|
PROLOCK.UNP HOW TO KILL PROLOCK by the Lone Victor This file describes how to eliminate the Prolock code from almost any file. It will work for DBASE III, FrameWork, and a number of other programs that I have tried. All that is needed is a copy of the program, DEBUG, and this file. The original Prolock disk is not needed. After these fixes are applied the program will be 6K - 8K smaller and will not require the original disk to run. One limitation built into this script file is the search performed for the .EXE header (4D 5A). Thus, the original program, before Prolock was applied, must have been a .EXE file as were dBase and Framework. Original .COM files could also be unprotected this way, but I have yet to find any. The following instructions use the dBase III file DBASE.EXE as an example. Make careful note of where an example address or number is give. The numbers will be different for a different file. Enter the commands given below which are in capital letters, not the comments and examples. <CR> means press the Carriage Return or Enter key. DEBUG DBASE.EXE R <CR> ;record the BX and CX registers example: BX=0001 CX=C750 U <CR> ;skip first screen ;look for a LOOP instruction example: xxxx:0167 LOOP 0160 xxxx:0169 XCHG DX,AX ;the addresses need not be the same ;as in the example. ;go to the address after the LOOP G 169 <CR> S 100 3000 83 C4 08 <CR> ;search for code example: xxxx:0746 xxxx:13C4 ;<- use the last address displayed A 13C4 <CR> ;assemble code at address found above XOR AX,AX <CR> RET <CR> <CR> S 100 3000 C0 45 F8 <CR> ;search for code example: xxxx:1140 ;<-use this address E 1140 0B 46 <CR> ;enter encoded int 80 at address found M 0:C F 0:200 <CR> ;copy BPT vector to int 80 vector G <CR> ;prolock tests diskette drives S 100 3000 4D 5A ;search for .EXE header example: xxxx:03D6 xxxx:06E0 . . xxxx:1B50 ;<- use last address displayed ; This number is the address of the now decoded, original program, before ;Prolock was applied. We need to subtract this hex number from the size of ;the original Prolock file (BX,CX we recored fist). example 1 C750 - 1B50 ________ 1 AC00 ; This can be done using debug: H C750 1B50 <CR> ;ask debug for som and difference example E2A0 AC00 ;<- use last number RBX <CR> ;load BX and CX with new file size :0001 <CR> RCX <CR> :AC00 <CR> N DBASE <CR> ;choose any new file name ;(use no extension) W 1B50 <CR> ;write out file starting at the address ;of the .EXE file that we found above. Q <CR> ;quit debug REN DBASE DB.EXE ;rename new file to a .EXE filename That's all there is to it. The new file contains no Prolock code, and will run without the original disk. Here is a brief description of what was actually done. The first LOOP decodes the Prolock code. We do a GO to the end of that loop. The Search for the bytes 83 C4 08 finds the code that prints the error message when Prolock fails to find it's special disk. We Assemble new code at that address which returns a 0 in AX. This tricks Prolock into thinking the disk was found, and it then decodes the original .EXE file. The Search for the bytes C0 45 F8 finds the code that loads the original .EXE file. By the time this code is executed, the .EXE file is decoded and we want to stop and write it out. We can't put a Break Point there because Prolock will destroy our BPT vector. So we enter the code for an INT 80 at this address and copy or BPT vector to the unused INT 80 vector. In addition, this code is "encrypted" by having each byte exclusive ORed with the byte C6. Our INT 80 code (CD 80) thus becomes the bytes 0B 46. The Move 0:C F 0:200 instruction copies the debug Break Point vector to the INT 80 vector for use there. We then do a GO and Prolock checks the A: drive for a Prolock disk, thinks it finds it, and decodes the original .EXE file. Before it can execute the file it hits our INT 80, which returns us to debug. Finally we search for the .EXE header, calculate how long the file is without the Prolock code, and write it out to a file. This file is Renamed to a .EXE file and can then be run. Another file downloaded from: NIRVANAnet(tm) & the Temple of the Screaming Electron 510-935-5845 Rat Head 510-524-3649 Burn This Flag 408-363-9766 realitycheck 415-474-2602 Lies Unlimited 415-583-4102 Specializing in conversations, obscure information, high explosives, arcane knowledge, political extremism, diversive sexuality, insane speculation, and wild rumours. ALL-TEXT BBS SYSTEMS. Full access for first-time callers. We don't want to know who you are, where you live, or what your phone number is. We are not Big Brother. "Raw Data for Raw Nerves"