By Q [Phrozen Crew]
Courtesy of Fravia's page of reverse engineering
1 June 1998
Project four
Tools needed:
- KGB - a cool DOS 'file monitor' . Can be found at Fravia's awesome
site .
- FakeCD - I bet u know what this is ;)
- A simple ASM compiler . A86.COM (31 kb) will do .
- Oh and the patch . Can be found at http://www.3dfxmania.com
The Crack:
Running TOMB3DFX.EXE gives out "Please insert the TombRaider CD"
- those sentences u just love to hate .. - and exit. We also notice that
it's a protected mode program - DOS4GW. ( Good thing we didn't download
Winice , we all know
how nervous it gets around other protected mode programs ;)
Fair enough .
Lets spy on it with KGB . This is what we get :
OpenFile-R : C:\data\title.phd
OpenFile-R : D:\data\title.phd
OpenFile-R : E:\data\title.phd
OpenFile-R : F:\data\title.phd
OpenFile-R : G:\data\title.phd
OpenFile-R : H:\data\title.phd
OpenFile-R : I:\data\title.phd
(It goes on till drive Z)
Hmm , is searches for title.phd .. ok , NP , i have it in my TOMB directory
, But it's not in the ROOT directory (it searches
Drive:\Data .. ) , so lets use FakeCD.
Copy FakeCD.EXE to TR directory , and run : Fakecd.exe . /l:J
This way fakecd will emulate a cd drive in drive J . Any drive (except
the real HD) is ok .
Re-run TR ... Still not OK .. Lets see why , run KGB , and this is what we get :
OpenFile-R : C:\data\title.phd
OpenFile-R : D:\data\title.phd
OpenFile-R : E:\data\title.phd
OpenFile-R : F:\data\title.phd
OpenFile-R : G:\data\title.phd
OpenFile-R : H:\data\title.phd
OpenFile-R : I:\data\title.phd
OpenFile-R : J:\data\title.phd
OpenFile-W : J:\YNJZOMMI
CreateFile : J:\YNJZOMMI
< y like the TR mystiqe edition .(See essay by +Alt-F4
at +Fravia's).
This edition can be cracked like the mystiqe edition , however, i had
something else in mind - a TSR .
The idea is to make a small program , that will nest in memory , hooking
the Open_For_Write_Only function ; when it "sees"
that a program is trying to use this function on the Faked Drive it
will change the FileName parameter (the random filename) to NULL . This
way the return value of this function is CAN'T OPEN THE REQUESTED FILE
(because it's empty) , and
the program will think it's the CD.
I tried it , and it worked ! Not only on the 3dFX edition , but also the Mystiqe edition , and propably other 3dFX patches from 3dfxmania Site.
The basic TSR is below , for a more compatible
version - to enter the drive letter in command line - please search for
PC_T3DFX.ZIP . I didn't put an un-install option because i figured whoever
has a 3dFX card , can spare 100 bytes off his
memory ;)
BTw , if it doesn't work (on other patches) , u can always hook the
CreateFile function (Int 21h / Ah=3Ch), and use the
same trick (FileName -> Null) .
* It might work for windows too (To understand windows TSRs
read Stone's doc on trainers).
If and when i'll find a windows game with CD protection i'll try this
on it , and if succesful ,i'll update this essay. Should anyone else wants
to do it , be my guest :)
(May i suggest hooking on GetDriveTypeA , and return 5 (cd-rom)
on the faked drive? ;)
That's it , i hope u've enjoyed and learned from this .
If u find other patches / games / programs that this TSR will crack
, please drop me a note . (My e-mail is down below .)
Greetings:
PC members , +Fravia and all +HCUkers , friends . :-)
------ Cut here ------
;This is a TSR for tomb-raider,when the prg. checkes
for the cd
;is tries to open for write only a random file and to further
;check,it tries to create that random file & delete it -if successful
;it tells u that there is no cd.
;so what this TSR does is intersept the open for write only instruction-
;(INT 21h,function 3Dh,sub-function 01h)
;and also CoMPers the ds:dx if equal "J:\" if so it gives to ds:dx
;(the random file name ) 0 at the beginig and so the return of the
open
;instruction in CAN'T OPEN THE REQUESTED FILE (because it's empty)
;thus the prg thinks there is a cd in drive J and runs properly...
start: lea dx,msg
;print msg
mov ah,9
int 21h
mov ax,3521h
;Get address of Int 21h into ES:BX
int 21h
mov real_ip,bx
;Save the real valuse for later use
mov real_cs,es
mov ax,2521h
;Hook the vector 21h to point to ds:dx
lea dx,int_21
int 21h
lea dx,end_pro+1
int 27h
;Go TSR from cs:0 till end_pro+1 byte
;--------------------------------------------
int_21: cmp ax,3d01h
;Check if it's Open_For_Write_Only function request
jne return2normal
;Here u can add the check for CreateFile (or DeleteFile) if necessary
push si ;save si
mov si,dx ;mov dx to si in order to use ds:[si](=ds:[dx])
cmp byte ptr [si] , 'J'
;"J" -- the faked drive letter
jnz c2
inc si
cmp byte ptr [si] , ':'
;":"
jnz c2
inc si
cmp byte ptr [si] , '\'
;"\"
jnz c2
inc si
mov byte ptr [si],0
;put 0 at the begining of the file's name
c2: pop si ;restore old value
return2normal:
db 0eah
; == Jmp to the real INT 21h
real_ip dw 0
real_cs dw 0
msg db "TSR FOR TOMB-RAIDER ,CRACKED BY Q / PC$"
end_pro:
end start
------ Cut here ------
Phrozen_q@CyberDude.Com
sEE yA :)
-Q
homepage
links
anonymity
+ORC
students' essays
academy database
bots wars
antismut
tools
cocktails
javascript wars
search_forms
mail_Fravia Is reverse engineering illegal?