Copy Link
Add to Bookmark
Report
Midnights Hackers Private Club 1
Midnights Hackers Private Club
Where members or hackers gourps come to exchange ideas, and show
off skills.
**** A Cracking Guide For Beginners ****
An Article By:
The Psychopath
TABLE OF CONTENTS
-------------------
I. Introduction and Overview
II. Cracking Doc Checks
A) General Info
B) A Cracking Tutorial
III. Cracking Disk Checks
IV. Cracking with Overlays
V. Closing Remarks
--------------------------------------------------------------------------------
Introduction:
This article is to provide help and give a basic understanding of cracking
for those that just plain don't understand it. A lot of you have heard about
ways of cracking and have gone of on your own into the unknown to try to crack
your first program. And undoubtedly you failed, unless you had guidance and
help from someone more experienced then yourself. Well, I know how rough it
is to learn how to crack, 'cause I've been there myself. It takes a lot of
time, work, and patience to become proficient at the art. So those wishing to
make a leap up in society to the status of a cracker, please read on.
Some of the most useful tools to a crackist are:
DOS Debug
Quaid Analyzer
Turbo Debugger
Locksmith
Step-13/Trap-13/PC-Watch
Soft Ice
Acquire any and all that you can. You'll want and need them. I'm only
going to discuss DOS Debug (Turbo Debugger is quite similar) and Step-13/Trap-13
The others you'll have to experiment with on your own.
Here's a basic list of Debug commands:
Command Function
------------------------------------------
*A [address] Assemble
C range address Compare
D [range] Dump
E address [list] Edit
F range list Fill
*G [=address [address..]] Go
H value value Hex
I value Input
L [address [drive:record record] Load
M range address Move
N filename [filename] Name
O value byte Output
*P [=address][value] Proceed
*Q Quit
*R [register-name] Register
*S range list Search
*T [=address][value] Trace
*U [range] Unassemble
*W [address [drive:record record] Write
[* Indicates the only ones you need worry about for now. They are the main
commands that you use). Basically, you will enter the letter command and then
return (<cr>). Addresses only need to be specified based on necessity. (for
example, you could just enter G<cr> and it would execute. Specifying an address
would set a break point. (run the program up to that address). For P and T,
just enter the letter name and <cr>. It's quicker.]
Further explanation of the commands is provided in your DOS users manual.
Read it for yourself.
*** Note that not all forms of copy protection, nor their ways of removal are
discussed in this news letter ****
--------------------------------------------------------------------------------
Cracking Doc Checks:
Okay, one of the most common forms of copy protection is the doc check.
This is where you are asked to input information from the documentation that
is included with the software purchased. I will discuss a few methods of
removing this protection scheme, and then will provide you with a sample
crack.
Doc checks are usually at the beginning of the software, with a few
exceptions (some being in the middle or at the end). They range in variety
from simple text questions, to having graphic and mouse interfacing. They, of
course, range in difficulty from Insulting (easy) to Mind Boggling (hard).
It's best to start with the easy ones, because you don't want to get in
over your head, and remember that experience is the best teacher.
Doc checks are executed by CALL statements, and sometimes a series of
CALL statements. When proceeding through a program in DEBUG, you will hit
a CALL statement that will execute the program. Remember what the address was
for it, 'cause you'll have to exit out of the game and go back to where it
took control from you. If the CALL statement runs the doc check then takes
you back to DEBUG, then you're allright, and can start changing it
there. If not, then you will have to trace (T<cr> option) through the CALL
statement down to the next layer of program. Now you will proceed again, until
you get to a call statement that executes the copy protection then returns
you to DEBUG.
There are three basic ways to remove the Doc check:
1) Remove the CALL statement.
a) By the NOP command.
b) By jumping from the first byte to the last.
2) By changing the comparisons.
a) By changing the CMPs to compare registers to themselves.
b) By changing the jump statements that follow.
3) By Jumping around the Doc check to get to the part of the program
that loads in the rest of the game.
The first option deals with the above mentioned CALL statements. When you
get to the one you want, you will assemlbe at that address (A Address<cr>) and
enter either NOP (being sure to NOP all the bytes of the call statement--NOP
represents NO Option) or jumping from the address of the first byte to the
address of the second byte. Either will do. Removing the CALL statement will
not always work. Sometimes it will do a wide variety of things to the program.
