345 lines
16 KiB
Plaintext
345 lines
16 KiB
Plaintext
Midnights Hackers Private Club
|
|
|
|
Where members or hackers groups come to exchange ideas, and show
|
|
off skills.
|
|
|
|
**** A Cracking Guide For Advanced Amateurs Part II****
|
|
|
|
An Article By:
|
|
|
|
The Psychopath
|
|
|
|
TABLE OF CONTENTS
|
|
-------------------
|
|
|
|
I. Introduction and Overview
|
|
II. Types of Cracks
|
|
A) Doc Check with a small Loader
|
|
B) Doc Check with a complex Loader
|
|
III. Closing Remarks
|
|
|
|
--------------------------------------------------------------------------------
|
|
Introduction:
|
|
|
|
This is my third edition on cracking tutorials. This one will provide
|
|
more information on the art of cracking as usual, and will provide a comparison
|
|
of 2 similar doc checks that vary in difficulty. Take the learning process slow,
|
|
and just let it come to you. Remember, don't try tackling too much at once.
|
|
Experience is the best teacher. Just a friendly little reminder here...
|
|
ALWAYS, ALWAYS make backup copies of the programs before you tamper with them
|
|
with your debuggers and sector editors, because if you screw up and write to
|
|
your only copy, you're plain outta luck holmes.
|
|
|
|
Cracking programs used in this issue:
|
|
DOS Debug
|
|
|
|
Acquire this if you don't already have it. This is the basic cracking
|
|
tool, and is my favorite. There are some advanced debuggers out there with
|
|
menus and fancy features, but when they fail, debug will come through for ya.
|
|
But of course, having the other debuggers can be handy at times, so I suggest
|
|
finding them if you don't already have them. Some good ones to get are:
|
|
Turbo Debugger (2.0 or greater)
|
|
Soft Ice (2.5 or greater)
|
|
Code View
|
|
|
|
I will no longer tell you how to access a debug command, so here's the
|
|
last time that I will refresh your memory as to what they are. If you don't
|
|
know what they mean by now, then you should go back and re-read my previous
|
|
articles.
|
|
|
|
Command Function
|
|
------------------------------------------
|
|
*A [address] Assemble
|
|
C range address Compare
|
|
D [range] Dump
|
|
E address [list] Edit
|
|
F range list Fill
|
|
*G [=address [address..]] Go
|
|
H value value Hex
|
|
I value Input
|
|
L [address [drive:record record] Load
|
|
M range address Move
|
|
N filename [filename] Name
|
|
O value byte Output
|
|
*P [=address][value] Proceed
|
|
*Q Quit
|
|
*R [register-name] Register
|
|
*S range list Search
|
|
*T [=address][value] Trace
|
|
*U [range] Unassemble
|
|
*W [address [drive:record record] Write
|
|
|
|
[* Indicates the only ones you need worry about for now. They are the main
|
|
commands that you use). Basically, you will enter the letter command and then
|
|
return (<cr>). Addresses only need to be specified based on necessity. (for
|
|
example, you could just enter G<cr> and it would execute. Specifying an address
|
|
would set a break point. (run the program up to that address). For P and T,
|
|
just enter the letter name and <cr>. It's quicker.]
|
|
|
|
Further explanation of the commands is provided in your DOS users manual.
|
|
Read it for yourself.
|
|
|
|
--------------------------------------------------------------------------------
|
|
Cracking Documentation Checks With Game Loaders:
|
|
|
|
Okay, the most common form of copy protection is the documentation check.
|
|
Doc checks are usually at the beginning of the software, with a few exceptions
|
|
(some being in the middle or at the end). They range in variety from simple
|
|
text questions, to having graphic and mouse interfacing. They, of course,
|
|
range in difficulty from being extremely easy to being near impossible.
|
|
|
|
In this issue, we're going to take a look at a programmers attempt to
|
|
cause frustration for us crackists. Someimtes you'll come upon a game that will
|
|
have you run one program, which will in turn run the main program. And of
|
|
course, you have to run the first (loader) program or the game won't work right.
