Professional Documents
Culture Documents
Lession #1
��������������������Ŀ
� CRACKING DOS Files �
����������������������
By Buckaroo Banzai
The above example, when used with the last example show
a typical call to a protection routine. The perfered method
to crack this protection would not be to simply fake the
return, but to remove the call to the protection. How to do
it, simple. Just jump over the check. Change line 10 to
"jmp Good2". This will bypass the protection routine.
Now, you might ask why would you want to take the extra
step of finding the call to the protection routine rather
than simply faking an int13 and returning with the proper
registers set. 2 reasons. First, What if there wasn't
enough room to setup the registers the way you needed them.
Then you would have to take the extra step. Second, what if
somewhere down the line, that routine is used for something
else (like the int13 is modified into an int10 in a game).
Since you have changed the bytes at that location, the
modifying routine would create code that wasn't exepcted.
But as always, if you can fake the return, and the program
works, leave it. After all, not to many people go around
look at other peoples cracks (do they???).
One last thing. After you have cracked the program, try
running it from a hard drive with PW set to trap calls to INT
21h function 1Bh (get fat byte). If the program make a call
to here, get the address and find that section of code. What
the program is trying to do is check to see if you are
running from a hard drive (most programs have diffrent
protection routines for hard drives). When you find it,
simply replace the "INT 21h" with a "MOV DS:[BX],FDh". This
will fake the program in to thinking you are working on a
floppy disk.
18FD:0343 1E PUSH DS
18FD:0344 B80000 MOV AX,0000
18FD:0347 50 PUSH AX
18FD:0348 B89724 MOV AX,2497
18FD:034B 8ED8 MOV DS,AX
18FD:034D BB1000 MOV BX,0010
18FD:0350 2E CS:
18FD:0351 8A07 MOV AL,[BX]
18FD:0353 3C00 CMP AL,00
18FD:0355 7418 JZ 036F
18FD:0343 1E PUSH DS
18FD:0344 B80000 MOV AX,0000
18FD:0347 50 PUSH AX
A CS:355
18FD:355 JMP 36F
A CS:37C
Now, you might ask why I didn't simple force a jump over
the code. The answer is what if DA uses the value at C620 at
a later time (which it doesn't but let's pretend). If I had
forced the jump then the value might not have been
initialized and the crack might not work. Now that we have
simulated running from diskette, we must deal for the check
for the key disk.
; Check to see if the OK flag was set (ax = 0001h means check
; was good)
18FD:038E 3D0100 CMP AX,0001
18FD:0391 7450 JZ 03E3
A 1BFD:7934
1BFD:7934 MOV AX,0000
1BFD:7936 RET
S CS:0 FFFF B4 19 CD 21 8A D0
I will tell you this. When SETDRAW checks the key disk,
first it checks to see if the protection exists and then to
see if the track hasn't been modified. It again uses AX to
determine what happeded. I used Periscope to trace through
the original version to find out what the correct values are.
Here is the asm code...
18FD:0000 1E PUSH DS
18FD:0001 B80000 MOV AX,0000
18FD:0004 50 PUSH AX
18FD:0005 B8321A MOV AX,1A32
18FD:0008 8ED8 MOV DS,AX
18FD:000A B40F MOV AH,0F
18FD:000C CD10 INT 10
18FD:000E 3C02 CMP AL,02
18FD:0010 740D JZ 001F
18FD:0012 3C03 CMP AL,03
18FD:0014 7409 JZ 001F
18FD:0016 A28900 MOV [0089],AL
18FD:0019 B002 MOV AL,02
18FD:001B B400 MOV AH,00
18FD:001D CD10 INT 10
A 18FD:2C
18FD:002C mov AL,FD
18FD:002E nop
18FD:002F nop
18FD:0030 nop
18FD:0031 nop
A 18FD:40
-Buckaroo Banzai
page 9