How to crack Tomb Raider 3dFX edition

DrWatson · Published in Hacking Tutorials · 25 Aug 2018

Intro:
DOS CD protections are still alive and kicking. I discovered that at a friend's house when he asked me to crack the 3dFX patch for Tomb Raider. Without my "cracking environment" (Winice, IDA) I had to crack it with my "bare hands" ;) As it turned out, the crack also works for other TR patches and 3dFX patches.

Tools needed:

  • KGB - a cool DOS 'file monitor'. Can be found at +fravia's awesome site.
  • FakeCD - I bet u know what this is ;)
  • A simple ASM compiler. A86.COM (31 kb) will do.
  • Oh and the patch. Can be found at http://www.3dfxmania.com


The Crack:
Running TOMB3DFX.EXE prints "Please insert the Tomb Raider CD" - those sentences u just love to hate.. - and exits. We also notice that it's a protected mode program - DOS4GW. (Good thing we didn't download Winice, we all know how nervous it gets around other protected mode programs ;)
Fair enough.
Let's spy on it with KGB. This is what we get:

OpenFile-R : C:\data\title.phd
OpenFile-R : D:\data\title.phd
OpenFile-R : E:\data\title.phd
OpenFile-R : F:\data\title.phd
OpenFile-R : G:\data\title.phd
OpenFile-R : H:\data\title.phd
OpenFile-R : I:\data\title.phd
(It goes on till drive Z)

Hmm, it searches for title.phd .. OK, NP, I have it in my TOMB directory, but it's not in the ROOT directory (it searches Drive:\Data..), so let's use FakeCD. Copy FakeCD.EXE to the TR directory, and run: Fakecd.exe /l:J This way FakeCD will emulate a CD drive in drive J. Any drive (except the real HD) is OK.

Re-run TR ... Still not OK. Let's see why: run KGB, and this is what we get:

OpenFile-R : C:\data\title.phd
OpenFile-R : D:\data\title.phd
OpenFile-R : E:\data\title.phd
OpenFile-R : F:\data\title.phd
OpenFile-R : G:\data\title.phd
OpenFile-R : H:\data\title.phd
OpenFile-R : I:\data\title.phd
OpenFile-R : J:\data\title.phd
OpenFile-W : J:\YNJZOMMI
CreateFile : J:\YNJZOMMI < y like the TR mystique edition .(See essay by +Alt-F4 at +Fravia's).

This edition can be cracked like the mystique edition; however, I had something else in mind - a TSR. The idea is to make a small program that will nest in memory, hooking the Open_For_Write_Only function; when it "sees" that a program is trying to use this function on the faked drive, it will change the FileName parameter (the random filename) to NULL. This way the return value of this function is CAN'T OPEN THE REQUESTED FILE (because it's empty), and the program will think it's the CD.

I tried it, and it worked! Not only on the 3dFX edition, but also the Mystique edition, and probably other 3dFX patches from the 3dfxmania site.
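
The two KGB traces above can be read as data. The following added example (not part of the original essay; the function names and the constructed sample traces are assumptions) parses monitor lines of the shape shown and reconstructs what the check relies on: the drive scan for data\title.phd and the write probe that follows it.

```python
import re
import string

# Line shape printed by the file monitor in the traces above: "<Operation> : <path>"
LINE = re.compile(r"^(OpenFile-R|OpenFile-W|CreateFile)\s*:\s*([A-Za-z]):\\(.*)$")

def parse_trace(text):
    """Return (operation, drive, relative_path) tuples; skip lines that do not match."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((m.group(1), m.group(2).upper(), m.group(3)))
    return events

def summarize(events, marker=r"data\title.phd"):
    """Reconstruct what the check did: which drives it scanned for the marker
    file, where the scan stopped, and which write probes followed."""
    scanned = [d for op, d, p in events if op == "OpenFile-R" and p.lower() == marker]
    writes = [(op, d, p) for op, d, p in events if op != "OpenFile-R"]
    candidate = scanned[-1] if scanned else None
    # A write probe on the same drive the scan stopped at means the marker
    # file was found there and the check went on to test for read-only media.
    probed = bool(writes) and all(d == candidate for _, d, _ in writes)
    names = sorted({p for _, _, p in writes})
    return {
        "scanned": scanned,
        "candidate_drive": candidate if probed else None,
        "write_probe_names": names,
        "random_looking": [n for n in names if re.fullmatch(r"[A-Z]{8}", n) is not None],
    }

# Constructed sample input, following the two traces shown above.
# Trace 1: marker file not found on any drive, scan runs C..Z.
TRACE_NO_MEDIA = "\n".join(
    rf"OpenFile-R : {d}:\data\title.phd" for d in string.ascii_uppercase[2:]
)
# Trace 2: scan stops at J, then the write probe appears.
TRACE_EMULATED = "\n".join(
    [rf"OpenFile-R : {d}:\data\title.phd" for d in "CDEFGHIJ"]
    + [r"OpenFile-W : J:\YNJZOMMI", r"CreateFile : J:\YNJZOMMI"]
)

if __name__ == "__main__":
    for name, trace in (("no media", TRACE_NO_MEDIA), ("emulated drive", TRACE_EMULATED)):
        print(name, summarize(parse_trace(trace)))
```
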

The basic TSR is below; for a more compatible version - one that takes the drive letter on the command line - please search for PC_T3DFX.ZIP. I didn't put in an un-install option because I figured whoever has a 3dFX card can spare 100 bytes of his memory ;)

BTW, if it doesn't work (on other patches), u can always hook the CreateFile function (Int 21h / AH=3Ch), and use the same trick (FileName -> Null).
* It might work for Windows too (to understand Windows TSRs read Stone's doc on trainers).
If and when I find a Windows game with CD protection I'll try this on it, and if successful, I'll update this essay. Should anyone else want to do it, be my guest :) (May I suggest hooking GetDriveTypeA, and returning 5 (cd-rom) on the faked drive? ;)

That's it, I hope u've enjoyed and learned from this. If u find other patches / games / programs that this TSR will crack, please drop me a note. (My e-mail is down below.)

Greetings: PC members, +FraVia and all +Hackers, friends. :-)

------ Cut here ------
;This is a TSR for tomb-raider, when the prg. checks for the CD
;it tries to open for write only a random file and to further
;check, it tries to create that random file & delete it -if successful
;it tells u that there is no cd.
;so what this TSR does is intercept the open for write only instruction-
;(INT 21h,function 3Dh,sub-function 01h)
;and also CoMPares the ds:dx if equal "J:\" if so it gives to ds:dx
;(the random file name ) 0 at the beginning and so the return of the open
;instruction is CAN'T OPEN THE REQUESTED FILE (because it's empty)
;thus the prg thinks there is a cd in drive J and runs properly...

  
start: lea dx,msg ;print msg
mov ah,9
int 21h

mov ax,3521h ;Get address of Int 21h into ES:BX
int 21h

mov real_ip,bx ;Save the real values for later use
mov real_cs,es
mov ax,2521h ;Hook the vector 21h to point to ds:dx
lea dx,int_21
int 21h
lea dx,end_pro+1
int 27h ;Go TSR from cs:0 till end_pro+1 byte
;--------------------------------------------
int_21: cmp ax,3d01h ;Check if it's Open_For_Write_Only function request
jne return2normal
;Here u can add the check for CreateFile (or DeleteFile) if necessary

push si ;save si
mov si,dx ;mov dx to si in order to use ds:[si](=ds:[dx])
cmp byte ptr [si] , 'J' ;"J" -- the faked drive letter
jnz c2

inc si
cmp byte ptr [si] , ':' ;":"
jnz c2
inc si
cmp byte ptr [si] , '\' ;"\"
jnz c2
inc si
mov byte ptr [si],0 ;put 0 at the beginning of the file's name
c2: pop si ;restore old value

return2normal:
db 0eah ; == Jmp to the real INT 21h
real_ip dw 0
real_cs dw 0

msg db "TSR FOR TOMB-RAIDER ,CRACKED BY Q / PC$"

end_pro:

end start
