by Zaks [DBC]

Title : RAGE OF MAGES 2 (GAME)
Version : 1.0
Description : RPG (DIABLO CLONE)
Protection : CD CHECK
Producer : http://www.rageofmages.com

Tools : Softice, W32Dasm, Hiew

Beginner (X) Advanced ( ) Expert ( )


PART 1 : EXAMINE AND UNDERSTAND THE PROTECTION


1) Install Rage of Mages 2 (choose the smallest install). Usually you would do the largest install, but I found that the smallest install (around 140 MB) works in this case too. Remove the CD from the drive and run the game. A message is displayed, "Incorrect Cd or no Cd detected ...", and you click Cancel to exit the game. Back up the file rom2.exe to rom2.bak and open the latter with W32Dasm. Search for the string "Incorrect Cd or no Cd detected ..." in the string data references and ... give up, because no such string is shown there.

2) CTRL+D and you are in Softice. Put a breakpoint on GetDriveTypeA (bpx getdrivetypea) and run rom2.exe again. The game runs and Softice does not pop up. Exit the game, CTRL+D (back in Softice) and clear your breakpoint (bc * or bc 0). Now put a breakpoint on GetVolumeInformationA (bpx getvolumeinformationa) and run rom2.exe again. Softice breaks and you press F12 to return to the place that called GetVolumeInformationA. Now begin to trace with F10 and write down the conditional jumps you encounter and whether they are taken or not. Line 00481079 is a conditional jump and the jump is not taken. Disable the breakpoint (bd 0) and press F5 until you exit Softice. Then exit the game. In Softice enable the breakpoint again (be 0). Maybe you will ask: why the hell should I disable the breakpoint first and then enable it again? If you do not disable it you have to press F5 more than 50 times before Softice stops breaking ... try it yourself if you wish. Now insert the game CD and run the game. Softice breaks, you press F12 again and start to trace and examine the protection, mainly the conditional jumps you encounter. You quickly notice that the jump at line 00481079 is taken now that the CD is in. This means that when the CD is in and the program (Rom 2) calls GetVolumeInformationA, the function tells the program that a CD with the expected label was found, and then the jump at line 00481079 is taken. If the CD is not inserted the function reports that the CD was not found and the jump is not taken. You see that the jump does only one thing: it either skips or does not skip the line:

0048107B C705AC27620000000000 mov dword ptr [006227AC], 00000000

This is very suspicious. It means that the line above is very important: if the CD is inserted the line is skipped, otherwise the line is executed. You clear the breakpoint (bc *) and set a new breakpoint, this time on memory address 6227ac (bpm 6227ac). This tells Softice to break every time the program writes or reads memory address 6227ac.


// Part of rom2.exe

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh
|
:0048105D FF152CED6C00 Call dword ptr [006CED2C]

* Possible StringData Ref from Data Obj ->"ROM2"
|
:00481063 68282F5F00 push 005F2F28
:00481068 8D8DE0FDFFFF lea ecx, dword ptr [ebp+FFFFFDE0]
:0048106E 51 push ecx
:0048106F E8AC151000 call 00582620
:00481074 83C408 add esp, 00000008
:00481077 85C0 test eax, eax // was cd found ?
:00481079 740A je 00481085 // if yes the Zero flag is set and the jump is taken
:0048107B C705AC27620000000000 mov dword ptr [006227AC], 00000000 // very important line

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00481079(C)
|

* Possible StringData Ref from Data Obj ->"Allods"
|
:00481085 68302F5F00 push 005F2F30


3) Press F5 and Softice breaks on the new breakpoint, on the following line:

:004817D5 833DAC27620000 cmp dword ptr [006227AC], 00000000 // compares the value at 6227ac with 0
:004817DC 0F8480000000 je 00481862 // this jump is not taken when the cd is in

Note that the jump at 004817DC is not taken when the CD is in. The game starts; you begin a New Game, create your hero, press Accept and Softice breaks again:

