CD-Rom reversing MechWarrior2 Mercenaries
("Another Approach to the Cd-Check scheme")
by +-=Riddler=-+
(26 September 1997)
Courtesy of fravia's page
of reverse engineering
Well, Riddler is slowly "specialising" in this very interesting
cracking subject! Here is his SECOND essay in a very short time.
Let's hope he keeps sending material, as I will
repeat (once more): "I hope that with the help of this addition many
+crackers will be stimulated and work on such schemes, bringing ahead
this poor and neglected (yet important) project 4!"
How to Crack MechWarrior2 Mercenaries
(Another Approach to the Cd-Check scheme)
by +-=Riddler=-+
This is a well known game and should be widely availible from
the internet. I personally purchased this game. I played it for a bit
and then I discarded it into the box with the rest of my cd's. I tired
of it and it was in a way a waste of my money. But it makes a good
program to write a tutorial on due to the fact that it can be widely
found and also that I am going to approach this program and also
sucessfully crack it.
Ok, as usual let's get down to business. MechWarrior2 Mercenaries
is a 3-D fighting game and is well known. Even if you do a FULL INSTALL
at 150MB, it still requires the cd to start. This kind of protection is
in effect controling the consumer. I personally beleive that if you pay
$55 for a game like I did, that you should be at least able to play
against a friend over a network or modem or whatever. But in a case like
this that means you would need 2 cd's, to play like, that or more depending
on the number of players.
Ok, now this cd comes with 2 versions on it. It has a Windows95
version of the program and a DOS version of the program. In this case
we are going to crack the protection in the Windows95 Version. Now if
you read my essay on the WarLords3 Cd-Check crack we where able to make
the program jump to the good code to continue no matter what the procedure
GetLogicalDrives returned with, a success or a failure.
So in this case instead of making it jump wheather it is a sucess or a
failure, we are going to approach it another way and that being the fact
that we are going to change where it looks for the file.
I am going to walk through it and this, for example, maybe an easier
way to crack a cd-check because say for example you have a program that will
acutually verify the file, (which this one doesn't) you can copy that file
to the harddisk and tell it to look there.
That way if it needs data to run off the cd, it can
still get the data and it won't really require the cd to run.
That's how we are going to crack this program.
Ok, I began this crack by loading "mercswin.exe" into w32dsm
and I decompiled it. Ok now I decided to start off looking in the dissembled
text for "GetLogicalDrives" because as we all know is a well used function
to begin to verify a cd-rom.
Along with with "GetLogicalDrives" you can also have several others such
as "GetDriveType" and "GetLogicalDriveStrings".
It turns out that "GetLogicalDrives" is not used in this program at all,
but searching for it, it brought me to "GetLogicalDriveStrings" and in
this case it's right where we need and want to be.
Ok, so this is the code that we find when we search for
"GetLogicalDriveStrings":
* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00E5h
|
:00401036 FF1568B14000 Call dword ptr [0040B168]
:0040103C 8D442410 lea eax, dword ptr [esp+10]
* StringData Ref from Data Obj ->" :\OLD_MERC.DRV" <--This is the file verified
|
:00401040 6838804000 push 00408038
:00401045 50 push eax
:00401046 E875090000 call 004019C0
:0040104B C7053480400000000000 mov dword ptr [00408034], 00000000
:00401055 83C408 add esp, 00000008
:00401058 803F00 cmp byte ptr [edi], 00
:0040105B 7442 je 0040109F
Ok that we know the file that the program is going to look for...Let's
scroll down some and take a careful look at the code that follows:
* Reference To: KERNEL32.FindFirstFileA, Ord:0079h
|
:0040105D 8B3574B14000 mov esi, dword ptr [0040B174] <--Load offset of
filename
* Reference To: KERNEL32.GetDriveTypeA, Ord:00CEh
|
:00401063 8B2D64B14000 mov ebp, dword ptr [0040B164]
* Referenced by a Jump at Address:00401094(C)
|
:00401069 53 push ebx
:0040106A FFD5 call ebp <--Call GetDriveTypeA Function
:0040106C 83F805 cmp eax, 5 <--Is Drive CD-Rom?????
