ON 1 WARMUP: 
  
         ******************************************************* 
         **                                                   ** 
         **     PPPPP    I    RRRRR    AAAAA  TTTTT   EEEEE   ** 
         **     P  PP    I    R  RR    A   A    T     E       ** 
         **     PPP      I    RRR      AAAAA    T     EEEEE   ** 
         **     P        I    R  R     A   A    T     E       ** 
         **     P        I    R   R    A   A    T     EEEEE   ** 
         **keepin' the dream alive                            ** 
         ******************************************************* 
  
*************************************************** 
***  Pirate Magazine Issue III-3 / File 1 of 9  *** 
or 11(your choice)wins the game. 
*************************************************** 
  
Welcome to the third issue of *PIRATE MAGAZINE*. 
Special thanks for getting this issue out go to: 
  Flint 
  Gene & Roger 
  Hatchet Molly 
  Jedi 
  Knight Lightning 
  Mikey Mouse 
  Taran King 
  The California Zephyr 
  The Institute 
  The Hillside Pirates 
  Special thanks to those who took the time to write the 
  unprotects, including Buckaroo Banzai, Super Dave, 
  Company of Wolves, Bentley Bear, The Asp, and all the others. 
  
Any comments, or if you want to contribute, most of us can be reached at 
one of the following boards: 
  GREAT ESCAPE          >>> PIRATE HOME BOARD 
  RIPCO              (Illinois) 
  SYCAMORE ELITE     (815-895-5573) 
  THE ABYSS          (201-671-8954) 
  PACIFIC ALLIANCE   (California) 
  Chris Robin         BITNET = TK0EEE1@NIU 
  
     +++++++++++++++++++++++++++++++++++++++++++++++++++++ 
  
Dedicated to sharing knowledge, gossip, information, and tips for warez 
hobbyists. 
  
   ******************************************************* 
   *                 EDITORS' CORNER                     * 
   ******************************************************* 
  
                    ** CONTENTS THIS ISSUE ** 
  
File #1. Introduction, editorial, and general comments 
File #2. News Reprint: Who's the REAL software threat?? 
File #3. Unprotects and cracking tips (part 1) 
File #4. Unprotects and cracking tips (part 2) 
File #5. Unprotects and cracking tips (part 3) 
File #6. Unprotects and cracking tips (part 4) 
File #7. Unprotects and cracking tips (part 5) 
File #8. Unprotects and cracking tips (part 6) 
File #9. Gene n' Roger's "review of the month" (DEAD ZONE) 
  
Welcome to the third edition of *PIRATE*, a bit late, but here it is. 
Still can't seem to please everybody, and it's a toss-up between those 
wanting more law/virus type stuff and those wanting nuts and bolts for "how 
to crack," so this issue we're giving more cracking tips that were sent in. 
Next issue we'll bring back some of the legal stuff, virus info, and keep 
the unprotect section as a regular feature. 
  
Last issue pissed some people off, mostly the kiddie klubbers who thought 
we were a bit unfair. Well, like we keep saying, there's a pirate ethic, 
and if you can't figure it out, you ain't one. 
  
Lots of feedback on "what's a pirate!" Add it up anyway you want to, keeps 
coming out the same: PIRATES AREN'T RIPPING OFF--they're warez hobbyists 
who enjoy the challenge or the collecting. 
  
Bad news, sad news--more national pirate boards have gone down.  Seems that 
the "fly-by-night" crowd springs up, drains off enough clients to cut into 
the elite boards, and the sysops all say the same thing: Too many kids 
calling and tying up the lines, and a decrease in good users caused by the 
competition. 
  
A few sysops have also requested that we don't print the numbers of boards 
where PIRATE staff can be reached because too many lamerz started calling. 
The boards are pretty easy to find, though, and a few will tolerate their 
numbers being published for one more issue. 
  
If you have any suggestions or ideas for future issues, call or get ahold 
of us--just leave a message on any of the top boards and we'll get to it 
sooner or later. 
  
  
                            <-----<<END>>-----> 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
! 
  
*************************************************** 
***  Pirate Magazine Issue III-3 / File 2 of 9  *** 
***  Who's the REAL Warez Threat?               *** 
*************************************************** 
  
  
Multiple choice quiz: 
  
Who's the biggest threat to the computer industry: 
    a) Phreaks 
    b) Hackers 
    c) Pirates 
    d) Ducks without condoms 
    e) The software industry itself 
  
If you answered "e)", you passed. The tendancy of the mega-corps to try to 
eat each other, with lawyers as the only winners, costs more in dollars and 
feel" of an idea.  The mega-corp czars keep saying that pirates and phreaks 
will put the "small programmer" out of business, but the following article 
suggests it's quite the opposite. What's the bottom line?  The computer 
underground is resistance, and like the PIRATE crew says, we gotta "keep 
the dream alive." 
                      **<Chris Robin> and Pru Dohn** 
                             * * * * 
  
     "Softare Industry Growing Jaded over Copyright Disputes" 
                          by Tom Schmitz 
      (THE CHICAGO TRIBUNE, December 26, 1989-Sect. 3, p.3) 
  
SAN JOSE--When it comes to copyright lawsuits, the computer software 
industry is starting to sound a bit like victims of the recent earthquake. 
They've already been through the Big Shake.  And they're getting a bit 
jaded about the aftershocks. 
  
"When the Apple-Microsoft suit hit, everybody got frightened," said Heidi 
Roizen, president of the Software Publishers Association. "A Month later, 
99 percent of us were back to normal.  I get the sense companies aren't 
going to do much this time." 
  
"This time" is the Xeroz-Apple lawsuit, in which Xerox Corp. is claiming 
Apple Computer Inc. infringed its copyright in designing the display and 
command system for its enormously popular Macintosh computer. Filed in San 
Francisco two weeks ago, the suit comes 21 months after Apple brought a 
similar case against Microsoft Corp. and Hewlett-Packard Co., saying they 
had infringed Apple's own copyright on the distinctive display software. 
  
The Macintosh's graphic display has such "user-friendly" features as 
pull-down menus; easy-to-identify symbols, or "icons"; and "windows" that 
allow users to display text, menus and illustrations simultaneously. 
  
By pressing its claim to the "look and feel" of Macintosh softare, Apple 
set off alarms at hundreds of smaller companies that were developing 
to forge ahead. 
  
So while the Xerox suit again raises the question of just who can use what 
software, those awaiting the battle's outcome say they see no reason to 
drop their wait-and-see attitude. They just have more to watch. 
  
"It throws a little scare in, but I'm not going to program any less," said 
Andy Hertzfeld, and independent programmer in Palo Alto, Calif., and one of 
the original designers of the Macintosh software.  "If people want to sue 
me, they can." 
  
All agree the issue of who can rightfully use the display system is 
important and must be settled quickly.  But more troubling, industry 
observers say, is increasing use of lawsuits to settle such disputes. 
  
"Basically the whole thing is anticustomer and prolawyer," Hertzfeld said. 
"All that money that Apple is paying their lawyers could be going into 
products." What's more, a litigious atmosphere can stifle innovation.  "If 
every time I come up with an idea I have to hire a team of lawyers to find 
out if it's really mine, my product development will slow way down." 
  
Some hope the Xeroz-Apple suit will finally put an end to that process. 
Unlike the Apple-Microsoft ase, the suit does not involve a specific 
contract. That could allow the court to tackle the look-and-feel issue 
head-on without bogging down over technicalities.  And both companies have 
war chests large enough to see the fight through. 
  
"I think Ethe suitL is good," said Dan Bricklin, president of Software 
Garden, Inc. in Cambridge, Mass., who wrote the first computer spreadsheet 
program.  "We need the issue resolved by the courts, and we can't have 
people pulling out for lack of money." 
  
Yet even among those who say the industry needs a clear set of rules, there 
remains a certain nostalgia for the freewheeling days when software 
designers wrote what they wanted and settled their differences outside the 
courtroom. 
  
                            <-----<<END>>-----> 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
! 
  
*************************************************** 
***  Pirate Magazine Issue III-3 / File 3 of 9  *** 
***  Cracking Tips  (Part 1)                    *** 
*************************************************** 
  
  
In this file: Jordan v. Bird 
              Gauntlet 
              Sierra Games 
  
Cracking is about learning computer programming, and the fun is in 
increasing skills. We've been sent some reprints of tips, and even if you 
have the programs, it's neat to make a backup copy and experiment. For 
some, these tips may be old hat, but for novices they show some of the 
basic techniques the that "pros" use. 
  
The more programing you know, the easier cracking is, and we recommend 
taking an intro course in your school. But most programs can be worked on 
using DOS DEBUG. Think of DEBUG like a text editor. The difference is that, 
instead of writing ASCII type stuff, you're working in BINARY files. Debug 
lets you "edit" (or alter) the contents of a program and then immediately 
re-execute to see if your changes worked. Before reading the following, 
check your DOS manual and read the DEBUG instructions.  We've included old 
unprotects here for a reason: If you have some of these old programs laying 
around, dig them out and use them for practice. "Cracking" is one of the 
best (and most fun) ways to learn about what makes a program work. 
  
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
^^^^^^^^^^^^^^^ 
We reprint the following tips by BUCKAROO BANZAI that beginners and 
intermediates should find helpful. 
^^^^^^^^^^^^^^^^ 
  
**************************************** 
*     B U C K A R O O  B A N Z A I     * 
*         aka the Reset Vector         * 
*                                      * 
*              presents                * 
*                                      * 
*        Cracking On the IBMpc         * 
*               Part I                 * 
*                                      * 
**************************************** 
  
Introduction 
------------ 
  For years, I have seen cracking tutorials for the APPLE computers, but 
never have I seen one for the PC.  I have decided to try to write this 
series to help that pirate move up a level to a crackest. 
  
  In this part, I will cover what happens with INT 13 and how most copy 
protection schemes will use it.  I strongly suggest a knowledge of 
Assembler (M/L) and how to use DEBUG.  These will be an important figure in 
cracking anything. 
  
INT-13 - An overview 
-------------------- 
  Many copy protection schemes use the disk interrupt (INT-13).  INT-13 is 
often use to either try to read in a illegaly formated track/sector or to 
write/format a track/sector that has been damaged in some way. 
  
  INT-13 is called like any normal interupt with the assembler command 
which command to be used, with most of the other registers used for data. 
  
INT-13 Cracking Collage 
----------------------- 
  Although, INT-13 is used in almost all protection schemes, the easiest to 
crack is the DOS file.  Now the protected program might use INT-13 to load 
some other data from a normal track/sector on a disk, so it is important to 
determine which tracks/sectors are inportant to the protection scheme.  I 
have found the best way to do this is to use LOCKSMITH/pc (what, you don't 
have LS.  Contact your local pirate for it.) 
  
  Use LS to to analyze the diskette.  Write down any track/sector that 
seems abnormal.  These track are must likely are part of the protection 
routine.  Now, we must enter debug. Load in the file execute a search for 
CD 13.  Record any address show.  If no address are picked up, this mean 1 
or 2 things, the program is not copy protected (bullshit) or that the check 
is in an other part of the program not yet loaded.  The latter being a real 
bitch to find, so I'll cover it in part II.  There is another choice.  The 
CD 13 might be hidden in self changing code.  Here is what a sector of 
hidden code might look like 
  
-U CS:0000 
1B00:0000 31DB     XOR    BX,BX 
1B00:0002 8EDB     MOV    DS,BX 
1B00:0004 BB0D00   MOV    BX,000D 
1B00:0009 3412     XOR    AL,12 
1B00:000D DF13            FIST   WORD... 
to DF at location 1B00:0007.  When you XOR DF and 12, you would get a 
CD(hex) for the INT opcode which is placed right next to a 13 ie, giving 
you CD13 or INT-13.  This type of code cann't and will command. 
  
Finding Hidden INT-13s 
---------------------- 
  The way I find best to find hidden INT-13s, is to use a program called 
PC-WATCH (TRAP13 works well also).  This program traps the interrupts and 
will print where they were called from.  Once running this, you can just 
disassemble around the address until you find code that look like it is 
setting up the disk interupt. 
  
  An other way to decode the INT-13 is breakpoint at the address give by 
PC-WATCH (both programs give the return address).  Ie, -G CS:000F (see code 
above).  When debug stops, you will have encoded not only the INT-13 but 
anything else leading up to it. 
  
What to do once you find INT-13 
------------------------------- 
  Once you find the INT-13, the hard part for the most part is over.  All 
that is left to do is to fool the computer in to thinking the protection 
has been found.  To find out what the computer is looking for, examine the 
code right after the INT-13.  Look for any branches having to do with the 
CARRY FLAG or any CMP to the AH register. 
  
  If a JNE or JC (etc) occurs, then jump.  If it is a CMP then just read 
on. 
  
Here you must decide if the program was looking for a protected track or 
just a normal track.  If it has a CMP AH,0 and it has read in a protected 
track, it can be assumed that it was looking to see if the program had 
successfully complete the READ/FORMAT of that track and that the disk had 
been copied thus JMPing back to DOS (usually).  If this is the case, Just 
NOP the bytes for the CMP and the corrisponding JMP. 
  
  If the program just checked for the carry flag to be set, and it isn't, 
then the program usually assumes that the disk has been copied. Examine the 
following code 
  
      INT 13      <-- Read in the Sector 
      JC 1B00     <-- Protection found 
      INT 19      <-- Reboot 
1B00  (rest of program) 
  
  The program carries out the INT and find an error (the illegaly formatted 
sector) so the carry flag is set.  The computer, at the next instruction, 
see that the carry flag is set and know that the protection has not been 
breached.  In this case, to fool the computer, just change the "JC 1B00" to 
a "JMP 1B00" thus defeating the protection scheme. 
  
  
NOTE: the PROTECTION ROUTINE might be found in more than just 1 part of 
     the program 
  
Handling EXE files 
------------------ 
  As we all know, Debug can read .EXE files but cannot write 
them.  To get around this, load and go about cracking the program 
as usual.  When the protection scheme has been found and command) 
to save + & - 10 bytes of the code around the INT 13. 
  
  Exit back to dos and rename the file to a .ZAP (any extention 
but .EXE will do) and reloading with debug. 
  
  Search the program for the 20+ bytes surrounding the code and 
record the address found.  Then just load this section and edit 
it like normal. 
  Save the file and exit back to dos.  Rename it back to the .EXE 
file and it should be cracked.  ***NOTE: Sometimes you have to 
fuck around for a while to make it work. 
  
DISK I/O (INT-13) 
----------------- 
  This interrupt uses the AH resister to select the function to 
be used.  Here is a chart describing the interrupt. 
  
AH=0    Reset Disk 
AH=1    Read the Status of the Disk 
        system in to AL 
  
    AL          Error 
  ---------------------------- 
    00   - Successful 
    01   - Bad command given to INT 
   *02   - Address mark not found 
    03   - write attempted on write prot 
   *04   - request sector not found 
    08   - DMA overrun 
    09   - attempt to cross DMA boundry 
   *10   - bad CRC on disk read 
    20   - controller has failed 
    40   - seek operation failed 
    80   - attachment failed 
(* denotes most used in copy protection) 
AH=2    Read Sectors 
  
  input 
     DL = Drive number (0-3) 
     DH = Head number (0or1) 
     CH = Track number 
     CL = Sector number 
     AL = # of sectors to read 
  ES:BX = load address 
  output 
      AH =error number (see above) 
      AL = # of sectors read 
  
AH=3 Write (params. as above) 
AH=4 Verify (params. as above -ES:BX) 
AH=5 Format (params. as above -CL,AL 
             ES:BX points to format 
             Table) 
  
  For more infomation on INT-13 see the IBM Techinal Reference 
Manuals. 
  
Comming Soon 
------------ 
  In part II, I will cover CALLs to INT-13 and INT-13 that is 
located in diffrents overlays of the program 
  
  
Happy Cracking..... 
        Buckaroo Banzai 
       <-------+-------> 
  
PS: This Phile can be Upload in it's 
unmodified FORM ONLY. 
  
PPS: Any suggestion, corrections, 
comment on this Phile are accepted and 
encouraged..... 
  
                       * * * * * * * * * * 
**************************************** 
*     B U C K A R O O  B A N Z A I     * 
*         aka the Reset Vector         * 
*                                      * 
*              presents                * 
*                                      * 
*        Cracking On the IBMpc         * 
*               Part II                 * 
*                                      * 
**************************************** 
  
  
Introduction 
------------ 
  
  Ok guys, you now passed out of Kopy Klass 101 (dos files) and 
have this great new game with overlays.  How the phuck do I crack 
this bitch.  You scanned the entire .EXE file for the CD 13 and 
it's nowhere.  Where can it be you ask yourself. 
  
  In part II, I'll cover cracking Overlays and the use of 
locksmith in cracking.  If you haven't read part I, then I 
suggest you do so.  The 2 files go together. 
  
Looking for Overlays 
-------------------- 
  I won't discuss case 1 (or at least no here) because so many 
UNP files are devoted to PROLOCK and SOFTGUARD, if you can't 
figure it out with them, your PHUCKEN stupid. 
  
  If you have case 3, use the techinque in part I and restart 
from the beg. And if you have case 4, shoot your self. 
  
Using PC-Watch to Find Overlays 
------------------------------- 
  
You Have Found the Overlays 
--------------------------- 
  
Locksmith and Cracking 
---------------------- 
 The copy/disk utility program Locksmith by AlphaLogic is a great 
 tool in cracking.  It's analyzing ability is great for 
 determining what and where the protection is.  I suggest that 
 you get locksmith if you don't already have it.  Check your 
 local pirate board for the program.  I also suggest getting 
 PC-Watch and Norton Utilities 3.1.  All of these program have 
 many uses in the cracking world. 
  
Have Phun Phucker 
    Buckaroo Banzai 
     The Banzai Institute 
  
special thanks to the Honk Kong Cavliers 
  
Call Spectrum 007 (914)-338-8837 
  
                            <-----<<END>>-----> 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
! 
  
