Sauron's tutorial on "dOC sNydEr's TRSi Crackme"

Whoever ain't able to crack this little proggie can't call himself
a game cracker, because this proggie is the essence of the simple
CD check that appears in every CD-ROM based game nowadays.
Let's take a look at what this program does and how to reverse
engineer it the way we want.

The proggie starts with a nice messagebox greeting and introducing us
to the crackme.
The box has an "OK" button; hit it and look what happens.
If you've got a CD in your drive, remove it or you will get a message
like "either there is a cd-rom in your drive or you made a working
crack". And since we didn't even touch the file yet... ;>
Re-run the proggie, hit OK and you will obtain an error messagebox
containing the string "No CD inserted, asswipe!". That's what this
program does: it checks whether a CD is inserted in any CD drive
or not and messages us about the result.
Now let's take a look inside and find out how the crackme works.

The program calls GetDriveTypeA to check whether the given drive is a
CD-ROM. If so, it tries to read the CD label using GetVolumeInformationA.
After that the crackme calls GetDiskFreeSpaceA and checks whether there is
more than 0 bytes of free space (which shouldn't be the case on read-only
media like a CD-ROM).
That's all. So.. how to crack it?

There are several approaches.. debugging with SoftICE, disassembling with
W32Dasm.. I prefer disassembling for now. After disassembly, we try to find
the string "No CD inserted..". It's not hard to find given the tiny
size of the program, ain't it? Well. We look around a bit and
recognize that ugly call to GetDriveTypeA. We don't hesitate to NOP it,
of course.
And we NOP the conditional jump that follows, too.

* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h
                                  |
:0040102D E878000000              Call 004010AA      ; take this one out
:00401032 83F805                  cmp eax, 00000005
:00401035 75DC                    jne 00401013       ; and this
:00401037 6A00                    push 00000000

Now the program goes on with GetVolumeInformationA. We NOP the call,
too. 

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0000h
                                  |
:0040104D E85E000000              Call 004010B0      ; this one pisses us off
:00401052 0BC0                    or eax, eax
:00401054 74BD                    je 00401013
:00401056 6A00                    push 00000000

The last thing to do is to NOP the GetDiskFreeSpaceA call
in order to disable the last check. 

* Reference To: KERNEL32.GetDiskFreeSpaceA, Ord:0000h
                                  |
:00401066 E84B000000              Call 004010B6      ; just NOP this whore
:0040106B A15F224000              mov eax, dword ptr [0040225F]
:00401070 0BC0                    or eax, eax
:00401072 759F                    jne 00401013
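To make the three disassembly fragments above easier to read as one decision, here is the check logic written out in C. This is an added example, not code from the crackme or from its author: the Windows API calls are replaced by a constructed DriveProbe table holding what GetDriveTypeA, GetVolumeInformationA and GetDiskFreeSpaceA would report, and the loop over drives is assumed from the backward jumps to 00401013 (the page never shows that loop body). The names drive_passes_cd_check, find_cd_drive and sample_drives are hypothetical. It shows why three NOPs are enough: every condition is a single branch back to the same retry label, so removing any one of them removes that whole check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* GetDriveTypeA returns this value for a CD-ROM drive; the crackme does cmp eax,5. */
#define DRIVE_CDROM 5u

/* Constructed stand-in for what the three API calls would report for one
 * drive letter. On Windows these values would come from GetDriveTypeA,
 * GetVolumeInformationA and GetDiskFreeSpaceA; here they are fixed so the
 * check logic can be run offline. */
typedef struct {
    char letter;
    unsigned drive_type;       /* GetDriveTypeA result */
    bool volume_info_ok;       /* GetVolumeInformationA returns nonzero on success */
    unsigned long free_space;  /* free-space value the crackme keeps at 0040225F */
} DriveProbe;

/* One pass through 0040102D..00401072: true only if the drive is a CD-ROM,
 * its volume information is readable, and it reports zero free space. */
bool drive_passes_cd_check(const DriveProbe *d)
{
    if (d->drive_type != DRIVE_CDROM)   /* cmp eax,5 / jne 00401013 */
        return false;
    if (!d->volume_info_ok)             /* or eax,eax / je 00401013 */
        return false;
    if (d->free_space != 0)             /* mov eax,[0040225F] / or eax,eax / jne 00401013 */
        return false;
    return true;
}

/* The retry loop implied by the jumps to 00401013, assumed here to walk a
 * drive table: returns the index of the first drive passing the check, or -1. */
int find_cd_drive(const DriveProbe *drives, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (drive_passes_cd_check(&drives[i]))
            return (int)i;
    return -1;
}

/* Constructed sample table: a hard disk, an empty CD drive, a CD with a disc. */
const DriveProbe sample_drives[] = {
    { 'C', 3u,          true,  123456789ul },  /* DRIVE_FIXED, plenty of free space */
    { 'D', DRIVE_CDROM, false, 0ul },          /* CD drive, no disc: volume info fails */
    { 'E', DRIVE_CDROM, true,  0ul },          /* CD drive with a disc: passes */
};
const size_t sample_drive_count = sizeof sample_drives / sizeof sample_drives[0];

int main(void)
{
    int idx = find_cd_drive(sample_drives, sample_drive_count);
    if (idx < 0)
        puts("No CD inserted");
    else
        printf("CD found in drive %c:\n", sample_drives[idx].letter);
    return 0;
}
```

With the sample table the program reports drive E:. Swap the last entry's free_space for a nonzero value (a writable disc) and the check fails again, which is the third condition the GetDiskFreeSpaceA fragment enforces.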

Now it's done. The whole thing should have taken us 2 minutes max :>
We cracked the TRSi Crackme.

-Sauron/TRSi