:0040D83C 8B35AC276200 mov esi, dword ptr [006227AC] // esi takes the value at 6227ac

Nothing of interest here. Let's F5 again:

:004F101E 3B05AC276200 cmp eax, dword ptr [006227AC] // compares the value at 6227ac with eax
:004F1024 745B je 004F1081 // this jump is taken when the cd is in

F5 again and the game starts and all looks fine. Let's quit to the main menu of the game and try the multiplayer option. Create your hero, choose your connection type and Softice breaks:

:00445F19 833DAC27620000 cmp dword ptr [006227AC], 00000000 // compares the value at 6227ac with 0
:00445F20 750F jne 00445F31 // this jump is taken when the cd is in

F5 again, and when you create a map Softice breaks again on the line you already know:

:004F101E 3B05AC276200 cmp eax, dword ptr [006227AC] // compares the value at 6227ac with eax
:004F1024 745B je 004F1081 // this jump is taken when the cd is in

Quit the game and run it again without removing the memory breakpoint. Note that the first break is here:

:00480FE7 C705AC27620001000000 mov dword ptr [006227AC], 00000001

Just remember this line, or better, write it down. Clear all breakpoints and quit the game. Now you are done with the observation and I guess you are ready to crack the game.


PART 2 : CRACK THE PROTECTION


1) Now you know the importance of address 006227AC (for this game) and that if its value is 0 the game assumes that no CD is found. There are several ways to defeat the protection:

A) You already know that by default dword ptr [006227AC] is 1; remember the line:

:00480FE7 C705AC27620001000000 mov dword ptr [006227AC], 00000001

If you NOP (90) all the lines that later change this memory address to 0, then the value of 006227AC will remain 1 and the game will not know that the CD is not in. Switch to the W32Dasm window (where rom2.bak is disassembled) and locate all the addresses, and their file offsets, that set the memory address [006227AC] to 0. You can do this with Softice too. They are:

48107b - offset 8047b
4810bc - offset 804bc
4810d5 - offset 804d5
48119e - offset 8059e
4811dd - offset 805dd

Open the file rom2.exe with Hiew, go to each of these offsets and NOP the line C705AC27620000000000 to 90909090909090909090. Note that you have to write 90 exactly ten times, or you will damage the exe file. Example: F4 - decode, F5 - goto (you write 8047b and press ENTER), F3 - edit (you write 90 ten times), F9 - update. Then go on with the next offset.

B) Another way is to change the jumps so that they are always taken where necessary. To prepare for this, run the game once again with the CD in, break with Softice on memory address 006227AC and note all of the conditional jumps and whether they are taken or not. I will help you:

481079 - offset 80479 - JUMP // GETVOLUMEINFO CHECK
4817dc - offset 80bdc - NO JUMP // BEFORE THE GAME STARTS
4f1024 - offset f0424 - JUMP // SINGLE AND MULTI PLAYER CONDITIONAL JUMP
445f20 - offset 45320 - JUMP // MULTI PLAYER CONDITIONAL JUMP
40D83C - offset cc3c // mov esi, dword ptr [006227AC] will be changed to mov esi,1

Open the file rom2.exe with Hiew. F4 - decode, F5 - goto 80479, F3 - edit and change 740A to EB0A (JUMP no matter what flags are set). F9 to save. F5 - goto 80bdc, F3 - edit, change the line 0F8480000000 to 909090909090 (90 six times) and NO JUMP will be done there. F9 to save. F5 - goto f0424 and change 745B to EB5B (JUMP no matter what flags are set). F9 to save. F5 - goto 45320 and change 750F to EB0F (JUMP no matter what flags are set). F9 to save. F5 - goto cc3c, F3 - edit, F2 for ASM and change mov esi, dword ptr [006227AC] to mov esi,1, and on the next line write 90. F9 to save. ESC - exit.