TUTORIAL NUMBA 1
~~~~~~~~~~~~~~~~

Date:     04/14/2000
App/Game: Soldier of Fortune V1.03 UK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hiyah and welcome to my first tut! Don't start laughing if you read it, I'm still new at cracking ;). K! Let's start with a kind of toc:

  1.) Kinda preface ;)
  2.) Tools
  3.) Attack the check *g*
  4.) Final words

1.) K! This tut is about the UK version of Soldier of Fortune and it's my first cracked cd-check, so don't laugh! Search and destroy the cd-check, cause we want to play without a cd in da drive ;). There's only a check for the right cd; no encrypters or packers were used (my luck, else there wouldn't be a tut now ;) ). K, that's all for now, on to the tools.

2.) The used tools are:

  SoftIce 4.0 (or another version)
  W32Dasm 8.93
  A hex-editor (I'll use WinHex 8.8 for searchin and Hackers View to change asm code)
  Sof installed
  Pen & Paper
  Some Time

Goto http://protools.cjb.net, you'll find them there I think (except sof, pen, paper and time ;) ).

3.) I think you already installed da game, if not do it now. K, start the game and play it; if you have the original CD in da drive it'll run. If you've copied it and ripped something because you didn't want to use an 80 min CD, it'll not run anymore (hehe). That's the check for the original cd (of course). If you take a look at the CD you'll see that there are two tracks on it: the first one is a data track and the second one is an audio track. The audio track is just a fool; if you listen to it you'll hear some, hmm.. dunno what to call this, but it's no music. So why not rip it and use a 74 min CD? The CD check looks for the audio track and I think it checks whether it still starts at the right sectors or something like that. So now we know that there's no real music and we don't need it. Now exit the game if you're still playing. Take the cd out of the drive and start again.
It runs, but start playing: after some time loading, after 4 or 5 bullets, it says "Won Error, Please insert the original CD and try again". K, what to do now? Crack it of course. Fire up SoftIce and set a breakpoint on GetDriveTypeA (bpx getdrivetypea). Try playin again, SI pops up at the 4th or 5th bullet and you'll see somethin like that:

  0177:BFF7791B 57           PUSH EDI                <= Here we're
  0177:BFF7791B 6A21         PUSH 21
  0177:BFF7791B 2BD2         SUB EDX, EDX
  0177:BFF7791B 681F19FABF   PUSH BFFA191F
  0177:BFF7791B 64FF32       PUSH DWORD PTR : [EDX]
  0177:BFF7791B 648922       MOV FS : [EDX], ESP
  0177:BFF7791B 8B7C2414     MOV EDI [ESP + 14]
  0177:BFF7791B 0BFF         OR EDI, EDI

Don't ya? Then you did somethin wrong I think ;) So now we look how often SI pops up if you press F5, and write it down! 1,2,3...,26 and "Won Error ... blah blah". K, now we know that SI pops up 26 times until the error msg comes. Start again and let SI pop up 26 times, so now it should look like this:

  0177:BFF7791B 57           PUSH EDI                <= Here we're
  0177:BFF7791B 6A21         PUSH 21
  0177:BFF7791B 2BD2         SUB EDX, EDX
  0177:BFF7791B 681F19FABF   PUSH BFFA191F
  0177:BFF7791B 64FF32       PUSH DWORD PTR : [EDX]
  0177:BFF7791B 648922       MOV FS : [EDX], ESP
  0177:BFF7791B 8B7C2414     MOV EDI [ESP + 14]
  0177:BFF7791B 0BFF         OR EDI, EDI

Hey, the same as above ;). If you looked at the code every time you pressed F5 you recognized that the code is the same every time. So now we still don't know where it checks the CD. But look at the bottom of your code window, there is a module name, "KERNEL32!_FREQASM+6916", but we need to be in sof.exe. What to do? Let's press F12 one time, and ta ta, we're in sof.exe (SOF!.text+0006AEC9) and it should look like so:

  0177:2006BECB 83F805       CMP EAX, EAX            <== Here we're!
  0177:2006BECE 0F85CF000000 JNZ 2006BFA3
  0177:2006BED4 33C0         XOR EAX, EAX
  0177:2006BED6 8A4C2440     MOV CL, [ESP + 40]
  0177:2006BEDA 89442414     MOV [ESP + 14], EAX
  0177:2006BEDE 8D542430     LEA EDX, [ESP + 30]
  0177:2006BEE2 89442418     MOV [ESP + 18], EAX
  0177:2006BEE6 884C2430     MOV [ESP + 30], CL
  0177:2006BEEA 8944241C     MOV [ESP + 1C], EAX

That's enough to know where you should be ;) Now press F10 until you see this:

  0177:2006BFB8 33C0         XOR EAX, EAX
  0177:2006BFBA 5B           POP EBX
  0177:2006BFBB 81C434050000 ADD ESP, 00000534
  0177:2006BFC1 C3           RET                     <== Return out of the call we're in
  0177:2006BFC2 5F           POP EDI
  0177:2006BFC3 5E           POP ESI
  0177:2006BFC4 5D           POP EBP
  0177:2006BFC5 B801000000   MOV EAX, 00000001
  0177:2006BFCA 5B           POP EBX
  0177:2006BFCB 81C434050000 ADD ESP, 00000534

For your help: it should be 13 times. On the "RET" (Return) you get straight outta the call, the call we're right in now. So step over it and wow, a whole new section ;). Now it should look like this here:

  0177:2000B10A 8BF0         MOV ESI, EAX
  0177:2000B10C 892D58022E20 MOV [202E0258], EBP
  0177:2000B112 E8990B0600   CALL 2006BCB0           <== Our call!
  0177:2000B117 89442414     MOV [ESP + 14], EAX     <== Now we're here
  0177:2000B11B 6A02         PUSH 02
  0177:2000B11D DB442418     FILD DWORD PTR [ESP + 18]
  0177:2000B121 DC0D08F71720 FMUL REAL8 PTR [2017F708]
  0177:2000B127 D91D70712520 FSTP REAL4 PTR [20257170]
  0177:2000B12D E88EA30100   CALL 200254C0
  0177:2000B132 D90570712520 FLD REAL4 PTR [20257170]

and so on. So now write down the code from "8BF0" to "6A02" and disable all breakpoints (bd *). Shut the game down and fire up WDasm. Load sof.exe and do somethin useful while it loads. An hour later it's disassembled; now fire up your hexeditor, in my case WinHex, and search for the hex values you've written down. Found it, k! The call starts at the offset "0000B112". Now shut WinHex down and go to WDasm. Press "Go to start code" (it's the 5th button, read from left to right).
There's the first address, 20001000. If you double-click on it so it's highlighted, WDasm tells you at the bottom of the program window where the offset of this line is: it's 00001000, so logically the offset "0000B112" should be called "2000B112". So click on "Go to code location" (it's the 8th button, read left to right), type "2000B112" and hey, that's the call we were in just a min ago. With the call highlighted you can execute the call in WDasm by pressin the "Call" button (the 11th button). After you've executed it you're on line "2006BCB0". Here the call is doin some stuff, and I think if you moved the value "1" into eax here, that value would be present at the check; and if we want sof to think the cd is in da drive we need the value "1" in eax. But there's a "SUB ESP, 00000534", so now we can do 3 things. The first two are nearly the same: change the code so that it moves "1" into eax. The other one is that we look from where this procedure was called and try "noping" the calls out. So let's try out which one will work so that you need no cd.

First make a copy of your sof.exe and call it whatever u want. Then look at what we have on the line 2006BCB0, it's 81EC34050000. So fire up Hackers View and open your copy! of sof.exe, now press F4 (mode) and change to "Decode", now "goto" (F5) to ".2006BCB0" and it should look like this:

  .2006BCAE: 59               POP ECX
  .2006BCAF: C3               RETN
  .2006BCB0: 81EC34050000     SUB ESP,000000534      <= We're here
  .2006BCB6: 53               PUSH EBX

Now press F3 (edit) and then F2 (asm) and change the "SUB ESP,000000534" into "MOV EAX, 00000001" (move the value "1" into eax). Then the next line changes automatically into "005355 ADD [EBX] [00055], DL"; change this into "RET". Now press escape and then F9 (update), then exit HView. Before you try running it, exit WDasm, rename the original sof.exe to any other name and rename your cracked file to sof.exe, then take the cd out of your drive and start. If you did everything I said before it should run now.
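As an added example that is not part of the tutorial, here is the address-to-offset arithmetic the author does by hand with WDasm, plus a decode of the 5-byte CALL at 2000B112 to confirm it really targets 2006BCB0 and to flag the site once its CALL bytes have been swapped for NOPs, which is exactly the kind of self-check a protection's integrity routine runs over its own call sites. The image base 0x20000000 and the .text mapping follow from the tutorial's 00001000 <-> 20001000 pair; the section size and the NOPed sample bytes are assumptions constructed here.

```python
import struct

# From the tutorial: sof.exe is loaded at image base 0x20000000 and WDasm shows
# file offset 00001000 at address 20001000, so .text maps RVA 0x1000 to raw
# offset 0x1000. The section size below is an assumption, not from the page.
IMAGE_BASE = 0x20000000
SECTIONS = [  # (VirtualAddress, VirtualSize, PointerToRawData) as in a PE section header
    (0x1000, 0x180000, 0x1000),
]


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address (as SoftIce/WDasm show it) to the file offset a hex editor needs."""
    rva = va - image_base
    for vaddr, vsize, raw in sections:
        if vaddr <= rva < vaddr + vsize:
            return rva - vaddr + raw
    raise ValueError(f"{va:#x} is not inside any mapped section")


def call_target(site_va, code):
    """Decode an E8 rel32 near call at site_va; return its absolute target, or None if not a CALL."""
    if len(code) < 5 or code[0] != 0xE8:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]          # rel32 is signed, relative to next insn
    return (site_va + 5 + rel) & 0xFFFFFFFF


def check_call_sites(sites, expected_target):
    """Per call site, True if the bytes still form a CALL to expected_target, else False."""
    return {va: call_target(va, code) == expected_target for va, code in sites.items()}


# Constructed sample: the CALL encoding quoted in the tutorial's SoftIce listing,
# and the same site after the bytes have been overwritten with five NOPs (assumed).
ORIGINAL = {0x2000B112: bytes.fromhex("E8990B0600")}
NOPED = {0x2000B112: bytes.fromhex("9090909090")}

if __name__ == "__main__":
    print(hex(va_to_file_offset(0x2000B112)))       # 0xb112, the offset the tutorial finds
    print(hex(va_to_file_offset(0x2006BCB0)))       # 0x6bcb0, where the called routine sits on disk
    print(check_call_sites(ORIGINAL, 0x2006BCB0))   # {0x2000b112: True}
    print(check_call_sites(NOPED, 0x2006BCB0))      # {0x2000b112: False}
```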
The other way to move "1" into eax would be to change ".2006BCB0: 81EC34050000 SUB ESP,000000534" into "XOR EAX, EAX" to delete everything in the register; then the next line would automatically be called "XOR AL, 005", change it into "INC EAX" (increment eax), which will add the value "1" to the register; then the next line would be "ADD EAX, 055530000", change it into "RET" to return back out of the call, and the next two lines you change into "NOP". Then it should work too. Both ways work fine as I tested it. Now the last way, noping out the calls. Back in WDasm on the line "2006BCB0" you see the "SUB ESP,000000534", and if you look one line above it you see from where this procedure was called:

  Referenced by a CALL at Addresses:
  | :2000AF0C , :2000AFC6 , :2000B112

Now press the button "goto code location" and type these addresses in there, write the offsets down, they're "0000AF0C, 0000AFC6, 0000B112". Now open another copy of your original sof.exe with your hexeditor and goto these locations, change the first one, E89F0D0600, into 9090909090, do the same with the other calls and save the file. Change the name to sof.exe and start the game. Hey, it worx too. So choose the way to crack this game on your own, they all work.

4.) That wasn't so difficult eh? Naw, that was easy. If every protection would be so easy..., reading more tuts will help a bit for learning the other protections too!

Greetin's: Of course yAtEs, thx for a lot of help, t.u.g and for answering my stupid questions, tKC for his tuts, gizmo for the crackme tip, eax, anticmos40, _tARG0N, sat0r, all the tut writers, all I forgot and u ;)

Any requests to: tha_godfatha@hotmail.com

Cya maybe in da next tut :)

Tha Godfatha