The cracking of "Age of Empires"
(with a general digression about CD-based copy protections of most Windows95 games)

by TWD

(28 December 1997, poorly edited by reverser+)

Courtesy of reverser's page of reverse engineering
Well, it was about time! If all anti-micro$oft crackers would really put their reversing capabilities where their mouths are, Micro$oft would already be bankrupt... unfortunately we keep looking for interesting protection schemes, and there is really nothing much interesting in whatever these incredibly incapable bunch of commercial evil programmers do... yet, once more, this kind of cracking is VERY IMPORTANT! Age of empires is a (strategically crippled) 'megabucks' troyan horse... one of those -mostly pathetical- "Micro$oft sponsored" games that are pushed like few others in order to compel people to use windoze... look at the specs for Age of Empires, only very incapable programmers could compel such a config!
- Windoze95 or WindozeNT 4.0 with ServicePackBugCorrect 3 Why? Are they really so uncapable programmers that they have to target a single operating system or have they been bought by Micro$oft's banes to say this?;
- 24 Megabytes ram... why? There are magical graphical programs that squeeze vectors and graphics inside 8 (eight) megabytes... and this poor simple game needs 24!;
- 80 MB of available harddisk PLUS 50 Megabytes of swapping space... why? are they really uncapable to squeeze graphic? Do they really need 130 (read: onehundredand thirty) megabytes to have some catapults roll on board?;
- Quad-speed CD-ROM drive A typical request by incapable programmers...

It's disgusting: man I could myself squeeze this crap into less than one half of these specs in a couple of hours! It's a shame! "One of the most ambitious games we've ever seen..."? One of the most overbloated games we've ever seen!