*************************************************** 
***  Pirate Magazine Issue III-3 / File 4 of 9  *** 
***  Cracking Tips  (Part 2)                    *** 
*************************************************** 
  
  
In this file:  Curse of the Azure Gods 
               Gauntlet (alt. unprotect) 
               Silpheed 
               Simcity 
               Carmen San Diego 
               Sargon IV 
  
                         zdddddddddddddddddddddddddQ 
                         3       The Baji Man      3 
                         3         PRESENTS        3 
                         3                         3 
                         3 JORDAN  V.S. BIRD DOCS  3 
                         3  Cracked by: DAY STAR   3 
  
  
Game Play Options: 
  
1 ON 1 FULL GAME: 
   M. Jordan and L. Bird play one on one for either 2,5,8, or 12 
   mins per quarter. You can set the computers skill level in the 
   options menu with Recreational being the easiest to 
   Professional being the hardest.  Winners Outs option is where 
   if you score you get the ball back.  Instant replay, Fouls, amd 
   Music/Sowndz 
  
  
DR.J JAM- Start from the jumpers circle and let go of the ball 
just as you man is descending. Wait until your sure he's 
descending,but not too long. 
  
Windmill - Start from the right baseline area and and let go 
Back Slam- Same as a Two-Handed-Hammer 
  
Statue Of Liberty - Same as Dr. J. Dunk 
  
Skim-The-Rim - Exactlt like the Air-Jordan except let go of the 
ball a lil' bit sooner. 
  
Toss Slam- This dunk seems the hardest but its the easiest. Start 
from the left side baseline area and let go when your almost in 
front of the basket. 
  
   My version of Jordan v.s. Bird ahs a bug in it which doesn't 
   display semifinal stats and standings. You just play the 
   finals and thats it.  Other versions may differ. 
  
FOLLOW THE LEADER: 
   This is just a "You do as I do" dunk contest with do or die rules. 
  
3 POINT CONTEST- Shoot the first ball on the first rack, go to 
the next rack, and so on.... when you get to the last rack make 
your way back to the first rack.  The object is to get as any 
baskets as possible in 30 or something secondz. 
  
Hintz and Tipz: 
  
To get past your opponent in one on one games just press the 
%Q! your designated direction and you will 
speed up dramatically.  To dunk just gain a little speed by 
running up to the basket from as far as possible and holding the 
insert key. Its almost impossible to explain defensive techniques 
because this is one of those "u gotta be in the right place at 
the right time gamez"  The best thing I can tell ya is to 
Experiment with the game a little and pratice. have Phun!!!! 
The Baji Man 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
  
           * 
 *          This is how I unlocked Gauntlet by Mindscape 
           * 
By : LM    * 
  
*************************************** 
  
Gauntlet was one of those games in the arcade that I liked a lot. 
So when I walked into the Computer Store and saw it on the shelf, 
I just had to have it. 
  
The price of the game wasn't bad at all and the game was really 
good.  But Mindscape gives you only ONE install. What kind of 
$hi* is that.  I mean only one install to your hard disk and then 
you must uninstall before you optimize you disk or you have lost 
  
         ------------  NO MORE INSTALL's. ------------- 
  
mistake I got out my DEBUG and statred to look at the game. I 
found that Mindscape writes two hidden files to your C:f when you 
install Gauntlet.  DEMAA.COM and DEMAB.COM. The first file 
(DEMAA.COM) is just junk. 
  
The second file (DEMAB.COM) has some info about where the first 
file is at on your hard disk. (The starting cluster number) When 
you load Gauntlet it calls GINTRO.EXE and GINTRO.EXE checks for 
this information. Then it calls GPORG.EXE and it check for the 
same information. 
My fix for this was to load gintro.exe and gprog.exe with fake 
data.  After you fix gauntlet you DON'T have to use Mindscape 
install to play the game, just copy the files to your disk and 
go.  It has worked fine for Me and I hope it is what you need to 
fix your game. 
  
**************************************** 
* To fix Gauntlet you will need the following: 
           * 
* 1. A copy of your Gauntlet master diskette(you can use dos to 
     make a copy) 
           * 
* 2. Debug 
  
           * 
* 1. Rename gintro.exe gintro 
           * 
* 2. debug gintro 
           * 
* 3. e 3EB7 90 90 90 90                This was a check for drive 
     A:,B:,C: 
           * 
* 4. e 4339 EB 21                      Jump around file read 
     (demaa.com) 
           * 
* 5. e 435C B8 C3 02 A3 22 03 B8 3D FD Replace file info with 
     dummy data 
           * 
* 6. e 4097 EB 14                      Jump around file read 
     (demab.com) 
           * 
* 7. w 
           * 
* 8. q 
           * 
* 9. Rename gintro gintro.exe 
           * 
* 10. Rename gprog.exe gprog 
           * 
* 11. debug gprog 
           * 
* 12. e 7F57 90 90 90 90                This was a check for 
     drive A:,B:,C 
           * 
* 13. e 83D9 EB 21                      Jump around file read 
     (demaa.com) 
           * 
* 14. e 83FC B8 C3 02 A3 22 03 B8 3D FD Replace file info with 
     dummy data 
           * 
* 15. e 8137 EB 14                      Jump around file read 
     (demab.com) 
           * 
* 16. w 
           * 
* 17. q 
           * 
* 18. Rename gprog gprog.exe 
           * 
************************************************** 
* Now you can copy you game to any hard disk or flex many times. 
************************************************** 
* If you would like more information as to HOW and WHY. 
           * 
* You can leave Me a message on the following BBS : 
           * 
* Inner Sanctum (813) 856 5071 
           * 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
  
Unprotect for all Sierra Games using the version 3.0 SIERRA.COM game 
loader and the AGI (Adventure Game Interpreter). 
  
                         This text written 
                           July 11, 1988 
  
   Sierra-On-Line Software utilizes a copy protection scheme 
which, upon the execution of the game loader (usually 
SIERRA.COM), loads some key data from a specially formatted 
track. Normal DOS copy and diskcopy commands cannot copy this 
specially formatted track (usually track 6). Only image hardware 
copy devices such as the "OPTION BOARD" can copy the specially 
formatted track properly - and even this will not allow 
stand-alone hard disk usage. 
  
   This unprotect is accomplished by running the program to the 
point where it loads the key data, and then copying the key data 
into the loader. Then the loader is further modified by jumping 
around the call to the "opening original disk" request screens. 
The last step is to change the bx and cx registers to allow for 
the inclusion of the key data in the loader. 
  
   There are three things to determine before you can start the 
unprotect.  The first is to verify that your game contains the 
version 3.0 game loader (usually the file SIERRA.COM) and the 
file "AGI". This applies to about 90% of all Sierra games. The 
others contain a slightly modified version 3.0 game loader and 
the file MAIN. This unprotect does not apply to Sierra games that 
contain the file "MAIN". Some games which use the "MAIN" file 
are: 3-D Helicopter, Thexder and a few others. Check this BBS for 
a different unprotect for Sierra games using the "MAIN" file. 
  
   Run a directory on your Sierra game disk 1 to verify that is 
does contain the files "SIERRA.COM" and "AGI". 
  
   The next step is to determine which version of the 3.0 game 
loader (SIERRA.COM) your game has. Yes, there are two different 
versions of the 3.0 version game loader. In the code of the 
SIERRA.COM file is listed either the date 1985 or 1987 - the 1985 
being one version and the 1987 being another version. You must 
run a debug operation as follows to determine your version of the 
game loader: 
  
                   Arrange your configuration so that SIERRA.COM 
                   and DEBUG.EXE are on the same disk, directory 
                   or path. 
  
                   DEBUG SIERRA.COM <return> -d 100 <return> 
  
   Some text will now appear to the right of your screen, 
somewhere containing "LOADER v.3 Copyright Sierra On-Line, Inc. 
198?". Note the year appearing in this text. Now you can quit 
debug by typing a "q" at the "-" prompt. The unprotect differs 
for the 1985 and 1987 versions, so, if your version is the 1985 
version, refer to the file SIERRA85.UNP contained in this 
package. Likewise, if your version is the 1987 version, refer to 
the file SIERRA87.UNP contained in this package. 
=|     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Please read the file READTHIS.1ST before proceeding to read this 
file. 
  
Unprotect for all Sierra Games using the version 3.0 SIERRA.COM 
game loader and the AGI (Adventure Game Interpreter). THE 
FOLLOWING PROCESS APPLIES TO THE 1987 version of the 3.0 version 
SIERRA.COM game loader! 
  
Make a copy of your original game disk 1 using the dos copy *.* 
command.  But don't put away your factory original game disk yet, 
you will need it during the unprotect. 
  
Arrange your configuration so that SIERRA.COM and DEBUG.EXE are 
on the same disk, directory or path. 
  
Using THE COPY of the game disk 1, start as follows: 
               DEBUG SIERRA.COM <return> -r <return> 
screen, including the prompt to insert your original disk (write 
protect it to be safe). The key data from the specially formatted 
track will be loaded into memory.  When the program breaks back 
to debug (the registers will be listed again), be sure you have 
the COPY you made of your original disk in the disk drive.) 
  
               -rbx <return> 
               :         <-type in here the value of BX register that 
                           you were instructed to write down in step one. 
               <return> 
  
               -rcx <return> 
               CX XXXX 
               :         <-type in here the value of CX register that 
                           you were instructed to write down in step one. 
               <return> 
  
  
(In the above line you have inserted NO-OP's (90's) to jump 
around the protection check and opening screen calls) 
  
               -w <return>  (this will write back to disk the unprotected 
                             game loader) 
               Writing xxxx bytes 
               -q <return>  (quits debug) 
  
This completes the Sierra game 1987 version 3.0 game loader 
unprotect. Use this unprotect to allow proper hard disk usage or 
to make an archival backup copy. Please do not promote theft by 
using this procedure to distribute unauthorized copies. 
  
Bart Montgomery 
Atlanta PCUG BBS 
(404) 433-0062 
  
                            <-----<<END>>-----> 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
! 
  
*************************************************** 
***  Pirate Magazine Issue III-3 / File 5 of 9  *** 
***  Cracking Tips  (Part 3)                    *** 
*************************************************** 
  
In this file: Curse of the Azure Bonds 
              Gauntlet 
              Silpheed 
              Carmen San Diego 
              Saragon 
                           * * * * * * 
  
                 How to fix copy protection from 
                   and supercharge characters 
                  for Curse of the Azure Bonds. 
  
  
                              FROM: 
                      THE COMPANY OF WOLVES 
----------------------------------------------------------------- 
                             NEEDED: 
1. Norton Utilities (or similar program) 
2. A copy of the file start.exe from your Azure Bonds disk A 
3. A bit of your time 
----------------------------------------------------------------- 
  
  
1. HOW TO UNPROTECT CURSE OF THE AZURE BONDS: 
First load START.EXE into Norton.  Then search for the string 80 
3E CC.  This should take you to file offset 9BA hex.  Go back to 
9B5 hex this should be 9A (the first machine language code for a 
far call).  Change the values of the bytes from 9B5 hex - 9b9 hex 
to 90's Save the changes 
  
Now the program will skip the part where it asks for code letter, 
you now can put away that annoying code disk until needed for 
decoding 
----------------------------------------------------------------- 
  
2. SUPERCHARGING YOUR CHARACTERS: 
Copy the program CHARFIX.EXE (included with this fix) into the 
directory that your saved games reside. Change to that directory. 
Run the program, it is self explanitory. 
----------------------------------------------------------------- 
  
If you have any problems with any of the patches above check the 
date of the file START.EXE on your original disk A for the date 
and time 07/27/89 16:44. If your file has a different date then 
they probably changed the copy protection method and your out of 
luck with this patch. For other problems leave The Company of 
Wolves a message, I can be reached on EXCEL BBS (414)789-4210 
  
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
                 How to fix copy protection from 
                      Mindscape's Gauntlet. 
  
  
                              FROM: 
                      THE COMPANY OF WOLVES 
----------------------------------------------------------------- 
                             NEEDED: 
1. Norton Utilities (or similar program) 
2. A copy of the file's gintro.exe and gprog.exe from your 
original disk. 
3. A bit of your time 
----------------------------------------------------------------- 
  
  
1. HOW TO UNPROTECT GAUNTLET: 
First load one of the above files into Norton. 
Then search for the string F3 A7. 
Change the byte immediately following (74) to EB. 
Continue the search and once again change the 74 to EB. 
Save the changes 
Repeat the steps above for the other .EXE file. 
  
For you Debug fans rename each of the two files to 1.aaa and 
2.aaa respectivaly. 
Search (the S command) for F3 A7, you should get at least 3 
matches. 
You will need to unassemble each of the matches, the first copy 
protection match should read REPZ CMPSW, JZ 2D96, ect..., and the 
second REPZ CMPSW, JZ 2DB1, ect... 
th the E command using the FULL address of the JZ commands 
change the 74's to EB's. 
Write the files with the W command and repeat the process for the 
other file. 
When finishes erase Gintro.exe and Gprog.exe and rename 1.aaa 
gintro.exe and 2.aaa gprog.exe. 
  
In this version of the program will still look for the copy 
protection (which is a sector at the end of the hard disk that 
the install program writes then marks bad to prevent overwriting 
to that sector) but will continue the program as if the 
comparison (F3 A7) was successful. 
----------------------------------------------------------------- 
  
If you have any problems with any of the patches above check the 
date of the file GINTRO.EXE on your original disk A for the date 
03/25/88. If your file has a different date then they probably 
changed the copy protection method and your out of luck with this 
patch. If you have any questions leave The Company of Wolves a 
message, I can be reached on EXCEL BBS (414)789-4210 under the 
name Nicodemus Keesarvexious. 
  
Also included is another patch for a different version of 
Gauntlet in case you have a different version from the one I 
  
                         * * * * * * * * 
  
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
  
To unprotect SilpHeed By Sierra! 
  
    Use Norton and change these bytes in the SIMCITY.EXE file: 
  
        Change: 80 3e cc 06 01 74 0c 
        To....: 80 3e cc 06 01 eb 0c 
                               ^^ 
Then when it asks the question just hit ENTER. 
  
Another software crack by Bentley Bear! 
  
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
     ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
To unprotect SimCity! 
  
    Use Norton and change these bytes in the SIMCITY.EXE file: 
  
        Change: 0c 87 00 75 3c 
        To....: 0c 87 00 eb 3c 
                         ^^ 
Another software crack by Bentley Bear! 
  
Unprotect for Where in Time is Carmen Sandiego. 
  
This program checks for the original key disk each time you are 
promoted in the game. 
  
I found another unprotect on this BBS (CARMNTME.ZIP) which did 
not work at all. If fact, it made it so you can not even get into 
the program! 
  
Here's mine. You can patch the file either with a hex editor, or 
with debug. 
  
Using a hex editor, such as those in PC-Tools or Norton's Utilities: 
  
Search for the hex byte string:   02 E1 07 C3 FA 55 
  
Change the first byte only:       12 
  
------------ 
  
Using debug 
  
>ren carmen.exe car 
'ug car 
-S0000 FFFF 02 E1 07 C3 FA 55    <cr> 
xxxx:yyyy                        (note value of yyyy) 
-e yyyy                          (type e, then value of yyyy above) 
xxxx:yyyy 02.12                  <cr> 
-w                               <cr> 
-q                               <cr> 
  
>ren car carmen.exe 
  
------------- 
That's it. And a lot easier then the other patch that didn't work! 
Although this patch only changes one byte, it was difficult to 
come up with. They used a far call which was hard to follow, and 
could not be nop'ed out. Good Luck. 
  
5 
  
     -e XXXX:YYYY b8 00 10         :   Edit the contents of the 
                                       returned address 
  
 Now write the new sargon game back to the disk: 
  
     -w  <Enter> 
  
     Writing XXXX bytes 
  
 Then Quit Debug: 
  
     -q  <Enter> 
  
 Now it is time to rename sargon back to sargon.exe 
  
     C>ren sargon sargon.exe 
  
 Now try to run the new (Hopefully) unprotected version of Sargon IV. 
 When the question comes up answer '1924' 
  
     C>sargon 
  
----------------------------------------------------------------- 
  
 Unprotect Brought to you courtesy of Super Dave 
  
                        Super Dave can be reached at: 
  
                        Hackers Paradise BBS 
                        (803) 269-7899 
                        Greenville, SC 
  
                            <-----<<END>>-----> 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
! 
*************************************************** 
***  Pirate Magazine Issue III-3 / File 6 of 9  *** 
***  Cracking Tips  (Part 4)                    *** 
*************************************************** 
  
  
In this file:  Memory shift 2.1 
               Lotus 123 ver 1a 
               Multilink ver 2.06 
               Chartmaster 
               Enable ver. 1.00 
               EZWriter ver. 1.1 
               Flight Simulator 1.00 
  
How to Unprotect MEMORY-SHIFT, Version 2.1 
  
A>FORMAT b:/s/v 
  
With Memory Shift Master in drive A: and your fresh diskette in B: 
A>COPY A:*.*,B: 
  
Replace the Memory Shift Master in drive A: with your DOS diskette 
A>RENAME B:MS.EXE,B:MS.XXX 
A>DEBUG B:MS.XXX 
-s 0 l 8000 e8 22 00 72     <- look for this string in memory 
xxxx:7F68                   <- one occurance should be found 
-e 7F68 
xxxx:7F68  E8.eb  22.08 <CR> 
-e 80ec 
xxxx:80EC  AD.e9  AB.9e  AD.fe <CR> 
-e 7f8d 
xxxx:7F8D  06.b8  1E.00  B8.01 
xxxx:7F90  40.ab  00.b8  8E.f0  D8.ff  BF.01  3E.d8  00.ab  8A.b8 
xxxx:7F98  95.d0  04.40  00.89  80.c1  E2.b8  03.b8  8E.03  46.e9 
xxxx:7FA0  00.54  33.01 
-w 
Writing 8000 bytes 
-q 
A>RENAME B:MS.XXX,B:MS.EXE 
  
That is all there is to it! 
December 28, 1983 
                <> <> <> <> <> <> <> <> <> <> <> 
  
I have just seen a new copy of Lotus 1-2-3 v1a that has a 
modified protection scheme for which the currently published 
unprotect scheme will not work. Here is a modified unprotect 
that will work properly with both the old and new v1a releases 
..... 
1) Rename 123.exe to 123.xyx 
2) Type (to DOS) the command 
  C> debug 123.xyx 
3) Type (to debug) the command 
  -s 100 efff cd 13   (The "-" is a prompt from debug.) 
4) Debug should respond with something like: 
   xxxx:ABA9    where xxxx is a hex number that may vary 
5) Type 
  -e aba9 fb f9   (Use whatever debug gave you in the 
  -w               last step instead of "aba9" if it is 
  -q               different.) 
  
