Midnights Hackers Private Club Where members or hackers gourps come to exchange ideas, and show off skills. **** A Cracking Guide For Beginners **** An Article By: The Psychopath TABLE OF CONTENTS ------------------- I. Introduction and Overview II. Cracking Doc Checks A) General Info B) A Cracking Tutorial III. Cracking Disk Checks IV. Cracking with Overlays V. Closing Remarks -------------------------------------------------------------------------------- Introduction: This article is to provide help and give a basic understanding of cracking for those that just plain don't understand it. A lot of you have heard about ways of cracking and have gone of on your own into the unknown to try to crack your first program. And undoubtedly you failed, unless you had guidance and help from someone more experienced then yourself. Well, I know how rough it is to learn how to crack, 'cause I've been there myself. It takes a lot of time, work, and patience to become proficient at the art. So those wishing to make a leap up in society to the status of a cracker, please read on. Some of the most useful tools to a crackist are: DOS Debug Quaid Analyzer Turbo Debugger Locksmith Step-13/Trap-13/PC-Watch Soft Ice Acquire any and all that you can. You'll want and need them. I'm only going to discuss DOS Debug (Turbo Debugger is quite similar) and Step-13/Trap-13 The others you'll have to experiment with on your own. Here's a basic list of Debug commands: Command Function ------------------------------------------ *A [address] Assemble C range address Compare D [range] Dump E address [list] Edit F range list Fill *G [=address [address..]] Go H value value Hex I value Input L [address [drive:record record] Load M range address Move N filename [filename] Name O value byte Output *P [=address][value] Proceed *Q Quit *R [register-name] Register *S range list Search *T [=address][value] Trace *U [range] Unassemble *W [address [drive:record record] Write [* Indicates the only ones you need worry about for now. They are the main commands that you use). Basically, you will enter the letter command and then return (). Addresses only need to be specified based on necessity. (for example, you could just enter G and it would execute. Specifying an address would set a break point. (run the program up to that address). For P and T, just enter the letter name and . It's quicker.] Further explanation of the commands is provided in your DOS users manual. Read it for yourself. *** Note that not all forms of copy protection, nor their ways of removal are discussed in this news letter **** -------------------------------------------------------------------------------- Cracking Doc Checks: Okay, one of the most common forms of copy protection is the doc check. This is where you are asked to input information from the documentation that is included with the software purchased. I will discuss a few methods of removing this protection scheme, and then will provide you with a sample crack. Doc checks are usually at the beginning of the software, with a few exceptions (some being in the middle or at the end). They range in variety from simple text questions, to having graphic and mouse interfacing. They, of course, range in difficulty from Insulting (easy) to Mind Boggling (hard). It's best to start with the easy ones, because you don't want to get in over your head, and remember that experience is the best teacher. Doc checks are executed by CALL statements, and sometimes a series of CALL statements. When proceeding through a program in DEBUG, you will hit a CALL statement that will execute the program. Remember what the address was for it, 'cause you'll have to exit out of the game and go back to where it took control from you. If the CALL statement runs the doc check then takes you back to DEBUG, then you're allright, and can start changing it there. If not, then you will have to trace (T option) through the CALL statement down to the next layer of program. Now you will proceed again, until you get to a call statement that executes the copy protection then returns you to DEBUG. There are three basic ways to remove the Doc check: 1) Remove the CALL statement. a) By the NOP command. b) By jumping from the first byte to the last. 2) By changing the comparisons. a) By changing the CMPs to compare registers to themselves. b) By changing the jump statements that follow. 