Cracking Dark Omen Game CD Protection
This one is another tutorial that i’ve written for Krobar’s website and that you can find here. I believe that it has some good value, especially if you are into reverse engineering cd protections.
SOME IMPORTANT INFO ABOUT THE GAME
Dark Omen is a strategy game produced by Electronic Arts (EA).This might sound a bit frustrating, if we take into consideration their current protections in year 2001.However,this game was published in year 1997,so I don’t think it will be difficult for us.
WHAT WILL I NEED IN ORDER TO FOLLOW THIS TUTORIAL?
To follow this tut without having any problem,you will have to possess these three tools,or at least the first two of them.
*HIEW EDITOR (NEEDED)
*SOFTICE (OPTIONAL,but it will make you understand better how the protection works).
You will also need to have a fair knowledge of how these tools work.To obtain this knowledge,you could read my first tutorial on cracking two games with W32DASM and HIEW.If this won’t help you, you can always grab other tuts from Krobar’s site(http://zor.org/krobar).My tut is also located there. Moreover,you will have to obtain some knowledge on Softice,which is a great Numega tool,a wonderful debugger.To do this i would highly advise you to read Krobar’s tuts,at least the 8 first ones,about cracking two easy crackme’s.There are also other tuts from good crackers that will give you a fair
idea on how to use SoftIce.
WE MAY START…
As always install the game,(maximum install) and double-click on the Dark Omen shortcut to play the game,without the cd inserted in your cd-rom drive.It’s this message again…When will we see a game that will run without the cd???Never mind,we will have to crack it if we don’t want it to be inserted each time we want to play the game.(Or if we want to hear our new music cd at the same time we play the game…).So,let’s disassemble the executable of Dark Omen.But,where is it? Its in the “Dark Omen\Prg_eng” and it is named “EngRel”.Found it?Make two copies,name them as:
Disassemble EngRel.w32 so that you can make changes to the exe of the game,while you have W32Dasm opened.
WHAT WERE OUR MESSAGES?
When you double-clicked the shortcut to start the game,you entered the main screen of the game and when you tried to start playing the campaign,you saw a message saying something like that:
CD ROM MISSING
The cd rom is required for this selection.Ensure the cd-rom is present |E:| <-Drive letter and highlight the drive letter of your cd-rom drive. |F:| <-Drive letter
So,what can we make out of this message?We’ll see…Back to W32Dasm and click on String Data References.Try to find any message that should say something like:
“CD ROM MISSING” or “The cd-rom is required..”
Did you find anything?I hope you did.In fact,there are three strings which so do the job:
*CD ROM MISSING?
*THE CD-ROM IS REQUIRED FOR THIS…
*DARK OMEN CANNOT LOCATE THE CD-ROM…
So,there are three suspect strings.Let’s look at the first one.It’s “cd-rom missing” and there are three places in it to look for.I searched them all,set breakpoints on SoftIce to find if there was a place to check for the cd being on drive and I found nothing interesting.So,i didn’t even make the attempt to search into the other two strings and i started to think.Soon i understood something that i ought to have understood before.The bad message which we have seen before,says that it examines the drive in which there should be the cd,which is our cd-rom drive.So,we can make the judgement that it checks for the cd in one other place,highly likely a well-known API function. But,what is this function?
WHERE DOES IT CHECK IF I HAVE A CD-ROM INSERTED IN MY DRIVE?
