Techniques in Cracking
Brought to you by -TOP-
We are Tired of Protection. Arent You?
The Following Information provided is a listing of some techniques the
-TOP- crackers have used in cracking Programs. This is NOT intended as a
Cracking Tutorial but as an enhancement to people who need to know just a bit
more in order to crack a certain program. -TOP- Crackers have spent time and
effort in comming up with these techniques. Get what information you can from
it. It will be updated each new Issue.
Listing of Techniques
1. Goldrush
2. Space Ace
3. SimEarth
4. StarControl 1
5. Bo Jackson Baseball
6. Mike Dikta Football
7. Con>Format 1.06
8. The Summoning
9. Martian Dreams
10. Sargon V
11. Secret Weapons of the Lutewaffa
12. Crimewave
13. 3 on 3: The Dream Team.
14. JACK 4.59: Landscape Designer
15. Blue Wave Reader v 2.1
16. Giflite v 2.0
17. Veil of Darkness
<*****************************************************************************>
Unprotect for GoldRush by Sierra!
**********************************
Sierra's Doc check AARGH!
**********************************
This one is a royal pain to do manually however, here it goes:
Using norton DE/Pctools enter the file AGI.
Look at the beginning of the file and start at the A
in 'Adventure game...' and enter the numbers on the
lefthand side of the screen. For those interested the
assembly code is on the right.
90 NOP
9C PUSHF
50 PUSH AX
53 PUSH BX
56 PUSH SI
8B 1E AA 00 MOV BX, [AA]
BE E3 73 MOV SI, 73E3
46 SCAN: INC SI
38 1C CMP [SI],BL
75 FB JNZ SCAN
8A 44 07 MOV AL, [SI+7]
A2 F7 00 MOV [F7], AL
5E POP SI
5B POP BX
58 POP AX
9D POPF
C3 RET
That is only part one, part two is shorter:
Using norton's DE or Pctools search 'AGI' for:
8A 87 09 00 00 85 09 00
^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
90 90 90 90 2E E8 15 89
In Assembler: NOP
NOP
NOP
NOP
CALL CS:0
***********************************************************************
TO BYPASS THE PROTECTION YOU MUST ENTER AT LEAST ONE LETTER FOLLOWED BY
*****THE ENTER KEY*****
The method involved:
Sierra programs are a royal pain and even the old ones take me a
long time to crack. This one lets you type in an answer. I did a
search through memory to find the answer and then did a break if any
letter was read of the answer. I followed it through and found the the
program added the letters up into a single number (at ds:f7). I
followed this and found a compare that accessed this number. However, I
could not find anyplace to put a crack in so I went back to find how the
answer was obtained. What a royal pain. I found a number that was used
to index into a block of memory that had all the answer numbers --no
words, just numbers (started at ds:73e4). The program would compare its
index number to sub-blocks until it found the right number. It then
would scan a bit further until it found the number and then did its
compare. However, it was not done until it scanned the entire block for
any other equal numbers. So the crack involves using spare room inside
the sierra file AGI, grabbing the index number (at ds:aa) and scanning
through the memory block (starting at ds:73e4). Once the right
sub-block was found a went a bit further and took the number there and
put it back at ds:f7--which was where the program looks for my answer.
The second part of the crack is to call the subroutine.
The Mad Doctor
-TOP- crack.
<*****************************************************************************>
Cracker: The Mage
Program: Space Ace.
A Little Description of the Copy-Protection. The Copy Protect was
Off of a main loop. It was integrated into the program. A Main screen popped
up and it went in 4 different directions. One of these Directions led to the
Copy Protection screen which THEN let you into the game. The Game was also in
this main loop and so Nopping out the CALL would not avail me.
I searched the code through and through and found that it was using a
interesting comparison scheme to determine the Screens with which to load based
on 4 different variables and Combinations thereof. This was interesting. I
had to re-program the code to make it go to regular locations 3 out of 4 times
and the 4th time force it to jump to the game. This required some programming
and Assembly knowledge. The Copy Protection itself was different than any
others I have seen, or the way I got passed it was different.
<*****************************************************************************>
Cracker: The Mage and Majik
Program: Sim Earth
Some Background on the game.. When you load up the game it pops into a
nice menued system. This system allowed you to mess around But on 2 different
Commands (New Planet and Load Planet I think) had a DOC check. Now since there
was more than one CALL to the same procedure Majik had an Idea. Since it was a
window based system and you wouldn't be expected to keep answering the DOC
check, it seemed that there must be a counter or something that checked if you
had answered the question BEFORE asking it.
