This worked like a charm. What tools did you use to examine/crack it? For easier stuff I can get by with debug; is that you what used?
soft-ice 2.80 For all DOS debugging, I don't think it can be beat. I'm also really used to working with it, since I've been playing with it for a decade or more. I use it at work all the time too, since I still get to write DOS based software to test out some custom hardware we're working on occasionally.
I still use debug too, but it's tougher to do breakpoints with it, and the ability to view/edit/scroll through memory and code in s-ice make it a really powerful tool.
1) all I did was boot to a clean DOS disk (soft-ice and himem.sys don't get along well)
2) loaded soft-ice
3) ran "ldr write.exe" - this ldr program comes with soft-ice and lets you load a program and it then pops you into s-ice at the first instruction of that program.
4) typed "bpint 13" in the command window - this sets a breakpoint at any int 13 call.
5) exit back out of s-ice (ctrl-S) to let it run. it immediately popped me back into s-ice right on top of the copy protection, because it was trying to read some magic sector off the disk. All I had to do then is examine what it was trying to do, and see what flags it may set during the check. In this case, it sets AX=0 or 1 depending on if the protection passes or not.
6) trace through the ret from the protection and note the call after the return,
7) exit the program and restart it. this time stop at that calling address-now you're at the top of the protection routine.
8) trace into the call, and now change the code there to "mov ax,1", "ret"
9) hex edit the actual executable and test it out.
I think I've just overstepped the AUP for the board here. sorry.