Mech Warrior 3 - Tutorial by BlueFox

"Well I'd like to thank BlueFox for this well-written and newbie oriented essay on basic CD check cracking which in this case isn't much different from most Windows cracks. I'm sorry to say that for the most part CD check cracking is rather a tedious "NOP the beggar_off" affair, unless you are fortunate enough and indeed patient enough to download some bloated game protected by one of the commercial schemes e.g. C-Dilla, SecureROM". "Ever so slightly edited by CrackZ".

CD Check Series, Tutorial #1

Hi! and welcome to this, my first tutorial :) I will try to explain everything, so this tutorial will be suitable for newbies. We will be dealing here with a relatively easy CD check protection. This should get you started on cracking more complex CD based schemes.

OK, the most common, but not the only, way to check for the presence of the games CD is to check for a certain file on the CD, it may also read the file and verify the contents, or maybe multiple files, you get the idea its *usually* based around file I/O. NOTE: we are talking about games that DONT REQUIRE files off the CD, but they just check to see if they are present.

Now, the first thing to do when dealing with a game of this sort is to run the program w/o the CD to see WHERE in the game and how many times the CD is checked for. For example it might have one check at the beginning of the game, and then once more when you try to host a multiplayer game or something. Also does the game just boot you out when it doesn't find the CD? Does it show an error box then kick you out? does the error box, if any, have a "retry" button? If there is an error box, is it a MessageBox? Or just a regular window? These are all important to the crack, so figure it out, and keep what you find in mind. NOTE: you can determine if a window is a MessageBox by using SoftICE and typing 'bpx MessageBoxA' then run the game and get it to display the error, if its a MessageBox you will break.

OK, now you know that our target, Mech3, has only ONE check at the very beginning, and that it displays an error message with a retry button(!). The retry button could come in very handy because it will act as an entry point to the protection code, (but we wont use it here). We now have eneough info. to crack this target, but let us first try and get a little more to help us recognize what we will be looking for in the protection code. Now, since this target has a nice little window with a retry button, we will run the game w/o the CD and wait for the window to pop up.

You there? Good =) OK, now remember I said that a lot of CD check protections use the file system to check for the CD. So, fire up FileMon, set the process filter to mech3*. Now click on the 'OK' button of the error window, you will get the following: (NOTE: I have deleted a couple lines, that were obviously worthless).

Mech3	                Ioctl		A:			SUCCESS	
Subfunction: 08h Mech3	Ioctl		C:			SUCCESS	
Subfunction: 08h Mech3	FindOpen	C:\*.*			SUCCESS	
DISK2PAR.T01 Mech3	FindClose	C:\*.*			SUCCESS
Mech3			Ioctl		D:			SUCCESS
Subfunction: 08h Mech3	FindOpen	E:\VIDEO\C1.AVI		NOTREADY *

* The file name will be the same for you, but the DRIVE letter may change.

OK, you can see accessing to all the drive letters in your system, but why? why not just the drive letter of your CD drive?. Well, because this game is scanning all the drives until it finds a CD-Rom drive, then it will attempt to open the file 'c1.avi'. OK simple enough, now how is the best way to try and crack this?. We saw that it is scanning all the drives in the system, GetDriveTypeA is usually used to do something like that so let us set a break on it and see what we get.

Run the game w/o the CD, it will pop up on that error window. Go into SoftICE (Ctrl-D) and type 'bpx GetDriveTypeA' now quit with another Ctrl-D. Run the game and you will break on a call to GetDriveTypeA. This is where we will begin our descent into the deep, dark, spooky code woods. Scared? YES? Good, me too =). Now, we are in SoftICE, inside system code, so we will hit F12 to keep going until we exit the GetDriveTypeA API call. We will be at this code:

JZ 0056F7E8     ;If eax = 3 then it will jump.
JNZ 0056F80C    ;If eax = 5 then it won't jump.
PUSH 007263A8   ;Dump this location, you will see "x:\video\c1.avi".
CALL [005B5590]	;This is pushed as a parameter to this CALL.
ADD ESP, 08	;Fix stack.
TEST EAX, EAX	;Test outcome of CALL.
JNZ 0056F80C	;Guess: if we jump here this will give us the error.
JMP 0056F804	;This will take us into the game.

Now you will notice, if you scroll down the code window (Ctrl-Down.Arrow) that a constant is pushed onto the stack as parameter to the CALL following it. Well we are curious, so do a 'd 7263A8' and what do we see but our lovely 'a:\video\c1.avi' now this is set for the A drive but that is not what we want (remember that it scans all the drive letters), so hit Ctrl-D (several times) until that turns into 'x:\video\c1.avi' where x is the letter of your CD drive. So now you are back again from that last call to GetDriveTypeA and we have our correct string in the data window, so we hit F8 to single step down until we are on top of the CALL [005B5590], go now hit F10 to step over the call.

OK, now what do you suppose the CALL [005B5590] does? well the pointer to the string 'e:\video\c1.avi' is pushed on the stack as a parameter to this call, so that tells me that this call is probably doing the checking to see if that file is there, now for most calls the return value, is stored in EAX, so the TEST EAX, EAX line is setting the ZF based upon what is in EAX. OK, so we think for 1 sec, and we guess that we are *supposed* to take the JMP 0056F804, so how are we going to do that if that nasty JNZ 0056F80C is always jumping us away just before we get there?.

Well the simplest way to do this is to press F8 until you are on top of the JNZ 0056F80C now type 'e eip 90 90' this will put the bytes 90 90 at your current point in the code, 90 is a NOP which means 'No OPeration', you see now that it just passes over the NOP's and takes the JMP like we want it to, so clear your breakpoints with 'bc *' and hit Ctrl-D. BINGO! We found the right place. Mech 3 is now cracked.

OK, you go play the game for a while. then you come back, and the next time you try and play it you still get the same error! What gives!, we only patched the game in memory, to make our crack permanent we must patch the mech3.exe file, so open it up with a good hex editor (like UEdit or Hiew) and search for some bytes surrounding the JNZ:

83 C4 08 85 C0 75 26 EB 1C  --> change 75 26 to 90 90.

Thats it. Good luck. BlueFox greets some good crackers, and overall cool people. NeUrAl_N, TORN@DO, HarvestR, yoshi, DEZM, Tin, WarezPup, tKC and everyone in PC, Iczelion, hutch, Lord Caligo, CrackZ, Mammon_, Fravia+, Greythorne, +ORC, YES, there are lot of people I missed, sorry :-). This entire work is copyright, BlueFox 1999.

CD Checks Return to Main Index

© 1999 Hosted by CrackZ. 27th August 1999.