Welcome to the wonderful world of cracking.
This tutorial will explain how you can crack Micro Flight or any other game. Have fun!
Cracker: -FlyeRacK-
Date: February 2001
Target: Micro Flight
Toolz: W32Dasm; Soft-Ice; UltraEdit
Difficulty: Medium
NOTE: Fetch the serials for the toolz from any serialz page ;-)
First of all you will have to believe me; cracking is NOT difficult. I learned cracking in a few days. So read on and enjoy the ride :-)
Let's crack! Take the program W32Dasm and disassemble the mf.exe file. (Disassembler-->Open file to disassemble) Make sure to save the file and make a backup of mf.exe! Now click the "String reference data" button. (strn ref) Double click the "Demo Time Expired"" text. This will take you to the place where the string is flushed into the memory. If you double click the text again, it will take you to another place where the text can be found, if there is any. Let's try it. Ah, there is one, and two, and... Fuck, there are about (well very much) references to this string. Now what ?!! :-\ Relax We are very good, aren't we? If a text is flushed into the memory, the code is usually followed by a "messagebox" call. WTF is a "messagebox" call!! Okay, so you do not know anything about cracking. Well that's cool, but it will make it a little bit harder. At the end of this tutorial there is a very simple explanation about ASM code. Maybe it will be of some help. If you want to become a good cracker, I recommend that you download as much "cracking for newbies" tutorials from the net as possible. Just type "cracking tutorials" or "reverse engineering" in a search engine and a world opens :-)
Where was I? Oh yes. So you have to search for the messagebox call in the "imported functions" list. Click the "imp fn" button. Double click the "User32.MessageBoxA" line. You will now land at a place where this function is called. Look at the text above it to see what text will be put into the memory. Double click the line until you reach the "Demo Time Expired bla bla bla" text. You are now in the middle of the time protection scheme and you have bypassed the security of the endless amount of "demo time" strings. Good eh? *cough*...*cough* Now scroll to the top of this function to see where it is called. Shit... It is not called at all. You just see some jump references and above that there is a "ret" code. This is kind of rare, so lets see what happens here when the program is running. Set a breakpoint in softice at memory 00423E1B who who whoooo wait on... WTF are you brabbling about ?!! Well, if you don't understand what I am talking about, again I suggest you read some "cracking for beginners" tutorials from the web. Okay, so first start mf.exe At the intro screen load up softice (ctrl D). You have to start the flightsim first because all the memory locations have to be created, otherwise the breakpoints will not work :-( Type bpm 00423E1B x Run the flightsim. Wham! Soft-Ice pops up. Press F10 to "single step" through the code, and see what happens every time a line of code is executed. You will see this code: (if you do not see the hex code, just type code on in softice.
00423E1B 33DB xor ebx, ebx <--you will land here
00423E1D 8B0D482D4400 mov ecx, dword ptr [00442D48]
00423E23 A1542D4400 mov eax, dword ptr [00442D54]
00423E28 3BC8 cmp ecx, eax
00423E2A 0F8E9CFEFFFF jle 00423CCC <--you will jump back here
00423E30 6A01 push 00000001
00423E32 E8C932FEFF call 00407100
00423E37 A1B4E04900 mov eax, dword ptr [0049E0B4]
00423E3C 83C404 add esp, 00000004
Right. So if you execute jle 00423CCC then the code takes you back to another place, but we're in the neighbourhood of the time protection code and right now we are taken back to another place. Why? Well, that's simple. The time's not up yet, so the time-limit code is not needed. Let's examine what happens if the jump is not taken. If the white line is over jle 00423CCC , then press a and then:
