Game hack secrets
how to stop lamers from hex-editing your cracks
by Jon
5 January 1997

please reformat using formamus.htm
(please refer to rules.htm for an explanation)


(Sorry about this, Jon, I'm "overworked"... but I corrected both links you asked me to)


GameHack 1.0 -- Cracked by Jon, January 4, 1998!



Hi, and a happy (and crack-filled) new-year everybody!



In this essay I'll describe how I cracked GameHack 1.0. GameHack is an

utility that runs

in the background of a game, and it's activated by a hot-key. GameHack

is sort of a 

"debugger for games" in other words: A trainer. It allows you to enter a

value (like number

of lives, energy, etc.), go back to the game, then go back to the

trainer and enter the new

value, which will make the list of possible addresses smaller. This

process is VERY simple, 

and allows you to gain total control over your games, another way to put

this: Cheat! 

As always, the greedy shareware programmer has crippled this program in

the following ways: 



1. You're not able to save the cheats to a file, for later usage. 

2. You're not able to enter addresses and values (the cheats) manually. 

3. And finally it has a NAG text.



Well, let's go!





What you'll need:



GameHack itself -- Fetch it from http://www.gamehack.com/ in order to

follow this essay!

W32Dasm 8.9     -- My favorite tool (because it's so much more faster

than IDA).

A Hex-editor    -- To apply the patch on the EXE.

BRW             -- To check out the dialogs inside the EXE.

Tasm/Tlink      -- To compile the patch included later in this essay.





The Crack.



Start by making a copy of the executable, gamehack.exe --> backup.exe.

Now load backup.exe inside W32Dasm. While W32Dasm disassembles, open the

help file

in Netscape (to search for hints). At the first picture, you should see

that the NAG

text title-bar has been replaced by a name -- the pictures are from a

regged version!

This could mean that you're able to register it with a name/serial, but

you can't.

Anyway, open gamehack.exe inside BRW. Besides noticing that all the

dialogs have a

Spanish version, we discover a Register dialog at number 151! But

there's no way to

start it from the program. Maybe the programmer did as Nico Mak did with

the early 

versions of WinZip -- made the dialog a secret, with a special hot-key

to activate it.

I sure don't know (and I don't really care, because we don't need that

dialog :-))

Anyway, W32Dasm should be done by now... Go to string reference,

double-click

" - UNREGISTERED copy" *TWICE* (the first is not interesting). You

should see this:



* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:

|:00405FB5(C), :00405FBC(C)                                             

;Where it's referenced from.

|

:00406021 8DBE88000000            lea edi, dword ptr [esi+00000088]



* Possible Reference to Dialog: DialogID_0088 

                                  |



* Possible Reference to String Resource ID=00136: " - UNREGISTERED copy"

;The NAG text we wish to avoid.

                                  |

:00406027 6888000000              push 00000088

:0040602C 8BCF                    mov ecx, edi



Let's take a look from where it was referenced from:



* Reference To: MSVCRT._stricmp, Ord:01BEh

                                  |

:00405F93 FF1554D94000            Call dword ptr [0040D954]

:00405F99 8944241C                mov dword ptr [esp+1C], eax

:00405F9D 83C408                  add esp, 00000008

:00405FA0 DB442414                fild dword ptr [esp+14]

:00405FA4 D825109B4000            fsub dword ptr [00409B10]

:00405FAA D81D149B4000            fcomp dword ptr [00409B14]

:00405FB0 DFE0                    fstsw ax

:00405FB2 F6C440                  test ah, 40                           

;First check.

:00405FB5 746A                    je 00406021                           

;If equal jmp to bad_guy.

:00405FB7 8B17                    mov edx, dword ptr [edi]

:00405FB9 395AF8                  cmp dword ptr [edx-08], ebx           

;Second check.

:00405FBC 7463                    je 00406021                           

;If equal jmp to bad_guy.

:00405FBE 57                      push edi

:00405FBF 8D442418                lea eax, dword ptr [esp+18]



* Possible StringData Ref from Data Obj ->" - "                         

;This is what we want the title-bar to say.

                                  |

:00405FC3 687CC24000              push 0040C27C

:00405FC8 50                      push eax



Now, we patch the target:

at 53B5h change: 746A --> 4048 (inc eax, dec eax -- like nops)

at 53BCh change: 7463 --> 4048 (inc eax, dec eax -- like nops)



This will force the target to always display " - " instead of " -

UNREGISTERED copy".

I myself though that more patching would be necessary, but it isn't.

This is because

the code below :00405FC8 unlocks the crippled functions. (and we have

just made sure that 

it always does that).





Here's the source code for the patcher:









.Model   Small

.Code

Org      100h



Crack Proc

 Start:

