Skip to content

Instantly share code, notes, and snippets.

@callowaysutton

callowaysutton/Chapter_1.txt

Created December 18, 2018 00:02
Show Gist options
  • Save callowaysutton/38e2f70658e5911de824d98f33eb57c6 to your computer and use it in GitHub Desktop.
Save callowaysutton/38e2f70658e5911de824d98f33eb57c6 to your computer and use it in GitHub Desktop.
Download ZIP
How to Crack - A Small Booklet
Raw
Chapter_1.txt
Chapter I How to Crack
-------------------------------------------------------------
Let's start with a simple introduction to patching a program
using the DOS DEBUG program. The following article will in-
troduce you to the basic ideas and concepts of looking for a
certain area of a program and making a patch to it.
-------------------------------------------------------------
By: Charles Petzold / Specular Vision
Title: Case Study: A Colorful CLS
This article originally appeared in the Oct. 14,1986 Issue
of PC Magazine (Vol 15. Num 17.). Written by Charles Petzold.
The hardest part of patching existing programs is determin-
ing where the patch should go. You really have to make an
intelligent guess about the functioning of the program.
As an example, let's attempt to modify COMMAND.COM so that
is colors the screen on a CLS command. As with any type of
patch try it out on a copy and NOT the original.
First, think about what we should look for. CLS is differ-
ent from all the other DOS internal Commands, It is the only
internal command that does something to the screen other than
just write to it with simple teletype output. CLS blanks the
screen and homes the cursor. Since it can't do this through
DOS Calls (unless ANSI.SYS is loaded), it is probably calling
the BIOS Directly. The BIOS Interrupt 10h call controls the
video, and so the CLS command probably uses several INT 10h
instructions. The machine code for INT 10h is CD 10.
(While this same method will work under any version of
PC-DOS, Version 2.0 and later, the addresses I'll be using
are from PC-DOS 3.1. Other versions of PC-DOS(or MS-DOS) will
have different addresses; you should be absolutely certain
that you're using the correct addresses.)
Load COMMAND.COM into DEBUG:
DEBUG COMMAND.COM
and do an R (Registers) command. The size of COMMAND.COM is
in register CX. For DOS 3.1's COMMAND.COM, this value is
5AAA.
Now do Search command to look for the CD 10 bytes:
S 100 L 5AAA CD 10
You'll get a list of six addresses, all clustered close to-
4
gether. The first one is 261D. You can now pick an address a
little before that (to see what the first call is doing) and
start disassembling:
U 261B
The first INT 10 has AH set to 0F which is a Current Video
State call. The code checks if the returned value of AL
(Which is the video mode) is less than 3 or equal to 7.
These are the text modes. If so, it branches to 262C. If
not, it just resets the video mode with another INT 10 at ad-
dress 2629.
At 262C, the code first sets the border black (the INT 10
at 2630), then does another Current Video State call (at
2634) to get the screen width in register AH. It uses infor-
mation from this call to set DX equal to the bottom right row
and column. It then clears the screen by scrolling the en-
tire screen up with another INT 10 (at 2645), and then sets
the cursor to the zeroth row and zeroth column with the final
INT 10 (at 264D).
When it scrolls the whole screen, the zero value in AL ac-
tually means blank the screen, the value of BH is the at-
tribute to be used on the blanked area. In an unmodified
COMMAND.COM, BH is set to 7 (Which is white on black) by the
following statement at address 2640:
MOV BX,0700
If you prefer a yellow-on-blue attribute (1E), you can
change this line by going into Assemble mode by entering:
A
then entering
MOV BX,1E00
and exiting Assemble mode by entering a blank line.
Now you can save the modified file:
W
and quit DEBUG:
Q
When you load the new version of COMMAND.COM (and you can
do so without rebooting by just entering:
COMMAND
5
on the DOS command level), a CLS will turn the screen blue
and display characters as yellow.
If it doesn't or if anything you type shows up as white on
black, that probably means you have ANSI.SYS loaded. If you
use ANSI.SYS, you don't have to make this patch but can in-
stead use the prompt command for coloring the screen.
END.
6
-------------------------------------------------------------
That was just one section of a very large article that helped
me to get started. Next we'll look at two other articles,
both written by Buckaroo Banzi. These two articles CRACK-1
and CRACK-2 give you an introduction to the different copy
protection schemes used on IBM PC's, and how to find and by-
pass them.
-------------------------------------------------------------
By: Buckaroo Banzai
Title: Cracking On the IBM PC Part I
Introduction
------------
For years, I have seen cracking tutorials for the APPLE
computers, but never have I seen one for the PC. I have de-
cided to try to write this series to help that pirate move up
a level to a crackest.
In this part, I will cover what happens with INT 13 and how
most copy protection schemes will use it. I strongly suggest
a knowledge of Assembler (M/L) and how to use DEBUG. These
will be an important figure in cracking anything.
INT-13 - An overview
--------------------
Many copy protection schemes use the disk interrupt
(INT-13). INT-13 is often use to either try to read in a il-
legally formatted track/sector or to write/format a
track/sector that has been damaged in some way.
INT-13 is called like any normal interrupt with the assem-
bler command INT 13 (CD 13). [AH] is used to select which
command to be used, with most of the other registers used for
data.
INT-13 Cracking College
-----------------------
Although, INT-13 is used in almost all protection schemes,
the easiest to crack is the DOS file. Now the protected pro-
gram might use INT-13 to load some other data from a normal
track/sector on a disk, so it is important to determine which
tracks/sectors are important to the protection scheme. I
have found the best way to do this is to use LOCKSMITH/pc
(what, you don't have LS. Contact your local pirate for it.)
Use LS to analyze the diskette. Write down any track/sector
that seems abnormal. These track are must likely are part of
the protection routine. Now, we must enter debug. Load in
7
the file execute a search for CD 13. Record any address
show.
If no address are picked up, this mean 1 or 2 things, the
program is not copy protected (right...) or that the check is
in an other part of the program not yet loaded. The latter
being a real hassle to find, so I'll cover it in part II.
There is another choice. The CD 13 might be hidden in self
changing code. Here is what a sector of hidden code might
look like
-U CS:0000
1B00:0000 31DB XOR BX,BX
1B00:0002 8EDB MOV DS,BX
1B00:0004 BB0D00 MOV BX,000D
1B00:0007 8A07 MOV AL,[BX]
1B00:0009 3412 XOR AL,12
1B00:000B 8807 MOV [BX],AL
1B00:000D DF13 FIST WORD...
In this section of code, [AL] is set to DF at location
1B00:0007. When you XOR DF and 12, you would get a CD(hex)
for the INT opcode which is placed right next to a 13 ie,
giving you CD13 or INT-13. This type of code can't and will
not be found using debug's [S]earch command.
Finding Hidden INT-13s
----------------------
The way I find best to find hidden INT-13s, is to use a
program called PC-WATCH (TRAP13 works well also). This pro-
gram traps the interrupts and will print where they were
called from. Once running this, you can just disassemble
around the address until you find code that look like it is
setting up the disk interrupt.
An other way to decode the INT-13 is to use debug's [G]o
command. Just set a breakpoint at the address give by
PC-WATCH (both programs give the return address). Ie, -G
CS:000F (see code above). When debug stops, you will have
encoded not only the INT-13 but anything else leading up to
it.
What to do once you find INT-13
-------------------------------
Once you find the INT-13, the hard part for the most part
is over. All that is left to do is to fool the computer in
to thinking the protection has been found. To find out what
the computer is looking for, examine the code right after the
INT-13. Look for any branches having to do with the
8
CARRYFLAG or any CMP to the AH register. If a JNE or JC
(etc) occurs, then [U]nassembe the address listed with the
jump. If it is a CMP then just read on.
Here you must decide if the program was looking for a pro-
tected track or just a normal track. If it has a CMP AH,0
and it has read in a protected track, it can be assumed that
it was looking to see if the program had successfully com-
plete the READ/FORMAT of that track and that the disk had
been copied thus JMPing back to DOS (usually). If this is
the case, Just NOP the bytes for the CMP and the correspond-
ing JMP.
If the program just checked for the carry flag to be set,
and it isn't, then the program usually assumes that the disk
has been copied. Examine the following code
INT 13 <-- Read in the Sector
JC 1B00 <-- Protection found
INT 19 <-- Reboot
1B00 (rest of program)
The program carries out the INT and find an error (the il-
legally formatted sector) so the carry flag is set. The com-
puter, at the next instruction, see that the carry flag is
set and know that the protection has not been breached. In
this case, to fool the computer, just change the "JC 1B00" to
a "JMP 1B00" thus defeating the protection scheme.
NOTE: the PROTECTION ROUTINE might be found in more than just
1 part of the program
Handling EXE files
------------------
As we all know, Debug can read .EXE files but cannot write
them. To get around this, load and go about cracking the
program as usual. When the protection scheme has been found
and tested, record (use the debug [D]ump command) to save + &
- 10 bytes of the code around the INT 13. Exit back to dos
and rename the file to a .ZAP (any extension but .EXE will
do) and reloading with debug. Search the program for the 20+
bytes surrounding the code and record the address found.
Then just load this section and edit it like normal. Save
the file and exit back to dos. Rename it back to the .EXE
file and it should be cracked.
***NOTE: Sometimes you have to play around with it for a
while to make it work.
9
DISK I/O (INT-13)
-----------------
This interrupt uses the AH resister to select the function
to be used. Here is a chart describing the interrupt.
AH=0 Reset Disk
AH=1 Read the Status of the Disk
system in to AL
AL Error
----------------------------
00 - Successful
01 - Bad command given to INT
*02 - Address mark not found
03 - write attempted on write protected disk
*04 - request sector not found
08 - DMA overrun
09 - attempt to cross DMA boundary
*10 - bad CRC on disk read
20 - controller has failed
40 - seek operation failed
80 - attachment failed
(* denotes most used in copy protection)
AH=2 Read Sectors
input
DL = Drive number (0-3)
DH = Head number (0or1)
CH = Track number
CL = Sector number
AL = # of sectors to read
ES:BX = load address
output
AH =error number (see above)
[Carry Flag Set]
AL = # of sectors read
AH=3 Write (params. as above)
AH=4 Verify (params. as above -ES:BX)
AH=5 Format (params. as above -CL,AL
ES:BX points to format
Table)
------------------------------------------------------------
For more information on INT-13 refer to appendix A.
------------------------------------------------------------
END.
10
-------------------------------------------------------------
In part II, Buck cover's Calls to INT-13 and INT-13 that are
located in different overlays of the program. This is a
method that is used often.
-------------------------------------------------------------
Cracking Tutorial II.
By: Buckaroo Banzai
Title: Cracking On the IBM PC Part II
Introduction
------------
OK guys, you now passed out of Copy Class 101 (dos files)
and have this great new game with overlays. How do I crack
this one. You scanned the entire .EXE file for the CD 13 and
it's nowhere. Where can it be you ask yourself.
In part II, I'll cover cracking Overlays and the use of
locksmith in cracking. If you haven't read part I, then I
suggest you do so. The 2 files go together.
Looking for Overlays
--------------------
So, you cant find CD 13 in the .EXE file, well, it can mean
4 things.
1: The .EXE (though it is mostly .COM) file is just a
loader for the main file.
2: The .EXE file loads in an overlay.
3: The CD 13 is encrypted &/or hidden in the .EXE file.
4: Your looking at the WRONG file.
I won't discuss case 1 (or at least no here) because so
many UNP files are devoted to PROLOCK a
Raw
Chapter_2.txt
2
CRACKING 101 - 1990 edition
Lesson 3
ZDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?
3 CHAMBER OF THE SCI-MUTANT PREISTEST 3
@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDY
Oh shit, I have finally found a newer program that has
on disk copy protection. Good, you'all need a refresher
course on so here it is (YO JB study hard, you might learn
something).
CHAMBER of the SCI-MUTANT PREISTEST (CSMP) is a really
fucked up game but was simple to unprotect. So, lets dive
right in. We will be using DEBUG here (although I used
periscope but then shit I'm special) to do the crack. Lets
dive in. When we first load CSMP (the file ERE.COM) and
unassemble it here is what we get.
Come on... Ain't Got All Day!! u 100 10B
119A:0100 8CCA MOV DX,CS
119A:0102 81C2C101 ADD DX,01C1
119A:0106 52 PUSH DX
119A:0107 BA0F00 MOV DX,000F
119A:010A 52 PUSH DX
119A:010B CB RETF
I included the register listing for a reason. NOTICE
that this piece of code just seem to stop (the RETF)
statement. Well, what is really does is place the address
(segment and offset) of the real starting point on to the
stack and the execute a far return to that location. Now
this might fool a real beginner (or at least make him worry a
bit but us...no way).
If you take the current CS value and add 1C1 to it (in
segment addition) you will get the segment address 135B (that
is if you are using my example of 119A. If not then you will
not get 135B but trust me, it's the right value).
So since we want to be at the real program, execute the
code until 10B (ie use the command "G 10B") then trace
Come on... Ain't Got All Day!! through the next instruction.
If you now unassemble the code, here is what it should
look like.
-u 000f 36
135B:000F 9C PUSHF
135B:0010 50 PUSH AX
135B:0011 1E PUSH DS
135B:0012 06 PUSH ES
135B:0013 0E PUSH CS
135B:0014 1F POP DS
135B:0015 0E PUSH CS
135B:0016 07 POP ES
135B:0017 FC CLD
135B:0018 89260B00 MOV [000B],SP
135B:001C C70600000102 MOV WORD PTR [0000],0201
135B:0022 B013 MOV AL,13
135B:0024 A23500 MOV [0035],AL
135B:0027 A2FF01 MOV [01FF],AL
135B:002A A22F02 MOV [022F],AL
135B:002D A23901 MOV [0139],AL
135B:0030 B280 MOV DL,80
Come on... Ain't Got All Day!! 135B:0032 B408 MOV AH,08
135B:0034 CD21 INT 21
135B:0036 7232 JB 006A
Since we are looking for a disk based copy protection,
it might be a good time to look for INT 13. So search the
current segment for INT 13 with the command
S 135B:0 FFFF CD 13
But shit, nothing. You mean this program doesn't use
int 13. Be real. Reread the first lesson. You know the one
that talks about self modifing code. This is what we have
here. Let's take a closer look at the last bit of code but
this time, with my comments added.
