Indianapolis 500: A Second Approach
by ytc_ [tNO '99]

Target     | Indianapolis 500
URL        | Not available (but the target can be found in ORCPAK2.ZIP at +Greythorne's website)
Tools used | Softice v3.x (I'm using the WinNT version)
           | Hex editor (I used my previously cracked PSEdit v4.4 ;-)
Protection | Paper protection
Level      | Beginners/Newbies
Introduction

Hmm... I must be going mad, looking through +ORC's lessons and discovering my own techniques (which had actually been discovered before, but +he did not use them in his lessons). Anyway, I find this method much faster than the method introduced by +ORC. And one more thing: I used the same method introduced in my previous tutorial on pooldemo.exe (discovering the loop).
Essay

I will assume that you have already set up your copy of Softice and know how to use it well, including knowing what the shortcut function keys are (F8, F10, F11 and F12). If not, I suggest you read some other essays on how to set up Softice first before continuing. I will also assume that you have a fair knowledge of assembly language.

If you have read +ORC's Lesson 2: Tools and Tricks of the Trade, I am sure you frowned at how hard it is to follow the steps given. So here I present a better and faster method, which will SURELY bring us to the heart of the protection scheme.

Run indy.exe and bring up the screen where it asks you a question. Again, just like in my previous essays on DOS cracking, we need to find the magic loop which scans for key presses. So Ctrl-D into Softice, trace through the instructions, and follow a few ret instructions if necessary. You will quickly find the loop, which looks something like this:
0539:C04B 56          PUSH SI          <== beginning of loop
...
0539:C067 B406        MOV AH,06
0539:C069 B2FF        MOV DL,FF
0539:C06B CD21        INT 21           <== Direct Console Input
0539:C06D 5F          POP DI
0539:C06E 5B          POP BX
0539:C06F 7440        JZ C0B1          <== jumps until a key is pressed
0539:C071 0AC0        OR AL,AL         <== did user enter an extended key code (AL=00h)?
0539:C073 750A        JNZ C07F         <== jump if no
0539:C075 53          PUSH BX          <== if yes, repeat loop
...
0539:C07D EBE8        JMP C067
0539:C07F 3C08        CMP AL,08        <== is backspace key pressed?
0539:C081 7441        JZ C0C4          <== jump if yes
0539:C083 3C0D        CMP AL,0D        <== is Enter/Return key pressed?
0539:C085 7448        JZ C0CF          <== jump if yes
... routine to uppercase letters and append to end of string ...
0539:C0C2 EB87        JMP C04B         <== jump back to beginning of loop
0539:C0C4 0BDB        OR BX,BX
... erase last letter routine ...
0539:C0CD EBE2        JMP C0B1
0539:C0CF 32C0        XOR AL,AL        <== return to caller if Enter key is pressed
0539:C0D1 8801        MOV [BX+DI],AL   <== terminate entered string with 00h
0539:C0D3 5E          POP SI
0539:C0D4 8BF7        MOV SI,DI
0539:C0D6 C3          RET
For those who don't know it, here is the description of INT 21h, AH=06h, DL=FFh as used in the above piece of code (taken from Ralf Brown's Interrupt List):

INT 21 - DOS 1+ - DIRECT CONSOLE INPUT
        AH = 06h
        DL = FFh
Return: ZF set if no character available
            AL = 00h
        ZF clear if character available
            AL = character read
Notes:  ^C/^Break are NOT checked
        if the returned character is 00h, the user pressed a key with an
          extended keycode, which will be returned by the next call of this
          function
        this function reads from standard input, which is always the keyboard
          under DOS 1.x, but may be redirected under DOS 2+
        although the return of AL=00h when no characters are available is not
          documented, some programs rely on this behavior
Now we continue. Place a breakpoint at C0CFh (the XOR AL,AL that is only reached when Enter is pressed) and go back to the game. Enter a bogus answer and press the Enter key. You immediately pop back into Softice at the bpx you placed; follow the 'ret' instruction and you land here, just after the call to the input routine:

0539:BFDA 51          PUSH CX
0539:BFDB BE7335      MOV SI,3573
0539:BFDE E84500      CALL C026        <== call retrieve_input
0539:BFE1 8B1E2432    MOV BX,[3224]    <== you land here
0539:BFE5 8BBF28A5    MOV DI,[BX+A528] <== points DS:DI to encrypted answer
0539:BFE9 AC          LODSB            <== loads next byte of our bogus answer into AL
0539:BFEA B4FF        MOV AH,FF        <== prepare AH for decryption
0539:BFEC 2A25        SUB AH,[DI]      <== decrypt: AH = 0FFh - encrypted byte
0539:BFEE 47          INC DI           <== increase pointer
0539:BFEF 3AC4        CMP AL,AH        <== compare results
0539:BFF1 751A        JNZ C00D         <== jnz bad_cracker
0539:BFF3 0AC0        OR AL,AL         <== any more letters?
0539:BFF5 75F2        JNZ BFE9         <== repeat if yes
0539:BFF7 59          POP CX
0539:BFF8 B400        MOV AH,00
0539:BFFA 9A1F001812  CALL 1218:001F
0539:BFFF 9A1C001812  CALL 1218:001C
0539:C004 B80100      MOV AX,0001
0539:C007 9A85001812  CALL 1218:0085
0539:C00C C3          RET
0539:C00D 59          POP CX
0539:C00E E2CA        LOOP BFDA        <== loop until CX=0 (number of tries)
0539:C010 E994FA      JMP BAA7         <== jmp exit_game
BINGO!! Protection scheme found!! Looking at my comments, you should be able to see how your answer is compared to the real one: each byte of the stored answer at DS:DI is "decrypted" as 0FFh minus the byte and compared with the uppercased byte you typed, one character at a time, and the loop only falls through to the success code once the 00h terminator of your input has also matched (which means the stored answer ends in 0FFh). Note also that a wrong answer does not exit immediately: LOOP BFDA gives you CX tries before the jump to exit_game. By now you should also be able to figure out how to patch this code location so that your game accepts any answer. I will leave the patch for the readers to figure out themselves ;-). If you still can't figure it out, try reading my previous tutorials.
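To make the comparison loop at 0539:BFE9-BFF5 concrete, here is an added example (mine, not part of the original essay or of the game) that emulates it in Python and also does what you would do by hand after dumping DS:DI in Softice: decode the stored answer. The encrypted bytes below are constructed for illustration with the same 0FFh-minus-byte scheme and 0FFh terminator; the real answer has to be read from the game's memory.

```python
# Added example: emulation of the Indianapolis 500 answer check seen in
# Softice. Not the game's code; sample data is constructed.

SAMPLE_PLAIN = "EXAMPLE ANSWER"          # constructed, not the game's answer


def encrypt_answer(plain: str) -> bytes:
    """Inverse of the loop's decryption: store 0FFh - char for each
    (uppercased) character and terminate with 0FFh, so that the loop's
    0FFh - [DI] yields 00h exactly where the typed string ends."""
    return bytes(0xFF - ord(c) for c in plain.upper()) + b"\xff"


SAMPLE_ENC = encrypt_answer(SAMPLE_PLAIN)  # what you would see with 'd di'


def decrypt_answer(enc: bytes) -> str:
    """Recover the stored answer: AH = 0FFh - [DI] for every byte until the
    decrypted byte is 00h (the loop's OR AL,AL exit condition)."""
    out = []
    for b in enc:
        ch = (0xFF - b) & 0xFF
        if ch == 0:
            break
        out.append(chr(ch))
    return "".join(out)


def check_answer(typed: str, enc: bytes) -> bool:
    """Step-for-step model of BFE9-BFF5:
       LODSB / MOV AH,FF / SUB AH,[DI] / INC DI / CMP AL,AH / JNZ bad /
       OR AL,AL / JNZ repeat.
    The input routine at C04B uppercases the keys and terminates the string
    with 00h (MOV [BX+DI],AL at C0D1), so the same is done here."""
    si = typed.upper().encode("ascii") + b"\x00"   # DS:SI, our typed answer
    di = 0                                          # index into DS:DI
    for al in si:
        if di >= len(enc):          # ran past the stored answer: no match
            return False
        ah = (0xFF - enc[di]) & 0xFF  # MOV AH,FF ; SUB AH,[DI]
        di += 1                       # INC DI
        if al != ah:                  # CMP AL,AH ; JNZ C00D (bad_cracker)
            return False
        if al == 0:                   # OR AL,AL ; terminator matched too
            return True               # falls through to the success code
    return False


if __name__ == "__main__":
    print("stored answer decodes to:", decrypt_answer(SAMPLE_ENC))
    print("typed 'example answer' ->", check_answer("example answer", SAMPLE_ENC))
    print("typed 'bogus'          ->", check_answer("bogus", SAMPLE_ENC))
```

The two things worth taking away from the emulation are that the comparison is case-insensitive only because the input routine uppercases before the check, and that the terminator is compared as well, so an answer that is merely a prefix of the real one (or one character too long) fails at the last step rather than passing.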
Final Notes

As you can see, this type of protection scheme is still used in today's shareware, maybe improved a little, maybe encrypted some more. Nevertheless, it is important that newbies tackle OLD shareware with OLD protection schemes to grasp the main concepts before going on to higher levels. I've said this many times in my previous tutorials, and please, don't laugh... it was studying older versions of Paint Shop Pro that helped me crack the nag screen in the latest evaluation version (v5.01).
Greets

There are a lot of people that I know, so I'll just greet everyone, especially those in #tno, #win32asm, #cracking4newbies and #cracking at EFNet.
Email   : y_t_c@usa.net
Website : http://ytc98.cjb.net