Unfortunately, this site has restricted functionality as this browser does not support the HTML button formaction attribute.
Unfortunately, this site has restricted functionality as this browser has HTML web storage turned off.

Breaking Softguard version 2.03 & 2.03A version 22. by Independent (IND)

57 of 20,182 files
  • UNP / Text   NFO scene release
  • 19 kB   DOWNLOAD   SHARE
hide RetroTxt by Defacto2   The open source web-extension to view many ANSI, ASCII and NFO files as text in your browser, available on Chrome Firefox GitHub
[+] Configuration Select all
SOFTG203.UNP        Breaking Softguard version 2.03 & 2.03A
version 22                                          by The Lone Victor

     United States copyright law SPECIFICALLY grants you the right to
make copies of programs you buy on magnetic media.  Programs are copy
protected IN VIOLATION OF YOUR RIGHTS UNDER U.S. LAW.

     Programs that are protected by the Softguard system are distinguished
by the files CML0203.HCL and VDF0203.VDW which are hidden in the root
directory when you install the program on your fixed disk.  The 0203
part of the file names is the Softguard version (2.03) while CML stands
for Common Loader and VDF is the Volume Descriptor File.  The extensions
HCL and VDW stand for Hard-disk Common Loader and Verify Descriptor Working
copy.  In addition, there will be a hidden root file with a .EXE or .LOD
or some other extension.  This is the REAL program, which has been
encrypted and hidden.

     The program <PRODUCT>.COM, in the product directory is the Softguard
miniloader.  All it does is call the Common Loader.  For example, when you
run CLIPPER, the program CLIPPER.COM loads CML0203.HCL high in memory and
runs it.  CML decrypts itself and reads VDF0203.VDW.  The VDF file contains
some code and data from the fixed disk FAT at the time of installation.  By
comparing the information in the VDF file with the current FAT, CML can tell
if the CML, VDF, and CLIPPER.L23 files are in the same place on the disk
where they were installed.  If they have moved, say from a backup & restore,
then CLIPPER will not run.

     This text file is designed to let you unprotect ANY of the programs
using the Softguard 2.03 system.  We will use CLIPPER as an example,
but values for other programs will be included in a table.  This text will
not unprotect any programs using Softguard 2.00.  To unprotect Softguard
2.00, see the file SOFTG200.  Versions 1.00 of dBase III and Framework
used ProLock.  To unprotect Prolock disks read the file PROLOCK.UNP,
also by yours truly.

     This table is an experiment designed to keep down the number of
files uploaded to BBS's.  When I started it, this text file was named
SOFTG203.UN1.  Whenever you add a product to the table (including your
"name" if desired) increment the file name by one and upload it to your
local BBS.  Don't worry about the fact that others will be doing the same.
Higher versions of SOFTG203.UNx will not INSURE that they contain all the
tabulated products, but will be MORE LIKELY to contain them all.
Eventually we'll get them all collected.  (Could this be a new type of
electronic chain letter?)

     If you find a new program to add to the table, just enter the name of
the encrypted, hidden file in the root directory, and it's size, converted
to HEX.  Try it out before you upload it to your BBS.

     If you have any comments on this unprotect routine or the PROLOCK.UNP
routine, please leave them on the Atlanta PCUG BBS (404) 433-0062.

                                          The Lone Victor - 7/14/85



            TABLE OF VALUES FOR VARIOUS PROTECTED PROGRAMS

                  FILE    FINAL
PRODUCT  VERSION  NAME     EXT  SIZE:  BX=  CX=        CONTRIBUTOR
------------------------------------------------------------------------

Clipper     1.00  CLIPPER  EXE  BX = 1  CX = 9800  The Lone Victor 7/14/85
Spotlight   1.1   SL       EXE  BX = 0  CX = 6600  HARD DISK USER  7/25/85
dBASE III Developer's Release
                  DBASE    EXE  BX = 1  CX = C000  Vanishing/|\Point 10/85
dBCODE      1.62  DBC      COM  BX = 0  CX = 5A00  Vanishing/|\Point 10/85
dBRUN             DBRUN    COM  BX = 1  CX = AC00  <<BOLTAR>>     11/01/85




