How to remove the CD protection in Pandemonium
How to crack PANDEMONIUM
The first thing to do is to launch the game without the CD. A dialog box will appear telling you "The Pandemonium CD Must Be In Drive". Disassemble PANDY3.EXE, select "Refs" and then "String Data References", and search for "The Pandemonium CD Must Be in Drive". You will land somewhere in the CD-check routine; let's look at it:
* Referenced by a CALL at Address:
|:00436015
|
:00427C60 A1FCB14600 mov eax, dword ptr [0046B1FC]
:00427C65 85C0 test eax, eax
:00427C67 741C je 00427C85
:00427C69 E8324EFEFF call 0040CAA0
* Possible StringData Ref from Data Obj
:00427C6E 6810CC4600 push 0046CC10
:00427C73 E878000000 call 00427CF0
:00427C78 83C404 add esp, 00000004
:00427C7B 6A00 push 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00427C39(C)
|
:00427C7D E89E3D0300 call 0045BA20
:00427C82 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00427C41(C), :00427C67(C)
|
:00427C85 C3 ret
The routine above is called from address 436015, so let's examine that call site. Here is the code:
* Referenced by a CALL at Addresses:
|:00407084 , :004070D7 , :004071F3 , :0040727E , :004072CC
|:00407319 , :004073A5 , :00407E94 , :00407EEC , :00407F6F
|:00408AE4 , :0040F655 , :0040F82B , :0040F8D7 , :00435F31
|:0044154F , :00441567 , :0045151C
|
:00436010 83EC04 sub esp, 00000004
:00436013 53 push ebx
:00436014 56 push esi
:00436015 E8461CFFFF call 00427C60
:0043601A A164E05900 mov eax, dword ptr [0059E064]
:0043601F 85C0 test eax, eax
:00436021 741D je 00436040
* Reference To: KERNEL32.Sleep, Ord:023Ah
:00436023 8B35B8B48100 mov esi, dword ptr [0081B4B8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043603E(C)
|
:00436029 6A64 push 00000064
:0043602B FFD6 call esi
:0043602D E8AE000000 call 004360E0
:00436032 E8591CFFFF call 00427C90
:00436037 A164E05900 mov eax, dword ptr [0059E064]
:0043603C 85C0 test eax, eax
:0043603E 75E9 jne 00436029
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00436021(C)
|
:00436040 8B442410 mov eax, dword ptr [esp+10]
:00436044 8A4C2418 mov cl, byte ptr [esp+18]
:00436048 A35CE05900 mov dword ptr [0059E05C], eax
:0043604D 84C9 test cl, cl
:0043604F 7424 je 00436075
:00436051 8B742414 mov esi, dword ptr [esp+14]
:00436055 56 push esi
:00436056 E8150A0000 call 00436A70
:0043605B C70564E0590000000000 mov dword ptr [0059E064], 00000000
:00436065 83C404 add esp, 00000004
:00436068 83F801 cmp eax, 00000001
:0043606B 1BC0 sbb eax, eax
:0043606D 23C6 and eax, esi
:0043606F 5E pop esi
:00436070 5B pop ebx
:00436071 83C404 add esp, 00000004
:00436074 C3 ret
So let's force the conditional jump at 00436021 by changing the Jump Equal (je) into an unconditional jump (jmp). Here are the changes to make (note that the replacement bytes also overwrite the five-byte call at 00436015 with NOPs):
- 1) Edit PANDY.EXE (standard version) at offset 189,925
- 2) Search for
E8 F6 3B 01 00 A1 D4 2B 59 00 85 C0 74 1D
and replace with
90 90 90 90 90 A1 D4 2B 59 00 85 C0 EB 1D
- 3) Edit PANDY3.EXE (3Dfx version) at offset 218,133
- 4) Search for
E8 46 1C FF FF A1 64 E0 59 00 85 C0 74 1D
and replace with
90 90 90 90 90 A1 64 E0 59 00 85 C0 EB 1D
And yes, you have just cracked Pandemonium.
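As an added illustration (not part of the original tutorial), the small Python decoder below handles only the x86 encodings that occur in the byte sequences above (call rel32, je/jne/jmp rel8, mov eax,[moffs32], test eax,eax, nop) and recomputes each branch target from its encoded displacement, so the original and replacement sequences for PANDY3.EXE can be checked against the listing. It assumes the sequence starts at virtual address 00436015, as the listing shows.

```python
# Added example, not the tutorial author's code: decode the few x86 encodings
# used in the Pandemonium listing and recompute call/jump targets.
import struct

def decode(code: bytes, va: int):
    """Decode `code` loaded at virtual address `va`; return [(address, text)]."""
    out = []
    i = 0
    while i < len(code):
        op, start = code[i], va + i
        if op == 0xE8:                                   # call rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            i += 5                                       # target = next insn + rel
            out.append((start, f"call {va + i + rel:08X}"))
        elif op in (0x74, 0x75, 0xEB):                   # je / jne / jmp rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            i += 2
            mnem = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}[op]
            out.append((start, f"{mnem} {va + i + rel:08X}"))
        elif op == 0xA1:                                 # mov eax, dword ptr [moffs32]
            addr = struct.unpack_from("<I", code, i + 1)[0]
            i += 5
            out.append((start, f"mov eax, dword ptr [{addr:08X}]"))
        elif op == 0x85 and code[i + 1] == 0xC0:         # test eax, eax
            i += 2
            out.append((start, "test eax, eax"))
        elif op == 0x90:                                 # nop
            i += 1
            out.append((start, "nop"))
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {start:08X}")
    return out

# Byte sequences taken from the PANDY3.EXE steps above; BASE is the listed VA.
ORIGINAL = bytes.fromhex("E8461CFFFFA164E0590085C0741D")
PATCHED = bytes.fromhex("9090909090A164E0590085C0EB1D")
BASE = 0x00436015

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("patched", PATCHED)):
        print(label)
        for addr, text in decode(blob, BASE):
            print(f"  {addr:08X}  {text}")
```

The original sequence decodes to the call to 00427C60 followed by the je to 00436040 exactly as in the listing; the patched one decodes to five nops and a jmp to the same target.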