Midnights Hackers Private Club
Where members or hackers groups come to exchange ideas, and show off skills.

**** A Cracking Guide For Advanced Amateurs Part II ****

An Article By: The Psychopath

TABLE OF CONTENTS
-------------------
I.   Introduction and Overview
II.  Types of Cracks
     A) Doc Check with a small Loader
     B) Doc Check with a complex Loader
III. Closing Remarks

--------------------------------------------------------------------------------

Introduction:

This is my third edition on cracking tutorials. This one will provide more information on the art of cracking as usual, and will provide a comparison of 2 similar doc checks that vary in difficulty. Take the learning process slow, and just let it come to you. Remember, don't try tackling too much at once. Experience is the best teacher.

Just a friendly little reminder here... ALWAYS, ALWAYS make backup copies of the programs before you tamper with them with your debuggers and sector editors, because if you screw up and write to your only copy, you're plain outta luck holmes.

Cracking programs used in this issue:

DOS Debug

Acquire this if you don't already have it. This is the basic cracking tool, and is my favorite. There are some advanced debuggers out there with menus and fancy features, but when they fail, debug will come through for ya. But of course, having the other debuggers can be handy at times, so I suggest finding them if you don't already have them. Some good ones to get are:

Turbo Debugger (2.0 or greater)
Soft Ice (2.5 or greater)
Code View

I will no longer tell you how to access a debug command, so here's the last time that I will refresh your memory as to what they are. If you don't know what they mean by now, then you should go back and re-read my previous articles.
Command                              Function
------------------------------------------
*A [address]                         Assemble
 C range address                     Compare
 D [range]                           Dump
 E address [list]                    Edit
 F range list                        Fill
*G [=address [address...]]           Go
 H value value                       Hex
 I value                             Input
 L [address [drive:record record]]   Load
 M range address                     Move
 N filename [filename]               Name
 O value byte                        Output
*P [=address][value]                 Proceed
*Q                                   Quit
*R [register-name]                   Register
*S range list                        Search
*T [=address][value]                 Trace
*U [range]                           Unassemble
*W [address [drive:record record]]   Write

[* Indicates the only ones you need worry about for now. They are the main commands that you use. Basically, you will enter the letter command and then press Return (Enter). Addresses only need to be specified based on necessity (for example, you could just enter G and it would execute; specifying an address would set a break point, i.e. run the program up to that address). For P and T, just enter the letter name and press Enter. It's quicker.]

Further explanation of the commands is provided in your DOS users manual. Read it for yourself.

--------------------------------------------------------------------------------

Cracking Documentation Checks With Game Loaders:

Okay, the most common form of copy protection is the documentation check. Doc checks are usually at the beginning of the software, with a few exceptions (some being in the middle or at the end). They range in variety from simple text questions, to having graphic and mouse interfacing. They, of course, range in difficulty from being extremely easy to being near impossible. In this issue, we're going to take a look at a programmer's attempt to cause frustration for us crackists. Sometimes you'll come upon a game that will have you run one program, which will in turn run the main program. And of course, you have to run the first (loader) program or the game won't work right.
Well, this poses a problem with debugging, for you can only load in one program at a time, and most likely you won't be able to trace through one program to get to the other, so how do we get to the copy protection and remove it? Well let's go through two sample cracks and find out for ourselves eh. Hopefully you remember what types of copy protection ASSEMBLY commands to look for, and how to counteract them, cause I won't refresh your memory for you....you'll have to re-read the past articles if you forgot.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Software Name: Gateway to the Savage Frontier
Software Company: S.S.I. & Beyond Software

Here is a walk through for cracking a simple attempt at a loader along with a simple doc check. This should be easy to follow, so let's get going eh.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Find an uncracked copy of Gateway to the Savage Frontier. Now then, you'll notice that there is a batch file entitled START.BAT. This is what we run to load in the game. Well, let's see what it's doing. Type the batch file out. You should see this:

@echo off
start1
if errorlevel 1 goto end
go
:end

Now, if we run this batch file, it will execute START1.EXE which will allow you to specify your graphics, sound, mouse, etc. etc., and when that's done, it returns to the batch file, where you'll notice GO.BAT is then executed. Let's look at GO.BAT and see what it's doing. You'll see something similar to this (depending on the graphics and sound and such that you selected):

ibmsnd
game UseStart
ibmsnd U

Notice that the UseStart is a parameter specification on the game. If we try running GAME.EXE it will tell us to run start. Well, this is so simple it's not even funny. Notice what start does. It sets up your system specifications, then loads in the game. That UseStart parameter is the key to the whole thing.
Instead of typing just "debug game.exe" specify the parameter as well (this will happen quite often with games that use parameters. They must be specified in the debugger if you want them loaded in). Type "debug game.exe UseStart" (and the capital/lower case letters ARE significant in the parameter settings). Now, we're ready to begin.

Start proceeding. At CS:0037 CB RETF, you'll do a far return to a new code segment address, at CS:0038, here you'll proceed on. You'll hit a bunch of comparison jumps that will keep looping you around till you eventually get to CS:00DE, where you can start proceeding forward again. ('Course if you're smart you'll just take my advice and jump from CS:0038 to CS:00DE and proceed from there). Next you'll come to:

CS:00FE 2E        CS:
CS:00FF FF2F      JMP FAR [BX]

Proceed through this and you will be at a new code segment address at CS:0019, where you will find a long series of CALL statements. Start proceeding through them. You'll hit some that will load in the graphics and the title screen and such (if you press control-C when the Beyond Software screen appears, it will skip the intro screens). You should eventually come to:

CS:01CE CALL 1303:002A

This address calls in the option that will ask you if you want to PLAY the game or view a DEMO. We of course, want to play, so select play and press enter. Now, proceed on. It will eventually bring you up to this address:

CS:0208 JNZ 0216
CS:020A CMP BYTE PTR [5D8E],00
CS:020F JNZ 0216

Now, we've already selected that we want to play the game, so what do you think this comparison means? Could it be that it's determining whether or not to load in the doc check? Well I do believe so. If you don't believe me, proceed on. You'll hit a CALL statement at CS:0211 that will load in the copy protection. So how do we remove this? Well, what I suggest doing is changing the jump at CS:0208 to read:

CS:0208 JMP 0216
This will tell the program to jump directly to CS:0216, thus skipping over the copy protection completely. Now, wasn't that simple. Just save the changes and you're done.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Software Name: Time Quest
Software Company: Legend

Here is a walkthru for cracking a more complex loader that calls in a moderately difficult doc check.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Obtain an uncracked copy of Time Quest, and prepare your debuggers. Okay, here's the situation. The main part of the game is in the file TIMEMAIN.EXE, but we have to run TQ.EXE in order to play the game. If you try running TIMEMAIN.EXE, it will (as I mentioned) tell you to run TQ.EXE to load the game. So what do we do? Unlike the previous sample crack, there are no parameters that are displayed that we could load into the debugger. The TQ.EXE file loads in part of the title screen, and determines your graphics and sound modes, so we're in a bad situation.

If you try debugging TQ.EXE to get to TIMEMAIN.EXE, the following will happen. You'll eventually reach the part where a CALL statement loads in TIMEMAIN.EXE. The program will take control or lock up. So naturally, you try tracing through, till you get to another CALL statement that does the same thing. You'll keep doing this until you get to the INT-21 that loads in the TIMEMAIN.EXE, and it will lock up there....if you trace through, it will take you to a part of the program that you don't ever want to tamper with. You'll be where it makes all the jump comparisons for all the INT-21's. Proceeding through this area will most likely bring up a message like "System Halted. Can Not load Command.com" so now we're stuck....or are we?

Now think for a minute and get creative. TQ.EXE somehow loads in TIMEMAIN.EXE. So what if we can trick TIMEMAIN.EXE into thinking that TQ.EXE has already been run?
All we'll do in the process is leave out the Legend Software title screen. And, hopefully, we'll enact the default settings, which will bring in CGA graphics. This will make it easier to see what's going on, because with the CGA graphics, it's in black and white, and very simple structure, which is what we want when stepping through a debugger. So, let's get started.

Load TIMEMAIN.EXE into your debugger and start proceeding. You should come to:

CS:0548 JMP 29B1:09A2

where you will proceed through, jumping to a new code segment address. Keep proceeding on. You'll come to CS:0A20 where you'll then be kicked into a new code segment address. Proceeding on will just bring you back to CS:0A21, so instead of going through all that, jump to CS:0A21 before you reach CS:0A20, and then keep proceeding. After you reach the following:

CS:0A41 CALL 232E:1AFB

Trace through here, and keep going (proceeding through this call statement will terminate the program and bring up that message telling you to run TQ.EXE first). Keep proceeding till you come to the following:

CS:1B12 CALL 18CA

Trace through here, and keep going (proceeding through will have the same result as the above mentioned). Now, you'll soon see the following:

CS:18D6 CMP WORD PTR [BP+06],+09
CS:18DA JZ 18F6

If we just proceed through these, the program will soon terminate as above mentioned, but if we jump to 18F6, the game will start to load, so let's fix this by changing CS:18DA to be the following:

CS:18DA JMP 18F6

Note, that this change is not to be permanent. It is merely a temporary change to allow us to load in the game so we can make the permanent change to the copy protection. Now then, proceed on. You'll hit a CALL statement that will switch to the graphics mode, then you'll eventually reach:

CS:1AFA RETF

Proceed through this, and you'll return back to CS:1BC5. Proceed on.
You will hit a few calls along the way that will load in the screens, and eventually you'll reach:

CS:1C68 CALL 1F6F:188B

This will call in the option that lets you type in a command, so type in the following commands in this order (and note, that after you press enter, you'll be back in the debugger. Instead of proceeding on, which will eventually bring you back to CS:1C68, just go to 1C68 again and proceed through. It will wait for you to input another command. Keep doing this until you've input all the commands).

wait
wait
w
open drawer
take card
enter interkron
put card in slot
timeset rome 44

Now, after entering the last command, (DO NOT JUMP back to 1C68 again) proceed on. You will eventually come to:

CS:2496 CALL 0D40

Trace through this call statement (proceeding through will bring up the doc check). Now, proceed on until you eventually come to:

CS:106E CALL 1B46:05C5

Trace through here (for the same reason as mentioned above), and then proceed on and you'll eventually reach:

CS:05F5 CS:
CS:05F6 JMP [BX+0B14]

Proceed through this (If you ever try jumping (with the go command) to a two part jump statement like this, make sure you go to the address with the "CS:" and not the JMP, otherwise you will screw up the program and it will jump you to the wrong place). Trace through:

CS:09FC CALL 1CA7:1520

Now, proceed on till you come to:

CS:160C CALL 45EA:1F8E

Trace through this, and then trace through the call statement that you immediately come upon, which is:

CS:1F8E CALL 4537:0307

If you proceed through this, it will try to access your floppy drive, because it won't be able to find the overlay file, so trace through it. Now, proceed on till you get to CS:0379, where you will be taken back to CS:1F95, now keep proceeding on, and you will go through a series of jump compare statements, if you keep going on, you will eventually hit:

CS:029F CALL 1E35:000C

This is where the doc check will pop up. These jump comparisons are the key to the doc check.
If you notice, at:

CS:029D JNZ 02B5

Here, is where it makes an obviously important comparison. Why is it important you ask, well because look at what happens. If the value it's comparing is zero, it proceeds on to CS:029F, where the doc check comes in, so what happens if the value is not zero? Well, let's find out. Change CS:029D to read:

CS:029D JMP 02B5

and then proceed on. You will soon hit a CALL statement that will give a message displayed only after you pass the doc check, thus we know we made it to the right area. So just make that change at CS:029D permanent. And just to give you a little hint, the change you need to make will have to go in the overlay file. So, now we're done. Wasn't so tough after all now was it.

** Notice. This cracking scenario for Time Quest was done without any saved games. Having saved games will affect the debugging process. You will have a few other detours along the way before you get to CS:1C68, so either try it on your own, if you have saved games, or move your saved games to a different directory and try it without them first. It'll be easier. **

--------------------------------------------------------------------------------

Hopefully this will aid you on your quest to become a crackist. And remember, don't get in over your head by attempting to crack something difficult, 'cause it won't help ya at all, G.

Laterz...

- The Psychopath
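Editor's addendum. Both walkthroughs end at the same shape of check: a conditional jump (CS:0208 JNZ 0216 in the first game, CS:029D JNZ 02B5 in the second) guarding a CALL that brings up the doc check, and the fix in both is to turn that JNZ into a JMP. The Python below is an added example, not code from the article or from either game. It lays out a constructed 16-bit code fragment in the shape of the first listing, decodes the two-byte short jumps, shows that the edit the article describes is a single opcode byte (75h to EBh, displacement unchanged), and then shows the defender's side: a CRC over the code bytes that a loader could verify before transferring control, which flags the altered byte. All offsets, bytes and the checksum are constructed for the example; the CALL target bytes are a placeholder.

```python
"""Constructed example: the JNZ-to-JMP edit at a doc-check branch, and a checksum that detects it."""
import zlib

JNZ_REL8 = 0x75   # x86 opcode: JNZ rel8 (2-byte short conditional jump)
JMP_REL8 = 0xEB   # x86 opcode: JMP rel8 (2-byte short unconditional jump)


def rel8_displacement(instr_offset: int, target: int) -> int:
    """Displacement byte for a 2-byte short jump at instr_offset that lands on target."""
    disp = target - (instr_offset + 2)          # relative to the next instruction
    if not -128 <= disp <= 127:
        raise ValueError("target not reachable with an 8-bit displacement")
    return disp & 0xFF


def decode_short_jump(code: bytes, offset: int):
    """Return (mnemonic, target) for a JNZ/JMP rel8 at offset, or None if neither is there."""
    op = code[offset]
    if op not in (JNZ_REL8, JMP_REL8):
        return None
    disp = code[offset + 1]
    if disp >= 0x80:                            # sign-extend the 8-bit displacement
        disp -= 0x100
    return ("JNZ" if op == JNZ_REL8 else "JMP", offset + 2 + disp)


def build_segment() -> bytes:
    """Constructed code fragment laid out like the article's listing:
         0208 JNZ 0216
         020A CMP BYTE PTR [5D8E],00
         020F JNZ 0216
         0211 CALL far   (the doc check; target bytes are a placeholder)
         0216 ...        (game continues)
    Everything else in the fragment is zero padding."""
    seg = bytearray(0x0220)
    seg[0x0208:0x020A] = bytes([JNZ_REL8, rel8_displacement(0x0208, 0x0216)])
    seg[0x020A:0x020F] = bytes([0x80, 0x3E, 0x8E, 0x5D, 0x00])   # CMP BYTE PTR [5D8E],00
    seg[0x020F:0x0211] = bytes([JNZ_REL8, rel8_displacement(0x020F, 0x0216)])
    seg[0x0211:0x0216] = bytes([0x9A, 0x00, 0x00, 0x00, 0x00])   # CALL seg:off, placeholder target
    return bytes(seg)


def make_branch_unconditional(code: bytes, offset: int) -> bytes:
    """The edit the article describes: swap the opcode byte, keep the displacement."""
    if code[offset] != JNZ_REL8:
        raise ValueError("no JNZ rel8 at that offset")
    patched = bytearray(code)
    patched[offset] = JMP_REL8
    return bytes(patched)


def changed_offsets(original: bytes, modified: bytes) -> list:
    """Offsets whose byte differs; shows the edit is exactly one byte."""
    return [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]


def code_checksum(code: bytes) -> int:
    """CRC-32 over the code bytes; a loader would record this value at build time."""
    return zlib.crc32(code) & 0xFFFFFFFF


def integrity_ok(code: bytes, expected_crc: int) -> bool:
    """Defender's side: refuse to transfer control if the code image was altered."""
    return code_checksum(code) == expected_crc


if __name__ == "__main__":
    original = build_segment()
    shipped_crc = code_checksum(original)          # value recorded when the program was built
    patched = make_branch_unconditional(original, 0x0208)
    print("before:", decode_short_jump(original, 0x0208), original[0x0208:0x020A].hex())
    print("after: ", decode_short_jump(patched, 0x0208), patched[0x0208:0x020A].hex())
    print("bytes changed:", [hex(o) for o in changed_offsets(original, patched)])
    print("integrity check on shipped bytes:", integrity_ok(original, shipped_crc))
    print("integrity check on altered bytes:", integrity_ok(patched, shipped_crc))
```

Run it directly to see the before/after decode. The integrity check is the point for anyone writing a loader today: a protection that rests on one CMP/JNZ pair, with nothing verifying the bytes it lives in, is a single-byte change away from being bypassed, which is why modern loaders hash or sign the whole code image rather than trust one branch.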