Copy Link
Add to Bookmark
Report
Midnights Hackers Private Club 2
Midnights Hackers Private Club
Where members or hackers groups come to exchange ideas, and show
off skills.
**** A Cracking Guide For Advanced Amateurs ****
An Article By:
The Psychopath
TABLE OF CONTENTS
-------------------
I. Introduction and Overview
II. Types of Cracks
A) Documentation Protection
B) Config/Setup Protections
III. Closing Remarks
--------------------------------------------------------------------------------
Introduction:
This is my second edition on cracking tutorials. This one will provide
more information on the art of cracking as well as some more advanced cracking
walkthrus. Take the learning process slow, and just let it come to you. Don't
try tackling too much at once. Again I emphasize the importance of practice and
experience as being the best teacher. And I think I'll mention this now...
ALWAYS, ALWAYS make backup copies of the programs before you tamper with them
with your debuggers and sector editors, because if you screw up and write to
your only copy, you're plain outta luck.
Cracking programs used in this issue:
DOS Debug
Turbo Debugger
Quaid Analyzer
Acquire these if you don't already have them. These are not the only
cracking utilities, but they are the ones that I will be using in my lecture
today.
Here's a basic list of Debug commands in case you've forgotten:
Command Function
------------------------------------------
*A [address] Assemble
C range address Compare
D [range] Dump
E address [list] Edit
F range list Fill
*G [=address [address..]] Go
H value value Hex
I value Input
L [address [drive:record record] Load
M range address Move
N filename [filename] Name
O value byte Output
*P [=address][value] Proceed
*Q Quit
*R [register-name] Register
*S range list Search
*T [=address][value] Trace
*U [range] Unassemble
*W [address [drive:record record] Write
[* Indicates the only ones you need worry about for now. They are the main
commands that you use). Basically, you will enter the letter command and then
return (<cr>). Addresses only need to be specified based on necessity. (for
example, you could just enter G<cr> and it would execute. Specifying an address
would set a break point. (run the program up to that address). For P and T,
just enter the letter name and <cr>. It's quicker.]
Further explanation of the commands is provided in your DOS users manual.
Read it for yourself.
*** Note that not all forms of copy protection, nor their ways of removal are
discussed in this news letter ****
--------------------------------------------------------------------------------
Cracking Documentation Checks Part II:
Okay, the most common form of copy protection is the documentation check.
Doc checks are usually at the beginning of the software, with a few exceptions
(some being in the middle or at the end). They range in variety from simple
text questions, to having graphic and mouse interfacing. They, of course,
range in difficulty from being extremely easy to being near impossible.
In the past issue, I gave an extremely simple copy protection to remove
(Fiendish Freddy, if you remember). Here, after a refresher course on what to
do to remove the doc checks, we'll take a look at a complicated doc check.
There are three basic ways to remove the Doc check:
1) Remove the CALL statement.
a) By the NOP command.
b) By jumping from the first byte to the last.
2) By changing the comparisons.
a) By changing the CMPs to compare registers to themselves.
b) By changing the jump statements that follow.
3) By Jumping around the Doc check to get to the part of the program
that loads in the rest of the game.
In the first option, as you know, we can remove the CALL statement by
writing the assembly command NOP (No Option) in place of the CALL statement
itself. Or we can simply jump from the first byte in the CALL statement to
the last byte in the call statement (This has the same effect).
The second option involved leaving the doc check entact, but making it so
that what you enter (wether it be right or wrong) will be accepted by the
computer, thus allowing you to continue with your game. You will usually find
a CMP statement (i.e. CMP AX,[BP+2307]) after it calls for the text to be
entered. What it's doing is comparing the value you entered (stored in the
registers) to the value it wants. You can fix this by either changing the
compare statement so that the register is compared to itself, (i.e. CMP AX,AX),
or by changing the jump statements that follow. You'll get a jump statement
similar to JNZ 1355, which will only jump to CS:1355 if the value from the
compare is not zero. So just change it to read JMP 1355, which tells the
program to always jump to CS:1355.