6) Rename 123.xyx to 123.exe 
For those of you who want to understand this, it is 
replacing an "INT 13" instruction that checks the disk 
in drive A: for some funny stuff with STI, STC instructions 
  
A little while ago, there was a patch for 123.EXE listed here that 
effectively unprotected the copy-protected disk and allowed hard-disk 
to run without the floppy. 
I just received the new version of Lotus 123 and retrofitted the patch 
(it is a different technique). To unprotect 123.EXE Version 1A, 
  
1. Rename 123.EXE 123.XYZ 
2. DEBUG 123.XYZ 
3. type  U ABA9 
4. you should see    INT 13   at that address 
5. type  E ABA9 90 90 
6. type  W 
7. type  Q 
8. Rename 123.XYZ 123.EXE 
  
That's it. Good Luck. 
                <> <> <> <> <> <> <> <> <> <> <> 
  
  The following is a method to unprotect MultiLink Ver 2.06 to allow 
  booting directly from hard disk without the need to insert the 
  MultiLink distribution disk. 
  
   ENTER                         COMMENTS 
-------------------------    --------------------------------------- 
C>copy mlink.com mlink.bak   Make a backup first! 
C>debug mlink.com            Start debug session. 
-u 2dfa                      Unassemble from address 2DFA. 
                             You should see: 
  
                             xxxx:2DFA       CALL     2F01 
                             xxxx:2DFD       JNB      2E10 
                             xxxx:2DFF       MOV      CX,2908 
                             xxxx:2E02       CALL     2F01 
                             xxxx:2E05       JNB      2E10 
                             xxxx:2E07       DEC      BYTE PTR [2E0F] 
                             xxxx:2E0B       JG       2DF2 
                             xxxx:2E0D       JMP      07C4 
                             xxxx:2E10       XOR      BYTE PTR [2E0D],32 
                             xxxx:2E15       MOV      AX,[23C4] 
                             xxxx:2E18       CMP      [2705],AX 
  
                             If you don't see this, you have another 
                             version.  If so, enter 'q' to quit the 
                             debug session.  Otherwise, continue. 
                             The instructions at 
                             xxxx:2dfa, xxxx:2e02, and xxxx:2e1c 
                             need to be replaced. 
  
-e 2dfa f8 90 90             CALL  2F01  is replaced by CLC, NOP, NOP 
-e 2e02 f8 90 90             CALL  2F01  is replaced by CLC, NOP, NOP 
-e 2e1c 90 90                JNZ   2E0D  is replaced by NOP, NOP 
-w                           Save the changes to disk 
-q                           End the debug session. 
                <> <> <> <> <> <> <> <> <> <> <> 
  
In the spirit of a recent patch to unprotect LOTUS 1-2-3, I discovered 
the same logic can be applied to unprotect MEMORY/SHIFT. 
  
1. Rename MS.EXE MS.XYZ 
2. DEBUG MS.XYZ 
3. type  U 1565 
4. you should see    INT 21   at that address 
5. type  E 1565 90 90 
   type  E 1567 90 90 
6. type  W 
7. type  Q 
8. Rename MS.XYZ MS.EXE 
  
Finally, make sure command.com resides on the disk where MEMORY/ 
SHIFT  is initiated. 
65399 '** DONE - PRESS ENTER TO RETURN TO MENU **   
There is another version of Lotus 123 also called Release 1A 
but with a different copy-protection technique. It can be 
identified by an "*" that displays on the first screen under 
the "s" in the word "Release" 
                                     Release 1A 
                                          * 
To unprotect this version so it can be run on a hard disk 
without requiring the SYSTEM DISK in drive A, do the following: 
  
1. RENAME   123.EXE    123.XYZ 
2. DEBUG    123.XYZ 
3. Type     U AB8C     press ENTER 
    You should see  MOV  CX,0002 
    if you don't, something is different and this won't work. 
4. Type     E AB8C C3     press ENTER 
5. Type     W 
6. Type     Q 
7. RENAME   123.XYZ   123.EXE 
  
That's it. It will now run from any drive. As always, this patch 
is provided so that honest people don't have to suffer the 
inconvienences imposed upon them by software manufacturers. 
FOR THE USERS THAT HAVE 'CHARTMASTER'  VER 6.04 
                <> <> <> <> <> <> <> <> <> <> <> 
------------------------------------------------------------------- 
FROM : THE A.S.P ; (Against Software Protection) 
      DATED : OCT 18,1984 (FIRST RELEASE) 
ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020) 
                 AND TO 
                        LEE NELSONS BBS (PC-FORUM        -404-761-3635) 
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO 
40 OR MORE HOURS ( 4+ HOURS FOR 'CHARTMASTER' ) OF 
SINGLE STEPPING THRU CODE AND FIGURING OUT THE 
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS 
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT 
FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS) 
OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED 
TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME 
AT NO COST TO YOU AND I DO NOT LOOK TO KINDLY TO SUCH BBS'S PUTTING ON 
MY PROCEDURES AND THEN CHARGING U TO GET ACCESS TO THEM. THEY DIDNT SPEND 
TIME AND COST (SAY 'X' HOURS * $40+) TO MAKE THE PROCEDURES AVAIL. , SO 
I WOULD APPRECIATE THAT SUCH BOARDS DID NOT USE ANY OF THE 'A.S.P'S' 
PROCEDURES, UNLESS THEY ARE WILLING TO PUT THEIR WORKS TRULY IN THE 
PUBLIC DOMAIN.. ENOUGH SAID.. THANK YOU. 
  
  IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT 
TIED INTO THE 'CHARTMASTER' DISKETTE...IN CASE YOUR ONLY COPY GOES BAD 
. THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY. 
  
  AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY 
IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY 
YOUR PURCHASE LICENSE AGREEMENT. 
  
  IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH 
WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF 
'BIG MACS' TO GET YOUR HARD DISK. 
  
    FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0 
    LABEL IT ACCORDING TO THE ORIGINAL 'CHARTMASTER'  SYSTEM DISKETTE 
    COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING 
   2.X  OR 3.X FORMATTED DISKETTE 
    I WONT  TELL U HOW TO USE DEBUG OR  ANY 'PATCHER' PROGRAMS 
   ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING. 
    RENAME CM1.EXE CM1 
    DEBUG CM1 
    D CS:A67 
     YOU SHOULD SEE 75 03 E9 09 00 
     E CS:A67 90 90 E9 F7 01 
     D CS:D139 
     YOU SHOULD SEE 5F 
     E CS:D139 CB 
     W 
     Q 
    RENAME CM1 CM1.EXE 
  
OTHER NOTES: 
------------------------------------------------------------------------- 
  
    CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED 
  
    U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED 
   DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U 
   SET UP 
  
    SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST 
   AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT 
   TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING 
   SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT 
   ON A BBS, SO THAT U MAY USE THE NEWLY GLEAMED KNOWLEDGE. 
  
 ALSO IN SOME CASES THE PROGRAM STILL TRIES TO GO TO THE "A" AND "B" 
   DRIVES, SO I USED AN ASSIGN TO ASSIGN THEM TO THE 'C'. THIS PROBABLY CAN 
   BE OVERCOME WITH THE CORRECT CONFIGURATION PARAMETERS. 
  
  ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!! 
                <> <> <> <> <> <> <> <> <> <> <> 
This is the procedure to unprotect the intregrated software package 
called ENABLE , Vers 1.00 
  
If you have a hard disk or want to create a backup copy that is not 
tied to the original ENABLE system disk, this will remove the copy 
protection completly. 
  
This procedure is to be used by legitimate owners of ENABLE only, 
as you are entitled to make a back up for archive purposes only. 
You are bound by your licence agreement. 
  
Format a blank disk using DOS 2 or 2.1 (Do not use the /s option.) 
  
Label it the same as the original ENABLE system disk. 
  
Copy the files from the original ENABLE system to the formatted 
blank disk using  *.*   . 
  
Place DOS system disk containing DEBUG in drive A: 
  
Place the new copy of ENABLE in drive B: 
  
DEBUG B:SYSTEM.TSG 
  
S CS:0 L EFFF B8 01 04 
  
(You should see) 
XXXX:069C 
XXXX:XXXX   < this one doest matter! 
  
(If you dont - type q and enter - you have a different version!) 
  
(If you do) 
  
E  69C      (enter) 
  
B. EB 01.2D 04.90     (enter) 
  
W 
  
Q 
  
Now all the copy protection has been removed, and you may copy the 
files as required. 
  
All checks for specially formatted tracks has been removed. 
  
Disk needs no longer to be in the A drive on start up. 
  
  
         ***** UNPROTECT EZWRITER 1.1 ***** BY JPM - ORLANDO FLA 
  
     THIS PROGRAM IS TO HELP ALL OF YOU THAT HAVE FOUND THAT YOU 
     COPIED YOUR EZWRITER 1.1 BACKUP TO SINGLE SIDED DISKETTE 
     AND NOW YOU HAVE A DOUBLE SIDED DRIVE OR FIXED DISK, 
      OR RAM DISK AND YOU ARE UP THE I/O CHANNEL WITHOUT A BYTE. 
  
       THE WAY THE EZWRITER PROTECTION WORKS IS: 
                <> <> <> <> <> <> <> <> <> <> <> 
        1). A BAD TRACK IS CREATED ON THE DISKETTE (LAST TRACK) 
           SO THAT DISK COPY WOULD NOT WORK. 
           IT REALLY DOES WORK THOUGH, BUT THE BAD TRACK IS 
           IS NOT COPIED. THIS BAD TRACK IS THE KEY. 
           WITH OUT THE BAD TRACK , WHICH EZWRITE NEEDS TO READ 
           THE PROGRAM WILL NOT RUN. 
        2). EW1.COM IS READ IN (YOU DO THIS). EW1.COM INTURN 
           LOADS "IBM88VMI.COM", WHICH INTURN LOADS "TARGET.COM". 
           TARGET.COM IS THE GUTS OF EZWRITER. 
           "IBM88VMI.COM" CHECKS FOR THE BAD TRACK, AND IF IT 
           IS THERE LOADS "TARGET.COM" OTHERWISE BYE-BYE. 
            WHAT THIS SIMPLE PROGRAM DOES IS TELLS "IBM88VMI.COM" 
           TO IGNORE THE RESULTS OF THE CHECK FOR THE BAD TRACK. 
            THIS WAY AFTER YOU DO A "COPY *.*" OR "DISKCOPY" 
           YOU CAN THE USE AND MOVE THE EZWRITER PROGRAM TO ANY 
           MAGNETIC STORAGE MEDIA. 
  
     *************************************************************** 
  
      TO MAKE A UNPROTECTED COPY OF EZWRITER: 
  
       1). PUT THE ORIGINAL OR BACKUP IN DRIVE "A" 
       2). PUT A FORMATED (SINGLE OR DOUBLE) DISKETTE IN DRIVE "B:" 
       3). COPY *.* B: 
       4). REMOVE EZWRITER FROM DRIVE "A:" 
       5). LOAD BASIC FROM "A:" AND ONCE IN BASIC LOAD  THIS PROGRAM 
        6). RUNTHIS PROGRAM , LOW AND BEHOLD THE COPIED EZWRITER 
           DISKETTE IN DRIVE "B: SHOULD NOW BE UNPROTECTED AND 
           TRANSPORTABLE AS WELL AS TOTALLY FUNCTIONAL. 
       7). AS ALWAYS PUT YOUR BACKUP DISKETTES IN A SAFE PLACE 
          IN CASE OF PROBLEMS WITH THE COPIES. 
  
          SINCE YOU NOW HAVE A UNPROTECTED VERSION OF EZWRITER 
       THE COPIES SHOULD BE FOR YOUR USE ONLY. YOU ARE STILL 
       BOUND BY THE LICENSE AGREEMENT WHEN YOU PURCHASED THE 
       PACKAGE. 
    CLS 
    CLOSE 
    DEFINT A-Z 
  
      YOU SHOULD NOP RECORD(BYTE) 390 AND 391 
      THEY CONTAIN HEX(CD20) WHICH IS A BRANCH IF BAD TRACK NOT FOUND 
      THIS ONE LITTLE INSTRUCTION KEEPS YOU FROM RUNNING 
  
      THERE IS NO ERROR CHECKING DONE , SUCH AS FOR MISSING FILE, 
      WRITE PROTECTED DISKETTE OR OTHER POSSIBLE I/O ERRORS. 
  
    NOP$=CHR$(144) 
    BRANCH.BYTE1$=CHR$(205) 
  BRANCH.BYTE2$=CHR$(32) 
    OPEN "B:IBM88VMI.COM" AS #1 LEN=1 
    GET #1,390 
    FIELD 1,1 AS A$ 
    BYTE$=A$ 
    PRINT "VAULE READ FOR BYTE 390 WAS ";ASC(BYTE$) 
    IF BYTE$<>BRANCH.BYTE1$ THEN GOTO 770 
    LSET A$=NOP$ 
    PUT 1,390 
    GET #1,391 
    FIELD 1,1 AS A$ 
    BYTE$=A$ 
    PRINT "VALUE READ FOR BYTE 391 WAS ";ASC(BYTE$) 
    IF BYTE$<>BRANCH.BYTE2$ THEN GOTO 770 
    LSET A$=NOP$ 
    PUT 1,391 
    CLOSE 
    END 
    PRINT "THE BYTE YOU WERE TRYING TO NOP WAS ";ASC(BYTE$) 
    PRINT "THE BYTE SHOULD HAVE BEEN EITHER 32 OR 205" 
    PRINT "IF THE BYTE READ WAS 144 YOU HAVE PROBABLY" 
    PRINT "UNPROTECTED THE PROGRAM ONCE BEFORE" 
    PRINT "IF PROBLEMS GOTO YOUR BACKUP DISKETTES" 
                <> <> <> <> <> <> <> <> <> <> <> 
  To make a backup of Microsoft Flight Simulator 1.00, 
do the following: 
  
*Take un UNFORMATTED (never used) disk and place it in drive B. 
*Place your DOS disk (which has DEBUG) into drive A. 
  
A>DEBUG 
-E CS:0000 B9 01 00 BA 01 00 BB 00 
           01 0E 07 06 1F 88 E8 53 
           5F AA 83 C7 03 81 FF 1C 
           01 76 F6 B8 08 05 CD 13 
           73 01 90 FE C5 80 FD 0C 
           76 E1 90 CD 20 
-E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 00 00 04 02 
           00 00 05 02 00 00 06 02 00 00 07 02 00 00 08 02 
-R IP 
xxxx 
:0000                <-- YOU ENTER THIS, NOW INSERT FLT. SIM DISK INTO A: 
-G =CS:0000 CS:22 CS:2A 
-E CS:02 0E 
-E CS:27 19 
-G =CS:0000 CS:22 CS:2A 
-E CS:02 27 
-E CS:27 27 
-G =CS:0000 CS:22 CS:2A 
-L DS:0000 0 0 40 
-W DS:0000 1 0 40 
-L DS:0000 0 40 28 
-W DS:0000 1 70 30 
-L DS:0000 0 A0 30 
-W DS:0000 1 A0 30 
-L DS:0000 0 138 8 
-W DS:0000 1 138 8 
-Q 
A> 
  
*Now write protect the new disk. 
*This procedure may not work on the version which has color on RGB monitors. 
To make a backup of Microsoft Flight Simulator 1.00, 
do the following: 
  
*Take un UNFORMATTED (never used) disk and place it in drive B. 
*Place your DOS disk (which has DEBUG) into drive A. 
  
A>DEBUG 
-E CS:0000 B9 01 00 BA 01 00 BB 00 
           01 0E 07 06 1F 88 E8 53 
           5F AA 83 C7 03 81 FF 1C 
           01 76 F6 B8 08 05 CD 13 
           73 01 90 FE C5 80 FD 0C 
           76 E1 90 CD 20 
-E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 00 00 04 02 
           00 00 05 02 00 00 06 02 00 00 07 02 00 00 08 02 
-R IP 
xxxx 
:0000                <-- YOU ENTER THIS, NOW INSERT FLT. SIM DISK INTO A: 
-G =CS:0000 CS:22 CS:2A 
-E CS:02 0E 
-E CS:27 19 
-G =CS:0000 CS:22 CS:2A 
-E CS:02 27 
-E CS:27 27 
-G =CS:0000 CS:22 CS:2A 
-L DS:0000 0 0 40 
-W DS:0000 1 0 40 
-L DS:0000 0 40 28 
-W DS:0000 1 70 30 
-L DS:0000 0 A0 30 
-W DS:0000 1 A0 30 
-L DS:0000 0 138 8 
-W DS:0000 1 138 8 
-Q 
A> 
  
*Now write protect the new disk. 
*This procedure may not work on the version which has color on RGB monitors. 
The following fix will eliminiate the bothersome requirement to 
insert the FOCUS "activator" diskette in the A-drive everytime you 
bring FOCUS up.   This change was made to a version of FOCUS 
that had file dates of 05/11/84.  Be sure that you verify the code 
that is in place before applying this zap. 
  
