Quake2 CD-Rom reversing
(More about CD-ROM deprotections and Cd-Checks)

by -= +DataPimp =-

(19 December 1997, slightly edited by fravia+)


Courtesy of fravia's page of reverse engineering
Well, I'm happy to host this essay about the removal of a CD-ROM protection check. In fact I just wonder what is keeping our fellow readers (and +crackers) from working a little on the CD-ROM protections used by Micro$oft in order to 'embrace and absorb' the whole game sector... I'm speaking of Microsoft Flight Simulator 98 and of Age of Empires, for instance. In fact they are not difficult to remove... and you have the Xmas-New year weeks to work on them! Merry Xmas to everyone!

Cracking Quake2 (Cracking "the most anticipated game of the decade")
Well, that's what quake2 has been called. The game was released 
in the USA on December 9th, although it has been available for 
download on the internet since last month. 

In this essay we are going to explore a cd-check crack, an 
interesting problem that the crack itself introduces, and how to fix it. 
By the time we complete this essay we will have a fully working 
crack. 

Let's start off by running quake2. We run it and so far it has not 
given us an error; ok, let's try to start a new game, and all of a 
sudden the protection scheme kicks us out and we get a message saying 
"You must have the Quake2 CD in the drive to play". 

Damn, now let's fix that error message. I think that this kind of 
protection is wrong; companies do this on purpose. If they make you 
have the cd in the drive at the time of play, then you can't play network 
games unless everyone you want to play with has a cd. It's unjust! I 
bought my game and I want to play my bought game with my friends! Besides, 
I like to hear my own music when I play... and I should not be able 
to use my own CD-drive to hear my own music in my own house? Companies 
do this on purpose, they probably hate good music :)

Well, let's fix that... in a few short minutes we will have it cracked. 

OK, let's begin by loading "Quake2.exe" into the disassembler; we 
already know the text that appears inside the error message box. 
So let's look at the string data references... hmmm, ah, yes! 
Towards the bottom you notice the text that we are looking for, so we 
double click on it inside wdasm.

Doing that, we now land inside the following code:

* Referenced by a Jump at Address:0042B0FE(C)
|
:0042B115 8A442404                mov al, byte ptr [esp+04]
:0042B119 FEC0                    inc al
:0042B11B 3C7A                    cmp al, 7A
:0042B11D 88442404                mov byte ptr [esp+04], al
:0042B121 0F8E6AFFFFFF            jle 0042B091

* StringData Ref from Data Obj ->"You must have the Quake2 CD in "
                               ->"the drive to play."

Ok, so let's now go to code offset "0042B0FE" and have a look at the 
code that jumps to the snippet above. 
When we examine the code around "0042B0FE" we see the following; please 
take a 'deep' reversing look at it and see if you can feel the protection 
by yourself:

* Referenced by a Jump at Address:0042B0BC(C)
|
:0042B0D3 8D4C2404                lea ecx, dword ptr [esp+04]
:0042B0D7 8D542408                lea edx, dword ptr [esp+08]
:0042B0DB 51                      push ecx

* Possible StringData Ref from Data Obj ->"%s\quake2.exe"
                                  |
:0042B0DC 6880474400              push 00444780
:0042B0E1 52                      push edx
:0042B0E2 E839430000              call 0042F420
:0042B0E7 83C40C                  add esp, 0000000C
:0042B0EA 8D442408                lea eax, dword ptr [esp+08]

* Possible StringData Ref from Data Obj ->"r"
                                  |
:0042B0EE 6890474400              push 00444790
:0042B0F3 50                      push eax
:0042B0F4 E897250000              call 0042D690
:0042B0F9 83C408                  add esp, 00000008
:0042B0FC 85C0                    test eax, eax
:0042B0FE 7415                    je 0042B115
:0042B100 50                      push eax
:0042B101 E86A200000              call 0042D170
:0042B106 83C404                  add esp, 00000004
:0042B109 8D4C2404                lea ecx, dword ptr [esp+04]
:0042B10D 51                      push ecx
:0042B10E FFD6                    call esi
:0042B110 83F805                  cmp eax,5
:0042B113 7421                    je 0042B136

Ok, now before we do anything else, we need to back up the original 
"quake2.exe" file. 
Now let's have a look at the code above, which tells me that the 
program is looking for "quake2.exe".
If you notice the string "%s\quake2.exe" you might be wondering 
what that "%s" means: it is a placeholder that gets filled in as the 
program runs, so at run time the string might become "e:\quake2.exe", 
for example. 

Now hmmm, how can we fix that?
Well, you see there... that is a string data reference, it's plain 
text, so let's search for it in ultraedit: load quake2.exe into 
ultraedit and search for the ASCII string "%s\quake2.exe"; you 
will notice that it shows up. 
Now, we want to be able to run this program without any problem and 
without the silly cd that we have bought, therefore just with the 
files that the game needs. 
Now we are going to change it: get the "%" highlighted, hit the 
insert key and then hit the space bar. We have now cleared the "%" out 
of the string, and our cursor is positioned on the "s".
Go ahead now and type ".". Leave the "\quake2.exe" alone. 
Doing this we have told the program to look in the current dir for 
the file instead of where it would have been looking. 

Ok, let's fire up quake2 again, after of course you save the changes 
that you have made to the file, and you will see now that you will be 
able to launch a new game, if you feel like it. 

Why does it work? 
Simple (if you understand dos): if you type "cd.." at the command prompt 
while in the windows dir, then it will take you to "c:\", because ".." means 
to move one level towards the root of the dir tree, into the parent dir.
But "." is the current dir. If you had just wiped out both the
"%" and the "s", then the program would have been looking in the root dir of 
whatever drive you had the quake2 files in. 

Now it seems as if we have completed our crack. 
Yet this is not true. Remember what I said at the beginning about a 
problem that our crack produces? Now, if you look towards the end 
of the snippet of code above you will see a "cmp eax,5". Just above 
that compare there is a call and then, below the compare, there is 
a je instruction. 
Right when I saw this I knew what it was: our target is checking 
whether the drive it has found is a cd-rom or not! 
So if you don't have a cd-rom drive installed in your computer at all, 
then you will still get the error message. 
So let's change that "je" to "jmp" and save the file. 
As a hex editor I personally use HIEW. 
Now let's fire up Quake2, and you will see that it works fine.
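To make the two conditions behind the error message concrete, here is a constructed C model of the check as the listing reads (added for this essay; it is not id Software's code). It assumes the call at 0042F420 is sprintf, that the routine reached through "call esi" is a drive-type query whose value 5 means CD-ROM (as GetDriveType reports, with 3 for a fixed disk), and it replaces the file-open and drive-type calls with stand-ins so it runs offline.

```c
#include <stdio.h>

/* Constructed model of the check as it reads in the listing, not id's code:
 * walk drive letters 'a'..'z' (the inc al / cmp al,7A loop), build the path
 * from the "%s\quake2.exe" format string, try to open it for reading, and
 * accept the drive only when its type equals 5 (the "cmp eax,5"). 5 is the
 * value GetDriveType returns for a CD-ROM drive, 3 for a fixed disk. */
#define DRIVE_CDROM 5
#define DRIVE_FIXED 3

/* Constructed stand-in for a PC: which letter is the CD-ROM drive (0 = no
 * CD-ROM drive installed) and whether the game disc is inserted. */
typedef struct {
    char cdrom_letter;
    int  disc_in_drive;
} machine;

/* Stand-in for fopen(path, "r"): "x:\quake2.exe" is readable only on the
 * game disc; a path with no drive prefix (such as the essay's patched
 * " .\quake2.exe") resolves in the game's own directory, where quake2.exe
 * is always present. */
static int file_openable(const machine *m, const char *path) {
    if (path[1] != ':')
        return 1;
    return path[0] == m->cdrom_letter && m->disc_in_drive;
}

/* Stand-in for the drive-type query the listing reaches via "call esi". */
static int drive_type(const machine *m, char letter) {
    return letter == m->cdrom_letter ? DRIVE_CDROM : DRIVE_FIXED;
}

/* Returns 1 when the game would start and 0 when the "You must have the
 * Quake2 CD in the drive" message is shown. require_cdrom = 0 models the
 * je -> jmp patch. Assumption: an openable file on a non-CD-ROM drive just
 * continues the loop (the code after 0042B113 is not in the listing). */
int cd_check(const machine *m, const char *fmt, int require_cdrom) {
    char drive[3] = "a:";
    char path[64];
    for (char letter = 'a'; letter <= 'z'; letter++) {
        drive[0] = letter;
        snprintf(path, sizeof path, fmt, drive); /* the call at 0042F420, presumably sprintf */
        if (!file_openable(m, path))
            continue;
        if (!require_cdrom || drive_type(m, letter) == DRIVE_CDROM)
            return 1;
    }
    return 0;
}
```

With the original string the model fails whenever the disc is out; with the patched string it passes as soon as any drive letter reports type 5, so a machine with a CD-ROM drive but no disc starts the game, while a machine with no CD-ROM drive at all still fails until the je is turned into a jmp.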
 
So it has turned out that we have now totally completed the crack: our 
target won't require the cd at all. 
I hope this helps all people that love music. 
If you have any questions or comments please contact me using one of 
the methods below.

E-Mail: DataPimp@hotmail.com
ICQ: 5613620
Or Join #o13 on EFNet

Thanks goes to: 
Everyone in o13, rake, Balti, WTFMI, Teir, thanks for the idea :)

(c) -= +DataPimp =- All rights reversed