BUCKAROO BANZAI
the Reset Vector
presents
Cracking On the IBMpc

Many copy protection schemes use INT-13 either to try to read in an illegally formatted track/sector or to write/format a track/sector that has been damaged in some way. It is called like any normal interrupt with the assembler command INT 13 (CD 13). [AH] is used to select which command is to be used, with most of the other registers used for data.

Although INT-13 is used in almost all protection schemes, the easiest kind to crack is the plain DOS file, where the check lives in the .COM or .EXE itself. Now the protected program might use INT-13 to load some other data from a normal track/sector on the disk, so it is important to determine which tracks/sectors are important to the protection scheme. I have found the best way to do this is to use LOCKSMITH/pc to analyze the diskette. Write down any track/sector that seems abnormal.

Load the file into DEBUG and execute a search for CD 13. Record any address shown. If no address is picked up, the program is not copy protected (bullshit) or the check is in another part of the program not yet loaded (a real bitch to find). Another choice is that the CD 13 might be hidden in self-changing code like this:

-U CS:0000
1B00:0000 8CCB     MOV  BX,CS
1B00:0002 8EDB     MOV  DS,BX
1B00:0004 BB0D00   MOV  BX,000D
1B00:0007 8A07     MOV  AL,[BX]
1B00:0009 3412     XOR  AL,12
1B00:000B 8807     MOV  [BX],AL
1B00:000D DF13     FIST WORD PTR [BP+DI]

In this section of code, [AL] is loaded with DF (the byte sitting at 1B00:000D) by the MOV at 1B00:0007. When you XOR DF with 12 you get CD hex, the INT opcode, and the MOV at 1B00:000B writes it back right next to the 13, giving you CD 13 or INT-13. This type of code can not and will not be found using DEBUG's [S]earch command, because the CD is not on disk. My best way to find hidden INT-13s is to use PC-WATCH (or TRAP13). These trap the interrupts and will print where they were called from. Then you can disassemble around the address until you find code that looks like it is setting up the disk interrupt. Another way to decode the INT-13 is to use DEBUG's [G]o command.
Just set a breakpoint at the address given by PC-WATCH (both programs give the return address), i.e. -G CS:000F (see code above). When DEBUG stops, the program will have decoded not only the INT-13 but anything else leading up to it.

Once you find the INT-13, all you do is fool the computer into thinking the protection has been found. To find out what the computer is looking for, examine the code right after the INT-13. Look for any branches having to do with the CARRY FLAG or any CMP to the AH register. If a JNE or JC (etc.) occurs, then [U]nassemble the address listed with the jump. If it is a CMP then just read on.

Here you must decide if the program was looking for a protected track or just a normal track. If it has a CMP AH,0 and it has read in a protected track, it can be assumed that it was looking to see if the READ/FORMAT of that track completed without error. No error means the sector is readable, so the disk has been copied, and the program JMPs back to DOS (usually). If this is the case, just NOP the bytes for the CMP and the corresponding JMP. If the program just checked for the carry flag to be set, and it isn't, then the program usually assumes that the disk has been copied. Examine the following code:

INT 13        <-- Read in the sector
JC 1B00       <-- Protection found
INT 19        <-- Reboot
1B00 (rest of program)

The program carries out the INT and finds an error (the illegally formatted sector) so the carry flag is set. The computer, at the next instruction, sees that the carry flag is set and knows the protection has not been breached. In this case, to fool the computer, just change the "JC 1B00" to a "JMP 1B00", thus defeating the protection scheme. Both are two-byte short jumps (72 xx and EB xx), so only the opcode byte changes and nothing else moves.

NOTE: the PROTECTION ROUTINE might be found in more than just one part of the program.

DEBUG reads .EXE files but can't write them. When the protection scheme has been found and tested, record (use the DEBUG [D]ump command) the 10 bytes on either side of the INT 13. Exit back to DOS, rename the file anything but .EXE and reload with DEBUG.
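The whole procedure above (find the CD 13, including one that only exists after a XOR AL,kk has run; read the check after it; turn JC into JMP or NOP out the CMP AH,0 and its jump) can be done on the file's bytes directly, which also sidesteps DEBUG's inability to write .EXE files. The script below is an added example and is not code from the original text; the function names find_int13, patch_check and crack are my own, the 32-byte search window for the XOR trick is an assumed heuristic, and the two sample images are constructed from the disassembly shown in the text, not taken from any real program.

```python
"""Find INT 13h calls in a DOS program image and patch the copy-protection
check that follows them, the way the text does by hand in DEBUG.

Added example, not code from the original text. The two sample images are
constructed from the disassembly in the text. Offsets are file offsets; for
a .COM file add 0100h to get the DEBUG address, for a .EXE the header comes
first so DEBUG's CS:offset will not match the file offset."""
import sys

INT13          = b"\xCD\x13"   # INT 13h
OP_XOR_AL_IMM8 = 0x34          # XOR AL,imm8   (34 kk)
OP_JC_SHORT    = 0x72          # JC  rel8
OP_JMP_SHORT   = 0xEB          # JMP rel8 (same length as JC rel8)
CMP_AH_IMM8    = b"\x80\xFC"   # CMP AH,imm8   (80 FC ii)
JCC_SHORT      = {0x72, 0x73, 0x74, 0x75}   # JC, JNC, JE/JZ, JNE/JNZ rel8
NOP            = 0x90


def find_int13(image: bytes, window: int = 32) -> list[tuple[int, str]]:
    """Offsets of every INT 13h in the image.

    'direct' hits are a literal CD 13, which DEBUG's S command finds.
    'xor' hits are bytes that become CD 13 only at run time: a XOR AL,kk
    within `window` bytes (assumed heuristic) before a byte b with
    b ^ kk == CDh followed by 13h. DEBUG cannot find these."""
    hits = set()
    pos = image.find(INT13)
    while pos != -1:
        hits.add((pos, "direct"))
        pos = image.find(INT13, pos + 1)
    for i in range(len(image) - 1):
        if image[i] != OP_XOR_AL_IMM8:
            continue
        key = image[i + 1]
        if key == 0:                       # XOR AL,0 changes nothing
            continue
        for j in range(i + 2, min(i + 2 + window, len(image) - 1)):
            if image[j] ^ key == 0xCD and image[j + 1] == 0x13:
                hits.add((j, "xor"))
    return sorted(hits)


def patch_check(image: bytes, int13_off: int) -> tuple[bytes, str]:
    """Disable the check right after the INT 13h at int13_off.

    Two shapes from the text are handled:
      INT 13 / JC ok            -> JC becomes JMP, so 'ok' is always taken
      INT 13 / CMP AH,ii / Jcc  -> CMP and Jcc are NOPed (5 bytes)
    Anything else is left alone and reported; the right patch then depends
    on reading where the branch goes."""
    img = bytearray(image)
    p = int13_off + 2                      # first byte after CD 13
    if p >= len(img):
        return bytes(img), f"{p:04X}: nothing follows the INT 13h"
    if img[p] == OP_JC_SHORT:
        img[p] = OP_JMP_SHORT
        return bytes(img), f"{p:04X}: JC -> JMP"
    if img[p:p + 2] == CMP_AH_IMM8 and p + 4 < len(img) and img[p + 3] in JCC_SHORT:
        imm = img[p + 2]
        img[p:p + 5] = bytes([NOP] * 5)    # CMP AH,ii (3) + Jcc rel8 (2)
        return bytes(img), f"{p:04X}: CMP AH,{imm:02X} + Jcc -> 5 x NOP"
    return bytes(img), f"{p:04X}: no recognised check, inspect by hand"


def crack(image: bytes) -> tuple[bytes, list[str]]:
    """Patch every INT 13h check found; returns the new image and a log.
    All patches keep instruction lengths, so offsets never move."""
    log = []
    for off, kind in find_int13(image):
        image, what = patch_check(image, off)
        log.append(f"INT 13h ({kind}) at {off:04X}: {what}")
    return image, log


# Constructed sample 1: the self-modifying sequence from the text followed by
# the JC / INT 19 check. There is no literal CD 13 anywhere in it.
SAMPLE_XOR = bytes.fromhex(
    "8CCB"      # 0000 MOV BX,CS
    "8EDB"      # 0002 MOV DS,BX
    "BB0D00"    # 0004 MOV BX,000D
    "8A07"      # 0007 MOV AL,[BX]      ; AL = DF
    "3412"      # 0009 XOR AL,12        ; DF ^ 12 = CD
    "8807"      # 000B MOV [BX],AL      ; 000D now holds CD 13
    "DF13"      # 000D (becomes INT 13) ; read the protected sector
    "7202"      # 000F JC 0013          ; read failed -> original disk
    "CD19"      # 0011 INT 19           ; read worked -> copy, reboot
    "B44C"      # 0013 MOV AH,4C        ; rest of program
    "CD21"      # 0015 INT 21
)

# Constructed sample 2: the CMP AH,0 shape. A clean read (AH = 0) means the
# protected sector is readable, i.e. a copy, and JE goes to the DOS exit.
SAMPLE_CMP = bytes.fromhex(
    "B402"      # 0000 MOV AH,02        ; read sectors
    "CD13"      # 0002 INT 13
    "80FC00"    # 0004 CMP AH,00
    "7404"      # 0007 JE 000D          ; no error -> copied disk -> exit
    "B400"      # 0009 MOV AH,00        ; rest of program
    "CD16"      # 000B INT 16
    "B44C"      # 000D MOV AH,4C        ; exit to DOS
    "CD21"      # 000F INT 21
)


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print("usage: crack13.py <in.exe> <out.exe>")
        return 2
    with open(argv[1], "rb") as f:
        image = f.read()
    patched, log = crack(image)
    print("\n".join(log) or "no INT 13h found: loader, overlay, hidden, or wrong file?")
    with open(argv[2], "wb") as f:
        f.write(patched)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The NOP transform assumes, as the text does for the CMP AH,0 case, that the conditional jump is the branch to the DOS exit; if the jump instead skips the reboot on error, NOPing it would make every run reboot, so read the branch target before trusting that patch. The XOR heuristic is deliberately narrow (single XOR AL,imm8, fixed window) and will miss other decoders, which is exactly why the text falls back to trapping the call with PC-WATCH.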
Search the program for the 20+ bytes surrounding the code and record the address found. Then just load this section and edit it like normal. Save the file and exit back to DOS. Rename it back to the .EXE file and it should be cracked.

***NOTE: Sometimes you have to fuck around for a while.

The DISK I/O (INT-13) interrupt uses the AH register to select the function to be used. Here is a chart describing the interrupt.

AH=0  Reset disk

AH=1  Read the status of the disk system into AL

      AL   Error  (* denotes most used in copy protection)
      ----------------------------------------------------
       00 - Successful
       01 - Bad command given to INT
      *02 - Address mark not found
       03 - Write attempted on write-protected disk
      *04 - Requested sector not found
       08 - DMA overrun
       09 - Attempt to cross DMA boundary
      *10 - Bad CRC on disk read
       20 - Controller has failed
       40 - Seek operation failed
       80 - Attachment failed to respond (time out)

AH=2  Read sectors
      input   DL = Drive number (0-3)
              DH = Head number (0 or 1)
              CH = Track number
              CL = Sector number
              AL = # of sectors to read
              ES:BX = load address
      output  AH = error number (see above), with the Carry Flag set on error
              AL = # of sectors read

AH=3  Write   (params. as above)
AH=4  Verify  (params. as above, minus ES:BX)
AH=5  Format  (params. as above, minus CL and AL; ES:BX points to the format table)

If you can't find CD 13 in the .EXE file:
 1 - the .EXE (usually .COM) file is just a loader for the main file,
 2 - the .EXE file loads in an overlay,
 3 - the CD 13 is encrypted and/or hidden in the .EXE file, or
 4 - you are looking at the WRONG file.

I won't discuss case 1 because so many UNP files are devoted to PROLOCK and SOFTGUARD and you can figure it out with them. If you have case 3, use the technique above and restart from the beginning. If you have case 4, shoot yourself.

You know the program uses overlays but don't see any on disk? Try Norton's; any hidden files are probably the overlays we are after. If you still can't find them, use PC-WATCH (a must!! Traps ALL interrupts). Start up PC-Watch and EXCLUDE everything in the left column. Search the right column
until you find DOS21 - OpnFile and select it. Now run the program to be cracked. Play the game until the protection is checked. Examine your PC-Watch output to see what file was loaded right before it. This probably is the one with the check. If not, go through all files. When you find the overlay just crack it as if it was a DOS file. Keep a backup copy of the overlay so if you phuck up, and you will, you can recover quickly.

Locksmith's (AlphaLogic) analyzing ability is great for determining what and where the protection is. I find it useful, before I even start cracking, to analyze the protected disk to find and id its protection. This helps in 2 ways. First, it helps you to know what to do in order to fake out the protection. Second, it helps you to find what the program is looking for. Check your local pirate board for the program. I also suggest getting PC-Watch and Norton Utilities 3.1.

Call Spectrum 007 (914)-338-8837