>>best viewed in 1024*768 with your favourite text editor<<
Free Information Xchange presents:
Klingon Honor Guard v1.0 - CD crack by R!SC - 0A/0C/62 (10th Dec 98 !)
REQUIREMENTS:
Hex editor
W32Dasm
Let's get started then. The game came on two CDs, and I didn't like the look of that: 1.2 GB of
data? I checked the first CD: a 140 MB install file and 140 MB of video. I checked the second CD: 353 MB
of videos! Things are looking nicer now. Once the game is installed it doesn't really need any data
off the CDs, so let's kill that nasty CD check.
Install the game, take out the CD and load KHG (you know what I mean). It doesn't ask for a CD.
Select 'NEW' game, 'Single Player' ;), and up comes 'Insert the KHG CD into the CD-ROM'. That's the
message we want. It's not a Windows message box, so this one might be tricky. There's no point in
searching for that message under the String Data References, so we check the Function imports for
'GetDriveTypeA' instead ((nearly) always used in CD protection: it returns 5, DRIVE_CDROM, for a CD
drive). Hmm, the game uses the 'Unreal' engine, and in Unreal the CD protection was in 'Window.dll',
so I loaded that into W32Dasm and looked under imports for 'GetDriveTypeA': nothing there. In a patch
for Unreal they moved the protection into 'Unreal.exe', so I checked 'Klingons.exe': nothing there
either. I checked a few more DLLs and found a call to 'GetDriveTypeA' in 'windrv.dll'. BOOM! Make a
copy of 'windrv.dll', load the copy into W32Dasm, click on functions/imports, scroll down until you
get to KERNEL32.GetDriveTypeA, double click on it, and again, and again. If you paid attention there
are two refs to this function; the first one is ours. The second one is the import thunk, a
'jmp dword ptr [...]' through the import table that just forwards to the real routine in kernel32,
not code we care about. I don't know how to explain it, except like this: CALL=good (our actual
code) JMP=bad (the stub into the Windows kernel code). OK?
* Possible StringData Ref from Data Obj ->"CdPath" <-- Interesting?
|
:10A0533C 68001BA110 push 10A11B00
* Possible StringData Ref from Data Obj ->"Engine.Engine"
|
:10A05341 68401CA110 push 10A11C40
:10A05346 AA stosb
* Reference To: Core.?GetConfigString@@YAHPBD0PADH0@Z, Ord:01B1h
|
:10A05347 FF15D048A110 Call dword ptr [10A148D0]
* Possible StringData Ref from Data Obj ->"C:\" <-- common string in CD protection routines
|
:10A0534D BFFC1AA110 mov edi, 10A11AFC
:10A05352 83C9FF or ecx, FFFFFFFF
:10A05355 33C0 xor eax, eax
:10A05357 83C414 add esp, 00000014
:10A0535A F2 repnz
:10A0535B AE scasb
:10A0535C F7D1 not ecx
:10A0535E 2BF9 sub edi, ecx
:10A05360 8D542410 lea edx, dword ptr [esp+10]
:10A05364 8BC1 mov eax, ecx
:10A05366 8BF7 mov esi, edi
:10A05368 8BFA mov edi, edx
:10A0536A C1E902 shr ecx, 02
:10A0536D F3 repz
:10A0536E A5 movsd
:10A0536F 8BC8 mov ecx, eax
:10A05371 8D442410 lea eax, dword ptr [esp+10]
:10A05375 83E103 and ecx, 00000003
:10A05378 50 push eax
:10A05379 F3 repz
:10A0537A A4 movsb
:10A0537B 8B8D0C010000 mov ecx, dword ptr [ebp+0000010C]
:10A05381 8A9160040000 mov dl, byte ptr [ecx+00000460] <-- first char of the CdPath string (the same
<-- field is fed to "%snotcd.txt" further down)
:10A05387 88542414 mov byte ptr [esp+14], dl <-- overwrite the 'C' of the "C:\" copy on the
<-- stack with that drive letter
* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh <-- Call that got us here.
|
:10A0538B FF15C04AA110 Call dword ptr [10A14AC0] <-- GetDriveTypeA("X:\") for the CD drive letter
:10A05391 83F805 cmp eax, 00000005 <-- 05=CD-ROM
:10A05394 7435 je 10A053CB <-- If it finds a CD-ROM, it jumps
<-- to 10A053CB, we want this to happen!
<-- so we change this to a JMP (EB35)
* Possible StringData Ref from Data Obj ->"mpbad" <-- Not Good (heh!)
:10A05396 68F41AA110 push 10A11AF4
:10A0539B 53 push ebx
* Reference To: Core.?Logf@FOutputDevice@@QAAXPBDZZ, Ord:024Dh
|
:10A0539C FF15A448A110 Call dword ptr [10A148A4] <-- this bit sez screw you, you ain't got no CD
* Reference To: Core.?GSystem@@3PAVFGlobalPlatform@@A, Ord:01A3h
|
:10A053A2 8B0D7848A110 mov ecx, dword ptr [10A14878]
:10A053A8 83C408 add esp, 00000008
:10A053AB 8B11 mov edx, dword ptr [ecx]
* Possible StringData Ref from Data Obj ->"CDK = DriveRoot"
|
:10A053AD 68E01AA110 push 10A11AE0
:10A053B2 68FA020000 push 000002FA
:10A053B7 52 push edx
* Reference To: Core.?Logf@FOutputDevice@@QAAXW4EName@@PBDZZ, Ord:024Eh
|
:10A053B8 FF159048A110 Call dword ptr [10A14890]
:10A053BE 83C40C add esp, 0000000C
:10A053C1 B801000000 mov eax, 00000001 <-- Say we failed CD-Check by putting
:10A053C6 E997030000 jmp 10A05762 <-- a 1 in eax and jumping to exit call
Well, this is quite good: it checks for a CD-ROM; if it finds one it jumps to 10A053CB, and if not it
puts a '1' in EAX and then asks you for the CD. OK. Take the conditional jump after cmp eax, 00000005
(make sure the blue bar is on it and push cursor right, or use the button at the top). We get to
the code below. Have a look at it.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10A05394(C)
|
:10A053CB 8B850C010000 mov eax, dword ptr [ebp+0000010C] <-- jump that said we had a
<-- CD brought us here
* Reference To: Core.?appSprintf@@YAHPADPBDZZ, Ord:033Dh
|
:10A053D1 8B358848A110 mov esi, dword ptr [10A14888]
:10A053D7 0560040000 add eax, 00000460
:10A053DC 8D4C241C lea ecx, dword ptr [esp+1C]
:10A053E0 50 push eax
* Possible StringData Ref from Data Obj ->"%snotcd.txt" <-- well, nice of them wasn't it?
|
:10A053E1 68D01AA110 push 10A11AD0
:10A053E6 51 push ecx
:10A053E7 FFD6 call esi
:10A053E9 83C40C add esp, 0000000C
:10A053EC 8D54241C lea edx, dword ptr [esp+1C]
:10A053F0 6A00 push 00000000 <-- hTemplateFile = NULL
:10A053F2 6880000000 push 00000080 <-- dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
:10A053F7 6A02 push 00000002 <-- dwCreationDisposition = CREATE_ALWAYS
:10A053F9 6A00 push 00000000 <-- lpSecurityAttributes = NULL
:10A053FB 6A01 push 00000001 <-- dwShareMode = FILE_SHARE_READ
:10A053FD 6800000040 push 40000000 <-- dwDesiredAccess = GENERIC_WRITE
:10A05402 52 push edx <-- lpFileName = "<CdPath>notcd.txt"
* Reference To: KERNEL32.CreateFileA, Ord:0031h <-- Try to create a file for writing on the
| <-- drive that GetDriveTypeA returned 5 for
:10A05403 FF15C44AA110 Call dword ptr [10A14AC4]
:10A05409 83F8FF cmp eax, FFFFFFFF <-- FFFFFFFF (-1) = INVALID_HANDLE_VALUE = failed
:10A0540C 7434 je 10A05442 <-- CD-ROMs are READ ONLY, so if we
<-- couldn't create a file on it, it must be
<-- a CD-ROM (change this to a JMP)
<-- (EB34)
* Possible StringData Ref from Data Obj ->"mpbad"
|
:10A0540E 68F41AA110 push 10A11AF4
:10A05413 53 push ebx
* Reference To: Core.?Logf@FOutputDevice@@QAAXPBDZZ, Ord:024Dh
|
:10A05414 FF15A448A110 Call dword ptr [10A148A4]
:10A0541A A17848A110 mov eax, dword ptr [10A14878]
:10A0541F 83C408 add esp, 00000008
:10A05422 8B08 mov ecx, dword ptr [eax]
* Possible StringData Ref from Data Obj ->"CDK = CanWrite" <-- we don't want this?
|
:10A05424 68BC1AA110 push 10A11ABC
:10A05429 68FA020000 push 000002FA
:10A0542E 51 push ecx
* Reference To: Core.?Logf@FOutputDevice@@QAAXW4EName@@PBDZZ, Ord:024Eh
|
:10A0542F FF159048A110 Call dword ptr [10A14890]
:10A05435 83C40C add esp, 0000000C
:10A05438 B801000000 mov eax, 00000001 <-- Say we failed CD-Check by putting
:10A0543D E920030000 jmp 10A05762 <-- a 1 in eax and jumping to exit call
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10A0540C(C)
|
:10A05442 8D54241C lea edx, dword ptr [esp+1C] <-- we get here if we couldn't 'CreateFileA'
:10A05446 689432A110 push 10A13294
:10A0544B 52 push edx
:10A0544C FFD6 call esi
:10A0544E 8B850C010000 mov eax, dword ptr [ebp+0000010C]
:10A05454 83C408 add esp, 00000008
:10A05457 0560040000 add eax, 00000460
:10A0545C 8D4C241C lea ecx, dword ptr [esp+1C]
:10A05460 50 push eax
* Possible StringData Ref from Data Obj ->"%sbuildup.avi" <-- one of the files on CD 2
|
:10A05461 68AC1AA110 push 10A11AAC
:10A05466 51 push ecx
:10A05467 FFD6 call esi
* Reference To: Core.?appFSize@@YAHPBD@Z, Ord:0311h <-- check the size??
|
:10A05469 8B3DCC48A110 mov edi, dword ptr [10A148CC]
:10A0546F 83C40C add esp, 0000000C
:10A05472 8D54241C lea edx, dword ptr [esp+1C]
:10A05476 52 push edx
:10A05477 FFD7 call edi
:10A05479 83C404 add esp, 00000004
:10A0547C 85C0 test eax, eax
:10A0547E 0F8F97000000 jg 10A0551B <-- if that passed, jump to 10A0551B
:10A05484 A17848A110 mov eax, dword ptr [10A14878]
* Reference To: Core.?Logf@FOutputDevice@@QAAXW4EName@@PBDZZ, Ord:024Eh
|
:10A05489 8B2D9048A110 mov ebp, dword ptr [10A14890]
<-- otherwise do this bit...
* Possible StringData Ref from Data Obj ->"CDK = GPFNF" <-- GPFNF=general protection fault xx
| <-- (probably) not what we want...
:10A0548F 689C1AA110 push 10A11A9C
:10A05494 68FA020000 push 000002FA
:10A05499 8B08 mov ecx, dword ptr [eax]
:10A0549B 51 push ecx
:10A0549C FFD5 call ebp
:10A0549E 83C40C add esp, 0000000C
:10A054A1 8D54241C lea edx, dword ptr [esp+1C]
:10A054A5 689432A110 push 10A13294
:10A054AA 52 push edx
:10A054AB FFD6 call esi
:10A054AD 83C408 add esp, 00000008
:10A054B0 8D442410 lea eax, dword ptr [esp+10]
:10A054B4 8D4C241C lea ecx, dword ptr [esp+1C]
:10A054B8 50 push eax
* Possible StringData Ref from Data Obj ->"%sintro.avi"
|
:10A054B9 688C1AA110 push 10A11A8C
:10A054BE 51 push ecx
:10A054BF FFD6 call esi
:10A054C1 83C40C add esp, 0000000C
:10A054C4 8D54241C lea edx, dword ptr [esp+1C]
:10A054C8 52 push edx
:10A054C9 FFD7 call edi
:10A054CB 83C404 add esp, 00000004
:10A054CE 85C0 test eax, eax
:10A054D0 7F30 jg 10A05502
* Possible StringData Ref from Data Obj ->"mpbad"
Right then, the CD routine returns a '1' in eax if it failed (i.e. NO CD); otherwise it does
whatever and returns a '0' in eax, so we can either take all the jumps it makes for a good CD check, or
we should be able to put a '0' in eax and jump to the exit routine. Well, I can't be bothered to
find out, so we take the jumps. The last conditional jump we had in the CD check for a good CD was the size check:
:10A0547E 0F8F97000000 jg 10A0551B
Change this to a jmp. This being a long jump, change the 0F8F97000000 to 90E997000000: a near jmp
(E9 rel32) is one byte smaller than a near conditional jump (0F 8F rel32), so we put a 90 (nop) at the
start to keep the instruction the same length. The rel32 displacement stays the same because both the
old jg and the new jmp end at the same address, and a relative jump is measured from the end of the
instruction.
Right, load 'windrv.dll' into your hex editor. Double click on the 'je 10A053CB' below the ref to
"GetDriveTypeA" in W32Dasm and at the bottom of the screen you'll see the file offset to hex-edit in the
program (W32Dasm translates the virtual address into the raw offset in the file; the two differ because
a section is loaded at a different address from where it sits on disk). Mine was 00004794. Back in the
hex editor, go to 00004794 and change the 7435 (je) to EB35 (jmp). W32Dasm again: double click
'je 10A05442' after the reference to 'CreateFileA', check the offset, back into your hex editor and
change the 7434 (je) to EB34 (jmp). W32Dasm again! Double click the 'jg 10A0551B' after the ref to
'Core.?appFSize', check the offset, and change the '0F8F97' to '90E997' (nop; jmp 10A0551B). Before
each write, make sure the bytes the hex editor shows at that offset are exactly the ones W32Dasm showed;
if they aren't, the offset is wrong and you'll corrupt some other instruction. Save your file in the hex
editor, run the game and BOOM! You can play with no CD.
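The offset W32Dasm prints at the bottom of the screen is the result of walking the PE section table: subtract the image base from the virtual address to get an RVA, find the section containing that RVA, and add the difference to the section's raw file pointer. The script below does that conversion with the standard library only. It is an added example, not part of this tutorial or of the game; the PE image it parses is constructed inline (DOS stub, PE signature, COFF header, PE32 optional header and one .text section header), and its ImageBase of 10A00000 and its .text mapping (virtual address 1000 at raw offset 400) are assumptions chosen so that the tutorial's three virtual addresses map to the tutorial's three offsets, not values read from the real windrv.dll.

```python
"""Map a virtual address shown by a disassembler to the raw file offset to patch.
Added example; the sample PE image is constructed here, not the real windrv.dll."""
import struct


def pe_sections(data: bytes):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts after the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    first = opt + opt_size                   # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = first + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data: bytes, va: int) -> int:
    """Translate a loaded virtual address into the offset of the same bytes in the file."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError(f"{va:08X} lies in the uninitialised part of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:08X} is not inside any section")


def build_sample_image() -> bytes:
    """Constructed minimal PE32 (assumed layout, not the real windrv.dll): one .text
    section at VA 1000 / raw 400, ImageBase 10A00000, so the tutorial's VAs map to its offsets."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                          # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x210E)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10A00000)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x20000, 0x1000, 0x20000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    img = build_sample_image()
    for va in (0x10A05394, 0x10A0540C, 0x10A0547E):
        print(f"VA {va:08X} -> file offset {va_to_file_offset(img, va):08X}")
```

To use it on the real DLL, read the file into `data` and call `va_to_file_offset(data, 0x10A05394)`; always confirm the bytes at the returned offset match the disassembly before patching, since a relocated or different build will map elsewhere.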
edit windrv.dll (offsets are in hex)
=======================================
Search for: 74 35 at offset 4794
Change to : EB --
Search for: 74 34 at offset 480C
Change to : EB --
Search for: 0F 8F 97 00 00 00 at offset 487E
Change to : 90 E9 -- -- -- --
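The patch list above can be applied mechanically, and doing so by script avoids the two classic hex-editor mistakes: writing to the wrong offset, and patching a file twice. The script below is an added example, not R!SC's own patcher. It encodes the three edits as (offset, original bytes, reason), refuses to write unless the original bytes are present, and rewrites each conditional jump into an unconditional one of the same length: a 2-byte Jcc rel8 becomes EB rel8, and a 6-byte Jcc rel32 becomes 90 E9 rel32 with the displacement untouched. The file name 'windrv.dll' and the zero-filled stand-in buffer it falls back to are assumptions so the script runs offline.

```python
"""Apply the windrv.dll CD-check patches to a copy of the file, checking the original
bytes first. Added example; the fallback buffer is constructed, not the real DLL."""
import os


def branch_to_jmp(insn: bytes) -> bytes:
    """Rewrite one conditional jump into an unconditional jump of identical length."""
    if len(insn) == 2 and 0x70 <= insn[0] <= 0x7F:
        # Jcc rel8 (e.g. 74 35 = je) -> EB rel8 (jmp): same size, same displacement.
        return bytes([0xEB, insn[1]])
    if len(insn) == 6 and insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        # Jcc rel32 (e.g. 0F 8F = jg) is 6 bytes; jmp rel32 (E9) is 5. A leading nop (90)
        # keeps the length, and because both end at the same address the rel32 is unchanged.
        return bytes([0x90, 0xE9]) + insn[2:]
    raise ValueError(f"not a conditional jump: {insn.hex()}")


# (file offset, bytes W32Dasm showed there, what the flipped branch pretends)
PATCHES = [
    (0x4794, bytes.fromhex("7435"),
     "je 10A053CB after GetDriveTypeA: always act as if drive type 5 (CD-ROM) came back"),
    (0x480C, bytes.fromhex("7434"),
     "je 10A05442 after CreateFileA: always act as if the write test failed (read-only media)"),
    (0x487E, bytes.fromhex("0F8F97000000"),
     "jg 10A0551B after appFSize: always act as if buildup.avi was found with size > 0"),
]


def apply_patches(data: bytes, patches=PATCHES) -> bytes:
    """Return a patched copy, or raise if any offset does not hold the expected bytes."""
    buf = bytearray(data)
    for off, orig, why in patches:
        found = bytes(buf[off:off + len(orig)])
        if found != orig:
            raise ValueError(f"offset {off:X}: expected {orig.hex()} but found "
                             f"{found.hex() or '<EOF>'} ({why})")
        buf[off:off + len(orig)] = branch_to_jmp(orig)
    return bytes(buf)


def sample_image() -> bytes:
    """Constructed stand-in for windrv.dll: zeros with the original bytes at the three offsets."""
    buf = bytearray(0x5000)
    for off, orig, _ in PATCHES:
        buf[off:off + len(orig)] = orig
    return bytes(buf)


def patch_file(src: str = "windrv.dll", dst: str = "windrv.nocd.dll") -> str:
    """Patch src into dst (never in place) and return dst."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(apply_patches(data))
    return dst


if __name__ == "__main__":
    if os.path.exists("windrv.dll"):
        print("wrote", patch_file())
    else:
        out = apply_patches(sample_image())
        for off, orig, _ in PATCHES:
            print(f"{off:04X}: {orig.hex()} -> {out[off:off + len(orig)].hex()}")
```

Running it a second time on the patched output fails the byte check instead of silently turning EB 35 into something else, which is exactly the behaviour you want from a patcher; keep the unpatched copy so you can diff the two files and confirm only the 2 + 2 + 2 changed bytes differ.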
Another tutorial comes to an end and another game has been FiX'ed!
happy cracking love R!SC -- risc@notme.com