Category : Unprotects for Games and Such
Archive   : CW_UNP.ZIP
Filename : CW.UNP

 
Output of file : CW.UNP contained in archive : CW_UNP.ZIP
CRIME WAVE Unprotection Scheme Written by the ROGUE MODULATOR
------------------------------

Are you tired of looking up words, codes, or other nonsense in a manual to play
that new game you just bought? If you are, here is a simple routine to fix
that annoying copy protection scheme. This unprotection routine is for Crime
Wave from Access Software. To unprotect Crime Wave, we will use the program
DEBUG that came with your DOS package. If you are unfamiliar with DEBUG, or
cannot figure out my directions, find a hacker to do this for you.

(Work on the hard-drive copy. NEVER use your original -- only a backup.)


C>RENAME CW.EXE CW.XXX (We cannot DEBUG an EXE file directly)

C>DEBUG CW.XXX (You must have DEBUG in your path or current directory)


We are now editing the Crime Wave file that has the protection scheme in it.
Now we will use the DEBUG "S" (Search) command to locate the bytes we wish to
change.


-S CS:100 FFFF C6 06 E5 0C 00 A1 E6 0C


DEBUG will respond with a line similar to the following. Note the value
(in DEBUG hexadecimal) that DEBUG returns where I have placed the "xxxx" below.
We will need this number later on, so substitute it wherever "xxxx" appears.


xxxx:0FCA


Now unassemble the code at this address with the "U" (Unassemble) command.


-U xxxx:0FCA


DEBUG responds with:


xxxx:0FCA C606E50C00    MOV     BYTE PTR [0CE5],00
xxxx:0FCF A1E60C        MOV     AX,[0CE6]
xxxx:0FD2 D1E0          SHL     AX,1
xxxx:0FD4 8BD8          MOV     BX,AX
xxxx:0FD6 1E            PUSH    DS
xxxx:0FD7 07            POP     ES
xxxx:0FD8 BF5109        MOV     DI,0951
xxxx:0FDB B91500        MOV     CX,0015
xxxx:0FDE B020          MOV     AL,20
xxxx:0FE0 F3            REPZ
xxxx:0FE1 AA            STOSB
xxxx:0FE2 8B87BF0A      MOV     AX,[BX+0ABF]
xxxx:0FE6 A3DD0C        MOV     [0CDD],AX
xxxx:0FE9 BF2409        MOV     DI,0924


Here we can see that the first instruction in our listing places the value
"00" in memory at the address 0CE5. I have determined that this is a sort of
"status" register for the copy protection scheme. Later in the code, upon the
entry of a correct password, CW.EXE changes this value to a "1" and returns to
the section that called this subroutine. We, instead, will place a "1" in that
location at the start and then immediately return, effectively bypassing the
entire scheme. We will change the code using the "E" (Enter) command.


-E xxxx:0FCA


DEBUG will now ask us for the new values to be placed in memory. Each current
value is shown, followed by a period. Type the new value after each period and
press the space bar to move to the next byte. The segment shown (43CB here)
will be the "xxxx" value DEBUG gave you earlier. Be sure that the results look
just as follows:


43CB:0FCA C6.C6 06.06 E5.E5 0C.0C 00.01 A1.C3
43CB:0FD0 E6.90 0C.90


Now we will use the "W" (Write) command to write our hacked program back to
disk.


-W
Writing 1BC7 bytes


Now use the "Q" (Quit) command to return to DOS.


-Q


That takes care of that! Now rename the file back to the original name.


C>RENAME CW.XXX CW.EXE


There are many other ways to unprotect Crime Wave. We could make the program
accept any input. We could overwrite the passwords with ASCII 0 characters.
We could blank the entire routine out of the program. I feel that the above
routine is the best alternative, and besides -- if you were unfamiliar with
DEBUG, you just received some powerful hands-on experience. Enjoy your new
freedom! [prh]
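
Seen from the publisher's side, the edit described above leaves a fixed
eight-byte signature, so a tampered copy is easy to recognize. The following is
an added example, not part of the original file: it looks for the sequence given
to the "S" command and for the sequence left by the "E" step, and reports which
one an image contains. The function names and the sample image are constructed
for illustration.

```python
# Added example (not from the original file): classify a program image as
# original or patched using the byte sequences shown in this document.

ORIGINAL = bytes.fromhex("C606E50C00A1E60C")  # bytes given to the S command
PATCHED = bytes.fromhex("C606E50C01C39090")   # bytes left by the E step
LOAD_OFFSET = 0x100  # DEBUG loads a non-EXE file at offset 100h


def find_all(image, needle):
    """Return every file offset at which needle occurs in image."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def changed_bytes():
    """List (index, old, new) for each byte the edit alters."""
    return [(i, o, n) for i, (o, n) in enumerate(zip(ORIGINAL, PATCHED)) if o != n]


def classify(image):
    """Report which sequence is present and where DEBUG would show it."""
    orig, patched = find_all(image, ORIGINAL), find_all(image, PATCHED)
    if orig and patched:
        state = "both"
    elif patched:
        state = "patched"
    elif orig:
        state = "original"
    else:
        state = "unknown"
    offsets = sorted(off + LOAD_OFFSET for off in orig + patched)
    return {"state": state, "debug_offsets": offsets}


def make_sample(sequence):
    """Constructed test image: zero filler with the sequence at file offset 0ECAh."""
    return b"\x00" * 0x0ECA + sequence + b"\x00" * 16


if __name__ == "__main__":
    for name, seq in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, classify(make_sample(seq)))
    for i, old, new in changed_bytes():
        print(f"byte {i}: {old:02X} -> {new:02X}")
```

Comparing a hash of the whole file against a known-good value catches any
modification, not only this one signature.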


