Introduction
Hello all, I know there is already a tutor on Midtown MadNess by Black Check,
but the way to crack it is not the same that he has chosen, and I will explain
more things than he did about pasting our new dumped sections in cracked EXE :)
I also assume you read his tut, and you know some things about the PE file format ...
Tools required
- Midtown Madness Orginal CD (a 1:1 copy and the Laxity crack should do it too)
- SoftICE 3.23
- SoftICE Tool to patch SoftICE (used to dump sections)
- ProcDump 1.5 (for PE Editor)
- HexWorkshop
- Frogsice (to hide SoftICE)
- Exescope
After installing your little game, PE edit the ".ICD" files with ProcDump.
(Start ProcDump, click on PE Editor, Browse to your ".ICE" file, there it is
MIDTOWN.ICE). Now, you must see:
- Entry Point : 00166C10
- Image Base : 00400000
Ok, we will need the OEP (Original Entry Point) later, so to calculate it just add
the Image Base and the Entry Point you get in ProcDump: 00400000 + 00166C10 = 566C10
Now, click on the "sections" Button, to see all sections of the file:
You will only need to have the Virtual Offset, Raw Size and Raw Offset values!
- for the ".text" section :
Virtual Offset: 00001000
Raw Size: 18D78F
Raw Offset: 600
- for the ".Rdata" section :
Virtual Offset: 0018F000
Raw Size: 14C99
Raw Offset: 18DE00
- for the ".data" section :
Virtual Offset: 001A4000
Raw Size: 3D8A4
Raw Offset: 1A2C00
- for the ".data1" section :
Virtual Offset: 00314000
Raw Size: 20
Raw Offset: 1E0600
- for the ".rsrc" section :
Virtual Offset: 00315000
Raw Size: CB3
Raw Offset: 1E0800
Now we will dump all the sections of the ".ICD" file, except the ".Rdata" (you will
later know why ....). BTW, you need to add the Image Base to the virtual Offset of
all sections:
.text : 400000 + 00001000 = 00401000
.rdata : 400000 + 0018F000 = 0058F000
.data : 400000 + 001A4000 = 005A4000
.data1 : 400000 + 00314000 = 00714000
.rsrc : 400000 + 00315000 = 00715000
Ok, now we're gonna dump all this sections (except the .rdata). For this, we will need
to set a breakpoint on the EOP (566C10 for us). Btw, I assume you read the Black Check
tutor, and you patched your FrogsICE to hide your SoftICE (TORN@DO's note: or use latest
FrogsICE), else go and read the nice tut before ...
Start your (patched) FrogsICE, and run your original game. You will see a little video, at this
time, switch to SoftICE (Ctrl+D), and set a BPX on the OEP. BPX 56CC10 for this game!
Press F5 to let the game continue running and close it after. Now, run it, and it normally
breaks on 56CC10. If it doesn't, look if you set the BPX to the good place
(bl: you must get something like this: #025F:56CC10). I assume it breaked, now you can
dump all the sections. Before dumping however, disable all your BPX, since we don't want shit
in our dumped sections ...
The pagein command works like this:
pagein "address to dump start" "size" "file name"
So, just type the following in SoftICE:
pagein 401000 18D78F c:\text.bin
pagein 5A4000 3D8A4 c:\data.bin
pagein 714000 20 c:\data1.bin
pagein 715000 CB3 c:\rsrc.bin
Ok, this dumped the sections to our hard disk! Now, we have to do the "nice" part, which
is of course dumping our rdata sections, but it is not like the others!
First of all, you have to get the real address of the fuction, so we will trace into the CALL to
our rdata section.
After breaking, we land here:
00566C10 PUSH EBP <-- we break here, on entry point
00566C11 MOV EBP,ESP
00566C13 PUSH FF
00566C15 PUSH 005968D0
00566C1A PUSH 00566724
00566C1F MOV EAX,FS:[00000000]
00566C25 PUSH EAX
00566C26 MOV FS:[00000000],ESP
00566C2D ADD ESP, -5C
00566C30 PUSH EBX
00566C31 PUSH ESI
00566C32 PUSH EDI
00566C33 MOV [EBP-18],ESP
00566C36 CALL [0058F14C] <-- this is the call in our rdata section,
trace it (F8)
In this CALL, we land here:
009A6485 pushad
009A6486 push 00000031
009A6488 push 00000000 ---> it's 0 for kernels and 1 for users ...
009A6490 call [9A64A6] ---> get the real address of the function
(9A64A6)
009A6496 add esp, 8
009A6499 popad
....... jmp [XXXXXXXX]
Trace this code, and you see the jmp [XXXXXXXX] becoming jmp [KERNEL32!GetVersion] ...
Ok, it's good, you are on the good way ;). We're near done about starting to code the CALL
fixer!
Anyway, we need to know how many Kernels and users imports there is in this game!
To do this, there are severals way, you can dissassemble the ".icd" with W32DASM
and count them, you can trace in SoftICE too, or use the tool (like I did) EXESCOPE
to see how many imports it has ...
In my midtown.icd, I have:
- 127 kernels import
- 042 users import
Ok, but we need to have this number in hexadecimal, because SoftICE uses only hexa value =)
127 = 7Fh
42 = 2Ah
My favourite parts starts now: Coding the CALL fixer. First of all, we don't have write
access (read only access) to the Rdata section, so we will move the rdata section
to the data section place ...
For coding the CALL fixer, I start to code at EOP place, so enable your BPX on it and
run the game again. Wait until we break ... now we have to move the rdata section in data
section place in memory.
