Midnights Hackers Private Club Where members or hackers groups come to exchange ideas, and show off skills. **** A Cracking Guide For Advanced Amateurs **** An Article By: The Psychopath TABLE OF CONTENTS ------------------- I. Introduction and Overview II. Types of Cracks A) Documentation Protection B) Config/Setup Protections III. Closing Remarks -------------------------------------------------------------------------------- Introduction: This is my second edition on cracking tutorials. This one will provide more information on the art of cracking as well as some more advanced cracking walkthrus. Take the learning process slow, and just let it come to you. Don't try tackling too much at once. Again I emphasize the importance of practice and experience as being the best teacher. And I think I'll mention this now... ALWAYS, ALWAYS make backup copies of the programs before you tamper with them with your debuggers and sector editors, because if you screw up and write to your only copy, you're plain outta luck. Cracking programs used in this issue: DOS Debug Turbo Debugger Quaid Analyzer Acquire these if you don't already have them. These are not the only cracking utilities, but they are the ones that I will be using in my lecture today. Here's a basic list of Debug commands in case you've forgotten: Command Function ------------------------------------------ *A [address] Assemble C range address Compare D [range] Dump E address [list] Edit F range list Fill *G [=address [address..]] Go H value value Hex I value Input L [address [drive:record record] Load M range address Move N filename [filename] Name O value byte Output *P [=address][value] Proceed *Q Quit *R [register-name] Register *S range list Search *T [=address][value] Trace *U [range] Unassemble *W [address [drive:record record] Write [* Indicates the only ones you need worry about for now. They are the main commands that you use). Basically, you will enter the letter command and then return (). Addresses only need to be specified based on necessity. (for example, you could just enter G and it would execute. Specifying an address would set a break point. (run the program up to that address). For P and T, just enter the letter name and . It's quicker.] Further explanation of the commands is provided in your DOS users manual. Read it for yourself. *** Note that not all forms of copy protection, nor their ways of removal are discussed in this news letter **** -------------------------------------------------------------------------------- Cracking Documentation Checks Part II: Okay, the most common form of copy protection is the documentation check. Doc checks are usually at the beginning of the software, with a few exceptions (some being in the middle or at the end). They range in variety from simple text questions, to having graphic and mouse interfacing. They, of course, range in difficulty from being extremely easy to being near impossible. In the past issue, I gave an extremely simple copy protection to remove (Fiendish Freddy, if you remember). Here, after a refresher course on what to do to remove the doc checks, we'll take a look at a complicated doc check. There are three basic ways to remove the Doc check: 1) Remove the CALL statement. a) By the NOP command. b) By jumping from the first byte to the last. 2) By changing the comparisons. a) By changing the CMPs to compare registers to themselves. b) By changing the jump statements that follow. 3) By Jumping around the Doc check to get to the part of the program that loads in the rest of the game. In the first option, as you know, we can remove the CALL statement by writing the assembly command NOP (No Option) in place of the CALL statement itself. Or we can simply jump from the first byte in the CALL statement to the last byte in the call statement (This has the same effect). The second option involved leaving the doc check entact, but making it so that what you enter (wether it be right or wrong) will be accepted by the computer, thus allowing you to continue with your game. You will usually find a CMP statement (i.e. CMP AX,[BP+2307]) after it calls for the text to be entered. What it's doing is comparing the value you entered (stored in the registers) to the value it wants. You can fix this by either changing the compare statement so that the register is compared to itself, (i.e. CMP AX,AX), or by changing the jump statements that follow. You'll get a jump statement similar to JNZ 1355, which will only jump to CS:1355 if the value from the compare is not zero. So just change it to read JMP 1355, which tells the program to always jump to CS:1355. The third option involves jumping past the doc check. Often times you'll execute the copy protection, and then it will take you to a new part of the program when it's finished, where it will make it's comparison, and then decide wether it will execute the remainder of the program (if you answered the question right) or boot you out to DOS (giving a wrong answer). If you know what one of the answers is (and you should if you have the originals with the docs included), then enter the correct answer and follow the program through until it executes the rest of the game. (Make note of where it executes the remainder of the game). Then, you exit out of the game, get back into your debugger, and go back before the doc check is called. Now, jump from the doc check over to where it executes the remaining portion of the game. This will remove the doc check completely if done properly. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Software Name: Martian Dreams Software Company: Origin Here is a walk through for cracking a moderately complicated doc check in the above mentioned game. I will present you with one way of cracking it. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Method : Jumping around the Doc Check (Method #3 as mentioned above). Find an uncracked copy of Martian Dreams. If you notice, there are 2 executable files. MARTIAN.EXE is the introduction file, and GAME.EXE is the actual game. (This can be found out by using Quaid Analyzer to watch the INT-21 output while tracing through MARTIAN.EXE) Now, make sure that you have a character created. You're going to need to get the prybar from the cowboy and move your character right above the hatch and then save the game and exit to DOS. Now we're ready to begin. Load GAME.EXE into your debugger (I'll be using good ol' DOS debug). Proceed through the program, making note of any loops you get into. (To get out of a loop such as something that makes a jump comparison and then sends you to a previous part of the program, just look at what address is after the jump and then go to that address (with the G
command) i.e. CS:003C JNZ 0034 is in the early part of the game. We notice that CS:003E lies just after this call statement, so jump to it--G 3E). Now, keep going until you come to the following: CS:00FC CALL 14C8:0941 (The 14C8 segment may be different on your machine, depending on you memory). Trace through this call statement (proceeding through it will execute the game, so don't). Now, start proceeding again. You'll come to the following address: CS:0C5E CALL 2015:0013 This will switch graphics modes, so we know we're on the right track. Keep proceeding. Next you'll start hitting addresses that will call parts of the picture to the screen. At the following: CS:0CEA CALL 0509 CS:0F69 CALL 3433:04B1 Each of these calls in a different picture...we're getting close, so keep going. When you come to the following address: CS:0FD7 CALL 2409:133A Trace through it. (Proceeding through will execute the game). Now, keep going. Again, you'll hit CALL statements that load in graphics pictures, at the following addresses: CS:1B51 CALL 0A47 CS:1B64 CALL 0084 CS:1B83 CALL 18B4 CS:1B95 CALL 0221 Keep proceeding until you come to: CS:1BA5 CALL 3433:28CC Trace through this (proceeding through will execute the "command entering" part of the game. It will execute a full command at once, so we need to trace trough it to break up the command into parts). Tracing trough, and proceeding on, we come to the following: CS:2902 CALL 20AD This allows one key movement/command to be entered at a time. Proceed through this call statement and type a "U" to get the character to use an item. Now you're back at the program. If you proceed on, you'll hit the RETF and eventually come to the following: CS:1BC5 LOOP 1BBB This will loop back and take control of the program until your command has been fully executed, then you'll be back at the debugger again. We don't want this, because we need to proceed through and see what happends step by step, before it calls the doc check, so do the following. at the CS:2902 address, you proceeded though the first time right? and you entered a "U", well jump back to CS:2902 (i.e. G 2902) and proceed through again. Keep doing this until you have entered all the following commands: U = to get your character to use an item. TAB, Left arrow key = moves over to your inventory, then select prybar. Down arrow key = Points at hatch. Now, after you do the last input, proceed on through the program. When you come to the following: CS:0831 CALL FAR [BP-0E] Trace through this call statement (proceeding through it will execute the game). After tracing through, you'll see this: CS:0066 INT 3F This is another form of a CALL statment. Trace through it (proceeding through will execute the game). Now, keep going until you come to the following: * CS:0A81 JNZ 0A9D CS:0A83 PUSH AX CS:0A84 CALL 2D04:4759 CS:0A89 PSUH AX CS:0A8A MOV AX,3DAF CS:0A8D PUSH AX CS:0A8E MOV AX,183C CS:0A91 PUSH AX CS:0A92 CALL 3433:33F8 CS:0A97 ADD SP,+06 CS:0A9A JMP 0B51 CS:0A9D MOV AL,[6ED6] CS:0AA0 MOV AH,00 CS:0AA2 TEST AH,0010 * CS:0AA5 JZ 0AC2 CS:0AA7 MOV AL,[6ED6] Here's the deal. Those two marked jump statements are the key to the whole thing. The comparisons made are trying to determine if you have answered the question already and correctly. What you want to do is get the program to go to the addresses listed in the statements all the time. So change them to say: CS:0A81 JMP 0A9D CS:0AA5 JMP 0AC2 This will jump past the copy protection completely. Now, to explain how I knew to do this. What I did is proceed through to the doc check itself, and then entered a correct answer, followed the program through until it got back to where you could enter commands again (CS:2902), and then I did those commands again (if you recall, you have to open the door twice). This time, I followed through, making note of all the jump statements, seeing where it went, until it opened the door for me. Next, I went back in with the debugger and got back up to the doc check and entered a wrong answer, then followed it through, until it got back to CS:2902, and then I entered the commands again, and followed it through, making note of the jump statements. After I got past a certain point (past the address where it opened the door on a correct answer) I compared the jump statements between the two scenerios, and found the differences, so I changed the jumps to always think that you've already entered a correct answer (As shown above). You'll need to know some right answers to do this, so what I reccommend is either getting a copy of the docs, or get your encyclopedias handy (some of the questions asked are actual historical facts). I'll now describe how to get to the doc check, if you want to try this out for yourself. Okay, you've traced throught CS:0831 and CS:0066, right? And now you're proceeding on. You'll eventually come to the following: CS:0ABA CALL 417E:0034 Trace through this, to get to this: CS:0034 INT 3F Trace through this as well. (Remember what I said above about it being a type of call statement). Now, proceed on. You'll next come to the following: CS:0396 CALL 0000 Trace through this and then proceed on. You'll next come upon this: CS:0156 CALL 4183:0034 Tracing through will once again bring you to this: CS:0034 INT 3F Trace through again, and then proceed on. You'll next hit a bunch of CALL statements that will load in graphics pictures and text. Just keep proceeding on. (Just so you know where you are, some of these CALL statements will be at these addresses): CS:1A0F CALL 2015:1E2B CS:1A67 CALL 1675:024B Now, you'll come up to the following: CS:1E9E CALL 1756 This is the doc check. Proceed through, so that it is loaded in. It will ask the question and then boot you back to the program, so proceed on. You'll next come to: CS:1B6B CALL 3433:33F8 This will wait for you to press enter, then put you back in the program. So press and proceed on. Next you'll come to this: CS:1B80 CALL 3433:2AF1 This will wait for you to enter your response to the question. So enter a right answer, and then press , and now proceed on. Keep going on until you get back to where I described up above, and do as I mentioned. This will show you why I changed those jump statements. So, when you're through with this, be sure to save the changes, and if you've forgotten how to save, here's a little memory refresher: -----------------------Saving the Changes----------------------- Remember now, that debuggers can only write to .COM and files other then .EXE (with the W command). One way to save the changes (the more unreliable way) is to rename the .EXE file to Something like .HEY or whatever, and then going in and searching for the data to be changed (with the S command). Now edit the data as normal, and save with the W command. Exit out (Q) and rename the .HEY file back to .EXE *** This will not always work *** Another way to save changes is with a sector editor (The two most widely used are Norton Utilities and PCTools). Search for the HEX values (the values I told you to write down) of the data in front of, including, and after the statement. When you find The statement, edit it. (i.e. Changing the HEX values of a CALL statement to read 90 90 90 90 90 (90 is the HEX value for NOP)). Also, make sure that you write down the new hex values after changing the assembly code in the program with the debugger. Then you'll replace the original HEX values with what you want them to be. ------------------------------------------------------------------ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Software Name: Castles Software Company: Interplay Here is a walkthru for cracking a config/setup type copy protection. This will be fairly simple to crack, so get relaxed. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Method: Changing Jump Statements Obtain an uncracked copy of Castles, and prepare your debuggers. First off, you'll notice that you need to run the setup program to get the game configured for your system so it can be properly run. When you enter the options to fit your system, you'll then be asked a question from the manual, and it will then write a number into the batch file it saves. If you answer wrong, it will write a "wrong" number in the batch file, and if you answer right, it will write a "right" number in the batch file. To remove any possible complications and hassles, we're going to remove the question and remove where the game checks to see what the number is. So, two cracks will be needed. One in SETUP.EXE, and the other in CASTLES1.EXE. Load SETUP.EXE into your debugger and start proceeding. Now, you'll come up to the following: CS:00EF CALL 14DD:0B69 Trace through this and start proceeding. *** Note that I will not be mentioning when the graphics mode is switched or when it calls in graphics pictures. You should know what they are by now *** You'll come up into a loop that goes back and redraws the menu screen. IF you keep proceeding through the loop, it will be a slow process trying to configure your system, so just jump past that jump statement to CS:0BC5. This will allow you to enter your setup options. After doing this, select continue, and press enter. Now, proceed on. You'll notice the following soon: CS:0BCD CALL 033A This is the doc check. Proceed on and see what happends. At CS:0BD8 CALL 04E3 it will write that number to the batch file. So, let's get rid of the question. We want it to just jump past the doc check, and save the configuration to the batch file, so do this. Notice before the doc call at CS:0BCA there is a JZ 0BDF. This can be changed to: JMP 0BD7, thus jumping past the doc CALL, and onto the part where it writes the number. Next, proceed on, and you'll come to this: CS:0BE8 JZ 0BF0 This is comparing what you entered and if it's wrong, it will exit out and tell you to try again, and if it's write, it'll jump to CS:0BF0. So let's just tell it to jump to 0BF0 all the time. (i.e. CS:0BE8 JMP 0BF0). Now, save the changes and let's start on the game. Load CASTLES1.EXE into your debugger (Make notice of the parameters set in the batch file, because you'll need to specify these when loading it into the debugger, so that it will run the way you configured it on your system - i.e. DEBUG CASTLES1.EXE /VGA /NOTITLE /NOMUSIC) Start proceeding through. You'll come up to the following: CS:00EF CALL 1DDD:0752 Trace through this and proceed on. Next you'll come to some jump and CALL statements. If you proceed through, it will kick you out to DOS, so make note of the following jump statements, and what they are doing: CS:0669 JZ 0670 CS:0678 JNZ 0680 CS:067E JZ 0691 If you notice what happends when you proceed through on a wrong number, you'll see that the following needs to be done to those jump statements, so that we jump around the statements that call to verify the copy protection: CS:0669 JMP 0670 CS:0678 NOP NOP CS:067E JMP 0691 Now, save these changes, and you're all done. The Setup program will no longer ask the question, and the game itself will no longer check to see if you answered the question right. So you're congratulate yourself. -------------------------------------------------------------------------------- Hopefully this will aid you on your quest to become a crackist. And remember, don't get in over your head by attempting to crack something difficult, 'cause it won't help ya at all, G. Laterz... - The Psychopath