
Cops Copylock II !


dream-weaver
March 12th, 2002, 15:39
Hey,

Some of you may be familiar with this old DOS disk-check routine. In order to activate a protected exe, you need to supply the right diskette.
This protection is quite hard to beat (for me), including encryption and packing.
Someone by the name of j@ker released what he calls "Universal cops deprotector". This may be a great util, yet it doesn't work at all with my file, probably a newer version.
Therefore, I would appreciate help on this subject: how to correctly deprotect a Cops Copylock II protected exe. Any help would be highly appreciated.

thanx in advance,
dw.

DakienDX
March 12th, 2002, 17:39
Hello dream-weaver !

First of all, don't post the same thing in more than one forum.

Second, I don't know this protection, but I'm familiar with DOS programs. Just from the information you posted I can't tell you anything to do.

You should give us some more information about the target.
Does it include Anti-Debugging tricks?
Any one-way encryption?
Do you have the needed disc?
What have you tried so far? (DiskCopy, Debugger, Disassembler, Automatic unpacker?)
Do you need the disk to run the .EXE or to decrypt it?
Can you move the protection from the disc to other media?
Are you familiar with ASM?
Anything else which might be interesting?

dream-weaver
March 13th, 2002, 10:25
First of all, thanx for the response DakienDX!

I've posted in the newbie forum, thus you may understand that I'm a little new to this subject. So sorry I didn't post enough info, I'll write here all I think is relevant:

As mentioned, this is a disk-check routine. Therefore, it needs a specific diskette with, probably, some specific corrupted bytes. If the protection finds these bytes, the program works. I didn't try disk-copy as I don't have the original disk.
I had it once and tried to copy it, and since then it doesn't work !
I don't know about anti-debugging tricks, I suppose it does have some from the info on the official web-site:

ww.linkdata.com/newhome/index.htm#copylock

This should give you enough info about this protection. As far as I know, this is one of the most advanced disk-check protections for DOS. The page mentions anti-debugging, anti-copying, and other tricks.

I tried using all the generic unpackers for DOS I could find in exetools, protools, etc. As I said, nothing worked. I got the same result from j@ker's cops copylock deprotector.

Again, I'm not sure, but from what I could find out, the protection unpacks exe only partially, then waits for the correct disk, and then unpacks the rest of the program in order to run.

I tried using SoftICE and landed in an endless INT13 (DOS I/O interrupt, reading a sector from a diskette for instance) loop. That's about it. I also tried disassembling with IDA and W32DSM, yet obviously I didn't get anything useful as the program is encrypted. I also didn't find any INT13 calls inside the code, for the same reason.

I know the basics of ASM. I can understand some Windows code, yet I found it much harder to reverse DOS programs. Thus I posted this thread in hope of getting some help.

Finally, if this is necessary, you can take a look at the protected exe at:
ww.geocities.com/virtual_pool_2/LINGO.ZIP

I hope this info is enough because I'm quite lost and don't know where to start.
So, again, any help would be highly appreciated.

dw.

DakienDX
March 13th, 2002, 19:15
Hello dream-weaver !

Thank you for the information. I looked at their homepage and found some interesting phrases.
"No source changes necessary" -> a wrapper is used
"No special diskettes" -> can be copied somehow
"Includes Machine Installation ... hard disk can be low-level formatted or even replaced with another hard disk type without affecting protected files" -> probably uses CMOS to store some data

I'll download the program and see what I can find out.

dream-weaver
March 14th, 2002, 17:26
hey,

Thanx a lot for your help again, I really appreciate it.

I see that they made good protections in the old days as well

If anyone can suggest anything else I would be grateful.

dw

DakienDX
March 15th, 2002, 17:24
Hello dream-weaver !

Yes, they made good protections in the old days as well.

But this is none of the good ones.

The program uses a wrapper. You can bypass it by reversing about 10-15 conditional jumps. There is no need to make a fake disc. It does not read any valuable data from the disc.
It stores some version information in the boot record, using some fields which makes the discs completely incompatible with any OS.

The program is even packed (LINK /EXEPACK) under the wrapper, so we don't need to care about relocations.

I get a "File not found in module LINGO-L" at startup, but the program works fine.

dream-weaver
March 16th, 2002, 11:16
Hey again,

Well thanx for your reply, but now you are forgetting that I am a newbie, and this time you didn't post enough info.

How do I unpack the file (if I need to)?

What jumps do you mean? (That I need to change)
The disassembler returned no code, so I'm a little lost about it.

I realized it too that there is no need really for the key-disk, it's there for security purposes only.

Furthermore, I think I already tried some unpackers which should recognize exepack /link, yet all of them failed. Can you please direct me and explain what I am doing wrong. I would appreciate it.


thanx again,
dw.

DakienDX
March 16th, 2002, 11:51
Hello dream-weaver !

You can unpack the file with any DOS unpacker, since LINK /EXEPACK does not really pack the file, only the relocations. You don't need to do this, I only did it to see if the file is working.

What jumps do I mean? A bit difficult to explain. I single-stepped through the file.
You'll come to a loop checking for the key disc after some time (2 minutes); there you have to reverse the jump checking if the disc is OK. Then you come to a serial check, and after some version information is shown on screen (of course junk, since it's read from the floppy's boot record, which we don't have) you come across a lot of other conditional jumps, nearly all of which must be reversed.

Then there should be a relocation routine which is skipped since there are no relocations and after that the usual packer cleanup procedure. (I hope you can identify it. clearing all registers and setting up SS:SP and jumping to CS:IP)

Then you are at the entry point of the LINK /EXEPACK code. You could not see it before since the Cops Copylock II layer was around it.

You can dump the code then. Try writing about 150KB (filesize) to a file and write down SS:SP and CS:IP.

Create a .EXE from the dump and change SS:SP and CS:IP to their right values. (If you like, you can unpack the relocations now)

Now you can run the file without a valid disc.
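The dump-to-.EXE step described in the post above, as an added example that is not part of the original thread (and not any Cops or UNP tool): once the tracer has reached the inner LINK /EXEPACK entry point and written the image out of memory, the raw dump needs a DOS MZ header in front of it so that CS:IP and SS:SP point where the debugger showed them. DOS stores those segments relative to the load segment, so the absolute values noted in SoftICE have to be rebased; the image contents, the segment values and the load segment used here are all constructed for illustration.

```python
"""Wrap a raw memory dump of a DOS program in an MZ .EXE header.

Added example, not from the original thread.  The image, the CS:IP/SS:SP
values and the load segment below are constructed; in a real session they
come from the debugger after the outer wrapper has finished its cleanup.
"""
import struct

# e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
# e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno  -> 28 bytes
MZ_HEADER_FMT = "<2sHHHHHHHHHHHHH"
MZ_HEADER_SIZE = struct.calcsize(MZ_HEADER_FMT)
PAGE = 512   # DOS counts file size in 512-byte pages
PARA = 16    # header size and segments are in 16-byte paragraphs


def build_mz_exe(image: bytes, *, cs: int, ip: int, ss: int, sp: int,
                 load_seg: int, header_paras: int = 2) -> bytes:
    """Return header + image as a relocation-free .EXE.

    cs/ss are the absolute segments seen in the debugger; load_seg is the
    segment the image was loaded at (PSP segment + 0x10 for a .EXE).  The
    header keeps them relative to the load segment so DOS can place the
    program anywhere.  e_crlc is 0: the dump has no relocation table, the
    inner LINK /EXEPACK layer takes care of its own fixups at run time.
    """
    header_len = header_paras * PARA
    if header_len < MZ_HEADER_SIZE:
        raise ValueError("header_paras too small for a 28-byte MZ header")
    total = header_len + len(image)
    e_cblp = total % PAGE                     # bytes used on the last page
    e_cp = (total + PAGE - 1) // PAGE         # number of pages, rounded up
    header = struct.pack(
        MZ_HEADER_FMT,
        b"MZ",
        e_cblp, e_cp,
        0,                                    # e_crlc: no relocations
        header_paras,                         # e_cparhdr
        0,                                    # e_minalloc
        0xFFFF,                               # e_maxalloc: all available
        (ss - load_seg) & 0xFFFF, sp & 0xFFFF,
        0,                                    # e_csum: unused by DOS
        ip & 0xFFFF, (cs - load_seg) & 0xFFFF,
        MZ_HEADER_SIZE,                       # e_lfarlc: empty table
        0,                                    # e_ovno
    )
    return header.ljust(header_len, b"\0") + image


def parse_mz_header(data: bytes) -> dict:
    """Decode an MZ header and derive image offset/size the way DOS does."""
    names = ("magic", "cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
             "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")
    hdr = dict(zip(names, struct.unpack_from(MZ_HEADER_FMT, data, 0)))
    if hdr["magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    file_size = hdr["cp"] * PAGE
    if hdr["cblp"]:
        file_size -= PAGE - hdr["cblp"]
    hdr["image_offset"] = hdr["cparhdr"] * PARA
    hdr["image_size"] = file_size - hdr["image_offset"]
    return hdr


def entry_file_offset(hdr: dict) -> int:
    """File offset of the first instruction executed (CS:IP within image)."""
    return hdr["image_offset"] + hdr["cs"] * PARA + hdr["ip"]


def demo() -> dict:
    # Constructed 1 KB "dump": a mov ah,4Ch / int 21h stub at what will be
    # CS:IP, so the rebuilt file exits cleanly if run in a DOS emulator.
    image = bytearray(0x400)
    image[0x210:0x214] = b"\xB4\x4C\xCD\x21"
    load_seg = 0x1A2B                      # constructed PSP+0x10
    exe = build_mz_exe(bytes(image), cs=0x1A4B, ip=0x0010,
                       ss=0x1A5B, sp=0x0100, load_seg=load_seg)
    hdr = parse_mz_header(exe)
    hdr["entry_bytes"] = exe[entry_file_offset(hdr):entry_file_offset(hdr) + 4]
    hdr["file_len"] = len(exe)
    return hdr


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v!r}")
```

The sanity check worth doing before running the rebuilt file is the round trip in `demo()`: parse the header back, confirm `crlc` is 0, that `image_size` equals the number of bytes dumped, and that the bytes at `entry_file_offset()` are the instructions the debugger showed at the packer's entry point. If CS:IP lands outside the image, the load segment was subtracted wrongly (usually the PSP segment was used instead of PSP+0x10).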

dream-weaver
March 16th, 2002, 16:07
hey,

Well I must admit it does sound simple from you, but sorry, I still don't get it ;(

You said I can unpack this one with every DOS exe unpacker, yet I tried many of them and the result was the same: Nothing unpacked.

Then there's the jumps issue. You said that the only packer used is exepack /link (which I couldn't unpack with UNP either). So why can't I see the disk-check routine and all those conditional jumps with a disassembler like IDA?

I already told you I tried a bpm int 13 in SICE and ended up in an endless loop of int13 which I couldn't get out of. So I have no idea how to trace this one (another bpm maybe?).

Maybe I'm hopeless, maybe I didn't do my tuts reading, I don't know. If you can send me the de-protected exe maybe I will be able to understand what you explained a bit better.

I don't really know. Again, write anything you think is relevant and might be able to help.

thanx again,
dw.

DakienDX
March 16th, 2002, 16:28
Hello dream-weaver !

Sorry if I'm too fast, but it was easy for me.

You can use UNP or any DOS unpacker to unpack the LINK /EXEPACK wrapper. But if you've not removed the Cops Copylock II wrapper yet, you can't unpack it this way of course. First you have to remove the outer layer before going on with the inner layer.

You can forget about a disassembler since the code is encrypted and a disassembler will just produce junk code. Some parts of the decryptor are also encrypted.

Maybe the endless loop of INT 13 you found in SoftICE was the disc check. It should be some Calls, one JNB and one JB in a loop. The first step is to reverse the JB by changing the Carry flag when being there in SoftICE. This can be done by entering R FL C. Now you should be out of the loop and be able to follow my other instructions.

Sorry, but I won't send you the unpacked file. This is no crack request board. It's a board to ask for help when being stuck on unpacking a program.

But it wouldn't help you either. You would just notice that by replacing 150KB in a 152KB program and truncating the other 2KB the program is unpacked. Remember, the program is encrypted. Comparing the packed and unpacked file would give only differences, since there are no similarities.

I hope you understand me better now.