Yo 'gain leetoz!

 Target game: Sid Meier's Gettysburg
 Tools: W32Dasm, Soft-Ice if u want to trace thru the routine
 Level: 1, newbies only!
 Other: Nuffing this time.. gonna make it quick and then goto sleep ;)

 Ok.. the game uses the typical GetDriveTypeA routine that's easy to follow
 and even easier to crack. I got this after disasming lee.w32 (backup!)

 Huh?.. *ZZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzzz*ZZZZZZZZZZZZZ*ZZZZZZZZZZZZZ*
 .............................................................................
 .............................................................................
 ... erhmm.... g'morning.. :).. seems like I had fallen asleep.. heheh.. oh 
 well. 

 NOTE! Cracking isn't this exhausting!.. I just had had a loonng day.. ;)
 Okayz.. let's finish this piece of crap. Does this look familiar?

 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:004666F7(C)
 |
 :0046669D 8D45E4                  lea eax, dword ptr [ebp-1C]
 :004666A0 50                      push eax

 * Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh <-- i wonder..
                                  |
 :004666A1 FF1500655A00            Call dword ptr [005A6500]
 :004666A7 83F805                  cmp eax, 00000005 <-- check for CD-ROM
 :004666AA 753F                    jne 004666EB <-- not found -> jump
 :004666AC 68A0055A00              push 005A05A0
 :004666B1 E85A020000              call 00466910
 :004666B6 83C404                  add esp, 00000004
 :004666B9 8D45E4                  lea eax, dword ptr [ebp-1C]
 :004666BC 50                      push eax
 :004666BD 68A0055A00              push 005A05A0
 :004666C2 E859020000              call 00466920
 :004666C7 83C408                  add esp, 00000008
 :004666CA 56                      push esi
 :004666CB 68A0055A00              push 005A05A0
 :004666D0 E84B020000              call 00466920
 :004666D5 83C408                  add esp, 00000008
 :004666D8 8D85A4FDFFFF            lea eax, dword ptr [ebp+FFFFFDA4]
 :004666DE 50                      push eax
 :004666DF 68A0055A00              push 005A05A0
 :004666E4 FFD7                    call edi
 :004666E6 83F8FF                  cmp eax, FFFFFFFF <-- CD found?
 :004666E9 757D                    jne 00466768 <-- Nope, jump *Reverse This*

 
 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:004666AA(C)
 |
 :004666EB 8A45E4                  mov al, byte ptr [ebp-1C]
 :004666EE 43                      inc ebx
 :004666EF FEC0                    inc al
 :004666F1 83FB1A                  cmp ebx, 0000001A <-- check drive letters
 :004666F4 8845E4                  mov byte ptr [ebp-1C], al
 :004666F7 7CA4                    jl 0046669D <-- jump if not all done
 :004666F9 8B450C                  mov eax, dword ptr [ebp+0C]
 :004666FC 85C0                    test eax, eax <-- check if all done and CD found
 :004666FE 0F859C000000            jne 004667A0 <-- Not found -> Jump, found -> go on
 :00466704 6A00                    push 00000000
 :00466706 8D8D98E0FFFF            lea ecx, dword ptr [ebp+FFFFE098]
 :0046670C 6A00                    push 00000000
 :0046670E 6AFF                    push FFFFFFFF
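
 Added example, not part of the original tut and not the game's real source: the drive-scan loop from the listing above rendered as portable C, showing that the whole check comes down to two comparisons per drive letter. Assumptions: the helpers at 00466910/00466920 build the path string, `call edi` is a file lookup that returns FFFFFFFF on failure, the scan starts at 'A', and the MARKER.DAT name and the fake_* drive table are constructed for the demo.

```c
/* Added example: C rendering of the drive-scan loop in the listing above. */
#include <stdio.h>
#include <string.h>

#define DRIVE_CDROM  5u           /* constant compared at 004666A7 */
#define LOOKUP_FAIL  0xFFFFFFFFu  /* constant compared at 004666E6 */

typedef unsigned (*drive_type_fn)(const char *root);   /* GetDriveTypeA role */
typedef unsigned (*lookup_fn)(const char *path);       /* "call edi" role (assumed) */

/* Returns the letter of the first CD-ROM drive holding `file`, or 0. */
char find_game_cd(drive_type_fn drive_type, lookup_fn lookup, const char *file)
{
    char root[4] = "A:\\";        /* [ebp-1C]; starting at 'A' is an assumption */
    char path[260];

    for (int n = 0; n < 26; n++, root[0]++) {      /* cmp ebx, 1A / inc al */
        if (drive_type(root) != DRIVE_CDROM)
            continue;                              /* jne 004666EB */
        snprintf(path, sizeof path, "%s%s", root, file); /* 00466910/00466920 */
        if (lookup(path) != LOOKUP_FAIL)
            return root[0];                        /* jne 00466768 */
    }
    return 0;                     /* all 26 letters tried, nothing matched */
}

/* Constructed test doubles: C: fixed disk, D: empty CD drive, E: game CD. */
unsigned fake_drive_type(const char *root)
{
    if (root[0] == 'D' || root[0] == 'E') return DRIVE_CDROM;
    return root[0] == 'C' ? 3u : 1u;   /* 3 = DRIVE_FIXED, 1 = DRIVE_NO_ROOT_DIR */
}

unsigned fake_lookup(const char *path)
{
    /* MARKER.DAT is a hypothetical file name, not taken from the game. */
    return strcmp(path, "E:\\MARKER.DAT") == 0 ? 0u : LOOKUP_FAIL;
}

int main(void)
{
    char hit = find_game_cd(fake_drive_type, fake_lookup, "MARKER.DAT");
    printf("game CD: %c\n", hit ? hit : '-');
    return 0;
}
```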

 Sorry guys.. I could prolly give u more detailed infos if I had traced thru
 this in SI.. but since I didn't.. I'll just make a "lucky guess"..haha.. not
 really a lucky guess, coz this protection doesn't differ that much from the
 usual ones, so it's easy to find the correct patching spot without tracing.

 Like I already pointed out in the code bit above, u should reverse the jump
 over there. That was my "lucky guess" and it turned out to be a right guess :)
 Next time I'll be in touch with SI again to give u more detailed and more
 specific info (I just hope it won't be GetDriveTypeA again..).

 :004666E9  757D -> 747D
 
 .. and you're done! All scenarios are playable and there won't be "CD not found"
 at the beginning. Congratz!

 -C_DKnight <- c_dknight@iobox.com, IRC #Cracking4Newbies (EFnet)

 Greetz: AB4DS, [LaZaRuS], TheSmurf, Sinn0r!!!, cTT!!!, R!SC, Dead-Mike and all
         the other unfortunates I mayhaps forgot :)
         plus Tailz, F0ley, Mathras, Makis, LM555, MR-B
 
 Cracking tut #xx