  Mov    Dx,OffSet Intro

  Call   Print

  Mov    Dx,OffSet FileName

  Call   OpenFile

  Call   FindError

  Mov    Cx,0

  Mov    Dx,53B5h

  Call   FileSeek

  Call   FindError

  Mov    Si,OffSet Chg1.1

  Call   CheckByte

  Mov    Cx,0

  Mov    Dx,53B5h

  Call   FileSeek

  Call   FindError

  Mov    Cx,1

  Mov    Dx,OffSet Chg1.0

  Call   FileWrite

  Call   FindError

  Mov    Cx,0

  Mov    Dx,53B6h

  Call   FileSeek

  Call   FindError

  Mov    Si,OffSet Chg2.1

  Call   CheckByte

  Mov    Cx,0

  Mov    Dx,53B6h

  Call   FileSeek

  Call   FindError

  Mov    Cx,1

  Mov    Dx,OffSet Chg2.0

  Call   FileWrite

  Call   FindError

  Mov    Cx,0

  Mov    Dx,53BCh

  Call   FileSeek

  Call   FindError

  Mov    Si,OffSet Chg3.1

  Call   CheckByte

  Mov    Cx,0

  Mov    Dx,53BCh

  Call   FileSeek

  Call   FindError

  Mov    Cx,1

  Mov    Dx,OffSet Chg3.0

  Call   FileWrite

  Call   FindError

  Mov    Cx,0

  Mov    Dx,53BDh

  Call   FileSeek

  Call   FindError

  Mov    Si,OffSet Chg4.1

  Call   CheckByte

  Mov    Cx,0

  Mov    Dx,53BDh

  Call   FileSeek

  Call   FindError

  Mov    Cx,1

  Mov    Dx,OffSet Chg4.0

  Call   FileWrite

  Call   FindError

  Call   CloseFile

  Call   FindError

  Mov    Dx,OffSet CrackOK

  Call   Print

  Call   Quit



  CrackOK  Db 'The crack was Successfull!',13,10,'$'

  FHand  Dw 0

  FileName  Db 'GAMEHACK.EXE',0

  Chg1   Db 40h,74h

  Chg2   Db 48h,6Ah

  Chg3   Db 40h,74h

  Chg4   Db 48h,63h

  Buffer Db 1 Dup(1)

  Intro  Db 13,10,'GameHack 1.0 -- Cracked by Jon, January 4, 1998!'

         Db 13,10,'Patching: GAMEHACK.EXE',13,10,13,10,'$'

         Db 'Happy Cheating! Enjoy :-)$'

Crack EndP



Quit Proc

  Mov    Ax,4C00h

  Int    21h

Quit EndP



Print Proc

  Mov    Ah,9

  Int    21h

  Ret

Print EndP



OpenFile Proc

  Mov    Ax,3D02h

  Int    21h

  Jnc    Open

  Xor    Ax,Ax

  Stc

 Open:

  XChg   Ax,Bx

  Mov    FHand,Bx

  Ret

OpenFile EndP



FileSeek Proc

  Mov    Ax,4200h

  Int    21h

  Jnc    Seek

  Mov    Ax,4

  Stc

 Seek:

  Ret

FileSeek EndP



FileRead Proc

  Mov    Ah,3Fh

  Int    21h

  Jnc    Read

  Mov    Ax,2

  Stc

 Read:

  Ret

FileRead EndP



FileWrite Proc

  Mov    Ah,40h

  Int    21h

  Jnc    Write

  Mov    Ax,3

  Stc

 Write:

  Ret

FileWrite EndP



CloseFile Proc

  Mov    Bx,FHand

  Mov    Ah,3Eh

  Int    21h

  Jnc    Close

  Mov    Ax,1

  Stc

 Close:

  Ret

CloseFile EndP



FindError Proc

  Jnc    Exit

  Cmp    Al,0

  Jne    Er1

  Mov    Dx,OffSet FnFErr

  Call   Print

  Jmp    Quit2

 Er1:

  Cmp    Al,1

  Jne    Er2

  Mov    Dx,OffSet FcErr

  Call   Print

  Jmp    Quit2

 Er2:

  Cmp    Al,2

  Jne    Er3

  Call   CloseFile

  Mov    Dx,OffSet FrErr

  Call   Print

  Jmp    Quit2

 Er3:

  Cmp    Al,3

  Jne    Er4

  Call   CloseFile

  Mov    Dx,OffSet FwErr

  Call   Print

  Jmp    Quit2

 Er4:

  Cmp    Al,4

  Jne    Er5

  Call   CloseFile

  Mov    Dx,OffSet FsErr

  Call   Print

  Jmp    Quit2

 Er5:

  Cmp    Al,5

  Jne    Quit2

  Call   CloseFile

  Mov    Dx,OffSet SneErr

  Call   Print

  Jmp    Quit2

 Exit:

  Ret

 Quit2:

  Int    20h



  SneErr Db 'Wrong version (or file already patched)!',13,10,'$'

  FnFErr Db 'File not found!',13,10,'$'

  FcErr  Db 'File close error!',13,10,'$'

  FrErr  Db 'File read error!',13,10,'$'

  FwErr  Db 'File write error!',13,10,'$'

  FsErr  Db 'File seek error!',13,10,'$'

FindError EndP



CompareString Proc

  Push   Bx

  Xor    Bx,Bx

 Cmp1:

  LodSb

  Cmp    Es:[Di],Al

  Jnz    CmpEr

  Inc    Di

  Inc    Bx

  Cmp    Cx,Bx

  Jz     CmpOk

  Jmp    Cmp1

 CmpOk:

  Clc

  Jmp    CmpEx

 CmpEr:

  Mov    Ax,5

  Stc

 CmpEx:

  Pop    Bx

  Ret

CompareString EndP



CheckByte Proc

  Mov    Cx,1

  Mov    Dx,OffSet Buffer

  Call   FileRead

  Call   FindError

  Mov    Di,OffSet Buffer

  Mov    Cx,1

  Call   CompareString

  Call   FindError

  Ret

CheckByte EndP



End Start







This should be compiled with:

tasm crack.asm

tlink /t crack.asm



BTW, if you don't want lamers to hex-edit your cracks (I hate that!),

take the following steps:

1. Encrypt your crack.com about 5-10 times with a com-cryptor.

2. Convert the encrypted com-file to a exe with a convert utility.

3. Use an exe-protector to protect crack.exe



This should make it difficult for the stupid hex'ers!



Enjoy this app! Happy cheating! :-)



Greetings to:

+ORC, The +HCU, all +crackers, and everybody reading this!



Jon



---------------------------------------------------------------------