--------------------------
 CD-Check cracking by _cdk_
 ^^^^^^^^^^^^^^^^^^^^^^^^^^

 Target: Star Trek Armada (updated version 1.1)
 Tools: SICE
 Level: 1+1 (the other 1 comes from this messy tute)
 Protection: CD-Checks

 Background:

 Being a big Star Trek fan, and after having read the review in the local computer games
 magazine, I just had to go out and buy this game.. well, surprisingly there was no SafeDisc
 but simple cd-checks:

 I BPX on GetDriveTypeA as usual.. and after pressing F5 a few times to get to the cd-rom
 checking code (see that EAX=5, i.e. DRIVE_CDROM) I find myself here:

 * Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
                                  |
 :004FC715 FF1584EB6B00            Call dword ptr [006BEB84]
 :004FC71B 83F805                  cmp eax, 00000005               <-- is it a CD-ROM drive?
 :004FC71E 0F85BF000000            jne 004FC7E3                    <-- if not, jump
 :004FC724 33C0                    xor eax, eax
 :004FC726 8A8DD4FEFFFF            mov cl, byte ptr [ebp+FFFFFED4] <-- current drive letter
 :004FC72C 8945EC                  mov dword ptr [ebp-14], eax
 :004FC72F 8D55D8                  lea edx, dword ptr [ebp-28]
 :004FC732 8945F0                  mov dword ptr [ebp-10], eax
 :004FC735 884DD8                  mov byte ptr [ebp-28], cl
 :004FC738 8945F4                  mov dword ptr [ebp-0C], eax
 :004FC73B C745F404020000          mov [ebp-0C], 00000204
 :004FC742 8945F8                  mov dword ptr [ebp-08], eax
 :004FC745 C645D93A                mov [ebp-27], 3A
 :004FC749 8945FC                  mov dword ptr [ebp-04], eax
 :004FC74C 8845DA                  mov byte ptr [ebp-26], al
 :004FC74F 8D45EC                  lea eax, dword ptr [ebp-14]
 :004FC752 8975FC                  mov dword ptr [ebp-04], esi
 :004FC755 50                      push eax
 :004FC756 6802330000              push 00003302
 :004FC75B 6803080000              push 00000803
 :004FC760 56                      push esi
 :004FC761 8955F8                  mov dword ptr [ebp-08], edx
 :004FC764 8975EC                  mov dword ptr [ebp-14], esi
 :004FC767 8975F0                  mov dword ptr [ebp-10], esi
 :004FC76A FFD7                    call edi                       <-- Is there a cd in the drive?
 :004FC76C 85C0                    test eax, eax                  <-- if there isn't...
 :004FC76E 7573                    jne 004FC7E3                   <-- ...jump
 :004FC770 8B4DF0                  mov ecx, dword ptr [ebp-10]

 The first check here.. you can patch it easily by NOPing the jump, for example.
 This is of course not obligatory if you have an audio cd or any other cd in the drive.

 :004FC773 68E8030000              push 000003E8
 :004FC778 8D95D4FAFFFF            lea edx, dword ptr [ebp+FFFFFAD4]
 :004FC77E 51                      push ecx
 :004FC77F 52                      push edx
 :004FC780 E88B000000              call 004FC810                  <-- another check
 :004FC785 83C40C                  add esp, 0000000C              <-- if successful, EAX=0
 :004FC788 8BF0                    mov esi, eax
 :004FC78A 8B45F0                  mov eax, dword ptr [ebp-10]
 :004FC78D 6A00                    push 00000000
 :004FC78F 6A02                    push 00000002
 :004FC791 6808080000              push 00000808
 :004FC796 50                      push eax
 :004FC797 FFD7                    call edi                       <-- don't mind this one
 :004FC799 8B4DF0                  mov ecx, dword ptr [ebp-10]
 :004FC79C 6A00                    push 00000000
 :004FC79E 6A00                    push 00000000
 :004FC7A0 6804080000              push 00000804
 :004FC7A5 51                      push ecx
 :004FC7A6 FFD7                    call edi                       <-- check again
 :004FC7A8 85F6                    test esi, esi
 :004FC7AA 7537                    jne 004FC7E3                   <-- jump if wrong cd or no cd
 :004FC7AC 8B95D4FAFFFF            mov edx, dword ptr [ebp+FFFFFAD4]
 :004FC7B2 8B85D4FCFFFF            mov eax, dword ptr [ebp+FFFFFCD4]
 :004FC7B8 3BD0                    cmp edx, eax                   <-- check
 :004FC7BA 7527                    jne 004FC7E3                   <-- jump if wrong cd
 :004FC7BC B802000000              mov eax, 00000002
 :004FC7C1 3BD0                    cmp edx, eax
 :004FC7C3 7E1A                    jle 004FC7DF                   <-- this won't jump
 :004FC7C5 33C9                    xor ecx, ecx

 :004FC7C7 8BB40DDCFAFFFF          mov esi, dword ptr [ebp+ecx-00000524]
 :004FC7CE 3BB40DDCFCFFFF          cmp esi, dword ptr [ebp+ecx-00000324]
 :004FC7D5 7508                    jne 004FC7DF                   <-- this jumps
 :004FC7D7 40                      inc eax
 :004FC7D8 83C104                  add ecx, 00000004
 :004FC7DB 3BC2                    cmp eax, edx
 :004FC7DD 7CE8                    jl 004FC7C7

 :004FC7DF 3BC2                    cmp eax, edx                   <-- final compare
 :004FC7E1 7413                    je 004FC7F6                    <-- jump if successful

 the final compare takes you here:

 :004FC7F6 5F                      pop edi                        <-- remove from
 :004FC7F7 5E                      pop esi                        <-- stack
 
 * Possible Reference to Dialog: DialogID_0001 
                                   |
 :004FC7F8 B801000000              mov eax, 00000001              <-- set successful flag
 :004FC7FD 5B                      pop ebx
 :004FC7FE 8BE5                    mov esp, ebp
 :004FC800 5D                      pop ebp
 :004FC801 C3                      ret                            <-- return from the call

 
 Ok ppl.. that's it.. if you're a newbie and don't know where and how to patch, I'll show
 it now... advanced ppl who read this for fun to see how lame I am can now move to the EOF
 to see if you're in the greetings. If you know you're not, close this file now.

 As we could see there are plenty of checks.. most of them just confirm the previous check, so
 we just set one jump that will save the day so we don't have to patch every spot..
 well, actually we have to patch a few times.. to make sure the check won't fail just in case
 you don't have a cd in the drive.. patch at these locations:

 :004FC76E 7573         jne 004FC7E3
 NOP the jump

 :004FC780 E88B000000   call 004FC810
 change to mov eax,00000000 (B800000000)

 :004FC7AA 7537         jne 004FC7E3
 change to jmp 004FC7E1

 and 

 :004FC7E1 7413         je 004FC7F6
 make it always jmp 4FC7F6
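 Seen from the other side: a publisher's integrity check, or anyone comparing a shipped binary
 against a known-good listing, wants to know whether the bytes at exactly these sites still
 match. The Python script below is an added example, not part of this tute and not the game's
 own code. It parses W32Dasm-style ":ADDRESS BYTES mnemonic" lines (the lines embedded in it
 are copied from the listing above), lays the bytes out as the expected image, reports every
 address where a given image differs, and decodes short-jump targets so the listed opcode bytes
 can be checked against the target the mnemonic claims. The tampered image in the demo is
 constructed in the script itself.

```python
"""Check a code image against a W32Dasm-style listing.

Added example, not part of this tute or the game's own code. It parses
':ADDRESS BYTES mnemonic' lines like the ones above, builds the expected
byte image, and reports every address whose bytes no longer match, which
is how an integrity check (or an analyst diffing a shipped binary against
a known-good one) would spot the four patch sites listed above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ':ADDRESS BYTES mnemonic' as printed by W32Dasm; the tute also writes the
# patched lines as ':ADDRESS: BYTES', so the second colon is optional.
LISTING_RE = re.compile(r"^\s*:([0-9A-Fa-f]{8}):?\s+([0-9A-Fa-f]+)\s+(.*?)\s*$")

# Listing lines copied from the tute (the four patch sites and their neighbours).
LISTING = """\
 :004FC76A FFD7                    call edi                       <-- Is there a cd in the drive?
 :004FC76C 85C0                    test eax, eax
 :004FC76E 7573                    jne 004FC7E3
 :004FC780 E88B000000              call 004FC810                  <-- another check
 :004FC785 83C40C                  add esp, 0000000C
 :004FC7A8 85F6                    test esi, esi
 :004FC7AA 7537                    jne 004FC7E3
 :004FC7DF 3BC2                    cmp eax, edx
 :004FC7E1 7413                    je 004FC7F6
 * Possible Reference to Dialog: DialogID_0001
"""


@dataclass(frozen=True)
class Instr:
    addr: int    # virtual address from the listing
    code: bytes  # opcode bytes from the listing
    text: str    # mnemonic and operands, '<--' annotation stripped


def parse_listing(listing: str) -> List[Instr]:
    """Turn listing text into Instr records; non-instruction lines are skipped."""
    instrs = []
    for line in listing.splitlines():
        m = LISTING_RE.match(line)
        if not m:
            continue  # '* Reference To:' lines, blank lines, prose
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2))
        text = m.group(3).split("<--", 1)[0].strip()
        instrs.append(Instr(addr, code, text))
    return instrs


def expected_image(instrs: List[Instr]) -> Tuple[int, bytearray]:
    """Lay the listed bytes out at their addresses; gaps are left as zero."""
    base = min(i.addr for i in instrs)
    end = max(i.addr + len(i.code) for i in instrs)
    image = bytearray(end - base)
    for i in instrs:
        off = i.addr - base
        image[off:off + len(i.code)] = i.code
    return base, image


def check_image(instrs, image, base) -> List[Tuple[int, bytes, bytes, str]]:
    """Report (addr, expected, actual, mnemonic) for every instruction whose
    bytes in `image` (loaded at `base`) differ from the listing."""
    findings = []
    for i in instrs:
        off = i.addr - base
        actual = bytes(image[off:off + len(i.code)])
        if actual != i.code:
            findings.append((i.addr, i.code, actual, i.text))
    return findings


def short_jump_target(i: Instr) -> Optional[int]:
    """Target of a 2-byte short Jcc (70-7F) or JMP (EB); None for anything else.
    Lets you confirm the listed bytes really go where the mnemonic says."""
    if len(i.code) != 2 or not (0x70 <= i.code[0] <= 0x7F or i.code[0] == 0xEB):
        return None
    rel = int.from_bytes(i.code[1:2], "little", signed=True)
    return (i.addr + 2 + rel) & 0xFFFFFFFF


INSTRS = parse_listing(LISTING)

if __name__ == "__main__":
    base, clean = expected_image(INSTRS)
    # Constructed tampered copy: the first patch the tute describes (NOP the jne).
    tampered = bytearray(clean)
    tampered[0x004FC76E - base:0x004FC770 - base] = b"\x90\x90"
    print("clean image:", check_image(INSTRS, clean, base))
    for addr, exp, act, text in check_image(INSTRS, tampered, base):
        tgt = short_jump_target(Instr(addr, exp, text))
        print(f"{addr:08X} {text!r}: expected {exp.hex()} got {act.hex()}"
              + (f" (short jump to {tgt:08X})" if tgt is not None else ""))
```

 Gaps between listed instructions are zero-filled in the expected image and only the listed
 bytes are ever compared, so a partial listing like this one still gives a usable per-site
 check; a whole-file hash would tell you the binary changed, this tells you which check was
 touched.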

 Hmmh.. four patches.. very messy, don't like this at all.. there's gotta be an easier way

 Heh.. after tracing and tracing I found a much simpler way which I should've figured out
 right in the beginning.. (which I could've found if I had checked the string refs..
 krhm.. :))

 :0043E75B 0F95C0                  setne al
 :0043E75E 84C0                    test al, al
 :0043E760 0F858B000000            jne 0043E7F1                    <-- nasty bastard

 * Possible StringData Ref from Data Obj ->"Please insert Armada CD"
 
 Oh well.. you know what to do.. before I had figured this simple patch out I had done
 a few interesting patches too that let me play this game without the cd..
 I'll show the one I liked :)


----------------------------------------------------------------------------------------------- 

 :004FC76A FFD7                    call edi                       <-- Is there a cd in the drive?
 :004FC76C 85C0                    test eax, eax                  <-- if there isn't
 :004FC76E 7573                    jne 004FC7E3                   <-- jump

 changed to:

 :004FC76A: E987004000             jmp       004FC7F6             <-- jump to where the flag is set to 1


------------------------------------------------------------------------------------------------
 
 HERE:

 :004FC7F6 5F                      pop edi                        <-- remove from
 :004FC7F7 5E                      pop esi                        <-- stack
 
 :004FC7F8 B801000000              mov eax, 00000001              <-- set successful flag
 :004FC7FD 5B                      pop ebx
 :004FC7FE 8BE5                    mov esp, ebp
 :004FC800 5D                      pop ebp
 :004FC801 C3                      ret   


 Changed this to:

 :004FC7F6: B801000000             mov       eax,00000001         <-- set the flag
 :004FC7FB: 68EDC74F00             push      004FC7ED             <-- push the location for ret
 :004FC800: C3                     retn                           <-- return to 4FC7ED


 You still have to change the final check:

 :0043E760 0F858B000000            jne 0043E7F1                  <-- nasty bastard
 
 just make it always jump
 

------------------------------------------------------------------------------------------------

 Alrighty, a pretty messy way to defeat the check.. but something different :)
 But for the easiest way you just make the program always jump at :0043E760
 and you're done. I was stupid coz I didn't figure that out initially.. which I could've done
 easily if I had checked the string refs.. could've defeated the check without SICE even :]

 Final notes:

 Well.. a usual cdcheck that's easy to defeat.. dunno if there are more checks coz I don't care,
 and if there are, I'll leave them for you to disable.

 And I bet lots of ppl wonder if I actually own the games I crack. YES, most of the time I do.
 I admit for a few cracks I used copies, but I buy games like every normal (??) user.
 

 -C_DKnight, c_dknight@iobox.com / c_dknight@hotmail.com

 cdk greets Yates for hosting a great site as the CDChecks and my tutes there :)
 
 http://yates2k.co.uk  for my and others tutes on cdcheck cracking

 AB4DS, r!SC, Dead-Mike, NrOC, WarezPup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], SeKt0r, nchanta,
 Icecream, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, DnNuke, noos, nu, Thesmurf,
 defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackBird, FireWorx,
 SheeP14o, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Miscreant, croc, Br4t, [ViKiNg], N|Te,
 =Metal=, B|aze, Moredhel, Seffren, Speedsta, Rad|cal, [Daze], VisionZ, KaKTuZ, Stilgreen,
 Kwazy Webbit, Falcon, Gandalf plus all my friends at #cracking4newbies and other chans..