Shield v1.70 by V Communications
(C)racked by Red Rat 1990

Oh, those huckers! Good luck to you, curious cracker!

Shield v1.70, track 2, side 0, sector 10

0231 8B1E2602  mov bx,[0226]
0235 C6067603FC  mov byte ptr [0376],FC
023A B90A01  mov cx,010A
023D B80102  mov ax,0201
0240 CD13  int 13
0242 0AE4  or ah,ah
0244 7541  jne 0287
0246 8A4701  mov al,[bx+01]
0249 3C00  cmp al,00
024B 7409  je 0256
024D xx xx xx xx xx xx xx xx xx
0256 A1E505  mov ax,[05E5]
0259 85C0  test ax,ax
025B 7431  je 028E
025D 8B36E705  mov si,[05E7]
0261 8B00  mov ax,[bx+si]
0263 2D6F55  sub ax,556F
0266 750B  jne 0273
0268 xx xx xx xx xx xx xx xx xx xx xx
0273 A3E505  mov [05E5],ax
0276 FF08  dec word ptr [bx+si]
0278 B80103  mov ax,0301
027B CD13  int 13
027D 84E4  test ah,ah
027F 740D  je 028E
0281 xx xx xx xx xx xx
0287 33C0  xor ax,ax
0289 A36503  mov [0365],ax
028C CD13  int 13
028E C40EE905  les cx,[05E9]
0292 BF3800  mov di,0038
0295 B8B503  mov ax,03B5
0298 268705  xchg es:[di],ax
029B A3BD03  mov [03BD],ax
029E 8CC8  mov ax,cs
02A0 26874502  xchg es:[di+02],ax
02A4 A3BF03  mov [03BF],ax
02A7 C43E1002  les di,[0210]
02AB C606F40506  mov byte ptr [05F4],06
02B0 C606760392  mov byte ptr [0376],92
02B5 B10B  mov cl,0B
02B7 B80102  mov ax,0201
02BA CD13  int 13
0376 92  xchg ax,dx  ; the byte patched at 0376 above executes here
02BC 87062002  xchg [0220],ax
02C0 C6067603FC  mov byte ptr [0376],FC
02C5 C606F40501  mov byte ptr [05F4],01
02CA 93  xchg bx,ax
02CB A12D02  mov ax,[022D]
02CE 02C6  add al,dh
02D0 A31A02  mov [021A],ax
02D3 8B3E2602  mov di,[0226]
02D7 03BFFC00  add di,[bx+00FC]
02DB 8A45FF  mov al,[di-01]
02DE B164  mov cl,64
02E0 F3AE  rep scasb  ; after scasb cx = 54
02E2 C787FC00AA55  mov word ptr [bx+00FC],55AA
02E8 C406E905  les ax,[05E9]
02EC BF0C00  mov di,000C
02EF 030E1A02  add cx,[021A]
02F3 26034DF8  add cx,es:[di-08]
02F7 AB  stosw
02F8 BEBD03  mov si,03BD
02FB BF3800  mov di,0038
02FE A5  movsw
02FF A5  movsw
0300 BEED05  mov si,05ED
0303 BF7800  mov di,0078
0306 A5  movsw
0307 A5  movsw
0308 CD13  int 13
030A 87062F02  xchg [022F],ax
030E 03C1  add ax,cx
0310 BE1F05  mov si,051F
0313 33C6  xor ax,si
0315 D1C8  ror ax,1
0317 3004  xor [si],al
0319 46  inc si
031A 81FED205  cmp si,05D2
031E 72F3  jb 0313
0320 C43EE905  les di,[05E9]
0324 8BF7  mov si,di
0326 2B0E6503  sub cx,[0365]
032A 83C1FF  add cx,FFFF
032D 13F7  adc si,di
032F D1E6  shl si,1
0331 8B84C103  mov ax,[si+03C1]
0335 268905  mov es:[di],ax
0338 BE2202  mov si,0222
033B A1E105  mov ax,[05E1]
033E B104  mov cl,04
0340 D3E8  shr ax,cl
0342 91  xchg cx,ax
0343 26894D0C  mov es:[di+0C],cx
0347 A1D505  mov ax,[05D5]
034A 2689450E  mov es:[di+0E],ax
034E C7061E02CCCF  mov word ptr [021E],CFCC
0354 051000  add ax,0010
