How To Crack Doc Checks
~~~~~~~~~~~~~~~~~~~~~~~

Equip Needed
~~~~~~~~~~~~
o ASSEMBLY EXPERIENCE !!!   - Familiar with CALL, MOV, CMP, OR, XOR, INT etc
o 386SX or higher processor - So Soft-ICE can run
o Soft-ICE v2.62 or higher  - The GOD of debuggers
o FED v1.51 or higher       - Fastest Hex editor and searcher
o UNP v3.11 or higher       - For decompressing/decrypting everything!
o Scientific calculator     - For decimal to hex conversions and stuff
o LOTS of paper             - For writing down offsets and segments
o Pen or pencil             - For writing with
o Patience                  - You need a lot of this

Now what ?
~~~~~~~~~~
Right, you should find a file in this archive called SETUP.EXE; this is the
setup program for a game called The Lost Vikings and holds the copy protection
for the game. If you answer the question right it will set up the game for you.

This game was cracked by The Dream Team's Hard Core, but this file is the
unprotected version. The crack is very easy and is a good example of a Doc
check.

How to crack it
~~~~~~~~~~~~~~~
Load up Soft-ICE (SI from now on) and run SETUP to see what happens. Now
think about when you should pounce on the program with SI. I usually go in
just before the protection, so run the program and jump in when the screen
changes to the setup screen. Now step through the code until the background
changes; note down the segment and offset at that point and keep going until
you hit the doc check.

Here is a run down of the program code (the 10CB segment will differ on your PC)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10CB:1CB3 - Main CALL to protection
          |-----------------------------------------------------------------
          | 10CB:0C68 - Check if setup has run before
          | 10CB:0C6C - If the first time run goto protection (10CB:0D39)
          | 10CB:0C6E - Protection run before, bypass this time
          |------------ 
          | 10CB:0D39 - Draw Doc Check box and question
          | 10CB:0D78 - Check if key has been pressed
          |------------ 
          | 10CB:0DB0 - Check if key was an ENTER
          | 10CB:0DCC - Check answer given to correct answer
          | 10CB:0DD0 - If not right answer goto (10CB:0DE4)
          | 10CB:0DD2 - Protection correct
          |------------ 
          | 10CB:0DE4 - Increase variable that holds number times ques asked
          | 10CB:0DEA - Check if the question has been asked 3 times
          | 10CB:0DED - If less than three goto (10CB:0E02)
          |------------ 
          | 10CB:0E02 - Print Incorrect Answer

Now this is how I write down the code on paper; it helps you retrace your steps
if you fuck it up half way through. From what we can see above we can
crack the code in 3 different ways.

A) Patch out the call in the main loop
B) Fix the setup check at the start of the call
C) Fix the answer check after asking the user for a word

Now it just so happens that the way it appears above is in order of preference.
The best thing to do is remove the check completely; the next best thing to do
is to patch the setup check so the user doesn't need to input any data; the
third and least effective method is to patch the check on the answer. Sometimes
if time is important a quick answer check patch will do, but if you have enough
time (30 mins) then removing the whole call is better. Of course some games
& programs require you to run the protection and patch the check, as a variable
is changed and checked later in the program. Well, let's say we decide to patch
the main call (10CB:1CB3). Exit the program, run it again but make Soft-ICE
put a break point on it, or just Go to it (G 10cb:1cb3), and write down the
bytes around it.

10CB:1CB0 - 90       - NOP
10CB:1CB1 - 90       - NOP
10CB:1CB2 - 90       - NOP
10CB:1CB3 - E8-A6-EF - CALL 0C5C   <-- Protection bit
10CB:1CB6 - E8-59-E6 - CALL 0312
10CB:1CB9 - E8-03-04 - CALL 20BF

So we write down 90-90-90-E8-A6-EF-E8-59-E6 (9 bytes is OK most of the time).
Now we use FED to search SETUP.EXE for the above string, and when we find it
we patch it. Patch it to what, though ??!!??

10CB:1CB0 - 90       - NOP
10CB:1CB1 - 90       - NOP
10CB:1CB2 - 90       - NOP
10CB:1CB3 - 90-90-90 -             <-- Protection bit zapped
10CB:1CB6 - E8-59-E6 - CALL 0312
10CB:1CB9 - E8-03-04 - CALL 20BF

Well, we'll NOP it out, so three 90's will do. So we do this :

SEARCH > 90-90-90-E8-A6-EF-E8-59-E6
PATCH  > 90-90-90-90-90-90-E8-59-E6
                  ^^ ^^ ^^
Now we have a search string and a patch string. Patch the file, run it
and see what happens.
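The two things worth checking before you commit a patch like the one above are (1) that you have read the CALL bytes correctly and (2) that the search string really occurs only once in the file. This added example (not code from the original text file) shows the arithmetic behind E8-A6-EF being CALL 0C5C, i.e. a near CALL's 16-bit displacement is relative to the byte after the instruction and wraps at 64K, and counts how often a byte pattern occurs in a buffer. The `image` buffer is a constructed stand-in for the bytes around 10CB:1CB0, not a dump of the real SETUP.EXE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Target of a near CALL (opcode E8 + signed 16-bit displacement) found at
 * offset `at`. The displacement is relative to the byte after the 3-byte
 * instruction and the sum wraps at 64K, which is why E8-A6-EF at 1CB3
 * lands on 0C5C:  1CB6 + EFA6 = 10C5C -> 0C5C. */
uint16_t near_call_target(uint16_t at, uint8_t lo, uint8_t hi)
{
    uint16_t disp = (uint16_t)(lo | (hi << 8));   /* little-endian rel16 */
    return (uint16_t)(at + 3 + disp);
}

/* Inverse: the rel16 you would need to CALL `target` from offset `at`. */
uint16_t near_call_disp(uint16_t at, uint16_t target)
{
    return (uint16_t)(target - (at + 3));
}

/* How many times does `pat` occur in `image`? A search string is only
 * safe to patch blind when this returns exactly 1. */
size_t count_pattern(const uint8_t *image, size_t len,
                     const uint8_t *pat, size_t plen)
{
    size_t hits = 0;
    for (size_t i = 0; plen && i + plen <= len; i++)
        if (memcmp(image + i, pat, plen) == 0)
            hits++;
    return hits;
}

/* Constructed stand-in for the bytes around 10CB:1CB0 (not a real dump). */
static const uint8_t image[] = {
    0x90, 0x90, 0x90,        /* 1CB0..1CB2  NOP NOP NOP            */
    0xE8, 0xA6, 0xEF,        /* 1CB3        CALL 0C5C  <-- protection */
    0xE8, 0x59, 0xE6,        /* 1CB6        CALL 0312               */
    0xE8, 0x03, 0x04,        /* 1CB9        CALL 20BF               */
};
/* The 9-byte search string written down in the walkthrough. */
static const uint8_t search[] = {0x90,0x90,0x90,0xE8,0xA6,0xEF,0xE8,0x59,0xE6};

int main(void)
{
    printf("CALL at 1CB3 -> %04X\n", near_call_target(0x1CB3, 0xA6, 0xEF));
    printf("CALL at 1CB6 -> %04X\n", near_call_target(0x1CB6, 0x59, 0xE6));
    printf("CALL at 1CB9 -> %04X\n", near_call_target(0x1CB9, 0x03, 0x04));
    printf("search string hits: %zu\n",
           count_pattern(image, sizeof image, search, sizeof search));
    return 0;
}
```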

Well, it should flash then display "Setup Complete!". What a waste, you
may be thinking, the program just flashes and returns to DOS. Well, in the
actual game SETUP would look for a 1.4 MB data file and check it; if it
was OK it would continue to ask you what hardware you had, THEN the doc check.
I decided to remove that as I would have needed to include the 1.4 MB
data file and it would be a pain up the ass. Well, at least you've cracked a
real game's protection, The Lost Vikings from InterPlay. Now using your
newly found knowledge go and crack something else. I mainly hack/register
shareware programs but I've cracked the following games because I had them in
their protected state. I've listed how easy they are to crack for you also.

The rating is for a beginner to cracking, not a pro or an experienced cracker.
And it's not for just fixing the game to accept ANY input but for actually
removing the whole copy protection so the user doesn't see anything on screen
or have to type anything to enter the game. That's what's meant by a 100% crack.
All the games I crack I try to make 100% cracked and so far I've managed to
do that with them all. Most of the games are EASY to fix, but removing
all traces of protection is the hard bit and the challenge I enjoy most.

Name Of Game                     Crack Rating Out Of Ten
--------------------------------------------------------
Creepers                                              3
Super Tetris                                          3
The Incredible Machine Deluxe                         6
The Lost Vikings                                      3
Stunt Island                                          7
Bart v Space Mutants                                  8
Wing Commander Part One                               5
Vette!                                                7
F-117A Stealth Fighter 2.0 Ver .02                    4
PGA Tour Golf                                         4
F-117A Stealth Fighter 2.0 Ver .03                    4
Fiendish Freddy                                       3
Golden Axe (100% Crack)                               9
F-19 Stealth Fighter                                  9
Turtles (Arcade Game)                                 3
Ski Or Die                                            8
Gun Boat                                              5
Oh No More Lemmings                                   4
Pit Fighter                                           3
Jimmy Whites Whirlwind Snooker                        4
Indianapolis 500                                      3
D/Generation                                          5
Sango                                                 6
Alone In The Dark                                     6
Skate Or Die                                          4

(That was the order I cracked them in, from being a game cracking virgin at
Creepers onwards ...)

Alone In The Dark
~~~~~~~~~~~~~~~~~
Had to patch this in two places, the START NEW GAME code and the RESTORE GAME
code, and had to write a loader because of the ridiculous way InfoGrames pack
their game files.

Bart v Space Mutants
~~~~~~~~~~~~~~~~~~~~
Ouch! This took me a while because I missed the protection bit and kept on
tracing. It took the length of the blues movie CROSSROADS to crack, but when
the film finished I figured out that I had fucked up and cracked it in about
5 mins. This is NOT a good game to crack if you are inexperienced.

Creepers
~~~~~~~~
Being a Psygnosis game I expected this to be hard, but it was very easy. Good
for beginners.

D/Generation
~~~~~~~~~~~~
Incredibly easy to remove the key diskette protection system.

F-117a Ver .02
~~~~~~~~~~~~~~
Another normal crack but it may take the beginner a while.

F-117a Ver .03
~~~~~~~~~~~~~~
Another normal crack but it may take the beginner a while. Update disk crack.

F-19
~~~~
I couldn't find an easy patch to remove the whole protection as there were
too many variables changed, so I patched out the graphic calls and the input
checks, so technically it's a 100% crack.

Fiendish Freddy
~~~~~~~~~~~~~~~
A laughable protection system, 5 secs for a whole removal.

Golden Axe
~~~~~~~~~~
Easy to patch the answer check, but removing the whole doc check took ages.
This is a toughy; I ain't even heard of a full crack for this game apart from
the one I wrote.

Gun Boat
~~~~~~~~
Removed the whole check; quite simple as it's only one FAR CALL.

Indianapolis 500
~~~~~~~~~~~~~~~~
Quite easy, just traced down the program until I hit the protection, then
NOP'ed the call out.

Jimmy White Snooker
~~~~~~~~~~~~~~~~~~~
Quite easy. The game checked if you had answered the doc check before showing
the menu screen, so if you just patched the answer check, every time you
accessed the menu you'd have to press ENTER to get rid of the check.
I patched the CHK to FIX and then replaced a JZ with a JMP so it won't appear
again; the changing of CHK to FIX is in case the game checks the variable
again later in the game for some reason.

Oh No More Lemmings
~~~~~~~~~~~~~~~~~~~
Rather simple as the game was coded in assembler, so straight calls do things.
The author must have thought PKLITE PRO was good enough.

Pit Fighter
~~~~~~~~~~~
I believe the protection was Copylock; well, I just patched one CALL and the
disk check was gone (the 1st ever key disk crack I've made).

PGA Tour Golf
~~~~~~~~~~~~~
Looked hard but was another one-CALL patch.

Sango
~~~~~
Tough because the EXE is encrypted and I had to write a loader, but the check
was easy enough to bypass.

Skate Or Die
~~~~~~~~~~~
Easier than Ski Or Die, probably because it's older; it uses the same
protection but no variables, so it's a little easier.

Ski Or Die
~~~~~~~~~~
Quite hard as it checks two variables in memory and the protection is in the
main game code, but I finally got it cracked.

Stunt Island
~~~~~~~~~~~~
This is a big game and is quite hard to crack as there is a lot of shit
happening at the same time, GFX, sound effects and music, but once you get
past all that it's quite easy to hack.

Super Tetris
~~~~~~~~~~~~
Quite easy to crack as in patching the answer check, but if you want a clean
crack you have to patch 3 routines; not very hard.

The Incredible Machine Deluxe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This I expected to be a killer because :

A) It's a Sierra game (shudder)
B) It was a graphical doc check (click on 3 items in order)
C) It had music & SFX going all the time

But it was actually quite easy, although again not for the beginner.

Turtles (Arcade)
~~~~~~~~~~~~~~~~
Protection was right at the start and was easily taken out.

The Lost Vikings
~~~~~~~~~~~~~~~~
The easiest crackable Doc Check Award Winner 1993, ask Hard Core of TDT !

Vette!
~~~~~~
Fuck, Cunt, Shit! This is an annoying game; if you fuck the doc check up
it lets you play, but when you try to drive it prints "YOU ARE DRIVING A STOLEN
VETTE!" and hangs. Bummer, but I got it cracked. Took a while.

Wing Commander Part One
~~~~~~~~~~~~~~~~~~~~~~~
An average crack, this; it didn't take long to do at all.


My advice is to crack the games in the following order :

(Easy -- Moderate)
Name                                             Rating     Size in K
---------------------------------------------------------------------
The Lost Vikings                                      3          1440
Fiendish Freddy                                       3           400
Turtles (Arcade)                                      3           500
Creepers                                              3           600
Super Tetris                                          3           600
Oh No More Lemmings                                   4           500
Skate Or Die                                          4           400
F-117A Stealth Fighter 2.0 Ver .2                     4          1400
F-117A Stealth Fighter 2.0 Ver .3                     4          1400
PGA Tour Golf                                         4           250
D/Generation                                          5          1100
Pit Fighter                                           5           550
Wing Commander Part One                               5          2200
Gun Boat                                              5           500
Jimmy White Snooker                                   5           150
Indianapolis 500                                      6           500
Sango                                                 6          2200
The Incredible Machine Deluxe                         6           600
Stunt Island                                          7         13000 (big)
Vette!                                                7           200
Alone In The Dark                                     7          6000


(Tough bastards)
---------------------------------------------------------------------
Ski Or Die                                            8           500
Bart v Space Mutants                                  8          1300
Golden Axe                                            9           600
F-19 Stealth Fighter                                  9           700


(Real Tough Bastards That I Gave Up On)
---------------------------------------------------------------------
Killing Cloud (Uses one loop to do everything)       10           600
Monkey Island 1                                      10          1600

(Size in K is approx. when ZIPped up)

Can someone help me with games that use one loop to do everything? Like :

  BACK: MOV     BX,CS:[1234]   ; fetch the address of the next routine from a table
        ....
        ....
        CALL    [BX+90]        ; indirect call: the target depends on BX, not on a fixed CALL
        JMP     BACK           ; and round again

This happens in Monkey Island and also Killing Cloud.

I was going to include SIMCITY here but the crack I made was really big,
as there are a lot of variables to be patched etc., and if you just NOP the
call the game doesn't hang but your city does (stays at the present month for
ever).

Also, in Bart v Space Mutants Soft-ICE behaves funny and doesn't always stop
on break points. Weird.

Well, I hope you can use this text file. If you see I'm on a board you call in
the USA and you want a hand or one of these uncracked games to try, just drop me
a note, and also ask the sysop if it's OK for me to upload an "Old Ware"; I'm
sure he won't mind as it's for a good cause. You could also ask him if he
would mind setting up a cracking area so I could help the users on his BBS
learn how to crack as well. Remember, if I have access to a modem I'll be
calling the USA all the time as it doesn't cost me anything to call.

Remember I've only just turned 15 and have only been programming in assembly
for 6 months and cracking games for 2 weeks, you should have NO PROBLEMS !!

Hint - When cracking a game, disable all music and sound effects, as you
won't have to trace through the sound routines and it also speeds up the
game whilst debugging.

   -=-=-=-=-> The 1st rule of cracking, patience is the key ! <-=-=-=-=-

                           -<-[ Z-N0TE (Aged 15) ]->-

   L00K out for Z-DOCLDR.ZIP coming to a BBS near you S00N !!!
   Teaches you how to write loaders so you don't have to decompress/decrypt
   the EXE file !!! Also takes you to step two of doc check cracking with
   the game : Jimmy Whites Whirlwind Snooker.

PS: I have included a program called TEST.COM and its assembler source code.
    This demonstrates how modern doc checks work: instead of having the
    passwords sitting in the EXE file in ASCII or encrypted, they are CRC'd or
    checksummed (all the bytes added together to make a total) and checked
    against the checksum of the text you enter. Since I walked you through
    SETUP.EXE you can try TEST.COM yourself, and if you're stuck read TEST.CRK
    for some help.

    The words for the doc check are in the file MANUAL.TXT.
    The file is the first 10 lines of page 96 of NEWNES MS-DOS Pocket Book
    by Ian Sinclair. Just in case you wanted to know ;)
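The checksum scheme the PS describes, written out as an added example (this is a hypothetical reimplementation for illustration, not TEST.COM's own code, and "viking" is a made-up manual word). It shows why a plain ASCII search of the program image finds nothing when only the total is stored, and also the catch with adding bytes together: addition is order-independent, so any rearrangement of the right letters gives the same total and passes the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Additive checksum as described in the PS: every byte of the word is
 * added into a 16-bit total. Hypothetical; TEST.COM's own routine is not
 * shown on the page. */
uint16_t byte_sum(const char *s)
{
    uint16_t total = 0;
    while (*s)
        total = (uint16_t)(total + (uint8_t)*s++);
    return total;
}

/* Constructed example: the program ships only the checksum of the manual
 * word, never the word itself. byte_sum("viking") = 648 = 0288h. */
#define MANUAL_WORD "viking"                 /* lives in MANUAL.TXT, not in the EXE */
static const uint16_t stored_checksum = 0x0288;

/* The doc check: compare the checksum of what was typed to the stored one. */
int doc_check(const char *typed)
{
    return byte_sum(typed) == stored_checksum;
}

/* Does the plaintext word appear anywhere in the program image? With a
 * checksum scheme it does not, which is why an ASCII hex search fails. */
int word_in_image(const uint8_t *image, size_t len, const char *word)
{
    size_t wl = strlen(word);
    for (size_t i = 0; wl && i + wl <= len; i++)
        if (memcmp(image + i, word, wl) == 0)
            return 1;
    return 0;
}

/* Constructed stand-in for the program's data area: just the stored total
 * loaded into AX (B8 88 02 = MOV AX,0288h). */
static const uint8_t test_image[] = { 0xB8, 0x88, 0x02 };

int main(void)
{
    printf("word in image: %d\n", word_in_image(test_image, sizeof test_image, MANUAL_WORD));
    printf("right word passes: %d\n", doc_check(MANUAL_WORD));
    printf("anagram passes: %d\n", doc_check("kignvi"));   /* same bytes, same sum */
    printf("wrong word passes: %d\n", doc_check("vikings"));
    return 0;
}
```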
