Example Cracks
-------------------------------------------------------------
OK, now let's put some of this information into practice by
examining a few cracks of some common programs. First we'll
look at a Crack for Mean-18 Golf by Accolade. Accolade has
been one of those companies that has a fervent belief in Copy
Protection.
-------------------------------------------------------------
Title: MEAN-18 UnProtect For CGA/EGA Version
This crack works by eliminating the code that tests for known
bad sectors on the original diskette to see if it is the
genuine article or an illegal copy. The code begins with an
INT 13 (CD 13 HEX), a DOS BIOS disk service routine followed
a few bytes later by another INT 13 instruction. The program
then checks the returned value for the bit configuration that
signifies the bad sectors and, if all is as expected, contin-
ues on with program execution.
The code that needs to be patched is in the GOLF.EXE file and
in the ARCH.EXE file. It is identical in both files and lies
near the end of each file.
In the following steps, you'll locate the start of the test
code and patch it by replacing it with NOP instructions (HEX
90). The method described uses the DOS DEBUG utility but
Norton's Utility (NU) works too.
Copy all of the files from the MEAN-18 disk onto a fresh
floppy using the DOS COPY command and place your original
diskette out of harm's way.
Assuming DEBUG is in the A: drive and the floppy containing
the files to be unlocked is in the B: drive , proceed as fol-
lows:
First REName the GOLF.EXE file so it has a different
EXTension other than .EXE.
REN GOLF.EXE GOLF.DEB
Next load the file GOLF.DEB into DEBUG and displays the "-"
DEBUG prompt.
A:> DEBUG B:GOLF.EXE
13
Search for the beginning of the code to be patched by typing:
- S CS:100 FFFF CD 13
Searches the file for the two byte INT 13 instruction. If
all goes well, two addresses should appear on the screen.
XXXX:019C
XXXX:01A8
XXXX indicates that the numbers preceeding the ":" vary from
system to system but the numbers following the ":" are the
same on all systems.
The next step is to use the "U" command as indicated to
un-assemble a few bytes in order to verify your position in
the file)
- U CS:019C
(Un-assembles 32 bytes of code. Verify the following se-
quence of instructions:
INT 13
JB 01E9
MOV AL,[BX+01FF]
PUSH AX
MOV AX,0201
INT 13
POP AX
JB 01E9
CMP AL,F7
JNZ 01B5
These are the instructions you'll be patching out in the fol-
lowing step)
- A CS:019C
This command assembles the new instructions you enter at the
keyboard into the addresses shown. Beginning at CS:019C, and
for the next 21 bytes, ending with and including CS:01B0, en-
ter the no op command "NOP" (90h) followed by a <return> or
<enter>. Just hit <enter> at address XXXX:01B1 to end the
assemble command.)
XXXX:019C NOP <enter>
XXXX:019D NOP <enter>
.
.
.
XXXX:01AE NOP <enter>
XXXX:01AF NOP <enter>
14
XXXX:01B0 NOP <enter>
XXXX:01B1 <enter>
This just wipes out the section of code containing the INT 13
check.
Now do a HEX dump and verify that bytes 019C through 01B0
have been set to 90 HEX.
- D CS:019C
If they have, write the patched file to the disk as follows)
- W
This writes the patched file back to the
disk where it can be run by typing GOLF just as before but
now, it can be run from any drive, including the hard
drive)
Now just [Q]uit or exit back to DOS. This command can be ex-
ecuted at any "-" DEBUG prompt if you get lost. No modifica-
tion will be made to the file on the disk until you issue the
"W" command.
- Q
The process is the same for the ARCH.EXE file but because it
is a different length, the segment address, (XXXX part of the
address), will be different. You should find the first INT
13 instruction at address XXXX:019C and the second one at
XXXX:01A8 as before.
You will again be patching 21 bytes and you will start with
019C and end with 01B0 as before. After doing the HEX dump
starting at address 019C, you again write the file back to
the disk with a "W" command then "Q" uit.