RENAME FCPCINIT.EXE FCPCINIT.XXX 
DEBUG FCPCINIT.XXX 
  U 22AB L 5 
(You should see "9A C5 02 14 02   CALL  0214:02C5"  display on the screen) 
  E 22AB 90 90 90 90 90 
  W 
  Q 
RENAME FCPCINIT.XXX FCPCINIT.EXE 
  
That all there is to it.   Have fun. 
  
                              The Ancient Mariner 
Note added 6 DEC 84 
Same procedure continues to work, only 5 bytes want to no-op 
are at location 0C57:23E0 
What you see at that location is CALL 021C:02C5 
  
                            <-----<<END>>-----> 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
! 
  
*************************************************** 
***  Pirate Magazine Issue III-3 / File 7 of 9  *** 
***  Cracking Tips  (Part 5)                    *** 
*************************************************** 
  
In this file:  Graphwriter 4.21 
               TheDraw 
               SideKick 1.00A 
               PFS Report 
               PCDRAW 1.4 
               Signmaster 
  
  
FOR THE USERS THAT HAVE 'GRAPHWRITER'  VER 4.21 
------------------------------------------------------------------- 
FROM : THE A.S.P ; (Against Software Protection) 
  
      DATED : OCT 19,1984 (FIRST RELEASE) 
ORIGINALLY SUBMITTED TO ASA FULTONS BBS (THE SHINING SUN -305-273-0020) 
                 AND TO 
                        LEE NELSONS BBS (PC-FORUM        -404-761-3635) 
  
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO 
___________________________________________________________________ 
  
40 OR MORE HOURS ( 8+ HOURS FOR 'GRAPHWRITER' ) OF 
SINGLE STEPPING THRU CODE AND FIGURING OUT THE 
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS 
  
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT 
FOR MY LOST SLEEP.... THE A.S.P... (J.P. TO HIS FRIENDS) 
  
OH, AS A FURTHER NOTE. I SEE SOME BBS'S ARE NOW CHARGING U TO BE REGISTERED 
TO USE THEIR SYSTEM. FIRST OF ALL I GIVE U FROM 4 TO 60 HOURS OF MY TIME 
AT NO COST TO YOU AND I DO NOT LOOK TO KINDLY TO SUCH BBS'S PUTTING ON 
 in.  Thanks    John Roswick, Bismarck. 
    Keywords: SIDEKICK PROKEY PATCH FIX BUGS COMPATIBILITY BORLAND 
                <> <> <> <> <> <> <> <> <> <> <> 
 UNPROTECT FOR -SIDEKICK- 
     Attention Sidekick/Prokey users !  We at Borland were having 
trouble getting Sidekick to be compatible with Rosesoft's Prokey and 
as many of you Prokey users out there know everything locked up when the 
two got together.  The reason Prokey does not work is because it trashes 
some of the registers when running and confuses Sidekick as to make your 
terminal go down.  Enclosed is the portion of Prokey which does this. 
  
0730  2EF606D402FF              TEST    CS:BYTE PTR [02D4H],OFFH 
0736  7409                      JE      0741H 
0738  2EFF2EC602                JMP     CS:DWORD PTR [02C6H] 
073D  5B                        POP     BX 
073E  1F                        POP     DS 
073F  EBF7                      JMP     SHORT 0738H 
0741  1E                        PUSH    DS 
0742  53                        PUSH    BX 
0743  8CCB                      MOV     BX,CS 
0745  8EDB                      MOV     DS,BX 
0747  FB                        STI 
0748  C5053D0100                MOV     BYTE PTR [013DH],00H 
074D  803E660400                CMP     BYTE PTR [0466H],00H 
0752  7420                      JE      0774H 
0754  833E670400                CMP     WORD PTR [0469H],00H 
0759  7507                      JNE     0762H 
075B  833E670400                CMP     WORD PTR [0467H],00H 
0760  740D                      JE      076FH 
0762  832E670401                SUB     WORD PTR [0467H],01H 
0767  831E690400                SBB     WORD PTR [0469H],00H 
076C  EB06                      JMP     SHORT 0774H 
076E  90                        NOP 
076F  C606660400                MOV     BYTE PTR [0466H],00H 
0774  803E530400                CMP     BYTE PTR [0466H],00H 
0779  74C2                      JE      037DH 
077B  833E662400                CMP     WORD PTR [2466H],00H 
0780  7507                      JNE     0789H 
0782  833E682400                CMP     WORD PTR [2468H],00H 
0787  740C                      JE      0795H 
0789  832E682401                SUB     WORD PTR [2468H],01H 
078E  831E662400                SBB     WORD PTR [2466H],00H 
0793  EBA8                      JMP     SHORT 073DH 
0795  E8841D                    CALL    251CH                    ;HMMM ! 
0798  EBA3                      JMP     SHORT 073DH 
  
THE SAGA CONTINUES ... 
  
251C  50                        PUSH    AX 
251D  1E                        PUSH    DS 
251E  A05304                    MOV     AL,[0453H] 
2521  3C01                      CMP     AL,01H 
2523  7407                      JE      252CH 
2525  3C02                      CMP     AL,02H 
2527  743F                      JE      2568H 
2529  1F                        POP     DS 
252A  58                        POP     AX 
252B  C3                        RET     ?NEAR 
252C  BD9D2D                    MOV     BP,2D9DH       BP DESTROYED 
252F  E8480E                    CALL    337AH 
2532  A16C24                    MOV     AX,[246CH] 
2535  A39D2D                    MOV     [2D9DH],AX 
2538  BD9D2D                    MOV     BP,2D9DH 
253B  E8E30D                    CALL    3321H 
253E  BD9D2D                    MOV     BP,2D9DH 
2541  BEE023                    MOV     SI,23E0H       SI DESTROYED 
2544  B601                      MOV     DH,01H         DX DESTROYED 
2546  B201                      MOV     DL,01H         (BUT WILL BE RESTORED 
2548  E8230C                    CALL    317FH          BY THE BIOS) 
254B  E88407                    CALL    2CD2H 
254E  8B366024                  MOV     SI,[2460H] 
2552  387D07                    CALL    2CD2H 
2555  A16224                    MOV     AX,[2462H] 
2558  A36824                    MOV     [2468H],AX 
255B  C70666240000              MOV     WORD PTR [2466H],000H 
2561  C606530402                MOV     BYTE PTR [0453H],02H 
2566  EBC1                      JMP     SHORT 2529H 
2568  BD9D2D                    MOV     BP,2D9DH 
256B  E80C0E                    CALL    337AH 
256E  C606530400                MOV     BYTE PTR [0453H],00H 
2573  EBB4                      JMP     SHORT 2529H 
 . 
 . 
  
Prokey does not save and restore all registers when trapping interrupt 
1C.  The reason why this error occurs at a higher frequency when using 
Sidekick is beyond this discussion. However, to verify the error try the 
following: 
  
1. Start Prokey 
2. Define a key recursively 
3. Notice prokey now issues an error message 
4. terminate definition (fast...) 
5. press return 100 times 
6. if prokey did not crash repeat step 2-6 
  
Register destroying occurs when Prokey is flashing error message.  You must 
terminate and press return as fast as possible, and be logged on a floppy 
drive (important: let your prompt show the active directory in order to let 
dos read on the disk). 
  
The following program establishes a trap at interrupt 8 (to make sure Prokey 
or others does not overwrite it, bios int 8 then activates 1C). 
  
CODE                          SEGMENT 
                              ASSUME     CS:CODE 
                              ORG        100H 
START                         PROC 
                              JMP        SHORT SETUP 
START                         ENDP 
INT08SAVE                     DD 
INT08TRAP                     PROC       FAR 
                              PUSH       AX 
                              PUSH       BX 
                              PUSH       CX 
                              PUSH       DX 
                              PUSH       SI 
                              PUSH       DI 
                              PUSH       BP 
                              PUSH       DS 
                              PUSH       ES 
                              PUSHF 
                              CALL       INT08SAVE 
                              POP        ES 
                              POP        DS 
                              POP        BP 
                              POP        DI 
                              POP        SI 
                              POP        DX 
                              POP        CX 
                              POP        BX 
                              POP        AX 
                              IRET 
INT08TRAP                     ENDP 
EOTRAP: 
SETUP                         PROC 
  
                              MOV        DS,AX 
                              MOV        SI,20H 
                              CLI 
                              LES        AX,DWORD PTR[SI] 
                              MOV        WORD PTR INT08SAVE,AX 
                              MOV        WORD PT 
                              MOV        WORD PTR [SI],OFFSET INT08TRAP 
                              MOV        [SI+2],CS 
                              STI 
                              MOV        DX,OFFSET EOTRAP+1 
  
SETUP                         ENDP 
CODE                          ENDS 
                              END        START 
  
It may be faster to enter the following bytes using debug and writing them 
to the file profix.com, thus saving your original prokey file: 
  
  
e100 
0100:  EB 1D 00 00 00 00 50 53 51 52 56 57 55 1E 06 9C 
0110:  2E FF 1E 02 01 07 1F 5D 5F 5E 5A 59 5B 58 CF 33 
0120:  C0 8E D8 BE 20 00 FA C4 04 2E A3 02 01 2E 8C 06 
0130:  04 01 C7 04 06 01 8C 4C 02 FB BA 20 01 CD 27 
RCX 
3F 
NPROFIX.COM 
W 
  
NOW USE PROFIX INSTEAD OF PROKEY 
  
NOTE:  THIS MAY NOT BE THE COMPLETE SOLUTION AS THE WORD STILL DOES NOT 
WORK WITH PROKEY.  FURTHERMORE THIS HAS ONLY BEEN TESTED USING PROKEY 
VERSION 3.0 - OLDER VERSIONS MAY HAVE OTHER BUGS! 
INSTRUCTIONS FOR UNPROTECTING PFS-FILE AND PFS-REPORT. 
  
 IMPORTANT!  COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST. 
 DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! (USE THE USUAL DOS 
 COPY COMMAND) 
  
FOR PFS-FILE: 
  RENAME FILE.EXE TO FILE.ZAP 
  HAVE DEBUG.COM HANDY 
  TYPE -> DEBUG FILE.ZAP 
  TYPE -> U 9243 
  YOU SHOULD SEE, AMONG OTHER THINGS:  PUSH BP 
                                       MOV AX,DS 
                                       MOV ES,AX 
   (ETC) 
  IF YOU DON'T SEE THIS, TYPE -> Q  (YOU DON'T HAVE THE RIGHT VERSION) 
  OTHERWISE, 
  TYPE -> E 9248 EB 2B 
  TYPE -> W 
  TYPE -> Q 
  BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE.  YOU NOW HAVE AN UNPROTECTED 
  COPY OF PFS-FILE. 
  
FOR PFS-REPORT: 
  RENAME REPORT.EXE TO REPORT.ZAP 
  HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP 
  TYPE -> U 98BF 
  YOU SHOULD SEE, AMONG OTHER THINGS:  PUSH BP 
                                       MOV AX,DS 
                                       MOV ES,AX 
   (ETC) 
  IF YOU DON'T SEE THIS, TYPE -> Q  (YOU DON'T HAVE THE RIGHT VERSION) 
  OTHERWISE, 
  TYPE -> E 98C4 EB 2B 
  TYPE -> W 
  TYPE -> Q 
  BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE.  YOU NOW HAVE AN 
  UNPROTECTED COPY OF PFS-REPORT. 
  
For those of you whose PFS:FILE and PFS:REPORT do not match the other 
PFS zaps on this board, try these: 
  
---------------------------------------------------------------------- 
  
For PFS:FILE, copy FILE.EXE to another disk, and do: 
  
RENAME FILE.EXE FILE.ZAP 
DEBUG FILE.ZAP 
U 9213 
should show  ...   PUSH BP 
                   MOV CX,0004 
which is the first part of a timing loop. 
if it doesn't, quit; else do: 
E 9217 EB 18 
U 9213 
should show  ...   PUSH BP 
                   MOV CX,0004 
                   JMP 9231 
if so, do: 
W 
Q 
RENAME FILE.ZAP FILE.EXE 
  
---------------------------------------------------------------------- 
  
For PFS:REPORT, copy REPORT.EXE to another disk, and do: 
  
RENAME REPORT.EXE REPORT.ZAP 
DEBUG REPORT.ZAP 
U 9875 
should show  ...   PUSH BP 
                   MOV AX,DS 
                   MOV ES,AX 
if it doesn't, quit; else do: 
E 987A EB 11 
U 9875 
should show  ...   PUSH BP 
                   MOV AX,DS 
                   MOV ES,AX 
                   JMP 988D 
if so, do: 
W 
Q 
RENAME REPORT.ZAP REPORT.EXE 
  
---------------------------------------------------------------------- 
  
if everything was OK, your new versions of PFS:FILE and PFS:REPORT 
should run just fine without the original diskettes. 
  
---------------------------------------------------------------------- 
  
Zaps provided by Lazarus Associates 
  
                <> <> <> <> <> <> <> <> <> <> <> 
----------------------------------------------------------UNPROTECT IBM PERSONAL 
  
 1. REN MCEMAIL.EXE X 
 2. DEBUG X               DOS 2.xx Version 
 3. A EB47 JMP EB4F    (was JNZ EB4F) 
 4. A EBEF NOP NOP     (was JZ  EC0B) 
 5. A EC06 NOP NOP     (was JNZ EC0B) 
 6. W 
 7. Q 
 8. REN X MCEMAIL.EXE 
  
IMPORTANT! All copies of PCM must have this patch 
(i.e. the programs on both ends of a connection). 
This has been tested on a PCjr and PC. 
  
                <> <> <> <> <> <> <> <> <> <> <> 
FOR THE USERS THAT HAVE 'PC-DRAW' V1.4 
------------------------------------------ 
FROM : THE A.S.P ; (Against Software Protection) 
  
ORIGINALLY SUBMITTED TO ASA FULTONS BBS - SHINING SUN :305-273-0020 
                    AND WHIT WYANTS BBS - PC-CONNECT  :203-966-8869 
PLEASE NOTE THAT THESE UNPROTECT PROCEDURES INVOLVE FROM 4 HOURS TO 
(+1 HOURS FOR PC-DRAW V1.4) 
40 OR MORE HOURS OF SINGLE STEPPING THRU CODE AND FIGURING OUT THE 
INTENT OF THE ORIGINAL CODE.. SO I WOULD APPRECIATE IT WHEN U PASS 
THIS ON TO OTHER BOARDS YOU DO NOT ALTER THIS OR TRY TO TAKE CREDIT 
FOR MY LOST SLEEP.... THE A.S.P... ORLANDO FLA. (J P , TO HIS FRIENDS) 
IF YOU HAVE A HARD DISK OR WANT TO CREATE A BACKUP COPY THAT IS NOT 
TIED INTO THE PC-DRAW DISKETTE...IN CASE YOUR ONLY COPY GOES BAD 
. THIS PATCH WILL REMOVE THE COPY PROTECTION COMPLETELY.... 
  AS ALWAYS THIS IS FOR YOUR PERSONAL PEACE OF MIND ONLY 
IT IS NOT MEANT TO BYPASS ANY COPYRIGHTS..YOU ARE BY LAW BOUND BY 
YOUR PURCHASE LICENSE AGREEMENT. 
  IF YOU HAVE A HARD DISK AND WANT TO PUT THE PROGRAM ON SUCH 
WHY SHOULD YOU BE TIED TO A FLOPPY. YOU HAD TO GIVE UP A LOT OF 
'BIG MACS' TO GET YOUR HARD DISK. 
  
     THIS WRITE UP ASSUMES THAT YOU ARE FAMILIAR WITH DEBUG, 
  
1). FORMAT A CORRESPONDING EQUAL NUMBER OF DOS2.0 OR 2.1 DISKS 
   AS SYSTEM DISKS 
  
2). LABEL EACH OF THE 2.X FORMATTED DISKS THE SAME AS EACH ONE OF 
   THE ORIGINAL 'PC-DRAW' DISKS 
  
3). COPY THE FILES FROM THE ORIGINAL DISKS TO THE 2.X FORMATTED DISK 
   ON A ONE FOR ONE BASIS, USING 'COPY' COMMAND 
  
4). PLACE THE ORIGINAL DISKS IN A SAFE PLACE, WE DONT NEED THEM ANY MORE. 
  
5). PLACE 'DISK 1' IN THE 'A' DRIVE 
6). RENAME PC-DRAW.EXE PC-DRAW 
7). DEBUG PC-DRAW 
8)  ENTER -S CS:100 L EFFF CD 13 
9). FIRST YOU SHOULD SEE THE FOLLOWING CODE AT ADDRESS 
       CS:4D45        CD 13 INT 13 
    IF U DONT U MAY HAVE A DIFFERENT VERSION SO DONT PROCEED ANY FARTHER, 
    ENTER THE CHANGE TO CHANGE "INT 13" TO "NOP" AND "STC", AND FORCE A JUMP 
 10).  ENTER -E 4D45 90 F9 EB 28 
 11). ENTER -W 
 12). ENTER -Q 
 13). RENAME PC-DRAW PC-DRAW.EXE 
  
NOTE: PC-DRAW IS NOW COMPLETELY UNPROTECTED. 
    IF U WANT TO USE 'PC-DRAW' FROM HARD DISK OR RAM DISK U MUST USE THE 
    CORRECT 'ASSIGN=', SINCE 'PC-DRAW' APPEARS TO HAVE DRIVES HARD CODED. 
  
  
      ALSO FOR V1.2 AND 1.3 THE BAD TRACK CHECK WAS IN DIAGRAM.EXE, 
     NOTE THAT THE CHECK IS NOW DONE IN PC-DRAW.EXE. 
  
  ENJOY YOUR NEW FOUND FREEDOM..HARD DISKS FOREVER!!!!! 
END OF TRANSFER - PRESS ENTER TO RETURN TO MENU   
This procedure will unprotect the version 1.10A of SIDEKICK. 
  
Many thanks to the individual who provided the procedure 
for the version 1.00A. 
  
The only major difference between the two versions is the offset 
address of the instructions to be modified. 
  
