428 lines
20 KiB
Plaintext
428 lines
20 KiB
Plaintext
Midnights Hackers Private Club
|
|
|
|
Where members or hackers gourps come to exchange ideas, and show
|
|
off skills.
|
|
|
|
**** A Cracking Guide For Beginners ****
|
|
|
|
An Article By:
|
|
|
|
The Psychopath
|
|
|
|
TABLE OF CONTENTS
|
|
-------------------
|
|
|
|
I. Introduction and Overview
|
|
II. Cracking Doc Checks
|
|
A) General Info
|
|
B) A Cracking Tutorial
|
|
III. Cracking Disk Checks
|
|
IV. Cracking with Overlays
|
|
V. Closing Remarks
|
|
|
|
--------------------------------------------------------------------------------
|
|
Introduction:
|
|
|
|
This article is to provide help and give a basic understanding of cracking
|
|
for those that just plain don't understand it. A lot of you have heard about
|
|
ways of cracking and have gone of on your own into the unknown to try to crack
|
|
your first program. And undoubtedly you failed, unless you had guidance and
|
|
help from someone more experienced then yourself. Well, I know how rough it
|
|
is to learn how to crack, 'cause I've been there myself. It takes a lot of
|
|
time, work, and patience to become proficient at the art. So those wishing to
|
|
make a leap up in society to the status of a cracker, please read on.
|
|
|
|
Some of the most useful tools to a crackist are:
|
|
DOS Debug
|
|
Quaid Analyzer
|
|
Turbo Debugger
|
|
Locksmith
|
|
Step-13/Trap-13/PC-Watch
|
|
Soft Ice
|
|
|
|
Acquire any and all that you can. You'll want and need them. I'm only
|
|
going to discuss DOS Debug (Turbo Debugger is quite similar) and Step-13/Trap-13
|
|
The others you'll have to experiment with on your own.
|
|
|
|
Here's a basic list of Debug commands:
|
|
|
|
Command Function
|
|
------------------------------------------
|
|
*A [address] Assemble
|
|
C range address Compare
|
|
D [range] Dump
|
|
E address [list] Edit
|
|
F range list Fill
|
|
*G [=address [address..]] Go
|
|
H value value Hex
|
|
I value Input
|
|
L [address [drive:record record] Load
|
|
M range address Move
|
|
N filename [filename] Name
|
|
O value byte Output
|
|
*P [=address][value] Proceed
|
|
*Q Quit
|
|
*R [register-name] Register
|
|
*S range list Search
|
|
*T [=address][value] Trace
|
|
*U [range] Unassemble
|
|
*W [address [drive:record record] Write
|
|
|
|
[* Indicates the only ones you need worry about for now. They are the main
|
|
commands that you use). Basically, you will enter the letter command and then
|
|
return (<cr>). Addresses only need to be specified based on necessity. (for
|
|
example, you could just enter G<cr> and it would execute. Specifying an address
|
|
would set a break point. (run the program up to that address). For P and T,
|
|
just enter the letter name and <cr>. It's quicker.]
|
|
|
|
Further explanation of the commands is provided in your DOS users manual.
|
|
Read it for yourself.
|
|
*** Note that not all forms of copy protection, nor their ways of removal are
|
|
discussed in this news letter ****
|
|
--------------------------------------------------------------------------------
|
|
Cracking Doc Checks:
|
|
|
|
Okay, one of the most common forms of copy protection is the doc check.
|
|
This is where you are asked to input information from the documentation that
|
|
is included with the software purchased. I will discuss a few methods of
|
|
removing this protection scheme, and then will provide you with a sample
|
|
crack.
|
|
|
|
Doc checks are usually at the beginning of the software, with a few
|
|
exceptions (some being in the middle or at the end). They range in variety
|
|
from simple text questions, to having graphic and mouse interfacing. They, of
|
|
course, range in difficulty from Insulting (easy) to Mind Boggling (hard).
|
|
It's best to start with the easy ones, because you don't want to get in
|
|
over your head, and remember that experience is the best teacher.