Norton's utilities can also be used to make this patch. Be-
gin by searcing the GOLF.EXE or ARCH.EXE files for the two
byte combination CD 13 (remember to enter these as HEX
bytes). Once located, change the 21 bytes, starting with the
first "CD" byte, to 90 (a NOP instruction). As a check that
you are in the right place, the byte sequence in both files
is CD 13 72 49 8A 87 FF 01 50 B8 01 02 CD 13 58 72 3C 3C F7
75 04. After modifying the bytes, write the modified file
back to the disk. It can then be run from any drive.
END.
15
------------------------------------------------------------
That was the first the tutorial cracks, here's another crack
based on the same ideas but using Norton's Utilities instead.
The following is an unprotect method for Eypx Submarine.
Eypx is another one of those companies bent on protecting the
world.
------------------------------------------------------------
By: Assembler Magic
Title: EPYX Submarine Unprotect
You will only need to make one modification to the main
executable program of Submarine, SUB.EXE. I will assume that
your computer has a hard disk and that you have a path to
DOS. It's time to fire up DEBUG as follows:
DEBUG SUB.EXE<cr>
The computer should respond with a "-" prompt. Now look at
the registers, just to make sure everything came up okay.
Type the letter "R" immediately after the prompt. The com-
puter should respond with a few lines of info as follows:
AX=0000 BX=0001 CX=6103 DX=0000 SP=0080 BP=0000 SI=0000
DI=0000 DS=12CE ES=12CE SS=37B2 CS=27FC IP=0010 NV UP EI PL
NZ NA PO NC
27FC:0010 8CC0 MOV AX,ES
-
Note the value of CS is "27FC". That is the hexadecimal
segment address for the beginning of the program code in your
computer's memory. It is highly probable that the value you
see for CS will differ from mine. Whatever it is, write it
down. Also, the values you see for DS, ES and SS will almost
certainly differ from mine and should not cause you concern.
The other registers should show the same values mine do, and
the flags should start with the same values.
Next, we will do a search for Interrupt 13's. These are
BIOS (not DOS) Interrupts built into the program which are
used to ensure that the original disk is being used to run
the program. The whole key to this unprotect scheme is to by-
pass these Interrupts in the program code. The tricky part
of this unprotect is to find them! They are not in the seg-
ment of program code starting at the value of CS equal to
"27FC". They are closer to the beginning of the program in
memory. Easy enough! Reset the value of CS to equal the
value of DS as follows; type immediately after Debug's "-"
prompt:
RCS<cr>
16
Debug will prompt you for the new value of CS with:
CS:27FC:
You respond by typing the value of DS you saw when you
dumped the registers the first time. For example, I typed
"12CE<cr>". The value you type will be different. Debug
will again respond with the "-" prompt which means we are
ready to do our search. Type in the following after the "-"
prompt:
S CS:0 FFFF CD 13<cr>
The computer should respond with three lines of information
which are the addresses of the three Interrupt 13 calls built
into the program. The first four digits are the segment ad-
dress and will equal to the value of CS you have just set.
The second four digits following the colon are the offset ad-
dresses which are of primary interest to us. On my machine
they came back as follows:
12CE:4307
12CE:431F
12CE:4335
The segment addresses will be identical and the three off-
set addresses should all be relatively close together. Now
look at the first offset address. (As you can see, mine was
"4307".) Write it down. Now we do a bit of Unassembly.
Type "U4307<cr>" which is the letter "U", followed immedi-
ately (with no blank spaces) by whatever your first offset
address turned out to be, followed by a carriage return. If
you are not familiar with unassembled machine code, it will
look like lines of gibberish as follows:
12CE:4307 CD13 INT 13
12CE:4309 4F DEC DI
12CE:430A 744C JZ 4358
.
.
12CE:431F CD13 INT 13
12CE:4321 4F DEC DI
.
.
12CE:4324 BF0400 MOV DI,0004
12CE:4326 B80102 MOV AX,0201
In my computer, Unassemble will automatically output 16
lines of code to the screen. Yours may differ. Note, in the
abbreviated list I have shown above, the addresses at the be-
ginning of the two lines which contain the Interrupt 13's
(INT 13) correspond to the first two addresses we found in
our search. Now we continue the unassemble, and here comes
17
another tricky part. Just type in "U<cr>" after the "-"
prompt.