If this happends, then try one of the other options listed.
The second option involved leaving the doc check entact, but making it so
that any text entered will be accepted by the computer, thus allowing you to
continue with your utility/game. You will usually find a CMP statement (i.e.
CMP AX,[BP-20]) after it calls for the text to be entered. What it's doing
is comparing the value you entered to the value it wants. You can fix this
by either changing the compare statement to compare the register to itself
(i.e. CMP AX,AX), or by changing the jump statements that follow. You might
get a jump statement like JNZ 0345 which will only jump to CS:0345 if the
value is not zero. So just change it to read JMP 0345, which will always
jump to CS:0345.
The third option involves jumping past the doc check (or CALL statement
more appropriately put). Often times you'll execute the copy protection, and
then it will take you to a new part of the program, where it will make it's
comparison, and then decide wether it will run the rest of the program (if you
answered the question correctly) or kick you out to DOS (or re ask the question
depending on the software). If you know what one of the answers is (and you
should if you have the originals), then enter the correct answer and follow
the program through until it executes the rest of the game. (Make note of where
it executes the rest of the game). Then, you exit out of the game, get back
into DEBUG, and then go back before the doc check is called. Now, jump from
the doc check over to where it executes the rest of the game. This will remove
the doc check completely.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Software Name: Fiendish Freddy's Big Top of Fun
Software Company: Mindscape
Here is a walk through for cracking a simple text doc check in the above
mentioned game. I will present you with two ways of cracking it.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Method #1:
The most preferred way amoung pirates for having a copy protection removed
is for the crackist to take it out completely. There two most common ways of
doing that are:
1) Remove the call statement that executes the protection.
2) Jump around the protection.
I'm going to teach you method 1 (removing the call statement). Find a
copy of Fiendish Freddy, and type the following:
DEBUG FREDDY.EXE
After typing this, you will be in the program itself, and you will see
the "-" to the left of the screen. To see where you are in the program,
press R<cr>, and you will see something like this:
AX=000 BX=0003 CX=4A40 DX=0000 SP=34BC BP=0000 SI=0000 DI=0000
DS=11EB ES=11EB SS=44B2 CS=11FB IP=3E93 NV UP EI PL NZ NA PO NC
-11FB:3E93 9A00005341 CALL 415E:0000
---------------------------Special Note----------------------------
The value of CS is "11FB". That is the hexadecimal segment address
for the beginning of the program code in your computer's memory. It
is highly possible that the value you see for CS is different from
mine.
-------------------------------------------------------------------
Now then, press P<cr> to proceed through the program until you come to
the call statement located at CS:3EF8. Type U 3EF2<cr> to unassemble around
the call statement. You will see the following:
.
.
11FB:3EF2 55 PUSH BP
11FB:3EF3 89E5 MOV BP,SP
11FB:3EF5 83EC02 SUB SP,+02
11FB:3EF8 9A9C01291A CALL 1A29:019C
11FB:3EFD A2CA02 MOV [02CA],AC
.
.
Okay, write down the HEX values before, including, and after the call
statement. Now in order to change it, you will type A 3EF8<cr> and you'll
see this:
CS:3EF8
Where the cursor is located, you will type NOP (No Option) 5 times, in
order to wipe out the 5 bytes of the call statement, and then press <cr>.
NOP is like erasing data. (i.e. 11FB:3EF8 NOP NOP NOP NOP NOP<cr>). Now press
G<cr> to execute the game. The actual program should load up without executing
the doc check at all. If not, then you screwed up and need to re-check your
alterations to the program.
-----------------------Saving the Changes-----------------------
Remember now, that DEBUG can only write to .COM and files
other then .EXE (with the W<cr> command). One way to save the
changes (the more unreliable way) is to rename the .EXE file to
Something like .HEY or whatever, and then going in and searching
for the data to be changed (with the S command). Now edit the
data as normal, and save with the W<cr> command. Exit out
(Q<cr>) and rename the .HEY file back to .EXE
*** This will not always work ***
Another way to save changes is with a sector editor (The two most
widely used are Norton Utilities and PCTools). Search for the
HEX values (the values I told you to write down) of the data in
front of, including, and after the statement. When you find
The statement, edit it. (In the above case, you'd change the
HEX values of the CALL statement to read 90 90 90 90 90 --90 is
the HEX value for NOP).
