Hello all, I know there is already a tutor on Midtown MadNess by Black Check, but the way to crack it is not the same that he has chosen, and I will explain more things than he did about pasting our new dumped sections in cracked EXE :) I also assume you read his tut, and you know some things about the PE file format ...

Tools required

    - Midtown Madness Orginal CD (a 1:1 copy and the Laxity crack should do it too)
    - SoftICE 3.23
    - SoftICE Tool to patch SoftICE (used to dump sections)
    - ProcDump 1.5 (for PE Editor)
    - HexWorkshop
    - Frogsice (to hide SoftICE)
    - Exescope

After installing your little game, PE edit the ".ICD" files with ProcDump. (Start ProcDump, click on PE Editor, Browse to your ".ICE" file, there it is MIDTOWN.ICE). Now, you must see:

		     - Entry Point : 00166C10
		     - Image Base  : 00400000
Ok, we will need the OEP (Original Entry Point) later, so to calculate it just add the Image Base and the Entry Point you get in ProcDump: 00400000 + 00166C10 = 566C10

Now, click on the "sections" Button, to see all sections of the file:
You will only need to have the Virtual Offset, Raw Size and Raw Offset values!

                     - for the ".text" section :

                        Virtual Offset: 00001000 
                              Raw Size: 18D78F
                            Raw Offset: 600

                     - for the ".Rdata" section :

                        Virtual Offset: 0018F000
                              Raw Size: 14C99
                            Raw Offset: 18DE00

                     - for the ".data" section :

                        Virtual Offset: 001A4000
                              Raw Size: 3D8A4
                            Raw Offset: 1A2C00

                     - for the ".data1" section :

                        Virtual Offset: 00314000
                              Raw Size: 20
                            Raw Offset: 1E0600

                     - for the ".rsrc" section :

                        Virtual Offset: 00315000
                              Raw Size: CB3
                            Raw Offset: 1E0800
Now we will dump all the sections of the ".ICD" file, except the ".Rdata" (you will later know why ....). BTW, you need to add the Image Base to the virtual Offset of all sections:

     .text  : 400000 + 00001000 = 00401000
     .rdata : 400000 + 0018F000 = 0058F000
     .data  : 400000 + 001A4000 = 005A4000
     .data1 : 400000 + 00314000 = 00714000
     .rsrc  : 400000 + 00315000 = 00715000

Ok, now we're gonna dump all this sections (except the .rdata). For this, we will need to set a breakpoint on the EOP (566C10 for us). Btw, I assume you read the Black Check tutor, and you patched your FrogsICE to hide your SoftICE (TORN@DO's note: or use latest FrogsICE), else go and read the nice tut before ...

Start your (patched) FrogsICE, and run your original game. You will see a little video, at this time, switch to SoftICE (Ctrl+D), and set a BPX on the OEP. BPX 56CC10 for this game!

Press F5 to let the game continue running and close it after. Now, run it, and it normally breaks on 56CC10. If it doesn't, look if you set the BPX to the good place (bl: you must get something like this: #025F:56CC10). I assume it breaked, now you can dump all the sections. Before dumping however, disable all your BPX, since we don't want shit in our dumped sections ...

The pagein command works like this:

     pagein "address to dump start" "size" "file name"

So, just type the following in SoftICE:

     pagein 401000 18D78F c:\text.bin
     pagein 5A4000 3D8A4 c:\data.bin
     pagein 714000 20 c:\data1.bin
     pagein 715000 CB3 c:\rsrc.bin

Ok, this dumped the sections to our hard disk! Now, we have to do the "nice" part, which is of course dumping our rdata sections, but it is not like the others!

First of all, you have to get the real address of the fuction, so we will trace into the CALL to our rdata section.

After breaking, we land here:

          00566C10   PUSH    EBP               <-- we break here, on entry point
          00566C11   MOV     EBP,ESP
          00566C13   PUSH    FF
          00566C15   PUSH    005968D0
          00566C1A   PUSH    00566724
          00566C1F   MOV     EAX,FS:[00000000]
          00566C25   PUSH    EAX
          00566C26   MOV     FS:[00000000],ESP
          00566C2D   ADD     ESP, -5C
          00566C30   PUSH    EBX
          00566C31   PUSH    ESI
          00566C32   PUSH    EDI
          00566C33   MOV     [EBP-18],ESP
          00566C36   CALL    [0058F14C]        <-- this is the call in our rdata section,
                                                   trace it (F8)

In this CALL, we land here:

          009A6485     pushad
          009A6486     push 00000031              
          009A6488     push 00000000              ---> it's 0 for kernels and 1 for users ...
          009A6490     call [9A64A6]              ---> get the real address of the function
          009A6496     add esp, 8
          009A6499     popad
          .......      jmp [XXXXXXXX]

Trace this code, and you see the jmp [XXXXXXXX] becoming jmp [KERNEL32!GetVersion] ...
Ok, it's good, you are on the good way ;). We're near done about starting to code the CALL fixer!

