-----------------------------------------------------------------------------
+                                                                           +
+  AAAAA  AAAAA  AAAAA  AAAAA  A      AAAAA  A   A  A  AAAAA  AAAAA  AAAAA  +
+  A   A  A        A    A   A  A      A   A  A   A  A  A        A    A   A  +
+  AAAAA  AAAAA    A    AAAAA  A      AAAAA  A   A  A  AAAAA    A    AAAAA  +
+  A   A      A    A    A   A  A      A   A   A A   A      A    A    A   A  +
+  A   A  AAAAA    A    A   A  AAAAA  A   A    A    A  AAAAA    A    A   A  +
+                                                                           +
-----------------------------------------------------------------------------
+  Date   : 7. Sept 2000                                                    +
+  Title  : LICENSING PERFECT DISK 2000 FROM DEMO VERSION                   +
+  Source : http://www.AstaLaVista.com                                      +
+  Writer : FoolFox                                                         +
-----------------------------------------------------------------------------
--- [ INTRO ] ---------------------------------------------

Title : Perfect Disk 2000 - License Key
Type of Crack   : Registry Licence
Autor : FoolFox 
OS : M$ Windows 2000

--- [DETAILS] ---------------------------------------------

Software : Raxco PerfectDisk 2000  
URL             : http://www.raxco.com
Version : 3.0.024 - English
OS : Windows2000 (MS)
Autor : Raxco Software, Inc.
Editor : Raxco Software, Inc.


--- [TOOLS USED] ------------------------------------------

W32Dasm (Debugger/Disasembler)
Hexpert (Hex editor)
Regedit.exe (Registry editor)


--- [HANDS ON] --------------------------------------------


Defragmentation of Hard Drive is certainly a task you HAVE
to acomplish sometimes if you don't want to see your latest
baby swaming more and more heavily as time pass...

So, even if Windows 2000 give you a little defragmentation
tool within his system utilities (NT does not... :->), a GOOD
defragmentation tool is still a good co-worker for all users.

Raxco software offer you a little tools of few Mo, that can
make, as THEY say, more than others products, (extract of 
their web page : Engineered for unprecedented performance 
and reliability, Exclusive! Patented Smart Placement for 
disk optimization!, bla bla bla....) and better.

I have to say that if defragmentation of hard drives is a
non-complex operation, still need a big reliabilty and a
good thinking during developement phase, a bad bug can be
really dramatic for data that lies on your HD. So I was a
bit surprised when I saw on the web page (this was on the 
french version, english page differ, and I didn't go back
to check if they have changed that) :

Supported Platforms :

Processors :

INTEL, ALPHA AXP-Windows 95, Windows 98,
Windows 98SE, Windows NT4, Windows 2000

OS :
Windows NT 4.x from service pack 'SP5' 

Totally compliant Windows 2000


In my mind, classify windows95, 98, 98se, NT4 and Windows
2000 in the category "Processors" show a monster lack of
knowledge. Well, I guess that it was not developers that
write this down. And personaly, I'm waiting at least from
a software (but maybe I'm asking for too much..) that work
on a Windows 2000 "processor", that he is "compliant"

Enough of that. Anyway, if Raxco software give us a nice
software, it still have a 30-days limitation. Let's see
if Raxco Software are as good in protection than marketing
advisories.. (may I say : pseudo-technical ?)

Starting the application throw out a window showing following
informations :


License type : Demo

License options : Defragmenting
  Smart placement
  Scheduling

System type : Workstation

Days left : 30 Days


We'll directly start by playing with the Windows Date. Just to see
how the protection react. Double-clic on the time in the tray bar.
Push time by 26 hours. 26 hours cause license start probably the
first time we run the program, but probably take care only of the
round value of the time. ( so, 26 hours = 24 hours (1 day) + a 
little security margin..). Running again PerfectDisk :


License type : Demo

License options : Defragmenting
  Smart placement
  Scheduling

System type : Workstation

Days left : 29 Days


Well. Apparently, they use a Windows function to retrieve the actual
time. ( A much efficient way and as easy would have been to seek
the last modification of a system file (daily touch), a more efficient
way and a much more elegant way to do that is to retrieve the date
from the BIOS (imagine the numbers of shutdown/restart you'll have
to deal with if you want to play with date in such a case..). So now,
we change the date to go 40 days after the installation date. Running
again the target result of :


License type : Expired Demo

License options : Defragmenting

System type : Workstation


Less options :->>. Getting our system back to the actual date, running
another time :


License type : Demo

License options : Defragmenting
  Smart placement
  Scheduling

System type : Workstation

Days left : 30 jours


Excellent (from a cracker point of view. From a security point of
view, this is a pity). A protection that didn't see that his previous
execution was expired prove a low-level control of the date....that
is GOOD for us....