|
|
|
|
Doc checks are executed by CALL statements, and sometimes a series of
|
|
CALL statements. When proceeding through a program in DEBUG, you will hit
|
|
a CALL statement that will execute the program. Remember what the address was
|
|
for it, 'cause you'll have to exit out of the game and go back to where it
|
|
took control from you. If the CALL statement runs the doc check then takes
|
|
you back to DEBUG, then you're allright, and can start changing it
|
|
there. If not, then you will have to trace (T<cr> option) through the CALL
|
|
statement down to the next layer of program. Now you will proceed again, until
|
|
you get to a call statement that executes the copy protection then returns
|
|
you to DEBUG.
|
|
|
|
There are three basic ways to remove the Doc check:
|
|
1) Remove the CALL statement.
|
|
a) By the NOP command.
|
|
b) By jumping from the first byte to the last.
|
|
2) By changing the comparisons.
|
|
a) By changing the CMPs to compare registers to themselves.
|
|
b) By changing the jump statements that follow.
|
|
3) By Jumping around the Doc check to get to the part of the program
|
|
that loads in the rest of the game.
|
|
|
|
The first option deals with the above mentioned CALL statements. When you
|
|
get to the one you want, you will assemlbe at that address (A Address<cr>) and
|
|
enter either NOP (being sure to NOP all the bytes of the call statement--NOP
|
|
represents NO Option) or jumping from the address of the first byte to the
|
|
address of the second byte. Either will do. Removing the CALL statement will
|
|
not always work. Sometimes it will do a wide variety of things to the program.
|
|
If this happends, then try one of the other options listed.
|
|
|
|
The second option involved leaving the doc check entact, but making it so
|
|
that any text entered will be accepted by the computer, thus allowing you to
|
|
continue with your utility/game. You will usually find a CMP statement (i.e.
|
|
CMP AX,[BP-20]) after it calls for the text to be entered. What it's doing
|
|
is comparing the value you entered to the value it wants. You can fix this
|
|
by either changing the compare statement to compare the register to itself
|
|
(i.e. CMP AX,AX), or by changing the jump statements that follow. You might
|
|
get a jump statement like JNZ 0345 which will only jump to CS:0345 if the
|
|
value is not zero. So just change it to read JMP 0345, which will always
|
|
jump to CS:0345.
|
|
|
|
The third option involves jumping past the doc check (or CALL statement
|
|
more appropriately put). Often times you'll execute the copy protection, and
|
|
then it will take you to a new part of the program, where it will make it's
|
|
comparison, and then decide wether it will run the rest of the program (if you
|
|
answered the question correctly) or kick you out to DOS (or re ask the question
|
|
depending on the software). If you know what one of the answers is (and you
|
|
should if you have the originals), then enter the correct answer and follow
|
|
the program through until it executes the rest of the game. (Make note of where
|
|
it executes the rest of the game). Then, you exit out of the game, get back
|
|
into DEBUG, and then go back before the doc check is called. Now, jump from
|
|
the doc check over to where it executes the rest of the game. This will remove
|
|
the doc check completely.
|
|
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Software Name: Fiendish Freddy's Big Top of Fun
|
|
Software Company: Mindscape
|
|
|
|
Here is a walk through for cracking a simple text doc check in the above
|
|
mentioned game. I will present you with two ways of cracking it.
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
Method #1:
|
|
|
|
The most preferred way amoung pirates for having a copy protection removed
|
|
is for the crackist to take it out completely. There two most common ways of
|
|
doing that are:
|
|
1) Remove the call statement that executes the protection.
|
|
2) Jump around the protection.
|
|
I'm going to teach you method 1 (removing the call statement). Find a
|
|
copy of Fiendish Freddy, and type the following:
|
|
|
|
DEBUG FREDDY.EXE
|
|
|
|
After typing this, you will be in the program itself, and you will see
|
|
the "-" to the left of the screen. To see where you are in the program,
|
|
press R<cr>, and you will see something like this:
|
|
|
|
AX=000 BX=0003 CX=4A40 DX=0000 SP=34BC BP=0000 SI=0000 DI=0000
|
|
DS=11EB ES=11EB SS=44B2 CS=11FB IP=3E93 NV UP EI PL NZ NA PO NC
|
|
|
|
-11FB:3E93 9A00005341 CALL 415E:0000
|
|
|
|
---------------------------Special Note----------------------------
|
|
The value of CS is "11FB". That is the hexadecimal segment address
|
|
for the beginning of the program code in your computer's memory. It
|
|
is highly possible that the value you see for CS is different from
|
|
mine.