Anyway, we need to know how many Kernels and users imports there is in this game! To do this, there are severals way, you can dissassemble the ".icd" with W32DASM and count them, you can trace in SoftICE too, or use the tool (like I did) EXESCOPE to see how many imports it has ...

In my midtown.icd, I have:

          - 127 kernels import
          - 042 users import

Ok, but we need to have this number in hexadecimal, because SoftICE uses only hexa value =)

   127 = 7Fh
    42 = 2Ah

My favourite parts starts now: Coding the CALL fixer. First of all, we don't have write access (read only access) to the Rdata section, so we will move the rdata section to the data section place ...

For coding the CALL fixer, I start to code at EOP place, so enable your BPX on it and run the game again. Wait until we break ... now we have to move the rdata section in data section place in memory.

To do this, just type:

     m "virtual offset of data section + image base" l "rdata size"M "data virtual offset"
         NOTE: For the data virtual offset, use a greater number, it's better ...
         5A4000 is our normal virtual offset, I've used 5B0000 (greater like i said)

So just type this:

     m 58F000 l 14C99 5B0000

Ok, now it's time for coding. You are at the line:

   566C10 PUSH EBP

We will code something looking like this:

          00 pushad
          01 push ebx
          02 push 0
          04 call [XXXXXXXX]
          0A add esp,8
          0D mov edx, XXXXXX 
          12 cmp eax,[edx] 
          14 je 20
          16 inc edx
          17 cmp edx, XXXXXX + XXXXX
          1D jne 12
          1F int 03       
          20 mov [edx],ecx
          22 popad
          23 inc ebx
          24 cmp ebx, XX  
          2A jne 00
          2C int 03
Type in SoftICE: A <enter>

And code:

          566C10   pushad
          566C11   push ebx
          566C12   push 0
          566C14   call [009A64A6]            <-- real address , we found this when we
          566C1A   add esp,8                  <-- traced in the call
          566C1D   mov edx, 5B0000            <-- address where we copied our .rdata
          566C22   cmp eax,[edx]              <-- section in
          566C24   je 566C40
          566C26   inc edx
          566C27   cmp edx, 5B0000 + 14C99    <-- adress where we copied our
          566C3D   jne 566C22                 <-- .rdata in + rdata size 
          566C3F   int 03                     <-- safty, if it found no match, break here.
          566C40   mov [edx],ecx    
          566C42   popad
          566C43   inc ebx
          566C44   cmp ebx, 7F                <-- number of api to fix 
          566C4A   jne 566C10
          566C4C   int 03

Now set EBX to 0 (R ebx 0) , set your EIP to line 0 (line 0 = 566C10 here , so R EIP 566C10) type "i3here on" and press F5 to run it. Normaly you should break at 566C4C ... Now set EBX back to 0, change line 02 (56CC12 here) to "push 1" and change line 24 to 'cmp ebx, user_import_number' (2A for us) and set EIP back line 0 (R EIP 566C10). Run it again. Normaly, all is ok now, it should break at 566C4C again. Now, we can dump our rdata section safely:

     pagein 5B0000 14C99 c:\rdata.bin

We've just to rebuild a working executable file. I tried ProcDump to import sections, but this bitch didn't change anything (TORN@DO's note: check new ProcDump ... Lucifer48 did something great), so I've imported my sections manually. I'll show you all how I've done it ;)
First of all, make a copy of the ".icd" file, for us: MIDTOWN.ICD, and rename it with the name you want, but with ".EXE" extension. E. g. damnit.exe