nop (enter)
nop (enter)
nop (enter)
nop (enter)
nop (enter)
nop (enter)
(enter)
This will disable the entire jle 00423CCC function and the jump will not be taken. Now press F10 a couple of times and see what happens. Cool! The time-up message is displayed. We are close, can't you feel it :-) Of course we don't want this to happen every time we start the game, but lucky you, softice will leave the real code in the file alone so the next time you start up the game, all is back to normal. A little review: if the jump at 00423E2A is taken, everything is normal; if this jump is not taken, the time-up message is displayed. We never ever want the message be displayed, so the jump has to be taken always. Let's realise this. Repeat the whole procedure in softice and instead of nopping out the jle, change it to jmp. If the white line is at "00423E2A 0F8E9CFEFFFF jle 00423CCC" type a and type:
jmp 00423CCC (enter)
nop (enter)
(enter)
The nop is because a normal jump function consists of 5 bytes (two numbers or letters is one byte) but the jle 00423CCC function consists of 6 bytes. We can't just change a piece of code and leave the remaining code of that function alone. The program will crash if you do this. Nop, or 90 (in HEX) means "do nothing" by the way. Now type bc* in softice to remove all the breakpoints and run the program. Wait until the time limit is reached. 3..2...1.....Shit @#@$@!$ G*ddamm*t The game is terminated without any message. We only removed the message!! The game contains another protection scheme :-( Now the real cracking begins. I will use "the flag approach" This type of cracking isn't uses that often but it is a very effective strategy.
When time's up, there will be a certain value put into the memory somewhere saying "Bad cracker, your time is up". If we could change this... Always keep in mind two kind of things when you're cracking: "duplicate code" and "multiple references" Duplicate code means that a certain protection scheme is repeated multiple times within the program code. "Multiple references" means that one piece of protection code is called multiple times or is jumped to multiple times. So the holy "flag" location of the "time-up value" can be called multiple times or there can be multiple "time-up value" locations. Fortunately there is only one time-up flag location in mf.exe. It is called multiple times though. How do I know this? Again the piece of protection code:
00423E1B 33DB xor ebx, ebx
00423E1D 8B0D482D4400 mov ecx, dword ptr [00442D48] <--move a value into ecx
00423E23 A1542D4400 mov eax, dword ptr [00442D54] <--move a value into eax
00423E28 3BC8 cmp ecx, eax <--compare ecx and eax
00423E2A 0F8E9CFEFFFF jle 00423CCC <--jump if lower or equal
00423E30 6A01 push 00000001
00423E32 E8C932FEFF call 00407100
00423E37 A1B4E04900 mov eax, dword ptr [0049E0B4]
00423E3C 83C404 add esp, 00000004
So there are certain values moved into the ecx and eax registers (memory locations), before comparing these values and later jumping or not. Whether or not a jump is taken depends on the value of [00442D54] and [00442D48]. One is probably the maximum amount of seconds or minutes, and the other is the passed time so far. Note that [00442D48] is a certain memory location. If the [] signs are not used, 00442D48 is a value. Let's see how many times those two memory locations are called. Enter sofice following the same procedure as before. Type:
bpm ds:00442D48 (enter)
bpm ds:00442D54 (enter)
(If softice breaks, but you can't see your memory address reference anywhere, this is probably because something like [ebp-0C] is used instead of [00442D48]. This doesn't matter for us.
Run the flightsim. Wham! Soft-Ice pops up. Write down the memory address. Press ctrl D to let the program continue. Wham! Wham! Wham! Wham! Hey, I already had this one. Apparently there are only 4 references:
00423E23
004068A9
00409085
004090F1
Do you remember the address 00423E23 ? This one was used for the time-up message. change the jump below 00423E23 as before. See if you can find a jump under each of the 4 addresses, and change it, so that it reverses the jump (jump must become no jump and no jump must become a jump) See what happens. You will notice that one of the jumps has something to do with the "frames per second" counter because if you change this jump, the FPS counter pops up at the top left of the screen. Continue fiddling. Hey something fishy is going on at the jump below 004090F1. If you change the jump below this address, Micro Flight terminates!! Whew, this is probably the second protection scheme. Right, so we have to change the jumps below 004090F1 and 00423E23 to fool the program and make it believe the time is never up. The jumps below 004090F1 and 00423E23 are:
:004090FE 7E06 jle 00409106
and
:00423E2A 0F8E9CFEFFFF jle 00423CCC
The program always has to jump at these places. Back to our buggy OS (windows). Load UltraEdit and open mf.exe in it. Also open mf.exe with W32Dasm . Let's modify the :004090FE 7E06 jle0409106 first. In W32Dasm press "search" and type in 004090FE. Place the line right over this function until it becomes green. Note the "bla bla bla @Offset 000090FEh bla bla" text on the bottom of the screen. Go to the memory address 000090F in UltraEdit. Here you will see this:
000090f0h: 00 8B 15 54 2D 44 00 2B C2 3D E8 0# 00 00 7E 06
In W32Dasm you can see that the HEX code of jle 00409106 is "7E06" We have to change this into an "always jump". Search for the 7E 06 part in the code of UltraEdit. You will see it is located at the end. Change 7E 06 to EB 06 Now we are done with the :004090FE 7E06 jle 00409106 Part. Use the same procedure to locate :00423E2A 0F8E9CFEFFFF jle 00423CCC in UltraEdit. Here you will see this:
00023e20h: 2D 44 00 A1 54 3D 44 00 3B C8 0F 8E 9C FE FF FF
Change "0F 8E 9C FE FF FF" to "E9 9D FE FF FF 90"
Save the file and you just have cracked the time limit of Micro Flight!! That wasn't so hard now, was it?
copyright -FlyeRacK- 2001
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
ASM crash course:
A piece of ASM code (the code generated by W32Dasm, it is a sort of source code) will generally look like this:
* Possible StringData Ref from Data Obj ->"%s Could not load the %s scenery "
->"!"
|
:00401C88 68DCC04300 push 0043C0DC
:00401C8D 681C254400 push 0044251C
:00401C92 E8099E0200 call 0042BAA0
:00401C97 83C410 add esp, 00000010
:00401C9A E801FAFFFF call 00401E60
:00401C9F 5F pop edi
:00401CA0 5E pop esi
:00401CA1 5B pop ebx
:00401CA2 83C47C add esp, 0000007C
:00401CA5 C3 ret
* Referenced by a CALL at Address:
|:00401C9A
:00401E60 53 push ebx
:00401E61 8B5C2408 mov ebx, dword ptr [004418E4]
:00401E65 55 push ebp
:00401E66 56 push esi
:00401E67 8B03 mov eax, dword ptr [ebx]
:00401E69 C3 ret
Please don't be scared by this, it is not as hard as it seems.
"Possible string Ref... bla bla bla-> means this is a piece of text put into the memory. Now what is the rest?
memory address HEX code type ASM code type memory address
:00401C88 68DCC04300 push 0043C0DC
-push means "push something into the memory
-call means "go the the address which is displayed behind it, execute the code there. Wen it reaches the function "ret", then return to the place the call started. If you see something like:
* Reference To: KERNEL32.GlobalAlloc, Ord:0181h
|
:004020EE FF1574814300 Call dword ptr [00438174]
Then a function is called inside an other file. "KERNEL32.dll" in this case. The text behind kernel, which is "GlobalAlloc" in this case, is the type of call or function.
-add esp, 00000010 means "add the number 10 to memory address esp"
-pop means "take a value out of the memory"
-ret means "return to the function which made the call"
-jmp
-je
-jne --> means "jump to the address behind the code (depends on the code above)"
NOTE:
In order to make full use of Soft-Ice, you have to make some changes in winice.dat in the softice directory. Somewhere in this file you will see the following text line:
;EXP=c:\windows\system\kernel32.dll
Just remove the ; sign
copyright -FlyeRacK- 2001
------------------------------------------------------------------------------------------------ and force the conditional jump to allow the game