Cracking Tutorial #65:
Cracking The CD Check in Mechwarrior 2
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 08/2002
[difficulty:] beginner
[where:] http://www.buyitatthestore.com.org.net
[tOOLz:] W32dasm 8.93, Hiew 6.x


KANAL23 Tutorial

http://www.kanal23.net




Mechwarrior 2 - NOCD

Download it from

http://www.hellifiknow.com



Written by

sLeEpY¿

Tools

  • W32Dasm 8.93

  • Hiew 6.x

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction


This game is old, but a nice one to practice no-CD cracks on.


The Essay

Old Skool Crackin'

Word. Well, what a boring-ass day, and all I can find is an old copy of MechWarrior 2. I don't really like playing a lot of these games, but hey, why not a tutorial on how to crack the CD check.

So install the game and pop the CD out, and let's disassemble the exe (52k, whoosh, old, and actually small like it should be). It lives here: C:\Program Files\Activision\Mech2

Next, try running it without the CD and you get the following error message:

MECHWARRIOR 2
You must insert the MECHWARRIOR 2 CD into your CD-ROM drive.
[OK]



Normally I would start tracing back from the message box, but today let's go straight for the API. From the tuts I've read, these older games are easy because they nearly all use the same protection: walk the drive list, find the CD-ROM drive, and maybe check for a file on it. So open the imports in W32Dasm and look for KERNEL32.GetDriveTypeA. No SoftICE this time; we don't need it.


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401CF5(C)
|
:00401D05 6A01 push 00000001
:00401D07 6A69 push 00000069
:00401D09 E8460C0000 call 00402954
<-allocates the 0x69-byte buffer for the drive strings, result saved in [ebp-1C]
:00401D0E 83C408 add esp, 00000008
:00401D11 8945E4 mov dword ptr [ebp-1C], eax
:00401D14 8B45E4 mov eax, dword ptr [ebp-1C]
:00401D17 50 push eax
:00401D18 6A69 push 00000069

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00E5h
|
:00401D1A FF1554F14000 Call dword ptr [0040F154]
<-fills the buffer with "A:\", "C:\", "D:\"... 4 bytes per drive, an extra NUL at the end

* Possible StringData Ref from Data Obj ->" :\OLD_HERC.DRV"
<-file on the CD the prog is checking for; the leading space gets the drive letter later
|
:00401D20 68A0D74000 push 0040D7A0
:00401D25 8D45EC lea eax, dword ptr [ebp-14]
:00401D28 50 push eax
:00401D29 E8F00C0000 call 00402A1E
<-copies that string into the path buffer at [ebp-14]
:00401D2E 83C408 add esp, 00000008
:00401D31 8B45E4 mov eax, dword ptr [ebp-1C]
:00401D34 8985A0FEFFFF mov dword ptr [ebp+FFFFFEA0], eax
<-[ebp-160] = pointer to the current drive string
:00401D3A C7059CD7400000000000 mov dword ptr [0040D79C], 00000000
<-counter of CD-ROM drives seen, starts at 0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401DB0(U)
|
:00401D44 8B85A0FEFFFF mov eax, dword ptr [ebp+FFFFFEA0]
:00401D4A 0FBE00 movsx eax, byte ptr [eax]
:00401D4D 85C0 test eax, eax
:00401D4F 0F8460000000 je 00401DB5
<-first byte of the current drive string is 0: no more drives, leave the loop (this is the jump we'll force later)
:00401D55 8B85A0FEFFFF mov eax, dword ptr [ebp+FFFFFEA0]
:00401D5B 50 push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:00CEh
|
:00401D5C FF1564F14000 Call dword ptr [0040F164]
<-here is where we begin!
:00401D62 83F805 cmp eax, 00000005
<-compare eax with 5 (DRIVE_CDROM)
:00401D65 0F853E000000 jne 00401DA9
<-not a CD-ROM drive: go try the next one
:00401D6B FF059CD74000 inc dword ptr [0040D79C]
<-count the CD-ROM drive
:00401D71 8B85A0FEFFFF mov eax, dword ptr [ebp+FFFFFEA0]
:00401D77 8A00 mov al, byte ptr [eax]
:00401D79 8845EC mov byte ptr [ebp-14], al
<-the drive letter overwrites the space: "D:\OLD_HERC.DRV"
:00401D7C 8D85A4FEFFFF lea eax, dword ptr [ebp+FFFFFEA4]
:00401D82 50 push eax
<-WIN32_FIND_DATA at [ebp-15C]
:00401D83 8D45EC lea eax, dword ptr [ebp-14]
:00401D86 50 push eax
<-the path

* Reference To: KERNEL32.FindFirstFileA, Ord:0079h
|
:00401D87 FF1560F14000 Call dword ptr [0040F160]
<-looks for OLD_HERC.DRV on that drive; nothing here reads the file, it only has to exist
:00401D8D 8945E8 mov dword ptr [ebp-18], eax
:00401D90 837DE8FF cmp dword ptr [ebp-18], FFFFFFFF
<-INVALID_HANDLE_VALUE means not found
:00401D94 0F840F000000 je 00401DA9
<-jump if not found, next drive (shit jump)
:00401D9A 8B45E8 mov eax, dword ptr [ebp-18]
:00401D9D 50 push eax

* Reference To: KERNEL32.FindClose, Ord:0075h
|
:00401D9E FF1548F14000 Call dword ptr [0040F148]
:00401DA4 E90C000000 jmp 00401DB5
<-all ok, run the game (note: same place the "no more drives" exit at 401D4F lands)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401D65(C), :00401D94(C)
|
:00401DA9 8385A0FEFFFF04 add dword ptr [ebp+FFFFFEA0], 00000004
<-next drive string (4 bytes each)
:00401DB0 E98FFFFFFF jmp 00401D44
<-loop back around; when the list runs out with nothing found, the je at 401D4F exits and you get the error box
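Here is the same loop written out in Python, as an added example (not code from the tutorial or from the game), so you can see what the asm above does and what each patch changes. GetDriveTypeA and FindFirstFileA are passed in as callables: table_env() fakes them from a constructed drive table, and win32_env() wires up the real kernel32 imports on Windows (with os.path.exists standing in for the FindFirstFileA/FindClose pair). The drive letters, types and the file in demo() are made up for the demo.

```python
"""Python reconstruction of the CD-check loop at 00401D05..00401DB5.

Added example, not code from the tutorial or from the game. The two Win32
calls in the loop sit behind callables so it runs anywhere; the drive
table in demo() is constructed for illustration.
"""
import os

# GetDriveTypeA return values (winbase.h)
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3
DRIVE_CDROM = 5

MARKER = " :\\OLD_HERC.DRV"   # string at 0040D7A0; byte 0 gets the drive letter


def cd_check(drive_strings, drive_type, find_first, wanted_type=DRIVE_CDROM):
    r"""Walk the GetLogicalDriveStringsA buffer the way 00401D44..00401DB0 does.

    drive_strings: bytes exactly as GetLogicalDriveStringsA fills them,
                   b"A:\\\0C:\\\0D:\\\0\0" (4 bytes per root, extra NUL at end).
    drive_type:    callable(root) -> int, standing in for GetDriveTypeA.
    find_first:    callable(path) -> bool, standing in for
                   FindFirstFileA(...) != INVALID_HANDLE_VALUE (then FindClose).
    wanted_type:   the immediate of 'cmp eax, 5' at 00401D62; the third patch
                   on the page turns it into DRIVE_FIXED.

    Returns (cdrom_count, found_path): the value left in [0040D79C], and the
    path if 00401DB5 was reached through the jmp at 00401DA4, else None.
    """
    cdrom_count = 0                       # dword [0040D79C], zeroed at 00401D3A
    pos = 0                               # the pointer kept in [ebp-160h]
    while True:
        if drive_strings[pos] == 0:       # test eax,eax / je 00401DB5: list exhausted
            return cdrom_count, None
        root = drive_strings[pos:pos + 3].decode("ascii")     # e.g. "D:\\"
        if drive_type(root) == wanted_type:   # cmp eax,5 / jne 00401DA9
            cdrom_count += 1                  # inc dword [0040D79C]
            # 00401D77..00401D79: drive letter overwrites the leading space
            path = chr(drive_strings[pos]) + MARKER[1:]
            if find_first(path):              # FindFirstFileA succeeded
                return cdrom_count, path      # FindClose; jmp 00401DB5
        pos += 4                              # add [ebp-160h],4 ; jmp 00401D44


def table_env(drives):
    """Constructed environment: drives maps a root such as "D:\\" to
    (drive type, set of file names in its root)."""
    strings = b"".join(r.encode("ascii") + b"\0" for r in drives) + b"\0"
    return (strings,
            lambda root: drives[root][0],
            lambda path: path[3:] in drives[path[:3]][1])


def win32_env():
    """The real thing, on Windows only, through the same two kernel32 imports
    the game uses; os.path.exists stands in for FindFirstFileA/FindClose."""
    import ctypes
    k32 = ctypes.windll.kernel32
    buf = ctypes.create_string_buffer(0x69)      # same size the game allocates
    k32.GetLogicalDriveStringsA(0x69, buf)
    return (buf.raw,
            lambda root: k32.GetDriveTypeA(root.encode("ascii")),
            os.path.exists)


def demo():
    """A machine with an empty CD-ROM in D: and the marker file sitting in the
    root of C:, run through the unpatched check and through patch 3."""
    drives = {"A:\\": (DRIVE_REMOVABLE, set()),
              "C:\\": (DRIVE_FIXED, {"OLD_HERC.DRV"}),
              "D:\\": (DRIVE_CDROM, set())}
    strings, dtype, ffirst = table_env(drives)
    unpatched = cd_check(strings, dtype, ffirst)               # (1, None): error box
    patched3 = cd_check(strings, dtype, ffirst, DRIVE_FIXED)   # (1, "C:\\OLD_HERC.DRV")
    return unpatched, patched3


if __name__ == "__main__":
    print(demo())
```

On a real machine, swap table_env(drives) for win32_env() and you are running the game's own drive walk. The return value makes the difference between the two loop exits explicit: (n, None) is the "no more drives" path through 401D4F, (n, path) is the "found it" path through 401DA4, and both end up at 401DB5.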


OK, there are a few different ways we can crack this. I always like to go back to the oldies every now and then; good for practice! Besides, it's so much harder to crack the new games/progs if you don't have a good foundation. If you have problems with new games, go back in time to when it was so much easier, hehe.

Anyway, we see that we can bypass the entire CD check here:
:00401D4F 0F8460000000 je 00401DB5
Just make it always jump! Change the 0F84 (je) to 90E9 (nop; jmp); the rel32 60000000 stays as it is and the instruction is still 6 bytes, so nothing else moves. One thing to keep in mind: this is the same exit the loop takes when every drive has been tried and nothing was found, and both it and the "all ok" jmp at 00401DA4 land on 00401DB5, which the listing above stops short of. On this path the CD-ROM counter at [0040D79C] is still 0 and [ebp-18] never gets written, so if the game still complains after this patch, the code at 00401DB5 is where to look next.

Another way would be to make the CD check not care, like this. NOP out these two jumps (each one is 6 bytes, so that's six 90s apiece):
:00401D65 0F853E000000 jne 00401DA9
:00401D94 0F840F000000 je 00401DA9


Now the loop-around at 00401DA9 is never taken: the first drive in the list (normally A:) counts as a CD-ROM, FindFirstFileA comes back with INVALID_HANDLE_VALUE (unless you happen to have the file on a floppy), FindClose gets the -1 handle and just fails, and the jmp at 00401DA4 runs the game.

A third way to crack this would be like so:
:00401D62 83F805 cmp eax, 00000005 <-compare eax with 5, DRIVE_CDROM
change it to this:
:00401D62 83F803 cmp eax, 00000003 <-compare eax with 3, DRIVE_FIXED
That's one byte, 05 to 03, at 00401D64.

Now it walks the fixed drives instead of the CD-ROM drives and looks in the root of each one for OLD_HERC.DRV. So give it what it wants: create an empty file called OLD_HERC.DRV in the root of C: (nothing in this loop reads the file, it only has to exist), and we are done!

3 ways to crack an oldy.
Laterz!

Final thoughts


Beat your kids, Beat your wife.


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.

(Note: I cut out a lot of code from the listing and just left the refs.)