Techniques in Cracking Brought to you by -TOP- We are Tired of Protection. Arent You? The Following Information provided is a listing of some techniques the -TOP- crackers have used in cracking Programs. This is NOT intended as a Cracking Tutorial but as an enhancement to people who need to know just a bit more in order to crack a certain program. -TOP- Crackers have spent time and effort in comming up with these techniques. Get what information you can from it. It will be updated each new Issue. Listing of Techniques 1. Goldrush 2. Space Ace 3. SimEarth 4. StarControl 1 5. Bo Jackson Baseball 6. Mike Dikta Football 7. Con>Format 1.06 8. The Summoning 9. Martian Dreams 10. Sargon V 11. Secret Weapons of the Lutewaffa 12. Crimewave 13. 3 on 3: The Dream Team. 14. JACK 4.59: Landscape Designer 15. Blue Wave Reader v 2.1 16. Giflite v 2.0 17. Veil of Darkness <*****************************************************************************> Unprotect for GoldRush by Sierra! ********************************** Sierra's Doc check AARGH! ********************************** This one is a royal pain to do manually however, here it goes: Using norton DE/Pctools enter the file AGI. Look at the beginning of the file and start at the A in 'Adventure game...' and enter the numbers on the lefthand side of the screen. For those interested the assembly code is on the right. 90 NOP 9C PUSHF 50 PUSH AX 53 PUSH BX 56 PUSH SI 8B 1E AA 00 MOV BX, [AA] BE E3 73 MOV SI, 73E3 46 SCAN: INC SI 38 1C CMP [SI],BL 75 FB JNZ SCAN 8A 44 07 MOV AL, [SI+7] A2 F7 00 MOV [F7], AL 5E POP SI 5B POP BX 58 POP AX 9D POPF C3 RET That is only part one, part two is shorter: Using norton's DE or Pctools search 'AGI' for: 8A 87 09 00 00 85 09 00 ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ 90 90 90 90 2E E8 15 89 In Assembler: NOP NOP NOP NOP CALL CS:0 *********************************************************************** TO BYPASS THE PROTECTION YOU MUST ENTER AT LEAST ONE LETTER FOLLOWED BY *****THE ENTER KEY***** The method involved: Sierra programs are a royal pain and even the old ones take me a long time to crack. This one lets you type in an answer. I did a search through memory to find the answer and then did a break if any letter was read of the answer. I followed it through and found the the program added the letters up into a single number (at ds:f7). I followed this and found a compare that accessed this number. However, I could not find anyplace to put a crack in so I went back to find how the answer was obtained. What a royal pain. I found a number that was used to index into a block of memory that had all the answer numbers --no words, just numbers (started at ds:73e4). The program would compare its index number to sub-blocks until it found the right number. It then would scan a bit further until it found the number and then did its compare. However, it was not done until it scanned the entire block for any other equal numbers. So the crack involves using spare room inside the sierra file AGI, grabbing the index number (at ds:aa) and scanning through the memory block (starting at ds:73e4). Once the right sub-block was found a went a bit further and took the number there and put it back at ds:f7--which was where the program looks for my answer. The second part of the crack is to call the subroutine. The Mad Doctor -TOP- crack. <*****************************************************************************> Cracker: The Mage Program: Space Ace. A Little Description of the Copy-Protection. The Copy Protect was Off of a main loop. It was integrated into the program. A Main screen popped up and it went in 4 different directions. One of these Directions led to the Copy Protection screen which THEN let you into the game. The Game was also in this main loop and so Nopping out the CALL would not avail me. I searched the code through and through and found that it was using a interesting comparison scheme to determine the Screens with which to load based on 4 different variables and Combinations thereof. This was interesting. I had to re-program the code to make it go to regular locations 3 out of 4 times and the 4th time force it to jump to the game. This required some programming and Assembly knowledge. The Copy Protection itself was different than any others I have seen, or the way I got passed it was different. <*****************************************************************************> Cracker: The Mage and Majik Program: Sim Earth Some Background on the game.. When you load up the game it pops into a nice menued system. This system allowed you to mess around But on 2 different Commands (New Planet and Load Planet I think) had a DOC check. Now since there was more than one CALL to the same procedure Majik had an Idea. Since it was a window based system and you wouldn't be expected to keep answering the DOC check, it seemed that there must be a counter or something that checked if you