home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
HPAVC
/
HPAVC CD-ROM.iso
/
TSRCRACK.ZIP
/
G.DOC
< prev
next >
Wrap
Text File
|
1994-12-12
|
23KB
|
585 lines
GAMETOOLS V3.40 Copyright (c) 1991,1992,1993,1994
by Wong Wing Kin
All rights reserved.
What is GAMETOOLS?
This is a TSR utility for cracking software protection such as
disk protection, password protection and registration screens.
It can also be used to modify the games so that they can be much
easier finished.
It includes an colorful internal debugger and ram viewer for
program debugging.
This program requires users to have some knowledge of IBM
PC assembly language and interrupts handling.
Some important histories of this GAMETOOLS:
This program is originally released by Computing Age Publisher(HK).
In mid 1990, I sent this program and some other utilities with related
articles to Computer Age. At first, GAMETOOLS V1.0 could only run on
PC/XT but not AT. But after several months, Version 2.0 released, it
had less bugs and run on AT. In 12/90, this program and related articles
are published in CA#77.
In 12/91, a much improved version 2.7 is released. It can not only
run on AT or above, but deal with EGA, VGA, SVGA and use EMS memory. In
this version it use "DOS-STACK SWAPPING" technique to solve DOS re-
entrance problem so that GAMETOOLS can be popped up at anytime.
In 4/92, GAMETOOLS V2.72 is finished and released as a freeware for
all game crackers. It use XMS and EMS to save main memory. Moreover, it
provides function for other screen capture programs. EMS version uses
overlay technique to leave 16K resident portion in main memory.
In 7/92, GAMETOOLS V2.80 for 386 is released. It support 386 Debug
Registers debugging. It can set Hardware Break Point like TURBO DEBUGGER.
In 12/92, GAMETOOLS V2.9 is released and uploaded to Internet as
a freeware. This version is more user-friendly and with less bugs.
In 1/92, GAMETOOLS V3.0 is released and uploaded to Internet as a
shareware. This version includes a colorful internal debugger.
Memory requirement:
There are three version of 3.40
Version Main memory need
-----------------------------------------------------------------------
G3.EXE ( use conventional memory only ) : 77536
G3X.EXE ( use extended memory only ) : 64112
G3E.EXE ( use expanded memory only ) : 11712 (need reg)
The above figures may be slightly different from yours because of
different configurations of your computer. The above programs all need
a 386 CPU to run.
You must register GAMETOOLS in order to get EMS version.
To run G3E.EXE, you must have expanded memory. QEMM and EMM386
is need to be loaded in the config.sys.
To run G3X.EXE, extended memory is required. XMS driver HIMEM.SYS
should be added to your config.sys.
Descriptions of all functions:
After loaded GAMETOOLS, press [PtrScr*] to pop up GAMETOOLS. There
is a new hot key that is [Alt]+[PtrScr*] which will suspend the game
and restore all the interrupts so that older programs loaded before
GAMETOOLS can be popped up. You can use some screen capture programs
to saved the current screen.
When you enter numbers in GAMETOOLS, you must add '$' in front of
the hex number. e.g. $1234. But GAMETOOLS has already pre-typed '$'
before you enter the numbers.
You can also use short-hand to input. CS, DS, ES, SS, PS (PSP),
AX, BX, CX, DS, SI, DI, BP, SP can be recognized in the input.
(New function in version 3.21)
Press [Tab] during inputting address will pop up a address-table
for choosing. Press [Tab] in Analysis Listing and Internal Debugger
will save the current address under the highlight bar to the
address-table.
Entering GAMETOOLS, you can have the following options to choose.
Just press the key to choose the option.
1. [A] - Global Analysis - find the addresses such that their contents
are increased or decreased according to your specifications. It is used
to find the locations of memory storage of the life or power inhe
game.
There are two kinds of analyse:
Sub-function [B] - Byte analysis
^^^^the memory storage is 1 byte
Sub-function [W] - Word analysis
^^^^the memory storage is 2 bytes
Analysis is not once only. You may need to do at least two times
to find out the addresses. e.g. The life & power of you in the game is
continuous decreasing. To find out the addresses containing the life,
choose the global analysis in the main menu and enter the DOS path for
GAMETOOLS to save temporary files. Exit GAMETOOLS and wait until the
life decrease again. Press [PtrScr*] to pop up GAMETOOLS and analyze
again. Repeat the procedure at least two times and then choose [L]
- List addresses in the menu to list out all the addresses found.
If the changes are not strictly decreasing, you can use the arrow
keys to select [increase] or [decrease] during each analysis. Then
press [Enter] to begin analysis.