-u 000f 36
; The first part of the code simple sets up for the return to
; dos as well as sets ES and DS
135B:000F 9C PUSHF
135B:0010 50 PUSH AX
Come on... Ain't Got All Day!! 135B:0011 1E PUSH DS
135B:0012 06 PUSH ES
135B:0013 0E PUSH CS
135B:0014 1F POP DS ; Set DS to CS
135B:0015 0E PUSH CS
135B:0016 07 POP ES ; Set ES to DS
135B:0017 FC CLD
135B:0018 89260B00 MOV [000B],SP
; The next instruction sets up a variable that is used in the
; routine that reads in the sectors from the disk. More on
; later.
135B:001C C70600000102 MOV WORD PTR [0000],0201
; Now, here is the self modifing code. Notice at AL is 13
; (INT 13h ... Get it). Look at the first memory location
; (35h) and remember that DS = CS. With this in mind, when
; then instuction at 135B:0024 is executed byte at 135B:0035
; will be changed to 13h. That will in fact change the
; INT 21h at 135B:0034 to an INT 13h. And so on, and so on.
135B:0022 B013 MOV AL,13 ; New value
Come on... Ain't Got All Day!! 135B:0024 A23500 MOV [0035],AL ; Change to INT 13h
135B:0027 A2FF01 MOV [01FF],AL ; Change to INT 13h
135B:002A A22F02 MOV [022F],AL ; Change to INT 13h
135B:002D A23901 MOV [0139],AL ; Change to INT 13h
; If you lookup DOS function 08 you will find it's CONSOLE
; INPUT. Now does that seem out of place to you.
135B:0030 B280 MOV DL,80
135B:0032 B408 MOV AH,08
135B:0034 CD21 INT 21 ; Changed to INT 13h
135B:0036 7232 JB 006A
Whoa, that was tricky. If you execute up to 135B:30
here is what it should look like..
135B:0030 B280 MOV DL,80
135B:0032 B408 MOV AH,08
135B:0034 CD13 INT 13
135B:0036 7232 JB 006A
AHA, now we are getting somewhere. If we lookup what
Come on... Ain't Got All Day!! disk function 08 means, you won't be suprised. Function 08h
is GET DRIVE TYPE. It will tell what type of disk drive we
have. Remember, if you are loading off of a hard disk then
it wants to use a different routine. Since we want it to
think we are loading off of disk, then we want to take this
jump. So for now, force the jmp by setting IP to 6A.
At 135B:006A you find another jmp instruction
135B:006A EB6B JMP 00D7
This jumps to the routine that does the actual disk
check. Here is the outer loop of that code (With my comments
of course).
; This first part of this routine simply test to see how many
; disk drives you have.
135B:00D7 CD11 INT 11
135B:00D9 25C000 AND AX,00C0
135B:00DC B106 MOV CL,06
135B:00DE D3E8 SHR AX,CL
Come on... Ain't Got All Day!! 135B:00E0 FEC0 INC AL
135B:00E2 FEC0 INC AL
135B:00E4 A20200 MOV [0002],AL
; Next, so setup for the actual disk check
135B:00E7 C606090000 MOV BYTE PTR [0009],00
135B:00EC B9F127 MOV CX,27F1
135B:00EF 8BE9 MOV BP,CX
135B:00F1 B107 MOV CL,07
135B:00F3 F8 CLC
; This calls the protection routine part 1
135B:00F4 E82F00 CALL 0126
135B:00F7 B9DE27 MOV CX,27DE
135B:00FA 8BE9 MOV BP,CX
135B:00FC B108 MOV CL,08
135B:00FE F9 STC
; This calls the protection routine part 2
Come on... Ain't Got All Day!! 135B:00FF E82400 CALL 0126
135B:0102 8D1E5802 LEA BX,[0258]
135B:0106 8D361C01 LEA SI,[011C]
135B:010A 8BCD MOV CX,BP
135B:010C AC LODSB
135B:010D 8AC8 MOV CL,AL
; This calls the protection routine part 3
135B:010F E8E300 CALL 01F5
; Makes the final check
135B:0112 7271 JB 0185
135B:0114 AC LODSB
135B:0115 0AC0 OR AL,AL
135B:0117 75F4 JNZ 010D ; If not correct, try again
135B:0119 EB77 JMP 0192 ; Correct, continue program
135B:011B 90 NOP
There are calls to 2 different subroutines. The routine
at 126 and the routine at 1F5. If you examine the routine at
Come on... Ain't Got All Day!! 126 you find that it makes several calls to the routine at
1F5. Then you you examine the routine at 1F5 you see the
actual call to INT 13. Here is the code for both routine
with comments
; First, it sets up the sector, head and drive information.
; DS:000A holds the sector to read
135B:0126 880E0A00 MOV [000A],CL
135B:012A 8A160900 MOV DL,[0009]
135B:012E B600 MOV DH,00
; Sets the DTA
135B:0130 8D365802 LEA SI,[0258]
135B:0134 7213 JB 0149
; Resets the disk
135B:0136 33C0 XOR AX,AX
135B:0138 CD13 INT 13
; Calls the the check
Come on... Ain't Got All Day!!
135B:013A B90114 MOV CX,1401 ; TRACK 14 sector 1
135B:013D 8BDE MOV BX,SI
135B:013F E8B300 CALL 01F5
; The next track/sector to read in is stored in BP
135B:0142 8BCD MOV CX,BP
135B:0144 E8AE00 CALL 01F5
135B:0147 7234 JB 017D ; If an error occured,
; trap it.
135B:0149 88160900 MOV [0009],DL ; Reset drive
135B:014D 8A0E0A00 MOV CL,[000A] ; reset sector
135B:0151 E8A100 CALL 01F5 ; check protection
135B:0154 722F JB 0185 ; Check for an error
135B:0156 8D5C20 LEA BX,[SI+20]
135B:0159 8BCD MOV CX,BP ; Get next T/S
135B:015B B010 MOV AL,10 ; Ignore this
135B:015D E89500 CALL 01F5 ; Check protection
Come on... Ain't Got All Day!! 135B:0160 7223 JB 0185 ; check for error
; The next sector of code checks to see if what was read in
; is the actual protected tracks
; First check
135B:0162 8DBCAC00 LEA DI,[SI+00AC]
135B:0166 B91000 MOV CX,0010
135B:0169 F3 REPZ
135B:016A A7 CMPSW
; NOTE: If it was a bad track, it will jmp to 185. A good
; read should just continue
135B:016B 7518 JNZ 0185
; Second check
135B:016D 8D365802 LEA SI,[0258]
135B:0171 8D3E3702 LEA DI,[0237]
135B:0175 B90400 MOV CX,0004
135B:0178 F3 REPZ
135B:0179 A7 CMPSW
Come on... Ain't Got All Day!!
; see NOTE above
135B:017A 7509 JNZ 0185
; This exit back to the main routine.
135B:017C C3 RET
; Here is the start of the error trap routines. Basicly what
; they do is check an error count. If it's not 0 then it
; retries everything. If it is 0 then it exit back to dos.
135B:017D FEC2 INC DL
135B:017F 3A160200 CMP DL,[0002]
135B:0183 72B1 JB 0136
135B:0185 E85400 CALL 01DC
135B:0188 8B260B00 MOV SP,[000B]
135B:018C 2BC9 SUB CX,CX
135B:018E 58 POP AX
135B:018F 50 PUSH AX
135B:0190 EB1F JMP 01B1
Come on... Ain't Got All Day!! ** Here is the actual code the does the check **
; ES:BX points to the buffer
135B:01F5 1E PUSH DS
135B:01F6 07 POP ES
; SI is set to the # of retries
135B:01F7 56 PUSH SI
135B:01F8 BE0600 MOV SI,0006
; Remember how I said we would use what was in DS:0000 later.
; well, here is where you use it. It loads in the FUNCTION
; and # of sectors from what is stored in DS:0000. This is
; just a trick to make the int 13 call more vague.
135B:01FB A10000 MOV AX,[0000]
135B:01FE CD13 INT 13
; If there is no errors, then exit this part of the loop
135B:0200 7309 JNB 020B
135B:0202 F6C480 TEST AH,80
Come on... Ain't Got All Day!!
; Check to see if it was a drive TIMEOUT. If so, then set
; an error flag and exit
135B:0205 7503 JNZ 020A
; It must have been a load error. Retry 6 times
135B:0207 4E DEC SI
135B:0208 75F1 JNZ 01FB
; Set the error flag
135B:020A F9 STC
; restore SI and return
135B:020B 5E POP SI
135B:020C C3 RET
If you follow through all of that. You will see that
the only real way out is the jmp to "135B:0192" at 135B:0119.
So, how do we test it. Simple. Exit back to dos and let's
Come on... Ain't Got All Day!! add a temporary patch.
Reload ERE.COM under debug. Execute the program setting
a breakpoint at 135B:0022 (if you remember, that is right at
the begining of the self modifing code). When execution
stops, change you IP register to 192. Now execute the code.
Well shit, we are at the main menu. We just bypassed
the entire protection routine. So, now where to add the
patch. We will be adding the patch at 135B:0022. But what
should the patch be. In this case, simply jumping to
135B:0192 will do. So, reload ERE.COM under debug. Execute
the code until 135B:0022. Now unassemble it. Here is the
code fragment we need.
135B:0022 B013 MOV AL,13
135B:0024 A23500 MOV [0035],AL
135B:0027 A2FF01 MOV [01FF],AL
135B:002A A22F02 MOV [022F],AL
135B:002D A23901 MOV [0139],AL
Here is the code we want to use as the patch
135B:0022 E96D01 JMP 192
Come on... Ain't Got All Day!!
So, to add the patch, we search the file ERE.COM using
PC-TOOLS. For our search string we use
B0 13 A2 35 00 A2 FF 01 A2 2F 02 A2 39 01
PC-TOOLS should find the search string at reletive
sector #13. Edit the sector and change "B0 13 A2" to
"E9 6D 01" (our patch) and save the sector.
BOOM! your done and CSMP is cracked. Fun huh. You just
kicked 5 seconds off of the load time. Preaty fucken good.
Well, I hope this textfile helped.
-Buckaroo Banzai
-Cracking Guru
CRACKING 101 - 1990 Edition
Lesson 4
revision 1
ZDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?
Come on... Ain't Got All Day!! 3 REMOVING THE DOC CHECK FOR STAR CONTROL 3
@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDY
<
Added for revision 1 -
First, let me tell you about a major fuckup I made.
When I first wrote this file, I left out a major part of the
patch. For all of the user who got that version, I'm sorry
but even I make mistakes at 3:00 in the morning. Anyway,
just replace the original with this updated version
- Buckaroo Banzai
>
Hey, Buckaroo Banzai .. Cracking Guru back once again to
help you lesser crackist learn. This time, we will be going
over Star Control. This is the last lesson in the original
4. From here on out, I will simply release lessons as I
write them.
I want to say a few things about some of the groups out
Come on... Ain't Got All Day!! there right now. Speed isn't everything. I really wish that
for example when you remove a doc check, most of us want it
REMOVED. We don't want to have to enter your group name or
even typing 1 letter is to much. We shouldn't even see the
menu for the doc check. Now, I don't direct this to all of
you, but there seems to have been a move from quality to
quickness. Let's go back to the days of SPI (and INC when
they were first getting started) and crack right. If there
is a doc check, remove it, not just fake it.
Nuff said, on with the tutorial.
Star Control (SC for here out) is a preaty good game.
The protection on it wasn't too hard, but if you didn't read
enough in to it, you would just kill the title music also.
So, how do we go about cracking SC. Well for this one I
opted to break out when SC asks for the code from the code
wheel. Originaly I did this just for the hell of it, but it
turned out to be a luck guess and made life a lot easier.
As usual we will be using periscope to crack SC. I used
PSKEY (using int 3 as the trap interrupt not int 2) to pop in
at the input routine. So lets get started. Load up PS and
Come on... Ain't Got All Day!! PSKEY, then execute Star Control. When you get to the doc
check, break out.
Now you should be at the usual IRET insturction that's
part of PSKEY. Now comes the tricky part. Since we are
using a key trap to break out during the input sequence, we
could be anywhere inside the entire input routine. So in
cases like this I suggest finding a reference point.
So how do you pick the reference point. Well, since
this doc check must be entered via the keyboard you can bet
somewhere it will call INT 16h (bios keyboard) (although
there are times when this is not true, it rare). I think we
should go off and find that call to that interrupt.
So we trace (using the 'T' command) through some code
and finally come apon the follow subroutine ....
( NOTE: all comments were added by me )
; This is the actual routine that is used to get a key
2A00:09D4 55 PUSH BP
Come on... Ain't Got All Day!! 2A00:09D5 8BEC MOV BP,SP
2A00:09D7 8A6606 MOV AH,[BP+06]
2A00:09DA 8AD4 MOV DL,AH
2A00:09DC 80E20F AND DL,0F
2A00:09DF CD16 INT 16 ; Call to bios. We will
2A00:09E1 7509 JNZ 09EC ; use this as our
2A00:09E3 80FA01 CMP DL,01 ; reference point
2A00:09E6 7504 JNZ 09EC
2A00:09E8 33C0 XOR AX,AX
2A00:09EA EB0A JMP 09F6
2A00:09EC 80FA02 CMP DL,02
2A00:09EF 7405 JZ 09F6
2A00:09F1 0BC0 OR AX,AX
2A00:09F3 7501 JNZ 09F6
2A00:09F5 48 DEC AX
2A00:09F6 5D POP BP
2A00:09F7 CB RETF
So we write down the address of our REFERENCE point and
get ready to procede. Now, It's really kinda boring to keep
trying to trace through the entire input routine while trying
to enter the code string, so what we want to do next, is to
figure out the input routine. A quick look at this last
section of code shows that it only reads in a character but
Come on... Ain't Got All Day!! really does not handle it.
So, we exit via the RETF at 9F7 enter the next level of
the subroutine. Again, if you manual trace through this
routine (as well as the next level up) you see that it simple
exits out rather quickly. This is definitly not the top loop
of the imput routine.
So, we trace through the next level up, and again exit
quickly to a higher level. But this time, as we trace
through, we find that the it loops back on itself. AHA, the
outer input loop. Here is the code to the entire input loop.
