Cracking Tutorial #59:
Cracking Sega Smash Pack II NOCD
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] http://www.sega.com or find the EPH release from 10/16/00
[tOOLz:] W32dasm 8.93, Hiew 6.x, Softice 4.05, Ultraedit 9


KANAL23 Tutorial

http://www.kanal23.net




Sega Smash Pack II - NOCD

Download it from

http://www.sega.com or find the EPH release from 10/16/00



Written by

sLeEpY¿

Tools

  • W32Dasm 8.93, Ultraedit 9.0

  • Hiew 6.x, Softice 4.05

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

This game has a bunch of old Sega Genesis games bundled in one. The only problem is that it has a bug in it that won't let you play your copy without the CD in the drive.


The Essay


Hello, I'm bored, so today it's time for a CD check crack! Today we are gonna target Sega Smash Pack II because it's Saturday, and I have to work my usual 4 hours like every Saturday, so why not spend 1 of those hours writing this tut and getting paid.

The Sega Smash Pack II I'm running is the EPH release from 10/16/00. I had the sucker laying around and tried to crack it once a long time ago but couldn't; things are different now =). EPH has not modified the main exe as far as I know, as it still requires the CD. So we want to fix this bug so we can play the game without a CD in the drive. So run the game "Smash2.exe" without the CD in the drive and there is that bug:

CD-ROM Not Found.
Please insert the Sega Smash Pack II CD-ROM in your CD-ROM Drive.
[OK] [CANCEL]


Well, we look at the dialog and see nothing, so do a search for it and you will find this:


Name: DialogID_0070, # of Controls=003, Caption:"CD-ROM Not Found.", ClassName:""
001 - ControlID:0001, Control Class:"BUTTON" Control Text:"OK"
002 - ControlID:0002, Control Class:"BUTTON" Control Text:"Cancel"
003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Please insert the Sega Smash Pack II CD-ROM in your CD-ROM Drive."


So now we know our bad message is DialogID_0070. Well, at first I figured we could just go to the dialog refs, find it and bypass it quick. Wrong: there are about a million refs to that dialog, but at least we know part of the puzzle now.

Let's use W32Dasm 8.93 as a debugger and try to find the call (you can use Softice too, but always try different tools to keep your options open). Make sure the smash2 exe is disassembled and click Debug, Load Process, Load, and you will be at the entry point. This is where we set breakpoints on calls and jumps until we hit the error message. F2 sets a breakpoint.

Using the debugger we find the "CD-ROM Not Found" message in this routine:

:00444084 E8C709FCFF call 00404A50 <- first call...

This trickles down to this call =)

:00404B13 E848C5FFFF call 00401060 <- the important call; this call does the CD check, and when we leave it we have our error msg!


This isn't really anything that we are going to be concerned with, but I always like to point out where eax holds the drive type. This is in the above call.

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h

:004010AA FF1520904400 Call dword ptr [00449020] <- call GetDriveTypeA
:004010B0 83F805 cmp eax, 00000005 <- 5 is CD-ROM; eax is 5 if CD is in drive, 3 if not
:004010B3 0F859E010000 jne 00401257 <- bad jump, taken if eax doesn't equal 5
:004010B9 8BFB mov edi, ebx
:004010BB 83C9FF or ecx, FFFFFFFF


We can see it all trickle down to the bad message.


* Possible Reference to Dialog: DialogID_0070 <- our bad message; remember the dialog from above, this is where it is actually used.

:00401285 6A70 push 00000070
:00401287 52 push edx

* Reference To: USER32.DialogBoxParamA, Ord:0093h

:00401288 FF15FC904400 Call dword ptr [004490FC] <- call dialog error msg
:0040128E 83F801 cmp eax, 00000001 <- 1 is the Cancel button; if eax = 1 then quit
:00401291 7447 je 004012DA <- Cancel button, exit
:00401293 E9D8FDFFFF jmp 00401070 <- OK button, try again for the CD and loop


OK, so now we see what the call is all about. Let's go back, use Softice and figure out a cheap way to beat this CD check by bypassing the entire CD check routine.

What does this call come back with? That is what we need to know.

:00404B13 E848C5FFFF call 00401060 <- from above, important call!

Open some code around it:

* Reference To: USER32.CreateWindowExA, Ord:0059h <- our breakpoint!

:00404B00 FF1520914400 Call dword ptr [00449120]
:00404B06 3BC7 cmp eax, edi
:00404B08 A308E25B00 mov dword ptr [005BE208], eax
:00404B0D 0F8496010000 je 00404CA9
:00404B13 E848C5FFFF call 00401060 <- from above, important call!
:00404B18 85C0 test eax, eax <- check registers here

Load up Softice, CTRL+D into it and set a breakpoint on CreateWindowExA. Why this breakpoint? Because it's the closest one to our call. Now make sure the CD is out of the drive and keep an eye on the registers. F12 out of the CreateWindowExA call and press F10 until you get to this location (you will have to press Cancel on the no-CD error box):

:00404B18 85C0 test eax, eax

Now let's take a look at the registers, in particular EAX.

EAX = 0 without the CD, so we know that 0 is the baddy. Now put the CD in the drive, re-run the exe, go to the same location and check EAX. You will see that now EAX = 1. So the solution is simple. Open Hiew and make sure you are in decode mode. Locate where this call takes us:

:00404B13 E848C5FFFF call 00401060

which is address 401060, or file offset 1060, and you should see some code like so:


:00401060 81EC04020000 sub esp, 00000204 <- offset 1060
:00401066 53 push ebx
:00401067 55 push ebp

* Reference To: KERNEL32.GetFileAttributesA, Ord:010Dh

:blah blah lines of code...


Now this is the entire CD check routine, so let's just make it return with a 1 in eax and never reach the call to the bad dialog box or any of the checks for the CD. Easy: modify these lines like so.

Change this:
:00401060 81EC04020000 sub esp, 00000204 <- start of the long CD check
:00401066 53 push ebx
:00401067 55 push ebp


To this:
:00401060 B801000000 mov eax, 00000001 <- move 1 into eax
:00401066 C20000 retn 0000 <- return from the call


Now the second it hits the call for the CD check routine, it just loads 1 into eax and returns from the call rather than doing the entire CD check. Also there is now a ton of free space in that routine if you wanted to insert your own code for some reason or another.

Run the game without the CD: hey, works great! NO-CD patch finished!

Now since it's cracked we can play with it in a hex editor; I like Ultraedit 9. Let's take this thing apart.

Now when running the game we see this:
CLICK ON PICTURE OR PRESS START TO PLAY (GAMENAME)

So all we really need to do is open the app up in Ultraedit and look for that string. You should see it here:
0008c650h: 53 45 20 41 20 47 41 4D 45 00 00 00 43 4C 49 43 ; SE A GAME...CLIC
0008c660h: 4B 20 4F 4E 20 50 49 43 54 55 52 45 20 4F 52 00 ; K ON PICTURE OR.
0008c670h: 50 52 45 53 53 20 53 54 41 52 54 20 54 4F 20 50 ; PRESS START TO P
0008c680h: 4C 41 59 00 53 45 4C 45 43 54 20 47 41 4D 45 00 ; LAY.SELECT GAME.


I changed mine like so:
0008c650h: 53 45 20 41 20 47 41 4D 45 00 00 00 43 52 61 43 ; SE A GAME...CRaC <- here
0008c660h: 4B 45 64 20 62 59 20 73 4C 65 45 70 59 20 20 00 ; KeD bY sLeEpY  . <- here
0008c670h: 50 52 45 53 53 20 53 54 41 52 54 20 54 4F 20 50 ; PRESS START TO P
0008c680h: 4C 41 59 00 53 45 4C 45 43 54 20 47 41 4D 45 00 ; LAY.SELECT GAME.


Save it and run it. Make sure you only replace bytes; don't add extra chars or lose any. Now run the game, and when it loads go to Select Game or whatever, and you will see "CRaCKeD bY sLeEpY" or whatever you put in there.
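Here is the other side of the two edits above (the routine entry at offset 1060 and the string at 0008c65Ch), as an added example that is not part of sLeEpY's tutorial: a small Python integrity check of the kind a publisher or an admin would run against a shipped binary. It compares a candidate image against a known-good copy by hash, reports the modified byte ranges, and flags a routine entry that has been replaced with "mov eax, imm32" followed by "ret", which is exactly what the patch at offset 1060 looks like. The image used here is a constructed, zero-filled stand-in that carries only the bytes quoted in the tutorial at the offsets it gives; it is not the real Smash2.exe, and the offset list passed to the report is an assumption about which routine entries you care about.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for the game image (NOT the real Smash2.exe): a
# zero-filled buffer with the bytes quoted in the tutorial placed at the
# file offsets it gives.
IMAGE_SIZE = 0x8C700
PROLOGUE_OFFSET = 0x1060    # start of the CD check routine
STRING_OFFSET = 0x8C65C     # where "CLICK ON PICTURE OR" starts

ORIGINAL_PROLOGUE = bytes.fromhex("81EC04020000" "53" "55")   # sub esp,204h / push ebx / push ebp
PATCHED_PROLOGUE = bytes.fromhex("B801000000" "C20000")       # mov eax,1 / retn 0
ORIGINAL_TEXT = b"CLICK ON PICTURE OR\x00"
PATCHED_TEXT = b"CRaCKeD bY sLeEpY  \x00"


def build_image(prologue: bytes, text: bytes) -> bytes:
    """Build the constructed sample image with the given bytes at the two offsets."""
    buf = bytearray(IMAGE_SIZE)
    buf[PROLOGUE_OFFSET:PROLOGUE_OFFSET + len(prologue)] = prologue
    buf[STRING_OFFSET:STRING_OFFSET + len(text)] = text
    return bytes(buf)


ORIGINAL_IMAGE = build_image(ORIGINAL_PROLOGUE, ORIGINAL_TEXT)   # the "known good" copy
PATCHED_IMAGE = build_image(PATCHED_PROLOGUE, PATCHED_TEXT)      # after the two edits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_ranges(original: bytes, candidate: bytes,
                   merge_gap: int = 4) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, original_bytes, candidate_bytes) for each modified region.

    Differing bytes separated by at most `merge_gap` identical bytes are
    reported as one region, so a patch whose immediate happens to share a
    byte or two with the original (here the 00 00 inside 81EC04020000 vs.
    B801000000) still shows up as a single edit.
    """
    if len(original) != len(candidate):
        raise ValueError("size differs: %d vs %d" % (len(original), len(candidate)))
    regions: List[List[int]] = []          # [start, end) pairs
    for off, (a, b) in enumerate(zip(original, candidate)):
        if a == b:
            continue
        if regions and off - regions[-1][1] <= merge_gap:
            regions[-1][1] = off + 1
        else:
            regions.append([off, off + 1])
    return [(s, original[s:e], candidate[s:e]) for s, e in regions]


def looks_like_stubbed_entry(image: bytes, offset: int) -> bool:
    """True if `offset` begins with 'mov eax, imm32' (B8 xx xx xx xx) immediately
    followed by 'ret' (C3) or 'ret imm16' (C2): a routine whose body has been
    replaced by a constant return value."""
    if offset + 6 > len(image):
        return False
    return image[offset] == 0xB8 and image[offset + 5] in (0xC2, 0xC3)


def integrity_report(original: bytes, candidate: bytes,
                     entry_offsets: List[int]) -> Dict[str, object]:
    """Hash comparison, modified regions, and routine entries newly turned into stubs."""
    return {
        "hash_matches": sha256_hex(original) == sha256_hex(candidate),
        "changed": changed_ranges(original, candidate),
        "stubbed_entries": [
            off for off in entry_offsets
            if looks_like_stubbed_entry(candidate, off)
            and not looks_like_stubbed_entry(original, off)
        ],
    }


if __name__ == "__main__":
    # The entry offset list is an assumption: in practice it would come from
    # the build's symbol or map file.
    report = integrity_report(ORIGINAL_IMAGE, PATCHED_IMAGE, [PROLOGUE_OFFSET])
    print("hash matches:", report["hash_matches"])
    for off, before, after in report["changed"]:
        print("modified at %08Xh: %s -> %s" % (off, before.hex(), after.hex()))
    for off in report["stubbed_entries"]:
        print("routine at %08Xh now returns a constant (mov eax, imm32 ; ret)" % off)
```

The hash alone already answers "was this file touched?"; the region listing and the stub check are what tell you *where* and *how*, which is what you want in a report when the modification is a two-instruction change eight bytes long.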

Laterz!

Final thoughts


Word....and stuff. CD checking made easy, heh...


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by Kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.