|
|
Well, this poses a problem with debugging, for you can only load in one program
|
|
at a time, and most likely you won't be able to trace through one program to
|
|
get to the other, so how do we get to the copy protection and remove it? Well
|
|
let's go through two sample cracks and find out for ourselves eh.
|
|
|
|
Hopefully you remember what types of copy protection ASSEMBLY commands
|
|
to look for, and how to couteract them, cause I won't refresh your memory for
|
|
you....you'll have to re-read the past articles if you forgot.
|
|
|
|
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Software Name: Gateway to the Savage Frontier
|
|
Software Company: S.S.I. & Beyond Software
|
|
|
|
Here is a walk through for cracking a simple attempt at a loader along with
|
|
a simple doc check. This should be eazy to follow, so let's get going eh.
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
|
|
Find an uncracked copy of Gateway to the Savage Empire. Now then, you'll
|
|
notice that there is a batch file entitled START.BAT This is what we run to
|
|
load in the game. Well, let's see what it's doing. Type the batch file out.
|
|
You should see this:
|
|
|
|
@echo off
|
|
start1
|
|
if errorlevel 1 goto end
|
|
go
|
|
:end
|
|
|
|
Now, if we run this batch file, it will execute START1.EXE which will
|
|
allow you to specify your graphics, sound, mouse, etc. etc., and when that's
|
|
done, it returns to the batch file, where you'll notice GO.BAT is then executed.
|
|
Let's look at GO.BAT and see what it's doing. You'll see something similar
|
|
to this (depending on the graphics and sound and such that you selected):
|
|
|
|
ibmsnd
|
|
game UseStart
|
|
ibmsnd U
|
|
|
|
Notice that the UseStart is a parameter specification on the game. If we
|
|
try running GAME.EXE it will tell us to run start. Well, this is so simple
|
|
it's not even funny. Notice what start does. It sets up your system
|
|
specifications, then loads in the game. That UseStart parameter is the key
|
|
to the whole thing. Instead of typing just "debug game.exe" specify the
|
|
parameter as well (this will happen quite often with games that use parameters.
|
|
They must be specified in the debugger if you want them loaded in). Type "debug
|
|
game.exe UseStart" (and the capital/lower case letters ARE significant in the
|
|
paramater settings). Now, we're ready to begin. Start proceeding.
|
|
|
|
At CS:0037 CB RETF, you'll do a far return to a new code segment address,
|
|
at CS:0038, here you'll proceed on. You'll hit a bunch of comparison jumps
|
|
that will keep looping you around till you eventually get to CS:00DE, where you
|
|
can start proceeding forward again. ('Course if you're smart you'll just take
|
|
my advice and jump from CS:0038 to CS:00DE and proceed from there). Next
|
|
you'll come to:
|
|
|
|
CS:00FE 2E CS:
|
|
CS:00FF FF2F JUMP FAR[BX]
|
|
|
|
Proceed through this and you will be at a new code segment address at
|
|
CS:0019, where you will find a long series of CALL statements. Start proceeding
|
|
through them. You'll hit some that will load in the graphics and the title
|
|
screen and such (if you press control-C when the Beyond Software screen appears,
|
|
it will skip the intro screens). You should eventually come to:
|
|
|
|
CS:01CE CALL 1303:002A
|
|
|
|
This address calls in the option that will ask you if you want to PLAY the
|
|
game or view a DEMO. We of course, want to play, so select play and press
|
|
enter. Now, proceed on. It will eventually bring you up to this address:
|
|
|
|
CS:0208 JNZ 0216
|
|
CS:020A CMP BYTE PTR [5D8E],00
|
|
CS:020F JNZ 0216
|
|
|
|
Now, we've already selected that we want to play the game, so what do you
|
|
think this comparison means? Could it be that it's determining wether or not to
|
|
load in the doc check? Well I do believe so. If you don't believe me, proceed
|
|
on. You'll hit a CALL statement at CS:0211 That will load in the copy
|
|
protection. So how do we remove this? Well, what I suggest doing is changing
|
|
the jump at CS:0208 to read CS:0208 JMP 0216.
|
|
|
|
This will tell the program to jump directly to CS:0216, thus skipping over
|
|
the copy protection completely. Now, wasn't that simple. Just save the
|
|
changes and you're done.
|
|
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Software Name: Time Quest
|
|
Software Company: Legend
|
|
|
|
Here is a walkthru for cracking a more complex loader that calls in a
|
|
moderately difficult doc check.