I have marked the place where you should enter from the lower
level.
( String input loop -- Outer level )
7C00:0835 FF365220 PUSH [2052]
7C00:0839 FF365020 PUSH [2050]
7C00:083D 9A2802FD41 CALL 41FD:0228 ; Entery here
7C00:0842 888670FE MOV [BP+FE70],AL
7C00:0946 0AC0 OR AL,AL
7C00:0848 7503 JNZ 084D
7C00:084A E99200 JMP 08DF
Come on... Ain't Got All Day!! 7C00:084D 2AE4 SUB AH,AH
7C00:084F 2D0800 SUB AX,0008
7C00:0852 745A JZ 08AE
7C00:0854 48 DEC AX
7C00:0855 48 DEC AX
7C00:0856 7503 JNZ 085B
7C00:0858 E90901 JMP 0964
7C00:085B 2D0300 SUB AX,0003
7C00:085E 7503 JNZ 0863
7C00:0860 E90101 JMP 0964
7C00:0863 8A9E70FE MOV BL,[BP+FE70]
7C00:0867 2AFF SUB BH,BH
7C00:0869 F687790B57 TEST BYTE PTR [BX+0B79],57
7C00:086E 746F JZ 08DF
7C00:0870 F687790B03 TEST BYTE PTR [BX+0B79],03
7C00:0875 740C JZ 0883
7C00:0877 F687790B02 TEST BYTE PTR [BX+0B79],02
7C00:087C 7405 JZ 0883
7C00:087E 80AE70FE20 SUB BYTE PTR [BP+FE70],20
7C00:0883 8A8670FE MOV AL,[BP+FE70]
7C00:0887 C49E7EFE LES BX,[BP+FE7E]
7C00:088B 8BB682FE MOV SI,[BP+FE82]
7C00:088F 26 ES:
7C00:0890 8800 MOV [BX+SI],AL
Come on... Ain't Got All Day!! 7C00:0892 FF8682FE INC WORD PTR [BP+FE82]
7C00:0896 FFB688FE PUSH [BP+FE88]
7C00:089A 8D8678FE LEA AX,[BP+FE78]
7C00:089E 50 PUSH AX
7C00:089F 9A56049324 CALL 2493:0456
7C00:08A4 83C404 ADD SP,+04
7C00:08A7 0BC0 OR AX,AX
7C00:08A9 7534 JNZ 08DF
7C00:08AB EB27 JMP 08D4
7C00:08AD 90 NOP
7C00:08AE 83BE82FE00 CMP WORD PTR [BP+FE82],+00
7C00:08B3 7404 JZ 08B9
7C00:08B5 FF8E82FE DEC WORD PTR [BP+FE82]
7C00:08B9 B008 MOV AL,08
7C00:08BB 50 PUSH AX
7C00:08BC 9A1003443D CALL 3D44:0310
7C00:08C1 8D8684FE LEA AX,[BP+FE84]
7C00:08C5 16 PUSH SS
7C00:08C6 50 PUSH AX
7C00:08C7 9A6A00843D CALL 3D84:006A
7C00:08CC B047 MOV AL,47
7C00:08CE 50 PUSH AX
7C00:08CF 9A1003443D CALL 3D44:0310
7C00:08D4 8D8678FE LEA AX,[BP+FE78]
Come on... Ain't Got All Day!! 7C00:08D8 16 PUSH SS
7C00:08D9 50 PUSH AX
7C00:08DA 9A8202C93C CALL 3CC9:0282
7C00:08DF 83BE8CFE00 CMP WORD PTR [BP+FE8C],+00
7C00:08E4 7503 JNZ 08E9
7C00:08E6 E94CFF JMP 0835 ; <DDD?
3
as you can see, at this point it loops back on itself.
This is what tells use that it's the outer loop. Knowing
that, we can just set a code breakpoint at 8E9 (the next
instruction after the loop) and execute the code.
At this point, the SC will pause waiting for you to
enter the code key. Use the code wheel and enter the correct
key (after all, it's kinda hard to crack a game without
having the proper codes right...)
So, we have now exited the input loop with everything
intact (ie: the proper code was entered). Next step is to
figure out what happens when the proper code is entered.
Well, since you have entered the proper code, just follow
this routine out. Remember back to lesson 2. What we want
to do is find the call the to routine that does the doc check
and remove it somehow (a PROPER crack). So since everything
Come on... Ain't Got All Day!! is in the right place, if we just keep jumping over the code
we should find our way out.
So after jumping over many instructions, we come the the
follow piece of code
7C00:0B74 8BE5 MOV SP,BP
7C00:0B76 5D POP BP
7C00:0B77 CB RETF
By now, you should know that what you are looking at is
the exit routine for a higher level language's (C or pascal)
code. So we have found the end of the doc check. After
tracing through the RETF you find yourself looking down a cmp
and a conditional jump. Here is the code (NOTE! I have
included the actual call to the doc check just for reference)
45E2:0235 9A46010F4A CALL 7C00:146 ; Call to Doc Check
45E2:023A 83C404 ADD SP,+04
45E2:023D 0BC0 OR AX,AX
45E2:023F 7465 JZ 02A6
Notice the value of the AX register. Since right after
the doc check, it is acted upon, then it has some importance.
Come on... Ain't Got All Day!! So, now that we know where the doc check takes place, how do
we remove it.
Well, We could patch it with the code
45E2:0235 B40100 MOV AX,0001
45E2:0238 90 NOP
45E2:0239 90 NOP
This patch will work (I know, it's how I first patched
the program). But there is one small problem. If you run
the program after adding this patch, you will find that the
title music doesn't play. So, this is now a good place to
put the patch.
So where then. Well, make note of the address of the
call to the doc check. Now, restart the process but this
time right after SC switches in to graphics mode, break out.
Now, set a breakpoint at the address from above (in my
case 45E2:0235). Let SC run in to the intro. You will find
that although the title screen comes up, the music doesn't
kick in before the breakpoint is reached.
Come on... Ain't Got All Day!! No, they couldn't...they wouldn't.. well they did. The
music routines for the intro are stored in the routine for
the doc check. Here is the entire doc check. I have
commented on some of the code
; these first few calls seem to load something from disk
7C00:0146 55 PUSH BP
7C00:0147 8BEC MOV BP,SP
7C00:0149 81EC9001 SUB SP,0190
7C00:014D 57 PUSH DI
7C00:014E 56 PUSH SI
7C00:014F 8B4608 MOV AX,[BP+08]
7C00:0152 0B4606 OR AX,[BP+06]
7C00:0155 740E JZ 0165
7C00:0157 FF7608 PUSH [BP+08]
7C00:015A FF7606 PUSH [BP+06]
7C00:015D 9A65341E2D CALL 2D1E:3465
7C00:0162 83C404 ADD SP,+04
7C00:0165 FF365220 PUSH [2052]
7C00:0169 FF365020 PUSH [2050]
7C00:016D 9A2802FD41 CALL 41FD:0228
Come on... Ain't Got All Day!! 7C00:0172 0AC0 OR AL,AL
7C00:0174 75EF JNZ 0165
7C00:0176 B80200 MOV AX,0002
7C00:0179 898664FF MOV [BP+FF64],AX
7C00:017D 898672FF MOV [BP+FF72],AX
7C00:0181 2BC0 SUB AX,AX
7C00:0183 898662FF MOV [BP+FF62],AX
7C00:0187 89866AFF MOV [BP+FF6A],AX
7C00:018B 898674FF MOV [BP+FF74],AX
7C00:018F B80100 MOV AX,0001
7C00:0192 898666FF MOV [BP+FF66],AX
7C00:0196 89866CFF MOV [BP+FF6C],AX
7C00:019A 898670FF MOV [BP+FF70],AX
7C00:019E 898676FF MOV [BP+FF76],AX
7C00:01A2 B80300 MOV AX,0003
7C00:01A5 898668FF MOV [BP+FF68],AX
7C00:01A9 89866EFF MOV [BP+FF6E],AX
7C00:01AD 898678FF MOV [BP+FF78],AX
; Although I have NO IDEA what the hell is being setup
; here I suspect that it is the must
7C00:01B1 C746860400 MOV WORD PTR [BP-7A],0004
7C00:01B6 C746880100 MOV WORD PTR [BP-78],0001
Come on... Ain't Got All Day!! 7C00:01BB C7468A0200 MOV WORD PTR [BP-76],0002
7C00:01C0 C7468C0000 MOV WORD PTR [BP-74],0000
7C00:01C5 C7468E0000 MOV WORD PTR [BP-72],0000
7C00:01CA C746900500 MOV WORD PTR [BP-70],0005
7C00:01CF C746920600 MOV WORD PTR [BP-6E],0006
7C00:01D4 C746940700 MOV WORD PTR [BP-6C],0007
7C00:01D9 C746960C00 MOV WORD PTR [BP-6A],000C
7C00:01DE 894698 MOV [BP-68],AX
7C00:01E1 C7469A0500 MOV WORD PTR [BP-66],0005
7C00:01E6 C7469C0D00 MOV WORD PTR [BP-64],000D
7C00:01EB C7469E0000 MOV WORD PTR [BP-62],0000
7C00:01F0 C746A00100 MOV WORD PTR [BP-60],0001
7C00:01F5 C746A20200 MOV WORD PTR [BP-5E],0002
7C00:01FA C746A40800 MOV WORD PTR [BP-5C],0008
7C00:01FF B80400 MOV AX,0004
7C00:0202 8946A6 MOV [BP-5A],AX
7C00:0205 8946A8 MOV [BP-58],AX
7C00:0208 C746AA0600 MOV WORD PTR [BP-56],0006
7C00:020D C746AC0800 MOV WORD PTR [BP-54],0008
7C00:0212 C746AE0700 MOV WORD PTR [BP-52],0007
7C00:0217 C746B00900 MOV WORD PTR [BP-50],0009
7C00:021C C746B20A00 MOV WORD PTR [BP-4E],000A
7C00:0221 8946B4 MOV [BP-4C],AX
7C00:0224 C746B60C00 MOV WORD PTR [BP-4A],000C
Come on... Ain't Got All Day!! 7C00:0229 C746B80300 MOV WORD PTR [BP-48],0003
7C00:022E C746BA0B00 MOV WORD PTR [BP-46],000B
7C00:0233 C746BC0D00 MOV WORD PTR [BP-44],000D
7C00:0238 C746BE0B00 MOV WORD PTR [BP-42],000B
7C00:023D C746C00500 MOV WORD PTR [BP-40],0005
7C00:0242 C746C20100 MOV WORD PTR [BP-3E],0001
7C00:0247 C746C40700 MOV WORD PTR [BP-3C],0007
7C00:024C C746C60000 MOV WORD PTR [BP-3A],0000
7C00:0251 C746C80600 MOV WORD PTR [BP-38],0006
7C00:0256 C746CA0200 MOV WORD PTR [BP-36],0002
7C00:025B C746CC0300 MOV WORD PTR [BP-34],0003
7C00:0260 C746CE0800 MOV WORD PTR [BP-32],0008
7C00:0265 C746D00900 MOV WORD PTR [BP-30],0009
7C00:026A C746D20A00 MOV WORD PTR [BP-2E],000A
7C00:026F C746D40B00 MOV WORD PTR [BP-2C],000B
7C00:0274 C746D60C00 MOV WORD PTR [BP-2A],000C
7C00:0279 C746D80A00 MOV WORD PTR [BP-28],000A
7C00:027E C746DA0500 MOV WORD PTR [BP-26],0005
7C00:0283 C746DC0D00 MOV WORD PTR [BP-24],000D
7C00:0288 C746DE0800 MOV WORD PTR [BP-22],0008
7C00:028D C746E00900 MOV WORD PTR [BP-20],0009
7C00:0292 C746E20300 MOV WORD PTR [BP-1E],0003
7C00:0297 C746E40B00 MOV WORD PTR [BP-1C],000B
7C00:029C C78692FE0000 MOV WORD PTR [BP+FE92],0000
Come on... Ain't Got All Day!! 7C00:02A2 C78694FE2B00 MOV WORD PTR [BP+FE94],002B
7C00:02A8 C78696FE0200 MOV WORD PTR [BP+FE96],0002