The answer is that it checks this with an API function,GetDriveTypeA.This is a function that checks if the cd is inserted in the drive the programmer would want it to and that should be our cd-rom drive,of course.So let’s open the “functions\imports” and search for “getdrivetypea”.Once you found it,double-click on it and you should be presented with the following piece of code:
* Referenced by a CALL at Address: |:0048A5E0 <-This is the address to goto | :0048A600 81EC04010000 sub esp, 00000104 :0048A606 53 push ebx :0048A607 56 push esi :0048A608 8BB42410010000 mov esi, dword ptr [esp+00000110] :0048A60F 57 push edi :0048A610 55 push ebp :0048A611 56 push esi * Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh | :0048A612 FF15C0645800 Call dword ptr [005864C0] <-We are thrown here :0048A618 83F805 cmp eax, 00000005 :0048A61B 740D je 0048A62A :0048A61D 33C0 xor eax, eax :0048A61F 5D pop ebp :0048A620 5F pop edi :0048A621 5E pop esi :0048A622 5B pop ebx :0048A623 81C404010000 add esp, 00000104 :0048A629 C3 ret
As you have learnt from my first tut,most times we have to goto the call or jump which we first see above the place where there is the string we double clicked on.This means that the piece of code after GetDriveTypeA,should be where the comparison between drives is held.But could it be something interesting in the above CALL?Let’s goto the address 0048A5E0.Then we see:
* Possible StringData Ref from Data Obj ->"[MOVIES]\Intro.tgq" <-What may this be? | :0048A59B BA78264F00 mov edx, 004F2678 :0048A5A0 899C24F8000000 mov dword ptr [esp+000000F8], ebx :0048A5A7 8D8C24F4000000 lea ecx, dword ptr [esp+000000F4] :0048A5AE 668B5A10 mov bx, word ptr [edx+10] :0048A5B2 8B420C mov eax, dword ptr [edx+0C] :0048A5B5 8A5212 mov dl, byte ptr [edx+12] :0048A5B8 68010B1200 push 00120B01 :0048A5BD 6A02 push 00000002 :0048A5BF 896908 mov dword ptr [ecx+08], ebp :0048A5C2 6A02 push 00000002 :0048A5C4 89410C mov dword ptr [ecx+0C], eax :0048A5C7 66895910 mov word ptr [ecx+10], bx :0048A5CB 8D442440 lea eax, dword ptr [esp+40] :0048A5CF 885112 mov byte ptr [ecx+12], dl :0048A5D2 8D8C2400010000 lea ecx, dword ptr [esp+00000100] :0048A5D9 8D542420 lea edx, dword ptr [esp+20] :0048A5DD 51 push ecx :0048A5DE 50 push eax :0048A5DF 52 push edx :0048A5E0 E81B000000 call 0048A600 <-We are thrown here.INTERESTING... :0048A5E5 83C418 add esp, 00000018 :0048A5E8 5D pop ebp :0048A5E9 5F pop edi :0048A5EA 5E pop esi :0048A5EB 5B pop ebx :0048A5EC 81C464020000 add esp, 00000264 :0048A5F2 C3 ret
So,if you scroll up a bit,we will see this:
* Possible StringData Ref from Data Obj ->”[MOVIES]\Intro.tgq”
Quite easy what this means.Let me explain now:
The call 0048A5E0 is the one that checks if there are certain files to be loaded in certain drives. To understand better this,think that the files needed for the game to run are all taken from C:\, except from one.This one is the “intro.tgp” file,which is taken from the cd.So,it checks for this file in E:\ and if it cannot find it,it calls for the bad message.As you may have already imagined, there are two solutions:
*Either noop(90) the call that checks for this file,
*Or copy the Movies\intro.tgq file into your directory of the game and MAKE it think it’s in C:\.
However,the first solution is the best,cause if you use the second one,you will also have to find a way so that it will always check if the intro.tgq file is in hard disk and not in cd-rom,which is its default checking.So,nooping the call is the best option.Therefore,we would not have to watch the intro each time we want to play.
If you pick the second choice,you will have to remember to visit the registry and pay attention to an API function,CreateFileA.For more,refer to your API reference.
You may be wondering what’s the use of SoftIce in this tutorial.The answer is simple.In order to be sure that the call at address 0048A5E0 is the one that checks for cd in cd-rom drive,I used a breakpoint at this address.I run the game and was placed into the main menu of the game. Then i set a breakpoint,by writing:
After that,i double-clicked on the “CAMPAIGN” option and BOOM!!!Softice broke at this address.This way i was sure that this was the test to see if cd is in drive and it was made by testing a single file,the intro one.
*Nop the call at address 0048A5E0.If you don’t know how to do this,read some tuts related on the use of Hiew Editor.I suggest you read Krobar’s Basic use of Hiew Editor.It should cover this thing and a lot more.