Introduction:
OK, so it's an old one, but it's still worth looking at because of its strange CD protection method. Two CDs: the first one has all the important installation files and a 140MB AVI; CD #2 has the rest of the AVIs and several audio tracks. This tutorial is in two parts: the CD-check removal, and the alteration of the code to enable the AVIs to play from the hard drive........some said it could not be done, but I've proved them wrong.
You must apply patch 1.1 to the original game before attempting this crack, so that the file offsets given below match what is on your disk. Before you change any byte, check that the bytes quoted for that offset are actually there.
The Protection:
Well, it has to be said that this one is an unusual one, and it could have been quite tricky if you don't have the correct tools for the job. The check lives in a DLL that, for each drive letter, asks Windows what type of drive it is and then tries to create a file on it. When that write fails, the DLL takes it as proof that it has found the (read-only) CD in the drive, and then it looks for certain files on CD #2. If they are not present, the check fails.
Tools required:
Soft-ice, FileMon, Wdasm, Hex-editor.
The Crack:
For this crack my game folder is D:\Games\Klingon and my
CD drive is E:
We need a program called FileMon first of all. It logs every file open, read and write a process makes, together with the result, so you can see exactly which paths the game is probing when the CD check fails.
Step 1: Install the game and leave the CD out of the drive. Go to start a new game and you will get a message reading 'Insert the gameplay CD in the CD-ROM drive then press enter'. Try as you might to press enter, the message stays there. Press escape to get back to the choice of 'New game' etc...
Step 2: Alt-Tab (or use the Windows key) back to Windows and run FileMon, then Alt-Tab back to the game. Now start a new game again to get the error message. Press enter a couple of times, then quickly Alt-Tab back to FileMon and stop capturing (Ctrl-E). Now search up the window list for any references to E: (the CD-ROM drive) and any results of NOTREADY or NOTFOUND.
Step 3: Here is a sample from FileMon that you should see when you try it yourself:
Open E:\NOTCD.TXT NOTREADY CREATENEW REPLACEEXISTING WRITEONLY DENYWRITE
Open E:\AVI\BUILDUP.AVI NOTREADY OPENEXISTING READONLY DENYNONE
Open E:\AVI\INTRO.AVI NOTREADY OPENEXISTING READONLY DENYNONE
Looking at the first line, there is an attempt to create and write a file on the CD-ROM, which fails with NOTREADY because there is no disc in the drive. (With a disc in, it fails as well, because a CD is read-only, and that failure is exactly what the check wants to see.) On the next line there is an attempt to open a file in the AVI folder on CD #2, which fails for the same reason. And on the last line an attempt is made to access a file which is on CD #1.
So where is the access being called from then? Is it KHG.EXE, EDITOR.EXE or what?
Well, the actual file it is being called from is WINDRV.DLL. You can find this out in two ways:
[1] Trap the API function GetDriveTypeA, which the DLL calls to check which type of drive it is looking at, and see which module the call returns into.
[2] Do a text search through the files in the Klingon\System folder. Search for 'notcd.txt' and you will find it in WINDRV.DLL.................are you still with me??
The surrounding code is shown below:
:1110540F 68283E1111 push 11113E28
:11105414 8DBAD0030000 lea edi, dword ptr [edx+000003D0]
:1110541A 57 push edi
:1110541B FFD6 call esi
:1110541D 83C40C add esp, 0000000C
:11105420 8D4DD8 lea ecx, dword ptr [ebp-28]
:11105423 8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
:11105429 51 push ecx
* Possible StringData Ref from Data Obj ->"%snotcd.txt"
:1110542A 681C3E1111 push 11113E1C
:1110542F 52 push edx
:11105430 FFD6 call esi                ; esi is a sprintf-style formatter: builds "<path>notcd.txt" in [ebp-12C]
:11105432 83C40C add esp, 0000000C
:11105435 8D85D4FEFFFF lea eax, dword ptr [ebp+FFFFFED4]
:1110543B 6A00 push 00000000           ; hTemplateFile
:1110543D 6880000000 push 00000080     ; FILE_ATTRIBUTE_NORMAL
:11105442 6A02 push 00000002           ; CREATE_NEW
:11105444 6A00 push 00000000           ; no security attributes
:11105446 6A01 push 00000001           ; FILE_SHARE_READ (FileMon shows this as DENYWRITE)
:11105448 6800000040 push 40000000     ; GENERIC_WRITE
:1110544D 50 push eax                  ; the "...notcd.txt" path
* Reference To: KERNEL32.CreateFileA, Ord:0031h
:1110544E FF1594C21011 Call dword ptr [1110C294]
:11105454 83F8FF cmp eax, FFFFFFFF     ; INVALID_HANDLE_VALUE: the write was refused
:11105457 741A je 11105473            ; refused = read-only medium, so carry on with the CD #2 file check
:11105459 50 push eax
Step 4: Put CD #2 back in, start the game again and go back to the screen where you select 'New Game' from. Stop there for a moment. CTRL-D into Soft-ice and set a breakpoint on GetDriveTypeA (bpx getdrivetypea).
Press F5 to go back to the game. Select 'New Game' and you will be returned to Soft-ice.
IMPORTANT NOTE: If you are using a Voodoo/3D card then the game must be in windowed mode, as you may see nothing when Soft-ice pops up.
OK......now that you've been returned to Soft-ice, press F12 to go back to the place the call was made from and you will see that you are now inside WINDRV.DLL. Notice the value of EAX. The DLL calls GetDriveTypeA once per drive letter, so press F5 to run to the next call and F12 again, until EAX=5. The value 5 is DRIVE_CDROM (a CD-ROM drive reports this whether or not a disc is in it), whereas 3 is DRIVE_FIXED, a hard drive.
Trace the code by pressing F10 until you get to CreateFileA; this is where the file 'notcd.txt' is 'written' to the CD-ROM. Stop at 11105457 and check the value in EAX: it should be FFFFFFFF (-1, INVALID_HANDLE_VALUE, i.e. an error).
Step 5: Continue to trace the code down to here:
:11105473 57 push edi
:11105474 8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
* Possible StringData Ref from Data Obj ->"%sbuildup.avi"
:1110547A 680C3E1111 push 11113E0C
:1110547F 52 push edx
:11105480 FFD6 call esi
:11105482 83C40C add esp, 0000000C
:11105485 8D85D4FEFFFF lea eax, dword ptr [ebp+FFFFFED4]
:1110548B 50 push eax
* Reference To: Core.?appFSize@@YAHPBD@Z, Ord:03D4h
:1110548C FF151CC11011 Call dword ptr [1110C11C]
:11105492 83C404 add esp, 00000004
:11105495 85C0 test eax, eax
:11105497 7F28 jg 111054C1
:11105499 57 push edi
:1110549A 8D8DD4FEFFFF lea ecx, dword ptr [ebp+FFFFFED4]
You should land at the first line after the CreateFileA error. Trace down (F10) to 1110547A. This is where another file is being prepared to be accessed. This one is in the AVI folder on the CD. The call at 1110548C goes into the Core module's appFSize (the decorated name ?appFSize@@YAHPBD@Z is int appFSize(const char *)), which returns the size of the named file, so this is a 'does buildup.avi exist' test. Continue tracing and stop at 11105495 and check the value in EAX. It should not be FFFFFFFF; it should be a positive number (the size of buildup.avi), and the following line should jump to 111054C1 instead of falling through to the code that generates the 'Insert CD..' message.
This is interesting: we should be able to fake the CD check by forcing the jump to 111054C1, replacing the JG with a JMP. The instruction at 11105497 then becomes EB28 rather than 7F28 (same 8-bit displacement, different opcode, so nothing else in the code moves). The JE at 11105457 can be treated the same way, which is what part two of this tutorial does.
Exit the game now, load WINDRV.DLL into a hex editor and go to offset 4897h. Check that the two bytes there are 7F 28, then enter EB in place of 7F. You have now cracked the CD-Check........Well done!
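To see why that single byte is enough, here is the whole check from 111053DD to 11105497 written out in C. This is an added example, not the game's code and not anything taken from this tutorial: the three calls the loop makes (GetDriveTypeA, the CreateFileA write attempt, Core's appFSize) are replaced by function pointers and fed by a simulated machine (D: a hard drive holding the game, E: the CD-ROM drive), so it runs anywhere and touches no real files. Two things are assumptions because the listing doesn't show them: the loop's first drive letter (taken as 'C'; only the 'Z' upper bound, cmp ebx, 5Ah, is visible) and where the JNE at 11105402 ends up (taken as 'try the next letter'). The patches struct also carries the part-two edits, so the same code shows what each of the four byte changes does.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the WINDRV.DLL CD check (added example, not the game's code).
 * The probes the loop makes are supplied as function pointers, so the decision
 * logic can run on any OS against a simulated machine. */
#define DRIVE_FIXED 3      /* GetDriveTypeA: hard drive */
#define DRIVE_CDROM 5      /* GetDriveTypeA: CD-ROM drive, with or without a disc */

struct probes {
    int  (*drive_type)(const char *root);          /* GetDriveTypeA("X:\") */
    int  (*create_new_writable)(const char *path); /* 1 if CreateFileA(GENERIC_WRITE, CREATE_NEW) succeeds */
    long (*file_size)(const char *path);           /* Core appFSize(): <= 0 if the file is missing */
};

/* Which of the tutorial's four edits have been applied to the DLL. */
struct patches {
    int jg_to_jmp_11105497;  /* 4897h: 7F -> EB   (part one) */
    int nop_jne_11105402;    /* 4802h: 6 x 90     (part two) */
    int je_to_jmp_11105457;  /* 4857h: 74 -> EB   (part two) */
    const char *root_fmt;    /* "%c:\" originally, "..\" after the 12830h string edit (part two) */
};

/* Returns 1 if the game would start, 0 if it would show "Insert the gameplay CD".
 * Start letter 'C' and the JNE target behaviour are assumptions (not in the listing). */
int cd_check(const struct probes *p, const struct patches *pt, char avi_dir_out[260])
{
    char root[260], avi_dir[260], path[260];
    if (avi_dir_out) avi_dir_out[0] = '\0';
    for (int drive = 'C'; drive <= 'Z'; drive++) {          /* 111053DD: cmp ebx, 5Ah */
        snprintf(root, sizeof root, pt->root_fmt, drive);   /* "%c:\" -> "E:\" */
        if (!pt->nop_jne_11105402 && p->drive_type(root) != DRIVE_CDROM)
            continue;   /* jne 111054BB: assumed to move on to the next letter */
        snprintf(avi_dir, sizeof avi_dir, "%sAVI\\", root);
        snprintf(path, sizeof path, "%snotcd.txt", avi_dir);
        if (!pt->je_to_jmp_11105457 && p->create_new_writable(path))
            continue;   /* writable medium: CloseHandle, DeleteFileA, inc ebx, loop */
        snprintf(path, sizeof path, "%sbuildup.avi", avi_dir);
        if (pt->jg_to_jmp_11105497 || p->file_size(path) > 0) {
            if (avi_dir_out) strcpy(avi_dir_out, avi_dir);
            return 1;   /* jg 111054C1: check passed */
        }
        return 0;       /* falls through at 11105499 to the "Insert CD" message */
    }
    return 0;           /* jg 111054EB: no drive qualified */
}

/* Constructed simulation of the tutorial's machine: D: holds the game, E: is the
 * CD-ROM drive. Nothing here touches the real file system. */
static int sim_cd_in, sim_avi_on_hdd;
static int sim_drive_type(const char *root)
{
    return root[0] == 'E' ? DRIVE_CDROM : (root[0] == 'C' || root[0] == 'D') ? DRIVE_FIXED : 1;
}
static int sim_create_new_writable(const char *path)
{
    return path[0] != 'E';   /* the CD drive is read-only or NOTREADY; anywhere else the write succeeds */
}
static long sim_file_size(const char *path)
{
    if (strcmp(path, "E:\\AVI\\buildup.avi") == 0) return sim_cd_in ? 4096 : 0;
    if (strcmp(path, "..\\AVI\\buildup.avi") == 0) return sim_avi_on_hdd ? 4096 : 0;
    return 0;
}

static const struct patches UNPATCHED      = { 0, 0, 0, "%c:\\" };
static const struct patches PART_ONE       = { 1, 0, 0, "%c:\\" };  /* 4897h only */
static const struct patches PART_TWO       = { 1, 1, 1, "..\\"  };  /* all four edits */
static const struct patches PART_TWO_NO_JE = { 1, 1, 0, "..\\"  };  /* forgot 4857h */

int run_scenario(int cd_in, int avi_on_hdd, const struct patches *pt, char avi_dir_out[260])
{
    struct probes p = { sim_drive_type, sim_create_new_writable, sim_file_size };
    sim_cd_in = cd_in;
    sim_avi_on_hdd = avi_on_hdd;
    return cd_check(&p, pt, avi_dir_out);
}

/* 1 if the scenario passes the check and the AVIs would be read from expected_dir. */
int resolves_to(int cd_in, int avi_on_hdd, const struct patches *pt, const char *expected_dir)
{
    char dir[260];
    return run_scenario(cd_in, avi_on_hdd, pt, dir) == 1 && strcmp(dir, expected_dir) == 0;
}

int main(void)
{
    printf("original, no CD:              %d\n", run_scenario(0, 0, &UNPATCHED, NULL));
    printf("original, CD #2 in:           %d\n", resolves_to(1, 0, &UNPATCHED, "E:\\AVI\\"));
    printf("part one, no CD (AVIs on E:): %d\n", resolves_to(0, 0, &PART_ONE, "E:\\AVI\\"));
    printf("part two, AVI next to System: %d\n", resolves_to(0, 1, &PART_TWO, "..\\AVI\\"));
    printf("part two without 4857h:       %d\n", run_scenario(0, 1, &PART_TWO_NO_JE, NULL));
    return 0;
}
```

The third line of output is the situation this section leaves you in: the game starts with no disc, but the AVI path it resolves is still E:\AVI\, which is why the briefings don't play until the part-two edits move the path. The last line shows why the part-two JE edit is not optional: once the path is on the hard drive, the notcd.txt write succeeds and the unpatched code treats the drive as 'not a CD' and moves on.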
You can stop cracking there if you wish.......but you'll miss out on all the mission briefings that are played from the CD.
HOWEVER.............what about all of the important mission briefings? Some of the timed missions would be impossible, as you wouldn't know what to do.
Well, you could leave them on the CD and the game would still play them, or you could play them off the hard drive.
Try copying the AVI folder into your game folder and play your cracked game now...................it does not access them, as the path it is looking for is E:\AVI\ (built from the drive letter that passed the check above) and our default game folder is D:\Games\Klingon\System, so we need to force the code to read D:\Games\Klingon\AVI.
How do we do that then???................Read on, dear cracker............
Here is the code we need to change, with an explanation for each part.
:111053DD 83FB5A cmp ebx, 0000005A
:111053E0 0F8F05010000 jg 111054EB
:111053E6 53 push ebx
:111053E7 8D45D8 lea eax, dword ptr [ebp-28]
* Possible StringData Ref from Data Obj ->"%c:\"
-----> A root path of X:\ is prepared here, with the drive letter taken from EBX (5Ah is 'Z', so the loop above walks the drive letters up to Z:).
How about we change it to ..\ Just like the DOS command CD.. would go back one folder, this is what we want to do. This would force the path to go back one folder from D:\Games\Klingon\System to D:\Games\Klingon.
So find where '%c:\' is in the file, offset 12830h (the string at 11113E30), and change it to '..\' followed by a zero byte. So in effect you enter the bytes 2E 2E 5C 00 over the 25 63 3A 5C that are there.
:111053EA 68303E1111 push 11113E30
:111053EF 50 push eax
:111053F0 FFD6 call esi
:111053F2 83C40C add esp, 0000000C
:111053F5 8D4DD8 lea ecx, dword ptr [ebp-28]
:111053F8 51 push ecx
* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
:111053F9 FF15A0C21011 Call dword ptr [1110C2A0]
:111053FF 83F805 cmp eax, 00000005
:11105402 0F85B3000000 jne 111054BB
-----------------> After the drive type is checked we want to ignore it ('..\' is not a CD-ROM root, so GetDriveTypeA will never return 5 for it), so change the JNE to NOPs. The JNE is 6 bytes long (0F85 plus a 32-bit displacement), so we need 6 NOPs (NOP=90h): go to offset 4802h and enter 909090909090 to skip this check.
:11105408 8B55EC mov edx, dword ptr [ebp-14]
:1110540B 8D45D8 lea eax, dword ptr [ebp-28]
:1110540E 50 push eax
* Possible StringData Ref from Data Obj ->"%sAVI\"
--------> Now our path will be ..\AVI\, i.e. D:\Games\Klingon\AVI\ when the game runs from D:\Games\Klingon\System, so make sure you've copied the AVI folder to the correct location!
:1110540F 68283E1111 push 11113E28
:11105414 8DBAD0030000 lea edi, dword ptr [edx+000003D0]
:1110541A 57 push edi
:1110541B FFD6 call esi
:1110541D 83C40C add esp, 0000000C
:11105420 8D4DD8 lea ecx, dword ptr [ebp-28]
:11105423 8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
:11105429 51 push ecx
* Possible StringData Ref from Data Obj ->"%snotcd.txt"
:1110542A 681C3E1111 push 11113E1C
:1110542F 52 push edx
:11105430 FFD6 call esi
:11105432 83C40C add esp, 0000000C
:11105435 8D85D4FEFFFF lea eax, dword ptr [ebp+FFFFFED4]
:1110543B 6A00 push 00000000
:1110543D 6880000000 push 00000080
:11105442 6A02 push 00000002
:11105444 6A00 push 00000000
:11105446 6A01 push 00000001
:11105448 6800000040 push 40000000
:1110544D 50 push eax
* Reference To: KERNEL32.CreateFileA, Ord:0031h
:1110544E FF1594C21011 Call dword ptr [1110C294]
:11105454 83F8FF cmp eax, FFFFFFFF
:11105457 741A je 11105473 ---------------------->
Ignore the result of the file creation by replacing the JE with a JMP: go to offset 4857h and enter EB in place of 74. (With the path now on the hard drive, CreateFileA succeeds, so without this change the code takes the 'writable drive, not a CD' branch below and moves on to the next drive letter.) Alternatively, replace the JE with 2 NOPs (9090) so that the code falls through, closes the handle and deletes the notcd.txt it has just created, instead of leaving it behind in the AVI folder.
:11105459 50 push eax
* Reference To: KERNEL32.CloseHandle, Ord:0018h
:1110545A FF159CC21011 Call dword ptr [1110C29C]
:11105460 8D8DD4FEFFFF lea ecx, dword ptr [ebp+FFFFFED4]
:11105466 51 push ecx
* Reference To: KERNEL32.DeleteFileA, Ord:004Eh
:11105467 FF1598C21011 Call dword ptr [1110C298]
:1110546D 43 inc ebx
:1110546E E96AFFFFFF jmp 111053DD
----------> If you chose the alternative method above, then change these 2 instructions (1 byte + 5 bytes) to NOPs by going to offset 486Dh and entering 909090909090, so the code falls through to 11105473 instead of looping round to the next drive letter.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:11105457(C)
:11105473 57 push edi ---------------------->
We end up here.
:11105474 8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
* Possible StringData Ref from Data Obj ->"%sbuildup.avi"----> Our path is now ..\AVI\buildup.avi, i.e. D:\Games\Klingon\AVI\buildup.avi
:1110547A 680C3E1111 push 11113E0C
:1110547F 52 push edx
:11105480 FFD6 call esi
:11105482 83C40C add esp, 0000000C
:11105485 8D85D4FEFFFF lea eax, dword ptr [ebp+FFFFFED4]
:1110548B 50 push eax
* Reference To: Core.?appFSize@@YAHPBD@Z, Ord:03D4h
:1110548C FF151CC11011 Call dword ptr [1110C11C]
:11105492 83C404 add esp, 00000004
:11105495 85C0 test eax, eax
:11105497 7F28 jg 111054C1 ---------> Is the file there? Ignore the answer and jump anyway by changing JG to JMP: go to offset 4897h and enter EB in place of 7F. (This is the same edit as in part one. With the AVI folder in place, appFSize finds buildup.avi and the original JG would be taken anyway; the JMP keeps the game starting even if you later bin some of the AVIs.)
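Rather than poke the bytes in by hand, here is a small verify-then-patch tool in C that covers both sets of edits. It is an added example, not the tutorial's own tool. It refuses to write anything unless the exact bytes quoted above are found at every offset (the check you want if your WINDRV.DLL is not the 1.1 one), and it keeps a .bak copy of the original first. The image used in verify_patch_set() is a constructed stand-in for the self-check, not the real DLL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Verify-then-patch tool for the WINDRV.DLL edits in this tutorial. Added example,
 * not the tutorial's own tool. Offsets and bytes are the ones quoted in the text. */
struct patch {
    const char *what;
    long offset;                  /* file offset in WINDRV.DLL */
    const unsigned char *expect;  /* original bytes that must be present */
    const unsigned char *replace; /* bytes to write over them */
    size_t len;
};

static const unsigned char jg_old[]  = { 0x7F, 0x28 }, jg_new[] = { 0xEB, 0x28 };
static const unsigned char je_old[]  = { 0x74, 0x1A }, je_new[] = { 0xEB, 0x1A };
static const unsigned char jne_old[] = { 0x0F, 0x85, 0xB3, 0x00, 0x00, 0x00 };
static const unsigned char jne_new[] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
static const unsigned char fmt_old[] = { '%', 'c', ':', '\\' };
static const unsigned char fmt_new[] = { '.', '.', '\\', 0x00 };

static const struct patch CD_CHECK[] = {               /* part one */
    { "11105497 jg -> jmp",             0x4897,  jg_old,  jg_new,  2 },
};
static const struct patch AVI_FROM_HDD[] = {           /* part two */
    { "11113E30 \"%c:\\\" -> \"..\\\"", 0x12830, fmt_old, fmt_new, 4 },
    { "11105402 jne -> 6 x nop",        0x4802,  jne_old, jne_new, 6 },
    { "11105457 je -> jmp",             0x4857,  je_old,  je_new,  2 },
    { "11105497 jg -> jmp",             0x4897,  jg_old,  jg_new,  2 },
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Patch an in-memory image. Every expected byte is checked before anything is written,
 * so a wrong DLL version leaves the image untouched.
 * Returns the number of patches applied, or -1 on a bounds or byte mismatch. */
int apply_patches(unsigned char *buf, size_t len, const struct patch *ps, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (ps[i].offset < 0 || (size_t)ps[i].offset + ps[i].len > len) return -1;
        if (memcmp(buf + ps[i].offset, ps[i].expect, ps[i].len) != 0) return -1;
    }
    for (size_t i = 0; i < n; i++) memcpy(buf + ps[i].offset, ps[i].replace, ps[i].len);
    return (int)n;
}

/* Self-check on a constructed stand-in for WINDRV.DLL: a zero-filled image with only
 * the expected bytes planted at the tutorial's offsets. Returns 1 on success. */
int verify_patch_set(const struct patch *ps, size_t n)
{
    static unsigned char img[0x13000];
    memset(img, 0, sizeof img);
    if (apply_patches(img, sizeof img, ps, n) != -1) return 0;   /* blank image must be refused */
    for (size_t i = 0; i < n; i++) memcpy(img + ps[i].offset, ps[i].expect, ps[i].len);
    if (apply_patches(img, sizeof img, ps, n) != (int)n) return 0;
    for (size_t i = 0; i < n; i++)
        if (memcmp(img + ps[i].offset, ps[i].replace, ps[i].len) != 0) return 0;
    return 1;
}

static int write_all(const char *path, const unsigned char *buf, size_t n)
{
    FILE *f = fopen(path, "wb");
    int ok = f && fwrite(buf, 1, n, f) == n;
    if (f) fclose(f);
    return ok;
}

/* Patch a file on disk, keeping a copy as <path>.bak. Returns 0 on success. */
int patch_file(const char *path, const struct patch *ps, size_t n)
{
    char bak[1024];
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);
    unsigned char *buf = malloc(size > 0 ? (size_t)size : 1);
    int ok = buf && size > 0 && fread(buf, 1, (size_t)size, f) == (size_t)size;
    fclose(f);
    snprintf(bak, sizeof bak, "%s.bak", path);
    if (!ok || !write_all(bak, buf, (size_t)size)) {
        fprintf(stderr, "%s: read or backup failed, nothing written\n", path);
        free(buf);
        return 1;
    }
    int applied = apply_patches(buf, (size_t)size, ps, n);
    ok = applied >= 0 && write_all(path, buf, (size_t)size);
    free(buf);
    if (applied < 0) fprintf(stderr, "%s: expected bytes not found (wrong version?), nothing written\n", path);
    else printf("%d patch(es) applied to %s, original saved as %s\n", applied, path, bak);
    return ok ? 0 : 1;
}

int main(int argc, char **argv)
{
    if (argc == 3 && strcmp(argv[2], "cd") == 0) return patch_file(argv[1], CD_CHECK, COUNT(CD_CHECK));
    if (argc == 3 && strcmp(argv[2], "avi") == 0) return patch_file(argv[1], AVI_FROM_HDD, COUNT(AVI_FROM_HDD));
    fprintf(stderr, "usage: %s WINDRV.DLL cd|avi\n", argv[0]);
    return 2;
}
```

Run it as `patchwindrv WINDRV.DLL cd` for the part-one edit only, or `patchwindrv WINDRV.DLL avi` for all four. Because the expected bytes are checked before anything is written, running the `avi` set on a DLL that already has the part-one byte in place is refused (7F is no longer at 4897h), so always start from the backed-up original.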
Well, that's all for now.......remember, you can copy all the data from both CDs onto one CD and you will then be able to play the AVIs from the CD if you don't have enough space on your hard drive. I've ACEd my game folder to 127MB so it will easily fit onto a CD with the AVI folder. You can even bin the 140MB INTRO.AVI to save even more room.
Another one bites the dust.
If anyone has a newer version than 1.1 then drop me a line and I'll see if I can help you..............