Before analysis the main executable, we'll have a look on what is
written in the registry about Raxco. Of course, there is all the
classical entries, but one more is added :


[HKEY_LOCAL_MACHINE\SOFTWARE\Raxco\PerfectDisk\3.0]
"LogSettings"=hex:01,00,00,00,01,00,00,00,27,43,3a,5c,....
"Password"=hex:d4,1d,8c,d9,8f,00,b2,04,e9,80,09,98,ec,...
"ProductId"="3.0"
"Build"=dword:00000018
"License Key"=hex:c6,45,45,60,1e,84,0c,31,47,51,88,38,...
"Display"=hex:00,00,ff,00,ff,ff,00,00,ff,00,00,00,c0,...


Paticuliary interesting point is (guess why..):


"License Key"=hex:c6,45,45,60,1e,84,0c,31,47,51,88,38,cc,
40,4c,da,f1,40,ea,51,db,2f,96,e1


It seems thay buying the software using Internet will lead you
to receive a registry key that replace the one we have, and
most probably this key is enough to unlock the software.

Notice that at this time, we've used NO tools, we've made no
reverse engineering, just stuffing around and we know already
so much on the target...

Time now to goes on our favourite disassembler (W32Dasm) and 
load the main executable of our target (PerfectDisk.exe).

At this time, there is many way to proceed. Personaly, I'll have
a close look to that "License Key" that will probably de-activate
all protection mechanism if we can lead the program to think
that is has got a GOOD key. But we can also track messages given
by the first windows, or playing with the date...

So, we make a little search with W32Dasm on the term "software"
(this term is contained in the registry key that contain the
license.)

First result :


* Possible StringData Ref from Data Obj ->"The license key entered is 
either "
                                        ->"invalid or expired.  Please 
enter "
                                        ->"another key or contact Raxco 
Software "
                                        ->"to obtain a valid license key."



And we can found, few line before :


* Reference To: PDCommon.?DecodeKey@CLicense@@QAEHVCString@@000@Z, 
Ord:00A3h
                                  |
:00412E8B FF15D0FD4400            Call dword ptr [0044FDD0]
:00412E91 85C0                    test eax, eax
:00412E93 752D                    jne 00412EC2
:00412E95 6A00                    push 00000000
:00412E97 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"The license key entered is 
either "
                                        ->"invalid or expired.  Please 
enter "
                                        ->"another key or contact Raxco 
Software "
                                        ->"to obtain a valid license key."



Call to a function of the libray PDCommon.dll (this library is installed
by the software) that is sweetly named : 
DecodeKey@CLicense@@QAEHVCString@@000@Z.
DecodeKey. I imagine that I've no need to explain anyone out there what
could be this function...

Few lines below, we found :


* Reference To: PDCommon.?GetCurrentVersion@CLicense@@QAEKXZ, Ord:00BDh
                                  |
:00412ED0 FF15D4FD4400            Call dword ptr [0044FDD4]
:00412ED6 3BF0                    cmp esi, eax
:00412ED8 742D                    je 00412F07
:00412EDA 6A00                    push 00000000
:00412EDC 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"The license key entered is 
either "
                                        ->"invalid or expired.  Please 
enter "
                                        ->"another key or contact Raxco 
Software "
                                        ->"to obtain a valid license key."
                                  |

and if we continue the search, we'll found :


* Possible StringData Ref from Data Obj ->"Software\Raxco\PerfectDisk\3.0
\"
                                  |
:00413D75 6874364600              push 00463674

* Reference To: MFC42u.MFC42u:NoName0282, Ord:021Ah
                                  |
:00413D7A E8D13F0300              Call 00447D50
:00413D7F 8945C8                  mov dword ptr [ebp-38], eax



* Possible StringData Ref from Data Obj ->"Software\Raxco\PerfectDisk\3.0
\"
                                  |
:00413E22 68C4364600              push 004636C4

* Reference To: MFC42u.MFC42u:NoName0282, Ord:021Ah
                                  |
:00413E27 E8243F0300              Call 00447D50



