Dos 4GW Cracking

This lesson is still under construction, but I am working on it right now. I hope it will be released in a few weeks.


If you have cracked some DOS/4GW games, then please send me your work.

Time is not my best friend. The hardest part of writing tutorials is making them easy to follow. I have cracked and trained some protected mode games, but I can't really explain the approach I used, simply because I relied on intuition and also had some luck. I would need to crack at least a few more to be able to explain it in an easy-to-follow way. Don't get me wrong, it's not hard to crack them; it's just hard to explain how they work (at least with only one free hour a day to work on it). Therefore I hope some of you out there find Pmode interesting and want to learn more about it by studying it on your own. I'll write this lesson in parts and update it every now and then. I hope it will be finished by the end of October, that is, if I don't get any help.

Small Pmode training exercises (Acid Tetris)

One thing that is different in Protected Mode is the memory management. Pmode offers linear memory (more about this later). Data is no longer in a "special" area of memory; it can be anywhere. The CPU can address 4 GB, so the data can be anywhere from 0 to FFFFFFFF. You'll see later that it starts from 30:0. The game is available from Download.com. Fetch it and read on. Start the game and switch to SoftICE. You must use WinICE. Look at the registers. Switch back and forth and you'll see how CS, DS, ES, FS and GS change. Keep looking at DS. Let's begin by searching for the menu text, like 'New Game'.

Do a search:

S 30:0 L ffffffff 'New Game'

You'll find it very quickly. When you switched back and forth between WinICE and Atetris, you should have seen that DS got different values, e.g. 00BF. Now do that search again, but from 00BF.

S 00BF:0 L ffffffff 'New Game'

See that the offset is the same as the offset in 30:0. That's because they point to the same physical address. Changing one will change the other. Try it and you'll see. Later you'll learn all about this in a Pmode tutorial that will be included in this lesson.

The fact that variables can be anywhere in memory makes training a lot harder, of course. We can't exclude areas that aren't used by the program, as we can in real mode, where we just use the 'MAP' command to see which memory areas our program uses. The next thing to do with this game is to locate where our current score is stored.

Now let's say we have 500 or 1000 points. The usual procedure would be to convert our score to hex and search for it in the data area. Searching for 100, 500 or 1000 in all of the computer's memory will turn up over 40 locations, and that's if you're lucky. Those numbers are very common, and other programs will store them in memory in many places. Those do not interest us. We only want the locations that Atetris uses. In fact we only want one location, where Atetris stores the current score.

How do we find that? We could search in 4 MB chunks and investigate every location found. To make that easier we should play the game until we get a score that's unlikely to be in memory because of other programs. I played until I got 1600 points, which is 640h. Remember that in memory it will be stored as 40 06 (low byte first). Search for it:

S 30:0 L FFFFFFFF 00 00 00 40 06

Found 10 occurrences. The first one is the good one.
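The score search above, modelled in Python as an added example (not code from the lesson): it packs a score the way the lesson writes it (1600 = 640h, stored as 40 06), runs the byte search over a constructed memory image, and goes one step further than the text by narrowing the hits after the score changes, which is what investigating every location by hand amounts to. The image, its offsets and the "noise" bytes are all made up for the demonstration.

```python
# Added example, not from the original lesson: a Python model of the
# SoftICE "S 30:0 L ffffffff <bytes>" search and of the narrowing a trainer
# writer does by hand after letting the score change.
import struct
from typing import Dict, List

def score_pattern(score: int, width: int = 2) -> bytes:
    """Little-endian bytes for a score, e.g. 1600 = 640h -> bytes 40 06."""
    return struct.pack({2: "<H", 4: "<I"}[width], score)

def find_all(memory: bytes, pattern: bytes) -> List[int]:
    """Every offset in the flat memory image where pattern occurs."""
    hits, pos = [], memory.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = memory.find(pattern, pos + 1)
    return hits

def narrow(memory: bytes, candidates: List[int], new_score: int, width: int = 2) -> List[int]:
    """Keep only candidates that now hold the new score (the real counter)."""
    pat = score_pattern(new_score, width)
    return [off for off in candidates if memory[off:off + width] == pat]

def build_image(score: int, real_off: int, noise: Dict[int, bytes]) -> bytearray:
    """Constructed 64 KiB flat image (hypothetical, not a real dump): the
    game's score word at real_off plus unrelated bytes left by other programs."""
    img = bytearray(0x10000)
    img[real_off:real_off + 2] = score_pattern(score)
    for off, data in noise.items():
        img[off:off + len(data)] = data
    return img

def demo():
    real = 0x1234                      # constructed: where "Atetris" keeps the score
    noise = {0x0100: b"\x64\x00", 0x2000: b"\x64\x00", 0x3000: b"\x64\x00",
             0x8000: b"\x64\x00", 0x4440: b"\x11\x22\x33\x44\x40\x06"}
    img = build_image(1600, real, noise)
    common = find_all(bytes(img), score_pattern(100))   # 100 points: 4 hits, none ours
    rare = find_all(bytes(img), score_pattern(1600))    # 1600 points: 2 hits
    # The lesson's '00 00 00 40 06' keeps only hits preceded by zero bytes;
    # the reported address is that of the first pattern byte, the score is at +3.
    prefixed = find_all(bytes(img), b"\x00\x00\x00" + score_pattern(1600))
    img[real:real + 2] = score_pattern(1800)            # play on, the score changes
    narrowed = narrow(bytes(img), rare, 1800)           # only the real counter follows
    return len(common), len(rare), [p + 3 for p in prefixed], narrowed
```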

This was a small exercise; making trainers is quite a bit more complicated than just locating the code. I'll update this lesson as soon as I get new material.
