The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / n_z / pirate3.003 < prev next >

Wrap

Text File | 2003-06-11 | 11.1 KB | 288 lines

*************************************************** *** Pirate Magazine Issue III-3 / File 3 of 9 *** *** Cracking Tips (Part 1) *** *************************************************** In this file: Jordan v. Bird Gauntlet Sierra Games Cracking is about learning computer programming, and the fun is in increasing skills. We've been sent some reprints of tips, and even if you have the programs, it's neat to make a backup copy and experiment. For some, these tips may be old hat, but for novices they show some of the basic techniques the that "pros" use. The more programing you know, the easier cracking is, and we recommend taking an intro course in your school. But most programs can be worked on using DOS DEBUG. Think of DEBUG like a text editor. The difference is that, instead of writing ASCII type stuff, you're working in BINARY files. Debug lets you "edit" (or alter) the contents of a program and then immediately re-execute to see if your changes worked. Before reading the following, check your DOS manual and read the DEBUG instructions. We've included old unprotects here for a reason: If you have some of these old programs laying around, dig them out and use them for practice. "Cracking" is one of the best (and most fun) ways to learn about what makes a program work. ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ^^^^^^^^^^^^^^^ We reprint the following tips by BUCKAROO BANZAI that beginners and intermediates should find helpful. ^^^^^^^^^^^^^^^^ **************************************** * B U C K A R O O B A N Z A I * * aka the Reset Vector * * * * presents * * * * Cracking On the IBMpc * * Part I * * * **************************************** Introduction ------------ For years, I have seen cracking tutorials for the APPLE computers, but never have I seen one for the PC. I have decided to try to write this series to help that pirate move up a level to a crackest. In this part, I will cover what happens with INT 13 and how most copy protection schemes will use it. I strongly suggest a knowledge of Assembler (M/L) and how to use DEBUG. These will be an important figure in cracking anything. INT-13 - An overview -------------------- Many copy protection schemes use the disk interrupt (INT-13). INT-13 is often use to either try to read in a illegaly formated track/sector or to write/format a track/sector that has been damaged in some way. INT-13 is called like any normal interupt with the assembler command which command to be used, with most of the other registers used for data. INT-13 Cracking Collage ----------------------- Although, INT-13 is used in almost all protection schemes, the easiest to crack is the DOS file. Now the protected program might use INT-13 to load some other data from a normal track/sector on a disk, so it is important to determine which tracks/sectors are inportant to the protection scheme. I have found the best way to do this is to use LOCKSMITH/pc (what, you don't have LS. Contact your local pirate for it.) Use LS to to analyze the diskette. Write down any track/sector that seems abnormal. These track are must likely are part of the protection routine. Now, we must enter debug. Load in the file execute a search for CD 13. Record any address show. If no address are picked up, this mean 1 or 2 things, the program is not copy protected (bullshit) or that the check is in an other part of the program not yet loaded. The latter being a real bitch to find, so I'll cover it in part II. There is another choice. The CD 13 might be hidden in self changing code. Here is what a sector of hidden code might look like -U CS:0000 1B00:0000 31DB XOR BX,BX 1B00:0002 8EDB MOV DS,BX 1B00:0004 BB0D00 MOV BX,000D 1B00:0009 3412 XOR AL,12 1B00:000D DF13 FIST WORD... to DF at location 1B00:0007. When you XOR DF and 12, you would get a CD(hex) for the INT opcode which is placed right next to a 13 ie, giving you CD13 or INT-13. This type of code cann't and will command. Finding Hidden INT-13s ---------------------- The way I find best to find hidden INT-13s, is to use a program called PC-WATCH (TRAP13 works well also). This program traps the interrupts and will print where they were called from. Once running this, you can just disassemble around the address until you find code that look like it is setting up the disk interupt. An other way to decode the INT-13 is breakpoint at the address give by PC-WATCH (both programs give the return address). Ie, -G CS:000F (see code above). When debug stops, you will have encoded not only the INT-13 but anything else leading up to it. What to do once you find INT-13 ------------------------------- Once you find the INT-13, the hard part for the most part is over. All that is left to do is to fool the computer in to thinking the protection has been found. To find out what the computer is looking for, examine the code right after the INT-13. Look for any