You'll get sixteen more lines of code with the third Inter-
rupt 13 on a line which begins with the address (CS):4335 if
you have the same version of Submarine as I do. It's not
terribly important to this exercise, but it will at
least show you that things are proceeding okay. Now type in
"U<cr>" again after the prompt. You are now looking for
three key lines of code. On my program they appear as fol-
lows:
12CE:4335 07 POP ES
12CE:4356 5D POP BP
12CE:4357 CB RETF
The true key is the instruction "POP ES". This instruction
begins the normal return sequence after the program has ex-
ecuted its Interrupt 13 instructions and accompanying checks.
If Debug on your machine prints fewer than 16 lines of code
at a shot, you may have to type in "U" more than twice at the
"-" to find these instructions. (If you haven't found any of
this stuff, either get help on the use of Debug or go back to
using your diskette version!) Write down the offset address
of the "POP ES" instruction; the four digits following the
colon, which in my example is "4354". You're well on your
way now, so please persevere.
The next step is to modify the program to JUMP around the
code which executes the Interrupt 13's and go immediately to
the instruction which begins the normal return sequence
(again, it's the "POP ES". Type in the following instruc-
tions carefully:
A4307<cr>
This first bit tells Debug that new Assembler code will be
inserted at the address of the first Interrupt 13. If your
first Interrupt 13 is at an address other that "4307", use
the correct address, not mine. The computer will prompt you
with the address:
12CE:4307
After which you will immediately type:
JMP 4354<cr>
This instruction jumps the program immediately to the normal
return code instructions. Again, at the risk of being redun-
dant, if your "POP ES" instruction is at a different address,
use that address, not "4354"!
The computer will prompt you with the address of the next in-
18
struction if all went well. MAKE SURE you just hit the
carriage return at this point. Debug will then return the
familiar "-" prompt.
Now it's time to examine your handiwork. Let's do the
unassemble again starting at the address of what had been the
first Interrupt 13 instruction, but which is now the Jump in-
struction. Type in "U4307<cr>" or "U" followed by the appro-
priate address and a carriage return. The first line begin-
ning with the address should appear as follows:
12CE:4307 EB4B JMP 4354
The key here is the four bytes immediately following the ad-
dress. In my example they are "EB4B". Yours may not be.
But, they are VERY IMPORTANT because they represent the ac-
tual machine code which is the Jump instruction. WRITE THESE
FOUR BYTES DOWN AND MAKE SURE THEY ARE CORRECT.
Now if you want to have some fun before we go on, reset
register CS to its original value by first typing "RCS<cr>"
at the "-" prompt. Then type in the original value of CS
that I asked you to write down. Using my example, I typed
"27FC<cr>". Next, you will type "G<cr>" after the "-" prompt
which means GO! If all went well, SUB should run at this
point. At least it will if you put all of the Submarine
files onto the diskette or into the hard disk subdirectory
where youre working. If it didn't run, you may have made an
error. Check through what you have done.
Don't give up at this point if it does not run. Your version
of Debug may simply have not tolerated our shenanigans. When
you are done playing, quit Submarine ("Alt-Q<cr>") and type a
"Q<cr>" after the Debug prompt "-" appears.
Now comes the tough part. I can't walk you through this
phase in complete detail, because you may be using one of
several programs available to modify the contents of SUB.EXE.
Debug is not the way to go, because it can't write out .EXE
files, only .COM files.
-------------------------------------------------------------
Note: Another method of doing this is to REName the SUB.EXE
file so it has a different extension other than .EXE before
you enter DEBUG. That way after you've made the change you
can then [W]rite then changes out to the file right in DEBUG.
Then one drawback is that you can't run the program in DEBUG
once you've changed the name.
-------------------------------------------------------------
You have to get into your sector modification package (NORTON
works good) and work on the SUB.EXE file on your new diskette
or your hard disk. Remember, I warned you that doing this on
your hard disk is dangerous if you are not fully aware of
19
what you are doing. So, IF YOU MESS UP, it's YOUR OWN FAULT!