------------------------------------------------------------------
Method #2:
Another way to remove copy protection is to leave the doc check entact,
but change it so that it accepts the values that you enter 100% of the time,
regardless of what it is. The ways you can do this are:
1) Change the CMP (compare) of what you entered to what it's supposed
to be, so that it compares what you entered to what you entered
(i.e. CMP AX,[BX-23] would be changed to CMP AX,AX).
2) Change the Jump statements (JNZ, JZ, JB, JA, JG, JL, etc.)
We will use Option #2 this time, and again using Fiendish Freddy. Type
the following to get started:
DEBUG FREDDY.EXE
Now then, proceed back up to where we saw the CALL statement that executes
the protection. (CS:3EF8) And this time, trace through it (T<cr>). Now then,
your CS will change to something else, because you've moved down one level in
the program. Start proceeding through. You'll come upon several CALL
statements that load in the text for the doc check. Ignore them, they cause
no harm. (Just for your info, they exist at CS:022A, CS:0246, CS:025C, CS:0271,
CS:028D, CS:02A3, CS:02B8, CS:02D4). Now then, at CS:02F2 CALL 415E:0C73
appears. What this does call for the user to enter some text from the keyboard.
Proceed through the CALL statement, and the screen will wait for a key to be
pressed. Enter something like "kskdksdk<cr>" and then it will take you back
to the program.
Proceed on until you come to the following:
CS:030E 3B86DFFE CMP AX,[BP+FEDF]
CS:0312 7F25 JG 0339
CS:0314 8946FD MOV [BP-03],AX
Now, what is happening is the program is making a comparison of what was
entered. If that value is greater then what it wants, then it jumps to CS:0339
and if it isn't then it just continues on. Now we want to fool it into
thinking that the text is correct. So change CS:0312 to read JMP 0339. This
way, the program will jump to 0339 every time, no matter what is entered. Now,
we're not through yet. You'll soon come to this:
CS:0349 9A....... CALL 415E:0419
CS:034E 7404 JZ 0354
CS:0350 B000 MOV AL,00
CS:0352 EB02 JMP 0356
Now we have another comparison here. The CALL statement is calling a
compare routine, and when it's finished, if the value is equal to 0, it will
jump to CS:0354, and if not, it will simply continue on. We need to fool the
computer once again, and change CS:034E to read JMP 0354, so that it will
always jump to 0354. This is the last change that needs to be made. Go ahead
and type G<cr> to test it out. When you're done, be sure to make the changes
permanent, as described above.
--------------------------------------------------------------------------------
Disk Checks:
(INT-13)
Some copy protection schemes use the disk interrupt (INT-13). INT-13 is
often used to either try to read in an ilegally formatted track/sector, or to
write/format a track/sector that has been damaged.
INT-13 is called like any normal interrupt with the assembler command
INT 13 (CD 13). The AH register is used to select which command is to be used,
with most of the other registers used for data.
Now, the copy protected file might use INT-13 to load some other data from
a normal track/sector on a disk, so it is important to determine which tracks/
sectors are important to the cp scheme. There are two common ways to do this
1) Use Quaid Analyzer to keep track of INT-13 activity
2) Use Locksmith to track down unusual traks/sectors.
With Locksmith you can analyze the diskette. Write down any tracks/sectors
that seem abnormal. These are most likely part of the protection routine. Now
we must enter debug and load in the file to execute a search for CD 13. Record
any addresses shown. (i.e. S CS:100 FFFF CD 13).
If no addresses are picked up, then either the interrupt is encoded, or
it's in a part of the program not yet loaded. Here's what a sector of hidden
code might look like:
CS:0000 31DB XOR BX,BX
CS:0002 8EDB MOV DS,BX
CS:0004 BB0D00 MOV BX,000D
CS:0007 8A07 MOV AL,[BX]
CS:0009 3412 XOR AL,12
CS:000B 8807 MOV [BX],AL
CS:000D DF13 ...........
