Thread title: Cracking and copy-protection removal tutorials (English) from the best Russian crackers and ...

  1. #1
    Morteza_SOS (Professional)
    Join date: Apr 2006
    Posts: 577

    Cracking and copy-protection removal tutorials (English) from the best Russian crackers and ...

    In the name of God
    Hi. Today I intend to post for you the best articles of the (underground) kind that are passed around among professional crackers. How they reached us is another story.


    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    The first article, from SaintMan FoO, is about CD locks ...

    This is my fourth tutor on cracking, my second on CD protections, but this tutor explains 4 different ways to crack a CD. I have made a home page since the last time you heard from me. The address is
    Code:
    [link hidden: log in or register to view]
    If that did not work, try
    Code:
    [link hidden: log in or register to view]
    For all the new crackers (newbies in the beginning) who have read my other tutor and asked for help: I am so sorry for not answering your mails, but as I said in the tutors I was going on a trip, so when I came back and checked my e-mail I had almost 200 mails and 150 were from crackers, so as you can see I did not feel like answering them all. This time I am not going anywhere for a long time, so feel free to send me mails for help and tell me what you thought about my tutor. DO NOT send me programs or files. Tell me the name of the game/program that you want to crack and I will see what I can do. Remember, I only write these tutors because I got a lot of e-mail giving me credit for them; hope that I get a mail from YOU too!!!
    My e-mail is [link hidden: log in or register to view]; if I do not answer on that one then try [link hidden: log in or register to view].

    Notes:

    Bad English: I am Danish and I do not check my spelling errors; I don't have the time!!
    Tools: SoftIce? Nope, not in this tutor, but it is the best tool. You will need WinDasm (any version) and Hiew (any version). Find the tools on my page
    Code:
    [link hidden: log in or register to view]
    in the tools section.
    Level: easy if you have read my other tutors; find them on my page.


    FOUR TRICKS ON CD-PROTECTIONS


    Opportunity NR. 1

    You know the error message you got when you tried to play the game without the CD in it.
    So you disassemble the game's exe file or com file. Click on the Strn.Ref next to print.
    Find the error message, or one that says anything like "error on CD data", anything.
    Double click on it. You are now in the CD check routine. What we will have to do is to
    eliminate this routine so that it does not check if the CD is in the drive. (Or so that it
    does not check the size of the CD; then you can put in any CD.) The best thing that you can do is
    to find a call over the error message (in windasm of course); double click on it and it should
    turn green; if not, do not use that one, find another above that call; if you can not find one then a
    jmp might work. You have found the jmp or call. Type down the offset without the h. Get out
    of windasm and start hiew.

    IN HIEW!!!

    Open the exe file or com file. Press F4 and then decode. Press F5 and type in the offset and push enter.
    As I wrote in my last tutors, every two numbers mean one byte. So go ahead and nop.
    When you are finished press F9 for update and F10 for exit. Run the exe file; it should
    work now!! If not then read on!


    Opportunity NR. 2

    Do the same as before, but this time do not nop it; instead type b8010000000. This way the game thinks that the CD is in the drive every time you want to run it.
    Note: this will only work if the number you had to nop before was 5 bytes long.
    Did it work??
    If not then shit on the fucking CD. Please do not, but go to opportunity NR. 3

    Opportunity NR. 3

    Find a jne or a jn command over the message. Get its offset NR.
    Open hiew. Open the exe file (com). F4 - decode. F5 - type in the offset NR.
    And change a…

    75 (jne) to 74 (je), a
    85 (jne) to 84 (je), a
    74 (je) to 75 (jne) or a
    84 (je) to 85 (jne).
    It worked!!! If not, do as before: read on!!

    Opportunity NR. 4

    OK, goto WDASM and search for a line like "getdrivetypea".
    Look around, do u see a call? And a cmp (compare) with a 0005?? (example)
    00005 stands for CD-Drive
    00003 stands for Hard-Drive
    hehe, got it?? Yes, we will change the 00005 to 00003! Just edit the
    line cmp00005 and change it to cmp00003.



    These are some assembly codes.

    ASM     WHAT DOES IT MEAN
    ---------------------------
    jne     jump if not equal
    je      jump if equal
    jmp     jump directly to
    nop     no operation
    ja      jump if above
    jna     jump if not above
    jae     jump if above or equal
    jnae    jump if not above or equal
    jb      jump if below
    jnb     jump if not below
    jbe     jump if below or equal
    jnbe    jump if not below or equal
    jg      jump if greater
    jng     jump if not greater
    jge     jump if greater or equal
    jnge    jump if not greater or equal
    jl      jump if less
    jnl     jump if not less
    jle     jump if less or equal
    jnle    jump if not less or equal



    Code:
    [link hidden: log in or register to view]
    or
    Code:
    [link hidden: log in or register to view]
    There might be some server problems.

    THIS TUTOR WAS MADE IN ONE HOUR!! WORK WELL


  2. #2
    Morteza_SOS (Professional)
    Join date: Apr 2006
    Posts: 577

    Disclaimer:
    This file was written for educational purposes only. I'm not
    responsible for the actions u cause by using the information
    provided herein. YOU are responsible.


    Hi, to all the Newbies reading my first tutorial about cracking.
    ---------------------------------------------------------------------

    A.
    I think you all know what cracking means and surely you've heard about
    such shit words like ASM, SoftIce.... Well, the sense of cracking
    is to kill the shit evaluation limits, nag-screens, serialz,
    CD-testings and so on... OK, my first tutorial is about CD-Cracking.
    If a friend of u has got a game and u want it too, but don't wanna burn
    the CD, and the shit game only runs with the original CD, then you
    can crack this protection and it will work without the shit CD.

    I tried not to let the document grow too much, so it's not explained
    in any details u don't need if u aren't a stupid fool.
    Oh, I also have to say sorry for my bad English.

    OK, here are the progs you need at first:

    W32dsm8.9 -->Disassembler
    Hiew -->Hex-Editor
    I think you won't need SoftIce (debugger) at first; you'll have to
    get some experience with the ASM-Code first, then you'll be able
    to use the ++master-tool++. I'll explain SI in a later tutorial!

    So, you'll also need a game to crack. Use a game with only one
    CD first!

    First of all:
    CD-Cracking means how to crack a game which wanna have the original
    CD in the drive to start.
    There are many different ways of doin' this; here are the most
    recommended ways I know:

    1.
    First of all, install the biggest configuration available and start
    the game without the CD, then you'll get the shit error-msg like,
    couldn't find CD in Drive!! ---- it!
    Well ok, write it down.
    Goto WDASM and edit a copy of the .exe file and disassemble it.
    Now click on STRNG References or something like this and search for the
    error-msg and doubleclick on it. Now you're at the place you have
    to be.

    But at first, let me give ya some knowledge of ASM-codes:

    ASM     WHAT DOES IT MEAN
    ---------------------------
    jne     jump if not equal
    je      jump if equal
    jmp     jump directly to
    nop     no operation
    ja      jump if above
    jna     jump if not above
    jae     jump if above or equal
    jnae    jump if not above or equal
    jb      jump if below
    jnb     jump if not below
    jbe     jump if below or equal
    jnbe    jump if not below or equal
    jg      jump if greater
    jng     jump if not greater
    jge     jump if greater or equal
    jnge    jump if not greater or equal
    jl      jump if less
    jnl     jump if not less
    jle     jump if less or equal
    jnle    jump if not less or equal

    OK! Got it?
    Well, now search for a call right over the message; it ain't the
    one directly over the msg every time, but most times it is; if not,
    try the next, till it works.
    We're now going to nop (no operation) it. Place the bar on it and note
    the offset number without the h.
    Now start your Hiew and open the original exe. Press F4 and then
    on decode and you'll get the ASM-Code. Press F5 and enter the
    number. Press F3 to edit the file.
    Remember that every 2 numbers are one byte! --> f80h74 These would be 3 bytes.

    0000000000 <--- this number would be 5 bytes. Just change the number into
    9090909090 <--- nop the call. Don't panic if the line jumps down after you
    pressed 90; just continue entering four more 90's.
    Now press F9 and F10 to save and exit Hiew.
    Run the prog and enjoy the game! If it has not worked, try the next pos.

    2.
    Sometimes the game knows that you have nopped it. So we'll have to make
    the game believe it has a CD in the drive every time.
    Just do the same as before, but now you don't nop it; you will
    type the following: B8010000000 <-- For a 5-byte long call.
    What have you done now?? The prog checks eax; if it is 0 it will
    jump to the error-msg, if it is 1 it will jump to the next position.
    It works? No? Then try the next:

    3.
    Just look out for a jne or a jn command over the msg; when you've got it,
    open Hiew, insert the offset number and change it. Change a
    75 (jne) to 74 (je), a
    85 (jne) to 84 (je), a
    74 (je) to 75 (jne) or a
    84 (je) to 85 (jne).
    Now it should work!
    Not? Well then let's try the last possibility. The prog must be fucked up!

    4.
    OK, goto WDASM and search for a line like "getdrivetypea" .
    Look around, do u see a call? and a cmp (compare) with a 0005 ?? (example)
    00005 stands for CD-Drive
    00003 stands for Hard-Drive
    hehe, got it?? Yes, we will change the 00005 to 00003! Just edit the
    line cmp00005 and change it to cmp00003.

    OK, these are the most used ways of cracking CD protections.
    My next tutorial will be about how to crack Serialz and time-limits.

  3. #3
    Morteza_SOS (Professional)
    Join date: Apr 2006
    Posts: 577

    CDROM check protection

    I'm writing you this tutorial to share my first cracking experience with you,
    to reveal cracking from the perspective of a newbie.
    This tut deals with cracking a "CDROM check" type protection, in which the
    program searches for particular data on the original CD. This type of
    protection you'll encounter in many of today's games which are distributed on CD.

    After you complete this tutorial you'll know how to:

    - deal with a DOS4GW program
    - tackle a CD check type protection

    You probably won't know how to crack any CD check protection, but, at least,
    you'll know how to start with it.

    To better follow this tut you'll need:

    - the game "Silent Hunter", a wonderful WW II submarine simulator, a must
    have for the strategy freaks. I worked on a Razor distribution, and I think
    you'll find it on the web. It's a CD ripped version, and it's just what we
    need, with animation files removed.

    - a patch for Silent Hunter, from version 1.0 to version 1.11. You can download
    it from the SSI web site. This version is protected, so it won't work. It must be
    cracked.

    - some tools. I recommend: SoftIce for Win95 (the DOS version is useless with all
    new programs), KGB (the best spy I found, and it comes with source code so you
    can modify it), DOS Navigator (for editing large files, and for much more...)
    and much patience :-)

    Now let's get to work. I'll describe my approach. I'm quite lazy so I always
    try to find the easiest way of doing something. This is how we'll do it:



    1. When you run the program it asks you to put the original CD in the drive. What do
    you do now? Well, I don't know, but my first try is to run a fakeCD utility
    (a little TSR which emulates a CDROM drive on your hard disk).
    Doesn't work.

    2. What next? I'll install KGB.exe and run the game again. This TSR will log some
    DOS INT 21h file access functions to a file. Now sit down and study the log.
    Here is an extract from the log file:

    OpenFile-R : ART\GUI_1.FNT
    OpenFile-R : ART\FONT1.FNT
    OpenFile-R : ART\FONT1.FNT
    OpenFile-R : BUD\10.SMK
    OpenFile-R : BUD\10.SMK
    OpenFile-R : BUD\10.SMK

    As you can see the program tries to open BUD\10.smk and, since it can't find
    it, assumes it doesn't have the right CD in the drive. This is an animation file,
    quite big, probably, which is why it is left out when the program is ripped
    from CD.

    3. As I told you, I want to do it the easy (but the right) way. I don't want
    to step through code. At least not until I have used all other means.
    So I make a file 10.smk, and put some crap in it. Run the program again.
    Doesn't work again! How stupid can I be!

    4. Well, maybe it needs a valid smk file. OK. Let's give it one. I take a smk
    file from another game (smk files are quite standard for animation in games),
    and rename it 10.smk. Run SH again. No change. Still asks for the CD.



    5. Now, I think it's time to do it the hard way. It's time for a little assembler
    and crackin'.
    I modify KGB to log all DOS functions (not only Open, Close, Execute File)
    and dump registers for each function (how cool was the guy who wrote
    the program, because he gave the source code too).
    Launch (Yamato)KGB then run SH.EXE. Then you'll have a trace of all DOS
    functions called by the program.

    6. Now it's time to remember what +ORC has taught us. It's time to use
    his best advice:
    Take a cool Martini Vodka, sit down, and meditate. (I don't use Martini Vodka
    due to reasons I cannot tell you. I drink only mineral water or orange juice.
    But remember! Only pure, sparkling mineral water from the Carpathian mountains
    will do)

    Well, the log looks like this (I'll show you only the AX register here):



    any other file than "10.smk"
    ax=3d00, bx=... open file
    ax=4400, bx=... get device info (why?)
    ax=4201, bx=... seek current
    ax=4202, bx=... seek end (check length?)
    ax=4200, bx=... seek start
    ax=3e05, bx=... close handle
    ax=3d00, bx=... reopen file
    ax=4400, bx=... get device info
    ax=3f00, bx=... read data
    ax=3f00, bx=...
    ax=3e05, bx=... close for good

    the 10.smk file access looks different
    ah=2a wow! this is weird (get current date of system, maybe for a
    future compare?!)
    ax=3d00 ... open
    ax=4400 ... get device info
    ax=4400 ... again (?)
    ax=5700 ... get time stamp (REALLY WEIRD!!!!)

    As you can see, the program checks the time stamp of the original file, and
    probably compares it with a built-in value. This must be the protection.
    But how can we crack it??????
    Well, load the exe in your favourite hex editor (mine is DOS Navigator) and
    search for the string 57,CD,21 (mov ah,57; int 21).
    And, bingo, only one occurrence. Now write down on paper some bytes from
    that address. This will be the signature of our timestamp function.



    6. Now it's time to use our programming experience. As you probably know, today's
    games are written in C/C++ with a few parts in assembler (for optimizing).
    The most used compiler for DOS games is Watcom C/C++. It comes with support
    libraries and a debugger for the DOS4GW extender.
    So. A typical today's game is a program written in C, compiled with Watcom
    and linked with Watcom 32-bit libraries. You can verify this. Just run your
    favourite game and you'll see a message like:
    "Rational DOS4GW Runtime System v1.97...."
    (A little parenthesis: it seems that more and more games are written to work
    in Windows95 with DirectX. Maybe it's easier for the guys who program the game,
    but for us, the users, this is shit. I used to play my favourite DOS game
    with 8 Megs of RAM, a 486 DX2 66 processor, and it works very well. It loads
    in a few seconds. But now, to play a game I must have a Pentium processor,
    16 Megs of RAM, and tweak my Win95, and just to load the game I need 40 seconds.
    And why all this? Because Micro$oft wants to sell its fat operating systems,
    Intel to sell its processors. But we don't want that. Who cares?
    This stinks! >:-P . Sorry, but I'm pissed)
    Well, back to cracking. A DOS program with a DOS extender (like DOS4GW) consists
    of 3 parts:
    - an initialisation code, which puts the processor in protected mode
    - the main program (written by the programmer; this is the most important part)
    - some exit code which puts the processor back in real mode.

    Parts 1 and 3 usually don't interest us, but we have to find a method to
    skip them when stepping through the program, and find the real entry point, in
    the main() function (that main() from the C language)



    Now remember what +ORC taught us in lesson 6.1:
    "...search for INT 21, AH=4c. It should be after the call to the main function".
    All right! Let's search! But ... :-( , what a disappointment;
    too many INTs 21,4c.
    I've got to find another method to reach the main function ('cause I'm lazy)

    Let's search for the string "WATCOM"... and... toward the end of the file
    I find "Watcom c/c++32 runtime system". Great, this must be the runtime
    library, linked with the main program. And just before this string is an
    "EB 76" relative jump. Search again for "int 21, ah=4c" from here. ONE
    occurrence. Yeah. This must be the int21 +ORC talked about. But what if I am wrong?
    Check another DOS4GW program (Warcraft2 for example). Same "watcom c/c++32"
    string and same EB 76. Great.

    Try to replace EB 76 with CD 03 (int 3) and run the program. SoftIce pops up
    (assuming you set I3HERE on) and finally you're in protected mode code.
    Put back EB 74, and see what happens.
    The prog reads the environment, the command line and then calls main().



    7. Search for the signature you wrote on paper: "57 CD 21...". Found.
    BPX on the entry point of the routine (you'll find the entry point by looking up
    in the code till you encounter some PUSH instructions or ENTER.
    Here you'll find both)
    When the BPX is toggled, fetch the calling address from the stack.
    In SH, at the calling address you find:

    E84D030A00 call get_time_stamp

    Now find the entry point of this routine too and BPX on the entry point.
    The call to the protection routine looks like this:

    E8760B0000 call protection

    Then sit down, take a cool mineral water (remember, only sparkling
    mineral water from the Carpathians will do :-) ) and watch the program running.

    After some observation you'll notice that the protection routine is called
    only for the "10.smk" file. Till then, no call.
    So, if the call isn't made, there's a chance the protection will be removed.
    Well, let's try to deactivate the call protection instruction, and see if
    it works.
    Replace E8760B0000 with 5033C05890 i.e.

    push eax
    xor eax,eax
    pop eax
    nop

    As +ORC told us, always try to avoid using too many NOPs! Newer protection
    schemes smell NOP patches. Here we used only one NOP. And maybe there is a
    solution with no nop. But I dunno all the opcodes.

    8. Now there's a good chance that the program checks for the CD several times, not
    just once. If this is the case, our disable trick won't work. To see if
    this is the case, set a breakpoint on the memory range over the two routines,
    to see if there is some access to them across the game.
    And, incredibly, there is no other access.

    The game runs smoothly, never checks the file on CD, and the player is happy.

    9. Here is the complete code for the protection routine. It's pretty well explained:



    000857A2: C9 leave
    000857A3: 5E pop edx
    000857A5: 59 pop ecx
    000857A6: 5B pop ebx
    000857A7: C3 retn
    ...
    00086151: 53 push ebx ; entry point
    00086152: 51 push ecx
    00086153: 52 push edx
    00086154: 56 push esi
    00086155: C8480000 enter 0048,00
    00086159: 31F6 xor esi,esi
    0008615B: 85F6 test esi,esi
    0008615D: 0F853FF6FFFF jnz 000857A2 ;if esi not 0 goto leave...
    00086163: 6A0A push 0A
    00086165: 68543A0100 push 000013A54
    0008616A: 6875010000 push 000000175
    0008616F: 68B48C0200 push 000028CB4
    00086174: E885000A00 call 001261FE
    00086179: 83C410 add esp,010
    0008617C: 6800020000 push 000000200
    00086181: 68B48C0200 push 000028CB4
    00086186: BE01000000 mov esi,000000001
    0008618B: E815010A00 call 001262A5 ;try to open 10.smk
    00086190: 83C408 add esp,008
    00086193: 89C3 mov ebx,eax ;eax=handle of opened file
    00086195: 83F8FF cmp eax,-001 ;or -1 if file not found
    00086198: 7504 jne 0008619E ;jmp if opened OK
    0008619A: 31F6 xor esi,esi
    0008619C: EB1F jmps 000861BD
    0008619E: 8D55B8 lea edx,[ebp][-0048]
    000861A1: E84D030A00 call 001264F3 ;GET TIME STAMP
    000861A6: 83F8FF cmp eax,-001
    000861A9: 7409 je 000861B4
    000861AB: 817DCEA4D60301 cmp dword [ebp][-0032],00103D6A4 ;!!!!compare timestamp
    000861B2: 7402 je 000861B6
    000861B4: 31F6 xor esi,esi
    000861B6: 89D8 mov eax,ebx
    000861B8: E824040A00 call 001265E1 ;close handle
    000861BD: 85F6 test esi,esi
    000861BF: 759A jne 0008615B
    000861C1: 687E010000 push 00000017E
    000861C6: B985010000 mov ecx,000000185
    000861CB: BB88010000 mov ebx,000000188
    000861D0: BA9E010000 mov edx,00000019E
    000861D5: B8C0010000 mov eax,0000001C0
    000861DA: E8278F0300 call 000BF106 ;put nag screen
    000861DF: 83F8FE cmp eax,-002 ;eax = user input (retry,cancel)
    000861E2: 0F8573FFFFFF jne 0008615B ;if retry goto ^ test esi,esi
    000861E8: 31D2 xor edx,edx
    000861EA: 31C0 xor eax,eax
    000861EC: E8C7590200 call 000ABBB8
    000861F1: E965FFFFFF jmp 0008615B ;goto ^test esi,esi and leave
    000861F6: 0000 add [eax],al ;never reach this address???
    000861F8: C3 retn



    Well, that's all. So I cracked my first program. Now, when I'm looking back it seems
    easy, but it took me one week of full work to crack it. And it was a simple call.
    I wonder, if there were multiple CD checks across the game, how long would it have taken?
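Post #3 above warns that "newer protection schemes smell NOP patches", and posts #1 and #2 describe three byte-level edits (a call replaced by NOPs, a call replaced by mov eax,1, and a flipped jne/je). The added example below, which is not from the original posts or their authors, shows the detection side of that: a code region is compared against its known-good copy by hash, each run of changed bytes is named using the opcode table from the posts, and long NOP runs are flagged. The reference bytes are a constructed stand-in for a CD-check routine, not any game's real code.

```python
import hashlib

# Condition codes of the short conditional jumps 70-7F, in opcode order; the
# near forms 0F 80-8F use the same codes in the same order. Intel's aliases
# (jz/je, jnz/jne, jc/jb, jnc/jnb, ...) are listed under the names the posts use.
JCC_MNEMONICS = ["jo", "jno", "jb", "jnb", "je", "jne", "jbe", "jnbe",
                 "js", "jns", "jp", "jnp", "jl", "jnl", "jle", "jnle"]


def describe(code: bytes) -> str:
    """Name the instruction at the start of `code` (only the forms the posts edit)."""
    if not code:
        return "<end of region>"
    op = code[0]
    if 0x70 <= op <= 0x7F:
        return f"{JCC_MNEMONICS[op - 0x70]} rel8"
    if op == 0x0F and len(code) >= 2 and 0x80 <= code[1] <= 0x8F:
        return f"{JCC_MNEMONICS[code[1] - 0x80]} rel32"
    if op == 0xEB:
        return "jmp rel8"
    if op == 0xE9:
        return "jmp rel32"
    if op == 0xE8:
        return "call rel32"
    if op == 0x90:
        return "nop"
    if op == 0xB8 and len(code) >= 5:
        return f"mov eax, {int.from_bytes(code[1:5], 'little'):#x}"
    return f"opcode {op:#04x}"


def nop_run_length(code: bytes, offset: int) -> int:
    """Number of consecutive 0x90 bytes starting at `offset`."""
    n = 0
    while offset + n < len(code) and code[offset + n] == 0x90:
        n += 1
    return n


def find_nop_runs(code: bytes, min_len: int = 5):
    """(offset, length) of every NOP run at least `min_len` long: the 'smell' of a
    nopped 5-byte call. Heuristic only; compilers also emit NOP padding for alignment."""
    runs, i = [], 0
    while i < len(code):
        n = nop_run_length(code, i)
        if n >= min_len:
            runs.append((i, n))
        i += max(n, 1)
    return runs


def audit_routine(reference: bytes, current: bytes):
    """Compare a code region with its known-good copy.

    Returns (intact, findings): `intact` is the SHA-256 verdict, `findings` lists
    each run of changed bytes with its offset, length, what the reference had
    there, what the patched bytes decode to, and the NOP run starting there.
    """
    intact = hashlib.sha256(reference).digest() == hashlib.sha256(current).digest()
    if intact:
        return True, []
    if len(reference) != len(current):
        return False, [{"offset": 0, "length": abs(len(reference) - len(current)),
                        "was": "<region length changed>", "now": "<region length changed>",
                        "nop_run": 0}]
    findings, i = [], 0
    while i < len(reference):
        if reference[i] == current[i]:
            i += 1
            continue
        j = i
        while j < len(reference) and reference[j] != current[j]:
            j += 1
        findings.append({"offset": i, "length": j - i,
                         "was": describe(reference[i:]), "now": describe(current[i:]),
                         "nop_run": nop_run_length(current, i)})
        i = j
    return False, findings


# Constructed reference region, shaped like the CD-check code in the posts:
#   E8 4D 03 0A 00   call <get_time_stamp>
#   83 F8 FF         cmp  eax, -1
#   75 04            jne  +4
#   31 F6            xor  esi, esi
#   EB 1F            jmp  +0x1F
REFERENCE = bytes.fromhex("E84D030A00" "83F8FF" "7504" "31F6" "EB1F")

# The three edits the posts describe, applied to the constructed region.
NOPPED_CALL = bytes.fromhex("9090909090" "83F8FF" "7504" "31F6" "EB1F")
MOV_EAX_1 = bytes.fromhex("B801000000" "83F8FF" "7504" "31F6" "EB1F")
FLIPPED_JNE = bytes.fromhex("E84D030A00" "83F8FF" "7404" "31F6" "EB1F")

if __name__ == "__main__":
    for name, patched in [("nopped call", NOPPED_CALL), ("mov eax,1", MOV_EAX_1),
                          ("jne->je", FLIPPED_JNE)]:
        intact, findings = audit_routine(REFERENCE, patched)
        print(name, "intact" if intact else "TAMPERED", findings)
    print("nop runs:", find_nop_runs(NOPPED_CALL))
```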

  4. #4
    Morteza_SOS (Professional)
    Join date: Apr 2006
    Posts: 577

    Reversing the CD Lock protection


    Introduction:

    CD Lock is a CD-ROM protection that can't be copied when you duplicate
    a CD. It's used by a lot of games; for the purpose of this tutorial I tried
    Dark Project: La Guilde des Voleurs (French version of Thief: Dark Project)

    I decided to write this tutorial for Fusion Cracker Team, because time is
    a precious element in cracking.


    How to recognize CD Lock:


    Look at your CD-ROM and if you can see 4 .afp files (size >600Mo) then
    CD Lock has hit again! On
    Code:
    [link hidden: log in or register to view]
    you can find some tips to burn
    a perfect copy of your original with CD Lock protection. But if you have
    a poor CD writer like me (yamaha cdr401t ide suxx) and if the CD Lock protection
    is added to the Overtime protection then you need to reverse CD Lock to
    make your new CD master (without unnecessary stuff such as DirectX, demos...)

    This target has only CD Lock protection without Overtime protection. Forgive
    me if I'm not clear or if my English is bad, but I'm a poor froggie ;o)

    A) Learn:


    We know the CD Lock protection looks at all .afp files (>600Mo), so we must search for
    this call. To do this, launch your w32dasm:

    1) Seek and Destroy all .afp


    * Referenced by a CALL at Addresses:
    |:0050D80E , :0050DA6F , :0050DA8E
    |
    :00526100 8A442404 mov al, byte ptr [esp+04]
    :00526104 53 push ebx
    :00526105 56 push esi
    :00526106 57 push edi

    * Possible StringData Ref from Data Obj ->"rb"
    |
    :00526107 6838056100 push 00610538

    * Possible StringData Ref from Data Obj ->"d:\KXEP.AFP"
    |
    :0052610C 6878046100 push 00610478
    :00526111 A278046100 mov byte ptr [00610478], al -> cdletter:\file.afp
    :00526116 A288046100 mov byte ptr [00610488], al -> ""
    :0052611B A298046100 mov byte ptr [00610498], al -> ""
    :00526120 A2A8046100 mov byte ptr [006104A8], al -> ""
    :00526125 E886550700 call 0059B6B0
    :0052612A 8BF0 mov esi, eax
    :0052612C 83C408 add esp, 00000008
    :0052612F 85F6 test esi, esi
    :00526131 7504 jne 00526137
    :00526133 33FF xor edi, edi
    :00526135 EB2C jmp 00526163

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00526131(C)
    |
    :00526137 6A00 push 00000000
    :00526139 6800508229 push 29825000
    :0052613E 56 push esi
    :0052613F E8CC710700 call 0059D310
    :00526144 83C40C add esp, 0000000C
    :00526147 56 push esi
    :00526148 E8F35F0700 call 0059C140
    :0052614D 83C404 add esp, 00000004
    :00526150 33C9 xor ecx, ecx
    :00526152 83F834 cmp eax, 00000034
    :00526155 0F94C1 sete cl
    :00526158 56 push esi
    :00526159 8BF9 mov edi, ecx
    :0052615B E890530700 call 0059B4F0
    :00526160 83C404 add esp, 00000004

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00526135(U)
    |
    :00526163 33DB xor ebx, ebx

    * Possible StringData Ref from Data Obj ->"rb"
    |
    :00526165 683C056100 push 0061053C
    :0052616A 85FF test edi, edi

    * Possible StringData Ref from Data Obj ->"d:\KZXP.AFP"
    |
    :0052616C 6888046100 push 00610488
    :00526171 0F95C3 setne bl
    :00526174 E837550700 call 0059B6B0
    :00526179 8BF0 mov esi, eax
    :0052617B 83C408 add esp, 00000008
    :0052617E 85F6 test esi, esi
    :00526180 7504 jne 00526186
    :00526182 33FF xor edi, edi
    :00526184 EB2C jmp 005261B2

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00526180(C)
    |
    :00526186 6A00 push 00000000
    :00526188 6800E88229 push 2982E800
    :0052618D 56 push esi
    :0052618E E87D710700 call 0059D310
    :00526193 83C40C add esp, 0000000C
    :00526196 56 push esi
    :00526197 E8A45F0700 call 0059C140
    :0052619C 83C404 add esp, 00000004
    :0052619F 33D2 xor edx, edx
    :005261A1 83F857 cmp eax, 00000057
    :005261A4 0F94C2 sete dl
    :005261A7 56 push esi
    :005261A8 8BFA mov edi, edx
    :005261AA E841530700 call 0059B4F0
    :005261AF 83C404 add esp, 00000004

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00526184(U)
    |
    :005261B2 85DB test ebx, ebx
    :005261B4 740B je 005261C1
    :005261B6 85FF test edi, edi
    :005261B8 7407 je 005261C1
    :005261BA BB01000000 mov ebx, 00000001
    :005261BF EB02 jmp 005261C3

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:005261B4(C), :005261B8(C)
    |
    :005261C1 33DB xor ebx, ebx

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:005261BF(U)
    |

    * Possible StringData Ref from Data Obj ->"rb"
    |
    :005261C3 6840056100 push 00610540

    * Possible StringData Ref from Data Obj ->"d:\TFJB.AFP"
    |
    :005261C8 6898046100 push 00610498
    :005261CD E8DE540700 call 0059B6B0
    :005261D2 8BF0 mov esi, eax
    :005261D4 83C408 add esp, 00000008
    :005261D7 85F6 test esi, esi
    :005261D9 7504 jne 005261DF
    :005261DB 33FF xor edi, edi
    :005261DD EB2C jmp 0052620B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:005261D9(C)
    |
    :005261DF 6A00 push 00000000
    :005261E1 6800F88329 push 2983F800
    :005261E6 56 push esi
    :005261E7 E824710700 call 0059D310
    :005261EC 83C40C add esp, 0000000C
    :005261EF 56 push esi
    :005261F0 E84B5F0700 call 0059C140
    :005261F5 83C404 add esp, 00000004
    :005261F8 33C9 xor ecx, ecx
    :005261FA 83F835 cmp eax, 00000035
    :005261FD 0F94C1 sete cl
    :00526200 56 push esi
    :00526201 8BF9 mov edi, ecx
    :00526203 E8E8520700 call 0059B4F0
    :00526208 83C404 add esp, 00000004

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:005261DD(U)
    |
    :0052620B 85DB test ebx, ebx
    :0052620D 740B je 0052621A
    :0052620F 85FF test edi, edi
    :00526211 7407 je 0052621A
    :00526213 BB01000000 mov ebx, 00000001
    :00526218 EB02 jmp 0052621C

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0052620D(C), :00526211(C)
    |
    :0052621A 33DB xor ebx, ebx

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00526218(U)
    |

    * Possible StringData Ref from Data Obj ->"rb"
    |
    :0052621C 6844056100 push 00610544

    * Possible StringData Ref from Data Obj ->"d:\IGYQ.AFP"
    |
    :00526221 68A8046100 push 006104A8
    :00526226 E885540700 call 0059B6B0
    :0052622B 8BF0 mov esi, eax
    :0052622D 83C408 add esp, 00000008
    :00526230 85F6 test esi, esi
    :00526232 7504 jne 00526238
    :00526234 33FF xor edi, edi
    :00526236 EB2C jmp 00526264

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00526232(C)
    |
    :00526238 6A00 push 00000000
    :0052623A 6800688129 push 29816800
    :0052623F 56 push esi
    :00526240 E8CB700700 call 0059D310
    :00526245 83C40C add esp, 0000000C
    :00526248 56 push esi
    :00526249 E8F25E0700 call 0059C140
    :0052624E 83C404 add esp, 00000004
    :00526251 33D2 xor edx, edx
    :00526253 83F874 cmp eax, 00000074
    :00526256 0F94C2 sete dl
    :00526259 56 push esi
    :0052625A 8BFA mov edi, edx
    :0052625C E88F520700 call 0059B4F0
    :00526261 83C404 add esp, 00000004

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00526236(U)
    |
    :00526264 85DB test ebx, ebx
    :00526266 740D je 00526275
    :00526268 85FF test edi, edi
    :0052626A 7409 je 00526275
    :0052626C B801000000 mov eax, 00000001
    :00526271 5F pop edi
    :00526272 5E pop esi
    :00526273 5B pop ebx
    :00526274 C3 ret



    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:00526266(C), :0052626A(C)
    |
    :00526275 5F pop edi
    :00526276 5E pop esi
    :00526277 33C0 xor eax, eax
    :00526279 5B pop ebx
    :0052627A C3 ret


    2) First Observation:


    With this small use of the CD Lock protection, you can crack
    this soft with 2 nops:

    :00526264 85DB test ebx, ebx
    :00526266 740D je 00526275 -> Nop
    :00526268 85FF test edi, edi
    :0052626A 7409 je 00526275 -> Nop
    :0052626C B801000000 mov eax, 00000001

    But this simple method doesn't work with all games and you haven't
    reversed the CD Lock protection. So we forget this error and we
    check the TRUE CD Lock protection scheme.


    3) The True CD Lock:


    To check the .afp, a CD Lock scheme uses these functions:

    :00526125 E886550700 call 0059B6B0 ->> file.afp
    :0052612A 8BF0 mov esi, eax ->> exists ?
    :0052612C 83C408 add esp, 00000008
    :0052612F 85F6 test esi, esi
    :00526131 7504 jne 00526137 ->> if it is
    :00526133 33FF xor edi, edi
    :00526135 EB2C jmp 00526163

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00526131(C)
    |
    :00526137 6A00 push 00000000
    :00526139 6800508229 push 29825000 ->> !!!!!!!
    :0052613E 56 push esi
    :0052613F E8CC710700 call 0059D310 ->> SetFilePointer
    :00526144 83C40C add esp, 0000000C
    :00526147 56 push esi
    :00526148 E8F35F0700 call 0059C140 ->> ReadFile
    :0052614D 83C404 add esp, 00000004
    :00526150 33C9 xor ecx, ecx
    :00526152 83F834 cmp eax, 00000034 ->> CMP !!!


    As you can see, the verification scheme is very simple. It checks
    whether file.afp exists, loads one byte into a buffer, and compares
    this little piece of information with a simple CMP instruction.


    B) Destroy Cd Lock:

    We must create 4 .afp files containing the byte asked for by the protection.

    - KXEP.AFP BYTE 34
    - KZXP.AFP BYTE 57
    - TFJB.AFP BYTE 35
    - IGYQ.AFP BYTE 74

    If you try to launch your game after this simple change, you'll see a bad
    message box appear on your screen. Why? It's simple: the system begins to
    read from a file pointer, and as it points at the wrong place, the ReadFile
    function returns -1. So, if you want it to see your "one BYTE", you must change
    the file pointer. To do this:

    :00526137 6A00 push 00000000
    :00526139 6800508229 push 29825000 ->> Offset !!!!
    :0052613E 56 push esi
    :0052613F E8CC710700 call 0059D310 ->> SetFilePointer

    Change push 29825000 to PUSH 00000000 (hex: 68 00 00 00 00).

    Don't forget to change this file pointer in every file.afp verification.


    C) Final Words:

    This CD Lock is very simple, but Eidos (a principal CD Lock user) adds
    some CD checks, audio track verification, encrypted .afp verification...
    So please check your crack before spreading it!!

    A few games with CD Lock protection:
    Gangsters: hard (multiple verifications + encrypted CD check + $$$.$$$$...)
    Tomb Raider 3: Normal
    Dark Project (Thief): easy
    Commando: easy

    Special greets to my great friend lgb M0rT3zA=SOS, Wolf, Web Toaster
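
    An added example (editor's, not part of the post above): the .afp check emulated in C so the two situations the post describes can be run side by side. `afp_check` does what the listing does (open the file, move the file pointer to the pushed immediate, read one byte, compare it with the CMP immediate); `cdlock_run` writes the four one-byte files named in the post, checks them all at a given offset and removes them again. The file names and byte values are the post's; stdio calls stand in for SetFilePointer/ReadFile, one offset is applied to all four files, and the assumption is that a seek past end-of-file succeeds while the following one-byte read returns 0 bytes, which is what both POSIX and Win32 do.

```c
#include <stdio.h>
#include <stddef.h>

/* File names and expected bytes from the post. In the listing the immediate
 * pushed before SetFilePointer differs per file (0x29825000 is paired with the
 * CMP against 0x34, 0x29816800 with the CMP against 0x74); here one offset is
 * applied to all four so the unpatched and patched cases compare directly. */
struct afp_entry {
    const char *name;
    unsigned char expected;   /* immediate operand of the CMP after ReadFile */
};

static const struct afp_entry AFP_TABLE[] = {
    { "KXEP.AFP", 0x34 },
    { "KZXP.AFP", 0x57 },
    { "TFJB.AFP", 0x35 },
    { "IGYQ.AFP", 0x74 },
};
#define AFP_COUNT (sizeof AFP_TABLE / sizeof AFP_TABLE[0])

/* Create a one-byte .afp file, as the post instructs. Returns 1 on success. */
int write_afp(const char *path, unsigned char value)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return 0;
    int written = (fputc(value, f) != EOF);
    return (fclose(f) == 0) && written;
}

/* Emulation of the protection: the file must exist, the pointer is moved to
 * `offset`, exactly one byte is read and compared with `expected`.
 * Returns 1 when the check passes, 0 for a missing file, a short read
 * (a read past end-of-file returns 0 bytes, it does not fail) or a mismatch. */
int afp_check(const char *path, long offset, unsigned char expected)
{
    FILE *f = fopen(path, "rb");          /* "file.afp exists?" */
    if (f == NULL)
        return 0;
    unsigned char b = 0;
    size_t got = 0;
    if (fseek(f, offset, SEEK_SET) == 0)  /* SetFilePointer(h, offset, NULL, FILE_BEGIN) */
        got = fread(&b, 1, 1, f);         /* ReadFile of one byte */
    fclose(f);
    return got == 1 && b == expected;     /* cmp eax, 34h / sete dl */
}

/* Writes the four files, checks each one at `offset`, deletes them again and
 * returns how many checks passed (4 means the game would start). */
int cdlock_run(long offset)
{
    int passed = 0;
    for (size_t i = 0; i < AFP_COUNT; i++) {
        if (!write_afp(AFP_TABLE[i].name, AFP_TABLE[i].expected))
            continue;
        passed += afp_check(AFP_TABLE[i].name, offset, AFP_TABLE[i].expected);
        remove(AFP_TABLE[i].name);
    }
    return passed;
}

int main(void)
{
    printf("offset 0x29825000 (as shipped): %d/4 checks pass\n", cdlock_run(0x29825000L));
    printf("offset 0 (push 00000000 patch): %d/4 checks pass\n", cdlock_run(0L));
    return 0;
}
```

    Run it once unpatched and once with offset 0: with 0x29825000 the read lands far past the single byte and every check fails, which is the "bad message box" the post describes; with the push 00000000 patch all four pass.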

  5. #5 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    Intro:
    DOS CD protections are still alive and kicking. I discovered that at a friend's house when he asked me to crack the 3dFX patch for Tomb Raider. Without my "cracking environment" (WinIce, IDA...) I had to crack it with my "bare hands".
    As it turned out, the crack also applies to other TR patches and 3dFX patches.
    Tools needed:
    - KGB, a cool DOS 'file monitor'. Can be found at +fravia's awesome site.
    - FakeCD. I bet you know what this is.
    - A simple ASM compiler. A86.COM (31 kb) will do.
    - Oh, and the patch. Can be found at [link hidden by the forum: log in or register to view].
    The Crack:
    Running TOMB3DFX.EXE prints "Please insert the TombRaider CD" (those sentences you just love to hate...) and exits. We also notice that it's a protected-mode program (DOS4GW). (Good thing we didn't download WinIce; we all know
    how nervous it gets around other protected-mode programs.)
    Fair enough.
    Let's spy on it with KGB. This is what we get:

    OpenFile-R : C:\data\title.phd
    OpenFile-R : D:\data\title.phd
    OpenFile-R : E:\data\title.phd
    OpenFile-R : F:\data\title.phd
    OpenFile-R : G:\data\title.phd
    OpenFile-R : H:\data\title.phd
    OpenFile-R : I:\data\title.phd
    (It goes on till drive Z)

    Hmm, it searches for title.phd... OK, NP, I have it in my TOMB directory, but it's not in the ROOT directory (it searches
    Drive:\Data...), so let's use FakeCD.
    Copy FakeCD.EXE to the TR directory, and run: Fakecd.exe . /l:J
    This way FakeCD will emulate a CD drive as drive J. Any drive (except the real HD) is OK.

    Re-run TR... Still not OK. Let's see why: run KGB, and this is what we get:

    OpenFile-R : C:\data\title.phd
    OpenFile-R : D:\data\title.phd
    OpenFile-R : E:\data\title.phd
    OpenFile-R : F:\data\title.phd
    OpenFile-R : G:\data\title.phd
    OpenFile-R : H:\data\title.phd
    OpenFile-R : I:\data\title.phd
    OpenFile-R : J:\data\title.phd
    OpenFile-W : J:\YNJZOMMI
    CreateFile : J:\YNJZOMMI <-- just like the TR Mystique edition. (See the essay by +Alt-F4 at +Fravia's.)

    This edition can be cracked like the Mystique edition; however, I had something else in mind: a TSR.
    The idea is to make a small program that will nest in memory, hooking the Open_For_Write_Only function; when it "sees"
    that a program is trying to use this function on the faked drive, it will change the FileName parameter (the random file name) to NULL. This way the return value of this function is CAN'T OPEN THE REQUESTED FILE (because it's empty), and
    the program will think it's the CD.

    I tried it, and it worked! Not only on the 3dFX edition, but also the Mystique edition, and probably other 3dFX patches from the 3dfxmania site.

    The basic TSR is below; for a more compatible version (where you enter the drive letter on the command line) please search for PC_T3DFX.ZIP. I didn't put in an uninstall option because I figured whoever has a 3dFX card can spare 100 bytes of his
    memory.

    BTW, if it doesn't work (on other patches), you can always hook the CreateFile function (Int 21h / AH=3Ch) and use the
    same trick (FileName -> NULL).
    * It might work for Windows too (to understand Windows TSRs, read Stone's doc on trainers).
    If and when I find a Windows game with CD protection I'll try this on it, and if successful, I'll update this essay. Should anyone else want to do it, be my guest.
    (May I suggest hooking GetDriveTypeA and returning 5 (CD-ROM) on the faked drive?)

    That's it, I hope you've enjoyed and learned from this.
    If you find other patches / games / programs that this TSR will crack, please drop me a note. (My e-mail is down below.)

    Greetings:
    PC members, +FraVia and all +HCUkers, friends. :-)

    ------ Cut here ------
    ;This is a TSR for Tomb Raider: when the program checks for the CD
    ;it tries to open a random file for write only and, to check further,
    ;it tries to create that random file and delete it; if successful
    ;it tells you that there is no CD.
    ;So what this TSR does is intercept the open-for-write-only request
    ;(INT 21h, function 3Dh, sub-function 01h)
    ;and also compare ds:dx against "J:\"; if equal it puts a 0 at the
    ;beginning of the file name at ds:dx (the random file name), so the open
    ;call returns CAN'T OPEN THE REQUESTED FILE (because the name is empty);
    ;thus the program thinks there is a CD in drive J and runs properly...
    ;Assemble with A86 as a .COM file (A86 assumes org 100h for a .COM).

    start: lea dx,msg ;print msg
    mov ah,9
    int 21h

    mov ax,3521h ;Get address of Int 21h into ES:BX
    int 21h

    mov real_ip,bx ;Save the real values for later use
    mov real_cs,es

    mov ax,2521h ;Hook vector 21h to point to ds:dx
    lea dx,int_21
    int 21h

    lea dx,end_pro+1
    int 27h ;Go TSR from cs:0 till end_pro+1 bytes
    ;--------------------------------------------

    int_21: cmp ax,3d01h ;Check if it's an Open_For_Write_Only function request
    jne return2normal
    ;Here you can add the check for CreateFile (or DeleteFile) if necessary

    push si ;save si

    mov si,dx ;move dx to si in order to use ds:[si] (=ds:[dx])

    cmp byte ptr [si],'J' ;"J" -- the faked drive letter
    jnz c2

    inc si
    cmp byte ptr [si],':' ;":"
    jnz c2

    inc si
    cmp byte ptr [si],'\' ;"\"
    jnz c2

    inc si
    mov byte ptr [si],0 ;put 0 at the beginning of the file's name

    c2: pop si ;restore old value

    return2normal:
    db 0eah ; == far Jmp to the real INT 21h
    real_ip dw 0
    real_cs dw 0

    msg db 'Tomb Raider CD-check TSR installed on drive J:',0dh,0ah,'$' ;message text assumed; the original listing used msg without defining it
    end_pro: ;last byte of the resident part; everything before this label stays in memory

  6. #6 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    YOU ARE STANDING IN AN OPEN FIELD WEST OF A WHITE HOUSE...

    Hello!
    Well, I don't know about you, but I'm a guy who gladly plays
    oldies; I mean old games. Do you remember Zork? You know: "You
    are standing in an open field, ..." then, "open mailbox", etc...
    Oldies are interesting, because:

    First, you must *find* them on the web. Beyond the warez, where you
    can find a few, you can use what we've learned on the Fravia
    site to search for them. Like zork.zip <- This is an easy and ridiculous
    example! :-) Try to find "The Guild of Thieves"... A good one...
    theguildofthieves.zip? No, no... Search better!

    Second, when you've found them, enjoy playing them.
    You can find jewels. Remember "Bard's Tale"? Marvelous to
    play this 8086 game on a Pentium!

    Third, even if found in the warez scene, you're playing for a moment
    when you see something like this: "Please enter the word on the page..."!
    Well, this is where the oldies are very funny to play:
    cracking this old protection scheme. Because they are DOS-based, and sometimes
    very difficult.

    Well, follow me for an easy one, a 1994 DOS game (not so much of an oldie...)
    with two CD-checks, of which the second is interesting;
    interesting because if you are like me, unable to run
    SoftIce DOS due to some video card problems, you'll run this
    game with WindoZ95, using WinIce, but our beloved and young Winnie
    hangs running this oldie!
    Better, IDA Pro 3.7 doesn't reverse it correctly!
    Then, welcome to Sourcer 7, cracked by Frog's Print, somewhere on our
    Fravia website!



    Tools required
    OPEN TOOLBOX...

    Sourcer 7, Frog's Print reversed.
    SoftIce 3.22, proudly bought, proudly reversed or shamefully stolen, regged, on the web.
    X-ray 1.5 by Tom Kihlken, a good old DOS TSR freeware, somewhere on the net.


    Target's URL/FTP
    The target: DOMINUS, a strategy game by US GOLD, 1994. 13.9 MB.
    You can order this old game from US-GOLD, if you like jokes! :-)

    Program History
    None.
    But I'll soon say that its protection will soon be old history...

    Essay

    THE GREAT UNDERGROUND EMPIRE (as Zork itself was called)

    Well, let's say that you've done a good search and found the target,
    the game DOMINUS, 13.9 MB.
    I know, you're in a hurry to play with it. OK, run it.
    Well, an amazing "Please insert the Dominus CD" screen comes in front
    of our honest eyes; sure, we'd like to buy and insert this CD :-)
    but we cannot find it anywhere in any store... it's a DEAD program!

    Then, since on the contrary we can find Winnie on the net, we run it
    nevertheless...

    You want to know how? Did you read the good essay by Animadei on the
    DOS CD checks?

    Well, we use Winnie to do a

    BPINT 2F IF (AH==15)

    Remember? The DOS CD-ROM resident MSCDEX is called with this
    interrupt, 2F, and AH set to 15. We don't care about AL. We just
    want to know where the *first* CD-check that this game does is.

    Run Dom.bat. Winnie stops; good.
    We are in LOADER.EXE, which is in the batch DOM.BAT we've started.

    3AB7:0099 B8 1500 mov ax,1500h
    3AB7:009C CD 2F int 2Fh ; Yes!
    3AB7:009E 89 0E 29CA mov WORD PTR [29CA],cx
    3AB7:00A2 8B C1 mov ax,cx
    3AB7:00A4 07 pop es
    ...
    3AB7:00AC CB retf

    We see an INT 2F called with AX set to 1500. Look at your Interrupt List.
    This is done to know how many CD-ROM drives you've got on your machine.
    Just hit F12 to land in this classic protection scheme, which you can trace
    for pleasure (we land at 350D:0147 after hitting F12):


    350D:0140 59 pop cx
    350D:0141 59 pop cx
    350D:0142 9A 3AB7:008F call 3AB7:008F ; how many CD drives?
    350D:0147 A3 017A mov word ptr 017A,ax
    350D:014A 83 3E 017A 00 cmp word ptr 017A,0 ; no CD drives?
    350D:014F 74 54 je 350D:01A5 ; then jump to "insert CD..."
    350D:0151 1E push ds
    350D:0152 B8 0227 mov ax,227h
    350D:0155 50 push ax
    350D:0156 16 push ss
    350D:0157 8D 46 96 lea ax,[bp-6Ah]
    350D:015A 50 push ax
    350D:015B 9A 3067:41EF call 3067:41EF ; stringcopy "A:\DOMINUS.ZIP"
    350D:0160 83 C4 08 add sp,8
    350D:0163 A0 017A mov al,byte ptr 017A ; the number of your CD drive
    350D:0166 04 41 add al,41h ; change to "XOMINUS.ZIP"
    350D:0168 88 46 96 mov [bp-6Ah],al
    350D:016B 1E push ds
    350D:016C B8 0236 mov ax,236h
    350D:016F 50 push ax
    350D:0170 16 push ss
    350D:0171 8D 46 96 lea ax,[bp-6Ah]
    350D:0174 50 push ax
    350D:0175 9A 3067:2F38 call 3067:2F38 ; open "XOMINUS.ZIP"
    350D:017A 83 C4 08 add sp,8
    350D:017D 89 56 FE mov [bp-02],dx ; Was
    350D:0180 89 46 FC mov [bp-04],ax ; the good file DOMINUS.ZIP
    350D:0183 0B 46 FE or ax,[bp-02] ; on the CD?
    350D:0186 75 2F jnz 350D:01B7 ; ax!=0 then jump to good user!
    .... else, ax==0 and "Insert CD" and no game... how sad...

    Well, it's not too difficult; in fact, it's like the classic
    Win32 GetDriveTypeA we all know when reversing WindoZ applications.

    The program, here LOADER.EXE, first looks for the number of CD drives you've got
    using the MSCDEX interrupts. No matter if you haven't loaded it,
    because WindoZ95 emulates it (at least one thing it can do).
    LOADER.EXE finds your drive; otherwise you'll get the message "Insert CD".
    Then, it copies into memory the string "AOMINUS.ZIP". Uh? Strange?
    Next, it copies the letter of your CD drive, let's say 'X', into this string,
    which becomes "XOMINUS".
    Then, using again some 2F interrupts we'll not describe here because
    it has already been done by Animadei, it just checks whether the file "XOMINUS.ZIP"
    is on your CD drive. How fun!
    If ax!=0, you're a good gamer, since you've bought the right CD.

    Since we are also good crackers ;-), we just change the bytes at 350D:0140 to:

    350D:0140 EB 75 jmp 01B7 ; jmp good user!

    avoiding with this all the boring CD and comparison checks.
    Not our fault, as I said: the right CD isn't in any shop.

    Well, we run the game, see a pretty US-GOLD presentation screen
    (from 1994 of course), and we start a new game.

    I DON'T KNOW THE WORD "SOFTICE"

    Err... we won't play a new game, because SoftIce has hung.
    We can only reboot our machine.
    Reset.
    BIOS check.
    Presentation screen.
    Yes, I say presentation screen because we've got to boot into DOS.
    I'm sure you've got a boot manager, haven't you? hehehe...
    Then, we boot DOS. And we run the game.
    The same as under W95: the PC hangs.

    That is where we're gonna use this sympathetic freeware, X-RAY 1.5, a good
    spy utility. We must know what's going on just before the PC hangs.
    Just use:

    XRAY /J /F

    to tell the program to Jump instead of calling the original
    interrupt address (seems to work better with that), and to
    write a log File on our hard drive, named c:\xray.log.
    Then, run dom.bat. The game hangs when you choose a new game.

    Well, reboot into WindoZ 95. Open XRAY.LOG with your favorite text editor.
    Xray just shows the Interrupt 21 calls. But it's enough. Because if
    you're not tired, you will see at line 5113 the following Int 21:

    34h, GET BUSY FLAG
    30h, GET DOS VERSION
    3Dh, OPEN FILE, F:\DOMINUS.ZIP ;line 5113
    3Fh, READ DEVICE, Handle=5, 0Ah bytes
    3Eh, CLOSE FILE, Handle=5

    Ha ha! Seems like the program searches a second time for its
    favorite file on its favorite CD!

    Mmmm... If you disassemble LOADER.EXE with IDA Pro, all will be great,
    but you'll not see other CD-check references in it.
    Then, the bytes we've changed don't appear any more in this
    executable. It is not this program that checks the CD for the second
    time.
    Who checks? Mmm...
    Just hit control+F in WindoZ95. Search for the string "DOMINUS.ZIP"
    in all of your \DOMINUS directory.
    Haha! It is present in LOADER.EXE, we knew it, and in
    TEMP.EXE.
    But SoftIce hangs, we couldn't trace this second CD check,
    so we run, laughing, IDA Pro 3.7, asking it to reverse
    this ridiculous little TEMP.EXE of 210 KB.

    Argh again! IDA Pro 3.7 doesn't reverse this little
    executable correctly. We see a lot of DB, you know all that.
    Curious. Because IDA recognizes well that this program was compiled with
    Borland C, like the preceding LOADER.EXE, marking sometimes
    some call _fileopen and other call _strcpy. But the rest of the
    listing is pretty much garbage. What happened to you, beloved IDA? ;-)

    You can try to reverse TEMP.EXE with W32Dasm, it does it well,
    but you know how W32Dasm reverses DOS-based applications: we get
    no Data X-Ref at all, and it's not funny at all to follow such a
    dead listing...

    At this point, I was really bored, without my WinIce and IDA,
    frightened at the idea of following a long W32Dasm listing with no
    help at all, lost in these large and dark codewoods for many hours...

    IT'S PITCH DARK

    I began to follow this "Data Xref crippled" listing of TEMP.EXE
    reversed by W32Dasm, and it took me a lot of hours to understand
    very little. It made me think of all these old text adventure games
    we played, when we were lost in giant labyrinths. Darker and darker...

    I thought that reversing was exactly the same thing as playing
    text adventure games. In a lot of places you're obliged to draw a map;
    some of them were very difficult, some were easy, some were fabulous,
    some were boring...
    And like in all this kind of game, comes the point where you're stuck.
    Really stuck. With no way out, no solution...

    Reversing is really like playing a big huge ZORK!

    Because at a given moment, you find the right thing to do, you remember
    the right tool to use, you devise the right sentence to enter.

    LIGHT LAMP

    Well, I remembered a nice piece of software I had left in a dark and sad place
    on my HD, forgetting it since using IDA. It was Sourcer 7, reversed
    by Frog's Print.

    Hope came into my mind. I used version 6.51 of it before passing
    to (welcome) IDA in order to debug DOS applications, and it was already
    a nice one.

    Put TEMP.EXE in your Sourcer directory,
    be sure to have enough low DOS memory left, and just type:

    SR TEMP.EXE

    setting the Passes to 9; the more analysis you get, the better
    the result.

    And yippee! We get a pretty listing, with all the Data Xrefs we want!
    Sorry to have almost forgotten you, Sourcer! Welcome again!

    Because you now just need to search the dead listing TEMP.LST
    for "DOMINUS.ZIP" with your favorite text editor!
    And look, it's here, just in front of your eyes:

    ;Indexed Entry Point

    31A9:00A1 loc_233:
    31A9:00A1 74 2B jz loc_235 ; Jump if zero
    31A9:00A3 04 41 add al,41h ; 'A'
    assume ds:seg_j
    31A9:00A5 A2 01A7 mov byte ptr data_845,al ; (54AC:01A7='A:\DOMINUS.ZIP')
    31A9:00A8 9A 4872:01EA call far ptr sub_593 ; (4872:01EA)
    31A9:00AD B4 3D mov ah,3Dh ; '='
    31A9:00AF B0 00 mov al,0
    31A9:00B1 BA 01A7 mov dx,offset data_845 ; (54AC:01A7='A:\DOMINUS.ZIP')
    31A9:00B4 CD 21 int 21h ; DOS Services ah=function 3Dh
    ; open file, al=mode,name@ds:dx
    31A9:00B6 72 16 jc loc_235 ; Jump if carry Set
    31A9:00B8 8B D8 mov bx,ax
    31A9:00BA B4 3F mov ah,3Fh ; '?'
    31A9:00BC B9 000A mov cx,0Ah
    31A9:00BF BA 01A7 mov dx,offset data_845 ; (54AC:01A7='A:\DOMINUS.ZIP')
    31A9:00C2 CD 21 int 21h ; DOS Services ah=function 3Fh
    ; read file, bx=file handle
    ; cx=bytes to ds:dx buffer
    31A9:00C4 72 08 jc loc_235 ; Jump if carry Set
    31A9:00C6 B4 3E mov ah,3Eh
    31A9:00C8 CD 21 int 21h ; DOS Services ah=function 3Eh
    ; close file, bx=file handle
    31A9:00CA 72 02 jc loc_235 ; Jump if carry Set
    31A9:00CC EB 05 jmp short loc_236 ; (00D3)
    31A9:00CE loc_235: ; xref 31A9:00A1, 00B6, 00C4, 00CA
    31A9:00CE B8 4C01 mov ax,4C01h
    31A9:00D1 CD 21 int 21h ; DOS Services ah=function 4Ch
    ; terminate with al=return code
    31A9:00D3 loc_236: ; xref 31A9:00CC
    GOOD USER...


    Should I really comment this part of code better than Sourcer already reversed it?
    Really self-explanatory, no?

    Then... this second crack of the CD check is quickly made:
    The program arrives at 31A9:00A1, which is the protection check.
    The "jz loc_235" is here to see if you've got at least one CD drive.
    You've got none? Or you've got, as you see in the following code, not
    the right CD? Then this program ejects you immediately to the terrific
    int 21 with AH set to 4C, the DOS termination... Oh, no...

    But we are very clever. Note the "jmp short loc_236" at offset
    31A9:00CC, just at the end of the protection routine and just before the
    horrible DOS termination.
    Then we just need to jump to this location.

    What about a sympathetic:
    31A9:00A1 JMP loc_236
    instead of the original sad:
    31A9:00A1 jz loc_235
    which tells the program we've obviously got the right CD-ROM in our drive?

    Yes?
    We just need to change the jz loc_235 (74 2B) into our clever JMP loc_236.
    First, replace the jz opcode "74" with the jmp opcode "EB".
    Second, we need to jump to location 236 instead of 235,
    which is placed 5 bytes after it. Then, jmp loc_236 is jmp loc_235 + 5,
    is EB (2B + 5), is finally EB 30. Yeah!

    Then, just four bytes more to change, for aesthetics you know,
    to avoid the light of our CD drive twinkling when TEMP.EXE asks
    MSCDEX how many CD drives you've got.
    If you haven't got a CD drive on your machine, just don't care. But if
    you are Croesus or Bill Gates, you'd like to avoid all of your 56 CD drive lights
    lighting up! :-)

    Remember that it was INT 2F with AH set to 15 that checked your CD drives?
    Then, we've just got to replace in our code the opcode CD 2F, present at
    two locations, with some 40 48 opcodes, for example.

    Then, exit your hex editor and run a new game.
    Well, it works! And now we can play!
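
    The two byte patches in this post, as an added example (editor's, not from the post): a C patcher that computes the rel8 displacement from the instruction's end address instead of adding it by hand, and replaces int 2Fh with the inc ax / dec ax filler. `temp_routine` is the byte sequence from the Sourcer listing (31A9:00A1 to 31A9:00D3, index 0 is offset 00A1h, immediates in little-endian order); `mscdex_query` is a constructed copy of the mov ax,1500h / int 2Fh pair seen in LOADER.EXE, standing in for the two int 2Fh sites in TEMP.EXE that the listing does not show.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The bytes of the TEMP.EXE routine from the Sourcer listing, 31A9:00A1 to
 * 31A9:00D3, with multi-byte immediates in their little-endian order. */
#define TEMP_BASE 0x00A1
uint8_t temp_routine[] = {
    0x74, 0x2B,                   /* 00A1 jz  loc_235 (00CE)        */
    0x04, 0x41,                   /* 00A3 add al,41h                */
    0xA2, 0xA7, 0x01,             /* 00A5 mov data_845,al           */
    0x9A, 0xEA, 0x01, 0x72, 0x48, /* 00A8 call far 4872:01EA        */
    0xB4, 0x3D,                   /* 00AD mov ah,3Dh                */
    0xB0, 0x00,                   /* 00AF mov al,0                  */
    0xBA, 0xA7, 0x01,             /* 00B1 mov dx,offset data_845    */
    0xCD, 0x21,                   /* 00B4 int 21h (open)            */
    0x72, 0x16,                   /* 00B6 jc  loc_235               */
    0x8B, 0xD8,                   /* 00B8 mov bx,ax                 */
    0xB4, 0x3F,                   /* 00BA mov ah,3Fh                */
    0xB9, 0x0A, 0x00,             /* 00BC mov cx,0Ah                */
    0xBA, 0xA7, 0x01,             /* 00BF mov dx,offset data_845    */
    0xCD, 0x21,                   /* 00C2 int 21h (read)            */
    0x72, 0x08,                   /* 00C4 jc  loc_235               */
    0xB4, 0x3E,                   /* 00C6 mov ah,3Eh                */
    0xCD, 0x21,                   /* 00C8 int 21h (close)           */
    0x72, 0x02,                   /* 00CA jc  loc_235               */
    0xEB, 0x05,                   /* 00CC jmp short loc_236 (00D3)  */
    0xB8, 0x01, 0x4C,             /* 00CE mov ax,4C01h              */
    0xCD, 0x21,                   /* 00D1 int 21h (terminate)       */
};                                /* 00D3 loc_236: GOOD USER        */

/* Constructed copy of the MSCDEX query seen in LOADER.EXE (mov ax,1500h /
 * int 2Fh), standing in for the int 2Fh sites in TEMP.EXE not shown above. */
uint8_t mscdex_query[] = { 0xB8, 0x00, 0x15, 0xCD, 0x2F };

#define REL8_OUT_OF_RANGE 0x10000

/* rel8 displacement for a two-byte jump whose next instruction is at next_ip,
 * or REL8_OUT_OF_RANGE if the target cannot be reached with a short jump. */
int rel8_for(uint16_t next_ip, uint16_t target)
{
    int rel = (int)target - (int)next_ip;
    return (rel < -128 || rel > 127) ? REL8_OUT_OF_RANGE : rel;
}

/* Target of the short jump (jmp short or jcc rel8) at buf[at]. */
uint16_t short_jump_target(const uint8_t *buf, size_t at, uint16_t base)
{
    return (uint16_t)(base + at + 2 + (int8_t)buf[at + 1]);
}

/* Turns the short jump at buf[at] into "jmp short target", refusing to touch
 * anything that is not already a short jump (70h..7Fh or EBh). */
int patch_short_jump(uint8_t *buf, size_t at, uint16_t base, uint16_t target)
{
    uint8_t op = buf[at];
    if (op != 0xEB && (op & 0xF0) != 0x70)
        return 0;
    int rel = rel8_for((uint16_t)(base + at + 2), target);
    if (rel == REL8_OUT_OF_RANGE)
        return 0;
    buf[at] = 0xEB;
    buf[at + 1] = (uint8_t)(int8_t)rel;
    return 1;
}

/* Replaces every "int 2Fh" (CD 2F) with "inc ax / dec ax" (40 48), the
 * two-byte filler the post uses, and returns how many were replaced. */
size_t neutralise_int2f(uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == 0xCD && buf[i + 1] == 0x2F) {
            buf[i] = 0x40;
            buf[i + 1] = 0x48;
            n++;
        }
    }
    return n;
}

int main(void)
{
    printf("LOADER.EXE 350D:0140 -> EB %02X\n", (uint8_t)rel8_for(0x0142, 0x01B7));
    printf("TEMP.EXE jz target before patch: %04X\n", short_jump_target(temp_routine, 0, TEMP_BASE));
    patch_short_jump(temp_routine, 0, TEMP_BASE, 0x00D3);
    printf("TEMP.EXE 31A9:00A1 -> %02X %02X\n", temp_routine[0], temp_routine[1]);
    printf("int 2Fh sites replaced: %zu\n", neutralise_int2f(mscdex_query, sizeof mscdex_query));
    return 0;
}
```

    Both displacements the post arrives at by hand fall out of `rel8_for`: 0x75 for the LOADER.EXE jump at 350D:0140 (next instruction at 0142h, target 01B7h) and 0x30 for the TEMP.EXE jump at 31A9:00A1 (next instruction at 00A3h, target 00D3h); the opcode check is there so a wrong offset in the file patches nothing rather than corrupting a neighbouring instruction.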

  7. #7 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    How To Code A KeyGen
    A Lesson For Newbies
    By: Cardenal Mendoza


    Introduction
    -------------------------------------------------------------------
    This time I will teach you how to code a very simple keygen. The
    essay I wrote is one year old, so it is time for a new one, isn't it? OK,
    this time you will need SoftIce (of course!), W32dasm or IDA for
    making a dead listing, and a C++ compiler. I will use Borland Turbo
    C++ 3 :-) I know it is pretty old, but I have bought a legal (!)
    copy of it for 15 $. And for our purpose it will be enough. Oh, of
    course you need GIF Movie Gear 2.63, our target. You can download
    it at [link hidden by the forum: log in or register to view].
    If you use only SoftIce and not W32dasm you
    should have pen and paper, too. Don't ask me where to get these
    tools, ask your local software dealer ;-)
    I will assume that you know how to use SoftIce, W32dasm and your
    compiler. If not, go out and buy a good book.

    Finding The Reg Routine
    -------------------------------------------------------------------
    When you run the target, a silly nag pops up, probably a bug. So
    let us do a bit of debugging. Fire up SoftIce and run the target.
    Click around a little bit, and search for some dialog where you can
    enter your name and a serial. Try to search under the <Help> menu,
    <Register Now...> ;-)
    Type in your name and a dummy serial. Of course your serial is not
    the right one. If it is, wow, that is what I call zen cracking ;-)
    Let's try the default breakpoints. I think GetWindowTextA and
    GetDlgItemTextA will do fine. With these two breakpoints, try to register
    again. And, what a surprise, SoftIce pops up. Wait for the second
    call to GetWindowTextA and disable all breakpoints. Now you should
    see something like this:

    0xxx:0042C33F lea ecx, [esp+78] ; ecx = our fake serial
    0xxx:0042C343 lea edx, [esp+14] ; edx = our name
    0xxx:0042C347 push ecx ; push our fake serial
    0xxx:0042C348 push edx ; push our name
    0xxx:0042C349 call 0042C0C0 ; call the reg routine
    0xxx:0042C34E add esp, 8 ; add 8 to esp
    0xxx:0042C351 test eax, eax ; is eax == 0?
    0xxx:0042C353 jz 0042C3FF ; if yes, jmp bad_boy :-(

    I think this should all be clear. If not, you should learn assembly.
    So we found our routine.

    Getting One Valid Serial
    -------------------------------------------------------------------
    Before we code the keygen, we should fish one valid serial out of
    SoftIce. Step into the call and further. Always look at what the code
    does. At first it compares the first char of our serial with 'm';
    if it is not equal, it jumps to the end of the routine. But before
    we follow this jump, because our serial probably doesn't start with an
    'm', look a little bit further. The code after it compares the
    second char with 'v', the third with 'g' and the fourth with '2'.
    If they aren't equal, our serial is wrong. OK, type in a new serial
    which starts with 'mvg2'. Step into the call again. You should pass
    all the compares without problems. Now we get to this piece of code:

    0xxx:0042C0F0 mov ebx, 004462A8 ; ebx = ptr to a serial
    0xxx:0042C0F5 mov edx, dword ptr [ebx] ; edx = a serial
    0xxx:0042C0F7 or ecx, FFFFFFFF ;
    0xxx:0042C0FA mov edi, edx ; edi = a serial
    0xxx:0042C0FC xor eax, eax ; eax = 0
    0xxx:0042C0FE repnz
    0xxx:0042C0FF scasb ; load serial
    0xxx:0042C100 not ecx
    0xxx:0042C102 dec ecx
    0xxx:0042C103 mov edi, edx ; the serial
    0xxx:0042C105 mov esi, ebp ; our fake serial
    0xxx:0042C107 xor eax, eax ; eax = 0
    0xxx:0042C109 repz ; while byte ptr != 0
    0xxx:0042C10A cmpsb ; cmp edi, esi
    0xxx:0042C10B je 0042C172 ; jmp bad_boy if equal
    0xxx:0042C10D add ebx, 00000004 ; ebx += 4
    0xxx:0042C110 cmp ebx, 0044635C ; ebx==offset last serial
    0xxx:0042C116 jl 0042C0F5 ; if not jmp 0042C0F5

    So what does this code do? It is easy, it just compares our serial
    with some other serials. So these serials are the right ones? Of course
    not, haven't you read my comments? ;-) They are all not legal ones.
    The programmers have searched the web for such cracker serials and
    if a serial is equal to one of them, it is always wrong. Instead of
    searching the net for cracks for their own program, they should
    have coded a better protection! But they are so lazy. Therefore it
    would be senseless to publish a single serial, because next version
    it would be blacklisted, but we are going to do a keygen :-)
    Just go on stepping. Now your fourth char is compared with 's'.
    Why? If it has an 's' as the fourth char it is a serial for the
    site license of the application. Of course we want to have that ;-)
    So replace the fourth char of your serial with an 's' and step again
    until you get to this point. Now the program changes the pointer
    to our serial. It is esp; it skips the first 7 (or 6 if you have
    no site license) chars. OK, then a call follows. Step over it, it
    only moves the serial into [eax]. But what does this mean? It simply
    means that the 5th, 6th and 7th chars could be anything you want.
    So we can give our serial a signature. I use eVC because it is my
    group, but you can use any 3 chars you want; of course you could
    use numbers, too. So after the call there is something moved into edx.
    Guess what it is: it is our name! So we are near the bitch's nest!

    0xxx:0042C12F mov edi, edx ; edi = our name
    0xxx:0042C131 xor ecx, ecx ; ecx = 0
    0xxx:0042C133 mov dl, byte ptr [edx] ; dl = name[0]
    0xxx:0042C135 mov esi, 000006FE ; esi = 1790
    0xxx:0042C13A test dl, dl ; dl == 0
    0xxx:0042C13C je 0042C164 ; jmp to the cmp
    0xxx:0042C13E movsx edx, dl ; edx = name[0]
    0xxx:0042C141 inc ecx ; ecx = 1
    0xxx:0042C142 imul edx, ecx ; edx *= ecx
    0xxx:0042C145 add esi, edx ; esi = edx
    0xxx:0042C147 cmp esi, 00000DFD ; esi <= 3581?
    0xxx:0042C14D jle 0042C155 ; if not
    0xxx:0042C14F sub esi, 00000DFD ; esi -= 3581
    0xxx:0042C155 cmp ecx, 0000000A ; ecx == 10?
    0xxx:0042C158 jle 0042C15C ; if yes
    0xxx:0042C15A xor ecx, ecx ; ecx = 0
    0xxx:0042C15C mov dl, byte ptr [edi+01] ; dl = next char
    0xxx:0042C15F inc edi ; edi += 1
    0xxx:0042C160 test dl, dl ; dl == 0?
    0xxx:0042C162 jne 0042C13E ; if not loop
    0xxx:0042C164 cmp esi, eax ; esi == eax?
    0xxx:0042C166 jne 0042C172 ; if not jmp bad_boy

    I think with my comments this loop is easy to understand, too. At
    the point 0042C164 do a '? esi' and you see the second part of your
    serial. So, if you understand the loop completely, we could make the
    keygen, right??

    Coding The Keygen
    -------------------------------------------------------------------
    We will use C++; of course asm is better and normally I code my
    keygens in w32 asm, but it is not so easy to understand, and
    since this text is for newbies...
    So how is a keygen built up? First we must show a logo. I think
    this is easy, isn't it? Then we must get the username; I will use
    gets() for this purpose. Then we will calculate the second part of
    the serial and print it out, with 'mvg2seVC' in front of it.
    See my source code and mail me if you don't understand all of it:

    #include <iostream>
    #include <string>

    int main()
    {
        std::string n;
        long ebx = 0, ecx = 0, edx = 0, esi = 0x6FE;
        std::cout << " *KeyGen*" << std::endl;
        std::cout << " By Cardenal Mendoza" << std::endl;
        std::cout << " ----------------------" << std::endl;
        std::cout << " !rEAD tHE .nFO!" << std::endl << std::endl;
        std::cout << "Please enter your name: ";
        std::getline(std::cin, n);                // bounded read; gets() has no length check and is gone from modern C++
        if (n.empty()) { std::cout << "You should enter a name!"; return 0; }
        for (std::string::size_type i = 0; i < n.size(); i++)
        {
            ecx++;                                // inc ecx
            edx = static_cast<signed char>(n[i]); // movsx edx, dl (sign-extended, as in the target)
            ebx = ecx;
            ebx *= edx;                           // imul edx, ecx
            esi += ebx;                           // add esi, edx
            if (esi > 0xDFD) esi -= 0xDFD;        // cmp esi, 0DFDh / jle / sub esi, 0DFDh
            if (ecx > 0xA) ecx = 0;               // cmp ecx, 0Ah / jle / xor ecx, ecx
        }
        std::cout << "Your serial is : mvg2seVC" << esi;
        std::cout << std::endl << std::endl << "Another KeyGen coded by Cardenal Mendoza...";
        return 0;
    }


    This source code is really easy and not optimized. But you should
    understand it. In the appendix I will give you an optimized version.

    Outro
    -------------------------------------------------------------------

    OK, this is it for this time. I hope you learned something. If you
    want another tutor, mail me. Of course you can also mail me flames,
    criticism, or any other things. But please no spam and mail bombs.
    I will trace you, trust me ;-)

    :13/10/99 Cardenal Mendoza [EVC]:


    Appendix
    -------------------------------------------------------------------

    #include <iostream>
    #include <string>

    int main()
    {
        std::string n;
        long ecx = 0, esi = 0x6FE;
        std::cout << " *KeyGen*" << std::endl;
        std::cout << " By Cardenal Mendoza" << std::endl;
        std::cout << " ----------------------" << std::endl;
        std::cout << " !rEAD tHE .nFO!" << std::endl << std::endl;
        std::cout << "Please enter your name: ";
        std::getline(std::cin, n);                // bounded read in place of gets()
        if (n.empty()) { std::cout << "You should enter a name!"; return 0; }
        for (std::string::size_type i = 0; i < n.size(); i++)
        {
            ecx++;
            esi += ecx * static_cast<signed char>(n[i]); // same loop as above, folded into one line
            if (esi > 0xDFD) esi -= 0xDFD;
            if (ecx > 0xA) ecx = 0;
        }
        std::cout << "Your serial is : mvg2seVC" << esi;  // same prefix as the first version (the 's' was missing here)
        std::cout << std::endl << std::endl << "Another KeyGen coded by Cardenal Mendoza...";
        return 0;
    }
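
    An added example (editor's, not the post's keygen): the routine traced above in both directions in C. `mvg_hash` is the loop at 0042C12F, `mvg_generate` builds a serial in the layout the post's keygen prints, and `mvg_validate` re-applies the checks in the order the disassembly does them: the four character compares, the blacklist, the optional 's', the three free characters, then the hash against the numeric tail. The blacklist at 004462A8 is not on the page, so a two-entry list is constructed here; the numeric tail is assumed to be parsed as decimal, which matches what the keygen prints.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The loop at 0042C12F: esi starts at 6FEh, each name character (sign-extended
 * by movsx) is multiplied by a counter that runs 1..11 and then restarts at 1,
 * and esi is reduced by DFDh whenever it exceeds DFDh. */
long mvg_hash(const char *name)
{
    long esi = 0x6FE, ecx = 0;
    for (const char *p = name; *p != '\0'; p++) {
        ecx++;                                  /* inc ecx */
        esi += ecx * (long)(signed char)*p;     /* imul edx,ecx / add esi,edx */
        if (esi > 0xDFD)                        /* cmp esi,0DFDh / jle */
            esi -= 0xDFD;
        if (ecx > 10)                           /* cmp ecx,0Ah / jle */
            ecx = 0;
    }
    return esi;
}

/* Builds "mvg2" + ("s" for a site licence) + three free characters + the hash,
 * the layout the post's keygen prints. Returns 1 on success. */
int mvg_generate(const char *name, const char *sig3, int site_licence,
                 char *out, size_t outlen)
{
    if (name[0] == '\0' || strlen(sig3) != 3)
        return 0;
    int n = snprintf(out, outlen, "mvg2%s%s%ld",
                     site_licence ? "s" : "", sig3, mvg_hash(name));
    return n > 0 && (size_t)n < outlen;
}

/* Constructed stand-in for the blacklist at 004462A8 (its contents are not on
 * the page): serials matching an entry are rejected before the hash is checked. */
static const char *const BLACKLIST[] = { "mvg2sABC1855", "mvg2XYZ1987" };

/* The checks in the order the disassembly applies them. The numeric tail is
 * assumed to be parsed as decimal, matching what the keygen prints. */
int mvg_validate(const char *name, const char *serial)
{
    if (strncmp(serial, "mvg2", 4) != 0)                    /* the four char compares */
        return 0;
    for (size_t i = 0; i < sizeof BLACKLIST / sizeof BLACKLIST[0]; i++)
        if (strcmp(serial, BLACKLIST[i]) == 0)              /* repz cmpsb against each entry */
            return 0;
    const char *p = serial + 4;
    if (*p == 's')                                          /* site-licence flag */
        p++;
    for (int i = 0; i < 3; i++, p++)                        /* three free signature characters */
        if (*p == '\0')
            return 0;
    if (!isdigit((unsigned char)*p))
        return 0;
    char *end;
    long tail = strtol(p, &end, 10);
    if (*end != '\0')
        return 0;
    return tail == mvg_hash(name);                          /* cmp esi,eax */
}

/* Generates a serial for `name` and runs it through the validator. */
int mvg_roundtrip(const char *name, const char *sig3, int site_licence)
{
    char serial[64];
    if (!mvg_generate(name, sig3, site_licence, serial, sizeof serial))
        return 0;
    return mvg_validate(name, serial);
}

int main(void)
{
    char name[256];
    char serial[64];
    printf("Name: ");
    if (fgets(name, sizeof name, stdin) == NULL)
        return 1;
    name[strcspn(name, "\r\n")] = '\0';                    /* drop the newline fgets keeps */
    if (!mvg_generate(name, "eVC", 1, serial, sizeof serial)) {
        printf("You should enter a name!\n");
        return 1;
    }
    printf("Serial: %s (validates: %s)\n", serial,
           mvg_validate(name, serial) ? "yes" : "no");
    return 0;
}
```

    `mvg_roundtrip("A", "ABC", 1)` fails only because the serial it produces is one of the constructed blacklist entries, which is the point the post makes about blacklists: a generator keeps working, a single published serial does not.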

  8. #8 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    Bug Error 2000
    ---------------

    Gamez Cracking Guide Release 1
    -------------------------------



    1) Introduction
    ----------------


    Hi, guy, and welcome to the game cracking scene
    I think it's now time to share knowledge about cracking gamez.
    In this tutor, you'll learn to crack the different protections used in gamez, and sometimes
    in some programs, like Encarta 2000, for safedisc protection.
    I'll try to explain with high precision how to crack all the protections used in gamez.

    This tutor is only for educational purposes, cracking is not illegal, but crack a game
    only for backup, and don't crack a game to keep just a copy !!!!!!!!!!



    Toolz that you'll need
    -----------------------

    - W32Dasm
    - Soft-Ice
    - Hiew
    - Procdump




    First approach with assembler language and hexadecimal
    --------------------------------------------------------

    To be able to crack a game or an app, you need to know assembler language, also known as machine language.
    Assembler is the code that the microprocessor can understand.
    I'm gonna give you the most important instructions :


    - call : call an address or a subroutine

    - jmp : makes an unconditional jump to a part of the prog

    - ja : jump above

    - jnbe : jump not below or equal

    - jae : jump above or equal

    - jnb : jump not below

    - jb : jump below

    - jnae : jump not above or equal

    - jbe : jump below or equal

    - jna : jump not above

    - je : jump equal

    - jz : jump zero

    - jne : jump not equal

    - jnz : jump not zero

    - jl : jump less

    - jnge : jump not greater or equal

    - jge : jump greater or equal

    - jnl : jump not less

    - jle : jump less or equal

    - jng : jump not greater

    - jg : jump greater

    - jnle : jump not less or equal

    - int : software interrupt (an interrupt can call a BIOS function or an operating system function)


    => int 03 : begin of prog
    => int 21 : end of prog

    - nop : means no operation, very useful to crack

    - ret : return to the caller's prog


    What is W32DASM ?
    --------------------


    - W32DASM is a powerful disassembler and for me, it's the best and the easiest disassembler.
    With this tool, you'll be able to disassemble EXE, DLL,... files.


    What is Soft-Ice ?
    --------------------

    - Soft-Ice is simply the best debugger to debug, trace, edit the registers of, and dump memory
    (with a patch...) from a running prog.
    - Edit "winice.dat" with notepad, and remove the ; at the end, to have your file like this :

    EXP=c:\windows\system\vga.drv
    EXP=c:\windows\system\vga.3gr
    EXP=c:\windows\system\sound.drv
    EXP=c:\windows\system\mouse.drv
    EXP=c:\windows\system\netware.drv
    EXP=c:\windows\system\system.drv
    EXP=c:\windows\system\keyboard.drv
    EXP=c:\windows\system\toolhelp.dll
    EXP=c:\windows\system\shell.dll
    EXP=c:\windows\system\commdlg.dll
    EXP=c:\windows\system\olesvr.dll
    EXP=c:\windows\system\olecli.dll
    EXP=c:\windows\system\mmsystem.dll
    EXP=c:\windows\system\winoldap.mod
    EXP=c:\windows\progman.exe
    EXP=c:\windows\drwatson.exe
    ; ***** Examples of export symbols that can be included for Windows 95 *****
    ; Change the path to the appropriate drive and directory
    EXP=c:\windows\system\kernel32.dll
    EXP=c:\windows\system\user32.dll
    EXP=c:\windows\system\gdi32.dll
    EXP=c:\windows\system\comdlg32.dll
    EXP=c:\windows\system\shell32.dll
    EXP=c:\windows\system\advapi32.dll
    EXP=c:\windows\system\shell232.dll
    EXP=c:\windows\system\comctl32.dll
    EXP=c:\windows\system\crtdll.dll
    EXP=c:\windows\system\version.dll
    EXP=c:\windows\system\netlib32.dll
    EXP=c:\windows\system\msshrui.dll
    EXP=c:\windows\system\msnet32.dll
    EXP=c:\windows\system\mspwl32.dll
    EXP=c:\windows\system\mpr.dll




    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_



    2) Let's gonna crack an easy cd-check : Sin 1.0 No CD
    ------------------------------------------------------

    Tools That you'll need
    -----------------------

    - W32dasm 8.93
    - Hiew 6 or higher


    Initial notes
    --------------

    - First, install the full game
    - Make sure that the cd isn't in your drive )


    First approach with the CD-check protection
    --------------------------------------------

    - Run the game
    - Choose Game
    - Choose new game
    - Select your level difficulty
    - Then you're back in Windows and a message shows : "You must have the sin CD in the drive to play"
    - Note it, you'll need this



    First Approach with W32 DASM
    -----------------------------


    - Run W32dasm and click on "Disassemble"
    - Then, choose "Open file to disassemble" and choose "sin.exe"
    - After a few seconds, the file is going to be disassembled

    => If it's the first time that you disassemble a file, then, goto "Disassembler" / Font / Select font and choose Times new Roman


    - Oki, the file is disassembled, click on "String Data Ref" button near the print button
    - Now, you must see the "List of Strings Data References" box
    - We'll find the error message here
    - Scroll to the end, and double-click on "You must have the sin CD in the"
    - Click on close
    - You must see this :



    * Referenced by a CALL at Address:
    |:004568B4
    |
    :0045BBB0 E8CBFEFFFF call 0045BA80
    :0045BBB5 803800 cmp byte ptr [eax], 00
    :0045BBB8 750F jne 0045BBC9 => Very very very and also very interesting

    * Possible StringData Ref from Data Obj ->"You must have the Sin CD in the " => You're here
    ->"drive to play."
    |
    :0045BBBA 685C014800 push 0048015C
    :0045BBBF 6A00 push 00000000
    :0045BBC1 E8DA16FCFF call 0041D2A0
    :0045BBC6 83C408 add esp, 00000008

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0045BBB8(C)
    |
    :0045BBC9 C3 ret
    :0045BBCA 90 nop
    :0045BBCB 90 nop
    :0045BBCC 90 nop
    :0045BBCD 90 nop
    :0045BBCE 90 nop
    :0045BBCF 90 nop


    - Put the cursor on :0045BBB8 and take a look at the bottom: you're seeing the offset, it's 0005AFB8
    - Note it, you'll need this
    - To bypass the cd-check, you'll change JNE to JMP


    Crack the Sin.exe file
    -----------------------

    - To do this, you'll need Hiew
    - Launch Hiew, and load "sin.exe"
    - Press F4 and choose "decode"
    - Press F5, and enter the offset, here it is 0005AFB8
    - Press F4 and choose "Hex"
    - Press F3 to edit and type EB
    - Press F9 to update the EXE
    - Hiiiiiiiihaaaaaaaaa, you cracked Sin; try to crack Quake 2 if you have it, or the update for Sin, it's the same

    - So why EB ?? Because EB is the hex code of jmp (short jump)

    Here is a short list of the most important instructions and their hex opcodes



    nop : 90
    ret : c3
    call : E8
    jmp (short) : EB
    je : 74 or 0F84
    jne : 75 or 0F85
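    An added defensive counterpart to the opcode table above (not code from the tutorial): an integrity diff that compares a pristine copy of an executable with a suspect copy and tags each change by the patterns this page describes (jne to jmp, 0F85 to 0F84, a 5-byte call overwritten with nops, a ret dropped at a function entry). The sample bytes are constructed from instruction encodings quoted on this page, at made-up offsets.

```python
"""Integrity diff that names the byte patches this tutorial describes.
Added defensive example, not code from the tutorial; the sample bytes below are
constructed from instruction encodings quoted on this page, at made-up offsets."""
import hashlib
from typing import List, Optional, Tuple

# Opcode facts from the tutorial's table: nop 90, ret C3, call E8, jmp EB,
# je 74 / 0F84, jne 75 / 0F85
NOP, RET, CALL, JMP_SHORT, JE_SHORT, JNE_SHORT = 0x90, 0xC3, 0xE8, 0xEB, 0x74, 0x75


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_patch(original: bytes, patched: bytes) -> List[Tuple[int, str]]:
    """Return (file offset, tag) for every modified region, tagging the classic
    cd-check patches; anything else is reported as an unclassified run."""
    if len(original) != len(patched):
        raise ValueError(f"sizes differ ({len(original)} vs {len(patched)}): "
                         "not an in-place byte patch")
    findings, i, n = [], 0, len(original)
    while i < n:
        if original[i] == patched[i]:
            i += 1
            continue
        old, new = original[i], patched[i]
        if old == CALL and patched[i:i + 5] == bytes([NOP]) * 5:
            findings.append((i, "call->5xnop"))        # call to a check routine removed
            i += 5
        elif old == JNE_SHORT and new == JMP_SHORT:
            findings.append((i, "jne->jmp"))           # conditional made unconditional
            i += 1
        elif old == JE_SHORT and new == JMP_SHORT:
            findings.append((i, "je->jmp"))
            i += 1
        elif i > 0 and original[i - 1] == 0x0F and {old, new} == {0x84, 0x85}:
            # near form: only the second opcode byte changes; report from the 0F byte
            findings.append((i - 1, "jne->je near" if old == 0x85 else "je->jne near"))
            i += 1
        elif new == RET:
            findings.append((i, "ret inserted"))       # function short-circuited
            i += 1
        else:
            j = i
            while j < n and original[j] != patched[j]:
                j += 1
            findings.append((i, f"unclassified {j - i} byte(s)"))
            i = j
    return findings


def compare(original: bytes, suspect: bytes) -> Optional[List[Tuple[int, str]]]:
    """None when the copies are identical, else the classified differences."""
    if sha256_hex(original) == sha256_hex(suspect):
        return None
    return classify_patch(original, suspect)


def constructed_sample() -> Tuple[bytes, bytes]:
    """A 25-byte pristine 'binary' assembled from instructions quoted in the
    tutorial, and a copy carrying one of each patch kind (offsets are made up)."""
    original = bytes.fromhex(
        "803800"          # 0:  cmp byte ptr [eax], 00     (Sin listing)
        "750F"            # 3:  jne short                  (Sin listing)
        "0F850A010000"    # 5:  jne near                   (Gruntz listing)
        "E8EE240100"      # 11: call rel32                 (Quake 3 listing)
        "85C0"            # 16: test eax, eax
        "64A100000000"    # 18: mov eax, fs:[0]            (Gruntz second check)
        "C3"              # 24: ret
    )
    patched = bytearray(original)
    patched[3] = JMP_SHORT                 # jne -> jmp
    patched[6] = 0x84                      # 0F85 -> 0F84
    patched[11:16] = bytes([NOP]) * 5      # call -> 5 x nop
    patched[18] = RET                      # function entry replaced by ret
    return original, bytes(patched)


if __name__ == "__main__":
    orig, pat = constructed_sample()
    for off, tag in compare(orig, pat) or []:
        print(f"offset {off:#06x}: {tag}")
```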



    Make your own "Crack.exe"
    --------------------------

    Maybe you want to give your crack to interested people over the Internet; oki, no prob, here is the source code
    of my crack, you can modify it if you want.
    The language used is Pascal, so use Delphi to compile it


    { Delphi: assumed to be the OnClick handler of a button on a form that also
      carries a TOpenDialog component named "fichier" (the form itself isn't shown) }
    procedure TForm1.Button1Click(Sender: TObject);
    Const
    FileN : String = 'sin.exe'; {name of file to patch}
    BytesToChange : Integer = 1; {bytes to patch}
    FileS : LongInt = 536064; {size of the exe, to check the version}
    A : Array[1..1] of Record
    A : Longint;
    B : Byte;
    End =
    ((A:$5afb8;B:$eb)); {offset to modify + code to replace}
    Var
    F : File;
    Ch : Char;
    I : LongInt;
    Begin
    fichier.FileName := '*.exe';
    fichier.Filter := FileN;
    if fichier.Execute then
    begin
    AssignFile(F, fichier.FileName);
    Reset(F, 1); {untyped file with 1-byte records, so Seek works on byte offsets}
    If FileSize(F) <> FileS then
    begin
    CloseFile(F);
    ShowMessage('File is incorrect size');
    Halt(1);
    end;
    For I := 1 to BytesToChange do
    begin
    Seek(F, A[I].A);
    Ch := Char(A[I].B);
    BlockWrite(F, Ch, 1);
    end;
    CloseFile(F);
    ShowMessage('File successfully cracked');
    end;
    end;


    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_



    3) Let's gonna crack a multiple CD-Check : Gruntz 1.0
    ------------------------------------------------------


    Tools That you'll need
    -----------------------

    - W32dasm 8.93
    - Hiew 6 or higher


    Initial notes
    --------------

    - First, install the full game
    - Make sure that the cd isn't in your drive )


    First approach with the CD-check protection
    --------------------------------------------

    - Run the game
    - You must see this : "Gruntz CD hasn't been detected"
    - Click on No


    First Approach with W32 DASM
    -----------------------------


    - Run W32dasm and click on "Disassemble"
    - Then, choose "Open file to disassemble" and choose "gruntz.exe"
    - After a few seconds, the file is going to be disassembled

    => If it's the first time that you disassemble a file, then, goto "Disassembler" / Font / Select font and choose Times new Roman

    - Click on "Debug" and choose "Load Process" and click on "Load"
    - Click on "Run"
    - Click on "Step into" to trace the game
    - Click on "Terminated" and choose "Yes"
    - Now, you must see this :


    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0041FBC7(C)
    |
    :0041FBED 8B8424E8010000 mov eax, dword ptr [esp+000001E8]
    :0041FBF4 8D4C2418 lea ecx, dword ptr [esp+18]
    :0041FBF8 6A34 push 00000034
    :0041FBFA 8D54245C lea edx, dword ptr [esp+5C]
    :0041FBFE 51 push ecx
    :0041FBFF 52 push edx
    :0041FC00 50 push eax

    * Reference To: USER32.MessageBoxA, Ord:0195h => You're here
    |
    :0041FC01 FF15E4346C00 Call dword ptr [006C34E4]
    :0041FC07 83F806 cmp eax, 00000006
    :0041FC0A 7536 jne 0041FC42
    :0041FC0C C7050448640001000000 mov dword ptr [00644804], 00000001



    - Now, scroll up until you see this :


    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0041FA5D(C) => Double-right click on it
    |
    :0041FB6D 8B0D30086500 mov ecx, dword ptr [00650830]

    * Reference To: USER32.LoadStringA, Ord:0183h
    |
    :0041FB73 8B2DE8346C00 mov ebp, dword ptr [006C34E8]
    :0041FB79 8D442458 lea eax, dword ptr [esp+58]
    :0041FB7D 6A7C push 0000007C
    :0041FB7F 50 push eax

    * Possible Reference to String Resource ID=32801: "Le CD-Rom Gruntz n'a pas été détecté. Voulez-vous jouer en m" => Héhé, our fucking message
    |
    :0041FB80 6821800000 push 00008021
    :0041FB85 51 push ecx
    :0041FB86 FFD5 call ebp
    :0041FB88 85C0 test eax, eax
    :0041FB8A 7524 jne 0041FBB0


    - Now, you must see this :


    * Possible StringData Ref from Data Obj ->"%s\%s"
    |
    :0041FA38 68F8B66000 push 0060B6F8
    :0041FA3D 50 push eax
    :0041FA3E C68424F001000001 mov byte ptr [esp+000001F0], 01
    :0041FA46 E83D261900 call 005B2088
    :0041FA4B 8B4C2420 mov ecx, dword ptr [esp+20]
    :0041FA4F 83C410 add esp, 00000010
    :0041FA52 51 push ecx
    :0041FA53 E8FD47FEFF call 00404255
    :0041FA58 83C404 add esp, 00000004
    :0041FA5B 85C0 test eax, eax
    :0041FA5D 0F850A010000 jne 0041FB6D => You're here
    :0041FA63 8B9C24E8010000 mov ebx, dword ptr [esp+000001E8]


    - Oki, we have the fucking test routine
    - Be sure that you're on :0041FA5D and take the offset, it's 0001EE5D



    Crack the gruntz.exe file
    --------------------------

    - To do this, you'll need Hiew
    - Launch Hiew, and load "gruntz.exe"
    - Press F4 and choose "decode"
    - Press F5, and enter the offset, here it is 0001EE5D
    - Press F4 and choose "Hex"
    - Press F3 to edit and type 0F84
    - Press F9 to update the EXE
    - Run the game again
    - Hm, what's happening ??? : "Insert CD into your drive" ;(((((
    - Héhé, don't cry, this is another CD-check



    Approach with the second CD-Check
    ----------------------------------


    - Disassemble again "Gruntz.exe"
    - Click on "Debug" and choose "Load Process" and click on "Load"
    - Click on "Run"
    - Click on "Step into" to trace the game
    - Click on "Terminated" and choose "Yes"
    - Now, you must see this :

    * Reference To: USER32.MessageBoxA, Ord:0195h
    |
    :0041FAE6 FF15E4346C00 Call dword ptr [006C34E4]
    :0041FAEC 83F801 cmp eax, 00000001 => You're here
    :0041FAEF 0F854D010000 jne 0041FC42
    :0041FAF5 E8542E1B00 call 005D294E
    :0041FAFA 8B4804 mov ecx, dword ptr [eax+04]
    :0041FAFD E832E31900 call 005BDE34
    :0041FB02 C68424E001000002 mov byte ptr [esp+000001E0], 02
    :0041FB0A E82C2AFEFF call 0040253B
    :0041FB0F 85C0 test eax, eax
    :0041FB11 752E jne 0041FB41
    :0041FB13 68E8030000 push 000003E8



    - Scroll up until you see this :


    :0041F9A5 CC int 03
    :0041F9A6 CC int 03
    :0041F9A7 CC int 03
    :0041F9A8 CC int 03
    :0041F9A9 CC int 03
    :0041F9AA CC int 03
    :0041F9AB CC int 03
    :0041F9AC CC int 03
    :0041F9AD CC int 03
    :0041F9AE CC int 03
    :0041F9AF CC int 03 => Haha, very interesting

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00402F2C(U)
    |
    :0041F9B0 64A100000000 mov eax, dword ptr fs:[00000000] => Be sure you're here
    :0041F9B6 6AFF push FFFFFFFF
    :0041F9B8 6891845D00 push 005D8491
    :0041F9BD 50 push eax
    :0041F9BE 64892500000000 mov dword ptr fs:[00000000], esp
    :0041F9C5 81ECC8010000 sub esp, 000001C8
    :0041F9CB 53 push ebx
    :0041F9CC 55 push ebp
    :0041F9CD 56 push esi
    :0041F9CE 57 push edi
    :0041F9CF E8672BFEFF call 0040253B
    :0041F9D4 85C0 test eax, eax
    :0041F9D6 7414 je 0041F9EC
    :0041F9D8 C7050448640000000000 mov dword ptr [00644804], 00000000
    :0041F9E2 B801000000 mov eax, 00000001
    :0041F9E7 E97D020000 jmp 0041FC69


    - Put the cursor on :0041F9B0 and take the offset, it's 0001EDB0


    Crack the gruntz.exe file
    --------------------------

    - To do this, you'll need Hiew
    - Launch Hiew, and load "gruntz.exe"
    - Press F4 and choose "decode"
    - Press F5, and enter the offset, here it is 0001EDB0
    - Press F4 and choose "Hex"
    - Press F3 to edit and type C3
    - Press F9 to update the EXE
    - Run the game, and, Hiiiiiiiihaaaaaaaaa, you cracked Gruntz


    So, why C3 ??
    --------------

    - At :0041F9AF you see int 03, that means that the program stopped there to execute the cd-check routine, so you
    must go back to the main prog directly with the "ret" instruction, and "ret" in hex is C3


    Cracking source code
    ---------------------

    { Delphi: assumed to be the OnClick handler of a button on a form that also
      carries a TOpenDialog component named "fichier" (the form itself isn't shown) }
    procedure TForm1.Button1Click(Sender: TObject);
    Const
    FileN : String = 'gruntz.exe'; {name of file to patch}
    BytesToChange : Integer = 3; {bytes to patch}
    FileS : LongInt = 2512896; {size of the exe, to check the version}
    A : Array[1..3] of Record
    A : Longint;
    B : Byte;
    End =
    ((A:$1ee5d;B:$0f), {offset to modify + code to replace}
    (A:$1ee5e;B:$84),
    (A:$1edb0;B:$c3));
    Var
    F : File;
    Ch : Char;
    I : LongInt;
    Begin
    fichier.FileName := '*.exe';
    fichier.Filter := FileN;
    if fichier.Execute then
    begin
    AssignFile(F, fichier.FileName);
    Reset(F, 1); {untyped file with 1-byte records, so Seek works on byte offsets}
    If FileSize(F) <> FileS then
    begin
    CloseFile(F);
    ShowMessage('File is incorrect size');
    Halt(1);
    end;
    For I := 1 to BytesToChange do
    begin
    Seek(F, A[I].A);
    Ch := Char(A[I].B);
    BlockWrite(F, Ch, 1);
    end;
    CloseFile(F);
    ShowMessage('File successfully cracked');
    end;
    end;



    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_



    3) Let's gonna crack by trace with soft-ice : Quake 3 1.14
    -----------------------------------------------------------


    Initial notes
    --------------

    - First, install the full game and apply Patch 3.14
    - Then, be sure that Soft-ice is loaded in autoexec.bat
    => C:\PROGRA~1\SOFTIC~1\WINICE.EXE
    - Make sure that the cd isn't in your drive )


    First approach with Soft-Ice
    ----------------------------

    - Run the game
    - When you're in the game choose Single Player
    - Then, choose a map
    - Click on Fight
    - Press CTRL + D to go in soft-ice
    - In the soft-ice command prompt, type : BPX GetDriveTypeA
    - Press enter key
    - Press CTRL + D to go back on Q3A
    - Click on Fight, and surprise, you're back in Soft-Ice )
    - Why ? Because you've put a breakpoint on Kernel32!GetDriveTypeA!
    - OK, in Soft-Ice, press F11 to get GetDriveTypeA's caller
    - Aha, you should see that now :


    0177:00440CD8 CMP EAX,05 => You're here )
    0177:00440CDB JNZ 00440D25
    0177:00440CDD PUSH 004C4070
    0177:00440CE2 LEA ECX,[ESP+08]
    0177:00440CE6 PUSH ECX
    0177:00440CE7 PUSH 004BACC4
    0177:00440CEC PUSH 0059BC00
    0177:00440CF1 CALL 004A0DAF
    0177:00440CF6 PUSH 004C4064
    0177:00440CFB PUSH 0059BC00
    0177:00440D00 LEA EDX,[ESP+20]
    0177:00440D04 PUSH 004C405C


    - Note 00440CD8, you'll need this



    Disassembling File with W32dasm
    -------------------------------

    - Load W32dasm and open "quake3.exe"
    - After a short time, the file will be disassembled
    - Now, click on "goto" in the menu
    - Click on "Goto Code Location"
    - Type 00440CD8 (you should have written this address down)
    - You must see that now :


    * Referenced by a CALL at Address:
    |:0042E7BD => Hihaaaaaa, double right click on it
    |
    :00440CB0 81EC84000000 sub esp, 00000084
    :00440CB6 56 push esi

    * Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
    |
    :00440CB7 8B3590304B00 mov esi, dword ptr [004B3090]
    :00440CBD C64424053A mov [esp+05], 3A
    :00440CC2 C64424065C mov [esp+06], 5C
    :00440CC7 C644240700 mov [esp+07], 00
    :00440CCC C644240463 mov [esp+04], 63

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00440D31(C)
    |
    :00440CD1 8D442404 lea eax, dword ptr [esp+04]
    :00440CD5 50 push eax
    :00440CD6 FFD6 call esi
    :00440CD8 83F805 cmp eax, 00000005 => Héhé, you're here
    :00440CDB 7548 jne 00440D25


    - After double right click on 0042E7BD, you must see this :

    :0042E7A3 6834834B00 push 004B8334
    :0042E7A8 E803E9FEFF call 0041D0B0
    :0042E7AD D81D58334B00 fcomp dword ptr [004B3358]
    :0042E7B3 83C404 add esp, 00000004
    :0042E7B6 DFE0 fstsw ax
    :0042E7B8 F6C440 test ah, 40
    :0042E7BB 7418 je 0042E7D5
    :0042E7BD E8EE240100 call 00440CB0 => You're here (The fucking cd-check routine)
    :0042E7C2 85C0 test eax, eax
    :0042E7C4 750F jne 0042E7D5

    * Possible StringData Ref from Data Obj ->"Game CD not in drive" => Hm, i don't want to see this
    |
    :0042E7C6 6854084C00 push 004C0854
    :0042E7CB 6A03 push 00000003
    :0042E7CD E8FEB9FEFF call 0041A1D0
    :0042E7D2 83C408 add esp, 00000008


    - Place you on 0042E7C4 and click on the "Jump To" button, you must see this :

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0042E7BB(C), :0042E7C4(C)
    |
    :0042E7D5 A15CAB5900 mov eax, dword ptr [0059AB5C] => You're here
    :0042E7DA 85C0 test eax, eax
    :0042E7DC 7409 je 0042E7E7
    :0042E7DE 50 push eax
    :0042E7DF E85CC3FEFF call 0041AB40
    :0042E7E4 83C404 add esp, 00000004


    - Did you see? If the JNE is taken, it bypasses the cd-check and the game runs
    - Oki, click on the "Ret Jump" Button
    - You're back here :

    :0042E7A3 6834834B00 push 004B8334
    :0042E7A8 E803E9FEFF call 0041D0B0
    :0042E7AD D81D58334B00 fcomp dword ptr [004B3358]
    :0042E7B3 83C404 add esp, 00000004
    :0042E7B6 DFE0 fstsw ax
    :0042E7B8 F6C440 test ah, 40
    :0042E7BB 7418 je 0042E7D5
    :0042E7BD E8EE240100 call 00440CB0
    :0042E7C2 85C0 test eax, eax
    :0042E7C4 750F jne 0042E7D5 => You're back here

    - Put the cursor on 0042E7BD and take a look at the bottom to see the offset
    - The offset is 0002E7BD
    - Write this offset, you'll need this



    - Cracking the EXE file
    ------------------------

    - Open Hiew, and load "quake3.exe"
    - Press F4 and choose "decode"
    - Press F5, and enter the offset, here it is 0002E7BD
    - Press F4 and choose "Hex"
    - Press F3 to edit and type 9090909090
    - Press F9 to update the EXE

    - Why 90 ??
    ------------

    - You saw that 0042E7BD calls the cd-check routine, so we must "delete it"
    - 90 is nop in assembler language, which means do nothing
    - But why 5x 90 ?
    - Because the call instruction is E8EE240100, which takes 5 bytes, so 5 bytes become 90



    - Big surprise
    ---------------

    - Run the game
    - What's happening ?!????!!!!???
    - The game runs without CD )


    Héhé, you've cracked Quake 3 Arena, enjoy )


    - Crack Source
    ---------------

    - If you want to make a crack.exe and distribute it on the internet, you must make a prog that
    changes the 5 original bytes to 5 nops
    - So, I included my source code made with Delphi 5, it also works with Delphi 1, 2, 3 or 4



    { Delphi: assumed to be the OnClick handler of a button on a form that also
      carries the TOpenDialog component named "fichier" mentioned below (the form itself isn't shown) }
    procedure TForm1.Button1Click(Sender: TObject);
    Const
    FileN : String = 'quake3.exe'; {name of file to patch}
    BytesToChange : Integer = 5; {5 bytes to patch}
    FileS : LongInt = 876601; {size of the exe, to check the version}
    A : Array[1..5] of Record
    A : Longint;
    B : Byte;
    End =
    ((A:$2e7bd;B:$90), {offset to modify + code to replace}
    (A:$2e7be;B:$90),
    (A:$2e7bf;B:$90),
    (A:$2e7c0;B:$90),
    (A:$2e7c1;B:$90));
    Var
    F : File;
    Ch : Char;
    I : LongInt;
    Begin
    fichier.FileName := '*.exe'; {i've put an OpenDialog on the form and named it "fichier"}
    fichier.Filter := FileN;
    if fichier.Execute then
    begin
    AssignFile(F, fichier.FileName);
    Reset(F, 1); {untyped file with 1-byte records, so Seek works on byte offsets}
    If FileSize(F) <> FileS then
    begin
    CloseFile(F);
    ShowMessage('File is incorrect size');
    Halt(1);
    end;
    For I := 1 to BytesToChange do
    begin
    Seek(F, A[I].A);
    Ch := Char(A[I].B);
    BlockWrite(F, Ch, 1);
    end;
    CloseFile(F);
    ShowMessage('File successfully cracked');
    end;
    end;



    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_


    4) Let's gonna crack a DLL file where the CD-check is located : Starcraft 1.0
    ------------------------------------------------------------------------------


    Toolz that you'll need
    -----------------------

    - Soft-Ice 3.23 or higher
    - W32dasm 8.93 or higher
    - hiew 6 or higher


    - Initial Notes
    ----------------

    - Install the game (full)
    - Copy "install.exe" from your original cd to your starcraft directory
    - Please be sure that you don't have the cd into your drive


    First Approach
    --------------

    - Press CTRL + D to go in Soft-Ice
    - Set a breakpoint on GetDriveTypeA : BPX GetDriveTypeA
    - Press F5
    - Run the game, and you're back in Soft-Ice
    - Press F11 to get the caller
    - You must see this :

    0177:15012c40 call [KERNEL32!GetDriveTypeA]
    0177:15012c46 mov esi, eax

    - You also see that you're inside Storm.dll
    - So, you know that the cd check is in "storm.dll"
    - Note the address 15012c46, you'll need this


    Disassembling the target
    ------------------------

    - Run W32dasm, and open "storm.dll"
    - Click on goto and goto code location, and enter 15012c46
    - You must see this :

    * Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh

    :15012c40 ff15f0240315 Call dword ptr [150324f0]
    :15012c46 8bf0 mov esi, eax

    - Scroll down till you see :

    :15012c85 eb78 jmp 15012cff

    - Click on Jump To's icon
    - You must see this :



    :15012ce5 6681f9001f cmp cx, 1f00
    :15012cea 740b je 15012cf7 => Force this to JUMP...
    :15012cec 6681f9001f cmp cx, 0805
    :15012cf1 895c2410 mov dword ptr [esp+10], ebx
    :15012cf5 7508 jne 15012cff

    * Referenced by a (U)nconditional or (C)onditional Jump at address
    :15012cea(C)

    :15012cf7 c744241001000000 mov [esp+10], 00000001 => ...to go here )


    * Referenced by a (U)nconditional or (C)onditional Jump at address
    :15012c85(U), 15012cbe(U), :15012cf5(C)

    :15012cff 399c2440020000 cmp dword ptr [esp+00000240], ebx => You're here


    - Please be sure that you're on 15012cea and take the offset (shown at the bottom of W32Dasm), here
    it's 00012cea


    Let's gonna crack )
    ---------------------

    - Run Hiew and open "storm.dll"
    - Press F4 and choose "Decode"
    - Press F5 and enter 12cea
    - Press F4 and choose "Hex"
    - Press F3 and enter EB
    - Press F9 to update the file



    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_


    5) Let's gonna crack a game without String Ref : Half-Life 1.0.0.5
    -------------------------------------------------------------------

    Initial Notes
    --------------

    - When you run the game without cd and click on new game, it prompts you to insert the cd.
    - Please be sure that the cd is not in the drive, you'll crack it )



    Disassembling HL.EXE
    ---------------------

    - Run W32dasm and open "hl.exe"
    - Click on "Strn Ref" and find "valve.ico" reference, and double click on it
    - You must see this :

    * Referenced by a CALL at Addresses:
    :0043eb3e , :0043eb7d => Ahah, the two fucking callers


    :0041ed60 mov eax, 00001218
    :0041ed65 call 00477e80
    :0041ed6a mov [esp+04], 00000007
    :0041ed72 push ebx
    :0041ed73 push esi
    :0041ed74 push edi
    :0041ed75 push ebp
    :0041ed76 call 0041f030
    :0041ed7b lea eax, dword ptr [esp+10]
    :0041ed7f push 00001266
    :0041ed84 mov [esp+14], 00000000


    * Possible StringData Ref from Data Obj ->"valve.ico"

    :0041eb8c push 004bd2ec => You're here )
    :0041eb91 push eax
    :0041eb92 call 0041ec80
    ...


    - Click on "goto" and "goto code location" and type 0043eb3e
    - You must arrive here :

    :0043eb3e call 0041ed60

    - Take the offset, and note it, this is 0003DF3E
    - Click on "goto" and "goto code location" and type 0043eb7d
    - You must arrive here :

    :0043eb7d call 0041ed60

    - Take the offset, and note it, this is 0003DF7D


    Let's gonna crack
    ------------------

    - Run Hiew and open "hl.exe"
    - Press F4 and choose "decode"
    - Press F5 and type 0003df3e
    - Press F4 and choose Hex
    - Press F3 to edit, and enter : 9090909090
    - Press F4 and choose "decode"
    - Press F5 and type 0003df7d
    - Press F4 and choose Hex
    - Press F3 to edit, and enter : 9090909090

    Why 90 ??
    ---------

    - 90 is the hexadecimal code of nop.
    - Nop is a mnemonic in assembler language
    - Nop means "no operation"
    - The nop code is used here to bypass the cd-check, and like that, you can
    play without cd )
    - Yeah, you've cracked it )


    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_



    6) Let's gonna crack Safedisc : Heroes of Might & Magic 7 1.0 US
    -----------------------------------------------------------------



    Toolz :
    -------

    - Soft-Ice 3.23
    - ProcDump 1.5
    - Frog-Sice (To bypass anti-debugging protection)
    - Sicetool (To patch soft-ice and modify pagein command)
    - HexWorkshop
    - ExeScope

    About ICD Files
    ----------------

    - Run ProcDump
    - Click on PE Editor and open "mm7.icd"

    Entry Point => 000CF9AE
    Image Base => 00400000

    - Now, you must calculate EIP : Entry Point + Image Base => 004cf9ae

    - Click on Sections to get this :


    Virt. Offset RAW Size RAW Offset

    .text 00001000 000DA000 00001000
    .rdata 000DB000 00007000 000DB000
    .data 000E2000 00017000 000E2000
    .rsrc 00B99000 00010000 000F9000

    - To dump these sections, you'll need the begin address :

    => Begin address : Image Base + Virtual Offset

    .text => 401000
    .rdata => 4db000
    .data => 4e2000
    .rsrc => f99000
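    Added example, not code from the tutorial: the PE section-table arithmetic behind this section's steps (EIP = Entry Point + Image Base, begin address = Image Base + Virtual Offset) and behind the earlier "take the offset at the bottom of W32Dasm" steps, using the mm7.icd table exactly as listed above. The names (Section, PeLayout) are my own, and build_pe_headers() constructs a synthetic header only so the parser can be exercised offline.

```python
"""PE section-table arithmetic behind the address and offset steps in this tutorial.
Added example, not the tutorial's code; MM7 is the mm7.icd table listed above,
and build_pe_headers() constructs a synthetic header only so the parser runs offline."""
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Section:
    name: str
    virtual_offset: int   # VirtualAddress, an RVA ("Virt. Offset" in ProcDump)
    raw_size: int         # SizeOfRawData ("RAW Size")
    raw_offset: int       # PointerToRawData ("RAW Offset")

@dataclass(frozen=True)
class PeLayout:
    image_base: int
    entry_point: int      # AddressOfEntryPoint, also an RVA
    sections: List[Section]

    def entry_va(self) -> int:
        # The tutorial's "EIP = Entry Point + Image Base"
        return self.image_base + self.entry_point

    def section_start_va(self, name: str) -> int:
        # The tutorial's "Begin address = Image Base + Virtual Offset"
        for s in self.sections:
            if s.name == name:
                return self.image_base + s.virtual_offset
        raise KeyError(name)

    def va_to_file_offset(self, va: int) -> Optional[int]:
        # The "offset" W32Dasm shows at the bottom for an address: rebase the RVA
        # from the section's virtual offset onto its raw (file) offset.
        rva = va - self.image_base
        for s in self.sections:
            if s.virtual_offset <= rva < s.virtual_offset + s.raw_size:
                return s.raw_offset + (rva - s.virtual_offset)
        return None   # not backed by file data (e.g. memory an unpacker allocated)

    def file_offset_to_va(self, off: int) -> Optional[int]:
        for s in self.sections:
            if s.raw_offset <= off < s.raw_offset + s.raw_size:
                return self.image_base + s.virtual_offset + (off - s.raw_offset)
        return None

def parse_pe_layout(data: bytes) -> PeLayout:
    """Read image base, entry point and the section table out of PE32 header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20                           # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i             # IMAGE_SECTION_HEADER, 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, rsize, roff = struct.unpack_from("<4I", data, hdr + 8)
        sections.append(Section(name, vaddr, rsize, roff))
    return PeLayout(image_base, entry_point, sections)

def build_pe_headers(layout: PeLayout) -> bytes:
    """Constructed, header-only PE32 image (no section data) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> "PE\0\0" right after the stub
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout.sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, layout.entry_point)
    struct.pack_into("<I", opt, 28, layout.image_base)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode("ascii"), s.raw_size, s.virtual_offset,
                    s.raw_size, s.raw_offset, 0, 0, 0, 0, 0x60000020)
        for s in layout.sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs

# Section table of mm7.icd exactly as ProcDump lists it above (entry point 000CF9AE)
MM7 = PeLayout(0x00400000, 0x000CF9AE, [
    Section(".text",  0x00001000, 0x000DA000, 0x00001000),
    Section(".rdata", 0x000DB000, 0x00007000, 0x000DB000),
    Section(".data",  0x000E2000, 0x00017000, 0x000E2000),
    Section(".rsrc",  0x00B99000, 0x00010000, 0x000F9000),
])
```

    The same rebasing explains why earlier listings show an address such as :0045BBB8 next to a file offset such as 0005AFB8: the difference is that section's virtual offset minus its raw offset.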



    - Run ExeScope, and open "mm7.icd"
    - Click on Imports
    - Choose Kernel, and count how many APIs are there : here, it's 96, and in hexadecimal : 60h
    - Now, choose User, and count how many APIs are there : here, it's 33, and in hexadecimal : 33h
    - You must convert the decimal numbers to hexadecimal, because soft-ice doesn't like decimal )



    Dump Sections
    --------------


    - Run the game
    - Wait for the splash screen, and press CTRL + D
    - In Soft-Ice, if you're in DPLAYER.DLL, type BPX FREELIBRARY
    - Press F11
    - After a few seconds, you're back in soft-ice
    - Type d 4cf9ae to see if the icd file is decrypted; if not, press F5 and wait )
    - If the ICD file is decrypted, type BC*
    - Ok, now you'll dump all sections except .rdata with the pagein command
    - In soft-ice, type :



    pagein 401000 da000 c:\text.bin
    pagein 4e2000 17000 c:\data.bin
    pagein f99000 10000 c:\rsrc.bin


    About Safedisc's caller
    ------------------------

    - Type bpx 4cf9ae and press F5
    - What do we get ?

    0177:004cf9ae push ebp
    0177:004cf9af mov ebp, esp
    0177:004cf9b1 push ff
    0177:004cf9b3 push 004de160
    0177:004cf9b8 push 004d311c
    0177:004cf9bd mov eax, fs: [00000000]
    0177:004cf9c3 push eax
    0177:004cf9c4 mov fs: [00000000], esp
    0177:004cf9cb sub esp, 58
    0177:004cf9ce push ebx
    0177:004cf9cf push esi
    0177:004cf9d0 push edi
    0177:004cf9d1 mov [ebp-18], esp
    0177:004cf9d4 call [004db164] => Press F8 here to trace it


    - Now, you must get this :

    0177:012678e7 pushad
    0177:012678e8 push 0000004b
    0177:012678ed push 00000000
    0177:012678f2 call [01267908] => Haha, this is our c-dilla's caller, note this, you'll need
    0177:012678f8 add esp, 08
    0177:012678fb popad
    0177:012678fc jump [01267902]


    Move .RDATA in .DATA
    ---------------------

    - Because the .rdata section is read-only, you'll need to move it into another section with the M command (L gives the length)

    => M "RAW Size of .rdata + Image Base" L "Raw Size of .rdata" "Virtual Offset of .data + Image Base"

    - In soft-Ice, type :

    M 407000 L 7000 4f0000


    Fix .rdata section for Kernel's API
    ------------------------------------

    - In soft-ice, type :

    R eip 4cf9ae
    .
    a eip

    - Now, write this call's fixer :

    4CF9AE pushad
    4CF9AF push ebx
    4CF9B0 push 0 => 0 means kernel import
    4CF9B2 call [01267908] => The address that you've found by tracing
    4CF9B8 add esp, 8
    4CF9BB mov edx, 4F0000 => Where you've moved .rdata
    4CF9C0 cmp eax, [edx]
    4CF9C2 je 4cf9ce
    4CF9C4 inc edx
    4CF9C5 cmp edx, 4f7000
    4CF9CB jne 4cf9c0
    4CF9CD int 03
    4CF9CE mov [edx], ecx
    4CF9D0 popad
    4CF9D1 inc ebx
    4CF9D2 cmp ebx, 60 => 60 is kernel's api in hex
    4CF9D5 jne 4cf9ae
    4CF9D7 int 03



    Fix .rdata section for User's API
    ----------------------------------

    - In soft-ice, type :

    R eip 4cf9ae
    .
    a eip

    - Now, write this call's fixer :

    4CF9AE pushad
    4CF9AF push ebx
    4CF9B0 push 01 => 01 means user import
    4CF9B2 call [01267908] => The address that you've found by tracing
    4CF9B8 add esp, 8
    4CF9BB mov edx, 4F0000 => Where you've moved .rdata
    4CF9C0 cmp eax, [edx]
    4CF9C2 je 4cf9ce
    4CF9C4 inc edx
    4CF9C5 cmp edx, 4f7000
    4CF9CB jne 4cf9c0
    4CF9CD int 03
    4CF9CE mov [edx], ecx
    4CF9D0 popad
    4CF9D1 inc ebx
    4CF9D2 cmp ebx, 33 => 33 is user's api in hex
    4CF9D5 jne 4cf9ae
    4CF9D7 int 03


    - Now, you'll be able to dump .rdata section :

    pagein 4f0000 7000 c:\rdata.bin



    Rebuild EXE file
    -----------------

    - Now that you have all the dumped sections, you must rebuild a new "mm7.exe" file
    - Copy "mm7.exe" into a temp directory with all the dumped sections
    - Rename "mm7.icd" by "mm7.exe"
    - Run Hexworkshop, and open "mm7.exe"
    - Open "text.bin"
    - Focus on "mm7.exe" and press ALT + F5
    - Enter the RAW Offset of text's section : 1000 (Select at the beginning)
    - Go to Edit, and select "Select Block" and type the Raw Size of .text's section : da000
    - Focus on "text.bin" and go to Editand click on Select All
    - Press CTRL + C
    - Focus on "mm7.exe" and press CTRL + V
    - Do the same thing for rdata, data and rsrc's section )
    - Save the new "mm7.exe"

    Rebuild PE
    ----------

    - Run procdump and choose "Rebuild PE"
    - Choose your new "mm7.exe" and click on OK
    - OK, your EXE is fixed, and you've cracked Safedisc




    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_


    This first release of this tutor is finished; there will be other updates of this tutor.
    If you want to contact me : [to view the link, sign in with your username or register]

    Best regards to : Sevand02K, Kab00m, Apus, NADA, MasterF, BlackRacer, Izidor, lobo, LoKi, [scara], Thezor, ZuleikaH, Morteza_SOS
    BeN!H, dERZ, HGSTaBRF, SHi, SarRik, The Magic Byte, Crack Magic, BoBa, DayaBlo, DaBrain, Ghost,
    gZM, JTK, LAP, LiMiTer oNe, LoKI, Melenium, safedisc-killer, Skorpyion, Speedystep, The Drunkman, TiVe,
    WeaxWeasel, my lovely Kobold666, and R!sc


    Sorry if I forgot you

  9. #9
    Morteza_SOS (Professional)
    Join Date
    Apr 2006
    Posts
    577

    Default

    Program Details
    Program Name: Tomb Raider III
    Program Type: Game
    Program Location: N/A

    Tools Used:
    CD-Writer
    Nero or you can use CDRWIN
    Softice
    W32Dasm
    HexWorkshop
    Rating: Easy ( X ) Medium ( X ) Hard ( ) Pro ( )

    There is a crack, a crack in everything. That's how the light gets in.


    --------------------------------------------------------------------------------

    TOMB RAIDER III
    "Understanding CD Protections Systems"
    Written by +Sandman

    Introduction
    Greetings Reversers,
    At the time of this essay there are currently around half a dozen or so commercial protection systems for PC CD games/utilities, they being:-


    SecuROM
    SafeDisc
    SafeCast
    LaserLock
    ProtectCD
    CD-Cops
    DiscGuard
    The Copy-Protected CD & The Bongle

    In addition, there are a number of methods which can also be used to protect a CD, they being:-

    OverSize/OverBurn the CD
    Illegal TOC
    Dummy Files
    Physical Errors.

    Of course, some CDs have a combination of the above, which complicates matters even further when you try to back up your CDs as I do.
    Tomb Raider III is considered as having a 'weak' protection system even though it uses a number of distinct protection systems/methods to prevent the non-reverser from making a backup of their game CD.

    About this protection system
    Tomb Raider III employs the following CD Protection systems:-

    Dummy Files
    Illegal TOC
    CD Checks

    You may have come across references to 'Dummy Files' but may still be unsure to what they mean and how they work, therefore allow me to explain what they are.

    Dummy Files are, in basic terms, simply a number of files (usually there are five of these on a CD) that, when you check their sizes in File Manager, show that they are around 600+ megabytes in size! In fact, you will usually see four of these files with this huge file size while the other is around 116 bytes and is unreadable.

    Currently, these Dummy Files are very easy to spot, they ALL have the file extension of .AFP, and will use different file names on different CD games but all end with the .AFP file extension.

    In general, these large dummy files are checked in the following manner.

    The program will often 'read' a number of bytes into these dummy files and look for a specific byte to make sure they are intact. Often the program will 'read' thousands or even millions of bytes into these files just to read a single number from them. Defeating this kind of check is -fairly- easy, all you would have to do is to delete these dummy files and replace them with a 1 byte text file using the original names of the dummy files. Then, you would locate where in the program it 'read's these dummy files and where it pushes the offset value for the number of bytes to -read- you would replace this value with '0', so that it reads the first byte in our dummy text files. You would also need to check what value it's going to look for and put this value into your 1 byte text file. This would have to be repeated within the program for each of the dummy files that it checks for.

    On the Tomb Raider III CD the following files are the dummy ones:-



    File Name      Comments
    Awcs.afp       File size reported as 680 megabytes
    Config.afp     File size reported as 116 bytes
    Neir.afp       File size reported as 681 megabytes
    Oket.afp       File size reported as 680 megabytes
    Vfaw.afp       File size reported as 681 megabytes


    Of course standard CDs cannot hold more than 650 megabytes of data, so these reported file sizes are there only to confuse any program you use to copy them. In reality, these over-large files have been deliberately corrupted and their data will be pointing to other parts of the CD. CD Writers, when they come across these types of files, will often refuse to copy them because they are not recognized as being part of the CD ISO standards that define how files are to be stored on CDs.
    In cases such as this, these files are known to use an Illegal Table Of Contents (T.O.C) which only a few CD Copiers can handle. The two most talked about CD Copiers around are Nero and CDR-WIN, which are able to ignore illegal TOCs. Under the CD ISO standards, all CDs are supposed to use a recognized format or structure that defines how files are to be stored on the CD. The Table Of Contents on CDs is very much like the FAT16 / FAT32 format used on our hard disks, which, if changed or damaged, will in most cases prevent our hard disk from being recognised by our software programs that are not programmed to accept any other type of directory system.

    Have you noticed yet that the protection system Dummy Files are also related to Illegal TOCs? This is often the case: one protection method is usually directly or indirectly related to other protection systems/methods. Solving them will often require you to go about backing up your software in some interesting ways, which may at first look rather complicated for the newbie reverser to master.

    For many newbies, the common question they all ask is "What is the thought process that goes into reversing a protection system?".

    Well, lets take this question a little higher, here's how I reversed this CD Protection right from scratch. From knowing absolutely nothing about it to solving it so that I can back it up.

    Yes, I'm aware that by writing this tutorial I'm in effect showing you how to pirate this and other games and if that's your intention then you're a lamer. Backing up our legal software for our personal use is considered paramount because of the expense of the original software.

    The Essay

    After purchasing Tomb Raider III I had no idea what kind of protection system it used that would prevent me from backing it up. First thing I did was to open up the File Manager and have a look at the files and folders stored on the CD.

    Because I have read a number of references on the web related to CD Protection systems I know that many of these can be recognised in a number of ways.

    First, I looked at the CD itself to see if I could see a picture on the inside ring that would identify that this CD was protected by SecuROM. No picture was found. SecuROM protected CDs have an electronic marking printed on the CD surface which assigns a unique ID-Code to each CD. There are currently 4 versions of SecuROM, known as: SecuROM R1, SecuROM R2, SecuROM R3, SecuROM R4.

    Next, I looked for a hidden directory on the CD called "LaserLock", which, if it existed, would tell me that it was protected by LaserLock. In this case no such directory existed. LaserLock uses a combination of encryption software and unique laser marking on the CD surface made during the special LaserLock mastering procedure, in order to make copying practically impossible. Every CD-ROM application has a unique locking parameter that provides complete protection against illegal re-mastering and reproduction. LaserLock offers excellent protection for every application as each application package is characterized by a unique encryption parameter that is specified during the LaserLocking procedure.

    Next, while still looking at the files and directories of the CD I looked for the following files: 00000001.TMP, CLCD16.DLL, CLCD32.DLL and, most important, CLOKSPL.EXE. If any or all of these files were found then I would know that this CD was protected by SafeDisc. None were found.

    Next, I checked the CD for any of the following files: CMS16.DLL, CMS_95.DLL or CMS_NT.DLL. None were found. However, had I found any of these files then I would know that this CD was protected by SecuROM. SecuROM is a patented CD-ROM copy protection technology that identifies a 'genuine' CD-ROM by a special authentication mechanism. During Sony DADC's mastering process an electronic fingerprint is applied onto the glass master which assigns a unique number to each CD-ROM title.

    SafeCast and CD-Cops were not checked for because little is known about them and/or they have no visible means to identify them or, as in the case of ProtectCD, they are not known to be used in any commercial program at this time.

    This now leaves Illegal TOCs and Dummy Files.

    Well what do you know, under the File Manager I see five files all ending with .AFP. Checking their reported file sizes I see four of them are well over 680 megabytes. Now if you check the properties for this CD while still in the File Manager you will see that the total size of this CD is 690 megabytes. Too big to back up on a standard CD. If, like me, you have a CD Writer that doesn't have the Overburn option or is not able to use 80 minute CDs then we may have a problem.

    Okay, now if you have Nero installed then if you select your CD Drive under File Manager and right click on it you will see the menu option Properties. Select this and then click on the Volumes menu tab. You won't see the Volumes tab unless you have Nero installed. Right, can you see that we have:-

    I. An ISO / Joliet track that is 534 megabytes in size.
    II. Two Audio tracks
    III. A second ISO / Joliet track that is ALSO 534 megabytes in size. It's this extra data track that fools many CD Copiers into giving up trying to copy this CD.

    If your CD Writer is unable to 'OverBurn' CD's then trying to do a straight copy of this CD will result in an error message from Nero stating that this CD is too big to fit onto a standard CD. CDRWIN may also state the same although I didn't test this.

    Now the fun begins...

    Audio tracks on game CD's are 9 times out of ten optional. By optional I mean they are not always checked for when the game runs and that the game can run happily without them. At this point in my quest to backup this game I cannot be sure of this and will only know this for certain once I've done a test backup.

    TIP. Everyone making backups should already know this. When making a test backup ALWAYS use a CD-RW first. That way, if you make a mistake somewhere and the game still does not work as you expect it to then you don't end up with a coaster, since your CD-RW disk can be re-written again, unlike a CD-R.

    Okay, I've decided to leave out the two audio tracks and am now left with two data tracks. Which one do I choose? The answer is the first data track, since it's this first track that gets read by all CD Drives. The second data track is there to fool your copier software.

    Right, we are now left with one data track, but how do we copy it? We could copy the whole CD but, as already mentioned, my CD Writer can't handle CDs with more than 650 megabytes. The answer is we use Nero's ability to copy Selected Tracks.

    This is how to do this under Nero..

    Start up Nero and go into the CD-Recorder menu option. Select 'Choose Recorder' and make sure that Nero is told to use the 'Image Recorder'. This is important as this tells Nero to save the resulting track image onto your hard disk.

    Next, go back into the menu option CD-Recorder and this time select the option Save Tracks. Nero should now bring up a new screen showing you all the tracks on our Tomb Raider III CD. You need to select the first track, leave all the others alone. Now fill in the data boxes telling Nero what filename to use and where to store this track image. Make sure the directory you choose already exists, else Nero won't accept this. Once you have done this, click on the Save button. Nero should now begin copying the first data track on our CD. Time for a cuppa I believe..

    Once copying has been completed, there should have been no errors at this copying stage. Go back into the menu option CD-Recorder and again select 'Choose Recorder' and this time select your CD-Writer, which ever it is.

    We should now have a 534 megabyte image file on our hard disk and now it's time to burn it on our CD-RW disk. Don't use a standard CD-R at this point, if we make a mistake at any point then we won't end up with an expensive coaster or two.

    From Nero's File menu select 'Burn Image' and locate where you have stored your first Game Track image. Now follow the prompts and burn this image file onto our CD-RW disk.

    Once completed, close down Nero and try and run Tomb Raider III. (You should have already installed the game before all this copying took place).

    Oops, the game as expected has thrown up a message box telling us it needs the original game CD. Let's fix this bug.


    Before we go any further it's time now to think like a reverser and analyse what we've done to our backup and what differences there might be that could trigger the game into not accepting our backup copy. Right, we know we have all the dummy .AFP files intact so no problem there. We've left out two audio tracks that -might- be checked for but I doubt this. We have also left out a second data track that is -not- used; it's there to help prevent the disk being copied, but it -could- still be checked. Those are the obvious things we notice; however, there are others, such as: our backup CD is now 534 megabytes in size compared to the original of 690 megabytes. Does the program perhaps check to see if there is 690 megabytes of data? Might it use a CRC checksum?

    If you check the game's directory you will see that Tomb Raider III installs about two megabytes of files onto your hard disk, they being the 1MB executable file and the rest made up of a few Windows support .DLL files.

    At this point some reversers may fire up Softice and begin tracking down where the program checks the CD and where it decides to reject or accept it, but for me, I like to see where I'm going and what I'm up against first!

    Fire up W32Dasm and select the file: C:\Program Files\Core Design\Tomb Raider III\tomb3.exe

    If you check the properties for your shortcut to Tomb Raider III then you will know that this is the file that gets executed; besides, it's the only executable file in this directory.

    Now what do we look for?

    Let's take a look at the String Data Resources for this file. Who knows, we might see something of interest to us.

    If we look for the message that the game gives us when it detected that our backup copy was not the original then we find that there are no references to this error message. Hardly surprising, that would have been too easy.. OK, what else can we see..

    Well, there are four references to our dummy .AFP files..

    "d:\VFAW.AFP"
    "d:\NEIR.AFP"
    "d:\OKET.AFP"
    "d:\AWCS.AFP"

    While we're in W32Dasm lets take a look at the four checks to our dummy files, and while we're there lets also make some notes for when we use Softice.

    Okay, using the four reference strings (shown above) we can quickly locate where in the program's code our four dummy files are handled. Now click on the String Reference to "d:\VFAW.AFP" and W32Dasm will take us to where in this program this string is referenced from. From here we must scroll up the window until we see where this routine begins.


    * Referenced by a CALL at Address: :004B2827
    ;Here's the beginning of four dummy file check routine, which is being called from memory

    ;address 004B2827. We should now note the following two memory addresses for when we use Softice.

    ;1. bpx 004B2827 --> Location of where the Call to the Dummy File checking routine

    ;2. bpx 0048D140 --> Start of the Dummy File checking routine.


    :0048D140 56 push esi
    :0048D141 57 push edi
    :0048D142 E8F952FFFF call 00482440
    :0048D147 85C0 test eax, eax
    :0048D149 7521 jne 0048D16C
    ........
    ........
    ........ ;I will skip the rest of this routine for now to bring to your attention
    ........ ;the last few lines of this routine. While we may not know much about Assembly
    ........ ;we can at least make some educated (ZEN) guesses just by looking..
    ........
    ........

    The Dummy File checking routine has two possible routes it can take when it has finished checking our four dummy files. We know this because there are two RET instructions that are referenced from within our file checking routine.

    Two choices suggest a 'good cracker' and 'bad cracker' decision to me. The 'common' thing with both of these possible exits is their setting of the AL register with a predetermined value.

    The instruction XOR al,al will set the AL register to '0'
    The instruction mov al,01 will set the AL register to '1'

    The AL register is commonly used as a 'flag' to signal to the rest of the program whether or not a task was completed. Think of it as a True or False.

    * Referenced by a (C)onditional Jump at Address: 0048D15D(C)

    :0048D2C9 32C0 xor al, al ---> Register AL set to '0'
    :0048D2CB 5F pop edi
    :0048D2CC 5E pop esi
    :0048D2CD C3 ret

    * Referenced by a (C)onditional Jump at Addresses:
    :0048D1CF(C), :0048D21B(C), :0048D267(C), :0048D2AF(C)

    :0048D2CE 5F pop edi
    :0048D2CF B001 mov al, 01 ---> Register AL set to '1'
    :0048D2D1 5E pop esi
    :0048D2D2 C3 ret

    Okay, now save off your W32Dasm project, this will save us from having to disassemble the executable file again.

    It's time to fire up Softice and do some work. This theory stuff is ok but we now need to verify our work and shed some more light on the way this program performs its CD checks.

    Press Ctrl + D to fire up Softice and lets try breaking in on that error message "Tomb Raider III CD?"

    Type: bpx messageboxa
    Type: X to exit softice.

    Now try and run Tomb Raider III.

    As you can see, we saw our CD being accessed but Softice failed to break on our error message.. Click the Cancel button to close this error message.

    As we learn more and more about CD protection systems we learn that there are a number of API calls the protectionist can use to access the CD Disk.

    Here's a few API functions we can use:-

    GetDriveType
    GetFileAttributesA **
    GetFileSize
    GetLogicalDrives
    GetLogicalDriveStrings
    GetLastError **
    ReadFile

    One of the most commonly used is the GetDriveTypeA api call. This function will return a value that corresponds to what drive types you currently have installed on your computer.

    Here are the return values from the GetDriveTypeA API call.




    Return Value   Comment
    0              Drive Cannot Be Determined
    1              Root Directory Does Not Exist
    2              Drive Is Removable (Zip drives etc)
    3              A Fixed Disk (HardDrive)
    4              Remote Drive (Network)
    5              CD-Rom Drive
    6              RamDisk


    Right, lets use GetDriveTypeA as our Softice breakpoint. Fire up Softice ( Ctrl & D )
    Type: bpx GetDriveTypeA
    Type: bd 0 to disable our original messageboxa breakpoint which we now don't need anymore.
    Type: x to exit softice

    Run Tomb Raider III again.

    Softice now breaks at system function: WritePrivateProfileStringA which was triggered by our
    Press F11 once. This will tell Softice to continue executing our GetDriveTypeA function and break again once execution returns back to where it was originally called from, which we're hoping is within Tomb Raider's code.

    We're now back in the Tomb Raider III program code.

    Okay, now remember those notes we made earlier in W32Dasm? No? Well ok, I will remind you again. We found in W32Dasm where the four dummy files are handled and we also found where this routine was called from:-

    ;1. bpx 004B2827 --> Location of where the Call to the Dummy File checking routine
    ;2. bpx 0048D140 --> Start of the Dummy File checking routine.

    So, while still in Softice type: bc * to clear all our previous breakpoints so that they won't interfere with our next set of breakpoints.

    Next, lets take a look where the Call to our dummy file routine is located.
    Type: u 004b2827
    Then type: bpx 004b2827 to set a new breakpoint on this memory location.

    Here's what our code section looks like:-

    :004B2827 E814A9FDFF call 0048D140 ; Call CD Protection (Dummy File checks)
    :004B282C 84C0 test al, al ; Does AL=0 (0=CD is not the original)
    :004B282E 0F846A020000 jz 004B2A9E ; Display Error Message "Tomb Raider III CD?"
    :004B2834 8B1594ED6C00 mov edx, dword ptr [006CED94]
    :004B283A A190ED6C00 mov eax, dword ptr [006CED90]
    :004B283F 52 push edx
    :004B2840 50 push eax
    :004B2841 6898ED6C00 push 006CED98
    :004B2846 E8C5C1FDFF call 0048EA10
    :004B284B 83C40C add esp, 0000000C
    :004B284E C705E8ED6C00B0ED6C00 mov dword ptr [006CEDE8], 006CEDB0
    :004B2858 C705E4ED6C0098ED6C00 mov dword ptr [006CEDE4], 006CED98
    :004B2862 E8E9A1FDFF call 0048CA50
    :004B2867 84C0 test al, al
    :004B2869 7411 je 004B287C


    Now type: x to exit softice.

    Okay, run Tomb Raider III again. Softice now breaks at: 004b2827

    If you were to press F10 twice you would see that the register EAX = FFFFFF00 and that the Zero flag has been 'set', and that if we were to press the F10 key once more Softice would jump to memory location 004b2a9e where our error message will be displayed. Since the test al,al instruction is testing the low byte of the EAX register we can type: al? to see the low value of the EAX register. Notice that the AL register has been given the value of 0?

    By all means test this out for yourself; it's the only way you will be able to slowly build up a picture of what is going on around you. When you're done, simply re-run the game and you will once again break at memory location 004b2827.

    Right press the T key once while softice is waiting on the call 0048D140 instruction. The T command simply tells Softice to (T)race into this function rather than skip over it. This will take Softice to the beginning of our four Dummy Files checking routine. We should now see this code section:-

    I recommend that you study this code and try to visualize its simplicity in its execution. If I were to convert this routine into plain -English- then it would go something like this:-

    Check in turn for the presence of each of our four dummy files. For each check, push onto the stack two numbers, a file offset number and another number that should exist at this file offset.

    Use this file offset value to read through the dummy file and read what number is found at this file offset. Is the -read- value the same as the number on the stack? If so then continue with checking the next dummy file. If not, then the CD is NOT an original, so zero the AL register using xor al,al. If however everything checks out ok then set the AL register to 1 using the instruction: mov al, 01


    * Referenced by a CALL at Address: :004B2827

    :0048D140 56 push esi
    :0048D141 57 push edi
    :0048D142 E8F952FFFF call 00482440
    :0048D147 85C0 test eax, eax
    :0048D149 7521 jne 0048D16C ;1st check ok? then jump
    :0048D14B A190ED6C00 mov eax, dword ptr [006CED90]
    :0048D150 50 push eax
    :0048D151 6A66 push 00000066
    :0048D153 E838120000 call 0048E390
    :0048D158 83C408 add esp, 00000008
    :0048D15B 84C0 test al, al
    :0048D15D 0F8466010000 je 0048D2C9 ;Bad Cracker jump, so set AL = 0
    :0048D163 E8D852FFFF call 00482440
    :0048D168 85C0 test eax, eax
    :0048D16A 74DF je 0048D14B
    :0048D16C A0203F6300 mov al, byte ptr [00633F20] ;-> AL = CD Drive Letter
    :0048D171 A2A8EF4C00 mov byte ptr [004CEFA8], al ; Save CD Drive Letter
    :0048D176 A2B8EF4C00 mov byte ptr [004CEFB8], al ; " " " "
    :0048D17B A2C8EF4C00 mov byte ptr [004CEFC8], al ; " " " "
    :0048D180 A2D8EF4C00 mov byte ptr [004CEFD8], al ; " " " "
    :0048D185 68D47A4C00 push 004C7AD4 ;->"rb"
    :0048D18A 68A8EF4C00 push 004CEFA8 ;->"d:\VFAW.AFP" ;Save Filename on the STACK
    :0048D18F E88C8D0200 call 004B5F20 ;Check if file d:\VFAW.AFP exist?
    :0048D194 8BF0 mov esi, eax
    :0048D196 83C408 add esp, 00000008
    :0048D199 85F6 test esi, esi
    :0048D19B 7504 jne 0048D1A1 ;File exist? then proceed onto the next check.
    :0048D19D 33FF xor edi, edi ;Else, set edi to 0
    :0048D19F EB2C jmp 0048D1CD
    :0048D1A1 6A00 push 00000000
    :0048D1A3 6800508429 push 29845000 ;Save the file offset value 29845000h
    :0048D1A8 56 push esi
    :0048D1A9 E8F2970200 call 004B69A0 ;Goto the dummy file's offset value
    :0048D1AE 83C40C add esp, 0000000C
    :0048D1B1 56 push esi
    :0048D1B2 E8B9970200 call 004B6970 ;Now read value found at this offset location
    :0048D1B7 83C404 add esp, 00000004
    :0048D1BA 33C9 xor ecx, ecx
    :0048D1BC 83F87B cmp eax, 0000007B ;Does value in file = 7Bh?
    :0048D1BF 0F94C1 sete cl
    :0048D1C2 56 push esi
    :0048D1C3 8BF9 mov edi, ecx
    :0048D1C5 E8C6960200 call 004B6890
    :0048D1CA 83C404 add esp, 00000004
    :0048D1CD 85FF test edi, edi
    :0048D1CF 0F85F9000000 jne 0048D2CE
    :0048D1D5 68D47A4C00 push 004C7AD4 ;->"rb"
    :0048D1DA 68B8EF4C00 push 004CEFB8 ;->"d:\NEIR.AFP" ;Save Filename on the STACK
    :0048D1DF E83C8D0200 call 004B5F20 ;Check if file d:\NEIR.AFP exist?
    :0048D1E4 8BF0 mov esi, eax
    :0048D1E6 83C408 add esp, 00000008
    :0048D1E9 85F6 test esi, esi
    :0048D1EB 742C je 0048D219 ;File exist? then proceed onto the next check.
    :0048D1ED 6A00 push 00000000
    :0048D1EF 6800588229 push 29825800 ;Save the file offset value 29825800h
    :0048D1F4 56 push esi
    :0048D1F5 E8A6970200 call 004B69A0 ;Goto the dummy file's offset value
    :0048D1FA 83C40C add esp, 0000000C
    :0048D1FD 56 push esi
    :0048D1FE E86D970200 call 004B6970 ;Now read value found at this offset location
    :0048D203 83C404 add esp, 00000004
    :0048D206 33D2 xor edx, edx
    :0048D208 83F833 cmp eax, 00000033 ;Does value in file = 33h?
    :0048D20B 0F94C2 sete dl
    :0048D20E 56 push esi
    :0048D20F 8BFA mov edi, edx
    :0048D211 E87A960200 call 004B6890
    :0048D216 83C404 add esp, 00000004
    :0048D219 85FF test edi, edi
    :0048D21B 0F85AD000000 jne 0048D2CE
    :0048D221 68D47A4C00 push 004C7AD4 ;->"rb"
    :0048D226 68C8EF4C00 push 004CEFC8 ;->"d:\OKET.AFP" ;Save Filename on the STACK
    :0048D22B E8F08C0200 call 004B5F20 ;Check if file d:\OKET.AFP exist?
    :0048D230 8BF0 mov esi, eax
    :0048D232 83C408 add esp, 00000008
    :0048D235 85F6 test esi, esi
    :0048D237 742C je 0048D265 ;File exist? then proceed onto the next check.
    :0048D239 6A00 push 00000000
    :0048D23B 6800288429 push 29842800 ;Save the file offset value 29842800h
    :0048D240 56 push esi
    :0048D241 E85A970200 call 004B69A0 ;Goto the dummy file's offset value
    :0048D246 83C40C add esp, 0000000C
    :0048D249 56 push esi
    :0048D24A E821970200 call 004B6970 ;Now read value found at this offset location
    :0048D24F 83C404 add esp, 00000004
    :0048D252 33C9 xor ecx, ecx
    :0048D254 83F875 cmp eax, 00000075 ;Does value in file = 75h?
    :0048D257 0F94C1 sete cl
    :0048D25A 56 push esi
    :0048D25B 8BF9 mov edi, ecx
    :0048D25D E82E960200 call 004B6890
    :0048D262 83C404 add esp, 00000004
    :0048D265 85FF test edi, edi
    :0048D267 7565 jne 0048D2CE
    :0048D269 68D47A4C00 push 004C7AD4 ;->"rb"
    :0048D26E 68D8EF4C00 push 004CEFD8 ;->"d:\AWCS.AFP" ;Save Filename on the STACK
    :0048D273 E8A88C0200 call 004B5F20 ;Check if file d:\AWCS.AFP exist?
    :0048D278 8BF0 mov esi, eax
    :0048D27A 83C408 add esp, 00000008
    :0048D27D 85F6 test esi, esi
    :0048D27F 742C je 0048D2AD ;File exist? then proceed onto the next check.
    :0048D281 6A00 push 00000000
    :0048D283 6800E08129 push 2981E000 ;Save the file offset value 2981E000h
    :0048D288 56 push esi
    :0048D289 E812970200 call 004B69A0 ;Goto the dummy file's offset value
    :0048D28E 83C40C add esp, 0000000C
    :0048D291 56 push esi
    :0048D292 E8D9960200 call 004B6970 ;Now read value found at this offset location
    :0048D297 83C404 add esp, 00000004
    :0048D29A 33D2 xor edx, edx
    :0048D29C 83F87B cmp eax, 0000007B ;Does value in file = 7Bh?
    :0048D29F 0F94C2 sete dl
    :0048D2A2 56 push esi
    :0048D2A3 8BFA mov edi, edx
    :0048D2A5 E8E6950200 call 004B6890
    :0048D2AA 83C404 add esp, 00000004
    :0048D2AD 85FF test edi, edi
    :0048D2AF 751D jne 0048D2CE ;If all checks complete, then jump to
    ;Good Cracker Exit Point.
    :0048D2B1 A190ED6C00 mov eax, dword ptr [006CED90]
    :0048D2B6 50 push eax
    :0048D2B7 6A66 push 00000066
    :0048D2B9 E8D2100000 call 0048E390
    :0048D2BE 83C408 add esp, 00000008
    :0048D2C1 84C0 test al, al
    :0048D2C3 0F85BCFEFFFF jne 0048D185 ;CD Verified so jump and set AL = 1

    * Referenced by a (C)onditional Jump at Address: :0048D15D(C) ( Bad Cracker Exit )

    :0048D2C9 32C0 xor al, al
    :0048D2CB 5F pop edi
    :0048D2CC 5E pop esi
    :0048D2CD C3 ret

    * Referenced by a Jump at Addresses: :0048D1CF(C), :0048D21B(C), :0048D267(C), :0048D2AF(C)

    :0048D2CE 5F pop edi
    :0048D2CF B001 mov al, 01
    :0048D2D1 5E pop esi
    :0048D2D2 C3 ret


    If you study the above code fragment you will no doubt notice that we -could- nop or change just two conditional jumps at memory location(s):-

    1. :0048D15D 0F8466010000 je 0048D2C9 ;Bad Cracker jump, so set AL = 0
    2. :0048D2C3 0F85BCFEFFFF jne 0048D185 ;CD Verified so jump and set AL = 1

    However, these are pretty obvious locations to change if you are thinking of distributing this game in a pirate form, in which case you would not include the four dummy files, which in any case are not required for the game to run and therefore would be considered as excess baggage. Remember, our backup of this game DOES contain these dummy files, so therefore any checks made by the program on our four dummy files WILL prove true and will be accepted by the checking routine. However, in creating a backup of the original game there are other changes to it that we couldn't help but make, which, in turn, the protection routine does detect. Okay, enough rambling...

    If you follow through the above routine using Softice you will see that we are sent to the 'Bad Cracker' exit point here:-


    :0048D2AF 751D jne 0048D2CE ; If all checks complete, then jump to
    ;Good Cracker Exit Point.

    Therefore, all we need to do is to change the conditional jump into an unconditional jump, one that will ALWAYS jump to the Good Cracker Exit point and which will set our AL register to 1.

    Our line therefore should read:-


    :0048D2AF EB1D jmp 0048D2CE ; Always jump to Good Cracker Exit Point.


    Notice that all we have done is to change one byte which has changed a conditional jump into an unconditional jump.

  10. #10
    Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    Some general info about cd-protections

    Basically this "tutorial" will teach you the basics of CD checks and how to disable/patch them.
    Because I'm only a newbie, there can (and possibly will) be errors. But if some experienced
    cracker is willing to revise this text, feel free to do so.
    I hope this piece of text won't be too hard to understand due to my bad English, grammatical
    errors and any mistakes I've made.

    But that's enough of blah blah... let's start.

    Some programs that have generally proved useful are:

    Windows 32 Disassembler v8.93 (or shortly as I prefer W32Dasm)
    Soft-Ice v3.2x or newer (very useful... although its use won't be explained here)
    Hiew 6.04 or newer (or any other hex editor)

    Lesson 1. Identifying the protection

    Usually when you've installed a game and started it without a CD, it'll display an error message
    like "Please insert TheNameOfTheGame cd." This kind of protection is usually quite easy to
    patch (I'll show that later) and thus bypass the check. Then there are in-game messages,
    which are a little bit harder (WarZone 2100 has one, for example, or Commandos: Behind Enemy Lines).
    Let's assume you have this game called Dog Trapper (DT). You've installed it and tried to
    start it without the CD. And an error message "Please insert Dog Trapper cd" is thrown right
    in front of your eyes. Now you're wondering "How on earth am I gonna bypass that check?"
    Firstly, before you start cracking, make two backups of the main executable that's used to start
    the game (in this case I'd call it Dog Trapper.exe). I name those backups like this:
    DI.bak and DI.w32. DI.w32 is the file I load in W32Dasm and DI.bak is used to recover
    the original Dog Trapper.exe in case I happen to screw it up while cracking.

    Lesson 2. Approaching the protection

    After the backups have been created, we can start the actual cracking. Because the error message
    box is created by Windows API calls (let's assume MessageBoxA... A stands for 32-bit
    application. There wouldn't be an A in a 16-bit application) and not by some in-game procedure,
    we can use W32Dasm to (usually) easily find that spot. So let's load DI.w32 in W32Dasm.
    A few minutes pass and now it's ready after disassembling. Now there are two ways to
    find the error message. You can use Search to find it manually (type the text) or you can
    try looking for it in String Data References (Strn Ref). OK... so we found it. What now?
    Now we can try to locate the "creator" of that message. Usually it's generated by some
    kind of comparison that compares one value to another. And if the values don't match,
    an error message will appear. But... if the values match, the check is passed and the game will go on.

    Lesson 3a. Cracking the protection... the easier one

    Let's assume we have a protection like this:

    :00001000 cmp eax, 00000001 <-- Is the cd in drive...1=no, 0=yes
    :00001001 jne 00001005 ...no, then jump

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00001001(C)


    Possible StringData Ref from Data Obj ->"Please insert Dog Trapper cd"


    This is a very easy example. You could either change eax to 0 or reverse the jump to je.
    Either way the check would pass. Here's another protection example:

    :00001000 call 12345678 <-- check against the cd
    :00001001 test eax, eax <-- is the cd there?
    :00001002 jne 00001010 <-- no, then jump
    -------------
    -------------
    :00001029 call 00001035 <-- must get here for passed check

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00001002(C)


    Possible StringData Ref from Data Obj ->"Please insert Dog Trapper cd"


    * Referenced by a CALL at Address:
    | : 00001029

    :00001035 mov eax, 00000001 <-- flag for passed check... let's assume it'd be here

    This kind of check is very common and can be found in many games. Usually the easiest way
    to pass these checks is simply to change the call 12345678 to mov eax, 00000001
    (to make the game think the CD is in the drive). In some cases reversing the following jump
    can bypass the check.

    Many EA Sports games use this kind of protection.

    Lesson 3b. Cracking the protection...the bit harder... but still quite easy

    OK... so we went through the "normal" (I call 'em normal... you can call 'em whatever you want)
    checks. Now let's try one of the in-game checks. Let's assume that Dog Trapper 2 has just arrived
    and you're ready to start it (and you threw the CD into the well). You can't play it because you
    don't have the CD and you can't crack the in-game protection the way we did above. Let's go straight to the protection. You try to start the game and it goes fine until you press the "New game" button and a nice picture saying "Would you mind placing the cd in da drive?" ruins your day. You load DI2.w32 in W32Dasm and search for the message, but nothing is found. "Screw those in-game checks," you swear. So what does the check?
    A "cure" is found. You happen to have one of those API reference cards which says "GetDriveTypeA
    (you can try to set a breakpoint on it in Soft-Ice) is one way for a game to access the CD drive".
    That gives you a new idea... "What if I try to search for that GetDriveType thing"...
    (or you can use Imported Functions (Imp Fn) to find it). But anyway you manage to find it and see
    a thing like this:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00102002(C) <-- jump from somewhere to this cd check process

    :00101010 mov esi

    * Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
    |
    :00101011 Call dword ptr [00654321]
    :00101012 cmp eax, 00000005 <-- 5 stands for cd drive... 3 for fixed disk
    :00101013 jne 00123456 <-- no cd... jump

    In very rare cases (if there are any) the above check can be bypassed by changing 5 to 3,
    which stands for fixed disk, a.k.a. hard drive. But usually when you scroll up a bit you can
    see the kind of thing that I put there. It should help you to crack through the check...
    or sometimes you have to scroll down a bit to find the correct call or jump.
    It greatly depends on the game.


    :00102001 test eax, eax
    :00102002 jne 00101010

    Possible StringData Ref from Data Obj ->"No Cd %:\ " <-- or something corresponding...

    It isn't always as easy as this, but this time we'd pass the check by changing the
    above jne to je... simple.

    EnD.