Using DEBUG on SK.COM, NOP out the CALL 8C1E at location 07CA ----+ 
                                                                  | 
Change the OR  AL,AL at 07D9 to  OR  AL,01 --------+              | 
                                                   |              | 
.....and that's it!                               |              | 
                                                   |              | 
                     (BEFORE ZAP)                  |              | 
78A7:07CA E85184        CALL    8C1E <----------------------------+ 
78A7:07CD 2E            CS:                        |              | 
78A7:07CE 8E163E02      MOV     SS,[023E]          |              | 
78A7:07D2 2E            CS:                        |              | 
78A7:07D3 8B264002      MOV     SP,[0240]          |              | 
78A7:07D7 1F            POP     DS                 |              | 
78A7:07D8 59            POP     CX                 |              | 
78A7:07D9 0AC0          OR      AL,AL   <----------+              | 
                                                   |              | 
                     (AFTER ZAP)                   |              | 
78A7:07CA 90            NOP         <-----------------------------+ 
78A7:07CB 90            NOP         <-----------------------------+ 
78A7:07CC 90            NOP         <-----------------------------+ 
78A7:07CD 2E            CS:                        | 
78A7:07CE 8E163E02      MOV     SS,[023E]          | 
78A7:07D2 2E            CS:                        | 
78A7:07D3 8B264002      MOV     SP,[0240]          | 
78A7:07D7 1F            POP     DS                 | 
78A7:07D8 59            POP     CX                 | 
78A7:07D9 0C01          OR      AL,01   <----------+ 
------------------------------------------------------------------- 
                <> <> <> <> <> <> <> <> <> <> <> 
  
 UNPROTECT FOR -SIGNMASTER 
FROM : THE A.S.P ; (Against Software Protection) 
  
1). FORMAT 1 SYSTEM DISK UNDER DOS 2.0 OR 2.1 OR 3.0 
2). LABEL IT ACCORDING TO THE ORIGINAL 'SIGNMASTER'  SYSTEM DISKETTE 
3). COPY THE (UNHIDDEN) FILES FROM THE ORIGINAL DISKETTE TO THE CORRESPONDING 
   2.X  OR 3.X FORMATTED DISKETTE 
4). I WONT  TELL U HOW TO USE DEBUG OR  ANY 'PATCHER' PROGRAMS 
   ON THE BBS'S, I ASSUME U HAVE A BASIC UNDERSTANDING. 
5). RENAME SIGN.EXE SIGN 
6). DEBUG SIGN 
7). D CS:99C 
     YOU SHOULD SEE 75 03 E9 09 
     E CS:99C 90 90 EB 1F 
     D CS:D407 
     YOU SHOULD SEE 5F 
     E CS:D407 CB 
     W 
     Q 
8). RENAME SIGN SIGN.EXE 
  
OTHER NOTES: 
------------------------------------------------------------------------- 
  
1). CHECKS FOR SPECIALLY FORMATTED TRACKS COMPLETELY REMOVED 
  
2). U MAY LOAD ALL THE FILES ON THE NEWLY FORMATTED AND UNPROTECTED 
   DISKETTE DIRECTLY TO HARD OR RAM DISK, IN ANY SUB-DIRECTORY U 
   SET UP 
  
3). SOMEONE WANTED TO KNOW WHY I USED UPPER CASE FOR EVERYTHING. FIRST 
   AFTER ABOUT 8 TO 20 HOURS OF STARING AT THE TUBE., I AM NOT ABOUT 
   TO SHIFT THE CHARACTERS, AND SECONDLY I AM SO EXCITED , AFTER DOING 
   SOMETHING THAT AT FIRST SEEMED IMPOSSIBLE, AND IN A HURRY TO GET IT OUT 
   ON A BBS, SO THAT U MAY USE THE NEWLY GLEAMED KNOWLEDGE. 
  
This is the procedure for bypassing the copy protection scheme used by 
SIDEKICK,  version 1.00A. 
  
Using DEBUG on SK.COM, NOP out the CALL 8780 at location 071A ----+ 
                                                                  | 
Change the OR  AL,AL at 072D to  OR  AL,01 --------+              | 
                                                   |              | 
.....and that's it!                               |              | 
                                                   |              | 
                     (BEFORE ZAP)                  |              | 
78A7:071A E86380        CALL    8780 <----------------------------+ 
78A7:071D 2E            CS:                        |              | 
78A7:071E 8E163D02      MOV     SS,[023D]          |              | 
78A7:0722 2E            CS:                        |              | 
78A7:0723 8B263F02      MOV     SP,[023F]          |              | 
78A7:0727 1F            POP     DS                 |              | 
78A7:0728 59            POP     CX                 |              | 
78A7:0729 880E1300      MOV     [0013],CL          |              | 
78A7:072D 0AC0          OR      AL,AL   <----------+              | 
                                                   |              | 
                     (AFTER ZAP)                   |              | 
78A7:071A 90            NOP         <-----------------------------+ 
78A7:071B 90            NOP         <-----------------------------+ 
78A7:071C 90            NOP         <-----------------------------+ 
78A7:071D 2E            CS:                        | 
78A7:071E 8E163D02      MOV     SS,[023D]          | 
78A7:0722 2E            CS:                        | 
78A7:0723 8B263F02      MOV     SP,[023F]          | 
78A7:0727 1F            POP     DS                 | 
78A7:0728 59            POP     CX                 | 
78A7:0729 880E1300      MOV     [0013],CL          | 
78A7:072D 0C01          OR      AL,01   <----------+ 
                <> <> <> <> <> <> <> <> <> <> <> 
  
What follows is an unprotect scheme for version 1.11C of Borland 
International's Sidekick.  The basic procedure is the same as 
that for version 1.1A with just location differences.  So the 
only credit I can take is for finding the new locations!  This is 
(of course), provided only for legal owners of Sidekick!!  Also, 
make sure you 'DEBUG' a copy NOT the original! 
        DEBUG SK.COM    <ENTER> 
        -U 801          <ENTER> 
        -E 801          <ENTER> 
        you will then see: 
        25E5:0801    E8. 
        90              <ENTER> 
        repeat for 802 and 803: 
        -E 802          <ENTER> 
        90              <ENTER> 
        -E 803          <ENTER> 
        90              <ENTER> 
        then: 
        -A 810          <ENTER> 
        OR AL,01        <ENTER> 
        <ENTER> 
        -U 801          <ENTER> 
        you should then see (among other things): 
        XXXX:801       90     NOP 
        XXXX:802       90     NOP 
        XXXX:803       90     NOP 
  
        XXXX:810  0C01     OR     AL,01 
        if so: 
        -W              <ENTER> 
        -Q              <ENTER> 
        if not: 
        -Q              <ENTER> 
  
            +++++++++++++++++++++++++++++++++++++++++++++++++++++ 
  
             For SKN.COM, SKM.COM and SKC.COM the unprotect is the same 
        but at the following locations: 
  
             SK          SKN          SKM          SKC 
             ---         ---          ---          --- 
             801         7DF          76F          7BC 
             802         7E0          770          7BD 
             803         7E1          771          7BE 
             810         7EE          77E          7CB 
  
        To unprotect SKC.COM you would 'DEBUG SKC.COM' and then replace 
        any occurence of '801' with '7BC'; '802' with '7BD' and so on. 
                              GOOD LUCK! 
                          * * * * * * * * * * * * 
                          * * * * * * * * * * * * 
  
    This is an explanation of the internal workings of Print.Com, a file 
    included in DOS for the IBM PC and compatibles.  It explains how this 
    program fails to do its part to insure integrity of all registers.  For 
    this reason some trouble was being experienced while using both SideKick 
    and Print. 
  
op 
The timer tick generates an interrupt 8 18.2 per second.  When SK 
is not active, this interrupt is handled by the Bios as follows: 
  
It  pushes  all registers used by the routine (AX among  others.) 
It updates the system timer count. 
It updates the disk motor timer count. 
It generates an int 1C. 
  
When  the spooler is active,  it has placed a vector at  int  1C, 
pointing  at  the  spooler's  code.   The  spooler  is  therefore 
activated in the middle of the int 8 handling.   The cause of the 
SK  received the int  8 and calls the bios int 8 routine to  make 
sure  that the timer tick is properly handles.   The bios  int  8 
me as above: 
  
It pushes all registers used by the routine (AX among others). 
It updates the system timer count. 
It updates the disk motor timer count. 
It generates an int 10. 
SK  has replaced the vector that the spooler placed here  with  a 
IRET,  so  nothing happens.   This is because we cannot allow the 
timer tick to pass through to programs which use it,  for example 
to write on the screen. 
It generates an end-of-interrupt to the interrupt controler. 
It pops the registers that were pushed. 
It does an interrupt return. 
  
Back in SK's int 8 routine we make a call to the address that was 
stored at int 10 when SK was first started.  In this way he still 
services any resident programs that were loaded before SK.   With 
the spooler active we therefore make a call to the spooler. 
  
The  spooler  again corrupts the AX register because it  uses  it 
without saving it first. 
Back  in SK we have no way of restoring the original contents  of 
the  AX register because we did not save it (why  should  we,  we 
don't use it.) 
  
In  short,  the root of the trouble is that the spooler  destroys 
the AX register.  The fact that the Bio's int 8 routine saves and 
stores it is pure coincidence. 
  
I quote from the Technical Reference Manual,  Pages 2-5,  Section 
Interrupt Hex 1C-timer tick: 
  
"It is the responsibility of the application to save and  restore 
all registers that will be modified." 
  
Relying  on a version of the Bios which happens to save  register 
AX is bad programming practice.   However,  the guy who wrote the 
print  spooler did not rely on this because at another  point  in 
his  program  he  does correctly save AX.   Obviously  he  simply 
forgot and fortunately for him the Bios saved him. 
  
The following patch will fix the problem: 
  
SK.COM unprotected version change 7F8: 55 to 7F8: 50 
SK.COM unprotected version change 805: 5D to 805: 58 
  
SK.COM protected version change 801: 55 to 801: 50 
SK.COM protected version change 80E: 5D to 80E: 58 
  
Also on both above change 012C: 41 to 012C: 42 
  
UNPROTECT IBM TIME MANAGER (80 Column Version) Version 1.00 - 
  
1. Have a formatted, blank disk ready if copying to a floppy. Hard 
   disk is OK, also. 
  
2. Startup DEBUG from drive A.  Just type  DEBUG  <enter> 
  
3. Place the TIME MANAGER program disk in drive A. 
4. Type   L 600 0 A5 40  <enter> 
5. Type   F 100,600 90   <enter> 
6. Type   RCX            <enter> 
7. Type   8000           <enter> 
8. Place the formated, blank floppy in drive B 
  
9. Type   NTM.COM        <enter> 
10. Type  W              <enter> 
11. Type  Q              <enter> 
  
That's it. You now have the 80-column version of Time Manager on the 
disk in Drive B. It is called TM.COM and can be started by simply 
typing TM. 
  
BE AWARE!!! - the data diskette is non-dos and cannot be placed on a 
hard disk. Also, while the program itself can be loaded from any drive 
letter (A-Z), the data disk can only be on drives A or B. 
The data disk is not protected and may be copied with DISKCOPY. 
  
  
For the 40-column version, replace line4 with: 
  
4. Type   L 600 0 65 40  <enter> 
  
All others steps are the same. 
  
If you wish to have both a 40 and 80 column version, change line 9 
so that the name is descriptive of the version, i.e. NTM40.COM or 
NTM80.COM. 
  
                            <-----<<END>>-----> 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
! 
  
***  Pirate Magazine Issue III-3 / File 8 of 9  *** 
***  Cracking Tips  (Part 6)                    *** 
*************************************************** 
  
  
In this file: Lotus 123 
              Visicalc 
              Microsoft word 1.1 
              ZORK 
              Trivia Fever 
              Wordstar 2000 1.00 
              dBase 3 
              PFS programs 
              Double Dos 
  
  
                  UNPROTECTING LOTUS 1-2-3 
  
1-2-3 Release 1-A 
----------------- 
1. Rename 123.exe 123.xyz 
2. DEBUG 123.xyz 
3. Type U ABA9 
4. You should see INT 13 at this address 
5. Type E ABA9 90 90 
6. Type W 
7. Type Q 
8. Rename 123.xyz 123.exe 
  
1-2-3 Release 1 
--------------- 
1. Rename 123.exe 123.xyz 
2. DEBUG 123.xyz 
3. Type S DS:100 FFFF E8 BE 71 
   The system will respond with xxxx:3666 where xxxx can vary 
4. Type E xxxx:3666 90 90 90  (xxxx is the number from above) 
5. Type W 
6. Type Q 
7. Rename 123.xyz 123.exe 
  
       Compliments of THE BIG APPLE BBS (212) 975-0046 
  
                <> <> <> <> <> <> <> <> <> <> <> 
     [[This patch was extracted from the PHOENIX IBM-PC Software 
Library newsletter. They received it from the HAL-PC users group of 
Houston, TX.  Corrected by Jack Wright.  Many thanks to them.]] 
  
****   CONVERT VISICALC TO A .COM FILE   **** 
  
USE THE FOLLOWING PROCEDURE TO TRANSFER THE 80-COLUMN VISICALC PROGRAM 
FROM THE VISICALC DISK AND WRITE A STANDARD .COM FILE WHICH MAY BE 
  
FORMAT A DISK AS FOLLOWS: (FORMAT B:/S(ENTER)). 
START THE DEBUG SYSTEM. 
INSERT THE VISICALC DISK IN DRIVE A: 
THEN TYPE: 
  
-L 100 0 138 2         (LOAD THE VC80 LOAD/DECRYPTER) 
-M 0 3FF 7000          (DUPLICATE IT IN HIGHER MEMORY) 
-R CS                  (INSPECT COMMAND SEGMENT REGISTER) 
  
DEBUG WILL RESPOND WITH THE CONTENTS OF THE CS REGISTER (eg. 04B5) AND 
PROMPT WITH A COLON (:). TYPE THE OLD CONTENTS + 700 (HEX). (eg. 04B5 
BECOMES 0BB5). DO THE SAME WITH THE 'DS' REGISTER. 
DEBUG response to R CS might be: 
  
CS 04B5    <-Save the value you get, we'll need it later. 
:0BB5      <-Type in your CS value + 700hex here 
-R DS      <-Type 
DS 04B5 
:0BB5      <-Type in your DS value + 700hex here 
  
NEXT: 
Take the low order byte of the CS you saved above and substitute it 
for LL in the next line.  Substitute the high order byte for HH: 
  
-E 107 LL HH           (ENTER BYTE-FLIPPED CS) Ex: -E 107 B5 04 
-E 24D BB A8 00 90     (HARD-WIRE THE DECRYPTION KEY) 
  
NOW, WE MUST RUN THE LOADER/DECRYPTER, TYPE: 
  
-G =1B8 26B            (EXECUTE FROM 1B8 TO 26B) 
  
THE ENTIRE PROGRAM WILL NOW BE LOADED AND DECRYPTED AND A REGISTER DUMP 
SHOULD APPEAR ON THE SCREEN. NOW RESTORE CS AND DS TO THEIR PREVIOUS 
VALUES AND SET THE FILE LENGTH IN CX. Set BX=0: 
  
-R CS 
CS 0BB5     <-Yours might be different 
:04B5       <-Type in the value of CS you saved above 
-R DS 
DS 0BB5 
:04B5       <-Type in the value of DS you saved above 
-R BX 
BX F3FD 
:0 
-R CX 
CX 0000 
:6B64       (LENGTH = 6B64 FOR VERSION 1.1, 6802 FOR VERSION 1.0) 
  
NOW WE MUST NAME THE FILE, WRITE IT AND EXIT. 
REMOVE THE VISICALC DISK FROM A: 
INSERT THE NEW, FORMATTED, EMPTY DISK IN A: 
TYPE: 
-N VC.COM               (OR WHATEVER YOU WISH TO NAME IT) 
-W                      (WRITE THE .COM FILE) 
-Q                      (EXIT FROM DEBUG) 
***YOU ARE DONE***** 
Back in DOS, type VC to try it. 
  
The protection scheme for MS WORD is quite good.  The last track 
is formatted with 256 byte sectors.  One sector, however, has 
an ID that says it is a 1K sector.  If you try to read it as a 256 
byte sector, you'll get a sector not found.  You can read it as a 
1K sector with a guaranteed CRC error, and you will get the data 
and other sector overhead from 3+ sectors.  They read it as 1K, and 
use the bytes after the first 256 for decryption.  These bytes 
constitute the post-amble of the sector, the inter-sector gap, and 
the preamble to the next 256 byte sector.  If it's not formatted 
with the correct inter-sector gap, the decryption key is 
different and the incorrectly decoded program bombs. 
  
The best way around this is to modify the MWCOPY program so it 
will let you make more than one copy.  The below mods will let 
you make as many backups as you want (and you can leave the 
write protect tab on your master disk).  Of course, this method 
should only be used by registered owners of Word.  If you, or any 
of your IMF force is killed, the secretary will disavow any 
knowledge of these patches. 
  
We will copy MWCOPY to another disk, using another name (MWCP) so 
you'll know it's the special version, and then modify MWCP. 
  
(with master disk in A:, B: has any disk with debug on it) 
A>copy mwcopy.com b:mwcp.com 
B>debug mwcp.com 
-e103 
xxxx:0103  0x.00 
-e148 
xxxx:0148  A5.a7 
-e194 
xxxx:0194  02.04 
-e32a 
xxxx:032A  1C.1e 
-e32e 
xxxx:032E  1C.1e 
-e3372 
xxxx:3372  01.03 
-ecfe 
xxxx:0CFE  CD.90<space>26.90<space> 
xxxx:0D00  5B.90 
-e4ab 
xxxx:04AB  1B.84 
-e69a 
xxxx:069A  C1.b9<space>38.ff<space>28.b9 
-e7b3 
xxxx:07B3  A2.5f<space>08.e9 
-e66f 
xxxx:066F  E5.d8<space> 
xxxx:0670  94.29<space>90.ff<space>29.b9 
Writing 332D bytes 
-q 
B>mwcp      (try making a copy..remember, 
             leave the write-protect on the master) 
   (Just follow the prompts in the program, except when they ask 
    you to remove the write protect tab) 
  
I think this will also work for the hard disk copy portion.  Another 
way to unprotect Word gets rid of the need for any weird disk formats. 
But it is MUCH more complicated to do.  Enjoy! 
  