Entering Into the CALL we did some quick checking and sure enough right
at the beginning of the call was a comparision that jmped pretty much to the
end of the procedure. Well by simply forcing this to happen you never saw the
CP again.
A HINT to people who usually just NOP out calls. NOP'ing out CALL's
works a lot of the time but I would suggest that you completly play the game
before you consider it cracked. By removing the CALL statement it just removes
that current CP but it may also be called later on in the program which would
then mean additional Removals. Look inside each CALL and see if there is a
simple way to JMP to the end of the CALL and thus eliminating that possibility.
<*****************************************************************************>
Unprotect for Starcon!
**********************************
Documentation Check
**********************************
use Pctools/Norton's DE and search STARCON.OVL for:
FE 00 75 03 E9 4C
^^ ^^
EB 2A
The method involved:
Actually not hard. I uncompressed starcon.exe with unlzexe to
make it easier to follow through and also to find the proper bytes if I
needed to but this wasn't necessary. By running through the code I
found the doc check. I found right after it where the program loaded
the addresses of my answer and the programs answer with a compare
statement and conditional jump afterward. I just made the program jump
immediately to that area. I could have made it so the screen would not
even show up but you would have seen some garbage on the screen and it
would have been a messier crack. Enjoy!
The Mad Doctor
-TOP- crack.
<*****************************************************************************>
Unprotect for The Bo Jackson Baseball!
**********************************
Pathetically simple protection
**********************************
Bo Jackson Baseball is another one of those protection checks in which
you need your manual to answer a question.
use Pctools/Nortons search for (in BALL.EXE)
9A 4C 04
^^ ^^
EB 14
The method involved:
The method here is so simple I am embarassed to relate it to
you. I ran the program once to see what the protection was. It
was one of those generic protection checks. I let the
protection kill the game and restarted it again under soft-ice.
This time I timed it a bit and stopped the program before it got
to the doc check. I stepped through it with soft-ice and found
2 calls that ran the protection. A few steps later I found a
conditional jump that went to the rest of the game. So I tried
the simplest thing. I put a JMP statement to the rest of the
game and it worked! I then went into norton diskedit and
searched for the bytes. It wasn't there, so I searched for a
shorter string (as above) and there was only one string like
that in the program. I made the changes above and it works!
Enjoy!
The Mad Doctor
-TOP- crack.
<*****************************************************************************>
Unprotect for Mike Ditka Football!
**********************************
Documentation Checks and Checksums
**********************************
Mike Ditka football has the standard documentation checks but also has
some checksums early on that also have to be fixed. This is a 3 part
unprotect.
use Pctools/Nortons search for (in MDFB.EXE)
Part 1: 75 6B 05 00
^^ ^^
90 90
re-search MDFB.exe for:
Part 2: 75 12 8E 46
^^ ^^
90 90
now look in DAT101.DAT for:
part 3: E8 A1 B7 B8 01
^^ ^^ ^^
90 90 90
The method involved:
This program uses the doc check which is not too difficult to
find. If you let the program run and then stop it with
soft-ice just prior to when the doc check pops up you will
find a call routine that calls the doc check up. If you NOP
it out you then go right to the main menu. OK, now we go to
norton's diskedit and make the changes and run the program.
Drat! the program says bad overlay--obviously someone put a
checksum to prevent exactly what I did. No problem, lets go
back into soft-ice and run the program using the soft-ice
again and stopping the program before it gets to that
bad overlay statement. I then find a call routine that makes
the statement and 2 conditional jumps that will lead up to
that call. So, I NOP them out and it works. I then went
back to diskedit and made the changes. Now, it works. Enjoy!
The Mad Doctor
-TOP- crack.
Addendum: This program was already supposedly cracked by others. It is
interesting that their crack works when I use soft-ice but does not work
without it. This crack works period.
<*****************************************************************************>
Another fine patch courtesy of Majik..
