Cracking Tutorial #61:
Cracking Crazy Taxi PC - NOCD
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] Your local game store
[tOOLz:] W32dasm 8.93, Hiew 6.x, & Softice 4.05


KANAL23 Tutorial

http://www.kanal23.net




Crazy Taxi PC - NOCD

Download it from

The Store



Written by

sLeEpY¿

Tools

  • W32Dasm 8.93

  • Hiew 6.x, Softice 4.05

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

Well, I downloaded this one and found it has a "bug" in it that prevents you from playing if you don't have the CD in the drive. Crazy Taxi is a kool game and I loved it at the arcade for the cheap rush you get playing it. Anyway, now it's finally out for PC, so let's check it out.


The Essay


First make the usual backup, and let's make this damn thing work without a CD. Run the exe and you get this error message:

Crazy Taxi
Please insert the original Crazy Taxi CD and launch the game again
[OK]


We have no string refs to help us, so check the imported functions.
Hmm, let's try GetDriveTypeA, as it is the API call used for a CD/drive-type check, and it appears in only one location. Here:


* Referenced by a CALL at Address:
|:0042A17E
<-our call, goto this location
|
:00429DA0 81EC08010000 sub esp, 00000108
:00429DA6 53 push ebx
:00429DA7 55 push ebp
:00429DA8 8BAC2414010000 mov ebp, dword ptr [esp+00000114]
:00429DAF 56 push esi

* Reference To: USER32.wsprintfA, Ord:02ACh

:00429DB0 8B3530124C00 mov esi, dword ptr [004C1230]
:00429DB6 33C9 xor ecx, ecx
:00429DB8 57 push edi

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
<-here it is =) lets see where the call is

:00429DB9 8B3D74104C00 mov edi, dword ptr [004C1074]


Now GetDriveTypeA is the API call Wintendo uses to identify the CD-ROM drive and the like. If the check fails our game will not run, because it says we need the CD to play. OK, let's check out where our call came from, at 0042A17E.


:0042A17E E81DFCFFFF call 00429DA0 <-call into the cd check
:0042A183 83C404 add esp, 00000004
:0042A186 84C0 test al, al
:0042A188 7546 jne 0042A1D0
(offset 2A188) <-our conditional jump, we want to jmp
:0042A18A 68FF000000 push 000000FF
:0042A18F 8D8D94FCFFFF lea ecx, dword ptr [ebp+FFFFFC94]
:0042A195 51 push ecx
:0042A196 6A03 push 00000003
:0042A198 8B15249D9700 mov edx, dword ptr [00979D24]
:0042A19E 52 push edx

* Reference To: USER32.LoadStringA, Ord:01ABh
<-load string? hmm maybe our error msg =)

:0042A19F FF152C124C00 Call dword ptr [004C122C]
:0042A1A5 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Crazy Taxi"
<-error msg title bar

:0042A1A7 6830314F00 push 004F3130
:0042A1AC 8D8594FCFFFF lea eax, dword ptr [ebp+FFFFFC94]
:0042A1B2 50 push eax
:0042A1B3 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
<-msg box with our error msg

:0042A1B5 FF15E0114C00 Call dword ptr [004C11E0]
:0042A1BB 33C0 xor eax, eax
:0042A1BD 8B4DF0 mov ecx, dword ptr [ebp-10]
:0042A1C0 64890D00000000 mov dword ptr fs:[00000000], ecx
:0042A1C7 5F pop edi
:0042A1C8 5E pop esi
:0042A1C9 5B pop ebx
:0042A1CA 8BE5 mov esp, ebp
:0042A1CC 5D pop ebp
:0042A1CD C21000 ret 0010


Well now we know where to patch it for an easy fix:
Change this:
:0042A188 7546 jne 0042A1D0 (offset 2A188)
to this:
:0042A188 EB46 jmp 0042A1D0
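
The listing pairs each address with a Hiew file offset (0042A188 -> 2A188) without saying how one becomes the other. As an added example, not part of the original tutorial, here is that mapping computed from the PE section table, plus a peek at the bytes stored at a given address so a binary can be compared against the listing; the sample image is constructed in code (headers and the two bytes of the jne only) and assumes the exe's .text section has PointerToRawData equal to its VirtualAddress, which is what makes the offset equal VA minus the 00400000 image base here.

```python
import struct

IMAGE_BASE = 0x400000  # assumed default PE32 base; the tutorial's 0042A188 etc. are VAs


def parse_sections(image):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...]) from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", image, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    image_base = struct.unpack_from("<I", image, opt_off + 28)[0]  # PE32 ImageBase
    sections = []
    for i in range(nsect):
        hdr = opt_off + opt_size + 40 * i
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, hdr)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(image, va):
    """Map a VA (as W32Dasm/Softice show it) to a file offset (as Hiew needs it)."""
    image_base, sections = parse_sections(image)
    rva = va - image_base
    for name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            return raw_ptr + (rva - sec_rva)
    raise ValueError("VA 0x%08X is not inside any section" % va)


def code_at(image, va, n):
    """Bytes stored at a VA; compare them with the listing to see whether a file was altered."""
    off = va_to_offset(image, va)
    return bytes(image[off:off + n])


def build_sample_pe():
    """CONSTRUCTED stand-in for the game exe: headers and two sections, no real code.
    .text has PointerToRawData == VirtualAddress (offset == VA - ImageBase, as in the tutorial);
    .data is laid out so that naive subtraction would give the wrong offset."""
    img = bytearray(0x62000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)   # COFF header
    struct.pack_into("<H", img, 0x58, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", img, 0x58 + 28, IMAGE_BASE)                        # ImageBase
    sec = 0x58 + 224                                                          # section table
    struct.pack_into("<8sIIII", img, sec, b".text", 0x60000, 0x1000, 0x60000, 0x1000)
    struct.pack_into("<8sIIII", img, sec + 40, b".data", 0x1000, 0x70000, 0x1000, 0x61000)
    img[0x2A188:0x2A18A] = b"\x75\x46"  # the original "jne 0042A1D0" bytes from the listing
    return img
```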

Now the game will always run; who needs the damn CD. Anyway, let's use Softice and see what value decides this.

Ctrl+D into Softice.
Set a BPX on GetDriveTypeA, run the exe, and when Softice breaks set another BPX on the location right after the call: BPX 42A183. Now press Ctrl+D again; Softice will break 20 or so times on GetDriveTypeA but will eventually break at the new location. Let's check the registers once with the CD, and once again without it.

Here we go, with the cd in the drive we get this:
:0042A17E E81DFCFFFF call 00429DA0 <-call into the cd check
:0042A183 83C404 add esp, 00000004
<-EAX = 1
:0042A186 84C0 test al, al
<-AL = 1
:0042A188 7546 jne 0042A1D0
<-jump taken (jump if not zero; jne = jnz)

With no CD in the drive we get this:
:0042A17E E81DFCFFFF call 00429DA0 <-call into the cd check
:0042A183 83C404 add esp, 00000004
<-Eax = 0
:0042A186 84C0 test al, al
<-AL = 0
:0042A188 7546 jne 0042A1D0
<-jump not taken, proceed to error msg.

So another way to defeat this cd check is to go into the call here:

:0042A17E E81DFCFFFF call 00429DA0

and change the code around, from this:

* Referenced by a CALL at Address:
|:0042A17E
|
:00429DA0 81EC08010000 sub esp, 00000108
(offset 29DA0)

To this:

* Referenced by a CALL at Address:
|:0042A17E
|
:00429DA0 B801000000 mov eax, 00000001
:00429DA5 C3 ret


Now EAX is loaded with a 1 and the cd check will pass every time.
Laterz!

Final thoughts


Word....and stuff. CD...who needs a cd...


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.