                <> <> <> <> <> <> <> <> <> <> <> 
Unprotection for Microsoft "WORD" Version 1.1 using the 
Ultra-utilities (U-Format and U-Zap). June 22, 1984 
  
    The following information is presented for those legitimate 
owners who feel somewhat insecure when the availability of an 
important program is dependent on the survival of a single floppy 
disk. 
  
    Microsoft's WORD uses a very good protection method. This 
consists of a track (Side 1, Track 39) which is formatted with 
twelve sectors. Sectors 1,2,3,4,6,7,8,9,10 & 11 are all 256 byte 
sectors. Sector 5 is formatted as a 1024 byte sector with a 
inherent CRC error. The sectors on this track have an ASCII text 
on the subjects of not stealing software and the names of the 
people who worked on the development of the WORD package. 
  
    Sectors 1,2,3 & 4, while presenting an interesting message, do 
not directly affect the copy protection scheme. They would 
appear to be a "red herring", to divert attention from the actual 
protection area. 
  
    Earlier versions of WORD were supplied with a program called 
MWCOPY.COM which permitted a single floppy disk copy and a single 
hard disk copy. If you have these versions use WORD.UNP or 
WORDNEW.UNP which can be found on many BBS's. 
  
    Version 1.1 is furnished with a single back-up floppy and the 
utility programs furnished are MWCOPY1.COM, MWCOPY.BAT, and 
MWCOPY2.BAT. These programs only permit a one-time copy to a hard 
disk. No provision is included for a floppy copy. 
  
    To make a floppy copy you will need the Ultra-Utilities, a 
userware set of programs available on many BBS's. Of this set you 
specifically need U-FORMAT.EXE and U-ZAP.EXE. 
1)  Place a write protect tab on your copy of WORD. 
2)  Make a copy of WORD with the standard DOS DISKCOPY command. 
    (NOTE: There are hidden files, so the use of COPY will 
    not work. 
    DISKCOPY will report "Unrecoverable read errors on source 
    Track 39 Side 1". Just ignore this. 
3)  Start the U-FORMAT.EXE program. This can be done by removing 
    the WORD disk and inserting your Ultra-Utilities disk. Once 
    U-Format is started you can remove the Ultra-utilities disk 
    and return the WORD disk to the drive. 
4)  Select #5 (Display Radix) from the U-Format menu and change to 
    decimal display. 
5)  Select #4 (Display/Modify Disk Parameter Table) and set the 
    following: 
    #4 Bytes per sector = 001 
    #5 Highest sector number per track = 012 
    #8 Formatting gap length = 010 
    All other values remain at the default settings. 
    Quit to the main menu. 
6)  Select menu item #3 (Format a Non-Standard Track) 
    The program will ask if you intend to format a track with 12 
    sectors. Answer = YES 
  
    The program will then ask for the following information: 
  
    SIDE  =  1 
    DRIVE  =  (enter letter of the drive with the COPY disk) 
    TRACK  =  39 
  
    The program will then prompt for the following information: 
  
    Physical Sector #   Logical Sector #   Sector Size 
          1                   1               1 
          2                   2               1 
          3                   3               1 
          4                   4               1 
          5                   5               3 
          6                   6               1 
          7                   7               1 
          8                   8               1 
          9                   9               1 
         10                  10               1 
         11                  11               1 
         12                  12               1 
  
    After pressing "enter" in response to the prompt, you may exit 
    U-Format. 
  
7)  Start the U-ZAP.EXE program. This can be done by removing 
    the WORD disk and inserting your Ultra-Utilities disk. Once 
    U-Zap is started you can remove the Ultra-utilities disk 
    and return the WORD disk to the drive. 
  
8)  Select #8 (Display Radix) from the U-Format menu and change to 
    decimal display. 
  
9)  Select #11 (Display/Modify Disk Parameter Table) and set the 
    following: 
  
    #4 Bytes per sector = 001 
    #5 Highest sector number per track = 012 
  
    All other values remain at the default settings. 
  
    Quit to the main menu. 
  
10) Select #3 (Copy Disk Sectors) and use the following 
    information: 
  
    SOURCE DISK                     DESTINATION DISK 
  
    SIDE  =  1                      SIDE  =  1 
    DRIVE  =  (enter drive letter   DRIVE  =  (enter drive letter 
               for WORD disk)                  for COPY disk) 
    TRACK  =  39                    TRACK  =  39 
    SECTOR  =  6                    SECTOR  =  6 
  
        NUMBER OF SECTORS TO COPY  =  7 
  
    The program will report "Sector Not Found"... "Re-Try (Y/N)" 
    Answer  =  NO 
  
    The program will then ask how many sides for the disk. 
    Answer  =  2 
  
    The program will then show the copy process. 
  
    (NOTE: DO NOT copy the information from sectors 1,2,3,4, 
    or 5.) 
  
    You may then quit from U-zap to DOS. 
  
    YOUR' DONE. 
  
    The copy disk should workHow to backup Infocom's ZORK III game: 
*Insert DOS disk in drive A 
  
A>DISKCOPY A: B:          <-- Ignore the errors on tracks 1-3! 
*Place your ZORK I or ZORK II disk in drive A and a blank disk in drive B. 
 BE SURE THAT YOUR ORIGINAL IS WRITE-PROTECTED!!! 
  
A> 
*Now take out your ZORK disk and insert your DOS disk in A. 
  
A>DEBUG 
-R CS 
xxxx 
:0000                <-- you enter this 
-R DS 
xxxx 
:0040 
-R IP 
xxxx 
:7C00 
-R ES 
xxxx 
:0000 
-L 0:7C00 0 0 8 
-G =0:7C00 0:7C32 
-G 0:7C44                <-- Don't take a shortcut here! 
-R ES 
xxxx 
:04C5 
-G 0:7C46 
-E 7C0:007C 02 08 
-W 800:0000 1 8 8 
-E 07C0:007C 03 04 
-G 0:7C44 
-R BX 
xxxx 
:0000 
-G 0:7C46 
-E 07C0:007C 02 08 
-W 04C5:0000 1 10 8 
-E 07C0:007C 03 04 
-G 0:7C44 
-R BX 
xxxx 
:0000 
-E 07C0:007C 02 08 
-W 04C5:0000 1 18 8 
-E 0:7C41 B8 08 02 
-W 0:7C00 1 0 8 
-Q 
                <> <> <> <> <> <> <> <> <> <> <> 
 UNPROTECT FOR INFOCOMO'S  -ZORK III- 
*This patch was done under DOS 1.1 - I haven't tried it under DOS 2.0 yet - 
 which may cause unpredictable results... 
*Take out your new disk in drive B and write-protect it. 
 It is now DISKCOPY-able. 
*Reboot your system - press ALT-CTRL-DEL. 
  
How to backup Infocom's ZORK III game: 
  
*Insert DOS disk in drive A 
  
A>DISKCOPY A: B:          <-- Ignore the errors on tracks 1-3! 
*Place your ZORK III disk in drive A and a blank disk in drive B. 
  
A> 
*Now take out your ZORK III disk and insert your DOS disk in A. 
  
A>DEBUG 
-R CS 
xxxx 
:0000                <-- you enter this 
-R DS 
xxxx 
:0040 
-R IP 
xxxx 
:7C00 
-R ES 
xxxx 
:0000 
-L 0:7C00 0 0 1 
-G =0:7C00 0:7C2A 
-R AX 
xxxx 
:0800 
-G 0:7C63 
-E 800:14E5 B8 08 02 
-E 800:211A 02 08 
-W 800:0000 1 8 18 
-L 0:7C00 0 0 8 
-E 0:7C7C 02 08 
-E 0:7C41 B8 08 02 
-W 0:7C00 1 0 8 
-Q 
  
*Take out your new disk in drive B and write-protect it. 
 It is now DISKCOPY-able. 
*Reboot your system - press ALT-CTRL-DEL. 
                <> <> <> <> <> <> <> <> <> <> <> 
  
This is the procedure to unprotect the game software package 
called TRIVIA FEVER (This procedure also works on the demo disk of 
TRIVIA FEVER available with the blank XIDEX disks!) 
  
If you have a hard disk or want to create a backup copy that is not 
tied to the original TRIVIA system disk, this will remove the copy 
protection completly. 
  
This procedure is to be used by legitimate owners of 
        TRIVIA FEVER ONLY ... 
as you are entitled to make a back up for archive purposes only. 
You are bound by your licence agreement. 
  
Format a blank system disk using DOS 2 or 2.1 
  
Label it the same as the original TRIVIA system disk. 
  
Copy the files from the original TRIVIA system to the formatted 
blank disk using  *.*   . 
  
Place DOS system disk containing DEBUG in drive A: 
  
Place the new copy of TRIVIA in drive B: 
  
Rename the file called TF.EXE to TF 
  
A>DEBUG B:TF 
  
-E 257E      (enter) 
  
-75.90 03.90 (enter) 
  
-W 
  
-Q 
  
Rename B:TF B:TF.EXE 
  
Now all the copy protection has been removed, and you may copy the 
files as required. 
  
All checks for specially formatted tracks has been removed. 
  
Disk needs no longer to be in the A drive on start up. 
                <> <> <> <> <> <> <> <> <> <> <> 
  
               Wordstar 2000 version 1.00  -  Unprotect 
                            by Gerald Lee 
  
                            derived from 
  
                 dBase III version 1.10  -  Unprotect 
                          by The Lone Victor 
  
     The following instructions show you how to bypass the SoftGuard 
copy protection scheme used on WORDSTAR 2000 version 1.00.  This is the 
same scheme used for FrameWork 1.10 and for dBase III version 1.10. 
Wordstar 2000 version 1.10 does not use a copy protection scheme, while 
versions 1.00 of dBase III and FrameWork used ProLock.  To unprotect 
Prolock disks read the file PROLOCK.UNP. 
  
     First, using your valid, original Wordstar 2000 diskettes, install 
it on fixed disk.  Softguard hides two files in your root directory: 
CML0200.HCL and VDF0200.VDW.  WS2000.EXE is the real Wordstar 2000 
program, encrypted.  When you run Wordstar, the program WS2000.COM loads 
CML0200.HCL high in memory and runs it.  CML decrypts itself and reads 
VDF0200.VDW.  The VDF file contains some code and data from the fixed disk 
FAT at the time of installation.  By comparing the information in the VDF 
file with the current FAT, CML can tell if the CML, VDF, and WORDSTAR.EXE 
files are in the same place on the disk where they were installed.  If 
they have moved, say from a backup & restore, then WORDSTAR 2000 will 
not run. 
  
     Second, un-hide the two files in the root directory.  You can do 
this with the programs ALTER.COM or FM.COM, or UNHIDE.COM and HIDE.COM 
found on any BBS.  PC-SWEEP2 is the easiest it will copy the files to 
another directory unhidden. 
  
     Make copies of the two files, and of WS2000.COM and WS2000.EXE, into 
some other directory. 
  
     Hide the two root files again if using ALTER or FM.  Leave alone if 
using PC-SWEEP2. 
  
     Following the WORDSTAR instructions, UNINSTAL WORDSTAR 2000.  You 
can now put away your original WORDSTAR diskettes.  We are done with them. 
  
     Next we will make some patches to CML0200.HCL to allow us to trace 
through the code in DEBUG.  These patches will keep it from killing our 
interrupt vectors. 
  
DEBUG CML0200.HCL 
E 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A 
E 49D <CR>  F6.16 <CR>          ;  if any of these numbers don't show up 
E 506 <CR>  E9.09 <CR>          ;  it's not working. 
E A79 <CR>  00.20 <CR>          ; 
E AE9 <CR>  00.20 <CR>          ; 
E 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300 
W <CR>                          ; write out the new CML file 
Q <CR>                          ; quit debug 
  
     Now copy your four saved files back into the root directory and 
hide the CML0200.HCL and VDF0200.VDW files using ALTER, FM or PC-SWEEP2. 
  
     We can now run WS2000.COM using DEBUG, trace just up to the point 
where it has decrypted WORDSTAR.EXE, then write that file out. 
  
DEBUG WS2000.COM 
R <CR>                          ; write down the value of DS for use below. 
A 0:300 <CR>                    ; we must assemble some code here 
        POP     AX <CR> 
        CS: <CR> 
        MOV     [320],AX <CR>   ; save return address 
        POP     AX <CR> 
        CS: <CR> 
        MOV     [322],AX <CR> 
        PUSH    ES <CR>         ; set up stack the way we need it 
        MOV     AX,20 <CR> 
        MOV     ES,AX <CR> 
        MOV     AX,0 <CR> 
        CS: <CR> 
        JMP     FAR PTR [320] <CR> ;jump to our return address 
 <CR> 
G 406 <CR>                      ; now we can trace CML 
T <CR> 
G 177 <CR>                      ; this stuff just traces past some 
G 1E9 <CR>                      ;   encryption routines. 
T <CR> 
G 54E <CR>                      ; wait while reading VDF & FAT 
G=559 569 <CR> 
G=571 857 <CR>                  ; WS2000.EXE has been decrypted 
rBX <CR>                        ; length WS2000.EXE = 1AC00 bytes 
:1 <CR>                         ; set BX to 1 
rCX <CR> 
:AC00 <CR>                      ; set CX to AC00. 
nWS12 <CR>                      ; name of file to write to 
W XXXX:100 <CR>                 ; where XXXX is the value of DS that 
                                ;   you wrote down at the begining. 
Q <CR>                          ; quit debug 
  
     Last, unhide and delete the two root files CML0200.HCL, VDF0200.VDW, 
and WS2000.COM and WS2000 directory.  Rename WS12 to WS2000.COM and 
replace in the WS2000 directory.  This is the routine that starts the 
real WS2000.EXE program without any SoftGuard code or encryption.   It 
requires the .OVL and .MSG files to run.  I have not tried it on a two 
disk systems but I think it should work. 
  
     If you have any comments on this unprotect routine, please leave 
them 
                                          GERALD LEE - 5/12/85 
                <> <> <> <> <> <> <> <> <> <> <> 
  
                 dBase III version 1.10  -  Unprotect 
                                                    by The Lone Victor 
  
     The following instructions show you how to bypass the SoftGuard 
copy protection scheme used on dBase III version 1.10.  This is the same 
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00.  Wordstar 
2000 version 1.10 does not use a copy protection scheme, while versions 
1.00 of dBase III and FrameWork used ProLock.  To unprotect Prolock disks 
read the file PROLOCK.UNP. 
  
This scheme also reportedly works on Quickcode 1.10 QuickReport 1.00. 
  
     First, using your valid, original dBase III diskette, install it on 
a fixed disk.  Softguard hides three files in your root directory: 
CML0200.HCL, VDF0200.VDW, and DBASE.EXE.  It also copies DBASE.COM into 
your chosen dBase directory.  DBASE.EXE is the real dBase III program, 
encrypted.  When you run dbase, the program DBASE.COM loads CML0200.HCL 
high in memory and runs it.  CML decrypts itself and reads VDF0200.VDW. 
The VDF file contains some code and data from the fixed disk FAT at the 
time of installation.  By comparing the information in the VDF file with 
the current FAT, CML can tell if the CML, VDF, and DBASE.EXE files are 
in the same place on the disk where they were installed.  If they have 
moved, say from a backup & restore, then dBase will not run. 
  
     Second, un-hide the three files in the root directory.  You can do 
this with the programs ALTER.COM or FM.COM found on any BBS. 
  
     Make copies of the three files, and of DBASE.COM, into some other 
directory. 
  
     Hide the three root files again using ALTER or FM. 
  
     Following the dBase instructions, UNINSTALL dBase III.  You can now 
put away your original dBase diskette.  We are done with it. 
  
     Next we will make some patches to CML0200.HCL to allow us to trace 
through the code in DEBUG.  These patches will keep it from killing our 
interrupt vectors. 
  
debug cml0200.hcl 
e 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A 
e 49D <CR>  F6.16 <CR>          ;  if any of these numbers don't show up 
e 506 <CR>  E9.09 <CR>          ;  it's not working. 
e A79 <CR>  00.20 <CR>          ; 
e AE9 <CR>  00.20 <CR>          ; 
e 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300 
w                               ; write out the new CML file 
q                               ; quit debug 
  
     Now copy your four saved files back into the root directory and 
hide the CML0200.HCL, VDF0200.VDW, and DBASE.EXE files using ALTER or FM. 
  
     We can now run DBASE.COM using DEBUG, trace just up to the point 
where it has decrypted DBASE.EXE, then write that file out. 
  
debug dbase.com 
r <CR>                          ; write down the value of DS for use below. 
a 0:300 <CR>                    ; we must assemble some code here 
        pop     ax 
        cs: 
        mov     [320],ax        ; save return address 
        pop     ax 
        cs: 
        mov     [322],ax 
        push    es              ; set up stack the way we need it 
        mov     ax,20 
        mov     es,ax 
        mov     ax,0 
        cs: 
        jmp     far ptr [320]   ; jump to our return address 
 <CR> 
g 406                           ; now we can trace CML 
t 
g 177                           ; this stuff just traces past some 
g 1E9                           ;   encryption routines. 
t 
g 54E                           ; wait while reading VDF & FAT 
g=559 569 
g=571 857                       ; DBASE.EXE has been decrypted 
rBX <CR>                        ; length DBASE.EXE = 1AC00 bytes 
:1                              ; set BX to 1 
rCX <CR> 
:AC00                           ; set CX to AC00. 
nDBASE                          ; name of file to write to 
w XXXX:100                      ; where XXXX is the value of DS that 
                                ;   you wrote down at the begining. 
q                               ; quit debug 
  
     Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, 
and DBASE.EXE.  Delete DBASE.COM and rename DBASE to DBASE.EXE.  This is the 
real dBase III program without any SoftGuard code or encryption.  It requires 
only the DBASE.OVL file to run. 
  