3) By Jumping around the Doc check to get to the part of the program that loads in the rest of the game. The first option deals with the above mentioned CALL statements. When you get to the one you want, you will assemlbe at that address (A Address) and enter either NOP (being sure to NOP all the bytes of the call statement--NOP represents NO Option) or jumping from the address of the first byte to the address of the second byte. Either will do. Removing the CALL statement will not always work. Sometimes it will do a wide variety of things to the program. If this happends, then try one of the other options listed. The second option involved leaving the doc check entact, but making it so that any text entered will be accepted by the computer, thus allowing you to continue with your utility/game. You will usually find a CMP statement (i.e. CMP AX,[BP-20]) after it calls for the text to be entered. What it's doing is comparing the value you entered to the value it wants. You can fix this by either changing the compare statement to compare the register to itself (i.e. CMP AX,AX), or by changing the jump statements that follow. You might get a jump statement like JNZ 0345 which will only jump to CS:0345 if the value is not zero. So just change it to read JMP 0345, which will always jump to CS:0345. The third option involves jumping past the doc check (or CALL statement more appropriately put). Often times you'll execute the copy protection, and then it will take you to a new part of the program, where it will make it's comparison, and then decide wether it will run the rest of the program (if you answered the question correctly) or kick you out to DOS (or re ask the question depending on the software). If you know what one of the answers is (and you should if you have the originals), then enter the correct answer and follow the program through until it executes the rest of the game. (Make note of where it executes the rest of the game). Then, you exit out of the game, get back into DEBUG, and then go back before the doc check is called. Now, jump from the doc check over to where it executes the rest of the game. This will remove the doc check completely. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Software Name: Fiendish Freddy's Big Top of Fun Software Company: Mindscape Here is a walk through for cracking a simple text doc check in the above mentioned game. I will present you with two ways of cracking it. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Method #1: The most preferred way amoung pirates for having a copy protection removed is for the crackist to take it out completely. There two most common ways of doing that are: 1) Remove the call statement that executes the protection. 2) Jump around the protection. I'm going to teach you method 1 (removing the call statement). Find a copy of Fiendish Freddy, and type the following: DEBUG FREDDY.EXE After typing this, you will be in the program itself, and you will see the "-" to the left of the screen. To see where you are in the program, press R, and you will see something like this: AX=000 BX=0003 CX=4A40 DX=0000 SP=34BC BP=0000 SI=0000 DI=0000 DS=11EB ES=11EB SS=44B2 CS=11FB IP=3E93 NV UP EI PL NZ NA PO NC -11FB:3E93 9A00005341 CALL 415E:0000 ---------------------------Special Note---------------------------- The value of CS is "11FB". That is the hexadecimal segment address for the beginning of the program code in your computer's memory. It is highly possible that the value you see for CS is different from mine. ------------------------------------------------------------------- Now then, press P to proceed through the program until you come to the call statement located at CS:3EF8. Type U 3EF2 to unassemble around the call statement. You will see the following: . . 11FB:3EF2 55 PUSH BP 11FB:3EF3 89E5 MOV BP,SP 11FB:3EF5 83EC02 SUB SP,+02 11FB:3EF8 9A9C01291A CALL 1A29:019C 11FB:3EFD A2CA02 MOV [02CA],AC . . Okay, write down the HEX values before, including, and after the call statement. Now in order to change it, you will type A 3EF8 and you'll see this: CS:3EF8 Where the cursor is located, you will type NOP (No Option) 5 times, in order to wipe out the 5 bytes of the call statement, and then press . NOP is like erasing data. (i.e. 11FB:3EF8 NOP NOP NOP NOP NOP). Now press G to execute the game. The actual program should load up without executing the doc check at all. If not, then you screwed up and need to re-check your alterations to the program. -----------------------Saving the Changes----------------------- Remember now, that DEBUG can only write to .COM and files other then .EXE (with the W command). One way to save the changes (the more unreliable way) is to rename the .EXE file to Something like .HEY or whatever, and then going in and searching for