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
|
|
|
|
Obtain an uncracked copy of Time Quest, and prepare your debuggers. Okay,
|
|
Here's the situation. The main part of the game is in the file TIMEMAIN.EXE,
|
|
but we have to run TQ.EXE in order to play the game. If you try running
|
|
TIMEMAIN.EXE, it will (as I mentioned) tell you to run TQ.EXE to load the game.
|
|
So what do we do? Unlike the previous sample crack, there are no parameters
|
|
that are displayed that we could load into the debugger. The TQ.EXE file loads
|
|
in part of the title screen, and determines your graphics and sound modes, so
|
|
we're in a bad situation.
|
|
|
|
If you try debugging TQ.EXE to get to TIMEMAIN.EXE, the following will
|
|
happen. You'll eventually reach the part where a CALL statement loads in
|
|
TIMEMAIN.EXE. The program will take control or lock up. So naturally, you
|
|
try tracing through, till you get to another CALL statement that does the same
|
|
thing. You'll keep doing this until you get to the INT-21 that loads in the
|
|
TIMEMAIN.EXE, and it will lock up there....if you trace through, it will take
|
|
you to a part of the program that you don't ever want to tamper with. You'll
|
|
be where it makes all the jump comparisons for all the INT-21's. Proceeding
|
|
through this area will most likely bring up a message like "System Halted. Can
|
|
Not load Command.com" so now were stuck....or are we?
|
|
|
|
Now think for a minute and get creative. TQ.EXE somehow loads in
|
|
TIMEMAIN.EXE. So what if we can trick TIMEMAIN.EXE into thinking that TQ.EXE
|
|
has already been run. All we'll do in the process is leave out the Legend
|
|
Software title screen. And, hopefully, we'll enact the default settings, which
|
|
will bring in CGA graphics. This will make it easier to see what's going on,
|
|
because with the CGA graphics, it's in black and white, and very simple
|
|
structure, which is what we want when stepping through a debugger. So, let's
|
|
get started. Load TIMEMAIN.EXE into your debugger and start proceeding.
|
|
|
|
You should come to CS:0548 JMP 29B1:09A2 where you will proceed through,
|
|
jumping to a new code segment address. Keep proceeding on. You'll come to
|
|
CS:0A20 where you'll then be kicked into a new code segment address. Proceeding
|
|
on will just bring you back to CS:0A21, so instead of going through all that,
|
|
jump to CS:0A21 before you reach CS:0A20, and then keep proceeding.
|
|
|
|
After you reach the following:
|
|
|
|
CS:0A41 CALL 232E:1AFB
|
|
|
|
Trace through here, and keep going (proceeding through this call statement
|
|
will terminate the program and bring up that message telling you to run TQ.EXE
|
|
first). Keep proceeding till you come to the following:
|
|
|
|
CS:1B12 CALL 18CA
|
|
|
|
Trace through here, and keep going (proceeding through will have the same
|
|
result as the above mentioned). Now, you'll soon see the following:
|
|
|
|
CS:18D6 CMP WORD PTR [BP+06],+09
|
|
CS:18DA JZ 18F6
|
|
|
|
If we just proceed through these, the program will soon terminate as
|
|
above mentioned, but if we jump to 18f6, the game will start to load, so let's
|
|
fix this by changing CS:18DA to be the following:
|
|
|
|
CS:18DA JMP 18F6
|
|
|
|
Note, that this change is not to be permanent. It is merely a temporary
|
|
change to allow us to load in the game so we can make the permanent chane to
|
|
the copy protection. Now then, proceed on. You'll hit a CALL statement that
|
|
will switch to the graphics mode, then you'll eventually reach:
|
|
|
|
CS:1AFA RETF
|
|
|
|
Proceed through this, and you'll return back to CS:1BC5. Proceed on. You
|
|
will hit a few calls along the way that will load in the screens, and eventually
|
|
you'll reach:
|
|
|
|
CS:1C68 CALL 1F6F:188B
|
|
|
|
This will call in the option that lets you type in a command, so type in
|
|
the following commands in this order (and note, that after you press enter,
|
|
you'll be back in the debugger. Instead of proceeding on, which will
|
|
eventually bring you back to CS:1C68, just go to 1C68 again and proceed through.
