Cardenal Mendoza'z tutor #1:
HOW TO CRACK MICRO$OFT COMBAT $IMULATOR 98
(a very easy cd check)
-------------------------------------------
Hi there, this is my first tutorial, so don't expect too
much. I hope you'll enjoy it anyway ;-)
Please excuse my bad English, it's not my mother tongue...
Part 1: The beginning...
------------------------
In this tutorial I expect that you know how to use W32Dasm
and how to modify the exe with your hex editor.
Install the game and choose full install. Then try to start
it without the CD. It won't work. A dialog pops up and asks
you to insert the CD. No problem - start W32Dasm and disassemble
COMBATFS.EXE. OK, now you should see the dead listing of the code.
Part 2: The cd-check...
-----------------------
Click on String Data References and search for your error message.
Have you found it? OK, just click on it. You should now see the
following part of the code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D4E(C)
|
:00401D9E 8B15E8C84100 mov edx, dword ptr [0041C8E8]
* Reference To: USER32.LoadStringA, Ord:0183h
|
:00401DA4 8B35E81A4200 mov esi, dword ptr [00421AE8]
:00401DAA 6804010000 push 00000104
:00401DAF 68C0084200 push 004208C0
* Possible Reference to String Resource ID=01500: "Bitte legen Sie die Microsoft® Combat Flight Simulator-CD ei"
|
:00401DB4 68DC050000 push 000005DC
:00401DB9 52 push edx
:00401DBA FFD6 call esi
:00401DBC 8B0DE8C84100 mov ecx, dword ptr [0041C8E8]
:00401DC2 8D8424A4000000 lea eax, dword ptr [esp+000000A4]
:00401DC9 6804010000 push 00000104
:00401DCE 50 push eax
Now double-click a second time on the string. It scrolls to a second
location. Have a look at it. Hmm, this seems curious. Nothing
interesting but the reference and a jmp. Look at the jump. Nothing
interesting here either. That's why they call it a "possible reference": not
every one is a real reference. In this case it is not our string. But how do we know that?
Look back at the first location. Do you see the reference to USER32.LoadStringA?
I don't think I have to explain what this is. Most of the time real references are
followed by a MessageBoxA, a ShowWindow or some other function which does something
with our string, like lstrcpy or LoadStringA. So let's go further.
Click on our string to see if there is a "real" second location - no, we're
back at our first place. OK, now we should look at the whole function. First
it does something in the registry. Do you see the string "InstalledFrom"?
This should be our CD drive. Then there are the two strings of the error
message (the text and the caption of the dialog). Then there follows a bunch of
assembler code. Just ignore it for the moment. At the end there is a call to
USER32.MessageBoxIndirectA. This is an unusual function and I am seeing it here for the
first time, but maybe I simply haven't been cracking long enough :-(
After the call there are two cmp's, each followed by a je. Now think what this could
be... yes, it is the code which checks which button was pressed. The first cmp checks the
cancel button. If you changed that je to jmp, it would close the game whenever no
CD is inserted. The second jumps back to see whether the CD is now in the drive.
After these two jumps you should see this:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401E23(C), :00401E2D(C), :00401E48(C)
|
:00401E62 8B0DE8C84100 mov ecx, dword ptr [0041C8E8]
:00401E68 51 push ecx
:00401E69 E8F2F2FFFF call 00401160
:00401E6E 85C0 test eax, eax
:00401E70 750B jne 00401E7D
:00401E72 5F pop edi
:00401E73 5E pop esi
:00401E74 5D pop ebp
:00401E75 5B pop ebx
:00401E76 81C498010000 add esp, 00000198
:00401E7C C3 ret
This seems to be the exit of the function for good guys who have their CD
in the drive. But we're bad, aren't we ;-) ...
Part 3: The crack...
--------------------
OK, if you look at the code above, the easiest thing would be to NOP out
the last two je's; then the game would simply run to the good-guy exit. But wait.
First you should think. You would NOP out the *check* of the buttons, therefore the
error window would pop up each time you start the game. Of course it would
run after you pressed something, but isn't there a better way? You could try to NOP
out the call to USER32.MessageBoxIndirectA too, but if there is one bad thing
you could do, it is NOPping out calls to a DLL. You could try it, but then it will...
Just try it, you will see.
So look at the last part of the code. There are three different jumps to it. So the
easiest thing that works is going to the first jump and changing it to jump every time.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E60(C)
|
:00401E13 8A0DC0FF4100 mov cl, byte ptr [0041FFC0]
:00401E19 51 push ecx
:00401E1A E801FDFFFF call 00401B20
:00401E1F 8BF0 mov esi, eax
:00401E21 3BF5 cmp esi, ebp
:00401E23 753D jne 00401E62 <---- here it is...
:00401E25 B341 mov bl, 41
:00401E27 885C241C mov byte ptr [esp+1C], bl
Just change the 0x75 at the offset 0x00401E23 into 0xEB. This changes it
to jmp 00401E62. Try it...
*KEWL* - It works. Isn't that a lame CD check?! I expected something better
from Micro$oft.
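The reason one byte is enough here is that nothing in COMBATFS.EXE verifies its own code. As an added example (not part of the original tutorial), here is a Python script that takes the 24 opcode bytes of the listing above as a constructed baseline, stores a SHA-256 fingerprint of them, and reports the address and nature of any deviation, which is what a tamper check or a forensic comparison of a suspect binary would flag. The function names and the TAMPERED sample are my own.

```python
import hashlib

# Constructed sample (not from the tutorial's tooling): the opcode bytes of the
# listing at 00401E13..00401E2A, transcribed from the W32Dasm output above.
BASE_VA = 0x00401E13
ORIGINAL = bytes.fromhex(
    "8A0DC0FF4100"  # mov cl, byte ptr [0041FFC0]
    "51"            # push ecx
    "E801FDFFFF"    # call 00401B20
    "8BF0"          # mov esi, eax
    "3BF5"          # cmp esi, ebp
    "753D"          # jne 00401E62   <- the byte Part 3 talks about
    "B341"          # mov bl, 41
    "885C241C"      # mov byte ptr [esp+1C], bl
)
# Constructed: the same region after the one-byte change described in Part 3.
TAMPERED = ORIGINAL[:16] + b"\xEB" + ORIGINAL[17:]

def fingerprint(code: bytes) -> str:
    """SHA-256 of a code region; a build step would store this known-good value."""
    return hashlib.sha256(code).hexdigest()

def verify(code: bytes, expected: str) -> bool:
    """The integrity check the game lacked: True only if the region still matches."""
    return fingerprint(code) == expected

def classify(old: int, new: int) -> str:
    """Name the kind of edit: 0x70-0x7F are short Jcc opcodes, 0xEB short JMP, 0x90 NOP."""
    if 0x70 <= old <= 0x7F and new == 0xEB:
        return "conditional jump forced unconditional"
    if new == 0x90:
        return "instruction byte replaced with NOP"
    return "other byte change"

def diff_region(good: bytes, suspect: bytes, base_va: int = BASE_VA):
    """Forensic comparison: (virtual address, old byte, new byte, description) per differing byte."""
    if len(good) != len(suspect):
        raise ValueError("region lengths differ: %d vs %d" % (len(good), len(suspect)))
    return [
        (base_va + i, g, s, classify(g, s))
        for i, (g, s) in enumerate(zip(good, suspect))
        if g != s
    ]

if __name__ == "__main__":
    known_good = fingerprint(ORIGINAL)
    print("tampered copy passes integrity check:", verify(TAMPERED, known_good))
    for va, old, new, what in diff_region(ORIGINAL, TAMPERED):
        print("%08X: %02X -> %02X  (%s)" % (va, old, new, what))
```

Run it to see the single mismatch reported at 00401E23 as a conditional jump forced unconditional; a check like this is only as strong as the place the fingerprint is stored, so in practice it is backed by code signing rather than a value inside the same binary.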
Part 4: The finish...
---------------------
I hope you enjoyed this tutorial. Remember, it was my first - nothing is
perfect at once :-)
If you have suggestions for a second tutor, send me a mail to: Cardenal@gmx.net
I hope to see you in tutor #2...
Oh, yes. Cracking a program you don't own yourself is illegal, so don't do this :-(
Greetinx to:
warp_9 & darkman & antos & homer
Cardenal Mendoza
11/12/1998