Con>Format is a fine product, but the opening banner is a pain in the you
know what, and requires a keypress, which kinda ruins putting it in
autoexec.bat....(I use loadhi from QEMM so it's always there but uses no
conventional memory).
ok, here is a step-by-step for version 1.06
1st!!!!! Run the configuration program to setup your system
2. debug confmt.com
-r ;To display registers upon entry - write down cx's value
AX=0000 BX=0000 CX=3560 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000
DS=24FE ES=24FE SS=24FE CS=24FE IP=0100 NV UP EI PL NZ NA PO NC
24FE:0100 E93F35 JMP 3642
keep pressing p (to proceed) until you see the following...
24FE:365C FF264036 JMP [3640] DS:3640=266A
- write this down ^^^^^
-p |
This has just completed the de-cryption algorithm for the TSR. |
So we will code around that for future start-up. |
-a cs:100 |
24FE:0100 jmp 266a <--- This should be what you wrote down up here -> |
24FE:0103 <ENTER>
Now to get rid of that opening screen...
24FE:2697 E8B40D CALL 344E This is the call to the opening screen
-e 2697
24FE:2697 E8.90 So we will NOP it out....
24FE:2698 B4.90 0D.90
-r cx
CX 0000
:3560 Enter the value from step 2 above.
-n cf.com Rename the working program to whatever you like
-w Write it to disk
writing 3560 bytes
-q Enjoy.... Majik
<*****************************************************************************>
Unprotect for The Summoning!
**********************************
Graphical documentation check
**********************************
use Pctools/Norton's DE and search 'CODE.1' for:
A3 CC 0C 56 57 0E
^^ ^^
EB 16
The method involved:
I ran the program with Soft-Ice and saw what the protection
looked like on the screen. I then went back, ran the program and
stopped it early to see what was going on. The program is fairly
straightforward with individual call routines doing individual things.
I quickly got to the protection portions and found two calls that
brought up the protection screen and the second actually did the test
for the answer and returned back where it checked ax to see if it was
zero or not. If it wasn't zero it wouldn't let you continue with the
game. I just jumped past the entire section and it worked! Enjoy!
The Mad Doctor
-TOP- crack.
<*****************************************************************************>
Unprotect for Martian Dreams!
Use your PC Tools or Norton Diskedit on the file game.exe
search for the hex string:
74 08 8b 5e 0a
^^ replace the 74 with:
eb
When the protection check comes up just press enter and it will work!
The method involved:
The difficulty in breaking this game wathat the program seemed
to be using the same sets of code no matter what it did and this
was extremely frustrating. I was trying to stop the protection
routine from even coming up. I was unable to do this so I went
for the next best thing, I inactivated the doc check. Here's
how: when you try to get out of the spaceship with the prybar
is when the protection springs up. Tesla asks you a question
from the manual. I filled in a word and then stopped the
program with soft-ice and searched for it in memory. I found it
at: 4161:eca8
I then put a watch on it with the bpmb command in S-I. By
following what the program was doing with my answer I found that
it moved it to another location:
4161:fe6e
I then stopped by other watch and followed this memory location.
Lo and behold I found it was comparing my answer to a memory
location with the answer!
4161:ec8e
I figured this out by changing my answer to the word found at
this location and the program worked. However, I needed more
than this. So, I started again and followed the location of the
answer until I got to a section of the code where there was a
comparison between my answer and their answer followed by a
conditional jump.
POP CX (not obvious here but now one register has one
POP DX letter or my answer and one of the real answer)
CMP DX,AX (if they are not the same then you lose)
JNZ 004C (this is what I changed to a JMP statement so it
doesn't matter what your answer is now)
I just changed that conditional jump to a regular jump and it works.
Enjoy!
The Mad Doctor
-TOP- crack.
<*****************************************************************************>
Unprotect for Sargon 5
*******************
Documentation Check
*******************
Using Norton's Diskedit or PCTools:
Search the file sargon5.exe for the following:
8e d6 eb a8
^^ ^^
d1 17
and that's it!
The method involved:
Sargon 5 uses a standard documentation check. If you run the
program under soft-ice and break it prior to the doc check you will find
the call statement that will call the doc check routine. On my setup:
program start 1a66:0
call routine 2fba:32be
I ran through the call routine and input some letters. Instead of
running the entire doc check I set soft-ice to look for my letters and
stop the program when accessed. This brought me near the end of the
routine. I went a bit farther and noticed a compare statement followed
by a conditional jump (at 2fba:4a92). I changed the condition of the jump
and lo! it worked. However, I didn't like this crack (too much work for
the gamer) and went back to the jump. After the conditional jump there
were 2 mov statements and a return. So, I went back to the call routine
and made the call go just to the end of the protection routine where the
mov statements were and that was it. Now I had to find it by
diskedit--however it wasn't there. So, since I knew where I wanted to
change memory I put soft-ice watching the spot. Soft-ice stopped the
program and I saw a movsb statement which had the area I wanted. That's
it--this was a more in depth discussion than usual, it wasn't hard at
all. Bye!
