Category : Unprotects for Games and Such
Archive   : MORE_UNP.ZIP
Filename : ULTIMA.TXT

 
Output of file : ULTIMA.TXT contained in archive : MORE_UNP.ZIP
The copy-protection scheme used in ULTIMA II is also used by
PROKEY 3.0 and several other programs. The approach I outline
here works with any of these that are in COM file format. If
anyone can improve it to work for EXE files PLEASE post it.
This general copy scheme uses a short sector of 256 bytes to
store an essential piece of the program code. On startup, location
100H contains a JMP instruction to the code which reads this
short sector. Locations 103H - 110H contain HLT instructions (hex F4).
After the sector is read, its contents are overlayed onto locations
100H - 110H, replacing the dummy instruction codes. A branch to 100H
then begins the actual program.
All we need to do is to stop execution after the changes are
made and write down the contents of 100H - 110H; reloading the
program and POKEing these changes results in an unprotected program.
Here's how its done:
(1) Put PROTECTED disk in A: (you can write-protect it for safety)
and a disk containing DEBUG in B:
(2) A: Make A: the default.
(3) B:DEBUG ULTIMAII.COM (or PKLOAD.COM, LAYOUT.COM...)
(4) -u 0100 Tell DEBUG to disassemble 0100-0120
DEBUG responds with:
0100 JMP 88A0 (or whatever)
0103 HLT
0104 HLT ...etc.
(5) -u 88A0 Look at short-sector decrypting code.
DEBUG responds with:
88A0 JMPS 88A7 Next "statements" are data locations; ignore.
(6) -u 88A7 Now look for where program restarts at 100H.
DEBUG responds with:
88A7 CALL 88C4
88AA CALL 892E
88AD JC 88BF (If Carry is set, the disk is a copy. Go to DOS!)
...
88BA MOV AX,0100
88BD JMP AX Paydirt! If you got this far, the program has
... written the REAL code into 0100 - 0120H.
(7) -g 88BD Tell DEBUG to run the program, stop here.
(8) -d 0100 011F Dump out the changed code.
DEBUG responds with:
8C C8 05 25 07 8E D8 05-10 03 8E D0... Two lines. WRITE DOWN for (12)
(9) -q Get out of DEBUG. You must reload to deprotect.
(10) Make a copy of the disk; you can use copy *.* Put copy in A:
(11) B:DEBUG ULTIMAII.COM load copy
(12) -e 0100 Patch locations 0100 - 011F with what you
wrote down above. Follow each entry with
a SPACE until last entry; then hit ENTER.
(13) -w Write out new version of ULTIMAII.COM
(14) -q You've done it!

I've been detailed because this works generally for any COM file.
This method doesn't work for EXE files because while DEBUG can load
relocatable modules and execute them with breakpoints (step 7 above),
you cannot use debug to write an EXE file in relocatable form.
Any suggestions?
L.Brenkus


  3 Responses to “Category : Unprotects for Games and Such
Archive   : MORE_UNP.ZIP
Filename : ULTIMA.TXT

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 I’d be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: http://www.os2museum.com/wp/mtswslnk/