Cracking Tutorial
#59:
Cracking Sega Smash Pack II NOCD
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] http://www.sega.com or find the EPH release from 10/16/00
[tOOLz:] W32dasm 8.93, Hiew 6.x, Softice 4.05, Ultraedit 9
KANAL23 Tutorial
Sega Smash Pack II - NOCD

Introduction
This game has a bunch of old Sega Genesis games bundled in one. The only problem is that it has a "bug" in it that won't let you play your copy without the CD in the drive.
The Essay
Hello, I'm bored, so today it's time for a CD check crack! We are going to
target Sega Smash Pack II because it's Saturday, and I have to work my usual 4
hours like every Saturday, so why not spend 1 of those hours writing this tut and
getting paid.
The Sega Smash Pack II I'm running is the EPH release from 10/16/00. I had the
sucker lying around and tried to crack it once a long time ago but couldn't;
things are different now =). EPH has not modified the main exe as far as I know,
as it still requires the CD. So we want to fix this "bug" so we can play the game
without a CD in the drive. Run the game "Smash2.exe" without the CD in the
drive and there is that bug:
CD-ROM Not Found.
Please insert the Sega Smash Pack II CD-ROM in your CD-ROM Drive.
[OK] [CANCEL]
The dialog itself tells us nothing useful, so search the dialog resources that
W32Dasm lists for the message text and you will find this:
Name: DialogID_0070, # of Controls=003, Caption:"CD-ROM Not Found.", ClassName:""
001 - ControlID:0001, Control Class:"BUTTON" Control Text:"OK"
002 - ControlID:0002, Control Class:"BUTTON" Control Text:"Cancel"
003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Please insert the Sega Smash Pack II CD-ROM in your CD-ROM Drive."
So now we know our bad message is DialogID_0070.
At first I figured we could just go to the dialog refs, find it and bypass it
quickly. Wrong: there are about a million refs to that dialog. But at least we
know part of the puzzle now.
Let's use W32Dasm 8.93 as a debugger and try to find the call. (You can use
SoftICE too, but always try different tools to keep your options open.) Make sure
Smash2.exe is disassembled, then click Debug, Load Process, Load and you will
be at the entry point. From here we set breakpoints on calls and jumps (F2 sets
a breakpoint) and step until we hit the error message.
Using the debugger we find that "CD-ROM Not Found" comes out of this routine:
:00444084 E8C709FCFF    call 00404A50        <- first call...
This trickles down to this call =)
:00404B13 E848C5FFFF    call 00401060        <- the important call: it does the CD
                                                check, and when we come back
                                                from it we have our error msg!
This isn't really anything we are going to be concerned with, but I always like
to point out where EAX holds the drive type. This is inside the call above.
* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
:004010AA FF1520904400  Call dword ptr [00449020]  <- call GetDriveTypeA
:004010B0 83F805        cmp eax, 00000005          <- 5 is DRIVE_CDROM
:004010B3 0F859E010000  jne 00401257               <- bad jump, if EAX isn't 5
:004010B9 8BFB          mov edi, ebx
:004010BB 83C9FF        or ecx, FFFFFFFF
One caveat on that compare: GetDriveTypeA reports what kind of drive a root
path is, not whether there is a disc in it. 5 (DRIVE_CDROM) means the drive
letter is a CD-ROM drive; 3 (DRIVE_FIXED) is a hard disk. So this is the
routine walking drive letters looking for a CD-ROM drive, and whether our disc
is actually in it is decided further down in the same routine, which also
imports GetFileAttributesA, the usual way to look for a file that only exists on
the disc.
We can see it all trickle down to the bad message:
* Possible Reference to Dialog: DialogID_0070     <- our bad message, the dialog
                                                     from above; this is where it
                                                     is actually used.
:00401285 6A70          push 00000070              <- the dialog ID, 0070
:00401287 52            push edx
* Reference To: USER32.DialogBoxParamA, Ord:0093h
:00401288 FF15FC904400  Call dword ptr [004490FC]  <- call the error dialog
:0040128E 83F801        cmp eax, 00000001          <- 1 is the Cancel button;
:00401291 7447          je 004012DA                <- if EAX = 1, quit
:00401293 E9D8FDFFFF    jmp 00401070               <- OK button: go back and try
                                                      again for the CD, and loop
(DialogBoxParamA returns whatever value the dialog procedure handed to EndDialog,
so which button produces the 1 is this program's choice, not a Windows constant;
don't assume the standard IDOK/IDCANCEL values, check what the code does with
the result as above.)
OK, so now we see what the call is all about. Let's go back, use SoftICE and
figure out a cheap way to beat this CD check by bypassing the entire routine.
What does this call come back with? That is what we need to know.
:00404B13 E848C5FFFF    call 00401060        <- from above, the important call!
Open up some code around it:
* Reference To: USER32.CreateWindowExA, Ord:0059h  <- our breakpoint!
:00404B00 FF1520914400  Call dword ptr [00449120]
:00404B06 3BC7          cmp eax, edi
:00404B08 A308E25B00    mov dword ptr [005BE208], eax
:00404B0D 0F8496010000  je 00404CA9
:00404B13 E848C5FFFF    call 00401060        <- from above, the important call!
:00404B18 85C0          test eax, eax        <- check the registers here
Load up SoftICE, CTRL+D into it and set a breakpoint on CreateWindowExA (bpx
CreateWindowExA). Why this breakpoint? Because it is the API call closest to
our call. Now make sure the CD is out of the drive and keep an eye on the
registers: F12 out of the CreateWindowExA call and press F10 until you get to
this location (you will have to press Cancel on the no-CD error box along the
way):
:00404B18 85C0          test eax, eax
Now let's take a look at the registers, in particular EAX.
EAX = 0 without the CD, so we know that 0 is the baddy. Now put the CD in the
drive, re-run the exe, go to the same location and check EAX. You will see that
now EAX = 1.
So the solution is simple. Open Hiew and make sure you are in decode mode.
Locate where this call takes us:
:00404B13 E848C5FFFF    call 00401060
That is location 401060, file offset 1060, and you should see some code like so:
:00401060 81EC04020000  sub esp, 00000204    <- offset 1060
:00401066 53            push ebx
:00401067 55            push ebp
* Reference To: KERNEL32.GetFileAttributesA, Ord:010Dh
:blah blah lines of code...
This is the entire CD check routine, so let's just make it return with a 1 in
EAX and never reach the call to the bad dialog box or any of the checks for the
CD. Easy: modify these lines like so.
Change this:
:00401060 81EC04020000  sub esp, 00000204    <- start of the long CD check
:00401066 53            push ebx
:00401067 55            push ebp
To this:
:00401060 B801000000    mov eax, 00000001    <- move 1 into EAX
:00401066 C20000        retn 00000           <- return from the call
Now the second it hits the call for the CD check routine it just loads 1 into
EAX and returns, rather than running the entire check. Also there is now a ton
of dead space in the old routine if you want to insert your own code for some
reason or another.
Two things to check before you save. mov eax, 1 is B8 01 00 00 00, five bytes,
so it ends at 401064, while the sub esp, 204 it replaces was six bytes, so the
byte at 401065 is left over. Hiew normally fills the leftover bytes of a
replaced instruction with nop (90); confirm that 401065 really reads nop before
you save, because if it still holds the old 00 the CPU decodes 00 C2 as
add dl, al and wanders off into garbage instead of returning. The tidier form is
a one-byte ret (C3) straight after the mov: B8 01 00 00 00 C3 is exactly six
bytes, overwrites the sub and nothing else, and leaves push ebx and push ebp
untouched (they are never executed anyway). Either way the caller only does
test eax, eax on what comes back, which is why returning 1 here is all it takes.
Run the game without the CD. Hey, works great! NO-CD patch finished!
Now that it's cracked we can play with it in a hex editor; I like UltraEdit 9.
Let's take this thing apart.
When running the game we see this:
CLICK ON PICTURE OR PRESS START TO PLAY (GAMENAME)
So all we really need to do is open the exe in UltraEdit and look for that
string. You should see it here:
0008c650h: 53 45 20 41 20 47 41 4D 45 00 00 00 43 4C 49 43 ; SE A GAME...CLIC
0008c660h: 4B 20 4F 4E 20 50 49 43 54 55 52 45 20 4F 52 00 ; K ON PICTURE OR.
0008c670h: 50 52 45 53 53 20 53 54 41 52 54 20 54 4F 20 50 ; PRESS START TO P
0008c680h: 4C 41 59 00 53 45 4C 45 43 54 20 47 41 4D 45 00 ; LAY.SELECT GAME.
I changed mine like so:
0008c650h: 53 45 20 41 20 47 41 4D 45 00 00 00 43 52 61 43 ; SE A GAME...CRaC  <- here
0008c660h: 4B 45 64 20 62 59 20 73 4C 65 45 70 59 20 20 00 ; KeD bY sLeEpY  . <- here
0008c670h: 50 52 45 53 53 20 53 54 41 52 54 20 54 4F 20 50 ; PRESS START TO P
0008c680h: 4C 41 59 00 53 45 4C 45 43 54 20 47 41 4D 45 00 ; LAY.SELECT GAME.
Save it and run it. Make sure you only replace characters and never add or lose
any: the strings are NUL-terminated and packed back to back, so "CLICK ON
PICTURE OR" gives you exactly 19 characters to work with (pad with spaces if
yours is shorter), and the 00 after it has to stay where it is, or everything
after it shifts out from under the addresses the code uses and the exe breaks.
Now run the game and when it loads go to Select Game or whatever and you will
see "CRaCKeD bY sLeEpY" or whatever you put in there.
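The two edits above, the six-byte stub at file offset 1060 and the in-place string edit at 8c65c, as a script. This is an added example, not part of the original tutorial, and it runs against a constructed stand-in image so it works offline: the real Smash2.exe is not included and nothing else from it is reproduced. The offsets, original bytes and replacement text are the ones the tutorial shows; the stub uses the one-byte ret form (B8 01 00 00 00 C3) discussed above rather than retn 0; the function and file names are my own.

```python
"""Apply the tutorial's two byte-level edits to a copy of the exe, with the
checks you want before saving: the bytes being overwritten must match what
the disassembly showed, and no replacement may change the length of anything
it overwrites.

Added example, not the tutorial's own code. Offsets from the tutorial:
RVA 401060 -> file offset 0x1060; string table at file offset 0x8c650.
"""
import sys

# --- CD check stub -----------------------------------------------------------
CDCHECK_OFFSET = 0x1060
CDCHECK_SUB = bytes.fromhex("81EC04020000")   # sub esp, 204 (6 bytes)
CDCHECK_TAIL = bytes.fromhex("5355")          # push ebx ; push ebp (left alone)
# mov eax, 1 ; ret -- 5 + 1 bytes, exactly the length of the sub, so nothing
# needs NOP padding and push ebx / push ebp are simply never executed.
CDCHECK_STUB = bytes.fromhex("B801000000C3")

# --- string edit -------------------------------------------------------------
STRING_OFFSET = 0x8C65C
STRING_ORIG = b"CLICK ON PICTURE OR"          # 19 chars, NUL follows
STRING_NEW = b"CRaCKeD bY sLeEpY"             # shorter is fine: space-padded


def patch_bytes(image, offset, expected, new):
    """Overwrite `expected` at `offset` with the same-length `new`, refusing to
    touch bytes that do not match the disassembly (wrong version, wrong
    offset, or already patched)."""
    if len(new) != len(expected):
        raise ValueError("replacement must be the same length as what it replaces")
    found = bytes(image[offset:offset + len(expected)])
    if found != expected:
        raise ValueError(f"bytes at {offset:#x} are {found.hex()}, expected {expected.hex()}")
    image[offset:offset + len(expected)] = new


def patch_code(image, offset, expected, new):
    """Code patch: a shorter replacement is NOP-padded (0x90) out to the
    original instruction's length so no stray byte is decoded after it."""
    if len(new) > len(expected):
        raise ValueError("patch does not fit in the instruction it replaces")
    patch_bytes(image, offset, expected, new.ljust(len(expected), b"\x90"))


def patch_cstring(image, offset, expected, new):
    """In-place edit of a NUL-terminated string in a packed string table: the
    text is space-padded to the original length so the terminator, and every
    string after it, stays exactly where it was."""
    if len(new) > len(expected):
        raise ValueError("new text is longer than the original string")
    if image[offset + len(expected)] != 0:
        raise ValueError(f"no NUL terminator at {offset + len(expected):#x}")
    patch_bytes(image, offset, expected, new.ljust(len(expected), b" "))


def cdcheck_status(image):
    """'original', 'patched' or 'unknown', from the bytes at the CD check entry."""
    head = bytes(image[CDCHECK_OFFSET:CDCHECK_OFFSET + 6])
    if head == CDCHECK_SUB:
        return "original"
    if head == CDCHECK_STUB:
        return "patched"
    return "unknown"


def apply_nocd(image):
    """Both edits; raises (and leaves the image as it was) on any mismatch."""
    patch_code(image, CDCHECK_OFFSET, CDCHECK_SUB, CDCHECK_STUB)
    patch_cstring(image, STRING_OFFSET, STRING_ORIG, STRING_NEW)
    return image


def build_sample_image():
    """CONSTRUCTED stand-in for Smash2.exe: zero-filled, with only the bytes
    the tutorial shows placed at the offsets it names."""
    image = bytearray(0x90000)
    image[CDCHECK_OFFSET:CDCHECK_OFFSET + 8] = CDCHECK_SUB + CDCHECK_TAIL
    table = (b"SE A GAME\0\0\0" + STRING_ORIG + b"\0"
             + b"PRESS START TO PLAY\0SELECT GAME\0")
    image[0x8C650:0x8C650 + len(table)] = table
    return image


def patch_file(src, dst):
    """Patch a real copy: read, check, write to a NEW file, never in place."""
    with open(src, "rb") as f:
        image = bytearray(f.read())
    if cdcheck_status(image) != "original":
        raise SystemExit(f"{src}: CD check bytes are {cdcheck_status(image)}, not patching")
    apply_nocd(image)
    with open(dst, "wb") as f:
        f.write(image)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        patch_file(sys.argv[1], sys.argv[2])
    else:  # no arguments: run against the constructed image
        img = apply_nocd(build_sample_image())
        print(cdcheck_status(img), bytes(img[STRING_OFFSET:STRING_OFFSET + 20]))
```

Run it with no arguments to see it work on the constructed image, or as `python nocd.py Smash2.exe Smash2.nocd.exe` (file names are placeholders) to patch a real copy. Because both checks compare against the exact bytes from the disassembly, running it twice, or on a different build of the exe, stops with an error instead of silently corrupting something else at those offsets.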
Laterz!
Final thoughts
Word....and stuff.
CD Checking made easy heh...
Greetings
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN,
GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read
from everyone who writes them.
CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy &
http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This document is copyrighted by Kanal23 and its members. Please mail the
author of this document for complaints and those things.
Kanal23 is signing out for now.