Training session 30: CD Rom Protections
Difficulty: Medium
Learn how to crack a simple CD Rom Protection Scheme
Creator: m101


This tutorial is not so much about how to crack Hexen II as about showing you how a CD-ROM protection works at its most basic level. You can get a copy of Hexen II from nearly any second-hand games shop, or from the ancient stash of CDs one of your mates is bound to have.

Here's what you will need:

Hackers View
Win32Dasm
Hexen II

Have you installed it yet? Well hurry up! Ok good, you are done. Now start up the game with the CD and observe the startup procedure...

Now take out the CD and restart the game. I hope you are using the GL version, because if you aren't, fix that. "You need to have the Hexen 2 CD in order to play!" How damn annoying is that nag screen? Quit the game and load up Win32Dasm, then click Refs and then String Data References. Now have a look for our nag screen. You got it? Good. Double click "You need to have the Hexen 2 CD " and you will see this:
:004047F5 F7D1                    not ecx
:004047F7 49                      dec ecx
:004047F8 7596                    jne 00404790

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404782(C)
|

* Possible StringData Ref from Data Obj ->"You need to have the Hexen 2 CD "
                                        ->"in order to play!"
                                  |
:004047FA C705D8D2460038C94500    mov dword ptr [0046D2D8], 0045C938
:00404804 C70548AF460000000000    mov dword ptr [0046AF48], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004047D9(C)
|
:0040480E 5D                      pop ebp
:0040480F 5F                      pop edi
:00404810 5E                      pop esi
:00404811 5B                      pop ebx
:00404812 81C4140A0000            add esp, 00000A14
:00404818 C3                      ret
Wow! Our annoying message! Well, have a look at that jump by double right-clicking on the address, and you will come up with this:
* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h
                                  |
:00404767 FF15A0B5E000            Call dword ptr [00E0B5A0]
:0040476D 8DB42424020000          lea esi, dword ptr [esp+00000224]
:00404774 B9FFFFFFFF              mov ecx, FFFFFFFF
:00404779 8BFE                    mov edi, esi
:0040477B 2BC0                    sub eax, eax
:0040477D F2                      repnz
:0040477E AE                      scasb
:0040477F F7D1                    not ecx
:00404781 49                      dec ecx
:00404782 7476                    je 004047FA

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
                                  |
:00404784 8B1D9CB5E000            mov ebx, dword ptr [00E0B59C]

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Eh
                                  |
:0040478A 8B2D84B5E000            mov ebp, dword ptr [00E0B584]
For those of you that don't know, GetDriveTypeA checks what type of drive a given root path is. Here is the API reference for it:
     UINT GetDriveType(
         LPCTSTR lpRootPathName    // address of root path
     );

Returns
0 Drive can't be determined
1 Drive can't be determined
2 Root Directory does not exist
3 Fixed Drive (Harddisk)
4 Remote Drive (Network)
5 CD-ROM-Drive
6 RAM-Disk (only GetDriveTypeA)
As you can see, if the return value is 05, then that tells the program it is a CD. This stops us from using data on the HDD to act as a CD. So this tells us that there's a check somewhere between 00404782 and 004047F8. Have a look a bit lower at this:
:004047C5 8D44241C                lea eax, dword ptr [esp+1C]

* Possible StringData Ref from Data Obj ->"Hexen II"
                                  |
:004047C9 682CC94500              push 0045C92C
:004047CE 50                      push eax
:004047CF E8ECEE0400              call 004536C0
:004047D4 83C408                  add esp, 00000008
:004047D7 85C0                    test eax, eax
:004047D9 7433                    je 0040480E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404796(C), :004047C3(C)
|
:004047DB 8BFE                    mov edi, esi
:004047DD B9FFFFFFFF              mov ecx, FFFFFFFF
:004047E2 2BC0                    sub eax, eax
:004047E4 F2                      repnz
Notice those references to jumps? Well, have a look at them and what do you see? Yes, they're between 00404782 and 004047F8. Let's check them out:
:00404793 83F805                  cmp eax, 00000005
:00404796 7543                    jne 004047DB				<==Test 1
:00404798 8D842420010000          lea eax, dword ptr [esp+00000120]
:0040479F 6804010000              push 00000104
:004047A4 8D4C241C                lea ecx, dword ptr [esp+1C]
:004047A8 50                      push eax
:004047A9 8D54241C                lea edx, dword ptr [esp+1C]
:004047AD 51                      push ecx
:004047AE 8D44241C                lea eax, dword ptr [esp+1C]
:004047B2 52                      push edx
:004047B3 8D4C242C                lea ecx, dword ptr [esp+2C]
:004047B7 50                      push eax
:004047B8 6804010000              push 00000104
:004047BD 51                      push ecx
:004047BE 56                      push esi
:004047BF FFD5                    call ebp
:004047C1 85C0                    test eax, eax
:004047C3 7416                    je 004047DB				<==Test 2
:004047C5 8D44241C                lea eax, dword ptr [esp+1C]

* Possible StringData Ref from Data Obj ->"Hexen II"
                                  |
:004047C9 682CC94500              push 0045C92C
:004047CE 50                      push eax
:004047CF E8ECEE0400              call 004536C0
:004047D4 83C408                  add esp, 00000008
:004047D7 85C0                    test eax, eax
:004047D9 7433                    je 0040480E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404796(C), :004047C3(C)
To fix this, just reverse those two jumps. That's not all, though: have a look just above the "Referenced by" comment, at the jump at 004047D9. If that test fails, the protection is still used. So here are the locations to be changed:
:00404796 7543                    jne 004047DB
:004047C3 7416                    je 004047DB
:004047D9 7433                    je 0040480E
Okay, look at the bottom of Win32Dasm and you will see @Offset and next to that a number. Put the cursor on the first address, write this number down and ignore the h, which just stands for hexadecimal. Then do the same for the two other offsets. Open up Hackers View, press F4 and then F3 to get into ASM mode. Press F5 and type in the first address, then change the 75 into a 74 by pressing F3, typing the value and pressing F9 to update; then change the other two offsets from 74 into a 75. Quit and run "glh2.exe" without the CD. Wow, it works!

You should now have a basic understanding of how a simple program checks for a CD in the drive...
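As an added example (not from the original tutorial and not Hexen II's own code), here is a portable C reconstruction of the decision flow the disassembly shows between 00404782 and 004047F8, with the three Win32 calls replaced by a constructed drive table so it compiles and runs without Windows. The names `struct drive`, `cd_check` and the sample drives are my own; the constant 5 for a CD-ROM drive and the "Hexen II" volume label come from the tutorial.

```c
/* Added example: reconstruction of the three tests seen in the disassembly.
 * Real code would call GetLogicalDriveStringsA, GetDriveTypeA and
 * GetVolumeInformationA; here a constructed table stands in for them. */
#include <stdio.h>
#include <string.h>

#define DRIVE_CDROM 5   /* GetDriveType return value the game compares against */

/* Constructed stand-in for one drive as Windows would report it. */
struct drive {
    const char *root;   /* e.g. "D:\\" as returned by GetLogicalDriveStringsA */
    unsigned    type;   /* GetDriveType code: 3 fixed, 4 remote, 5 CD-ROM ... */
    const char *label;  /* volume label from GetVolumeInformationA, NULL if the call failed */
};

/* Mirrors the loop over drive strings:
 *   Test 1 (00404793/00404796): cmp eax,5 / jne  -> skip non-CD-ROM drives
 *   Test 2 (004047BF/004047C3): call ebp / je    -> skip drives whose volume info is unreadable
 *   Test 3 (004047CF/004047D9): string compare with "Hexen II" / je -> success, return to caller
 * Falling out of the loop reaches the nag message at 004047FA.
 * Returns 1 when a drive passes all three tests, 0 for the nag-screen path. */
int cd_check(const struct drive *drives, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (drives[i].type != DRIVE_CDROM)                  /* Test 1 */
            continue;
        if (drives[i].label == NULL)                        /* Test 2 */
            continue;
        if (strcmp(drives[i].label, "Hexen II") == 0)       /* Test 3 */
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed scenarios: CD present, CD removed, and a hard disk
     * relabelled "Hexen II" (rejected by Test 1, as the tutorial notes). */
    const struct drive cd_in[]  = { {"C:\\", 3, "SYSTEM"}, {"D:\\", DRIVE_CDROM, "Hexen II"} };
    const struct drive cd_out[] = { {"C:\\", 3, "SYSTEM"}, {"D:\\", DRIVE_CDROM, NULL} };
    const struct drive hdd[]    = { {"C:\\", 3, "Hexen II"} };
    printf("CD in drive : %s\n", cd_check(cd_in, 2)  ? "ok" : "nag screen");
    printf("CD removed  : %s\n", cd_check(cd_out, 2) ? "ok" : "nag screen");
    printf("HDD labelled: %s\n", cd_check(hdd, 1)    ? "ok" : "nag screen");
    return 0;
}
```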