WarLords 3 Cd-Check
("A Very Simple Protection")
by +-=Riddler=-+
(24 September 1997)
Courtesy of fravia's page
of reverse engineering
Well, another interesting essay about reverse engineering CD-ROM protections.
This is my first CD-check protection, and it was quite easy, I have to say... I was reading Aesculapius's CD-check essay on Virtua Fighter when I decided to try this.
WarLords 3 is a game published by Red Orb Entertainment, and I obtained this copy from a warez site... I wanted to try it since I heard it was a Warcraft II type game. Anyway, I decided to download it, and I saw it was released by a group called Paradigm. So let's get down to business.
So I unrar the program and install it, and when I go to run it I get a message that says "CD not found. Please insert the Warlords III CD before starting the game".
OK, so obviously this program was not cracked correctly, or someone didn't include the crack with the program. So I had two options at this point: either look on the Internet and beg for a crack, or do what we should be doing and crack it ourselves. Obviously we are going to crack it ourselves.
Let's begin by loading war3.exe into W32Dasm and begin our conquest to defeat the ties that bind us to obey software companies. Once war3.exe is disassembled we have several options. One is that we could search for the text of the message... but the fact is that it shows up several times, and this is not the best method at all.
We are going to search for GetLogicalDrives. But why not GetDriveType, you ask... Well, it is NOT going to be the culprit in this case, because when you set a breakpoint on GetDriveType it doesn't break at any point before the screen that says to insert the CD.
So it must be GetLogicalDrives, and in fact if you set a breakpoint on it you will see it break. Now, searching through the disassembled text, you will notice that GetLogicalDrives shows up only once. I have a good feeling that this will indeed be very easy.
Now, about a paragraph above the kernel32.dll call, you will see that it is called from only one location; that will indeed be the only check for the CD at startup. OK, now if you trace the call back from the GetLogicalDrives call you will find the following code:
* Referenced by a CALL at Addresses:00441CFB , :00441D6C
|
* Possible StringData Ref from Data Obj ->"E"
|
:00436E40 685CC24C00 push 004CC25C
:00436E45 E856090000 call 004377A0
:00436E4A 83C404 add esp, 00000004
:00436E4D A258C24C00 mov byte ptr [004CC258], al
:00436E52 C3 ret
OK, now we know that the call at 00436E45 will obviously be the checking code. Notice that at code location 00436E4D whatever is in al is moved to memory location 004CC258. After that return value from al has been stored in the memory location, program control returns to the calling function. In this case we are going to go to code location 00441CFB. At that location we find the following code:
* Referenced by a CALL at Address:004BE928
|
:00441CD0 64A100000000 mov eax, dword ptr fs:[00000000]
:00441CD6 55 push ebp
:00441CD7 8BEC mov ebp, esp
:00441CD9 6AFF push FFFFFFFF
:00441CDB 68E61D4400 push 00441DE6
:00441CE0 50 push eax
:00441CE1 64892500000000 mov dword ptr fs:[00000000], esp
:00441CE8 33C0 xor eax, eax
:00441CEA 83EC08 sub esp, 00000008
:00441CED B94E9E0000 mov ecx, 00009E4E
:00441CF2 56 push esi
:00441CF3 57 push edi
:00441CF4 BFB8645000 mov edi, 005064B8
:00441CF9 F3 repz
:00441CFA AB stosd
:00441CFB E84051FFFF call 00436E40
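The shape of the check shown in the two listings, as an added C model that is not the game's code or the essay's: a one-letter string ("E") goes in, a GetLogicalDrives-style bitmask (bit 0 = A:, bit 25 = Z:) is inspected, and the one-byte result lands in a single global flag, just as al is stored to 004CC258 above. The inner routine's actual logic is not visible in the listing, so testing whether the letter is among the present drives is an assumption, and the bitmask is passed in (constructed values in main) so the model runs on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DRIVES 26

/* Expand a GetLogicalDrives-style bitmask into drive letters ("ACE").
 * Returns the number of letters written. */
int drives_from_mask(uint32_t mask, char out[MAX_DRIVES + 1]) {
    int n = 0;
    for (int bit = 0; bit < MAX_DRIVES; bit++) {
        if (mask & (1u << bit)) {
            out[n++] = (char)('A' + bit);
        }
    }
    out[n] = '\0';
    return n;
}

/* The global byte the caller keeps the verdict in ([004CC258] in the
 * listing); the name here is hypothetical. */
static uint8_t g_cd_present = 0;

/* Models the routine at 00436E40. Assumed logic: answer 1 when the
 * requested letter is among the drives the mask reports, else 0. */
uint8_t cd_check(const char *letter, uint32_t logical_drives) {
    char present[MAX_DRIVES + 1];
    drives_from_mask(logical_drives, present);
    uint8_t result = (letter[0] >= 'A' && letter[0] <= 'Z' &&
                      strchr(present, letter[0]) != NULL) ? 1 : 0;
    g_cd_present = result;  /* mirrors mov byte ptr [004CC258], al */
    return result;
}

uint8_t cd_flag(void) { return g_cd_present; }

int main(void) {
    /* Constructed masks: A:, C:, E: present (0x15) vs A:, C: only (0x05). */
    printf("with E:    %u\n", cd_check("E", 0x15u));
    printf("without E: %u\n", cd_check("E", 0x05u));
    return 0;
}
```

Note how the whole decision collapses into one byte in a global written by one call site; a protection with a single decision point like this is the weakest design for a check of this kind.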
(c) Riddler 1997. All rights reversed