Unprotect The Last Ninja   by Independent (IND)

************************************************************************ The following text is written to demonstrate how to unprotect the game, 'THE LAST NINJA', solely for the use of making legal backup copies for the original owner. ************************************************************************ In order to unprotect NINJA, you first must understand the copy protection scheme which is used by ACTIVISION. The copy protection does not reside in just one program, but in three separate EXE files on disk A. If you only plan to run this program on one type of display monitor, then only one program needs to be unprotected. ACTIVISION has three separate EXE files to accomodate the three types of graphics it supports. There is a copy protection scheme in each one of these files. However, this unprotect will work identically for all cases. The files that are in question are as follows: E.EXE - EGA DISPLAY C.EXE - CGA DISPLAY T.EXE - SPECIAL TANDY DISPLAY For this example, I will use E.EXE, however, as stated before, this unprotect will work for any of the display programs. STEP 1: Make a copy of the NINJA A disk using DISKCOPY. After this has been completed, you can put away your original disk. STEP 2: Rename E.EXE to E.ZAP. STEP 3: Enter DOS DEBUG by entering the following command: A> debug e.zap STEP 4: ACTIVISION uses the return codes from DOS interrupt 13 to determine if the original disk is being used. Therefore, you must first find all occurances of interrupt 13. To do this, use the DEBUG search command: -s cs:100 9999 cd 13 The results of this command should look similar to the following: 1229:0579 1229:0588 1229:05AB STEP 5: The first address displayed is where the program is checking the boot record. This one can be ignored. The second address is the interrupt which checks the hidden file, XEMAG.SYS. XEMAG.SYS resides on track number nine. If you unassemble the statements just prior to the interrupt, you should be able to see where '09' is moved to the CH register. This is the one in which you are interested in. Next, enter the following command: -u 1229:0588 (the address used should be the address obtained from the previous step) This should produce results that look like the following: 1229:0028 INT 13 1229:002A JNB 0032 (this address may vary) 1229:002C MOV AX,000A 1229:002F JMP 0081 (this address may also vary) STEP 6: The JNB instruction is the branch which is taken when the program receives a wrong return code from the interrupt. The address that is branched to contains the display which tells you to insert your original disk. The JMP instruction is the branch that is taked when everything is fine. Therefore, to unprotect NINJA, you simply replace the JNB instruction with the JMP instruction. To do this, enter: -a 1229:0028 (the addresses are obtained from the previous unassemble step) You will then get the following prompt: 1229:0028 On this line, simply enter an unconditional jump. 1229:0028 JMP 0081 (the address used here was also obtained from step #5) At the next prompt, simply hit the enter key. This should return the DOS DEBUG prompt. STEP 7: Write the altered code back to disk by entering: -w When this is finished, exit DEBUG by entering: -q STEP 8: Rename E.ZAP to E.EXE. The copy protection has now been removed from disk A. and you can make as many backup copies as you wish. As far as disk B is comcerned, there is no copy protection and it can be copied using DISKCOPY. The reason that programs such as DISKCOPY and even COPYIIPC do not effectively copy disk A is very simple yet hard to detect. In actuality, ACTIVISION has changed the boot record on the original disk so that it will receive an invalid return code from the interrupt 13 (this is the first occurance of CD13 found when doing the DEBUG search). The above mentioned programs cannot effectively copy the boot record from disk A. Therefore, when a copy is made, the programs still won't execute. If you find that this text has been of any value to you, a donation of any sum of money would be greatly appreciated. Please send it to my 14 year old son (he really did all of the work !) at the following address: Christian Sartler 4530 Maple Road East Troy, Wisc. 53120 If any questions should arise or additional help is required, just leave me a note on EXEC-PC bulletin board, 414-964-5160. Gary Sartler