7C00:02AE C78698FE0300 MOV WORD PTR [BP+FE98],0003
7C00:02B4 89869AFE MOV [BP+FE9A],AX
7C00:02B8 C7869CFE0500 MOV WORD PTR [BP+FE9C],0005
7C00:02BE C7869EFE0600 MOV WORD PTR [BP+FE9E],0006
7C00:02C4 C786A0FE0E00 MOV WORD PTR [BP+FEA0],000E
7C00:02CA C786A2FE2B00 MOV WORD PTR [BP+FEA2],002B
7C00:02D0 C786A4FE0900 MOV WORD PTR [BP+FEA4],0009
7C00:02D6 C786A6FE0A00 MOV WORD PTR [BP+FEA6],000A
7C00:02DC C786A8FE0B00 MOV WORD PTR [BP+FEA8],000B
7C00:02E2 C786AAFE0C00 MOV WORD PTR [BP+FEAA],000C
7C00:02E8 C786ACFE2B00 MOV WORD PTR [BP+FEAC],002B
7C00:02EE C786AEFE0F00 MOV WORD PTR [BP+FEAE],000F
7C00:02F4 C786B0FE0D00 MOV WORD PTR [BP+FEB0],000D
7C00:02FA C786B2FE1000 MOV WORD PTR [BP+FEB2],0010
7C00:0300 C786B4FE1100 MOV WORD PTR [BP+FEB4],0011
7C00:0306 C786B6FE1200 MOV WORD PTR [BP+FEB6],0012
7C00:030C C786B8FE1300 MOV WORD PTR [BP+FEB8],0013
7C00:0312 C786BAFE1400 MOV WORD PTR [BP+FEBA],0014
7C00:0318 C786BCFE1500 MOV WORD PTR [BP+FEBC],0015
7C00:031E C786BEFE1600 MOV WORD PTR [BP+FEBE],0016
7C00:0324 C786C0FE1700 MOV WORD PTR [BP+FEC0],0017
7C00:032A C786C2FE0800 MOV WORD PTR [BP+FEC2],0008
Come on... Ain't Got All Day!! 7C00:0330 C786C4FE1800 MOV WORD PTR [BP+FEC4],0018
7C00:0336 C786C6FE2B00 MOV WORD PTR [BP+FEC6],002B
7C00:033C C786C8FE1900 MOV WORD PTR [BP+FEC8],0019
7C00:0342 C786CAFE2B00 MOV WORD PTR [BP+FECA],002B
7C00:0348 C786CCFE1A00 MOV WORD PTR [BP+FECC],001A
7C00:034E C786CEFE1B00 MOV WORD PTR [BP+FECE],001B
7C00:0354 C786D0FE1C00 MOV WORD PTR [BP+FED0],001C
7C00:035A C786D2FE1D00 MOV WORD PTR [BP+FED2],001D
7C00:0360 C786D4FE1E00 MOV WORD PTR [BP+FED4],001E
7C00:0366 C786D6FE1F00 MOV WORD PTR [BP+FED6],001F
7C00:036C C786D8FE2000 MOV WORD PTR [BP+FED8],0020
7C00:0372 C786DAFE2100 MOV WORD PTR [BP+FEDA],0021
7C00:0378 C786DCFE0700 MOV WORD PTR [BP+FEDC],0007
7C00:037E C786DEFE2200 MOV WORD PTR [BP+FEDE],0022
7C00:0384 C786E0FE2300 MOV WORD PTR [BP+FEE0],0023
7C00:038A C786E2FE2400 MOV WORD PTR [BP+FEE2],0024
7C00:0390 C786E4FE2500 MOV WORD PTR [BP+FEE4],0025
7C00:0396 C786E6FE2600 MOV WORD PTR [BP+FEE6],0026
7C00:039C C786E8FE2B00 MOV WORD PTR [BP+FEE8],002B
7C00:03A2 C786EAFE2700 MOV WORD PTR [BP+FEEA],0027
7C00:03A8 C786ECFE2800 MOV WORD PTR [BP+FEEC],0028
7C00:03AE C786EEFE2900 MOV WORD PTR [BP+FEEE],0029
7C00:03B4 C786F0FE2A00 MOV WORD PTR [BP+FEF0],002A
7C00:03BA 8D46F4 LEA AX,[BP-0C]
Come on... Ain't Got All Day!! 7C00:03BD 50 PUSH AX
7C00:03BE 8D867AFF LEA AX,[BP+FF7A]
7C00:03C2 50 PUSH AX
7C00:03C3 8D862CFF LEA AX,[BP+FF2C]
7C00:03C7 50 PUSH AX
7C00:03C8 8D8628FF LEA AX,[BP+FF28]
7C00:03CC 50 PUSH AX
7C00:03CD E832FC CALL 0002 ; Music Plays
7C00:03D0 0BC0 OR AX,AX
7C00:03D2 7503 JNZ 03D7
7C00:03D4 E99B07 JMP 0B72
7C00:03D7 FF36AA1E PUSH [1EAA]
7C00:03DB 9A0200443D CALL 3D44:0002
7C00:03E0 FF36AE1E PUSH [1EAE]
7C00:03E4 FF36AC1E PUSH [1EAC]
7C00:03E8 9A0C008D3D CALL 3D8D:000C
7C00:03ED B80201 MOV AX,0102
7C00:03F0 50 PUSH AX
7C00:03F1 9ADE02443D CALL 3D44:02DE
7C00:03F6 B80400 MOV AX,0004
7C00:03F9 BA4000 MOV DX,0040
7C00:03FC 52 PUSH DX
7C00:03FD 50 PUSH AX
7C00:03FE 8D868CFE LEA AX,[BP+FE8C]
Come on... Ain't Got All Day!! 7C00:0402 50 PUSH AX
7C00:0403 9A7000963B CALL 3B96:0070 ; Music plays
7C00:0408 89868EFE MOV [BP+FE8E],AX
7C00:040C 899690FE MOV [BP+FE90],DX
7C00:0410 0BD0 OR DX,AX
7C00:0412 7471 JZ 0485
7C00:0414 2BC0 SUB AX,AX
7C00:0416 898686FE MOV [BP+FE86],AX
7C00:041A 898684FE MOV [BP+FE84],AX
7C00:041E FFB690FE PUSH [BP+FE90]
7C00:0422 FFB68EFE PUSH [BP+FE8E]
7C00:0426 9A0A00F93C CALL 3CF9:000A
7C00:042B 898688FE MOV [BP+FE88],AX
7C00:042F 89968AFE MOV [BP+FE8A],DX
7C00:0433 833EB41E00 CMP WORD PTR [1EB4],+00
7C00:0438 7514 JNZ 044E
7C00:043A 8B4608 MOV AX,[BP+08]
7C00:043D 0B4606 OR AX,[BP+06]
7C00:0440 740C JZ 044E
7C00:0442 B80100 MOV AX,0001
7C00:0445 50 PUSH AX
7C00:0446 9AF4019324 CALL 2493:01F4
7C00:044B 83C402 ADD SP,+02
7C00:044E 2AC0 SUB AL,AL
Come on... Ain't Got All Day!! 7C00:0450 50 PUSH AX
7C00:0451 9A4803443D CALL 3D44:0348
7C00:0456 9A57331E2D CALL 2D1E:3357
7C00:045B 9A9911A73B CALL 3BA7:1199
7C00:0460 8D8684FE LEA AX,[BP+FE84]
7C00:0464 16 PUSH SS
7C00:0465 50 PUSH AX
7C00:0466 9A04007E3D CALL 3D7E:0004 ; Music plays
7C00:046B FFB68AFE PUSH [BP+FE8A]
7C00:046F FFB688FE PUSH [BP+FE88]
7C00:0473 9AF001F93C CALL 3CF9:01F0
7C00:0478 FFB690FE PUSH [BP+FE90]
7C00:047C FFB68EFE PUSH [BP+FE8E]
7C00:0480 9A78068D3D CALL 3D8D:0678 ; Music plays
7C00:0485 8B4608 MOV AX,[BP+08]
7C00:0488 0B4606 OR AX,[BP+06]
7C00:048B 7429 JZ 04B6
7C00:048D 833EB41E00 CMP WORD PTR [1EB4],+00
7C00:0492 740C JZ 04A0
7C00:0494 B80100 MOV AX,0001
7C00:0497 50 PUSH AX
7C00:0498 9AF4019324 CALL 2493:01F4 ; Music Plays
7C00:049D 83C402 ADD SP,+02
7C00:04A0 9A8C341E2D CALL 2D1E:348C
Come on... Ain't Got All Day!! 7C00:04A5 FF7608 PUSH [BP+08]
7C00:04A8 FF7606 PUSH [BP+06]
7C00:04AB 9A2A006342 CALL 4263:002A
7C00:04B0 50 PUSH AX
7C00:04B1 9A54006342 CALL 4263:0054
; this is the start of the actual doc check. OH! As you can
; tell, I wasn't too intrested in the music routines, but
; thought it might be fun to track them down
7C00:04B6 9AD0098D3D CALL 3D8D:09D0 ; Show Doc check
; screen
7C00:04BB B80301 MOV AX,0103
7C00:04BE 50 PUSH AX
7C00:04BF 9ADE02443D CALL 3D44:02DE
7C00:04C4 C746F60B00 MOV WORD PTR [BP-0A],000B
7C00:04C9 C746F87900 MOV WORD PTR [BP-08],0079
7C00:04CE C746FA2801 MOV WORD PTR [BP-06],0128
7C00:04D3 C746FC4500 MOV WORD PTR [BP-04],0045
7C00:04D8 B008 MOV AL,08
7C00:04DA 50 PUSH AX
7C00:04DB 9A1003443D CALL 3D44:0310
7C00:04E0 8D867AFF LEA AX,[BP+FF7A]
7C00:04E4 16 PUSH SS
7C00:04E5 50 PUSH AX
7C00:04E6 9A36007E3D CALL 3D7E:0036 ; Show alien's face
Come on... Ain't Got All Day!!
7C00:04EB C746E6A000 MOV WORD PTR [BP-1A],00A0
7C00:04F0 C746EA0100 MOV WORD PTR [BP-16],0001
7C00:04F5 C746840300 MOV WORD PTR [BP-7C],0003
7C00:04FA 2AC0 SUB AL,AL
7C00:04FC 50 PUSH AX
7C00:04FD 9A1003443D CALL 3D44:0310
7C00:0502 8B46F8 MOV AX,[BP-08]
7C00:0505 050700 ADD AX,0007
7C00:0508 8946E8 MOV [BP-18],AX
7C00:050B FFB62EFF PUSH [BP+FF2E]
7C00:050F FFB62CFF PUSH [BP+FF2C]
7C00:0513 FFB62EFF PUSH [BP+FF2E]
7C00:0517 FFB62CFF PUSH [BP+FF2C]
7C00:051B 9AE400FC44 CALL 44FC:00E4
7C00:0520 8BF0 MOV SI,AX
7C00:0522 9A1201E245 CALL 45E2:0112
7C00:0527 B90500 MOV CX,0005
7C00:052A 8BD0 MOV DX,AX
7C00:052C 8BC6 MOV AX,SI
7C00:052E 8BDA MOV BX,DX
7C00:0530 2BD2 SUB DX,DX
7C00:0532 F7F1 DIV CX
7C00:0534 8BD0 MOV DX,AX
Come on... Ain't Got All Day!! 7C00:0536 4A DEC DX
7C00:0537 8BC3 MOV AX,BX
7C00:0539 8BDA MOV BX,DX
7C00:053B 2BD2 SUB DX,DX
7C00:053D F7F3 DIV BX
7C00:053F 42 INC DX
7C00:0540 8BC2 MOV AX,DX
7C00:0542 D1E2 SHL DX,1
7C00:0544 D1E2 SHL DX,1
7C00:0546 03D0 ADD DX,AX
7C00:0548 52 PUSH DX
7C00:0549 9A2801FC44 CALL 44FC:0128
7C00:054E 89868EFE MOV [BP+FE8E],AX
7C00:0552 899690FE MOV [BP+FE90],DX
7C00:0556 C78672FE0000 MOV WORD PTR [BP+FE72],0000
; This is the start of the loop the prints out the stupid
; message
7C00:055C 52 PUSH DX
7C00:055D 50 PUSH AX
7C00:055E 9A4602FC44 CALL 44FC:0246
7C00:0563 8946EC MOV [BP-14],AX
7C00:0566 8956EE MOV [BP-12],DX
Come on... Ain't Got All Day!! 7C00:0569 FFB690FE PUSH [BP+FE90]
7C00:056D FFB68EFE PUSH [BP+FE8E]
7C00:0571 9AF201FC44 CALL 44FC:01F2
7C00:0576 8946F0 MOV [BP-10],AX
7C00:0579 8D46E6 LEA AX,[BP-1A]
7C00:057C 16 PUSH SS
7C00:057D 50 PUSH AX
7C00:057E 9A8202C93C CALL 3CC9:0282
7C00:0583 8346E80A ADD WORD PTR [BP-18],+0A
7C00:0587 FFB690FE PUSH [BP+FE90]
7C00:058B FFB68EFE PUSH [BP+FE8E]
7C00:058F B80100 MOV AX,0001
7C00:0592 50 PUSH AX
7C00:0593 9A7E01FC44 CALL 44FC:017E
7C00:0598 89868EFE MOV [BP+FE8E],AX
7C00:059C 899690FE MOV [BP+FE90],DX
7C00:05A0 FF8672FE INC WORD PTR [BP+FE72]
7C00:05A4 83BE72FE05 CMP WORD PTR [BP+FE72],+05
7C00:05A9 7CB1 JL 055C
; Reads in the code to check (I think. Oh hell it really
; doesn't matter)
7C00:05AB 9A1201E245 CALL 45E2:0112
Come on... Ain't Got All Day!! 7C00:05B0 B90C00 MOV CX,000C
7C00:05B3 99 CWD
7C00:05B4 F7F9 IDIV CX
7C00:05B6 895682 MOV [BP-7E],DX
7C00:05B9 9A1201E245 CALL 45E2:0112
7C00:05BE B90C00 MOV CX,000C
7C00:05C1 99 CWD
7C00:05C2 F7F9 IDIV CX
7C00:05C4 8956F2 MOV [BP-0E],DX
7C00:05C7 9A1201E245 CALL 45E2:0112
7C00:05CC B90C00 MOV CX,000C
7C00:05CF 99 CWD
7C00:05D0 F7F9 IDIV CX
7C00:05D2 8956FE MOV [BP-02],DX
7C00:05D5 9A1201E245 CALL 45E2:0112
7C00:05DA B90C00 MOV CX,000C
7C00:05DD 99 CWD
7C00:05DE F7F9 IDIV CX
7C00:05E0 8996F4FE MOV [BP+FEF4],DX
7C00:05E4 FFB62AFF PUSH [BP+FF2A]
7C00:05E8 FFB628FF PUSH [BP+FF28]
7C00:05EC FF7682 PUSH [BP-7E]
7C00:05EF 9A2801FC44 CALL 44FC:0128
