Brief Tutorial on CD Access Based Protection Schemes Under Windows
Cracking Virtua Fighter PC
by Aesculapius
(27 August 1997)
Courtesy of Fravia's page
of reverse engineering
Well, a VERY welcome contribution by
our Aesculapius! It was time that somebody took care of the CD-ROM checks,
which btw, in general, are NOT very difficult to defeat. I hope that with
the help of this addition many +crackers will be stimulated and work
on such schemes,
bringing ahead this poor and neglected (yet important) project 4!
Brief Tutorial on CD Access Based Protection Schemes Under Windows
Cracking Virtua Fighter PC
By Aesculapius
It should be beneficial for all of us to dedicate some time on CD
Access protection schemes reviewing, given the fact that ORC+ brilliant
tutorial on this matter isn't complete yet (check
http://207.30.50.126/fravia/howto51.htm) and there are few essays (although
brilliant indeed) on this matter at the +HCU. Writing essays on DOS4GW
Extender + CD Check would be a great addition for the +HCU.
Theoretical digression: CD access based protection schemes are
relatively frequent. These Schemes will basically, prevent the user from
running the program if the original disk is not inside the CD drive. This
assures that only one copy of the program runs at a time. In many cases,
all information in the CD is copied to the hard drive at installation,
making the presence of the disk in the unit a matter of copyright
restriction, and being not strictly necessary from the technical point
of view. In some cases, much of the info required stays in the CD drive,
making impossible to dispense the original disk. Remember, we're dealing in
this essay with those cases in which all the program is transferred from the
disk to the hard drive; other cases would require further discussion.
These schemes work all in a very similar fashion. The presence of
certain 'I_didn't_do_it-looking' file inside the CD drive is checked every
time the application runs. Primitive schemes could simply check for the
presence of a CD-ROM drive in the system even if it is empty or the disk
inside is not the right one. As CD-ROM units have become an standard
peripheral in most basic PC configurations, this gadget has been abandoned
or combined with the checking of some sort of information inside the CD
itself.
Given these facts, defeating CD access schemes could be achieved
by means of several techniques. You could simply fool the program to believe
that your hard drive is a CD unit (faking and relocating the right
information to be read in your hard drive); altering the behavior of the
program by means of assembly code editing is another possibility; using
ready_to_use or made_by_yourself CD fakers. We will discuss the second
possibility as it can produce a higher rate of successes (in my
personal experience).
Today's scapegoat is Virtua Fighter PC, a cool looking, third person
3D fight game by SEGA. I'm not able to give you the trail of this program
location as the gamez 'panorama' in the internet is a whirlpool of changing
URL's. However the game is widely available in the shells.
To achieve this crack you'll need SoftICE 3.x and your
preferred Hex editor (Psedit 4.4 in my case). Earlier versions of
SofICE will also work, but some of the SoftICE commands in this essay
will apply to version 3.x only. (Note: Remember to load all necessary
SoftICE exports and remove Virtua Fighter Compact Disk from the CD unit
before proceeding any further).
Load the main executable file: vfpc.exe in SoftICE's loader. After
SoftICE pops up, we should set a dense net (one at a time) of clever
breakpoints to catch the scheme in _flagrante delictum_. Most frequently
used Win32 application programming interface are:
GetDriveType
GetFileAttributesA **
GetFileSize
GetLogicalDrives
GetlogicalDriveStrings
GetLastError **
ReadFile
Any of these API's (and some others) can be used in one way or
another to query the presence and authenticity of a compact disk. In some
cases, the absence of the disk will force the API to return with an error
code. Almost all API's (in case of failed procedure) return with an error
code value of -1, 0xFFFFFFFF, equivalent to NULL. According to this, an
appropriate breakpoint on GetLastError API could be set.
In this particular case, SoftICE pops up when marked (**)
breakpoints in the list are set. Let's take a closer look of the snippet
where SoftICE pops up after pressing F12 one time:
* CALLs at Addresses:004AC3E6, :004AC42A ; As you can see, there is a double check!
|
:00535317 FF742404 push [esp+04]
* Reference To: KERNEL32.GetFileAttributesA, Ord:00D7h
|
:0053531B FF155064C000 Call dword ptr [00C06450]
:00535321 83F8FF cmp eax, FFFFFFFF; Procedure failed?