had answered the question BEFORE asking it. Entering Into the CALL we did some quick checking and sure enough right at the beginning of the call was a comparision that jmped pretty much to the end of the procedure. Well by simply forcing this to happen you never saw the CP again. A HINT to people who usually just NOP out calls. NOP'ing out CALL's works a lot of the time but I would suggest that you completly play the game before you consider it cracked. By removing the CALL statement it just removes that current CP but it may also be called later on in the program which would then mean additional Removals. Look inside each CALL and see if there is a simple way to JMP to the end of the CALL and thus eliminating that possibility. <*****************************************************************************> Unprotect for Starcon! ********************************** Documentation Check ********************************** use Pctools/Norton's DE and search STARCON.OVL for: FE 00 75 03 E9 4C ^^ ^^ EB 2A The method involved: Actually not hard. I uncompressed starcon.exe with unlzexe to make it easier to follow through and also to find the proper bytes if I needed to but this wasn't necessary. By running through the code I found the doc check. I found right after it where the program loaded the addresses of my answer and the programs answer with a compare statement and conditional jump afterward. I just made the program jump immediately to that area. I could have made it so the screen would not even show up but you would have seen some garbage on the screen and it would have been a messier crack. Enjoy! The Mad Doctor -TOP- crack. <*****************************************************************************> Unprotect for The Bo Jackson Baseball! ********************************** Pathetically simple protection ********************************** Bo Jackson Baseball is another one of those protection checks in which you need your manual to answer a question. use Pctools/Nortons search for (in BALL.EXE) 9A 4C 04 ^^ ^^ EB 14 The method involved: The method here is so simple I am embarassed to relate it to you. I ran the program once to see what the protection was. It was one of those generic protection checks. I let the protection kill the game and restarted it again under soft-ice. This time I timed it a bit and stopped the program before it got to the doc check. I stepped through it with soft-ice and found 2 calls that ran the protection. A few steps later I found a conditional jump that went to the rest of the game. So I tried the simplest thing. I put a JMP statement to the rest of the game and it worked! I then went into norton diskedit and searched for the bytes. It wasn't there, so I searched for a shorter string (as above) and there was only one string like that in the program. I made the changes above and it works! Enjoy! The Mad Doctor -TOP- crack. <*****************************************************************************> Unprotect for Mike Ditka Football! ********************************** Documentation Checks and Checksums ********************************** Mike Ditka football has the standard documentation checks but also has some checksums early on that also have to be fixed. This is a 3 part unprotect. use Pctools/Nortons search for (in MDFB.EXE) Part 1: 75 6B 05 00 ^^ ^^ 90 90 re-search MDFB.exe for: Part 2: 75 12 8E 46 ^^ ^^ 90 90 now look in DAT101.DAT for: part 3: E8 A1 B7 B8 01 ^^ ^^ ^^ 90 90 90 The method involved: This program uses the doc check which is not too difficult to find. If you let the program run and then stop it with soft-ice just prior to when the doc check pops up you will find a call routine that calls the doc check up. If you NOP it out you then go right to the main menu. OK, now we go to norton's diskedit and make the changes and run the program. Drat! the program says bad overlay--obviously someone put a checksum to prevent exactly what I did. No problem, lets go back into soft-ice and run the program using the soft-ice again and stopping the program before it gets to that bad overlay statement. I then find a call routine that makes the statement and 2 conditional jumps that will lead up to that call. So, I NOP them out and it works. I then went back to diskedit and made the changes. Now, it works. Enjoy! The Mad Doctor -TOP- crack. Addendum: This program was already supposedly cracked by others. It is interesting that their crack works when I use soft-ice but does not work without it. This crack works period. <*****************************************************************************> Another fine patch courtesy of Majik.. Con>Format is a fine product, but the opening banner is a pain in the you know what, and requires a keypress, which kinda ruins putting it in autoexec.bat....