:0040106F 751D jne 0040108E <--IF it's not get cd-rom
:00401071 8D4C2424 lea ecx, dword ptr [esp+24]
:00401075 FF0534804000 inc dword ptr [00408034]
:0040107B 8A03 mov al, byte ptr [ebx]
:0040107D 51 push ecx
:0040107E 88442414 mov byte ptr [esp+14], al
:00401082 8D442414 lea eax, dword ptr [esp+14]
:00401086 50 push eax
:00401087 FFD6 call esi
:00401089 83F8FF cmp eax, FFFFFFFF <--Does Function Fail?
:0040108C 750A jne 00401098 <--If it doesn't continue
Now before we do anything else with the program we are going to concentrate on
one thing and that being the fact that the "cmp eax,00000005" at Code Offset
"0040106C". Let's Review the Properties of "GetDriveTypeA"
GetDriveTypeA Return Function codes:
Value Meaning
0 Drive Cannot Be determined
1 Root Dir Does not exist
2 DriveRemoveable
3 A Fixed Disk (HardDrive)
4 Remote Drive(Network)
5 Cd-Rom Drive
6 RamDisk
Ok now when "eax" is compared to "5" it is just seeing that the drive
it has found is indeed a cd-rom.
Ok Break out Hiew and load up "mercswin.exe" and we are going
to goto the offset of the "cmp eax, 5" we can see that is at offset
"046Ch" now we are going to change that 5 in the instruction to a "3"
that way it will look for a HardDrive instead of a Cd-Rom.
Ok, so save that change and then stop a second and think.
OK, we have patched the code and it should work but there
is still the manner of ":\OLD_MERC.DRV" ok so we know that
it will look at it in the root dir of the drive.
In this case the drive where "mercswin.exe" installed to.
Ok so create a file "OLD_MERC.DRV" in the root dir.
Now after you have done that go and try to run "mercswin.exe" and
you will see that is works without a hitch.
The program will fire right up. This program simply checks for the
presence of the file but does not verify it's contents nor does it
verify its date, size, time, attributes or anything of that nature.
Now we can run the program without the cd by changing one byte in
the file.
I have seen a crack for this before, published by the PhroZen Crew.
They packaged the "OLD_MERC.DRV" file and fakecd to run it.
I personally prefer the method I have explained above, due to the
fact that this is in essence a "worldwide crack", for any cd-rom
based protection that will call that function to verify if
the drive is a cd-rom.
I hope that this has shed some light on cd-protection.
I should have some more essays in the near future.
Thanks and Take Care,
+-=Riddler=-+
Riddler@oceansintl.com
(c) Riddler 1997. All rights reversed
Indeed, Riddler, you are right! Teaching people interested in learning
and working on this stuff
HOW TO reverse engineer all protection of a given kind (all software
for that matter, not only protections) seems to us (and I believe and hope
that I'm speaking
for the whole +HCU) much more interesting and constructive (and correct)
than releasing ready made "pre-cooked" (easy) cracks for all lusers
and leechers. People that would eventually have been able to help us, if
we had only helped them a little to develop, will never learn anything thattaway!
Whatta waste!
C'mon fellow crackers of all the groups of the alphabet...
you know as well as I do how much fun our activity is... how rewarding and interesting
it is to understand alien code... once you know how to proceed... once you
have learned at least some of the hundred little tricks... C'mon! Share your
knowledge with those that deserve it, instead of showing off for the greedy
eyes of the "me-too" lusers!
Teach people how to start, some need only a little
help to get rolling, and they will send us back TREASURES of knowledge
once they have learned the basic stuff (and the advanced techniques as well :-)
We should never forget the words that +ORC printed in each lesson of his
tut:"Give a man a crack, and he'll be hungry again tomorrow,
teach him how to crack, and he'll never be hungry again"
You are deep inside fravia's page of reverse engineering,
choose your way out:
Back to Project 4 ("CD-Rom protections")
>
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia
Is reverse engineering legal?