informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/piracy/tdtlame.txt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

202 lines
9.3 KiB
Plaintext
Raw Blame History

-*-*-*-*-*-* FUCK OFF, TDT *-*-*-*-*-*-
In this textfile, I will rag on TDT and the whole bunch of lamers
associated with them. Also, I will explain WHY I'm doing this. The
reason is the recent release of Might & Magic IV by FairLight, TDT
and of course RAZOR. First off, the Razor version was the only one
that has been put out COMPLETELY CRACKED AND WORKING unlike the
Flt and TDT versions. Now, two days later TDT puts out a "crackfix"
which is supposed to be 100% and that "you can use on the Razor and
FLT versions". Of course I was very suspicious about TDT's late
fix and so I downloaded this shit and looked at it since they
claimed that there was more than ONE doc check in the game. Here's
what I found....
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³TDT - how stupid they REALLY are....³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
OK, let's start. I will explain a _little_ of tech background to
you so that you're able to understand what I'm talking about.
The actual protection routine in Might & Magic IV is located in
a file called XEEN.DAT. This file is not a data file, but a renamed
EXE file. Also, New World Computing used PKLite to compress it and
make it harder to change stuff in it, however, we all know how to
get rid of PKlite, don't we ?
OK, well, after I got rid of PKLite I ran a filecompare between my
version and the one TDT put out. Here's the result:
Comparing files XEEN.DAT and MYXEEN.DAT
0001DD2A: 8E 38 <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
00026C9D: 90 9A <ÄÄÄÄ¿ ³
00026C9E: 90 00 <ÄÄÄÄ´ ³
00026C9F: 90 00 <ÄÄÄÄ´ ³
00026CA0: 90 CC <ÄÄÄÄ´ this is the only
00026CA1: 90 15 <ÄÄÄÄ´ byte required to
³ crack the game.
³
these are the bytes TDT
changed to "crack" the game.
Now, here's a litte explanantion of the bytes and what they mean.
If you don't know alot of assembly, don't worry if you don't
understand it. Actually the whole point of all this is that the
TDT version IS NOT WORKING ! Hahaha... Yes, you got me right.
TDT FUCKED UP THEIR CRACK, if you try to bypass the protection,
THE GAME WON'T LET YOU CONTINUE PLAYING.
Let me just explain what I did to crack the game:
The first byte you see at 1DD2A is an offset for a JMP instruction.
The original value in an uncracked version of MMIV is 8E and to
crack the game I changed it to 38. The reason is that the JMP
originally leads to the protection routine that asks you to enter
a certain word from a certain page in the manual. What I did is
to bypass the protection check in a way that the routine assumes
that you've already entered the correct word. That's why in my
version the protection doesn't even show up anymore. Also, that
way I don't have to worry HOW MANY protection checks there are in
the game. No matter how many times the protection routine is called,
it will ALWAYS return the correct result and let you go on playing.
Now, in the TDT version SOMEONE thought he has to be a REAL smartass
motherfucker. Here is what the dumbass did:
Translated to assembly, the five bytes starting at 26C9D will come
out as a FAR call instruction
CALL 15CC:0000
This CALL will lead to the protection and ask you for a word
from the manual.
TDT's lame-o cracker changed this CALL-instruction to something
else:
NOP
NOP
NOP
NOP
NOP
Well, what the dick was trying to do is to bypass the protection
simply by not even CALLING the protection routine. So, what's
wrong you may ask, if the protection is not even called, what is
Onyx moaning about !? Well, let me explain.
First of all there might be more than ONE call to the protection in
the game. The way I cracked it, the protection may be called 100reds
of times and each time it will come out fine, but in the TDT version
you can't be sure that there's not another CALL to the protection
somewhere else in the game. So, how do you fuckers in TDT even DARE
to tell people that "there's more than ONE check in the game", eh ?
DON'T YOU LAMERS UNDERSTAND THAT EVEN IF THERE IS MORE THAN ONE
CHECK, YOUR GODDAMN VERSION WILL NOT WORK UNDER ANY CIRCUMSTANCES
BECAUSE YOU ONLY REMOVED *ONE* OF THEM ? Fuck you lamers, you should
go back to cracking school and LEARN how to do things correctly.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³TDT - my grandma can do better cracks ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Now here's what's even WORSE about TDT's crack:
Due to the fact that the file XEEN.DAT is an EXE file, it contains
lots of addresses that have to be relocated when the file is loaded
to memory. This is refered to as the relocation table. I will not
go into a too much detailed explanation of the EXE file structure
here, but it all comes down to the fact that Sir Platinum doesn't
seem to know a shit about DOS and EXE files.
Each entry in the relocation table points to an instruction of
the program that needs to be altered to make the program work.
Something called a SEGMENT-OFFSET has to be added to some instructions
to make them work correctly. In this case, the CALL instruction that
TDT changed needed to be relocated. To make it a little bit more
understandable for you, here's an example:
un-relocated instruction: bytes in memory:
CALL 15CC:0000 9A 00 00 CC 15
Now, let's assume the program has been loaded to segment offset 1234
the whole thing would look like this AFTER the relocation:
relocated instruction: bytes in memory:
CALL 2800:0000 9A 00 00 00 28
The segment offset of 1234 has been ADDED to the original offset
of 15CC. The result is 2800. This is how it SHOULD look like.
Now how did TDT fuck up ? Here's how....
Since DOS does an automatic relocation of all entries in the
relocation table, it will not check if the relocation it just made
was VALID. To cut a long explanation short, here's what it looks
like with the TDT version:
^^^
un-relocated instruction(s): bytes in memory:
NOP 90
NOP 90
NOP 90
NOP 90
NOP 90
After the relocation process....
relocated instruction(s): bytes in memory:
NOP 90
NOP 90
NOP 90
LES SP,[BP+SI+0509] C4 A2 ....
The offset 1234 has been added to the 9090 bytes that represtented
the NOP instructions.
Due to the fact that Sir Platinum changed the original JMP
instruction to NOP instructions, the relocation will create
a new, UNPREDICTABLE instruction instead of the NOPs. As a
result THE GAME MIGHT EVEN CRASH ! YES, YOU GOT IT RIGHT, THE
WAY TDT CRACKED THIS MIGHT CRASH THE GAME ! Fuck you kids...
You apparently don't know a flying fuck about what you're doing.
Don't you fuckers know that according to what is added to your
NOP instuctions the actual CODE changes every time ? The instruc-
tions created might be total NONSENSE and lock up the game.
Goddamnit.... you lamers are so fucken stupid, you shouldn't be
allowed to touch games like Might & Magic IV since all you do is
to FUCK THEM UP.
OK, Sir Lametinum, here's what you COULD have done even tho it
STILL wouldn't get rid of ALL the doc checks in the game, just
this particular one:
9A 00 00 CC 15 CALL 15CC:0000
could have been changed to
90 NOP
EB 02 JMP IP+02 <Ä¿jumps OVER the relocation
CC 15 XXXX ³offset.
.. ..<ÄÄÄÄÄÄÄÄÄÙ
. .
Obviously you're not a proffessional cracker, just a little dumb-o
wannbe that still has alot to learn to play in the MAJOR LEAGUE
together with the BIG BOYS....
Also, to all of you out there, take this as a WARNING and think twice
before you decide to download a TDT release in the future. Who knows,
the "change" they make to a program might accidently format your hard
drive....
GO FOR QUALITY - GO FOR RAZOR RELEASES ! WE KNOW OUR BUSINESS !
- ONYX [RAZOR 1911]
10/04/92
Reference in New Issue View Git Blame Copy Permalink