REVISION!

Target:     Warlords 3 - Darklords Rising
Toolz:      SICE, W32Dasm
Level:      1
Protection: 2 CD-checks plus a filesize check (I found only these!)

Background info:

I decided to do a revised version of this tute coz the first one was so lame.. I found out several nice things I missed back then.. Heh.. when I first wrote this revision I had finished the whole text but my comp goddam crashed. And since I hadn't done any savings I lost the initial text.. fuck! :)

Let's move on (do backups now & disasm the file if you want)

* Reference To: KERNEL32.GetDriveTypeA, Ord:00CEh
|
:00445853 FF1540F85900   Call dword ptr [0059F840]
:00445859 83F805         cmp eax, 00000005              <-- you are here, and a check...
:0044585C 757A           jne 004458D8                   <-- ...for CD-ROM
:0044585E 8D45E4         lea eax, dword ptr [ebp-1C]
:00445861 8D4D94         lea ecx, dword ptr [ebp-6C]
:00445864 50             push eax

* Possible StringData Ref from Data Obj ->"%sW3.DAT"    <-- Look for this file on CD
|
:00445865 68603E4F00     push 004F3E60                  <-- push the file pointer
:0044586A 51             push ecx
:0044586B FFD7           call edi                       <-- call getdrivetypea
:0044586D 83C40C         add esp, 0000000C
:00445870 8D4D94         lea ecx, dword ptr [ebp-6C]
:00445873 6A00           push 00000000

* Possible Reference to String Resource ID=00001: "Error!"
|
:00445875 6A01           push 00000001
:00445877 51             push ecx
:00445878 8D8D84FEFFFF   lea ecx, dword ptr [ebp+FFFFFE84]
:0044587E E8FD330900     call 004D8C80                  <-- check for the file (eax == 1 -> chk passed)
:00445883 85C0           test eax, eax                  <-- found it, or not
:00445885 7451           je 004458D8                    <-- jump if file not found
:00445887 8D8D84FEFFFF   lea ecx, dword ptr [ebp+FFFFFE84]
:0044588D E8DE350900     call 004D8E70
:00445892 8D45E4         lea eax, dword ptr [ebp-1C]
:00445895 8D4D94         lea ecx, dword ptr [ebp-6C]
:00445898 50             push eax

* Possible StringData Ref from Data Obj ->"%sDRAKDUM\DRAKDUM0.SMK"   <-- also look for this file
|
:00445899 68483E4F00     push 004F3E48                  <-- push file pointer
:0044589E 51             push ecx
:0044589F FFD7           call edi                       <-- call getdrivetypea
:004458A1 83C40C         add esp, 0000000C
:004458A4 8D4D94         lea ecx, dword ptr [ebp-6C]
:004458A7 6A00           push 00000000

* Possible Reference to String Resource ID=00001: "Error!"
|
:004458A9 6A01           push 00000001
:004458AB 51             push ecx
:004458AC 8D8D84FEFFFF   lea ecx, dword ptr [ebp+FFFFFE84]
:004458B2 E8C9330900     call 004D8C80                  <-- check for it (eax == 1 -> chk passed)
:004458B7 85C0           test eax, eax                  <-- blah
:004458B9 741D           je 004458D8                    <-- blah
:004458BB 8D8D84FEFFFF   lea ecx, dword ptr [ebp+FFFFFE84]
:004458C1 E89A360900     call 004D8F60                  <-- Trace this!!

Ok.. that's for those two checks.. now let's see the last one, trace the call:

:004D8F60 56             push esi
:004D8F61 57             push edi
:004D8F62 8BF9           mov edi, ecx
:004D8F64 33F6           xor esi, esi
:004D8F66 39B708010000   cmp dword ptr [edi+00000108], esi
:004D8F6C 7415           je 004D8F83
:004D8F6E 56             push esi
:004D8F6F 8B870C010000   mov eax, dword ptr [edi+0000010C]
:004D8F75 50             push eax

* Reference To: KERNEL32.GetFileSize, Ord:00DAh         <-- get the filesize of DRAKDUM0.SMK

That's it... GetFileSize is the last check, which determines the size of DRAKDUM0.SMK. If the file is not found, eax will have the value 0, but if the file is found, EAX is 2B465C (the file size in HEX! see for yourself if ya want -> 2836060 = 2B465C).

Huh.. we came through a longer and harder way than I had thought.. but we now know enuff to do some patching:

:0044587E E8FD330900 - call 004D8C80    change to ->  B801000000 - mov eax, 00000001
:004458B2 E8C9330900 - call 004D8C80    change to ->  B801000000 - mov eax, 00000001
:004458C1 E89A360900 - call 004D8F60    change to ->  B85C462B00 - mov eax, 002B465C

-C_DKnight

I wanna greet: AB4DS, [LaZaRuS], [E_BLiss], Tornado, Byteburn, sinn0r, cTT, Miscreant, nchanta, r!SC, Dead-Mike, Thesmurf, Icecream, _zoltan, Maybird, BlackB, aCiDHaC, SheeP140, Warezpup, Doufas, F0dder, Hutch, Weazel, X-Men, FireWorx, SeKt0r, KaOsAuS, [yAtEs], ^tCM^, night- & extasy_ & all the others at #cracking4newbies

I don't wanna forget: Tailz, MR-B, Mathras, Makis & F0ley

Catch me at C_DKnight@iobox.com or #Cracking4Newbies, tute written on February 20th - 2000