
Analyzing Product Key Authentication (2/2)

This post picks up where the previous one concluded and wraps up the bypass of the product key authentication routine in Age of Mythology. The previous post left off at the code that shows the “Invalid Product Key” popup, namely the call to 0x0040F880.

0040D258 | E8 23 26 00 00             | call ebu4df6.40F880
0040D25D | 83 C4 0C                   | add esp,C
0040D260 | 89 5C 24 10                | mov dword ptr ss:[esp+10],ebx
0040D264 | 56                         | push esi
0040D265 | FF 15 E8 62 46 00          | call dword ptr ds:[<&FreeLibrary>]
0040D26B | 8B 44 24 10                | mov eax,dword ptr ss:[esp+10]
0040D26F | 5F                         | pop edi
0040D270 | 5E                         | pop esi
0040D271 | 5D                         | pop ebp
0040D272 | 5B                         | pop ebx
0040D273 | 81 C4 58 03 00 00          | add esp, 358
0040D279 | C3                         | ret

The function at 0x0040F880 just forwards the string along with a few other parameters to another function, which displays the popup.

0040F880 | 8B 4C 24 0C                | mov ecx,dword ptr ss:[esp+C]                     |
0040F884 | 8B 54 24 08                | mov edx,dword ptr ss:[esp+8]                     | [esp+8]:"Invalid Product Key"
0040F888 | 8D 44 24 10                | lea eax,dword ptr ss:[esp+10]                    |
0040F88C | 50                         | push eax                                         |
0040F88D | 8B 44 24 08                | mov eax,dword ptr ss:[esp+8]                     | [esp+8]:"Invalid Product Key"
0040F891 | 51                         | push ecx                                         | ecx:"Invalid Product Key"
0040F892 | 52                         | push edx                                         |
0040F893 | 50                         | push eax                                         |
0040F894 | E8 07 00 00 00             | call ebu4df6.40F8A0                              |
0040F899 | 83 C4 10                   | add esp,10                                       |
0040F89C | C3                         | ret                                              |

Stepping back to the original function, the return value (in EAX) is loaded from [ESP + 0x10]. Prior to this instruction executing, EAX is 1. On the failure case, [ESP + 0x8] contains 0, which is assigned to EAX and returned to the caller. Attaching a debugger and dynamically changing EAX to 1 shows that the key is accepted and the installation process continues. To make this permanent, there are two simple options: NOP out the instruction altogether, since the correct value is already in EAX before it executes, or change the instruction to mov eax, 1 to force the correct value into the register. During my test session, I just decided to NOP out the instruction.

Replacing the 4-byte instruction at 0x0040D26B

0040D26B | 8B 44 24 10                | mov eax,dword ptr ss:[esp+10]

with NOPs

0040D26B | 90                         | nop
0040D26C | 90                         | nop
0040D26D | 90                         | nop
0040D26E | 90                         | nop

allows the product authentication process to continue and the game to be installed. Fortunately it turned out to be pretty simple: this authentication function returns a single boolean value, and the caller accepts that value without any further checks. Forcing a return of true was enough to continue along in the process.

Thanks for reading and follow on Twitter for more updates.
