Assembler

Roger Wilco
It's fun to go back in time to look at things I've done. 10 years ago I discovered Roger Wilco, a voice chat application aimed at gamers that would run in the background and work like a walkie-talkie, adding voice communication capabilities to any game. It was quite revolutionary at the time.
The other application that provided similar functionality was BattleCom, which was eventually acquired by Microsoft and rebranded as Game Voice as part of the SideWinder product line.
Anyway, Roger Wilco, developed by a company called Resounding Technology, Inc., was still at an early beta stage. Roger Wilco was free, but you had to register for a "license key" to unlock its full functionality. Otherwise Roger Wilco would operate in a "demo mode" which restricted usage to 15 minutes spent on a single session, and then disconnect from the server. Registration was free, though. It essentially just required sending an email in order to receive a key.
Bored as I was, I poked around the code using W32DASM (a Windows disassembler), patched the two timer checks to disable the 15-minute limitation, and for good measure allowed any license key to register the program. Then I put together a small executable and registry file to simplify the process. Everything together probably took 4 hours out of my afternoon and was just an educational exercise to see if I could do it. I never released any of the code until now.
Today, the code below is irrelevant since it only applied to that particular 0.22 beta version. Roger Wilco was acquired by GameSpy in 2001, and the last version (1.4.1.6) was released July 8, 2003. Besides, there are much better applications for voice chat out there today: TeamSpeak, TeamSound, and Ventrilo come to mind.

; Patch for Roger Wilco v0.22 beta.
;
; This utility will patch two files
; ROGER.EXE and NETWORK.DLL to remove the timer.
;
; ROGER.EXE needs changes at offset 282Ah (75h),
; at offset 401Fh (66h, 33h, 0C0h, 90h),
; and at offset 4144h (75h).
;
; NETWORK.DLL needs to be patched at 64EDh
; (33h, 0C0h, 0E9h, 0B6h, 00h, 00h, 00h, 90h, 90h, 90h, 90h).
;
; Compiles with TASM5.0, did not test with any other compilers.

.model tiny
.code
.486
org 100h
; jumps

; start of the program. make sure ds is set to the code segment.
main:
        push    cs                  ; save the code segment on the stack
        pop     ds                  ; and pop as data segment

        ; display copyright message.
        mov     ah, 09h             ; print string
        lea     dx, [CPYRIGHT]      ; point to the string
        int     21h                 ; call DOS to do it

        ; look for the first file to patch
        lea     dx, [EXE_FILE]      ; roger.exe
        call    OPEN_RW             ; open the file
        jc      FILENF              ; exit if an error (CF is set) occurred

        ; PATCH 1
        xor     cx, cx              ; clear cx (high word of the offset)
        mov     dx, 282Ah           ; seek to position
        call    SEEK_TO
        lea     dx, [FIL_SIZE]      ; point to error message
        jc      FILENF              ; if an error, assume wrong file size
        mov     ax, 4000h           ; write to file using handle
        mov     cx, 0001h           ; write one byte
        lea     dx, [PATCH_1A]      ; point to the patch buffer
        int     21h                 ; call DOS to write it
        lea     dx, [FIL_WERR]      ; file write error
        jc      FILENF

        ; PATCH 2
        xor     cx, cx              ; clear cx
        mov     dx, 401Fh           ; seek to position
        call    SEEK_TO
        lea     dx, [FIL_SIZE]      ; point to error message
        jc      FILENF
        mov     ax, 4000h           ; write to the file
        mov     cx, 0004h           ; write four bytes
        lea     dx, [PATCH_1B]      ; point to the patch buffer
        int     21h                 ; call DOS to write it
        lea     dx, [FIL_WERR]      ; file write error
        jc      FILENF

        ; PATCH 3
        xor     cx, cx              ; clear cx
        mov     dx, 4144h           ; seek to position
        call    SEEK_TO
        lea     dx, [FIL_SIZE]      ; point to error message
        jc      FILENF
        mov     ax, 4000h           ; write to the file
        mov     cx, 0001h           ; write one byte
        lea     dx, [PATCH_1C]      ; point to the patch buffer
        int     21h                 ; call DOS to write it
        lea     dx, [FIL_WERR]      ; file write error
        jc      FILENF

        ; ROGER.EXE is patched now, close it.
        mov     ax, 3E00h           ; close file using handle
        int     21h                 ; call DOS to do it
                                    ; not checking for errors.

        ; look for the second file to patch
        lea     dx, [DLL_FILE]      ; network.dll
        call    OPEN_RW
        jc      FILENF              ; exit if an error (CF is set) occurred

        ; PATCH 4
        xor     cx, cx              ; clear cx
        mov     dx, 64EDh           ; seek to position
        call    SEEK_TO
        lea     dx, [FIL_SIZE]      ; point to error message
        jc      FILENF
        mov     ax, 4000h           ; write to the file
        mov     cx, 000Bh           ; write eleven bytes (length of PATCH_2A)
        lea     dx, [PATCH_2A]      ; point to the patch buffer
        int     21h                 ; call DOS to write it
        lea     dx, [FIL_WERR]      ; file write error
        jc      FILENF

        ; NETWORK.DLL is patched now, too. close it.
        mov     ax, 3E00h           ; close file using handle
        int     21h                 ; call DOS to do it

        ; throw out a success message, and that's it
        mov     ah, 09h             ; print string
        lea     dx, [DON_PTCH]      ; done patching
        int     21h                 ; call DOS to do it
        xor     al, al              ; error code 0 on success
        jmp     EXIT

FILENF:
        push    dx                  ; save pointer to the filename
        mov     ah, 09h             ; print string
        lea     dx, [ERROR_1A]      ; first part of the error message
        int     21h                 ; print
        pop     dx                  ; get filename back
        int     21h                 ; print it
        lea     dx, [ERROR_1B]      ; second part of the error message
        int     21h                 ; print second part
        mov     al, 1               ; set error code 1

; set AL before jumping here to define your error code
EXIT:
        mov     ah, 4Ch             ; return to DOS, error code = AL
        int     21h

OPEN_RW proc
        mov     ax, 3D02h           ; open for read/write
        int     21h                 ; call DOS to do it
        xchg    ax, bx              ; store handle in BX
        retn
OPEN_RW endp

SEEK_TO proc
        mov     ax, 4200h           ; seek from start of file, offset in CX:DX
        int     21h                 ; seek
        retn
SEEK_TO endp

; 1 byte
PATCH_1A db 75h
; 4 bytes
PATCH_1B db 66h, 33h, 0C0h, 90h
; 1 byte
PATCH_1C db 75h
; 11 bytes
PATCH_2A db 33h, 0C0h, 0E9h, 0B6h, 00h, 00h, 00h, 90h, 90h, 90h, 90h

CPYRIGHT db 'Roger Wilco v0.22 *crack* written by SysRequest on 03/27/99.', 0Dh, 0Ah, '$'
FIL_WERR db 'the file. Failed to apply patch.$'
FIL_SIZE db 'the file at the patch position.', 13d, 10d, 'Maybe wrong size/version?$'
ERROR_1A db 'unable to access $'
ERROR_1B db 13d, 10d, 'Attempt to patch FAILED!', 13d, 10d, '$'
EXE_FILE db 'roger.exe', 0, '$'
DLL_FILE db 'network.dll', 0, '$'
DON_PTCH db 'Patch SUCCESSFULLY applied!', 13d, 10d, 'Have fun', 13d, 10d, 10d
         db 'P.S.: Do not forget to run SYSRW022.REG to register the program.', 13d, 10d, '$'

end main

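
The patcher writes its bytes one site at a time, aborts on the first error and never rolls back, so a copy of these files can end up fully modified, untouched, or half-written. The Python check below is an added example, not part of the original post: the offsets and byte values come from the header comment above, while the function names and the zero-filled sample buffers are constructed for illustration. A match only shows that the patch bytes are present, not that the file is otherwise the 0.22 beta.

```python
from typing import Dict, List, Tuple

# (offset, bytes written) per file, copied from the patcher's header comment.
PATCH_SITES: Dict[str, List[Tuple[int, bytes]]] = {
    "roger.exe": [
        (0x282A, b"\x75"),
        (0x401F, b"\x66\x33\xC0\x90"),
        (0x4144, b"\x75"),
    ],
    "network.dll": [
        (0x64ED, b"\x33\xC0\xE9\xB6\x00\x00\x00\x90\x90\x90\x90"),
    ],
}

def site_status(image: bytes, offset: int, patch: bytes) -> str:
    """Classify one site: 'patched', 'unpatched' or 'out-of-range'."""
    end = offset + len(patch)
    if end > len(image):
        return "out-of-range"  # file too short to be the build the offsets target
    return "patched" if image[offset:end] == patch else "unpatched"

def check_image(name: str, image: bytes) -> Dict[int, str]:
    """Return {offset: status} for every known site of the named file."""
    return {off: site_status(image, off, p) for off, p in PATCH_SITES[name.lower()]}

def verdict(statuses: Dict[int, str]) -> str:
    """Summarise a file: 'wrong-file', 'patched', 'unpatched' or 'partial'."""
    seen = set(statuses.values())
    if "out-of-range" in seen:
        return "wrong-file"
    if len(seen) == 1:
        return seen.pop()
    return "partial"  # some sites written, others not: an interrupted patch run

def constructed_samples() -> Dict[str, bytes]:
    """Zero-filled stand-ins for ROGER.EXE (constructed, not real binaries)."""
    full = bytearray(0x5000)
    for off, p in PATCH_SITES["roger.exe"]:
        full[off:off + len(p)] = p
    half = bytearray(0x5000)
    half[0x282A] = 0x75  # only the first write landed
    return {"unpatched": bytes(0x5000), "patched": bytes(full),
            "partial": bytes(half), "short": bytes(0x3000)}

if __name__ == "__main__":
    for label, image in constructed_samples().items():
        print(label, verdict(check_image("roger.exe", image)))
```
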
Posted: April 23rd, 2009 under Development.
Tags: assembler, programming