WarLords 3 Cd-Check
("A Very Simple Protection")
(24 September 1997)
Courtesy of Fravia's page
of reverse engineering
Well, another interesting essay about CD-rom protections reverse engineering
WarLords 3 Cd-Check
"A Very Simple Protection"
This is my first cd-check protection and it was quite easy I have
to say...I was reading Aesculapius's Cd-Check Essay on Virtua Fighter
when I decided to try this.
WarLords3 is a game published by Red Orb entertainment and I
obtained this copy from a warez site...I wanted to try it since I heard
it was a warcraft II type game. Anyway I decided to download it, I saw
it was released by a group called Paradigm. So let's get down to busines.
Anyway so I unrar the program and install it and when I go to run
it... I find that I get a message that says "CD not found Please insert
the Warlords III cd before starting the game".
Ok, So obviously this program was not cracked correctly or someone
didn't include the crack with the program. So I had two options at this
Either we could look on the internet and beg for a crack or we could do
what we should be doing and crack this ourselves. Obviously we are going
to crack it ourselves.
Let's begin by loading up war3.exe into W32dasm and begin our
conquest to defeat the ties that bind us to obey software companies.
Once War3.exe is dissasembled we have several options. One being the fact
that we could search for the text... But the fact is that it shows up
several times and this is not the best method at all.
We are going to search for GetLogicalDrives but why not GetDriveType you
ask... Well it is NOT going to be the culprit in this case due to the fact
that when you set a breakpoint on GetDriveType it doesn't break anytime
before the screen that says to enter the cd.
So It must be GetLogicalDrives and in fact if you set a breakpoint
you will see it break. Now searching threw the dissembled text you
will notice that for example that GetLogicalDrives only shows up once.
I have a good feeling that this indeed will be very easy.
Now about a paragraph above the kernel32.dll call you will
see that it was called by only one location that will indeed be the
only check for the cd at startup. Ok now if you trace the call back from
the GetLogicalDrives call you will find that the following code:
* Referenced by a CALL at Addresses:00441CFB , :00441D6C
* Possible StringData Ref from Data Obj ->"E"
:00436E40 685CC24C00 push 004CC25C
:00436E45 E856090000 call 004377A0
:00436E4A 83C404 add esp, 00000004
:00436E4D A258C24C00 mov byte ptr [004CC258], al
:00436E52 C3 ret
Ok now we know that the call at "00436E45" will obviously be the checking
code. If you notice at Code Data location "00436E4D" that whatever is in
al will be moved to memory location "004CC258". Then after that return code
from al into the memory location we return program control to the calling
function. Ok in this case we are going to go to code data location "00441CFB".
At that location we find the following code:
* Referenced by a CALL at Address:004BE928
:00441CD0 64A100000000 mov eax, dword ptr fs:
:00441CD6 55 push ebp
:00441CD7 8BEC mov ebp, esp
:00441CD9 6AFF push FFFFFFFF
:00441CDB 68E61D4400 push 00441DE6
:00441CE0 50 push eax
:00441CE1 64892500000000 mov dword ptr fs:, esp
:00441CE8 33C0 xor eax, eax
:00441CEA 83EC08 sub esp, 00000008
:00441CED B94E9E0000 mov ecx, 00009E4E
:00441CF2 56 push esi
:00441CF3 57 push edi
:00441CF4 BFB8645000 mov edi, 005064B8
:00441CF9 F3 repz
:00441CFA AB stosd
:00441CFB E84051FFFF call 00436E40 <-call cd-checking function :00441D00 803D58C24C0000 cmp byte ptr [004CC258], 00 <-was the cd in drive??? :00441D07 0F8582000000 jne 00441D8F <-If it was, continue :00441D0D 8D4DF0 lea ecx, dword ptr [ebp-10] <-Nag them about cd! Ok so now by studying this code "that.class" tppabs="http://Fravia.org/that.class" is commented will can very easily see that if the cd was in the drive "al" will load "004CC258" with "1" if it wasn't it will load "004CC258" with "0". Ok so as I was taught there is more than one way to crack or solve a protection scheme in any program. We could easily change the "jne 00441D8F" with jmp 00441D8F" therefore it will always jump to the good code or we could just as easily hardwire the value that is put into "004CC258" at "call 00436E40" by putting "1" into that location and removing the "al". For this solution I changed the "jne 0041D8F" to "jmp 0041D8F" due to the fact that if you notice the call to "00436E40" that code segment is called by another part of the code...It could in fact cause problems there...So we are going to patch it that way. I hope that everyone has enjoyed this essay, I hope to have more in the future. Please feel free to e-mail me at: Riddler@oceansintl.com Take Care, +-="Riddler=-+"
(c) Riddler 1997. All rights reversed
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Back to Project 4 ("CD-Rom protections")
Is reverse engineering legal?