the data to be changed (with the S command). Now edit the data as normal, and save with the W command. Exit out (Q) and rename the .HEY file back to .EXE *** This will not always work *** Another way to save changes is with a sector editor (The two most widely used are Norton Utilities and PCTools). Search for the HEX values (the values I told you to write down) of the data in front of, including, and after the statement. When you find The statement, edit it. (In the above case, you'd change the HEX values of the CALL statement to read 90 90 90 90 90 --90 is the HEX value for NOP). ------------------------------------------------------------------ Method #2: Another way to remove copy protection is to leave the doc check entact, but change it so that it accepts the values that you enter 100% of the time, regardless of what it is. The ways you can do this are: 1) Change the CMP (compare) of what you entered to what it's supposed to be, so that it compares what you entered to what you entered (i.e. CMP AX,[BX-23] would be changed to CMP AX,AX). 2) Change the Jump statements (JNZ, JZ, JB, JA, JG, JL, etc.) We will use Option #2 this time, and again using Fiendish Freddy. Type the following to get started: DEBUG FREDDY.EXE Now then, proceed back up to where we saw the CALL statement that executes the protection. (CS:3EF8) And this time, trace through it (T). Now then, your CS will change to something else, because you've moved down one level in the program. Start proceeding through. You'll come upon several CALL statements that load in the text for the doc check. Ignore them, they cause no harm. (Just for your info, they exist at CS:022A, CS:0246, CS:025C, CS:0271, CS:028D, CS:02A3, CS:02B8, CS:02D4). Now then, at CS:02F2 CALL 415E:0C73 appears. What this does call for the user to enter some text from the keyboard. Proceed through the CALL statement, and the screen will wait for a key to be pressed. Enter something like "kskdksdk" and then it will take you back to the program. Proceed on until you come to the following: CS:030E 3B86DFFE CMP AX,[BP+FEDF] CS:0312 7F25 JG 0339 CS:0314 8946FD MOV [BP-03],AX Now, what is happening is the program is making a comparison of what was entered. If that value is greater then what it wants, then it jumps to CS:0339 and if it isn't then it just continues on. Now we want to fool it into thinking that the text is correct. So change CS:0312 to read JMP 0339. This way, the program will jump to 0339 every time, no matter what is entered. Now, we're not through yet. You'll soon come to this: CS:0349 9A....... CALL 415E:0419 CS:034E 7404 JZ 0354 CS:0350 B000 MOV AL,00 CS:0352 EB02 JMP 0356 Now we have another comparison here. The CALL statement is calling a compare routine, and when it's finished, if the value is equal to 0, it will jump to CS:0354, and if not, it will simply continue on. We need to fool the computer once again, and change CS:034E to read JMP 0354, so that it will always jump to 0354. This is the last change that needs to be made. Go ahead and type G to test it out. When you're done, be sure to make the changes permanent, as described above. -------------------------------------------------------------------------------- Disk Checks: (INT-13) Some copy protection schemes use the disk interrupt (INT-13). INT-13 is often used to either try to read in an ilegally formatted track/sector, or to write/format a track/sector that has been damaged. INT-13 is called like any normal interrupt with the assembler command INT 13 (CD 13). The AH register is used to select which command is to be used, with most of the other registers used for data. Now, the copy protected file might use INT-13 to load some other data from a normal track/sector on a disk, so it is important to determine which tracks/ sectors are important to the cp scheme. There are two common ways to do this 1) Use Quaid Analyzer to keep track of INT-13 activity 2) Use Locksmith to track down unusual traks/sectors. With Locksmith you can analyze the diskette. Write down any tracks/sectors that seem abnormal. These are most likely part of the protection routine. Now we must enter debug and load in the file to execute a search for CD 13. Record any addresses shown. (i.e. S CS:100 FFFF CD 13). If no addresses are picked up, then either the interrupt is encoded, or it's in a part of the program not yet loaded. Here's what a sector of hidden code might look like: CS:0000 31DB XOR BX,BX CS:0002 8EDB MOV DS,BX CS:0004 BB0D00 MOV BX,000D CS:0007 8A07 MOV AL,[BX] CS:0009 3412 XOR AL,12 CS:000B 8807 MOV [BX],AL CS:000D DF13 ........... In