===============================================================================================================
       Title : ICEWIND DALE (GAME)
     Version : 1.06
 Description : RPG (BALDUR'S GATE CLONE) 
  Protection : CD CHECK
    Producer : http://www.interplay.com/icewind
     Cracker : Zaks (scorpion121@gmx.net)
       Tools : Softice, W32Dasm, Hiew
  Difficulty : Very Easy
Tutorial No. : 16
        Font : Courier New (8) Bold
===============================================================================================================


1) Install IceWind Dale. Make the biggest install possible (around 1200 MB) and upgrade it to version 1.06. Start Windows with SoftICE loaded. Run the game without the CD and wait until the screen "Icewind Dale insert cd2 in drive ?:" is shown, then set a breakpoint on GetDriveTypeA (bpx getdrivetypea). SoftICE pops up; press F12 and you land here:

:0043ADCF 83F805                  cmp eax, 00000005

Note the address 43adcf. Clear all breakpoints in SoftICE (bc*), quit it with CTRL+D and start W32Dasm. Copy idmain.exe to idmain.bak and open the latter with W32Dasm (it loads very slowly). Go to the address you noted before (43adcf) and you are in the middle of the check routine. Page up until you find "Referenced by a CALL at Addresses:" and try the addresses listed there.

* Referenced by a CALL at Addresses:
|:0068D101   , :0068D29E   
|
:0043ACBA 55                      push ebp
:0043ACBB 8BEC                    mov ebp, esp
:0043ACBD 6AFF                    push FFFFFFFF
:0043ACBF 68B9C89400              push 0094C8B9
:0043ACC4 64A100000000            mov eax, dword ptr fs:[00000000]
:0043ACCA 50                      push eax
:0043ACCB 64892500000000          mov dword ptr fs:[00000000], esp
:0043ACD2 83EC5C                  sub esp, 0000005C
:0043ACD5 894D9C                  mov dword ptr [ebp-64], ecx
:0043ACD8 A1785F9F00              mov eax, dword ptr [009F5F78]
:0043ACDD 8945F0                  mov dword ptr [ebp-10], eax
:0043ACE0 C745FC00000000          mov [ebp-04], 00000000
:0043ACE7 8B0D785F9F00            mov ecx, dword ptr [009F5F78]
:0043ACED 894DE0                  mov dword ptr [ebp-20], ecx
:0043ACF0 C645FC01                mov [ebp-04], 01
:0043ACF4 8B559C                  mov edx, dword ptr [ebp-64]
:0043ACF7 33C0                    xor eax, eax
:0043ACF9 8A82FF4B0000            mov al, byte ptr [edx+00004BFF]
:0043ACFF 83F801                  cmp eax, 00000001
:0043AD02 7527                    jne 0043AD2B
:0043AD04 C645B801                mov [ebp-48], 01
:0043AD08 C645FC00                mov [ebp-04], 00
:0043AD0C 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0043AD0F E88B605000              call 00940D9F
:0043AD14 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:0043AD1B 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0043AD1E E87C605000              call 00940D9F
:0043AD23 8A45B8                  mov al, byte ptr [ebp-48]
:0043AD26 E9AC020000              jmp 0043AFD7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AD02(C)
|
:0043AD2B 8B4D9C                  mov ecx, dword ptr [ebp-64]
:0043AD2E C681FF4B000000          mov byte ptr [ecx+00004BFF], 00

* Reference To: KERNEL32.GetLogicalDrives, Ord:0120h
                                  |
:0043AD35 FF1528439800            Call dword ptr [00984328]
:0043AD3B 8945DC                  mov dword ptr [ebp-24], eax
:0043AD3E C645E400                mov [ebp-1C], 00
:0043AD42 EB09                    jmp 0043AD4D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AF0B(U)
|
:0043AD44 8A55E4                  mov dl, byte ptr [ebp-1C]
:0043AD47 80C201                  add dl, 01
:0043AD4A 8855E4                  mov byte ptr [ebp-1C], dl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AD42(U)
|
:0043AD4D 8B45E4                  mov eax, dword ptr [ebp-1C]
:0043AD50 25FF000000              and eax, 000000FF
:0043AD55 83F81F                  cmp eax, 0000001F
:0043AD58 0F8DB2010000            jnl 0043AF10
:0043AD5E 8B4D9C                  mov ecx, dword ptr [ebp-64]
:0043AD61 33D2                    xor edx, edx
:0043AD63 8A91FF4B0000            mov dl, byte ptr [ecx+00004BFF]
:0043AD69 85D2                    test edx, edx
:0043AD6B 0F859F010000            jne 0043AF10
:0043AD71 8B4DE4                  mov ecx, dword ptr [ebp-1C]
:0043AD74 81E1FF000000            and ecx, 000000FF
:0043AD7A B801000000              mov eax, 00000001
:0043AD7F D3E0                    shl eax, cl
:0043AD81 8B4DDC                  mov ecx, dword ptr [ebp-24]
:0043AD84 23C8                    and ecx, eax
:0043AD86 85C9                    test ecx, ecx
:0043AD88 0F847D010000            je 0043AF0B
:0043AD8E 8B55E4                  mov edx, dword ptr [ebp-1C]
:0043AD91 81E2FF000000            and edx, 000000FF
:0043AD97 83C241                  add edx, 00000041
:0043AD9A 8855D8                  mov byte ptr [ebp-28], dl
:0043AD9D 0FBE45D8                movsx eax, byte ptr [ebp-28]
:0043ADA1 50                      push eax

* Possible StringData Ref from Data Obj ->"%c:\"
                                  |
:0043ADA2 68DCAA9D00              push 009DAADC
:0043ADA7 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0043ADAA 51                      push ecx
:0043ADAB E81F435000              call 0093F0CF
:0043ADB0 83C40C                  add esp, 0000000C
:0043ADB3 8B55F0                  mov edx, dword ptr [ebp-10]
:0043ADB6 8B42F8                  mov eax, dword ptr [edx-08]
:0043ADB9 8945AC                  mov dword ptr [ebp-54], eax
:0043ADBC 8B4DAC                  mov ecx, dword ptr [ebp-54]
:0043ADBF 51                      push ecx
:0043ADC0 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0043ADC3 E8BB635000              call 00941183
:0043ADC8 50                      push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
                                  |
:0043ADC9 FF1520439800            Call dword ptr [00984320]
:0043ADCF 83F805                  cmp eax, 00000005
:0043ADD2 0F8533010000            jne 0043AF0B
:0043ADD8 8B559C                  mov edx, dword ptr [ebp-64]
:0043ADDB 33C0                    xor eax, eax
:0043ADDD 8A82F94B0000            mov al, byte ptr [edx+00004BF9]
:0043ADE3 85C0                    test eax, eax
:0043ADE5 751C                    jne 0043AE03
:0043ADE7 8B4D9C                  mov ecx, dword ptr [ebp-64]
:0043ADEA C681F94B000001          mov byte ptr [ecx+00004BF9], 01
:0043ADF1 8D55F0                  lea edx, dword ptr [ebp-10]
:0043ADF4 52                      push edx
:0043ADF5 8B4D9C                  mov ecx, dword ptr [ebp-64]
:0043ADF8 81C1FA4B0000            add ecx, 00004BFA
:0043ADFE E889605000              call 00940E8C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043ADE5(C)
|
:0043AE03 6A01                    push 00000001

* Reference To: KERNEL32.SetErrorMode, Ord:0264h
                                  |
:0043AE05 FF1530439800            Call dword ptr [00984330]
:0043AE0B 8945E8                  mov dword ptr [ebp-18], eax
:0043AE0E 8B45F0                  mov eax, dword ptr [ebp-10]
:0043AE11 8B48F8                  mov ecx, dword ptr [eax-08]
:0043AE14 894DA8                  mov dword ptr [ebp-58], ecx
:0043AE17 6A00                    push 00000000
:0043AE19 6A00                    push 00000000
:0043AE1B 6A00                    push 00000000
:0043AE1D 6A00                    push 00000000
:0043AE1F 6A00                    push 00000000
:0043AE21 6A00                    push 00000000
:0043AE23 6A00                    push 00000000
:0043AE25 8B55A8                  mov edx, dword ptr [ebp-58]
:0043AE28 52                      push edx
:0043AE29 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0043AE2C E852635000              call 00941183
:0043AE31 50                      push eax

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
                                  |
:0043AE32 FF15EC419800            Call dword ptr [009841EC]
:0043AE38 85C0                    test eax, eax
:0043AE3A 740C                    je 0043AE48
:0043AE3C 8B459C                  mov eax, dword ptr [ebp-64]
:0043AE3F C680FE4B000001          mov byte ptr [eax+00004BFE], 01
:0043AE46 EB0A                    jmp 0043AE52

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AE3A(C)
|
:0043AE48 8B4D9C                  mov ecx, dword ptr [ebp-64]
:0043AE4B C681FE4B000000          mov byte ptr [ecx+00004BFE], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AE46(U)
|
:0043AE52 8B55E8                  mov edx, dword ptr [ebp-18]
:0043AE55 52                      push edx

* Reference To: KERNEL32.SetErrorMode, Ord:0264h
                                  |
:0043AE56 FF1530439800            Call dword ptr [00984330]
:0043AE5C 8B459C                  mov eax, dword ptr [ebp-64]
:0043AE5F 33C9                    xor ecx, ecx
:0043AE61 8A88FE4B0000            mov cl, byte ptr [eax+00004BFE]
:0043AE67 83F901                  cmp ecx, 00000001
:0043AE6A 0F859B000000            jne 0043AF0B
:0043AE70 C645EC02                mov [ebp-14], 02
:0043AE74 8D4DBC                  lea ecx, dword ptr [ebp-44]
:0043AE77 E838F44E00              call 0092A2B4
:0043AE7C C645FC02                mov [ebp-04], 02
:0043AE80 8D55F0                  lea edx, dword ptr [ebp-10]
:0043AE83 52                      push edx
:0043AE84 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0043AE87 E800605000              call 00940E8C

* Possible StringData Ref from Data Obj ->"cd"
                                  |
:0043AE8C 68D8AA9D00              push 009DAAD8
:0043AE91 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0043AE94 E896625000              call 0094112F
:0043AE99 8B45EC                  mov eax, dword ptr [ebp-14]
:0043AE9C 25FF000000              and eax, 000000FF
:0043AEA1 83C030                  add eax, 00000030
:0043AEA4 50                      push eax
:0043AEA5 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0043AEA8 E8A9625000              call 00941156

* Possible StringData Ref from Data Obj ->"\data\iwdcd."
                                  |
:0043AEAD 68C8AA9D00              push 009DAAC8
:0043AEB2 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0043AEB5 E875625000              call 0094112F
:0043AEBA 8B4DEC                  mov ecx, dword ptr [ebp-14]
:0043AEBD 81E1FF000000            and ecx, 000000FF
:0043AEC3 83C130                  add ecx, 00000030
:0043AEC6 51                      push ecx
:0043AEC7 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0043AECA E887625000              call 00941156
:0043AECF 6A00                    push 00000000
:0043AED1 8B55E0                  mov edx, dword ptr [ebp-20]
:0043AED4 52                      push edx
:0043AED5 8D4DBC                  lea ecx, dword ptr [ebp-44]
:0043AED8 E89AF44E00              call 0092A377
:0043AEDD 85C0                    test eax, eax
:0043AEDF 740C                    je 0043AEED
:0043AEE1 8B459C                  mov eax, dword ptr [ebp-64]
:0043AEE4 C680FF4B000001          mov byte ptr [eax+00004BFF], 01
:0043AEEB EB0A                    jmp 0043AEF7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AEDF(C)
|
:0043AEED 8B4D9C                  mov ecx, dword ptr [ebp-64]
:0043AEF0 C681FF4B000000          mov byte ptr [ecx+00004BFF], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AEEB(U)
|
:0043AEF7 8D4DBC                  lea ecx, dword ptr [ebp-44]
:0043AEFA E82EF44E00              call 0092A32D
:0043AEFF C645FC01                mov [ebp-04], 01
:0043AF03 8D4DBC                  lea ecx, dword ptr [ebp-44]
:0043AF06 E8E6F34E00              call 0092A2F1

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043AD88(C), :0043ADD2(C), :0043AE6A(C)
|
:0043AF0B E934FEFFFF              jmp 0043AD44

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043AD58(C), :0043AD6B(C)
|
:0043AF10 8B559C                  mov edx, dword ptr [ebp-64]
:0043AF13 33C0                    xor eax, eax
:0043AF15 8A82F94B0000            mov al, byte ptr [edx+00004BF9]
:0043AF1B 85C0                    test eax, eax
:0043AF1D 7554                    jne 0043AF73
:0043AF1F 8B0DECC69F00            mov ecx, dword ptr [009FC6EC]
:0043AF25 894DA0                  mov dword ptr [ebp-60], ecx
:0043AF28 8B55A0                  mov edx, dword ptr [ebp-60]
:0043AF2B C782F44B0000B0290000    mov dword ptr [edx+00004BF4], 000029B0
:0043AF35 8B45A0                  mov eax, dword ptr [ebp-60]
:0043AF38 C780F04B000010000000    mov dword ptr [eax+00004BF0], 00000010
:0043AF42 8B4DA0                  mov ecx, dword ptr [ebp-60]
:0043AF45 83C178                  add ecx, 00000078
:0043AF48 894DA4                  mov dword ptr [ebp-5C], ecx
:0043AF4B 837DA400                cmp dword ptr [ebp-5C], 00000000
:0043AF4F 7509                    jne 0043AF5A
:0043AF51 C7459800000000          mov [ebp-68], 00000000
:0043AF58 EB09                    jmp 0043AF63

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AF4F(C)
|
:0043AF5A 8B55A4                  mov edx, dword ptr [ebp-5C]
:0043AF5D 8B421C                  mov eax, dword ptr [edx+1C]
:0043AF60 894598                  mov dword ptr [ebp-68], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AF58(U)
|
:0043AF63 6A00                    push 00000000
:0043AF65 6A00                    push 00000000
:0043AF67 6A10                    push 00000010
:0043AF69 8B4D98                  mov ecx, dword ptr [ebp-68]
:0043AF6C 51                      push ecx

* Reference To: USER32.PostMessageA, Ord:01DEh
                                  |
:0043AF6D FF15D0449800            Call dword ptr [009844D0]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AF1D(C)
|
:0043AF73 8B559C                  mov edx, dword ptr [ebp-64]
:0043AF76 33C0                    xor eax, eax
:0043AF78 8A82FE4B0000            mov al, byte ptr [edx+00004BFE]
:0043AF7E 85C0                    test eax, eax
:0043AF80 740F                    je 0043AF91
:0043AF82 8B4D9C                  mov ecx, dword ptr [ebp-64]
:0043AF85 33D2                    xor edx, edx
:0043AF87 8A91FF4B0000            mov dl, byte ptr [ecx+00004BFF]
:0043AF8D 85D2                    test edx, edx
:0043AF8F 7524                    jne 0043AFB5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AF80(C)
|
:0043AF91 C645B400                mov [ebp-4C], 00
:0043AF95 C645FC00                mov [ebp-04], 00
:0043AF99 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0043AF9C E8FE5D5000              call 00940D9F
:0043AFA1 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:0043AFA8 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0043AFAB E8EF5D5000              call 00940D9F
:0043AFB0 8A45B4                  mov al, byte ptr [ebp-4C]
:0043AFB3 EB22                    jmp 0043AFD7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043AF8F(C)
|
:0043AFB5 C645B001                mov [ebp-50], 01
:0043AFB9 C645FC00                mov [ebp-04], 00
:0043AFBD 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0043AFC0 E8DA5D5000              call 00940D9F
:0043AFC5 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:0043AFCC 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0043AFCF E8CB5D5000              call 00940D9F
:0043AFD4 8A45B0                  mov al, byte ptr [ebp-50]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043AD26(U), :0043AFB3(U)
|
:0043AFD7 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:0043AFDA 64890D00000000          mov dword ptr fs:[00000000], ecx
:0043AFE1 8BE5                    mov esp, ebp
:0043AFE3 5D                      pop ebp
:0043AFE4 C3                      ret

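To make the listing above readable as a whole, here is the routine at 0043ACBA rewritten in Python; this is an added reconstruction from the disassembly, not the game's code. The Win32 calls are replaced by a constructed Environment object so it runs offline, and the field names, the WM_CLOSE reading of the 0x10 message and the sample drive layout are my assumptions.

```python
from dataclasses import dataclass, field

DRIVE_CDROM = 5      # GetDriveTypeA result the routine compares eax against (0043ADCF)
WM_CLOSE = 0x10      # message posted at 0043AF6D when no CD-ROM drive exists (my reading of 10h)
CD_NUMBER = 2        # the path is built as "<root>cd2\data\iwdcd.2" (0043AE8C..0043AECA)

@dataclass
class Environment:
    """Constructed stand-in for the Win32 calls; bit n of logical_drives is drive chr(0x41+n)."""
    logical_drives: int
    drive_types: dict          # "X:\\" -> GetDriveTypeA value
    volumes_readable: set      # roots for which GetVolumeInformationA succeeds (media inserted)
    files: set                 # paths the open at 0092A377 succeeds on
    posted: list = field(default_factory=list)

@dataclass
class State:
    """Object fields the routine keeps at ecx+4BF9..4BFF (names are mine)."""
    found_cdrom: bool = False    # +4BF9
    cdrom_root: str = ""         # +4BFA
    media_present: bool = False  # +4BFE
    cd_ok: bool = False          # +4BFF, cached result of the last successful check

def cd_check(state: State, env: Environment) -> bool:
    if state.cd_ok:                     # 0043ACFF: a cached success returns at once
        return True
    for n in range(0x1F):               # 0043AD55: loop while the drive index is < 1Fh
        if state.cd_ok:                 # 0043AD6B: stop as soon as one drive passed
            break
        if not env.logical_drives & (1 << n):
            continue
        root = "%c:\\" % chr(0x41 + n)  # 0043ADA2: "%c:\"
        if env.drive_types.get(root) != DRIVE_CDROM:
            continue
        if not state.found_cdrom:       # remember the first CD-ROM drive seen
            state.found_cdrom, state.cdrom_root = True, root
        # 0043AE32: GetVolumeInformationA under SetErrorMode(1), so no "insert disk" dialog
        state.media_present = root in env.volumes_readable
        if not state.media_present:
            continue
        path = f"{root}cd{CD_NUMBER}\\data\\iwdcd.{CD_NUMBER}"
        state.cd_ok = path in env.files
    if not state.found_cdrom:           # 0043AF10: no CD-ROM drive at all, ask the main window to close
        env.posted.append(WM_CLOSE)
    return state.media_present and state.cd_ok   # 0043AF73..0043AFD4
```

The whole decision collapses into the single byte at +4BFF, which is why the caller at 68d101 only needs one TEST and one conditional jump.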

2) The first one, 68d101, looks very suspicious: you have a CALL, a TEST and a conditional JUMP. You can check (with SoftICE, by breaking on memory) that if the CD is in the drive the jump is taken, and if it is out it is not taken. If you are familiar with my previous tutorials you recognize this "protection" very well. To defeat it simply replace the conditional jump JNE with an unconditional JMP. Just note the file offset of the JNE line - 28d10d for me.


:0068D101 E8B4DBDAFF              call 0043ACBA
:0068D106 25FF000000              and eax, 000000FF
:0068D10B 85C0                    test eax, eax
:0068D10D 0F8568030000            jne 0068D47B			//offset 28d10d


3) Open idmain.exe with Hiew (or your favourite hex editor). F2 - decode, F5 - go to 28d10d, F3 - edit, F2 - write in ASM, replace JNE with JMP. Note that the line has shrunk from 12 hex digits to 10 (a JNE with a 32-bit displacement is 6 bytes, a JMP with one is 5), so to repair this write a NOP on the next line to fill the leftover byte, then ESC and F9 to update, and all is done.


===============================================================================================================
You can find all my tutorials and cracks on the following sites :
http://zarea.cjb.net
http://go.to/zzone
http://kickme.to/dbc

06.15.2001
Written by Zaks