Use this tute only for cracking the EXEs of the CDs that you own...
This tutorial is for Educational purpose only.
Author: Creativity
Target Program: Ballance 2.0.0.1 (But the splash page displays v1.13)
Application type: Microsoft Visual C++ application (Use PEiD to find it out)
Tools required:
W32Dasm 8.93 or above.
Olly Debugger 1.10 (Debugging + Patching the game)
PEiD / ClonyXXL / ProtectionID
How to crack:
This is my first cracking tutorial... so please report me or forgive me for my mistakes that I made, I'm a newbie in cracking...
CLONY XXL STEPS:
Step 01: Insert the disc into the drive then click
Scan in clony XXL.
Oh great the game doesnot contain any CD protection.
PEiD STEPS:
Step 01: Click on "..." and open the target "Player.exe" in the bin folder in the game's installation directory.
Step 02: Oh cool the game doesn't contain any protection like Securom, safeDisc etc and it is not protected with any Exe protectors. We are lucky... and our cracking burden is reduced.
W32DASM STEPS:
Step 01:
Start the game without the CD... oh no... a window with
title "Attention" and It says
"Place the CD-ROM into the Drive and Start the Game again"
Step 02: Load up W32Dasm and disassemble the file "Player.exe" in the Bin folder...
Step 03: Since the error message
"Place the CD-ROM into the drive and start the game again" loads up in the runtime, so it is not possible to search with the string.
Step 04: In W32Dasm click on
"String Data references" button in the toolbar. Search for
"Attention" thats the title of error message window.An alternate method is by using the menu
"Search->Find Text" then type your text,
"Attention" in the text box. Click on
"Find next".
Step 05: It will take us to the line that displays the following
* Possible StringData Ref from Data Obj ->"Attention"
Step 06: Scroll a little below and you can find these lines.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040121B(C)
It says that the jump to this error message is from the address 0040121B and it also indicates what type of jump it is.
(C)-Conditional Jump (JNE's and JE's) and
(U)-Unconditional Jump (JMP)
So our jump is a conditional jump... (ie) it is checked for specific condition and then jumped.okay now that we've got the address where the game checks,Note it down in a piece of paper... Next is to Patch it out... close W32Dasm.
Note: There are two dialog with title "Attention", If you are not sure of which one is the dialog that points to CD-Check then run the target in a debugger to find out the correct Error string.
OLLY DEBUGGER STEPS:
i've added a screen shot of Olly and with the three important windows marked...
My interface and yours might differ because I've added new plugins and changed the color of the interface.
Step 01: Open the target file "Player.exe" in OllyDebugger
Step 02: Ollydebugger has many windows, we have to open the CPU window to debug the process. Click on the
"C" icon in the toolbar... It will display the decompiled code. Maximize the window.
Step 03: Now Right click in the window and Select
"Goto->Expression" and enter the address that you noted in W32Dasm... In this case it is
0040121B and then Click
"OK"
Step 04: Ok now we have successfully landed in our checking area 0040121B. We need to bypass the check so that we can run the game without the CD and with the CD. This is really important, because the game must be able to run with a CD and without a CD, in that way we must crack it.
Original code:
00401219 . 84C0 TEST AL,AL
0040121B 75 46 JNZ SHORT Player.00401263
What does this code do ?
To know what it does follow the steps,
Select the line 00401219 and then right click Select
"Breakpoint->Run to selection" Now look at the
information window, the sliced one that is just below the code window slice. We'll find that register
AL=00 if the CD is not inserted and
AL=01 when the CD is inserted. so the next line is JNZ(Jump if Not Zero) if the AL value is 0 it will not jump, So it'll jump only when the CD is inserted (ie.)when AL becomes 01, so this is a conditional Jump. We have to change it to unconditional jump, It must jump always. So we have to modify it. So follow the steps below.
Step 05:
Double Click on the line 0040121B or Click on the line and press Spacebar a window with title
"Assemble at 0040121B" will pop up, now change
"JNZ SHORT 00401263-->JMP SHORT 00401263", I've only changed the first three characters in the line.
Step 06: So we have patched the game in the memory, to patch the executable,
Right click in the code window and select "Copy to executable-> All modifications" and click "Copy All", Now a dump window(D in the title) will popup displaying all the modifications that we made. Now
Right click in the Dump window and
select "Save file" then save the file with some other name, example Player_cracked.exe...
Patched code:
00401219 . 84C0 TEST AL,AL
0040121B EB 46 JMP SHORT Player.00401263
Final Notes:
So we've successfully cracked the game Ballance 2.0.0.1 (V1.13 according to the splash page), Now the game will run when the CD is inserted and also when the CD is not in the drive. There are manys ways to crack this... one method is this one. Every program has its own weakness. Finding the weakness is the solution.
Greets:
To all NO-CD crackers in the world. And all the members of Lethal Injection team and Members in this MGForums.
A Simple NO-CD Cracking Tutorial
Linear Mode