* Possible StringData Ref from Data Obj ->"Software\Raxco\PerfectDisk\3.0
\"
                                  |
:0041F1AD 6868544600              push 00465468

* Reference To: MFC42u.MFC42u:NoName0282, Ord:021Ah
                                  |
:0041F1B2 E8998B0200              Call 00447D50
:0041F1B7 8945C0                  mov dword ptr [ebp-40], eax
:0041F1BA 8D4DD0                  lea ecx, dword ptr [ebp-30]



* Possible StringData Ref from Data Obj -
>"Software\Microsoft\Windows\CurrentVersion\App "
                                    ->"Paths\PerfectDisk.exe"
                                  |
:0041F2EF 689C554600              push 0046559C
:0041F2F4 8D4DCC                  lea ecx, dword ptr [ebp-34]

* Reference To: MFC42u.MFC42u:NoName0266, Ord:035Dh
                                  |
:0041F2F7 E8F4890200              Call 00447CF0
:0041F2FC 51                      push ecx



* Possible StringData Ref from Data Obj -
>"Software\Microsoft\Windows\CurrentVersion\App "
                                        ->"Paths\PerfectDisk.exe"
                                  |
:0041F4D6 6838574600              push 00465738
:0041F4DB 8D4DCC                  lea ecx, dword ptr [ebp-34]

* Reference To: MFC42u.MFC42u:NoName0266, Ord:035Dh
                                  |
:0041F4DE E80D880200              Call 00447CF0



* Possible StringData Ref from Data Obj -
>"Software\Microsoft\Windows\CurrentVersion\App "
                                        ->"Paths\PerfectDisk.exe"
                                  |
:004471BC 68508E4600              push 00468E50
:004471C1 8D4DB0                  lea ecx, dword ptr [ebp-50]

* Reference To: MFC42u.MFC42u:NoName0266, Ord:035Dh
                                  |
:004471C4 E8270B0000              Call 00447CF0
:004471C9 51                      push ecx



A LOT of results. Damn. Examination of the two first tests give
us (lame and quick examination) :


Call dword ptr [0044FDD0] Call function DecodeKey
test eax, eax test
jne 00412EC2 jump if test ok
...show message
00412EC2
...
Call dword ptr [0044FDD4] Call fonction GetCurrentVersion
cmp esi, eax compare
je 00412F07 jump if test ok
...show message


Before going more far away, we'll give a try to a simple test : just
modify the two jumps to see if it's enough to deprotect the software.
I can already say that this would probably not work (there is a test 
on the date that we have NOT found with our search), but if few minutes
are enough to check, it's worth the try. So with a Hexeditor, modify
following instructions :


:00412E93 752D                    jne 00412EC2

:00412ED8 742D                    je 00412F07


by :


:00412E93 742D                    je 00412EC2

:00412ED8 752D                    jne 00412F07


Ran the software, no results.

It could be interesting to take a closer look at this library, wich
could be the origin of the protection. We load the file PDCommon.dll
and we seek for the term "license" on the list of exported functions,
wich result of about 20 functions that contain this word :


