Unfortunately, this site has restricted functionality as this browser does not support the HTML button formaction attribute.
Unfortunately, this site has restricted functionality as this browser has HTML web storage turned off.

Unprotect Ultima II. by Independent (IND)

58 of 20,182 files
  • TXT / Text   How to
  • 3 kB   DOWNLOAD   SHARE
hide RetroTxt by Defacto2   The open source web-extension to view many ANSI, ASCII and NFO files as text in your browser, available on Chrome Firefox GitHub
[+] Configuration Select all
The copy-protection scheme used in ULTIMA II is also used by
PROKEY 3.0 and several other programs. The approach I outline
here works with any of these that are in COM file format. If
anyone can improve it to work for EXE files PLEASE post it.
  This general copy scheme uses a short sector of 256 bytes to
store an essential piece of the program code. On startup, location
100H contains a JMP instruction to the code which reads this
short sector. Locations 103H - 110H contain HLT instructions (hex F4).
After the sector is read, its contents are overlayed onto locations
100H - 110H, replacing the dummy instruction codes. A branch to 100H
then begins the actual program.
   All we need to do is to stop execution after the changes are
made and write down the contents of 100H - 110H; reloading the
program and POKEing these changes results in an unprotected program.
   Here's how its done:
(1) Put PROTECTED disk in A: (you can write-protect it for safety)
   and a disk containing DEBUG in B:
(2) A:               Make A: the default.
(3) B:DEBUG ULTIMAII.COM      (or PKLOAD.COM, LAYOUT.COM...)
(4) -u 0100        Tell DEBUG to disassemble 0100-0120
DEBUG responds with:
  0100 JMP 88A0        (or whatever)
  0103 HLT
  0104 HLT             ...etc.
(5) -u 88A0            Look at short-sector decrypting code.
DEBUG responds with:
  88A0 JMPS 88A7       Next "statements" are data locations; ignore.
(6) -u 88A7            Now look for where program restarts at 100H.
DEBUG responds with:
  88A7 CALL 88C4
  88AA CALL 892E
  88AD JC 88BF      (If Carry is set, the disk is a copy. Go to DOS!)
...
  88BA MOV AX,0100
  88BD JMP AX         Paydirt! If you got this far, the program has
...                    written the REAL code into 0100 - 0120H.
(7) -g 88BD           Tell DEBUG to run the program, stop here.
(8) -d 0100 011F      Dump out the changed code.
DEBUG responds with:
  8C C8 05 25 07 8E D8 05-10 03 8E D0...  Two lines. WRITE DOWN for (12)
(9) -q         Get out of DEBUG. You must reload to deprotect.
(10) Make a copy of the disk; you can use copy *.*   Put copy in A:
(11) B:DEBUG ULTIMAII.COM     load copy
(12) -e 0100             Patch locations 0100 - 011F with what you
                         wrote down above. Follow each entry with
                         a SPACE until last entry; then hit ENTER.
(13) -w               Write out new version of ULTIMAII.COM
(14) -q               You've done it!
 
  I've been detailed because this works generally for any COM file.
This method doesn't work for EXE files because while DEBUG can load
relocatable modules and execute them with breakpoints (step 7 above),
you cannot use debug to write an EXE file in relocatable form.
Any suggestions?
    L.Brenkus