___________________________________________________________________ THE ZAPPER Volume 1, Number 1 For Registered Users Of FreeSoft Products ___________________________________________________________________ Copy Protecting Diskettes ------------------------- The Ultra-Format program has the capability to format diskettes that cannot be copied by DOS's DISKCOPY utility. This article will explain how to use the Ultra-Format program to produce copy-protected diskettes. The whole idea behind producing copy-protected diskettes is to know exactly what DISKCOPY can and can't duplicate. Specifically, DISKCOPY looks for and copies only the following: 1) Side 0 and Side 1 2) Tracks 0 to 39 3) Sectors 1 to 8 (512 bytes each). Knowing this, it is easy to confuse DISKCOPY by formatting a diskette outside of these "normal" limits. Although we certainly can't format more than two or less than one diskette sides, there are a number of other approaches we can take. All disk drives we have used, for instance, have been able to format 1 or 2 more tracks than the manufacturer specifies. On your IBM-PC, you could actually format tracks 40 and 41 if you wanted to. Since DISKCOPY does not look for these tracks during a backup, (and, by the way, neither do many "pirate" backup programs), any copies made will not contain the information in these tracks. Although, due to the way DOS handles free disk space, the extra tracks can't be used for programs or files, you can use the sectors in these tracks to contain special passwords. Use the FORMAT STANDARD TRACK option in Ultra-Format to format a track 40 on a scratch diskette. Then, using Ultra-Zap, go in with the DISPLAY/MODIFY DISK SECTOR function to insert a secret password into one of that track's sectors. If your program has the ability to read a raw disk sector, this password can be checked for validity. We will discuss this "read a sector" function in more detail later. Another good way to fool DISKCOPY is to format a standard track of 8 sectors of 512 bytes each, but numbered weirdly (Sectors 32, 34, 5, 93, 87, 2, 14, and 201, for instance). Again, a password can be inserted and later verified in one of these sectors. Remember that DISKCOPY expects the sectors to be numbered consecutively from 1 to 8 and won't copy any others. Finally, you can also format a track containing sectors of a different length than 512 btyes. The disk controller circuit in your IBM-PC has the ability to format sectors of either 128, 256, 512, or 1024 bytes each. You can forget about formatting a track of ten 1024 byte sectors, though - there just isn't enough room on a track. A good rule of thumb is to format sectors in relation to their size. That is, four 1024 byte sectors per track, eight 512 byte sectors per track, sixteen 256 byte sectors per track, or thirty two 128 byte sectors per track. All of these combinations give the same number of available bytes for data. 2) When using sectors of other than 512 byte lengths, there is another matter to consider. Several bytes in the Disk Parameter Table will have to be fiddled with in order to format a track correctly. If you don't adjust these values, the resulting track will contain CRC errors. CRC (cyclic redundency check) is just a checksum that is used by the disk controller circuit to confirm that data is being read properly. Of course, you could purposefully format a track with CRC errors, try to read a sector, and verify that it is a non-pirated copy when it returns a CRC error code. To do this, just format a track using the FORMAT NON-STANDARD TRACK option in Ultra-Format. When specifying sectors, go ahead and specify the first 7 sectors as would be found in a standard track (logical sector numbers 1 through 7 with a length value of 2). On the eight sector, specify a length value of 3 (meaning 256 bytes). When sector 8 is later read (assuming the Disk Parameter Table bytes/sector value is changed to value 3), you should get a CRC error. Don't forget, when you later want to read odd-sized sectors, you will have to change the bytes per sector value in the Disk Parameter Table to reflect the sector's size. Don't forget to restore this byte back to it's original value before doing other disk I/O or exiting your program. Here are the bytes in the Disk Parameter Table that will need to be modified before formatting oddly-sized (not 512 bytes) sectors: 1) Byte #5 (Highest Sector Number On Track): This byte should contain the number of sectors you wish to format, not necessarily the highest logical sector number. 2) Byte #6 (Gap Length For Diskette Reads): We're not exactly sure if this byte actually affects a format operation, but it doesn't hurt to go ahead and modify it. The value should be changed in relation to the sector size. For instance, if you're going to format a track of four 1024 byte sectors, cut the value in this byte in half. Double it for sixteen 256 byte sectors and multiply it by four for thirty two 128 byte sectors. 