The Mad Doctor
-TOP- crack.
<*****************************************************************************>
Secret Weapons of the Lutwaffe Unprotect
Cracked By The Mage
Type of Check: Doc Check in the Beginning of the Game.
What was done: Enabled it to press Enter 3 Times and you are into the Game.
Very Sloppy, but works perfectly. Not bad for a 15 minute crack.
Method Involved.
While talking to The Mad Doctor and while we were working on Tony
Larussa's Ultimate Baseball he showed me a new technique for cracking that I
had not thought of.. simple and easier. Anyways, At the DOC check you type in
a Name (any name, I use MAGE) and then you search memory for the name. Search
from the first program block on up into memory. You them in SOFT-ICE put a
Break point on Memory Access and Read. You then continue the program and press
enter to finish the check. You will have reads on the memory and chances are
you will find a CMP to that memory location and a simple jmp afterwards. This
also helps you stay in the Copy Protection routines. Well It wasn't as simple
as all that and what I had to do was jump over a lot of checking code. I found
a JMP to a far location and used it by taking a much earlier JAE and changing
it to JMP to the far location and whammo bypassed the code and enabled you to
get into the program. Since it was doing overlays I wasn't sure where the call
was to the whole program so I left it at hitting enter 3 times and into the
game you go.
Anyways Get out DiskEdit/Pctools andd search
the file NOTCAMP.OVL
Search for: 73 74 8B 5E
Change to : E9 64 02
^^ ^^ ^^
And that is it!
Thanks and greets go to everyone in -TOP-. thanks to The Mad Doctor for the
new Technique in my collection.
The Mage
<*****************************************************************************>
Unprotect for Crime Wave by Access
Cracked by The Mage
--------
Type of Protection: Doc check at the Beginning of the program.
What was done: A JZ changed to JMP.
Method Involved.
Well I loaded this sucker up and the program was using interupts to
process strings so I could not search through memory for a sample string
that I inputed. Since at the Doc check itself it was sitting in DOS and I/O
system blocks of memory I put in a bad value and got a PRESS ESC or SPACE BAR
message from the program. I then traced to where it compared to a space
like CMP AH,20 and set this to true. Then a Simple trace to where it compared
the answer after the Interupt and a change and simple.. all of 7 minutes while
talking on the phone.. <grin> Very Very Easy. I tried taking out the call
completely but was unable to do so without extensive work.
Get out Norton/Pcshell
Search the File CW.EXE
Search for: 80 3D 00 74 05
Change to: -- -- -- EB --
And save it and press enter at the DOC check. You are in!
The Mage
<*****************************************************************************>
--------- By Gron -----------
--------- 3 on 3 Basketball : The Dream Team by Data East -----------
Protection : Doc Check
Search : DREAM.EXE
Locate : 7D 00 75 55 C6 06
Replace: EB
Method : After loading the game into memory, I ran the program
until the doc check popped up. I then kicked out to
Soft-Ice and traced until I found where it was looking
for a compare to 0D which is the ENTER key. I then traced
until it failed the protection. This brought me back to
the original CALL which was used to get keyboard input,
followed by a conditional jump. Since the program did not
jump with my bogus input, I changed the conditional jump
to an unconditional one. This worked beautifully. However,
the protection scheme still came up and forced the user to
enter three numbers before it would go on.
Therefor, I looked back in the code and discovered that
immediately before the CALL which asked for input there were
a series of CALLs and jumps. I noted the address of the
last jump in that series which jumped just beyond where the
conditional jump I had changed earlier was jumping. I
reloaded the program and ran to the address I had noted. The
protection scheme had yet to come up. I changed the
conditional jump to an unconditional one and continued
running the program. It went right to the main menu,
bypassing the protection entirely. After playing the game
for an hour or so, the protection never again surfaced nor
did any noticeable side-effects of the change.