Now, start HexWorkshop, open the EXE, and open the 1st section we've dumped ... it was : c:\text.bin
It is now, you need the Raw offset of each section, I've written down in the first part of the tut. I'll recall them here, to help you understanding this crap :p

          for the ".text"  section: Raw Offset:    600      Size : 18D78F
          for the ".Rdata" section: Raw Offset: 18DE00      Size:   14C99
          for the ".data"  section: Raw Offset: 1A2C00      Size:   3D8A4
          for the ".data1" section: Raw Offset: 1E0600      Size:      20
          for the ".rsrc"  section: Raw Offset: 1E0800      Size:     CB3

Ok , you got all shits here! We want to do the 1st section ".text" so:

In HexWorkshop, press Alt + F5, enter the Raw offset of the section you want to paste (here: 600), and click on OK. Now select the edit menu, and click on "Select block" enter the size of the section (here: 18D78F). Now look at the other opened file (text.bin), and press 'Ctrl + A' to select all. Go back to the main executable window in HexWorkshop and paste the bytes you've just copied into the clipboard with 'Ctrl + V' (or edit menu , and paste). Save your file! GOOD ... you've just updated the '.text' section with our dumped section ;)

OK, I do another section import with you, and you will do the others using the same way!

2nd section : Rdata!

You can close the window 'text.bin', and open with HexWorkshop the file 'rdata.bin'. Click on the main exe window, press 'Alt + F5', enter the size of the Raw Offset of the rdata section (18DE00). Click on OK, select from the Edit Menu "Select block", enter the rdata size section (14C99). Look the window of rdata.bin, press 'Ctrl + A' to select all bytes, and go back to the main executable (damnit.exe) window in HexWorkshop. Now just copy & paste them with 'Ctrl + C'.

Ok, I think you've understood that now now. Just do the same with all sections and then save your executable. Now you may unload FrogsICE, because the anti-SoftICE is no longer in our rebuilded exe. Remove the original cd of midtown madness, and run 'damnit.exe' or 'whateverunameit.exe'.

WOW, the game run - very quickly - without this lame window, telling us to wait during the CD Verification ... and voila the game is runing very well =)

But to make a perfect executable, you've to rebuild the file's PE like it is mentioned in Black Checks tutorial:

If you try to run it on another Windows 9x Version. It will crash. It would only run on Win98, because the rdata section contained the address's of all the functions from win98 (can be only on win95 if you cracked it on win95). The addresses we put in the import table are only valid for the Windows version we cracked it on. Let's fix that:

     - Start Procdump (very good job G-RoM :)
     go to Options and select:

     [v] Recompute Object Size
     [v] Optmize PE Structure

     [X] Use actual import infos
     Then click on the OK button ...

Now we've to rebuild the file, click on Rebuild PE and browse to your cracked file (damnit.exe). Procdump produces for us a valid import table and our executable is now fixed - and perfect!
(I hope so ;p ) it should run on all win9x version ...

C-Dilla SafeDISC Cracking (Black Check)
"The SAFEDISC technology is comprised of three key features:

(1) an authenticating digital signature
(2) encryption that protects the content and
(3) anti-hacking software.

During premastering, the content is encrypted and carries with it authentication instructions. A unique SAFEDISC digital signature issubsequently added to the title during mastering. When a user plays an original disc, the authentication software reads the digital signature allowing the program to be decrypted and to play normally. SAFEDISC also includes anti-hacking technology that prevents the compromise of its security features. The anti-hacking technology is designed to not only deter casual copying, but also to provide strong resistance to DESTRUCTIVE hackers and commercial pirates."

From the SafeDISC homepage:

Hhmm ... let's be DESTRUCTIVE.

As you probably know Safedisc is another comercial protection by C-Dilla. Protected CDs always have the files CLOKSPL.EXE and DPLAYERX.DLL in the root. Our target is Midtown Madness [German]. There is a Generic Crack by Pedro [Laxity], but i don't like inserting CDs in my drive just for playing a game :-)

The executables consist of two parts. One is just the loader (MIDTOWN.EXE) and then there is always a *.ICD file that contains the encrypted original EXE. When the game is run the loader decrypts itself and the game EXE using a key on the CD. What we have to do is to dump the decrypted EXE to disc and fix it.

