I was shocked that after watching a stupid Video Tape
critisizing and Stating how stupid Hackers and Pirates are (Which is
not true of course), that the school is using pirated software? Yes,
that's right, If you will notice the next time you use Print shop in
the computer room, that it says "Cracked By Mr. Krackman." So I've
decided to start a column on unprotecting IBM programs... To start it
off, here's one for News Room and Kings Quest III.
The following debug session will alow you to copy the Newsroom files to any
disk and run them from that disk.
However, the Newroom program will still want you to enter the clip-art disks
in drive A: and any banner, panel, or wire service disks in will also have to
be put in drive A:.
None of the disks need any copy protection, so therefore can be copied from
disk to disk and still be run.
Just follow the instructions carefully.
First copy all the Newsroom files on to a clean disk.
Also copy the Debug program on to the same disk.
RENAME NWSRM.EXE 1
DEBUG 1
-E 691A EB 41
-E 6973 90 90
-E 6977 EB 25 90
-
{THE FOLLOWING PORTION IS TELLING THE NEWSROOM DISK WHERE TO FIND CERTAIN FILES
SUCH AS LOGO.PIC, NRTITLE.PIC, NRSETUP, ALONG WITH ALL THE PRINTER AND MODEM
CONFIG TABLES.}
AT THE FOLLOWING LOCATIONS ENTER THE APPROPRIATE HEX VALUE:
FOR DRIVE A: 41
FOR DRIVE B: 42
FOR DRIVE C: 43
FOR DRIVE D: 44
-E 8F4B XX
-E 92D2 XX
-E 9316 XX
-E 9349 XX
-E 9354 XX
-E 9B59 XX
-E 9B66 XX
-E 9B73 XX
-E 9B8F XX
-E 9BA5 XX
-E 9CD4 XX
-E 9D9D XX
-E 9DAA XX
-E 9DB7 XX
-E 9DCE XX
WHERE XX = THE DRIVE NUMBER DESIGNATED ABOVE
That's all there is to it. Now just copy it over to any disk you want and
run it from there. Just remember that it is going to look for certain files
on the drive that you told it before in the debug session.
NPROTECTING KINGS QUEST III - IBM PC VERSION
---------------------------------------------
To unprotect Kings Quest III, you will need a DOS disk with DEBUG.COM,
the original master diskette 1, a freshly formatted diskette, and
about 15 minutes.
Boot the system with a standard DOS disk and answer the date and time
prompts. Place the Kings Quest disk in the A drive and the DOS disk
with DEBUG in the B drive. Enter the following lines, explanations and
non key strokes are shown in parenthesis.
A>B:DEBUG SIERRA.COM
-G100,3E4 (during this time the KQ disk will run,
you will be prompted to press ENTER twice)
(remove the KQ disk and place the freshly formatted diskette in the A drive)
-A100
xxxx:0100 JMP F10
xxxx:0102 (just press ENTER here)
-AF10
xxxx:0F10 MOV AX,CS
xxxx:0F12 MOV DS,AX
xxxx:0F14 MOV ES,AX
xxxx:0F16 MOV SS,AX
xxxx:0F18 MOV SP,2C1
xxxx:0F1B MOV BX,9E
xxxx:0F1E MOV AH,4A
xxxx:0F20 INT 21
xxxx:0F22 MOV AX,1C0D
xxxx:0F25 MOV BX,70
xxxx:0F28 MOV CX,1
xxxx:0F2B MOV DX,1A00
xxxx:0F2E MOV BP,0
xxxx:0F31 MOV SI,636
xxxx:0F34 MOV DI,1C1
xxxx:0F37 JMP 3E4
xxxx:0F3A (just press ENTER here)
-RCX
0001:0E3A
-W
0E3A Bytes Written
-Q
A>
(Place the original KQ disk in the B drive and enter the following.
(Have fun! KQ should also be able to be used on a hard drive with this
procedure, but hasn't been tried.)
----------------------------------------------------------------------
Here's a little Tutorial on how to Crack games..
+------------------------------------------------------------------------------+
| |
| Cracking Tutorial 1 |
| By Captain Quazmo |
| (INT 13 and DOS files) |
+------------------------------------------------------------------------------+
This is a Tutorial on Cracking. Let's start out with a simple defintion
for the word "CRACKING". Cracking is the art or STRIPPING the protection off a
disk or file. Thus allowing that program to run on a Hard Disk or be copied
freely. In the case of a whole disk, the disk must be decoded and converted
into a file. This process is rather hard to do so I will discuss it in
ter Tutorial.