The third option involves jumping past the doc check. Often times you'll
execute the copy protection, and then it will take you to a new part of the
program when it's finished, where it will make it's comparison, and then decide
wether it will execute the remainder of the program (if you answered the
question right) or boot you out to DOS (giving a wrong answer). If you know
what one of the answers is (and you should if you have the originals with the
docs included), then enter the correct answer and follow the program through
until it executes the rest of the game. (Make note of where it executes the
remainder of the game). Then, you exit out of the game, get back into your
debugger, and go back before the doc check is called. Now, jump from the doc
check over to where it executes the remaining portion of the game. This will
remove the doc check completely if done properly.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Software Name: Martian Dreams
Software Company: Origin
Here is a walk through for cracking a moderately complicated doc check in
the above mentioned game. I will present you with one way of cracking it.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Method : Jumping around the Doc Check (Method #3 as mentioned above).
Find an uncracked copy of Martian Dreams. If you notice, there are 2
executable files. MARTIAN.EXE is the introduction file, and GAME.EXE is the
actual game. (This can be found out by using Quaid Analyzer to watch the INT-21
output while tracing through MARTIAN.EXE) Now, make sure that you have a
character created. You're going to need to get the prybar from the cowboy and
move your character right above the hatch and then save the game and exit to
DOS. Now we're ready to begin.
Load GAME.EXE into your debugger (I'll be using good ol' DOS debug).
Proceed through the program, making note of any loops you get into. (To get
out of a loop such as something that makes a jump comparison and then sends you
to a previous part of the program, just look at what address is after the jump
and then go to that address (with the G <address> <cr> command) i.e.
CS:003C JNZ 0034 is in the early part of the game. We notice that CS:003E lies
just after this call statement, so jump to it--G 3E<cr>).
Now, keep going until you come to the following:
CS:00FC CALL 14C8:0941
(The 14C8 segment may be different on your machine, depending on you memory).
Trace through this call statement (proceeding through it will execute the
game, so don't). Now, start proceeding again. You'll come to the following
address:
CS:0C5E CALL 2015:0013
This will switch graphics modes, so we know we're on the right track. Keep
proceeding. Next you'll start hitting addresses that will call parts of the
picture to the screen. At the following:
CS:0CEA CALL 0509
CS:0F69 CALL 3433:04B1
Each of these calls in a different picture...we're getting close, so keep
going. When you come to the following address:
CS:0FD7 CALL 2409:133A
Trace through it. (Proceeding through will execute the game). Now, keep going.
Again, you'll hit CALL statements that load in graphics pictures, at the
following addresses:
CS:1B51 CALL 0A47
CS:1B64 CALL 0084
CS:1B83 CALL 18B4
CS:1B95 CALL 0221
Keep proceeding until you come to:
CS:1BA5 CALL 3433:28CC
Trace through this (proceeding through will execute the "command entering" part
of the game. It will execute a full command at once, so we need to trace
trough it to break up the command into parts). Tracing trough, and proceeding
on, we come to the following:
CS:2902 CALL 20AD
This allows one key movement/command to be entered at a time. Proceed through
this call statement and type a "U" to get the character to use an item. Now
you're back at the program. If you proceed on, you'll hit the RETF and
eventually come to the following:
CS:1BC5 LOOP 1BBB
This will loop back and take control of the program until your command has
been fully executed, then you'll be back at the debugger again. We don't want
this, because we need to proceed through and see what happends step by step,
before it calls the doc check, so do the following. at the CS:2902 address,
you proceeded though the first time right? and you entered a "U", well jump back
to CS:2902 (i.e. G 2902<cr>) and proceed through again. Keep doing this until
you have entered all the following commands:
U = to get your character to use an item.
TAB, Left arrow key = moves over to your inventory, then select
prybar.
Down arrow key = Points at hatch.
Now, after you do the last input, proceed on through the program. When you
come to the following:
CS:0831 CALL FAR [BP-0E]
Trace through this call statement (proceeding through it will execute the game).