 Addr:1000CB40 Ord:  15 (000Fh) Name: ??0CLicense@@QAE@XZ
 Addr:1000CC00 Ord:  51 (0033h) Name: ??1CLicense@@UAE@XZ
 Addr:1001CB90 Ord:  91 (005Bh) Name: ??_7CLicense@@6B@
 Addr:1000DA20 Ord: 131 (0083h) Name: ?ComputeChkSum@CLicense@@AAEEK@Z
 Addr:1000D7F0 Ord: 133 (0085h) Name: ?ComputeNumDaysLeft@CLicense@@QAEHXZ
 Addr:1000CA80 Ord: 153 (0099h) Name: ?
CreateObject@CLicense@@SGPAVCObject@@XZ
 Addr:1000CFE0 Ord: 164 (00A4h) Name: ?
DecodeKey@CLicense@@QAEHVCString@@000@Z
 Addr:1000D9A0 Ord: 165 (00A5h) Name: ?Decrypt@CLicense@@AAEXAAK0@Z
 Addr:1000D930 Ord: 176 (00B0h) Name: ?Encrypt@CLicense@@AAEXAAK0@Z
 Addr:1000CE00 Ord: 180 (00B4h) Name: ?
GenerateKey@CLicense@@QAEXKKGAAVCString@@000@Z
 Addr:1000D860 Ord: 190 (00BEh) Name: ?GetCurrentVersion@CLicense@@QAEKXZ
 Addr:1000D660 Ord: 193 (00C1h) Name: ?GetDemoDays@CLicense@@QAEKXZ
 Addr:1000D640 Ord: 216 (00D8h) Name: ?GetInstallDate@CLicense@@QAE?
AU_FILETIME@@XZ
 Addr:1000CAF0 Ord: 287 (011Fh) Name: ?
GetRuntimeClass@CLicense@@UBEPAUCRuntimeClass@@XZ
 Addr:1000DAD0 Ord: 327 (0147h) Name: ?
InsertChkSumToFlags@CLicense@@AAEKXZ
 Addr:1000D3C0 Ord: 339 (0153h) Name: ?IsDemo@CLicense@@QAEHXZ
 Addr:1000D3F0 Ord: 340 (0154h) Name: ?IsDemoExpired@CLicense@@QAEHXZ
 Addr:1000D3D0 Ord: 341 (0155h) Name: ?IsDemoExtend@CLicense@@QAEHXZ
 Addr:1000D3E0 Ord: 345 (0159h) Name: ?IsFull@CLicense@@QAEHXZ
 Addr:1000D670 Ord: 352 (0160h) Name: ?
IsNormalDemo@CLicense@@QAEHVCString@@000@Z
 Addr:1000D400 Ord: 360 (0168h) Name: ?Load@CLicense@@QAEHXZ
 Addr:1000D2E0 Ord: 364 (016Ch) Name: ?
LoadLicenseRegistryVer@CLicense@@QAEXXZ
 Addr:1000D520 Ord: 401 (0191h) Name: ?Save@CLicense@@QAEHXZ
 Addr:1000CC10 Ord: 416 (01A0h) Name: ?
Serialize@CLicense@@UAEXAAVCArchive@@@Z
 Addr:1000D870 Ord: 461 (01CDh) Name: ?
SetInstallDate@CLicense@@QAEXVCTime@@@Z
 Addr:1000D370 Ord: 466 (01D2h) Name: ?SetLicenseRegistry@CLicense@@QAEXXZ
 Addr:1000DA10 Ord: 532 (0214h) Name: ?Shift@CLicense@@AAEEKH@Z
 Addr:1000DA60 Ord: 550 (0226h) Name: ?VerifyChkSum@CLicense@@AAEHXZ
 Addr:1000CAE0 Ord: 567 (0237h) Name: ?
_GetBaseClass@CLicense@@KGPAUCRuntimeClass@@XZ
 Addr:10029328 Ord: 583 (0247h) Name: ?
classCLicense@CLicense@@2UCRuntimeClass@@A


Apparently, we've a complete product in hands (DLL can check the license
to determine if it's a "demo", a "normaldemo" (they release abnormal 
demo ?)
or a "full"). We find here functions to crypt/decrypt license, and inside
those functions there is one paticuliary attractive... 


 Name: ?GenerateKey@CLicense@@QAEXKKGAAVCString@@000@Z


A license generator ? Go and see what it looks like :


Exported fn(): ?GenerateKey@CLicense@@QAEXKKGAAVCString@@000@Z - Ord:00B4h
:1000CE00 6AFF                    push FFFFFFFF
:1000CE02 6810A60110              push 1001A610
:1000CE07 64A100000000            mov eax, dword ptr fs:[00000000]
:1000CE0D 50                      push eax
:1000CE0E 64892500000000          mov dword ptr fs:[00000000], esp
:1000CE15 83EC10                  sub esp, 00000010
:1000CE18 53                      push ebx
:1000CE19 56                      push esi
:1000CE1A 8BF1                    mov esi, ecx
:1000CE1C 8D4C2410                lea ecx, dword ptr [esp+10]

* Reference To: MFC42u.MFC42u:NoName0085, Ord:021Ch
                                  |
:1000CE20 E869BE0000              Call 10018C8E
:1000CE25 8D4C240C                lea ecx, dword ptr [esp+0C]
...


Function is quit long, but first two lines could be the start of
an official license key, to which are appended supplemental infos.
And IF validity test goes only on the first caracters of the license,
we could always try to modify the registry key.. (I did not include
that part of the code in this paper (it's quit long..), but if you
look at the PerfectDisk.exe dead listing at the level of the first two 
tests we've found when researching "software", you'll see that the 
pointer used by the license check retrieve values at the beginning
of the key).

So, we start the registry editor (regedit.exe) and in the key
[HKEY_LOCAL_MACHINE\SOFTWARE\Raxco\PerfectDisk\3.0], we replace
the 8 first caracters of the LicenseKey value (c64545601e840c31)
by FFFFFFFF1001A610 and we ran again the software. 

Windows that popped-up previously didn't show, and we're directly
in the main software. Clic on Help menu, then View License, and
we find :


License type : Permanent

License options : Defragmenting
  Smart placement
  Scheduling

System type : Workstation


Moving again the system date by few months, and it's still functionning.
So, to unlock the software and use it beyond the 30-days limit, install
the demo version, copy following lines ( between --8<- ) in a file
(named crack.reg for example), and the execute the file :


---8<---8<---( file crack.reg )-----8<-----8<-----8<-----8<-----8<-----8<
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Raxco\PerfectDisk\3.0]
"License 
Key"=hex:ff,ff,ff,ff,10,01,a6,10,47,51,88,38,cc,40,4c,da,f1,40,ea,51,\
  db,2f,96,e1
---8<---8<---( EOF crack.reg)-8<-----8<-----8<-----8<-----8<-----8<----8<


ATTENTION : This software have been tested and unprotected on Windows 
2000.
If you ran this file on Windows 95/98/NT, it's possible that the chain
"Windows Registry Editor Version 5.00" cause you some troubles. If it's 
the
case, launch Regedit.exe on your computer, select any key of the root 
([HKEY_LOCAL_MACHINE] for example), export the key in a file, open the 
file
with notepad and replace the first line of the CRACK.REG file by the
first line of your file.


FoolFox


Award
AWARD
AWARD SW
AWARD?SW
AWARD_PS
AWARD_PW
AWARD_SW
j256
j262
J256
J262
J64
q_l27&z
ALFAROME
BIOSTAR
BIOSSTAR

AMI-BIOS:
ami
AMI
AMI_SW
AMI?SW
AMI?PW
A.M.I.
oder 
PASSWORD

Phoenix-BIOS:
BIOS
CMOS
phoenix
PHOENIX

generell:
aLLy
awkward
BIOSTAR
CONDO
HLT
lkwpeter
LKWPETER
SER
setup
SKY_FOX
Sxyz
Syxz
SZYX
Wodj

-------------------------------------------------------------------------------

Ermitteln des Passworts aus dem Arbeitsspeicher

Dieser Schritt setzt voraus, dass der Computer bereits erfolgreich zum Laufen
gebracht wurde. Hat man dann freien Zugriff auf ihn laesst sich das gesetzte
oder ein anderes funktionierendes Passwort mit Hilfe einiger kleiner Programme
ermitteln. Leider funktioniert nicht jedes Programm fuer jeden BIOS. Es gibt
z. T. auch erhebliche (Sicherheits-)Unterschiede zwischen den einzelnen BIOS-
Versionen eines Herstellers. Es lohnt sich auf jeden Fall, wenn es nicht
gleich klappt, alle hier angebotenen Programme fuer den entsprechenden BIOS-
Hersteller auszuprobieren.

Alle Programme sind fuer DOS.

"!BIOS" ist das mit grossem Abstand beste Programm zum Knacken bzw. Loeschen
des BIOS-Passworts, das ich kenne. Es unterstuetzt eine Vielzahl von verschie-
denen BIOS-Typen und verfuegt auch ueber eine gute Dokumentation. Die aktuelle
Version ist die folgende, die sogar den Award-BIOS v4.6 unterstuetzt:

Name: !BIOS 3.20b (build: 200000209)
Autor: Eleventh Alliance / Bluefish (<bluefish@swipnet.se> /
 <http://www.11a.nu/>)
Datum: 09.02.2000
geeignet fuer: Award v4.5x und v4.6, AMI, IBM (PS2, Aptiva etc.) BIOS (nach
 eigenen Angaben)
Download: <http://www.brandtcomputer.de/SuddenDeath/Dateien/Bios.zip>, ge-
 packt (ZIP): 44.392 Bytes, entpackt: 45.584 Bytes

Ausserdem gibt es noch:

Name: AMIDECOD
Autor: Danny Soft / Daniel Minder
Datum: 07.11.1993
geeignet fuer: Ami BIOS
Besonderheit: Als einziges hier genanntes Programm in deutsch.
Download: <http://www.brandtcomputer.de/SuddenDeath/Dateien/Amidecod.zip>, ge-
 packt (ZIP): 2.106 Bytes, entpackt: 2.599 Bytes

Name: Award Modular BiOS crack tool
Autor: The Immortal
Datum: 14.11.1996
geeignet fuer: Award BIOS v4.50PG (nach eigenen Angaben)
Besonderheit: Das Passwort wird nicht angezeigt, sondern kann vielmehr (de)ak-
 tiviert werden (sowohl "Supervisor"- als auch "User"-Passwort). Ausserdem
 kann die Passwortabfrage auf "Setup" bzw. "System" gestellt und der aktuelle
 Sicherheitsstatus des BIOS angezeigt werden. Dem Programm liegen eine
 "Readme"-Datei und der Source-Code (Assembler, ASM) bei.
Download: <http://www.brandtcomputer.de/SuddenDeath/Dateien/Awcrack.zip>, ge-
packt (ZIP): 4.523 Bytes, entpackt: 14.126 Bytes

Name: CrackAmiBios 1.1
Datum: 23.08.1994
geeignet fuer: AMI BIOS
Besonderheit: Dem Programm liegt der Source-Code (Assembler, DEBUG) bei.
Download: <http://www.brandtcomputer.de/SuddenDeath/Dateien/Ami.zip>, gepackt
 (ZIP): 555 Bytes, entpackt: 508 Bytes

Name: Password
Autor: Oren Levy - Dynamic L.T.D.
Datum: 16.04.1994
Download: <http://www.brandtcomputer.de/SuddenDeath/Dateien/Bioshack.zip>, ge-
 packt (ZIP): 2.582 Bytes, entpackt: 2.460 Bytes

Name: Password (C)alculator for AWARD BIOS 4.22
Autor: FalCoN 'N' AleX
Datum: 12.10.1994
geeignet fuer: Award BIOS v4.22 (nach eigenen Angaben)
Download: <http://www.brandtcomputer.de/SuddenDeath/Dateien/Aw.zip>, gepackt
 (ZIP): 1.881 Bytes, entpackt: 1.771 Bytes

-------------------------------------------------------------------------------

Softwaremaessiges Loeschen des CMOS

Wenn kein Programm das Passwort herausfinden kann, bleibt keine andere Wahl
als das Loeschen des CMOS, in dem das Passwort und alle weiteren BIOS-Einstel-
lungen gespeichert sind. Damit gehen zwar ein paar Systemeinstellungen verlo-
ren, aber auch das Passwort wird zurueckgesetzt. Dabei hilft die folgende
Software:

Name: KiLLCMOS32 v1.0
Autor: John Hale Jr.
Datum: 29.09.1996
geeignet fuer: alle BIOS-Arten (nach eigenen Angaben)
Download: <http://www.brandtcomputer.de/SuddenDeath/Dateien/Killcmos.zip>, ge-
 packt (ZIP): 31.247 Bytes, entpackt: 97.819 Bytes

Sie setzt eine ungueltigen Wert in das CMOS und bewirkt so, dass alle dort ge-
speicherten Daten (einschl. Passwort) neu eingegeben werden muessen. Bedingung
ist aber wieder, dass der Computer laeuft und man freien Zugriff hat.

Das gleiche soll man "von Hand" auch dadurch bewirken koennen, dass man unter
DOS oder im DOS-Fenster unter Windows 95 QBasic startet, die folgenden zwei
Zeilen eingibt und das Programm ausfuehrt. (Quelle: Opultys Website)

10 OUT &H70,17
20 OUT &H71,0

Details zum CMOS-Zugriff inkl. einer "CMOS Memory Map" findest Du unter
<http://www.11a.nu/FILES/!BIOS/ALPHA/cmos.lst>.

-------------------------------------------------------------------------------

Hardwaremaessiges Loeschen des CMOS

Dies ist wohl der radikalste Schritt. Er erfordert den freien Zugriff auf das
Computergehaeuse und beinhaltet den Verlust aller veraenderten BIOS-Einstel-
lungen.

Wie genau es geht, steht im Mainboard-Handbuch ("clearing the CMOS"). Meist
muss man einfach eine Verbindung kurzschliessen. Aber: Vorsicht - Stecker zie-
hen!