In this tutorial, I will explain how to beat the "INT13 Protection".
this routine is used on most disks today. In this tutorial I will make
refrence to these programs
LOCKSMITH - Aplha Logic
PCWATCH - IBM
FSD - IBM
You can use these programs or any others that
do the same things. DiskMechanic will work in place of Locksmith (used for
analyss of Track information.) TRAP13 will replace PCWATCH (to find where
the program access INT 13h), and dos's DEBUG will surfice for FSD. Please
remember that if you use DEBUG on and ".EXE" file, you will first need to
rename it "filename.ZAP" and when in debug, all address are +100h.
In this tutorial, We will go thru and crack "The Ancient Art of War".
we will start by analyzing the disk with Locksmith and End of Changeing it with
DEBUG (if you are asking why I am using debug, when I cracked it I didn't have
FD.)
The first thing we will do is analyze the disk with LOCKSMITH. We search
both sides of the disk using the "Analyze" command in the track menu. We mark
down the sector that have high SECTOR NUMBERING, WRONG N SIZE, or CRC ERRORS.
Make carefull note of these numbers for we will need them in the future.
Now Exit Locksmith and Enter PCwatch. EXCLUDE everything in window #1 execpt
"CARRY FLAG SET", INCLUDE [F1] this. Go over to window #3 and hit PgDn until
you see the INT13 options. INCLUDE "READ SECTOR". In window #2 tell it to
output to printer. Now exit the program [F4]. Place the AAOW (ancient art of
war) disk in drive A:. Type "A>WAR". The Game will load but slowly and the
printer will run. When the game is loaded replace the AAOW disk with DOS and
reboot. Take the listing and examine it. Forget about any call from
[0070:xxxx] for these are used to load in the program.
Now make a copy of you war disk using DISKCOPY or LOCKSMITH sector copy.
This will be out work cpy. Debug the main program on the disk [WAR.EXE].
Examine the listing from PCWATCH. Find the First address [nnnn:XXXX] besides
[0070:xxxx]. In AAOW it is or rather should be [nnnn:8BDA]. unassemble [U]
10 bytes back [U 8BAA]. This allows us to see the int13. The next instruction
after the CD 13 [INT 13h] should either be a CMP or a JMP of some sort. In
most protection routines usually have a JC or JB after their INT13.
You must decide now what is needed to be done here according to the jumps
seen. If a JC or JB follow INT13 then try this. Replace INT13 (2 bytes CD 13)
with STC & NOP. These 2 command SET the CARRY Flag. If the program Doesn't
rechange "STC" to "CLC". The CLC is one of the most used ways to get around
INT13 protection. AAOW uses "CLC". It goes out and looks for a Sector. If
it is not found then it has an Error. The CLC hardwires the Error. Write
the file out again.
You have now cracked your first program (with a little HELP.) You can
use this techinque on st DOS files. Please remember, after you crack
something, leave the UNPROTECT on your local board so other can use them.
----------------------------------------------------------------------
Captain Quazmo....Leader of the AT&T Underground..............
----------------------------------------------------------------------
Here's an underground Newspaper on Kracking...
+----------------------------------------------------------------------------+
| |
| KRACK |
| April 1986 |
| Volume 1 Number 1 |
| |
+----------------------------------------------------------------------------+
You are reading KRAK, the official Kracking Textfile. This file is put
out by the Cellar Elite. Captain Quazmo is the Head editor.
If you wish to submit articals to KRACK just upload a Text file in IBM
PC format to one of the official KRACK boards. Krack is for all type of
computers. Apple and C/64-128 users let's get going.
+----------------------------------------------------------------------------+
| |
| Cracking NewsRoom |
| IBM-PC format |
| |
| Captain Quazmo |
| |
+----------------------------------------------------------------------------+
There are a couple of unprotects going around for this piece of software.
This one is rather short but others make you change 51 other bytes that seem
to be unneeded. You will need DEBUG for you dos diskette and a Copy (doesn't
matter if it works) of NewsRoom.
At Dos: A> Ren nwsrm.exe nwsrm.zap
A> Debug nwsrm.zap
-E 691A EB 41
-E 6973 90 90
-E 6977 EB 25 90
-W
-Q
A> Ren nwsrm.zap nwsrm.exe
A> Debug nwsrm1.ovl
-E 05db 8B 46 04 89 46 FE 3B 46 04
-W
-Q
A> Debug nwsrm22.ovl
-10C6 B8 05 43
-W
-Q
You now have a working copy of newsroom. The only not is that all file
most reside on drive A:. Assign can be use to allow this program to work
on a hard drive.
+----------------------------------------------------------------------------+
| |
| Defeating Prolock |
| from the Locksmith Procedures manual |
| |
+----------------------------------------------------------------------------+
You will need: Dos DEBUG
A formatted Blank diskette
A non working copy of the program
This tutorial show how defeat prolock on dBASE III but can be used for most
prolocked disks.