In this section, AL is set to DF at location CS:0007. When you XOR DF
and 12, you would get a CD (hex) for the INT code, which is placed right next
to a 13, thus giving uou CD13 or INT-13.
---------------------------Finding Hidden INT-13s-------------------------------
A good way to find hidden INT-13s is with Quaid Analyzer, or Step-13 (or
Trap-13, or PC-Watch....all work equally as well). Step-13 traps the interrupts
and will print where they were called from. Once running this, you can jut
disassemble around the address until you find a code that looks like it is
setting up the disk interrupt.
Another way to decode the INT-13 is to use the G (go) command in DOS DEBUG.
Just set a breakpoint at the address given by Step-13. i,e, G CS:000f (see
above code). When debug stops, you will have encoded not only the INT-13 but
anything else leading up to it.
--------------------------------------------------------------------------------
Once you find the INT-13, all that is left to do is to get the computer to
think that the protection has been found. To find out what the computer is
looking for, examine the code right after the INT-13. Look for anything having
to do with the CARRYFLAG or any CMP to the AH register. If a JNE or JC (etc.)
happens, then unassemble (u address<cr>) the address listed with the jump. If it
is a CMP then just read on.
Here you must decide of the program was looking for a protected track or
just a normal track. If it has a CMP AH,0 and it has read in a protected
track, it can be assumed that it was looking to see if the program had
successfully completed the read/format of that track and that the disk had
been copied thus jumping back to DOS (usually -with INT 19). If this is
the case, just NOP the bytes for the CMP and its corresponding JMP.
If the program just checked for the carry flag to be set, and it isn't,
then the program usually assumes that the disk has been copied. For example:
CS:0002 INT 13 (Reads the sector)
CS:0004 JC 0345 (Jump comparison)
CS:0006 INT 19 (reboot)
CS:0345 Rest of program..
The program carries out the INT and finds an error (the ilegally formatted
sector) so the carry flag is set. The computer, at the next instruction, sees
that the carry flag is set and knows that the protection has not been breached.
But, when you make a copy, it will see the breached protection, and execute the
INT 19. To avoid this, change the JC 0345 to read JMP 0345.
* Note that the protection routine might be found in more then just one
part of the program *
Here is a chart describing INT-13 using the AH register to select
the function to be used.
AH=0 Reset Disk
AH=1 Read the status of the disk system into AL
AL ERROR
-----------------
00 - Successful
01 - Bad Command given to INT
*02 - Address mark not found
03 - Write attempted on a write protected disk
*04 - Request sector not found
08 - DMA overrun
09 - Attempt to cross DMA boundary
*10 - Bad CRC on disk read
20 - Controller has failed
40 - Seek operation failed
80 - Attatchement failed
* Represents the most commonly used in the Copy protection
input:
DL = Drive Number (0-3)
DH = Head Number (0 or 1)
CH = Track Number
CL = Sector Number
AL = # of sectors to read
ES:BX = Load address
output:
AH = error number (shown above)
[Carry flag set]
AL = Number of sectors read
AH=3 Writes (Params. as above)
AH=4 Verify (Params. as above ES:BX)
AH=5 Format (Params. as above CL,AL
ES:BX points to format table)
--------------------------------------------------------------------------------
Cracking Overlays:
Sometimes the copy protection is executed in an overlay file. The best
way to find out which file it is in, is to use Quaid Analyzer to track the
INT 21 calls and see which program is loaded in. Next, if it was an INT-13
type protection, then you'll do as usual and just look for it in the overlay
file.
If it was a doc check, then you'll proceed through the .EXE file as usual
(with DEBUG or whatever), and go up to the doc check. Now the changes you make
might have to be made in the overlay file. What I mean, is if you search the
.EXE file and don't find the HEX values, then search the overlay file. You'll
have a high probability of finding them there. Then, just change the bytes in
the overlay file as usual and execute the game. It should run, this time with
the crack entact.
--------------------------------------------------------------------------------
Hopefully this will aid you on your quest to become a crackist. And remember,
don't get in over your head by attempting to crack something difficult, 'cause
it will benefit you 0%. Laterz...
- The Psychopath
