Game Cracker (Expanded Edition) / Game Cracker (Expanded Edition).iso / cracks / M&M-CRK1.ZIP / CRACK.DOC
Text File | 1999-02-14 | 9KB | 220 lines
Ok, I'm a novice cracker, 'cause usually you find the cracks to all
the games on the net. But this cool game was nowhere to be found.
I suspected a title change for the European version, but found nothing
anywhere.
It's the game Magic & Mayhem from Mythos.
And since I had to put a lot of time into cracking this thing, I'll
let you read along so you might do your own crack next.
------------------
1) Ok welcome. First of all we have to know if a game is really protected.
To do this, we try to make as good a CD copy of the original as possible.
I did, and after putting in the copy the game complained with a window
asking if I wanted to run a multiplayer version, retry or abort.
So it's protected.
2) We start up WDASM32 and disassemble the chaos.exe file (WDASM32 is a
disassembler, not a decompiler: what we get is assembly, not source).
This takes a while..
3) I wrote down what the game says when it runs into a copied CD.
So we're going to search for the error message with the
'String Data References' menu. But nothing turns up, no
matter what we look for.
4) Ok let's think about what we know. It's data from the CD it uses for
the protection scheme. So let's go look for 'drivetype' with the
'Find text' button.
We get 'GetDriveTypeA' in the list of functions used, click
'Find next' and wait a bit..
5) Ok here we go.. a hit on address 0047BE54.
The piece of code is below..
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047BF5D(C), :0047BF68(C), :0047BF73(C)
|
:0047BE47 8BBC241C010000 mov edi, dword ptr [esp+0000011C]
:0047BE4E C644241300 mov [esp+13], 00
:0047BE53 57 push edi
* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:0047BE54 FF157C305A00 Call dword ptr [005A307C]
:0047BE5A 83F805 cmp eax, 00000005
:0047BE5D 0F85FA010000 jne 0047C05D
:0047BE63 8B953C030000 mov edx, dword ptr [ebp+0000033C]
:0047BE69 8D8D7C030000 lea ecx, dword ptr [ebp+0000037C]
:0047BE6F 51 push ecx
:0047BE70 6802010000 push 00000102
:0047BE75 6814080000 push 00000814
:0047BE7A 52 push edx
:0047BE7B C7858403000001000000 mov dword ptr [ebp+00000384], 00000001
:0047BE85 FFD3 call ebx
:0047BE87 85C0 test eax, eax
:0047BE89 0F85CE010000 jne 0047C05D
:0047BE8F 8A8580030000 mov al, byte ptr [ebp+00000380]
:0047BE95 83F84B cmp eax, 0000004B
:0047BE98 7409 je 0047BEA3
:0047BE9A 83F84C cmp eax, 0000004C
:0047BE9D 0F85BA010000 jne 0047C05D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BE98(C)
|
:0047BEA3 83C9FF or ecx, FFFFFFFF
:0047BEA6 33C0 xor eax, eax
:0047BEA8 F2 repnz
:0047BEA9 AE scasb
:0047BEAA F7D1 not ecx
:0047BEAC 2BF9 sub edi, ecx
:0047BEAE 8D542418 lea edx, dword ptr [esp+18]
:0047BEB2 8BC1 mov eax, ecx
:0047BEB4 8BF7 mov esi, edi
:0047BEB6 8BFA mov edi, edx
6) Ok, this looks like a good place to start. We look up the
'GetDriveTypeA' function in the Windows API guide.
The function returns 5 (DRIVE_CDROM) when the drive is a CD drive.
:0047BE5A 83F805 cmp eax, 00000005
Hmm looks like it is looking for a CD drive, so we might be
on the right track.
7) Let's look on ahead. If it's not a CD drive it jumps somewhere.
But we assume that this is the protection scheme, so we read on
and don't follow the jump.
It moves some addresses and data around, calls something through ebx,
and goes on to test the result of that call.
The text never identifies that call, but the arguments match the MCI
API: 0814h is MCI_STATUS, 0102h is MCI_WAIT|MCI_STATUS_ITEM, and the 1
stored at ebp+384h is MCI_STATUS_LENGTH in the dwItem field of the
MCI_STATUS_PARMS structure whose address (ebp+37Ch) is pushed in ecx.
So this is most likely mciSendCommand asking the CD-audio device for the
length of the disc, which it returns in dwReturn, i.e. at ebp+380h,
exactly the byte the following compares look at.
