
Free Information Xchange '98 presents:

Claw (aka Captain Claw) - CD crack by Static Vengeance


Requirements:
Hex editor and full game install
W32Dasm if you wish to follow along
Time for another tutorial on CD check cracking. The game I chose to use as an example is Claw
from Monolith Productions. Claw is a great side-scroller type of game. Claw has great graphics and sound
and is very playable except for a minor BUG in the program. The bug I am speaking of is the CD check
during the game. So I set out to disable the CD check so I could play the game right from the hard
drive without putting in the CD.
I got W32Dasm (from URSoft) up and running and disassembled Claw.exe to crack it. Once W32Dasm
had finished its work I went up to the menu bar and selected "Refs" and then I selected "String data
references" from the drop-down menu. From there, you just grab the slider bar and scroll down the
pop-up box and start checking for strings like "Insert...", "Please insert..." or some direct reference
to the CD or to a file from the game. In this case I came across "%c:\CLAW\CLAW.EXE"; double-clicking on that
put me right in the middle of the following (W32Dasm prints address, opcode bytes and mnemonic; the
notes after the semicolons are mine):
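* Referenced by a CALL at Addresses:
|:00422539 , :004225C0 , :004225D4
|
; Second-level caller of the CD check; called from three other locations.
; Reduces the primary routine's result (al = drive letter, or 0 on failure) to a boolean in eax:
;   eax = 1 if the CD was found, 0 if not.
:00422660 E80B000000      call 00422670                      ; Call the primary CD check routine
:00422665 33C9            xor ecx, ecx                       ; ZERO out ecx
:00422667 84C0            test al, al                        ; Test al for zero or non-zero value
:00422669 0F95C1          setne cl                           ; If non-zero then set cl to 01
:0042266C 8BC1            mov eax, ecx                       ; Put final value back into eax
:0042266E C3              ret                                ; Return to caller
:0042266F 90              nop                                ; Padding up to the next routine at 00422670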

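* Referenced by a CALL at Addresses:
|:00422660 , :0042D195
|
; Primary level of the CD check; called from above and one other location.
; Result in al: the drive letter found (non-zero), or 0 when no suitable drive exists.
; If the cached byte at 00546480 is already non-zero it is returned immediately (see 00422697).
; ebx/esi/edi are pushed below and restored in the common epilogue at 004227C9;
; eax/ecx/edx are clobbered. bl doubles as the drive-letter counter inside the routine.
:00422670 64A100000000    mov eax, dword ptr fs:[00000000]   ; eax = current fs:[0] (exception chain head)
:00422676 6AFF            push FFFFFFFF                      ; MSVC-style exception registration: state = -1
:00422678 687B055100      push 0051057B                      ;   handler address
:0042267D 50              push eax                           ;   previous fs:[0] (restored at 004227D2)
:0042267E A080645400      mov al, byte ptr [00546480]        ; Cached result byte, written at 004227E8 with the found drive letter
:00422683 64892500000000  mov dword ptr fs:[00000000], esp   ; Link the new exception frame in
:0042268A 81EC60040000    sub esp, 00000460                  ; 0x460 bytes of locals: helper object, path buffers, value buffer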
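:00422690 53              push ebx                           ; Save callee-saved registers
:00422691 33DB            xor ebx, ebx                       ; ebx = 0; bl is later used as the counter for the drive letters tried
:00422693 56              push esi
:00422694 3AC3            cmp al, bl                         ; Is the cached byte (loaded at 0042267E) still zero?
:00422696 57              push edi
:00422697 0F852C010000    jne 004227C9                       ; Non-zero: skip the whole check, return the cached value in al
:0042269D 899C2450010000  mov dword ptr [esp+00000150], ebx  ; Zero the first dword of the local helper object (same slot ecx points at in 004226BA)
:004226A4 53              push ebx                           ; arg: 0
:004226A5 6802000080      push 80000002                      ; arg: 80000002 = HKEY_LOCAL_MACHINE
:004226AA 53              push ebx                           ; arg: 0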

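* Possible StringData Ref from Data Obj ->"1.0"
|
:004226AB 68385F5300      push 00535F38                      ; arg: "1.0"
* Possible StringData Ref from Data Obj ->"Claw"
|
:004226B0 68D45E5300      push 00535ED4                      ; arg: "Claw"
* Possible StringData Ref from Data Obj ->"Monolith Productions"
|
:004226B5 68205F5300      push 00535F20                      ; arg: "Monolith Productions"
:004226BA 8D8C2468010000  lea ecx, dword ptr [esp+00000168]  ; ecx = local helper object (the slot zeroed at 0042269D)
:004226C1 899C248C040000  mov dword ptr [esp+0000048C], ebx  ; Exception-frame state = 0 (object is now live; set back to -1 before 004BDC40)
:004226C8 E853B40900      call 004BDB20                      ; Presumably opens HKLM\...\Monolith Productions\Claw\1.0 - no caller cleanup, so the callee pops the six args
* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
|
; How many times have we seen this call in CD check routines?
:004226CD 8B3D0C825100    mov edi, dword ptr [0051820C]      ; edi = GetDriveTypeA (import slot), used via "call edi" below
:004226D3 85C0            test eax, eax
:004226D5 0F8480000000    je 0042275B                        ; Returned 0: skip the stored-letter path, scan drives A..Z instead
:004226DB 8D44240C        lea eax, dword ptr [esp+0C]        ; &dword local, set to 0x1E at 004226F2 (buffer length - TODO confirm)
:004226DF 53              push ebx                           ; arg: 0
:004226E0 8D4C2414        lea ecx, dword ptr [esp+14]        ; &byte buffer that receives the value (read back at 00422707)
:004226E4 50              push eax
:004226E5 51              push ecx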

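* Possible StringData Ref from Data Obj ->"CdRom Drive"
|
:004226E6 68145F5300      push 00535F14                      ; arg: "CdRom Drive" (value name)
:004226EB 8D8C2460010000  lea ecx, dword ptr [esp+00000160]  ; ecx = the same helper object as at 004226BA
:004226F2 C744241C1E000000 mov [esp+1C], 0000001E            ; length dword = 0x1E (30)
:004226FA 885C2420        mov byte ptr [esp+20], bl          ; buffer[0] = 0
:004226FE E85DB60900      call 004BDD60                      ; Presumably reads the "CdRom Drive" value into the buffer (callee cleans)
:00422703 85C0            test eax, eax
:00422705 7454            je 0042275B                        ; Nothing stored: scan drives A..Z
:00422707 8A442410        mov al, byte ptr [esp+10]          ; First char of the stored value = candidate drive letter
:0042270B 3C14            cmp al, 14
:0042270D 7E4C            jle 0042275B                       ; Values <= 0x14 are not treated as a drive letter: scan A..Z
:0042270F 0FBEF0          movsx esi, al                      ; esi = drive letter as an int (for the %c argument)
:00422712 56              push esi
:00422713 8D542434        lea edx, dword ptr [esp+34]        ; &root-path buffer
* Possible StringData Ref from Data Obj ->"%c:\"
|
; Another common Ref string to check for
:00422717 680C5F5300      push 00535F0C                      ; "%c:\"
:0042271C 52              push edx
:0042271D 8AD8            mov bl, al                         ; bl = drive letter (stored to 00546480 on success at 004227E8)
:0042271F E82C8C0800      call 004AB350                      ; sprintf-like(buf, "%c:\", letter): cdecl, 3 args
:00422724 83C40C          add esp, 0000000C
:00422727 8D442430        lea eax, dword ptr [esp+30]        ; &"X:\"
:0042272B 50              push eax
:0042272C FFD7            call edi                           ; GetDriveTypeA("X:\")
:0042272E 83F805          cmp eax, 00000005                  ; 5 = DRIVE_CDROM
:00422731 7528            jne 0042275B                       ; Stored letter is not a CD-ROM drive: scan A..Z
:00422733 56              push esi
:00422734 8D4C2454        lea ecx, dword ptr [esp+54]        ; &full-path buffer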

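* Possible StringData Ref from Data Obj ->"%c:\CLAW\CLAW.EXE"
|
; The string that got us here
:00422738 683C5F5300      push 00535F3C                      ; "%c:\CLAW\CLAW.EXE"
:0042273D 51              push ecx
:0042273E E80D8C0800      call 004AB350                      ; sprintf-like(buf, "%c:\CLAW\CLAW.EXE", letter)
:00422743 83C40C          add esp, 0000000C
:00422746 8D542450        lea edx, dword ptr [esp+50]        ; &"X:\CLAW\CLAW.EXE"
:0042274A 52              push edx
:0042274B E850150800      call 004A3CA0                      ; Presumably a file-existence/open test on that path (cdecl, 1 arg)
:00422750 83C404          add esp, 00000004
:00422753 85C0            test eax, eax
:00422755 0F8586000000    jne 004227E1                       ; Non-zero = file found: success path (cache the letter, return it in al)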

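* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004226D5(C), :00422705(C), :0042270D(C), :00422731(C)
|
; Fallback: try every drive letter. Any drive that GetDriveTypeA reports as DRIVE_CDROM
; and that holds \CLAW\CLAW.EXE satisfies the check.
:0042275B B341            mov bl, 41                         ; bl = 'A'
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004227AE(C)
|
; Loop top: one iteration per drive letter in bl
:0042275D 0FBEF3          movsx esi, bl
:00422760 56              push esi
:00422761 8D842470030000  lea eax, dword ptr [esp+00000370]  ; &root-path buffer (a different one than the stored-letter path uses)
* Possible StringData Ref from Data Obj ->"%c:\"
|
:00422768 680C5F5300      push 00535F0C                      ; "%c:\"
:0042276D 50              push eax
:0042276E E8DD8B0800      call 004AB350                      ; sprintf-like(buf, "%c:\", bl)
:00422773 83C40C          add esp, 0000000C
:00422776 8D8C246C030000  lea ecx, dword ptr [esp+0000036C]  ; &"X:\"
:0042277D 51              push ecx
:0042277E FFD7            call edi                           ; GetDriveTypeA("X:\")
:00422780 83F805          cmp eax, 00000005                  ; 5 = DRIVE_CDROM
:00422783 7524            jne 004227A9                       ; Not a CD-ROM drive: next letter
:00422785 56              push esi
:00422786 8D542454        lea edx, dword ptr [esp+54]        ; &full-path buffer
* Possible StringData Ref from Data Obj ->"%c:\CLAW\CLAW.EXE" ; The "give away" string
|
:0042278A 683C5F5300      push 00535F3C
:0042278F 52              push edx
:00422790 E8BB8B0800      call 004AB350                      ; sprintf-like(buf, "%c:\CLAW\CLAW.EXE", bl)
:00422795 83C40C          add esp, 0000000C
:00422798 8D442450        lea eax, dword ptr [esp+50]        ; &"X:\CLAW\CLAW.EXE"
:0042279C 50              push eax
:0042279D E8FE140800      call 004A3CA0                      ; Same existence test as at 0042274B
:004227A2 83C404          add esp, 00000004
:004227A5 85C0            test eax, eax
:004227A7 7538            jne 004227E1                       ; Found: success path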

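* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422783(C)
|
:004227A9 FEC3            inc bl                             ; Increase counter: next drive letter
:004227AB 80FB5A          cmp bl, 5A                         ; Check against the last letter to try ('Z')
:004227AE 7EAD            jle 0042275D                       ; If not past 'Z' then keep trying
; Fell out of the loop: no CD-ROM drive containing \CLAW\CLAW.EXE was found
:004227B0 8D8C2450010000  lea ecx, dword ptr [esp+00000150]  ; ecx = the helper object set up at 004226C8
:004227B7 C7842474040000FFFFFFFF mov dword ptr [esp+00000474], FFFFFFFF ; Exception-frame state back to -1 (object going away)
:004227C2 E879B40900      call 004BDC40                      ; Presumably the object's destructor/close
:004227C7 32C0            xor al, al                         ; Zero in al means CD check failed
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422697(C), :00422800(U)
|
; Common epilogue: al carries the result (0 = failed, drive letter = found, or the cached byte on the early exit)
:004227C9 8B8C246C040000  mov ecx, dword ptr [esp+0000046C]  ; Previous fs:[0] saved at 0042267D
:004227D0 5F              pop edi
:004227D1 5E              pop esi
:004227D2 64890D00000000  mov dword ptr fs:[00000000], ecx   ; Unlink the exception frame
:004227D9 5B              pop ebx                            ; Restores the caller's ebx - the drive letter is NOT returned in bl
:004227DA 81C46C040000    add esp, 0000046C                  ; Drop the 0x460 bytes of locals plus the three exception-frame dwords
:004227E0 C3              ret                                ; Finally return
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422755(C), :004227A7(C)
|
; Success path
:004227E1 8D8C2450010000  lea ecx, dword ptr [esp+00000150]  ; ecx = the helper object
:004227E8 881D80645400    mov byte ptr [00546480], bl        ; Cache the drive letter; 0042267E/00422697 short-circuit on it from now on
:004227EE C7842474040000FFFFFFFF mov dword ptr [esp+00000474], FFFFFFFF ; Exception-frame state = -1
:004227F9 E842B40900      call 004BDC40                      ; Same cleanup as on the failure path
:004227FE 8AC3            mov al, bl                         ; How al gets a value other than ZERO: the drive letter
:00422800 EBC7            jmp 004227C9                       ; Jump up to the quit-to-caller section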

Well, from the above code you can see that the important thing is that al is non-zero on the return
from the primary CD check (the second-level routine at 00422660 turns any non-zero al into a return value
of 01). After further digging around from the call made from 42D195, bl should also have a value of 41.
So I overwrote each call to the primary CD check routine with code that produces the expected result
directly. At 00422660 that means loading al with 01 and bl with 41; this requires 4 bytes and the call
takes up 5 bytes, so I used one NOP as a filler. At 42D195 the call is replaced by `mov eax, 1`
(B8 01 00 00 00), which is exactly 5 bytes. For the record, what the unpatched check does is look for a
drive that GetDriveTypeA reports as DRIVE_CDROM (5) and that contains \CLAW\CLAW.EXE - first trying the
letter apparently stored under HKEY_LOCAL_MACHINE (80000002) in "Monolith Productions\Claw\1.0" as
"CdRom Drive", then scanning A..Z - and it caches the letter it finds in the byte at 00546480, so the
scan only runs once per process. The actual edits required to crack Claw v1.20 are as follows:
Edit Claw.exe v1.2
============================================
Search for: E8 0B 00 00 00 at offset 137,824
Change to : B3 41 C3 01 90
(Check these bytes before writing them: as printed, C3 is `ret`, which would return from 00422660
without ever setting al. `mov bl, 41` is B3 41 and `mov al, 01` is B0 01, so the 4-byte-plus-NOP
sequence described above is presumably B3 41 B0 01 90 - verify against your own disassembly. Back up
the original Claw.exe first, and only patch when the bytes at the stated offset match the "Search for"
pattern; the offsets differ between versions.)
Search for: E8 D6 54 FF FF at offset 181,653
Change to : B8 01 00 00 00
Edit Claw.exe v1.3 Beta
============================================
Search for: E8 0B 00 00 00 at offset 137,616
Change to : B3 41 C3 01 90   (same caveat as for v1.2)
Search for: E8 B6 53 FF FF at offset 181,733
Change to : B8 01 00 00 00
That's it for Captain Claw, because this game has been FiX'ed
Static Vengeance
