
The first games in the Age of Empires series have long since become something of a classic, and they still have plenty of fans. In 2007 the official collector's edition came out, which includes the first and second games with their expansions. In every country except the USA it was released on a single DVD instead of four CDs. By then I had already done a bit of reverse engineering on this game, and I knew that the original executables would not work with one shared disc, because each game and each expansion checks the label of its own disc in code. Obviously one DVD cannot carry four different labels at once, so after buying the Russian DVD edition I expected to find executables recompiled by the developers with the disc check modified or removed. But things turned out to be far more interesting.
Everything follows the worst traditions of pirate compilations:
- all the stylized (original) installers with their nice graphics are replaced with standard ones;
- some of the original music is on the DVD as a sloppy rip, with file names of the form "01-AudioTrack 01.wav";
- during the game we don't hear the original music at all: nobody told the game that the music should be taken from the wav files rather than from the Audio CD, as it was in the original release;
- after installing the latest official updates from the Microsoft website, the game does not recognize the DVD as its own disc and refuses to start.
Nobody was involved in adapting the game for the DVD edition!
Did they lose the source code? Couldn't find a suitable developer for a couple of minor edits and a recompile of the executable? Or is it the dreaded Microsoft bureaucracy, where even minor and easily fixable bugs are simply declared a feature of the application architecture?
All the executables are installed in decrypted form, without SafeDisc (the copy protection used on the original CDs). Fine, the publisher may well have the decrypted versions of the executables. But then what about the disc label check code?
As it turned out, the whole thing is in the crack!
Yes, all the facts indicate that the cracked versions of the executables for this edition were taken from the Internet and ... slightly edited, perhaps to hide that fact.
Let's look at the example of Age of Empires II: The Conquerors 1.0c. Take the original encrypted executable age2_x1.icd: the whole PE structure is perfectly visible, and only some parts of the machine code are encrypted. Using the well-known SafeDisc removal methods, we get the decrypted file age2_x1.exe. Now we have a reference file. Next, for research, we take the widely known NoCD for this version of the game, apparently created in the depths of the now-defunct Berserkers clan on the basis of the Myth patch at the end of 2001 (age2_x1_bsk.exe). Also, from the collector's edition DVD, we install the English version of The Conquerors (/AOE2CONQ/EN/setup.exe) and take the installed game executable (age2_x1_dvd.exe).
So let's get down to research.
Let's compare the files with each other. The first difference is in the section headers of the exe file:

As you know, section names do not affect program execution and are purely informational. Still, compilers normally give all sections familiar names like ".code", ".data" and so on. In the original executable, however, some sections have atypical names: "THIS_COD", "THIS_DAT" and "Inf32Dat". Most likely these peculiar section names are related to the use of SafeDisc. In the DVD file these sections are renamed to the more familiar ".code", ".data2" and ".idata", and it is obvious this was done by hand: the leftover characters are padded with spaces (code 20h), not zeros. In other words, someone clearly opened the executable in a hex editor and edited the section names manually, possibly to make the executable look more typical.
We also see that BSK left some SafeDisc service information from the encrypted file age2_x1.icd in place before the start of the first section:

And at the end of the file:

This information sits in insignificant parts of the file and is not used by the game. As you can see, the DVD version has no service information that would indicate the file was previously protected by SafeDisc. But at the end of each section there is one small clue:

After the SafeDisc decoder has done its work, a label in the form of the byte sequence 00 05 43 1F appears at the end of each section. In the source icd file there are zeros in that place. Since this is the end of the section, it means nothing to the main program either. In the BSK version of the file we see that nobody removed these bytes (they don't get in the way, so fine). In the DVD version we see that they haven't gone anywhere either.
Well, the most interesting part is comparing the machine code.
Right away we find a block of machine code responsible for checking for the presence of the CD:

This function starts at offset 485A0h, and I already talked about it in an article about modifying this game. It implements rather complicated logic for checking the presence of the disc, but in the end the function simply returns 0 on failure and 1 on success. For my patch I suggested replacing the code of this whole hefty function with a simple sequence that always returns 1:
xor eax, eax
inc eax
retn 4
But BSK approached the matter with heart. A trained eye can see even without disassembling that they replaced a pair of conditional jumps, jz (74h) and jnz (75h), with unconditional jmp (EBh), and much more besides :) And if you disassemble this block, you can trace a small miscalculation by the BSK cracker: if the drive letter the game was installed from is not recorded in the registry, the code returns 0 and the game demands that you insert the disc.
And now the most important thing: in the executable installed from the official DVD collection, the entire machine code matches the BSK version byte for byte, including (a surprise for AoC fans) several other strange code patches that seem to have nothing to do with the disc check at all (this still has to be sorted out):
So there is no doubt that the patched file from BSK was used as the basis for the collector's edition executable. Strictly speaking, all they did was remove the remnants of the SafeDisc service information and change the section names.
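The three comparisons made by hand above (section renames and how the new names were padded, the SafeDisc tail marker, and conditional jumps turned into jmp in the disc-check code) can be done in one script. This is an added example, not the author's tooling: the two PE images are constructed inline, and the section names, offsets and opcodes are synthetic stand-ins, not bytes from age2_x1.

```python
import struct

SAFEDISC_TAIL = bytes.fromhex("0005431F")  # marker left at the end of each decrypted section

def build_pe(sections):
    """Build a minimal synthetic PE image (constructed data, no optional header)."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    off = 0x40 + 4 + len(coff) + 40 * len(sections)        # raw data follows the section table
    table, body = b"", b""
    for name, raw in sections:                             # name is exactly 8 bytes
        table += struct.pack("<8sIIII", name, len(raw), off, len(raw), off) + b"\0" * 16
        body, off = body + raw, off + len(raw)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + table + body

def parse_sections(data):
    """Return [(name, raw_offset, raw_size)] from the section table of a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    base = pe + 24 + opt_size                                # COFF header is 20 bytes
    return [(n, off, size) for n, _vs, _va, size, off in
            (struct.unpack_from("<8sIIII", data, base + 40 * i) for i in range(nsec))]

def compare_sections(ref, other):
    """Report renamed sections (and whether the new name is space- or NUL-padded), the SafeDisc
    tail marker, and bytes where jz (74h) / jnz (75h) became jmp (EBh); other changes are byte_diff."""
    clean = lambda n: n.strip(b"\0 ").decode()
    findings = []
    for (n1, o1, s1), (n2, o2, s2) in zip(parse_sections(ref), parse_sections(other)):
        if n1 != n2:
            pad = "space-padded (hand edit)" if n2.rstrip(b"\0").endswith(b" ") else "NUL-padded"
            findings.append(("renamed", clean(n1), clean(n2), pad))
        if other[o2:o2 + s2].endswith(SAFEDISC_TAIL):
            findings.append(("safedisc_tail", clean(n2)))
        for i, (x, y) in enumerate(zip(ref[o1:o1 + s1], other[o2:o2 + s2])):
            if x != y:
                kind = "jcc_to_jmp" if x in (0x74, 0x75) and y == 0xEB else "byte_diff"
                findings.append((kind, clean(n1), o1 + i, x, y))
    return findings

def demo():
    """Constructed reference vs. 'DVD' image mirroring the post's observations."""
    code_ref = bytes([0x74, 0x05, 0x75, 0x03, 0x90, 0x90]) + SAFEDISC_TAIL
    code_dvd = bytes([0xEB, 0x05, 0xEB, 0x03, 0x90, 0x90]) + SAFEDISC_TAIL
    data = bytes(range(8)) + SAFEDISC_TAIL
    ref = build_pe([(b"THIS_COD", code_ref), (b"THIS_DAT", data)])
    dvd = build_pe([(b".code   ", code_dvd), (b".data2  ", data)])
    return compare_sections(ref, dvd)
```

Running `demo()` yields two "renamed" entries flagged as space-padded, a "safedisc_tail" entry per section, and two "jcc_to_jmp" entries for the patched jumps.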
And finally
I want to note that I only have the official Russian edition from "New Disc" in my hands. But there is every reason to believe that in the other collector's editions the problem of the games' incompatibility with the DVD is solved in the same way.
With this post I just wanted to highlight the whole comedy of the situation, in which even the official publisher is forced to use cracks made by "bad uncles" for "bad purposes".
By the way, yes, all files are provided for informational purposes only. After studying them you must delete them.
Thanks for your attention.