0356 CD00  int 00  ; goto 051F
...
0369 36892E7403  mov ss:[0374],bp
036E 368306100202  add ss:word ptr [0210],0002
0374 FFE7  jmp di
0376 FC  cld
trace proc
0377 FB  sti
0378 3687062A02  xchg ss:[022A],ax
037D 95  xchg bp,ax
037E 8B46FE  mov ax,[bp-02]
0381 03C5  add ax,bp
0383 314600  xor [bp],ax
0386 D1C0  rol ax,1
0388 314602  xor [bp+02],ax
038B 368B2E1002  mov bp,ss:[0210]
0390 8B46FE  mov ax,[bp-02]
0393 03C5  add ax,bp
0395 314600  xor [bp],ax
0398 D1C0  rol ax,1
039A 314602  xor [bp+02],ax
039D 8B4600  mov ax,[bp]
03A0 3CCD  cmp al,CD
03A2 95  xchg bp,ax
03A3 3687062A02  xchg ss:[022A],ax
03A8 74BF  je 0369
03AA CF  iret
trace endp
03AB 1E  push ds  ; I think code from 03AB thru 03B3 is never used
03AC A5  movsw
03AD A5  movsw
03AE AB  stosw
03AF 07  pop es
03B0 8BFC  mov di,sp
03B2 FB  sti
03B3 FFE3  jmp bx
int_0E proc
03B5 2EC7062D020000  mov cs:word ptr [022D],0000
03BC EA00000000  jmp 0000:0000
int_0E endp
03C5 721D  jc 03E4
03C7 A10001  mov ax,[0100]
03CA 3B07  cmp ax,[bx]
03CC 7516  jne 03E4
03CE A10201  mov ax,[0102]
03D1 3B4704  cmp ax,[bx+04]
03D4 750E  jne 03E4
03D6 817F02CDD3  cmp word ptr [bx+02],D3CD
03DB 7507  jne 03E4
03DD C70610023102  mov word ptr [0210],0231
03E3 CF  iret
03E4 B400  mov ah,00
03E6 CD13  int 13
03E8 CF  iret
03E9 268B1E1002  mov bx,es:[0210]
03EE 26A11A02  mov ax,es:[021A]
03F2 A30800  mov [0008],ax
03F5 26A11C02  mov ax,es:[021C]
03F9 A30A00  mov [000A],ax
03FC C7060C00C503  mov word ptr [000C],03C5
0402 80E603  and dh,03
0405 02FE  add bh,dh
0407 26891E2F02  mov es:[022F],bx
040C B400  mov ah,00
040E CD13  int 13
0410 BE8C00  mov si,008C
0413 26A1D505  mov ax,es:[05D5]
0417 890C  mov [si],cx
0419 894402  mov [si+02],ax
041C BE7800  mov si,0078
041F BFED05  mov di,05ED
0422 A5  movsw
0423 A5  movsw
0424 8BC7  mov ax,di
0426 8CCB  mov bx,cs
0428 897CFC  mov [si-04],di
042B 8C44FE  mov [si-02],es
042E 26C575FC  lds si,es:[di-04]
0432 B10B  mov cl,0B
0434 F3A4  rep movsb
0436 26C5161002  lds dx,es:[0210]
043B 8CDB  mov bx,ds
043D B104  mov cl,04
043F D3E3  shl bx,cl
0441 B8FD25  mov ax,25FD
0444 03C3  add ax,bx
0446 2500E0  and ax,E000
0449 2BC3  sub ax,bx
044B A32602  mov [0226],ax
044E FECC  dec ah
0450 8BD8  mov bx,ax
0452 3DFD05  cmp ax,05FD
0455 7305  jnb 045C
0457 xx xx xx xx xx
045C A32002  mov [0220],ax
045F 93  xchg bx,ax
0460 A32802  mov [0228],ax
0463 C745F8010B  mov word ptr [di-08],0B01
0468 C6067603CC  mov byte ptr [0376],CC
046D B90A02  mov cx,020A
0470 BA0400  mov dx,0004
0473 22162C02  and dl,[022C]
0477 D0EA  shr dl,1
0479 D0EA  shr dl,1
047B B80102  mov ax,0201
047E CD13  int 13
0376 CC  int 3  ; goto 03C5
0480 FE062C02  inc byte ptr [022C]
0484 75EA  jne 0470
...
start:
04C6 2E8C06D505  mov cs:[05D5],es
04CB 2E8706D305  xchg cs:[05D3],ax