To do this, just type:
m "virtual offset of data section + image base" l "rdata size"M "data virtual offset"
NOTE: For the data virtual offset, use a greater number, it's better ...
5A4000 is our normal virtual offset, I've used 5B0000 (greater like i said)
So just type this:
m 58F000 l 14C99 5B0000
Ok, now it's time for coding. You are at the line:
566C10 PUSH EBP
We will code something looking like this:
00 pushad
01 push ebx
02 push 0
04 call [XXXXXXXX]
0A add esp,8
0D mov edx, XXXXXX
12 cmp eax,[edx]
14 je 20
16 inc edx
17 cmp edx, XXXXXX + XXXXX
1D jne 12
1F int 03
20 mov [edx],ecx
22 popad
23 inc ebx
24 cmp ebx, XX
2A jne 00
2C int 03
Type in SoftICE: A <enter>
And code:
566C10 pushad
566C11 push ebx
566C12 push 0
566C14 call [009A64A6] <-- real address , we found this when we
566C1A add esp,8 <-- traced in the call
566C1D mov edx, 5B0000 <-- address where we copied our .rdata
566C22 cmp eax,[edx] <-- section in
566C24 je 566C40
566C26 inc edx
566C27 cmp edx, 5B0000 + 14C99 <-- adress where we copied our
566C3D jne 566C22 <-- .rdata in + rdata size
566C3F int 03 <-- safty, if it found no match, break here.
566C40 mov [edx],ecx
566C42 popad
566C43 inc ebx
566C44 cmp ebx, 7F <-- number of api to fix
566C4A jne 566C10
566C4C int 03
Now set EBX to 0 (R ebx 0) , set your EIP to line 0 (line 0 = 566C10 here , so R EIP 566C10) type
"i3here on" and press F5 to run it. Normaly you should break at 566C4C ... Now set EBX back to 0,
change line 02 (56CC12 here) to "push 1" and change line 24 to 'cmp ebx, user_import_number'
(2A for us) and set EIP back line 0 (R EIP 566C10). Run it again. Normaly, all is ok now, it should break at 566C4C again.
Now, we can dump our rdata section safely:
pagein 5B0000 14C99 c:\rdata.bin
We've just to rebuild a working executable file. I tried ProcDump to import sections, but this bitch didn't change anything
(TORN@DO's note: check new ProcDump ... Lucifer48 did something great), so I've imported my sections manually.
I'll show you all how I've done it ;)
First of all, make a copy of the ".icd" file, for us: MIDTOWN.ICD, and rename it with the name you want, but with
".EXE" extension. E. g. damnit.exe
Now, start HexWorkshop, open the EXE, and open the 1st section we've dumped ... it was : c:\text.bin
It is now, you need the Raw offset of each section, I've written down in the first part of the tut. I'll recall them
here, to help you understanding this crap :p
for the ".text" section: Raw Offset: 600 Size : 18D78F
for the ".Rdata" section: Raw Offset: 18DE00 Size: 14C99
for the ".data" section: Raw Offset: 1A2C00 Size: 3D8A4
for the ".data1" section: Raw Offset: 1E0600 Size: 20
for the ".rsrc" section: Raw Offset: 1E0800 Size: CB3
Ok , you got all shits here! We want to do the 1st section ".text" so:
In HexWorkshop, press Alt + F5, enter the Raw offset of the section you want to paste (here: 600), and click on OK.
Now select the edit menu, and click on "Select block" enter the size of the section (here: 18D78F).
Now look at the other opened file (text.bin), and press 'Ctrl + A' to select all. Go back to the main executable window in
HexWorkshop and paste the bytes you've just copied into the clipboard with 'Ctrl + V' (or edit menu , and paste).
Save your file! GOOD ... you've just updated the '.text' section with our dumped section ;)
OK, I do another section import with you, and you will do the others using the same way!
2nd section : Rdata!
You can close the window 'text.bin', and open with HexWorkshop the file 'rdata.bin'. Click on
the main exe window, press 'Alt + F5', enter the size of the Raw Offset of the rdata section
(18DE00). Click on OK, select from the Edit Menu "Select block", enter the
rdata size section (14C99). Look the window of rdata.bin, press 'Ctrl + A' to select
all bytes, and go back to the main executable (damnit.exe) window in HexWorkshop.
Now just copy & paste them with 'Ctrl + C'.
Ok, I think you've understood that now now. Just do the same with all sections and then
save your executable. Now you may unload FrogsICE, because the anti-SoftICE is no longer
in our rebuilded exe. Remove the original cd of midtown madness, and run 'damnit.exe' or
'whateverunameit.exe'.
WOW, the game run - very quickly - without this lame window, telling us to wait during the
CD Verification ... and voila the game is runing very well =)
But to make a perfect executable, you've to rebuild the file's PE like it is mentioned
in Black Checks tutorial:
If you try to run it on another Windows 9x Version. It will crash. It would only run on
Win98, because the rdata section contained the address's of all the functions from win98
(can be only on win95 if you cracked it on win95). The addresses we put in the import
table are only valid for the Windows version we cracked it on. Let's fix that:
- Start Procdump (very good job G-RoM :)
go to Options and select:
[v] Recompute Object Size
[v] Optmize PE Structure
[X] Use actual import infos
Then click on the OK button ...
Now we've to rebuild the file, click on Rebuild PE and browse to your cracked file
(damnit.exe). Procdump produces for us a valid import table and our executable
is now fixed - and perfect!
(I hope so ;p ) it should run on all win9x version ...
|