(I use loadhi from QEMM so it's always there but uses no conventional memory). ok, here is a step-by-step for version 1.06 1st!!!!! Run the configuration program to setup your system 2. debug confmt.com -r ;To display registers upon entry - write down cx's value AX=0000 BX=0000 CX=3560 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000 DS=24FE ES=24FE SS=24FE CS=24FE IP=0100 NV UP EI PL NZ NA PO NC 24FE:0100 E93F35 JMP 3642 keep pressing p (to proceed) until you see the following... 24FE:365C FF264036 JMP [3640] DS:3640=266A - write this down ^^^^^ -p | This has just completed the de-cryption algorithm for the TSR. | So we will code around that for future start-up. | -a cs:100 | 24FE:0100 jmp 266a <--- This should be what you wrote down up here -> | 24FE:0103 Now to get rid of that opening screen... 24FE:2697 E8B40D CALL 344E This is the call to the opening screen -e 2697 24FE:2697 E8.90 So we will NOP it out.... 24FE:2698 B4.90 0D.90 -r cx CX 0000 :3560 Enter the value from step 2 above. -n cf.com Rename the working program to whatever you like -w Write it to disk writing 3560 bytes -q Enjoy.... Majik <*****************************************************************************> Unprotect for The Summoning! ********************************** Graphical documentation check ********************************** use Pctools/Norton's DE and search 'CODE.1' for: A3 CC 0C 56 57 0E ^^ ^^ EB 16 The method involved: I ran the program with Soft-Ice and saw what the protection looked like on the screen. I then went back, ran the program and stopped it early to see what was going on. The program is fairly straightforward with individual call routines doing individual things. I quickly got to the protection portions and found two calls that brought up the protection screen and the second actually did the test for the answer and returned back where it checked ax to see if it was zero or not. If it wasn't zero it wouldn't let you continue with the game. I just jumped past the entire section and it worked! Enjoy! The Mad Doctor -TOP- crack. <*****************************************************************************> Unprotect for Martian Dreams! Use your PC Tools or Norton Diskedit on the file game.exe search for the hex string: 74 08 8b 5e 0a ^^ replace the 74 with: eb When the protection check comes up just press enter and it will work! The method involved: The difficulty in breaking this game wathat the program seemed to be using the same sets of code no matter what it did and this was extremely frustrating. I was trying to stop the protection routine from even coming up. I was unable to do this so I went for the next best thing, I inactivated the doc check. Here's how: when you try to get out of the spaceship with the prybar is when the protection springs up. Tesla asks you a question from the manual. I filled in a word and then stopped the program with soft-ice and searched for it in memory. I found it at: 4161:eca8 I then put a watch on it with the bpmb command in S-I. By following what the program was doing with my answer I found that it moved it to another location: 4161:fe6e I then stopped by other watch and followed this memory location. Lo and behold I found it was comparing my answer to a memory location with the answer! 4161:ec8e I figured this out by changing my answer to the word found at this location and the program worked. However, I needed more than this. So, I started again and followed the location of the answer until I got to a section of the code where there was a comparison between my answer and their answer followed by a conditional jump. POP CX (not obvious here but now one register has one POP DX letter or my answer and one of the real answer) CMP DX,AX (if they are not the same then you lose) JNZ 004C (this is what I changed to a JMP statement so it doesn't matter what your answer is now) I just changed that conditional jump to a regular jump and it works. Enjoy! The Mad Doctor -TOP- crack. <*****************************************************************************> Unprotect for Sargon 5 ******************* Documentation Check ******************* Using Norton's Diskedit or PCTools: Search the file sargon5.exe for the following: 8e d6 eb a8 ^^ ^^ d1 17 and that's it! The method involved: Sargon 5 uses a standard documentation check. If you run the program under soft-ice and break it prior to the doc check you will find the call statement that will call the doc check routine. On my setup: program start 1a66:0 call routine 2fba:32be I ran through the call routine and input some letters. Instead of running the entire doc check I set soft-ice to look for my letters and stop the program when accessed. This brought me near the end of the routine. I went a bit farther and noticed a compare statement followed by a conditional jump (at 2fba:4a92). I changed the condition of the jump and lo! it worked. However, I didn't like this crack (too much work for the gamer) and went back to the jump. After the conditional jump there were 2 mov statements and a return. So, I went back to the call