Unreal Cracking Tutorial
========================

Difficulty: Easy/Medium

For this tut, you need:

1) Unreal (the game CD);
2) A debugger (I used SoftICE);
3) WDasm 32 (I used WDasm 32 8.93);
4) A hex editor (I used Hiew);
5) A working BRAIN.

Welcome to this cracking tutorial. Today I'll show you how to crack Unreal, a good shooting game.

First, install the game with the full installation, take the CD out and try to run the game... what happens? A messagebox asks you to insert the game CD. But you DON'T want to, do you? Well, the only thing to do is kick the CD CHECK's butt.

Make a backup copy of the file UNREAL.EXE called 1.EXE, run WDasm, disassemble the file 1.EXE and minimize it. Now fire up SoftICE with CTRL-D and set a breakpoint on the API function MessageBoxA by typing:

    BPX MESSAGEBOXA

Return to Windows by pressing F5 and double-click the file UNREAL.EXE: when SoftICE pops up for the first time, press F11 to go back to the game, and when you get the messagebox asking for the CD, press CANCEL.
SoftICE will pop up again and you will see this piece of code:

    * Reference To: USER32.MessageBoxA, Ord:0195h
    |
    :004020E7 FF15FC514000   Call dword ptr [004051FC]
    :004020ED 83F802         cmp eax, 00000002               <------- YOU ARE HERE
    :004020F0 759F           jne 00402091                    <------- IF YOU PRESS OK, THIS JUMP IS TRUE
    :004020F2 A114514000     mov eax, dword ptr [00405114]
    :004020F7 6A00           push 00000000
    :004020F9 C70001000000   mov dword ptr [eax], 00000001

Now step a little with F10 until you go back to the Windows messagebox: press OK and SoftICE will pop up again. Keep pressing F10 until you reach this point, and don't exit SoftICE yet:

    :00402091 A1E8504000     mov eax, dword ptr [004050E8]
    :00402096 833800         cmp dword ptr [eax], 00000000
    :00402099 756C           jne 00402107                    <------------|
                                                                          |
    * Reference To: Core.?GIsClient@@3HA, Ord:0189h                       |
    |                                                                     |
    :0040209B 8B0DEC504000   mov ecx, dword ptr [004050EC]                |
    :004020A1 833900         cmp dword ptr [ecx], 00000000                |
    :004020A4 7461           je 00402107                     <------------|
    :004020A6 8D9518F8FFFF   lea edx, dword ptr [ebp+FFFFF818]            | THREE STRANGE JUMPS
    :004020AC 52             push edx                                     | THEY ALL GO TO 00402107
                                                                          |
    * Reference To: Core.?appFSize@@YAHPBD@Z, Ord:0311h                   |
    |                                                                     |
    :004020AD FF1534514000   Call dword ptr [00405134]                    |
    :004020B3 83C404         add esp, 00000004                            |
    :004020B6 85C0           test eax, eax                                |
    :004020B8 7F4D           jg 00402107                     <------------|
    :004020BA 6A00           push 00000000

    * Possible StringData Ref from Data Obj ->"Window"       <------------|
    |                                                                     |
    :004020BC 68DC804000     push 004080DC                                |
                                                                          |
    * Possible StringData Ref from Data Obj ->"InsertCdTitle" <-----------|
    |                                                                     |
    :004020C1 68E4814000     push 004081E4                                |
    :004020C6 FFD7           call edi                                     |
    :004020C8 83C40C         add esp, 0000000C                            |
    :004020CB 8BF0           mov esi, eax                                 | THIS PROCEDURE CALLS THE
    :004020CD 6A00           push 00000000                                | MESSAGEBOX
                                                                          |
    * Possible StringData Ref from Data Obj ->"Window"       <------------| YOU CAN SEE THE STRINGS
    |                                                                     | POINTED BY THE ARROWS IN
    :004020CF 68DC804000     push 004080DC                                | WDASM, WHEN YOU DISASM
                                                                          | THE FILE UNREAL.EXE
    * Possible StringData Ref from Data Obj ->"InsertCdText" <------------|
    |                                                                     |
    :004020D4 68D4814000     push 004081D4                                |
    :004020D9 FFD7           call edi                                     |
    :004020DB 83C40C         add esp, 0000000C                            |
    :004020DE 6801200000     push 00002001                                |
    :004020E3 56             push esi                                     |
    :004020E4 50             push eax                                     |
    :004020E5 6A00           push 00000000                                |
                                                                          |
    * Reference To: USER32.MessageBoxA, Ord:0195h            <------------|
    |
    :004020E7 FF15FC514000   Call dword ptr [004051FC]
    :004020ED 83F802         cmp eax, 00000002
    :004020F0 759F           jne 00402091
    :004020F2 A114514000     mov eax, dword ptr [00405114]
    :004020F7 6A00           push 00000000
    :004020F9 C70001000000   mov dword ptr [eax], 00000001

    * Reference To: KERNEL32.ExitProcess, Ord:006Bh
    |
    :004020FF FF157C514000   Call dword ptr [0040517C]
    :00402105 EB8A           jmp 00402091                    <------------ THE CD CHECK AGAIN

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:00402099(C), :004020A4(C), :004020B8(C)
    |
    :00402107 8D4DC4         lea ecx, dword ptr [ebp-3C]     <-----|
    :0040210A 6A00           push 00000000                   <-----| THE GAME IS RUN
    :0040210C 51             push ecx                        <-----|

Now you have seen how the CD CHECK is executed... but before it you can see three CONDITIONAL JUMPS to 00402107, where the game is run. Which one of them must be turned into an UNCONDITIONAL JUMP to fuck the CD CHECK and make the game run with NO CD??? Simple... using SoftICE you can find out which JUMP is the right one to change: type BD* and BC* to disable and clear all the breakpoints set so far, then type:

    BPX 402096

and press F5. Close the messagebox, insert the game CD - YOU DO HAVE IT, DON'T YOU? - (no matter if original or burned) and double-click UNREAL.EXE again. SoftICE will break at address 00402096. Now, with the CD in the drive, we can see which JUMP has to be changed into an unconditional jump. After stepping with F10 through the three jumps, we realize that we must turn the third conditional jump (jg 00402107) into an unconditional jump (jmp 00402107). While still in SoftICE, type BD* and BC*, and then press F5.
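As an added example (not part of ShadowMan's tutorial), the Python below checks the arithmetic behind the listing above. An x86 short jump (Jcc rel8 or JMP rel8) is two bytes, an opcode plus a signed 8-bit displacement counted from the address of the next instruction, which is why the jumps at 00402099, 004020A4 and 004020B8 all land on 00402107 and why changing the opcode byte alone leaves the destination untouched. The same block maps the virtual address 004020B8 to the file offset 14B8 that WDasm reports, and shows the defender's side: with a known-good copy of the check's bytes, a one-byte change at that address is trivial to detect. Everything in it is my own (decode_short_jump, va_to_file_offset, jump_targets, cd_check_tampered, the constants, the constructed byte strings); the section layout used for the offset calculation (image base 00400000, .text at RVA 1000 starting at raw offset 400) is an assumption, chosen because it is the usual layout and reproduces the tutorial's 14B8.

```python
# Added example, not part of ShadowMan's tutorial.
# x86 short jumps (Jcc rel8 and JMP rel8) are two bytes: an opcode followed
# by a signed 8-bit displacement counted from the address of the NEXT
# instruction.  The functions below decode the jumps in the listing, convert
# a virtual address to a file offset, and flag a tampered CD-check jump.

IMAGE_BASE = 0x00400000    # default PE image base (assumption)
TEXT_SECTION_VA = 0x1000   # .text VirtualAddress and PointerToRawData are
TEXT_SECTION_RAW = 0x400   # assumed: the usual layout, and it yields 14B8

# Subset of short-jump opcodes that appear in the listing.
SHORT_JUMP_OPCODES = {0x74: "je", 0x75: "jne", 0x7F: "jg", 0xEB: "jmp"}


def decode_short_jump(va, code):
    """Decode the two-byte short jump at virtual address `va`.

    Returns (mnemonic, target_va); raises ValueError for anything else.
    """
    if len(code) < 2 or code[0] not in SHORT_JUMP_OPCODES:
        raise ValueError("no supported short jump at %08X" % va)
    rel8 = int.from_bytes(code[1:2], "little", signed=True)
    next_ip = va + 2                      # displacement is relative to here
    return SHORT_JUMP_OPCODES[code[0]], (next_ip + rel8) & 0xFFFFFFFF


def va_to_file_offset(va):
    """Map a virtual address inside .text to a raw file offset."""
    rva = va - IMAGE_BASE
    return rva - TEXT_SECTION_VA + TEXT_SECTION_RAW


# Constructed from the listing: the five short jumps around the CD check.
LISTING_JUMPS = {
    0x00402099: bytes.fromhex("756C"),   # jne 00402107
    0x004020A4: bytes.fromhex("7461"),   # je  00402107
    0x004020B8: bytes.fromhex("7F4D"),   # jg  00402107
    0x004020F0: bytes.fromhex("759F"),   # jne 00402091
    0x00402105: bytes.fromhex("EB8A"),   # jmp 00402091
}


def jump_targets():
    """Return {va: (mnemonic, target)} for every jump in LISTING_JUMPS."""
    return {va: decode_short_jump(va, code) for va, code in LISTING_JUMPS.items()}


# Defender's side: with a known-good copy of the check, a one-byte change
# at 004020B8 is trivial to spot.  Bytes of `test eax,eax` / `jg 00402107`.
EXPECTED_CD_CHECK = bytes.fromhex("85C07F4D")
CD_CHECK_VA = 0x004020B6


def cd_check_tampered(code_region, region_va):
    """True if the bytes at 004020B6 inside `code_region` differ from the original."""
    start = CD_CHECK_VA - region_va
    if start < 0 or start + len(EXPECTED_CD_CHECK) > len(code_region):
        raise ValueError("region does not cover the CD check")
    return code_region[start:start + len(EXPECTED_CD_CHECK)] != EXPECTED_CD_CHECK


if __name__ == "__main__":
    for va, (mnemonic, target) in sorted(jump_targets().items()):
        print("%08X  %-4s %08X" % (va, mnemonic, target))
    print("file offset of 004020B8: %X" % va_to_file_offset(0x004020B8))
    # Constructed regions: the original bytes and a copy with 7F -> EB.
    original = bytes.fromhex("85C07F4D6A00")
    patched = bytes.fromhex("85C0EB4D6A00")
    print("original tampered?", cd_check_tampered(original, CD_CHECK_VA))
    print("patched tampered? ", cd_check_tampered(patched, CD_CHECK_VA))
```

Run it as a script and the five jumps print with their decoded targets, the offset comes out as 14B8, and the integrity check reports False for the original bytes and True for the copy whose 7F has become EB. A real integrity check would cover the whole code section (or a hash of it) rather than four bytes, but the principle is the same: the patch changes bytes, and bytes can be compared.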
Enlarge the WDasm window and place the cursor over the address 004020B8: in the lower part of the screen you can see the file offset of that address. Start Hiew and open the file UNREAL.EXE: press F4, select DECODE and press ENTER. Then press F5, type the offset you read before (14B8) and press ENTER. Press F3, type EB, press F9 to save and F10 to exit.

Here's what we've just done: we turned

    7F4D    jg  00402107

into

    EB4D    jmp 00402107

EB is the opcode of the short UNCONDITIONAL JUMP; the displacement byte 4D is untouched, so the jump still lands on 00402107.

Now take the CD out, close WDasm and double-click UNREAL.EXE: even if it takes a while to load, you can actually play without the game CD. This game was not too hard to crack.

*************************************************************************************************
NOTE: THIS TUTORIAL IS FOR EDUCATIONAL PURPOSES ONLY. YOU ARE USING IT AT YOUR OWN RISK AS NO WARRANTY IS PROVIDED WITH THIS FILE. AND REMEMBER: THE CRACK THAT COMES WITH THIS PACKAGE WAS INTENDED TO HELP YOU TO PLAY BETTER - AS CDROM ACCESS CAN SLOW DOWN YOUR MACHINE - NOT TO GIVE YOU A FREE COPY OF THE GAME. IF YOU LIKE A PIECE OF SOFTWARE, THEN BUY IT: GOOD SOFTWARE DESIGNERS DESERVE YOUR SUPPORT.
*************************************************************************************************

Si Vis Pacem, Para Bellum.

Seeya in the next tut.

----====( ShadowMan )====----
- 13 April 2001 -