Uploaded by dukkasrinivasflex

Posted on 26-Nov-2015


Free Information Xchange '98 presents:
Claw (aka Captain Claw) - CD crack by Static Vengeance

Requirements:
Hex editor and full game install
W32Dasm if you wish to follow along

Time for another tutorial on CD check cracking. The game I chose to use as an example is Claw
from Monolith Productions. Claw is a great side scroller type of game. Claw has great graphics, sound
and is very playable except for a minor BUG in the program. The bug I am speaking of is the CD check
during the game. So I set out to disable the CD check so I could play the game right from the hard
drive without putting in the CD.

I got W32Dasm (from URSoft) up and running and disassembled Claw.exe to crack it. Once W32Dasm
had finished its work I went up to the menu bar and selected "Refs" and then "String data
references" from the drop down menu. From there, you just grab the slider bar and scroll down the
pop-up box, checking for strings like "Insert...", "Please insert..." or some direct reference
to the CD or to a file on it. In this case I came across "%c:\CLAW\CLAW.EXE", and double clicking on
that put me right in the middle of the following:

* Referenced by a CALL at Addresses:                    ; This is the second level caller to the CD check
|:00422539 , :004225C0 , :004225D4                      ; Called from three other locations
|
:00422660 E80B000000        call 00422670               ; Call the primary CD check routine
:00422665 33C9              xor ecx, ecx                ; ZERO out ecx
:00422667 84C0              test al, al                 ; Test al for zero or non-zero value
:00422669 0F95C1            setne cl                    ; If non-zero then set cl to 01
:0042266C 8BC1              mov eax, ecx                ; Put final value back into eax
:0042266E C3                ret                         ; Return to caller
:0042266F 90                nop

* Referenced by a CALL at Addresses:                    ; This is the primary level of the CD check
|:00422660 , :0042D195                                  ; Called from above and one other location
|
:00422670 64A100000000      mov eax, dword ptr fs:[00000000]
:00422676 6AFF              push FFFFFFFF
:00422678 687B055100        push 0051057B
:0042267D 50                push eax
:0042267E A080645400        mov al, byte ptr [00546480]  ; Drive letter cached by an earlier successful check
:00422683 64892500000000    mov dword ptr fs:[00000000], esp
:0042268A 81EC60040000      sub esp, 00000460
:00422690 53                push ebx
:00422691 33DB              xor ebx, ebx                ; Counter used for number of times through CD check
:00422693 56                push esi                    ; (bl holds the drive letter being tested)
:00422694 3AC3              cmp al, bl
:00422696 57                push edi
:00422697 0F852C010000      jne 004227C9                ; Letter already known: skip straight to the exit
:0042269D 899C2450010000    mov dword ptr [esp+00000150], ebx
:004226A4 53                push ebx
:004226A5 6802000080        push 80000002               ; HKEY_LOCAL_MACHINE
:004226AA 53                push ebx
* Possible StringData Ref from Data Obj ->"1.0"
|
:004226AB 68385F5300        push 00535F38
* Possible StringData Ref from Data Obj ->"Claw"
|
:004226B0 68D45E5300        push 00535ED4
* Possible StringData Ref from Data Obj ->"Monolith Productions"
|
:004226B5 68205F5300        push 00535F20
:004226BA 8D8C2468010000    lea ecx, dword ptr [esp+00000168]
:004226C1 899C248C040000    mov dword ptr [esp+0000048C], ebx
:004226C8 E853B40900        call 004BDB20
* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh       ; How many times have we seen this call in
|                                                       ; CD check routines?
:004226CD 8B3D0C825100      mov edi, dword ptr [0051820C]  ; edi = GetDriveTypeA, used by "call edi" below
:004226D3 85C0              test eax, eax
:004226D5 0F8480000000      je 0042275B
:004226DB 8D44240C          lea eax, dword ptr [esp+0C]
:004226DF 53                push ebx
:004226E0 8D4C2414          lea ecx, dword ptr [esp+14]
:004226E4 50                push eax
:004226E5 51                push ecx
* Possible StringData Ref from Data Obj ->"CdRom Drive"
|
:004226E6 68145F5300        push 00535F14
:004226EB 8D8C2460010000    lea ecx, dword ptr [esp+00000160]
:004226F2 C744241C1E000000  mov [esp+1C], 0000001E
:004226FA 885C2420          mov byte ptr [esp+20], bl
:004226FE E85DB60900        call 004BDD60
:00422703 85C0              test eax, eax
:00422705 7454              je 0042275B
:00422707 8A442410          mov al, byte ptr [esp+10]
:0042270B 3C14              cmp al, 14
:0042270D 7E4C              jle 0042275B
:0042270F 0FBEF0            movsx esi, al
:00422712 56                push esi
:00422713 8D542434          lea edx, dword ptr [esp+34]
* Possible StringData Ref from Data Obj ->"%c:\"        ; Another common Ref string to check for
|
:00422717 680C5F5300        push 00535F0C
:0042271C 52                push edx
:0042271D 8AD8              mov bl, al
:0042271F E82C8C0800        call 004AB350               ; sprintf-style: buffer, "%c:\", drive letter
:00422724 83C40C            add esp, 0000000C
:00422727 8D442430          lea eax, dword ptr [esp+30]
:0042272B 50                push eax
:0042272C FFD7              call edi                    ; GetDriveTypeA("%c:\")
:0042272E 83F805            cmp eax, 00000005           ; 5 = DRIVE_CDROM
:00422731 7528              jne 0042275B
:00422733 56                push esi
:00422734 8D4C2454          lea ecx, dword ptr [esp+54]
* Possible StringData Ref from Data Obj ->"%c:\CLAW\CLAW.EXE"   ; The string that got us here
|
:00422738 683C5F5300        push 00535F3C
:0042273D 51                push ecx
:0042273E E80D8C0800        call 004AB350
:00422743 83C40C            add esp, 0000000C
:00422746 8D542450          lea edx, dword ptr [esp+50]
:0042274A 52                push edx
:0042274B E850150800        call 004A3CA0               ; Look for CLAW.EXE on that drive
:00422750 83C404            add esp, 00000004
:00422753 85C0              test eax, eax
:00422755 0F8586000000      jne 004227E1                ; Found it

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004226D5(C), :00422705(C), :0042270D(C), :00422731(C)
|
:0042275B B341              mov bl, 41                  ; Start scanning at drive 'A'

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004227AE(C)
|
:0042275D 0FBEF3            movsx esi, bl
:00422760 56                push esi
:00422761 8D842470030000    lea eax, dword ptr [esp+00000370]
* Possible StringData Ref from Data Obj ->"%c:\"
|
:00422768 680C5F5300        push 00535F0C
:0042276D 50                push eax
:0042276E E8DD8B0800        call 004AB350
:00422773 83C40C            add esp, 0000000C
:00422776 8D8C246C030000    lea ecx, dword ptr [esp+0000036C]
:0042277D 51                push ecx
:0042277E FFD7              call edi                    ; GetDriveTypeA("%c:\")
:00422780 83F805            cmp eax, 00000005           ; 5 = DRIVE_CDROM
:00422783 7524              jne 004227A9
:00422785 56                push esi
:00422786 8D542454          lea edx, dword ptr [esp+54]
* Possible StringData Ref from Data Obj ->"%c:\CLAW\CLAW.EXE"   ; The "give away" string
|
:0042278A 683C5F5300        push 00535F3C
:0042278F 52                push edx
:00422790 E8BB8B0800        call 004AB350
:00422795 83C40C            add esp, 0000000C
:00422798 8D442450          lea eax, dword ptr [esp+50]
:0042279C 50                push eax
:0042279D E8FE140800        call 004A3CA0
:004227A2 83C404            add esp, 00000004
:004227A5 85C0              test eax, eax
:004227A7 7538              jne 004227E1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422783(C)
|
:004227A9 FEC3              inc bl                      ; Increase counter (next drive letter)
:004227AB 80FB5A            cmp bl, 5A                  ; Check against max time through ('Z')
:004227AE 7EAD              jle 0042275D                ; If not past 'Z' then keep trying
:004227B0 8D8C2450010000    lea ecx, dword ptr [esp+00000150]
:004227B7 C7842474040000FFFFFFFF mov dword ptr [esp+00000474], FFFFFFFF
:004227C2 E879B40900        call 004BDC40
:004227C7 32C0              xor al, al                  ; Zero in al means CD check failed

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422697(C), :00422800(U)
|
:004227C9 8B8C246C040000    mov ecx, dword ptr [esp+0000046C]   ; Set up to quit to the caller
:004227D0 5F                pop edi
:004227D1 5E                pop esi
:004227D2 64890D00000000    mov dword ptr fs:[00000000], ecx
:004227D9 5B                pop ebx
:004227DA 81C46C040000      add esp, 0000046C
:004227E0 C3                ret                         ; Finally return

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422755(C), :004227A7(C)
|
:004227E1 8D8C2450010000    lea ecx, dword ptr [esp+00000150]
:004227E8 881D80645400      mov byte ptr [00546480], bl ; Remember the drive letter for the next check
:004227EE C7842474040000FFFFFFFF mov dword ptr [esp+00000474], FFFFFFFF
:004227F9 E842B40900        call 004BDC40
:004227FE 8AC3              mov al, bl                  ; How al gets a value other than ZERO!
:00422800 EBC7              jmp 004227C9                ; Loop up to the quit to caller section

Reading the primary routine from the top: it first loads the byte at [00546480], a drive letter
cached by an earlier pass, and if that is already non-zero it jumps straight to the exit at 004227C9
with the letter still in al. Otherwise it pushes HKEY_LOCAL_MACHINE (80000002) together with the
strings "Monolith Productions", "Claw", "1.0" and "CdRom Drive", which looks like a lookup of the
drive letter recorded at install time. If that produces a letter, GetDriveTypeA("%c:\") has to
return 5 (DRIVE_CDROM) and the call at 004A3CA0 with the path "%c:\CLAW\CLAW.EXE" has to return
non-zero, presumably meaning the file exists. Failing that, bl runs from 41 ('A') to 5A ('Z') and
the same two tests are applied to every drive letter in turn. A hit stores the letter back into
[00546480] and returns it in al; when no drive passes, al is zeroed (xor al, al) before the return.

So from the above code you can see that the important thing is that al is non-zero on the return
from the primary CD check; the second level caller at 00422660 only tests al and turns any non-zero
value into eax = 01. After further digging around from the call made at 42D195, bl should also have
a value of 41. So I overwrote each call to the primary CD check routine with code that loads al with
01 and bl with 41. mov bl,41h (B3 41) and mov al,01h (B0 01) take 4 bytes and the call takes 5, so I
used one NOP (90) as a filler. The five bytes at 42D195 become mov eax,00000001h (B8 01 00 00 00).
The actual edits required to crack Claw v1.20 are as follows:

Edit Claw.exe v1.2
============================================
Search for: E8 0B 00 00 00  at offset 137,824          ; call to the primary CD check
Change to : B3 41 B0 01 90                              ; mov bl,41h / mov al,01h / nop

Search for: E8 D6 54 FF FF  at offset 181,653          ; call to the primary CD check
Change to : B8 01 00 00 00                              ; mov eax,00000001h

Edit Claw.exe v1.3 Beta
============================================
Search for: E8 0B 00 00 00  at offset 137,616          ; call to the primary CD check
Change to : B3 41 B0 01 90                              ; mov bl,41h / mov al,01h / nop

Search for: E8 B6 53 FF FF  at offset 181,733          ; call to the primary CD check
Change to : B8 01 00 00 00                              ; mov eax,00000001h

That's it for Captain Claw, because this game has been FiX'ed

Static Vengeance
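The byte edits above are given as raw file offsets, which only hold for the exact build they were taken from (hence the separate v1.3 beta numbers). The Python script below is added here as an illustration and is not part of Static Vengeance's original tutorial. It does the same job starting from the virtual addresses W32Dasm shows: it parses the PE section table to turn a VA into a file offset, re-derives the E8 rel32 call encodings it expects to find at each site, refuses to write unless the original bytes match, and then applies the v1.2 replacements (mov bl,41h / mov al,01h / nop at 00422660 and mov eax,1 at 0042D195). Because the real Claw.exe is not included, it runs against a constructed PE32 stand-in whose header layout (image base 00400000, .text at RVA 1000h mapped to file offset 400h) is the one the tutorial's offsets imply: 00422660h - 00400000h - 1000h + 400h = 137,824. The helper names and the stand-in image are assumptions of this example.

```python
"""Added example: apply the Claw CD-check patch by VA, resolving file offsets through
the PE section table.  The PE image used here is a constructed stand-in for Claw.exe,
not the real file."""
import struct

IMAGE_BASE = 0x00400000  # assumed image base; the tutorial's offsets are consistent with it


def parse_pe32(data):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]         # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:             # PE32 magic
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]        # ImageBase
    sections = []
    for i in range(n_sections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data, va):
    """Map a virtual address (as W32Dasm shows it) to a file offset (as a hex editor uses it)."""
    image_base, sections = parse_pe32(data)
    rva = va - image_base
    for _name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"VA {va:#010x} is not inside any section")


def encode_call(from_va, to_va):
    """E8 rel32: the displacement is relative to the end of the 5-byte instruction."""
    rel = (to_va - (from_va + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)


def apply_patch(image, va, expected, replacement):
    """Overwrite `expected` at `va` with `replacement`; refuse if the bytes there differ."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the length of the instruction stream")
    off = va_to_file_offset(image, va)
    found = bytes(image[off:off + len(expected)])
    if found != expected:
        raise ValueError(f"bytes at {va:#010x} (offset {off}) are {found.hex()}, "
                         f"expected {expected.hex()}")
    image[off:off + len(replacement)] = replacement
    return off


# The two v1.2 edits from the tutorial, keyed by VA instead of file offset.
CLAW_V12_PATCHES = [
    # 00422660: call 00422670  ->  mov bl,41h / mov al,01h / nop
    (0x00422660, encode_call(0x00422660, 0x00422670), bytes.fromhex("B341B00190")),
    # 0042D195: call 00422670  ->  mov eax,00000001h
    (0x0042D195, encode_call(0x0042D195, 0x00422670), bytes.fromhex("B801000000")),
]


def patch_claw_v12(image):
    """Apply both edits in place; returns the file offsets written."""
    return [apply_patch(image, va, old, new) for va, old, new in CLAW_V12_PATCHES]


def build_fake_claw_image():
    """Constructed PE32 stand-in: one .text section large enough to hold both call sites."""
    e_lfanew = 0x80
    text_rva, text_raw, text_size = 0x1000, 0x400, 0x2E000
    hdr = bytearray(text_raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine=i386, 1 section, no symbols, 224-byte optional header, EXECUTABLE|32BIT flags
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 224, 0x010F)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, IMAGE_BASE)     # ImageBase
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224, b".text", text_size, text_rva,
                     text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    image = hdr + bytearray(text_size)
    # Plant the original call instructions where the tutorial's disassembly shows them.
    for va, original, _ in CLAW_V12_PATCHES:
        off = text_raw + (va - IMAGE_BASE - text_rva)
        image[off:off + 5] = original
    return image


if __name__ == "__main__":
    img = build_fake_claw_image()
    print("patched at file offsets:", patch_claw_v12(img))
```

Against a real file you would read it into a bytearray, call patch_claw_v12 on it and write it back; the ValueError path is what you get when the bytes at the computed offset are not the expected call, which is exactly why the v1.3 beta needs its own search strings and offsets.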