7C00:05F4 89868EFE MOV [BP+FE8E],AX
Come on... Ain't Got All Day!! 7C00:05F8 899690FE MOV [BP+FE90],DX
7C00:05FC 52 PUSH DX
7C00:05FD 50 PUSH AX
7C00:05FE 8D86F6FE LEA AX,[BP+FEF6]
7C00:0602 16 PUSH SS
7C00:0603 50 PUSH AX
7C00:0604 9A9A02FC44 CALL 44FC:029A
7C00:0609 FFB62AFF PUSH [BP+FF2A]
7C00:060D FFB628FF PUSH [BP+FF28]
7C00:0611 8B46FE MOV AX,[BP-02]
7C00:0614 050C00 ADD AX,000C
7C00:0617 50 PUSH AX
7C00:0618 9A2801FC44 CALL 44FC:0128
7C00:061D 89868EFE MOV [BP+FE8E],AX
7C00:0621 899690FE MOV [BP+FE90],DX
7C00:0625 52 PUSH DX
7C00:0626 50 PUSH AX
7C00:0627 8DBEF6FE LEA DI,[BP+FEF6]
7C00:062B 16 PUSH SS
7C00:062C 07 POP ES
7C00:062D B9FFFF MOV CX,FFFF
7C00:0630 33C0 XOR AX,AX
7C00:0632 F2 REPNZ
7C00:0633 AE SCASB
Come on... Ain't Got All Day!! 7C00:0634 F7D1 NOT CX
7C00:0636 49 DEC CX
7C00:0637 8BF1 MOV SI,CX
7C00:0639 8D82F6FE LEA AX,[BP+SI+FEF6]
7C00:063D 16 PUSH SS
7C00:063E 50 PUSH AX
7C00:063F 9A9A02FC44 CALL 44FC:029A
7C00:0644 FFB62AFF PUSH [BP+FF2A]
7C00:0648 FFB628FF PUSH [BP+FF28]
7C00:064C 8B46F2 MOV AX,[BP-0E]
7C00:064F 051800 ADD AX,0018
7C00:0652 50 PUSH AX
7C00:0653 9A2801FC44 CALL 44FC:0128
7C00:0658 89868EFE MOV [BP+FE8E],AX
7C00:065C 899690FE MOV [BP+FE90],DX
7C00:0660 52 PUSH DX
7C00:0661 50 PUSH AX
7C00:0662 8DBEF6FE LEA DI,[BP+FEF6]
7C00:0666 16 PUSH SS
7C00:0667 07 POP ES
7C00:0668 B9FFFF MOV CX,FFFF
7C00:066B 33C0 XOR AX,AX
7C00:066D F2 REPNZ
7C00:066E AE SCASB
Come on... Ain't Got All Day!! 7C00:066F F7D1 NOT CX
7C00:0671 49 DEC CX
7C00:0672 8BF1 MOV SI,CX
7C00:0674 8D82F6FE LEA AX,[BP+SI+FEF6]
7C00:0678 16 PUSH SS
7C00:0679 50 PUSH AX
7C00:067A 9A9A02FC44 CALL 44FC:029A
7C00:067F FFB62AFF PUSH [BP+FF2A]
7C00:0683 FFB628FF PUSH [BP+FF28]
7C00:0687 8B86F4FE MOV AX,[BP+FEF4]
7C00:068B 052400 ADD AX,0024
7C00:068E 50 PUSH AX
7C00:068F 9A2801FC44 CALL 44FC:0128
7C00:0694 89868EFE MOV [BP+FE8E],AX
7C00:0698 899690FE MOV [BP+FE90],DX
7C00:069C 52 PUSH DX
7C00:069D 50 PUSH AX
7C00:069E 8DBEF6FE LEA DI,[BP+FEF6]
7C00:06A2 16 PUSH SS
7C00:06A3 07 POP ES
7C00:06A4 B9FFFF MOV CX,FFFF
7C00:06A7 33C0 XOR AX,AX
7C00:06A9 F2 REPNZ
7C00:06AA AE SCASB
Come on... Ain't Got All Day!! 7C00:06AB F7D1 NOT CX
7C00:06AD 49 DEC CX
7C00:06AE 8BF1 MOV SI,CX
7C00:06B0 8D82F6FE LEA AX,[BP+SI+FEF6]
7C00:06B4 16 PUSH SS
7C00:06B5 50 PUSH AX
7C00:06B6 9A9A02FC44 CALL 44FC:029A
7C00:06BB C746E8B200 MOV WORD PTR [BP-18],00B2
7C00:06C0 8D86F6FE LEA AX,[BP+FEF6]
7C00:06C4 8946EC MOV [BP-14],AX
7C00:06C7 8C56EE MOV [BP-12],SS
7C00:06CA 8DBEF6FE LEA DI,[BP+FEF6]
7C00:06CE 16 PUSH SS
7C00:06CF 07 POP ES
7C00:06D0 B9FFFF MOV CX,FFFF
7C00:06D3 33C0 XOR AX,AX
7C00:06D5 F2 REPNZ
7C00:06D6 AE SCASB
7C00:06D7 F7D1 NOT CX
7C00:06D9 49 DEC CX
7C00:06DA 894EF0 MOV [BP-10],CX
7C00:06DD B084 MOV AL,84
7C00:06DF 50 PUSH AX
7C00:06E0 9A1003443D CALL 3D44:0310
Come on... Ain't Got All Day!! 7C00:06E5 8D46E6 LEA AX,[BP-1A]
7C00:06E8 16 PUSH SS
7C00:06E9 50 PUSH AX
7C00:06EA 9A8202C93C CALL 3CC9:0282 ; Displays the code
; to check
7C00:06EF 8346E80A ADD WORD PTR [BP-18],+0A
7C00:06F3 FFB62AFF PUSH [BP+FF2A]
7C00:06F7 FFB628FF PUSH [BP+FF28]
7C00:06FB B85B00 MOV AX,005B
7C00:06FE 50 PUSH AX
7C00:06FF 9A2801FC44 CALL 44FC:0128
7C00:0704 89868EFE MOV [BP+FE8E],AX
7C00:0708 899690FE MOV [BP+FE90],DX
7C00:070C 52 PUSH DX
7C00:070D 50 PUSH AX
7C00:070E 9A4602FC44 CALL 44FC:0246
7C00:0713 8946EC MOV [BP-14],AX
7C00:0716 8956EE MOV [BP-12],DX
7C00:0719 FFB690FE PUSH [BP+FE90]
7C00:071D FFB68EFE PUSH [BP+FE8E]
7C00:0721 9AF201FC44 CALL 44FC:01F2
7C00:0726 8946F0 MOV [BP-10],AX
7C00:0729 2AC0 SUB AL,AL
Come on... Ain't Got All Day!! 7C00:072B 50 PUSH AX
7C00:072C 9A1003443D CALL 3D44:0310
7C00:0731 8D46E6 LEA AX,[BP-1A]
7C00:0734 16 PUSH SS
7C00:0735 50 PUSH AX
7C00:0736 9A8202C93C CALL 3CC9:0282 ; Displays "PROPER
; response" msg
7C00:073B 8B86F4FE MOV AX,[BP+FEF4]
7C00:073F 2B46F2 SUB AX,[BP-0E]
7C00:0742 898672FE MOV [BP+FE72],AX
7C00:0746 0346FE ADD AX,[BP-02]
7C00:0749 898676FE MOV [BP+FE76],AX
7C00:074D 0BC0 OR AX,AX
7C00:074F 7D09 JGE 075A
7C00:0751 050C00 ADD AX,000C
7C00:0754 898676FE MOV [BP+FE76],AX
7C00:0758 EB0A JMP 0764
7C00:075A 3D0C00 CMP AX,000C
7C00:075D 7C05 JL 0764
7C00:075F 83AE76FE0C SUB WORD PTR [BP+FE76],+0C
7C00:0764 8B4682 MOV AX,[BP-7E]
7C00:0767 038672FE ADD AX,[BP+FE72]
7C00:076B 898674FE MOV [BP+FE74],AX
Come on... Ain't Got All Day!! 7C00:076F 0BC0 OR AX,AX
7C00:0771 7D09 JGE 077C
7C00:0773 050C00 ADD AX,000C
7C00:0776 898674FE MOV [BP+FE74],AX
7C00:077A EB0A JMP 0786
7C00:077C 3D0C00 CMP AX,000C
7C00:077F 7C05 JL 0786
7C00:0781 83AE74FE0C SUB WORD PTR [BP+FE74],+0C
7C00:0786 8BB6F4FE MOV SI,[BP+FEF4]
7C00:078A D1E6 SHL SI,1
7C00:078C 8BB262FF MOV SI,[BP+SI+FF62]
7C00:0790 89B672FE MOV [BP+FE72],SI
7C00:0794 8B8676FE MOV AX,[BP+FE76]
7C00:0798 D1E0 SHL AX,1
7C00:079A D1E0 SHL AX,1
7C00:079C 03F0 ADD SI,AX
7C00:079E D1E6 SHL SI,1
7C00:07A0 8B8292FE MOV AX,[BP+SI+FE92]
7C00:07A4 8986F4FE MOV [BP+FEF4],AX
7C00:07A8 3D2B00 CMP AX,002B
7C00:07AB 7515 JNZ 07C2
7C00:07AD 8BB674FE MOV SI,[BP+FE74]
7C00:07B1 D1E6 SHL SI,1
7C00:07B3 D1E6 SHL SI,1
Come on... Ain't Got All Day!! 7C00:07B5 03B672FE ADD SI,[BP+FE72]
7C00:07B9 D1E6 SHL SI,1
7C00:07BB 8B4286 MOV AX,[BP+SI-7A]
7C00:07BE 8986F4FE MOV [BP+FEF4],AX
7C00:07C2 C78684FE7800 MOV WORD PTR [BP+FE84],0078
7C00:07C8 B85100 MOV AX,0051
7C00:07CB 898686FE MOV [BP+FE86],AX
7C00:07CF 898688FE MOV [BP+FE88],AX
7C00:07D3 C7868AFE0900 MOV WORD PTR [BP+FE8A],0009
7C00:07D9 C78678FE7900 MOV WORD PTR [BP+FE78],0079
7C00:07DF C7867AFE5900 MOV WORD PTR [BP+FE7A],0059
7C00:07E5 C7867CFE0000 MOV WORD PTR [BP+FE7C],0000
7C00:07EB 8D86F6FE LEA AX,[BP+FEF6]
7C00:07EF 89867EFE MOV [BP+FE7E],AX
7C00:07F3 8C9680FE MOV [BP+FE80],SS
7C00:07F7 C78682FE0000 MOV WORD PTR [BP+FE82],0000
7C00:07FD FFB62AFF PUSH [BP+FF2A]
7C00:0801 FFB628FF PUSH [BP+FF28]
7C00:0805 8B86F4FE MOV AX,[BP+FEF4]
7C00:0809 053000 ADD AX,0030
7C00:080C 50 PUSH AX
7C00:080D 9A2801FC44 CALL 44FC:0128
7C00:0812 89868EFE MOV [BP+FE8E],AX
7C00:0816 899690FE MOV [BP+FE90],DX
Come on... Ain't Got All Day!! 7C00:081A 52 PUSH DX
7C00:081B 50 PUSH AX
7C00:081C 8D8630FF LEA AX,[BP+FF30]
7C00:0820 16 PUSH SS
7C00:0821 50 PUSH AX
7C00:0822 9A9A02FC44 CALL 44FC:029A
7C00:0827 B047 MOV AL,47
7C00:0829 50 PUSH AX
7C00:082A 9A1003443D CALL 3D44:0310
7C00:082F C7868CFE0000 MOV WORD PTR [BP+FE8C],0000
; All the code you just saw. I have no clue what it does
; (hey at least I'm honest) but it wasn't important.
; Here is the imput outer loop
7C00:0835 FF365220 PUSH [2052]
7C00:0839 FF365020 PUSH [2050]
7C00:083D 9A2802FD41 CALL 41FD:0228
7C00:0842 888670FE MOV [BP+FE70],AL
7C00:0846 0AC0 OR AL,AL
7C00:0848 7503 JNZ 084D
7C00:084A E99200 JMP 08DF
7C00:084D 2AE4 SUB AH,AH
7C00:084F 2D0800 SUB AX,0008
7C00:0852 745A JZ 08AE
7C00:0854 48 DEC AX
7C00:0855 48 DEC AX
7C00:0856 7503 JNZ 085B
7C00:0858 E90901 JMP 0964
7C00:085B 2D0300 SUB AX,0003
7C00:085E 7503 JNZ 0863
7C00:0860 E90101 JMP 0964
7C00:0863 8A9E70FE MOV BL,[BP+FE70]
7C00:0867 2AFF SUB BH,BH
7C00:0869 F687790B57 TEST BYTE PTR [BX+0B79],57
7C00:086E 746F JZ 08DF
7C00:0870 F687790B03 TEST BYTE PTR [BX+0B79],03
7C00:0875 740C JZ 0883
7C00:0877 F687790B02 TEST BYTE PTR [BX+0B79],02
7C00:087C 7405 JZ 0883
7C00:087E 80AE70FE20 SUB BYTE PTR [BP+FE70],20
7C00:0883 8A8670FE MOV AL,[BP+FE70]
7C00:0887 C49E7EFE LES BX,[BP+FE7E]
7C00:088B 8BB682FE MOV SI,[BP+FE82]
7C00:088F 26 ES:
7C00:0890 8800 MOV [BX+SI],AL
7C00:0892 FF8682FE INC WORD PTR [BP+FE82]
7C00:0896 FFB688FE PUSH [BP+FE88]
7C00:089A 8D8678FE LEA AX,[BP+FE78]
7C00:089E 50 PUSH AX
7C00:089F 9A56049324 CALL 2493:0456
7C00:08A4 83C404 ADD SP,+04
7C00:08A7 0BC0 OR AX,AX
7C00:08A9 7534 JNZ 08DF
7C00:08AB EB27 JMP 08D4
7C00:08AD 90 NOP
7C00:08AE 83BE82FE00 CMP WORD PTR [BP+FE82],+00
7C00:08B3 7404 JZ 08B9
7C00:08B5 FF8E82FE DEC WORD PTR [BP+FE82]
7C00:08B9 B008 MOV AL,08
7C00:08BB 50 PUSH AX
7C00:08BC 9A1003443D CALL 3D44:0310
7C00:08C1 8D8684FE LEA AX,[BP+FE84]
7C00:08C5 16 PUSH SS
7C00:08C6 50 PUSH AX
7C00:08C7 9A6A00843D CALL 3D84:006A
7C00:08CC B047 MOV AL,47
7C00:08CE 50 PUSH AX
7C00:08CF 9A1003443D CALL 3D44:0310
7C00:08D4 8D8678FE LEA AX,[BP+FE78]
7C00:08D8 16 PUSH SS
7C00:08D9 50 PUSH AX
7C00:08DA 9A8202C93C CALL 3CC9:0282
7C00:08DF 83BE8CFE00 CMP WORD PTR [BP+FE8C],+00
7C00:08E4 7503 JNZ 08E9
7C00:08E6 E94CFF JMP 0835
; Next comes the code that checks your entry. If you follow
; it through you will see it handles not only clearing the
; screen and printing the "GOOD GOING" message but it also
; handles bad entries, etc.