        USE THE SECOND UNPROTECT METHOD FOR THE FOLLOWING PROGRAMS

                  FILE    FINAL
PRODUCT  VERSION  NAME     EXT  SIZE:  BX=  CX=        CONTRIBUTOR
------------------------------------------------------------------------

Clipper     S85   CLIPPER  EXE  BX = 1  CX = 9800  Hate Protection 9/23/85
Doubledos   2.1R  DOUBLEDO EXE  BX = 0  CX = 4800  Godfather       10/02/85
Sprdsht Auditor 2.00   AU  EXE  BX = 2  CX = 9400  The Lone Victor 10/31/85
Framework II  1.0 FW       EXE  BX = 3  CX = 7600  <<BOLTAR>> & Co.11/23/85
Disk Optimizer    OPTIMIZE COM  BX = 0  CX = 4100  CODEBUSTER     12/05/85
Doubledos   2.1T  DOUBLEDO EXE  BX = 0  CX = 4600  <<BOLTAR>>     12/28/85
Disk Optimizer for Version 1.2
                  OPTIMIZE EXE  BX = 0  CX = 4600  <<BOLTAR>> & Co.12/28/85
dBASE III Developer's Release
                  DBASE    EXE  BX = 1  CX = C000  Vanishing/|\Point 10/85
dBCODE      1.62  DBC      COM  BX = 0  CX = 5A00  Vanishing/|\Point 10/85
dBRUN             DBRUN    COM  BX = 1  CX = AC00  <<BOLTAR>>      11/01/85
Realia      2.00  REALCOB  EXE  BX = 0  CX = 6C00  Another Victor  11/10/85
Direc-Tree 3.01   DTREE.EXE     BX = 0  CX = DA00  DKS-USA Inc.    03/26/86
Reflection3 1.01  R3       EXE  BX = 1  CX = D200  Run-em          04/30/86
Reflection3 1.30  R3       EXE  BX = 1  CX = 7600  Run-em          04/30/86
Chuckle Pops 1.0  CHUCKLE  EXE  BX = 0  CX = 8D00  Captain Kirk    05/29/86
MSCPAL2  1.1      MSCPAL2  COM  BX = 0  CX = 9400  REDBEARD        05/10/86


           USE THE THIRD UNPPROTECT METHOD FOR SOFTGUARD 2.03A

                  FILE    FINAL
PRODUCT  VERSION  NAME     EXT  SIZE:  BX=  CX=        CONTRIBUTOR
------------------------------------------------------------------------

123         2.00  123      EXE  BX = 0  CX = 1C00  The Lone Victor 11/ 4/85
PARADOX     1.00  PARADOX  EXE  BX = 0  CX = 8C30  The Blot        11/12/85
REPORT WRITER  1  REPORT   EXE  BX = 1  CX = 1200  Bogus the Elf   10/09/86


           USE THE YET ANOTHER UNPPROTECT METHOD FOR SOFTGUARD 2.0.3

                  FILE    FINAL
PRODUCT  VERSION  NAME     EXT  SIZE:  BX=  CX=        CONTRIBUTOR
------------------------------------------------------------------------

CUBIT       1.10  CUBITR   COM  BX = 0  CX = 4800  Born to Code    09/27/86





    The following instructions show you how to bypass the SoftGuard copy
protection scheme using CLIPPER version 1.00 as an example.  To use it
with other products, simply substitute the values in the table above for
the values given below.  The only things that change are the file name,
and the size that goes in the BX:CX register pair.  You can obtain the file
size by loading the encrypted file (e.g. CLIPPER.L23) with DEBUG and doing
the Register command.  The file size is in the BX:CX register pair.



                        -- INSTRUCTIONS --

     First, using your valid, original CLIPPER diskette, install it on a
fixed disk.  You cannot use this text to unprotect the floppy directly!
Softguard hides three files in your fixed disk root directory: CML0203.HCL,
VDF0203.VDW, and CLIPPER.L23.  It also copies CLIPPER.COM into your chosen
CLIPPER directory.  CLIPPER L23 is the real CLIPPER program, encrypted.  The
extension of this file does not matter.  It is really an encrypted .EXE file.