this section, AL is set to DF at location CS:0007. When you XOR DF and 12, you would get a CD (hex) for the INT code, which is placed right next to a 13, thus giving uou CD13 or INT-13. ---------------------------Finding Hidden INT-13s------------------------------- A good way to find hidden INT-13s is with Quaid Analyzer, or Step-13 (or Trap-13, or PC-Watch....all work equally as well). Step-13 traps the interrupts and will print where they were called from. Once running this, you can jut disassemble around the address until you find a code that looks like it is setting up the disk interrupt. Another way to decode the INT-13 is to use the G (go) command in DOS DEBUG. Just set a breakpoint at the address given by Step-13. i,e, G CS:000f (see above code). When debug stops, you will have encoded not only the INT-13 but anything else leading up to it. -------------------------------------------------------------------------------- Once you find the INT-13, all that is left to do is to get the computer to think that the protection has been found. To find out what the computer is looking for, examine the code right after the INT-13. Look for anything having to do with the CARRYFLAG or any CMP to the AH register. If a JNE or JC (etc.) happens, then unassemble (u address) the address listed with the jump. If it is a CMP then just read on. Here you must decide of the program was looking for a protected track or just a normal track. If it has a CMP AH,0 and it has read in a protected track, it can be assumed that it was looking to see if the program had successfully completed the read/format of that track and that the disk had been copied thus jumping back to DOS (usually -with INT 19). If this is the case, just NOP the bytes for the CMP and its corresponding JMP. If the program just checked for the carry flag to be set, and it isn't, then the program usually assumes that the disk has been copied. For example: CS:0002 INT 13 (Reads the sector) CS:0004 JC 0345 (Jump comparison) CS:0006 INT 19 (reboot) CS:0345 Rest of program.. The program carries out the INT and finds an error (the ilegally formatted sector) so the carry flag is set. The computer, at the next instruction, sees that the carry flag is set and knows that the protection has not been breached. But, when you make a copy, it will see the breached protection, and execute the INT 19. To avoid this, change the JC 0345 to read JMP 0345. * Note that the protection routine might be found in more then just one part of the program * Here is a chart describing INT-13 using the AH register to select the function to be used. AH=0 Reset Disk AH=1 Read the status of the disk system into AL AL ERROR ----------------- 00 - Successful 01 - Bad Command given to INT *02 - Address mark not found 03 - Write attempted on a write protected disk *04 - Request sector not found 08 - DMA overrun 09 - Attempt to cross DMA boundary *10 - Bad CRC on disk read 20 - Controller has failed 40 - Seek operation failed 80 - Attatchement failed * Represents the most commonly used in the Copy protection input: DL = Drive Number (0-3) DH = Head Number (0 or 1) CH = Track Number CL = Sector Number AL = # of sectors to read ES:BX = Load address output: AH = error number (shown above) [Carry flag set] AL = Number of sectors read AH=3 Writes (Params. as above) AH=4 Verify (Params. as above ES:BX) AH=5 Format (Params. as above CL,AL ES:BX points to format table) -------------------------------------------------------------------------------- Cracking Overlays: Sometimes the copy protection is executed in an overlay file. The best way to find out which file it is in, is to use Quaid Analyzer to track the INT 21 calls and see which program is loaded in. Next, if it was an INT-13 type protection, then you'll do as usual and just look for it in the overlay file. If it was a doc check, then you'll proceed through the .EXE file as usual (with DEBUG or whatever), and go up to the doc check. Now the changes you make might have to be made in the overlay file. What I mean, is if you search the .EXE file and don't find the HEX values, then search the overlay file. You'll have a high probability of finding them there. Then, just change the bytes in the overlay file as usual and execute the game. It should run, this time with the crack entact. -------------------------------------------------------------------------------- Hopefully this will aid you on your quest to become a crackist. And remember, don't get in over your head by attempting to crack something difficult, 'cause it will benefit you 0%. Laterz... - The Psychopath