04D0 8BEC  mov bp,sp
04D2 B9C303  mov cx,03C3
04D5 90  nop
04D6 33DB  xor bx,bx
04D8 024600  add al,[bp]
04DB 12E7  adc ah,bh
04DD 45  inc bp
04DE E2F8  loop 04D8
04E0 8CCE  mov si,cs
04E2 8EDB  mov ds,bx
04E4 FA  cli
04E5 BC2202  mov sp,0222
04E8 59  pop cx
04E9 5A  pop dx
04EA 870F  xchg [bx],cx
04EC 43  inc bx
04ED 43  inc bx
04EE 03D6  add dx,si
04F0 8717  xchg [bx],dx
04F2 52  push dx
04F3 51  push cx
04F4 43  inc bx
04F5 43  inc bx
04F6 83EC04  sub sp,0004
04F9 80FB10  cmp bl,10
04FC 72EA  jb 04E8
04FE CC  int 03  ; goto 0506
04FF 90  nop
0500 E9E6FE  jmp 03E9
0503 xx  db xx  ; void byte
0504 9802  dw 0298
0506 FB  sti
0507 5D  pop bp
0508 07  pop es
0509 5A  pop dx
050A 5F  pop di
050B 8B3D  mov di,[di]
050D 8B4E05  mov cx,[bp+05]
0510 33C7  xor ax,di
0512 33C1  xor ax,cx
0514 D1C0  rol ax,1
0516 263105  xor es:[di],ax
0519 47  inc di
051A E2F4  loop 0510
051C 06  push es
051D 55  push bp
051E CF  iret
051F FB  sti
0520 A5  movsw
0521 A5  movsw
0522 83EE08  sub si,0008
0525 A5  movsw
0526 A5  movsw
0527 8BF3  mov si,bx
0529 33DB  xor bx,bx
052B 5A  pop dx
052C 0316E305  add dx,[05E3]  ; after adding dx = 022C
0530 8BE8  mov bp,ax
0532 8EC0  mov es,ax
0534 3210  xor dl,[bx+si]
0536 D1C2  rol dx,1
0538 26D00F  ror es:byte ptr [bx],1
053B 263017  xor es:[bx],dl
053E FEC3  inc bl
0540 75F2  jne 0534
0542 051000  add ax,0010
0545 E2EB  loop 0532
0547 8BD3  mov dx,bx
0549 380EFC05  cmp [05FC],cl
054D 742B  je 057A
054F 8B0EDF05  mov cx,[05DF]
0553 E312  jcxz 0567
0555 8ED8  mov ds,ax
0557 8BF3  mov si,bx
0559 AD  lodsw
055A 97  xchg di,ax
055B AD  lodsw
055C 03C5  add ax,bp
055E 8EC0  mov es,ax
0560 26012D  add es:[di],bp
0563 E2F4  loop 0559
0565 0E  push cs
0566 1F  pop ds
0567 8B36D905  mov si,[05D9]
056B 03F5  add si,bp
056D 8B1ED705  mov bx,[05D7]
0571 032EDD05  add bp,[05DD]
0575 A1DB05  mov ax,[05DB]
0578 EB1E  jmp 0598
057A 83ED10  sub bp,0010
057D 8EDD  mov ds,bp
057F A10200  mov ax,[0002]
0582 2BC5  sub ax,bp
0584 3D0010  cmp ax,1000
0587 7306  jnb 058F
0589 93  xchg bx,ax
058A B104  mov cl,04
058C D3E3  shl bx,cl
058E 91  xchg cx,ax
058F B80001  mov ax,0100
0592 8BF5  mov si,bp
0594 4B  dec bx
0595 4B  dec bx
0596 890F  mov [bx],cx
0598 07  pop es
0599 268716E505  xchg es:[05E5],dx
059E 268706D305  xchg es:[05D3],ax
05A3 26872ED505  xchg es:[05D5],bp
05A8 8EDD  mov ds,bp
05AA 268B3E2802  mov di,es:[0228]
05AF B98010  mov cx,1080
05B2 F3AB  rep stosw
05B4 BF2C02  mov di,022C
05B7 B9C701  mov cx,01C7
05BA F3AB  rep stosw
05BC 2E8B3E0201  mov di,cs:[0102]
05C1 8EC5  mov es,bp
05C3 33ED  xor bp,bp
05C5 FA  cli
05C6 8ED6  mov ss,si
05C8 8BE3  mov sp,bx
05CA 2E8B360001  mov si,cs:[0100]
05CF 33DB  xor bx,bx
05D1 FB  sti
05D2 EAxxxxxxxx  jmp xxxx:xxxx  ; goto protected program