Micro$oft bashing ~~~~~~~~~~~~~~~~~ The cracking of "Age of Empires" ================================ (a general digression about CD-based copy protections of most Windows95 games) by TWD
Hi back again, it's going to be Christmas and the whole world is going to shop. Advertising is legalized lying, said someone. Remember this, especially every time it's Christmas. Examining a game from big brother Micro$oft (of course we have bought it: part NO: X03-44492 :-) we have noticed a bug that may annoy all the poor boys (and girls) all over the (poor) world, whose's (poor) father and mothers, for instance, have lost their (poor) jobs thanks to Micro$oft's (poor) society. See: this reversing is a present for those who won't get no presents at all during these merry (poor) holidays, poor chaps, yet would need so much to evaluate (fully) this interesting (if overbloated) historical game... so let's crack it! And anyway I need my own cd-drive free from my own bought CD-games in order to hear my own music CD... something against this? :-) Age of Empires comes on one CD-ROM; the CD-ROM can be taken out after the game is running. I think that this tells us, that there is only one check for the CD at the beginning, when Age of Empires starts.
Little (important) digression ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Let's say something general about copy protections of Windows95 games. They are nearly all the same, and they aren't really copy protections. They all work something like this : (1) put "c:\" in a variable, let's say "xrom" (2) test if "xrom" is the CD-Drive, by using "GetDriveTypeA" (3) if result = 5 then continue at step 5 (4) else increment the drive letter and go back to (2) (5) use the letter in "xrom" to complete all path names. (6) if it will never find a CD-Drive, a error message appears A lot of games are doing it like this. How to crack this ??? Nothing easier like this. Don't put "c:\" in the variable, but the desired CD-drive letter. Then remove the "GetDriveTypeA" call and write something like "mov eax, 00000005". Sometimes a "GetVolumeInformationA" follows, but it's no problem to avoid the program to exit by this. Example games for this kind of protection : - Beasts and Bumpkins - Descent ][ - Diablo - Panzer General IIID - and many more End of digression ~~~~~~~~~~~~~~~~~
On the "Most stupid protections" +HCU's project is said that the more commercial a product is, the more stupid it's protection will be. This is sure confirmed if you take a look at "Age of Empires". The path to the CD is stored in the registry and only needed to find the oversized AVI philez. Set a breakpoint on "GetDriveTypeA" and start "Age of Empires". SoftIce pops up a few times in the "LinkInfo" module, nut this is not interesting. Sometime later, SoftIce pops up in the "Empire" module at this position: :004D65F5 57 push edi <-- the CD path :004D65F6 FF1554267000 Call KERNEL32.GetDriveTypeA <-- SoftIce pops up here :004D65FC 83F805 cmp eax, 00000005 <-- Is it the CD-ROM ??? :004D65FF 7404 je 004D6605 <-- Yes ? --> jump ! :004D6601 33C0 xor eax, eax <-- No ? --> stay ! :004D6603 EB53 jmp 004D6658 In edi is the pointer to the CD path. The result of GetDriveTypeA is "00000005" if the checked drive is a CD drive. If the given drive is a CD drive, the program continues below : ... :004D662B 57 push edi <-- the CD path :004D662C FF1558267000 Call KERNEL32.GetVolumeInformationA :004D6632 85C0 test eax, eax :004D6634 B800000000 mov eax, 00000000 :004D6639 741D je 004D6658 :004D663B 8B460C mov eax, dword ptr [esi+0C] :004D663E 8D4C241C lea ecx, dword ptr [esp+1C] :004D6642 05FD020000 add eax, 000002FD :004D6647 50 push eax :004D6648 51 push ecx :004D6649 E802D60500 call 00533C50 <-- strcmpi :004D664E 83C408 add esp, 00000008 :004D6651 83F801 cmp eax, 00000001 :004D6654 1BC0 sbb eax, eax :004D6656 F7D8 neg eax As you can see, not only the type of drive is checked, but also the name of the drive. In ecx is the pointer to the name of the CD currently in your CD-ROM, in eax is the pointer to the expected name : "AOE" If the compare succeeded, the result of the complete function is "01", else it is zero. To patch "Age of Empires", this function has to return "01" every time it is called. No problem for us, of course: let's look at the top of the function : :004D6550 81EC0C020000 sub esp, 0000020C :004D6556 53 push ebx :004D6557 56 push esi :004D6558 8B410C mov eax, dword ptr [ecx+0C] :004D655B 57 push edi :004D655C 55 push ebp :004D655D 8BF1 mov esi, ecx :004D655F 8B8808040000 mov ecx, dword ptr [eax+00000408] :004D6565 85C9 test ecx, ecx :004D6567 750A jne 004D6573 <--blast this one :004D6569 B801000000 mov eax, 00000001 :004D656E E9E5000000 jmp 004D6658 <--jump to the end As we can see from the small piece of code above, the only thing which is to do, is to blast the jne at 004d6567. If this is done, the function will always return "eax = 01". After I nopped out some bytes (in my essay about W32Dasm 8.7) I was mildly criticized by reverser+, now I learned and I prefer to use this sequence : 41 inc ecx 49 dec ecx This one is doing nothing as good as two nops would do, but it can not be detected by some protection algorithms. Summary ~~~~~~~ "Age of Empires" was as silly and easy to cheat as most of the time trial versions, created by Micro$oft. The patch can be reduced to a single "jne blasting out", this should, normally, be too easy to be true, yet most of these games compel in such a silly way legitime users to occupy their own CD-drive with a CD-ROM they have NOT chosen to have there! After patching the program, it is even possible to delete all the x-tra large avi phileZ, cause they waste nearly 100 megz of space. Time to pay respect ~~~~~~~~~~~~~~~~~~~ Last but not least, there are two people I want pay respect to : - First reverser+ who hosts one of the most interesting pages on the whole net. If you want to find any knowledge about cracking (or computers in a more general way), pay a visit to - Second to Quine who had cracked IDA in a very special way. Disassembling with IDA is much more satisfying, than doing it with good old W32Dasm, just try it. I have to say that I was nearly as far with cracking IDA, but my 'working target' kept always crashing, because no mem was reserved. Respects to Quine! This was our Micro$oft cracking for today, questions can -as usual- be asked at :'ve got a question about Micro$oftcracking... Bye (till next time) TWD

(c) TWD All rights reversed
Of course you should BUY this overbloated game (you better buy a Pentium 200 first, tough) and you should NOT come to the idea of using only one Age of empires CD-ROM (if ever... you could of course find the razor distributed copy on the web for free, if you seek) in order to 'seed' this game, as cracked above by TWD, in all your friends and friends' friends and friends' friends' friends computers. This would be un-ethical, I'm afraid, since Micro$oft and their overbloated programmers slaves would risk loosing some money thattaway. So don't do it, you scoundrels! I did'nt, I bought my own copy: 0897 Part No. 92681: "Simply fill in the card, choose your local Micro$oft office from the leaflet..." :-)

You are deep inside reverser's page of reverse engineering, choose your way out:

redBack to Project 9 (M$-bashing) redBack to Project 4 (CD-Rom)
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?