DRC Forum » Gaming Forums » Quake & QuakeLive Forum » HATRED OWNS ViTALiTY (Cracking war) » Page 1 of 1

[|DRC| Messiah]

PROPER NOTES:

Well, well... STALKER got released as clone from Unleashed (who
have had their own share of problems lately) and only a few hours
later ViTALiTY managed to release the ISO. Impressive, almost too
good to be true... and guess what... it was...

First of all we want to stress that we dont like to proper
because the whole NFO-wars is really not helping the scene. We
have tolerated much from ViTALiTY... First they did some SecuROM
cracks where all the essential hard-to-rebuild code was not
reconstructed but rather just stolen from an executable with a
weaker protection (Battlestations.Midway-ViTALiTY) and later we
witness a giant 8 MB executable that was UPXed and PE-Sections
renamed to hide this embarrassing fact. We really had to restrain
ourselves to witness them label this as a fully rebuilt crack
(Supreme.Commander.Update.1.0.3217-ViTALiTY). We reacted to none
of these insults in public. But this time ViTALiTY has gone too
far.

We all know that STALKER is a major title and it came as a
surprise to us how weak a flavor of SecuROM is on it. In fact
there is only 1 spot where SecuROM have molested the original
code, otherwise its a simple matter of dumping + fixing entry
point (which is a task any baboon can manage). We like to keep an
eye on the competition so we examined this crack from ViTALiTY,
and we were shocked at the low-quality of cracking ViTALiTY is now
ready to release.

Lets have a look shall we?

The single SecuROM modification that i speak of is located here:

004acb80 (03) 81ec 40030000 SUB ESP, 0x340
004acb86 (05) e9 32639000 JMP 0xdb2ebd

As some of you may know this SUB ESP, 0x340 is a typical routine
header instruction and following it is a jump redirecting to the
artem section (one added by SecuROM). This is what we call a
partially relocated routine where SecuROM relocates part of a
routine so that if the SecuROM modules are removed the code will
fail. The relocated code in the SecuROM section is this:

00db2ebd (05) 68 bbcb4a00 PUSH 0x4acbbb
00db2ec2 (05) e8 598ba4ff CALL 0x7fba20
00db2ec7 (01) 90 NOP
00db2ec8 (01) 50 PUSH EAX
00db2ec9 (01) 9c PUSHF
00db2eca (01) 53 PUSH EBX
00db2ecb (01) 9c PUSHF
00db2ecc (06) 8b1d 202ddb00 MOV EBX, 0xdb2d20
00db2ed2 (01) 51 PUSH ECX
00db2ed3 (06) 8b0d 58014000 MOV ECX, 0x400158
00db2ed9 (02) d3c3 ROL EBX, CL
00db2edb (01) 59 POP ECX
00db2edc (01) 9d POPF
00db2edd (03) 871c24 XCHG ESP, EBX
00db2ee0 (01) 90 NOP
00db2ee1 (01) 54 PUSH ESP
00db2ee2 (05) 68 702cdb00 PUSH 0xdb2c70
00db2ee7 (05) b8 b983dae8 MOV EAX, 0xe8da83b9
00db2eec (01) 90 NOP
00db2eed (05) 35 590a82e8 XOR EAX, 0xe8820a59
00db2ef2 (01) 90 NOP
00db2ef3 (01) eb DB 0xeb
00db2ef4 (02) ffd0 CALL EAX
00db2ef6 (01) 57 PUSH EDI
00db2ef7 (04) 8b7c24 04 MOV EDI, ESP+0x4
00db2efb (02) 03c7 ADD EAX, EDI
00db2efd (04) 894424 04 MOV ESP+0x4, EAX
00db2f01 (01) 5f POP EDI
00db2f02 (01) 90 NOP
00db2f03 (01) 58 POP EAX
00db2f04 (03) c1e9 00 SHR ECX, 0x0
00db2f07 (01) 9d POPF
00db2f08 (03) 870424 XCHG ESP, EAX
00db2f0b (02) 6a 00 PUSH 0x0
00db2f0d (04) 8d4424 08 LEA EAX, ESP+0x8
00db2f11 (01) 50 PUSH EAX
00db2f12 (03) ff51 0c CALL ECX+0xc
00db2f15 (03) 8d1424 LEA EDX, ESP
00db2f18 (01) 52 PUSH EDX
00db2f19 (08) c74424 04 40000000 MOV DWORD ESP+0x4, 0x40
00db2f21 (05) 68 8bcb4a00 PUSH 0x4acb8b
00db2f26 (01) 90 NOP
00db2f27 (01) 90 NOP
00db2f28 (05) 68 674ca66e PUSH 0x6ea64c67
00db2f2d (01) 9c PUSHF
00db2f2e (08) 817424 04 47f6d96e XOR DWORD ESP+0x4, 0x6ed9f647
00db2f36 (01) 90 NOP
00db2f37 (01) 9d POPF
00db2f38 (01) 58 POP EAX
00db2f39 (02) ffd0 CALL EAX
00db2f3b (02) 85c0 TEST EAX, EAX
00db2f3d (02) 74 5a JZ 0xdb2f99
00db2f3f (04) 8b4424 08 MOV EAX, ESP+0x8
00db2f43 (04) 8b4c24 0c MOV ECX, ESP+0xc
00db2f47 (04) 0facc8 14 SHRD EAX, ECX, 0x14
00db2f4b (03) c1e9 14 SHR ECX, 0x14
00db2f4e (01) 50 PUSH EAX
00db2f4f (01) 50 PUSH EAX
00db2f50 (02) 8bff MOV EDI, EDI
00db2f52 (05) b8 f09d5800 MOV EAX, 0x589df0
00db2f57 (03) c1e5 00 SHL EBP, 0x0
00db2f5a (01) 54 PUSH ESP
00db2f5b (05) 68 9f2cdb00 PUSH 0xdb2c9f
00db2f60 (02) ffd0 CALL EAX
00db2f62 (02) 8d00 LEA EAX, EAX
00db2f64 (04) 394424 04 CMP ESP+0x4, EAX
00db2f68 (01) 58 POP EAX
00db2f69 (01) 58 POP EAX
00db2f6a (02) 76 3e JBE 0xdb2faa
00db2f6c (04) 8b5424 18 MOV EDX, ESP+0x18
00db2f70 (04) 8b4c24 1c MOV ECX, ESP+0x1c
00db2f74 (04) 0facca 14 SHRD EDX, ECX, 0x14
00db2f78 (05) 68 cbcb4a00 PUSH 0x4acbcb
00db2f7d (05) e8 9e8aa4ff CALL 0x7fba20
00db2f82 (03) c1e9 14 SHR ECX, 0x14
00db2f85 (01) 50 PUSH EAX
00db2f86 (05) b8 e0895800 MOV EAX, 0x5889e0
00db2f8b (01) 54 PUSH ESP
00db2f8c (01) 90 NOP
00db2f8d (05) 68 c92cdb00 PUSH 0xdb2cc9
00db2f92 (02) ffd0 CALL EAX
00db2f94 (02) 3bd0 CMP EDX, EAX
00db2f96 (01) 58 POP EAX
00db2f97 (02) 76 11 JBE 0xdb2faa
00db2f99 (05) 68 dbcb4a00 PUSH 0x4acbdb
00db2f9e (05) e8 7d8aa4ff CALL 0x7fba20
00db2fa3 (06) 81c4 40030000 ADD ESP, 0x340
00db2fa9 (01) c3 RET
00db2faa (01) 56 PUSH ESI
00db2fab (01) 57 PUSH EDI
00db2fac (01) 50 PUSH EAX
00db2fad (01) 9c PUSHF
00db2fae (03) 8d6d 00 LEA EBP, EBP+0x0
00db2fb1 (05) b8 908b5800 MOV EAX, 0x588b90
00db2fb6 (01) 54 PUSH ESP
00db2fb7 (05) 68 242ddb00 PUSH 0xdb2d24
00db2fbc (02) ffd0 CALL EAX
00db2fbe (01) 9d POPF
00db2fbf (03) c1ef 00 SHR EDI, 0x0
00db2fc2 (03) 870424 XCHG ESP, EAX
00db2fc5 (05) 68 9bcb4a00 PUSH 0x4acb9b
00db2fca (01) 9c PUSHF
00db2fcb (06) 8d05 70a8a749 LEA EAX, 0x49a7a870
00db2fd1 (05) 35 5012d849 XOR EAX, 0x49d81250
00db2fd6 (01) 9d POPF
00db2fd7 (02) ffd0 CALL EAX
00db2fd9 (05) 68 ebcb4a00 PUSH 0x4acbeb
00db2fde (05) e8 3d8aa4ff CALL 0x7fba20
00db2fe3 (05) 68 00010000 PUSH 0x100
00db2fe8 (04) 8d5424 4c LEA EDX, ESP+0x4c
00db2fec (01) 52 PUSH EDX
00db2fed (05) 68 fbcb4a00 PUSH 0x4acbfb
00db2ff2 (05) e8 298aa4ff CALL 0x7fba20
00db2ff7 (05) 68 17080000 PUSH 0x817
00db2ffc (01) 56 PUSH ESI
00db2ffd (02) ffd7 CALL EDI
00db2fff (02) 85c0 TEST EAX, EAX
00db3001 (02) 74 7e JZ 0xdb3081
00db3003 (01) 50 PUSH EAX
00db3004 (01) 9c PUSHF
00db3005 (05) 68 4ae4ec07 PUSH 0x7ece44a
00db300a (03) 8d6d 00 LEA EBP, EBP+0x0
00db300d (03) 83ec 04 SUB ESP, 0x4
00db3010 (07) c70424 55a96d10 MOV DWORD ESP, 0x106da955
00db3017 (05) 68 f55ced5a PUSH 0x5aed5cf5
00db301c (01) 54 PUSH ESP
00db301d (05) 68 512ddb00 PUSH 0xdb2d51
00db3022 (03) c1ee 00 SHR ESI, 0x0
00db3025 (05) 68 d81fa724 PUSH 0x24a71fd8
00db302a (07) 813424 3896ff24 XOR DWORD ESP, 0x24ff9638
00db3031 (01) 58 POP EAX
00db3032 (01) 90 NOP
00db3033 (02) ffd0 CALL EAX
00db3035 (01) 90 NOP
00db3036 (03) c1e9 00 SHR ECX, 0x0
00db3039 (01) 51 PUSH ECX
00db303a (03) c1fa 00 SAR EDX, 0x0
00db303d (04) 8b4c24 04 MOV ECX, ESP+0x4
00db3041 (02) 2bc1 SUB EAX, ECX
00db3043 (02) 8bc8 MOV ECX, EAX
00db3045 (01) 56 PUSH ESI
00db3046 (04) 8b7424 0c MOV ESI, ESP+0xc
00db304a (03) c1fb 00 SAR EBX, 0x0
00db304d (02) 33ce XOR ECX, ESI
00db304f (02) 8bf1 MOV ESI, ECX
00db3051 (01) 52 PUSH EDX
00db3052 (04) 8b5424 14 MOV EDX, ESP+0x14
00db3056 (02) 03f2 ADD ESI, EDX
00db3058 (01) 90 NOP
00db3059 (04) 897424 14 MOV ESP+0x14, ESI
00db305d (01) 5a POP EDX
00db305e (03) c1e9 00 SHR ECX, 0x0
00db3061 (01) 5e POP ESI
00db3062 (01) 59 POP ECX
00db3063 (03) c1ea 00 SHR EDX, 0x0
00db3066 (01) 58 POP EAX
00db3067 (01) 58 POP EAX
00db3068 (01) 58 POP EAX
00db3069 (01) 9d POPF
00db306a (03) 870424 XCHG ESP, EAX
00db306d (07) 8d8424 4c010000 LEA EAX, ESP+0x14c
00db3074 (01) 50 PUSH EAX
00db3075 (05) 68 18080000 PUSH 0x818
00db307a (01) 56 PUSH ESI
00db307b (02) ffd7 CALL EDI
00db307d (02) 85c0 TEST EAX, EAX
00db307f (02) 75 13 JNZ 0xdb3094
00db3081 (01) 5f POP EDI
00db3082 (05) 68 0bcc4a00 PUSH 0x4acc0b
00db3087 (05) e8 9489a4ff CALL 0x7fba20
00db308c (01) 5e POP ESI
00db308d (06) 81c4 40030000 ADD ESP, 0x340
00db3093 (01) c3 RET
00db3094 (01) 50 PUSH EAX
00db3095 (01) 90 NOP
00db3096 (01) 9c PUSHF
00db3097 (05) b8 ec3b9718 MOV EAX, 0x18973bec
00db309c (01) 54 PUSH ESP
00db309d (01) 90 NOP
00db309e (05) 68 7f2ddb00 PUSH 0xdb2d7f
00db30a3 (05) 35 1ca6cf18 XOR EAX, 0x18cfa61c
00db30a8 (03) c1e8 00 SHR EAX, 0x0
00db30ab (02) ffd0 CALL EAX
00db30ad (01) 9d POPF
00db30ae (03) 870424 XCHG ESP, EAX
00db30b1 (04) 8d4c24 4c LEA ECX, ESP+0x4c
00db30b5 (01) 51 PUSH ECX
00db30b6 (07) 8d9424 50010000 LEA EDX, ESP+0x150
00db30bd (01) 52 PUSH EDX
00db30be (02) 6a 00 PUSH 0x0
00db30c0 (05) 68 abcb4a00 PUSH 0x4acbab
00db30c5 (01) 9c PUSHF
00db30c6 (05) b8 d7eb166a MOV EAX, 0x6a16ebd7
00db30cb (05) 35 f751696a XOR EAX, 0x6a6951f7
00db30d0 (01) 9d POPF
00db30d1 (01) eb DB 0xeb
00db30d2 (02) ffd0 CALL EAX
00db30d4 (05) e9 909b6fff JMP 0x4acc69

This is the code as it looks after SecuROM has molested it. This
was once a real routine in the virgin executable and clearly plays
some sort of role as a part of the game code. Partially relocated
routines is a common SecuROM feature and you will see it have been
fixed in several previous hatred releases. We were impressed that
ViTALiTY was able to crack an executable with this feature so we
decided to take a closer look.

OH MY GOD!

004ACB80 B8 00000000 MOV EAX,0
004ACB85 C3 RETN

What a sophisticated fix. Seems ViTALiTY have decided that this
routine is not important and since they were unable to rebuild the
original code they simply inserted a MOV EAX,0 RETN which means
that the entire routine is now disabled. It is not for us to judge
whether this routine is an essential part of the game code. If the
ViTALiTY crack appears to run flawlessly then it probably isnt
but the fact remains that this code was in the original executable
and therefore it should also be in the cracked executable. This is
an undeniable fact and any unbiased cracker you ask will agree.

I mean come on ViTALiTY... This game had only one single SecuROM
modification and you couldnt even manage to fix that, and even if
you want to replace an entire routine with one that returns 0 you
could have at least saved a few bytes by doing XOR EAX,EAX
RETN. )

What ViTALiTY should have done (but cant) was to rebuild the
routine so that the original code was restored like this:

004acb80 (03) 81ec 40030000 SUB ESP, 0x340
004acb86 (05) e9 75f40c00 JMP 0x57c000