routine and made the call go just to the end of the protection routine where the mov statements were and that was it. Now I had to find it by diskedit--however it wasn't there. So, since I knew where I wanted to change memory I put soft-ice watching the spot. Soft-ice stopped the program and I saw a movsb statement which had the area I wanted. That's it--this was a more in depth discussion than usual, it wasn't hard at all. Bye! The Mad Doctor -TOP- crack. <*****************************************************************************> Secret Weapons of the Lutwaffe Unprotect Cracked By The Mage Type of Check: Doc Check in the Beginning of the Game. What was done: Enabled it to press Enter 3 Times and you are into the Game. Very Sloppy, but works perfectly. Not bad for a 15 minute crack. Method Involved. While talking to The Mad Doctor and while we were working on Tony Larussa's Ultimate Baseball he showed me a new technique for cracking that I had not thought of.. simple and easier. Anyways, At the DOC check you type in a Name (any name, I use MAGE) and then you search memory for the name. Search from the first program block on up into memory. You them in SOFT-ICE put a Break point on Memory Access and Read. You then continue the program and press enter to finish the check. You will have reads on the memory and chances are you will find a CMP to that memory location and a simple jmp afterwards. This also helps you stay in the Copy Protection routines. Well It wasn't as simple as all that and what I had to do was jump over a lot of checking code. I found a JMP to a far location and used it by taking a much earlier JAE and changing it to JMP to the far location and whammo bypassed the code and enabled you to get into the program. Since it was doing overlays I wasn't sure where the call was to the whole program so I left it at hitting enter 3 times and into the game you go. Anyways Get out DiskEdit/Pctools andd search the file NOTCAMP.OVL Search for: 73 74 8B 5E Change to : E9 64 02 ^^ ^^ ^^ And that is it! Thanks and greets go to everyone in -TOP-. thanks to The Mad Doctor for the new Technique in my collection. The Mage <*****************************************************************************> Unprotect for Crime Wave by Access Cracked by The Mage -------- Type of Protection: Doc check at the Beginning of the program. What was done: A JZ changed to JMP. Method Involved. Well I loaded this sucker up and the program was using interupts to process strings so I could not search through memory for a sample string that I inputed. Since at the Doc check itself it was sitting in DOS and I/O system blocks of memory I put in a bad value and got a PRESS ESC or SPACE BAR message from the program. I then traced to where it compared to a space like CMP AH,20 and set this to true. Then a Simple trace to where it compared the answer after the Interupt and a change and simple.. all of 7 minutes while talking on the phone.. Very Very Easy. I tried taking out the call completely but was unable to do so without extensive work. Get out Norton/Pcshell Search the File CW.EXE Search for: 80 3D 00 74 05 Change to: -- -- -- EB -- And save it and press enter at the DOC check. You are in! The Mage <*****************************************************************************> --------- By Gron ----------- --------- 3 on 3 Basketball : The Dream Team by Data East ----------- Protection : Doc Check Search : DREAM.EXE Locate : 7D 00 75 55 C6 06 Replace: EB Method : After loading the game into memory, I ran the program until the doc check popped up. I then kicked out to Soft-Ice and traced until I found where it was looking for a compare to 0D which is the ENTER key. I then traced until it failed the protection. This brought me back to the original CALL which was used to get keyboard input, followed by a conditional jump. Since the program did not jump with my bogus input, I changed the conditional jump to an unconditional one. This worked beautifully. However, the protection scheme still came up and forced the user to enter three numbers before it would go on. Therefor, I looked back in the code and discovered that immediately before the CALL which asked for input there were a series of CALLs and jumps. I noted the address of the last jump in that series which jumped just beyond where the conditional jump I had changed earlier was jumping. I reloaded the program and ran to the address I had noted. The protection scheme had yet to come up. I changed the conditional jump to an unconditional one and continued running the program. It went right to the main menu, bypassing the protection entirely. After playing the game for an hour or so, the protection never again surfaced nor did any noticeable side-effects of the change. <*****************************************************************************> Unprotect for JACK 4.59 Cracked by The Mage and Gron -------------- Type of Protection: Password