8) Ok now we are ready to go and see what goes on there. So we do
a 'Load Process' from the debug menu, go to the address
we're working on, and select where to break.
:0047BE87 85C0 test eax, eax
I put a breakpoint here so we can see what the three checks after
the call do.
9) Put in the original CD and hit 'Run program'. After only a few seconds
the program pauses and we go back to WDASM. We're at our location.
Now hit F7 (single step) a few times and see where it goes.
:0047BE95 83F84B cmp eax, 0000004B
:0047BE98 7409 je 0047BEA3
It jumps away on the second check.
10) Terminate the process, put in the CD copy, and run the program again.
11) It stops at the same place. Hit F7 a few times.
12) Hey! It doesn't go where it went the first time. EAX contains
4A instead of 4B (only al is loaded from ebp+380h; the upper bytes
are still zero because the call returned 0). So it does look like
this is the place where the copy check is implemented: the byte must
be 4Bh or 4Ch, anything else jumps to 0047C05D.
13) Ok, let's go crack it! Let's NOP (90h) all these instructions, so it
runs into 0047BEA3 automatically.
:0047BE89 0F85CE010000 jne 0047C05D
:0047BE8F 8A8580030000 mov al, byte ptr [ebp+00000380]
:0047BE95 83F84B cmp eax, 0000004B
:0047BE98 7409 je 0047BEA3
:0047BE9A 83F84C cmp eax, 0000004C
:0047BE9D 0F85BA010000 jne 0047C05D
14) Patch the chaos.exe file, and start it.
15) Hey! No go! :( Why not?
Let's see, it compares with something in memory at location
ebp+380h. So we run the program again, once with the original CD and
once with the CD copy. When it breaks we inspect the memory
at ebp+380h. We write down the following.
Original: 4B 24 17 00 01 00 00 00 00 00 00 00 45 3A 00
Copy : 4A 33 15 00 01 00 00 00 00 00 00 00 45 3A 00
Looks like there are 3 bytes different from the original CD.
(If the call before the checks is indeed an MCI length query, the first
dword reads in MSF format as 75 min 36 s 23 frames on the original and
74 min 51 s 21 frames on the copy, which fits a copy burnt to a
74-minute blank; see the remark about 80-minute CDs in step 20.)
16) The idea is to write those 3 bytes into memory ourselves, and we can
do that at the place where we're nopping out all those
instructions. I think there are other checks that inspect
that piece of memory.
17) It'll look something like this after you edited the chaos.exe
file.
:0047BE6F 51 push ecx
:0047BE70 6802010000 push 00000102
:0047BE75 6814080000 push 00000814
:0047BE7A 52 push edx
:0047BE7B C7858403000001000000 mov dword ptr [ebp+00000384], 00000001
:0047BE85 FFD3 call ebx
:0047BE87 C785800300004B241700 mov dword ptr [ebp+00000380], 0017244B
:0047BE91 90 nop
:0047BE92 90 nop
<snip>
:0047BEA1 90 nop
:0047BEA2 90 nop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BE98(C)
|
:0047BEA3 83C9FF or ecx, FFFFFFFF
:0047BEA6 33C0 xor eax, eax
:0047BEA8 F2 repnz
18) You'll have to add the
:0047BE87 C785800300004B241700 mov dword ptr [ebp+00000380], 0017244B
part yourself.
19) Pop in the CD copy, and start the program.
20) YES! IT WORKS :)
But it seems a bit sluggish.. Maybe because the audio tracks on my
CD aren't 100% (you need an 80 minute CD for a good copy).
21) So we quit the game, remove all CDs and start the chaos.exe file.
Nope, we get another error message.
22) Let's start to remove all the nonsense we don't need. Also let's
try to NOP out the call (call ebx at 0047BE85) and see if it all still works.
23) Yes it does.. The game speeds up, and the only difference we notice
is the short timeouts we have during the start of a game, when
commands are sent to the CD drive to start an audio track.
Just NOP out everything from the address the three jumps land on
up to our mov:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047BF5D(C), :0047BF68(C), :0047BF73(C)
|
:0047BE47 90 nop
and DON'T FORGET to leave our mov in there to write those bytes,
to avoid the other places where they might be checked. One thing to
check while you're at it: the string code at 0047BEA3 uses edi, which
0047BE47 loaded from [esp+11C] before it got NOPped, so make sure the
game still starts cleanly (it did here).
24) Ok we're done :) Took me a bit to figure all of this out, but I'm
happy with it. Something I can be happy to have achieved.
MR CUR$0R 02/1999