The cracking of "Age of Empires"
(with a general digression about CD-based copy
protections of most Windows95 games)
(28 December 1997, poorly edited by reverser+)
Courtesy of reverser's page
of reverse engineering
Well, it was about time! If all anti-micro$oft crackers would really put their
reversing capabilities where their mouths are, Micro$oft would already be bankrupt... unfortunately
we keep looking for interesting protection schemes, and there is really nothing
much interesting in whatever these incredibly incapable bunch of commercial
evil programmers do... yet, once more, this kind of cracking
is VERY IMPORTANT! Age of empires is a (strategically crippled) 'megabucks' troyan
horse... one of those -mostly pathetical- "Micro$oft sponsored" games that are pushed like
few others in order to compel people to use windoze... look at the specs for Age of Empires,
only very incapable programmers could compel such a config!
- Windoze95 or
WindozeNT 4.0 with ServicePackBugCorrect 3 Why? Are they really so uncapable
programmers that they have to target a single operating system or have they been bought
by Micro$oft's banes to say this?;
- 24 Megabytes ram...
why? There are magical
graphical programs that squeeze vectors and graphics inside 8 (eight) megabytes...
poor simple game needs 24!;
- 80 MB of available
harddisk PLUS 50 Megabytes of swapping space... why? are they
really uncapable to
squeeze graphic? Do they really need 130 (read: onehundredand thirty) megabytes
to have some catapults roll on board?;
- Quad-speed CD-ROM drive
A typical request by incapable programmers...
It's disgusting: man
I could myself squeeze this crap into less than one half of these specs in a couple of
hours! It's a shame! "One of the most ambitious games we've ever
seen..."? One of the most overbloated games we've ever seen!
The cracking of "Age of Empires"
(a general digression about CD-based copy
protections of most Windows95 games)
Hi back again,
it's going to be Christmas and the whole world is going to shop.
Advertising is legalized lying, said someone.
Remember this, especially every time it's Christmas.
Examining a game from big brother Micro$oft (of course we have
bought it: part NO: X03-44492 :-) we have noticed a bug that may
annoy all the poor boys (and girls) all over the (poor) world,
whose's (poor) father and mothers, for instance, have lost their
(poor) jobs thanks to Micro$oft's (poor) society.
See: this reversing is a present for those who won't get no
presents at all during these merry (poor) holidays, poor chaps,
yet would need so much to evaluate (fully) this interesting
(if overbloated) historical game... so let's crack it!
And anyway I need my own cd-drive free from my own bought CD-games
in order to hear my own music CD... something against this? :-)
Age of Empires comes on one CD-ROM; the CD-ROM can be taken
out after the game is running.
I think that this tells us, that there is only one check for the CD at
the beginning, when Age of Empires starts.
Little (important) digression
Let's say something general about copy protections of Windows95 games.
They are nearly all the same, and they aren't really copy protections.
They all work something like this :
(1) put "c:\" in a variable, let's say "xrom"
(2) test if "xrom" is the CD-Drive, by using "GetDriveTypeA"
(3) if result = 5 then continue at step 5
(4) else increment the drive letter and go back to (2)
(5) use the letter in "xrom" to complete all path names.
(6) if it will never find a CD-Drive, a error message appears
A lot of games are doing it like this.
How to crack this ??? Nothing easier like this. Don't put "c:\" in the
variable, but the desired CD-drive letter. Then remove the
"GetDriveTypeA" call and write something like "mov eax, 00000005".
Sometimes a "GetVolumeInformationA" follows, but it's no problem
to avoid the program to exit by this.
Example games for this kind of protection :
- Beasts and Bumpkins
- Descent ][
- Panzer General IIID
- and many more
End of digression
On the "Most stupid protections" +HCU's project is said that the
more commercial a product is, the more stupid it's protection
This is sure confirmed if you take a look at "Age of Empires".
The path to the CD is stored in the registry and only needed to find
the oversized AVI philez.
Set a breakpoint on "GetDriveTypeA" and start "Age of Empires".
SoftIce pops up a few times in the "LinkInfo" module, nut this is not
Sometime later, SoftIce pops up in the "Empire" module at
:004D65F5 57 push edi <-- the CD path
:004D65F6 FF1554267000 Call KERNEL32.GetDriveTypeA <-- SoftIce pops up here
:004D65FC 83F805 cmp eax, 00000005 <-- Is it the CD-ROM ???
:004D65FF 7404 je 004D6605 <-- Yes ? --> jump !
