CrackerMate v2.01
Copyright (C) by ChanWaiKwong Wilfred, December 1992. All rights reserved.

v1.00: original release in August 1992

v2.00:
 1) added DESQview check
 2) added CPU type check
 3) slightly improved Data Analysis so that even fluctuating data can be found; a default of 'Decrease' is assumed if the input is not 'i' or 'I'
 4) the segment and offset input in the Hardware breakpoint option now accepts only 4-digit input, to avoid unnecessary errors
 5) built-in debugger added, so no external debugger is needed and CrackerMate has become a standalone program
 6) compatibility with Tseng Labs video cards added
 7) bugs in the instruction fetch hardware breakpoint fixed
 8) bugs in interrupt handling fixed
 9) uninstall option added
10) better display, border line added

v2.01:
 1) some bugs in finding empty vector table slots during installation fixed

Introduction
---------------
CrackerMate is a game cracking program. It provides the ability to crack the 'life' as well as the password in a game, especially a password that appears in the middle of a game. It is designed to run together with any debugger (and, since v2.00, with its own built-in one) to provide the game cracking features.

CrackerMate occupies less than 14.5K of base memory and uses no expanded or extended memory. It is written purely in assembly language. Because memory usage is kept so small, it does not restore the screen completely in graphics mode. The screen will still look alright in graphics mode, and this does not affect game cracking.

The current version of CrackerMate does not pop up in DOS while DOS is busy. One reason for this is to save memory. Another is that there is no point in popping up inside DOS itself for the purpose of cracking a game (the game's code cannot be inside DOS!).
System Requirements
---------------------
1) 386+ machine
2) VGA display
3) DOS 3+

About the new built-in debugger
----------------------------------
The built-in debugger provides all the capabilities of the debugger supplied with the DOS package (DEBUG) except a few options. The functions available are more than enough for the purpose of cracking a game. Just press '?' to see the commands available.

With the built-in debugger, CrackerMate no longer needs an external debugger, so the new version is more reliable and stable. It also saves memory, as the built-in debugger occupies much less memory than the external one.

If a breakpoint error occurs, the message 'BP Error' is shown on screen, where BP means BreakPoint (not the BP register!). Currently a maximum of 10 breakpoints can be set.

Usage
-------
1) Data analysis: In the first analysis, just enter two temporary filenames. In each following analysis you are asked to input Increase or Decrease, meaning the current data is expected to have increased or decreased compared with the data analysed previously. Only addresses that changed in the stated direction at every step stay on the candidate list.
2) Start another analysis: Whenever you want to start the Data analysis over from scratch, use this option.
3) List address: This option shows the addresses found by the Data analysis option.
4) Hardware breakpoint: Once you have an address from List address, you can set a hardware breakpoint on it. Usually the breakpoint is of the 'write memory' kind, since the game overwrites the life with a smaller value. CrackerMate then pops up at the code responsible on the next 'life decrease'. You can modify that code as you like with the Return to debugger option (you should have some knowledge of assembly language at this point). That completes the life cracking procedure. Note that when entering addresses, all four hex digits must be typed, e.g. 0011 instead of 11.
5) Uninstall: Use this option when you want to free CrackerMate from memory.
6) Return to debugger: This option returns control to the debugger, so you can debug the game.
7) Return to game: If you have returned to the debugger, this option takes you from the debugger back to the game. Make sure you have 'run' the game (the G command in the DOS debugger) before you pop up CrackerMate and use this option; otherwise the game will hang and you will need to reboot.

Procedure of cracking 'life'
-----------------------------
Run the game, then pop up CrackerMate.
1) Choose Data analysis and choose Decrease, as the life is decreasing. Enter the temporary filenames.
2) Press Esc to return to the game.
3) When your life decreases, pop up CrackerMate again and choose Data analysis. This time no input is required; just wait for the analysis. On my 386 machine the longest one takes about 15 seconds. Then press Esc to return to the game.
4) After several analyses, choose List address to find the possible addresses of the 'life' data. If the life decreased in the order 3-2-1, look for the address showing 3-2-1 data. The value closest to the address is the most recent one, so the display looks like:
      4000:0011 01 02 03
5) Once you know the address, set a Hardware breakpoint on it. Since the address is overwritten by the game, choose the Write memory option. From step 4, the segment is 4000 and the offset is 0011. Make sure you enter all four digits, i.e. 0011 instead of 11. After setting the breakpoint, press Esc to return to the game. CrackerMate pops up when the code address is found; you can see the break address by choosing the Hardware breakpoint option again. Then press R to return to the debugger, look at the code at that address and modify it as you like. Notice that the break address is the address immediately after the instruction that actually modified the data (a data breakpoint is reported only after the writing instruction has completed, so the saved CS:IP already points at the next instruction). So if the break address is 1234:5678, look at the code before that address, e.g. 1234:5675 (the exact distance depends on the code).
(For an Instruction fetch breakpoint the break address is exactly the address of the code itself, a little different from the Read/Write memory breakpoint, because an instruction breakpoint is reported before the instruction executes.)
6) After modifying the code, type g to continue executing the game if you are in the DOS debugger. Then pop up CrackerMate again and press Esc; the game screen will be restored and you can continue playing. (It is necessary to continue executing the game before popping up CrackerMate again, otherwise you may never be able to continue the game.) You can also note down the code and modify it directly in the game file, so that the crack becomes 'permanent' instead of 'temporary'.

Procedure of cracking password
--------------------------------
When prompted for a password, pop up CrackerMate and return to the debugger. Then you can debug the game to crack the password.

Note that the hotkey is NumLock or Pause, as their scan codes are the same.

* Note that CrackerMate conflicts with the EMM386.EXE device driver, so it is necessary to remove EMM386.EXE (if any) from CONFIG.SYS. A likely reason is that EMM386 runs DOS in virtual-8086 mode, where a program cannot directly access the 386 debug registers that hardware breakpoints need.

Any comments are welcome; the e-mail address of the writer is h9109253@hkuxa.hku.hk
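The Data analysis and List address options described above amount to a differential memory-snapshot search: take a snapshot of a region, take another after the value of interest has changed, and keep only the addresses that moved in the direction the user declared. The following Python program is an added example, not part of CrackerMate and not the author's code. It replays that narrowing over constructed snapshots and prints the survivors in the '4000:0011 01 02 03' layout List address uses (most recent value first). The 32-byte region, its contents and the segment 4000h are constructed sample data; the 'i'/'I' means Increase, anything else means Decrease convention and the byte-wise comparison follow the text. It also generalises slightly by accepting a different direction for each analysis, which is what finds a 'fluctuating' value such as a counter that drops twice and then goes up.

```python
"""Differential snapshot search over a memory region, in the manner of
CrackerMate's Data analysis / List address options.  Added example with
constructed data; not the tool's own code."""

import operator
from typing import Dict, List, Sequence

REGION_SIZE = 32  # constructed: a tiny region instead of a real 64K segment


def _snapshot(cells: Dict[int, int]) -> bytes:
    """Build one constructed snapshot: zero bytes with a few cells set."""
    region = bytearray(REGION_SIZE)
    for offset, value in cells.items():
        region[offset] = value
    return bytes(region)


# Constructed sample: three snapshots taken as the player loses two lives.
#   offset 0x11 holds the life counter (03 -> 02 -> 01)
#   offset 0x05 is a decoy that decreases once, then stays the same
#   offset 0x1A fluctuates (10 -> 20 -> 05), offset 0x00 never changes
SAMPLE_SNAPSHOTS = [
    _snapshot({0x00: 0x7F, 0x05: 0x09, 0x11: 0x03, 0x1A: 0x10}),
    _snapshot({0x00: 0x7F, 0x05: 0x08, 0x11: 0x02, 0x1A: 0x20}),
    _snapshot({0x00: 0x7F, 0x05: 0x08, 0x11: 0x01, 0x1A: 0x05}),
]


def analyse(snapshots: Sequence[bytes], directions: str) -> Dict[int, List[int]]:
    """Narrow candidate offsets across consecutive snapshots.

    `directions` has one character per analysis after the first: 'i' or 'I'
    means the value is expected to have increased since the previous
    snapshot; anything else means Decrease (the v2.00 default).  Returns
    {offset: [values, most recent first]} for every offset that moved the
    expected way at every step.  Comparison is byte-wise, so a 16-bit
    counter holding a small value is still caught through its low byte.
    """
    if len(snapshots) < 2:
        raise ValueError("need at least two snapshots")
    size = len(snapshots[0])
    if any(len(s) != size for s in snapshots):
        raise ValueError("snapshots must cover the same region")
    if len(directions) != len(snapshots) - 1:
        raise ValueError("one direction per analysis after the first")

    candidates = list(range(size))
    for prev, cur, want in zip(snapshots, snapshots[1:], directions):
        moved = operator.gt if want in ("i", "I") else operator.lt
        candidates = [off for off in candidates if moved(cur[off], prev[off])]
    # Most recent value closest to the address, as List address shows it.
    return {off: [s[off] for s in reversed(snapshots)] for off in candidates}


def list_address(result: Dict[int, List[int]], segment: int) -> List[str]:
    """Format results like the List address option: SSSS:OOOO newest ... oldest."""
    return [
        f"{segment:04X}:{off:04X} " + " ".join(f"{v:02X}" for v in result[off])
        for off in sorted(result)
    ]


if __name__ == "__main__":
    # Two analyses after the first, both Decrease: isolates the life counter.
    for line in list_address(analyse(SAMPLE_SNAPSHOTS, "dd"), 0x4000):
        print(line)
    # Increase then Decrease picks out the fluctuating cell instead.
    for line in list_address(analyse(SAMPLE_SNAPSHOTS, "id"), 0x4000):
        print(line)
```

With the constructed snapshots, two Decrease steps leave only 4000:0011 with the values 01 02 03, exactly the display the procedure above tells you to look for; the decoy at 0005 drops out at the second step because it stopped changing. In the real tool the region is the game's memory rather than 32 bytes and the intermediate snapshots live in the two temporary files, but the narrowing rule is the same.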