Man I really wish people would use the
formamus.htm model when submitting an
essay... IT WOULD SPARE ME WORK! Please, if you intend to
contribute, read the rules and advices
before submitting your work!
MORE DOS4GW STUFF: CD ROM / 3DFX Cracking
28 February 1998, by
The_Gimp!
Courtesy of Fravia's page of
reverse engineering
Subject: Tutorial: Project 4 - CD ROM / 3DFX Cracking
MDK 3DFX EXECUTABLE PATCHED TO REMOVE THE CD CHECK - MORE DOS4GW STUFF
URL HTTP://WWW.3DFX.COM/FILES/PATCHES/MDK3DFX.ZIP also at WWW.SHINY.COM
More & more, 3DFX & its variants are fast becoming the 'de-facto' for any
serious gamers. When you experience the sheer quality & frame rate improvements
first-hand it's almost a let down to play a non-accelerated game again.
This is all well & good but by its very nature, the disk-intensiveness of many
modern games can cause real problems when you add the 'stupid' CD check routine
- ranging from "Please insert the XXXXX CD in drive X" messages regardless of
whether it's there or not, failures to play red-book audio to a complete game-crash
or system lock-up. (Carmageddon is one such example).
It is therefore in the spirit of "getting the thing to run the way it should"
as much as the spin-off benefit of a CD-less gameplay, that I submit this little
tutorial & would also suggest that a section be started - dedicated to 3DFX
cracking!
So, to work then.
Well, call me a plagurist or whatever, but for this little crack I used nothing
more than:
DOS's File Compare
Yamato's published essay from +ORC's lesson about DOS4GW CD cracking.
An old MDK Win95 exe file already patched to remove the CD check.
Hedit v2.00 (OK, but I'm used to it!)
W32Dasm 8.7 (cracked to my liking of course!)
Having read the essay I had an idea of what was going on with this protection
(that +ORC is an amazing guy, how does he work out all this cram?), so I decided
to dissasemble the cracked exe & compare it to the original just to see it for
myself.
Sure enough, just as the man said, there was a compare followed by the setting
of a flag of doom with an optional jump to freedom. Now the sneaky part, 3DFX
exe's are structurally quite similar to native Win95 exe's - ie: both utilise
DirectX & D3D etc.
With this in mind I decided to dissasemble the MDK3DFX.EXE file that I had
downloaded from 3DFX.COM earlier in the day. Again, sure enough, there were
many similarities including data object strings etc. To cut a long story short
all I did was to track down the protection routine by comparing the data & string
positions between the Win95 executable & the 3DFX executable. Having narrowed
it down I simply traced the dead-listing back to the point where the check began
& ensured that (with as little code alteration as possible vis-a-vis +ORC's
advice) it followd a route avoiding the dreaded "BADEXE" string - you can imagine
what that means eh?
Anyway, below is a small excerpt from the 'CD cracked Win95 exe' followed by
the dead-listing to crack the 3DFX target.
**************** NATIVE WIN95 EXECUTABLE CD-PROTECTION CRACK *******************
(COURTESY OF ANON)
****** mdk95-org.txt
:00401D83 833DA699530000 cmp dword ptr [005399A6], 00000000
:00401D8A 7409 je 00401D95
:00401D8C E85F650700 call 004782F0
****** mdk95-crk.txt
:00401D83 833DA699530000 cmp dword ptr [005399A6], 00000000
:00401D8A EB09 jmp 00401D95 ***THIS MAKES IT GO TO THE SETTING OF THE
:00401D8C E85F650700 call 004782F0 GOOD GUY FLAG ROUTINE & ON TO FREEDOM***
******
Obviously, if you people out there don't have a 3DFX card you can still use this
to patch the win95 exe.
***************** 3DFX EXECUTABLE CD-PROTECTION CRACK ****************************
(COURTESY OF THE_GIMP!)
* Possible StringData Ref from Data Obj ->"MISC\MDKFONT.FTI"
|
:00402860 B810B24800 mov eax, 0048B210
* Referenced by a Jump at Address:0040298A(U)
|
:00402865 E83A2F0200 call 004257A4
:0040286A 31FF xor edi, edi
:0040286C A174965300 mov eax, dword ptr [00539674]
:00402871 893DFC965300 mov dword ptr [005396FC], edi
:00402877 E824020000 call 00402AA0
:0040287C E8276D0100 call 004195A8
:00402881 E846310100 call 004159CC
:00402886 E8D5550000 call 00407E60
:0040288B E8DCF9FFFF call 0040226C
:00402890 31C0 xor eax, eax
:00402892 E865240700 call 00474CFC
:00402897 E8BD240700 call 00474D59
:0040289C E8BB0B0200 call 0042345C
:004028A1 E816B10100 call 0041D9BC
:004028A6 E871ED0200 call 0043161C
:004028AB E844240100 call 00414CF4 FLAG
:004028B0 833D0097530000 cmp dword ptr [00539700], 00000000 *** CHECK FOR CD ***
:004028B7 0F84D2000000 je 0040298F ***JNE*** CHANGE TO JUMP IF NO CD!
