Category : Unprotects for Games and Such
Archive   : MORE_UNP.ZIP
Filename : SIERRA.TXT

 
This file is a description of how to unprotect the games written by SIERRA.
This file assumes a knowledge of DEBUG.COM and 8088 Assembly language. In
any case, I assume no responsibility for the use or misuse of this info.
It is provided for the use of legitimate owners of Sierra's game products.


--- Mike Flynn ---

WHAT YOU WILL NEED:

In order to implement this, you must have the original Sierra game disk, or
this will not work. I have selected two of the most recent Sierra games to
use as examples. They are the 3-D Helicopter game and Space Quest ][. A
sample disassembly of each is included below. This technique should work
on any of the recent editions of Sierra's games (i.e. King's Quest I/II/II).


THE BOTTOM LINE...

On all of the recent Sierra game disks there is a loader program that you run
in order to play the game. It is usually called SIERRA.COM. The only
exception is the helicopter game, where it is called HELI.COM. Load the file
into debug. Use the R command and record the contents of the CX register.
The first instruction is always a jump to the initialization code.
Disassemble this code. Either in the first or second screen of code,
you will see REPZ followed by MOVSB. Directly following this will be a
series of calls. There may be 3 or 4 calls in a row. We are interested in
the second to the last call in the series. This is a call to the disk check
routine.

Now, put your original game disk in drive A: and use the debug GO command to
execute all of the initialization code up to the call following the disk check
call. Once it has read the disk, and we are back in debug, assemble 3 NOP
instructions over the disk check call. Then set BX to zero (it will have a 5
in it), and CX back to its original value when we loaded the program. Then
write the file back out, and that's it! Below you will see the two
examples that I have provided.

HAVE FUN!

Mike Flynn


------------------------------------------------------------------------------

Sierra's 3-D Helicopter Simulator

------------------------------------------------------------------------------


This is a dump of the regs after debug loads HELI.COM.
Remember to record the value of CX for saving the program
when you are done patching it.

AX=0000 BX=0000 CX=0AF6 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000
DS=22BE ES=22BE SS=22BE CS=22BE IP=0100 NV UP EI PL NZ NA PO NC
22BE:0100 E93602 JMP 0339

Here we have a disassembly of the HELI.COM initialization code.

22BE:0339 FA            CLI
22BE:033A 8CC8          MOV     AX,CS
22BE:033C 8ED0          MOV     SS,AX
22BE:033E 8D26C102      LEA     SP,[02C1]
22BE:0342 FB            STI
22BE:0343 E87107        CALL    0AB7
22BE:0346 8D1EF60B      LEA     BX,[0BF6]
22BE:034A 83C30F        ADD     BX,+0F
22BE:034D B104          MOV     CL,04
22BE:034F D3EB          SHR     BX,CL
22BE:0351 B44A          MOV     AH,4A
22BE:0353 CD21          INT     21
22BE:0355 8D3E2403      LEA     DI,[0324]
22BE:0359 BE8000        MOV     SI,0080
22BE:035C 33C9          XOR     CX,CX
22BE:035E 8A0C          MOV     CL,[SI]
22BE:0360 41            INC     CX
22BE:0361 F3            REPZ
22BE:0362 A4            MOVSB
22BE:0363 E81706        CALL    097D
22BE:0366 E87D03        CALL    06E6        <---- Here is the call to the disk check
22BE:0369 E89A00        CALL    0406        <---- In debug say G369 to allow the
22BE:036C A31503        MOV     [0315],AX         above call to check the disk.
22BE:036F 8D16C102      LEA     DX,[02C1]         Then NOP out the call at 366 and
22BE:0373 E82900        CALL    039F              write the file back out.
22BE:0376 7310          JNB     0388
                                                  Remember to set up BX to 0
                                                  and CX to the value when
                                                  debug loaded this.

------------------------------------------------------------------------------

Space Quest ][

------------------------------------------------------------------------------

This is a dump of the regs after debug loads SIERRA.COM.
Remember to record the value of CX for saving the program
when you are done patching it.

AX=0000 BX=0000 CX=0C31 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000
DS=22BF ES=22BF SS=22BF CS=22BF IP=0100 NV UP EI PL NZ NA PO NC
22BF:0100 E99D02 JMP 03A0

Here we have a disassembly of the SIERRA.COM initialization code.

22BF:03A0 FA            CLI
22BF:03A1 8CC8          MOV     AX,CS
22BF:03A3 8ED0          MOV     SS,AX
22BF:03A5 8D26C102      LEA     SP,[02C1]
22BF:03A9 FB            STI
22BF:03AA E83708        CALL    0BE4
22BF:03AD 8D3E7A03      LEA     DI,[037A]
22BF:03B1 BE8000        MOV     SI,0080
22BF:03B4 33C9          XOR     CX,CX
22BF:03B6 8A0C          MOV     CL,[SI]
22BF:03B8 41            INC     CX
22BF:03B9 F3            REPZ
22BF:03BA A4            MOVSB
22BF:03BB E8CD00        CALL    048B
22BF:03BE E8E906        CALL    0AAA
22BF:03C1 E82E04        CALL    07F2        <--- call to disk check
22BF:03C4 E8B500        CALL    047C        <--- in debug, say G3C4 to let
22BF:03C7 8D16C102      LEA     DX,[02C1]        this call get executed.
22BF:03CB E84700        CALL    0415             then NOP the call out and
22BF:03CE 7310          JNB     03E0             write the file out, and
22BF:03D0 8D36D102      LEA     SI,[02D1]        BINGO!
                                                 Remember to set up BX to 0
                                                 and CX to the value when
                                                 debug loaded this.
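
A consistency check on the two listings above, added here as an example and not part of the original file: it decodes the relative displacement of each CALL/JMP/JNB from the opcode bytes DEBUG printed and confirms it matches the printed target, which also shows that each near CALL occupies 3 bytes. The sample lines are copied from the listings; the function names are this example's own.

```python
import re

# Lines copied from the HELI.COM and SIERRA.COM listings on this page.
LISTING = """\
22BE:0100 E93602 JMP 0339
22BE:0343 E87107 CALL 0AB7
22BE:0363 E81706 CALL 097D
22BE:0366 E87D03 CALL 06E6
22BE:0369 E89A00 CALL 0406
22BE:0373 E82900 CALL 039F
22BE:0376 7310 JNB 0388
22BF:0100 E99D02 JMP 03A0
22BF:03C1 E82E04 CALL 07F2
22BF:03C4 E8B500 CALL 047C
22BF:03CE 7310 JNB 03E0
"""

# segment:offset, opcode bytes, mnemonic, optional operand
LINE = re.compile(r"^([0-9A-F]{4}):([0-9A-F]{4})\s+([0-9A-F]+)\s+(\S+)\s*(\S*)")

def decode_target(offset, raw):
    """Return (length, target) for a relative CALL/JMP/Jcc, else None."""
    op = raw[0]
    if op in (0xE8, 0xE9) and len(raw) == 3:            # CALL / JMP rel16
        rel = int.from_bytes(raw[1:3], "little", signed=True)
    elif (op == 0xEB or 0x70 <= op <= 0x7F) and len(raw) == 2:  # short jumps, rel8
        rel = int.from_bytes(raw[1:2], "little", signed=True)
    else:
        return None
    # The displacement counts from the next instruction; offsets wrap at 64 KiB.
    return len(raw), (offset + len(raw) + rel) & 0xFFFF

def check_listing(text):
    """Yield (offset, mnemonic, printed_target, decoded_target, length)."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        offset, raw = int(m.group(2), 16), bytes.fromhex(m.group(3))
        decoded = decode_target(offset, raw)
        if decoded is None:
            continue  # not a relative branch (MOV, LEA, INT, ...)
        length, target = decoded
        yield offset, m.group(4), int(m.group(5), 16), target, length

def mismatches(text):
    """Rows where the printed operand disagrees with the encoded bytes."""
    return [row for row in check_listing(text) if row[2] != row[3]]

if __name__ == "__main__":
    for off, mnem, printed, target, n in check_listing(LISTING):
        print(f"{off:04X} {mnem:<5} printed={printed:04X} decoded={target:04X} len={n}")
```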



  3 Responses to “Category : Unprotects for Games and Such, Archive : MORE_UNP.ZIP, Filename : SIERRA.TXT”

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 It’d be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: http://www.os2museum.com/wp/mtswslnk/