The cracking of "Age of Empires"
(with a general digression about CD-based copy protections of most Windows95 games)

by TWD

(28 December 1997, poorly edited by fravia+)

Courtesy of fravia's page of reverse engineering
Well, it was about time! If all anti-micro$oft crackers would really put their reversing capabilities where their mouths are, Micro$oft would already be bankrupt... unfortunately we keep looking for interesting protection schemes, and there is really nothing much interesting in whatever these incredibly incapable bunch of commercial evil programmers do... yet, once more, this kind of cracking is VERY IMPORTANT! Age of empires is a (strategically crippled) 'megabucks' troyan horse... one of those -mostly pathetical- "Micro$oft sponsored" games that are pushed like few others in order to compel people to use windoze... look at the specs for Age of Empires, only very incapable programmers could compel such a config!
- Windoze95 or WindozeNT 4.0 with ServicePackBugCorrect 3 Why? Are they really so uncapable programmers that they have to target a single operating system or have they been bought by Micro$oft's banes to say this?;
- 24 Megabytes ram... why? There are magical graphical programs that squeeze vectors and graphics inside 8 (eight) megabytes... and this poor simple game needs 24!;
- 80 MB of available harddisk PLUS 50 Megabytes of swapping space... why? are they really uncapable to squeeze graphic? Do they really need 130 (read: onehundredand thirty) megabytes to have some catapults roll on board?;
- Quad-speed CD-ROM drive A typical request by incapable programmers...

It's disgusting: man I could myself squeeze this crap into less than one half of these specs in a couple of hours! It's a shame! "One of the most ambitious games we've ever seen..."? One of the most overbloated games we've ever seen!

Micro$oft bashing
~~~~~~~~~~~~~~~~~

The cracking of "Age of Empires"
================================
(a general digression about CD-based copy 
protections of most Windows95 games)
by TWD



Hi back again,

it's going to be Christmas and the whole world is going to shop. 
Advertising is legalized lying, said someone. 
Remember this, especially every time it's Christmas.

Examining a game from big brother Micro$oft (of course we have 
bought it: part NO: X03-44492 :-) we have noticed a bug that may 
annoy all the poor boys (and girls) all over the (poor) world, 
whose's (poor) father and mothers, for instance, have lost their 
(poor) jobs thanks to Micro$oft's (poor) society. 
See: this reversing is a present for those who won't get no 
presents at all during these merry (poor) holidays, poor chaps, 
yet would need so much to evaluate (fully) this interesting 
(if overbloated) historical game... so let's crack it! 

And anyway I need my own cd-drive free from my own bought CD-games 
in order to hear my own music CD... something against this? :-)

Age of Empires comes on one CD-ROM; the CD-ROM can be taken 
out after the game is running.
I think that this tells us, that there is only one check for the CD at
the beginning, when Age of Empires starts.


Little (important) digression
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's say something general about copy protections of Windows95 games.
They are nearly all the same, and they aren't really copy protections.
They all work something like this :

    (1) put "c:\" in a variable, let's say "xrom"
    (2) test if "xrom" is the CD-Drive, by using "GetDriveTypeA"
    (3) if result = 5 then continue at step 5
    (4) else increment the drive letter and go back to (2)
    (5) use the letter in "xrom" to complete all path names.
    (6) if it will never find a CD-Drive, a error message appears


A lot of games are doing it like this.
How to crack this ??? Nothing easier like this. Don't put "c:\" in the 
variable, but the desired CD-drive letter. Then remove the
"GetDriveTypeA" call and write something like "mov eax, 00000005". 
Sometimes a "GetVolumeInformationA" follows, but it's no problem 
to avoid the program to exit by this.

Example games for this kind of protection :

  - Beasts and Bumpkins
  - Descent ][
  - Diablo
  - Panzer General IIID
  - and many more


End of digression
~~~~~~~~~~~~~~~~~


On the "Most stupid protections" +HCU's project is said that the 
more commercial a product is, the more stupid it's protection
will be.
This is sure confirmed if you take a look at "Age of Empires".

The path to the CD is stored in the registry and only needed to find 
the oversized AVI philez.

Set a breakpoint on "GetDriveTypeA" and start "Age of Empires".
SoftIce pops up a few times in the "LinkInfo" module, nut this is not 
interesting.
Sometime later, SoftIce pops up in the "Empire" module at 
this position:



:004D65F5 57             push edi                      <-- the CD path
:004D65F6 FF1554267000   Call KERNEL32.GetDriveTypeA   <-- SoftIce pops up here
:004D65FC 83F805         cmp eax, 00000005             <-- Is it the CD-ROM ???
:004D65FF 7404           je 004D6605                   <-- Yes ? --> jump !
:004D6601 33C0           xor eax, eax                  <-- No ?  --> stay !
:004D6603 EB53           jmp 004D6658


In edi is the pointer to the CD path. The result of GetDriveTypeA 
is "00000005" if the checked drive is a CD drive. If the given drive 
is a CD drive, the program continues below :

...