Tools required

    - Midtown Madness Orginal CD (a 1:1 copy and the Laxity crack should do it too)
    - SoftICE for W9x
    - ProcDump 1.4
    - ADump
    - Frogsice 0.14
    - W32Dasm
    - knowledge of the PE format
    - some time, nerves and a brain


1. Eliminating the Anti Softice Code
SafeDISC uses two well known SICE detection methods. The first one is known as 'MeltICE' and has been released by David Eriksson. It just calls CreateFileA with the SICE Drivers

    "\\.\NTICE" (not important in this case)

First I passed this with a SoftICE Macro:

    macro NOSICE ="d @(esp+4);e @(esp+4) 0;x;"


    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' do "nosice"

This works fine, but it's too slow. This crap is called about a hundred times! Another disadvantage is that you can't set breakpoints on CreateFileA anymore. If anyone knows better please e-mail me.

The solution is much more simple. Just open MIDTOWN.EXE and search for 'ss' (ASCII) you'll find something like that:


Just change 'ss' to 'xx' or whatever. You have to do this with 'DPLAYERX.DLL', too. The CreateFile checks are now out, but if you run the game with SoftICE loaded it just crashes. Seems like there is another check. I played around with BPINT 2F, 41 etc. but nothing. It uses INT 68:

      425205:  xor eax, eax
      425207:  mov ax, 4300
      42520B:  int 68
      42520D:  mov [ebp-9c], eax
      425213:  cmp eax, 4300
      425218:  jz blablabla...
Don't try to patch this. There's a tool around called FrogsICE. Once you load it you get a blue screen everytime it detects Anti SoftICE INTs. FrogsICE has an option to fool the programm but this won't work because INT 68 returns 0x4300 in eax when SoftICE is not loaded. FrogsICE returns 0x0000, so we'll have to patch FrogsICE:

    - open FROGSICE.VXD
    - search for 60 80 7D 1D 43
    - change the first byte to C3 (ret)

FrogsICE will now handle all CALLs to INT 68 correctly without popping up all the time :-) Well the game now runs fine with SoftICE loaded. Let's get to the annoying part.

2. Rebuilding the Encrypted Executable
The enycrypted EXE contains the following objects:

      Object01: .text    RVA: 00001000 Offset: 00000400 Size: 0018D800 Flags: 60000020
      Object02: .rdata   RVA: 0018F000 Offset: 0018DC00 Size: 00014E00 Flags: 40000040
      Object03: .data    RVA: 001A4000 Offset: 001A2A00 Size: 00030000 Flags: C0000040
      Object04: .data1   RVA: 00314000 Offset: 001D2A00 Size: 00000200 Flags: C0000040
      Object05: .rsrc    RVA: 00315000 Offset: 001D2C00 Size: 00000E00 Flags: 40000040

      .text    -> encrypted
      .rdata   -> contains the Import Data. Invalid since it only points to SafeDISC routines
      .data    -> encrypted
      .data1   -> encrypted
      .rsrc    -> not encrypted (very honest... )
2.1 Dumping the .text section
IMPORTANT! Be sure to replace that damn Microsoft AVI file, you will see it some times ... :-)

Run the game. Don't forget to load FrogsICE and wait until you get to the main menu. Now minimize it and run ProcDump. Dump the whole process (MIDTOWN.ICD) with standard options. HexEdit your dump and copy the .text section to another file. If you don't know how to do this, stop reading and get some info on the PE File format (or think a bit). You can get the Object Infomation by disassembling MIDTOWN.ICD since the PE header isn't crypted.

Note that the Raw Offsets of the sections aren't the same in the dump. They're moved by 0x200 bytes. In our dump of MIDTOWN.ICD the .code section begins at 0x600 NOT at 0x400 !!!

2.2 Dumping the .data sections
As you can guess the .data sections are modified when the game runs. So we need them in an 'untouched' state.

Set a BPX on the Programm Entrypoint of MIDTOWN.ICD (not MIDTOWN.EXE!). You can get it out of the PE Header, or with W32Dasm. You have to be sure that you're in MIDTOWN.ICD when setting it.

Press Ctrl-D while the AVI plays. Make sure that the process string on the bottom right is MIDTOWN. Now set your BPX (566C10). Run the game again and wait until SoftICE pops up. Now halt the Programm by assembling 'EB FE' to current EIP. It should look like this:

   566C10: EB FE      jmp 566c10
Now press F5 and dump the whole process with standard options again. Copy the .data and .data1 sections to another file. Remember the 0x200 bytes. You can kill the tasks now with ProcDump.

Now make a copy of MIDTOWN.ICD and call it WHATEVERULIKE.EXE
Paste your dumped sections. What about the .rdata section you're asking? Read on and cry ...

