| Program Name: |
Command & Conquer: Red
Alert 
|
| Date: |
30 - Oct - 1999 |
| Objective: |
Run Without CD (No CD) |
-
- NEEDED:
-
- SoftICE
- Hex ED
- Pen and Paper :)
-
- Heya welcome to another one of
my great CD tuts :), i'm gonna
- explain howto rip C&C2, this
one i found a bit tricky certainly
- the hardess i've done, and that
doesn't include Cdilla :P, anyways
- lets get on.
-
- This check had me stuck for a
day or so and i had to sleep on it
- i ended up doing a instruction
compare, and learning a new lesson
- on approachs to cd checks.
-
- Right lets get on and crack this
baby, first of all take CD 1 and
- install, notice theres no
installation type. Once the game has installed
- your notice that you have only
32mb installed on your computer, this
- can't be right we will need some
more file(s) from the CD, anyway
- remove your CD and store safely,
now run the game, what do we see?
-
- We see a error msg box which
doesn't want to screen grab, n/m i'm
- sure you know what it looks
like, now we have a Ok button and if we
- click it nothing happens apart
from maybe a small screen refresh, this
- is good because we know that its
checking something when we click
- OK, we'll just find out what its
doing by setting our breakpoints now.
-
- Sooo what could it be doing?
well our best bet is than its searching
- for a file, so lets check that
by typing in SoftICE,
- BPX CreateFileA
DO "D esp->4"
- you might think
WTF does that do? well its break with a extra function
- you may already
know what it means but for you unprivenged people
- i'll explain, this
means break when the api CreateFileA is called,
- SoftICE will popup and
DO a "D esp->4" thats dump 4th item on the
- stack pointer(ESP),
well i think it means that :P
-
- Right now we are setup,
click OK and see what happens, so what did
- happen? Well when i did
it nothing, so i spent a few hours trying
- every single stupid API
i could think of, but no joy, so then
- guess what, i figured
out you needed a CD in the drive duh..
- hehe anyways back to
the msg box, now make sure you have any old CD
- in the drive apart from
the Red Alert ones :P, now make sure you have
- the breakpoint set,
click OK, what happens, yay! a break.
eEk! lotz of
text............................
- :) ok so the program
breaks what do you notice?, yes! in our
- dump window it says
'E:\main.mix' press F5 and bang it breaks again
- looking for the same
file, then we are returned to the msg box, hmmm
- well we have a new
mission :) to make the program read Main.mix
- from somewhere else, so
lets start by copying it to our harddrive,
- i copied mine to C:\
the root directory would be best.
-
- Ok we now have the task of
making it read of the C drive, cos i;m dumb
- and not very good at this CD
check lark ;)) it took me a while to figure
- out it was GetDriveTypeA that
finds the Cdrom Drive letter and stores it
- for later use, so all we have to
do it make this API return the Harddisc
- as a CDROM, if you don't
understand to Getdrivetype API i recommend you
- look it up in the Win32Api ref,
you'll find it pushes a drive letter
- and when the api is called it
will return its type, so for e.g it would
- push A:\ and return 2 in EAX as
2 means Removable Drive, 3 means Fixed
- and 5 means CDROM thats all we
need know.
-
- So now exit to windows and set
this break point BPX GetDriveTypeA DO "D esp"
- ok now click our
RA95.exe icon cos thats what we are cracking by the way,
hehe
- and you'll see
SoftICE will break and the dump window will say A:\ press
F12
- and you'll see
this code :-
-
- 015F:005B5090 89E0
....................................MOV EAX,ESP
- 015F:005B5092 50
........................................PUSH EAX <--- Push Drive Letter
- 015F:005B5093 885C2404 ...........................MOV
[ESP+04],BL
- 015F:005B5097 2EFF1560026E00 ...............CALL
CS:[KERNEL32!GetDriveTypeA] <-
Call API
- 015F:005B509E 83F805 ...............................CMP
EAX,05 <-- We are here
- 015F:005B50A1 75DD .................................JNZ
005B5080
- 015F:005B50A3 8B4668 ..............................MOV
EAX,[ESI+68]
-
- Ok what can we see from that
code??? well look!! its comparing the
- drive type to 5 a CDROM!, and
A:\ isn't one so it jumps up, press F5
- and SoftICE will jump again,
this time it says B:\ and you should
- get the general drift now, its
comparing A:\ to Z:\ to see which
- is a CDROM Drive, this is done
at the CMP EAX,05 Soooooo lets change
- this to CMP EAX,03, i tried
pressing A and typing in CMP eax,03 but it
- just messed up because of the
length of the instruction or some Sh*t,
- anyway we will have to change
the HEX code, if you look it says 83F805
- hmm that means
CMP EAX,05 so what ever could be CMP EAX,03 yes thats
- right its 83F803 so at this point
create a copy of RA95.exe and call it Crack.exe and
search for '83F80375DD' notice the extra JNZ
- code in there as
well because there are several 83F805's in theres thats
- just to make we
have to right one, anyway patch that and save.
