Author BiSHoP
Target

MadRobots 1.1 English

Public Release April 28th, 2001
Author Contact bishop@lockless.com
Dedication Lockless
Difficulty Level (1-10) 1 (Very easy)
Tools Required SoftICE 3.2x

This tutorial is for educational purposes only!

Introduction

Welcome to my eleventh tutorial.

Hi, I am back after idling for so long. This time I will show you how to crack a
game. A friend asked me to crack it because he could only find cracks for the
German version of the game, not the English one. I am too lazy and tired to make
a keygen right now, so I will only show you how to find a valid serial.
Oh, and I almost forgot: the game maker's webpage is
http://ourworld.compuserve.com/homepages/XLMSoft
If that site cannot be found, there are mirror sites; search for "Madrobots" at
http://www.lycos.com.

Tutorial

OK, here's an overview of the game.
In the shareware version you can only play 2 levels; in the full version you can play all
25 levels plus hundreds of extra levels downloadable from XLMSoft's site. The full version
also gives you full access to the Level Editor for Mad Robots. And of course, the shareware
version has the annoying nag reminder every time you start the game, asking you to register!
Knowing that all those features are already hidden in the game, just waiting to be unlocked,
makes you want to drool, doesn't it? =P~

Start the game and the shareware reminder pops up, so click "Enter Registration Key..."
We get to type in a name and a registration key, so I enter "BiSHoP" for the name and
"12121212" for the key. Most beginner crackers would now go straight into SoftICE and bpx
both GetDlgItemTextA and GetWindowTextA to see which API the program uses. That is the
less advanced (or lame =) way to find it: if the program uses neither, you are stuck.
The better way, which more intermediate crackers use, is hmemcpy. It is a low-level copy
routine in the 16-bit kernel that nearly every API that moves a string ends up calling, so
a breakpoint on it catches the text being read whatever API sits on top. So bpx hmemcpy in
SoftICE and click OK in the registration box. SoftICE pops up; press F11 once, then press
F12 seven times and we land inside the program's own code. That is easy to recognize: the
16-bit kernel code is shown with 4-hex-digit offsets, while a regular 32-bit Windows
application's code is shown with 8-hex-digit offsets. Now we can see that the program uses
GetWindowTextA to retrieve the text, so this is a good time to clear the hmemcpy bpx and
bpx GetWindowTextA instead, so hmemcpy won't keep bugging you.
According to the Windows API reference, this is the prototype for GetWindowText:
int GetWindowText(HWND hWnd, LPTSTR lpString, int nMaxCount);
That is the C prototype. Win32 APIs use the stdcall convention, so in assembly the
parameters are pushed onto the stack in reverse order, last parameter first (the stack is
last in, first out), and the callee removes them. Example:
PUSH 00000064
PUSH OFFSET StrBuf
PUSH hWnd
CALL GetWindowTextA

Now we take a look at the MadRobot's parameters:
PUSH 00000032
PUSH 0041966C
PUSH 00000065
PUSH EBX
CALL GetDlgItem
PUSH EAX
CALL GetWindowTextA

The 65h and EBX are the control ID and the dialog handle for GetDlgItem, which returns the
handle of the edit box in EAX for GetWindowTextA to use; since these are stdcall APIs the
arguments are popped off the stack by the callee, so nothing is left behind. If you dump
41966C after GetWindowTextA returns (type D 41966C in SoftICE) you will see the name you
typed in. The 32h (50) is nMaxCount, the size of the buffer including the terminating NUL,
so at most 49 characters of the name are copied and anything beyond that is truncated.
Now we continue to trace...
PUSH 0000001E
PUSH 00419734
PUSH 00000066
PUSH EBX
CALL GetDlgItem
PUSH EAX
CALL GetWindowTextA
PUSH 00419734
CALL lstrlen
TEST EAX, EAX
JZ 40151A
PUSH 0041966C
CALL lstrlen
TEST EAX, EAX
JNZ 40151A


Simple checks that something was typed into both the serial box and the name box. Now
here's the trick =)
The program now calls EndDialog, the dialog ends and you get kicked back into kernel code.
Let's swim our way back in: keep pressing F12 until you return to familiar code. You should
eventually return to MadRobots' code right after a call to DialogBoxParamA.
Code snippets here:
CALL DialogBoxParamA
CALL 401142 <- You return here

Press F8 to Step into the call, now trace a few lines down...

MOV EDI, 00419734
MOV ESI, 00417784

Dump the address 419734 and we see the serial we entered, "12121212".
Glad to see we are still in the right territory... Now here's something interesting:
PUSH EDI
CALL lstrlen
CMP EAX, 0F <-Do a new bpx here
JZ 401178


EDI points to our serial; I typed in "12121212", which is only 8 characters long, and this
checks whether it is 15 characters long (0F = 15). Clear all breakpoints and bpx the line
with the compare. Continue tracing: it doesn't jump, so let's break out with F5, and we end
up with a message telling us that our serial is in the wrong format. Assuming that the jump
to 401178 is the good path, this time enter a serial 15 characters long, "121212121212121",
and click OK. With the bpx on the CMP line you pop up right on it, and this time it jumps
to 401178 because we entered 15 characters.
CMP BYTE PTR [EDI], 4D
JZ 40118E

This compares the first byte EDI points to with 4D, the ASCII character M. If not equal we
get the same message again. This time enter M21212121212121, click OK and trace... we pass
the check of the first letter, and it goes on to check the second character against 52
(ASCII R) and the third against 45 (ASCII E):
CMP BYTE PTR [EDI+01], 52
...
CMP BYTE PTR [EDI+02], 45

We have to come back out and retype the serial with MRE as the first 3 characters, dropping
3 other characters to keep it 15 long.
CMP BYTE PTR [EDI+03], 2D
...
CMP BYTE PTR [EDI+07], 2D
...
CMP BYTE PTR [EDI+0B], 2D

Checks the fourth, eighth and twelfth positions ([EDI+03], [EDI+07], [EDI+0B]) for 2D, the
ASCII character -. To satisfy that, I went back out and entered MRE-121-121-121.
Click OK; now we pass all the checks on the serial format, and then come shitloads of serial
calculations. To save you the work, I will tell you that the serial comparison is at address
401323 (that is the virtual address; the RVA is 1323 with the image base at 400000). Set a
bpx on 401323 while in MadRobots' code, press F5, and you should end up there as long as
your serial is in the right format (MRE-###-###-###). Examine the compares closely and you
will find the good serial: the routine takes the last 4 digits of the serial and compares
them with 4 digits produced by the long calculation. Below, the first line is what I typed,
the middle line shows the computed digits at the positions where they are compared, and the
last line is the corrected serial:
MRE-121-121-121
..........1.500
MRE-121-121-500

OK, that should work: enter the name BiSHoP and MRE-121-121-500 as the serial.
"Mad Robots was successfully unlocked. You now have the full version!"
The serial depends on your name and on the first 5 digits of the serial after MRE-.
In MRE-xxx-xxo-ooo any digit can be entered for the x's, but the o's are calculated from
the name and the x's. For example, MRE-312-423-560 also works with the name BiSHoP.
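To make the format checks and the splicing step concrete, here is an added example in C;
it is not code from this tutorial or from XLMSoft. It reimplements the checks traced above
(length 15, M R E at offsets 0-2, dashes at offsets 3, 7 and 0B) and the step done by hand
above: overwriting the four computed positions (offsets 10, 12, 13 and 14, the o's in
MRE-xxx-xxo-ooo) of an accepted probe serial with the four characters read off the
comparison at 401323. The function names and the probe serial are my own choices for the
example, the "1500" value comes from the diagram above, and the calculation itself is not
reproduced, since the tutorial does not spell it out.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the tutorial or from XLMSoft.  Offsets are
 * 0-based positions in the serial buffer, matching [EDI+xx] above. */

#define MRE_SERIAL_LEN 15             /* CMP EAX, 0F after lstrlen          */

/* Returns 1 when the serial passes every format check on the way to the
 * calculation routine (the path through 401178 / 40118E), 0 when the
 * program would show its "wrong format" message instead. */
int mre_format_ok(const char *serial)
{
    if (serial == NULL || strlen(serial) != (size_t)MRE_SERIAL_LEN)
        return 0;                     /* wrong length                         */
    if (serial[0] != 0x4D)            /* CMP BYTE PTR [EDI],    4D  ('M')     */
        return 0;
    if (serial[1] != 0x52)            /* CMP BYTE PTR [EDI+01], 52  ('R')     */
        return 0;
    if (serial[2] != 0x45)            /* CMP BYTE PTR [EDI+02], 45  ('E')     */
        return 0;
    if (serial[3] != 0x2D || serial[7] != 0x2D || serial[11] != 0x2D)
        return 0;                     /* '-' at [EDI+03], [EDI+07], [EDI+0B]  */
    return 1;
}

/* Offsets of the five free digits (x) and the four computed digits (o)
 * in the layout MRE-xxx-xxo-ooo described in the text. */
static const int MRE_FREE_POS[5]     = {4, 5, 6, 8, 9};
static const int MRE_COMPUTED_POS[4] = {10, 12, 13, 14};

/* Copies the five free digits of a well-formed serial into out
 * (NUL-terminated, needs 6 bytes).  Returns 0 on bad format. */
int mre_free_digits(const char *serial, char out[6])
{
    int i;
    if (!mre_format_ok(serial))
        return 0;
    for (i = 0; i < 5; i++)
        out[i] = serial[MRE_FREE_POS[i]];
    out[5] = '\0';
    return 1;
}

/* The step done by hand in the tutorial: start from a probe serial the
 * format checks already accept, and overwrite the four computed positions
 * with the four characters the program computed for this name (read off
 * the CMP at 401323).  out needs 16 bytes.  Returns 0 on bad format. */
int mre_splice(const char *probe, const char computed[4], char out[16])
{
    int i;
    if (!mre_format_ok(probe))
        return 0;
    memcpy(out, probe, MRE_SERIAL_LEN);
    out[MRE_SERIAL_LEN] = '\0';
    for (i = 0; i < 4; i++)
        out[MRE_COMPUTED_POS[i]] = computed[i];
    return 1;
}

int main(void)
{
    /* The serials tried in the tutorial, in order. */
    const char *tries[] = {"12121212", "121212121212121",
                           "M21212121212121", "MRE-121-121-121"};
    char serial[16], digits[6];
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-16s format %s\n", tries[i],
               mre_format_ok(tries[i]) ? "ok" : "rejected");

    /* "1500" are the four computed characters shown in the diagram for the
     * name BiSHoP and the probe MRE-121-121-121. */
    if (mre_splice("MRE-121-121-121", "1500", serial)) {
        mre_free_digits(serial, digits);
        printf("spliced serial %s (free digits %s)\n", serial, digits);
    }
    return 0;
}
```

The free digits are the part you may choose; the four computed characters have to be read
from the comparison for each name, so this is a splicer for the procedure above, not a
keygen.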

Extra (mostly useless) info: the name and serial get stored in [C:\Windows\XLMSoft.ini] =P

Final Thoughts

This concludes my eleventh tutorial; I hope you enjoyed it.
Look for my next tutorial soon...

Greetings to...

Pr1mus, Sheep, PhaNt0M, Dvs17, Potsmoke, Thrawn, r00t, abductor, seifer, ManKind, Rheingold,
Lord Anshar, Yado, X-Lock, BuG, Boba Fett, Acid_Cool_178, arachno, Trevil, tantox, SeCOND LiFE,
Elessar and all else who I have forgotten to include here.

Special thanks to lucifer48, defiler, alpine, ACiD BuRN, TSCube, roy, abductor, seifer and
LaZaRuS for their great tutorials, their tutorials are the ones I learned most of my stuff from.

Group Greetz to Hellforge, FHCF, TNO, WCC, EVC, Eclipse, Immortal Descendants.

Find me on IRC channel #Lockless.
E-mail: bishop@lockless.com
www.biteme.com went ByeBye:(

BiSHoP of Lockless Crew :: we fly high ::

 

The end.