7C00:08E9 8BB682FE MOV SI,[BP+FE82]
7C00:08ED C682F6FE00 MOV BYTE PTR [BP+SI+FEF6],00
7C00:08F2 8DBE30FF LEA DI,[BP+FF30]
7C00:08F6 8DB6F6FE LEA SI,[BP+FEF6]
7C00:08FA 16 PUSH SS
7C00:08FB 07 POP ES
7C00:08FC B9FFFF MOV CX,FFFF
7C00:08FF 33C0 XOR AX,AX
7C00:0901 F2 REPNZ
7C00:0902 AE SCASB
7C00:0903 F7D1 NOT CX
7C00:0905 2BF9 SUB DI,CX
7C00:0907 F3 REPZ
7C00:0908 A6 CMPSB
7C00:0909 7405 JZ 0910
7C00:090B 1BC0 SBB AX,AX
7C00:090D 1DFFFF SBB AX,FFFF
7C00:0910 3D0100 CMP AX,0001
7C00:0913 1BC0 SBB AX,AX
7C00:0915 F7D8 NEG AX
7C00:0917 8986F2FE MOV [BP+FEF2],AX
7C00:091B 0BC0 OR AX,AX
7C00:091D 7509 JNZ 0928
7C00:091F 837E8401 CMP WORD PTR [BP-7C],+01
7C00:0923 7703 JA 0928
7C00:0925 E91C02 JMP 0B44
7C00:0928 0BC0 OR AX,AX
7C00:092A 7506 JNZ 0932
7C00:092C 837E8403 CMP WORD PTR [BP-7C],+03
7C00:0930 740A JZ 093C
7C00:0932 0BC0 OR AX,AX
7C00:0934 745E JZ 0994
7C00:0936 837E8403 CMP WORD PTR [BP-7C],+03
7C00:093A 7358 JNB 0994
7C00:093C B047 MOV AL,47
7C00:093E 50 PUSH AX
7C00:093F 9A1003443D CALL 3D44:0310
7C00:0944 8D867AFF LEA AX,[BP+FF7A]
7C00:0948 16 PUSH SS
7C00:0949 50 PUSH AX
7C00:094A 9A36007E3D CALL 3D7E:0036
7C00:094F 83BEF2FE00 CMP WORD PTR [BP+FEF2],+00
7C00:0954 7518 JNZ 096E
7C00:0956 FF7680 PUSH [BP-80]
7C00:0959 FFB67EFF PUSH [BP+FF7E]
7C00:095D 9A1C04F93C CALL 3CF9:041C
7C00:0962 EB16 JMP 097A
7C00:0964 C7868CFE0100 MOV WORD PTR [BP+FE8C],0001
7C00:096A E972FF JMP 08DF
7C00:096D 90 NOP
7C00:096E FF7680 PUSH [BP-80]
7C00:0971 FFB67EFF PUSH [BP+FF7E]
7C00:0975 9A7204F93C CALL 3CF9:0472
7C00:097A 89867EFF MOV [BP+FF7E],AX
7C00:097E 895680 MOV [BP-80],DX
7C00:0981 B008 MOV AL,08
7C00:0983 50 PUSH AX
7C00:0984 9A1003443D CALL 3D44:0310
7C00:0989 8D867AFF LEA AX,[BP+FF7A]
7C00:098D 16 PUSH SS
7C00:098E 50 PUSH AX
7C00:098F 9A36007E3D CALL 3D7E:0036
7C00:0994 B047 MOV AL,47
7C00:0996 50 PUSH AX
7C00:0997 9A1003443D CALL 3D44:0310
7C00:099C 8D46F6 LEA AX,[BP-0A]
7C00:099F 16 PUSH SS
7C00:09A0 50 PUSH AX
7C00:09A1 9A6A00843D CALL 3D84:006A
7C00:09A6 B008 MOV AL,08
7C00:09A8 50 PUSH AX
7C00:09A9 9A1003443D CALL 3D44:0310
7C00:09AE 8D8684FE LEA AX,[BP+FE84]
7C00:09B2 16 PUSH SS
7C00:09B3 50 PUSH AX
7C00:09B4 9A6A00843D CALL 3D84:006A
7C00:09B9 83BEF2FE00 CMP WORD PTR [BP+FEF2],+00
7C00:09BE 7503 JNZ 09C3
7C00:09C0 E98500 JMP 0A48
7C00:09C3 2AC0 SUB AL,AL
7C00:09C5 50 PUSH AX
7C00:09C6 9A1003443D CALL 3D44:0310
7C00:09CB 8B46F8 MOV AX,[BP-08]
7C00:09CE 050700 ADD AX,0007
7C00:09D1 8946E8 MOV [BP-18],AX
7C00:09D4 FFB62EFF PUSH [BP+FF2E]
7C00:09D8 FFB62CFF PUSH [BP+FF2C]
7C00:09DC 2BC0 SUB AX,AX
7C00:09DE 50 PUSH AX
7C00:09DF 9A2801FC44 CALL 44FC:0128
7C00:09E4 89868EFE MOV [BP+FE8E],AX
7C00:09E8 899690FE MOV [BP+FE90],DX
7C00:09EC C78672FE0000 MOV WORD PTR [BP+FE72],0000
7C00:09F2 EB04 JMP 09F8
7C00:09F4 FF8672FE INC WORD PTR [BP+FE72]
7C00:09F8 83BE72FE05 CMP WORD PTR [BP+FE72],+05
7C00:09FD 7C03 JL 0A02
7C00:09FF E94201 JMP 0B44
7C00:0A02 52 PUSH DX
7C00:0A03 50 PUSH AX
7C00:0A04 9A4602FC44 CALL 44FC:0246
7C00:0A09 8946EC MOV [BP-14],AX
7C00:0A0C 8956EE MOV [BP-12],DX
7C00:0A0F FFB690FE PUSH [BP+FE90]
7C00:0A13 FFB68EFE PUSH [BP+FE8E]
7C00:0A17 9AF201FC44 CALL 44FC:01F2
7C00:0A1C 8946F0 MOV [BP-10],AX
7C00:0A1F 8D46E6 LEA AX,[BP-1A]
7C00:0A22 16 PUSH SS
7C00:0A23 50 PUSH AX
7C00:0A24 9A8202C93C CALL 3CC9:0282
7C00:0A29 8346E80A ADD WORD PTR [BP-18],+0A
7C00:0A2D FFB690FE PUSH [BP+FE90]
7C00:0A31 FFB68EFE PUSH [BP+FE8E]
7C00:0A35 B80100 MOV AX,0001
7C00:0A38 50 PUSH AX
7C00:0A39 9A7E01FC44 CALL 44FC:017E
7C00:0A3E 89868EFE MOV [BP+FE8E],AX
7C00:0A42 899690FE MOV [BP+FE90],DX
7C00:0A46 EBAC JMP 09F4
7C00:0A48 B084 MOV AL,84
7C00:0A4A 50 PUSH AX
7C00:0A4B 9A1003443D CALL 3D44:0310
7C00:0A50 C746E88C00 MOV WORD PTR [BP-18],008C
7C00:0A55 FFB62AFF PUSH [BP+FF2A]
7C00:0A59 FFB628FF PUSH [BP+FF28]
7C00:0A5D B85C00 MOV AX,005C
7C00:0A60 50 PUSH AX
7C00:0A61 9A2801FC44 CALL 44FC:0128
7C00:0A66 89868EFE MOV [BP+FE8E],AX
7C00:0A6A 899690FE MOV [BP+FE90],DX
7C00:0A6E 52 PUSH DX
7C00:0A6F 50 PUSH AX
7C00:0A70 9A4602FC44 CALL 44FC:0246
7C00:0A75 8946EC MOV [BP-14],AX
7C00:0A78 8956EE MOV [BP-12],DX
7C00:0A7B FFB690FE PUSH [BP+FE90]
7C00:0A7F FFB68EFE PUSH [BP+FE8E]
7C00:0A83 9AF201FC44 CALL 44FC:01F2
7C00:0A88 8946F0 MOV [BP-10],AX
Come on... Ain't Got All Day!! 7C00:0A8B 8D46E6 LEA AX,[BP-1A]
7C00:0A8E 16 PUSH SS
7C00:0A8F 50 PUSH AX
7C00:0A90 9A8202C93C CALL 3CC9:0282
7C00:0A95 2AC0 SUB AL,AL
7C00:0A97 50 PUSH AX
7C00:0A98 9A1003443D CALL 3D44:0310
7C00:0A9D 8346E80B ADD WORD PTR [BP-18],+0B
7C00:0AA1 FFB690FE PUSH [BP+FE90]
7C00:0AA5 FFB68EFE PUSH [BP+FE8E]
7C00:0AA9 B80100 MOV AX,0001
7C00:0AAC 50 PUSH AX
7C00:0AAD 9A7E01FC44 CALL 44FC:017E
7C00:0AB2 89868EFE MOV [BP+FE8E],AX
7C00:0AB6 899690FE MOV [BP+FE90],DX
7C00:0ABA 52 PUSH DX
7C00:0ABB 50 PUSH AX
7C00:0ABC 9A4602FC44 CALL 44FC:0246
7C00:0AC1 8946EC MOV [BP-14],AX
7C00:0AC4 8956EE MOV [BP-12],DX
7C00:0AC7 FFB690FE PUSH [BP+FE90]
7C00:0ACB FFB68EFE PUSH [BP+FE8E]
7C00:0ACF 9AF201FC44 CALL 44FC:01F2
7C00:0AD4 8946F0 MOV [BP-10],AX
Come on... Ain't Got All Day!! 7C00:0AD7 8D46E6 LEA AX,[BP-1A]
7C00:0ADA 16 PUSH SS
7C00:0ADB 50 PUSH AX
; Lot's of code Huh?
7C00:0ADC 9A8202C93C CALL 3CC9:0282
7C00:0AE1 C746E8BC00 MOV WORD PTR [BP-18],00BC
7C00:0AE6 FFB690FE PUSH [BP+FE90]
7C00:0AEA FFB68EFE PUSH [BP+FE8E]
7C00:0AEE B80100 MOV AX,0001
7C00:0AF1 50 PUSH AX
7C00:0AF2 9A7E01FC44 CALL 44FC:017E
7C00:0AF7 89868EFE MOV [BP+FE8E],AX
7C00:0AFB 899690FE MOV [BP+FE90],DX
7C00:0AFF 52 PUSH DX
7C00:0B00 50 PUSH AX
7C00:0B01 9A4602FC44 CALL 44FC:0246
7C00:0B06 8946EC MOV [BP-14],AX
7C00:0B09 8956EE MOV [BP-12],DX
7C00:0B0C FFB690FE PUSH [BP+FE90]
7C00:0B10 FFB68EFE PUSH [BP+FE8E]
7C00:0B14 9AF201FC44 CALL 44FC:01F2
Come on... Ain't Got All Day!! 7C00:0B19 8946F0 MOV [BP-10],AX
7C00:0B1C 8D46E6 LEA AX,[BP-1A]
7C00:0B1F 16 PUSH SS
7C00:0B20 50 PUSH AX
7C00:0B21 9A8202C93C CALL 3CC9:0282
7C00:0B26 B80100 MOV AX,0001
7C00:0B29 50 PUSH AX
7C00:0B2A 9AF4019324 CALL 2493:01F4
7C00:0B2F 83C402 ADD SP,+02
7C00:0B32 B047 MOV AL,47
7C00:0B34 50 PUSH AX
7C00:0B35 9A1003443D CALL 3D44:0310
7C00:0B3A 8D46F6 LEA AX,[BP-0A]
7C00:0B3D 16 PUSH SS
7C00:0B3E 50 PUSH AX
7C00:0B3F 9A6A00843D CALL 3D84:006A
7C00:0B44 83BEF2FE00 CMP WORD PTR [BP+FEF2],+00
7C00:0B49 7508 JNZ 0B53
7C00:0B4B FF4E84 DEC WORD PTR [BP-7C]
7C00:0B4E 7403 JZ 0B53
7C00:0B50 E9A7F9 JMP 04FA
7C00:0B53 FF76F4 PUSH [BP-0C]
7C00:0B56 8D867AFF LEA AX,[BP+FF7A]
7C00:0B5A 50 PUSH AX
Come on... Ain't Got All Day!! 7C00:0B5B FFB62EFF PUSH [BP+FF2E]
7C00:0B5F FFB62CFF PUSH [BP+FF2C]
7C00:0B63 FFB62AFF PUSH [BP+FF2A]
7C00:0B67 FFB628FF PUSH [BP+FF28]
7C00:0B6B E88EF5 CALL 00FC
7C00:0B6E 8B86F2FE MOV AX,[BP+FEF2]
7C00:0B72 5E POP SI
7C00:0B73 5F POP DI
; Here is the exit code I was talking about
7C00:0B74 8BE5 MOV SP,BP
7C00:0B76 5D POP BP
7C00:0B77 CB RETF
7C00:0B78 B85A06 MOV AX,065A
7C00:0B7B CB RETF
7C00:0B7C B89006 MOV AX,0690
7C00:0B7F CB RETF
Ok, after looking through all of that, can you tell me
where to put the patch. Simple. How about right at the
begining of the doc check right after the music routines (ie
address 7C00:04B6). Hey yeah ... good idea. But how do we
Come on... Ain't Got All Day!! want to patch it. Well, since this is a higher level
language, we just can't use RETF. We must reset the stack.
Since I hate large patches, a simply decided on the
follow patch
7C00:04B6 E9BB06 JMP B74
Ok, by jumping to 0B74, we still get the music but the
actual doc check is not executed. But there is still a
problem. Remember how I said that AX was tested after the
doc check. Well, we still have to fake the check. The
easiest way, is to simply NOP the condition jmp. Here is the
section of code again
45E2:0235 9A46010F4A CALL 7C00:146 ; Call to Doc Check
45E2:023A 83C404 ADD SP,+04
45E2:023D 0BC0 OR AX,AX
45E2:023F 7465 JZ 02A6
If you remember, when you enter the right code, AX will
be set to 0001 when we exit to 45E2:023A. If we OR 0001 and
0001 we get 0001. Here is the binary ...
Come on... Ain't Got All Day!!
0000 0000 0000 0001 ( remember OR means
if either is bit
or 0000 0000 0000 0001 is 1 )
DDDDDDDDDDDDDDDDDDD
0000 0000 0000 0001
Clearly we don't want to branch at the JZ at 45E2:023F.
So, to finish the patch we simply NOP that jmp.
