3Dcrack
Ok, this will be a step-by-step tutorial, but it is not for total newbies: you
should know some assembler and you should know how to use SoftICE.
So, let's analyze 3DMark. Start the program, go to the register box and enter a
name and a stupid code (something like 666 :)), now press Ok. What happens? Well,
the program tells you that the code is invalid.
Now it's time for some SoftICE'ing (:). Press Ctrl-D and type in SoftICE: bpx
GetDlgItem, exit SoftICE, press Ok again and... boom! You're back in SoftICE!! Now
press F5, then F11 and finally press F10 until you end up here:
:0040B86A 8B4F64   mov ecx, dword ptr [edi+64]  <-- Put in ecx the name you entered
:0040B86D 8B41F8   mov eax, dword ptr [ecx-08]  <-- Put in eax the length of the name
:0040B870 85C0     test eax, eax                <-- Length = 0?
:0040B872 747E     je 0040B8F2                  <-- If so, jump
:0040B874 8B5760   mov edx, dword ptr [edi+60]  <-- Put in edx the key
:0040B877 8B42F8   mov eax, dword ptr [edx-08]  <-- Put in eax the length of the key
:0040B87A 85C0     test eax, eax                <-- Length = 0?
:0040B87C 7474     je 0040B8F2                  <-- If so, jump
:0040B87E 83F811   cmp eax, 00000011            <-- Is key length = 17? (you will see why the key length must be 17)
:0040B881 741B     je 0040B89E                  <-- If so, jump to the registration process, else the code is incorrect
Ok, the code above is only some preliminary checks, we don't need it. Now enter a key
of 17 characters, put a bpx on GetDlgItem, repeat the same steps (press F5, F11,
F10, etc.), the jump at :0040B881 will be taken and you will end up in the
registration process:
Ok, now you know that the call at address 0040B8AF calls the registration routine.
Now you will ask: "Why don't you make a keygen?", and I answer: "I'll show you a
funny method...". :)
Now, let's trace into the call (press F8 in SoftICE). What do you get??? The key
generation routine!!!!
Here it is:
:00469E80 83EC40     sub esp, 00000040   <-- Take 64 bytes from the stack
:00469E83 53         push ebx
:00469E84 55         push ebp
:00469E85 56         push esi
:00469E86 8BF1       mov esi, ecx        <-- Now esi is the name you entered
:00469E88 83C9FF     or ecx, FFFFFFFF    <-- ECX = -1 (max count for the scan below)
:00469E8B 57         push edi
:00469E8C 33C0       xor eax, eax        <-- EAX = 0 (scasb looks for the NUL terminator)
:00469E8E 8BFE       mov edi, esi
:00469E90 F2         repnz               <-- Scan the name until the NUL byte is found
:00469E91 AE         scasb
:00469E92 F7D1       not ecx
:00469E94 49         dec ecx             <-- ECX = name length
:00469E95 8BD1       mov edx, ecx        <-- EDX = name length (argument)
:00469E97 8BCE       mov ecx, esi        <-- ECX = pointer to the name (argument)
:00469E99 E852FFFFFF call 00469DF0       <-- This is the interesting call
:00469E9E 8BF0       mov esi, eax        <-- ESI = value returned by the call
Ok, now comes the funny part: the call at address 00469E99 does some
manipulation on each single character of the name. What happens if we remove the
call???
Let's do that. Now it's time to use W32Dasm: open W32Dasm, load the file
3dmark.exe, go to the address of the call and look at the bottom of the screen, you
will see @Offset 00069E99, that's the file offset of the instruction. Now open up the
file with Hiew, go into disassembler mode, press F5 and enter the offset, you
will be at the call. Now press F3, then press Enter and type the following
assembler instruction:
jmp 00469E9E
Now press Esc and save the code by pressing F9, close Hiew and go back to 3DMark.
Go to the registration box, enter a name and a code and press Ok. Now you will say:
"What's that? The program is still giving me the error!!! You're a stupid
cracker :))". Well, try to enter the code CCCCC-CCCCC-CCCCC... boom!!! You're a
registered user of the program. Now, whatever name you enter, the code will always be
CCCCC-CCCCC-CCCCC (as you can see there are 17 characters in the key). This happens
because eax was zeroed at 00469E8C and repnz scasb never writes eax, so once the call
is skipped, mov esi, eax at 00469E9E stores 0 instead of the value computed from the
name, and the rest of the routine builds the key from that constant. Also, if you
enter the real code (for example because you bought the program before), the program
will not believe it's correct, because the only correct code is now
CCCCC-CCCCC-CCCCC. That's really funny (at least for me it's funny).
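To see why one skipped call collapses every name to the same code, here is an added model of the check described above (the guard at 0040B86A and the routine at 00469E80). It is not 3DMark's code: the mixing done inside 00469DF0 and the derivation after 00469E9E are not shown on this page, so mix_name, derive_key and ALPHABET are hypothetical stand-ins that only keep the listing's structure.

```python
# Hypothetical key alphabet (32 symbols, 5 bits each); not from the real program.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def mix_name(name: bytes) -> int:
    """Stand-in for the call at 00469DF0: folds every character of the name
    into a 32-bit value. The listing passes edx = length, ecx = pointer."""
    acc = len(name)
    for c in name:
        acc = (acc * 31 + c) & 0xFFFFFFFF
    return acc


def derive_key(seed: int) -> str:
    """Stand-in for the code after 00469E9E: expands the 32-bit value left in
    esi into the 17-character XXXXX-XXXXX-XXXXX form the text reports."""
    chars = []
    for p in range(15):
        v = (seed >> (5 * (p % 6))) & 0x1F      # walk the seed five bits at a time
        chars.append(ALPHABET[(v + p) % 32])
    s = "".join(chars)
    return f"{s[:5]}-{s[5:10]}-{s[10:]}"


def expected_key(name: bytes, call_patched_out: bool = False) -> str:
    """Mirrors 00469E80..00469E9E. eax is zeroed at 00469E8C and repnz scasb
    only computes the length, so if the call is replaced by a jump, eax is
    still 0 when 'mov esi, eax' runs and the key no longer depends on the name."""
    eax = 0
    length = len(name)              # ecx after not/dec
    if not call_patched_out:
        eax = mix_name(name[:length])
    return derive_key(eax)


def check_registration(name: str, key: str, call_patched_out: bool = False) -> bool:
    """Mirrors the guard at 0040B86A..0040B881, then the comparison with the
    locally computed key. Everything needed to compute the key lives in the
    binary, which is why a single patched call decides the outcome."""
    if len(name) == 0 or len(key) == 0:
        return False
    if len(key) != 0x11:            # cmp eax, 00000011
        return False
    return key == expected_key(name.encode("latin-1"), call_patched_out)
```

With the call present each name has its own key; with it patched out every name validates against the one constant derive_key(0), and a genuine key is rejected, exactly as the text describes.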
Ok, that's all for now. The next tutorial (hopefully :) will be about making a keygen
for 3DMark 99 MAX.
Bye!!!
Quake2