Sub-function [L] - List addresses resulted from "Analysis". You
can have results only after two times analysis. You can use arrows
to scroll to and fro to view the addresses and press tab to save the
current address under the highlight bar to the address-table.
Analysis results will be in the following format :
the number of times of analysis; the first time is 0.
only the last 20 results will be kept.
v v v v
ANALYSIS 03 02 01 00 <- the first time
1234:0012 13 12 10 09 <- the contents in each analysis
1234:0019 31 30 2F 20
^the address found
After analysis, there may be many addresses found. Choose the one
that are most likely to be the desire address. That address may usually
have smaller value and small increment. Then change the content of that
address using the function [V] - RAM view to test if it is really the
one you want.
Sub-function [K] - It will put the address in the current
scroll bar into KEEP list. Byte analysis will put 1 byte
while Word analysis will put 2 bytes.
Sub-function [A] - It will set a hardware break point at
the current address. If the game modify the content of that
address, GAMETOOLS will pop up automatically and ask you
whether to modify the game to undead or not. (It will change
the code to NOPs.)
Sub-function [R] - initialize the analysis process and ignore the
pervious results.
2. [T] - Code tracing. Trace to find the address of the codes that
change the contents of the address you specified. You first enter an
address and then return to game. That address will be monitored by
GAMETOOLS. If the game try to change the contents of that address,
GAMETOOLS will pop up automatically and tell you the address of the
codes which have changed the contents. You can also choose to trace
the game till the content of that address changed to any value or
specified value. This function can be used to find the codes of the
game that change the life or power.
For the four 386 debug registers debugging, there are following
sub-functions:
Sub-function [0] - Memory Execution
When CPU execute at the Break Point address,
GAMETOOLS will break the game and pop up.
Sub-function [1] - Memory Write
When CPU write to the Break Point address,
GAMETOOLS will break the game and pop up.
Sub-function [2] - Memory Read/Write
When CPU read/write to the Break Point address,
GAMETOOLS will break the game and pop up.
Sub-function [3] - Memory Write and Decrease
When CPU change the Break Point address's content to a
smaller value, GAMETOOLS will break the game and
pop up.
Sub-function [4] - Memory Write and Change
When CPU change the Break Point address's content to a
different value, GAMETOOLS will break the game and
pop up.
Sub-function [5] - Memory Write and Increase
When CPU change the Break Point address's content to a
greater value, GAMETOOLS will break the game and
pop up.
Sub-function [6] - Memory Change to a specified value
When CPU change the Break Point address's content to a
specified value, GAMETOOLS will break the game and
pop up.
For sub-function [0] to [2], you have to enter the Size of
the Break Point address. The Size can be 1, 2, 4. For example, if
size of the Break Point is 4, the less significant 2 bits will
be masked (ignored) during Program Counter and Break Point
address comparsion.
Auto modify - It will set a hardware break point at the current
address. If the game modify the content of that address, GAMETOOLS
will pop up automatically and ask you whether to modify the game
to undead or not. It will change the code to NOPs.
Break point 0 may be use by GAMETOOLS during tracing and stepping.
3. [V] - Internal Debugger. This function is very handy to use.
You can use arrows, PageUp, PageDn, Home, End to scroll to and
fro to view the contents of memory locations.
The assembly codes are printed in differer colors.
Press [U] to toggle the display of memory in HEX/ASCII codes and
assembly codes.
Press [F] to search input string. There are String/Hex searches,
both limit to 16 bytes length.
Press [N] to find next matched string.
Press [W] to change the content of the address that is show on the
top left corner.
Press [C] to change the current viewing address.
Press [T] to trace one step.
Press [P] to step over one instruction code. It will not trace
inside the following instructions 'CALL', 'INT', 'LOOP'. The debugger
will place a hardware break point on the next instruction.
Press [H] to go to the highlighted address. It just set a hardware
break point on the highlighted address.
Press [R] to change the contents of the registers.
Press [L] to load a program and debug. Please use this command
only in the command prompt, don't use it when it is running another
program.
Press [S] to save a portion of memory to a file.
Press [Tab] to save the current address under the highlight bar
to the address-table.
Press [E] to view the user screen.
4. [D] - External Debugger. GAMETOOLS will execute an INT 3 and go
to DEBUG or SYMDEB that is loaded before the game.
Sub-function [3] - Shell to DEBUG. First, you should load DEBUG
form DOS and then load and execute GAMETOOLS from DEBUG. Then load
COMMAND.COM and execute it. Now you can enter your game. When you
choose sub-function [3] to shell to DEBUG, it actually generate an
INT 3 inside GAMETOOLS. At this moment, you can disassemble the code
found from tracing and change the codes to see immediate results.
Remember that you are still inside GAMETOOLS and do not change any
registers or enter Q to exit to DOS, or else you system may hang.
When you finish you job, enter G to return to GAMETOOLS.
If you want to trace the game at which you break it, choose the
sub-function [4] to debug the game which actually generate an INT 3
at the point of exit so that when exiting GAMETOOLS you will return
to DEBUG and you can use Trace function of DEBUG to trace the game.
But sometimes when you press [PtrScr*] when DOS function is executing,
you can not generate an INT 3 at that point because DEBUG may call
DOS function again which will cause DOS re-entrance problem.
Sub-function [0] - to restore the address of INT 3 to the original
address that is the one when GAMETOOLS is first loading because the
game may change the address of INT 3 to avoid you send break point.
Sub-function [1] - to toggle between the last changed address of
INT 3 and the current address of INT 3.
5. [K] - Keep memory constant. You can enter an address and a value
so that GAMETOOLS will write that value to the address periodically
so as to keep it constant. The maximum number of addresses is 9 and
the address 0000:0000 means no address to be keep constant.
This function is useful when it is difficult to find all the codes
that change the life or power. You can first use [A] - Analyze to find
the address of the life and use [K] - to keep the address constant.
This procedure may not need any assembly language knowledge.
6. [I] - Interrupt monitor. GAMETOOLS will pop up automatically when
specified interrupt is called. The contents of AH, AL, BH, BL, CH, CL,
DH, DL, SI, DI, BP, SP, DS, ES, SS, CS, IP before and after the
execution of the interrupt will be displayed on pop up.
On choosing this option, user will be asked to enter the number of
the interrupt to be monitored. Then choose to trace or not trace if
that interrupt is called from DOS. This is useful when you are
monitoring INT 13H as it allows you to capture those interrupt called
directly from the game.
If you need conditional tracing, this means GAMETOOLS will pop up
automatically only when the contents of the registers match your
specifications, you can enter the contents of each register so that
GAMETOOLS will pop up when the registers match what you have entered.
Enter [*] for all matches.
e.g. If you enter AH=0, GAMETOOLS will pop up only when AH=0
before executing the INT.
7. [E] - User screen. View the game screen.
8. [B] - Restore Keyboard and Video states
Sub-function [0] - Restore INT 8, 9, 16 to the original address
that is the address when GAMETOOLS is first loaded and change video
mode to TEXT mode 3.
Sub-function [1] - Change INT 8, 9, 16 and video states to the
saved addresses and video states that are saved in the last operation
of the function [Debugging]-[Debug the game]. When you use the
[Debug the game] function, GAMETOOLS will change and save the keyboard
and video states so that you can use keyboard and screen to do
debugging. If then you want to continue to play the game, use this
function to restore the keyboard and video to the last saved states.
9. [S] - Shell to DOS. Please do not change the default directory
in any drives, otherwise the game can not find its files.
Sometimes, because of the conflicts between GAMETOOLS and the
game, the system may hang.
10. [Q] - Exit the game and back to DOS. Sometimes, because of the
conflicts between GAMETOOLS and the game, the system may hang.
11. [C] - Change the frequency of the clock. That is the frequency of
the occurrence of INT 8. The current frequency is showed on the top
of the screen.
Sub-function [0] - Change the frequency to zero.
Sub-function [1] - Change the frequency to normal (18.2Hz).
Sub-function [2] - Change the frequency to your input value.
This function can be used to increase or decrease the speed of
the game. Usually, increase the frequency will increase the speed
the game.
12. [U] - Uninstall GAMETOOLS. If you load other TSR after GAMETOOLS,
you may not uninstall it. Try to uninstall all the TSR load after
GAMETOOLS.
13 [P] - Change the Hot-key of GAMETOOLS.
How to modify the game to undead?
Using Internal Debugger:
1. execute GAMETOOLS
2. run the game
3. use Global Analysis function to find the addresses containing
the life or power in the game.
4. use Internal debugger's RAM view to modify the contents of
those addresses found to see which one is desired.
5. use Hardware Break Point to trace where the game modify the
addresses found.
6. use Internal debugger's debugging function to disassemble and
modify the code and see the immediate results.
7. if can't find the codes or don't know how to modify them,
use Keep function to keep the life or power constant when
playing the game.
8. if you can successfully modify the game to undead, record that
portion of codes and shell to DOS to use some HEX file editor
to search and modify the executable files after exiting the game.
9. if cannot find them using HEX file editor, the executable files
may be packed by some executable file compressors. Use UP.EXE
to unpack the files and search again.
Using External Debugger:
1. Load DEBUG or SYMDEB.
2. Load GAMETOOLS inside the debugger
3. execute it
4. Load COMMAND.COM and run inside the debugger
5. run the game
6. use Global Analysis function to find the addresses containing
the life or power in the game.
7. use RAM view to modify the contents of those addresses found
to see which one is desired.
8. use Hardware Break Point to trace where the game modify the
addresses found.
9. use [shell to debug] function to use debug to disassemble and
modify the code and see the immediate results.
10. if can't find the codes or don't know how to modify them,
use Keep function to keep the life or power constant when
playing the game.
11. if you can successfully modify the game to undead, record that
portion of codes and use some HEX file editor to search and
modify the executable files after exiting the game.
12. if cannot find them using HEX file editor, the executable files
may be packed by some executable file compressors. Use UP.EXE
to unpack the files and search again.
How to crack password protection?
Using Internal Debugger:
1. execute GAMETOOLS
2. run the game
3. When the program ask you to enter password, pop up GAMETOOLS
and use Internal Debugger function to debug the game.
4. Use function [H] to set break point at the codes RET, RETF.
5. Trace the codes and return to the caller routines.
6. See if there are comparsion codes below the caller routines
e.g. OR AX, AX ; CMP AX, 0 ;
7. Modify comparsion codes and see what happen.
8. Do the similar thing as modifying the game to undead.
Using External Debugger:
1. Load DEBUG or SYMDEB.
2. Load GAMETOOLS inside the debugger
3. execute it
4. Load COMMAND.COM and run inside the debugger
5. run the game
6. When the program ask you to enter password, pop up GAMETOOLS
and use [Debug the game] function to debug the game.
7. try to understand what are the game doing.
8. Modify the game
9. Do the similar thing as modifying the game to undead.
Use GAMETOOLS in QEMM, DV or WINDOWS 3.1:
GAMETOOLS can not be runned under DV. If you load DV after GAMETOOLS,
GAMETOOLs will be disable when DV is running and will be reenable
after DV is finished.
GAMETOOLS can be runned in WINDOWS 3.1 dosprompt provided that the
the EMS Memory locked option in advanced options of the DOSPRMPT.PIF
is setted. Under WINDOWS 3.1, the hardware breakpoint function can
not function properly.
Distribution of GAMETOOLS:
You are encouraged to distribute the original package to anywhere
by uploading it to Local BBS, anonymous ftp sites.
You can now find the most updated version of gametools in
Hong Kong BBS:
Conqueror BBS, 6:700/392, 55:400/13, SysOp:Billy Or, 852-856-1379
FTP sites:
ftp.uwp.edu : /pub/msdos/romulus/cracks
wuarchive.wustl.edu : /pub/MSDOS_UPLOADS/games/Cheat/GameTools
(^the file can be kept there for a very short time)
Or finger me to get the uuencoded file:
finger cs_wwkin@uststu.ust.hk | uudecode
Registering GAMETOOLS:
GAMETOOLS is released as a shareware program. This method gives the
user the opportunity to evaluate the program before actually
registering the software. If after a one month evaluation period you
determine that GAMETOOLS meets your needs, you are required to
register your copy of GAMETOOLS. After registration you are free to
use it and will get free upgrade for one year.
If you are a student, you can get 10% discount on the product.
If you are a UST student (My classmate?), you can get 20% discount on
the product.
To register your copy of GAMETOOLS, complete the registration form
that is distributed with the package, include your payment and mail to
[Gametools Registration]
P.O. Box 80044,
Cheung Sha Wan Post Office,
Hong Kong.
When your registration form is processed you will be mailed or e-mailed
a password to unpack GT3-R.ARJ and an individual serial number that
allow you to register EMS version of GAMETOOLS which need 11k
conventional memory only so that you have more rooms to load other
programs. You can also get an updated version of UP.EXE and TURBO C
source codes of TSRCRACK in GT3-R.ARJ
You can contact the author through e-mail:
Internet e-mail address:
cs_wwkin@stu.ust.hk
Discliamer:
GAMETOOLS is supplied as is. The author disclaims all warranties,
expressed or implied, including, without limitation, the warranties
of merchantability and of fitness for any purpose. The author
assumes no liability for any damages, direct or consequential, which
may result from the use of, or inability to use GAMETOOLS.
