---------------------------------------------------------------------------
Cracking Tutorial #9: CrAcKiNG Freecell for Win2k and WinXP

[cracked bY:]  sLeEpY [FWA/NWA/FTPR8Z] iN 02/2002
[difficulty:]  beginner
[where:]       On your Wintendo Entertainment System
---------------------------------------------------------------------------

tOOLz:  w32dasm
        Hiew or hex editor of your choice...
        filemon          - optional
        resource hacker  - optional

YOYO, ok this is a 2 part tutorial on FREECELL. Why? Because everyone can usually find Freecell on their hard drive (Windoze users anyway). The first part covers Freecell for Windows 2000 (mine is Server, but I think the games are the same on all of them). I noticed that the Windoze 2000 and WinXP Freecell games are a little different, so I did a double tutorial, I suppose. The second part will be on WindozeXP Freecell.

What is going to happen is we are going to change the code in the game so that we don't have to hear our girlfriends or wives complaining about losing. Basically, after the modifications you can put any card anywhere in the game, making it impossible to lose. (YES, you can automatically win the game by pressing ctrl+shift+F10 all at the same time, but we want to learn and move cards around and stuff.)
---------------------------------------------------------------------------
[PART1]

Ok here we go, get your favorite drink and a smoke if you smoke.

Make the usual 3 copies of freecell: freecell.exe, freecell.W32, freecell.BAK

Start freecell and write down the error message you get when you try to put a card where it doesn't belong ("That move is not allowed").

Disassemble freecell.W32 with W32dasm and click the string references button. Look through the string references until you find "That move is not allowed", because that's the error you get when you put a card in a spot it isn't allowed to go in. Double click it and it drops us here:

  "* Possible Reference to String Resource ID=00306: "That move is not allowed""

Let me open up the code around it so you can see what's going on. (For time and typing sake, whenever there is just ":" there is usually some code there that isn't needed, so I just don't type it.)

---------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0100495F(U)                      <---here is the jump that brought us here, go find it...(1)
* Reference To: USER32.LoadStringW, Ord:01B0h
:
:
* Possible Reference to String Resource ID=00301: "FreeCell"
:
:
:010049E1 56                      push esi
* Possible Reference to String Resource ID=00306: "That move is not allowed"
---------------------------------------------------------------------------
:010048C0 (C)                     <--look for this jump that brought us here(2)
:
:01004959 0F84E8000000            je 01004A47
:0100495F EB5B                    jmp 010049BC         <---the jump(1)
---------------------------------------------------------------------------
:010048C0 0F868D000000            jbe 01004953         <--the jump (2)

change the above code to:

:010048C0 90                      nop
:010048C1 90                      nop
:010048C2 90                      nop
:010048C3 90                      nop
:010048C4 90                      nop
:010048C5 90                      nop

why nop?
no-operation. This makes the jump non-existent, so it will never be taken; therefore when we put a card in the wrong spot it won't take that jump to the error msg or compare the cards, it will just work, so you can put cards anywhere because the game thinks it's the correct card!

Why so many nops, you might ask? Well, a general cracking rule is if you replace a line of code you have to replace all of it. Each pair of hex digits is 1 byte; the jbe is one instruction, but that one instruction takes up 6 bytes on the line, so we have to nop out the whole line. So:

  0F 86 8D 00 00 00

has to be:

  90 90 90 90 90 90

else we'll most likely get an error.

Well that takes care of freecell for win2k, now on to XP freecell.

---------------------------------------------------------------------------
[PART2]

Make the usual 3 copies of freecell: freecell.exe, freecell.W32, freecell.BAK

Disassemble freecell.W32 and do a string search for "That move is not allowed".

---------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:01003C37 (U)                     <---trace this back, we were jumped here from this location
:
:unneeded info
:
:01003C9A 57                      push edi
* Possible Reference to String Resource ID=00306: "That move is not allowed"
---------------------------------------------------------------------------
:01003B7C                         <-trace this call back
:blah
:01003C31 0F84BD000000            je 01003CF4          <--no error msg, but not what we want
:01003C37 EB54                    jmp 01003C8D         <--jumps to the badguy
---------------------------------------------------------------------------
:01003B7C 0F86A9000000            jbe 01003C2B         <----AHA! EVIL CODE HERE! [6 bytes]

nop out the jump! (all six bytes)

:01003B7C 90                      nop
:01003B7D 90                      nop
:01003B7E 90                      nop
:01003B7F 90                      nop
:01003B80 90                      nop
:01003B81 90                      nop

OK, cracked! But wait, someone wanted more!
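Before the last patch, an added example that is not part of sLeEpY's tutorial: it decodes the jump encodings quoted in the Part 1 and Part 2 listings (addresses and bytes copied from above) and builds the full-length NOP patch the text applies. The same decoding is what you use when diffing a modified binary against a clean copy to see which branch was removed.

```python
# Added example, not part of the tutorial: decode the relative jumps the
# listings quote and build the same-length NOP patch the text applies.
import struct

NOP = 0x90
# Condition-code suffixes for opcodes 70-7F (rel8) and 0F 80-8F (rel32).
CC = ["o", "no", "b", "ae", "e", "ne", "be", "a",
      "s", "ns", "p", "np", "l", "ge", "le", "g"]

# Jumps copied from the W32Dasm listings above, keyed by virtual address.
LISTED_JUMPS = {
    0x010048C0: bytes.fromhex("0F868D000000"),  # Win2k: jbe 01004953
    0x0100495F: bytes.fromhex("EB5B"),          # Win2k: jmp 010049BC
    0x01003B7C: bytes.fromhex("0F86A9000000"),  # WinXP: jbe 01003C2B
}

def decode_jump(addr, code):
    """Return (mnemonic, target, length) for a relative jmp/jcc at addr.

    Covers EB/E9 (jmp rel8/rel32) and 70-7F / 0F 80-8F (jcc rel8/rel32);
    anything else raises ValueError so a caller never patches blindly.
    """
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:
        name = "jmp" if op == 0xEB else "j" + CC[op - 0x70]
        length, rel = 2, struct.unpack_from("<b", code, 1)[0]
    elif op == 0xE9:
        name, length = "jmp", 5
        rel = struct.unpack_from("<i", code, 1)[0]
    elif op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:
        name, length = "j" + CC[code[1] - 0x80], 6
        rel = struct.unpack_from("<i", code, 2)[0]
    else:
        raise ValueError("not a relative jump: " + code.hex())
    # The displacement is relative to the end of the jump instruction.
    return name, (addr + length + rel) & 0xFFFFFFFF, length

def nop_patch(code):
    """NOPs covering the *whole* instruction: fewer would leave the
    displacement bytes (e.g. 8D 00 00 00) to be executed as code."""
    return bytes([NOP]) * decode_jump(0, code)[2]

def check_listing():
    """Decode every listed jump; returns {addr: (mnemonic, target, patch_len)}."""
    return {a: decode_jump(a, c) for a, c in LISTED_JUMPS.items()}

if __name__ == "__main__":
    for addr, (name, target, n) in check_listing().items():
        print("%08X %-3s %08X -> patch %d x 90" % (addr, name, target, n))
```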
This crack, like the one above, lets you put cards anywhere as long as you are in the bottom section. "I wanna put cards where the aces are supposed to go", she says. Hmm, what about the top area, we still get the error there?... Let's kill that one then, dammit...

---------------------------------------------------------------------------
There is only 1 call to "That move is not allowed"; the other is just a jump that trickles down to it.

So I found this: go back up to where we nopped out :01003B7C, and right above that you will see 3 places where a jump to 01003C39 is executed:

:01003B4E
:01003B57
:01003B69

so follow it and it takes ya here:

:01003C39 FF750C                  push [ebp+0C]
:
:
:01003C4D 85C0                    test eax, eax        <--testing
:01003C4F 742C                    je 01003C7D          <---badguy

The jump at 01003C4F eventually leads to "That move is not allowed", so just nop it out and it will never be taken. So change this:

:01003C4F 742C                    je 01003C7D

to this:

:01003C4F 90                      nop
:01003C50 90                      nop
---------------------------------------------------------------------------

Now the game is fixed so you can move any card anywhere. Hell, I just move 'em all up to the upper right; it doesn't matter what order anymore, as soon as you get 'em all stacked up there you win. The woman can still play by the rules, but she can also cheat when things don't go her way, and you won't have to hear the whining.

[Optional Stuff]

Something extra for ya: you can use a program called "filemon" to see everything the exe you are running calls, which in this case is "cards.dll" in your system dir. You can then open that DLL with the program "resource hacker" to view the contents, which is all the cards and graphics and stuff; modify 'em in paint if you want and save 'em, and the modified cards will appear when you play freecell.

Later all...

---------------------------------------------------------------------------
email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.
[-------------------------------------------------------------------]
[1. Cracking Cosmi's Generic Installshield Protection               ]
[2. CRACKING(?) MATH WORKSHOP 2.0                                   ]
[3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program        ]
[4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program]
[5. CrAcKiNG n)0(va crackme v3 (crazy approach)                     ]
[6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client               ]
[7. CrAcKiNG Actionizer 1.4                                         ]
[8. CrAcKiNG Tag Wizard 4.3.0                                       ]
[9. CrAcKiNG Freecell for Win2k and WinXP                           ]
[-------------------------------------------------------------------]

gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!

---------------------------------------------------------------------------
CopyLeft: sLeEpY [all rights reversed]

Boredom causes crackers and babies.
---------------------------------------------------------------------------