LaZaRuS [hf] proudly presents his 13th Cracking Tutorial (29.04.1999)

Italian Football Manager 2 1.10

   I.   Tools you need for my tutorial
   II.  The Crack
   III. BTW


I. Tools you need for my tutorial

   Italian Soccer Manager 2 1.10 (http://www.geocities.com/Colosseum/6149)
   IDA (get it at CrackZ's page; find a link at http://come.to/hellforge)
   TRON (search for +TRON +Unpack in Altavista)


II. Cracking

Greetings dear reader. This time it is a DOS game which I am going to crack. It is the first DOS program I have ever cracked and the first time I used IDA. I just cracked it and I am still so happy that I have to write down how I did it.

First I want to thank Freeman. Without him this crack and the tutorial would never have been done. He told me that the EXE file is packed, sent me the unpacker and had a look at another version of ISM2. When I describe how I handle IDA there might be better ways to do this and that, but I don't know them. The only time I ever used IDA was for this crack.

OK, let's go. The first time I disassembled it (W32Dasm) I got nothing but garbage, no deadlisting you could work with :( (the reason, as it turned out, is that the EXE is packed). SoftICE wasn't much more useful either: I was only able to bpx on the mouse interrupt, and this led me "deep in the dark codewoods" where I terribly lost my way. Hopeless, I asked in Sandman's forum (www.idca.com/~thesandman) if someone could help me, and Freeman released me from my pain ;-) He downloaded another version of ISM2, cracked that one and then gave me some hints.

When you run ISM2 you see that you are only able to play one year (in the game, of course).
Then the program doesn't let you play further, saying that this isn't allowed in the shareware version.

At first you have to unpack Soccer.exe with TRON. Then disassemble the unpacked file (I called it s.exe) in IDA; disassembling the packed original only gives you the packer's stub. Remember the message saying that you should buy the full version. It contains the word shareware. Now in IDA choose Navigate/Search for/Text and enter "Share". You will see this:

   seg060:10C0 aALLENATOREShar db 'A L L E N A T O R E - Shareware version', 0

This means the string (it was the title of the "Buy me" message) is stored at offset 10C0h in seg060. Now search for "10C0h". You'll see this:

   seg060:057F mov ax, 10C0h

This is the place where the string is used in the program, i.e. where the "Buy me" message is shown. Scroll a little up and you'll see a line with the text "S u b r o u t i n e". This means we're inside the routine that shows the "Buy me" message. Two lines below you see:

   seg060:0574 sub_E5E_574 proc far ; CODE XREF: sub_31BB_5CD8+24P

"sub_E5E_574" is the identifier of this routine, so we have to look where it is called. Search for "sub_E5E_574" and you'll see this (keep searching until you see it; IDA will show you some references before, but these are all proc definitions):

   seg072:5CF7 cmp ax, 0Ah
   seg072:5CFA jl loc_31BB_5D0E
   seg072:5CFC call sub_E5E_574

As you can easily see, the call calls our "Buy me" message, and the jl one line above jumps past the call (to loc_31BB_5D0E) whenever AX is below 0Ah, so the message is only shown when that comparison fails. Do you think what I think? Of course: making this jump permanent would let us play ISM2 forever.

So change the offset at ??? I still don't know how to find out in IDA the file offset you have to patch. (For an MZ executable it is header size + seg*16 + off, where the header size is the word at offset 8 of the MZ header times 16, and the segment value is the one IDA puts into the label, here 31BBh from loc_31BB_5D0E.) I did the patch in this way: highlight the jl line and choose Edit/Patch program/Assemble and enter jmp loc_31BB_5D0E as the new instruction. A jl (opcode 7Ch) and a short jmp (opcode EBh) are both two bytes long, so only the opcode byte changes and the displacement stays the same. Then save the patched file with File/Produce output file/Produce EXE file. Then start the new (unpacked and patched) file and look what happens. I tell you: we did it. Now you can play ISM2 forever (and even longer if you want to ;-)
III. BTW

Hope my tutorial was helpful for you and see you again in my next tutorial.

Greets to: Fravia+, tKC, ED!SON, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and all [hf] members


All Tutorials by LaZaRuS [hf]

 #| date   | name             |version|W32Dasm|Soft-Ice|kind of crack              |
--|--------|------------------|-------|-------|--------|---------------------------|
01|20.01.99|Jaylock           |1,0,0,1|  (X)  |  (X)   |serial#                    |
02|31.01.99|Goldwave          |4.02   |  (X)  |  (X)   |serial#, nag-screens       |
03|28.03.99|AxMan             |3.00   |  (X)  |  (X)   |serial#, remove date-limit,|
  |        |                  |       |       |        |nag-screen, key generator  |
04|29.03.99|C++Builder Strings|       |  (X)  |  (X)   |how to find strings in     |
  |        |                  |       |       |        |C++ Builder that are not   |
  |        |                  |       |       |        |hardcoded                  |
05|29.03.99|Better Protection |       |       |        |how to protect shareware   |
  |        |                  |       |       |        |better against crackers    |
06|04.04.99|Start Clean       |1.2    |  (X)  |  (X)   |nag-screen/serial/keygen   |
07|06.04.99|MP3 TO EXE        |1.02   |  (X)  |  (X)   |nag-screen/serial          |
08|06.04.99|HexDecCharEditor  |1.02   |  (X)  |        |make it registered         |
09|20.04.99|PowerZip          |4.51   |  (X)  |        |serial/time-check/...      |
10|24.04.99|eKH CrackMe       |1.0    |  (X)  |        |serial                     |
11|25.04.99|F-Secure          |4.02   |  (X)  |        |time limit/nag             |
12|29.04.99|Latido's JS       |3.0    |       |        |serial                     |
  |        |Reverse Me        |       |       |        |                           |
13|24.05.99|Italian Soccer    |1.10   | (IDA) |        |patch to remove the time   |
  |        |Manager           |       |       |        |limit                      |

LaZaRuS [hf]

Visit Hellforge at http://come.to/hellforge for more tutorials and high quality cracking links.
If you want to mail me: lazarus666@gnwmail.com