3. A bitch called .rdata
The .rdata section once contained addresses of the imported DLL's used by MIDTOWN.EXE. But when SafeDISC messed it up it changed them to point to SafeDISC routines that CALL the DLL functions. Theese SafeDISC routines are in DPLAYERX.DLL and depend on the correct CD Signature. Since this crap isn't loaded in our rebuilded EXE it just crashes when it tries to call a DLL.

Run the protected EXE again. Enable your breakpoint on the entry point and step into the first API CALL.

Now you're not in GetVersion but in the SafeDISC routine:

   push 00000031               --> the number of the imported function
                               --> if this value is too large the call crashes.

   push 00000000               --> number of imported dll
   call [9b6146]               --> get the real address of the function
   add esp, 8
   jmp[09b6140]                --> and jump there
This code pushes the numbers of the function and the DLL and then CALLs a routine that returns the real address in ECX and the wrong reference in the .rdata section in EAX. Debug a little till you understand. Then come back.

As i figured out only the two first DLLs are handled this way (KERNEL & USER). The import data for the others is ok. Now you have to find out how many imported functions there are. You can count them in W32Dasm (please be smarter).

There are 0x106 KERNEL32.DLL imports. The number of USER32.DLL imports doesn't matter because we can let the programm crash afterwards.

Now load Adump. With the 'r' command you get the address where you can start dumping to. For me this is 82ABD000. Now start the EXE and stop at the SafeDISC function. Copy the .rdata section to Adump Start Address + 1000:

    -m 58f000 l 14e00 82abe000

Set your EIP to 82ABD000 and SoftICE-assemble this:

   -a 82abd000
   @1:   push ebx           ----> manually set EBX to 0 !!!!!!
         push 00000000      ----> DLL number - you have to change this later !
         call [9b6146]      ----> get values into EAX and ECX
         mov  edx, 58f000   ----> this is the address of the .rdata section
   @2:   cmp dword ptr[edx], eax  ; search for entry
         je @3
         inc edx
         cmp edx, 5a3dfd    -----> |    14e00h       + 58f00h        - 3 |
                                   | size of .rdata  + offset rdata  - 3 |
         je  @4
         jmp @2
   @3:   sub edx, 58f000    -----> rdata adr.
         add edx, 82abe000  -----> Adump Start Address +1000h
         mov [edx], ecx            ; put the real Address into our new .rdata
   @4:   inc ebx
         cmp ebx, 106       -----> number of exports from KERNEL32
         jnz @1
   @5:   jmp @5             -----> stop here
This will CALL the SafeDISC routine with every function number as a parameter. The correct Address is returned in ECX. The wrong index in the .rdata section is in EAX. Now it just searches the .rdata in Memory for the incorrect reference and puts the real value from ECX to the .rdata block we copied to Adump Memory.

The values mentioned above are correct for my version of Midtown Madness. If you're working on another game you must compute them yourself.

Now let our little proggie run. Wait a little. If you did it right nothing should crash. Go back into SoftICE. The cursor should be on @5.

Now set EBX back to 0. Set EIP back to @1. And change the PUSH 00000000 to PUSH 00000001. Run again. The programm will crash because we pushed a value too large in EBX. That's ok.
We have what we wanted >:)

Now go back to Adump and write our .rdata section to disc. Paste it into our rebuilded EXE. Start it and kiss your screen! IT WORKS !!!!!!

4. Making it a little more compatible
Well our rebuilded EXE runs fine. But it's still not perfect. Just try running it on another Windows 9x version. It will crash. Why? The addresses we put in the import table are only valid for the Windoze version we ran it on. Normally the OS puts theese values there when the EXE is loaded. Since we put them there by hand other Win9x will crash. Let's fix that:

      - start ProcDump (i really love it!)
      - go to Options
      - select:

                [v] Recompute Object Size
                [v] Optmize PE Structure
                [ ] Use actual import infos

      - click on Rebuild PE
      - choose our rebuilded EXE
ProcDump will now generate a valid import table. Our rebuild is now perfect. Eject the ugly original CD and enjoy how fast the game starts :))!


You can safely delete theese 'Safe'DISC-bullshit files:

    CLOCKSPL.EXE (very nice icon)

86 MB less crap on your drive :)

This tutorial is dedicated to Sir Gambit (ich warte auf dich, du Arsch!)

