Category : Unprotects for Games and Such
Archive   : UNPROT2.ZIP
Filename : WS2000.UNP

Output of file : WS2000.UNP contained in archive : UNPROT2.ZIP
Wordstar 2000 version 1.00 - Unprotect
by Gerald Lee

derived from

dBase III version 1.10 - Unprotect
by The Lone Victor

The following instructions show you how to bypass the SoftGuard
copy protection scheme used on WORDSTAR 2000 version 1.00. This is the
same scheme used for FrameWork 1.10 and for dBase III version 1.10.
Wordstar 2000 version 1.10 does not use a copy protection scheme, while
versions 1.00 of dBase III and FrameWork used ProLock. To unprotect
Prolock disks read the file PROLOCK.UNP.

First, using your valid, original Wordstar 2000 diskettes, install
it on fixed disk. Softguard hides two files in your root directory:
CML0200.HCL and VDF0200.VDW. WS2000.EXE is the real Wordstar 2000
program, encrypted. When you run Wordstar, the program WS2000.COM loads
CML0200.HCL high in memory and runs it. CML decrypts itself and reads
VDF0200.VDW. The VDF file contains some code and data from the fixed disk
FAT at the time of installation. By comparing the information in the VDF
file with the current FAT, CML can tell if the CML, VDF, and WORDSTAR.EXE
files are in the same place on the disk where they were installed. If
they have moved, say from a backup & restore, then WORDSTAR 2000 will
not run.

Second, un-hide the two files in the root directory. You can do
this with the programs ALTER.COM or FM.COM, or UNHIDE.COM and HIDE.COM
found on any BBS. PC-SWEEP2 is the easiest it will copy the files to
another directory unhidden.

Make copies of the two files, and of WS2000.COM and WS2000.EXE, into
some other directory.

Hide the two root files again if using ALTER or FM. Leave alone if
using PC-SWEEP2.

Following the WORDSTAR instructions, UNINSTAL WORDSTAR 2000. You
can now put away your original WORDSTAR diskettes. We are done with them.

Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG. These patches will keep it from killing our
interrupt vectors.

E 3F9 2A.4A ; change the 2A to 4A
E 49D F6.16 ; if any of these numbers don't show up
E 506 E9.09 ; it's not working.
E A79 00.20 ;
E AE9 00.20 ;
E 73C 97 FA FA F4 F1 7E ; this is an encrypted call to 0:300
W ; write out the new CML file
Q ; quit debug

Now copy your four saved files back into the root directory and
hide the CML0200.HCL and VDF0200.VDW files using ALTER, FM or PC-SWEEP2.

We can now run WS2000.COM using DEBUG, trace just up to the point
where it has decrypted WORDSTAR.EXE, then write that file out.

R ; write down the value of DS for use below.
A 0:300 ; we must assemble some code here
MOV [320],AX ; save return address
MOV [322],AX
PUSH ES ; set up stack the way we need it
JMP FAR PTR [320] ;jump to our return address

G 406 ; now we can trace CML
G 177 ; this stuff just traces past some
G 1E9 ; encryption routines.
G 54E ; wait while reading VDF & FAT
G=559 569
G=571 857 ; WS2000.EXE has been decrypted
rBX ; length WS2000.EXE = 1AC00 bytes
:1 ; set BX to 1
:AC00 ; set CX to AC00.
nWS12 ; name of file to write to
W XXXX:100 ; where XXXX is the value of DS that
; you wrote down at the begining.
Q ; quit debug

Last, unhide and delete the two root files CML0200.HCL, VDF0200.VDW,
and WS2000.COM and WS2000 directory. Rename WS12 to WS2000.COM and
replace in the WS2000 directory. This is the routine that starts the
real WS2000.EXE program without any SoftGuard code or encryption. It
requires the .OVL and .MSG files to run. I have not tried it on a two
disk systems but I think it should work.

If you have any comments on this unprotect routine, please leave
on the Chino RBBS (714) 591-7002.

GERALD LEE - 5/12/85

  3 Responses to “Category : Unprotects for Games and Such
Archive   : UNPROT2.ZIP
Filename : WS2000.UNP

  1. Very nice! Thank you for this wonderful archive. I wonder why I found it only now. Long live the BBS file archives!

  2. This is so awesome! 😀 I’d be cool if you could download an entire archive of this at once, though.

  3. But one thing that puzzles me is the “mtswslnkmcjklsdlsbdmMICROSOFT” string. There is an article about it here. It is definitely worth a read: