Welcome Guest | RSS

Official Site Of The Xakep 4T english version

Saturday, 2017-08-19, 8:25 AM
Main » 2011 » April » 29 » Casual hack: Hacking the NevoSoft games
1:19 PM
Casual hack: Hacking the NevoSoft games

Casual game is a kind of computer game designed for a wide range of users. The term "casual" is derived from the Latin word "casualis", which means "incidental". Thus, casual game is a game that is played from time to time, often just to kill some time. Creations of the NevoSoft company are just like that. The company gives an opportunity to play only for an hour and then ask you to pay money. Today we'll deal with that!

Some theory

Generally, casual games are suitable for virtually any category of computer users as for the level of complexity. As a rule, such games pass down is pretty poor, that’s why they are well suited for those people who just cannot concern oneself with playing a game for a long time. NevoSoft Company is one of the leading casual game developers in the whole world and particularly in Russia. One would think that such a major company should pay a great attention to its software protection and it should require a lot of time and efforts to hack their soft. Today, we will refute that fact and show how to unlearn them begging for our hard-earned money. NevoSoft Company developers keep a thousand games under their supervision and give their users a chance to try a game within one hour only. 60 minutes later, when a person has just only got excited with playing, there appears a pop-up window with a "pay-some-money” notice. It happened so that Russian people just don’t like paying money for software, but sometimes game developers just don’t leave any choice. It may take hours to find an appropriate game crack, but if the game is a new one the chances to find a crack are almost reduced to zero.

Operating table preparation

To break that NevoSoft’s "bad habit” I’ve chosen the "Peacecraft" game as an experimental object. I did it because it was the one which gave me the idea to study the NevoSoft’s games protection system. Later, it became clear that their protection system is absolutely identical for all game products.

It happened so that I had no hack software on deck at the time of my study - no disassembler or debugger. There was only a set of standard programs that almost every user has on ones computer: "Total Commander” and "Task Manager". That is the whole applications set we will use for our studying. One would think – "What you can really do with these applications?” It was found that the mix of inquisitive mind and a bit of attentiveness is enough to make the game start with no demo time limit. I’ve chosen Delphi 7 as a platform for writing the crack. Now, when all instruments are placed on the operating table and the patient is tightly bounded it is time to start the study. Let’s take everything to pieces one after another...

Scalpel, swab, spirit, more spirit, lemon ... Substitution!

Install and run the game. Now we see a beautiful window which shows up the time remaining to test it. Feel easily and press the "play" button and start watching on what is happening in the system. Minimize the game window for a while and browse the "Task Manager". There is an unknown process with *.tmp extension. Well, let's take a closer look on what kind of fruit is it and how did it get here. Watch the process properties and read the given information. File location shows us that we’re on the right way. Open the folder with the file and rename it to *.exe (by the way, the file has a "hidden” attribute, so do not forget to tick the "show hidden files" in appropriate Windows properties). Start it and you will see a beautiful picture - the game starts with no registration pop-up windows. It would seem that the ends of our experiment are already achieved. The game no longer requires registration and works without time limit. But this method is too tedious and inconvenient. Therefore, we will try to find a way to simplify these steps.


An autopsy showed that the patient had died from an autopsy

Our main objective is to learn how to make the NevoSoft games not to take the money in two clicks. So now we should try to make out the origin of that file with the *. tmp extension. Don’t worry you won’t have to read tons of manuals. The main thing is to have a little patience and a bit of attention. Search process won’t take long because a folder with a *.tmp file also contains a strange nsgame.dat file, which exactly coincides the size of our game file within a single byte. We can assume that the launcher simply renames the nsgame.dat file into *.tmp and launches it. But the result of our hypothesis test process will disappoint you. You will be told that the application is not an executable file.

Do not be upset, but instead take a bigger and a sharper shovel and begin to dig deeper. The first thing that comes to mind is to compare these two files and see what actually the difference between them is. Open Total Commander and use an in-built files comparing tool. I’d say results are pretty interesting. We can oversee a byte equality and inequality with a 2 byte interval. No doubt the file is encrypted. Now, how to reverse it if we decided to give up using debuggers and disassemblers? The answer is simple - we have to mind the encryption algorithms. One of the most easiest and effective (if used properly) cryptographic algorithms is the so-called XOR-encryption. This method lies in a byte Boolean XOR operating. The first variable is an encryption byte, and the second one is the key. But now there comes another question – "Where to get the decryption key?” The answer is simple – "Mind the Boolean algebra and you’ll get an open access to it.”

Crypted = uncrypted XOR key;
Key = crypted XOR uncrypted

So, let's try to get that precious key. To do this, run the byte XOR operation between the executable file and temporary file. The idea is that in the end we will get a decryption key, which will let to hack any NovaSoft’s game. We will perform XOR operation only for the first 256 bytes, because very few companies use the keys of greater length nowadays.

var
i, o: TFileStream;
bi, bo:byte;
x, ii, cc:integer;
begin
if open.Execute then
begin
SetCurrentDir('C:\Игры от NevoSoft\Peacecraft\
game');
// Enter the game folder
if not(fileexists('nsgame.dat')) then exit;
i:=TFileStream.Create('nsgame.dat', fmOpenRead);
o:=TFileStream.Create(open.FileName, fmOpenRead);
x:=0; ii:=0; cc:=0;
// Look over 256 bytes
for x:=0 to 255 do
begin
i.read(bi,1);
o.read(bo,1);
key.Caption:=format('%s %x', [key.Caption, (bi
xor bo)]);
inc(cc);
if cc mod 8 =0 then key.Caption:=key.
Caption+#13#10;
end;
i.Free;
o.Free;
end;

As it turned out, the encryption key is pretty short and remains only 4 bytes long. Looking ahead, I will say that there’s a unique encryption key for each NovaSoft’s game. How to figure it out?

Going deeper into the jungle is not worth it. In fact, everything is very simple. In order to get the key, you should take the first 2 bytes of the PE-header signature and perform the XOR operation. Many people might ask me a question – "Why to perform the XOR operation only for 2 bytes if the full key length is 4 bytes?” The answer is simple - the third and fourth key bytes are always equal to $00.

const
ckey = #77#90; //PE-file signature
begin
i:=TFileStream.Create(FileName, fmOpenRead);
for x:=1 to 2 do
begin
i.Read(tmp,1);
tmp:=ord(ckey[x]) xor tmp;
key:=key+chr(tmp);
end;
key:=key+#0#0;

Now you have the sesame-mount and you can safely start writing the crack.

Closer to the edge

Now we already have enough information to create a universal crack. Well, let's not waste our time. Let’s do it…

procedure wrap(filename:string);
var
i, o: TFileStream;
bi, bo, tmp:byte;
x, ii:integer;
key:string[4];
buffer:TMemoryStream;
const
ckey = #77#90;// PE-header signature
begin
if not(fileexists(filename)) then exit; // Some checking never hurts =)
i:=TFileStream.Create(filename, fmOpenRead); // Open the file for reading
o:=TFileStream.Create(ChangeFileExt(filename,
'.exe'), fmCreate); // Writing a new file
buffer:=TMemoryStream.Create;
for x:=1 to 2 do // Calculating the encryption key
begin
i.Read(tmp,1);
tmp:=ord(ckey[x]) xor tmp;
key:=key+chr(tmp);
end;
key:=key+#0#0;
i.Seek(0,soFromBeginning);
x:=0; ii:=0;
while i.Position<i.Size do // Decrypting the file with the specified key
begin
inc(ii);
i.Read(bi, 1);
bo:=bi xor ord(key[ii]);
buffer.Write(bo,1);
inc(x);
if ii=4 then ii:=0;
end;
o.Write(Buffer.Memory^, Buffer.size);
i.Free;
o.Free;
buffer.Free;
showmessage('Wrapping done');
end;

Drum-roll sounds - running the decrypted file ... But wait… For some reason, we are proposed to pay the fee again. What, where and when did we miss? After all, we did everything right! Let's not upset. With picking up another can of beer we’ll continue studying our experimental subject and try to find the blunder. Open the "Total Commander” and compare the normal game file with the file we got after decrypting. At first glance, the files are identical to within one byte. But as soon as you use "find the first difference" option, Total Commander will report that files do not match starting from the $ 43000 shift.

Consequently, we can assume that not the whole file is encrypted but only its first $43000 bytes. Therefore, we take a hammer and a chisel and fix the errors in our code forcing it to decrypt the first $43000 bytes only.

while i.Position<i.Size do
begin
inc(ii);
i.Read(bi, 1);
if x<$43000 then
begin
bo:=bi xor ord(key[ii]);
buffer.Write(bo,1);
end
else
buffer.Write(bi,1);
inc(x);
if ii=4 then ii:=0;
end;

Now run the "crack" (incidentally, these actions can hardly be called cracking, because we do not modify any byte which is directly related to the game, but only restore the original application by the decryption). Now wait a couple of seconds and start the game. Hurray! The game is absolutely independent from NevoSoft launcher to beg money from us. Now you can relax, lean back in a chair and enjoy your favorite game.

Conclusion

The difference between a hacker and an ordinary man is not only a high-level knowledge of IT-technologies, but also a presence of curiosity and ability to find an unconventional approach to ones routine problems. The study we have made really proves the fact that hacking is not always sitting for hours with debugger and looking for cherished bytes that are need to be fixed. Sometimes you can do it with those programs that are always at your hand. So now I say goodbye and wish you always maintain the art. 272-274 of the Criminal Code and you will have a good luck! :)

Views: 21686 | Added by: XakepNews | Rating: 5.0/1
Total comments: 0
Name *:
Email *:
Code *: