBase III program,
encrypted.  When you run dbase, the program DBASE.COM loads CML0200.HCL
high in memory and runs it.  CML decrypts itself and reads VDF0200.VDW.
The VDF file contains some code and data from the fixed disk FAT at the
time of installation.  By comparing the information in the VDF file with
the current FAT, CML can tell if the CML, VDF, and DBASE.EXE files are
in the same place on the disk where they were installed.  If they have
moved, say from a backup & restore, then dBase will not run.
 
     Second, un-hide the three files in the root directory.  You can do
this with the programs ALTER.COM or FM.COM found on any BBS.
 
     Make copies of the three files, and of DBASE.COM, into some other
directory.
 
     Hide the three root files again using ALTER or FM.
 
     Following the dBase instructions, UNINSTALL dBase III.  You can now
put away your original dBase diskette.  We are done with it.
 
     Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG.  These patches will keep it from killing our
interrupt vectors.
 
debug cml0200.hcl
e 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A
e 49D <CR>  F6.16 <CR>          ;  if any of these numbers don't show up
e 506 <CR>  E9.09 <CR>          ;  it's not working.
e A79 <CR>  00.20 <CR>          ;
e AE9 <CR>  00.20 <CR>          ;
e 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300
w                               ; write out the new CML file
q                               ; quit debug
 
     Now copy your four saved files back into the root directory and
hide the CML0200.HCL, VDF0200.VDW, and DBASE.EXE files using ALTER or FM.
 
     We can now run DBASE.COM using DEBUG, trace just up to the point
where it has decrypted DBASE.EXE, then write that file out.
 
debug dbase.com
r <CR>                          ; write down the value of DS for use below.
a 0:300 <CR>                    ; we must assemble some code here
        pop     ax
        cs:
        mov     [320],ax        ; save return address
        pop     ax
        cs:
        mov     [322],ax
        push    es              ; set up stack the way we need it
        mov     ax,20
        mov     es,ax
        mov     ax,0
        cs:
        jmp     far ptr [320]   ; jump to our return address
 <CR>
g 406                           ; now we can trace CML
t
g 177                           ; this stuff just traces past some
g 1E9                           ;   encryption routines.
t
g 54E                           ; wait while reading VDF & FAT
g=559 569
g=571 857                       ; DBASE.EXE has been decrypted
rBX <CR>                        ; length DBASE.EXE = 1AC00 bytes
:1                              ; set BX to 1
rCX <CR>
:AC00                           ; set CX to AC00.
nDBASE                          ; name of file to write to
w XXXX:100                      ; where XXXX is the value of DS that
                                ;   you wrote down at the beginning.
q                               ; quit debug
 
     Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW,
and DBASE.EXE.  Delete DBASE.COM and rename DBASE to DBASE.EXE.  This is the
real dBase III program without any SoftGuard code or encryption.  It requires
only the DBASE.OVL file to run.
 
     If you have any comments on this unprotect routine or the PROLOCK.UNP
routine, please leave them on the Atlanta PCUG BBS (404) 634-5731.
 
                                          The Lone Victor - 4/15/85
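
The location check described in the dBase III article above, modelled as an added example (not code from the original file or from SoftGuard): a toy FAT records where the three hidden files sit at install time and re-checks them at launch. It assumes the stored "data from the FAT" is each file's cluster chain; the Volume class, the file sizes and the first-fit allocator are constructed for illustration.

```python
"""Toy model of an install-time disk-location check (constructed example)."""

FREE, EOC = 0x000, 0xFFF   # FAT12-style markers: free cluster, end of chain

# File names taken from the article; everything else here is hypothetical.
PROTECTED = ("CML0200.HCL", "VDF0200.VDW", "DBASE.EXE")


class Volume:
    """Minimal FAT volume: a cluster table plus a root directory."""

    def __init__(self, clusters=64):
        self.fat = [FREE] * clusters
        self.fat[0] = self.fat[1] = EOC   # clusters 0 and 1 are reserved
        self.root = {}                    # file name -> first cluster

    def write(self, name, n_clusters):
        """Allocate n_clusters first-fit and link them into one chain."""
        free = [i for i, v in enumerate(self.fat) if v == FREE][:n_clusters]
        if n_clusters < 1 or len(free) < n_clusters:
            raise OSError("cannot allocate %d clusters" % n_clusters)
        for cur, nxt in zip(free, free[1:] + [EOC]):
            self.fat[cur] = nxt
        self.root[name] = free[0]

    def chain(self, name):
        """Follow the FAT from the directory entry to the end of chain."""
        out, c = [], self.root[name]
        while c != EOC:
            if c in out or self.fat[c] == FREE:
                raise ValueError("corrupt chain for " + name)
            out.append(c)
            c = self.fat[c]
        return out


def install_record(vol):
    """What the installer would store: each protected file's cluster chain."""
    return {name: tuple(vol.chain(name)) for name in PROTECTED}


def verify(vol, record):
    """Launch-time check: return the protected files that are missing or moved."""
    moved = []
    for name in PROTECTED:
        if name not in vol.root or tuple(vol.chain(name)) != record[name]:
            moved.append(name)
    return moved


def backup_and_restore(vol):
    """Same files, same sizes, written to a freshly formatted volume.

    Restore order is alphabetical (an assumption), so allocation differs
    from the original install order.
    """
    sizes = {name: len(vol.chain(name)) for name in vol.root}
    fresh = Volume(len(vol.fat))
    for name in sorted(sizes):
        fresh.write(name, sizes[name])
    return fresh


def build_installed_volume():
    """Constructed scenario: one existing file, the install, then later use."""
    vol = Volume()
    vol.write("COMMAND.COM", 3)    # already on the disk before install
    vol.write("CML0200.HCL", 2)
    vol.write("VDF0200.VDW", 1)
    vol.write("DBASE.EXE", 6)
    record = install_record(vol)   # snapshot taken at install time
    vol.write("OTHER.DAT", 2)      # ordinary use afterwards
    return vol, record


if __name__ == "__main__":
    vol, record = build_installed_volume()
    print("after install :", verify(vol, record) or "check passes")
    restored = backup_and_restore(vol)
    print("after restore :", verify(restored, record) or "check passes")
```

The restored volume holds the same files at the same sizes, yet every protected file fails the check, because the check is bound to cluster positions rather than to content. That is the lockout the article describes for a backup & restore.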
 
                <> <> <> <> <> <> <> <> <> <> <>
INSTRUCTIONS FOR UNPROTECTING PFS-FILE, PFS-REPORT AND PFS-WRITE.
 
 IMPORTANT!  COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST.
 DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! (USE THE USUAL DOS
 COPY COMMAND)
 
  YOU SHOULD SEE, AMONG OTHER THINGS:  PUSH BP
                                       MOV AX,DS
                                       MOV ES,AX
                                 (ETC)
  IF YOU DON'T SEE THIS, TYPE -> Q  (YOU DON'T HAVE THE RIGHT VERSION)
  OTHERWISE,
  TYPE -> E 9248 EB 2B
  TYPE -> W
  TYPE -> Q
  BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE.  YOU NOW HAVE AN UNPROTECTED
  COPY OF PFS-FILE.
 
FOR PFS-REPORT:
  RENAME REPORT.EXE TO REPORT.ZAP
  HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP
  TYPE -> U 98BF
  YOU SHOULD SEE, AMONG OTHER THINGS:  PUSH BP
                                       MOV AX,DS
                                       MOV ES,AX
                                 (ETC)
  IF YOU DON'T SEE THIS, TYPE -> Q  (YOU DON'T HAVE THE RIGHT VERSION)
  OTHERWISE,
  TYPE -> E 98C4 EB 2B
  TYPE -> W
  TYPE -> Q
  BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE.  YOU NOW HAVE AN
  UNPROTECTED COPY OF PFS-REPORT.
 
For PFS-Write:
 
 RENAME PFSWRITE.EXE TO PFSWRITE.ZAP
 DEBUG PFSWRITE.ZAP
 U 235A
 YOU SHOULD SEE, AMONG OTHER THINGS:  INT 13
                                      JNB 2362
 
 IF YOU DON'T SEE THIS, TYPE -> Q (you don't have the right version)
 OTHERWISE,
 TYPE -> E235A 90 90 90 90
 TYPE -> E2360 90 90
 TYPE -> A2369
 TYPE -> CMP AX,AX
 TYPE -> <cr>
 TYPE -> W
 TYPE -> Q
 
 RENAME PFSWRITE.ZAP TO PFSWRITE.EXE.  YOU NOW HAVE AN UNPROTECTED COPY
 OF PFS-WRITE.
 
============================================================================
 
 P.S. From another author than the one who wrote the above.
      The routine above is excellent, however I had a different version
      of PFS FILE and PFS REPORT.  If you don't find the locations listed
      above try these:
 
 PFS FILE   TYPE -> U 9223  YOU SHOULD SEE  PUSH BP
                                            MOV AX,DS
                                            MOV ES,AX
                                      (ETC)
 IF SO TYPE -> E 9228 EB 2B
       TYPE -> W
       TYPE -> Q
 AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME ETC.
 
 PFS REPORT  TYPE -> U 988F  YOU SHOULD SEE PUSH BP
                                            MOV AX,DS
                                            MOV ES,AX
                                      (ETC)
 IF SO TYPE -> E 9894 EB 2B
       TYPE -> W
       TYPE -> Q
 AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME & ETC.
 
 My thanks to the original author who worked so hard to help us.
 Please use these routines for your own use. I needed to add DOS 2.1
 and place these programs on double sided disks.  Don't rip off these
 software manufacturers.
 
PROKEY 3.0 and several other programs. The approach I outline
here works with any of these that are in COM file format. If
anyone can improve it to work for EXE files PLEASE post it.
  This general copy scheme uses a short sector of 256 bytes to
store an essential piece of the program code. On startup, location
100H contains a JMP instruction to the code which reads this
short sector. Locations 103H - 110H contain HLT instructions (hex F4).
After the sector is read, its contents are overlayed onto locations
100H - 110H, replacing the dummy instruction codes. A branch to 100H
then begins the actual program.
   All we need to do is to stop execution after the changes are
made and write down the contents of 100H - 110H; reloading the
program and POKEing these changes results in an unprotected program.
   Here's how it's done:
(1) Put PROTECTED disk in A: (you can write-protect it for safety)
   and a disk containing DEBUG in B:
(2) A:               Make A: the default.
(3) B:DEBUG ULTIMAII.COM      (or PKLOAD.COM, LAYOUT.COM...)
(4) -u 0100        Tell DEBUG to disassemble 0100-0120
DEBUG responds with:
  0100 JMP 88A0        (or whatever)
  0103 HLT
  0104 HLT             ...etc.
(5) -u 88A0            Look at short-sector decrypting code.
DEBUG responds with:
  88A0 JMPS 88A7       Next "statements" are data locations; ignore.
(6) -u 88A7            Now look for where program restarts at 100H.
DEBUG responds with:
  88A7 CALL 88C4
  88AA CALL 892E
  88AD JC 88BF      (If Carry is set, the disk is a copy. Go to DOS!)
..
  88BA MOV AX,0100
  88BD JMP AX         Paydirt! If you got this far, the program has
..                    written the REAL code into 0100 - 0120H.
(7) -g 88BD           Tell DEBUG to run the program, stop here.
(8) -d 0100 011F      Dump out the changed code.
DEBUG responds with:
  8C C8 05 25 07 8E D8 05-10 03 8E D0...  Two lines. WRITE DOWN for (12)
(9) -q         Get out of DEBUG. You must reload to deprotect.
(10) Make a copy of the disk; you can use copy *.*   Put copy in A:
(11) B:DEBUG ULTIMAII.COM     load copy
(12) -e 0100             Patch locations 0100 - 011F with what you
                         wrote down above. Follow each entry with
                         a SPACE until last entry; then hit ENTER.
(13) -w               Write out new version of ULTIMAII.COM
(14) -q               You've done it!
 
  I've been detailed because this works generally for any COM file.
This method doesn't work for EXE files because while DEBUG can load
relocatable modules and execute them with breakpoints (step 7 above),
you cannot use debug to write an EXE file in relocatable form.
Any suggestions?
    L.Brenkus
                <> <> <> <> <> <> <> <> <> <> <>
 
                 DOUBLEDOS  -  Unprotect
                                        Based on The Lone Victor's
                                        routine.
 
     The following instructions show you how to bypass the SoftGuard
copy protection scheme used on DOUBLEDOS version 1.00.  This is the same
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00.  Wordstar
2000 version 1.10 does not use a copy protection scheme, while versions
1.00 of dBase III and FrameWork used ProLock.  To unprotect Prolock disks
read the file PROLOCK.UNP.
 
     First, using your valid, original DOUBLEDOS diskette, install it on a
fixed disk.  Softguard hides three files in your root directory:
CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE.  It also copies DOUBLEDO.COM
into your chosen DOUBLEDOS directory.  DOUBLEDO.EXE is the real DOUBLEDOS
program, encrypted.  When you run DOUBLEDOS, the program DOUBLEDO.COM loads
CML0200.HCL high in memory and runs it.  CML decrypts itself and reads
VDF0200.VDW.
The VDF file contains some code and data from the fixed disk FAT at the
time of installation.  By comparing the information in the VDF file with
the current FAT, CML can tell if the CML, VDF, and DOUBLEDO.EXE files are
in the same place on the disk where they were installed.  If they have
moved, say from a backup & restore, then DOUBLEDOS will not run.
 
     Second, un-hide the three files in the root directory.  You can do
this with the programs ALTER.COM or FM.COM found on any BBS.
 
     Make copies of the three files, and of DOUBLEDO.COM, into some other
directory.
 
     Hide the three root files again using ALTER or FM.
 
     Following the DOUBLEDOS instructions, UNINSTALL DOUBLEDOS.  You can now
put away your original DOUBLEDOS diskette.  We are done with it.
 
     Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG.  These patches will keep it from killing our
interrupt vectors.
 
debug cml0200.hcl
e 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A
e 49D <CR>  F6.16 <CR>          ;  if any of these numbers don't show up
e 506 <CR>  E9.09 <CR>          ;  it's not working.
e A79 <CR>  00.20 <CR>          ;
e AE9 <CR>  00.20 <CR>          ;
e 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300
w                               ; write out the new CML file
q                               ; quit debug
 
     Now copy your four saved files back into the root directory and
hide the CML0200.HCL, VDF0200.VDW, and DOUBLEDOS.EXE files using ALTER or FM.
 
     We can now run DOUBLEDO.COM using DEBUG, trace just up to the point
where it has decrypted DOUBLEDO.EXE, then write that file out.
 
debug dOUBLEDO.COM
r <CR>                          ; write down the value of DS for use below.
a 0:300 <CR>                    ; we must assemble some code here
        pop     ax
        cs:
        mov     [320],ax        ; save return address
        pop     ax
        cs:
        mov     [322],ax
        push    es              ; set up stack the way we need it
        mov     ax,20
        mov     es,ax
        mov     ax,0
        cs:
        jmp     far ptr [320]   ; jump to our return address
 <CR>
g 406                           ; now we can trace CML
g 177                           ; this stuff just traces past some
g 1E9                           ;   encryption routines.
t
g 54E                           ; wait while reading VDF & FAT
g=559 569
g=571 857                       ; DOUBLEDO.EXE has been decrypted
rBX <CR>                        ; length DOUBLEDO.EXE = 04800 bytes
:0                              ; set BX to 0
rCX <CR>
:4800                           ; set CX to 4800.
nDOUBLEDO                       ; name of file to write to
w XXXX:100                      ; where XXXX is the value of DS that
                                ;   you wrote down at the beginning.
q                               ; quit debug
 
     Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW,
and DOUBLEDO.EXE.  Delete DOUBLEDO.COM and rename DOUBLEDO to DOUBLEDO.EXE.
This is the real DOUBLEDOS program without any SoftGuard code or
encryption.  It requires only the DOUBLGD2.PGM and DDCONFIG.SYS files to
run.
 
                            <-----<<END>>----->
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 
NOW REVIEWING -- DEAD ZONE (214-522-5321)
 
We kept hearing about this Dallas board that's part camp, part lame, part
punk, and mostly heavy metal, so we thought we'd check into it, 'cause it's
been around for awhile and seems to have a loyal, if somewhat brain-dead
 claim to be heavy metal junkies, and a few log-ins and
message readings convinced us that too much of this stuff can rot your
brain, but maybe that's what comes from living in Dallas.
 
We were on last year and found it all a bore, but lost our account and had
to re-enter.  The chat is mostly mindless, the sysop is into posturing a
lot, and the whole thing is pretty pretentious.  Great for kids through age
14. We didn't bother to re-apply for higher access. Here's what ya see when
you log in, and here's a sample of the messages. If you're into mindless
drivel, maybe this board's your thing, but the R&G rating for DEAD ZONE is
         <><>BOOOOOOORRRING!!<>
 
                                 ********
 
 
!   !!! !!    !  !!     !   !!   !!!
                 !!   !!  !!   !!  !!     !   !!   !!
                !!!!!!!  !!!!!!!! !!!!   !!! !!!!!!!
 
                !!!!!!!!    !!!!  !!!!  !!!! !!!!!!!!
                !!    !!   !!  !!  !!!   !!   !!   !!
                !!    !!  !!!  !!! !!!!  !!   !!    !
                     !!   !!!  !!! !! !! !!   !!!!
                    !!    !!!  !!! !!  !!!!   !! !
                   !!  !! !!!  !!! !!   !!!   !!    !
                  !!   !!  !!  !!  !!    !!   !!   !!
                 !!!!!!!!   !!!!  !!!!  !!!! !!!!!!!!
                 !!!! !!!   !! !  !!    !    !!!   !!
                  !!   !    !     !!          !!   !!
                  !!   !    !  !   !         !!     !
                   !               !          !
                            !                       !
                   !        !   !       !     !
                   !
                 .......              !      .........
              .... NO! ...                  ... MNO! ...
            ..... MNO!! ...................... MNNOO! ...
          ..... MMNO! ......................... MNNOO!! .
         .... MNOONNOO!   MMMMMMMMMMPPPOII!   MNNO!!!! .
          ... !O! NNO! MMMMMMMMMMMMMPPPOOOII!! NO! ....
             ...... ! MMMMMMMMMMMMMPPPPOOOOIII! ! ...
            ........ MMMMMMMMMMMMPPPPPOOOOOOII!! .....
            ........ MMMMMOOOOOOPPPPPPPPOOOOMII! ...
             ....... MMMMM..    OPPMMP    .,OMI! ....
              ...... MMMM::   o.,OPMP,.o   ::I!! ...
                  .... NNM:::.,,OOPM!P,.::::!! ....
                   .. MMNNNNNOOOOPMO!!IIPPO!!O! .....
                  ... MMMMMNNNNOO:!!:!!IPPPPOO! ....
                    .. MMMMMNNOOMMNNIIIPPPOO!! ......
                   ...... MMMONNMMNNNIIIOO!..........
                ....... MN MOMMMNNNIIIIIO! OO ..........
             ......... MNO! IiiiiiiiiiiiI OOOO ...........
           ...... NNN.MNO! . O!!!!!!!!!O . OONO NO! ........
            .... MNNNNNO! ...OOOOOOOOOOO .  MMNNON!........
            ...... MNNNNO! .. PPPPPPPPP .. MMNON!........
               ...... OO! ................. ON! .......
                  ................................
 
 
 -cDc- -cDc- -cDc-
       _   _
      ((___))
      [ x x ]
       f   /
       (' ')
        (U)
 
 -cDc- -cDc- -cDc-
 
 A [-Cult of the Dead Cow-] System
 
[New Corpses enter -KILL ME-]
[Grave ID]:
 
][-KILLE ME
 
Enter your alias [Upper+Lower Case]
:Roger
 
City of Residence [Upper+Lower Case]
:San Francisco
 
State [XX]
:CA
 
Phone number [xxx-xxx-xxxx]
:414-555-1212
 
Roger
San Francisco, CA
415-555-1212
 
Abs0lutely 0k ? Y
 
[P]=Password
[G]=Guest
-]-[-P
 
Preparing Entrance...
 
             Hey d0rk, over here...Read This:
 
        Well, if you have actually made it this far, I sure hope
you typed your name in upper/lower case like this sentence is. If
not, you're going to probably have your access denied cause you
showed me you aren't even aware enough to read. I'd really prefer
you give me your REAL phone number, or somewhere I can reach you.
I don't voice validate that much, and I don't take your number
and randomly call it to annoy the hell out of you. Now, all you
have to do is answer the following questions pretty keenly, and
I'll give you access. Don't put smart ass answers....you don't
amuse me when you do that. If it asks you a simple [Yes/No]
question, don't answer "N" or "Y". Sure what the fuck is that
supposed to mean...it means you can't type Yes or No. The board
is mainly for people who like Metal/Speed Metal/Punk/etc and
intelligent/semi-intelligent users. In other words you should be
able to carry on a conversation somewhat. If not, you are a waste
of life roper and ought to go get drunk in some bar and die. Now
I'm outta here....answer these questions:
 
                        Leper Messiah
 
[Ctr-S Pauses : Spacebar Quits]
 
What is your real FIRST name ?
 
--ROGER
 
How old are you ?
 
--22
 
What type of computer do you have,
and what is the maximum baud rate
of your modem ?
 
--IBM/2400
 
Do you phreak, hack, both, or
neither ?
 
--BOTH
 
Do you pirate software and/or
collect textfiles ?
 
--Yes
 
Are you related to any law
enforcement agency and/or do
you plan on reporting any
information from this board to
 
--No
 
Who is your favorite musical group
and how long have they been your
favorite ?
 
--Banshee Heaven
 
Are you a cDc Member?
 
--No
 
SPECIFICALLY, where did you get the
number to this BBS ? [Tell the person's
handle, the board, or wherever you
 
--??
 
Want to send Leper Messiah
a Message ? No
 
Enter a password to use [4-8 Characters]
:Demon
 
Grave ID #99
Password :DEMON
 
Knife [RETURN] to login to The Dead Zone
 
[Ctr-S Pauses : Spacebar Quits]
 
12/24/89
N00wz that you better fucking read...
 
Ok, I got pissed off at a certain leech, so I deleted 200+ users
from the userlist. I did delete a couple I didn't mean to, so if
you got deleted, and you don't think you deserved it, you're
probably right and I fucked up.
 
Next off, if you would like a different user number for some
reason, [F]eedback me, and I might change it.
 
If you would like AE access and you aren't going to leech, send
me [F]eedback.  If you have AE access and you leech, you are
going to have a large problem.
 
If you would like upgraded access, [F]eedback me, and if I merit
that you do, you'll get it.
 
Lastly....Happy Hannukkah, and Merry Christmas, Have a Good New
Year, and don't drink and drive....(seriously). Thanks.
 
|-- Graveyard Shift  :: 01:19:04    12/28/89
|-- Corpse           :: Roger
|-- Last Corpse      :: Phantom Of The Opera
 
|-- Undertaker       :: Leper Messiah
 
|-- Executioners     :: The Wanderer
|--                  :: The Interloper
 
|--There are 17967 fresh graves...
 
-/- Rue Morgue -f-  :M
 
Nice fucking accent...why cant you speak like me!
 
-/- Rue Morgue -f-  :?
 
    User Menu
 
B- Bulletin Boards
C- Scream at Sysop
D- Display Parms
F- Feedback to Sysop
I- System Information
N- Re-Read System News
P- Get a Password [Guests ONLY]
R- Read Mail
T- Terminate Yourself
Y- Your Body Status
 
-/- Rue Morgue -f-  :B
 
[Central Graveyard 1-100] :R
 
Sequential Retrieval - Reverse
 
Start where [-#, L)ast, <CR>-]:L
 
[Ctr-S Pauses : Spacebar Quits]
[Knife ENL for next grave]
 
 ____/ 100.                                           f____
____   Re: .                  Demolition War        .   ____
 ____  by Madmartigan (#188)                           ____
     f 12/27/89 at 23:48:22                           /
 
  Bush was right to go into Panama.  Otherwise he looks like an
idiot who can let some wimpy dictator ruin his foriegn policy and
screw up our image in the world.  He had to do it...
 
  As for the Dead ZOne going down next year,,...  Thank God!
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 99.                     f____
____   I love typos.             ____
 ____  by M&M (#7)              ____
     f 12/27/89 at 23:10:21    /
 
        "If I did, me would want more."  That was great.
 
Psyche is Fuck Me.
 
Roper::::>  Let me explain this AGAIN.  The lyrics I typed WERE
NOT Pink Floyd lyrics but ALTERED lyrics.  READ THEM.  <jeez>
 
        kicker up there reminds me of this asshole that came to
our school... he was like... "What kind of music do you listen
know all about him - but the question is, is he a good impression
on you?"  Fuckin' dick.  I hate ignorant people.  It's fine to be
stupid but if you don't know what you're talking about DON 'T
PRETEND!
 
  M&M
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 98.                                           f____
____   I did NOT............................................!   ____
 ____  by The Wanderer (#11)                                ____
     f 12/27/89 at 22:56:04                                                 /
 
I did NOT rape SMI2le! There is an easy way to tell if I did it or not. If
I did it, me would want more.
 
Insane Fixx - Why would I want to trash my cowboy boots, and why
would I want to dye my hair blond? A blond with freckles? I think
not. Of course, I could bleech my skin too.....
 
Rah! I got me a VCR for x-mas! Now I'm going to have to head down
to the sordid side of town, say hi to sue as I pass the
apropriate corner, and buy some trashy videos. The type that most
of ya'll won't be able to buy for another 5 or 6 years.
 
Hahahahahahaha!
 
Tw
/s
/dammit!
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 97.                           f____
____   pLaNeT cLaIrE                   ____
 ____  by The Psychedelic Fur (#209)  ____
     f 12/27/89 at 21:42:50          /
 
i DoN't WaNt YoUr LoVe...i WaNt yOuR sEx
 
mOhEhAhO
 
DuStBuStEr:  YoU kNoW jUsT wHaT iT tAkEs AnD wHeRe To
Go....WhAt MoRe CaN a PoOr BoY dO?...YoU'rE a HaRd AcT tO
fOLLoW...i just looooove my pastel pink lace underwire push up
bra and matching panties!  But my crowning glory is the
sexxxxxxxxxy pink silk nightie I bought...'TiS tOo MuCh FoR
jUsT oNe GuY tO tAkE!!
 
AcEybAbY:  Sorry I missed ya...you didn't call me
back...snif...methinks i am hurt...but i shall recover.  I will
call ya when i get back from the RaIdEr BoWL.
 
..i dOn'T wAnT tO sAy i LoVe YoU, ThAt WoULd GiVe AwAy ToO
mUcH....i DoN't waNt To sAy I wAnT yOu, eVeN tHoUgH i wAnT yOu
So MuCh....iT's No NeW YeAr'S rEsOLuTiOn, iT's MoRe ThAn
ThAt...
 
i just loooove SpLiT eNz!
 
i think i will get on here early tomorrow morning before i
leave, and say goodbye...i must pack now and i'm not in the
mood to "bOn VoYaGe, bAbY!"
 
             tWo RoAdS dIvErGeD iN a WoOd
             aNd I - i ChOsE tHe OnE LeSs TrAvELeD bY
             AnD tHaT hAs MaDe aLL tHe DifFeReNcE...
 
             ShALL i CoMpArE tHeE tO a SuMmEr'S dAy
             ThOu ArT mOrE LoVeLy aNd MoRe TeMpErAtE...
/|             ShE wALkS iN bEaUtY LiKe ThE nIgHt
             oF cLoUdLeSs CLiMbS aNd StArRy SkIeS
             aNd aLL tHaT's BeSt Of DaRk AnD bRiGhT
             MeEt In ThE aSpEcT oF hEr EyEs...
 
Name the movie, the authors, and who said them...and i'll do
something eXXXtra special...
 
oH cApTaIn, mY cApTaIn...
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 96.                            f____
____   Death is near so come rape me!   ____
 ____  by Smi2le (#83)                 ____
     f 12/27/89 at 18:01:59           /
 
   M&M: You're a sheepfucker, right?  Some come on baby, I'm a sheep.
 
      Leper: While your at it, buy me a push up jockstrap.  M&M
just doesn't get the job done anymore.
 
Have fun!
 
Meat
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 
Gee... I may have to remember this for later use.!   (sarcasm)
 
Hey babe, wanna Pistachio??  (wink, snort, phlegm-hack)
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 92.                                f____
____   .              Hootenanny        .   ____
 ____  by Leper Messiah (#1)               ____
     f 12/27/89 at 11:13:46               /
 
Oh swell, I'm going to Valley View today, I think I'll stop by
Vic's Secret also and pick me up something interesting....
 
Then again, maybe I won't.
 
Maybe I'll visit Hastings instead and get some k000000000l album.
 
GO Away, I wanna burn in hell...
 
                -There's something I haven't sdaid in a long time.
 
Or spelled correctly for that matter.
 
Well, well, well...
 
Right now I'll go...
 
somewhere else.
 
Me
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 91.                           f____
____   tHe UnIvErSe Is ExPaNdInG       ____
 ____  by The Psychedelic Fur (#209)  ____
     f 12/27/89 at 10:42:35          /
 
SmI2Le:  Me??? LaRgEr tHaN LiFe?  How so?  I tell ya this much,
if I was "larger than life"  I wouldn't be able to shop at
ViC's SeCrEt...
 
And I now have a real bustline...
 
the most orgasmic thins, besides Godiva chocolates, silk
lingerie, and great sex, are pistachios...
 
pHaLLi
C SyMb
OLs!!!
 
Board rape.  Sounds fun.  Reminds me of the time on PiL when
ol' Karl and myself came up with this guy, "Mr. Awesome", who
was a homosexual and sent bulk mail to all the guys on the
board encouraging them to have anal sex, etc.  We had everybody
fooled.
 
DaVe:  Methinks you want to do the nasty...:)
 
munching on a healthful aphrodisiac...sex on the mind...and
less than 24 hours till I'm off to the bowl...
 
maybe I'll get some in Birmingham...
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 88.
____   Re: and that was a song called "Yeah" by... you guessed
it The Garden Bugs   ____
 ____  by Roper (#308)
     f 12/27/89 at 01:10:20
 
M&M ---- > O.K. so yer a bigger fuck than I thought, Although I
was quite impressed that YOU would know the lyrics to a country
tune. And by the way,... I did listen to the Pink Floyd lyrics
again,... still sounds suicidal to me.
 
JUST TRYIN TO HELP WHERE I CAN,... GIMME A BREAK!
 
Roper
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 83.                            f____
____   abcdefghijklmnopqrstuvwxyz....   ____
 ____  by Ace of Diamonds (#36)        ____
     f 12/26/89 at 11:45:57           /
 
now i no my abc's wont you come and
fuck with me.....
 
suebeast: nononono...ya can beg...but
 lananananana...oh lana...has moi dik
 first....cuzzz she luvz to suck it
 so sweet.....and u 'hate doin that
 shit'....so, [strike three, yer out!]
 .....glad ya missed loozer car 54....
 its black and white anyway...ack.....
 yawn....i got sex on the brane.......
 in multicolor3D vision...............
 ohyeah...today i'm sposed to kall ya.
 i think i'm gonna ferget.....duH.....
 
sycho-correct:aka MaDDFiXX....<i'm soo
 intelictual>....rahrah....d00d...yer
 so vEry sTraNGe.......sEE mY SelF iN
 ThE miRRoR.....
 
SOMEBODY GET ME A DOCTOR!!!!
 
   need some new lyrix besides wiggin'
       dance tunez.....hmmmm..........
 
what's everyonez fav EmptyVee video...
 
i must admit that my MeTalHeAd has
    turned soft cuz...i lUUUUUv
      paula halfbake abdul's
          The Way that U luv Me....
 
i lust everything in that video....
     her bod, stereo equip, visagold
       (which i have already), mazerati
         90'yackt, black limozine,
          pearl necklace ..(both kindz)
 
etc.....but most of all ....iz her
        tItz.......yumyumyum
 
               gOts tO mAil Rezumayz,
                      AoD
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
 ____/ 77.                                f____
____   ..lOOks like rED skies at niTe....   ____
 ____  by The Madd Fixx (#142)             ____
     f 12/25/89 at 23:47:35               /
 
                buT of cOurse....
 
                        tiN-roOf....
 
                                ruSTed!
 
     duDes.. i haD a pretty rocKin' ChrisTmas.. goT me a cD player... aND
             daT suIts me fiNe.... i goT dis biTchin' Indiana joNes lookin'
                 haT... it roCks..
 
                        aNYone ever seen cherrIes in liquoR?.... hO yAh...
 
                                yuMyUm... piTS and all...sluRpsLUrp!
 
            maN..we're just frying this message base with wiErdo messages..
                        buT hEy.. doN't coomplain...we're posTing....
 
        m&m... so quE pasa with aNGie, eH?...
 
           mY mountain hideaway...maybe next year..............
 
                   pSYchE..raH..everytime i listen to spLit enZ, the b's,
                     or doOOrandOooran, it reminds me oF yOUze.... (awW.
                           aIn't tat sweEt! HahA!).. shaKe a tail feaTher...
 
                                you're about as eaSy as a nuClear waR....
 
                           ...(of course, i'm not saying that there's
                                        any similarity... <eviLish griN>...)
 
                                                        oh...what'snext....
 
                        damn i'm boRed...goTTa sliP me in anudder cD....
 
                                yEee-haAAa! daMn i'm HiP!... <smiRk>...
 
 
                plEAse pleAse tell me noW.... cuZ i wanna RoAm in your
                  buuUuusssshhhhh----fiiIiire!...
 
                        aND i think it's about to bReak....
 
    smiL3e...chiLL hoMie.. reLax..doN't do iT.. set your miNd righT to It.
 
                        thERe's a chance you could be righT....
 
                                                        anOther glaMoRous
                                                peFeroRmaNce by mE...aNd i..
 
                                                                mR.
                                                                bUStin'
                                                                DuStiN!!
 
[A]utoReply [N]ext [R]eread [Q]uit:
 
Central Graveyard:
 
  [#]-Read Number [N]ew Graves [Q]uit
  [G]lobal Q-scan [J]ump       [L]ist
  [F]rd. Read     [R]vrs. Read [S]can
  [>]Next Bd.     [<]Prev. Bd. [K]ill
  [P]ost          [T]erminate Session
 
 
Spread the Disease [-[-[-[-[-[-[-    -]-]-]-]-]-]-] Spread the Disease
[Central Graveyard 1-100] :>
-/- Rue Morgue -f-  :<
 
Nice fucking accent...why cant you speak like me!
 
    User Menu
 
B- Bulletin Boards
C- Scream at Sysop
D- Display Parms
F- Feedback to Sysop
I- System Information
N- Re-Read System News
P- Get a Password [Guests ONLY]
R- Read Mail
T- Terminate Yourself
Y- Your Body Status
 
-/- Rue Morgue -f-  :T
 
[] Violent Termination []
 
                         ***************
 
That's it! So much for contemporary education through age 16!
                 >--------=====END=====--------<