-
- Now we have a
exe which should in all theory run main.mix from C:\ ok
now
- save your work
and run the EXE and lets see if the game works!
- Ok so you just
got back from rebooting your computer :P, or infact you
- just skipped a
few lines ahead and read this and thought WHAT!
- hehehe, anyway
if you ran it you would of noticed that the mouse pops
- up then
disappears as if the .MIX is loading, and i can you for a
fact
- it is, but i'm
not allowed to tell you that because we don't know that
- :P,
aaaaaaaaaanyway so what the #"£! is wrong with
it????, Hmmmm well
- this is where i
went to bed :P, next day i was like right.... tryed
- lots of sh*t
out, but couldn't see SoftICE due to C&C2's colour
palette
- which made SI
invisable ,all black, so we have to resort to a
instruction
- cmp which old
pen and paper, don't know if other crackers ever do this
- but seems a bit
lame :P, any i cracked it :D, right what we have to
- do is go back to
our orignal exe (RA95) and hoax the CreateFileA to
- read in the .mix
from the C drive and note down on paper all the jumps
- and if they jump
or not, then we do the same again but this time, we
- insert the real
CD before clicking OK, lets gooo ...
-
- Ok clear ya
breakpoints and double click RA95.exe when we get to
- the error box
goto into SoftICE and set the breakpoint BPX CreateFileA
- now leave
SoftICE and click OK when it breaks type E ESP now a new
- window we open
at the top of the screen and some where in there it will
- say E:\main.mix with your mouse click
the E and type C over it now press
- enter, now press
F12 to return to the code and you'll see that the
- CreateFileA api
has return 40 or 30 in EAX to say it read 40/30 bytes
- instead of
returning FFFFFFFF to say file not found, anyway from
here on note
- down all our
jumps and if they jump all not, heres my list
-
- 004B67BF CMP
EAX,-01
- 004B67C2 JZ
......... NO JUMP
- 004B67D6 JG
......... JUMP
- 004B6804 JNZ
........ JUMP
- RET
- 004B693A Mov
- 004B693F JL
........ NO JUMP
- 004B6943 JZ
........ NO JUMP
- 004B6948 JZ
........ JUMP
- 004B6956 JNZ
...... JUMP
- 004B6ACD JLE
...... JUMP
- 004B6C52 JZ
....... JUMP
-
- BLEH!! after
that i though i'm not doing any more, i'm sure that was
enough ;)
- , ok now clear
all breakpoints and back to the msg box, now insert your
- C&C2 CD 1
first before setting the breakpoints !! go into SoftICE
and
- set BPX
CreateFileA now leave SoftICE and click
- Ok and when it
breaks at CreateFileA once again press F12 to get back to
the
- code, and check
all the exact same jumps for differences, heres my list.
- 004B67BF CMP
EAX,-01
- 004B67C2 JZ
......... NO JUMP
- 004B67D6 JG
......... JUMP
- 004B6804 JNZ
........ NO JUMP
BANG!! there is our
difference heres the code
- 015F:004B67FD E8AE910E00 ...........CALL 0059F9B0
- 015F:004B6802 85C0 ........................TEST EAX,EAX
- 015F:004B6804 75D7 ........................JNZ 004B67DD <--- BLEH!
-
- If you trace on
your notice that you get stuck in a mad loop, and thats
why
- when we ran our
Crack.exe it jammed up, so what the hell!! lets NOP this
jump
- out!!, open up
your Crack.exe and search for '85C075D7' ok now replace
with
- '85C09090' and
Save now run our Crack.exe and they!!!!!!!!!! The Game
works
- ~"£#£@$"£$
w00T!!! :) hehe, oh well, now that the game works, i went
back
- to investigate
that Call 0059F9B0 to find out what it was about, and it
was
- just comparing C
with A and some wired stuff, so i did a quick jump check
- with the real CD
and didn't find much out, until i have just finished
writting
- this doc.
- I found out that
the call was comparing C with S and i thought and thought
- and remembered
seeing a GetVolumeInformationA, so i looked up this and
it
- gets the Name of
a drive, this happens to be E:\ in this case, and the
- CD that i had in
my drive was Shadow of the empire, the volume name was
- 'SHADOWS' then i
reliased the first letter of this was S !!!, clever eh?
- i quickly
inserted a cd, that started with the letter R , guess
what!!!
- the Call
compared R to C !!!!!!!!!!!!11 thats it i cryed!! its
checking to
- see if the first
letter of the CD in the drive begins with a C , Jeezus!!
- i'm sooooo dumb,
anyway we managed to defeat that with some lame jump
compares
- and i thought i
would write all this out just to show where people go
wrong
- how people think
and blah blah blah :), if you just hex edit the
getdrivetype
- bit to cmp
eax,03 and insert a CD beginning with the letter C you'll
find it
- works, but we
have bypassed that anyway so thats it, a very long
interesting
- tutorial which
will have no doubt taught me the lesson checking that
programs
- aren't checking
the volume name, the API shall always be in the back of
my
- mind now :D,
anyway must stop typing,
-
Laterz [yAtEs]
-
-
-
-
-
-