After tracing through, you'll see this:
CS:0066 INT 3F
This is another form of a CALL statment. Trace through it (proceeding through
will execute the game). Now, keep going until you come to the following:
* CS:0A81 JNZ 0A9D
CS:0A83 PUSH AX
CS:0A84 CALL 2D04:4759
CS:0A89 PSUH AX
CS:0A8A MOV AX,3DAF
CS:0A8D PUSH AX
CS:0A8E MOV AX,183C
CS:0A91 PUSH AX
CS:0A92 CALL 3433:33F8
CS:0A97 ADD SP,+06
CS:0A9A JMP 0B51
CS:0A9D MOV AL,[6ED6]
CS:0AA0 MOV AH,00
CS:0AA2 TEST AH,0010
* CS:0AA5 JZ 0AC2
CS:0AA7 MOV AL,[6ED6]
Here's the deal. Those two marked jump statements are the key to the whole
thing. The comparisons made are trying to determine if you have answered the
question already and correctly. What you want to do is get the program to
go to the addresses listed in the statements all the time. So change them
to say:
CS:0A81 JMP 0A9D
CS:0AA5 JMP 0AC2
This will jump past the copy protection completely. Now, to explain how I knew
to do this. What I did is proceed through to the doc check itself, and then
entered a correct answer, followed the program through until it got back to
where you could enter commands again (CS:2902), and then I did those commands
again (if you recall, you have to open the door twice). This time, I followed
through, making note of all the jump statements, seeing where it went, until
it opened the door for me. Next, I went back in with the debugger and got back
up to the doc check and entered a wrong answer, then followed it through, until
it got back to CS:2902, and then I entered the commands again, and followed it
through, making note of the jump statements. After I got past a certain point
(past the address where it opened the door on a correct answer) I compared
the jump statements between the two scenerios, and found the differences, so
I changed the jumps to always think that you've already entered a correct
answer (As shown above). You'll need to know some right answers to do this,
so what I reccommend is either getting a copy of the docs, or get your
encyclopedias handy (some of the questions asked are actual historical facts).
I'll now describe how to get to the doc check, if you want to try this out
for yourself.
Okay, you've traced throught CS:0831 and CS:0066, right? And now you're
proceeding on. You'll eventually come to the following:
CS:0ABA CALL 417E:0034
Trace through this, to get to this:
CS:0034 INT 3F
Trace through this as well. (Remember what I said above about it being a type
of call statement). Now, proceed on. You'll next come to the following:
CS:0396 CALL 0000
Trace through this and then proceed on. You'll next come upon this:
CS:0156 CALL 4183:0034
Tracing through will once again bring you to this:
CS:0034 INT 3F
Trace through again, and then proceed on. You'll next hit a bunch of CALL
statements that will load in graphics pictures and text. Just keep proceeding
on. (Just so you know where you are, some of these CALL statements will be at
these addresses):
CS:1A0F CALL 2015:1E2B
CS:1A67 CALL 1675:024B
Now, you'll come up to the following:
CS:1E9E CALL 1756
This is the doc check. Proceed through, so that it is loaded in. It will ask
the question and then boot you back to the program, so proceed on. You'll next
come to:
CS:1B6B CALL 3433:33F8
This will wait for you to press enter, then put you back in the program. So
press <cr> and proceed on. Next you'll come to this:
CS:1B80 CALL 3433:2AF1
This will wait for you to enter your response to the question. So enter a right
answer, and then press <cr>, and now proceed on. Keep going on until you get
back to where I described up above, and do as I mentioned. This will show
you why I changed those jump statements. So, when you're through with this,
be sure to save the changes, and if you've forgotten how to save, here's a
little memory refresher:
-----------------------Saving the Changes-----------------------
Remember now, that debuggers can only write to .COM and files
other then .EXE (with the W<cr> command). One way to save the
changes (the more unreliable way) is to rename the .EXE file to
Something like .HEY or whatever, and then going in and searching
for the data to be changed (with the S command). Now edit the
data as normal, and save with the W<cr> command. Exit out
(Q<cr>) and rename the .HEY file back to .EXE
*** This will not always work ***
Another way to save changes is with a sector editor (The two most
widely used are Norton Utilities and PCTools). Search for the
HEX values (the values I told you to write down) of the data in
front of, including, and after the statement. When you find
The statement, edit it. (i.e. Changing the HEX values of a CALL
statement to read 90 90 90 90 90 (90 is the HEX value for NOP)).
Also, make sure that you write down the new hex values after
changing the assembly code in the program with the debugger.
Then you'll replace the original HEX values with what you want
them to be.
------------------------------------------------------------------
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Software Name: Castles
Software Company: Interplay
Here is a walkthru for cracking a config/setup type copy protection. This will
be fairly simple to crack, so get relaxed.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Method: Changing Jump Statements
Obtain an uncracked copy of Castles, and prepare your debuggers. First
off, you'll notice that you need to run the setup program to get the game
configured for your system so it can be properly run. When you enter the
options to fit your system, you'll then be asked a question from the manual, and
it will then write a number into the batch file it saves. If you answer wrong,
it will write a "wrong" number in the batch file, and if you answer right, it
will write a "right" number in the batch file. To remove any possible
complications and hassles, we're going to remove the question and remove where
the game checks to see what the number is. So, two cracks will be needed. One
in SETUP.EXE, and the other in CASTLES1.EXE. Load SETUP.EXE into your debugger
and start proceeding.
Now, you'll come up to the following:
CS:00EF CALL 14DD:0B69
Trace through this and start proceeding.
*** Note that I will not be mentioning when the graphics mode is switched or
when it calls in graphics pictures. You should know what they are by now ***
You'll come up into a loop that goes back and redraws the menu screen. IF you
keep proceeding through the loop, it will be a slow process trying to configure
your system, so just jump past that jump statement to CS:0BC5. This will allow
you to enter your setup options. After doing this, select continue, and press
enter. Now, proceed on. You'll notice the following soon:
CS:0BCD CALL 033A
This is the doc check. Proceed on and see what happends. At CS:0BD8 CALL 04E3
it will write that number to the batch file. So, let's get rid of the question.
We want it to just jump past the doc check, and save the configuration to the
batch file, so do this. Notice before the doc call at CS:0BCA there is a
JZ 0BDF. This can be changed to: JMP 0BD7, thus jumping past the doc
CALL, and onto the part where it writes the number. Next, proceed on, and
you'll come to this:
CS:0BE8 JZ 0BF0
This is comparing what you entered and if it's wrong, it will exit out and
tell you to try again, and if it's write, it'll jump to CS:0BF0. So let's
just tell it to jump to 0BF0 all the time. (i.e. CS:0BE8 JMP 0BF0).
Now, save the changes and let's start on the game. Load CASTLES1.EXE into your
debugger (Make notice of the parameters set in the batch file, because you'll
need to specify these when loading it into the debugger, so that it will run
the way you configured it on your system - i.e. DEBUG CASTLES1.EXE /VGA
/NOTITLE /NOMUSIC) Start proceeding through.
You'll come up to the following:
CS:00EF CALL 1DDD:0752
Trace through this and proceed on. Next you'll come to some jump and CALL
statements. If you proceed through, it will kick you out to DOS, so make note
of the following jump statements, and what they are doing:
CS:0669 JZ 0670
CS:0678 JNZ 0680
CS:067E JZ 0691
If you notice what happends when you proceed through on a wrong number, you'll
see that the following needs to be done to those jump statements, so that
we jump around the statements that call to verify the copy protection:
CS:0669 JMP 0670
CS:0678 NOP NOP
CS:067E JMP 0691
Now, save these changes, and you're all done. The Setup program will no longer
ask the question, and the game itself will no longer check to see if you
answered the question right. So you're congratulate yourself.
--------------------------------------------------------------------------------
Hopefully this will aid you on your quest to become a crackist. And remember,
don't get in over your head by attempting to crack something difficult, 'cause
it won't help ya at all, G. Laterz...
- The Psychopath