Oh boy.. that was hard. So let's test it out. But
first, a little forsight. We will need a unique string of
bytes to search for when making the patch. I say we use the
code from 7C00:04C4 to 7C00:04CE and from 45E2:0235 to
45E2:023F. Yea, write down the hex equivelent and then
restart. Again break in right after the switch to graphics.
Now add the patch (ie A 7C00:04B6 <ENTER>, etc.). Now
execute the program.
SHIT! It worked, we are fucking amazing. Ok, now
adding the patch permenatly. Using PCTOOLS (or whatever)
search the file STARCON.EXE for the bytes mention above
(ie: C746F60B00C746F87900C746FA2801) But wait, now
matches...Hmmm strange. It was there just a minute ago...but
Come on... Ain't Got All Day!! wait there... another file STARCON.OVL (as we all know .OVL
mean OVERLAY). Let's try searching this one.
There we go, that's better (it should should up on the
13 sector read in). Now to add the patch. Simply find the
search bytes and the go backwards until the first occurance
of the hex byte 9A. Add the patch here. Save it.
Next, add the patch to 45E2:023F. Search for the bytes
83C4040BC07465. The should appear on sector 3 (give or take
a few sectors). Now simply change the 2 bytes 74 65 to 90 90
and save the sector. Now, you are good to go.
Well shit, this has been some hell of a textfile. 1113
lines in all. But what detail. Ok I hope you learned
something from all of this. And this end the first part of
CRACKING 101 - the 1990 edition. From here out all lessons (
lesson 5 and up) will be released on their own.
I would like the thank Phantom Phlegm for pushing me to
finish this shit.
Till lesson 5 this is Buckaroo Banzai, signing off.
Come on... Ain't Got All Day!!
OH... I can be reached for personal help via E-MAIL on LORD
WOLFEN's CASTLE or TOS...
[2] Tfiles: (1-3,?,Q) :
Raw
Chapter_3.txt
[0] Tfiles: (1-3,?,Q) : 3
THE OFFICIAL UNPROTECTION SCHEME LIBRARY
original document created and compiled by "The PaperBoy"
and the CopyCats, Inc.
01-21-89, 01-26-89, 01-30-89, 02-04-89, 02-06-89
-----------------------------------------------------------------------------
The following protection removal schemes took many valuable hours of time to
create. This file contains the procedures for many of the latest software
packages out today. (This document is updated at every new unprotection
scheme or schemes we find.) Please be patient if your program can't be
cracked yet. It will be, pretty soon, we hope.
! Please note that these patches are for personal use only !
We are THE COPYCATS INCORPORATED:
Seymore Warez Unprotected (President)
The PaperBoy, MasterByte, The Gigolo, The Ninjutsu, SlimeMan, Shimba,
Grand Central Station, Didley Bop, Dr. Disk, The No Cause People In Florida
** Just cracking software, byte by byte. **
Come on... Ain't Got All Day!!
Use these software unprotection schemes at own risk! (Try with a BACKUP!)
-----------------------------------------------------------------------------
These programs have unprotection patches or fixes in this document: 29
Accolade: 4th & Inches, Test Drive, Fast Break, Grand Prix Circuit,
Apollo 18
Activision: The Last Ninja+fix, Rampage
Sierra: Leisure Suit Larry II, King's Quest IV, Manhunter: NYork
Police Quest II, Gold Rush!
MindScape: Willow, Bop'n Wrestle, Infiltrator, Defender of the Crown,
Perfect College
Epyx: The Games: Summer E, TechnoCop/fix, California Games, The
Games: Winter E.
Simon&Schuster: Star Trek: The Kobayashi Alternative
DataSoft: Bruce Lee/fix
Electronic Arts: Advanced Flight Trainer 1.2
Spectrum Holobyte: Gato: WW2 Submarine Simulator
Broderbund: The Print Shop, Ancient Art of War
Cignet Tech: Little Black Book
PowerUp!: most software
Infocom: BattleTech!
misc: Trivia Fever
Come on... Ain't Got All Day!! /fix=fix only, no unprotection patch +fix=fix and unprotection patch
-----------------------------------------------------------------------------
A NOTE ON COPY PROTECTION
At the CopyCats, we would like to make a statement on copy protection. We see
this concept as unnecessary. Crude disk checking and trudging through the
manuals for "key words," make it very difficult for many of the novice users,
as well as the experienced computer users. Many of our "program hackers"
also feel they do not promote software piracy. They only help the people
who are against the protection schemes and use of software authorization
procedures. And, if it continues, WE will continue.
"S. W. Unprotected"
President of The CopyCats, Inc
-----------------------------------------------------------------------------
LAST MINUTE HACKER'S NOTES
The PaperBoy here. You may notice that many of these programs have similar
protection scheme instruction codes. If you have a program that has no
unprotection scheme here, apply it to the program and test it. That's how
we were able to pull most schemes down. Remember, this is for the experienced
user. Don't mess up your originals, either. And, use write-protect tabs for
the scheme checking - last time, it erased itself due to a backfire of
the BIOS interrupt 13hex. Smart program, but WE cracked it. CAREFUL!
Come on... Ain't Got All Day!! -----------------------------------------------------------------------------
THE UNPROTECTION SCHEMES!
-----------------------------------------------------------------------------
1. MOST MAJOR ACCOLADE SOFTWARE, The PaperBoy
To remove the protection schemes of 4TH & INCHES, TEST DRIVE, FAST BREAK**, &
other ACCOLADE SOFTWARE:
Search for these bytes: 55 56 57 06 1E (use Norton Utilities, DEBUG
And replace it with: 31 C0 C3 06 1E PC-Tools, or equivalent)
** If you wish to patch FAST BREAK, you must modify all main FB-?.EXE files
and the FB.RTL file.
-----------------------------------------------------------------------------
2. GRAND PRIX CIRCUIT BY ACCOLADE, Two Guys
The previous ACCOLADE unprotection scheme was incompatible with its later
released game, GRAND PRIX CIRCUIT. With an updated protection, you must:
Search for these bytes ------> And replace it with
1. BE 06 00 E8 13 00 EB 16 00 EB 13 00
2. F6 C4 10 75 0B EB 0E 10 75 0B
3. 72 5F BB 90 90 BB
4. 75 47 BE 90 90 BE
Come on... Ain't Got All Day!! 5. B8 09 02 EB 0A 02
6. 75 03 E8 03 EB 03 E8 03 (GPEGA.EXE only!)
-----------------------------------------------------------------------------
3. LEISURE SUIT LARRY II BY SIERRA, Pirates-R-Us
LEISURE SUIT LARRY GOES LOOKING FOR LOVE IN SEVERAL WRONG PLACES by Sierra
On-Line has a seriously annoying protection scheme. The player must trudge
through the manual to look for girl's phone number in order to enter the
game. This patch force the program to accept any input at the prompt in the
initialization of the program.
1. Rename SIERRA.EXE to SIERRA.XXX
2. Enter DEBUG and enter the following lines.
E 0394 F6
E 4210 52 5C
E 9E1D B8 08 35 CD 21 89 1E FC 12 8C 06 FE 12 B8 24 35
E 9E2D CD 21 89 1E 00 13 8C 06 02 13 B8 24 35 CD 21 89
E 9E3D 1E 04 13 8C 06 06 13 07 1E 0E 1F BA 6B 9C B8 23
E 9E4D 25 CD 21 BA 6C 9C B8 24 35 CD 21 1F E8 5A 00 C7
E 9E5D 06 FA 12 01 00 C3 90 57 51 B9 0F 00 BF 86 BA C6
E 9E6D 05 00 83 C7 09 E2 F8 59 5F 2E C7 06 10 3F 0E 01
E 9E7D E9 8F A3 90 90 90 90 90 90 90 90 90 90 98 90 83
E 9E8D 3E FA 12 00 75 01 C3 1E 07
Come on... Ain't Got All Day!! E F676 8E D8 B1 03
W
Q
3. Rename SIERRA.XXX back to SIERRA.EXE
-----------------------------------------------------------------------------
4. STAR TREK: THE KOBAYASHI ALTERNATIVE BY SIMON & SCHUSTER, Dr. Disk
This simple protection scheme can be bypassed with Central Point Software's
NOKEY (distributed with COPY II-PC), or you can use the removal scheme below.
Search through ST.EXE for CD 13 and replace it with 90 90.
You can use this patch with most software that you use with NOKEY to bypass
its protection scheme.
-----------------------------------------------------------------------------
5. RAMPAGE AND THE LAST NINJA BY ACTIVISION, INC., The Ninjutsu
The above unprotection scheme can be used on these two ACTIVISION programs.
Search the main EXE files for CD 13 and replace it with 90 90.
-----------------------------------------------------------------------------
6. MANHUNTER: NEW YORK BY SIERRA, Bart Montgomery
Search the file MHVOL.1 for these bytes: 41 06 7A
Come on... Ain't Got All Day!! and replace them with these bytes: 7F C3 00
-----------------------------------------------------------------------------
7. FIX FOR BRUCE LEE BY DATASOFT, The PaperBoy (FOR DISK VERSION ONLY)
First, Bruce Lee is an excellent product. It's just that (aaarrrggghhh)
you have no `falls' left, and you feel yourself quite near the finish of the
game. Suddenly, one of those little dots floating on floor taps your foot and
you get zapped. You see the sign "Game Over" and you feel pretty pissed, and
wish you could open the drive and rip the disk to shreds, but that would be
a waste. So, fix it! One thing you could do is play option C, one player vs.
your opponent played by the other player. But this time, play alone, and make
sure the second joystick is calibrated wrong. If the computer sees that the
Yamo isn't moving, it will take over, so a wrong calibration will make it
move always. So, you're playing, but that stupid ninja is in your way and it
won't let you win. Alternative? Eliminate him. And this is how you do it.
Get a disk utility, preferably Norton Utilities. Zap the Bruce Lee disk,
with the following information.
Sector 271 Sector 271
Offset 139 and Offset 354
Change 09(hex) to 63(hex) Change 09(hex) to 63(hex)
That's all there is to it. Now you play, the Green Yamo flying around
crazily, and the ninja... hmm... the ninja seems to appear for a quick second
Come on... Ain't Got All Day!! then disappear. Now, he's never gonna touch you!
-----------------------------------------------------------------------------
8. GATO: WORLD WAR 2-CLASS SUBMARINE SIMULATOR BY SPECTRUM HOLOBYTE, SlimeMan
To unprotect GATO, use the following table below.
Sector Offset Contents Change To
53 0E 72 11 90 90
53 13 72 0C 90 90
53 53 72 EB
53 65 75 EB
-----------------------------------------------------------------------------
9. TRIVIA FEVER, Grand Central Station
To unprotect TRIVIA FEVER, follow the steps below.
1. Rename TF.EXE to TF.XXX
2. Enter DEBUG and type in the lines below.
-E 257E <ENTER>
-75.90 03.90 <ENTER>
-W <ENTER>
-Q <ENTER>
3. Rename TF.XXX back to TF.EXE
Come on... Ain't Got All Day!! -----------------------------------------------------------------------------
10. THE GAMES: SUMMER EDITION BY EPYX, Dr. Disk
To unprotect THE GAMES, use the following patch below.
Search for these bytes: E8 87 00 59 C6
And replace it with: 59 59 5F EB 55
-----------------------------------------------------------------------------
11. LITTLE BLACK BOOK BY CIGNET TECHNOLOGIES, The Gigolo
To unprotect your LITTLE BLACK BOOK, search the file BOOK.EXE and patch:
Search for these bytes: ----> and replace it with these bytes:
3D 00 00 74 07 C6 06 03 01 B8 00 00 74 07 C6 06 03 00
CD 13 B8 01 02 CD 13 72 0E 90 90 90 90 90 90 90 EB 0E
EB F5 F6 C4 06 75 06 EB F5 F6 C4 06 EB 06
Now, search in the file LBB.EXE and patch:
Search for these bytes: ----> and replace it with these bytes:
3D 00 00 74 07 C6 06 76 04 01 B8 00 00 74 07 C6 06 76 04 00
CD 13 B8 01 02 CD 13 72 0E 90 90 90 90 90 90 90 EB 0E
EB F5 F6 C4 06 75 06 EB F5 F6 C4 06 EB 06
-----------------------------------------------------------------------------
Come on... Ain't Got All Day!! 12. KING'S QUEST IV: THE PERILS OF ROSELLA BY SIERRA ON-LINE, Pirates-R-Us
To completely bypass the documentational protection on KING'S QUEST IV, use
the procedure below.
1. First, search your Quality Assurance file for the correct edition date.
It is found in the ????????.QA file.
2. If you do not have your version dated 09-19-88 nor 09-24-88, you cannot
proceed with this patch. Sorry!
3. Rename SIERRA.EXE to SIERRA.XXX.
4. Enter DEBUG and type the following lines below.
(if you have the 09-19-88 version, use this patch)
E 0394 82
E 0CB4 90 E8 38 98
E A4A9 B8 08 35 CD 21 89 1E 7E 12 8C 06 80 12 B8 24 35 CD 21 89 1E
E A4BD 82 12 8C 06 84 12 B8 24 35 CD 21 89 1E 86 12 8C 06 88 12 07
E A4D1 1E 0E 1F BA F7 A2 B8 24 35 CD 21 BA F8 A2 B8 24 35 CD 21 1F
E A4E5 E8 5A 00 C7 06 7C 12 01 00 C3 90 80 FB 98 75 16 C7 04 32 95
E A4F9 C6 44 02 00 2E C7 06 B4 09 FF 97 2E C7 06 B6 09 A0 01 FF A7
E A50D A0 01 90 90 90 90 90 90 90 90 90 83 3E 7C 12 00 75 01 C3 1E
E A521 07
W
Q
Come on... Ain't Got All Day!!