     Second, un-hide the three files in the root directory.  You can do
this with the programs ALTER.COM or FM.COM found on any BBS.

     Make copies of the three files, and of CLIPPER.COM, into some other
directory.

     Hide the three root files again using ALTER or FM.

     Following the CLIPPER instructions, UNINSTALL CLIPPER.  You can now
put away your original CLIPPER diskette.  We are done with it.

     Now copy your four saved files back into the root directory and hide
the CML0203.HCL, VDF0203.VDW, and CLIPPER.L23 files using ALTER or FM.

     We can now run CLIPPER.COM using DEBUG, trace just up to the point
where it has decrypted CLIPPER.EXE, then write that file out.

          ****  USE THE FILE NAME LISTED IN THE TABLE ABOVE  ****
     ****  E.G. USE FW.COM INSTEAD OF CLIPPER.COM FOR FRAMEWORK  ****

debug CLIPPER.com               ; name of file that runs the product
r <CR>                          ; dump debug's registers

          ****  WRITE DOWN THE VALUE OF DS FOR USE BELOW.  ****
     ****  THIS VALUE IS DEPENDENT ON YOUR PARTICULAR MACHINE. ****

g 4D7                           ; now we can trace CML
t
g 1B5
t
e cs:A2
        74.EB                   ; debug reports the 74 here, you enter EB
e cs:127
        E8.90 D2.90 05.90       ; you enter the 90's followed by a space.
                                ; If you get a D1 instead of D2 skip to
                                ; the next page for the second version 2.03
g 127
a 186
        jmp 1C6
        <CR>                    ; this second CR gets you out of the assembler
a 22C
        jmp 266
        <CR>
a 420
        mov ax,22
        <CR>
e cs:430
        01.89                   ; debug reports the 01, you enter 89
a 4CF
        mov bl,7C
        <CR>
g 4E0
g 282
t
g 24D
t
g 59F                           ; wait while reading VDF & FAT
g=5AA 5BA
g=5C2 9D3                       ; CLIPPER.EXE has been decrypted

d cs:1E0 L8                     ; just for grins, here's the password
               '44250A15'

              ****  USE THE FILE SIZE LISTED IN THE TABLE ABOVE  ****
               ****  THE VALUES HERE ARE FOR CLIPPER 1.00 ONLY  ****

rBX <CR>
:1                              ; set BX to 1 for CLIPPER
rCX <CR>
:9800                           ; set CX to 9800 for CLIPPER

              ****  USE THE FILE NAME LISTED IN THE TABLE ABOVE  ****

nCLIPPER.bin                    ; name of file to write to
w XXXX:100                      ; where XXXX is the value of DS that
                                ;   you wrote down at the beginning.
q                               ; quit debug

     Last, unhide and delete the three root files CML0203.HCL, VDF0203.VDW,
and CLIPPER.L23.  Delete CLIPPER.COM and rename CLIPPER.BIN to CLIPPER.EXE.
This is the real CLIPPER program without any SoftGuard code or encryption.
We could not write it out with the .EXE extension because DEBUG cannot write
it is possible to use Softguard to encrypt .COM files too.  See the table
above for the proper extension to put on the decrypted file.


     There is another version of the Softguard system, ALSO labeled 2.03,
but which differs by one byte in part of the CML file and 7 bytes in
another.  If you start to apply the above patches and find some of the
bytes do not match, try the following instructions:

debug CLIPPER.com               ; name of file that runs the product
r <CR>                          ; dump debug's registers

