Category : Unprotects for Games and Such
Archive   : TD3NEW.ZIP
Filename : TD3.UNP

Unprotect for Test Drive III

Tired of looking up protection codes for that expensive program you bought?
Well, we can do something about that nasty protection scheme.

Use the Norton editor (or a similar hex editor) on the hard disk copy of
TD3.EXE (as always, it is inadvisable to modify your original). Search for
the following bytes:

83 7E E8 00 74 32 (this should be found around 43A2)

Now make the following changes:

Original: 83 7E E8 00 74 32 2B
          |  |
Changes:  C7 46       00 EB 31


Write the file out and you are done! Enter any number when it asks you the
question.

For reference, this is the dump of the part of the program we are changing.


-u4490

1471:4490 83C408        ADD     SP,+08
1471:4493 B80B00        MOV     AX,000B
1471:4496 50            PUSH    AX
1471:4497 2BC0          SUB     AX,AX
1471:4499 50            PUSH    AX
1471:449A 9AA106DC0B    CALL    0BDC:06A1
1471:449F 83C404        ADD     SP,+04
1471:44A2 837EE800      CMP     WORD PTR [BP-18],+00    ;Change to MOV
1471:44A6 7432          JZ      44DA                    ;Change to JMP
1471:44A8 2BC0          SUB     AX,AX
1471:44AA 8946E8        MOV     [BP-18],AX
-q


FLASH !!!

Late-breaking update. Forget the previous patch and whip out a hex editor
like Norton and change the following two hex strings:

Original             Changes

EA A6 39             E9 26 06

75 0F 0E E8 75 00    EB 0F 0E E8 75 00

That's it! This patch completely eliminates the protection question. For
those interested, here is a debug dump of the code in question.


-u3ea4

1269:3EA4 B84001        MOV     AX,0140
1269:3EA7 50            PUSH    AX
1269:3EA8 B85D23        MOV     AX,235D
1269:3EAB 50            PUSH    AX
1269:3EAC B8DE22        MOV     AX,22DE
1269:3EAF 50            PUSH    AX
1269:3EB0 0E            PUSH    CS
1269:3EB1 E8A639        CALL    785A                    ;Change to JMP 44DA
1269:3EB4 83C40C        ADD     SP,+0C
1269:3EB7 B88D0F        MOV     AX,0F8D
1269:3EBA 50            PUSH    AX
1269:3EBB B8400A        MOV     AX,0A40
1269:3EBE 50            PUSH    AX
1269:3EBF 9A8C07DC18    CALL    18DC:078C

-u44c4 4510

1269:44C4 2BC0          SUB     AX,AX
1269:44C6 A39A00        MOV     [009A],AX
1269:44C9 50            PUSH    AX
1269:44CA 9A0600A716    CALL    16A7:0006
1269:44CF 83C402        ADD     SP,+02
1269:44D2 C746FC0100    MOV     WORD PTR [BP-04],0001
1269:44D7 EB1D          JMP     44F6
1269:44D9 90            NOP
1269:44DA 2BC0          SUB     AX,AX                   ;This is where we JMP to
1269:44DC 8946E8        MOV     [BP-18],AX
1269:44DF 50            PUSH    AX
1269:44E0 B8151C        MOV     AX,1C15
1269:44E3 50            PUSH    AX
1269:44E4 0E            PUSH    CS
1269:44E5 E898F4        CALL    3980
1269:44E8 83C404        ADD     SP,+04
1269:44EB 8946E8        MOV     [BP-18],AX
1269:44EE 2BC0          SUB     AX,AX
1269:44F0 8946FC        MOV     [BP-04],AX
1269:44F3 A28900        MOV     [0089],AL
1269:44F6 C6068C0000    MOV     BYTE PTR [008C],00
1269:44FB C746E80000    MOV     WORD PTR [BP-18],0000
1269:4500 803E8C0000    CMP     BYTE PTR [008C],00
1269:4505 750F          JNZ     4516                    ;Change to JMP 4516
1269:4507 0E            PUSH    CS
1269:4508 E87500        CALL    4580
1269:450B B80200        MOV     AX,0002
1269:450E 50            PUSH    AX
1269:450F 0E            PUSH    CS
1269:4510 E879F5        CALL    3A8C
-q


Courtesy of Bad Bob
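
The targets DEBUG prints for the branches in both listings follow from the 8086 rule that a relative displacement is added to the address of the next instruction. The Python below is an added example, not part of the original TD3.UNP: it decodes the branch bytes shown in the listings and change tables and recomputes their targets. All names are hypothetical, and the offset 44A7 is derived rather than listed.

```python
# Added example, not part of TD3.UNP. Offsets and bytes are copied from the
# DEBUG listings above; all function and variable names are hypothetical.

REL8 = {0x74: "JZ", 0x75: "JNZ", 0xEB: "JMP"}   # opcode + signed 8-bit displacement
REL16 = {0xE8: "CALL", 0xE9: "JMP"}             # opcode + signed 16-bit displacement


def decode_branch(offset, raw):
    """Decode one relative branch at `offset`; return (mnemonic, target, length)."""
    opcode = raw[0]
    if opcode in REL8:
        name, length = REL8[opcode], 2
    elif opcode in REL16:
        name, length = REL16[opcode], 3
    else:
        raise ValueError(f"opcode {opcode:02X} is not a relative branch handled here")
    if len(raw) < length:
        raise ValueError("truncated instruction")
    disp = int.from_bytes(raw[1:length], "little", signed=True)
    # The displacement is counted from the NEXT instruction, and IP wraps at 64 KB.
    target = (offset + length + disp) & 0xFFFF
    return name, target, length


# (offset, bytes as printed in the listings or in the change tables)
LISTING = [
    (0x44A6, "7432"),    # JZ 44DA
    (0x44A7, "EB31"),    # replacement; 44A7 is derived (5-byte MOV starting at 44A2)
    (0x3EB1, "E8A639"),  # CALL 785A
    (0x3EB1, "E92606"),  # replacement
    (0x44E5, "E898F4"),  # CALL 3980, a backward (negative) displacement
    (0x4505, "750F"),    # JNZ 4516
    (0x4505, "EB0F"),    # replacement
]


def render(listing=LISTING):
    """Format each entry roughly the way DEBUG's `u` command prints it."""
    lines = []
    for offset, hexbytes in listing:
        name, target, _ = decode_branch(offset, bytes.fromhex(hexbytes))
        lines.append(f"{offset:04X} {hexbytes:<8}{name:<5}{target:04X}")
    return lines


if __name__ == "__main__":
    print("\n".join(render()))
```

The E898F4 entry shows why the displacement has to be read as signed: F498 is a negative offset, which is how a CALL at 44E5 reaches 3980.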



  3 Responses

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 It’d be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: http://www.os2museum.com/wp/mtswslnk/