Isn't it amzing how fast those warez dudes are. The only thing that matters to them are speed. The traders speak of zero dayz warez and zero dayz releases. I recently found a fishing game on a ftp site and decided to give it a try. I unrared the files and noticed that there was no install.exe nor setup.exe. Also missing was a crackfile, but according to the .nfo file the game was to be cracked. When I ran the game I realized this was not the case . First I got the impression that the protection was untouched. Later I found out that it was partly cracked. The protection is a "CD-rom check".
It first looks for a cd-rom using GetDriveTypeA. It then tries to play a sound file located on the original cd-rom. I don't have an URL for the game 'cause like all comercial software it always on the run. You should be able to find it on the net. If you dont find it you could still find something useful here:)
A Cd rom protection usually checks if the file is executed from a CD-ROM or it could try to open a file (could be hidden) on the cd. The API functions that can be used to detect a cd-rom are GetLocalDrives and GetDriveType. In this lesson we really dont care about that, we care for the part of the protection that determines that the "correct CD" is/isn't in the CD-Drive.
CD-protections under windows are usually not hard to defeat. Since most of them utilize API call to much instead of assembly routines. When you execute BASS2.exe a screen pops up and some music is played. Then a message box tells us it couldn't find the correct CD. We have two doors we could enter here, one is to enter through the MessageBox and the other is to run Filemon and see what file BASS2.exe is trying to open.
Filemon tells us that BASS2 is looking for a file called "CdAudio". It looks everywhere for that file not just on the cdrom drive (desperate program). Putting a BPX on CreateFileA won't do. Too many files are open and if you go trough all of them you will not encounter CdAudio. So we will have to enter trough the MessageBox (BPX MessageBoxA). When softice pops up, press F11 to get out of Messagebox and back to the BASS2.exe's code. You'll find your self here.
:004273E9 8B3580664900 mov esi, dword ptr [00496680]
:004273EF 68A0684800 push 004868A0
:004273F4 6A00 push 00000000
:004273F6 FFD6 call esi
:004273F8 83F804 cmp eax, 00000004 ; Here you are!!
:004273FB 0F8485000000 je 00427486
:00427401 6A01 push 00000001
:00427403 E8B80B0300 call 00457FC0
:00427408 83C404 add esp, 00000004
:0042740B EB0C jmp 00427419
Scanning upwards you'll see only one conditional jump, and that wont take you to a nice place. This means that we are taken here by another jump or call somewhere else in the code. We need to find out where that jump/call is. We need to get a calling hierarchy, so we can find the call that executes the protection. Trace out of this routine and you'll see this:
:0042735B 6645 inc bp :0042735D 6683FD03 cmp bp, 0003 :00427361 7ECF jle 00427332 :00427363 85F6 test esi, esi :00427365 7413 je 0042737A :00427367 56 push esi :00427368 E843000000 call 004273B0 :0042736D 83C404 add esp, 00000004 :00427370 33C0 xor eax, eax :00427372 5D pop ebp :00427373 5F pop edi :00427374 5E pop esi :00427375 5B pop ebx :00427376 83C43C add esp, 0000003C :00427379 C3 ret And we trace on: :0042617F E8DC0F0000 call 00427160 :00426184 83C404 add esp, 00000004 :00426187 55 push ebp :00426188 56 push esi :00426189 68C0644200 push 004264C0 :0042618E E88D420300 call 0045A420 :00426193 83C40C add esp, 0000000C :00426196 EB5D jmp 004261F5 ; this jump takes us to: :004261F5 B801000000 mov eax, 00000001 :004261FA 5D pop ebp :004261FB 5F pop edi :004261FC 5E pop esi :004261FD 5B pop ebx :004261FE 81C464010000 add esp, 00000164 :00426204 C21000 ret 0010
If you trace further you'll get to ThunkConnect32, so the Call to 00427160 must be the top call in the calling hierarchy. You can verify this by putting a bpx on it and you'll see that this is the executioner. Do notice that this call is on the top and is only called at the first time and not when we press retry. Ok lets trace that call and see how we get to the nag box.