You are looking for the first occurrence of an Interrupt 13
(the "CD 13") using the search facility in your program. If
you don't have the ability to search for the two-byte hexa-
decimal code "CD 13" directly, then you will have to manually
search.
-------------------------------------------------------------
Note: Norton 4.x now has a search utility. When you get to
the point of typing in the search text, just press the TAB
key, and you can type in the actual hexadecimal code "CD 13".
-------------------------------------------------------------
Start at the beginning of SUB.EXE and proceed. Again, you
want to find the first of the three (first from the beginning
of the program).
I will give you a hint. I found it in NORTON at location
4407 hexadecimal which is location 17,415 decimal in the
SUB.EXE program file. DOS standard sectors are 512 decimal
bytes. Replace the two bytes "CD 13" with the "EB 4B" or
whatever your Jump instruction turned out to be. Write or
save the modified file.
That's ALL there is to modifying SUB.EXE. You can go ahead
and execute your program. If you have followed my instruc-
tions, it should run fine. Get help if it doesn't. Now, you
should be all set. You can load onto your hard disk, if you
haven't already. You can run it from a RAM disk using a BAT
file if you really want it to hum. Or, if you have the fa-
cilities, you can copy it from 5-1/4" floppy to 3-1/2" dis-
kette and run it on machines which accept that medium if you
upgrade to a new computer.
END.
20
-------------------------------------------------------------
Now let's take a look at a newer crack on the program, Space
Station Oblivion by Eypx. At a first [S]earch with Debug and
Norton's Utility no CD 13's could be found, and yet it was
using them... So a different approach had to be taken...
-------------------------------------------------------------
By: PTL
Title: Space Station Oblivion Crack
First of all, you must determine which file the INT 13's are
in, in this case it had to be the file OBLIVION.EXE since it
was the main program and probably contained the INT 13's. So
then rename it to a different EXTension and load it into De-
bug.
Then do a [S]earch for INT 13's.
-S 100 FFFF CD 13
Which will promptly turned up nothing. Hmmm...
Next you might decide that, maybe, the code was modifying it-
self. So quit from Debug and load up PC-Watch, include all
the INT 13 Calls. For those of you not familiar with
PC-Watch, it is a memory resident program that can be set to
look for any type of BIOS call. When that call is made
PC-Watch prints to the screen the contents of all the regis-
ters and the current memory location that the call was made
from.
After PC-Watch is initialized, then run the OBLIVION.EXE file
from the hard disk, leaving the floppy drive door open, and
sure enough, when the red light comes on in the diskette
drive, PC-Watch will report the address's of some INT 13
calls. Which you should then write down.
From there, quit the game, reboot, (To dump PC-Watch from
memory) and load the OBLIVION.EXE into Debug and issue a [G]o
command with a breakpoint. What address should you use for a
breakpoint? You guessed it, the same address PC-Watch gives
you.
Well, it locked up did'nt it? Which is quite common in this
line of work so don't let that discourage you. So next re-
loaded it into debug and this time [U]nassemble the address
that you got from PC-Watch. But instead of finding the INT
13's you'll find harmless INT 21's.
Hmm... could it be that the program was converting the CD
21's to CD 13's during the run? Well, to test the idea as-
semble an INT 20 (Program Terminate) right after the first
21
INT 21. Then I run the program, and yes immediately after the
red light comes on the drive, the program will terminate nor-
mally.
Then [U]nassemble that same area of memory, and low and be-
hold, some of the INT 21's have magically turned into INT
13's. How clever...
So, then it is just a matter of locating the address of the
routine that it jumped (JMP) to if the correct disk was found
in drive A:. Once you have that address, just go to the
start of all this nonsense and [A]ssemble a JMP XXXX command.
Where XXXX was the address to jump to if the original disk
was in drive A:.
Then just [W]rite the file back out to the disk and [Q]uit
debug, and then REName the file back to OBLIVION.EXE
afterwhich it should work fine.
END.