     If you have any comments on this unprotect routine or the PROLOCK.UNP 
routine, please leave them on the Atlanta PCUG BBS (404) 634-5731. 
  
                                          The Lone Victor - 4/15/85 
  
                <> <> <> <> <> <> <> <> <> <> <> 
INSTRUCTIONS FOR UNPROTECTING PFS-FILE, PFS-REPORT AND PFS-WRITE. 
  
 IMPORTANT!  COPY FILE.EXE AND/OR REPORT.EXE TO ANOTHER DISK FIRST. 
 DON'T MAKE THESE PATCHES ON YOUR ORIGINAL DISK! (USE THE USUAL DOS 
 COPY COMMAND) 
  
  YOU SHOULD SEE, AMONG OTHER THINGS:  PUSH BP 
                                       MOV AX,DS 
                                       MOV ES,AX 
                                 (ETC) 
  IF YOU DON'T SEE THIS, TYPE -> Q  (YOU DON'T HAVE THE RIGHT VERSION) 
  OTHERWISE, 
  TYPE -> E 9248 EB 2B 
  TYPE -> W 
  TYPE -> Q 
  BACK IN DOS, RENAME FILE.ZAP TO FILE.EXE.  YOU NOW HAVE AN UNPROTECTED 
  COPY OF PFS-FILE. 
  
FOR PFS-REPORT: 
  RENAME REPORT.EXE TO REPORT.ZAP 
  HAVE DEBUG.COM HANDY, AND TYPE -> DEBUG REPORT.ZAP 
  TYPE -> U 98BF 
  YOU SHOULD SEE, AMONG OTHER THINGS:  PUSH BP 
                                       MOV AX,DS 
                                       MOV ES,AX 
                                 (ETC) 
  IF YOU DON'T SEE THIS, TYPE -> Q  (YOU DON'T HAVE THE RIGHT VERSION) 
  OTHERWISE, 
  TYPE -> E 98C4 EB 2B 
  TYPE -> W 
  TYPE -> Q 
  BACK IN DOS, RENAME REPORT.ZAP TO REPORT.EXE.  YOU NOW HAVE AN 
  UNPROTECTED COPY OF PFS-REPORT. 
  
For PFS-Write: 
  
 RENAME PFSWRITE.EXE TO PFSWRITE.ZAP 
 DEBUG PFSWRITE.ZAP 
 U 235A 
 YOU SHOULD SEE, AMONG OTHER THINGS:  INT 13 
                                      JNB 2362 
  
 IF YOU DONcT SEE THIS, TYPE -> Q (you don't have the right version) 
 OTHERWISE, 
 TYPE -> E235A 90 90 90 90 
 TYPE -> E2360 90 90 
 TYPE -> A2369 
 TYPE -> CMP AX,AX 
 TYPE -> <cr> 
 TYPE -> W 
 TYPE -> Q 
  
 RENAME PFSWRITE.ZAP TO PFSWRITE.EXE.  YOU NOW HAVE AN UNPROTECTED COPY 
 OF PFS-WRITE. 
  
============================================================================ 
  
 P.S. From another author than the one who wrote the above. 
      The routine above is excellent, however I had a different version 
      of PFS FILE and PFS REPORT.  If you dont find the locations listed 
      above try these: 
  
 PFS FILE   TYPE -> U 9223  YOU SHOULD SEE  PUSH BP 
                                            MOV AX,DS 
                                            MOV ES,AX 
                                      (ETC) 
 IF SO TYPE -> E 9228 EB 2B 
       TYPE -> W 
       TYPE -> Q 
 AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME ETC. 
  
 PFS REPORT  TYPE -> U 988F  YOU SHOULD SEE PUSH BP 
                                            MOV AX,DS 
                                            MOV ES,AX 
                                      (ETC) 
 IF SO TYPE -> E 9894 EB 2B 
       TYPE -> W 
       TYPE -> Q 
 AND FOLLOW THE DIRECTIONS GIVEN ABOVE ABOUT RENAME & ETC. 
  
 My thanks to the original author who worked so hard to help us. 
 Please use these routines for your own use. I needed to add DOS 2.1 
 and place these programs on double sided disks.  Don't rip off these 
 software manufacturers. 
  
PROKEY 3.0 and several other programs. The approach I outline 
here works with any of these that are in COM file format. If 
anyone can improve it to work for EXE files PLEASE post it. 
  This general copy scheme uses a short sector of 256 bytes to 
store an essential piece of the program code. On startup, location 
100H contains a JMP instruction to the code which reads this 
short sector. Locations 103H - 110H contain HLT instructions (hex F4). 
After the sector is read, its contents are overlayed onto locations 
100H - 110H, replacing the dummy instruction codes. A branch to 100H 
then begins the actual program. 
   All we need to do is to stop execution after the changes are 
made and write down the contents of 100H - 110H; reloading the 
program and POKEing these changes results in an unprotected program. 
   Here's how its done: 
(1) Put PROTECTED disk in A: (you can write-protect it for safety) 
   and a disk containing DEBUG in B: 
(2) A:               Make A: the default. 
(3) B:DEBUG ULTIMAII.COM      (or PKLOAD.COM, LAYOUT.COM...) 
(4) -u 0100        Tell DEBUG to disassemble 0100-0120 
DEBUG responds with: 
  0100 JMP 88A0        (or whatever) 
  0103 HLT 
  0104 HLT             ...etc. 
(5) -u 88A0            Look at short-sector decrypting code. 
DEBUG responds with: 
  88A0 JMPS 88A7       Next "statements" are data locations; ignore. 
(6) -u 88A7            Now look for where program restarts at 100H. 
DEBUG responds with: 
  88A7 CALL 88C4 
  88AA CALL 892E 
  88AD JC 88BF      (If Carry is set, the disk is a copy. Go to DOS!) 
.. 
  88BA MOV AX,0100 
  88BD JMP AX         Paydirt! If you got this far, the program has 
..                    written the REAL code into 0100 - 0120H. 
(7) -g 88BD           Tell DEBUG to run the program, stop here. 
(8) -d 0100 011F      Dump out the changed code. 
DEBUG responds with: 
  8C C8 05 25 07 8E D8 05-10 03 8E D0...  Two lines. WRITE DOWN for (12) 
(9) -q         Get out of DEBUG. You must reload to deprotect. 
(10) Make a copy of the disk; you can use copy *.*   Put copy in A: 
(11) B:DEBUG ULTIMAII.COM     load copy 
(12) -e 0100             Patch locations 0100 - 011F with what you 
                         wrote down above. Follow each entry with 
                         a SPACE until last entry; then hit ENTER. 
(13) -w               Write out new version of ULTIMAII.COM 
(14) -q               You've done it! 
  
  I've been detailed because this works generally for any COM file. 
This method doesn't work for EXE files because while DEBUG can load 
relocatable modules and execute them with breakpoints (step 7 above), 
you cannot use debug to write an EXE file in relocatable form. 
Any suggestions? 
    L.Brenkus 
                <> <> <> <> <> <> <> <> <> <> <> 
  
                 DOUBLEDOS  -  Unprotect 
                                        Based on The Lone Victor's 
                                        routine. 
  
     The following instructions show you how to bypass the SoftGuard 
copy protection scheme used on DOUBLEDOS version 1.00.  This is the same 
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00.  Wordstar 
2000 version 1.10 does not use a copy protection scheme, while versions 
1.00 of dBase III and FrameWork used ProLock.  To unprotect Prolock disks 
read the file PROLOCK.UNP. 
  
     First, using your valid, original DOUBLEDOS diskette, install it on a 
fixed disk.  Softguard hides three files in your root directory: 
CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE.  It also copies DOUBLEDO.COM 
into your chosen DOUBLEDOS directory.  DOUBLEDO.EXE is the real DOUBLEDOS 
program, encrypted.  When you run DOUBLEDOS, the program DOUBLEDO.COM loads 
CML0200.HCL high in memory and runs it.  CML decrypts itself and reads 
VDF0200.VDW. 
The VDF file contains some code and data from the fixed disk FAT at the 
time of installation.  By comparing the information in the VDF file with 
the current FAT, CML can tell if the CML, VDF, and DOUBLEDO.EXE files are 
in the same place on the disk where they were installed.  If they have 
moved, say from a backup & restore, then DOUBLEDOS will not run. 
  
     Second, un-hide the three files in the root directory.  You can do 
this with the programs ALTER.COM or FM.COM found on any BBS. 
  
     Make copies of the three files, and of DOUBLEDO.COM, into some other 
directory. 
  
     Hide the three root files again using ALTER or FM. 
  
     Following the DOUBLEDOS  instructions, UNINSTALL DOUBLEDOS.  You can now 
put away your original DOUBLEDOS diskette.  We are done with it. 
  
     Next we will make some patches to CML0200.HCL to allow us to trace 
through the code in DEBUG.  These patches will keep it from killing our 
interrupt vectors. 
  
debug cml0200.hcl 
e 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A 
e 49D <CR>  F6.16 <CR>          ;  if any of these numbers don't show up 
e 506 <CR>  E9.09 <CR>          ;  it's not working. 
e A79 <CR>  00.20 <CR>          ; 
e AE9 <CR>  00.20 <CR>          ; 
e 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300 
w                               ; write out the new CML file 
q                               ; quit debug 
  
     Now copy your four saved files back into the root directory and 
hide the CML0200.HCL, VDF0200.VDW, and DOUBLEDOS.EXE files using ALTER or FM. 
  
     We can now run DOUBLEDO.COM using DEBUG, trace just up to the point 
where it has decrypted DOUBLEDO.EXE, then write that file out. 
  
debug dOUBLEDO.COM 
r <CR>                          ; write down the value of DS for use below. 
a 0:300 <CR>                    ; we must assemble some code here 
        pop     ax 
        cs: 
        mov     [320],ax        ; save return address 
        pop     ax 
        cs: 
        mov     [322],ax 
        push    es              ; set up stack the way we need it 
        mov     ax,20 
        mov     es,ax 
        mov     ax,0 
        cs: 
        jmp     far ptr [320]   ; jump to our return address 
 <CR> 
g 406                           ; now we can trace CML 
g 177                           ; this stuff just traces past some 
g 1E9                           ;   encryption routines. 
t 
g 54E                           ; wait while reading VDF & FAT 
g=559 569 
g=571 857                       ; DOUBLEDO.EXE has been decrypted 
rBX <CR>                        ; length DOUBLEDO.EXE = 04800 bytes 
:0                              ; set BX to 0 
rCX <CR> 
:4800                           ; set CX to 4800. 
nDOUBLEDO                       ; name of file to write to 
w XXXX:100                      ; where XXXX is the value of DS that 
                                ;   you wrote down at the begining. 
q                               ; quit debug 
  
     Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, 
and DOUBLEDO.EXE.  Delete DOUBLEDO.COM and rename DOUBLEDO to DOUBLEDO.EXE. 
This is the real DOUBLEDOS program without any SoftGuard code or 
encryption.  It requires only the DOUBLGD2.PGM and DDCONFIG.SYS files to 
run. 
  
                 DOUBLEDOS  -  Unprotect 
                                        Based on The Lone Victor's 
                                        routine. 
                <> <> <> <> <> <> <> <> <> <> <> 
     The following instructions show you how to bypass the SoftGuard 
copy protection scheme used on DOUBLEDOS version 1.00.  This is the same 
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00.  Wordstar 
2000 version 1.10 does not use a copy protection scheme, while versions 
1.00 of dBase III and FrameWork used ProLock.  To unprotect Prolock disks 
read the file PROLOCK.UNP. 
  
     First, using your valid, original DOUBLEDOS diskette, install it on 
a fixed disk.  Softguard hides three files in your root directory: 
CML0200.HCL, VDF0200.VDW, and DOUBLEDO.EXE.  It also copies DOUBLEDO.COM into 
your chosen DOUBLEDOS directory.  DOUBLEDO.EXE is the real DOUBLEDOS 
program, encrypted.  When you run DOUBLEDOS, the program DOUBLEDO.COM loads 
CML0200.HCL high in memory and runs it.  CML decrypts itself and reads 
VDF0200.VDW. 
The VDF file contains some code and data from the fixed disk FAT at the 
time of installation.  By comparing the information in the VDF file with 
the current FAT, CML can tell if the CML, VDF, and DOUBLEDO.EXE files are 
in the same place on the disk where they were installed.  If they have 
moved, say from a backup & restore, then DOUBLEDOS will not run. 
  
     Second, un-hide the three files in the root directory.  You can do 
this with the programs ALTER.COM or FM.COM found on any BBS. 
  
     Make copies of the three files, and of DOUBLEDO.COM, into some other 
directory. 
  
     Hide the three root files again using ALTER or FM. 
  
     Following the DOUBLEDOS  instructions, UNINSTALL DOUBLEDOS.  You can now 
put away your original DOUBLEDOS diskette.  We are done with it. 
  
     Next we will make some patches to CML0200.HCL to allow us to trace 
through the code in DEBUG.  These patches will keep it from killing our 
interrupt vectors. 
  
debug cml0200.hcl 
e 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A 
e 49D <CR>  F6.16 <CR>          ;  if any of these numbers don't show up 
e 506 <CR>  E9.09 <CR>          ;  it's not working. 
e A79 <CR>  00.20 <CR>          ; 
e AE9 <CR>  00.20 <CR>          ; 
e 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300 
w                               ; write out the new CML file 
q                               ; quit debug 
  
  
     Now copy your four saved files back into the root directory and 
hide the CML0200.HCL, VDF0200.VDW, and DOUBLEDOS.EXE files using ALTER or FM. 
  
     We can now run DOUBLEDO.COM using DEBUG, trace just up to the point 
where it has decrypted DOUBLEDO.EXE, then write that file out. 
debug dOUBLEDO.COM 
r <CR>                          ; write down the value of DS for use below. 
a 0:300 <CR>                    ; we must assemble some code here 
        pop     ax 
        cs: 
        mov     [320],ax        ; save return address 
        pop     ax 
        cs: 
        mov     [322],ax 
        push    es              ; set up stack the way we need it 
        mov     ax,20 
        mov     es,ax 
        mov     ax,0 
        cs: 
        jmp     far ptr [320]   ; jump to our return address 
 <CR> 
g 406                           ; now we can trace CML 
t 
g 177                           ; this stuff just traces past some 
g 1E9                           ;   encryption routines. 
t 
g 54E                           ; wait while reading VDF & FAT 
g=559 569 
g=571 857                       ; DOUBLEDO.EXE has been decrypted 
rBX <CR>                        ; length DOUBLEDO.EXE = 04800 bytes 
:0                              ; set BX to 0 
rCX <CR> 
:4800                           ; set CX to 4800. 
nDOUBLEDO                       ; name of file to write to 
w XXXX:100                      ; where XXXX is the value of DS that 
                                ;   you wrote down at the begining. 
q                               ; quit debug 
  
     Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, 
and DOUBLEDO.EXE.  Delete DOUBLEDO.COM and rename DOUBLEDO to DOUBLEDO.EXE. 
This is the real DOUBLEDOS program without any SoftGuard code or 
encryption.  It requires only the DOUBLGD2.PGM and DDCONFIG.SYS files to 
run. 
  
                            <-----<<END>>-----> 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
! 
  
*************************************************** 
***  Pirate Magazine Issue III-3 / File 9 of 9  *** 
***  Gene and Roger at the BBS                  *** 
*************************************************** 
  
  
NOW REVIEWING -- DEAD ZONE (214-522-5321) 
  
We kept hearing about this Dallas board that's part camp, part lame, part 
punk, and mostly heavy metal, so we thought we'd check into it, 'cause it's 
been around for awhile and seems to have a loyal, if somewhat brain-dead 
 claim to be heavy metal junkies, and a few log-ins and 
message readings convinced us that too much of this stuff can rot your 
brain, but maybe that's what comes from living in Dallas. 
  
We were on last year and found it all a bore, but lost our account and had 
to re-enter.  The chat is mostly mindless, the sysop is into posturing a 
lot, and the whole thing is pretty pretentious.  Great for kids through age 
14. We didn't bother to re-apply for higher access. Here's what ya see when 
you log in, and here's a sample of the messages. If you're into mindless 
drivel, maybe this board's your thing, but the R&G rating for DEAD ZONE is 
         <><>BOOOOOOORRRING!!<> 
  
                                 ******** 
  
  
!   !!! !!    !  !!     !   !!   !!! 
                 !!   !!  !!   !!  !!     !   !!   !! 
                !!!!!!!  !!!!!!!! !!!!   !!! !!!!!!! 
  
                !!!!!!!!    !!!!  !!!!  !!!! !!!!!!!! 
                !!    !!   !!  !!  !!!   !!   !!   !! 
                !!    !!  !!!  !!! !!!!  !!   !!    ! 
                     !!   !!!  !!! !! !! !!   !!!! 
                    !!    !!!  !!! !!  !!!!   !! ! 
                   !!  !! !!!  !!! !!   !!!   !!    ! 
                  !!   !!  !!  !!  !!    !!   !!   !! 
                 !!!!!!!!   !!!!  !!!!  !!!! !!!!!!!! 
                 !!!! !!!   !! !  !!    !    !!!   !! 
                  !!   !    !     !!          !!   !! 
                  !!   !    !  !   !         !!     ! 
                   !               !          ! 
                            !                       ! 
                   !        !   !       !     ! 
                   ! 
                 .......              !      ......... 
              .... NO! ...                  ... MNO! ... 
            ..... MNO!! ...................... MNNOO! ... 
          ..... MMNO! ......................... MNNOO!! . 
         .... MNOONNOO!   MMMMMMMMMMPPPOII!   MNNO!!!! . 
          ... !O! NNO! MMMMMMMMMMMMMPPPOOOII!! NO! .... 
             ...... ! MMMMMMMMMMMMMPPPPOOOOIII! ! ... 
            ........ MMMMMMMMMMMMPPPPPOOOOOOII!! ..... 
            ........ MMMMMOOOOOOPPPPPPPPOOOOMII! ... 
             ....... MMMMM..    OPPMMP    .,OMI! .... 
              ...... MMMM::   o.,OPMP,.o   ::I!! ... 
                  .... NNM:::.,,OOPM!P,.::::!! .... 
                   .. MMNNNNNOOOOPMO!!IIPPO!!O! ..... 
                  ... MMMMMNNNNOO:!!:!!IPPPPOO! .... 
                    .. MMMMMNNOOMMNNIIIPPPOO!! ...... 
                   ...... MMMONNMMNNNIIIOO!.......... 
                ....... MN MOMMMNNNIIIIIO! OO .......... 
             ......... MNO! IiiiiiiiiiiiI OOOO ........... 
           ...... NNN.MNO! . O!!!!!!!!!O . OONO NO! ........ 
            .... MNNNNNO! ...OOOOOOOOOOO .  MMNNON!........ 
            ...... MNNNNO! .. PPPPPPPPP .. MMNON!........ 
               ...... OO! ................. ON! ....... 
                  ................................ 
  