branches having to do with the CARRY FLAG or any CMP to the AH register. If a JNE or JC (etc) occurs, then jump. If it is a CMP then just read on. Here you must decide if the program was looking for a protected track or just a normal track. If it has a CMP AH,0 and it has read in a protected track, it can be assumed that it was looking to see if the program had successfully complete the READ/FORMAT of that track and that the disk had been copied thus JMPing back to DOS (usually). If this is the case, Just NOP the bytes for the CMP and the corrisponding JMP. If the program just checked for the carry flag to be set, and it isn't, then the program usually assumes that the disk has been copied. Examine the following code INT 13 <-- Read in the Sector JC 1B00 <-- Protection found INT 19 <-- Reboot 1B00 (rest of program) The program carries out the INT and find an error (the illegaly formatted sector) so the carry flag is set. The computer, at the next instruction, see that the carry flag is set and know that the protection has not been breached. In this case, to fool the computer, just change the "JC 1B00" to a "JMP 1B00" thus defeating the protection scheme. NOTE: the PROTECTION ROUTINE might be found in more than just 1 part of the program Handling EXE files ------------------ As we all know, Debug can read .EXE files but cannot write them. To get around this, load and go about cracking the program as usual. When the protection scheme has been found and command) to save + & - 10 bytes of the code around the INT 13. Exit back to dos and rename the file to a .ZAP (any extention but .EXE will do) and reloading with debug. Search the program for the 20+ bytes surrounding the code and record the address found. Then just load this section and edit it like normal. Save the file and exit back to dos. Rename it back to the .EXE file and it should be cracked. ***NOTE: Sometimes you have to fuck around for a while to make it work. DISK I/O (INT-13) ----------------- This interrupt uses the AH resister to select the function to be used. Here is a chart describing the interrupt. AH=0 Reset Disk AH=1 Read the Status of the Disk system in to AL AL Error ---------------------------- 00 - Successful 01 - Bad command given to INT *02 - Address mark not found 03 - write attempted on write prot *04 - request sector not found 08 - DMA overrun 09 - attempt to cross DMA boundry *10 - bad CRC on disk read 20 - controller has failed 40 - seek operation failed 80 - attachment failed (* denotes most used in copy protection) AH=2 Read Sectors input DL = Drive number (0-3) DH = Head number (0or1) CH = Track number CL = Sector number AL = # of sectors to read ES:BX = load address output AH =error number (see above) AL = # of sectors read AH=3 Write (params. as above) AH=4 Verify (params. as above -ES:BX) AH=5 Format (params. as above -CL,AL ES:BX points to format Table) For more infomation on INT-13 see the IBM Techinal Reference Manuals. Comming Soon ------------ In part II, I will cover CALLs to INT-13 and INT-13 that is located in diffrents overlays of the program Happy Cracking..... Buckaroo Banzai <-------+-------> PS: This Phile can be Upload in it's unmodified FORM ONLY. PPS: Any suggestion, corrections, comment on this Phile are accepted and encouraged..... * * * * * * * * * * **************************************** * B U C K A R O O B A N Z A I * * aka the Reset Vector * * * * presents * * * * Cracking On the IBMpc * * Part II * * * **************************************** Introduction ------------ Ok guys, you now passed out of Kopy Klass 101 (dos files) and have this great new game with overlays. How the phuck do I crack this bitch. You scanned the entire .EXE file for the CD 13 and it's nowhere. Where can it be you ask yourself. In part II, I'll cover cracking Overlays and the use of locksmith in cracking. If you haven't read part I, then I suggest you do so. The 2 files go together. Looking for Overlays -------------------- I won't discuss case 1 (or at least no here) because so many UNP files are devoted to PROLOCK and SOFTGUARD, if you can't figure it out with them, your PHUCKEN stupid. If you have case 3, use the techinque in part I and restart from the beg. And if you have case 4, shoot your self. Using PC-Watch to Find Overlays ------------------------------- You Have Found the Overlays --------------------------- Locksmith and Cracking ---------------------- The copy/disk utility program Locksmith by AlphaLogic is a great tool in cracking. It's analyzing ability is great for determining what and where the protection is. I suggest that you get locksmith if you don't already have it. Check your local pirate board for the program. I also suggest getting PC-Watch and Norton Utilities 3.1. All of these program have many uses in the cracking world. Have Phun Phucker Buckaroo Banzai The Banzai Institute special thanks to the Honk Kong Cavliers Call Spectrum 007 (914)-338-8837 <-----<<END>>-----> ++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++ !