GCLISP.UNP      Breaking GCLISP (Softguard version 2.00)
Special thanks to by The Lone Victor

Programs that are protected by the Softguard system are distinguished
by the files CML0200.HCL and VDF0200.VDW which are hidden in the root
directory when you install the program on your fixed disk. The 0200
part of the file names is the Softguard version (2.00) while CML stands
for Common Loader and VDF is the Volume Descriptor File. The extensions
HCL and VDW stand for Hard Common Loader and Verify Descriptor Working
copy. In addition, there will be a hidden root file with a .EXE or .LOD
extension. This is the REAL program, which has been encrypted and hidden.

The program <FILE>.COM in the product directory is the Softguard
mini-loader. All it does is call the Common Loader. For example, when you
run dbase, the program GCLISP.COM loads CML0200.HCL high in memory and runs
it. CML decrypts itself and reads VDF0200.VDW. The VDF file contains some
code and data from the fixed disk FAT at the time of installation. By
comparing the information in the VDF file with the current FAT, CML can tell
if the CML, VDF, and GCLISP.EXE files are in the same place on the disk where
they were installed. If they have moved, say from a backup & restore, then
GCLISP will not run.

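The location check described above, as a simplified model in Python. This is an added example, not code from the original text or from Softguard; the toy FAT, the snapshot format, and all function names are assumptions, since the text does not describe the real VDF0200.VDW layout.

```python
# Simplified model of a location-bound install check (constructed data;
# the real VDF0200.VDW layout is not described in the text).
END = None  # end-of-chain marker in this toy FAT

PROTECTED = ("CML0200.HCL", "VDF0200.VDW", "GCLISP.EXE")

def chain(fat, first):
    """Follow a file's cluster chain through the toy FAT."""
    clusters, cur, seen = [], first, set()
    while cur is not END:
        if cur in seen or cur not in fat:
            raise ValueError(f"corrupt chain at cluster {cur}")
        seen.add(cur)
        clusters.append(cur)
        cur = fat[cur]
    return clusters

def snapshot(directory, fat):
    """Install time: record where each protected file sits on disk."""
    return {name: chain(fat, directory[name]) for name in PROTECTED}

def verify(saved, directory, fat):
    """Run time: list files missing or no longer at their recorded clusters."""
    moved = []
    for name, clusters in saved.items():
        if name not in directory or chain(fat, directory[name]) != clusters:
            moved.append(name)
    return moved

def restore(directory, fat, first_free):
    """Model backup & restore: same files, rewritten into fresh clusters."""
    new_dir, new_fat, nxt = {}, {}, first_free
    for name, first in directory.items():
        length = len(chain(fat, first))
        new_dir[name] = nxt
        for i in range(length):
            new_fat[nxt] = nxt + 1 if i < length - 1 else END
            nxt += 1
    return new_dir, new_fat

# Constructed sample disk: directory entry -> first cluster, FAT -> next cluster.
DIRECTORY = {"CML0200.HCL": 2, "VDF0200.VDW": 5, "GCLISP.EXE": 6}
FAT = {2: 3, 3: 4, 4: END, 5: END, 6: 9, 9: 7, 7: END}

def demo():
    saved = snapshot(DIRECTORY, FAT)
    before = verify(saved, DIRECTORY, FAT)
    after = verify(saved, *restore(DIRECTORY, FAT, first_free=20))
    return before, after
```

In this model the restored files keep the same names and lengths; only their cluster positions change, and that alone makes the check fail after a legitimate backup and restore.
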
This text file is designed to let you unprotect ANY of the programs
using the Softguard 2.00 system. We will use GCLISP as an example,
but values for other programs will be included in a table.

The DBASE III compiler named CLIPPER uses Softguard 2.03 (i.e. has
CML0203.HCL, etc.) Many of the code addresses are different in this
version. This text will not, currently, unprotect any programs using
Softguard 2.03.

This table is an experiment designed to keep down the number of files
uploaded to BBS's. When I started it, this text file was named SOFTG1.UNP.
Whenever you add a product to the table (including your "name" if desired)
increment the file name by one and upload it to your local BBS. Don't worry
about the fact that others will be doing the same. Higher versions of
SOFTGxxx.UNP will not ENSURE that they contain all the tabulated products,
but will be MORE LIKELY to contain them all. Eventually we'll get them all
collected.

If you find a new program to add to the table, just enter the name of
the encrypted, hidden file in the root directory, and its size converted
to HEX. Try it out before you upload it to your BBS.

If you have any comments on this unprotect routine or the PROLOCK.UNP
routine, please leave them on the Atlanta PCUG BBS (404) 634-5731.

The Lone Victor - 6/26/85


TABLE OF VALUES FOR VARIOUS PROTECTED PROGRAMS

                            FILE         FINAL
PRODUCT             VERSION NAME     EXT SIZE: BX=  CX=        CONTRIBUTOR
--------------------------------------------------------------------------------------

dBase III           1.10    DBASE    EXE BX = 1     CX = AC00  The Lone Victor 4/15/85
Framework           1.10    FW       EXE BX = 2     CX = F400  Q-1367
(I question this next file size - L.V.)
WordStar            1.00    WS2000   EXE BX = 1     CX = AC00  Gerald Lee
Double DOS          ?       DOUBLEDO EXE BX = ?     CX = ?     Big Al & Coffee Man
Spot Light          ?       SL       EXE BX = 0     CX = 6700
Golden Common Lisp          GCLISP   EXE BX = 2     CX = 3E00  MIT CRACKER


The following instructions show you how to bypass the SoftGuard copy
protection scheme using GCLISP as an example. To use it with other
products, simply substitute the values in the table above for the values
given below. The only things that change are the file name, and the size
that goes in the BX:CX register pair.

First, using your valid, original GCLISP diskette, install it on
a fixed disk. You cannot use this text to unprotect the floppy directly!
Softguard hides three files in your fixed disk root directory: CML0200.HCL,
VDF0200.VDW, and GCLISP.EXE. It also copies GCLISP.COM into your chosen
GCLISP directory. GCLISP.EXE is the real GCLISP program, encrypted. (This
file might also be named GCLISP.LOD, but is the same thing.)

Second, un-hide the three files in the root directory. You can do
this with the programs ALTER.COM or FM.COM found on any BBS.

Make copies of the three files, and of GCLISP.COM, into some other
directory.

Hide the three root files again using ALTER or FM.

Following the GCLISP instructions, UNINSTALL GCLISP. You can now
put away your original GCLISP diskette. We are done with it.

Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG. These patches will keep it from killing our
interrupt vectors.

        debug cml0200.hcl
        e 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A
        e 49D <CR>  F6.16 <CR>          ; if any of these numbers don't show up
        e 506 <CR>  E9.09 <CR>          ; it's not working.
        e A79 <CR>  00.20 <CR>          ;
        e AE9 <CR>  00.20 <CR>          ;
        e 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300
        w                               ; write out the new CML file
        q                               ; quit debug


Now copy your four saved files back into the root directory and
hide the CML0200.HCL, VDF0200.VDW, and GCLISP.EXE files using ALTER or FM.

We can now run GCLISP.COM using DEBUG, trace just up to the point
where it has decrypted GCLISP.EXE, then write that file out.

**** USE THE FILE NAME LISTED IN THE TABLE ABOVE ****
**** E.G. USE FW.COM INSTEAD OF GCLISP.COM FOR FRAMEWORK ****

        debug GCLISP.com                ; name of file that runs the product
        r <CR>                          ; dump debug's registers

**** WRITE DOWN THE VALUE OF DS FOR USE BELOW. ****
**** THIS VALUE IS DEPENDENT ON YOUR PARTICULAR MACHINE. ****

        a 0:300 <CR>                    ; we must assemble some code here
        pop     ax
        cs:
        mov     [320],ax                ; save return address
        pop     ax
        cs:
        mov     [322],ax
        push    es                      ; set up stack the way we need it
        mov     ax,20
        mov     es,ax
        mov     ax,0
        cs:
        jmp     far ptr [320]           ; jump to our return address
        <CR>
        g 406                           ; now we can trace CML
        t
        g 177                           ; this stuff just traces past some
        g 1E9                           ; encryption routines.
        t
        g 54E                           ; wait while reading VDF & FAT
        g=559 569
        g=571 857                       ; GCLISP.EXE has been decrypted

**** USE THE FILE SIZE LISTED IN THE TABLE ABOVE ****
**** THE VALUES HERE ARE FOR GCLISP ONLY ****

        rBX <CR>
        :2                              ; set BX to 2 for GCLISP
        rCX <CR>
        :3E00                           ; set CX to 3E00 for GCLISP

**** USE THE FILE NAME LISTED IN THE TABLE ABOVE ****

        nGCLISP.bin                     ; name of file to write to
        w XXXX:100                      ; where XXXX is the value of DS that
                                        ; you wrote down at the beginning.
        q                               ; quit debug

Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW,
and GCLISP.EXE. Delete GCLISP.COM and rename GCLISP.BIN to GCLISP.EXE. This
is the real GCLISP program without any SoftGuard code or encryption. It
requires only the INIT.LSP file to run. Every protected program I have seen
has the .EXE extension, but it is possible to use Softguard to encrypt .COM
files too. See the table above for the proper extension to put on the
decrypted file.