November 01, 2007

Cracking Tutorial : Quake 3 Arena

Note :
All my tutorials are for educational purposes only.

Some info about the target :
Title : Quake 3 Arena
Protection : CD Check

Click on the images to view the larger version.

Step 1 : Load OllyDbg and open "quake3.exe", which is our target.

Step 2 : Right-click in the CPU window and choose "Search for > All referenced Text Strings". (Refer pic below)



Step 3 : Right-click in the References window that appears and choose "Search for text".



Step 4 : Enter "CD" in the dialog box that pops up, don't forget to check "Case sensitive", and click "OK". (Refer pic below)



Step 5 : Hit "Ctrl+L" until you land on the line "Game CD not in drive". Now double-click on this line. It takes you to the following line, which is at address 0042DFC6.

Code:

0042DFC6  |.  68 80E34B00   PUSH    quake3.004BE380                  ;  ASCII "Game CD not in drive"

Step 6 : Observe the following two lines, which sit just above the line we found.

Code:

0042DFC2  |.  85C0          TEST    EAX, EAX
0042DFC4  |.  75 0F         JNZ     SHORT quake3.0042DFD5

TEST EAX,EAX -> Checks whether EAX is 0 or not.
JNZ -> Jump if Not Zero, i.e. it jumps when EAX is not 0 (here, 1).


Step 7 : Just modify the JNZ to JMP by double-clicking on the line, so that the code looks like the one below (the opcode byte changes from 75 to EB).

Code:

0042DFC4  |.  EB 0F         JMP     SHORT quake3.0042DFD5

Step 8 : Right-click in the CPU window, select "Copy to Executable > All modifications" and choose "Copy All" in the dialog that pops up.



Step 9 : A dump window appears. Right-click on it, select "Save file" and type a name, e.g. quake3cracked.exe.


You can also change the

Code:

0042DFBD      E8 AE210100   CALL    quake3.00440170

to

Code:

0042DFBD      B8 01000000   MOV     EAX, 1

This CALL sits just above the TEST EAX, EAX line. There are a lot of ways to crack! This is also a good method, cuz it makes the program think that the CD has been inserted.

That concludes the tutorial. I hope that you enjoyed it.

July 08, 2007

Cracking Tutorial : Tomb Raider - Last Revelation

Some info about the target :
Title : Tomb Raider - The Last Revelation (a.k.a. Tomb Raider 4)
Version : XP patched version downloaded from www.Tombraiderchronicles.com
Protection : CD check.

Cracking tools used : OllyDbg 1.10 (best debugger)

Click on the images to view a Larger version of it.

OK, let's start cracking.
Initial step: run the game without the CD. You'll note the following message box.



I read the text and clicked on Cancel. I loaded OllyDbg and opened the file "tomb4.exe". It was disassembled and ready to be cracked.

Now I right-clicked and selected "Search for > All Referenced Text strings".


A new window containing a lot of text popped up. It's called the "References" window. I right-clicked in the References window and chose "Search for text".



I typed a part of the string that the game displayed when I didn't insert the CD, and hit Enter.



I found the string.



Then I double-clicked on it. That took me here.



I scrolled a few lines up and set a breakpoint on the starting point of the routine at 0048E9C0. Later I realised that the check must happen before the popup is displayed, so I searched for conditional jumps within the routine and above the message string. I found two conditional jumps at 0048EA06 and 0048EA13, so I cleared my previous breakpoint and set two breakpoints at 0048EA06 and 0048EA13.



Upon analysing these two jumps I found that the first one jumps past the message box, so it might be the second one. There is a strange CALL between the first conditional jump and the next one. That call might be the CD check.

Code :

0048EA04  |. 84C0           TEST AL,AL
0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33
0048EA0C  |. E8 FF51FEFF    CALL tomb4.00473C10 --> Strange Call, CD Check?
0048EA11  |. 84C0           TEST AL,AL
0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

Take a look at the code below the call: it checks a value returned by the call. I found out that the call returns 01 when the disc is inserted and 00 when the disc is not in the drive. So we've got to remove the call and replace it with some other code. This method is applicable to Ballance also.

So I'm gonna replace the call with MOV EAX,1. I selected the call line, pressed Space and typed MOV EAX,1.



The other alternative is to set AL to 1, i.e. replace the call with MOV AL,1. Be sure to check "Fill with NOP's".

This will also work, but after modification the code will look like this:

Code:

0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33
0048EA0C  |. B0 01          MOV AL,1
0048EA0E  |. 90             NOP
0048EA0F  |. 90             NOP
0048EA10  |. 90             NOP
0048EA11  |. 84C0           TEST AL,AL
0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

The call is a four byte code; since we are replacing it with a single byte code we have to fill with NOP's, and you'll notice that there are three extra lines (NOP's). I'd rather see a four byte code replaced by a four byte code; that's just how I like it, and if you don't do it that way it won't cause any problem. Still, I always try to avoid NOP's, so I recommend replacing the call with the 4 byte code "MOV EAX,1".

When you use MOV EAX,1 the code will look like:

Code:

0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33
0048EA0C  |. B8 01000000    MOV EAX,1
0048EA11  |. 84C0           TEST AL,AL
0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

Both of these methods work.
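A small decoder, added here as an example and not part of either tutorial, that handles only the instruction forms appearing in the Quake 3 and Tomb Raider listings above. It lets you check the addresses and branch targets printed by OllyDbg, and it flags a patch that does not keep the original instruction boundaries, which is exactly why the MOV AL,1 version needs the NOP's. The function names `decode` and `same_layout` are my own.

```python
import struct

# Decoder for the x86-32 forms used in the listings: NOP, TEST AL,AL,
# TEST EAX,EAX, MOV AL,imm8, MOV EAX,imm32, PUSH imm32, JNZ/JMP rel8,
# JNZ rel32 (0F 85) and CALL rel32. Anything else raises.
def decode(addr, code):
    """Decode bytes loaded at virtual address addr -> [(addr, text, length)]."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x90:
            text, n = "NOP", 1
        elif op == 0x84 and code[i + 1] == 0xC0:
            text, n = "TEST AL,AL", 2
        elif op == 0x85 and code[i + 1] == 0xC0:
            text, n = "TEST EAX,EAX", 2
        elif op == 0xB0:
            text, n = "MOV AL,%d" % code[i + 1], 2
        elif op == 0xB8:
            text, n = "MOV EAX,%d" % struct.unpack_from("<I", code, i + 1)[0], 5
        elif op == 0x68:
            text, n = "PUSH %08X" % struct.unpack_from("<I", code, i + 1)[0], 5
        elif op in (0x75, 0xEB):  # rel8 branch: target = next instruction + rel
            n = 2
            rel = struct.unpack_from("<b", code, i + 1)[0]
            text = "%s SHORT %08X" % ("JNZ" if op == 0x75 else "JMP", addr + i + n + rel)
        elif op == 0xE8 or (op == 0x0F and code[i + 1] == 0x85):  # rel32
            n = 5 if op == 0xE8 else 6
            rel = struct.unpack_from("<i", code, i + n - 4)[0]
            text = "%s %08X" % ("CALL" if op == 0xE8 else "JNZ", addr + i + n + rel)
        else:
            raise ValueError("unsupported opcode %02X at %08X" % (op, addr + i))
        out.append((addr + i, text, n))
        i += n
    return out

def same_layout(addr, original, patched):
    """True if the patch keeps the total length and every original
    instruction start, so the code after the patched site is untouched."""
    if len(original) != len(patched):
        return False
    starts = lambda code: {a for a, _, _ in decode(addr, code)}
    return starts(original) <= starts(patched)
```

Feeding it the 17 bytes from 0048EA04 shows the CALL at 0048EA0C is 5 bytes long, so a 2-byte MOV AL,1 needs three NOP's while the 5-byte MOV EAX,1 fits exactly; dropping the NOP's shifts TEST AL,AL and the following JNZ.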

Now I've changed the code only in memory; I've got to change it permanently in the exe file. So I right-clicked and selected "Copy to executable > All modifications"



and chose "Copy all". A dump window popped up; I right-clicked there and selected "Save file"



and I typed a new name for the cracked file.

Use the same method to crack the Tomb Raider - Chronicles XP patched version.