I cannot believe this completely unsupported fan-made utility from 1997 is failing to work on modern windows
-
but the tl;dr for how classic cracking works.
You find the spot in the program that looks like this:
if (is_pirated()){
printf("NO WAREZ!\n");
exit(-1);
}in the disassembly (on x86, at least) that'll look something like:
CALL (address of is_pirated)
TEST EAX, EAX
JZ (address of rest of the game)
(some code to yell at the pirate) -
@foone Have you ever paid for your WinRAR license?
-
the return code of is_pirated is in EAX (in cdecl calling convention). test EAX,EAX compares it against itself so the status flags are set, and then JZ jumps if the Zero Flag is set.
Basically, if is_pirated returned 0, we jump to the game, otherwise we yell at the pirate and quit.
-
so you just change the conditional JZ to an unconditional JMP.
Now we call is_pirated, but no matter what it returned (0, 1, 3.14159, or "hello world"), we jump to the rest of the game. -
And what's the difference between how you encode JZ vs JMP?
One byte:E9 71 JMP +71
74 71 JZ +71 -
so you patch exactly one byte and now the pirated game works.
-
@cr1901 No. I have paid for WinZip though, technically. I bought a used copy in a bunch of compute crap
-
Foone🏳️⚧️replied to Foone🏳️⚧️ last edited by [email protected]
a significant amount of all anti-cracking development in the last 45 years is figuring out ways to make it impossible to crack a game with just one byte.
-
The main ways to do this boil down to:
1. You layer or repeat the checks. now you gotta patch multiple places, in different ways, and what if you miss one? you're still fucked!
2. You don't have this check at all. Derive some constants from the check results and now all the levels load inside out and upside down, or something. This just makes it harder to figure out where to patch.
3. Forget it, and you protect your software elsewhere: hardware, OS DRM layers, etc. -
@foone Can we automate changing each byte to a NOP until we find the one that works? Think brute-forcer, not smarter.
-
@crobbler I am currently working on a system to do basically that, to reverse engineer DOS games by randomly corrupting them in parallel
-
Anyway back to hacking this Renderware-using game. So, I can't load the models. Why not? Are they fundamentally different, like they're encrypted or compressed? are they just the wrong version number? can we hack the version number?
-
Foone🏳️⚧️replied to Foone🏳️⚧️ last edited by [email protected]
arg, all my renderware models on hand are either the .RWB ones from the game that don't work, or they're .RWX from the Modeller. RWB is a binary compiled version of RWX, but they're completely different
-
dang it, the other files I can find online are also .RWX
-
@foone I reverse engineer malware, which I don’t exactly love because they have moved way past obvious checks based on one branch (as, of course, have some legitimate developers). It’s getting harder and harder. If more of those malware authors lived in different countries, they could easily get jobs making anti-piracy stuff. But now that I’m thinking of it as repeated endless software cracking…maybe this seems more fun??
-
@kaced
see that's the nice thing about hacking games from 1996: they're way back in this arms race. Shit is barely protected at all!I need to get into that malware reverse engineering, though. It may be less fun, but it's far more likely to get me paid.
-
@foone I love that your first response here appears to be to hack on old software to get model rendering working rather than just focusing on reverse engineering the format itself
I know that if I were in your shoes I'd be just trying to figure out how to extract a vertex list from the file and I'm not sure if I'd be very successful
-
so I don't have (and can't find) any docs for these two formats, but I might have something that'll work:
I have the renderware DLLs for the game's version, right? Presumably the game is calling whichever Renderware functions it needs to read out that file.I could just write a little code to call them myself, then inspect the in-memory structures it returns.
-
@gfaster yeah, I have spent a LOT of time staring at hex editors in my years, so my ethos is to get the program itself to do stuff for me. if it can open the files, I make it do that, and I pull out the results.
I find it a lot faster than the more traditional "look at the file until it makes sense" method. -
oh hey, GTA 3 uses RenderWare (presumably a later version).
That was reverse engineered, I wonder if the RE source interacts with renderware? maybe they made some tools for this.