BiSHoP's Tutorial # 6 (May 31, 2000)

Topic:  Removing CD check
Target: TRSi's little crackme (CD check)
Where:  http://crackmes2.cjb.net

Index:
1. Introduction
2. Requirements
3. Start
4. Cracking
5. Final Notes
6. Greetz & Thanx

---------------------------------------------------

1. Introduction-

Greetingz fellow cracker! This is my 6th tutorial, and the first one I wrote on CD checks. CD checks are pretty easy to remove if the file isn't packed, and most of them are very similar. This will prepare you to crack games which need the CD in the drive to play.

2. Requirements-

W32Dasm, Hiew (or any ol' hex editor) and of course (as they say) a BRAIN :)

3. Start-

Our target is TRSi's little crackme, and I have to say that the CD check is MAD easy to remove; you'll have no problem! I am not even sure why I wrote this tutorial. It is for newbie crackers who just started cracking yesterday.

4. Cracking-

Start cracking... run the program and it says "No CD inserted, Asswipe!". OK, I wanna make sure this is for real, so click OK, put any CD in, and it says "GOOD JOB". We know the check is not fake, so it's worth cracking. Remove the CD.

Disassemble crackme.exe and look for the "No CD" string; it should be at 401093.

----------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401020(C)   <== I assume this is from the bad guy jump
|
:0040108C 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"TRSi -...
                                  |
:0040108E 68A5214000              push 004021A5

* Possible StringData Ref from Data Obj ->"No CD inserted, asswipe!"
                                  |
:00401093 6800204000              push 00402000
:00401098 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
                                  |
:0040109A E81D000000              Call 004010BC
---------------------------------------------------------------

Let's go to 401020, where the jump is made from. The code there should look something like this:

---------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401035(C), :00401054(C), :00401072(C)   <== Three other checks
|
:00401013 33C0                    xor eax, eax
:00401015 A05A224000              mov al, byte ptr [0040225A]
:0040101A 3A055E224000            cmp al, byte ptr [0040225E]
:00401020 746A                    je 0040108C                <== Jumps to NO CD
:00401022 FE055A224000            inc byte ptr [0040225A]
---------------------------------------------------------------

Now we definitely know the jump to 40108C is the one that displays the BAD message. But also notice the jumps from 401035 and 401054: those are the checks of whether the CD is in or not. So there are 3 jumps we have to patch, at file offsets 620h, 635h and 654h.

Hex edit crackme.exe: go to 620h and change 746A to 776A; go to 635h and NOP out 75DC (change 75DC to 9090); go to 654h and change 74BD to 75BD. Now run the program and... "Good Job" :) We just cracked this CD check.

5. Final Notes-

So easy, right? But don't think all CD checks are this easy. This program's check is probably obsolete by now; the software industry has improved CD protection a lot since then.

6. Greetz & Thanx-

Greetinz: UCF, Mexelite, Phrozen Crew, CiA, CORE, ODDITY, CookieCrK, Prophecy, RTD, HellForge, Genocide, and to any of ya I left out!

Personal Greetz: Dark_Wolf, AC_178, Mercution, Ac|dFusio, LaZaRuS^, Falcon, SoleSurvivor, and to the rest of ya in HellForge and the German HellForge!

Thanx to: tKC for all his tutorials, CookieCrK for providing me with some cracking toolz, and to all the sites in the Reverse EngineeRING for all their tuts, and oh yeah, thanx for reading this tut!

Peace out 'til next time yall!

-BiSHoP-
diablo337@hotmail.com
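An added example, not part of BiSHoP's tutorial, that goes back to section 4: a small Python script that decodes the three short conditional jumps the tutorial edits, using only the bytes and addresses printed in the W32Dasm listing and the patch instructions. It confirms from the page's own numbers that 746A at 401020 is a JE to 40108C, and that 75DC at 401035 and 74BD at 401054 both jump back to the check at 401013, then shows what each two-byte edit turns the instruction into. The opcode table is the standard x86 short Jcc encoding (opcode 70h-7Fh followed by a signed 8-bit displacement); the file-offset-to-address delta of 0xA00 is an assumption inferred from the tutorial's own pairs (620h/401020, 635h/401035, 654h/401054) rather than read from the PE section table. Reading a patch this way is also how you would explain a two-byte diff when reviewing a binary that fails an integrity check: a single opcode byte is enough to invert a decision, which is why an unpacked executable with no integrity verification is as easy to modify as the tutorial says.

```python
"""
Added example (not from the tutorial): decode the short conditional jumps
patched in section 4 and show the effect of each edit.

Assumption (not on the page): the VA/file-offset delta below is inferred
from the tutorial's pairs 620h<->401020h, 635h<->401035h, 654h<->401054h.
"""

# Standard x86 short-form Jcc opcodes; each is followed by one signed rel8 byte.
JCC_SHORT = {
    0x70: "JO",  0x71: "JNO", 0x72: "JB",  0x73: "JAE",
    0x74: "JE",  0x75: "JNE", 0x76: "JBE", 0x77: "JA",
    0x78: "JS",  0x79: "JNS", 0x7A: "JP",  0x7B: "JNP",
    0x7C: "JL",  0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}
NOP = 0x90

# Assumed: VA = file offset + 0xA00, derived from 401020h <-> 620h.
VA_MINUS_FILE_OFFSET = 0x401020 - 0x620


def file_offset_to_va(offset):
    """Map a file offset from the tutorial to the virtual address W32Dasm shows."""
    return offset + VA_MINUS_FILE_OFFSET


def decode_short_jump(va, code):
    """Decode a 2-byte Jcc rel8 (or a 90 90 NOP pair) located at va.

    Returns (mnemonic, target_va); the target is None for NOP NOP.
    """
    opcode, disp = code[0], code[1]
    if opcode == NOP and disp == NOP:
        return "NOP NOP", None
    if opcode not in JCC_SHORT:
        raise ValueError(f"not a short Jcc at {va:08X}: {code.hex()}")
    rel = disp - 0x100 if disp >= 0x80 else disp  # sign-extend the rel8
    # The displacement is relative to the address of the *next* instruction.
    return JCC_SHORT[opcode], va + 2 + rel


def describe_patch(offset, before, after):
    """Summarise one edit: what the bytes meant before and after."""
    va = file_offset_to_va(offset)
    return {
        "offset": offset,
        "va": va,
        "before": decode_short_jump(va, before),
        "after": decode_short_jump(va, after),
    }


# The three edits from section 4: (file offset, original bytes, patched bytes).
# 74->77 (JE->JA) and 74->75 (JE->JNE) are both not taken when the compared
# bytes are equal, which is exactly the case the original JE jumped on;
# 90 90 simply removes the third jump.
PATCHES = [
    (0x620, bytes.fromhex("746A"), bytes.fromhex("776A")),
    (0x635, bytes.fromhex("75DC"), bytes.fromhex("9090")),
    (0x654, bytes.fromhex("74BD"), bytes.fromhex("75BD")),
]


def analyse_patches(patches=PATCHES):
    return [describe_patch(*p) for p in patches]


if __name__ == "__main__":
    for p in analyse_patches():
        b_mn, b_tgt = p["before"]
        a_mn, a_tgt = p["after"]
        fmt = lambda mn, tgt: mn if tgt is None else f"{mn} {tgt:08X}"
        print(f"offset {p['offset']:04X}h (VA {p['va']:08X}): "
              f"{fmt(b_mn, b_tgt)}  ->  {fmt(a_mn, a_tgt)}")
```

The decoded targets line up with the listing: the jump at 401020 lands on 40108C (the "No CD" message), and the jumps at 401035 and 401054 land on 401013, which is why W32Dasm lists them as references to that address.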