(if you have the 09-24-88 version, use this patch)
E 0394 74
E 0CB4 90 E8 2A 98
E A49B B8 08 35 CD 21 89 1E 5E 12 8C 06 60 12 B8 23 35 CD 21 89 1E
E A4AF 62 12 8C 06 64 12 B8 24 35 CD 21 89 1E 66 12 8C 06 68 12 07
E A4C3 1E 0E 1F BA E9 A2 B8 23 25 CD 21 BA EA A2 B8 24 25 CD 21 1F
E A4D7 E8 5A 00 C7 06 5C 12 01 00 C3 90 80 FB 98 75 16 C7 04 32 99
E A4EB C6 44 02 00 2E C7 06 B4 09 FF 97 2E C7 06 B6 09 0A 05 FF A7
E A4FF 0A 05 90 90 90 90 90 90 90 90 90 83 3E 5C 12 00 75 01 C3 1E
E A513 07
W
Q
5. Rename SIERRA.XXX back to SIERRA.EXE.
-----------------------------------------------------------------------------
13. CALIFORNIA GAMES BY EPYX, Jonathan Millhouse
To override the disk protection scheme in CALIFORNIA GAMES, enter Norton
Utilities or your favorite disk/file editor and open CALGAMES.EXE.
Search for these bytes: FA FC 55 56 57
And replace it with these bytes: 00 00 31 C0 C3
-----------------------------------------------------------------------------
Come on... Ain't Got All Day!! 14. CHUCK YEAGER'S ADVANCED FLIGHT TRAINER BY ELECTRONIC ARTS, Tony Elliott
(Version 1.2 only)
1. Rename AFT.EXE to AFT.XXX
2. Enter DEBUG with AFT.XXX open for editing.
3. At the DEBUG "-" prompt, type
U 0DBB <ENTER>
Several lines with be displayed on screen. You are interested in the first
two. They should look EXACTLY like this:
xxxx:0DBB E9A3A7 JMP B561
xxxx:0DBE C3 RET
The "xxxx" represents any four hexadecimal numbers. If you have a match,
on to the next step. If not, you probably have the wrong version. Sorry!
4. At the "-" prompt again, type
U 0E38 <RETURN>
Several lines of code will again be displayed on screen. Look at the first
Come on... Ain't Got All Day!! two following the "U 0E38" command. They should also match exactly with the
following:
xxxx:0E38 880E5005 MOV [0550],CL
xxxx:0Exx 8A0E4D05 MOV CL,[054d]
If you have a match here, then you should have a compatible version of the
AFS program. If not, sorry!
5. At the "-" prompt, type the following:
E 0DBB 90 90 90 <ENTER>
E 0E38 C3 90 90 90 <ENTER>
W <ENTER>
Q <ENTER>
You should now be back in DOS. Only one more step left.
6. Rename AFT.XXX back to AFT.EXE
That's it! You now have an unprotected copy of AFT.
-----------------------------------------------------------------------------
15. POWER-UP! SOFTWARE, The No Cause People in Florida
Come on... Ain't Got All Day!! To unprotect most programs from POWER-UP!, load the main EXE file with Norton
Utilities or such.
Search for the bytes: E8 48 FF
And replace it with: 90 90 90
-----------------------------------------------------------------------------
16. THE PRINT SHOP BY BR0DERBUND, Swamp Fox
The Print Shop employs two sections of code to copy protect itself. The first
is embedded in PS.EXE and is exercised when the program is run from a floppy.
The second is embedded in PSINIT.OVR and is employed when the program is run
from a hard or ram disk. Once activated, both seek out a specially formatted
track on the A: drive and terminate the program if not found.
Both sections of code will be un-hooked here so that the program will run
from either a floppy or a hard disk.
RENAME PS.EXE PS.ZAP Rename for DEBUG
DEBUG PS.ZAP Start DEBUG
S0 9000 CD 13 Search for Disk interrupt 13
XXXX:3AC6 You should find these two:
Come on... Ain't Got All Day!! XXXX:3ADF
U 3AC6 Unassemble code to make sure
you're in the right place :
XXXX:3AC6 INT 13 A test for any disk in A:
XXXX:3AC8 MOV BYTE PTR [0A91],02
XXXX:3ACD DEC BYTE PTR [0A91]
XXXX:3AD1 JZ 3AE6
XXXX:3AD3 MOV DH,00 \
XXXX:3AD5 MOV DL,00 | This sets up a look for the
XXXX:3AD7 MOV CH,09 | special track
XXXX:3AD9 MOV CL,0A |
XXXX:3ADB MOV AL,01 |
XXXX:3ADD MOV AH,04 |
XXXX:3ADF INT 13 /
XXXX:3AE1 CMP AH,00 If not there ... Loop then
XXXX:3AE4 JNZ 3ACD Zonk! Terminate Program...
A 3AC6 Get rid of 1 st diskette look
XXXX:3AC6 NOP Remove the INT 13
XXXX:3AC7 NOP
Come on... Ain't Got All Day!! XXXX:3AC8
A 3ADD Get rid of the real test:
XXXX:3ADD MOV AH,00 Give it what it wants in AH
XXXX:3ADF NOP Remove the INT 13
XXXX:3AE0 NOP
XXXX:3AE1
W Write out the changed code
Q Quit DEBUG
RENAME PS.ZAP PS.EXE Rename for running program
(The program will now run from floppy disks without further changes)
Now for the second portion of the copy protection :
DEBUG PSINIT.OVR Start DEBUG (using a copy !)
S0 2000 CD 13 Look for disk interrupt 13
XXXX:0479 You should find these three:
Come on... Ain't Got All Day!! XXXX:0492
XXXX:04BD
U 0479
XXXX:0479 INT 13 A test for any disk in A:
XXXX:047B MOV BYTE PTR [CD57],02
XXXX:0480 DEC BYTE PTR [CD57]
XXXX:0484 JZ 04DB
XXXX:0486 MOV CL,11 \
XXXX:0488 MOV AH,04 |
XXXX:048A MOV DH,00 |
XXXX:048C MOV CH,09 | This sets up a look for the
XXXX:048E MOV DL,00 | special track
XXXX:0490 MOV AL,01 |
XXXX:0492 INT 13 /
XXXX:0494 CMP AH,00 If not there ... Loop then
XXXX:0497 JNZ 0480 Zonk ! Terminate Program...
(Look familiar ?)
U 04BD
XXXX:04BD INT 13 This one's a read (same idea)
Come on... Ain't Got All Day!! XXXX:04BF CMP AH,00
XXXX:04C2 JNZ 04A5
XXXX:04C4 ADD BX,018B
XXXX:04C8 MOV CL,05
XXXX:04CA ES:
XXXX:04CB MOV AL,[BX]
XXXX:04CD CMP AL,41
XXXX:04CF JNZ 04DB
XXXX:04D1 INC BX
XXXX:04D2 DEC CL
XXXX:04D4 JNZ 04CA
XXXX:04D6 MOV AX,0000 This is the success exit !
XXXX:04D9 JMP 04DE
A 0479
XXXX:0479 NOP Remove INT 13
XXXX:047A NOP
XXXX:047B
A 0490
XXXX:0490 MOV AH,00 Give it what it wants in AH
XXXX:0492 NOP Remove INT 13
Come on... Ain't Got All Day!! XXXX:0493 NOP
XXXX:0494
A 04BD
XXXX:04BD JMP 04D6 Jump to success exit code
XXXX:04BF
W Write out the changed code
Q Quit DEBUG
The program may now be run from a hard disk or floppy as desired. The hard
disk set up will ask for the master diskette to be inserted but won't do
any checking or diskette access at all.
-----------------------------------------------------------------------------
17. THE ANCIENT ART OF WAR BY BR0DERBUND, Didley Bop
Load up Norton Utilities with WAS.EXE and search for these bytes: E8 F8 32.
Replace them with B8 01 00. Now, it's unprotected!
-----------------------------------------------------------------------------
18. FIX FOR BATTLETECH BY INFOCOM, The PaperBoy
Come on... Ain't Got All Day!! You don't have enough C-Bills? Well, this will help. Save your game and run
Norton Utilities or such with the GAME# (#=number of the save game) ready.
Edit the bytes at offset 05D5hex and 05D6hex and replace it with 00 70. That
should give you about 28672 C-Bills when you return to the game. You may go
as high as FF 7F, which will total 32767, but I wouldn't want to go higher
than that, or there could be a program interpretation screwup.
-----------------------------------------------------------------------------
19. FIX FOR TECHNOCOP BY US GOLD AND EPYX, Shimba
If you start with only 5 lives and must go through 11 levels of harsh battle,
I don't think you'll make it, unless you are lucky and fast enough to get
extra lives. Save your game, enter NU and change the byte at offset 5hex to
05. This will return you to 5 lives. I tried fixing it with FF, but I found
out that it doesn't work - I lose as if I had no lives left. You can attempt
to screw around with other bytes and hopefully get more lives than five.
-----------------------------------------------------------------------------
20. WILLOW BY MINDSCAPE/CINEMAWARE, Hacker Joe
Open WILLOW.EXE with your hex file editor and perform these operations:
Search for these bytes: ----> And replace with:
CD 13 59 90 90 59
74 02 EB E6 EB 02 EB E6
75 04 3C 00 EB 18 3C 00
Come on... Ain't Got All Day!! 3C F8 75 14 3C F8 EB 14
73 0C 33 C0 EB 0C 33 C0
-----------------------------------------------------------------------------
21. BOP 'N WRESTLE BY MINDSCAPE, SlimeMan
Prepare BOP.EXE for editing with NU or compatible program. Search for these
bytes: B8 00 19 CD and replace them with: 31 C0 EB 2F.
-----------------------------------------------------------------------------
22. FIX FOR THE LAST NINJA BY ACTIVISION, The Ninjutsu
Not enough lives? Well, save your game and enter your hex-style editor with
that save game file open for editing. Change the byte at offset 59hex to any
hex number from 00 to FF. FF will obviously give you 255 lives, so why want
the 00? Your screen will be lined up with those damn apples on the bottom
status screen, but they won't effect the game.
-----------------------------------------------------------------------------
23. INFILTRATOR BY MINDSCAPE, MasterByte
This unprotection scheme was very similar to that of BOP 'N WRESTLE. Here's
its own version. ** Make sure you change all EXE files (except INSTALL)! **
Search for these bytes: 31 C0 19 CD
And replace it with: EB 33 19 CD
-----------------------------------------------------------------------------
Come on... Ain't Got All Day!! 24. APOLLO 18 BY ACCOLADE, Two Guys
To unprotect APOLLO 18, use Norton Utilities or PC-Tools and...
Search for these bytes: 9A 29 00
And replace it with: EB 1B 00
-----------------------------------------------------------------------------
25. DEFENDER OF THE CROWN BY MINDSCAPE/CINEMAWARE, The Doctor of MASH
To unprotect DEFENDER OF THE CROWN, use DEBUG for this one. Rename the file
DOC.EXE to DOC.XXX and follow the instructions below.
DEBUG DOC.XXX <CR>
-S 0 FFFF B8 00 A0 50 FF 36 0A 45 <CR> ; search for beginning of routine.
xxxx:3BCC ; addresses may be different
xxxx:3BF2
-A3BCC <CR> ; assemble at first address
xxxx:3BCC JMP 3BF2 <CR> ; jump to second address
xxxx:3BCE <CR>
-W <CR> ; write the edited file back to disk
Writing 11600 bytes
-Q <CR> ; quit, return to DOS
Now, rename DOC.XXX back to DOC.EXE. It's unprotected.
Come on... Ain't Got All Day!! -----------------------------------------------------------------------------
26. PERFECT COLLEGE, Dr. Disk
This unprotection scheme is very similar to that of unprotection scheme #1,
the ACCOLADE schemes. However, the program places a RETF (far return)
instruction instead of the normal RET. So, ready COLLEGE.EXE for edit, and:
Search for these bytes: 55 56 57 06 1E
And replace it with: 31 C0 CB 06 1E
-----------------------------------------------------------------------------
27. POLICE QUEST II: THE VENGEANCE BY SIERRA, Pirates-R-Us
The new line of SIERRA software protected with the documentational check have
almost identical patches to the main EXE file. This one was no sweat.
Rename SIERRA.EXE to SIERRA.XXX and load DEBUG. Enter these lines:
E 0394 74
E 7FDB 05 1F
E 9E9B B8 08 35 CD 21 89 1E 38 13 8C 06 3A 13 B8 24 35
E 9EAB CD 21 89 1E 3C 13 8C 06 3E 13 B8 24 35 CD 21 89
E 9EBB 1E 40 13 8C 06 42 13 07 1E 0E 1F BA E9 9C B8 23
E 9ECB 25 CD 21 BA EA 9C B8 24 35 CD 21 1F E8 5A 00 C7
E 9EDB 06 36 13 01 00 C3 90 57 51 B9 38 00 BF B8 AB C6
Come on... Ain't Got All Day!! E 9EEB 05 00 47 E2 FA 2E C7 06 DB 7C 5B 01 59 5F E9 DE
E 9EFB E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83
E 9F0B 3E 36 13 00 75 01 C3 1E 07
W
Q
Rename SIERRA.XXX back to SIERRA.EXE and your unprotection is complete.
-----------------------------------------------------------------------------
28. GOLD RUSH! BY SIERRA, Sir Graham
To avoid the 80-page manual for the keywords, prepare the file GRDIR for
DEBUG and enter the following lines:
E 28C CC
E 28D 7A
W
Q
-----------------------------------------------------------------------------
29. THE GAMES: WINTER EDITION BY EPYX, Super Dave
To unprotect THE GAMES: WINTER EDITION, follow these steps below:
1. Rename GAMES.EXE to GAMES.XXX.
2. Enter DEBUG with GAMES.XXX ready for modifications.
Come on... Ain't Got All Day!! 3. Type "S 0000 FFFF 0B C0 74 01" to search for the protection pattern.
4. The computer should respond with only one address. If none or more
than one is given, this unprotection scheme may not work. Sorry!
5. Take the address given (in the form of XXXX:YYYY) and subract 5 from
the YYYY address. The numbers are in hexidecimal. Do not attempt
this patch if you do not understand hex.
6. Use the subracted number (ZZZZ) and enter it in DEBUG as follows:
"E ZZZZ EB 03 90 90 90 31 C0" to NOP the protection scheme.
7. Save the modified file by entering "W", then entering "Q" to exit to
DOS.
8. Rename the file GAMES.XXX back to GAMES.EXE.
-----------------------------------------------------------------------------
This file is updated every week. Watch out for new unprotection schemes!
Please upload this file archived as "UNP89-#.ARC," where # is the edition
number. For instant cracks on software, call 1-312-ZAP-DISK and ask for Vic!
[3] Tfiles: (1-3,?,Q) :
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment