Text File | 1989-09-30 | 3KB | 56 lines
CRACKING FERRARI FORMULA ONE by -=The Knack=-
---------------------------------------------
OK dude, this is NOT a common practice, but being a nice guy I'll
quickly explain how I cracked this game, Ferrari Formula One. First I ran
the damn thing and screwed around till I found some CP (Copy Protection).
Found a doc check, tried control-break (some idiot programmers do leave
this in): nada. Next I checked the F.EXE file for encryption; nope, all
the text was intact and the .EXE header was normal, that's good! Then I checked
for CD16 (Int 16 - Keyboard), found none; CD13 (Int 13 - Disk), no disk
check; and CD21 (Int 21 - DOS Services), tons of 'em, which means the program
uses DOS services without going straight to BIOS. Then I started tracing
the beginning just to see what I could see; 5 minutes later I had no
keyboard response. After a reboot I found the routine that programmed the
PIC (Programmable Interrupt Controller) to stop the keyboard, what a drag.
Besides that everything looked clean, very good. So at this point I
usually do one of 2 things.
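The CD16/CD13/CD21 scan described above, as an added example that is not part of the original text: a small Python triage script that tallies INT vectors in a raw DOS image and, for each INT 21h, looks back for the MOV AH,imm8 that selects the DOS function. The sample bytes are constructed, not taken from F.EXE, and the function descriptions follow the DOS INT 21h reference.

```python
from collections import Counter

# Vectors the write-up greps for, with what they mean during triage.
VECTOR_NAMES = {0x13: "BIOS disk", 0x16: "BIOS keyboard", 0x21: "DOS services"}
# DOS INT 21h functions (AH) that matter for keyboard/Ctrl-Break handling.
DOS_FUNCS = {0x06: "direct console I/O, no Ctrl-Break check",
             0x07: "direct char input no echo, no Ctrl-Break check",
             0x08: "char input no echo, Ctrl-Break checked",
             0x09: "print string", 0x4C: "terminate"}

def scan_ints(code: bytes) -> dict:
    """Tally INT vectors: every CD xx byte pair in the image.
    Heuristic: CD can also sit inside data or another instruction's operand,
    so treat the counts as leads to confirm in a debugger, not as facts."""
    counts = Counter()
    for i in range(len(code) - 1):
        if code[i] == 0xCD:
            counts[code[i + 1]] += 1
    return dict(counts)

def dos_functions_used(code: bytes, window: int = 8) -> list:
    """For each INT 21h, look back up to `window` bytes for MOV AH,imm8 (B4 xx)
    and record which DOS function is requested. Returns [(int_offset, ah)]."""
    hits = []
    for i in range(len(code) - 1):
        if code[i] == 0xCD and code[i + 1] == 0x21:
            for j in range(i - 2, max(0, i - window) - 1, -1):
                if code[j] == 0xB4:  # MOV AH, imm8
                    hits.append((i, code[j + 1]))
                    break
    return hits

def summarize(code: bytes) -> list:
    """Human-readable triage lines for the image."""
    lines = [f"INT {v:02X}h ({VECTOR_NAMES.get(v, 'other')}): {n} occurrence(s)"
             for v, n in sorted(scan_ints(code).items())]
    for off, ah in dos_functions_used(code):
        lines.append(f"  +{off:04X}: INT 21h AH={ah:02X}h "
                     f"{DOS_FUNCS.get(ah, 'unlisted function')}")
    return lines

# Constructed sample image (not from F.EXE): mov ah,06h/int 21h; mov ah,09h/
# mov dx,0100h/int 21h; mov ah,00h/int 16h; mov ah,4Ch/int 21h; int 13h.
SAMPLE = bytes([0xB4, 0x06, 0xCD, 0x21,
                0xB4, 0x09, 0xBA, 0x00, 0x01, 0xCD, 0x21,
                0xB4, 0x00, 0xCD, 0x16,
                0xB4, 0x4C, 0xCD, 0x21, 0xCD, 0x13])
if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```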
1: Check out all the INT 21's to find keyboard entry routines, then
change any 06 functions (Direct Keyboard Input, Ignores CNTRL-BREAK) to 07
functions (which allow CNTRL-BREAK), then run the program and break out at
the doc check. This works about half the time; some programs revector INT
24 (where CNTRL-BREAK goes) to do something nasty, but usually you wind up
in Debug in a great position to start tracing and find the doc check code.
2: Run Quaid's Analyser. This one gives quicker results (if it works at
all). I chose this option and trapped INT 21; it was pretty boring
because of all the initial DOS calls. But that output to the PIC
controller fucked Quaid's, meaning it didn't trap CD21 anymore 'cause the
keyboard was screwed, but when I answered the doc check incorrectly, boom,
the PIC enabled the keyboard again and Quaid's popped up. I was in the
"bomb" routine about to abort to DOS. I wrote down the segment and offset
of this routine and the first five entries on the stack. I let the
program end, reloaded under Debug and checked out those numbers. Sure
enough, the stack pointed right to the doc check routine (the doc check code
used a far call to get to the bomb routine, so the next instruction's
segment and offset were pushed onto the stack before jumping to the bomb
routine). The rest is elementary: I found the code that compared your
answer to the correct one, wrote over it with 90H's (NOP - No Operation)
and changed the conditional jump to a forced jump (which jumps over the
call to the bomb routine). A little bit further down there was the code
that counted your tries; I changed that to 1 so you only had to press
return once to get by the doc check, since they gave you three tries to
answer the doc check successfully (how nice). Finally I searched the rest
of the code for references to the doc check routine and the bomb routine
to make sure there wasn't some other shit later on; everything was cool,
WALLA!
I know that's brief, but that should help you somewhat (and a lot
of other people!). Don't expect this to be a regular thing unless you're in
The -=FiRM=- !!!
-=Tk 1989=-