:004028BD E83E1C0700 call 00474500 ** ELSE NAG ME TO DEATH!
:004028C2 85C0 test eax, eax ** CHECK AGAIN - BUT WERE'RE ALREADY GONE!
:004028C4 0F85C5000000 jne 0040298F ** NOW IRRELEVANT **
******
****** LINES OF CODE
******
* Referenced by a Jump at Addresses:004028B7(C), :004028C4(C)
|
:0040298F 833DEC96530000 cmp dword ptr [005396EC], 00000000 ** MORE CHECKING **
:00402996 7532 jne 004029CA ** WE COULD FORCE THE JUMP HERE BUT LET'S
** LISTEN TO +ORC's ADVICE & LET IT ROLL! **
* Possible StringData Ref from Data Obj ->"rb"
|
:00402998 BA34B24800 mov edx, 0048B234
* Possible StringData Ref from Data Obj ->"MISC\FONTG.FTI"
|
:0040299D B838B24800 mov eax, 0048B238
:004029A2 E8BD940100 call 0041BE64
:004029A7 89C2 mov edx, eax
:004029A9 85C0 test eax, eax
:004029AB 7405 je 004029B2
:004029AD E8B7230700 call 00474D69
* Referenced by a Jump at Address:004029AB(C)
|
:004029B2 85D2 test edx, edx
:004029B4 7414 je 004029CA **JMP** HA! TIME TO FORCE THE JUMP - WE DO
NOT WANT TO GO DOWN THIS ROAD!!!
* Possible StringData Ref from Data Obj ->"BADEXE"
|
:004029B6 B848B24800 mov eax, 0048B248 *** BAD NEWS - DIE CD'LESS BANE!***
:004029BB E800220100 call 00414BC0 *** CUSSING ROUTINE ***
:004029C0 E85B050100 call 00412F20 *** MORE CUSSING ***
:004029C5 E900FFFFFF jmp 004028CA *** THE END OF LIFE! ***
* Referenced by a Jump at Addresses:00402996(C), :004029B4(C)
|
:004029CA B801000000 mov eax, 00000001 *** GOOD GUY! - HAVE A NICE FLAG! ***
:004029CF E828B00100 call 0041D9FC *** BLAH ***
:004029D4 E8478A0600 call 0046B420 *** BLAH ***
:004029D9 E88EF2FFFF call 00401C6C *** BLAH ***
:004029DE E9E7FEFFFF jmp 004028CA *** JUMP TO JOY! & PLAY MDK WITHOUT A CD
:004029E3 90 nop FOREVER & EVER MORE!!! ***
Well, there you go, patch away & enjoy! They say neccessity is the mother
of invention & I reckon I saved about 4 hours on a possibly fruitless
net-search for a 'ready-made' crack.
Laziness rules - even for crackers!
The_Gimp!
P.S.
Just in case any of you don't have it, here's the DOS version of the bytes
to patch:
Comparing files MDK-ORG.TXT and MDK-CRK.TXT
****** MDK-ORG.TXT
Disassembly of Linear Executable (LE) File: Mdk-ORG.exe
****** MDK-CRK.TXT
Disassembly of Linear Executable (LE) File: Mdk.exe
******
****** MDK-ORG.TXT
:0002E103 833D2AD20A0000 cmp dword ptr [000AD22A], 00000000
:0002E10A 7409 je 0002E115
:0002E10C E89FA60400 call 000787B0
****** MDK-CRK.TXT
:0002E103 833D2AD20A0000 cmp dword ptr [000AD22A], 00000000
:0002E10A EB09 jmp 0002E115 ******* DO IT HERE! *******
:0002E10C E89FA60400 call 000787B0
******
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note for Fravia:
If you feel this is NOT worthy for project 4, maybe +Gthorne can use it?
I previously submitted the 3D Game Menu newbie tutorial, you said you'd passed it on
but I didn't see it?
Regards,
The_Gimp!