:00535324 7516 jne 0053533C; No, then jump, otherwise
go on
* Reference To: KERNEL32.GetLastError, Ord:00E1h
|
:00535326 FF15D463C000 Call dword ptr [00C063D4] ; Query error
:0053532C 50 push eax ; in detail
:0053532D E86E72FFFF call 0052C5A0
:00535332 83C404 add esp, 4
:00535335 B8FFFFFFFF mov eax, FFFFFFFF ; Procedure failed
:0053533A EB28 jmp 00535364 ; Retr with EAX=FFFFFFFF
Some instructions eliminated!
:00535362 33C0 xor eax, eax ;Procedure Successful
;Return with EAX=0
Some instructions eliminated!
:00535364 C3 ret
As you can see, a cleverly set breakpoint landed SoftICE right in the middle
of the protection scheme check. The first API is checking attributes of
certain hidden file located in the original compact disk, if the procedure
fails, it returns with EAX=-1, therefore EAX=FFFFFFFF (Valid compact disk
absent). If the API succeed, then EAX<>-1 and eventually EAX=0.
Now let's take a look at the two procedures that CALL these
API's
FIRST LOCATION
--------------
:004AC3CF 689C72B500 push 00B5729C
:004AC3D4 8D45AC lea eax, dword ptr [ebp-54]
:004AC3D7 50 push eax
:004AC3D8 E890C90700 call 00528D6D
:004AC3DD 83C410 add esp, 00000010
:004AC3E0 6A00 push 00000000
:004AC3E2 8D45AC lea eax, dword ptr [ebp-54]
:004AC3E5 50 push eax
:004AC3E6 E82C8F0800 call 00535317 ; Check File on CD
:004AC3EB 83C408 add esp, 00000008
:004AC3EE 85C0 test eax, eax ; EAX=0 Success
:004AC3F0 0F850C000000 jne 004AC402 ; If Success then Jump
:004AC3F6 33C0 xor eax, eax ; Otherwise erase EAX
:004AC3F8 E953000000 jmp 004AC450 ; Beggar off! Display NAG
:004AC3FD E94E000000 jmp 004AC450
SECOND LOCATION
---------------
:004AC413 68A472B500 push 00B572A4
:004AC418 8D45AC lea eax, dword ptr [ebp-54]
:004AC41B 50 push eax
:004AC41C E84CC90700 call 00528D6D
:004AC421 83C410 add esp, 00000010
:004AC424 6A00 push 00000000
:004AC426 8D45AC lea eax, dword ptr [ebp-54]
:004AC429 50 push eax
:004AC42A E8E88E0800 call 00535317 ; Check file again
:004AC42F 83C408 add esp, 00000008
:004AC432 85C0 test eax, eax ; EAX=0 Success
:004AC434 0F850C000000 jne 004AC446 ; If Success jump
:004AC43A 33C0 xor eax, eax ; Otherwise erase EAX
:004AC43C E90F000000 jmp 004AC450 ; Beggar off! Display NAG
:004AC441 E90A000000 jmp 004AC450
Needless to say, both locations are exact mirrors. The code
is self-explaining. Finally you can unveil the secret file by taking a
closer look at the GetFileAttributes API parameters. Simply, trace inside
the API and check all used memory locations. The file to be read is
X:\VFPC\vfrright.txt, where 'X:' means the drive letter of your CD unit.
Now that we know all the facts, let's discuss how the protection
scheme works: 1. There are two mirror locations that CALL the same code
segment where two API's will check the presence and authenticity of a certain
file on the compact disk. GetFileAttributesA checks the file, if any error
occurs, GetLastError API will query detailed information on that error.
Result from the query sets the Flag in EAX (which follows the standard API
convention, as EAX=FFFFFFFF is not successful). To crack this
scheme all we have to do is fake the API result.
Change:
:00535335 B8FFFFFFFF mov eax, FFFFFFFF
To:
:00535335 B800000000 mov eax, 00000000
When the API fails to check the file, it'll try to return at
:0053533A with EAX=FFFFFFFF. If we change it to return with EAX=0, both
mirror locations of the protection scheme are deactivated because they use
the same common API's to accomplish their job.
As always, if you have any comment or question, don't hesitate to
write me.
(Note: I tried to keep the essay as short as possible).
Aesculapius - August 97
aesculapius@cryogen.com
aesculapius.home.ml.org
Aesculapius 1997: All rights reversed
You are deep inside fravia's page of reverse engineering,
choose your way out:
Back to Project 4
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia
Is reverse engineering illegal?