|
|
-------------------------------------------------------------------
|
|
|
|
Now then, press P<cr> to proceed through the program until you come to
|
|
the call statement located at CS:3EF8. Type U 3EF2<cr> to unassemble around
|
|
the call statement. You will see the following:
|
|
.
|
|
.
|
|
11FB:3EF2 55 PUSH BP
|
|
11FB:3EF3 89E5 MOV BP,SP
|
|
11FB:3EF5 83EC02 SUB SP,+02
|
|
11FB:3EF8 9A9C01291A CALL 1A29:019C
|
|
11FB:3EFD A2CA02 MOV [02CA],AC
|
|
.
|
|
.
|
|
Okay, write down the HEX values before, including, and after the call
|
|
statement. Now in order to change it, you will type A 3EF8<cr> and you'll
|
|
see this:
|
|
|
|
CS:3EF8
|
|
|
|
Where the cursor is located, you will type NOP (No Option) 5 times, in
|
|
order to wipe out the 5 bytes of the call statement, and then press <cr>.
|
|
NOP is like erasing data. (i.e. 11FB:3EF8 NOP NOP NOP NOP NOP<cr>). Now press
|
|
G<cr> to execute the game. The actual program should load up without executing
|
|
the doc check at all. If not, then you screwed up and need to re-check your
|
|
alterations to the program.
|
|
|
|
-----------------------Saving the Changes-----------------------
|
|
Remember now, that DEBUG can only write to .COM and files
|
|
other then .EXE (with the W<cr> command). One way to save the
|
|
changes (the more unreliable way) is to rename the .EXE file to
|
|
Something like .HEY or whatever, and then going in and searching
|
|
for the data to be changed (with the S command). Now edit the
|
|
data as normal, and save with the W<cr> command. Exit out
|
|
(Q<cr>) and rename the .HEY file back to .EXE
|
|
|
|
*** This will not always work ***
|
|
|
|
Another way to save changes is with a sector editor (The two most
|
|
widely used are Norton Utilities and PCTools). Search for the
|
|
HEX values (the values I told you to write down) of the data in
|
|
front of, including, and after the statement. When you find
|
|
The statement, edit it. (In the above case, you'd change the
|
|
HEX values of the CALL statement to read 90 90 90 90 90 --90 is
|
|
the HEX value for NOP).
|
|
------------------------------------------------------------------
|
|
|
|
Method #2:
|
|
|
|
Another way to remove copy protection is to leave the doc check entact,
|
|
but change it so that it accepts the values that you enter 100% of the time,
|
|
regardless of what it is. The ways you can do this are:
|
|
1) Change the CMP (compare) of what you entered to what it's supposed
|
|
to be, so that it compares what you entered to what you entered
|
|
(i.e. CMP AX,[BX-23] would be changed to CMP AX,AX).
|
|
2) Change the Jump statements (JNZ, JZ, JB, JA, JG, JL, etc.)
|
|
|
|
We will use Option #2 this time, and again using Fiendish Freddy. Type
|
|
the following to get started:
|
|
|
|
DEBUG FREDDY.EXE
|
|
|
|
Now then, proceed back up to where we saw the CALL statement that executes
|
|
the protection. (CS:3EF8) And this time, trace through it (T<cr>). Now then,
|
|
your CS will change to something else, because you've moved down one level in
|
|
the program. Start proceeding through. You'll come upon several CALL
|
|
statements that load in the text for the doc check. Ignore them, they cause
|
|
no harm. (Just for your info, they exist at CS:022A, CS:0246, CS:025C, CS:0271,
|
|
CS:028D, CS:02A3, CS:02B8, CS:02D4). Now then, at CS:02F2 CALL 415E:0C73
|
|
appears. What this does call for the user to enter some text from the keyboard.
|
|
Proceed through the CALL statement, and the screen will wait for a key to be
|
|
pressed. Enter something like "kskdksdk<cr>" and then it will take you back
|
|
to the program.
