This tutorial comes from

Acid Cool 178

Tutorial Number 37

Target

Program_____________ SiN (not updated, or something like that)
Protection___________ CD-Check
Download it at ______ Buy the CD
Date________________ June 2000

Toolz

Win32 Disassembler (W32Dasm)
Hex Editor (I use UltraEdit Version 7.10A)
cRACKER nOTES

Essay

Well, I'm in a bad mood now.. My internet connection is down and I can't find crackmes or apps to crack, no IRC, no net friends to talk with.. Only real-life assholes and training hell.. I have been biking 5 miles in under 2 hours today, so this is my little rest :)

Or, I was looking in my CD collection and I had some games that needed the CD to be played, so why the hell not? I took SiN because I can remember that I could install all of the files to the HDD, 600 MB :/ Well.. Erm..

It took me about 10 min to install the complete game onto my HDD; I took a snack break :) I have Windows 2000 PRO, so it was cool just to see if the game worked.. Maaaany programs don't work anymore, like Norton Antivirus 2000 for Win98/95 FUCK!!! I downloaded one for WinNT but haven't managed to crack it yet.. Damn..

Now, finally the game is installed, so I took the CD and put it back in its "normal" place.. The first thing I did was open the file sin.exe (the start file of the game) in a hex editor and search for "dilla" and "laserlock", just to check if the game was copy protected with C-Dilla or Laserlock. It wasn't :) Why did I do that? I have tried to crack other games and they were protected :( Even LEGO Friends Version 1.0 was protected with C-Dilla.....

Task 1.0         <-- Cracking with W32Dasm
Task 1.1         <-- Cracking with W32Dasm, another way to crack it..



Task 1.0

Copy sin.exe to another directory and open it in Win32 Disassembler. When that is done, start the game.. Now try to play it and you will get the bad thing: "You must have the SiN CD in the drive to play." Heyyyy, fuck off, I want to play it without the CD!!

Now, write that message down and go back to Win32 Disassembler, go to "Refs-->String Data References", scroll down to the line "You must have the SiN CD in the" and click on that string. Now you will see this code..


* Possible StringData Ref from Data Obj ->"You must have the Sin CD in the "
                                        ->"drive to play."		<-- Take one wild guess
                                  |
:0045BBBA 685C014800              push 0048015C		
:0045BBBF 6A00                    push 00000000
:0045BBC1 E8DA16FCFF              call 0041D2A0

Well, this is only guessing, but as I see it the first push pushes "You must have the Sin CD in the " onto the stack and the second push pushes "drive to play." onto the stack. We can figure that out later.. The call calls the message box and closes the game.. Fuck..

Scroll UP and you will see this code..


* Referenced by a CALL at Address:
|:004568B4   
|
:0045BBB0 E8CBFEFFFF              call 0045BA80
:0045BBB5 803800                  cmp byte ptr [eax], 00
:0045BBB8 750F                    jne 0045BBC9		<-- This jump must be activated
* Possible StringData Ref from Data Obj ->"You must have the Sin CD in the "
                                        ->"drive to play."
                                  |
:0045BBBA 685C014800              push 0048015C
:0045BBBF 6A00                    push 00000000
:0045BBC1 E8DA16FCFF              call 0041D2A0
:0045BBC6 83C408                  add esp, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045BBB8(C)						<-- Jump here...
|
:0045BBC9 C3                      ret

As you can see, the jump at 0045BBB8 goes to 0045BBC9 when it is taken, and it jumps OVER the badboy, so we have to change it from JNE to JMP. Now I have a problem in Win2K: Hiew doesn't work anymore.. I have to use a hex editor.. But JMP has the opcode EB in hex, and that's all I need to know..

Open sin.exe in your hex editor, search for "75 0F 68 5C 01 48", change it to "EB 0F 68 5C 01 48" and try to play the game..

CRACKED!!!!

Now that jump always jumps OVER the badboy, so it won't be executed, and that's what I wanted.. and made it do...

Task 1.1

Well, we have the file sin.exe and want to crack it another way.. Open the imports and look for "KERNEL32.GetDriveTypeA"
BREAK!!!!!!
If you want to know what I'm looking for: it is the API call used for the CD check. This comes from "cRACKER nOTES":

GetDriveTypeA / GetDriveTypeW

Determines whether a disk drive is a removable, fixed, CD-ROM, RAM disk, or network drive.
     UINT GetDriveType(
       LPCTSTR  lpRootPathName    // address of root path
     );

Returns
0 Drive can't be determined
1 Drive can't be determined
2 Root Directory does not exist
3 Fixed Drive (Harddisk)
4 Remote Drive (Network)
5 CD-ROM-Drive
6 RAM-Disk (only GetDriveTypeA)

Well TON@DO, I love the cRACKER nOTES...

This is the API call that the game uses to check whether the CD is inserted or not, and it compares the result with 5, which is the CD-ROM drive..

Back to Win32 Dasm, find the API import and click on it until you can see this code..



* Reference To: KERNEL32.GetDriveTypeA, Ord:00F0h
                                  |
:0045BB4E FF15C0004700             Call dword ptr [004700C0]	<-- LPCTSTR  lpRootPathName ??
:0045BB54 83F805                   cmp eax, 00000005		<-- The comparing routine
:0045BB57 7544                     jne 0045BB9D			<-- Badboy jump


If we look at this, the jump goes to this code..


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045BB26(C), :0045BB57(C)
|
:0045BB9D 881D288C4E00            mov byte ptr [004E8C28], bl	<-- Jumps here
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045BAAB(C), :0045BAE8(C), :0045BB6A(C)
|
:0045BBA3 5F                      pop edi
:0045BBA4 5E                      pop esi
:0045BBA5 B8288C4E00              mov eax, 004E8C28
:0045BBAA 5B                      pop ebx
:0045BBAB 83C450                  add esp, 00000050
:0045BBAE C3                      ret
:0045BBAF 90                      nop
* Referenced by a CALL at Address:
|:004568B4   
|
:0045BBB0 E8CBFEFFFF              call 0045BA80
:0045BBB5 803800                  cmp byte ptr [eax], 00
:0045BBB8 750F                    jne 0045BBC9
* Possible StringData Ref from Data Obj ->"You must have the Sin CD in the "
                                        ->"drive to play."
                                  |
:0045BBBA 685C014800              push 0048015C
:0045BBBF 6A00                    push 00000000
:0045BBC1 E8DA16FCFF              call 0041D2A0
:0045BBC6 83C408                  add esp, 00000008

Now we can see that the jump must NOT be taken, because it goes to the badboy and we don't want that.. Now we have to find the jump in our hex editor and NOP it out 4 ever.. Search for the code "75 44 BF 28 8C 4E 00" and change it to "90 90 BF 28 8C 4E 00" and the jump is gone 4 ever :) The game is also CRACKED!!! :)
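Both tasks above rest on two facts that are easy to get wrong when reading a W32Dasm listing: a short jump's 8-bit displacement is relative to the end of the jump instruction, and the value 5 that the game compares against is the Win32 constant DRIVE_CDROM. The following is an added example, not code from the tutorial or from the game; it only decodes the jump bytes quoted in the two listings and reports where each original and patched encoding lands, so the addresses the tutorial gives (0045BBB8 -> 0045BBC9 and 0045BB57 -> 0045BB9D) can be checked on paper. It reads and writes no file. One caveat for the cRACKER nOTES table quoted earlier: in the Win32 SDK headers value 1 is DRIVE_NO_ROOT_DIR and value 2 is DRIVE_REMOVABLE; those two rows are listed differently above, and the table in the code uses the SDK definitions.

```python
# Added worked example (not from the original tutorial): decode x86 rel8
# jumps and NOPs copied from the W32Dasm listings and compute their targets.

# Opcodes for short (rel8) control transfers: one opcode byte followed by a
# signed 8-bit displacement relative to the address of the NEXT instruction.
SHORT_JUMPS = {
    0xEB: "jmp",   # unconditional
    0x74: "je",
    0x75: "jne",
    0x7C: "jl",
    0x7D: "jge",
    0x7E: "jle",
    0x7F: "jg",
}
NOP = 0x90

# GetDriveType return values as defined in the Win32 SDK (winbase.h), so the
# "cmp eax, 00000005" in the listing can be read symbolically.
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN",
    1: "DRIVE_NO_ROOT_DIR",
    2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED",
    4: "DRIVE_REMOTE",
    5: "DRIVE_CDROM",
    6: "DRIVE_RAMDISK",
}


def decode_at(code: bytes, offset: int, va: int):
    """Decode the single instruction at code[offset], assumed to be loaded at
    virtual address va. Only rel8 jumps and NOP are understood.
    Returns (mnemonic, target_va_or_None, length_in_bytes)."""
    op = code[offset]
    if op == NOP:
        return ("nop", None, 1)
    if op in SHORT_JUMPS:
        disp = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
        # The displacement is added to the address after the 2-byte jump.
        return (SHORT_JUMPS[op], va + 2 + disp, 2)
    raise ValueError(f"opcode {op:02X} at {va:08X} is not a rel8 jump or nop")


def decode_run(code: bytes, va: int):
    """Decode consecutive instructions until the buffer is exhausted."""
    out, off = [], 0
    while off < len(code):
        mnemonic, target, length = decode_at(code, off, va + off)
        out.append((va + off, mnemonic, target))
        off += length
    return out


def patch_effect(original: bytes, patched: bytes, va: int) -> str:
    """Describe in words what replacing `original` with `patched` at va does
    to control flow. Mirrors the two edits made in the tutorial."""
    before = decode_at(original, 0, va)
    if before[1] is None:
        raise ValueError("original bytes must be a jump")
    after = decode_run(patched, va)
    if len(after) == 1 and after[0][1] != "nop":
        _, mnemonic, target = after[0]
        same = "same" if target == before[1] else "different"
        return f"{before[0]} -> {mnemonic}, {same} target {target:08X}"
    if all(m == "nop" for _, m, _ in after):
        return (f"{before[0]} to {before[1]:08X} removed; "
                f"falls through to {va + len(patched):08X}")
    return "mixed patch"


# Jump bytes copied from the tutorial's listings (constructed test input).
TASK10_ORIG = bytes.fromhex("750F")   # 0045BBB8: jne 0045BBC9
TASK10_PATCH = bytes.fromhex("EB0F")  # tutorial's edit: jmp 0045BBC9
TASK11_ORIG = bytes.fromhex("7544")   # 0045BB57: jne 0045BB9D
TASK11_PATCH = bytes.fromhex("9090")  # tutorial's edit: two nops

if __name__ == "__main__":
    print(patch_effect(TASK10_ORIG, TASK10_PATCH, 0x0045BBB8))
    print(patch_effect(TASK11_ORIG, TASK11_PATCH, 0x0045BB57))
    print("cmp eax, 5 compares against", DRIVE_TYPES[5])
```

Running it reproduces the tutorial's arithmetic: 0045BBB8 + 2 + 0F = 0045BBC9, and 0045BB57 + 2 + 44 = 0045BB9D, which is why the same displacement byte 0F can stay in place when 75 becomes EB in Task 1.0, and why the two-byte jump in Task 1.1 has to be replaced by exactly two NOPs so the following mov edi instruction is still decoded at 0045BB59.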


Ending

Well, I have tried my best to explain cracking this game.. Hope that you will forgive all of my spelling and grammar errors....



LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^, AC|D, Dark Wolf, Marton and all the others I have forgotten