          ****  WRITE DOWN THE VALUE OF DS FOR USE BELOW.  ****
     ****  THIS VALUE IS DEPENDENT ON YOUR PARTICULAR MACHINE. ****

g 4D7                           ; now we can trace CML
t
g 1B5
t
e cs:A2
        74.EB                   ; debug reports the 74 here, you enter EB
e cs:127                        ; HERE START THE 1 BYTE DIFFERENCES
        E8.90 D1.90 05.90       ; you enter the 90's followed by a space.
g 127
a 185
        jmp 1C5
        <CR>                    ; this second CR gets you out of the assembler
a 22B
        jmp 265
        <CR>
a 41F
        mov ax,22
        <CR>
e cs:42F
        01.89                   ; debug reports the 01, you enter 89
a 4CE
        mov bl,7A
        <CR>
g 4DF
g 281
t
g 24D
t                               ; HERE ARE THE 7 BYTE DIFFERENCES
g 5A6                           ; wait while reading VDF & FAT
g=5B1 5C1
g=5C9 9DA                       ; CLIPPER.EXE has been decrypted

d cs:1E7 L8                     ; just for grins, here's the password
               'SUMMER85'

              ****  USE THE FILE SIZE LISTED IN THE TABLE ABOVE  ****
             ****  THE VALUES HERE ARE FOR CLIPPER SUMMER 85 ONLY  ****

rBX <CR>
:1                              ; set BX to 1 for CLIPPER
rCX <CR>
:9800                           ; set CX to 9800 for CLIPPER

              ****  USE THE FILE NAME LISTED IN THE TABLE ABOVE  ****

nCLIPPER.bin                    ; name of file to write to
w XXXX:100                      ; where XXXX is the value of DS that
                                ;   you wrote down at the beginning.
q                               ; quit debug

REN CLIPPER.BIN CLIPPER.EXE
                                          The Lone Victor - 9/20/85


SOFT203A.UNP        Breaking Softguard version 2.03A
version 1                                           by The Lone Victor

     There is a THIRD version of the Softguard system, labeled 2.03A,
which is used by Lotus for 123 release 2.

     First, using your valid, original 123 diskette, install it on a
fixed disk.  You cannot use this text to unprotect the floppy directly!
Softguard hides three files in your fixed disk root directory: CML0203A.HCL,
VDF0203A.VDW, and 123.L2C.  It also copies 123.COM into your chosen 123
directory.  123.L2C is the real 123 loader, encrypted (it loades the 123.CMP
file). The extension of this file does not matter.  It is really an
encrypted .EXE file.

     We can now run 123.COM using DEBUG, trace just up to the point
where it has decrypted 123.EXE, then write that file out.

          ****  USE THE FILE NAME LISTED IN THE TABLE ABOVE  ****
       ****  E.G. USE FW.COM INSTEAD OF 123.COM FOR FRAMEWORK  ****

debug 123.com                   ; name of file that runs the product
r <CR>                          ; dump debug's registers

          ****  WRITE DOWN THE VALUE OF DS FOR USE BELOW.  ****
     ****  THIS VALUE IS DEPENDENT ON YOUR PARTICULAR MACHINE. ****

g 4FA                           ; now we can trace CML
t                               ; this step changes segments into CML
g 1B5
t                               ; change segments
a 7D    mov ax,cs               ; assemble new instruction here over xor ax,ax
e cs:E9                         ; NOP out a mov ds,cx instruction
        8E.90 D9.90             ; when debug reports 8E. you enter 90 <space>
                                ; when debug reports D9. you enter 90 <CR>
e cs:F5                         ; change a jz instruction into a jmp
        74.EB                   ; debug reports the 74 here, you enter EB
e cs:107
        8E.90 D8.90             ; NOP out a mov ds,ax
e cs:119
        8E.90 D9.90             ; NOP out a mov ds,cx
e cs:1AA
        CC.90                   ; NOP out an int 3
g1AA                            ; go to this address
e cs:1E6
        CC.90                   ; NOP out an int 3
e cs:200
        E8.90 FF.90 03.90       ; NOP out a call 602
e cs:269
        26.2E                   ; change an es: to cs:
e cs:26E                        ; change order of some pop instructions
        1F.5A 5A.59 5F.5B 5B.5F 5E.5E 59.1F
e cs:1B6
        8E.90 DB.90             ; NOP out a mov ds.bx
e cs:1DD
        74.EB                   ; change a jz to a jmp
a 44C
        jmp 4BF                 ; jump to some code we need
a 53C
        jmp 455                 ; jump back into main line code
a 4E1
        mov bl,10               ; provide correct checksum value
e cs:500
        FE.90 C7.90             ; NOP out an inc bh
e cs:52B
        8E.90 D9.90             ; NOP out a mov ds,cx
g 1E6
t                               ; trace through two passes
g 1E6
g 290
t                               ; change segments
g 24D
t                               ; change segments
e cs:728
        8C.90 1F.90             ; NOP out a mov [bx],ds
e cs:431
        89.90 07.90             ; NOP out a mov [bx],ds
e cs:5BD
        75.90 03.90             ; NOP out a jnz 5C2
e cs:5F0
        89.90 17.90             ; NOP out a mov [bx],dx
e cs:5D8
        74.EB                   ; change a jz to jmp
g A41
g AFA                           ; 123.EXE has been decrypted