0057c000 (06) 8b0d 7c744c00 MOV ECX, 0x4c747c
0057c006 (02) 6a 40 PUSH 0x40
0057c008 (02) 6a 00 PUSH 0x0
0057c00a (04) 8d4424 08 LEA EAX, ESP+0x8
0057c00e (01) 50 PUSH EAX
0057c00f (03) ff51 0c CALL ECX+0xc
0057c012 (03) 8d1424 LEA EDX, ESP
0057c015 (01) 52 PUSH EDX
0057c016 (08) c74424 04 40000000 MOV DWORD ESP+0x4, 0x40
0057c01e (06) ff15 8c704c00 CALL 0x4c708c
0057c024 (02) 85c0 TEST EAX, EAX
0057c026 (02) 74 2f JZ 0x57c057
0057c028 (04) 8b4424 08 MOV EAX, ESP+0x8
0057c02c (04) 8b4c24 0c MOV ECX, ESP+0xc
0057c030 (04) 0facc8 14 SHRD EAX, ECX, 0x14
0057c034 (03) c1e9 14 SHR ECX, 0x14
0057c037 (05) 3d f4010000 CMP EAX, 0x1f4
0057c03c (02) 76 22 JBE 0x57c060
0057c03e (04) 8b5424 18 MOV EDX, ESP+0x18
0057c042 (04) 8b4c24 1c MOV ECX, ESP+0x1c
0057c046 (04) 0facca 14 SHRD EDX, ECX, 0x14
0057c04a (02) 03d0 ADD EDX, EAX
0057c04c (03) c1e9 14 SHR ECX, 0x14
0057c04f (06) 81fa c4090000 CMP EDX, 0x9c4
0057c055 (02) 76 09 JBE 0x57c060
0057c057 (02) 33c0 XOR EAX, EAX
0057c059 (06) 81c4 40030000 ADD ESP, 0x340
0057c05f (01) c3 RET
0057c060 (01) 56 PUSH ESI
0057c061 (01) 57 PUSH EDI
0057c062 (02) 6a 00 PUSH 0x0
0057c064 (06) ff15 90704c00 CALL 0x4c7090
0057c06a (06) 8b3d 50724c00 MOV EDI, 0x4c7250
0057c070 (05) 68 00010000 PUSH 0x100
0057c075 (04) 8d5424 4c LEA EDX, ESP+0x4c
0057c079 (01) 52 PUSH EDX
0057c07a (02) 8bf0 MOV ESI, EAX
0057c07c (05) 68 17080000 PUSH 0x817
0057c081 (01) 56 PUSH ESI
0057c082 (02) ffd7 CALL EDI
0057c084 (02) 85c0 TEST EAX, EAX
0057c086 (02) 74 19 JZ 0x57c0a1
0057c088 (05) 68 00020000 PUSH 0x200
0057c08d (07) 8d8424 4c010000 LEA EAX, ESP+0x14c
0057c094 (01) 50 PUSH EAX
0057c095 (05) 68 18080000 PUSH 0x818
0057c09a (01) 56 PUSH ESI
0057c09b (02) ffd7 CALL EDI
0057c09d (02) 85c0 TEST EAX, EAX
0057c09f (02) 75 0b JNZ 0x57c0ac
0057c0a1 (01) 5f POP EDI
0057c0a2 (02) 33c0 XOR EAX, EAX
0057c0a4 (01) 5e POP ESI
0057c0a5 (06) 81c4 40030000 ADD ESP, 0x340
0057c0ab (01) c3 RET
0057c0ac (02) 6a 10 PUSH 0x10
0057c0ae (04) 8d4c24 4c LEA ECX, ESP+0x4c
0057c0b2 (01) 51 PUSH ECX
0057c0b3 (07) 8d9424 50010000 LEA EDX, ESP+0x150
0057c0ba (01) 52 PUSH EDX
0057c0bb (02) 6a 00 PUSH 0x0
0057c0bd (06) ff15 b0724c00 CALL 0x4c72b0
0057c0c3 (05) e9 a10bf3ff JMP 0x4acc69

This is what a rebuilt routine looks like ViTALiTY, take a close
look as you might learn something.

Like we stated earlier we dont like to proper unless there is a
good reason, but ViTALiTY has really been pushing trying to see
what sorts of crap they could get away with and it seems ViTALiTY
themselves have not been hesitating to proper RELOADED for
screw-ups much smaller than this.

Well we hope you have all learned something and STALKER is really
too big a title to let the world only have the improper crack. The
last thing we want is to escalate a silly NFO-war in the scene but
ViTALiTY is really insulting all hardworking crackers in the scene
by releasing such crap as if it was proper work. I promise you
anyone who knows even a tiny bit about cracking will understand
that this is a completely amateurish and unacceptable
cracking-technique to simply disable a routine instead of
rebuilding it. If their executable runs reliably it is PURE LUCK!
So please ViTALiTY take a little time to research, develop your
techniques and then start releasing again.

Long story short: ViTALiTY doesnt know how to fix partially
relocated routines therefore they choose to completely disable
that routine since they didnt know how to fix it. This routine
was present in the original executable and therefore it should
also be in the crack. This is a bad crack, and we bring you the
proper one.

Enjoy )

1. Unpack.
2. Install.
3. Copy Crack.
4. Enjoy!

HATRED does not condone in selling warez of any kind.

HATRED does not respect any p2p networks, NFOrce or
anything to make the scene more public.

HATRED does not believe in using DEMO executables to
circumvent a protection. To clarify for those groups
who are confused, a demo executable isnt a crack.

We greet the respectable groups like:

SOULDRINKER - GENESIS - FAIRLIGHT
DEVIANCE - RAZOR1911 - iMMERSiON

ascii art by bariumSAC

*copy/pasted from: http://thepiratebay.org/tor/3642088/S.T.A.L.K.E.R_Shadow_of_Chernobyl_PROPER-HATRED
_________________

[Sponsored Ad]