Casual hack: Hacking the NevoSoft games

A casual game is a kind of computer game designed for a wide range of users.
The term "casual" is derived from the Latin word "casualis", which means "incidental".
Thus a casual game is one that is played from time to time, often just to kill
some time. The NevoSoft company's creations are exactly like that: the company
lets you play for only an hour and then asks you to pay money.
Today we'll deal with that!

Some theory

Generally, casual games suit practically any category of computer user as far
as difficulty goes. As a rule, the storyline in such games is pretty thin, which
is why they suit people who just cannot devote themselves to playing a game for
a long time. The NevoSoft company is one of the leading casual game developers
in the world, and particularly in Russia. One would think that such a major
company would pay great attention to protecting its software, and that hacking
it would take a lot of time and effort. Today we will refute that and show how
to break their games of the habit of begging for our hard-earned money.
NevoSoft's developers keep a thousand games under their supervision and give
users a chance to try a game for one hour only. 60 minutes later, just when a
person has got excited about playing, a pop-up window appears with a
"pay some money" notice. It so happens that Russian people just don't like
paying for software, but sometimes game developers simply leave no choice. It
may take hours to find a suitable crack for a game, and if the game is new the
chances of finding one are close to zero.

Operating table preparation

To break NevoSoft of that "bad habit" I chose the "Peacecraft" game as my
experimental subject, because it was the one that gave me the idea to study the
protection system of NevoSoft's games. Later it became clear that the
protection scheme is absolutely identical for all their game products.

It so happened that at the time of my study I had no hacking software on hand,
no disassembler or debugger. There was only the set of standard programs that
almost every user has on their computer: "Total Commander" and "Task Manager".
That is the whole set of applications we will use for our study. One would
think: "What can you really do with these applications?" It turned out that a
mix of an inquisitive mind and a bit of attentiveness is enough to make the game
start with no demo time limit. I chose Delphi 7 as the platform for writing the
crack. Now that all the instruments are laid out on the operating table and the
patient is tightly strapped down, it is time to start the study. Let's take
everything to pieces, one thing after another...

Scalpel, swab, spirit, more spirit, lemon ... Substitution!

Install and run the game. Now we see a beautiful window showing the time
remaining to test it. Press the "play" button and start watching what is
happening in the system. Minimize the game window for a while and open the
"Task Manager". There is an unknown process with a *.tmp extension. Well, let's
take a closer look at what kind of fruit this is and how it got here. Look at
the process properties and read the information given. The file location shows
us that we're on the right track. Open the folder with the file and rename it
to *.exe (by the way, the file has the "hidden" attribute, so do not forget to
tick "show hidden files" in the appropriate Windows folder options). Start it
and you will see a beautiful picture: the game starts with no registration
pop-up windows. It would seem that the goals of our experiment are already
achieved. The game no longer requires registration and works without a time
limit. But this method is too tedious and inconvenient, so we will try to find
a way to simplify these steps.

An autopsy showed that the patient had died from an autopsy

Our main objective is to learn how to stop NevoSoft games from asking for
money, in two clicks. So now we should try to work out where that file with the
*.tmp extension comes from. Don't worry, you won't have to read tons of manuals.
The main thing is to have a little patience and a bit of attention. The search
won't take long, because the folder with the *.tmp file also contains a strange
nsgame.dat file, whose size matches our game file's to within a single byte. We
can assume that the launcher simply renames nsgame.dat to *.tmp and launches
it. But testing this hypothesis will disappoint you: you will be told that the
application is not an executable file.

Do not be upset; instead take a bigger and sharper shovel and begin to dig
deeper. The first thing that comes to mind is to compare these two files and
see what the actual difference between them is. Open Total Commander and use
its built-in file comparison tool. I'd say the results are pretty interesting:
the bytes alternate between equal and unequal at a 2-byte interval. No doubt
the file is encrypted. Now, how do we reverse it if we have decided to give up
on debuggers and disassemblers? The answer is simple: we have to think about
encryption algorithms. One of the simplest and most effective (if used properly)
cryptographic algorithms is so-called XOR encryption. The method consists of a
bytewise Boolean XOR operation: the first operand is the byte being encrypted
and the second one is the key. But now another question arises: "Where do we
get the decryption key?" The answer is simple: "Remember your Boolean algebra
and you'll have open access to it."

Crypted = uncrypted XOR key;
Key = crypted XOR uncrypted

So let's try to get that precious key. To do this, run a bytewise XOR between
the executable file and the temporary file. The idea is that in the end we will
get a decryption key that will let us hack any NevoSoft game. We will perform
the XOR only for the first 256 bytes, because very few companies use keys of
greater length nowadays.

var
  i, o: TFileStream;
  bi, bo: byte;
  x, cc: integer;
begin
  // "open" is a TOpenDialog and "key" is a TLabel on the form
  if open.Execute then
  begin
    SetCurrentDir('C:\Игры от NevoSoft\Peacecraft\game'); // Enter the game folder
    if not FileExists('nsgame.dat') then exit;
    i := TFileStream.Create('nsgame.dat', fmOpenRead);  // encrypted file
    o := TFileStream.Create(open.FileName, fmOpenRead); // decrypted *.tmp dropped by the launcher
    cc := 0;
    // Look over the first 256 bytes: key = crypted XOR uncrypted
    for x := 0 to 255 do
    begin
      i.Read(bi, 1);
      o.Read(bo, 1);
      key.Caption := Format('%s %x', [key.Caption, bi xor bo]);
      inc(cc);
      if cc mod 8 = 0 then key.Caption := key.Caption + #13#10; // 8 bytes per line
    end;
    i.Free;
    o.Free;
  end;
end;

As it turned out, the encryption key is pretty short, only 4 bytes long.
Looking ahead, I will say that each NevoSoft game has its own unique encryption
key. How do we figure it out?

Going deeper into the jungle is not worth it; in fact, everything is very
simple. To get the key, take the first 2 bytes of the PE-header signature and
XOR them with the first 2 bytes of the encrypted file. Many people might ask:
"Why XOR only 2 bytes if the full key length is 4 bytes?" The answer is simple:
the third and fourth key bytes are always equal to $00.

function GetKey(const FileName: string): string;
var
  i: TFileStream;
  tmp: byte;
  x: integer;
  key: string;
const
  ckey = #77#90; // PE-file signature "MZ"
begin
  key := '';
  i := TFileStream.Create(FileName, fmOpenRead);
  try
    for x := 1 to 2 do
    begin
      i.Read(tmp, 1);
      tmp := ord(ckey[x]) xor tmp; // key byte = crypted XOR known plaintext
      key := key + chr(tmp);
    end;
  finally
    i.Free;
  end;
  Result := key + #0#0; // third and fourth key bytes are always $00
end;

Now you have the magic "Open Sesame" and can safely start writing the crack.

Closer to the edge

Now we have enough information to create a universal crack. Well, let's not
waste time. Let's do it...

procedure wrap(filename: string);
var
  i, o: TFileStream;
  bi, bo, tmp: byte;
  x, ii: integer;
  key: string[4];
  buffer: TMemoryStream;
const
  ckey = #77#90; // PE-header signature "MZ"
begin
  if not FileExists(filename) then exit; // Some checking never hurts =)
  i := TFileStream.Create(filename, fmOpenRead);                       // Open the file for reading
  o := TFileStream.Create(ChangeFileExt(filename, '.exe'), fmCreate); // Write a new file
  buffer := TMemoryStream.Create;
  key := ''; // a local ShortString is not initialised automatically
  for x := 1 to 2 do // Calculating the encryption key
  begin
    i.Read(tmp, 1);
    tmp := ord(ckey[x]) xor tmp;
    key := key + chr(tmp);
  end;
  key := key + #0#0; // third and fourth key bytes are always $00
  i.Seek(0, soFromBeginning);
  x := 0; ii := 0;
  while i.Position < i.Size do // Decrypting the file with the specified key
  begin
    inc(ii);
    i.Read(bi, 1);
    bo := bi xor ord(key[ii]);
    buffer.Write(bo, 1);
    inc(x);
    if ii = 4 then ii := 0; // wrap around the 4-byte key
  end;
  o.Write(buffer.Memory^, buffer.Size);
  i.Free;
  o.Free;
  buffer.Free;
  ShowMessage('Wrapping done');
end;

Drum roll... run the decrypted file... But wait. For some reason we are asked
to pay the fee again. What, where and when did we miss something? After all,
we did everything right! Let's not get upset. Picking up another can of beer,
we'll continue studying our experimental subject and try to find the blunder.
Open "Total Commander" and compare the normal game file with the file we got
after decrypting. At first glance, the files are identical to within one byte.
But as soon as you use the "find the first difference" option, Total Commander
reports that the files do not match starting from offset $43000.

Consequently, we can assume that not the whole file is encrypted, but only its
first $43000 bytes. Therefore we take a hammer and a chisel and fix the error
in our code, forcing it to decrypt only the first $43000 bytes.

while i.Position < i.Size do
begin
  inc(ii);
  i.Read(bi, 1);
  if x < $43000 then
  begin
    bo := bi xor ord(key[ii]);
    buffer.Write(bo, 1);
  end
  else
    buffer.Write(bi, 1);
  inc(x);
  if ii = 4 then ii := 0;
end;
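The two observations above, the key readable off the MZ signature and the encryption stopping at $43000, as an added Python example on constructed data (not the article's code, and no NevoSoft file involved). It shows why this scheme protects nothing: the PE signature is a known plaintext, so key = crypted XOR uncrypted hands the key over, and decrypting past the encrypted region is exactly what re-scrambles the tail. Assumed here: a constructed 512-byte image, a made-up key with two zero bytes, and a limit of 256 standing in for $43000.

```python
from typing import List, Optional

# Constructed sample (not a real NevoSoft binary): a fake image that starts
# with the "MZ" signature, then deterministic filler bytes.
PLAIN = b"MZ" + bytes((i * 7 + 3) & 0xFF for i in range(510))  # 512 bytes
# Assumed key shape from the article: two significant bytes, then two $00 bytes.
KEY = bytes([0x5A, 0xC3, 0x00, 0x00])
# Only the first LIMIT bytes are encrypted (scaled-down stand-in for $43000).
LIMIT = 256

def xor_stream(data: bytes, key: bytes, limit: Optional[int] = None) -> bytes:
    """XOR data with a repeating key; bytes at offset >= limit are copied through.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    end = len(data) if limit is None else min(limit, len(data))
    out = bytearray(data)
    for pos in range(end):
        out[pos] ^= key[pos % len(key)]
    return bytes(out)

def recover_key(encrypted: bytes, known_prefix: bytes = b"MZ") -> bytes:
    """Known-plaintext recovery: key = crypted XOR uncrypted over the fixed header.
    A key derived from a signature every PE file shares is no secret at all."""
    head = bytes(c ^ p for c, p in zip(encrypted, known_prefix))
    return head + b"\x00\x00"

def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Offsets where two buffers disagree: the 2-byte equal/unequal pattern."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first mismatch, or None when the buffers are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

ENC = xor_stream(PLAIN, KEY, LIMIT)  # what nsgame.dat would look like here

if __name__ == "__main__":
    print("recovered key:", recover_key(ENC).hex())
    print("first 8 differing offsets:", differing_offsets(ENC, PLAIN)[:8])
    # Decrypting the whole file re-scrambles the tail that was never encrypted:
    print("naive full decrypt diverges at:", first_difference(xor_stream(ENC, KEY), PLAIN))
    print("limited decrypt matches:", xor_stream(ENC, KEY, LIMIT) == PLAIN)
```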

Now run the "crack" (incidentally, these actions can hardly be called
cracking, because we do not modify a single byte directly related to the game;
we only restore the original application by decrypting it). Wait a couple of
seconds and start the game. Hurray! The game is completely independent of the
NevoSoft launcher that begs money from us. Now you can relax, lean back in
your chair and enjoy your favorite game.

Conclusion

The difference between a hacker and an ordinary person is not only a high level
of IT knowledge, but also curiosity and the ability to find an unconventional
approach to everyday problems. The study we have made really proves that
hacking is not always sitting for hours with a debugger looking for the
cherished bytes that need to be fixed. Sometimes you can do it with the
programs that are always at hand. So now I say goodbye and wish you always to
stay within Articles 272-274 of the Criminal Code, and good luck to you! 🙂