Training session 30: CD Rom Protections
Difficulty: Medium
Learn how to crack a simple CD Rom Protection Scheme
Creator: m101
This tutorial is not so much about how to crack Hexen II, but about showing you how a CD-ROM protection works in its most basic state. You can get a copy of Hexen II from nearly any second hand games shop, or from the ancient stash of CDs one of your mates is bound to have.
Here's what you will need:
Hackers View
Win32Dasm
Hexen II
Have you installed it yet? Well hurry up! Ok good, you are done. Now start up the game with the CD and observe the startup procedure...
Now take out the CD and restart the game. I hope you are using the GL version, cos if you aren't, fix it. "You need to have the Hexen 2 CD in order to play!" How damn annoying is that nag screen? Quit the game and load up Win32Dasm, then click Refs and then String Data References. Now have a look for our nag screen. You got it? Good... Double click "You need to have the Hexen 2 CD " and you will see this:
:004047F5 F7D1 not ecx
:004047F7 49 dec ecx
:004047F8 7596 jne 00404790
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404782(C)
|
* Possible StringData Ref from Data Obj ->"You need to have the Hexen 2 CD "
->"in order to play!"
|
:004047FA C705D8D2460038C94500 mov dword ptr [0046D2D8], 0045C938
:00404804 C70548AF460000000000 mov dword ptr [0046AF48], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004047D9(C)
|
:0040480E 5D pop ebp
:0040480F 5F pop edi
:00404810 5E pop esi
:00404811 5B pop ebx
:00404812 81C4140A0000 add esp, 00000A14
:00404818 C3 ret
Wow! Our annoying message! Well, have a look at the jump that references it by double right-clicking on the address, and you will come up with this:
* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h
|
:00404767 FF15A0B5E000 Call dword ptr [00E0B5A0]
:0040476D 8DB42424020000 lea esi, dword ptr [esp+00000224]
:00404774 B9FFFFFFFF mov ecx, FFFFFFFF
:00404779 8BFE mov edi, esi
:0040477B 2BC0 sub eax, eax
:0040477D F2 repnz
:0040477E AE scasb
:0040477F F7D1 not ecx
:00404781 49 dec ecx
:00404782 7476 je 004047FA
* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
|
:00404784 8B1D9CB5E000 mov ebx, dword ptr [00E0B59C]
* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Eh
|
:0040478A 8B2D84B5E000 mov ebp, dword ptr [00E0B584]
For those of you that don't know, GetDriveTypeA checks what type of drive a device is. Here is the API reference for it:
UINT GetDriveType(
LPCTSTR lpRootPathName // address of root path
);
Returns
0 Drive can't be determined
1 Drive can't be determined
2 Root Directory does not exist
3 Fixed Drive (Harddisk)
4 Remote Drive (Network)
5 CD-ROM-Drive
6 RAM-Disk (only GetDriveTypeA)
As you can see, if the return value is 05, then it tells the program that the drive is a CD. This stops us from using data on the HDD to act as a CD. So this tells us that there's a check somewhere between 00404782 and 004047F8. Have a look a bit lower at this:
:004047C5 8D44241C lea eax, dword ptr [esp+1C]
* Possible StringData Ref from Data Obj ->"Hexen II"
|
:004047C9 682CC94500 push 0045C92C
:004047CE 50 push eax
:004047CF E8ECEE0400 call 004536C0
:004047D4 83C408 add esp, 00000008
:004047D7 85C0 test eax, eax
:004047D9 7433 je 0040480E
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404796(C), :004047C3(C)
|
:004047DB 8BFE mov edi, esi
:004047DD B9FFFFFFFF mov ecx, FFFFFFFF
:004047E2 2BC0 sub eax, eax
:004047E4 F2 repnz
Notice those references to jumps? Well, have a look at them and what do you see? Yes, they are between 00404782 and 004047F8. Let's check them out:
:00404793 83F805 cmp eax, 00000005
:00404796 7543 jne 004047DB <==Test 1
:00404798 8D842420010000 lea eax, dword ptr [esp+00000120]
:0040479F 6804010000 push 00000104
:004047A4 8D4C241C lea ecx, dword ptr [esp+1C]
:004047A8 50 push eax
:004047A9 8D54241C lea edx, dword ptr [esp+1C]
:004047AD 51 push ecx
:004047AE 8D44241C lea eax, dword ptr [esp+1C]
:004047B2 52 push edx
:004047B3 8D4C242C lea ecx, dword ptr [esp+2C]
:004047B7 50 push eax
:004047B8 6804010000 push 00000104
:004047BD 51 push ecx
:004047BE 56 push esi
:004047BF FFD5 call ebp
:004047C1 85C0 test eax, eax
:004047C3 7416 je 004047DB <==Test 2
:004047C5 8D44241C lea eax, dword ptr [esp+1C]
* Possible StringData Ref from Data Obj ->"Hexen II"
|
:004047C9 682CC94500 push 0045C92C
:004047CE 50 push eax
:004047CF E8ECEE0400 call 004536C0
:004047D4 83C408 add esp, 00000008
:004047D7 85C0 test eax, eax
:004047D9 7433 je 0040480E
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404796(C), :004047C3(C)
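To make the loop in the listing above concrete, here is the same check written out as C. This is an added example, not code from the tutorial or from the game: the three Win32 calls are replaced by a constructed drive table so it runs anywhere, and the call at 004536C0 is assumed to be a string comparison that returns 0 on a match. It also shows why a hard disk copy carrying the right label still fails: the type-5 test runs before the label is ever read.

```c
#include <stdio.h>
#include <string.h>

#define DRIVE_CDROM 5u   /* the GetDriveTypeA result the check at 00404793 looks for */

/* Constructed stand-in for what the three Win32 calls would report for one drive. */
typedef struct {
    const char *root;   /* root path as GetLogicalDriveStringsA lists it, e.g. "D:\\" */
    unsigned type;      /* what GetDriveTypeA would return for that root */
    const char *label;  /* volume name GetVolumeInformationA would fill in; NULL = call fails */
} drive_t;

/* Constructed test machines: one with the disc in the CD-ROM drive, one where the
 * disc contents were copied to the hard disk and the hard disk was given the label. */
static const drive_t with_disc[] = {
    { "A:\\", 2, NULL }, { "C:\\", 3, "SYSTEM" },   { "D:\\", DRIVE_CDROM, "Hexen II" } };
static const drive_t hdd_copy[]  = {
    { "A:\\", 2, NULL }, { "C:\\", 3, "Hexen II" }, { "D:\\", DRIVE_CDROM, NULL } };
/* GetLogicalDriveStringsA output for both: root paths, NUL separated, double NUL at end */
static const char drive_list[] = "A:\\\0C:\\\0D:\\\0";

static const drive_t *lookup(const drive_t *d, size_t n, const char *root) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(d[i].root, root) == 0) return &d[i];
    return NULL;
}

/* Reconstruction of the loop at 00404767..004047F8. Returns 1 when a CD-ROM drive
 * carries a volume named "Hexen II" (the path to 0040480E), 0 for the nag screen. */
int hexen2_cd_check(const char *list, const drive_t *d, size_t n) {
    const char *p = list;
    while (*p) {                                   /* repnz scasb strlen; 0 -> 004047FA */
        const drive_t *drv = lookup(d, n, p);      /* stands in for GetDriveTypeA(esi) */
        if (drv && drv->type == DRIVE_CDROM) {     /* cmp eax, 5 / jne 004047DB */
            if (drv->label != NULL &&              /* call ebp (GetVolumeInformationA) */
                strcmp(drv->label, "Hexen II") == 0) /* call 004536C0, assumed strcmp */
                return 1;                          /* je 0040480E: clean return */
        }
        p += strlen(p) + 1;                        /* 004047DB: step to the next root */
    }
    return 0;                                      /* fell through to the nag message */
}

int main(void) {
    size_t n = sizeof with_disc / sizeof with_disc[0];
    printf("disc in drive D: -> %d\n", hexen2_cd_check(drive_list, with_disc, n)); /* 1 */
    printf("copy on fixed C: -> %d\n", hexen2_cd_check(drive_list, hdd_copy, n));  /* 0 */
    return 0;
}
```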
Well, to fix this just reverse these two jumps. That's not all though: have a look at the jump just above the two referenced jumps. Hmmm, if the test is failed the protection is still used, so here are the locations to be changed:
:00404796 7543 jne 004047DB
:004047C3 7416 je 004047DB
:004047D9 7433 je 0040480E
Okay, look at the bottom of Win32Dasm and you will see @Offset and next to that a number. Put the cursor on the first address and write this down, ignoring the h (it just stands for hexadecimal). Then do this for the two other offsets. Open up Hackers View and press F4 and then F3 to get into ASM mode. Press F5 and type in the first address, then change the 75 into a 74 by pressing F3, typing the value and pressing F9 to update. Then change the other two offsets from 74 into 75. Quit and run "glh2.exe" without the CD. Wow, it works!
You should now have a basic understanding of how a simple program checks for a CD in the drive...