

                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
              XXXX        proudly presents his 13th Cracking Tutorial (29.04.1999)
               XX                    Italian Football Manager 2 1.10

I.   Tools you need for my tutorial
II.  The Crack
III. BTW

I.   Tools you need for my tutorial
     Italian Soccer Manager 2 1.10 (http://www.geocities.com/Colosseum/6149)
     IDA (get it at CrackZ's page; find a link at http://come.to/hellforge)
     TRON (search for +TRON +Unpack in Altavista)


II.  The Crack
     Greetings dear reader. This time it is a DOS game which I am going to crack. It is the
     first DOS program I have ever cracked and the first time I used IDA. I just cracked it
     and I am still so happy that I have to write down how I did it. First I want to thank
     Freeman. Without him this crack and the tutorial would never have been done. He told me
     that the EXE file is packed, sent me the unpacker and had a look at another version of
     ISM2. When I describe how I handle IDA there might be better ways to do this and that,
     but I don't know them. The only time I ever used IDA was for this crack. OK, let's go.
     The first time I disassembled it (W32Dasm) I got only bullshit, but no deadlisting you
     could work with :( Using SICE wasn't much more useful either. I was only able to bpx on
     the mouse interrupt, and this led me "deep in the dark codewoods" where I terribly lost
     the right way. Hopeless, I asked in Sandman's forum (www.idca.com/~thesandman) if someone
     could help me, and Freeman released me from my pain ;-) He downloaded another version of
     ISM2, cracked that one and then gave me some hints.

     When you run ISM2 you see that you are only able to play one year (in the game, of course).
     Then the program doesn't let you play further, saying that this isn't allowed in the
     shareware version.
     At first you have to unpack Soccer.exe with TRON. Then disassemble the new file (I called
     it s.exe) in IDA. Remember the message saying that you should buy the full version. It
     contains the word shareware. Now in IDA choose Navigate/Search for/Text and enter "Share".
     You will see this:

     seg060:10C0 aALLENATOREShar db 'A L L E N A T O R E - Shareware version', 0

     This means the string (it was the topic of the "Buy me" message) is stored at the address
     10C0. Now search for "10C0h". You'll see this:

     seg060:057F mov ax, 10C0h

     This is the place where the string is used in the program (i.e. the "Buy me" message).
     Scroll up a little and you'll see a line with the text "S u b r o u t i n e". This means
     we're inside the routine that shows the "Buy me" message. Two lines below you see:

     seg060:0574 sub_E5E_574   proc far           ;;CODE XREF: sub_31BB_5CD8+24P

     "sub_E5E_574" is the identifier of this routine, so we have to look where it is called.
     Search for "sub_E5E_574" until you see the following (IDA will show you some references
     before this one, but those are all proc definitions):
     
     seg072:5CF7      cmp    ax, 0Ah
     seg072:5CFA      jl     loc_31BB_5D0E
     seg072:5CFC      call   sub_E5E_574
     
     As you can easily see, the call calls our "Buy me" message, and the jl one line above jumps
     somewhere after the call. Do you think what I think? Of course: making this jump permanent
     would let us play ISM2 forever. So change the jump at offset ??? (I still don't know how to
     find out the file offset you have to patch in IDA). I did the patch this way: highlight the
     jl line and choose Edit/Patch program/Assemble and use jmp loc_31BB_5D0E as the new
     instruction. Then save the patched file with File/Produce output file/Produce EXE file.
     Then start the new file and look what happens. I tell you: we did it. Now you can play ISM2
     forever (and even longer if you want to ;-)

III. BTW
     I hope my tutorial was helpful for you, and see you again in my next tutorial.

     Greets to: Fravia+, tKC, ED!SON, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and
     all [hf] members


All Tutorials by LaZaRuS [hf]

 #|  date  |   name           |version|W32Dasm|Soft-Ice|kind of crack            |
--|--------|------------------|-------|-------|--------|-------------------------|
01|20.01.99|Jaylock           |1,0,0,1|  (X)  |   (X)  |serial#                  |
02|31.01.99|Goldwave          |4.02   |  (X)  |   (X)  |serial#,nag-screens      |
03|28.03.99|AxMan             |3.00   |  (X)  |   (X)  |serial#,remove date-limit|
  |        |                  |       |       |        |nag-screen, key generator|
04|29.03.99|C++Builder Strings|       |  (X)  |   (X)  |how to find strings in   |
  |        |                  |       |       |        |C++ Builder that are not |
  |        |                  |       |       |        |hardcoded                |
05|29.03.99|Better Protection |       |       |        |How to protect shareware |
  |        |                  |       |       |        |better against crackers  |
06|04.04.99|Start Clean       |1.2    |  (X)  |   (X)  |nag-screen/serial/keygen |
07|06.04.99|MP3 TO EXE        |1.02   |  (X)  |   (X)  |nag-screen/serial        |
08|06.04.99|HexDecCharEditor  |1.02   |  (X)  |        |make it registered       |
09|20.04.99|PowerZip          |4.51   |  (X)  |        |serial/time-check/...    |
10|24.04.99|eKH CrackMe       |1.0    |  (X)  |        |serial                   |
11|25.04.99|F-Secure          |4.02   |  (X)  |        |time limit/nag           |
12|29.04.99|Latido's JS       |3.0    |       |        |serial                   |
  |        |Reverse Me        |       |       |        |                         |
13|24.05.99|Italian Soccer    |1.10   | (IDA) |        |patch to remove the time |
  |        |Manager           |       |       |        |limit                    |
     
LaZaRuS [hf]
Visit Hellforge at http://come.to/hellforge for more tutorials and high quality cracking links.
If you want to mail me: lazarus666@gnwmail.com