Arcade Pool Demonstration
A Second Approach
by ytc_ [tNO '99]

Target: Arcade Pool Demonstration version
URL: Not available (but the target can be found in ORCPAK1.ZIP at +Greythorne's website)
Tools used: Softice v3.x (I'm using the WinNT version)
Hex editor (I used my previously cracked PSEdit v4.4 ;-)
Protection: Nag Screen/2 Minutes Limit
Level: Beginners/Newbies
Introduction

Looking at +ORC's tutorial, I thought, "Geez, this is hard." So I devised a second approach which is not mentioned in +his lesson to defeat this 2-minute time limit, and I feel that this is a MUCH quicker and BETTER way. I wonder if this will earn me the missing lessons ;-).

Essay

I will assume that you have already set up your copy of Softice and know how to use it well, including knowing what the shortcut function keys are (F8, F10, F11 and F12). If not, I suggest you read some other essays on how to set up Softice first before continuing. I will also assume that you have a fair knowledge of assembly language.

If you have read +ORC's Lesson 1: An Approach, I am sure you frowned at how hard it is to follow the steps given. So, here I have thought of a better and faster method, which will SURELY bring us to the heart of the protection scheme, that is, the 2-minute counter.

Run pooldemo.exe and let the 2 minutes go by till you see the 'time is up' nag (eeww...ugly). At this moment, you notice that the only way to remove the nag is by clicking one of the two buttons with your mouse. A-hah! Time to formulate a plan. If a nag waits for a mouse click, there should be some kind of loop which detects it. From there, we can follow the 'ret' instructions and eventually land RIGHT AFTER the 'call nag_screen' instruction. So, fire up Softice and start tracing to find the loop, following the 'ret' instructions if necessary.

Now, there is one piece of code which puzzles me; I couldn't figure out the logic behind it. I am very sure that you will find this part of the code too.

0539:86A8  3A0624A7            CMP     AL,[A724]
0539:86AC  74FA                JZ      86A8
0539:86AE  E8D702              CALL    8988

Isn't that loop extremely puzzling? How is it going to break out of that loop and continue, since the memory location at A724h cannot be written over? Anyway, I just skipped over this part by typing 'g 86AE' in Softice and continued tracing from there. Eventually, you will reach this piece of code.

0539:1FB1  E8065C              CALL    7BBA <== beginning of loop
0539:1FB4  8B3EB002            MOV     DI,[02B0]
0539:1FB8  8B7502              MOV     SI,[DI+02]
0539:1FBB  57                  PUSH    DI
0539:1FBC  E82400              CALL    1FE3
0539:1FBF  5E                  POP     SI
0539:1FC0  8B5C04              MOV     BX,[SI+04]
0539:1FC3  FFD3                CALL    BX
0539:1FC5  E8BC1E              CALL    3E84
0539:1FC8  E8FF09              CALL    29CA
0539:1FCB  E89166              CALL    865F
0539:1FCE  E8A9FF              CALL    1F7A
0539:1FD1  833EA402FF          CMP     WORD PTR [02A4],-01
0539:1FD6  74D9                JZ      1FB1 <== jump to beginning of loop
0539:1FD8  C7069501FFFF        MOV     WORD PTR [0195],FFFF
0539:1FDE  8F06A402            POP     WORD PTR [02A4]
0539:1FE2  C3                  RET

You should land somewhere around the 'call' instructions from line 1FC3h to 1FCEh. You have found the loop (1FB1h to 1FD6h). Place a breakpoint outside the loop and press F5 to get back to the game (I placed one on 1FD8h). Click on any of the 'buttons' and you should pop back immediately into Softice. Follow the 'ret' instruction and you should land here.

0539:07DC  53                  PUSH    BX
0539:07DD  1E                  PUSH    DS
0539:07DE  07                  POP     ES
0539:07DF  8BF0                MOV     SI,AX
0539:07E1  BF0F70              MOV     DI,700F <== DS:SI points to string "Yes, play"
0539:07E4  B90600              MOV     CX,0006
0539:07E7  F3A5                REPZ MOVSW
0539:07E9  5E                  POP     SI
0539:07EA  BF1C70              MOV     DI,701C <== DS:SI points to "No, Exit"
0539:07ED  B90600              MOV     CX,0006
0539:07F0  F3A5                REPZ MOVSW
0539:07F2  E8346A              CALL    7229
0539:07F5  741D                JZ      0814
0539:07F7  BED500              MOV     SI,00D5
0539:07FA  E8A217              CALL    1F9F
0539:07FD  833E3A0200          CMP     WORD PTR [023A],00 <== you land here
0539:0802  750A                JNZ     080E
0539:0804  F606980210          TEST    BYTE PTR [0298],10
0539:0809  7403                JZ      080E
0539:080B  E87531              CALL    3983
0539:080E  833E3A0200          CMP     WORD PTR [023A],00
0539:0813  C3                  RET
0539:0814  B80100              MOV     AX,0001
0539:0817  0BC0                OR      AX,AX
0539:0819  C3                  RET

This is very familiar!! The strings "Yes, Play" and "No, Exit" are actually the 'buttons'! This means we are now INSIDE the nag creation routine, and the 'CALL 1F9F' at line 07FAh retrieves the mouse-click. Following the 'ret' instruction once more, you land here.

0539:0A8A  813E20A7201C        CMP     WORD PTR [A720],1C20 <== counter!!!
0539:0A90  7C07                JL      0A99 <== conditional jump!!!
0539:0A92  E834FD              CALL    07C9 <== call nag_screen
0539:0A95  7555                JNZ     0AEC <== you land here

BINGO!! A very typical time limit protection scheme using the JL conditional jump!! The memory location at A720h is of course the 'counter' storage, and 1C20h represents the 2 minutes. Need I say more? ;-) Open pooldemo.exe with your favourite hex editor and change 'JL 0A99' to 'JMP 0A99'. Or you might want to follow +ORC's advice and increase the time limit instead. Just to make sure, let's try playing the cracked version until it exceeds the 2 minutes. Did it work? Yes!!
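To check the annotations in the listings above by hand, here is a small decoder, added as an example and not part of ytc_'s essay: it handles only the opcodes that appear in the listings (CALL rel16, JZ/JNZ/JL/JMP rel8, RET and CMP WORD PTR [mem],imm), resolves the relative displacements against the next instruction's offset, and flags backward jumps, which is how the 1FB1h-1FD6h loop and the 0A8Ah-0A95h check can be verified. It assumes flat 16-bit offsets inside the single code segment 0539h.

```python
# Added example (not from ytc_'s essay): decode the few 16-bit x86 opcodes that
# appear in the listings above and resolve their relative targets. Offsets are
# 16-bit offsets within code segment 0539h; unhandled opcodes decode to None.

def _s8(b):   # sign-extend a one-byte displacement
    return b - 0x100 if b & 0x80 else b

def _s16(w):  # sign-extend a two-byte displacement
    return w - 0x10000 if w & 0x8000 else w

# opcode -> (mnemonic, instruction length); displacement is relative to the NEXT IP
RELATIVE = {0xE8: ("CALL", 3), 0x74: ("JZ", 2), 0x75: ("JNZ", 2),
            0x7C: ("JL", 2), 0xEB: ("JMP", 2)}

def decode(offset, hexbytes):
    """Return (mnemonic, operand text) for the instruction at `offset` whose
    bytes are given as a hex string, or None if the opcode is not handled."""
    b = bytes.fromhex(hexbytes)
    op = b[0]
    if op in RELATIVE:
        mnem, length = RELATIVE[op]
        disp = _s16(int.from_bytes(b[1:3], "little")) if length == 3 else _s8(b[1])
        target = (offset + length + disp) & 0xFFFF
        return mnem, f"{target:04X}"
    if op == 0xC3:
        return "RET", ""
    if op in (0x81, 0x83) and b[1] == 0x3E:   # CMP WORD PTR [mem16],imm (ModRM /7)
        mem = int.from_bytes(b[2:4], "little")
        imm = int.from_bytes(b[4:6], "little") if op == 0x81 else _s8(b[4]) & 0xFFFF
        return "CMP", f"WORD PTR [{mem:04X}],{imm:04X}"
    return None

def backward_branches(listing):
    """[(branch_offset, target)] for every jump in `listing` (a list of
    (offset, hexbytes) pairs) whose target lies at or before it, i.e. the
    loops the essay hunts for while tracing."""
    found = []
    for off, hx in listing:
        d = decode(off, hx)
        if d and d[0] in ("JZ", "JNZ", "JL", "JMP") and int(d[1], 16) <= off:
            found.append((off, int(d[1], 16)))
    return found

# Branch and call lines of the essay's 1FB1h-1FE2h listing, copied from the page.
MAIN_LOOP = [(0x1FB1, "E8065C"), (0x1FBC, "E82400"), (0x1FC3, "FFD3"),
             (0x1FD1, "833EA402FF"), (0x1FD6, "74D9"), (0x1FE2, "C3")]

if __name__ == "__main__":
    for off, hx in MAIN_LOOP:
        print(f"{off:04X}  {hx:<12} {decode(off, hx)}")
    print("backward branches:", backward_branches(MAIN_LOOP))
```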

Final Notes

Another interesting DOS cracking session (my second one actually) ;-). I feel embarrassed to mention how many thousand times I tried to follow the steps given in +ORC's lesson without success. And I am very sure that I am not the only one either. Anyway, I hope this tutorial can help beginners grasp the basic concept of attacking nag screens or time-limit demos.

Greets

There are a lot of people that I know, so I'll just greet everyone, especially those in #tno, #win32asm, #cracking4newbies and #cracking at EFNet.

Email: y_t_c@usa.net
Website: http://ytc98.cjb.net