|
|
It will wait for you to input another command. Keep doing this until you've
|
|
input all the commands).
|
|
|
|
wait
|
|
wait
|
|
w
|
|
open drawer
|
|
take card
|
|
enter interkron
|
|
put card in slot
|
|
timeset rome 44
|
|
|
|
Now, after entering the last command, (DO NOT JUMP back to 1C68 again)
|
|
proceed on. You will eventually come to:
|
|
|
|
CS:2496 CALL 0D40
|
|
|
|
Trace through this call statement (proceeding through will bring up the
|
|
doc check). Now, proceed on until you eventually come to:
|
|
|
|
CS:106E CALL 1B46:05C5
|
|
|
|
Trace through here (for the same reason as mentioned above), and then
|
|
proceed on and you'll eventually reach:
|
|
|
|
CS:05F5 CS:
|
|
CS:05F6 JMP [BX+0B14]
|
|
|
|
Proceed through this (If you ever try jumping (with the go command) to a
|
|
two part jump statement like this, make sure you go to the address with the
|
|
"CS:" and not the JMP, otherwise you will screw up the program and it will
|
|
jump you to the wrong place). Trace through:
|
|
|
|
CS:09FC CALL 1CA7:1520
|
|
|
|
Now, proceed on till you come to:
|
|
|
|
CS:160C CALL 45EA:1F8E
|
|
|
|
Trace through this, and then trace through the call statement that you
|
|
immediately come upon, which is:
|
|
|
|
CS:1F8E CALL 4537:0307
|
|
|
|
If you proceed through this, it will try to access your floppy drive,
|
|
because it won't be able to find the overlay file, so trace through it. Now,
|
|
proceed on till you get to CS:0379, where you will be taken back to CS:1F95, now
|
|
keep proceeding on, and you will go through a series of jump compare statements,
|
|
if you keep going on, you will eventually hit:
|
|
|
|
CS:029F CALL 1E35:000C
|
|
|
|
This is where the doc check will pop up. These jump comparisons are the
|
|
key to the doc check. If you notice, at:
|
|
|
|
CS:029D JNZ 02B5
|
|
|
|
Here, is where it makes an obviously important comparison. Why is it
|
|
important you ask, well because look at what happends. If the value it's
|
|
comparing is zero, it proceeds on to CS:029F, where the doc check comes in,
|
|
so what happends if the value is not zero? Well, let's find out. Change
|
|
CS:029D to read CS:029D JMP 02B5 and then proceed on. You will soon hit a CALL
|
|
statement that will give a message displayed only after you pass the doc check,
|
|
thus we know we made it to the right area. So just make that change at CS:029D
|
|
permanent. And just to give you a little hint, the change you need to make will
|
|
have to go in the overlay file. So, now we're done. Wasn't so tough after all
|
|
now was it.
|
|
|
|
** Notice. This cracking scenario for Time Quest was done without any saved
|
|
games. Having saved games will effect the debugging process. You will
|
|
have a few other detours along the way before you get to CS:1C68, so either
|
|
try it on your own, if you have saved games, or move your saved games to
|
|
a different directory and try it without them first. It'll be easier. **
|
|
|
|
--------------------------------------------------------------------------------
|
|
|
|
Hopefully this will aid you on your quest to become a crackist. And remember,
|
|
don't get in over your head by attempting to crack something difficult, 'cause
|
|
it won't help ya at all, G. Laterz...
|
|
|
|
- The Psychopath
|