:004D6601 33C0 xor eax, eax <-- No ? --> stay !
:004D6603 EB53 jmp 004D6658
In edi is the pointer to the CD path. The result of GetDriveTypeA
is "00000005" if the checked drive is a CD drive. If the given drive
is a CD drive, the program continues below :
:004D662B 57 push edi <-- the CD path
:004D662C FF1558267000 Call KERNEL32.GetVolumeInformationA
:004D6632 85C0 test eax, eax
:004D6634 B800000000 mov eax, 00000000
:004D6639 741D je 004D6658
:004D663B 8B460C mov eax, dword ptr [esi+0C]
:004D663E 8D4C241C lea ecx, dword ptr [esp+1C]
:004D6642 05FD020000 add eax, 000002FD
:004D6647 50 push eax
:004D6648 51 push ecx
:004D6649 E802D60500 call 00533C50 <-- strcmpi
:004D664E 83C408 add esp, 00000008
:004D6651 83F801 cmp eax, 00000001
:004D6654 1BC0 sbb eax, eax
:004D6656 F7D8 neg eax
As you can see, not only the type of drive is checked, but also the name
of the drive.
In ecx is the pointer to the name of the CD currently in your CD-ROM, in
eax is the pointer to the expected name : "AOE"
If the compare succeeded, the result of the complete function is "01",
else it is zero.
To patch "Age of Empires", this function has to return "01" every time
it is called. No problem for us, of course: let's look at the top of
the function :
:004D6550 81EC0C020000 sub esp, 0000020C
:004D6556 53 push ebx
:004D6557 56 push esi
:004D6558 8B410C mov eax, dword ptr [ecx+0C]
:004D655B 57 push edi
:004D655C 55 push ebp
:004D655D 8BF1 mov esi, ecx
:004D655F 8B8808040000 mov ecx, dword ptr [eax+00000408]
:004D6565 85C9 test ecx, ecx
:004D6567 750A jne 004D6573 <--blast this one
:004D6569 B801000000 mov eax, 00000001
:004D656E E9E5000000 jmp 004D6658 <--jump to the end
As we can see from the small piece of code above, the only thing which
is to do, is to blast the jne at 004d6567. If this is done, the function
will always return "eax = 01".
After I nopped out some bytes (in my essay about W32Dasm 8.7) I was mildly
criticized by reverser+, now I learned and I prefer to use this sequence :
41 inc ecx
49 dec ecx
This one is doing nothing as good as two nops would do, but it can not
be detected by some protection algorithms.
"Age of Empires" was as silly and easy to cheat as most of the time trial
versions, created by Micro$oft. The patch can be reduced to a single "jne
blasting out", this should, normally, be too easy to be true, yet most of
these games compel in such a silly way legitime users to occupy their own
CD-drive with a CD-ROM they have NOT chosen to have there!
After patching the program, it is even possible to delete all the
x-tra large avi phileZ, cause they waste nearly 100 megz of space.
Time to pay respect
Last but not least,
there are two people I want pay respect to :
- First reverser+ who hosts one of the most interesting pages on
the whole net. If you want to find any knowledge about cracking
(or computers in a more general way), pay a visit to
- Second to Quine who had cracked IDA in a very special way.
Disassembling with IDA is much more satisfying, than doing it
with good old W32Dasm, just try it.
I have to say that I was nearly as far with cracking IDA, but
my 'working target' kept always crashing, because no mem was
reserved. Respects to Quine!
This was our Micro$oft cracking for today, questions can -as usual-
be asked at :
mailto:firstname.lastname@example.org?subject=I've got a question about Micro$oftcracking...
Bye (till next time)
(c) TWD All rights reversed
Of course you should BUY this overbloated game (you better buy a Pentium 200 first, tough) and
you should NOT come to the idea of using only one Age of empires CD-ROM (if ever...
you could of course find the razor distributed copy on the web for free, if you seek) in order to
'seed' this game, as cracked above by TWD, in all your friends and friends'
friends and friends' friends' friends computers. This would
be un-ethical, I'm afraid, since Micro$oft and their overbloated programmers slaves
would risk loosing some money thattaway. So don't do it, you scoundrels! I did'nt, I bought
my own copy: 0897 Part No. 92681: "Simply fill in the card, choose your local Micro$oft
office from the leaflet..." :-)
You are deep inside reverser's page of reverse engineering,
choose your way out:
Back to Project 9 (M$-bashing)
Back to Project 4 (CD-Rom)
Is reverse engineering legal?