:00427160 8B4C2404 mov ecx, dword ptr [esp+04] :00427164 83EC3C sub esp, 0000003C :00427167 66C741180000 mov [ecx+18], 0000 :0042716D 833DA4F7460000 cmp dword ptr [0046F7A4], 00000000 :00427174 53 push ebx :00427175 56 push esi :00427176 57 push edi :00427177 55 push ebp :00427178 0F8423020000 je 004273A1 :0042717E 833DACF7460000 cmp dword ptr [0046F7AC], 00000000 :00427185 0F8416020000 je 004273A1 :0042718B E800030000 call 00427490 :00427190 8B4C2450 mov ecx, dword ptr [esp+50] :00427194 6683790402 cmp word ptr [ecx+04], 0002 :00427199 7D0A jge 004271A5 ; !!!Here!!! :0042719B 33C0 xor eax, eax :0042719D 5D pop ebp :0042719E 5F pop edi :0042719F 5E pop esi :004271A0 5B pop ebx :004271A1 83C43C add esp, 0000003C :004271A4 C3 ret
The JGE 004271A5 takes us to a subroutine wich has a call 004273B0 wich triggers the nag. I noticed something strange about this, if you press retry a couple of times you will get on to the intro screen. That is odd. We do not wanna jump so either change the JGE to a JMP 0042719B or as I did first NOP 'em out, you could use +ORC's nops (inc ax,dec ax) (+Orcs nop is inc ax,nop,dec ax, but we only wanto to get rid of two bytes therefor we leave the nop in the middle).
Now you'll pass the first check however you wont get far until the same soup starts all over again but from a different place this time.
Choose practise from the menu and press ok. Do the same for player name. Now Softice will start to argument with us about a page error, just enter 'r' and press Ctrl-D a couple of times and the show will go on, (these error do not occur when softice isn't running). Now you'll be at the lake select screen, when you press ok here you'll get:
"Please insert Lake Disk 1..." and after that MessageBox you'll get:0044619B 51 push ecx :0044619C 52 push edx :0044619D 891D004F4600 mov dword ptr [00464F00], ebx :004461A3 55 push ebp :004461A4 FFD7 call edi :004461A6 668BF0 mov si, ax ; here's where you are :004461A9 891DA00F4900 mov dword ptr [00490FA0], ebx If you scroll up a bit you'll see this: :00446146 0FBE0544154900 movsx eax, byte ptr [00491544] :0044614D 66BE0100 mov si, 0001 :00446151 8A80970C4900 mov al, byte ptr [eax+00490C97]: :00446157 38051C0F4900 cmp byte ptr [00490F1C], al :0044615D 0F84CF000000 je 00446232 wich takes us here :00446232 6683FE02 cmp si, 0002 :00446236 746F je 004462A7 :00446238 660FBE0D44154900 movsx cx, byte ptr [00491544] :00446240 0FBFD1 movsx edx, cx :00446243 A01C0F4900 mov al, byte ptr [00490F1C] :00446248 3882970C4900 cmp byte ptr [edx+00490C97], al :0044624E 7557 jne 004462A7
cmp byte ptr [00490F1C], al. 00490F1C is FE and al is 01. If these were the same we would have skipped the annoying messages and the game would have moved on. You could suspect this by just looking on the Jump, its a very far jump and it's jumping over the:
You can verify this by edit 490F1C and change the value to 01.The game will go on and never bother us again. Now we need to know from where 00490F1C is beeing set to FE. If you step through the routine starting from CS:00446151 you'll get here:
:004461BE E86D14FEFF call 00427630; Returns with AX=FFFE :004461C3 0FBE0D44154900 movsx ecx, byte ptr [00491544] :004461CA A21C0F4900 mov byte ptr [00490F1C], al ; Here al=FE :004461CF 3881970C4900 cmp byte ptr [ecx+00490C97], al :004461D5 745B je 00446232 :004461D7 6800040000 push 00000400 :004461DC A18C674800 mov eax, dword ptr [0048678C] :004461E1 C705A00F490001000000 mov dword ptr [00490FA0], 00000001 :004461EB 68A0684800 push 004868A0So somewhere in the call 00427630 is AX set to FFFE. Tracing this routine you'll see at the end of the routine this:
:00427630 81EC00010000 sub esp, 00000100 | | Skipping unrelevant code | :00427662 66B8FEFF mov ax, FFFE ; Here!! Change to 0001 :00427666 81C400010000 add esp, 00000100 :0042766C C3 ret
Change mov ax, FFFE to mov ax, 0001 and everything will work fine. I used the Live approach because first i was curious on the protection and i manged to crack this before i dissassembled it (within half an hour). However if you dissassemble BASS2.exe you'll see that CreateFile(A)/ReadFile is not used to open/read CDAudio. Instead it utilizes mciSendCommandA. Thats why we did'nt find it when we BPX:ed on CreateFileA.
In the version I downloaded the only thing that was cracked was the GetDriveTypA. If you start up windows without a Cd-rom the game wont ask you for one. I realize that there's probably a correct crack out now (or should be). I still find it odd that speed can be so important that only half the work is done.
Anyway as i said in the beginning there were no setup so you could choose "no sound" and similair. I guess that if there were one could disable the cd sound and the game would have worked.
