HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / PASSWORD.ZIP / PASSWDRM.TXT < prev

Wrap

Text File | 1996-07-08 | 11KB | 199 lines

5/26/89 Megaton Man Teaches Cracking ============================ DOC CHECK PROTECTION Hello all you young and ameatur crackers! Today's lessons is on DOC Checks. Doc Checks are pretty easy once you get to know them. But some are a pain in the ass, like that Sub 688 game. But still, if you have a good working knowledge of 8088 assembly, it shouldn't really be a problem. I myself, only a 17 year old cheese high school boy, learned this facinating art form of cracking. I see cracking as a game within a game. The first being the actual game, the second is the Protection. Ok, here we go. Get your Cracking tools out. They should consist of a good Debugger of your choice. My choice is Microsoft's CodeView. Pretty easy to use and it's been working so far. But most of the major crackers seem to use Dos's DEBUG.COM. Which is found on your dos disk. They use this primitive but powerful tool because its so small in size, and wont bother with a game in memory. But i found CodeView lets you CTRL-BRK out of programs easier. Your next tool is NORTON UTILITIES. This program should be at your side all the time. You should have Norton and your Debug program in the PATH always because you will use it alot. Well, in this little package, you should find a file named DOC1.COM. This file is an assembly language file i made which simulates a DOC check. It'll give you some phony message like - "ENTER PASSWORD:". then you must enter the password inorder for the Program to tell you that you cracked it. The password for DOC1.COM is MEGATON MAN. Yea, i'm an egotistic asshole. but i love it. This is your game plan. First trace the program until the program waits for the input prompt. At that point, enter "KOOK" or anything at the prompt. Anything except MEGATON MAN. Then keep tracing the program till it eats shit (terminates). Try to memorize what path the program took and if you cant memorize, pen and paper always works. Now, restart the program and trace the program until the input prompt asks you for the password. Now instead of typeing the wrong password, type in MEGATON MAN, which is the correct pass- word. Now keep tracing the program and try again to memorize the path. Ok. The first part is over. Now, compare the two paths, and find out where a detour was made. Once you find the detour, just force the program to go the correct way. Are you saying, "How do i force the program?". Well find the Detour first.. and when you do continue on reading... So stop reading and try to crack DOC1.COM. Now that you are continuing reading, i suspect that you did find the Detour, or your Stumped. Well it doesnt matter, just keep reading. Ok, This is the "map" of this little program. XXXX:0100 Jmp 1E8 : : XXXX:01E8 CALL 1F7 <--- Print Message and Ask for Password XXXX:01EB OR AX,AX <--- Is the AX register = 0? XXXX:01ED JNZ 1F2 <--- No. then jump to 1F2 XXXX:01EF CALL 225 <--- This is DEATH! XXXX:01F2 CALL 21C <--- Call if its CRACKED! ok, this is the main part your worried about. Line 100, makes a jump to line 1E8. Now, 1E8 is CALL 1F7. what this CALL does, is, it Displays the intro message and asks you to input the Password. Now before executing this CALL statement on 1E8, take a look at the AX register. Write it down. Now, EXECUTE the entire Call. Use a BOGUS password. Take a look at the AX register after the call. The IP register should be on 1E8. What does the AX register contain? All 0000's? or 0001? Well Most Protections are like this! Even INT 13 protections! This is what's happening. When you execute the CALL 1F7, if you typed in the wrong password, the call will return with AX = 0000. If you typed in the correct password, the AX register will contain 0001. Pretty neat eh? Well, look at line 1EB. It is OR AX,AX. now this is pretty much like the CMP AX,0000 instruction. By using the OR AX,AX it saves memory (sorta), and is supposed to be faster than CMP AX,0000. Dont ask me why its like this, its just one of those Professional Programmers rules or somthing. Now to keep things going, Line 1EB checks to see if AX is equal to Zero. If AX is equal to zero, the ZERO FLAG is set. if not, then the ZERo flag is cleared. Look at line 1ED. It is JNZ 1F2. It says, Jump if Not Zero to line 1F2. See, AX will not equal zero if you entered the correct password. So if you entered the wrong password, the IP register will go down to line 1EF, which contains CALL 225, which is the Eat it and Die call! You dont want this! NEVER! If the correct Password was entered, line 1ED will jump down to line 1F2 which will execute a Call to tell you that you cracked the program. Now how could we change the program to make it so it will always jump to the correct line? well, there are a few different wayz we could do this. One ,is the EASY way, but less professional way. The next way is also an easy way, but also not as professional. And the last way is the harder way, and it is the professional way. Lets first try the second easy way. Because if i told you the easiest way first, your screw the program up! ok. Have you heard of the instruction NOP? Which means NO Operation. Yea, it doesnt do anything! just sorta patches up some instruction. Now if we NOP line 1EF (CALL 225), the program will encounter a NOP and keep continuing until the Call we want is reached, which is line 1F2 (call 21C). The Hex value for NOP is 