Posted January 2, 2010 by Spyros in Reverse Engineering

Cracking Dark Omen Game CD Protection


This is another tutorial I wrote for Krobar’s website, which you can find here. I believe it has some good value, especially if you are into reverse engineering cd protections.

SOME IMPORTANT INFO ABOUT THE GAME

Dark Omen is a strategy game produced by Electronic Arts (EA). This might sound a bit frustrating if we take into consideration their current protections in the year 2001. However, this game was published in 1997, so I don’t think it will be difficult for us.

WHAT WILL I NEED IN ORDER TO FOLLOW THIS TUTORIAL?

To follow this tut without any problem, you will have to possess these three tools, or at least the first two of them:

*W32DASM (NEEDED)
*HIEW EDITOR (NEEDED)
*SOFTICE (OPTIONAL, but it will make you understand better how the protection works).

You will also need a fair knowledge of how these tools work. To obtain it, you could read my first tutorial on cracking two games with W32DASM and HIEW. If this doesn’t help you, you can always grab other tuts from Krobar’s site (http://zor.org/krobar); my tut is also located there. Moreover, you will have to obtain some knowledge of SoftICE, a great NuMega tool and a wonderful debugger. To do this I would highly advise you to read Krobar’s tuts, at least the first 8, about cracking two easy crackmes. There are also other tuts from good crackers that will give you a fair idea of how to use SoftICE.

WE MAY START…

As always, install the game (maximum install) and double-click on the Dark Omen shortcut to play the game, without the cd inserted in your cd-rom drive. It’s this message again… When will we see a game that will run without the cd??? Never mind, we will have to crack it if we don’t want to insert the cd each time we want to play the game (or if we want to listen to our new music cd while we play the game…). So, let’s disassemble the executable of Dark Omen. But where is it? It’s in the “Dark Omen\Prg_eng” folder and it is named “EngRel”. Found it? Make two copies and name them:

*EngRel

*EngRel.w32

Disassemble EngRel.w32 so that you can make changes to the exe of the game while you still have W32Dasm open.

WHAT WERE OUR MESSAGES?

When you double-clicked the shortcut to start the game, you entered the main screen of the game, and when you tried to start playing the campaign you saw a message saying something like this:

CD ROM MISSING

The cd rom is required for this selection. Ensure the cd-rom is present and highlight the drive letter of your cd-rom drive.

|E:| <-Drive letter
|F:| <-Drive letter

So, what can we make out of this message? We’ll see… Back to W32Dasm, click on String Data References and try to find any message that says something like:

“CD ROM MISSING” or “The cd-rom is required..”

Did you find anything? I hope you did. In fact, there are three strings that could do the job:

*CD ROM MISSING?
*THE CD-ROM IS REQUIRED FOR THIS…
*DARK OMEN CANNOT LOCATE THE CD-ROM…

So, there are three suspect strings. Let’s look at the first one. It’s “cd-rom missing” and there are three places where it is referenced. I searched them all and set breakpoints in SoftICE to find whether there was a place that checks for the cd being in the drive, and I found nothing interesting. So I didn’t even attempt to search the other two strings and started to think. Soon I understood something that I ought to have understood before: the bad message we saw earlier says that it examines the drive in which the cd should be, which is our cd-rom drive. So we can conclude that it checks for the cd in one other place, most likely a well-known API function. But what is this function?

WHERE DOES IT CHECK IF I HAVE A CD-ROM INSERTED IN MY DRIVE?

The answer is that it checks this with an API function, GetDriveTypeA. This is a function that checks whether the cd is in the drive the programmer wants it to be in, which should of course be our cd-rom drive. So let’s open “functions\imports” and search for “getdrivetypea”. Once you have found it, double-click on it and you should be presented with the following piece of code:

* Referenced by a CALL at Address:
|:0048A5E0                     <-This is the address to goto
|
:0048A600 81EC04010000            sub esp, 00000104
:0048A606 53                      push ebx
:0048A607 56                      push esi
:0048A608 8BB42410010000          mov esi, dword ptr [esp+00000110]
:0048A60F 57                      push edi
:0048A610 55                      push ebp
:0048A611 56                      push esi

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
                                  |
:0048A612 FF15C0645800            Call dword ptr [005864C0]  <-We are thrown here
:0048A618 83F805                  cmp eax, 00000005
:0048A61B 740D                    je 0048A62A
:0048A61D 33C0                    xor eax, eax
:0048A61F 5D                      pop ebp
:0048A620 5F                      pop edi
:0048A621 5E                      pop esi
:0048A622 5B                      pop ebx
:0048A623 81C404010000            add esp, 00000104
:0048A629 C3                      ret

As you have learnt from my first tut, most of the time we have to go to the call or jump that we first see above the string we double-clicked on. This means that the piece of code after GetDriveTypeA should be where the comparison between drives is made. But could there be something interesting in the CALL above? Let’s go to the address 0048A5E0. There we see:


* Possible StringData Ref from Data Obj ->"[MOVIES]\Intro.tgq"  <-What may this be?
                                  |
:0048A59B BA78264F00              mov edx, 004F2678
:0048A5A0 899C24F8000000          mov dword ptr [esp+000000F8], ebx
:0048A5A7 8D8C24F4000000          lea ecx, dword ptr [esp+000000F4]
:0048A5AE 668B5A10                mov bx, word ptr [edx+10]
:0048A5B2 8B420C                  mov eax, dword ptr [edx+0C]
:0048A5B5 8A5212                  mov dl, byte ptr [edx+12]
:0048A5B8 68010B1200              push 00120B01
:0048A5BD 6A02                    push 00000002
:0048A5BF 896908                  mov dword ptr [ecx+08], ebp
:0048A5C2 6A02                    push 00000002
:0048A5C4 89410C                  mov dword ptr [ecx+0C], eax
:0048A5C7 66895910                mov word ptr [ecx+10], bx
:0048A5CB 8D442440                lea eax, dword ptr [esp+40]
:0048A5CF 885112                  mov byte ptr [ecx+12], dl
:0048A5D2 8D8C2400010000          lea ecx, dword ptr [esp+00000100]
:0048A5D9 8D542420                lea edx, dword ptr [esp+20]
:0048A5DD 51                      push ecx
:0048A5DE 50                      push eax
:0048A5DF 52                      push edx
:0048A5E0 E81B000000              call 0048A600       <-We are thrown here.INTERESTING...
:0048A5E5 83C418                  add esp, 00000018
:0048A5E8 5D                      pop ebp
:0048A5E9 5F                      pop edi
:0048A5EA 5E                      pop esi
:0048A5EB 5B                      pop ebx
:0048A5EC 81C464020000            add esp, 00000264
:0048A5F2 C3                      ret
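Rather than take W32Dasm’s printed targets on trust, here is an added Python example (not from the original tutorial) that decodes the relative displacements of the call at 0048A5E0 and the je at 0048A61B from their raw bytes and checks them against the targets the disassembler printed; the opcode table is an assumption that covers only the branch forms appearing in these listings.

```python
import re
import struct

# Lines copied from the W32Dasm listing above (the <- annotations removed); the 5
# compared with eax after GetDriveTypeA is the API's DRIVE_CDROM return value.
LISTING = """\
:0048A5E0 E81B000000              call 0048A600
:0048A5E5 83C418                  add esp, 00000018
:0048A612 FF15C0645800            Call dword ptr [005864C0]
:0048A618 83F805                  cmp eax, 00000005
:0048A61B 740D                    je 0048A62A
:0048A61D 33C0                    xor eax, eax
"""

LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.+?)\s*$")

# Opcodes taking a relative displacement: opcode -> (name, displacement size).
# Assumption: only the branch forms that occur in this listing are covered.
RELATIVE = {0xE8: ("call", 4), 0xE9: ("jmp", 4), 0xEB: ("jmp", 1),
            0x74: ("je", 1), 0x75: ("jne", 1)}

def parse_line(line):
    """(address, opcode bytes, mnemonic text) for one listing line, or None."""
    m = LINE_RE.match(line)
    return m and (int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3))

def branch_target(addr, code):
    """Decode a relative call/jump: the signed displacement is added to the
    address of the *next* instruction (opcode byte plus displacement bytes)."""
    info = RELATIVE.get(code[0])
    if info is None:
        return None
    name, size = info
    disp = struct.unpack("<i" if size == 4 else "<b", code[1:1 + size])[0]
    return name, (addr + 1 + size + disp) & 0xFFFFFFFF

def check_listing(text):
    """Compare each decoded branch target with the one W32Dasm printed.
    Returns {address: (decoded target, printed target, match)}."""
    results = {}
    for line in text.splitlines():
        if (parsed := parse_line(line)) is None:
            continue
        addr, code, mnemonic = parsed
        if (decoded := branch_target(addr, code)) is None:
            continue
        printed = int(mnemonic.split()[-1], 16)
        results[addr] = (decoded[1], printed, decoded[1] == printed)
    return results
```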

So, if you scroll up a bit, we will see this:

* Possible StringData Ref from Data Obj ->"[MOVIES]\Intro.tgq"

It’s quite easy to see what this means. Let me explain:

The call 0048A5E0 is the one that checks whether certain files can be loaded from certain drives. To understand this better, consider that all the files needed for the game to run are taken from C:\, except one. This one is the “intro.tgq” file, which is taken from the cd. So it checks for this file on E:\ and if it cannot find it, it calls for the bad message. As you may have already imagined, there are two solutions:

*Either NOP (90h) the call that checks for this file,
*Or copy the Movies\intro.tgq file into your game directory and MAKE it think it’s on C:\.

However, the first solution is the best, because if you use the second one you will also have to find a way to make it always check for the intro.tgq file on the hard disk and not on the cd-rom, which is its default. So, NOPing the call is the best option. That way we also won’t have to watch the intro each time we want to play.

Cheat

If you pick the second choice, you will have to remember to visit the registry and pay attention to an API function, CreateFileA. For more, refer to your API reference.

SOFTICE

You may be wondering what the use of SoftICE is in this tutorial. The answer is simple. In order to be sure that the call at address 0048A5E0 is the one that checks for the cd in the cd-rom drive, I used a breakpoint at this address. I ran the game and was placed in the main menu. Then I set a breakpoint by writing:

bpx 0048A5E0

After that, I double-clicked on the “CAMPAIGN” option and BOOM!!! SoftICE broke at this address. This way I was sure that this was the test to see whether the cd is in the drive, and that it was made by testing a single file, the intro one.

HIEW

So,remember:

*NOP the call at address 0048A5E0. If you don’t know how to do this, read some tuts on the use of the Hiew editor. I suggest you read Krobar’s Basic Use of Hiew Editor; it should cover this and a lot more.

NOP (no operation) = 90h


Spyros