A> Debug DBASE.exe
-R
You will now see whats in the registers. Record the values
-U
-U
Look for a LOOP instruction. The next instruction will be a XCHG.
Using the Address in the first column [091B:XXXX 92 XCHG DX,AX]
enter -G XXXX
-S 100 3000 83 c4 08
Some address will be listed. Take the last address 091b:XXXX and
-A XXXX
XOR AX,AX
RET
Press Return twice until the "-" prompt. enter
-S 100 3000 C0 45 F8
This will display a single value [091B:XXXX]. use it and enter
-E XXXX 0B 46
-M 0:c f 0:200
Prolock will test for the original diskette enter
-R BX
0001
-R CX
When prompted enter the original value of CX
-N TEMP
-S 100 3000 4D 5A
Several values will be displayed. Remove the program disk and
insert the black disk and type
-W 1A50
-Q
A> Ren temp dbase.exe
+----------------------------------------------------------------------------+
| |
| LockSmith Instructions |
| IBMpc Format |
| |
+----------------------------------------------------------------------------+
Locksmith is in my oppion the BEST copy program for the IBMpc. Using
Special Parameters Locksmith can copy almost anything. I hope to explain to
all you PC Pirates how to use this great program. This is first in a 2 part
series on the use of locksmith.
Status Line - This line show all messages from Locksmith. I give discriptions
In the main and secondary menu modes.
Drives: A: > B: - The first letter [A:] is the Source drive and the second
letter is the Target drive
Drive - Change Drive information
Letter - Change the Source & Target drives
Controller - Change the FDC control codes
Track - Track Utilitys
Analyze - Analyze the selected track showing their N value and
any Errors.
Backup - Copy selected track from Source to Target drives
Format - Format selected track in Regular/IrRegular formats
Erase - Erase selected track to the Fill Byte
Hidden - Search for irregular sector sizes and number
Read - Read in a selected track
Write - Write out a selected track
Compare - Compare tracks with information in BUFFER
Print - Print out Track Buffer
Secoter - Sector Utilitys
Backup - Fast copy [35 sec.]
Read - Read in sectors
Write - Write out sectors
Compare - Compare sectors with memory
Options - Set up Locksmith's parameters
Misc - Misc. Functions
Reset - Reset all information to Default
PrintSetup - Redefine the print tables
Search - Define a string to Search for
Quit - Quit to DOS [A>]
Window #1: Current Track Window. This window is used for selecting what
Tracks are to be used. To get to this window press the [F1] key.
If a number (Track) has a "." under it then it is to be used.
The SPACEBAR is used to toggle a single Track. The "+" key is
used to toggle the whole side of a disk. Left and Right Arrows
keys are used to move the cursor.
Window #2: This is the Sector window. Here you will find the Size (N) and
the Error in the sector if any and the percent of the track taken up
by that sector. By examine the sector's number you can find out how
how the sectors are really numbered because some protection schemes
use abnormal sector numbering. HOME will take you to the top of the
screen to the Number of sectors [SECTORS: 00] prompt. This is used
in creating your own protection schemes which will be explained in
the next issue of KRACK: [F2] get this window
Window #3: The data window can be used to examine, edit and create data to
be written out to the disk. So protection schemes need certain
bytes to be changed. [F3] get you here while [F9] toggle Ascii/Hex
display. If a search string has been entered then [F10] will start
the search.
Copying something with locksmith is pretty easy. If the disk is unprotected
then use the BACKUP in the SECTOR utilitys. If the disk is protected then
you must use the BACKUP in the TRACK utilitys. The best way to copy a
protected diskette is the first to Slow Copy the whole disk [TRACK utilitys]
then write down any odd tracks (more sectors than the other errors etc.).
Use Fast copy [SECTOR utilitys] to copy similar track then use Slow copy to
copy the Fuckup tracks.
Lotus 123: Slow Copy Side 0 tracks 3,7 and Side 1 track 4. Fast copy the rest
Harvard Project Manager v 1.1: Fast Copy all track the Analyze side 1 track 1A
Edit buffer and change address 0F46 to 01
Office Writer: Fast copy all track. Copy tracks 28,29 both sides
Super Cala: Fast Copy all Tracks
Infocom: Slow copy all tracks
WordStar 2000: Fast copy all tracks
XYWrite II: Fast copy all tracks
+----------------------------------------------------------------------------+
| |
| Official KRACK Boards |
| |
+----------------------------------------------------------------------------+
Do you want your board to be an official Krack board. Just leave a message
on one of the current Krack Boards.