|Assembly Language Tutorial|
| Please choose a tutorial page:
This example is going to cover the steps I took to crack a not-very-popular computer game. Rather than showing all the trial-and-error, I'm going to demonstrate the strategy that worked. Note that there are probably many ways to go about this, the way I'll demonstrate is only one way.
For fear of legal issues, I'm not going to name the game I use in this thread. If you wish to know which game, talk to me privately.
The reason I chose this game is twofold:
- Its protection is fairly simple, providing a useful tutorial.
- It's a really good game made by a fantastic company that I like a lot. So encouraging people who've never heard of it to try it can only be positive.
In other words, if you think this game is interesting, buy it! This demonstration is for educational purposes only.
If you believe this is your game, and you don't wish this information to be here, please send me an email and I will remove this page (if indeed it is yours).
All you need for this is IDA and TSearch. They can be found on the tools page. A hex editor can be substituted for TSearch to permanently patch the game instead of patching it in memory.
If this is your first time using IDA, you might want to take some time getting used to it. I'm going to be using IDA 5 for this demonstration, but any version technically works.
First, you'll probably want to run the game to familiarize yourself with the protection scheme. In the bottom-right corner you'll see a "registration code", and if you press "register" you'll be prompted for a registration key. Try a couple keys, maybe you'll get lucky. Hint: all codes are integers between 10000 and 19999.
When you get bored, load up IDA and load the game's .exe file. At the bottom left, you'll see the analysis status. You can look around all you want while it's analyzing, but once it says "idle" we can start poking around.
If this is your first time in IDA, take some time to familiarize yourself with it. I won't pretend that IDA is an easy program to use, I haven't even scratched the surface of what I know it is capable of. But some of the commands you might want to try are:
- Renaming variables/arguments/addresses (click on a variable and press 'n').
- Setting a prototype for a function (click on the function header and press 'y' -- note that you can define a __cdecl, __stdcall, or __fastcall function this way).
- Adding a comment to a function (click on the function header and press ';').
- Adding a comment to a line (click on the line and press ':').
- Finding function cross references (click on the function header and press 'ctrl x')
- Following cross references (double click on a variable, function, address, etc)
- Experiment with highlighting (whenever you click or highlight something, everything that matches highlights)
Those are the features I use most frequently. They can all be accessed via menus, so you don't have to memorize those hotkeys, but knowing the hotkeys will speed things up a lot.
Finding the Validation
Finding the validation is the most difficult part, but if you follow these steps it shouldn't be terribly difficult. This section will cover the steps used to find the proper address. I'm omitting any trial-and-error steps from this.
If you have any ideas of your own, feel free to try this on your own! If you find another way to crack this game, I'll include it here.
In the "Strings" window of IDA, search for "Unregistered". Do this by bringing up the strings tab/window, and typing the word. You should see a string that will warn the user that the game is unregistered, which is the string that is used on the main window. Double-click it.
You will see the string in the data section now. Press ctrl-x to bring up the cross references (ie, where the string is used). There should only be one. Double-click it. You should see the following code (addresses removed to protect the innocent (me)):
cmp ds:byte_AAAAAA, 0 jnz short loc_BBBBBB mov edx, ds:dword_CCCCCC push edx ; HGDIOBJ mov eax, ds:dword_DDDDDD push eax ; HDC call ds:SelectObject movsx eax, word_EEEEEE push eax push offset aUnregisteredCo ; "Unregistered Copy... lea eax, [ebp+var_188] push eax call sub_FFFFFF
Cracking the game
Now that you know the address of the verification, we can test it. Do the following to crack it (again, if you think you can do this on your own, please do!):
- Run the game
- Minimize it
- Run TSearch
- Use "Open Process" in TSearch to open the game
- Enable TSearch's "Hex Editor"
- Click on the left-most icon on the hex editor, and type in the address of the jnz/jz??? instruction
- Change the instruction to jmp/nop???
- Go back to the game, enter any registration code
- Any code should now be accepted!
Feel free to edit this section and post questions, I'll do my best to answer them. But you may need to contact me to let me know that a question exists.