TUCoPS :: PC Hacks :: prolock.txt

How to kill Prolock

PROLOCK.UNP     HOW TO KILL PROLOCK      by the Lone Victor

This file describes how to eliminate the Prolock code from almost any
file.  It will work for DBASE III, FrameWork, and a number of other
programs that I have tried.  All that is needed is a copy of the program,
DEBUG, and this file.  The original Prolock disk is not needed.  After
these fixes are applied the program will be 6K - 8K smaller and will not
require the original disk to run.

One limitation built into this script file is the search performed for
the .EXE header (4D 5A).  Thus, the original program, before Prolock was
applied, must have been a .EXE file as were dBase and Framework.
Original .COM files could also be unprotected this way, but I have yet
to find any.

The following instructions use the dBase III file DBASE.EXE as an
example.  Make careful note of where an example address or number is
give.  The numbers will be different for a different file.  Enter the
commands given below which are in capital letters, not the comments and
examples.  <CR> means press the Carriage Return or Enter key.

R <CR>                            ;record the BX and CX registers
    example: BX=0001    CX=C750
U <CR>                            ;skip first screen
                                  ;look for a LOOP instruction
    example: xxxx:0167  LOOP  0160
             xxxx:0169  XCHG  DX,AX
                                  ;the addresses need not be the same
                                  ;as in the example.
                                  ;go to the address after the LOOP
G 169 <CR>
S 100 3000 83 C4 08 <CR>          ;search for code
    example: xxxx:0746
             xxxx:13C4            ;<- use the last address displayed
A 13C4 <CR>                       ;assemble code at address found above
S 100 3000 C0 45 F8 <CR>          ;search for code
    example: xxxx:1140            ;<-use this address
E 1140 0B 46 <CR>                 ;enter encoded int 80 at address found

M 0:C F 0:200 <CR>                ;copy BPT vector to int 80 vector

G <CR>                            ;prolock tests diskette drives

S 100 3000 4D 5A                  ;search for .EXE header
    example: xxxx:03D6
             xxxx:1B50            ;<- use last address displayed

 ;     This number is the address of the now decoded, original program,
before ;Prolock was applied.  We need to subtract this hex number from
the size of ;the original Prolock file (BX,CX we recored fist).
    example   1 C750
            -   1B50
              1 AC00

;     This can be done using debug:

H C750 1B50 <CR>                  ;ask debug for som and difference
    example  E2A0  AC00           ;<- use last number

RBX <CR>                          ;load BX and CX with new file size
:0001 <CR>
:AC00 <CR>

N DBASE <CR>                      ;choose any new file name
                                  ;(use no extension)
W 1B50 <CR>                       ;write out file starting at the address
                                  ;of the .EXE file that we found above.
Q <CR>                            ;quit debug

REN DBASE DB.EXE                  ;rename new file to a .EXE filename

That's all there is to it.  The new file contains no Prolock code, and will
run without the original disk.  Here is a brief description of what was
actually done.

The first LOOP decodes the Prolock code.  We do a GO to the end of that loop.
The Search for the bytes 83 C4 08 finds the code that prints the error
message when Prolock fails to find it's special disk.  We Assemble new code
at that address which returns a 0 in AX.  This tricks Prolock into thinking
the disk was found, and it then decodes the original .EXE file.

The Search for the bytes C0 45 F8 finds the code that loads the original .EXE
file.  By the time this code is executed, the .EXE file is decoded and we
want to stop and write it out.  We can't put a Break Point there because
Prolock will destroy our BPT vector.  So we enter the code for an INT 80 at
this address and copy or BPT vector to the unused INT 80 vector.  In
addition, this code is "encrypted" by having each byte exclusive ORed with
the byte C6.  Our INT 80 code (CD 80) thus becomes the bytes 0B 46.

The Move 0:C F 0:200 instruction copies the debug Break Point vector to the
INT 80 vector for use there.  We then do a GO and Prolock checks the A: drive
for a Prolock disk, thinks it finds it, and decodes the original .EXE file.
Before it can execute the file it hits our INT 80, which returns us to debug.

Finally we search for the .EXE header, calculate how long the file is without
the Prolock code, and write it out to a file.  This file is Renamed to a .EXE
file and can then be run.

     Another file downloaded from:                     NIRVANAnet(tm)

     & the Temple of the Screaming Electron              510-935-5845

     Rat Head                                            510-524-3649
     Burn This Flag                                      408-363-9766
     realitycheck                                        415-474-2602
     Lies Unlimited                                      415-583-4102

   Specializing in conversations, obscure information, high explosives,
       arcane knowledge, political extremism, diversive sexuality,
       insane speculation, and wild rumours. ALL-TEXT BBS SYSTEMS.

  Full access for first-time callers.  We don't want to know who you are,
   where you live, or what your phone number is. We are not Big Brother.

                         "Raw Data for Raw Nerves"

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH