 Date: Tue, 2 Jul 91 02:30:35 -0400
 From: NETOPRWA@ncsuvm.ncsu.edu (Wayne Aiken)
 Subject: Larry Rainey's DOS 5.0 patches

 Below, I present sections of code from Microsoft MSDOS 5.00,
 disassembled with DEBUG so that those with versions of DOS other than
 the ones listed above can find the offsets for their COMMAND.COM.

 In most DOS versions, most of the sections of code to be patched
 are unchanged; they are simply shifted in position, so it's just a
 question of locating the correct offsets by searching for strings of
 bytes from the sections of code listed below.  The main trick here is
 to avoid addresses in the code which are likely to be different (most
 absolute addresses will be different while relative addresses may or
 may not be different).  Assuming you're handy with DEBUG or a similar
 debugger and know some 8088 assembly, you should be able to pull it
 off.  If DEBUG's search command is too limited, you might try
 Unassembling the whole COMMAND.COM to a text file and using an editor
 or lister utility to search.

 Here are the sections of code from Microsoft MSDOS 5.00:

 The environment size
 -u 165b
 x:165B 58            POP   AX
 x:165C C706C01E5100  MOV   WORD PTR [1EC0],0051
 x:1662 C706BE1E1000  MOV   WORD PTR [1EBE],0010  <<default envir. size>>
 x:1668 BAD498        MOV   DX,98D4
 x:166B B104          MOV   CL,04
 x:166D D3EA          SHR   DX,CL
 x:166F 8916CE1E      MOV   [1ECE],DX
 x:1673 2BC2          SUB   AX,DX
 x:1675 A39802        MOV   [0298],AX
 x:1678 A12C00        MOV   AX,[002C]

 Just searching for '10 00' should find this one.

 Echo off for AUTOEXEC.BAT
 -u 1a7d
 x:1A7D A15202        MOV   AX,[0252]
 x:1A80 C606A60203    MOV   BYTE PTR [02A6],03   <<Change 03 to 02 for
 x:1A85 C706B5020100  MOV   WORD PTR [02B5],0001   ECHO OFF in
 x:1A8B 8EC0          MOV   ES,AX                  AUTOEXEC.BAT>>
 x:1A8D 33FF          XOR   DI,DI
 x:1A8F B000          MOV   AL,00
 x:1A91 AA            STOSB
 x:1A92 B001          MOV   AL,01
 x:1A94 AA            STOSB
 x:1A95 33C0          XOR   AX,AX
 x:1A97 AA            STOSB
 x:1A98 AB            STOSW
 x:1A99 AB            STOSW
 x:1A9A AA            STOSB
 x:1A9B AB            STOSW
 x:1A9C AB            STOSW

 Searching for '03 C7 06' works or 'AA AB AB AA' should find this.

 Echo off for other batch files
 -u 2ace
 x:2ACE 26            ES:
 x:2ACF A0A602        MOV   AL,[02A6]
 x:2AD2 2401          AND   AL,01        <<change 01 to 00 for ECHO OFF
 x:2AD4 50            PUSH  AX              in regular bat files>>
 x:2AD5 33C0          XOR   AX,AX
 x:2AD7 26            ES:
 x:2AD8 F7065202FFFF  TEST  WORD PTR [0252],FFFF
 x:2ADE 7414          JZ    2AF4
 x:2AE0 26            ES:
 x:2AE1 A15202        MOV   AX,[0252]
 x:2AE4 26            ES:
 x:2AE5 803EB80201    CMP   BYTE PTR [02B8],01
 x:2AEA 7408          JZ    2AF4
 x:2AEC 06            PUSH  ES
 x:2AED 8EC0          MOV   ES,AX

 Look for '24 01 50 33 C0'.

 Larry Rainey  6/11/91

 Recapped in easy keyin format:

 DEBUG COMMAND.COM
 -E 1666 20     <<was 10>>
 -E 1A84 02     <<was 03>>
 -E 2AD3 00     <<was 01>>
 -W
 -Q

 will make echo off the default and set your environment to 512 (x'20').

 Wayne Aiken             netoprwa@ncsuvm.bitnet         "You can BE what
 PO Box 30904            netoprwa@ncsuvm.cc.ncsu.edu     you WON'T!!"
 Raleigh, NC  27622      slack@ncsu.edu                   --"Bob"
 (919) 782-8171          StarFleet BBS: (919) 782-3095
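
 The offset hunt described in the message, as an added example that is not part of the original post: each patch site is found by a byte signature copied from the listings, with the absolute-address bytes wildcarded, and a patch is applied only when the signature matches exactly once. The choice of wildcard positions, the function names and the sample image are assumptions made for this example.

```python
import re

# (name, signature, index of the byte to change, new value). "??" marks address
# bytes that may differ between DOS versions; the rest comes from the listings.
PATCHES = [
    ("environment size", "C7 06 ?? ?? 10 00 BA ?? ?? B1 04 D3 EA", 4, 0x20),
    ("AUTOEXEC echo off", "C6 06 ?? ?? 03 C7 06 ?? ?? 01 00 8E C0 33 FF", 4, 0x02),
    ("batch echo off", "24 01 50 33 C0", 1, 0x00),
]

def find_unique(image, sig):
    """File offset of the single place sig matches; ValueError otherwise."""
    body = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                    for t in sig.split())
    # Lookahead so that overlapping candidates are counted too.
    hits = [m.start() for m in re.finditer(b"(?=" + body + b")", image, re.DOTALL)]
    if len(hits) != 1:
        raise ValueError(f"{sig!r}: {len(hits)} matches, need exactly 1")
    return hits[0]

def patch_image(image):
    """Return (patched copy, [(name, DEBUG address)]); the input is not modified."""
    out, report = bytearray(image), []
    for name, sig, index, new in PATCHES:
        off = find_unique(image, sig) + index
        out[off] = new
        # DEBUG loads a .COM file at offset 100h: address = file offset + 100h.
        report.append((name, off + 0x100))
    return bytes(out), report

def sample_image():
    """Constructed image: the page's byte runs at shifted offsets in NOP filler."""
    env = bytes.fromhex("58C706C01E5100C706BE1E1000BAD498B104D3EA8916CE1E")
    auto = bytes.fromhex("A15202C606A60203C706B50201008EC033FFB000AA")
    bat = bytes.fromhex("26A0A602240150" "33C026F7065202FFFF")
    return b"\x90" * 0x40 + env + b"\x90" * 0x30 + auto + b"\x90" * 0x20 + bat

if __name__ == "__main__":
    patched, report = patch_image(sample_image())
    for name, addr in report:
        print(f"{name}: byte to change is at DEBUG address {addr:04X}")
```

 Because each signature includes the original byte value, running it against an already patched or unrecognised COMMAND.COM raises an error instead of writing anything.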