WarLords 3 Cd-Check

("A Very Simple Protection")

by +-=Riddler=-+

(24 September 1997)

---

Courtesy of fravia's page of reverse engineering

Well, another interesting essay about CD-rom protections reverse engineering

	This is my first cd-check protection and it was quite easy I have
to say...I was reading Aesculapius's Cd-Check Essay on Virtua Fighter
when I decided to try this. 

	WarLords3 is a game published by Red Orb entertainment and I 
obtained this copy from a warez site...I wanted to try it since I heard 
it was a warcraft II type game. Anyway I decided to download it, I saw 
it was released by a group called Paradigm.  So let's get down to busines.

	Anyway so I unrar the program and install it and when I go to run 
it... I find that I get a message that says "CD not found Please insert 
the Warlords III cd before starting the game". 
Ok, So obviously this program was not cracked correctly or someone
didn't include the crack with the program. So I had two options at this
point. 
Either we could look on the internet and beg for a crack or we could do 
what we should be doing and crack this ourselves. Obviously we are going 
to crack it ourselves.

	Let's begin by loading up war3.exe into W32dasm and begin our 
conquest to defeat the ties that bind us to obey software companies. 
Once War3.exe is dissasembled we have several options. One being the fact 
that we could search for the text... But the fact is that it shows up 
several times and this is not the best method at all. 
We are going to search for GetLogicalDrives but why not GetDriveType you
ask... Well it is NOT going to be the culprit in this case due to the fact 
that when you set a breakpoint on GetDriveType it doesn't break anytime 
before the screen that says to enter the cd. 
So It must be GetLogicalDrives and in fact if you set a breakpoint
you will see it break. Now searching threw the dissembled text you 
will notice that for example that GetLogicalDrives only shows up once. 
I have a good feeling that this indeed will be very easy. 
Now about a paragraph above the kernel32.dll call you will
see that it was called by only one location that will indeed be the 
only check for the cd at startup. Ok now if you trace the call back from 
the GetLogicalDrives call you will find that the following code:

* Referenced by a CALL at Addresses:00441CFB   , :00441D6C   
|
* Possible StringData Ref from Data Obj ->"E"
                                  |
:00436E40 685CC24C00              push 004CC25C
:00436E45 E856090000              call 004377A0
:00436E4A 83C404                  add esp, 00000004
:00436E4D A258C24C00              mov byte ptr [004CC258], al
:00436E52 C3                      ret
		
Ok now we know that the call at "00436E45" will obviously be the checking
code. If you notice at Code Data location "00436E4D" that whatever is in 
al will be moved to memory location "004CC258". Then after that return code 
from al into the memory location we return program control to the calling 
function. Ok in this case we are going to go to code data location "00441CFB". 
At that location we find the following code:

* Referenced by a CALL at Address:004BE928   
|
:00441CD0 64A100000000            mov eax, dword ptr fs:[00000000]
:00441CD6 55                      push ebp
:00441CD7 8BEC                    mov ebp, esp
:00441CD9 6AFF                    push FFFFFFFF
:00441CDB 68E61D4400              push 00441DE6
:00441CE0 50                      push eax
:00441CE1 64892500000000          mov dword ptr fs:[00000000], esp
:00441CE8 33C0                    xor eax, eax
:00441CEA 83EC08                  sub esp, 00000008
:00441CED B94E9E0000              mov ecx, 00009E4E
:00441CF2 56                      push esi
:00441CF3 57                      push edi
:00441CF4 BFB8645000              mov edi, 005064B8
:00441CF9 F3                      repz
:00441CFA AB                      stosd
:00441CFB E84051FFFF              call 00436E40 <-call cd-checking function :00441D00 803D58C24C0000 cmp byte ptr [004CC258], 00 <-was the cd in drive??? :00441D07 0F8582000000 jne 00441D8F <-If it was, continue :00441D0D 8D4DF0 lea ecx, dword ptr [ebp-10] <-Nag them about cd! Ok so now by studying this code "that.class" tppabs="http://fravia.org/that.class" is commented will can very easily see that if the cd was in the drive "al" will load "004CC258" with "1" if it wasn't it will load "004CC258" with "0". Ok so as I was taught there is more than one way to crack or solve a protection scheme in any program. We could easily change the "jne 00441D8F" with jmp 00441D8F" therefore it will always jump to the good code or we could just as easily hardwire the value that is put into "004CC258" at "call 00436E40" by putting "1" into that location and removing the "al". For this solution I changed the "jne 0041D8F" to "jmp 0041D8F" due to the fact that if you notice the call to "00436E40" that code segment is called by another part of the code...It could in fact cause problems there...So we are going to patch it that way. I hope that everyone has enjoyed this essay, I hope to have more in the future. Please feel free to e-mail me at: Riddler@oceansintl.com Take Care, +-="Riddler=-+" 

Back to Project 4 ("CD-Rom protections")
homepage links anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_fravia
Is reverse engineering legal?