The Only Remedy

Blog requires a complete makeover!

2009-04-27T21:27:00.003+05:30

Many might feel that the layout of the blog is bad, I'm gonna go for a completely new layout. Will create a layout and then add it. Planning to turn into an open source supporter. Will give away my blog templates for free!

Recently I learned to code in .NET framework, and also was working in ASP.NET for my college project, so was forced to learn CSS. Once I learnt that, I was amazed by the power of it and also realized the need for pure CSS 2.1 layouts for this blog. Will be doing all that ASAP.

Love web designing, its one area which allows to express myself as both an Artist and Coder!

Cracking Tutorial : Quake 3 Arena

2007-11-01T23:15:00.000+05:30

Note :
All my tutorials are for educational purposes only.

Some info about the target :
Title : Quake 3 Arena
Protection : CD Check

Click on the images to view the larger version.

Step 1 : Load OllyDbg and open "quake3.exe", which is our target.

Step 2 : Right click the CPU window and Choose "Search for > All referenced Text Strings". (Refer pic below)

Step 3 : Right Click and Choose "Search for Text".

Step 4 : Enter "CD" in the dialog box that popped up and dont forget to check "Case sensitive" and click "OK". (Refer pic below)

Step 6 : Hit "Ctrl+L" until you land in line "Game CD not in drive". Now double click on this line. It will take you to this line which is at the address 0042DFC6.

Code:

0042DFC6  |.  68 80E34B00   PUSH    quake3.004BE380                  ;  ASCII "Game CD not in drive"

Step 6: Observe the following lines, these lines are found above the previous line which we saw.

Code:

0042DFC2  |.  85C0          TEST    EAX, EAX

0042DFC4  |.  75 0F         JNZ     SHORT quake3.0042DFD5

TEST EAX,EAX -> Checks whether EAX is 0 or not.
JNZ -> Jump if Non-Zero ie. Jumps if EAX is 1.

Step 7 : Just modify the JNZ to JMP by double clicking on the line, so that the code looks like the one below.

Code:

0042DFC4  |.  75 0F         JMP     SHORT quake3.0042DFD5

Step 8 : Right click in the CPU window and select "Copy to Executable > All modifications" and choose "Copy All" in the dialog that pops up.

Step 9 : A dump window appears, right click on it and select "Save file", type a name, eg. quake3cracked.exe.

You can also change the

Code:

0042DFBD      E8 AE210100   CALL    quake3.00440170

Code:

0042DFBD      B8 01000000   MOV     EAX, 1

this CALL is above the line TEST EAX, EAX. There are a lot of ways to crack ! This is also a good method to crack, cuz it makes the program think that CD has been inserted.

That concludes the tutorial. I hope that you enjoyed it.

Cracking Tutorial : Tomb Raider - Last Revelation

2007-07-08T14:38:00.000+05:30

Some info about the target :
Title : Tomb Raider - The last revelation (a.k.a) Tomb Raider 4
Version : Xp patched version downloaded from www.Tombraiderchronicles.com
Protection : CD check.

Cracking tools used : Ollydbg 1.10(Best Debugger)

Click on the images to view a Larger version of it.

Ok lets start cracking.
Intial steps.. run the game without CD. you'll note the following messagebox.

I read the text, and clicked on cancel. I loaded OllyDbg and opened the file "tomb4.exe", Its was disassembled and ready to be cracked.

Now I right clicked and selected "Search for > All Referenced Text strings",

A new window containing a lot of text popped up. Its called the "References" Window, I right clicked in the references window and chose "Search for text".

I typed a part of the string that the game displayed when I didnt insert the CD.. and hit enter.

I found the string.

Then I double clicked on it. That took me here.

I scrolled a few lines up and set a breakpoint on starting point of the routine at 0048E9C0. Later I realised that the check must before displaying the popup.. So I searched for conditional jumps within the routine and above the message string. I found two conditional jumps at 0048EA06 and 0048EA13. So cleared my previous breakpoint and made two breakpoints on 0048EA06 and 0048EA13.

Upon analyzing these two jumps I found out that first one will take past the message box.. so It might be the second one... there is a strange Call below the previous conditional jump and next conditional jump. That call might be the CDcheck.

Code :

0048EA04  |. 84C0           TEST AL,AL

0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33

0048EA0C  |. E8 FF51FEFF    CALL tomb4.00473C10 --> Strange Call, CD Check?

0048EA11  |. 84C0           TEST AL,AL

0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

Take a look at the code below the call, its checking some value returned by the call. I found out that the call returns value 01 when the disc is inserted and 00 when the disc is not in the drive. So, gotta remove the call and replace with someother code. This method is applicable to Ballance also.

So I'm gonna replace my call with MOV EAX,1. So I selected the call line and pressed space and type MOV EAX,1.

Other alternate is change the value of AL as 1.. so you gotta replace the call by MOV AL,1. Be sure to check the "Fill with NOP's",

This will also work but after modification the code will look look like this..

Code:

0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33

0048EA0C  |. B0 01          MOV AL,1

0048EA0E  |. 90             NOP

0048EA0F  |. 90             NOP

0048EA10  |. 90             NOP

0048EA11  |. 84C0           TEST AL,AL

0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

The call is a four byte code, since we are replacing it with a single byte code we have to fill NOP's, you'll be able to notice that there are three extra lines (NOP's), so a four bit code has to be replaced by a four byte code... thats what I like it to be.. if you dont use it wont cause any problem. I always try to avoid NOP's. So I recommend you to replace the call by 4 byte code "MOV EAX,1"

when you use MOV EAX,1 the code will look like..

Code:

0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33

0048EA0C  |. B8 01000000    MOV EAX,1

0048EA11  |. 84C0           TEST AL,AL

0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

In both these methods the crack will work..

Now I've changed the code only in the memory I gotta change it permanently in the exe file. So I right clicked and selected "Copy to executable > All modifications"

and I chose "copy all", a dump window popped up.. I right clicked there and I selected "Save file"

and I typed a new name for the cracked file.

Use the same method to crack Tomb raider - Chronicles XP Patched version.

My blog !

2006-10-22T19:41:00.000+05:30

A few mins back I created this blog... I'll be sharing the stuff that I know about computers, mostly will be posting some tutorials for newbies. So visit often.