Midnights Hackers Private Club 5

Where members or hackers groups come to exchange ideas, and show
off skills.

**** A Cracking Guide For Advanced Amateurs Part II ****

An Article By:

The Psychopath

TABLE OF CONTENTS
-------------------

I.   Introduction and Overview
II.  Types of Cracks
     A) Doc Check with a small Loader
     B) Doc Check with a complex Loader
III. Closing Remarks

--------------------------------------------------------------------------------
Introduction:

This is my third edition on cracking tutorials. This one will provide
more information on the art of cracking as usual, and will provide a comparison
of 2 similar doc checks that vary in difficulty. Take the learning process slow,
and just let it come to you. Remember, don't try tackling too much at once.
Experience is the best teacher. Just a friendly little reminder here...
ALWAYS, ALWAYS make backup copies of the programs before you tamper with them
with your debuggers and sector editors, because if you screw up and write to
your only copy, you're plain outta luck holmes.

Cracking programs used in this issue:
DOS Debug

Acquire this if you don't already have it. This is the basic cracking
tool, and is my favorite. There are some advanced debuggers out there with
menus and fancy features, but when they fail, debug will come through for ya.
But of course, having the other debuggers can be handy at times, so I suggest
finding them if you don't already have them. Some good ones to get are:
Turbo Debugger (2.0 or greater)
Soft Ice (2.5 or greater)
Code View

I will no longer tell you how to access a debug command, so here's the
last time that I will refresh your memory as to what they are. If you don't
know what they mean by now, then you should go back and re-read my previous
articles.

Command                            Function
------------------------------------------
*A [address]                       Assemble
 C range address                   Compare
 D [range]                         Dump
 E address [list]                  Edit
 F range list                      Fill
*G [=address [address..]]          Go
 H value value                     Hex
 I value                           Input
 L [address [drive:record record]] Load
 M range address                   Move
 N filename [filename]             Name
 O value byte                      Output
*P [=address][value]               Proceed
*Q                                 Quit
*R [register-name]                 Register
*S range list                      Search
*T [=address][value]               Trace
*U [range]                         Unassemble
*W [address [drive:record record]] Write

[* indicates the only ones you need worry about for now; they are the main
commands that you use. Basically, you enter the letter command and then
return (<cr>). Addresses only need to be specified when necessary: for
example, you could just enter G<cr> and it would execute, whereas specifying
an address sets a breakpoint (runs the program up to that address). For P and
T, just enter the letter and <cr>. It's quicker.]

Further explanation of the commands is provided in your DOS users manual.
Read it for yourself.

--------------------------------------------------------------------------------
Cracking Documentation Checks With Game Loaders:

Okay, the most common form of copy protection is the documentation check.
Doc checks are usually at the beginning of the software, with a few exceptions
(some being in the middle or at the end). They range in variety from simple
text questions, to having graphic and mouse interfacing. They, of course,
range in difficulty from being extremely easy to being near impossible.

In this issue, we're going to take a look at a programmer's attempt to
cause frustration for us crackists. Sometimes you'll come upon a game that will
have you run one program, which will in turn run the main program. And of
course, you have to run the first (loader) program or the game won't work right.
Well, this poses a problem with debugging, for you can only load in one program
at a time, and most likely you won't be able to trace through one program to
get to the other, so how do we get to the copy protection and remove it? Well
let's go through two sample cracks and find out for ourselves eh.

Hopefully you remember what types of copy protection ASSEMBLY commands
to look for, and how to counteract them, cause I won't refresh your memory for
you....you'll have to re-read the past articles if you forgot.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Software Name: Gateway to the Savage Frontier
Software Company: S.S.I. & Beyond Software

Here is a walk through for cracking a simple attempt at a loader along with
a simple doc check. This should be easy to follow, so let's get going eh.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Find an uncracked copy of Gateway to the Savage Frontier. Now then, you'll
notice that there is a batch file entitled START.BAT. This is what we run to
load in the game. Well, let's see what it's doing. Type the batch file out.
You should see this:

@echo off
start1
if errorlevel 1 goto end
go
:end

Now, if we run this batch file, it will execute START1.EXE which will
allow you to specify your graphics, sound, mouse, etc. etc., and when that's
done, it returns to the batch file, where you'll notice GO.BAT is then executed.
Let's look at GO.BAT and see what it's doing. You'll see something similar
to this (depending on the graphics and sound and such that you selected):

ibmsnd
game UseStart
ibmsnd U

Notice that the UseStart is a parameter specification on the game. If we
try running GAME.EXE it will tell us to run start. Well, this is so simple
it's not even funny. Notice what start does. It sets up your system
specifications, then loads in the game. That UseStart parameter is the key
to the whole thing. Instead of typing just "debug game.exe" specify the
parameter as well (this will happen quite often with games that use parameters.
They must be specified in the debugger if you want them loaded in). Type "debug
game.exe UseStart" (and the capital/lower case letters ARE significant in the
parameter settings). Now, we're ready to begin. Start proceeding.

At CS:0037 CB RETF, you'll do a far return to a new code segment address,
at CS:0038, here you'll proceed on. You'll hit a bunch of comparison jumps
that will keep looping you around till you eventually get to CS:00DE, where you
can start proceeding forward again. ('Course if you're smart you'll just take
my advice and jump from CS:0038 to CS:00DE and proceed from there). Next
you'll come to:

CS:00FE 2E      CS:
CS:00FF FF2F    JMP FAR [BX]

Proceed through this and you will be at a new code segment address at
CS:0019, where you will find a long series of CALL statements. Start proceeding
through them. You'll hit some that will load in the graphics and the title
screen and such (if you press control-C when the Beyond Software screen appears,
it will skip the intro screens). You should eventually come to:

CS:01CE CALL 1303:002A

This address calls in the option that will ask you if you want to PLAY the
game or view a DEMO. We of course, want to play, so select play and press
enter. Now, proceed on. It will eventually bring you up to this address:

CS:0208 JNZ 0216
CS:020A CMP BYTE PTR [5D8E],00
CS:020F JNZ 0216

Now, we've already selected that we want to play the game, so what do you
think this comparison means? Could it be that it's determining whether or not to
load in the doc check? Well I do believe so. If you don't believe me, proceed
on. You'll hit a CALL statement at CS:0211 that will load in the copy
protection. So how do we remove this? Well, what I suggest doing is changing
the jump at CS:0208 to read CS:0208 JMP 0216.

This will tell the program to jump directly to CS:0216, thus skipping over
the copy protection completely. Now, wasn't that simple. Just save the
changes and you're done.
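To see where listing lines like "CS:0208 JNZ 0216" come from, here is a small decoder for the handful of 16-bit instruction forms that show up in this article (short jumps, near and far CALL, far JMP, RETF, the CS: override prefix, the FF /4 and /5 indirect jumps, and the two CMP forms). It prints in the style of DEBUG's U command. This is an added example written for this article, not code from the original; the byte strings are rebuilt from the listings above, and the CALL target 1214 at CS:0211 is an assumption because the text never gives it. Note how the CS: prefix gets its own offset, which is why the article later warns you to "go" to the CS: line and not to the JMP after it.

```python
"""Decoder for the 16-bit x86 instruction forms used in this article's DEBUG
listings.  Constructed example; bytes are rebuilt from the listings, and the
CALL target at CS:0211 is an assumption (the text does not give it)."""

from typing import List, Tuple

RM16 = ["BX+SI", "BX+DI", "BP+SI", "BP+DI", "SI", "DI", "BP", "BX"]
SHORT_JUMPS = {0x74: "JZ", 0x75: "JNZ", 0xEB: "JMP"}   # opcode -> rel8 jump


def modrm_operand(code: bytes, i: int) -> Tuple[str, int, int]:
    """Decode a 16-bit ModRM memory operand at code[i].
    Returns (operand text, reg field, bytes consumed)."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 0 and rm == 6:                          # direct [disp16]
        return f"[{int.from_bytes(code[i + 1:i + 3], 'little'):04X}]", reg, 3
    if mod == 0:
        return f"[{RM16[rm]}]", reg, 1
    if mod == 1:                                      # [base+disp8], signed
        disp = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
        return f"[{RM16[rm]}{disp:+03X}]", reg, 2
    if mod == 2:                                      # [base+disp16]
        return f"[{RM16[rm]}+{int.from_bytes(code[i + 1:i + 3], 'little'):04X}]", reg, 3
    raise ValueError("register operands are not used in this article")


def decode(code: bytes, base: int) -> List[Tuple[int, str, str]]:
    """Return (offset, hex bytes, text) per instruction, like DEBUG's U.
    A CS: prefix is listed on its own line at its own offset."""
    out, i = [], 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op == 0x2E:                                # segment override
            text, n = "CS:", 1
        elif op in SHORT_JUMPS:                       # Jcc/JMP rel8
            rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            text, n = f"{SHORT_JUMPS[op]} {(addr + 2 + rel) & 0xFFFF:04X}", 2
        elif op == 0xE8:                              # CALL rel16
            rel = int.from_bytes(code[i + 1:i + 3], "little", signed=True)
            text, n = f"CALL {(addr + 3 + rel) & 0xFFFF:04X}", 3
        elif op in (0x9A, 0xEA):                      # CALL/JMP far seg:off
            off = int.from_bytes(code[i + 1:i + 3], "little")
            seg = int.from_bytes(code[i + 3:i + 5], "little")
            text, n = f"{'CALL' if op == 0x9A else 'JMP'} {seg:04X}:{off:04X}", 5
        elif op == 0xCB:
            text, n = "RETF", 1
        elif op == 0xFF:                              # /4 JMP near, /5 JMP far
            operand, reg, used = modrm_operand(code, i + 1)
            if reg not in (4, 5):
                raise ValueError(f"FF /{reg} at {addr:04X} not handled")
            text, n = f"JMP {'FAR ' if reg == 5 else ''}{operand}", 1 + used
        elif op in (0x80, 0x83):                      # CMP r/m, imm8 (/7)
            operand, reg, used = modrm_operand(code, i + 1)
            if reg != 7:
                raise ValueError(f"{op:02X} /{reg} at {addr:04X} not handled")
            imm = code[i + 1 + used]
            if op == 0x80:
                text = f"CMP BYTE PTR {operand},{imm:02X}"
            else:                                     # imm8 is sign-extended
                simm = imm - 256 if imm > 127 else imm
                text = f"CMP WORD PTR {operand},{simm:+03X}"
            n = 2 + used
        else:
            raise ValueError(f"opcode {op:02X} at {addr:04X} not handled")
        out.append((addr, code[i:i + n].hex().upper(), text))
        i += n
    return out


def listing(code: bytes, base: int) -> List[str]:
    """Format decode() output as DEBUG-style lines."""
    return [f"CS:{a:04X} {h:<10} {t}" for a, h, t in decode(code, base)]


# Constructed byte strings rebuilt from the article's listings.
GATEWAY_0208 = bytes.fromhex("750C" "803E8E5D00" "7505" "E80010")
GATEWAY_00FE = bytes.fromhex("2E" "FF2F")
TIMEQUEST_18D6 = bytes.fromhex("837E0609" "741A")
TIMEQUEST_05F5 = bytes.fromhex("2E" "FFA7140B")

if __name__ == "__main__":
    for base, code in ((0x0208, GATEWAY_0208), (0x00FE, GATEWAY_00FE),
                       (0x18D6, TIMEQUEST_18D6), (0x05F5, TIMEQUEST_05F5)):
        print("\n".join(listing(code, base)), "\n")
```

The jump targets are computed from the address of the next instruction plus the signed displacement, so a two-byte JNZ at 0208 with a displacement of 0C lands at 0216, exactly as the listing shows.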

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Software Name: Time Quest
Software Company: Legend

Here is a walkthru for cracking a more complex loader that calls in a
moderately difficult doc check.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Obtain an uncracked copy of Time Quest, and prepare your debuggers. Okay,
here's the situation. The main part of the game is in the file TIMEMAIN.EXE,
but we have to run TQ.EXE in order to play the game. If you try running
TIMEMAIN.EXE, it will (as I mentioned) tell you to run TQ.EXE to load the game.
So what do we do? Unlike the previous sample crack, there are no parameters
that are displayed that we could load into the debugger. The TQ.EXE file loads
in part of the title screen, and determines your graphics and sound modes, so
we're in a bad situation.

If you try debugging TQ.EXE to get to TIMEMAIN.EXE, the following will
happen. You'll eventually reach the part where a CALL statement loads in
TIMEMAIN.EXE. The program will take control or lock up. So naturally, you
try tracing through, till you get to another CALL statement that does the same
thing. You'll keep doing this until you get to the INT-21 that loads in the
TIMEMAIN.EXE, and it will lock up there....if you trace through, it will take
you to a part of the program that you don't ever want to tamper with. You'll
be where it makes all the jump comparisons for all the INT-21's. Proceeding
through this area will most likely bring up a message like "System Halted. Can
Not load Command.com" so now we're stuck....or are we?

Now think for a minute and get creative. TQ.EXE somehow loads in
TIMEMAIN.EXE. So what if we can trick TIMEMAIN.EXE into thinking that TQ.EXE
has already been run. All we'll do in the process is leave out the Legend
Software title screen. And, hopefully, we'll fall back to the default settings,
which will bring in CGA graphics. This will make it easier to see what's going
on, because with the CGA graphics, it's in black and white, and very simple
structure, which is what we want when stepping through a debugger. So, let's
get started. Load TIMEMAIN.EXE into your debugger and start proceeding.

You should come to CS:0548 JMP 29B1:09A2 where you will proceed through,
jumping to a new code segment address. Keep proceeding on. You'll come to
CS:0A20 where you'll then be kicked into a new code segment address. Proceeding
on will just bring you back to CS:0A21, so instead of going through all that,
jump to CS:0A21 before you reach CS:0A20, and then keep proceeding.

After you reach the following:

CS:0A41 CALL 232E:1AFB

Trace through here, and keep going (proceeding through this call statement
will terminate the program and bring up that message telling you to run TQ.EXE
first). Keep proceeding till you come to the following:

CS:1B12 CALL 18CA

Trace through here, and keep going (proceeding through will have the same
result as the above mentioned). Now, you'll soon see the following:

CS:18D6 CMP WORD PTR [BP+06],+09
CS:18DA JZ 18F6

If we just proceed through these, the program will soon terminate as
above mentioned, but if we jump to 18f6, the game will start to load, so let's
fix this by changing CS:18DA to be the following:

CS:18DA JMP 18F6

Note that this change is not to be permanent. It is merely a temporary
change to allow us to load in the game so we can make the permanent change to
the copy protection. Now then, proceed on. You'll hit a CALL statement that
will switch to the graphics mode, then you'll eventually reach:

CS:1AFA RETF

Proceed through this, and you'll return back to CS:1BC5. Proceed on. You
will hit a few calls along the way that will load in the screens, and eventually
you'll reach:

CS:1C68 CALL 1F6F:188B

This will call in the option that lets you type in a command, so type in
the following commands in this order (and note, that after you press enter,
you'll be back in the debugger. Instead of proceeding on, which will
eventually bring you back to CS:1C68, just go to 1C68 again and proceed through.
It will wait for you to input another command. Keep doing this until you've
input all the commands).

wait
wait
w
open drawer
take card
enter interkron
put card in slot
timeset rome 44

Now, after entering the last command, (DO NOT JUMP back to 1C68 again)
proceed on. You will eventually come to:

CS:2496 CALL 0D40

Trace through this call statement (proceeding through will bring up the
doc check). Now, proceed on until you eventually come to:

CS:106E CALL 1B46:05C5

Trace through here (for the same reason as mentioned above), and then
proceed on and you'll eventually reach:

CS:05F5 CS:
CS:05F6 JMP [BX+0B14]

Proceed through this (If you ever try jumping (with the go command) to a
two part jump statement like this, make sure you go to the address with the
"CS:" and not the JMP, otherwise you will screw up the program and it will
jump you to the wrong place). Trace through:

CS:09FC CALL 1CA7:1520

Now, proceed on till you come to:

CS:160C CALL 45EA:1F8E

Trace through this, and then trace through the call statement that you
immediately come upon, which is:

CS:1F8E CALL 4537:0307

If you proceed through this, it will try to access your floppy drive,
because it won't be able to find the overlay file, so trace through it. Now,
proceed on till you get to CS:0379, where you will be taken back to CS:1F95, now
keep proceeding on, and you will go through a series of jump compare statements,
if you keep going on, you will eventually hit:

CS:029F CALL 1E35:000C

This is where the doc check will pop up. These jump comparisons are the
key to the doc check. If you notice, at:

CS:029D JNZ 02B5

Here is where it makes an obviously important comparison. Why is it
important, you ask? Well, look at what happens. If the value it's
comparing is zero, it proceeds on to CS:029F, where the doc check comes in,
so what happens if the value is not zero? Well, let's find out. Change
CS:029D to read CS:029D JMP 02B5 and then proceed on. You will soon hit a CALL
statement that will give a message displayed only after you pass the doc check,
thus we know we made it to the right area. So just make that change at CS:029D
permanent. And just to give you a little hint, the change you need to make will
have to go in the overlay file. So, now we're done. Wasn't so tough after all
now was it.

** Notice. This cracking scenario for Time Quest was done without any saved
games. Having saved games will affect the debugging process. You will
have a few other detours along the way before you get to CS:1C68, so either
try it on your own, if you have saved games, or move your saved games to
a different directory and try it without them first. It'll be easier. **
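Both walkthroughs end in a single-byte change because each protection hinges on one conditional branch: whatever the doc check decides is reduced to a flag that one JNZ/JZ consults. The added Python below (written for this article, not code from the original or from either game) models the CS:029D gate with constructed bytes, shows which address runs next for both flag values before and after the branch becomes unconditional, and then shows the kind of code-integrity check a loader can run to notice that a code region no longer matches the value fixed at build time. Addresses, bytes and function names are assumptions chosen to mirror the listing above.

```python
"""Model of a single-branch protection gate and a digest check that detects a
change to it.  Constructed example for this article; bytes, addresses and
function names are assumptions modelled on the CS:029D listing."""

import hashlib

# Constructed code region modelled on the second sample crack:
#   029B  3C 00           CMP AL,00        ; outcome of the doc-check decision
#   029D  75 16           JNZ 02B5         ; the gate
#   029F  9A 0C 00 35 1E  CALL 1E35:000C   ; the doc check itself
REGION_BASE = 0x029B
REGION = bytes.fromhex("3C00" "7516" "9A0C00351E")
GATE_ADDR = 0x029D
DOC_CHECK_ADDR = 0x029F

JCC_SHORT = {0x74: "JZ", 0x75: "JNZ"}   # conditional short jumps, rel8
JMP_SHORT = 0xEB                         # unconditional short jump, rel8


def gate_successor(region: bytes, zf: int) -> int:
    """Address executed after the gate, given the zero flag (1 means AL was 0)."""
    i = GATE_ADDR - REGION_BASE
    op = region[i]
    rel = int.from_bytes(region[i + 1:i + 2], "little", signed=True)
    taken = (GATE_ADDR + 2 + rel) & 0xFFFF
    fallthrough = (GATE_ADDR + 2) & 0xFFFF
    if op == JMP_SHORT:                  # flag no longer matters
        return taken
    if JCC_SHORT[op] == "JNZ":
        return taken if zf == 0 else fallthrough
    return taken if zf == 1 else fallthrough          # JZ


def with_unconditional_gate(region: bytes) -> bytes:
    """The region as it looks after the edit described in the walkthrough."""
    patched = bytearray(region)
    patched[GATE_ADDR - REGION_BASE] = JMP_SHORT
    return bytes(patched)


def region_digest(region: bytes) -> str:
    """Digest a loader would compute over the region at start-up."""
    return hashlib.sha256(region).hexdigest()


# Value a build step would bake in; here computed from the pristine region.
EXPECTED_DIGEST = region_digest(REGION)


def integrity_ok(region: bytes) -> bool:
    """True only if the region still matches the build-time digest."""
    return region_digest(region) == EXPECTED_DIGEST


def report(region: bytes) -> dict:
    """Summarise gate behaviour and integrity status for a region."""
    return {
        "doc_check_runs_when_zf1": gate_successor(region, 1) == DOC_CHECK_ADDR,
        "doc_check_runs_when_zf0": gate_successor(region, 0) == DOC_CHECK_ADDR,
        "integrity_ok": integrity_ok(region),
    }


if __name__ == "__main__":
    for label, r in (("original", REGION),
                     ("gate made unconditional", with_unconditional_gate(REGION))):
        print(label, report(r))
```

The digest comparison only helps if the expected value is kept somewhere the checked code cannot simply be edited alongside it, and if more than one place in the program depends on the result; a single check feeding a single branch is the same weak pattern the walkthroughs exploit.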

--------------------------------------------------------------------------------

Hopefully this will aid you on your quest to become a crackist. And remember,
don't get in over your head by attempting to crack something difficult, 'cause
it won't help ya at all, G. Laterz...

- The Psychopath