<*****************************************************************************>
Unprotect for JACK 4.59
Cracked by The Mage and Gron
--------------
Type of Protection: Password Entry
What was done: Removed Protection entirely
Method:
It came up with a screen to hit enter before the copy protection was
shown. Broke into the code and just traced until the call to the copy
Protection. Noped it out and it ran like a champ. Problem arose in that the
call was a CALL FAR and this could not be found when Hex Searching. So traced
1 statement into the CALL and JMP'd to the RETF (end of the CALL) and this was
in the Hex Search. One Note: This Program Sucks.
Anyways Search the File JACK1.EXE
Search for : CD 3F 14 10
Change to : E9 8D 01 90
You are done
Later
The Mage
<*****************************************************************************>
-------------------------------------------------------------------------------
--------- Another -TOP- unprotect -----------
--------- By Gron -----------
--------- -----------
--------- Blue Wave Offline Mail Reader 2.10 by Cutting Edge -----------
-------------------------------------------------------------------------------
Protection : Registration Number
Search : BWAVE.EXE
Locate : 06 A2 00 00 5E 8B
Replace: 01
Method : After loading the program into memory, I traced until I
found the CALL that brought up the UNREGISTERED screen.
Immediately before this CALL was a CMP AX,0000 and a
JNZ XXXX which jumped over the offending CALL. I looked
a bit further back in the code and found a MOV AL,[XXXX]
and a MOV AH,00. I reloaded the program and placed a
breakpoint (BPMB) on the DS:XXXX address from earlier.
It eventually popped out where it was moving a 00 into that
location. I looked back a bit in code and found a JNZ that
had jumped over a MOV that would have placed a 01 into the
location. Rather than change the jump, I simply changed
the MOV BYTE PTR [XXXX],00 to a 01. Since every registered
function in the program checked this address, all features
are now enabled, as well as any name and registration number
will work.
<*****************************************************************************>
-------------------------------------------------------------------------------
--------- Another -TOP- unprotect -----------
--------- By Gron -----------
--------- -----------
--------- GifLite 2.00 by White River Software -----------
-------------------------------------------------------------------------------
Protection : Registration #
Search : GIFLITE.EXE (UnPklite)
Locate : C6 06 F3 00 01 C4
Replace: 00
Method : I loaded the program into memory with no options and
traced through until I found the CALL that brought up
the shareware notice. I then reloaded and traced until
I found the series of CALLs that drew each line of the
screen. I then traced until I found a conditional jump
immediately preceding a CALL which would draw some
shareware info. I noted the address being checked, and
changed the JZ to JMP to see what happened. Sure enough,
that shareware section was skipped, but the rest was drawn.
At this point, I reloaded the program and put a BPMB (Break
Point on Memory Byte) on the address I noted earlier. I
then ran the program until it popped out at a
MOV BYTE PTR [00F3],01
Since the compare had been against 00 earlier, I changed the
MOV to MOV BYTE PTR [00F3],00. That was all she wrote.
At this point, search the GIFLITE.EXE for "null" and change
it to whoever you want the program registered to. I could
have changed the built-in registration (which I probably
should have done) to accept any name and registration number,
but I didnt really feel like taking the trouble since I didnt
find it unil I was half-way through this method.
<*****************************************************************************>
-------------------------------------------------------------------------------
--------- Another -TOP- unprotect -----------
--------- By Gron -----------
--------- -----------
--------- Veil of Darkness by Strategic Simulations Inc. -----------
-------------------------------------------------------------------------------
Protection : Doc Check
Search : CODE.2
Locate : 26 FE 47 0B 0E E8
Replace: 0A
Method : I loaded the program into memory and broke into Soft-Ice
right before the doc check screen was to come up. I then
traced until I found the CALL to the protection scheme.
Immediately before the CALL was a
CMP BYTE PTR ES:[BX+0A],01
JZ XXXX (beyond the CALL)
where ES:[BX+0A] was equal to 00. I tried changing the
01 to a 00 which worked at first. However, when I attempted
to leave the first room in the game, the protection popped
up again using the same method as above. I set a breakpoint
(BPMB) on the ES address and reloaded the program. I didnt
find what I was looking for, but I did notice that ES:[BX+0B]
was being incremented to 01 a few lines before the first
doc check. I changed the 0B to a 0A and all the protection
disappeared.
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
<*****************************************************************************>
End Methods File.