Unprotect Ultima II   by Independent (IND)

The copy-protection scheme used in ULTIMA II is also used by PROKEY 3.0 and several other programs. The approach I outline here works with any of these that are in COM file format. If anyone can improve it to work for EXE files PLEASE post it. This general copy scheme uses a short sector of 256 bytes to store an essential piece of the program code. On startup, location 100H contains a JMP instruction to the code which reads this short sector. Locations 103H - 110H contain HLT instructions (hex F4). After the sector is read, its contents are overlayed onto locations 100H - 110H, replacing the dummy instruction codes. A branch to 100H then begins the actual program. All we need to do is to stop execution after the changes are made and write down the contents of 100H - 110H; reloading the program and POKEing these changes results in an unprotected program. Here's how its done: (1) Put PROTECTED disk in A: (you can write-protect it for safety) and a disk containing DEBUG in B: (2) A: Make A: the default. (3) B:DEBUG ULTIMAII.COM (or PKLOAD.COM, LAYOUT.COM...) (4) -u 0100 Tell DEBUG to disassemble 0100-0120 DEBUG responds with: 0100 JMP 88A0 (or whatever) 0103 HLT 0104 HLT ...etc. (5) -u 88A0 Look at short-sector decrypting code. DEBUG responds with: 88A0 JMPS 88A7 Next "statements" are data locations; ignore. (6) -u 88A7 Now look for where program restarts at 100H. DEBUG responds with: 88A7 CALL 88C4 88AA CALL 892E 88AD JC 88BF (If Carry is set, the disk is a copy. Go to DOS!) ... 88BA MOV AX,0100 88BD JMP AX Paydirt! If you got this far, the program has ... written the REAL code into 0100 - 0120H. (7) -g 88BD Tell DEBUG to run the program, stop here. (8) -d 0100 011F Dump out the changed code. DEBUG responds with: 8C C8 05 25 07 8E D8 05-10 03 8E D0... Two lines. WRITE DOWN for (12) (9) -q Get out of DEBUG. You must reload to deprotect. (10) Make a copy of the disk; you can use copy *.* Put copy in A: (11) B:DEBUG ULTIMAII.COM load copy (12) -e 0100 Patch locations 0100 - 011F with what you wrote down above. Follow each entry with a SPACE until last entry; then hit ENTER. (13) -w Write out new version of ULTIMAII.COM (14) -q You've done it! I've been detailed because this works generally for any COM file. This method doesn't work for EXE files because while DEBUG can load relocatable modules and execute them with breakpoints (step 7 above), you cannot use debug to write an EXE file in relocatable form. Any suggestions? L.Brenkus