Welcome to Cracking Tutorial #28!

Ah, finally! Sorry for the delays, but no modem at my home yet. :-/ For a bonus I'll do 5 versions today (#26, 27, 28, 29, and 30). *HELL!* Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :)

Ok, let's rave!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftIce 3.25
  W32Dasm 8.93
  Hacker's View 6.10
  SmartCheck 6.03
  TASM 5.00
  Windows Commander 3.53 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

  http://surf.to/HarvestR or http://harvestr.cjb.net
  http://atlantez.nl.eu.org/Iczelion
  http://protools.cjb.net

or ask any crackers to get you these tools!

Are you ready?! OK! ;) Am I ever getting bored of this?... maybe not...


Target game: Rollercoaster Tycoon ... this is not a usual crack

Thingies: Nothing... except the original Rollercoaster CD (you bought it... didn't ya?) Yeah...

Step 1.

When I first approached this protection, I started with making a full installation (170 megs). After it I tried to start Rct without a CD. And surprisingly, a "Please insert cd" box pops up. Hmm... not an ordinary protection, I thought. I made two backups of Rct.exe (.w32 & .bak) and loaded .w32 on W32Dasm89. But I couldn't find that blasted messagebox... so that's for it. So how about Soft-Icing it? Ok... let's give it a shot. Bpx getdrivetypea and launch Rct... no breaks... "Whatta hell?". I tried a couple of other breakpoints but nothing. So I decided to take a good look at the messagebox. I pressed OK when it asked for the CD and another messagebox... "missing or inaccessible data file" popped up.

Step 2.

Then I took a sneak peek at the installation dir and checked out the files in the Data folder.
"I wonder if something's missing?...". I inserted cd and copied all the data files (you only need csg1.dat & mp.dat) from the Data folder on cd. I took out the cd from the drive and tried Rct again. What?... Can't be... It works... "Whatta weird protection", I thought. But I don't care as long as the game works =)... -Cloud [StarGazer] Greetz to: Friends, tKC + every cracker on earth Mail me if ya got questions/comments or something: zakeman@hotmail.com Yikes, I'm back with a new tut for ya Target game: Rollcage Useful thingies: Hiew 6.04 W32Dasm89 Drink... My choice this time is... Pepsi (not Max) Dodiih... Let's do something =) My english is not perfect... so just try to hang on... Ok... at first you must (of course) install Rollcage. My pick was Medium installation (dammit, i should buy a new HD)... After the install is finished... throw the cd away (not literally =) and start Rollcage without a cd. An error message pops-up: "Please insert the Rollcage cd"... you can get through this by pressing ok... but that's meant only for a multiplayer game. No solo games available... Make two backups of rollcage.exe (rollcage.bak and rollcage.w32). Then load rollcage.w32 on W32Dasm. Go to Strn Ref and find the error message. You found it? Way cool! This is how it looked on my computer (should be same with yours too) :00474980 E87B250000 call 00476F00 :00474985 83C404 add esp, 00000004 :00474988 85C0 test eax, eax :0047498A 5B pop ebx :0047498B 7472 je 004749FF <--- Hmm... could it be this one? 
  :0047498D 6A09         push 00000009

  * Possible StringData Ref from Data Obj ->"PC_ERROR_MESSAGES"
                                    |
  :0047498F 6864004B00   push 004B0064
  :00474994 8D4C2410     lea ecx, dword ptr [esp+10]
  :00474998 6804010000   push 00000104
  :0047499D 51           push ecx
  :0047499E E82D9DFBFF   call 0042E6D0
  :004749A3 8A442418     mov al, byte ptr [esp+18]
  :004749A7 83C410       add esp, 00000010
  :004749AA 84C0         test al, al
  :004749AC 7511         jne 004749BF
  :004749AE B90D000000   mov ecx, 0000000D

  * Possible StringData Ref from Data Obj ->"Please insert the Rollcage CD "
                                          ->"into the CD ROM drive."

So... because I'm just a newbie I don't fully understand all that asm code, but I somehow managed to figure out what's happening there. You probably saw (what?... you didn't?.. look again) my reference up there, so it shouldn't be hard to guess what to do with that. So let's just change the jump from je to jne... easy, huh? So, move on to the referenced line on W32Dasm and check out the @offset code: 7498B. Exit W32Dasm and load up Hiew. Go to decode mode and to line 7498B. Press F3 and change 74 -> 75. That was easy. Now as you start Rollcage you see that the messagebox has disappeared and you can choose league mode at the start. Kewl!... U did it! If you have any problems later in the game, try the full installation... my version worked fine...

"hmm... that was the third already"

-Cloud [StarGazer]

For any remarks... send me an e-m@il at zakeman@hotmail.com or find me at Kiss' chat (www.kiss.fi/chatropol/town/playstation)

Greetz to: My friends (IRL and at chat)... tKC and dAvId nIgHtMaRe

If you happen to have any problems with my crack, please let me know.

Written 25th of May 1999


Here I am back again

Target game: Might & Magic 6 v1.1 (patched)

I decided to go for this game, 'cuz I don't have mm7 yet, and because of that, I wanted to play mm6 as for training.

Things you need:
  Hiew 6.04
  Soft-Ice 3.24 or better
  W32Dasm 8.93
  Mm6 v1.1 patch (1.6 mb)
  Drink...
once again I chose Frisco's apple lemonade (I've drunk 9 litres of it in the past three days =) ...and perhaps some music... I chose Winamp and my mp3 collection (a very heavy based)

Ready, get set, go!

Step 1.

Start with a full install (include extra graphics) and after installation patch the game to version 1.1. Now make the necessary backups of mm6.exe (.w32 & .bak). Ok... now we're ready to start cracking. Put a breakpoint on GetDriveTypeA (bpx getdrivetypea) in Soft-Ice. Start mm6 and it won't take long until SI breaks. Get the hex # of the place where you landed (should be 458163). Clear the breakpoint (bc*) and load mm6.w32 on W32Dasm. Disassembling is quickly done and you're ready to goto line 458163. So make your way there.

  :00458163 83F805       cmp eax, 00000005   <-- Is cd in drive?
  :00458166 750B         jne 00458173        <-- no, jump
  :00458168 8ACB         mov cl, bl
  :0045816A E8F1FBFFFF   call 00457D60
  :0045816F 84C0         test al, al
  :00458171 7532         jne 004581A5        <-- you naughty cracker...go away...

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:

This is all we need. As you probably already guessed, we need to change the last jump to je instead of jne. Hiew and mm6.exe are an excellent combination for doing this job. Decode mode, goto line, and @offset number (which is 57571). When you've got to the correct place and line, press F3 and change 75 --> 74, so it will look like this: 7432. After you're finito with this, start mm6 and it bypasses the check and you can freely play it without the CD present =)... Kewl

Greetz: Friends (IRL and chat), tKC + to you! =)

-Cloud [StarGazer]

Written 14th of June

Should you have any questions/comments/problems, u can contact me via zakeman@hotmail.com


Back again

Target game: Sin (Uk) v1.01 (updated)

Tools I used:
  Hiew 6.04
  Soft-Ice 3.24
  W32Dasm v8.93
  But no drink this time... but you can turn on the TV, choose the MTV channel and suffer =)

Yup... Let's get it on.

Step 1.

Make a full install. After it's done, make backups of Sin.exe (.w32 & .bak).

Step 2.
After you've grabbed the CD out of the drive, start Sin. Everything is fine until you press New game. A message box pops up saying "You must have Sin cd" ... or similar. Load Sin.w32 on W32Dasm. After it's finished goto Strn Ref and find the error message. When you find it, d-click on it and you should see this:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00457425(U)
  |
  :00457444 E827530000   call 0045C770   <-- I wonder what this is...

It's pretty obvious what to do. Yes... Launch Hiew and load Sin.exe on it. Decode mode and goto line (@offset should be 56844). Then just nop the call out:

  E827530000 --> 9090909090

Easy... isn't it?... Exit Hiew and start Sin and try pressing the New game button and yeah... no complaints about anything!... You made it! This game was pretty easy... but try ripping this game... it's quite hard because the actual files are in the .sin files... =) But we're not gonna try that, so I guess we're finished for the time being now.

Greetz to: Friends, tKC + all other crackers

Contact me at zakeman@hotmail.com or come to www.kiss.fi/chatropol/town/playstation... I might be hanging around there...

-Cloud [StarGazer]


Ok, this is my first article, so if there is any mistake, let me know. And this is a brand new article, too. I'll teach you how to patch a Java class file, sound interesting? Yeah, it's true. I've NOT seen any tutorial about this. So, let's rock.

TARGET: JFORGE 2.61 (http://www.tek-tools.com/jforge/)

TOOLS:
  JAD (java decompiler at http://www.geocities.com/SiliconValley/Bridge/8617/jad.html, this tool is cool)
  WINDOWS COMMANDER (or any utility alike you can have)
  HIEW (or any hex editor you can have)

Ok, now, what will you do? Yeah, decompile all the class files now with this command:

  jad -a *.class [enter]

You'll have a lot of JAD files, right? So, what should we do next? Well, let's see... When you run JForge, it asks you to enter a user name and id, right?
And if you're wrong, a dialog box will appear telling you "Unregistered JForge", right? Ok, we now will eliminate this annoying dialog and patch our JForge to registered. Remember, when we run JForge, it runs Builder.class, right? Let's check Builder.jad. What will you think first? Search the string "Unregis....". Ok, let's do it. Ooppss, there is NONE, right? Ok, scroll to the end of the file, we see a method a(String s1) and it's strange, huuh? What will you think? Yeah, it's the encryption method. What next?

Let's make a temp.java file to check what is the string "Unre...." in Builder.jad. In temp.java you need a method a(String s1), too (very simple, just copy exactly method a(String s1) from Builder.java) and add several lines System.out.println( a("...........") ) in the main method. What? You ask what is ".........."? Ok, very simple, they're what you see in Builder.jad where method a is called. Just put them all in your temp.java. Well, run the temp class and you see what string is decoded to "Unregister....". You know what to do now. Search this string, of course. Ha, now, you see it and see the variable Q too, right? Guess what? Perhaps, it's the boolean to check if this is the registered version of JForge. Try it out. Search the whole Builder.jad to see where Q is set. We see 2 lines: one is Q = true and one is Q = W.equals(X). Yes, the first one is set to true. And, BOOOM, the second one is where this shit check is. Yes, remember what these lines below are.

Here we go, make a plan now. We need to patch so that Q is always true. Fire up HIEW now, open Builder.class and search B6 01 41, change them to 00 00 04 (that means search "invokevirtual #321" and replace with "nop nop iconst_1"). You ask me how could I know to replace it? Ok, the answer is take a look at the JVM instructions at http://www.java.sun.com/docs/ You'll find what you need to know about JVM opcodes and many more... Oh, yes, return to our plan. Well, we patched it. Run JForge now.
BOOOMMMMMM, there's no dialog any more, and there will be no time limit as well. Bye for now. Next time, I'll teach you how to make a keygen for the famous Anfy Java 1.4. Sleep well!

PS: Sorry for my bad English, I'm a little Vietnamese child.

Contact me at: NamNT from Ground Zero Inc, email: NamNT@bigfoot.com


THE SAINT Man 16.06.1999

Cracking

I have had some e-mails requesting how to crack with Soft Ice (the CD protections). This is not hard to do, but I haven't got that much time to give you a big explanation on how to do this, so if you have any problems then send me a letter and I will answer it as soon as I'm back from my vacation (I'm back on July the 19th).

Tools needed: Only Soft Ice 3.24 or newer and a little knowledge of assembly (I could send you a tutorial on assembly if you don't know what it is (zaaz12@post.tele.dk).

English: This is up to you to decide (and I'm Danish so don't blame me)

Level: Beginners

Ok! Make sure that your Soft Ice is running. Start the program you want to crack. Go to the registration screen. Type in any name and key the same as serial, but DON'T press OK yet. Press Ctrl + D to get into Soft Ice. Make a breakpoint on Hmemcpy (like this: bpx hmemcpy and then enter. Do this twice) (PS. If Soft Ice says that Bpx Hmemcpy is an invalid command then fuck it..... sorry..... No, if it says this then send me a mail and I'll send you a file named winice.dat; just replace this file with the one in the Soft Ice directory and then it should work) <------ (get winice.dat from tKC's Tutor #16 .....tKC)

Press Ctrl + D and you are out of Soft Ice and back at the registration screen. Press OK. Ok! Yep, you are back in Soft Ice again, I know you are. DON'T PRESS F12. Press F10 about 17-25 times until you find something similar to this:

  PUSH ECX
  SHR ECX,2
  REPZ MOVSD
  POP ECX
  AND ECX,3
  REPZ MOVSB
  XOR DX
  XOR AX

And remember this is what it looks like in almost every program, also yours. Use F10 to get on the REPZ MOVSD. THEN PRESS: D DS:ESI and then enter.
Now you should be able to see the name and the key you entered. Now enter: D ES:EDI. Ok, this will show you the stinky location where your information will be copied to, i.e. 22bf:00000000 (STRANGE 22bf). Ok, now press F10 until you are past REPZ MOVSB. THEN TYPE: PAGE 22BF:00000000 (22BF:00000000 MEANS THAT YOU HAVE OTHER NUMBERS THAN THESE) and something like this should show up (if not then too bad for you):

  Linear    Physical  Attributes  Type
  80284960  01603960  P D AU RW   System

What we want to do is put a BPR (break point on range) at the address of the linear location. To do this you need to know how many bytes are in the range, and you HAVE to use the SELECTOR 30. Example:

  BPR 30:80284960 30:80284969 RW

This just sets a break on the range for 9 bytes during RW (read/write) access. If you want to see how different addresses can actually be the same you can:

  D 30:80284960

ALWAYS use the selector 30, because it ALWAYS exists. That's just the facts. Basically all this does is keep the user from having to F12 out of the normal API and then searching for his serial/name. This is extremely useful for 16 bit programs, because the segment always changes. Now you can go about your merry way (F5) and repeat the process or BD (whatever break point it is) and you should break when your serial/name is read. Simple ;)

FINAL NOTES: WELL AS I SAID IF YOU HAVE ANY QUESTION OR ANYTHING JUST MAIL ME

THE SAINT Man
Zaaz12@post.tele.dk


We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #29 soon! ;) And as I said last time: Without knowledge, there's no power!!! ;)

Credits go to:
  iNC for Splash Logo.
  Cloud [StarGazer] for providing 4 tuts in this version.
  NamNT/Ground Zero Inc for providing a tut in this version.
  The Saint Man for providing a tut in this version.
  tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!
Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day... be sure that I really appreciate your mails!!! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 23 June 1999

Cracking Tutorial #28 is dedicated to Ms_Jessca... who else?
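Added example (mine, not from any of the tutorial authors above): how the "@offset" numbers quoted for Rollcage, Might & Magic 6 and Sin relate to the virtual addresses in the W32Dasm listings. A file offset is PointerToRawData + (VA - ImageBase - VirtualAddress) of the section that contains the VA, and recomputing it from the PE section table is what an analyst does before trusting any reported byte position in a modified binary. The PE header here is constructed, and its layout (ImageBase 0x400000, a single .text section at RVA 0x1000 backed by raw offset 0x400) is an assumption chosen to reproduce the MM6 figures.

```python
import struct

# Constructed PE32 image, not a real game binary. Assumed layout (chosen to
# reproduce the MM6 figures, VA 00458171 -> @offset 57571): ImageBase 0x400000,
# one ".text" section at RVA 0x1000 backed by file offset 0x400, with the
# listing's "7532" (jne short +0x32) planted at that VA.
def build_image():
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 0xE0                                              # PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", 0x400000)
    opt += b"\0" * (opt_size - len(opt))
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x60000, 0x1000, 0x60000, 0x400, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + file_hdr + opt + sec
    image = bytearray(hdr + b"\0" * (0x400 - len(hdr)) + b"\0" * 0x60000)
    image[0x57571:0x57573] = b"\x75\x32"
    return bytes(image)

def sections(image):
    """Parse the PE header; return (ImageBase, [(name, rva, vsize, raw_ptr, raw_size)])."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] == 0x10B:        # PE32
        base = struct.unpack_from("<I", image, opt + 28)[0]
    else:                                                        # PE32+
        base = struct.unpack_from("<Q", image, opt + 24)[0]
    secs = []
    for i in range(nsec):
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), rva, vsize, rptr, rsize))
    return base, secs

def va_to_offset(image, va):
    """File offset of a virtual address: raw_ptr + (rva - section_rva), i.e. W32Dasm's @offset."""
    base, secs = sections(image)
    rva = va - base
    for name, srva, vsize, rptr, rsize in secs:
        if srva <= rva < srva + max(vsize, rsize):
            return rptr + (rva - srva)
    raise ValueError(f"VA {va:#x} is not backed by any section")

def bytes_at(image, va, n):
    off = va_to_offset(image, va)      # bytes the file holds at a VA, to compare with a listing
    return image[off:off + n]
```

With that layout 00457444 maps to 56844 as quoted in the Sin section, while Rollcage's 0047498B -> 7498B is only consistent with a section whose PointerToRawData equals its VirtualAddress.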
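Added example, also mine rather than NamNT's: what "invokevirtual #321" and the bytes "B6 01 41" mean at the class-file level. The two operand bytes index the constant pool, and reading the pool is how javap (or anyone auditing a shipped .class for modification) turns that index into Class.method(descriptor). SAMPLE is a constructed pool in which item #6 is java/lang/String.equals, the call behind Q = W.equals(X); the real Builder.class pool is not reproduced, and a Long/Double item taking two pool slots is handled because it is the usual parsing mistake.

```python
import struct
# Payload sizes of the fixed-size constant-pool tags (tag 1, Utf8, is variable).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
NAMES = {7: "Class", 8: "String", 9: "Fieldref", 10: "Methodref", 11: "InterfaceMethodref", 12: "NameAndType"}
FMT = {7: ">H", 8: ">H", 9: ">HH", 10: ">HH", 11: ">HH", 12: ">HH"}
INVOKES = {0xB6: "invokevirtual", 0xB7: "invokespecial", 0xB8: "invokestatic"}

def parse_constant_pool(data):
    """Return (entries, end): entries[i] is constant-pool item #i (1-based)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count = items + 1
    entries, pos, i = [None], 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:
            n = struct.unpack_from(">H", data, pos + 1)[0]
            entries.append(("Utf8", data[pos + 3:pos + 3 + n].decode("utf-8")))
            pos += 3 + n
        else:
            payload = data[pos + 1:pos + 1 + FIXED[tag]]
            fields = struct.unpack(FMT[tag], payload) if tag in FMT else (payload,)
            entries.append((NAMES.get(tag, "raw"),) + fields)
            pos += 1 + FIXED[tag]
        if tag in (5, 6):              # Long and Double occupy two indices
            entries.append(None)
            i += 1
        i += 1
    return entries, pos

def resolve_methodref(entries, index):
    item = entries[index]              # javap-style name: Class.name(descriptor)
    if item is None or item[0] not in ("Methodref", "InterfaceMethodref"):
        raise ValueError(f"#{index} is not a method reference")
    _, class_idx, nat_idx = item
    cls = entries[entries[class_idx][1]][1]
    _, name_idx, desc_idx = entries[nat_idx]
    return f"{cls}.{entries[name_idx][1]}{entries[desc_idx][1]}"

def decode_invoke(code, pc=0):
    # e.g. b"\xb6\x01\x41" -> ("invokevirtual", 321): the operand is a pool index
    return INVOKES[code[pc]], struct.unpack_from(">H", code, pc + 1)[0]

utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()   # CONSTANT_Utf8 item

# Constructed class-file prefix: magic, version 46.0 and a six-item pool whose #6 is String.equals.
SAMPLE = (b"\xca\xfe\xba\xbe\x00\x00\x00\x2e" + struct.pack(">H", 7)
          + utf8("java/lang/String") + b"\x07\x00\x01" + utf8("equals")
          + utf8("(Ljava/lang/Object;)Z") + b"\x0c\x00\x03\x00\x04" + b"\x0a\x00\x02\x00\x05")
```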