How to defeat a cd-lock protection
by zoltan
(24 September 1999)
CD-ROM faking
Courtesy of fravia's pages of reverse engineering ~ slightly edited by fravia+
As example: COMMANDOS: Behind Enemy Lines
TOOLS REQUIRED:
SoftIce 4.0
W32Dasm (if you want to follow)
Hackers View 6.15
TARGET:
Commandos: Behind Enemy Lines
- buy it or get the rip + original exe.
Visit the tools section of our web page: http://protools.cjb.net, a nice tool site...
Briefing about cd-lock:
Today nearly all games that get published have a form of protection called ISO protection (in the scene). It is there to prevent end-users from pirating cds by just copying them at home with cd-burners. Today I'm going to teach you how to reverse one of these protections, called CD-LOCK. You can check if the cd you have is protected by CD-LOCK: simply explore your cd-drive and look for 4 huge (.afp) files.
Introduction:
Another famous game: Commandos. This one was released to the public by CLASS PC on the 24th of June 1998. It's been available for download on the internet ever since. Think I leeched it the same day, and got the original (protected) exe from some friends. I started cracking this (cd-check) like I thought it was, because I had never even heard of this cd-lock protection. Anyway I cracked it fairly easily, but I had to admit to myself that this must have been one of the hardest (cd-checks, like I thought) I had ever done.
A few months later I heard about the cd-lock protection schemes, and I was like "uhh ohh? that protection got its own name, cool!" ;). I actually love cracking protections that got their own name, like CD-lock, gives sorta feeling for the scheme...
Anyways, enough crap chat... let's begin.
Start off by deleting the commandos.exe which is Class' intro, or simply copy it over to another dir, if you want to collect that junk like I do. Now you may delete the betasux.exe, because that is the cracked exe from Class, and we don't need it, since we are going to crack this game ourselves. Run commandos.exe, break on GetDriveTypeA, press the "start a new game" option and you should be landing here:
* Referenced by a CALL at Address:0044CAFF   "rb"   "d:\TBTP.AFP"
NOW, go to the code location where all this crap was called from; you should be here:
* Referenced by a CALL at Addresses:00447E9C, :00448015 "rb"
|
:0044CB12 68900F5F00 push 005F0F90
:0044CB17 BB00000000 mov ebx, 00000000
* Possible StringData Ref from Data Obj ->"d:\TBTP.AFP"
|
:0044CB1C 6810266000 push 00602610
:0044CB21 E8EA271800 call 005CF310
:0044CB26 83C408 add esp, 00000008
:0044CB29 8BF0 mov esi, eax
more code, more code... but you don't need to care about it ...
The best and simplest way to crack this protection is probably to find where the protection was called from and then simply cut in like this:
:00447E91 8883100D0000 mov byte ptr [ebx+00000D10], al
:00447E97 E834321200 call 0056B0D0
:00447E9C E84F4C0000 call 0044CAF0
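As an added check (not part of zoltan's essay), the two listings above can be verified from their raw bytes: W32Dasm prints the opcode bytes beside each instruction, and the target it shows for every `call` is just the address of the next instruction plus the signed 32-bit displacement that follows the `E8` opcode, while the `push` operands are the immediate after `68`. The script below decodes the entries copied from both listings and reports any line whose computed operand disagrees with what the listing printed; the backward-call line at `00401000` is a constructed value, not from the page.

```python
# Added example (not from zoltan's tutorial): decode the raw bytes that W32Dasm
# prints beside each instruction and verify that every "call" and "push" in the
# listings above resolves to the operand the listing shows.
import struct

# Entries copied from the two listings on this page: (address, opcode bytes, operand shown).
LISTING = [
    ("0044CB12", "68900F5F00", "005F0F90"),  # push 005F0F90
    ("0044CB1C", "6810266000", "00602610"),  # push 00602610 ("d:\TBTP.AFP")
    ("0044CB21", "E8EA271800", "005CF310"),  # call 005CF310
    ("00447E97", "E834321200", "0056B0D0"),  # call 0056B0D0
    ("00447E9C", "E84F4C0000", "0044CAF0"),  # call 0044CAF0 (the cd-lock routine)
]


def decode_operand(addr, hexbytes):
    """Resolve the 32-bit operand of a 5-byte x86 instruction.

    E8 disp32 -> near relative CALL: target = address of the next instruction + signed disp32
    68 imm32  -> PUSH imm32: the immediate itself (here an address in the data section)
    Anything else returns None. Both operands are stored little-endian in the byte stream.
    """
    raw = bytes.fromhex(hexbytes)
    if len(raw) != 5:
        return None
    if raw[0] == 0xE8:
        disp = struct.unpack("<i", raw[1:])[0]          # signed: a backward call has a negative disp
        return (int(addr, 16) + len(raw) + disp) & 0xFFFFFFFF
    if raw[0] == 0x68:
        return struct.unpack("<I", raw[1:])[0]          # unsigned immediate, taken as-is
    return None


def check_listing(listing):
    """Return {address: (computed, listed)} for each entry whose computed operand differs
    from what the listing printed; an empty dict means the listing is self-consistent."""
    mismatches = {}
    for addr, hexbytes, shown in listing:
        got = decode_operand(addr, hexbytes)
        if got != int(shown, 16):
            mismatches[addr] = (got, int(shown, 16))
    return mismatches


if __name__ == "__main__":
    for addr, hexbytes, shown in LISTING:
        print(f"{addr}  {hexbytes:<12} -> {decode_operand(addr, hexbytes):08X}  (listing: {shown})")
    print("mismatches:", check_listing(LISTING))
```

Running it shows that `E84F4C0000` at 00447E9C really does land at 0044CAF0 (0x00447EA1 + 0x4C4F), which is why the listing for the cd-lock routine says it is "Referenced by a CALL at 00447E9C"; the same arithmetic is what W32Dasm uses to build those cross-references.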
You simply change both calls to mov eax, 1, and the game should run smoothly. ;)
Special greets to: BMonkey, Carphatia, Fravia+, Neural_Noise ...