Category : Unprotects for Games and Such
Archive   : DRHALO.ZIP
Filename : DRHALO.UNP

Output of file : DRHALO.UNP contained in archive : DRHALO.ZIP
DRHALO - Unprotect
Based on The Lone Victor's

The following instructions show you how to bypass the SoftGuard
copy protection scheme used on DRHALO. This is the same
scheme used for FrameWork 1.10 and for Wordstar 2000 1.00. Wordstar
2000 version 1.10 does not use a copy protection scheme, while versions
1.00 of dBase III and FrameWork used ProLock. To unprotect Prolock disks
read the file PROLOCK.UNP.

First, using your valid, original DRHALO diskette, install it on
a fixed disk. Softguard hides three files in your root directory:
CML0200.HCL, VDF0200.VDW, and DRHALO.EXE. It also copies DRHALO.COM into
your chosen DRHALO directory. DRHALO.EXE is the real DRHALO program,
encrypted. When you run DRHALO, the program DRHALO.COM loads CML0200.HCL
high in memory and runs it. CML decrypts itself and reads VDF0200.VDW.
The VDF file contains some code and data from the fixed disk FAT at the
time of installation. By comparing the information in the VDF file with
the current FAT, CML can tell if the CML, VDF, and DRHALO.EXE files are
in the same place on the disk where they were installed. If they have
moved, say from a backup & restore, then DRHALO will not run.

Second, un-hide the three files in the root directory. You can do
this with the programs ALTER.COM or FM.COM found on any BBS.

Make copies of the three files, and of DRHALO.COM, into some other

Hide the three root files again using ALTER or FM.

Following the DRHALO instructions, UNINSTALL DRHALO. You can now
put away your original DRHALO diskette. We are done with it.

Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG. These patches will keep it from killing our
interrupt vectors.

debug cml0200.hcl
e 3F9 2A.4A ; change the 2A to 4A
e 49D F6.16 ; if any of these numbers don't show up
e 506 E9.09 ; it's not working.
e A79 00.20 ;
e AE9 00.20 ;
e 73C 97 FA FA F4 F1 7E ; this is an encrypted call to 0:300
w ; write out the new CML file
q ; quit debug

Now copy your four saved files back into the root directory and
hide the CML0200.HCL, VDF0200.VDW, and DRHALO.EXE files using ALTER or FM.

We can now run DRHALO.COM using DEBUG, trace just up to the point
where it has decrypted DRHALO.EXE, then write that file out.

debug dRHALO.COM
r ; write down the value of DS for use below.
a 0:300 ; we must assemble some code here
pop ax
mov [320],ax ; save return address
pop ax
mov [322],ax
push es ; set up stack the way we need it
mov ax,20
mov es,ax
mov ax,0
jmp far ptr [320] ; jump to our return address

g 406 ; now we can trace CML
g 177 ; this stuff just traces past some
g 1E9 ; encryption routines.
g 54E ; wait while reading VDF & FAT
g=559 569
g=571 857 ; DRHALO.EXE has been decrypted
rBX ; length DRHALO.EXE = 29200 bytes
:2 ; set BX to 2
:9200 ; set CX to 9200.
nDRHALO ; name of file to write to
w XXXX:100 ; where XXXX is the value of DS that
; you wrote down at the begining.
q ; quit debug

Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW,
and DRHALO.EXE. Delete DRHALO.COM and rename DRHALO to DRHALO.EXE. This is the
real DRHALO program without any SoftGuard code or encryption. It requires
only the font and config files to run.

  3 Responses to “Category : Unprotects for Games and Such
Archive   : DRHALO.ZIP
Filename : DRHALO.UNP

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 I’d be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: