How to crack Pharaoh  ver 1.0
by  C@LiBuR

About the game

Sierra, the creator of the famous Caesar 3, is back with a new (not so new actually!) empire building simulation: Pharaoh. Hmm... the game is almost like Caesar 3, especially the graphics. However, the game does not let us listen to our favourite CD while playing. Why? Because the game insists on having its own CD in the CD-ROM drive even if we chose a FULL install. Since we have spent our precious money to buy the CD, why can't we modify the game a bit?

Tools you need

1) WinDASM 8.9x
2) Any hex editor; I prefer HIEW.

The project

Step 1: Do a FULL install.
Step 2: Take the CD out of the drive and run Pharaoh. What happened? The game says "please insert the CD". We don't like this, do we? =)
Step 3: Copy the file Pharaoh.exe into another backup folder.
Step 4: Fire up WDASM and disassemble the backup copy of Pharaoh.exe.
Step 5: Click String Data Reference and look for the message that appeared when we ran Pharaoh without the CD. You should remember it.
Step 6: You will see this:

* Referenced by a CALL at Addresses:
|:0040FB73   , :004B7535   , :004B7AD3   , :004B7BE6   , :0051D8EE   <--- called 5 times
|
:004B7A10 83EC64                  sub esp, 00000064
:004B7A13 8D442400                lea eax, dword ptr [esp]

* Possible StringData Ref from Data Obj ->"Please insert your Pharaoh CD." <---the string
                                  |
:004B7A17 68F03C5700              push 00573CF0
:004B7A1C 50                      push eax
:004B7A1D E81D130700              call 00528D3F
:004B7A22 83C408                  add esp, 00000008
:004B7A25 8D4C2400                lea ecx, dword ptr [esp]
:004B7A29 6801000400              push 00040001

* Possible StringData Ref from Data Obj ->"Pharaoh"

Step 7: Let's check the first call. Double right click on 0040FB73 and you will land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040FB8A(C)
|
:0040FB6E 83FE01                  cmp esi, 00000001
:0040FB71 7519                    jne 0040FB8C
:0040FB73 E8987E0A00              call 004B7A10   <-------the call
:0040FB78 8BF0                    mov esi, eax
:0040FB7A 8D4DDC                  lea ecx, dword ptr [ebp-24]
:0040FB7D 51                      push ecx
:0040FB7E E8FDBD0000              call 0041B980
:0040FB83 83C404                  add esp, 00000004
:0040FB86 8BF8                    mov edi, eax
:0040FB88 3BFB                    cmp edi, ebx
:0040FB8A 74E2                    je 0040FB6E   <-----check this out

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040FB71(C)
|
:0040FB8C 3BFB                    cmp edi, ebx
:0040FB8E 7515                    jne 0040FBA5     <-----check this out
:0040FB90 33C0                    xor eax, eax
:0040FB92 8B4DF0                  mov ecx, dword ptr [ebp-10]
:0040FB95 64890D00000000          mov dword ptr fs:[00000000], ecx
:0040FB9C 5F                      pop edi
:0040FB9D 5E                      pop esi
:0040FB9E 5B                      pop ebx
:0040FB9F 8BE5                    mov esp, ebp
:0040FBA1 5D                      pop ebp
:0040FBA2 C21000                  ret 0010

Step 8: Explore both jumps. Nothing interesting in the first one; it only jumps back to the top.
I guess it is used to recheck whether the CD is in.

Step 9: Take a look at the second jump:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040FB41(C), :0040FB8E(C)
|
:0040FBA5 8A55DC                  mov dl, byte ptr [ebp-24]
:0040FBA8 88158A8EDA00            mov byte ptr [00DA8E8A], dl

* Possible StringData Ref from Data Obj ->"Pharaoh_MM.eng"     <-----read file
                                  |
:0040FBAE 68E49E5300              push 00539EE4

* Possible StringData Ref from Data Obj ->"Pharaoh_Text.eng"  <----also read a file...
                                  |
:0040FBB3 68D09E5300              push 00539ED0
:0040FBB8 E893800A00              call 004B7C50
:0040FBBD 83C408                  add esp, 00000008
:0040FBC0 85C0                    test eax, eax
:0040FBC2 7524                    jne 0040FBE8
:0040FBC4 53                      push ebx
:0040FBC5 53                      push ebx

* Possible StringData Ref from Data Obj ->"ERR:Exited Pharaoh, 'Pharaoh_Text.eng' "
                                        ->"or 'Pharaoh_MM.eng' files not "
                                        ->"found or too large."
                                  |
:0040FBC6 68749E5300              push 00539E74
:0040FBCB E8407B0A00              call 004B7710

Aha, this is the jump that we want. When the program reads the file, it means it thinks
the CD is in. So open Pharaoh.exe with the hex editor.

Go to FB8E in hex and force the jump: change 75 to EB. By the way, do you still remember the first jump?
In order to guarantee that the second jump will be taken, we have to make sure the first one is NOPed. Go to FB8A in hex and NOP the jump: replace 74E2 with 9090.
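The branch arithmetic behind steps 7 to 9, as an added example that is my own Python and not part of the original tutorial: it decodes the rel8 jumps and the rel32 call from the raw bytes in the listing and recomputes their targets, so you can check by hand that the je at 0040FB8A really goes back to the top (0040FB6E) and the jne at 0040FB8E goes to 0040FBA5. The image base 0x400000 and the VA-to-file-offset mapping are assumptions, not something the listing states.

```python
import struct

# Assumption: the usual Win32 image base; the listing's addresses (0040FBxx, 004B7Axx) fit it.
IMAGE_BASE = 0x400000

# The one-byte relative-branch opcodes that appear in the W32Dasm listing above.
REL8_OPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}


def decode_branch(va, code):
    """Decode a rel8 je/jne/jmp, a rel32 call (E8) or a nop (90) located at virtual address va.

    Returns (mnemonic, target_va, length); target_va is None for nop. x86 relative branches
    add the signed displacement to the address of the *next* instruction, not to their own.
    """
    op = code[0]
    if op in REL8_OPS:
        disp = struct.unpack("<b", code[1:2])[0]   # signed 8-bit displacement
        return REL8_OPS[op], va + 2 + disp, 2
    if op == 0xE8:
        disp = struct.unpack("<i", code[1:5])[0]   # signed 32-bit little-endian displacement
        return "call", va + 5 + disp, 5
    if op == 0x90:
        return "nop", None, 1
    raise ValueError(f"opcode {op:#04x} is not handled in this example")


def va_to_file_offset(va, image_base=IMAGE_BASE):
    """The mapping the tutorial uses implicitly ("goto FB8E in hex" for VA 0040FB8E).

    Assumption: this only works when the .text section's raw file pointer equals its RVA.
    In general read the PE section table: offset = va - base - VirtualAddress + PointerToRawData.
    """
    return va - image_base


def walk_listing(entries):
    """entries: (va, hex bytes) pairs copied from the listing; returns (va, mnemonic, target)."""
    return [(va, *decode_branch(va, bytes.fromhex(hexbytes))[:2]) for va, hexbytes in entries]


if __name__ == "__main__":
    # Constructed from the listing lines in steps 7 and 9 above.
    listing = [(0x0040FB71, "7519"), (0x0040FB73, "E8987E0A00"),
               (0x0040FB8A, "74E2"), (0x0040FB8E, "7515")]
    for va, mnem, target in walk_listing(listing):
        print(f"{va:08X}  {mnem:4s} {'' if target is None else f'{target:08X}'}"
              f"  (file offset {va_to_file_offset(va):X})")
```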

Step 10: Run Pharaoh. What?! The message box is still there. Now click OK.
Hey, the game works fine after I click OK, so we cracked the game, but we still have to
eradicate the annoying message box, right? Click String Data Reference and double click
"Please insert..." and you will see this again:

* Referenced by a CALL at Addresses:
|:0040FB73   , :004B7535   , :004B7AD3   , :004B7BE6   , :0051D8EE
|
:004B7A10 83EC64                  sub esp, 00000064
:004B7A13 8D442400                lea eax, dword ptr [esp]

* Possible StringData Ref from Data Obj ->"Please insert your Pharaoh CD."
                                  |
:004B7A17 68F03C5700              push 00573CF0
:004B7A1C 50                      push eax
:004B7A1D E81D130700              call 00528D3F
:004B7A22 83C408                  add esp, 00000008
:004B7A25 8D4C2400                lea ecx, dword ptr [esp]
:004B7A29 6801000400              push 00040001  <-----transfer them here....

* Possible StringData Ref from Data Obj ->"Pharaoh"
                                  |
:004B7A2E 68E83C5700              push 00573CE8
:004B7A33 51                      push ecx
:004B7A34 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:004B7A36 FF15EC315300            Call dword ptr [005331EC]
:004B7A3C 83C464                  add esp, 00000064   <------transfer this
:004B7A3F C3                      ret   <----------------------------transfer this

Now what can we do here? Now you need some knowledge about Windows functions.
The MessageBoxA function needs a few arguments PUSHed onto the stack before you can call it; here you can see FOUR PUSHes before the call. In order to eliminate the box,
you have to skip the PUSHes and the CALL. You can't just skip the CALL alone, because that will crash the game: MessageBoxA is a stdcall function that pops its own four arguments before it returns, so if only the call is skipped those 16 bytes stay on the stack and the add esp, 64 and ret that follow return to the wrong address. So now we have to transfer the last two instructions at addresses 004B7A3C and 004B7A3F to address 004B7A29.
To do this, go to address B7A29 in hex in your hex editor and overwrite the code by typing
83C464C3. As you transfer the code, you might notice that the code at the addresses below the one you are editing has changed. Don't worry about this: the RET will prevent those
messed-up bytes from being executed.

Now run Pharaoh. Yippee, you should have successfully cracked the game. You can now enjoy listening to your favourite CD while playing the game.

If you have any comments or criticism, just contact me.

C@LiBuR          luqmanz@pd.jaring.my