Post by £åߥ®Ñth on Jan 25, 2008 13:05:10 GMT -5
Here is another example of reversing real world applications.
Age of Empires Gold Edition exe.
We are going to reverse the exe so we don't have to use a CD.
Credits: SunBeam & Labyrnth
There are a few ways to do this, as SunBeam showed me himself.
But I will show a pretty easy way, once I was guided by my ole pal SB.
OK, basically, here is how you would get an idea of how to get into the code.
1. You could look for string references. But that will not be any help to us here. There are none related to the "Please insert CD" message.
2. We will have to set a break on an API: "GetDriveTypeA".
This is basically a Windows API that checks the drives.
So we set our breakpoint in the bottom of Olly.
Type: bp GetDriveTypeA
Hit enter to set it.
Run the application and see where we break. You want to run it until you break in the game's module, not a DLL. *Watch the lower right window for the module. "Stack Window"
In the lower right box, click where you see GetDriveTypeA. Now hit Enter to get back to the EMPIRE module and not kernel32.
We land here:
Now scroll up a bit, till you see: TEST EAX,EAX
This has to be = 1 to skip the CD check.
If you follow the instruction above it to 56817C in the lower left window, you will see the bytes are 00 00 00 00 00 00 00 00.
So if the TEST of EAX is = to 0, then the jump will happen. See image.
Now, take a look in the registers window. "Top right"
We can see 2 registers that are = to 1.
ECX and EDX. So what can we do?
Let's alter the TEST. We can use either register we want.
We can see now the jump doesn't happen.
Now, let's save the change so we can make a release.
Save file
Select the executable
Yes to overwrite it. *Don't worry, Olly makes backup files.
And there you go. A cracked exe, and the Empires.bak is the original. If anything went wrong, just delete the exe and rename .bak to .exe and you have restored the original file.