

              HOW TO UNPROTECT BASIC PROGRAMS
              by Guy Gordon, White Crane Systems



               By  now, practically everyone knows how to un-protect IBM-PC
          BASIC programs that were saved  with  the  P  option.   A  simple
          POKE  1124,0  and  bingo--you can list the program, save it, edit
          it--do everything you could before it was protected.   Well  last
          week  I  ran  into a protected BASIC program for the Victor 9000.
          Curious, I tried the above trick.  

               Surprise!  Microsoft's on  to  us!   In  MS-BASIC  5.27  you
          cannot  do  PEEKs,  POKEs,  or  anything else that might give you
          a glimpse of the source code while  a  protected  program  is  in
          memory.  The program can do them--but you can't.  
                       program                  you         

               Is  this a sign of things to come?  Will all those thousands
          of PC'ers out there soon be unable to snoop around in each others
          source  code?   Probably  not.   On the PC, and also the XT under
          PC-DOS 2.0, IBM just doesn't seem too interested in copy  protec-
          tion,  much less in such simple schemes as the P option in BASIC.

               This still  leaves  everyone  running  PC  compatibles  with
          the problem of un-protecting their BASIC programs.  As succinctly
          as possible, here's how to do it:

               MSBASIC             ; enter Basic
               LOAD "FILE"         ; load the protected program
               SYSTEM              ; exit to MS-DOS
               DEBUG FILE.BAS      ; enter Debug
               E 6B02 FF           ; flag the program left by Basic
               N FILE.UNP          ; Name an output file
               W 6B02              ; Write out the unprotected program
                         *The number 6B02 is machine dependent.

               Now just what did we do?   Well--when  a  BASIC  program  is
                             did                                           
          loaded  into  memory  it  is stored in a form called "tokenized".
          Each of the BASIC keywords (PRINT, FOR, etc.)  (What?  You  never
          heard  of  the  ETC  command?)  is  stored as a two byte "token".
          Your variable names, comments,  and  literals  ("anything  inside
          quotes")  are  stored  just  as  you entered them.  Line numbers,
          constants, and pointers to  other  lines  are  stored  as  binary
          numbers.   That  is  why  a BASIC program looks so funny when you
          try to TYPE it without having saved it in ASCII  mode.   For  MS-
          BASIC  5.27  operating  under MS-DOS 1.25a on a Victor 9000, this
          program is stored in memory at  6B03  bytes  above  DEBUG.   (For
          other computers you must determine this address--read on.)

               When  you  save a program, BASIC merely copies this internal
          program to a file, preceeded by an FF byte.  The  FF  is  a  flag
          telling  BASIC,  when  it  loads the file, that this is a normal,
          tokenized program.  But if you save the program with the P option
          BASIC  first  writes  an  FE byte, and then an enciphered copy of
          the program.  When loading the file,  BASIC  finds  the  FE  flag
          as  the  first  byte  and knows to decipher the program, and also
          not to let you LIST it, PEEK or  POKE  at  it,  EDIT  the  lines,
          or  any  of  a number of things that might let you see the source
          code.  Never-the-less, there is an unprotected copy of  the  pro-
          gram in memory.  


               When  you  exit  to  the  operating  system, that program is
          still in memory where BASIC left  it.   Since  DEBUG  is  smaller
          than  BASIC,  you  can  enter  DEBUG and examine the program.  In
          fact, you can enter the FF byte  in  front  of  the  program  and
          write  the whole thing out to a file.  By entering DEBUG FILE.BAS
          you automatically start with the length of the program (FILE.BAS)
          in  the CX register.  You can view this value with the R command.
          Just out of curiosity, we can also look at the protected  program
          with  D 100, and at the unprotected version with D 6B02.  (Really
          the only reason for  loading  FILE.BAS  with  the  DEBUG  command
          is  to save me the trouble of calculating the size of the program
          in hexadecimal and loading it into the CX register.)  If FILE.BAS
          were so large that it overlapped the unprotected version, (great-
          er than 6A00h, or about 27K) then we would have  to  enter  DEBUG
          without  loading  FILE.BAS, and load the CX register by hand with
          the R CX command.  

               Now suppose you're not running  MS-DOS  1.25a  on  a  Victor
          9000.   How can you find the beginning of BASIC's program storage
          area?  Quite simple.  Just write a very  small  program--for  ex-
                                             very                          
          ample:

               10 'Force corps inns heaven beers aglow, hour forefingers
               20 'foundered upon this condiment a ruination
               30 'con sieve din libber tea and dead a clay Ted
               40 'tooth a proper swish in that Allman are creative sequels
               50 Etc              ' See!
               SAVE "FORSCORN"          ; save this momentous program
               SYSTEM                   ; and exit BASIC
               DEBUG FORSCORN.BAS       ; Enter DEBUG and
               D 100                    ;  let's see what it looks like.

          0473:0100 FF DD 0A 0A 00 3A 8F DB 46 6F 72 63 65 20 63 6F
                                                  .]...:.[Force       corps

               S 200 FFFF 'Force corps' ; search for our program
               0473:6B0A                ; and there it is.
               D 6B00

          0473:6B00 00 00 00 DD 0A 0A 00 3A 8F DB 46 6F 72 63 72 63
                                                  ...]...:.[Force 

               E 6B02 FF                ; just to convince yourself 
               N FORSCORN.UNP           ;  that it works, try it
               W 6B02                   ;  on this one.

               That's all there is to it.   Just  remember  that  DEBUG  is
          one  of  the  most  powerful  tools you have under MS-DOS.  Those
          of you who have not yet taken the time to learn  how  to  use  it
          should  read  "dangerous"  for  "powerful" in the above sentence.
          When trying this trick for the first time be sure to copy  BASIC,
          DEBUG,  and  the protected program onto a blank diskette and work
          from there.  At least once you will forget to  name  a  different
          output file and will write out over your original program.