d cs:1F1 L8                     ; just for grins, here's the password
               'LOTUSKEY'
e XXXX:100                      ; where XXXX is the value of DS that
                                ;   you wrote down at the beginning.
        3B.4D 2E.5A             ; programs other than 123 rel 2 may
                                ; have some numbers here other than 3B 2E

              ****  USE THE FILE SIZE LISTED IN THE TABLE ABOVE  ****
                 ****  THE VALUES HERE ARE FOR 123 2.00 ONLY  ****

rBX <CR>
:0                              ; set BX to 0 for 123
rCX <CR>
:1C00                           ; set CX to 1C00 for 123

              ****  USE THE FILE NAME LISTED IN THE TABLE ABOVE  ****

n123.bin                        ; name of file to write to
w XXXX:100                      ; again XXXX is the original DS value
q                               ; quit debug

     Following the 123 instructions, UNINSTALL 123.  You can now
put away your original 123 diskette.  We are done with it.  Delete
123.COM and rename 123.BIN to 123.EXE.  This is the unprotected 123
loader which runs the 123.CMP program. We could not write it
out with the .EXE extension because DEBUG cannot write .EXE files.


                    Yet another Softguard 2.0.3 system
                                     by "Born to Code"

The folks at softguard have been up to no good ! This version is also
labelled 2.0.3, but is enhanced over the previous version with more
checks for debug interrupts and trace interrupts. I don't know if it
is being used on anything else, but I suspect that it is.

This file was a debug input redirection that I used to unprotect CUBIT v1.1.

debug CUBITR.COM  ; cubit resident is the softguarded one
; first look at ds to find where our completed exe file will end up
r
g 4d7
t
g 1b5
t
e cs:a2
eb
; there are 2 calls here at 127 instead of 1 that must be
; nop'ed out because they do nasty debugger checks.
e cs:127
90 90 90 90 90 90
g 127
; however the calls do poke some code, so here it is:
e cs:272
07 5d
; standard softguard stuff
a 188
jmp 1c8

a 22e
jmp 268

; the old int 1 stuff has been replaced with int 3 which is shorter
; but the following code will do the same job without using int 3
a 410
pushf
push cs
call 490
jmp 42b

a 41f
jmp 42b

; now patch out the loop to compute the key byte with a simple move
; figuring out the key byte (80) was a real pain !
a 4bd
mov bl,80

; we're in the home stretch now
g 4ce
g 274
t
g 24d
t
; patch out some moves that poke out int 3
e 72a
90 90
e 435
90 90
g 5c1
g=5cc 5dc
; he sure loves to zap int 3, but we'll stop him
e 5f2
90 90
g=5e4 a16
g a53
g ae7
g af9
; and for the grand finale, here is the key
d cs:di l 8
rbx
0
rcx
4800
ncub.bin
; make it a proper load image
e xxxx:100
4d 5a
w xxxx:100
q

A patch for Lotus Report Writer and Lotus 1-2-3 V2.0 to remove
the jump to A: after booting from the hard disk.  After removing
the Softguard 2.03A from either product, edit the resulting .exe
file with Norton or some similar file editor program.

Search for the bytes CD 13 in both programs; they should be found
very close the the code which states "(serial number not found)".
Change these bytes to 90 (NOP).
In Report Writer, also search for 73 09 and replace with 90 as
well.  That's it! The program will now ignore A: on boot.