Entry What was done: Removed Protection entirely Method: It came up with a screen to hit enter before the copy protection was shown. Broke into the code and just traced until the call to the copy Protection. Noped it out and it ran like a champ. Problem arose in that the call was a CALL FAR and this could not be found when Hex Searching. So traced 1 statement into the CALL and JMP'd to the RETF (end of the CALL) and this was in the Hex Search. One Note: This Program Sucks. Anyways Search the File JACK1.EXE Search for : CD 3F 14 10 Change to : E9 8D 01 90 You are done Later The Mage <*****************************************************************************> ------------------------------------------------------------------------------- --------- Another -TOP- unprotect ----------- --------- By Gron ----------- --------- ----------- --------- Blue Wave Offline Mail Reader 2.10 by Cutting Edge ----------- ------------------------------------------------------------------------------- Protection : Registration Number Search : BWAVE.EXE Locate : 06 A2 00 00 5E 8B Replace: 01 Method : After loading the program into memory, I traced until I found the CALL that brought up the UNREGISTERED screen. Immediately before this CALL was a CMP AX,0000 and a JNZ XXXX which jumped over the offending CALL. I looked a bit further back in the code and found a MOV AL,[XXXX] and a MOV AH,00. I reloaded the program and placed a breakpoint (BPMB) on the DS:XXXX address from earlier. It eventually popped out where it was moving a 00 into that location. I looked back a bit in code and found a JNZ that had jumped over a MOV that would have placed a 01 into the location. Rather than change the jump, I simply changed the MOV BYTE PTR [XXXX],00 to a 01. Since every registered function in the program checked this address, all features are now enabled, as well as any name and registration number will work. <*****************************************************************************> ------------------------------------------------------------------------------- --------- Another -TOP- unprotect ----------- --------- By Gron ----------- --------- ----------- --------- GifLite 2.00 by White River Software ----------- ------------------------------------------------------------------------------- Protection : Registration # Search : GIFLITE.EXE (UnPklite) Locate : C6 06 F3 00 01 C4 Replace: 00 Method : I loaded the program into memory with no options and traced through until I found the CALL that brought up the shareware notice. I then reloaded and traced until I found the series of CALLs that drew each line of the screen. I then traced until I found a conditional jump immediately preceding a CALL which would draw some shareware info. I noted the address being checked, and changed the JZ to JMP to see what happened. Sure enough, that shareware section was skipped, but the rest was drawn. At this point, I reloaded the program and put a BPMB (Break Point on Memory Byte) on the address I noted earlier. I then ran the program until it popped out at a MOV BYTE PTR [00F3],01 Since the compare had been against 00 earlier, I changed the MOV to MOV BYTE PTR [00F3],00. That was all she wrote. At this point, search the GIFLITE.EXE for "null" and change it to whoever you want the program registered to. I could have changed the built-in registration (which I probably should have done) to accept any name and registration number, but I didnt really feel like taking the trouble since I didnt find it unil I was half-way through this method. <*****************************************************************************> ------------------------------------------------------------------------------- --------- Another -TOP- unprotect ----------- --------- By Gron ----------- --------- ----------- --------- Veil of Darkness by Strategic Simulations Inc. ----------- ------------------------------------------------------------------------------- Protection : Doc Check Search : CODE.2 Locate : 26 FE 47 0B 0E E8 Replace: 0A Method : I loaded the program into memory and broke into Soft-Ice right before the doc check screen was to come up. I then traced until I found the CALL to the protection scheme. Immediately before the CALL was a CMP BYTE PTR ES:[BX+0A],01 JZ XXXX (beyond the CALL) where ES:[BX+0A] was equal to 00. I tried changing the 01 to a 00 which worked at first. However, when I attempted to leave the first room in the game, the protection popped up again using the same method as above. I set a breakpoint (BPMB) on the ES address and reloaded the program. I didnt find what I was looking for, but I did notice that ES:[BX+0B] was being incremented to 01 a few lines before the first doc check. I changed the 0B to a 0A and all the protection disappeared. <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> <*****************************************************************************> End Methods File.