q_tsr501.htm: A different approach cracking a DOS CD-protection

A different approach cracking a DOS CD-protection
By Q [Phrozen Crew]
Courtesy of fravia's page of reverse engineering
1 June 1998

Project four

Well, CD-ROM protections are interesting because they give us the opportunity to brush up all the DOS old (beautiful) floppy disk protection schemes... as you can see here once more... see, good old kgb, the incredibly good spy program by Master Horak is still useful (and it is not the only oldie still useful...)
Enjoy!

Cracking Tomb Raider 3dFX eDiTioN - Different Solution
By Q [Phrozen Crew]

* I'm not a native english speaker , so please bare with me .
Intro:
DOS cd protections are still live and kicking . I have discovered that at a friend's house when he asked me to crack the 3dFX patch for Tomb Raider . Without my "cracking environment" (Winice , IDA..) i had to crack it with my "bare hands" ;)
As it turned out the crack qualifies for other TR patches and 3dFX patches.

Tools needed:
- KGB - a cool DOS 'file monitor' . Can be found at +fravia's awesome site .
- FakeCD - I bet u know what this is ;)
- A simple ASM compiler . A86.COM (31 kb) will do .
- Oh and the patch . Can be found at http://www.3dfxmania.com

The Crack:
Running TOMB3DFX.EXE gives out "Please insert the TombRaider CD" - those sentences u just love to hate .. - and exit. We also notice that it's a protected mode program - DOS4GW. ( Good thing we didn't download Winice , we all know
how nervous it gets around other protected mode programs ;)
Fair enough .
Lets spy on it with KGB . This is what we get :

        OpenFile-R : C:\data\title.phd
        OpenFile-R : D:\data\title.phd
        OpenFile-R : E:\data\title.phd
        OpenFile-R : F:\data\title.phd
        OpenFile-R : G:\data\title.phd
        OpenFile-R : H:\data\title.phd
        OpenFile-R : I:\data\title.phd
(It goes on till drive Z)

Hmm , is searches for title.phd .. ok , NP , i have it in my TOMB directory , But it's not in the ROOT directory (it searches
Drive:\Data .. ) , so lets use FakeCD.
Copy FakeCD.EXE to TR directory , and run : Fakecd.exe . /l:J
This way fakecd will emulate a cd drive in drive J . Any drive (except the real HD) is ok .

Re-run TR ... Still not OK .. Lets see why , run KGB , and this is what we get :

This edition can be cracked like the mystiqe edition , however, i had something else in mind - a TSR .
The idea is to make a small program , that will nest in memory , hooking the Open_For_Write_Only function ; when it "sees"
that a program is trying to use this function on the Faked Drive it will change the FileName parameter (the random filename) to NULL . This way the return value of this function is CAN'T OPEN THE REQUESTED FILE (because it's empty) , and
the program will think it's the CD.

I tried it , and it worked ! Not only on the 3dFX edition , but also the Mystiqe edition , and propably other 3dFX patches from 3dfxmania Site.

The basic TSR is below , for a more compatible version - to enter the drive letter in command line - please search for PC_T3DFX.ZIP . I didn't put an un-install option because i figured whoever has a 3dFX card , can spare 100 bytes off his
memory ;)

BTw , if it doesn't work (on other patches) , u can always hook the CreateFile function (Int 21h / Ah=3Ch), and use the
same trick (FileName -> Null) .
* It might work for windows too (To understand windows TSRs read Stone's doc on trainers).
If and when i'll find a windows game with CD protection i'll try this on it , and if succesful ,i'll update this essay. Should anyone else wants to do it , be my guest :)
(May i suggest hooking on GetDriveTypeA , and return 5 (cd-rom) on the faked drive? ;)

That's it , i hope u've enjoyed and learned from this .
If u find other patches / games / programs that this TSR will crack , please drop me a note . (My e-mail is down below .)

Greetings:
PC members , +FraVia and all +HCUkers , friends . :-)

------ Cut here ------
;This is a TSR for tomb-raider,when the prg. checkes for the cd
;is tries to open for write only a random file and to further
;check,it tries to create that random file & delete it -if successful
;it tells u that there is no cd.
;so what this TSR does is intersept the open for write only instruction-
;(INT 21h,function 3Dh,sub-function 01h)
;and also CoMPers the ds:dx if equal "J:\" if so it gives to ds:dx
;(the random file name ) 0 at the beginig and so the return of the open
;instruction in CAN'T OPEN THE REQUESTED FILE (because it's empty)
;thus the prg thinks there is a cd in drive J and runs properly...

start:        lea dx,msg                       ;print msg
              mov ah,9
              int 21h

mov ax,3521h ;Get address of Int 21h into ES:BX
int 21h

mov real_ip,bx ;Save the real valuse for later use
mov real_cs,es

              mov ax,2521h                     ;Hook the vector 21h to point to ds:dx
              lea dx,int_21
              int 21h

lea dx,end_pro+1
int 27h ;Go TSR from cs:0 till end_pro+1 byte
;--------------------------------------------

int_21:     cmp ax,3d01h                       ;Check if it's Open_For_Write_Only function request
            jne return2normal
                                                                                     ;Here u can add the check for CreateFile (or DeleteFile) if necessary

push si ;save si

mov si,dx ;mov dx to si in order to use ds:[si](=ds:[dx])

cmp byte ptr [si] , 'J' ;"J" -- the faked drive letter
jnz c2

            inc si
            cmp byte ptr [si] , ':'             ;":"
            jnz c2

            inc si
            cmp byte ptr [si] , '\'             ;"\"
            jnz c2

inc si
mov byte ptr [si],0 ;put 0 at the begining of the file's name

c2: pop si ;restore old value

return2normal:
db 0eah ; == Jmp to the real INT 21h
real_ip dw 0
real_cs dw 0

msg db "TSR FOR TOMB-RAIDER ,CRACKED BY Q / PC$"

end_pro:

end start
------ Cut here ------

Phrozen_q@CyberDude.Com
sEE yA :)
-Q