"xx" and "..." mark code that had not been passed (not traced).

You can crack this protection using Quaid Analyzer. For COM file cracking, you should choose int 0 as the breakpoint and set the breakpoint at 05D2, because this byte is not encoded. But this byte affects the checksum, so you should run the program to 04E0, then put 3D3F in AX, and then set your breakpoint at 05D2. This way may be used for EXE files without a relocation table too. To do it you can choose any breakpoint (e.g. int 60), but before you set it you must put the interrupt number (60) in the byte at 05DB, because this byte will be written by Shield into the byte at 05D3. If you want to crack an EXE file with a relocation table, you should trace int 13 until sector 0.0.11.6 has been read from the key disk, then after the disk reset catch Shield. Replace the command at 0369 with nop's and set some breakpoint (e.g. int 60) at 0374. After this breakpoint go to 051F and the installation code will be before you.

Some notes about Shield 386 by Alex Simkin.
This protection differs from the original Shield in the following code:

0369 368306100202  add ss:word ptr [0210],0002
036F FFE7  jmp di
0371 FC  cld
trace proc
0372 FB  sti
0373 3687062A02  xchg ss:[022A],ax
0378 95  xchg bp,ax
0379 8B46FE  mov ax,[bp-02]
037C 03C5  add ax,bp
037E 314600  xor [bp],ax
0381 D1C0  rol ax,1
0383 314602  xor [bp+02],ax
0386 368B2E1002  mov bp,ss:[0210]
038B 8B46FE  mov ax,[bp-02]
038E 03C5  add ax,bp
0390 314600  xor [bp],ax
0393 D1C0  rol ax,1
0395 314602  xor [bp+02],ax
0398 8B4600  mov ax,[bp]
039B 3CCD  cmp al,CD
039D 95  xchg bp,ax
039E 36892E6F03  mov ss:[036F],bp
03A3 3687062A02  xchg ss:[022A],ax
03A8 74BF  je 0369
03AA CF  iret
trace endp

Such code allows the program to run correctly on an 80386 processor. The other differences are connected with the change of address 0376 into 0371. Besides, the result of the command at 052C (add dx,[05E3]) is 022B. So you can crack this protection in the same way as the original Shield. In the case of an EXE file you must only change the command at 039E, instead of the one at 0369, into nop's.

Igor Sysoev
Red Rat's Hacker Club