5/26/89

Megaton Man Teaches Cracking
============================

DOC CHECK PROTECTION

Hello all you young and amateur crackers! Today's lesson is on DOC checks. Doc checks are pretty easy once you get to know them, though some are a pain in the ass, like that Sub 688 game. Still, if you have a good working knowledge of 8088 assembly, they shouldn't really be a problem. I myself, only a 17 year old cheese high school boy, learned this fascinating art form of cracking. I see cracking as a game within a game: the first is the actual game, the second is the protection.

Ok, here we go. Get your cracking tools out. They should consist of a good debugger of your choice. My choice is Microsoft's CodeView. It's pretty easy to use and it's been working so far. But most of the major crackers seem to use DOS's DEBUG.COM, which is found on your DOS disk. They use this primitive but powerful tool because it's so small that it won't get in the way of a game in memory. But I find CodeView lets you CTRL-BRK out of programs more easily. Your next tool is NORTON UTILITIES. This program should be at your side all the time. Keep Norton and your debugger in the PATH always, because you will use them a lot.

In this little package you should find a file named DOC1.COM. This is an assembly language program I made which simulates a DOC check. It gives you a phony message like "ENTER PASSWORD:", and you must enter the password in order for the program to tell you that you cracked it. The password for DOC1.COM is MEGATON MAN. Yeah, I'm an egotistic asshole, but I love it.

This is your game plan. First, trace the program until it stops at the input prompt. At that point, enter "KOOK" or anything at the prompt, anything except MEGATON MAN. Then keep tracing the program until it eats shit (terminates). Try to memorize what path the program took; if you can't memorize it, pen and paper always works.
Now restart the program and trace until the input prompt asks you for the password. This time, instead of typing the wrong password, type in MEGATON MAN, the correct one. Keep tracing the program and again memorize the path. Ok, the first part is over. Now compare the two paths and find where a detour was made. Once you find the detour, just force the program to go the correct way. Are you saying, "How do I force the program?" Well, find the detour first, and when you do, continue reading. So stop reading and try to crack DOC1.COM.

Now that you are reading again, I suspect you either found the detour or you're stumped. It doesn't matter, just keep reading. This is the "map" of the little program:

XXXX:0100  JMP  1E8
   :
   :
XXXX:01E8  CALL 1F7     <--- Print message and ask for password
XXXX:01EB  OR   AX,AX   <--- Is the AX register = 0?
XXXX:01ED  JNZ  1F2     <--- No? Then jump to 1F2
XXXX:01EF  CALL 225     <--- This is DEATH!
XXXX:01F2  CALL 21C     <--- Called if it's CRACKED!

Ok, this is the main part you're worried about. Line 100 jumps to line 1E8. Line 1E8 is CALL 1F7, and what this call does is display the intro message and ask you to input the password. Before executing the CALL at 1E8, look at the AX register and write it down; IP should be sitting on 1E8 at this point. Now execute the entire call in one step (step over it rather than tracing into it) and give it a bogus password. IP should now be on 1EB, the instruction right after the call. What does AX contain? 0000? Or 0001? Most protections are like this, even INT 13 protections! Here is what's happening: when CALL 1F7 returns, AX = 0000 if you typed the wrong password and AX = 0001 if you typed the correct one. Pretty neat, eh?

Now look at line 1EB. It is OR AX,AX, which does pretty much the same job as CMP AX,0000: it sets the flags according to whether AX is zero. OR AX,AX is a byte shorter (two bytes instead of three) and is supposed to be faster than CMP AX,0000.
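The "compare the two paths" step above, done by script, as an added example that is not part of Megaton Man's lesson. A trace here is the list of instruction addresses the debugger stepped through on one run; both traces are constructed from the DOC1.COM listing in the text, and the addresses inside the subroutines (1F7.., 21C.., 225..) are invented filler, not real DOC1.COM code. The function names and the LISTING dictionary are this example's own.

```python
# Added example (not from the original lesson): find the detour between a
# wrong-password trace and a right-password trace, then say what to force.
# Traces and LISTING are constructed from the listing in the text; the
# addresses inside CALL 1F7 / CALL 225 / CALL 21C are made-up filler.

LISTING = {  # address -> instruction, as the listing in the text shows it
    0x100: "JMP 1E8",
    0x1E8: "CALL 1F7",
    0x1EB: "OR AX,AX",
    0x1ED: "JNZ 1F2",
    0x1EF: "CALL 225",
    0x1F2: "CALL 21C",
}

# Run 1: bogus password.  Run 2: MEGATON MAN.  Same path until the JNZ.
TRACE_WRONG = [0x100, 0x1E8, 0x1F7, 0x1FA, 0x1FD, 0x1EB, 0x1ED, 0x1EF, 0x225, 0x228]
TRACE_RIGHT = [0x100, 0x1E8, 0x1F7, 0x1FA, 0x1FD, 0x1EB, 0x1ED, 0x1F2, 0x21C, 0x21F]

CONDITIONAL_JUMPS = {
    "JA", "JAE", "JB", "JBE", "JC", "JCXZ", "JE", "JG", "JGE", "JL", "JLE",
    "JNA", "JNAE", "JNB", "JNBE", "JNC", "JNE", "JNG", "JNGE", "JNL", "JNLE",
    "JNO", "JNP", "JNS", "JNZ", "JO", "JP", "JPE", "JPO", "JS", "JZ",
}


def find_detour(trace_a, trace_b):
    """First point where the two paths split.

    Returns (last_shared_addr, next_in_a, next_in_b), or None when one trace
    is just a prefix of the other (no detour seen, nothing to force yet).
    """
    for i, (a, b) in enumerate(zip(trace_a, trace_b)):
        if a != b:
            if i == 0:
                raise ValueError("traces start at different addresses")
            return trace_a[i - 1], a, b
    return None


def is_conditional_jump(instr):
    return instr.split()[0].upper() in CONDITIONAL_JUMPS


def jump_target(instr):
    """'JNZ 1F2' -> 0x1F2 (the operand is hex, as the debugger prints it)."""
    return int(instr.split()[1], 16)


def patch_plan(trace_wrong, trace_right, listing=LISTING):
    """Decide what to do at the detour.

    If the last shared instruction is a conditional jump, report whether the
    good run TOOK it (then make it always jump) or FELL THROUGH (then make it
    never jump).  If the split is somewhere the listing does not show, e.g.
    inside a subroutine, you have to trace deeper before deciding.
    """
    detour = find_detour(trace_wrong, trace_right)
    if detour is None:
        return None
    at, _next_wrong, next_right = detour
    instr = listing.get(at)
    if instr is None or not is_conditional_jump(instr):
        return {"at": at, "action": "trace deeper"}
    if next_right == jump_target(instr):
        return {"at": at, "action": "always jump", "to": next_right}
    return {"at": at, "action": "never jump", "to": next_right}


if __name__ == "__main__":
    print(find_detour(TRACE_WRONG, TRACE_RIGHT))   # (0x1ED, 0x1EF, 0x1F2)
    print(patch_plan(TRACE_WRONG, TRACE_RIGHT))
```

On the constructed traces the detour is the JNZ at 1ED, and the good run took the jump, so the plan is "always jump". On a short JNZ (opcode 75) that means changing that one byte to EB, the short JMP; "never jump" means two NOPs over it. The lesson's own fix, NOPing the death call instead, works just as well here because the fall-through path runs straight into CALL 21C.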
Don't ask me why it's written that way; it's just one of those professional programmer habits. Line 1EB checks whether AX is zero: if AX is zero, the ZERO flag is set, otherwise the ZERO flag is cleared. Look at line 1ED. It is JNZ 1F2, "Jump if Not Zero to 1F2". AX will not be zero if you entered the correct password. So if you entered the wrong password, IP falls through to line 1EF, which is CALL 225, the "eat it and die" call. You don't want this! NEVER! If the correct password was entered, line 1ED jumps to line 1F2, which calls the routine that tells you that you cracked the program.

Now, how could we change the program so it always ends up at the correct line? There are a few different ways. One is the easy way, but less professional. The next is also easy, and also not professional. The last way is the harder way, and the professional way. Let's try the second easy way first, because if I told you the easiest way first, you'd screw the program up!

Have you heard of the instruction NOP? It means No Operation. Yeah, it doesn't do anything; it just fills the space of an instruction you want gone. If we NOP out line 1EF (CALL 225), the program hits the NOPs and continues on to the call we want, line 1F2 (CALL 21C). The hex value for NOP is 90. Note that CALL 225 is three bytes long (E8 plus a two-byte displacement), so it takes three 90s to replace it, one per byte; if you change only the first byte, the two leftover displacement bytes get executed as an instruction of their own. So disassemble the area we need to change and write down the bytes on and around it. Now flip out Norton Utilities and search for those bytes. When it finds a match, don't change anything yet: continue the search and make sure there are no more matches. If you find another one, go back to the debugger, disassemble again, write down more bytes around the part you want fixed, and search for the longer sequence. Make sure there is only one occurrence.
So there is one occurrence; go to those bytes and replace the three bytes of the CALL with 90 90 90. Save your changes and bail out of Norton Utilities. Now run DOC1.COM and type a wrong password. The program should tell you it's cracked no matter what you type! If it did, well, you cracked it! Yeah!

DOC1.COM is cracked. Go to your MASTER DISK and copy the file from the MASTER DISK over to your SCREW AROUND DISK, which gets rid of the newly cracked DOC1.COM. Now that you have the DOC1.COM that is NOT cracked, let's begin the second way to crack the same program.

Some DOC check protectors are sorta lame and lazy. Remember I told you the password was MEGATON MAN? When you purchase a game from Egghead or any other software place and a DOC protection comes with the disk, the docs you need are always in the box. Let's say for instance you bought Silpheed. It's a DOC check type thing. Say one of the passwords was SIERRA. Pull out Norton Utilities and search for the characters S I E R R A. Norton should beep and show you where the word SIERRA was found. Now look around that area and see if there are other words or letters near SIERRA. If so, read them, and look in your book of docs to see if a word on the screen matches a password in the book. Yes? Then BINGO, you found the password list. Now you can change the passwords to anything you want. But take note: a delimiter is usually put at the end of each password. What's a delimiter? It's a character or hex value that marks the end of each password. For instance a hex 00 may follow each password, or each password may be exactly 8 characters long, or something like that. Keep the delimiters in place and don't make a password longer than the slot it came from, because the program finds the entries by their positions in the file. Change them to what you please. I did this when I cracked Silpheed. Kinda weak, eh? Well, who cares. I don't really call this method "cracking"; it's more like hacking. But to prove it to myself, I cracked it the next day, not hacked.
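The password-list hunt just described, done by script, as an added example that is not part of the original lesson: search for one password you know from the docs, read the delimited entries on either side of it, and patch one without shifting anything. IMAGE is a constructed stand-in for a game binary; the code bytes and the password words in it are invented for this example and are not Silpheed's real list, and all function names are this example's own.

```python
# Added example (not from the original lesson): locate a NUL-delimited
# password table from one known entry, list its neighbours, patch in place.
# IMAGE is constructed: a few code bytes, the table, a few more code bytes.

import string

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

IMAGE = (b"\xB8\x01\x00\xCD\x21\x00"
         + b"SIERRA\x00KINGS\x00QUEST\x00LEISURE\x00"
         + b"\xE8\x0C\x00\x09\xC0\x75\x03")


def find_all(image, needle):
    hits, start = [], 0
    while (i := image.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def is_usable_anchor(image, known):
    """A known password only anchors the search if it occurs exactly once."""
    return len(find_all(image, known)) == 1


def _looks_like_entry(word):
    return 0 < len(word) <= 32 and all(b in PRINTABLE for b in word)


def string_table_around(image, known, delim=0x00):
    """Walk outward from KNOWN over DELIM-terminated entries.

    Collects every printable run on both sides until a run that is not
    printable (code or other data), which is where the table ends. Empty
    runs (padding) are skipped. Returns [(offset, entry), ...] in file order.
    This is a heuristic: a fixed-width table needs the width as the stride
    instead of a delimiter.
    """
    if not is_usable_anchor(image, known):
        raise ValueError(f"{known!r} occurs {len(find_all(image, known))} times")
    d = bytes([delim])
    start = image.rfind(d, 0, find_all(image, known)[0]) + 1  # 0 if none before
    entries = []
    pos = start                                   # walk backward
    while pos > 0 and image[pos - 1] == delim:
        prev_start = image.rfind(d, 0, pos - 1) + 1
        word = image[prev_start:pos - 1]
        if word and not _looks_like_entry(word):
            break
        if word:
            entries.insert(0, (prev_start, word))
        pos = prev_start
    pos = start                                   # walk forward
    while (end := image.find(d, pos)) != -1:
        word = image[pos:end]
        if word and not _looks_like_entry(word):
            break
        if word:
            entries.append((pos, word))
        pos = end + 1
    return entries


def patch_entry(image, offset, old, new, delim=0x00):
    """Overwrite OLD at OFFSET with NEW, padding with DELIM so nothing shifts.

    Everything else in the file is found by fixed position, so a replacement
    longer than the original slot would clobber the next entry (or code).
    """
    if image[offset:offset + len(old)] != old:
        raise ValueError("old password is not at that offset")
    if len(new) > len(old):
        raise ValueError("replacement is longer than the slot it came from")
    slot = new + bytes([delim]) * (len(old) - len(new))
    return image[:offset] + slot + image[offset + len(old):]


if __name__ == "__main__":
    for off, word in string_table_around(IMAGE, b"SIERRA"):
        print(f"{off:04X}: {word.decode()}")
    patched = patch_entry(IMAGE, 13, b"KINGS", b"KOOK")
    print(string_table_around(patched, b"KOOK"))
```

The walk stops at the first non-printable run on each side, which is how you tell the table apart from the code around it; the anchor check refuses a password that appears more than once, since you would not know which copy the game reads.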
DOC1.COM is cracked again. Go back to your MASTER DISK and copy the clean file over to your SCREW AROUND DISK once more, which gets rid of the newly cracked DOC1.COM. Ok, we've cracked DOC1.COM two different ways. Now the third way, which is the best. This method totally eliminates the DOC check, which means NO SIGN of the protection can be detected. That means you have to remove the part where it asks for the password. Take a look at the listing; I'll copy it here so you don't have to flip back and forth:

XXXX:0100  JMP  1E8
   :
   :
XXXX:01E8  CALL 1F7     <--- Print message and ask for password
XXXX:01EB  OR   AX,AX   <--- Is the AX register = 0?
XXXX:01ED  JNZ  1F2     <--- No? Then jump to 1F2
XXXX:01EF  CALL 225     <--- This is DEATH!
XXXX:01F2  CALL 21C     <--- Called if it's CRACKED!

Look at line 1E8 (CALL 1F7). This call asks for the password and returns AX=0000 if it's wrong and AX=0001 if it's correct. Our goal is to get to line 1F2 (CALL 21C). Couldn't we just NOP lines 1E8 through 1EF? Sure we can, and that's what we're going to do. That is four instructions, ten bytes in all (3 + 2 + 2 + 3), running from 1E8 up to but not including 1F2, and every one of those bytes becomes a 90. Write down the bytes on and around this area, use Norton Utilities to search for them (again, check that the sequence occurs only once), and replace them with NOPs. Save your changes and run DOC1.COM. The program should just say "GAME IS CRACKED" or something like that. Yep, just one line of text.

Ok, yeah! We have cracked this simple doc check program three different ways. Seems pretty easy, eh? Well, there are some problems. What if you didn't have a correct password to trace through? That is something only experience can teach. You must experiment with the jumps. If there seems to be a compare involved, usually the AX register is changed and a conditional jump follows; force the jump and see what happens. If it still eats shit, don't force it and see what happens. If it still dies, keep following the path until another conditional jump is reached and do the same.
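Both NOP patches (the first way, NOPing CALL 225, and the third way, NOPing the whole check) done by script, as an added example that is not part of the original lesson. It does what the text does with Norton Utilities: search for the byte sequence, refuse to patch unless it occurs exactly once, and overwrite whole instructions with 90s. DOC1_IMAGE is constructed from the listing in the text: the CALL and JNZ displacements are computed from the addresses the listing gives, one valid encoding of OR AX,AX is used, and the bytes inside the three subroutines are filler, not the real DOC1.COM; every function name is this example's own.

```python
# Added example (not from the original lesson): a search-and-NOP patcher for a
# .COM file. build_doc1_image() is a constructed stand-in for DOC1.COM laid
# out as the listing in the text describes; subroutine bodies are filler.

COM_BASE = 0x100      # .COM files load at offset 0100
NOP = 0x90


def encode_call(at, target):
    """Near CALL (E8 rel16); the displacement is relative to the next instruction."""
    rel = target - (at + 3)
    return b"\xE8" + rel.to_bytes(2, "little", signed=True)


def encode_jnz(at, target):
    """Short JNZ (75 rel8)."""
    rel = target - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of short-jump range")
    return b"\x75" + rel.to_bytes(1, "little", signed=True)


def build_doc1_image():
    img = bytearray(0x140)              # constructed: 0100..023F, zero-filled

    def put(addr, data):
        img[addr - COM_BASE:addr - COM_BASE + len(data)] = data

    put(0x100, b"\xE9" + (0x1E8 - 0x103).to_bytes(2, "little"))  # JMP 1E8
    put(0x1E8, encode_call(0x1E8, 0x1F7))   # CALL 1F7  ask for password
    put(0x1EB, b"\x09\xC0")                 # OR AX,AX
    put(0x1ED, encode_jnz(0x1ED, 0x1F2))    # JNZ 1F2
    put(0x1EF, encode_call(0x1EF, 0x225))   # CALL 225  death
    put(0x1F2, encode_call(0x1F2, 0x21C))   # CALL 21C  cracked
    put(0x1F7, b"\xB8\x01\x00\xC3")         # filler: MOV AX,1 / RET
    put(0x21C, b"\xC3")                     # filler: RET
    put(0x225, b"\xC3")                     # filler: RET
    return bytes(img)


# The whole check, as U (unassemble) in the debugger would show the bytes.
CHECK_BLOCK = (encode_call(0x1E8, 0x1F7) + b"\x09\xC0" + encode_jnz(0x1ED, 0x1F2)
               + encode_call(0x1EF, 0x225) + encode_call(0x1F2, 0x21C))


def find_all(image, pattern):
    hits, start = [], 0
    while (i := image.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def is_unique(image, pattern):
    return len(find_all(image, pattern)) == 1


def find_unique(image, pattern):
    """File offset of PATTERN; refuses to guess when it is not unique."""
    hits = find_all(image, pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern occurs {len(hits)} times; widen the pattern")
    return hits[0]


def nop_out(image, addr, length):
    """Overwrite LENGTH bytes at ADDR (COM addressing) with NOPs.

    LENGTH must cover whole instructions: half a CALL left behind is still
    executed as something.
    """
    off = addr - COM_BASE
    return image[:off] + bytes([NOP]) * length + image[off + length:]


def crack_nop_death_call(image):
    """First way in the text: NOP the three bytes of CALL 225 at 01EF."""
    off = find_unique(image, CHECK_BLOCK)
    death = COM_BASE + off + (0x1EF - 0x1E8)       # CALL 225 is 7 bytes in
    return nop_out(image, death, 3)


def crack_remove_check(image):
    """Third way in the text: NOP 01E8 up to (not including) 01F2, 10 bytes."""
    off = find_unique(image, CHECK_BLOCK)
    return nop_out(image, COM_BASE + off, 0x1F2 - 0x1E8)


if __name__ == "__main__":
    original = build_doc1_image()
    print(crack_nop_death_call(original)[0xE8:0xF5].hex(" "))
    print(crack_remove_check(original)[0xE8:0xF5].hex(" "))
```

The search uses the whole check block as the pattern, which is the "write down more bytes around the area" advice from the text made mechanical; if the block ever matched twice the patcher stops instead of patching the wrong copy. The third way leaves CALL 21C at 1F2 intact and nothing before it, so the program goes straight to the cracked message without ever prompting.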
Some INT 13 protections are similar to the doc checks explained above. Look at line 1E8 (CALL 1F7). This subroutine asks for the password and returns the appropriate code. Now what if the disk drive light lit up when this call executed instead? If the disk protection was found, AX=0001; if it's not found, AX=0000. See, it's sorta the same.

Oh, and what if the doc check is later on in the game, like Questron II, Larry Bird One on One, and Demon Stalker? Load up your debugger with the intro EXE file. Then press "G" for go and run the program with your debugger in the background. When the program asks for the password, just type "SHIT" and press CTRL-BRK! The debugger should regain control and show you where the current line is. Trace through from that point and look for the conditional jumps and comparisons.

Well, that wraps it up for this lesson. Any questions? Well, call...

THE ROACH MOTEL
818-369-2083
12/24/and 9600! USR HST! 100+ Megs
Sysop: Black Flag
Co's: Megaton Man (me), Eternal Warrior, Lone Wolf

Ask for Megaton Man.

END.
Line 199.