[Reverse Engineering] – Crack Agricultural Simulator 2013

Today I’ll show you how you can easily crack Agricultural Simulator 2013 with the stupid method (string text search). From now on I won’t explain everything; most of what I do here was already described in previous tutorials. You’ll always need Olly (or any debugger you like) so you can patch your files (usually an exe or a dll).

Run the game and you’ll be prompted to enter your serial. Hum, enter anything you want and then click “Register”. Unless you’re some freak of nature you should get a message telling you that the serial you entered is incorrect. Alright... At this point you probably know what we need to patch! Yeah, we need to trick the program into thinking that it is already registered.

For that, do a string search with anything that may lead you to the solution. I chose to search for “serial”, and the first match I got was this:


I forgot to mention that the file we need to edit is agrarsimulator2013.dll. This string looks promising: it seems we’re creating a registry key in the HKEY_CURRENT_USER\ActaLogic folder. Indeed, if you press Ctrl+R on your desktop, type “regedit” and navigate to that folder, you can clearly see that the folder was created after the first run. It should contain an AutoUpdate folder with a key set to disabled/enabled. Double-click on the first match and press Ctrl+A to run a quick analysis. My procedure is the following (yours should be similar):

CPU Disasm
Address   Hex dump          Command                                  Comments
004653C0  /$  55            PUSH EBP                                 ; agrarsimulator2013_original.004653C0(guessed Arg1,Arg2)
004653C1  |.  8BEC          MOV EBP,ESP
004653C3  |.  83E4 F8       AND ESP,FFFFFFF8                         ; QWORD (8.-byte) stack alignment
004653C6  |.  B8 18240000   MOV EAX,2418
004653CB  |.  E8 507D1200   CALL 0058D120                            ; Allocates 9240. bytes on stack
004653D0  |.  833D B4650B02 CMP DWORD PTR DS:[20B65B4],0
004653D7  |.  56            PUSH ESI
004653D8  |.  8B75 0C       MOV ESI,DWORD PTR SS:[ARG.2]
004653DB  |.  57            PUSH EDI
004653DC  |.  8B7D 08       MOV EDI,DWORD PTR SS:[ARG.1]
004653DF  |.  0F85 D7000000 JNE 004654BC
004653E5  |.  6A 00         PUSH 0                                   ; /Arg3 = 0
004653E7  |.  68 E0C06500   PUSH OFFSET 0065C0E0                     ; |Arg2 = ASCII "Software\ActaLogic\SerialNumber"
004653EC  |.  68 E8B36A00   PUSH OFFSET 006AB3E8                     ; |Arg1 = agrarsimulator2013_original.6AB3E8
004653F1  |.  8D4C24 1C     LEA ECX,[LOCAL.2308]                     ; |
004653F5  |.  C74424 1C 000 MOV DWORD PTR SS:[LOCAL.2308],0          ; |
004653FD  |.  E8 6E7BFAFF   CALL 0040CF70                            ; \agrarsimulator2013_original.0040CF70
00465402  |.  837C24 10 00  CMP DWORD PTR SS:[LOCAL.2308],0
00465407  |.  0F84 AF000000 JE 004654BC
0046540D  |.  C74424 0C 100 MOV DWORD PTR SS:[LOCAL.2309],10
00465415  |.  83FE FF       CMP ESI,-1
00465418  |.  74 3C         JE SHORT 00465456
0046541A  |.  8D4424 0C     LEA EAX,[LOCAL.2309]
0046541E  |.  50            PUSH EAX                                 ; /Arg3 => OFFSET LOCAL.2309
0046541F  |.  68 20550B02   PUSH OFFSET 020B5520                     ; |Arg2 = agrarsimulator2013_original.20B5520
00465424  |.  B9 50670B02   MOV ECX,OFFSET 020B6750                  ; |
00465429  |.  E8 22BCF9FF   CALL 00401050                            ; |
0046542E  |.  50            PUSH EAX                                 ; |Arg1
0046542F  |.  8D4424 1C     LEA EAX,[LOCAL.2308]                     ; |
00465433  |.  E8 C87DFAFF   CALL 0040D200                            ; \agrarsimulator2013_original.0040D200
00465438  |.  85C0          TEST EAX,EAX
0046543A  |.  74 1A         JZ SHORT 00465456
0046543C  |.  8B4424 10     MOV EAX,DWORD PTR SS:[LOCAL.2308]
00465440  |.  85C0          TEST EAX,EAX
00465442  |.  74 07         JZ SHORT 0046544B
00465444  |.  50            PUSH EAX                                 ; /hKey => NULL
00465445  |.  FF15 04806000 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe ; \ADVAPI32.RegCloseKey
0046544B  |>  B8 02000000   MOV EAX,2
00465450  |.  5F            POP EDI
00465451  |.  5E            POP ESI
00465452  |.  8BE5          MOV ESP,EBP
00465454  |.  5D            POP EBP
00465455  |.  C3            RETN
00465456  |>  8D4C24 0C     LEA ECX,[LOCAL.2309]
0046545A  |.  51            PUSH ECX                                 ; /Arg3 => OFFSET LOCAL.2309
0046545B  |.  68 30550B02   PUSH OFFSET 020B5530                     ; |Arg2 = agrarsimulator2013_original.20B5530
00465460  |.  B9 4C670B02   MOV ECX,OFFSET 020B674C                  ; |
00465465  |.  E8 E6BBF9FF   CALL 00401050                            ; |
0046546A  |.  50            PUSH EAX                                 ; |Arg1
0046546B  |.  8D4424 1C     LEA EAX,[LOCAL.2308]                     ; |
0046546F  |.  E8 8C7DFAFF   CALL 0040D200                            ; \agrarsimulator2013_original.0040D200
00465474  |.  85C0          TEST EAX,EAX
00465476  |.  75 35         JNZ SHORT 004654AD
00465478  |.  56            PUSH ESI                                 ; /Arg1
00465479  |.  8BC7          MOV EAX,EDI                              ; |
0046547B  |.  E8 70FEFFFF   CALL 004652F0                            ; \agrarsimulator2013_original.004652F0
00465480  |.  83C4 04       ADD ESP,4
00465483  |.  85C0          TEST EAX,EAX
00465485  |.  74 26         JZ SHORT 004654AD
00465487  |.  E8 34480300   CALL 00499CC0
0046548C  |.  8B4424 10     MOV EAX,DWORD PTR SS:[LOCAL.2308]
00465490  |.  830D B4650B02 OR DWORD PTR DS:[20B65B4],00000002
00465497  |.  85C0          TEST EAX,EAX
00465499  |.  74 07         JZ SHORT 004654A2
0046549B  |.  50            PUSH EAX                                 ; /hKey => NULL
0046549C  |.  FF15 04806000 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe ; \ADVAPI32.RegCloseKey
004654A2  |>  B8 01000000   MOV EAX,1
004654A7  |.  5F            POP EDI
004654A8  |.  5E            POP ESI
004654A9  |.  8BE5          MOV ESP,EBP
004654AB  |.  5D            POP EBP
004654AC  |.  C3            RETN
004654AD  |>  8B4424 10     MOV EAX,DWORD PTR SS:[LOCAL.2308]
004654B1  |.  85C0          TEST EAX,EAX
004654B3  |.  74 07         JZ SHORT 004654BC
004654B5  |.  50            PUSH EAX                                 ; /hKey => NULL
004654B6  |.  FF15 04806000 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe ; \ADVAPI32.RegCloseKey
004654BC  |>  33D2          XOR EDX,EDX
004654BE  |.  3915 B4650B02 CMP DWORD PTR DS:[20B65B4],EDX
004654C4  |.  0F94C2        SETE DL
004654C7  |.  F6C2 01       TEST DL,01
004654CA  |.  74 08         JZ SHORT 004654D4
004654CC  |.  33C0          XOR EAX,EAX
004654CE  |.  5F            POP EDI
004654CF  |.  5E            POP ESI
004654D0  |.  8BE5          MOV ESP,EBP
004654D2  |.  5D            POP EBP
004654D3  |.  C3            RETN
004654D4  |>  56            PUSH ESI                                 ; /Arg1
004654D5  |.  8BC7          MOV EAX,EDI                              ; |
004654D7  |.  E8 14FEFFFF   CALL 004652F0                            ; \agrarsimulator2013_original.004652F0
004654DC  |.  8BF8          MOV EDI,EAX
004654DE  |.  83C4 04       ADD ESP,4
004654E1  |.  85FF          TEST EDI,EDI
004654E3  |.  74 5F         JZ SHORT 00465544
004654E5  |.  F605 B4650B02 TEST BYTE PTR DS:[20B65B4],02
004654EC  |.  75 51         JNZ SHORT 0046553F
004654EE  |.  6A 01         PUSH 1                                   ; /Arg3 = 1
004654F0  |.  68 E0C06500   PUSH OFFSET 0065C0E0                     ; |Arg2 = ASCII "Software\ActaLogic\SerialNumber"
004654F5  |.  68 E8B36A00   PUSH OFFSET 006AB3E8                     ; |Arg1 = agrarsimulator2013_original.6AB3E8
004654FA  |.  8D4C24 1C     LEA ECX,[LOCAL.2308]                     ; |
004654FE  |.  C74424 1C 000 MOV DWORD PTR SS:[LOCAL.2308],0          ; |
00465506  |.  E8 657AFAFF   CALL 0040CF70                            ; \agrarsimulator2013_original.0040CF70
0046550B  |.  8B7424 10     MOV ESI,DWORD PTR SS:[LOCAL.2308]
0046550F  |.  85F6          TEST ESI,ESI
00465511  |.  74 2C         JZ SHORT 0046553F
00465513  |.  6A 10         PUSH 10                                  ; /DataSize = 16.
00465515  |.  68 30550B02   PUSH OFFSET 020B5530                     ; |Data = agrarsimulator2013_original.20B5530 -> 00
0046551A  |.  6A 03         PUSH 3                                   ; |Type = REG_BINARY
0046551C  |.  6A 00         PUSH 0                                   ; |Reserved = 0
0046551E  |.  B9 4C670B02   MOV ECX,OFFSET 020B674C                  ; |
00465523  |.  E8 28BBF9FF   CALL 00401050                            ; |
00465528  |.  50            PUSH EAX                                 ; |SubKey
00465529  |.  56            PUSH ESI                                 ; |hKey
0046552A  |.  FF15 10806000 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu ; \ADVAPI32.RegSetValueExA
00465530  |.  8B4424 10     MOV EAX,DWORD PTR SS:[LOCAL.2308]
00465534  |.  85C0          TEST EAX,EAX
00465536  |.  74 07         JZ SHORT 0046553F
00465538  |.  50            PUSH EAX                                 ; /hKey => NULL
00465539  |.  FF15 04806000 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe ; \ADVAPI32.RegCloseKey
0046553F  |>  E8 7C470300   CALL 00499CC0
00465544  |>  8BC7          MOV EAX,EDI
00465546  |.  5F            POP EDI
00465547  |.  5E            POP ESI
00465548  |.  8BE5          MOV ESP,EBP
0046554A  |.  5D            POP EBP
0046554B  \.  C3            RETN


Indeed we were right: the program works with registry keys. You can confirm it from this call:

CPU Disasm
Address   Hex dump          Command                                  Comments
00465445  |.  FF15 04806000 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe ; \ADVAPI32.RegCloseKey

Place a breakpoint on 004653C0 (press F2) or double-click on it and run the game. The program will break multiple times on that address, meaning that we are probably in the right place. What we will do next is not to make the program think that we are registered; instead we’ll skip the registration scheme altogether! How?

You can see that this

CPU Disasm
Address   Hex dump          Command                                  Comments
004653DF  |. /0F85 D7000000 JNE 004654BC

jumps past all the registry checks. Press space on that line and replace the JNE with a JMP. The program will then jump to XOR EDX,EDX. A few lines below you have

CPU Disasm
Address   Hex dump          Command                                  Comments
004654CA  |. /74 08         JZ SHORT 004654D4

that also needs to be patched. Replace it with a NOP and replace the XOR EAX,EAX with a MOV AL,1. The program should now be cracked. Save your new DLL file in the installation directory and you should be able to play with no problems at all 🙂
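The other side of this story is spotting a DLL whose check has been patched. As an added example (not from the original post), the script below maps the debugger addresses from the listing back to file offsets through a PE section table and reports any location whose bytes no longer match the original opcodes. The image base, the section layout and the sample file contents are constructed for the demo; a real check would read them from the DLL’s PE headers.

```python
from dataclasses import dataclass


@dataclass
class Section:
    virtual_address: int  # RVA at which the section is mapped
    raw_pointer: int      # file offset of the section's raw data
    raw_size: int         # size of the raw data in the file

# Bytes exactly as the listing above shows them in the unpatched DLL.
EXPECTED = {
    0x004653DF: bytes.fromhex("0F85D7000000"),  # JNE 004654BC
    0x004654CA: bytes.fromhex("7408"),          # JZ SHORT 004654D4
    0x004654CC: bytes.fromhex("33C0"),          # XOR EAX,EAX
}

# Assumptions for the demo: a 0x00400000 image base and a single .text section.
IMAGE_BASE = 0x00400000
SECTIONS = [Section(virtual_address=0x1000, raw_pointer=0x400, raw_size=0x70000)]

def va_to_offset(va, image_base, sections):
    """Translate a debugger virtual address into a file offset via the section table."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.raw_size:
            return s.raw_pointer + (rva - s.virtual_address)
    raise ValueError(f"VA {va:#010x} is not backed by any section")

def find_tampering(data, image_base, sections, expected=EXPECTED):
    """Return {va: (expected, actual)} for every watched location whose bytes differ."""
    diffs = {}
    for va, want in expected.items():
        off = va_to_offset(va, image_base, sections)
        got = bytes(data[off:off + len(want)])
        if got != want:
            diffs[va] = (want, got)
    return diffs

def build_sample(tampered=False):
    """Constructed stand-in for the DLL: zero-filled, with the listing's bytes placed."""
    data = bytearray(0x80000)
    for va, want in EXPECTED.items():
        off = va_to_offset(va, IMAGE_BASE, SECTIONS)
        data[off:off + len(want)] = want
    if tampered:  # simulate one modified opcode byte at the first conditional jump
        data[va_to_offset(0x004653DF, IMAGE_BASE, SECTIONS)] ^= 0xFF
    return bytes(data)

if __name__ == "__main__":
    print(find_tampering(build_sample(tampered=True), IMAGE_BASE, SECTIONS))
```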

I’ll also start posting my own cracks. Here is the first one (debug mine and compare my changes with yours; there are different ways to do this 🙂).

Agricultural simulator 2013- CRACK -> https://mega.co.nz/#!RBdVyYID!Vpn71k10emNn6SKv_Ljy_E8aHXMHmHDiZRfhorC3qZg


Posted on 22 August 2013, in Uncategorized.
