"Big Race USA V1.18"

This tutorial is coming from...


##########                     #######  ####                ####   #####    ########## 
  ###    ###                       ###     #   ###                    ###   #          #         ### 
  ###    ###        ###         ###  #      ###     ###          ###  #           #        ### 
  ###    ###      ## ##        ###  #      ###    ## ##         ####                     ### 
  ###   ###      ### ###     ######    ###   ### ###         ###                   ### 
  #######       #######    ###  #      ###   #######        ###                  ### 
  ### ###        ###           ###  #      ###   ###               ####                ### 
  ###  ###       ###           ###          ###   ###             #  ###               ###      # 
  ###   ###      ###           ###          ###   ###            #   ###              ###       # 
 ###    ###       ###  #      ###          ###    ###  #      #     ###            ###       ## 
####### ####   ####   #######    #####   ####   #####  ######    ########## 

ReFleXZ '99

Url: Http://ReFleXZ99.cjb.net
Email: ReFleXZ@fcmail.com
 
About the essay...
Written by
Klefz 
 
Date: 3rd May 1999
Program name: Big Race USA v1.18
Program type: Game 
Program location: N/A
Program filename: N/A
Program size: 748 Kb 
 
Tools required: 
Softice 3.2 - Debugger 
 
Difficulty level: 
Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 
 
Introduction...
This is just another simple CD-Protection..

About the protection...

Type of protection:
CD-Check

The Essay...
1. Crack it to play without the CD

Since it's a CD-check, we set a breakpoint on GetDriveTypeA to break when the program
scans the drives.. so we should land here when we start:

:004646DD  2EFF158CC34D00      CALL    CS:[KERNEL32!GetDriveTypeA];almost always used on win32 cd prots
:004646E4  83F805              CMP     EAX,05                     ;05=cd-rom
:004646E7  7510                JNZ     004646F9
:004646E9  83FEFF              CMP     ESI,-01
:004646EC  7502                JNZ     004646F0
:004646EE  89DE                MOV     ESI,EBX
:004646F0  E8B3FEFFFF          CALL    004645A8                   ;the main check routine
:004646F5  85C0                TEST    EAX,EAX
:004646F7  7506                JNZ     004646FF
:004646F9  43                  INC     EBX
:004646FA  83FB1A              CMP     EBX,1A
:004646FD  7CD0                JL      004646CF
:004646FF  83FB19              CMP     EBX,19
:00464702  7E3A                JLE     0046473E

Inside the call:

:004645A8  51                  PUSH    ECX
:004645A9  52                  PUSH    EDX
:004645AA  83EC34              SUB     ESP,34
:004645AD  6A00                PUSH    00
:004645AF  6A00                PUSH    00
:004645B1  6A00                PUSH    00
:004645B3  6A00                PUSH    00
:004645B5  8D442430            LEA     EAX,[ESP+30]
:004645B9  50                  PUSH    EAX
:004645BA  6A20                PUSH    20
:004645BC  8D442418            LEA     EAX,[ESP+18]
:004645C0  50                  PUSH    EAX
:004645C1  68F0C04900          PUSH    0049C0F0
:004645C6  2EFF15ACC34D00      CALL    CS:[KERNEL32!GetVolumeInformationA];gets the volume info.
:004645CD  85C0                TEST    EAX,EAX
:004645CF  7457                JZ      00464628                           ;if it's wrong, jump
:004645D1  BAF8C84800          MOV     EDX,0048C8F8
:004645D6  89E0                MOV     EAX,ESP
:004645D8  E815FE0000          CALL    004743F2                           ;evil check: compares the volume label at ESP with the string at 0048C8F8
:004645DD  85C0                TEST    EAX,EAX                            ;and test
:004645DF  7547                JNZ     00464628                           ;jump if it fails
:004645E1  89442430            MOV     [ESP+30],EAX
:004645E5  8D442424            LEA     EAX,[ESP+24]
:004645E9  50                  PUSH    EAX
:004645EA  8D44242C            LEA     EAX,[ESP+2C]
:004645EE  50                  PUSH    EAX
:004645EF  8D442434            LEA     EAX,[ESP+34]
:004645F3  50                  PUSH    EAX
:004645F4  8D44243C            LEA     EAX,[ESP+3C]
:004645F8  50                  PUSH    EAX
:004645F9  68F0C04900          PUSH    0049C0F0
:004645FE  2EFF1588C34D00      CALL    CS:[KERNEL32!GetDiskFreeSpaceA]    ;check the free space
:00464605  837C242800          CMP     DWORD PTR [ESP+28],00              ;is the number of free clusters 0 (a full, read-only disc)?
:0046460A  751C                JNZ     00464628                           ;if not, jump
:0046460C  8B44242C            MOV     EAX,[ESP+2C]                       ;bytes per sector
:00464610  0FAF442430          IMUL    EAX,[ESP+30]                       ;* sectors per cluster
:00464615  0FAF442424          IMUL    EAX,[ESP+24]                       ;* total clusters = total size of the medium in bytes
:0046461A  3D0090EC28          CMP     EAX,28EC9000                       ;is the size at least 28EC9000h (~655 MB)?
:0046461F  7207                JB      00464628                           ;jump if below (to bad code)
:00464621  B801000000          MOV     EAX,00000001
:00464626  EB02                JMP     0046462A
:00464628  31C0                XOR     EAX,EAX
:0046462A  83C434              ADD     ESP,34
:0046462D  5A                  POP     EDX
:0046462E  59                  POP     ECX
:0046462F  C3                  RET
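To make the logic of the routine at 004645A8 and the drive loop around it easy to read, here is an added C model of the check (written for this write-up, not code from the game or the essay). The Windows API results are replaced by a constructed struct, and the volume label string at 0048C8F8 is not shown in the essay, so EXPECTED_LABEL is a placeholder; the product uses 32-bit arithmetic so it wraps exactly like the IMUL chain.

```c
#include <stdint.h>
#include <string.h>

#define DRIVE_CDROM    5            /* GetDriveTypeA result tested at 004646E4 */
#define SIZE_THRESHOLD 0x28EC9000u  /* constant compared at 0046461A (~655 MB) */

/* Constructed stand-in for the Windows API results the real code reads. */
struct drive {
    int      type;               /* what GetDriveTypeA would return */
    int      has_volume_info;    /* GetVolumeInformationA success flag */
    char     label[32];          /* volume label, the 0x20-byte buffer at ESP */
    uint32_t sectors_per_cluster, bytes_per_sector, free_clusters, total_clusters;
};

/* Placeholder: the real string at 0048C8F8 is not shown in the essay. */
static const char EXPECTED_LABEL[] = "BIGRACE";

/* Mirrors the routine at 004645A8: returns 1 when the medium passes, else 0. */
int cd_check(const struct drive *d) {
    if (!d->has_volume_info) return 0;                    /* JZ  00464628 */
    if (strcmp(d->label, EXPECTED_LABEL) != 0) return 0;  /* CALL 004743F2, JNZ */
    if (d->free_clusters != 0) return 0;                  /* CMP [ESP+28],00, JNZ */
    /* IMUL chain: the 32-bit product wraps exactly like the x86 code */
    uint32_t size = d->bytes_per_sector * d->sectors_per_cluster * d->total_clusters;
    return size >= SIZE_THRESHOLD;                        /* JB 00464628 when below */
}

/* Mirrors the loop at 004646CF: index (EBX) of the first CD-ROM drive that
 * passes the check, or -1 when EBX reaches 1Ah without a hit. */
int find_game_cd(const struct drive *drives, int n) {
    for (int ebx = 0; ebx < 0x1A && ebx < n; ebx++) {
        if (drives[ebx].type != DRIVE_CDROM) continue;    /* CMP EAX,05 / JNZ */
        if (cd_check(&drives[ebx])) return ebx;           /* TEST EAX,EAX / JNZ */
    }
    return -1;
}

/* Builds one constructed CD-ROM entry (2048-byte sectors) and checks it. */
int check_with(const char *label, uint32_t free_clusters, uint32_t total_clusters) {
    struct drive d = { DRIVE_CDROM, 1, "", 1, 2048, free_clusters, total_clusters };
    strncpy(d.label, label, sizeof d.label - 1);
    return cd_check(&d);
}

/* Constructed drive table: index 2 is a fixed disk, index 3 the game CD. */
int demo_scan(void) {
    struct drive drives[4] = {0};
    drives[2].type = 3;
    drives[3] = (struct drive){ DRIVE_CDROM, 1, "BIGRACE", 1, 2048, 0, 340000 };
    return find_game_cd(drives, 4);
}
```

Every condition collapses into a single 0/1 result in EAX, which is why the whole protection hinges on the four conditional jumps the essay lists next.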

So what we will do is NOP out some parts of the code =], and I hope you know which parts?
If not, here are the changes:

search for: 85 C0 74 57 BA F8 C8 48 00
replace   :       90 90

search for: E8 15 FE 00 00 85 C0 75 47
replace   : 90 90 90 90 90 90 90 90 90

search for: 83 7C 24 28 00 75 1C
replace   :                90 90

search for: 3D 00 90 EC 28 72 07
replace   :                90 90
---
/Klefz [ReFleXZ '99] - http://klefz.cjb.net

Final notes...
Nothing to say as usual =]

My thanks and gratitude go to:

All members of ReFleXZ
All members of Fluke
All members of ECLiPSE
Maktone (stop tagging KLEFZ over sand-boxes!), looman, andrez, topaz, sparky, oxygener, malacai, Duelist, Eternal Bliss and all I've surely forgotten!

Disclaimer...
This tutorial is written for EDUCATIONAL purposes only.
So if you want to use the program after its trial period ends please BUY IT!
Support shareware(and its authors), this is our learning tool!

ReFleXZ is not responsible for any damage caused with this essay or any of its parts.
So everything that you're doing and 'experimenting' is on your own responsibility!

Also, in this tutorial you'll not find any serial numbers, so try to search elsewhere 
under Cracks and Warez.

Copyright © 1999 by ReFleXZ '99
All rights reserved