Cracking Tutorial #60:
Cracking Shrek Activity Center -- Version 1.0.0.37 NOCD

[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] find the EPH release or buy it
[tOOLz:] W32dasm 8.93, Hiew 6.x, & Softice 4.05


KANAL23 Tutorial

http://www.kanal23.net







Introduction

I have this game for my kid and I always lose the CD somewhere, so since I was bored I decided this one needed cracking. Anyway, this is a quick tutorial, so if you have a question, email me =)


The Essay


First make the usual backup of the exe, then let's make this thing work without a CD. Run the exe and you get the error message:

Shrek Activity Center Error
Blah blah blah you need the cd...


Here is the code that puts up the error message. You can find it in the disassembly by clicking on the string resource "Shrek Activity Center Error" in W32Dasm's string references. From there you can either trace back by hand (very long) or look at the listing below:

* Possible Reference to String Resource ID=00550: "Shrek Activity Center Error"

:0045B56C 6826020000 push 00000226
:
:lines of code
:
:0045B646 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01C3h

:0045B648 FF1570A34B00 Call dword ptr [004BA370]
:0045B64E 32C0 xor al, al
:0045B650 5F pop edi
:0045B651 5E pop esi
:0045B652 5B pop ebx
:0045B653 8BE5 mov esp, ebp
:0045B655 5D pop ebp
:0045B656 C3 ret
<- step through this ret and you land right after the call at 0045B527 (see below)
 



* Referenced by a CALL at Address:
|:004354CF
|
:0045B482 55 push ebp
:
:lines of code
:
:0045B527 FF5208 call [edx+08]
<- the indirect call that ends up in our msgbox/error code; trace upward from here...
 


Going that way just takes too long: you would have to use W32Dasm as a debugger to follow calls like [edx+08], which are indirect (vtable) calls the dead listing cannot resolve. We do now know where the bad-guy message is raised, but that makes no difference in this tutorial because it is so far away from the deciding call. So let's just use SoftICE and set breakpoints on the APIs a CD check needs: bpx GetDriveTypeA, bpx GetLogicalDriveStringsA and bpx GetVolumeInformationA. When one fires, return to the caller (P RET) until you are back in the game's own code; you are now inside the CD checking routine, and returning from it lands you at 004A4F5D, right before the call we need to modify:


:004A4F58 E844FEFFFF call 004A4DA1 <- CD checking routine (calls the three APIs above)
:004A4F5D 83C404 add esp, 00000004
:004A4F60 8D8DFCFEFFFF lea ecx, dword ptr [ebp+FFFFFEFC] <- ecx = object holding the result flag
:004A4F66 E82F090000 call 004A589A <- call that decides eax (reads that flag byte)
:004A4F6B 25FF000000 and eax, 000000FF
:004A4F70 85C0 test eax, eax
:004A4F72 7414 je 004A4F88 <- our jump: taken when eax = 0 (no CD), not taken when eax = 1 (CD present)


Inside the cd checking routine you will find calls to:

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:0132h
* Reference To: KERNEL32.GetDriveTypeA, Ord:0117h
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0191h


This is how we know it is our routine. Now, instead of patching a bunch of places inside it, we look at the next call, see that it decides whether eax is 1 or 0, and make it always 1.


Here is the call that decides our jump:
:004A4F66 E82F090000 call 004A589A

We just need to go into it and make it leave EAX = 1.
EAX = 0 if no CD, EAX = 1 with CD.

You can see this if you use SoftICE, set a bpx on the instruction after the call (004A4F6B) and look at the EAX register:

:004A4F66 E82F090000 call 004A589A
:004A4F6B 25FF000000 and eax, 000000FF


Try it with the CD in the drive and you will see EAX = 1; try it again without the CD and you will see EAX = 0.

So lets check out the call and see what we can do to it.


* Referenced by a CALL at Addresses:
|:0045D318 , :0046AF56 , :0046AFAA , :0046B56A , :0046B65E
|:0046B98A , :0046B9D4 , :004A467C , :004A4715 , :004A4867
|:004A4F66 , :004A58B8 , :004A58C8
|
:004A589A 55 push ebp
:004A589B 8BEC mov ebp, esp
:004A589D 51 push ecx
:004A589E 894DFC mov dword ptr [ebp-04], ecx <- ecx = this, the object pointer from the caller's lea
:004A58A1 8B45FC mov eax, dword ptr [ebp-04]
:004A58A4 0FBE00 movsx eax, byte ptr [eax] <- read the flag byte at [this+0]
:004A58A7 F7D8 neg eax <- CF = 1 if eax was nonzero
:004A58A9 1BC0 sbb eax, eax <- eax = -CF (0 or FFFFFFFF)
:004A58AB F7D8 neg eax <- eax = 0 or 1: the compiler's "return byte != 0" idiom
:004A58AD 8BE5 mov esp, ebp
:004A58AF 5D pop ebp
:004A58B0 C3 ret
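To see exactly what the neg / sbb / neg sequence does, here is a small emulation of the routine's arithmetic with 32-bit wraparound and the carry flag tracked by hand, for every possible value of the flag byte. This is an added example for this tutorial, not code from the game or from the original write-up; the function names are ours.

```python
# Added example (not from the original tutorial): emulate the instructions at
# 004A58A4..004A58AB to show what the routine at 004A589A leaves in EAX.
MASK = 0xFFFFFFFF  # 32-bit register width


def movsx_byte(b: int) -> int:
    """MOVSX EAX, BYTE PTR [EAX]: sign-extend one byte to 32 bits."""
    b &= 0xFF
    return (b - 0x100 if b & 0x80 else b) & MASK


def neg(eax: int):
    """NEG EAX: two's-complement negate. CF is set iff the operand was non-zero."""
    cf = 1 if eax != 0 else 0
    return (-eax) & MASK, cf


def sbb_self(eax: int, cf: int) -> int:
    """SBB EAX, EAX: eax - eax - CF, so the result depends only on CF (0 or FFFFFFFF)."""
    return (eax - eax - cf) & MASK


def routine_004A589A(flag_byte: int) -> int:
    """Return the EAX value the routine produces for a given byte at [ecx]."""
    eax = movsx_byte(flag_byte)   # movsx eax, byte ptr [eax]
    eax, cf = neg(eax)            # neg eax
    eax = sbb_self(eax, cf)       # sbb eax, eax
    eax, _ = neg(eax)             # neg eax
    return eax


def caller_takes_jump(eax: int) -> bool:
    """The caller does AND EAX,0FF / TEST EAX,EAX / JE: the jump is taken iff the low byte is 0."""
    return (eax & 0xFF) == 0


if __name__ == "__main__":
    for b in (0x00, 0x01, 0x7F, 0x80, 0xFF):
        print(f"flag byte {b:02X}h -> eax = {routine_004A589A(b)}, je taken: {caller_takes_jump(routine_004A589A(b))}")
```

Every non-zero byte, including the ones movsx turns negative, comes out as 1 and only 00h comes out as 0, which is why the caller can get away with a plain test eax,eax after the and.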


Change the start of the call. The replacement is 7 bytes (mov eax,1 is 5 bytes, ret is 1, and one nop pads it), so it overwrites exactly the first four instructions of the routine (push ebp / mov ebp,esp / push ecx / mov [ebp-04],ecx, also 7 bytes) and nothing past them:
:004A589A 55 push ebp (file offset A589A)
:004A589B 8BEC mov ebp, esp
:004A589D 51 push ecx
:004A589E 894DFC mov dword ptr [ebp-04], ecx

To this (bytes B8 01 00 00 00 C3 90):
:004A589A B801000000 mov eax, 00000001
:004A589F C3 ret
:004A58A0 90 nop


So now the call moves 1 into EAX no matter what, test eax,eax clears ZF and the je is never taken. A plain ret is correct here because the original routine also ended in a plain ret (its argument comes in ecx, nothing is on the stack), and since we return before the push ebp there is no frame to tear down. One caveat: the listing shows this routine is referenced from 13 places, so the patch changes the answer for every caller, not just the CD check. It ran fine for this game, but if you see odd behaviour elsewhere, use the jump patch below instead, which touches only the CD decision.

Of course another way is to just patch the jump:

:004A4F72 7414 je 004A4F88 (file offset A4F72)
change to
:004A4F72 9090 nop nop (two bytes, same size as the je)

But that is boring. Anyway, run the game without the CD in the drive and you will see it load. We now have a NOCD patched copy of the game.
Laterz!
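As an added example (not part of the original tutorial), here is a small Python patcher that applies either of the two edits above to the exe. It refuses to write unless the original bytes quoted in the tutorial are at the expected file offsets, which is the check to do before touching any build you have not disassembled yourself. The file offsets and byte strings are the ones from the listings above (for this binary the tutorial's offsets show raw file offset = VA - 400000h; other binaries need the PE section table for that mapping). The zero-filled fake image built by make_fake_image() is constructed so the code can run without the game.

```python
# Added example, not code from the original tutorial: apply one of the two
# NOCD patches to the game exe, but only after verifying the original bytes.
import shutil

# Each patch is (file offset, bytes expected there before patching, bytes to write).
# Offsets and bytes are the ones quoted in the tutorial listings.
PATCH_FORCE_EAX_1 = (
    0xA589A,
    bytes.fromhex("55 8B EC 51 89 4D FC"),  # push ebp / mov ebp,esp / push ecx / mov [ebp-4],ecx
    bytes.fromhex("B8 01 00 00 00 C3 90"),  # mov eax,1 / ret / nop  (same 7 bytes)
)
PATCH_NOP_JE = (
    0xA4F72,
    bytes.fromhex("74 14"),  # je 004A4F88
    bytes.fromhex("90 90"),  # nop nop
)


def can_apply(image: bytearray, patch) -> bool:
    """True if the bytes the patch expects are present at its offset."""
    offset, expected, _ = patch
    return bytes(image[offset:offset + len(expected)]) == expected


def apply_patch(image: bytearray, patch) -> bytearray:
    """Patch IMAGE in place; refuse if the original bytes are not exactly where expected."""
    offset, expected, replacement = patch
    if len(expected) != len(replacement):
        raise ValueError("patch would change the size of the code it overwrites")
    found = bytes(image[offset:offset + len(expected)])
    if found != expected:
        raise ValueError(
            f"bytes at {offset:#x} are {found.hex()}, expected {expected.hex()}: "
            "different build, wrong offset, or already patched")
    image[offset:offset + len(replacement)] = replacement
    return image


def patch_file(exe_path: str, patch, backup_suffix: str = ".bak") -> str:
    """Back up EXE_PATH (the usual backup), patch it in place, return the backup path."""
    backup = exe_path + backup_suffix
    shutil.copyfile(exe_path, backup)
    with open(exe_path, "rb") as f:
        image = bytearray(f.read())
    apply_patch(image, patch)
    with open(exe_path, "wb") as f:
        f.write(image)
    return backup


def make_fake_image(size: int = 0xB0000) -> bytearray:
    """Constructed stand-in for the real exe: zero-filled, with the tutorial's
    original bytes placed at the two offsets so both patches can be exercised."""
    img = bytearray(size)
    for offset, expected, _ in (PATCH_FORCE_EAX_1, PATCH_NOP_JE):
        img[offset:offset + len(expected)] = expected
    return img


if __name__ == "__main__":
    img = make_fake_image()
    apply_patch(img, PATCH_NOP_JE)
    print("bytes at A4F72 after patch:", img[0xA4F72:0xA4F74].hex())  # 9090
```

For the real thing, call patch_file() with the path to the game exe and whichever patch you prefer; the byte check means running it twice, or running it against a different build, fails loudly instead of corrupting code that happens to live at those offsets.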


Final thoughts


Word....and stuff. CD...who needs a cd...


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document with complaints and those sorts of things.
Kanal23 is signing out for now.