:004D662B 57                      push edi                      <-- the CD path
:004D662C FF1558267000            Call KERNEL32.GetVolumeInformationA
:004D6632 85C0                    test eax, eax
:004D6634 B800000000              mov eax, 00000000
:004D6639 741D                    je 004D6658
:004D663B 8B460C                  mov eax, dword ptr [esi+0C]
:004D663E 8D4C241C                lea ecx, dword ptr [esp+1C]
:004D6642 05FD020000              add eax, 000002FD
:004D6647 50                      push eax
:004D6648 51                      push ecx
:004D6649 E802D60500              call 00533C50                  <-- strcmpi
:004D664E 83C408                  add esp, 00000008
:004D6651 83F801                  cmp eax, 00000001
:004D6654 1BC0                    sbb eax, eax
:004D6656 F7D8                    neg eax


As you can see, not only the type of drive is checked, but also the name 
of the drive.
In ecx is the pointer to the name of the CD currently in your CD-ROM, in 
eax is the pointer to the expected name : "AOE"

If the compare succeeded, the result of the complete function is "01",
else it is zero.


To patch "Age of Empires", this function has to return "01" every time
it is called. No problem for us, of course: let's look at the top of 
the function :

:004D6550 81EC0C020000            sub esp, 0000020C
:004D6556 53                      push ebx
:004D6557 56                      push esi
:004D6558 8B410C                  mov eax, dword ptr [ecx+0C]
:004D655B 57                      push edi
:004D655C 55                      push ebp
:004D655D 8BF1                    mov esi, ecx
:004D655F 8B8808040000            mov ecx, dword ptr [eax+00000408]
:004D6565 85C9                    test ecx, ecx
:004D6567 750A                    jne 004D6573             <--blast this one
:004D6569 B801000000              mov eax, 00000001
:004D656E E9E5000000              jmp 004D6658             <--jump to the end

As we can see from the small piece of code above, the only thing which
is to do, is to blast the jne at 004d6567. If this is done, the function
will always return "eax = 01".

After I nopped out some bytes (in my essay about W32Dasm 8.7) I was mildly 
criticized by fravia+, now I learned and I prefer to use this sequence :

  41   inc ecx 
  49   dec ecx

This one is doing nothing as good as two nops would do, but it can not
be detected by some protection algorithms.

Summary
~~~~~~~

"Age of Empires" was as silly and easy to cheat as most of the time trial
versions, created by Micro$oft. The patch can be reduced to a single "jne 
blasting out", this should, normally, be too easy to be true, yet most of 
these games compel in such a silly way legitime users to occupy their own 
CD-drive with a CD-ROM they have NOT chosen to have there!

After patching the program, it is even possible to delete all the 
x-tra large avi phileZ, cause they waste nearly 100 megz of space.

Time to pay respect
~~~~~~~~~~~~~~~~~~~
Last but not least, 
there are two people I want pay respect to :

  - First fravia+ who hosts one of the most interesting pages on
    the whole net. If you want to find any knowledge about cracking
    (or computers in a more general way), pay a visit to 
    http://www.fravia.org

  - Second to Quine who had cracked IDA in a very special way.
    Disassembling with IDA is much more satisfying, than doing it 
    with good old W32Dasm, just try it.
    I have to say that I was nearly as far with cracking IDA, but 
    my 'working target' kept always crashing, because no mem was 
    reserved. Respects to Quine!

This was our Micro$oft cracking for today, questions can -as usual- 
be asked at :  
mailto:twd.rulez@gmx.net?subject=I've got a question about Micro$oftcracking...

Bye (till next time)

          TWD
(c) TWD All rights reversed
ObStupidreaders
Of course you should BUY this overbloated game (you better buy a Pentium 200 first, tough) and you should NOT come to the idea of using only one Age of empires CD-ROM (if ever... you could of course find the razor distributed copy on the web for free, if you seek) in order to 'seed' this game, as cracked above by TWD, in all your friends and friends' friends and friends' friends' friends computers. This would be un-ethical, I'm afraid, since Micro$oft and their overbloated programmers slaves would risk loosing some money thattaway. So don't do it, you scoundrels! I did'nt, I bought my own copy: 0897 Part No. 92681: "Simply fill in the card, choose your local Micro$oft office from the leaflet..." :-)
You are deep inside fravia's page of reverse engineering, choose your way out:

redBack to Project 9 (M$-bashing) redBack to Project 4 (CD-Rom)
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?