Cracking Tutorial #66: Cracking The CD Check in WCW Nitro
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 08/2002
[difficulty:] beginner
[where:]
http://www.buyitatthestore.com.org.net
[tOOLz:] W32dasm 8.93, Hiew 6.x
KANAL23 Tutorial
WCW Nitro - NOCD
Download it from: http://www.hellifiknow.com
Written by: sLeEpY¿
Introduction
This game is old, but a nice one to practice cracking no-cds with.
The Essay
Old Skool Crackin'
YOOOOOOOOOOOOOOO
Today is CD check day for me, so this is my second tutorial in a couple of hours.
I'm cracking another old piece of crap Wintendo 95 game so we can play it
without the CD. I don't like wrestling, but everyone has their own opinion. So
anyway, we run the game without the CD and here is our bug in the program:
Error
The WCW Nitro PC CD must be in the drive to play.
[OK]
Once again we don't need SoftICE, but you can use it if you wanna see how the call
works in the end. Disassemble the prog in W32dasm and let's check out the
imports... well, nothing under KERNEL32.GetDriveTypeA, so I guess we will tackle
the error message instead. Double-click on "Error" and you will get dropped
around here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405B8F(C)
|
:00405BB0 E86B110000       call 00406D20
:00405BB5 E8A60A0000       call 00406660              <- this call does some registry stuff
:00405BBA 85C0             test eax, eax
:00405BBC 0F84A6010000     je 00405D68                <- jump to crap, no error, just crap
:00405BC2 E879090000       call 00406540              <- check for X:\launcher.exe, see below
:00405BC7 85C0             test eax, eax
:00405BC9 7521             jne 00405BEC               <- jump to all ok, run game
:00405BCB 53               push ebx
* Possible StringData Ref from Data Obj ->"Error"     <- our error msg, start here!
:00405BCC 68C8744300       push 004374C8
* Possible StringData Ref from Data Obj ->"The WCW Nitro PC CD must be in "
                                        ->"the drive to play."
:00405BD1 68DC944300       push 004394DC
:00405BD6 53               push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh         <- message box
:00405BD7 FF1570314300     Call dword ptr [00433170]  <- message box error msg
:00405BDD 5F               pop edi
:00405BDE 5E               pop esi
:00405BDF 5D               pop ebp
:00405BE0 33C0             xor eax, eax
:00405BE2 5B               pop ebx
:00405BE3 81C4AC000000     add esp, 000000AC
:00405BE9 C21000           ret 0010
Into this call...
:00405BC2 E879090000       call 00406540

* Referenced by a CALL at Address:
|:00405BC2
|
:00406540 81EC00010000     sub esp, 00000100
:00406546 8D442400         lea eax, dword ptr [esp]
:0040654A 56               push esi
:0040654B 689C1B4500       push 00451B9C
:00406550 50               push eax
:00406551 BE01000000       mov esi, 00000001
* Reference To: KERNEL32.lstrcpyA, Ord:0302h
:00406556 FF1508314300     Call dword ptr [00433108]
:0040655C 8D4C2404         lea ecx, dword ptr [esp+04]
* Possible StringData Ref from Data Obj ->"LAUNCHER.EXE"  <- file on CD we are checking for!
:00406560 6814954300       push 00439514
:00406565 51               push ecx
* Reference To: KERNEL32.lstrcatA, Ord:02F9h
:00406566 FF15D0304300     Call dword ptr [004330D0]
:0040656C 8D542404         lea edx, dword ptr [esp+04]
* Possible StringData Ref from Data Obj ->"r"
:00406570 6810954300       push 00439510
:00406575 52               push edx
:00406576 E82E4D0200       call 0042B2A9
:0040657B 83C408           add esp, 00000008
:0040657E 85C0             test eax, eax
:00406580 7508             jne 0040658A
:00406582 5E               pop esi
:00406583 81C400010000     add esp, 00000100
:00406589 C3               ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406580(C)
|
:0040658A 50               push eax
:0040658B E82B4B0200       call 0042B0BB
:00406590 83C404           add esp, 00000004
:00406593 8BC6             mov eax, esi               <- put value of esi into eax
:00406595 5E               pop esi
:00406596 81C400010000     add esp, 00000100
:0040659C C3               ret
If the above call returns 0, we fail. How do we know? Because of this:
:00405BC7 85C0             test eax, eax
:00405BC9 7521             jne 00405BEC               <- jump if not zero to run game
So EAX has to have a value other than 0. We can tell from the code that if it
finds Launcher.exe on the CD-ROM, it will return with EAX holding something other than 0.
So to defeat this protection we just have to make this happen:
Change this:
:00405BC9 7521             jne 00405BEC
Change to:
:00405BC9 EB21             jmp 00405BEC
Now we will jump no matter what is stored in EAX.
Another way we can crack this game is by going into the call here:
:00405BC2 E879090000       call 00406540
And changing the following code:
Change this:
:00406540 81EC00010000     sub esp, 00000100
To this:
:00406540 B801000000       mov eax, 00000001
:00406545 C3               ret
Now the check for the file will simply never happen; instead EAX will have the
value 1 moved into it and the call will return back to here:
:00405BC7 85C0             test eax, eax
:00405BC9 7521             jne 00405BEC
EAX will be tested, it will hold the value 1, and therefore the jump will be taken.
I dunno if this screws up any other registers, but the game works =).
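To read a listing like the ones above with confidence it helps to decode the branch bytes yourself rather than trust the disassembler blindly: x86 relative jumps and calls store a signed 8- or 32-bit displacement that is added to the address of the following instruction, and a byte patch only stays safe if the new instructions occupy exactly the bytes they replace. The Python helper below is an added example, not part of the original tutorial. It decodes the relative call/jmp/jcc encodings, checks every branch line copied from the listing against the target W32dasm printed, and confirms that the two edits discussed (`7521` to `EB21`, and `81EC00010000` to `B801000000C3`) are length-preserving. The decoder covers the general rel8/rel32 forms, not only the opcodes that appear on this page.

```python
"""Decode x86 relative branches from a W32dasm-style listing.

Added example, not code from the original tutorial. The addresses and
opcode bytes in LISTING are copied from the tutorial; the decoder is
written from the x86 encoding rules: a rel8/rel32 displacement is
relative to the address of the *next* instruction.
"""

# Condition mnemonics for 0x70..0x7F (rel8) and 0x0F 0x80..0x8F (rel32).
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_branch(addr, code):
    """Return (mnemonic, length, target) for the relative branch at addr.

    addr is the instruction's virtual address, code its raw bytes.
    Raises ValueError for anything that is not a relative branch.
    """
    op = code[0]
    if op in (0xE8, 0xE9):                            # call rel32 / jmp rel32
        length = 5
        disp = int.from_bytes(code[1:5], "little", signed=True)
        mnem = "call" if op == 0xE8 else "jmp"
    elif op == 0xEB:                                  # jmp rel8
        length = 2
        disp = int.from_bytes(code[1:2], "little", signed=True)
        mnem = "jmp"
    elif 0x70 <= op <= 0x7F:                          # jcc rel8
        length = 2
        disp = int.from_bytes(code[1:2], "little", signed=True)
        mnem = JCC[op - 0x70]
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:      # jcc rel32
        length = 6
        disp = int.from_bytes(code[2:6], "little", signed=True)
        mnem = JCC[code[1] - 0x80]
    else:
        raise ValueError("not a relative branch: %s" % code.hex())
    # Displacement is applied to the address of the following instruction.
    target = (addr + length + disp) & 0xFFFFFFFF
    return mnem, length, target


def parse_listing_line(line):
    """Parse ':00405BC9 7521 jne 00405BEC' into (addr, code, listed_target)."""
    parts = line.strip().lstrip(":").split()
    return int(parts[0], 16), bytes.fromhex(parts[1]), int(parts[-1], 16)


def check_listing(lines):
    """Decode each branch line and compare with the operand the listing shows.

    Returns a list of (addr, mnemonic, decoded_target, listed_target, ok).
    """
    results = []
    for line in lines:
        addr, code, listed = parse_listing_line(line)
        mnem, _, target = decode_branch(addr, code)
        results.append((addr, mnem, target, listed, target == listed))
    return results


def same_length(original_hex, patch_hex):
    """True when the replacement bytes exactly fill the instruction they overwrite."""
    return len(bytes.fromhex(original_hex)) == len(bytes.fromhex(patch_hex))


# Branch lines copied from the tutorial's listing.
LISTING = [
    ":00405BB0 E86B110000 call 00406D20",
    ":00405BB5 E8A60A0000 call 00406660",
    ":00405BBC 0F84A6010000 je 00405D68",
    ":00405BC2 E879090000 call 00406540",
    ":00405BC9 7521 jne 00405BEC",
    ":00406576 E82E4D0200 call 0042B2A9",
    ":00406580 7508 jne 0040658A",
    ":0040658B E82B4B0200 call 0042B0BB",
]

if __name__ == "__main__":
    for addr, mnem, target, listed, ok in check_listing(LISTING):
        print("%08X %-4s -> %08X (listing: %08X) %s"
              % (addr, mnem, target, listed, "ok" if ok else "MISMATCH"))
    print("jne -> jmp keeps length:", same_length("7521", "EB21"))
    print("sub esp -> mov eax,1; ret keeps length:",
          same_length("81EC00010000", "B801000000C3"))
```

Running it shows every decoded target agreeing with the listing, which is how you confirm that `7521` at 00405BC9 really lands on 00405BEC (00405BC9 + 2 + 21h) before touching a single byte. The same arithmetic explains why the author's second variant works without relocating anything: `mov eax, 1` plus `ret` is six bytes, exactly the size of the `sub esp, 00000100` it overwrites, so the rest of the routine is untouched and no displacement elsewhere changes.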
Laterz!
Final thoughts
A sign of insanity is realizing it.
Greetings
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178,
and all those tuts I read from everyone who writes them.
CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This document is copyrighted by KANAL23 and its members. Please mail the
author of this document for complaints and those things.
Kanal23 is signing out for now.