|
|
Proceed on until you come to the following:
|
|
|
|
CS:030E 3B86DFFE CMP AX,[BP+FEDF]
|
|
CS:0312 7F25 JG 0339
|
|
CS:0314 8946FD MOV [BP-03],AX
|
|
|
|
Now, what is happening is the program is making a comparison of what was
|
|
entered. If that value is greater then what it wants, then it jumps to CS:0339
|
|
and if it isn't then it just continues on. Now we want to fool it into
|
|
thinking that the text is correct. So change CS:0312 to read JMP 0339. This
|
|
way, the program will jump to 0339 every time, no matter what is entered. Now,
|
|
we're not through yet. You'll soon come to this:
|
|
|
|
CS:0349 9A....... CALL 415E:0419
|
|
CS:034E 7404 JZ 0354
|
|
CS:0350 B000 MOV AL,00
|
|
CS:0352 EB02 JMP 0356
|
|
|
|
Now we have another comparison here. The CALL statement is calling a
|
|
compare routine, and when it's finished, if the value is equal to 0, it will
|
|
jump to CS:0354, and if not, it will simply continue on. We need to fool the
|
|
computer once again, and change CS:034E to read JMP 0354, so that it will
|
|
always jump to 0354. This is the last change that needs to be made. Go ahead
|
|
and type G<cr> to test it out. When you're done, be sure to make the changes
|
|
permanent, as described above.
|
|
|
|
--------------------------------------------------------------------------------
|
|
Disk Checks:
|
|
(INT-13)
|
|
|
|
Some copy protection schemes use the disk interrupt (INT-13). INT-13 is
|
|
often used to either try to read in an ilegally formatted track/sector, or to
|
|
write/format a track/sector that has been damaged.
|
|
|
|
INT-13 is called like any normal interrupt with the assembler command
|
|
INT 13 (CD 13). The AH register is used to select which command is to be used,
|
|
with most of the other registers used for data.
|
|
|
|
Now, the copy protected file might use INT-13 to load some other data from
|
|
a normal track/sector on a disk, so it is important to determine which tracks/
|
|
sectors are important to the cp scheme. There are two common ways to do this
|
|
1) Use Quaid Analyzer to keep track of INT-13 activity
|
|
2) Use Locksmith to track down unusual traks/sectors.
|
|
|
|
With Locksmith you can analyze the diskette. Write down any tracks/sectors
|
|
that seem abnormal. These are most likely part of the protection routine. Now
|
|
we must enter debug and load in the file to execute a search for CD 13. Record
|
|
any addresses shown. (i.e. S CS:100 FFFF CD 13).
|
|
|
|
If no addresses are picked up, then either the interrupt is encoded, or
|
|
it's in a part of the program not yet loaded. Here's what a sector of hidden
|
|
code might look like:
|
|
|
|
CS:0000 31DB XOR BX,BX
|
|
CS:0002 8EDB MOV DS,BX
|
|
CS:0004 BB0D00 MOV BX,000D
|
|
CS:0007 8A07 MOV AL,[BX]
|
|
CS:0009 3412 XOR AL,12
|
|
CS:000B 8807 MOV [BX],AL
|
|
CS:000D DF13 ...........
|
|
|
|
In this section, AL is set to DF at location CS:0007. When you XOR DF
|
|
and 12, you would get a CD (hex) for the INT code, which is placed right next
|
|
to a 13, thus giving uou CD13 or INT-13.
|
|
|
|
---------------------------Finding Hidden INT-13s-------------------------------
|
|
A good way to find hidden INT-13s is with Quaid Analyzer, or Step-13 (or
|
|
Trap-13, or PC-Watch....all work equally as well). Step-13 traps the interrupts
|
|
and will print where they were called from. Once running this, you can jut
|
|
disassemble around the address until you find a code that looks like it is
|
|
setting up the disk interrupt.
|
|
|
|
Another way to decode the INT-13 is to use the G (go) command in DOS DEBUG.
|
|
Just set a breakpoint at the address given by Step-13. i,e, G CS:000f (see
|
|
above code). When debug stops, you will have encoded not only the INT-13 but
|
|
anything else leading up to it.