3) Byte #8 (Gap Between Sectors): This definitely needs to be changed before formatting. Modify it in relation to the sector size, as was discussed in 2) above. All in all, getting a format that works is the result of experimentation. Since we had no need for formatting copy-protected diskettes with our products, our experience with this is limited. We would appreciate hearing about any particularly interesting copy-protection schemes you come up with using the Ultra-Utilities. Just putting a weirdly formatted track or sector on a diskette won't keep your programs from being copied. DISKCOPY will go ahead and copy everything else. Therefore, you will need to insert in your program some means of reading a given sector and checking a password in it before continuing with the execution of the program. There is really no easy way of doing this outside of an assembly language subroutine. Fortunately, the routine needs only to be 10 or 20 lines long since the IBM-PC BIOS contains a sector read subroutine. This is accessed through the INTERRUPT 13H vector. 3) Basically, all your routine has to do is put certain values into the 8088 registers and call this routine. Here's the register setup that's required: AH=2 (this specifies a "READ" operation) AL=1 (this specifies a single sector read) ES:BX (address of the memory buffer you wish the sector data to be copied into) CH (track number you wish to read 0-255) CL (sector number you wish to read 0-255) DH (side number you wish to read 0 or 1) DL (drive number you wish to use 0=Drive A, 1=Drive B, etc.) After filling these registers as required, execute an INT 13H instruction. This does the actual sector read. Afterwards, the CARRY flag is set if the read failed or is reset if the read was successful. If an error occured, the AH register contains the error code. Here are the meanings of the possible error codes: AH=1 Bad disk command was issued (registers setup correctly?) AH=2 Address mark not found (track formatted?) AH=3 Tried to write a write protected disk (AH=2 upon entry?) AH=4 Sector not found AH=8 Direct Memory Access overrun AH=9 Direct Memory Access crossed a 64K boundary AH=16 Cyclic redundency check error (CRC) AH=32 Disk controller failure AH=64 Track seek failed AH=128 Drive timed out (drive door open? disk mounted?) All of the above error codes are in decimal format. ------------------------------------------------------------------- Once last caveat, although many drives are capable of formatting tracks higher than 39, most diskette manufacturers don't certify these tracks before selling the diskettes. ------------------------------------------------------------------- MONTHLY UNPROTECTS ------------------ The following tips are for those who are registered users of the software concerned. Please don't rip off those who have worked hard to put such fine products on the market. LOTUS 1-2-3 ----------- This works with the newer releases of 1-2-3 1) RENAME 123.EXE 123.XYZ 2) DEBUG 123.XYZ 3) type U ABA9 4) you should see INT 13 at that address 5) type E ABA9 90 90 6) type W 7) type Q 8) COPY 123.XYZ onto another diskette 9) RENAME 123.XYZ UNP123.EXE UNP123.EXE may now be freely copied and/or moved onto a hard disk. 4) VISICALC -------- 1) Format a single sided diskette with FORMAT B:/S (or whatever drive letter is appropriate) 2) DEBUG 3) Put VisiCalc diskette in Drive A 4) type L 100 0 138 2 5) type M 0 3FF 7000 6) type R CS 7) write down this number (we'll call this Hold #1) 8) add 700H to this number and type this in. 9) type R DS 10) write down this number (we'll call this Hold #2) 11) add 700H to this number and type this in. 12) Take the rightmost two digits of Hold #1 and insert those in place of the LL symbols in step 13. Put the leftmost two digits in place of the HH in step 13. 13) type E 107 LL HH (substituting your values for LL & HH) 14) type E 24D BB A8 00 90 15) type G =1B8 26B 16) After a few burps and chirps, you will be back at the DEBUG prompt. 17) type R CS 18) type in the value you saved as Hold #1 19) type R DS 20) type in the value you saved as Hold #2 21) type R BX 22) type the number 0 23) type R CX 24) if you have VC version 1.0, type the number 6802, if you have version 1.1, type the number 6B64 25) remove the Visicalc diskette from Drive A and mount your freshly formatted diskette in Drive A 26) type N VC.COM 27) type W 28) type Q VC.COM can now be freely copied and placed on a hard disk. These unprotects have been garnered from various bulletin boards around the country. If you've got a favorite unprotect, why not send it in for the next issue of THE ZAPPER! --------------------------------------------------------------------- LAST MINUTE ADDTION ------------------- The following BASIC program lines will allow you to modify the Disk Parameter Table values: 20000 DEF SEG=0:A1%=120:A2%=PEEK(A1%)+256*PEEK(A1%+1) 20010 DEF SEG=PEEK(A1%+2)+256*PEEK(A1%+3) 20020 POKE A2%+3,3:'THIS PUTS A LENGTH OF VALUE OF 3 INTO THE THIRD 20030 ' BYTE (BYTES PER SECTOR VALUE) OF THE D.P.T. 20040 DEF SEG E OF 3 INTO THE THIRD 20030 '