GCLISP.UNP           Breaking GCLISP (Sofguard version 2.00)
                      Special thanks to by The Lone Victor

     Programs that are protected by the Softguard system are distingished
by the fileS CML0200.HCL and VDF0200.VDW which are hidden in the root
directory when you install the program on your fixed disk.  The 0200
part of the file names is the Softguard version (2.00) while CML stands
for Common Loader and VDF is the Volume Descriptor File.  The extentions
HCL and VDW stand for Hard Common Loader and Verify Descriptor Working
copy.  In addition, there will be a hidden root file with a .EXE or .LOD
extention.  This is the REAL program, which has been encrypted and hidden.  

     The program <FILE>.COM, in the product directory is the Softguard mini-
loader.  All it does is call the Common Loader.  For example, when you run
dbase, the program GCLISP.COM loads CML0200.HCL high in memory and runs it.  
CML decrypts itself and reads VDF0200.VDW.  The VDF file contains some code 
and data from the fixed disk FAT at the time of installation.  By comparing 
the information in the VDF file with the current FAT, CML can tell if the
CML, VDF, and GCLISP.EXE files are in the same place on the disk where they 
were installed.  If they have moved, say from a backup & restore, then GCLISP 
will not run.

     This text file is designed to let you unprotect ANY of the programs
using the Softguard 2.00 system.  We will use GCLISP  as an example,
but values for other programs will be included in a table.

     The DBASE III compiler named CLIPPER uses Softguard 2.03 (i.e. has
CML0203.HCL, etc.)  Many of the code addresses are different in this 
version.  This text will not, currently, unprotect any programs using 
Softguard 2.03.

     This table is an experiment designed to keep down the number of files
uploaded to BBS's.  When I started it, this text file was named SOFTG1.UNP.  
Whenever you add a product to the table (including your "name" if desired)  
increment the file name by one and upload it to your local BBS.  Don't worry 
about the fact that others will be doing the same.  Higher versions of 
SOFTGxxx.UNP will not INSURE that they contain all the tabulated products, 
but will be MORE LIKELY to contain them all.  Eventually we'll get them all 
collected.  

     If you find a new program to add to the table, just enter the name of 
the encrypted, hidden file in the root directory, and it's size converted
to HEX.  Try it out before you upload it to your BBS.

     If you have any comments on this unprotect routine or the PROLOCK.UNP
routine, please leave them on the Atlanta PCUG BBS (404) 634-5731.

                                          The Lone Victor - 6/26/85



            TABLE OF VALUES FOR VARIOUS PROTECTED PROGRAMS

                     FILE    FINAL
PRODUCT  VERSION     NAME     EXT  SIZE:  BX=  CX=        CONTRIBUTOR
------------------------------------------------------------------------

dBase III   1.10     DBASE    EXE   BX = 1  CX = AC00  The Lone Victor 4/15/85
Framework   1.10     FW       EXE   BX = 2  CX = F400  Q-1367
                                  (I question this next file size - L.V.)
WordStar    1.00     WS2000   EXE   BX = 1  CX = AC00  Gerald Lee
Double DOS    ?      DOUBLEDO EXE   BX = ?  CX = ?     Big Al & Coffee Man
Spot Light    ?      SL       EXE   BX = 0  CX = 6700
Golden Common Lisp   GCLISP   EXE   BX = 2  CX = 3E00  MIT CRACKER


     The following instructions show you how to bypass the SoftGuard copy 
protection scheme using GCLISP as an example.  To use it 
with other products, simply substitute the values in the table above for 
the values given below.  The only things that change are the file name, 
and the size that goes in the BX:CX register pair.

     First, using your valid, original GCLISP  diskette, install it on
a fixed disk.  You cannot use this text to unprotect the floppy directly!
Softguard hides three files in your fixed disk root directory: CML0200.HCL, 
VDF0200.VDW, and GCLISP.EXE.  It also copies GCLISP.COM into your chosen GCLISP 
directory.  GCLISP.EXE is the real GCLISP  program, encrypted.  (This file
might also be named GCLISP.LOD, but is the same thing.)

     Second, un-hide the three files in the root directory.  You can do
this with the programs ALTER.COM or FM.COM found on any BBS.

     Make copies of the three files, and of GCLISP.COM, into some other
directory.

     Hide the three root files again using ALTER or FM.

     Following the GCLISP instructions, UNINSTALL GCLISP .  You can now
put away your original GCLISP diskette.  We are done with it.

     Next we will make some patches to CML0200.HCL to allow us to trace
through the code in DEBUG.  These patches will keep it from killing our
interrupt vectors.

debug cml0200.hcl
e 3F9 <CR>  2A.4A <CR>          ; change the 2A to 4A
e 49D <CR>  F6.16 <CR>          ;  if any of these numbers don't show up
e 506 <CR>  E9.09 <CR>          ;  it's not working.
e A79 <CR>  00.20 <CR>          ;
e AE9 <CR>  00.20 <CR>          ;
e 73C  97 FA FA F4 F1 7E <CR>   ; this is an encrypted call to 0:300
w                               ; write out the new CML file
q                               ; quit debug


     Now copy your four saved files back into the root directory and
hide the CML0200.HCL, VDF0200.VDW, and GCLISP.EXE files using ALTER or FM.

     We can now run GCLISP.COM using DEBUG, trace just up to the point
where it has decrypted GCLISP.EXE, then write that file out.

          ****  USE THE FILE NAME LISTED IN THE TABLE ABOVE  ****
       ****  E.G. USE FW.COM INSTEAD OF GCLISP.COM FOR FRAMEWORK  ****

debug GCLISP.com                 ; name of file that runs the product
r <CR>                          ; dump debug's registers

          ****  WRITE DOWN THE VALUE OF DS FOR USE BELOW.  ****
     ****  THIS VALUE IS DEPENDENT ON YOUR PARTICULAR MACHINE.  ****

a 0:300 <CR>                    ; we must assemble some code here
        pop     ax
        cs:
        mov     [320],ax        ; save return address
        pop     ax
        cs:
        mov     [322],ax
        push    es              ; set up stack the way we need it
        mov     ax,20
        mov     es,ax
        mov     ax,0
        cs:
        jmp     far ptr [320]   ; jump to our return address
 <CR>
g 406                           ; now we can trace CML
t
g 177                           ; this stuff just traces past some
g 1E9                           ;   encryption routines.
t
g 54E                           ; wait while reading VDF & FAT
g=559 569
g=571 857                       ; GCLISP.EXE has been decrypted

              ****  USE THE FILE SIZE LISTED IN THE TABLE ABOVE  ****
              ****  THE VALUES HERE ARE FOR GCLISP ONLY  ****

rBX <CR>  
:2                              ; set BX to 1 for GCLISP
rCX <CR>
:3E00                           ; set CX to AC00 for GCLISP

              ****  USE THE FILE NAME LISTED IN THE TABLE ABOVE  ****

nGCLISP.bin                      ; name of file to write to
w XXXX:100                      ; where XXXX is the value of DS that
                                ;   you wrote down at the begining.
q                               ; quit debug

     Last, unhide and delete the three root files CML0200.HCL, VDF0200.VDW, 
and GCLISP.EXE.  Delete GCLISP.COM and rename GCLISP.BIN to GCLISP.EXE.  This is 
the real GCLISP  program without any SoftGuard code or encryption.  It 
requires only the INIT.LSP file to run.  Every protected program I have seen
has the .EXE extention, but it is possible to use Softguard to encrypt .COM
files too.  See the table above for the proper extention to put on the de-
crypted file.
                                                                  