|
|
--------------------------------------------------------------------------------
|
|
|
|
Once you find the INT-13, all that is left to do is to get the computer to
|
|
think that the protection has been found. To find out what the computer is
|
|
looking for, examine the code right after the INT-13. Look for anything having
|
|
to do with the CARRYFLAG or any CMP to the AH register. If a JNE or JC (etc.)
|
|
happens, then unassemble (u address<cr>) the address listed with the jump. If it
|
|
is a CMP then just read on.
|
|
|
|
Here you must decide of the program was looking for a protected track or
|
|
just a normal track. If it has a CMP AH,0 and it has read in a protected
|
|
track, it can be assumed that it was looking to see if the program had
|
|
successfully completed the read/format of that track and that the disk had
|
|
been copied thus jumping back to DOS (usually -with INT 19). If this is
|
|
the case, just NOP the bytes for the CMP and its corresponding JMP.
|
|
|
|
If the program just checked for the carry flag to be set, and it isn't,
|
|
then the program usually assumes that the disk has been copied. For example:
|
|
|
|
CS:0002 INT 13 (Reads the sector)
|
|
CS:0004 JC 0345 (Jump comparison)
|
|
CS:0006 INT 19 (reboot)
|
|
CS:0345 Rest of program..
|
|
|
|
The program carries out the INT and finds an error (the ilegally formatted
|
|
sector) so the carry flag is set. The computer, at the next instruction, sees
|
|
that the carry flag is set and knows that the protection has not been breached.
|
|
But, when you make a copy, it will see the breached protection, and execute the
|
|
INT 19. To avoid this, change the JC 0345 to read JMP 0345.
|
|
|
|
* Note that the protection routine might be found in more then just one
|
|
part of the program *
|
|
|
|
Here is a chart describing INT-13 using the AH register to select
|
|
the function to be used.
|
|
|
|
AH=0 Reset Disk
|
|
AH=1 Read the status of the disk system into AL
|
|
|
|
AL ERROR
|
|
-----------------
|
|
00 - Successful
|
|
01 - Bad Command given to INT
|
|
*02 - Address mark not found
|
|
03 - Write attempted on a write protected disk
|
|
*04 - Request sector not found
|
|
08 - DMA overrun
|
|
09 - Attempt to cross DMA boundary
|
|
*10 - Bad CRC on disk read
|
|
20 - Controller has failed
|
|
40 - Seek operation failed
|
|
80 - Attatchement failed
|
|
|
|
* Represents the most commonly used in the Copy protection
|
|
|
|
input:
|
|
DL = Drive Number (0-3)
|
|
DH = Head Number (0 or 1)
|
|
CH = Track Number
|
|
CL = Sector Number
|
|
AL = # of sectors to read
|
|
ES:BX = Load address
|
|
output:
|
|
AH = error number (shown above)
|
|
[Carry flag set]
|
|
AL = Number of sectors read
|
|
|
|
AH=3 Writes (Params. as above)
|
|
AH=4 Verify (Params. as above ES:BX)
|
|
AH=5 Format (Params. as above CL,AL
|
|
ES:BX points to format table)
|
|
|
|
--------------------------------------------------------------------------------
|
|
Cracking Overlays:
|
|
|
|
Sometimes the copy protection is executed in an overlay file. The best
|
|
way to find out which file it is in, is to use Quaid Analyzer to track the
|
|
INT 21 calls and see which program is loaded in. Next, if it was an INT-13
|
|
type protection, then you'll do as usual and just look for it in the overlay
|
|
file.
|
|
If it was a doc check, then you'll proceed through the .EXE file as usual
|
|
(with DEBUG or whatever), and go up to the doc check. Now the changes you make
|
|
might have to be made in the overlay file. What I mean, is if you search the
|
|
.EXE file and don't find the HEX values, then search the overlay file. You'll
|
|
have a high probability of finding them there. Then, just change the bytes in
|
|
the overlay file as usual and execute the game. It should run, this time with
|
|
the crack entact.
|
|
--------------------------------------------------------------------------------
|
|
|
|
Hopefully this will aid you on your quest to become a crackist. And remember,
|
|
don't get in over your head by attempting to crack something difficult, 'cause
|
|
it will benefit you 0%. Laterz...
|
|
|
|
- The Psychopath
|