90. So Disassemble the area we need to change and write down the bytes on, and around the area. Now flip out Norton Utilities and search for these bytes. Once found, do not Display them and change them! Continue with the search. Make sure there are no more discoveries. If you found another match, go back to the program, disassemble it and write down some more bytes around , and on the part you want fixed. Go back and search for these bytes. make sure there is only one occurance. ok, So there is one occurance, go find the bytes that you need changed. Once found, replace them with the hex value 90. Save your changes and bail out of Norton Utilites. Now Run DOC1.COM and type a wrong pasword. The program should tell you that its Cracked no matter what you type! if it told you that it was cracked, well you Cracked it! yea! The file DOC1.COM is cracked. Go to your MASTER DISK and copy the file on the MASTER DISK over to your SCREW AROUND DISK. which will get rid of the newly cracked DOC1.COM. Now that you have the DOC1.COM that is NOT cracked, lets begin the second way to crack the same program. Some DOC Check PROTECTORS are sorta lame and lazy. Remember i told you the password was MEGATON MAN? Well, when you purchase a game from EggHead or any other software place, and a DOC Protection accompanies the disk, there is always the DOC's that you need! well lets say for instance that you bought Silpheed. It's a DOC check type thingy. Well lets say one of the passwords was SIERRA. Pull out Norton Utilites and search for the characters S I E R R A. Norton should beep and show you where the word SIERRA was found. Now look around that area and see if there are any other words or letters around SIERRA. If so, read them. Now look in your Book of DOC's and see if a word on the screen matches a PASSWORD in the book. Yes? if so, BINGO, you found the password list. Now you could change the passwords to anything you want. But take note, a delimiter is usually put at the end of each password. Now whats a delimiter you say? its like a character or HEX value thats at the end of each password. For instance a hex value of 00 may be at the end of each password. Or each password is 8 characters long. Or somthing like that. Well, change them to what you please. I did this when i Cracked Silpheed. Kinda weak eh? well who cares. Now i dont really call this method "Cracking". Its more like hacking. But to prove to my self, i cracked it the next day. not hacking. The file DOC1.COM is cracked. Go to your MASTER DISK and copy the file on the MASTER DISK over to your SCREW AROUND DISK. which will get rid of the newly cracked DOC1.COM. OK, we cracked DOC1.COM two differnt wayz. Now the third way, which is the best. This method will totally eliminate the DOC check. Which means, NO SIGN of PROTECTION can be detected! Which means, you gotta remove the part where it ask for the password. Now take a look at the Listing. Ill copy the listing down here so you dont have to switch your face back and forth. XXXX:0100 Jmp 1E8 : : XXXX:01E8 CALL 1F7 <--- Print Message and Ask for Password XXXX:01EB OR AX,AX <--- Is the AX register = 0? XXXX:01ED JNZ 1F2 <--- No. then jump to 1F2 XXXX:01EF CALL 225 <--- This is DEATH! XXXX:01F2 CALL 21C <--- Call if its CRACKED! Now look at line 1E8 (call 1F7). This call Ask for the password and returns AX=0000 if its wrong, and AX=0001 if its correct. Well, our goal is to get to line 1F2 (call 21c)! Well, couldn't we just NOP line 1e8 thru 1Ef? Sure we can! Now thats what we gotta do. So write down the bytes around and on this area. Use Norton Utilites to search for these bytes and replace them with NOP's which is a HEX value of 90. Save your changes and run DOC1.COM. The program should just say.. GAME is CRACKEd. or somthing like that. Yip, just one line of Text. Ok, yea! we have cracked this simple doc check program 3 differnt wayz and 3 differnt times. Seems pretty easy eh? Well there are some problems. What if you didnt have a Correct password to trace thru? Well this is somthing only experience could teach. You must experiment with the jumps. If there seems to be a compare involved, usually the AX register is changed, and a conditional jump instuction follows, force the jump and see what happens. If it still eats shit, then dont force it and see what happens. If it still eats it, then keep following the path until another conditional jump is reached and do the same. Some INT 13's are similar to the Doc checks i explained above. Look at line 1e8 (call 1f7). This subroutine asks for the password and reutns the appropriate code. Now what if the Disk drive light lit up when this call is executed? If the DISK Protection was found, AX=0001. if its not found AX=0000. See its sorta the same. Oh, now what if the Doc Check is later on in the game. Like Questron II, Larry Bird One on One, and Demon Stalker. Well, Load up your debugger with the intro exe file. Then Press "g" for go and run the program while your debugger is in the background. when the program asks for the Password, just type "SHIT" and presss CTRL-BRK! The Debugger should regain control and will show you where the current line is at. Trace thru at that point and look for them conditional jumps and Comparisons. Well that wraps it up for this lesson. Any questions? well call ... THE ROACH MOTEL 818-369-2083 12/24/and 9600! USR HST! 100+ Megz Sysop : Black Flag Co's : Megaton Man (me) Eternal Warrior Lone Wolf Ask for Megaton Man. END. Line 199.