Free Information Xchange presents:

Forsaken English version - CD crack by R!SC - Nov 29th, 1998

REQUIREMENTS:
  Full game install (I got the English version but cracking other versions should be the same)
  Hex editor
  W32Dasm

Let's get started then. First off we do a full install of the game, take out the CD and try loading Forsaken. Heh, a standard Win95 messagebox tells us "Please insert the Forsaken CD"; that gives us a good starting place.

Make a copy of the Forsaken exe you want to crack (I started with forsakenHW.exe). Load the copy into W32Dasm; after it has done its magic, click on the string data references button and start looking for the message that we got. Double clicking on this takes us to the evil routine that asks us for the CD; another double click reveals that this is the only reference to it.

--Fig.1: the CD check routine--

* Referenced by a CALL at Addresses:
|:0042D4F3 , :0042DF2A , :00479DDF , :004CC2A7      <-- referenced by four callers
|                                                   <-- (all wanting a 01 returned in eax!)
:004856D7 55              push ebp                  <-- could change this to 33c0 xor eax,eax
:004856D8 8BEC            mov ebp, esp              <-- could change this to 40 inc eax
                                                    <-- and the next byte to c3 ret
                                                    ;who skips the CD check as often as possible? ;) but a jmp is easier

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004856F8(U)
|
:004856DA E855FFFFFF      call 00485634             <-- CD check routine
:004856DF 85C0            test eax, eax             <-- returns a 1 in eax if CD was present
:004856E1 7517            jne 004856FA              <-- change this to a jmp to skip the messagebox

* Possible StringData Ref from Data Obj ->"Please insert the Forsaken CD"   <-- text that got us here
|
:004856E3 687C4E5B00      push 005B4E7C
:004856E8 E8F79CFAFF      call 0042F3E4             <-- show the messagebox (with ok and cancel buttons)
:004856ED 83C404          add esp, 00000004
:004856F0 85C0            test eax, eax
:004856F2 7504            jne 004856F8              <-- if you clicked ok, check for the CD again
:004856F4 33C0            xor eax, eax
:004856F6 EB07            jmp 004856FF              <-- cancel == set the flag (eax) to NO-CD (0)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004856F2(C)
|
:004856F8 EBE0            jmp 004856DA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004856E1(C)
|
* Possible Ref to Menu: APPMENU, Item: "About.. F1"
|
:004856FA B801000000      mov eax, 00000001         <-- set eax to say we found a CD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004856F6(U)
|
:004856FF 5D              pop ebp
:00485700 C3              ret                       <-- return to caller...(see below)

--Fig.2: one of the four calls to the code above--

:00479DDF E8F3B80000      call 004856D7             <-- call routine above to check for the CD
:00479DE4 85C0            test eax, eax             <-- eax=1 if there was a CD
:00479DE6 751B            jne 00479E03              <-- jump if eax is not equal to 0

* Possible StringData Ref from Data Obj ->"Forsaken CD required"
|
:00479DE8 6858435B00      push 005B4358
:00479DED E82355FBFF      call 0042F315             <-- display nasty message
:00479DF2 83C404          add esp, 00000004

* Possible Ref to Menu: APPMENU, Item: "About.. F1"
|
:00479DF5 C7058CA7860001000000  mov dword ptr [0086A78C], 00000001
:00479DFF 33C0            xor eax, eax
:00479E01 EB78            jmp 00479E7B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479DE6(C)
|
:00479E03 E8CFDEFFFF      call 00477CD7             <-- carry on with whatever cus we have a Forsaken CD

Pretty straightforward, eh? There is a conditional jump just before the Ref that got us here; if the jump is taken, it sets eax to 1 to say that we have a CD present, so all we have to do is change the 'jne 004856FA' to a 'jmp 004856FA'. This routine is referenced by four CALLs from different parts of the program; Fig.2 displays one of these CALLs. All they do is call this routine, then check eax to see if we have a CD or not; if eax=1 then we jump over "Forsaken CD required" and carry on with the game. So changing the jne at 004856E1 skips both of the nasty message boxes and lets us play the game, right?

Keep W32Dasm running and load the original forsakenHW.exe into your hex editor. Double click on the 'jne 004856FA' above the Ref to "Please insert the Forsaken CD" in W32Dasm and at the bottom of the screen will be your offset to hex edit the program. Mine was 0084AE1. Back into the hex editor, goto 0084AE1, change the 75 (jne) to an EB (jmp), save the file and run Forsaken.

Hmmn, it doesn't ask me for the CD now but tells me that my installation is invalid... Oh well, back into W32Dasm and search for that string. This takes us to the code below: a call, a test, a jne.

--A new message after removing the CD check--

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D4FA(C)
|
:0042D510 E8EC810500      call 00485701             <-- probably a routine to check your installation
:0042D515 85C0            test eax, eax             <-- erm
:0042D517 7514            jne 0042D52D              <-- letz jump always and skip the message (EB14)

* Possible StringData Ref from Data Obj ->"Installation invalid"   <-- horrid message
|
:0042D519 688CDE5200      push 0052DE8C
:0042D51E E8F21D0000      call 0042F315             <-- show message box with only an OK button
:0042D523 83C404          add esp, 00000004
:0042D526 33C0            xor eax, eax
:0042D528 E905030000      jmp 0042D832              <-- hello win95

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D517(C)
|
:0042D52D E8DE8EFEFF      call 00416410             <-- carry on, our install iz valid ;)

Heh, we've seen this before. We have two choices: take the jump and carry on with the game, or don't take the jump and get shown the nasty message. Well, I think we will take the JUMP. Double click on the 'jne 0042D52D' above the Ref to "Installation invalid", get the offset at the bottom of the screen and enter it into your hex editor. Change the 75 (jne) to an EB (jmp), save the file and run Forsaken again. Heh, it worked this time, yes?

Okay, compare the two files "copy of forsakenhw.exe" & "forsakenhw.exe", write down the offsets and the changes and make your patch (if you're into that sort of thing). After testing the crack, you can test it with some other installs. Cracking the software version is just the same; other language versions of the game should have just the same protection.

edit forsak~1.exe (forsakenHW.exe)   (offsets are in hex)
=======================================================
Search for: 75 17 at offset 84ae1
Change to : EB --

Search for: 75 14 at offset 2c917
Change to : EB --

Another tutorial comes to an end and another game has been FiX'ed!

happy cracking
love R!SC -- risc@notme.com
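An added example, not part of R!SC's tutorial or the game's code: a small Python integrity check in the spirit of the "compare the two files" step above, which verifies that the two conditional jumps the listings walk through still carry their original jne opcodes and flags the single-byte jne-to-jmp patch, the kind of check a publisher's self-test or a file-integrity monitor would run. It also re-checks the listing's own arithmetic (rel8 branch targets, and the VA-to-file-offset mapping, where the image base 0x400000 and the 0xC00 delta are assumptions derived from the two address/offset pairs in the text); the image buffers are constructed stand-ins, not the real binary.

```python
# Added example (not from the tutorial): an integrity check that verifies the two
# conditional jumps walked through above and flags the jne -> jmp byte patch.
IMAGE_BASE = 0x400000   # standard Win32 image base; assumption, not stated in the text
RAW_DELTA = 0xC00       # VA - IMAGE_BASE - file offset; derived from the two pairs below

# (virtual address, file offset, original bytes, branch target) as given in the listings
CHECKS = [
    (0x004856E1, 0x84AE1, bytes.fromhex("7517"), 0x004856FA),  # "Please insert the Forsaken CD"
    (0x0042D517, 0x2C917, bytes.fromhex("7514"), 0x0042D52D),  # "Installation invalid"
]

def rel8_target(va, insn):
    """Destination of a 2-byte short branch (75 rel8 = jne, EB rel8 = jmp):
    next-instruction address plus the signed 8-bit displacement."""
    disp = insn[1] - 0x100 if insn[1] >= 0x80 else insn[1]
    return va + 2 + disp

def va_to_offset(va):
    """Map a W32Dasm virtual address to the file offset the hex editor needs."""
    return va - IMAGE_BASE - RAW_DELTA

def classify(image, offset):
    """Report what opcode sits at a checked site."""
    op = image[offset]
    if op == 0x75:
        return "jne (original)"
    if op == 0xEB:
        return "jmp (patched)"
    return "unexpected opcode 0x%02X" % op

def audit(image):
    """Verify the listing's own arithmetic, then classify each site in `image`."""
    findings = []
    for va, off, orig, target in CHECKS:
        if va_to_offset(va) != off:
            raise ValueError("offset mapping disagrees with listing at %08X" % va)
        if rel8_target(va, orig) != target:
            raise ValueError("branch target disagrees with listing at %08X" % va)
        findings.append((off, classify(image, off)))
    return findings

def stand_in_image(tampered=False):
    """Constructed stand-in for the binary: filler bytes with the two sites populated.
    With tampered=True the first byte at each site is EB, as in a patched copy."""
    image = bytearray(b"\x90" * 0x90000)
    for _, off, orig, _ in CHECKS:
        image[off:off + 2] = orig
        if tampered:
            image[off] = 0xEB
    return bytes(image)

def is_tampered(image):
    """True if any checked site no longer holds its original conditional jump."""
    return any(kind != "jne (original)" for _, kind in audit(image))
```

The same rel8 helper reproduces every short branch in the listings (for instance EBE0 at 004856F8 lands on 004856DA), which is a quick way to confirm a disassembler's targets before trusting them.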