  
 -cDc- -cDc- -cDc- 
       _   _ 
      ((___)) 
      [ x x ] 
       f   / 
       (' ') 
        (U) 
  
 -cDc- -cDc- -cDc- 
  
 A [-Cult of the Dead Cow-] System 
  
[New Corpses enter -KILL ME-] 
[Grave ID]: 
  
][-KILLE ME 
  
Enter your alias [Upper+Lower Case] 
:Roger 
  
City of Residence [Upper+Lower Case] 
:San Francisco 
  
State [XX] 
:CA 
  
Phone number [xxx-xxx-xxxx] 
:414-555-1212 
  
Roger 
San Francisco, CA 
415-555-1212 
  
Abs0lutely 0k ? Y 
  
[P]=Password 
[G]=Guest 
-]-[-P 
  
Preparing Entrance... 
  
             Hey d0rk, over here...Read This: 
  
        Well, if you have actually made it this far, I sure hope 
you typed your name in upper/lower case like this sentence is. If 
not, you're going to probably have your access denied cause you 
showed me you aren't even aware enough to read. I'd really prefer 
you give me your REAL phone number, or somewhere I can reach you. 
I don't voice validate that much, and I don't take your number 
and randomly call it to annoy the hell out of you. Now, all you 
have to do is answer the following questions pretty keenly, and 
I'll give you access. Don't put smart ass answers....you don't 
amuse me when you do that. If it asks you a simple [Yes/No] 
question, don't answer "N" or "Y". Sure what the fuck is that 
supposed to mean...it means you can't type Yes or No. The board 
is mainly for people who like Metal/Speed Metal/Punk/etc and 
intelligent/semi-intelligent users. In other words you should be 
able to carry on a conversation somewhat. If not, you are a waste 
of life roper and ought to go get drunk in some bar and die. Now 
I'm outta here....answer these questions: 
  
                        Leper Messiah 
  
[Ctr-S Pauses : Spacebar Quits] 
  
What is your real FIRST name ? 
  
--ROGER 
  
How old are you ? 
  
--22 
  
What type of computer do you have, 
and what is the maximum baud rate 
of your modem ? 
  
--IBM/2400 
  
Do you phreak, hack, both, or 
neither ? 
  
--BOTH 
  
Do you pirate software and/or 
collect textfiles ? 
  
--Yes 
  
Are you related to any law 
enforcement agency and/or do 
you plan on reporting any 
information from this board to 
  
--No 
  
Who is your favorite musical group 
and how long have they been your 
favorite ? 
  
--Banshee Heaven 
  
Are you a cDc Member? 
  
--No 
  
SPECIFICALLY, where did you get the 
number to this BBS ? [Tell the person's 
handle, the board, or wherever you 
  
--?? 
  
Want to send Leper Messiah 
a Message ? No 
  
Enter a password to use [4-8 Characters] 
:Demon 
  
Grave ID #99 
Password :DEMON 
  
Knife [RETURN] to login to The Dead Zone 
  
[Ctr-S Pauses : Spacebar Quits] 
  
12/24/89 
N00wz that you better fucking read... 
  
Ok, I got pissed off at a certain leech, so I deleted 200+ users 
from the userlist. I did delete a couple I didn't mean to, so if 
you got deleted, and you don't think you deserved it, you're 
probably right and I fucked up. 
  
Next off, if you would like a different user number for some 
reason, [F]eedback me, and I might change it. 
  
If you would like AE access and you aren't going to leech, send 
me [F]eedback.  If you have AE access and you leech, you are 
going to have a large problem. 
  
If you would like upgraded access, [F]eedback me, and if I merit 
that you do, you'll get it. 
  
Lastly....Happy Hannukkah, and Merry Christmas, Have a Good New 
Year, and don't drink and drive....(seriously). Thanks. 
  
|-- Graveyard Shift  :: 01:19:04    12/28/89 
|-- Corpse           :: Roger 
|-- Last Corpse      :: Phantom Of The Opera 
  
|-- Undertaker       :: Leper Messiah 
  
|-- Executioners     :: The Wanderer 
|--                  :: The Interloper 
  
|--There are 17967 fresh graves... 
  
-/- Rue Morgue -f-  :M 
  
Nice fucking accent...why cant you speak like me! 
  
-/- Rue Morgue -f-  :? 
  
    User Menu 
  
B- Bulletin Boards 
C- Scream at Sysop 
D- Display Parms 
F- Feedback to Sysop 
I- System Information 
N- Re-Read System News 
P- Get a Password [Guests ONLY] 
R- Read Mail 
T- Terminate Yourself 
Y- Your Body Status 
  
-/- Rue Morgue -f-  :B 
  
[Central Graveyard 1-100] :R 
  
Sequential Retrieval - Reverse 
  
Start where [-#, L)ast, <CR>-]:L 
  
[Ctr-S Pauses : Spacebar Quits] 
[Knife ENL for next grave] 
  
 ____/ 100.                                           f____ 
____   Re: .                  Demolition War        .   ____ 
 ____  by Madmartigan (#188)                           ____ 
     f 12/27/89 at 23:48:22                           / 
  
  Bush was right to go into Panama.  Otherwise he looks like an 
idiot who can let some wimpy dictator ruin his foriegn policy and 
screw up our image in the world.  He had to do it... 
  
  As for the Dead ZOne going down next year,,...  Thank God! 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 99.                     f____ 
____   I love typos.             ____ 
 ____  by M&M (#7)              ____ 
     f 12/27/89 at 23:10:21    / 
  
        "If I did, me would want more."  That was great. 
  
Psyche is Fuck Me. 
  
Roper::::>  Let me explain this AGAIN.  The lyrics I typed WERE 
NOT Pink Floyd lyrics but ALTERED lyrics.  READ THEM.  <jeez> 
  
        kicker up there reminds me of this asshole that came to 
our school... he was like... "What kind of music do you listen 
know all about him - but the question is, is he a good impression 
on you?"  Fuckin' dick.  I hate ignorant people.  It's fine to be 
stupid but if you don't know what you're talking about DON 'T 
PRETEND! 
  
  M&M 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 98.                                           f____ 
____   I did NOT............................................!   ____ 
 ____  by The Wanderer (#11)                                ____ 
     f 12/27/89 at 22:56:04                                                 / 
  
I did NOT rape SMI2le! There is an easy way to tell if I did it or not. If 
I did it, me would want more. 
  
Insane Fixx - Why would I want to trash my cowboy boots, and why 
would I want to dye my hair blond? A blond with freckles? I think 
not. Of course, I could bleech my skin too..... 
  
Rah! I got me a VCR for x-mas! Now I'm going to have to head down 
to the sordid side of town, say hi to sue as I pass the 
apropriate corner, and buy some trashy videos. The type that most 
of ya'll won't be able to buy for another 5 or 6 years. 
  
Hahahahahahaha! 
  
Tw 
/s 
/dammit! 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 97.                           f____ 
____   pLaNeT cLaIrE                   ____ 
 ____  by The Psychedelic Fur (#209)  ____ 
     f 12/27/89 at 21:42:50          / 
  
i DoN't WaNt YoUr LoVe...i WaNt yOuR sEx 
  
mOhEhAhO 
  
DuStBuStEr:  YoU kNoW jUsT wHaT iT tAkEs AnD wHeRe To 
Go....WhAt MoRe CaN a PoOr BoY dO?...YoU'rE a HaRd AcT tO 
fOLLoW...i just looooove my pastel pink lace underwire push up 
bra and matching panties!  But my crowning glory is the 
sexxxxxxxxxy pink silk nightie I bought...'TiS tOo MuCh FoR 
jUsT oNe GuY tO tAkE!! 
  
AcEybAbY:  Sorry I missed ya...you didn't call me 
back...snif...methinks i am hurt...but i shall recover.  I will 
call ya when i get back from the RaIdEr BoWL. 
  
..i dOn'T wAnT tO sAy i LoVe YoU, ThAt WoULd GiVe AwAy ToO 
mUcH....i DoN't waNt To sAy I wAnT yOu, eVeN tHoUgH i wAnT yOu 
So MuCh....iT's No NeW YeAr'S rEsOLuTiOn, iT's MoRe ThAn 
ThAt... 
  
i just loooove SpLiT eNz! 
  
i think i will get on here early tomorrow morning before i 
leave, and say goodbye...i must pack now and i'm not in the 
mood to "bOn VoYaGe, bAbY!" 
  
             tWo RoAdS dIvErGeD iN a WoOd 
             aNd I - i ChOsE tHe OnE LeSs TrAvELeD bY 
             AnD tHaT hAs MaDe aLL tHe DifFeReNcE... 
  
             ShALL i CoMpArE tHeE tO a SuMmEr'S dAy 
             ThOu ArT mOrE LoVeLy aNd MoRe TeMpErAtE... 
/|             ShE wALkS iN bEaUtY LiKe ThE nIgHt 
             oF cLoUdLeSs CLiMbS aNd StArRy SkIeS 
             aNd aLL tHaT's BeSt Of DaRk AnD bRiGhT 
             MeEt In ThE aSpEcT oF hEr EyEs... 
  
Name the movie, the authors, and who said them...and i'll do 
something eXXXtra special... 
  
oH cApTaIn, mY cApTaIn... 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 96.                            f____ 
____   Death is near so come rape me!   ____ 
 ____  by Smi2le (#83)                 ____ 
     f 12/27/89 at 18:01:59           / 
  
   M&M: You're a sheepfucker, right?  Some come on baby, I'm a sheep. 
  
      Leper: While your at it, buy me a push up jockstrap.  M&M 
just doesn't get the job done anymore. 
  
Have fun! 
  
Meat 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
  
Gee... I may have to remember this for later use.!   (sarcasm) 
  
Hey babe, wanna Pistachio??  (wink, snort, phlegm-hack) 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 92.                                f____ 
____   .              Hootenanny        .   ____ 
 ____  by Leper Messiah (#1)               ____ 
     f 12/27/89 at 11:13:46               / 
  
Oh swell, I'm going to Valley View today, I think I'll stop by 
Vic's Secret also and pick me up something interesting.... 
  
Then again, maybe I won't. 
  
Maybe I'll visit Hastings instead and get some k000000000l album. 
  
GO Away, I wanna burn in hell... 
  
                -There's something I haven't sdaid in a long time. 
  
Or spelled correctly for that matter. 
  
Well, well, well... 
  
Right now I'll go... 
  
somewhere else. 
  
Me 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 91.                           f____ 
____   tHe UnIvErSe Is ExPaNdInG       ____ 
 ____  by The Psychedelic Fur (#209)  ____ 
     f 12/27/89 at 10:42:35          / 
  
SmI2Le:  Me??? LaRgEr tHaN LiFe?  How so?  I tell ya this much, 
if I was "larger than life"  I wouldn't be able to shop at 
ViC's SeCrEt... 
  
And I now have a real bustline... 
  
the most orgasmic thins, besides Godiva chocolates, silk 
lingerie, and great sex, are pistachios... 
  
pHaLLi 
C SyMb 
OLs!!! 
  
Board rape.  Sounds fun.  Reminds me of the time on PiL when 
ol' Karl and myself came up with this guy, "Mr. Awesome", who 
was a homosexual and sent bulk mail to all the guys on the 
board encouraging them to have anal sex, etc.  We had everybody 
fooled. 
  
DaVe:  Methinks you want to do the nasty...:) 
  
munching on a healthful aphrodisiac...sex on the mind...and 
less than 24 hours till I'm off to the bowl... 
  
maybe I'll get some in Birmingham... 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 88. 
____   Re: and that was a song called "Yeah" by... you guessed 
it The Garden Bugs   ____ 
 ____  by Roper (#308) 
     f 12/27/89 at 01:10:20 
  
M&M ---- > O.K. so yer a bigger fuck than I thought, Although I 
was quite impressed that YOU would know the lyrics to a country 
tune. And by the way,... I did listen to the Pink Floyd lyrics 
again,... still sounds suicidal to me. 
  
JUST TRYIN TO HELP WHERE I CAN,... GIMME A BREAK! 
  
Roper 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 83.                            f____ 
____   abcdefghijklmnopqrstuvwxyz....   ____ 
 ____  by Ace of Diamonds (#36)        ____ 
     f 12/26/89 at 11:45:57           / 
  
now i no my abc's wont you come and 
fuck with me..... 
  
suebeast: nononono...ya can beg...but 
 lananananana...oh lana...has moi dik 
 first....cuzzz she luvz to suck it 
 so sweet.....and u 'hate doin that 
 shit'....so, [strike three, yer out!] 
 .....glad ya missed loozer car 54.... 
 its black and white anyway...ack..... 
 yawn....i got sex on the brane....... 
 in multicolor3D vision............... 
 ohyeah...today i'm sposed to kall ya. 
 i think i'm gonna ferget.....duH..... 
  
sycho-correct:aka MaDDFiXX....<i'm soo 
 intelictual>....rahrah....d00d...yer 
 so vEry sTraNGe.......sEE mY SelF iN 
 ThE miRRoR..... 
  
SOMEBODY GET ME A DOCTOR!!!! 
  
   need some new lyrix besides wiggin' 
       dance tunez.....hmmmm.......... 
  
what's everyonez fav EmptyVee video... 
  
i must admit that my MeTalHeAd has 
    turned soft cuz...i lUUUUUv 
      paula halfbake abdul's 
          The Way that U luv Me.... 
  
i lust everything in that video.... 
     her bod, stereo equip, visagold 
       (which i have already), mazerati 
         90'yackt, black limozine, 
          pearl necklace ..(both kindz) 
  
etc.....but most of all ....iz her 
        tItz.......yumyumyum 
  
               gOts tO mAil Rezumayz, 
                      AoD 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
 ____/ 77.                                f____ 
____   ..lOOks like rED skies at niTe....   ____ 
 ____  by The Madd Fixx (#142)             ____ 
     f 12/25/89 at 23:47:35               / 
  
                buT of cOurse.... 
  
                        tiN-roOf.... 
  
                                ruSTed! 
  
     duDes.. i haD a pretty rocKin' ChrisTmas.. goT me a cD player... aND 
             daT suIts me fiNe.... i goT dis biTchin' Indiana joNes lookin' 
                 haT... it roCks.. 
  
                        aNYone ever seen cherrIes in liquoR?.... hO yAh... 
  
                                yuMyUm... piTS and all...sluRpsLUrp! 
  
            maN..we're just frying this message base with wiErdo messages.. 
                        buT hEy.. doN't coomplain...we're posTing.... 
  
        m&m... so quE pasa with aNGie, eH?... 
  
           mY mountain hideaway...maybe next year.............. 
  
                   pSYchE..raH..everytime i listen to spLit enZ, the b's, 
                     or doOOrandOooran, it reminds me oF yOUze.... (awW. 
                           aIn't tat sweEt! HahA!).. shaKe a tail feaTher... 
  
                                you're about as eaSy as a nuClear waR.... 
  
                           ...(of course, i'm not saying that there's 
                                        any similarity... <eviLish griN>...) 
  
                                                        oh...what'snext.... 
  
                        damn i'm boRed...goTTa sliP me in anudder cD.... 
  
                                yEee-haAAa! daMn i'm HiP!... <smiRk>... 
  
  
                plEAse pleAse tell me noW.... cuZ i wanna RoAm in your 
                  buuUuusssshhhhh----fiiIiire!... 
  
                        aND i think it's about to bReak.... 
  
    smiL3e...chiLL hoMie.. reLax..doN't do iT.. set your miNd righT to It. 
  
                        thERe's a chance you could be righT.... 
  
                                                        anOther glaMoRous 
                                                peFeroRmaNce by mE...aNd i.. 
  
                                                                mR. 
                                                                bUStin' 
                                                                DuStiN!! 
  
[A]utoReply [N]ext [R]eread [Q]uit: 
  
Central Graveyard: 
  
  [#]-Read Number [N]ew Graves [Q]uit 
  [G]lobal Q-scan [J]ump       [L]ist 
  [F]rd. Read     [R]vrs. Read [S]can 
  [>]Next Bd.     [<]Prev. Bd. [K]ill 
  [P]ost          [T]erminate Session 
  
  
Spread the Disease [-[-[-[-[-[-[-    -]-]-]-]-]-]-] Spread the Disease 
[Central Graveyard 1-100] :> 
-/- Rue Morgue -f-  :< 
  
Nice fucking accent...why cant you speak like me! 
  
    User Menu 
  
B- Bulletin Boards 
C- Scream at Sysop 
D- Display Parms 
F- Feedback to Sysop 
I- System Information 
N- Re-Read System News 
P- Get a Password [Guests ONLY] 
R- Read Mail 
T- Terminate Yourself 
Y- Your Body Status 
  
-/- Rue Morgue -f-  :T 
  
[] Violent Termination [] 
  
                         *************** 
  
That's it! So much for contemporary education through age 
16! 
                 >--------=====END=====--------< 
! 
       JB  ZZZZ 
