Unprotect for Smarterm 100 release 4.0g1
by Elub Xob

Smarterm 100 is installable on your hard disk, and can run without a key-floppy in place. Nice so far. Unfortunately, the Persoft folks are too cheap to include an uninstall utility, so if you want to reformat your hard disk and you play the game by Persoft's rules, you need to buy another copy of their program. This is unfair in our opinion, so we have worked out this patch to try to even up the score.

This section is a short description of Persoft's protection method. If you just want to get to the good part, you can skip on down to "Patch method" below.

The protection method for this program, called Pertect, consists of two distinct algorithms:

First, a bizarre format diskette is used for running from diskette, and for installing on the hard disk. The presence of the bizarre track is checked during the startup.

Second, a trivial encryption scheme is used to encode a 256 byte buffer containing your program serial number (which is stored in the bizarre track), the time and date of installation on the hard disk, if any, and other unimportant data. During normal operation, the plaintext data is re-encrypted and compared against the coded copy using a key that is supplied from the bizarre track (if you are running from the floppy) or from the cluster address and directory position of a hidden file named ST100.HDI if you are running from the hard disk.

If the comparison fails to match at load time, the program tries to look for the bizarre diskette in drive A: and will fail if the disk is not present. If the comparison succeeds during loading (or is ignored during loading) but fails during normal operation, the program displays the misleading message:

    "Checksum error, possible bad diskette"

and hangs up your system by executing a return to a zero stack. Cute. All of the logic for the scheme is contained in ST100.EXE.

Our unprotect method consists of patches that trick the program into always performing as if it is running from hard disk, even if it is not, and other patches to ignore the wrong checksum. The hidden file mentioned above is not needed after you apply the patches.

In case you were wondering, the program determines whether it is running from floppy disk by examining the BIOS MOTOR_STATUS flag at 0043F. If this flag is non-zero (meaning that any floppy is running), the program assumes it was loaded from a floppy.

PATCH METHOD

This patch is applied to a COPY of the distribution diskette. It need not, and should not, be applied to your original. The program that results from this patch contains no copy protection checking, and will run anywhere. There is no need to install the program on a hard disk before applying this patch, nor is there any reason to write ANYTHING on your distribution diskette.

PLEASE INSTALL A WRITE PROTECT TAB ON YOUR DISTRIBUTION DISKETTE BEFORE PROCEEDING WITH THIS PROJECT.

1) Use the DOS copy command to copy all files from the distribution diskette to another diskette, or to your hard disk. All subsequent steps are performed on the COPY you just made.

2) Rename st100.exe to st100.xxx on the COPY.

3) Enter DEBUG ST100.XXX

4) At the debug prompt, enter the following commands:

    E 111E 31 C0 88 46 02   ;was 8A 46 02 30 E4   fakes out floppy test
    E E873 EB 15            ;was 8B E5
    E E8A5 EB 27            ;was 8B EC
    E E915 EB               ;was 74
    E E9AA EB               ;was 74
    E E9E6 EB               ;was 74
    E EABB EB 46            ;was 8B E5
    E EB2B 57 89 CF         ;was 8B E5 8D
    E EB2E C7 45 0C 30 30   ;was 86 A6 00 50 8D   Installs the esthetically
    E EB33 C7 45 0E 30 30   ;was 86 9E 00 50 8D   pleasing serial number
    E EB38 C7 45 10 30 30   ;was 86 92 00 50 8D   "000000".
    E EB3D 5F EB 06         ;was 86 86 00
    E EB92 E9 05 01         ;was 8D 86 A6
    E EBB5 EB               ;was 74
    E EBD6 EB               ;was 75
    E EC03 EB               ;was 74
    E ECAE EB               ;was 74

5) The next two patches must be entered in an address above debug's 64K built-in limit.
This is done by adjusting the DS register as follows:

Still in debug, enter "R DS" without the quotes. Debug will respond with a four digit hex value in the format "DS 2F54". The value 2F54 here is a hypothetical value for illustration of the method. It will be different on your machine. After displaying the hex value, debug will wait at a colon prompt for you to enter a new value for DS. Compute your new value by adding 100 hex to the debug response, and type in the sum. In our example, type 3054.

6) Enter the final two patches:

    E F792 75 0B   ;was 8B 1E; address is actually 10792
    E F880 75 0B   ;was 8B 1E; address is actually 10880

7) Write the modified file to disk and quit debug by entering:

    W
    Q

8) And finally, rename ST100.XXX to ST100.EXE. This is your unprotected version.

Elub Xob (obviously her real name) expended many long hours slaving over a hot keyboard to generate this patch. She would appreciate that others not take credit for her ingenuity, for even though the success of this endeavor is a superb reward unto itself, Ms. Xob harbors enough (theologically acceptable) pride to feel betrayal when others claim her work as their own.

Ms. Xob would appreciate hearing from users of this patch, especially if you are having trouble with it. The SYSOP of this BB might know how to reach Ms. Xob, and then again he/she might not.

Happy Computing!

May 1, 1986
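
The segment arithmetic behind step 5, worked through as an added example that is not part of the original text: in 8086 real mode a physical address is segment times 16 plus offset, so raising DS by 100 hex moves the 64K window up by 1000 hex bytes. The function names are hypothetical, and 2F54 is the text's own illustrative DS value.

```python
# Real-mode 8086 addressing: physical = segment * 16 + offset on a 20-bit bus.
ADDR_MASK = 0xFFFFF   # 1 MiB address space; addresses wrap at 20 bits
PARAGRAPH = 16        # one unit of a segment register covers 16 bytes


def linear(segment, offset):
    """Physical address for segment:offset in real mode."""
    if not (0 <= segment <= 0xFFFF and 0 <= offset <= 0xFFFF):
        raise ValueError("segment and offset are 16-bit values")
    return (segment * PARAGRAPH + offset) & ADDR_MASK


def rebase(ds, rel_addr, bump=0x100):
    """Express an address relative to the original DS:0000 as
    (new_ds, offset) after raising DS by `bump` paragraphs."""
    new_ds = ds + bump
    offset = rel_addr - bump * PARAGRAPH
    if new_ds > 0xFFFF:
        raise ValueError("segment register would overflow")
    if not 0 <= offset <= 0xFFFF:
        raise ValueError("target is outside the 64K window for this bump")
    return new_ds, offset


def relative_address(ds_orig, ds_now, offset):
    """Distance of ds_now:offset from the original DS:0000."""
    return linear(ds_now, offset) - linear(ds_orig, 0)


if __name__ == "__main__":
    ds = 0x2F54  # illustrative value taken from the text
    for shown in (0xF792, 0xF880):
        rel = relative_address(ds, ds + 0x100, shown)
        print(f"{ds + 0x100:04X}:{shown:04X} is {rel:05X} from {ds:04X}:0000")
```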