




Topic name: Cracking and lock-breaking tutorial (English) from the best Russian crackers and ...

  1. #21
    Professional | Morteza_SOS
    Join date: Apr 2006
    Posts: 577

    Frogger - CD Crack by Static Vengeance

    Requirements:
    Hex Editor and Full install

    Frogger has been revamped and "3D'ed" but like most games nowadays has some annoying CD check
    somewhere. That's unacceptable to me, I want to play the game; not go searching for the CD it came on.
    So as usual we'll be disassembling this game and looking for the routines responsible for the CD check.
    Once we find those routines we'll look for a way to defeat it so we end up with a cracked version on
    the old hard drive. The first thing to do is to run W32Dasm on the frogger.exe and when it's done go
    up to the title bar and select "Refs" from the menu and drop down to "String data references". From there
    grab the slider bar and scroll down to the string "Please insert the Frogger CD". Double clicking this
    string puts us in the middle of the CD check routine. Aren't all my tutorials beginning to sound the same?
    Anyways here's that code:

    * Referenced by a CALL at Addresses:
    |:00403681 , :004038DC
    |
    :004037E0 81EC00010000 sub esp, 00000100
    :004037E6 C6059458490000 mov byte ptr [00495894], 00

    * Possible StringData Ref from Data Obj ->"FROGGER"
    |
    :004037ED 68ECE24600 push 0046E2EC
    :004037F2 E8A9660400 call 00449EA0 <-- Gets drive type & volume
    :004037F7 83C404 add esp, 00000004
    :004037FA A294584900 mov byte ptr [00495894], al
    :004037FF 84C0 test al, al
    :00403801 7509 jne 0040380C
    :00403803 33C0 xor eax, eax
    :00403805 81C400010000 add esp, 00000100
    :0040380B C3 ret

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00403801(C)
    |
    :0040380C A294584900 mov byte ptr [00495894], al
    :00403811 84C0 test al, al
    :00403813 744E je 00403863
    :00403815 8D4C2400 lea ecx, dword ptr [esp]

    * Possible StringData Ref from Data Obj ->":\video\intro.rpl" <-- Intro off the CD
    |
    :00403819 68D8E24600 push 0046E2D8
    :0040381E 0FBEC0 movsx eax, al
    :00403821 50 push eax

    * Possible StringData Ref from Data Obj ->"%c%s"
    |
    :00403822 68D0E24600 push 0046E2D0
    :00403827 51 push ecx
    :00403828 E853F80500 call 00463080
    :0040382D 8D4C2410 lea ecx, dword ptr [esp+10]
    :00403831 83C410 add esp, 00000010
    :00403834 6800800000 push 00008000
    :00403839 51 push ecx
    :0040383A E8716B0600 call 0046A3B0
    :0040383F 83C408 add esp, 00000008
    :00403842 83F8FF cmp eax, FFFFFFFF
    :00403845 7415 je 0040385C
    :00403847 50 push eax
    :00403848 E8B3560600 call 00468F00
    :0040384D 83C404 add esp, 00000004
    :00403850 B801000000 mov eax, 00000001
    :00403855 81C400010000 add esp, 00000100
    :0040385B C3 ret

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00403845(C)
    |
    :0040385C C6059458490000 mov byte ptr [00495894], 00

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00403813(C)
    |
    :00403863 33C0 xor eax, eax
    :00403865 81C400010000 add esp, 00000100
    :0040386B C3 ret


    :0040386C CC int 03
    :0040386D CC int 03
    :0040386E CC int 03
    :0040386F CC int 03
    :00403870 81EC00010000 sub esp, 00000100
    :00403876 53 push ebx

    * Reference To: KERNEL32.GetUserDefaultLCID, Ord:0148h
    |
    :00403877 FF15E4944A00 Call dword ptr [004A94E4]
    :0040387D 6625FF03 and ax, 03FF
    :00403881 8B8C240C010000 mov ecx, dword ptr [esp+0000010C]
    :00403888 81F910010000 cmp ecx, 00000110
    :0040388E 742B je 004038BB
    :00403890 81F911010000 cmp ecx, 00000111
    :00403896 740C je 004038A4
    :00403898 33C0 xor eax, eax
    :0040389A 5B pop ebx
    :0040389B 81C400010000 add esp, 00000100
    :004038A1 C21000 ret 0010

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00403896(C)
    |
    :004038A4 8B8C2410010000 mov ecx, dword ptr [esp+00000110]
    :004038AB 81E1FFFF0000 and ecx, 0000FFFF
    :004038B1 83F901 cmp ecx, 00000001
    :004038B4 7426 je 004038DC
    :004038B6 83F902 cmp ecx, 00000002
    :004038B9 744A je 00403905

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040388E(C)
    |

    * Possible Reference to String Resource ID=00041: "Please insert the Frogger CD" <-- need explanation?
    |
    :004038BB B929000000 mov ecx, 00000029
    :004038C0 25FFFF0000 and eax, 0000FFFF
    :004038C5 83E807 sub eax, 00000007
    :004038C8 83F809 cmp eax, 00000009
    :004038CB 776E ja 0040393B
    :004038CD 33D2 xor edx, edx
    :004038CF 8A9090394000 mov dl, byte ptr [eax+00403990]
    :004038D5 FF24957C394000 jmp dword ptr [4*edx+0040397C]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004038B4(C)
    |
    :004038DC E8FFFEFFFF call 004037E0
    :004038E1 83F801 cmp eax, 00000001
    :004038E4 7510 jne 004038F6
    :004038E6 8B842408010000 mov eax, dword ptr [esp+00000108]
    :004038ED 6A01 push 00000001
    :004038EF 50 push eax

    * Reference To: USER32.EndDialog, Ord:00B4h
    |
    :004038F0 FF1558954A00 Call dword ptr [004A9558]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004038E4(C)
    |
    :004038F6 B801000000 mov eax, 00000001
    :004038FB 5B pop ebx
    :004038FC 81C400010000 add esp, 00000100
    :00403902 C21000 ret 0010

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004038B9(C)
    |
    :00403905 8B842408010000 mov eax, dword ptr [esp+00000108]
    :0040390C 6A00 push 00000000
    :0040390E 50 push eax

    * Reference To: USER32.EndDialog, Ord:00B4h
    |
    :0040390F FF1558954A00 Call dword ptr [004A9558]
    :00403915 33C0 xor eax, eax
    :00403917 5B pop ebx
    :00403918 81C400010000 add esp, 00000100
    :0040391E C21000 ret 0010

    * Possible Reference to String Resource ID=00045: "Bitte die Frogger-CD einlegen" <-- die, frog, die
    | <-- hahahahahaha
    :00403921 B92D000000 mov ecx, 0000002D
    :00403926 EB13 jmp 0040393B

    * Possible Reference to String Resource ID=00042: "Inserte el CD Frogger"
    |
    :00403928 B92A000000 mov ecx, 0000002A
    :0040392D EB0C jmp 0040393B

    * Possible Reference to String Resource ID=00044: "Veuillez insérer le CD Frogger"
    |
    :0040392F B92C000000 mov ecx, 0000002C
    :00403934 EB05 jmp 0040393B

    * Possible Reference to String Resource ID=00043: "Inserire il CD Frogger"
    |
    :00403936 B92B000000 mov ecx, 0000002B

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:004038CB(C), :00403926(U), :0040392D(U), :00403934(U)
    |
    :0040393B 8D442404 lea eax, dword ptr [esp+04]
    :0040393F 6800010000 push 00000100
    :00403944 50 push eax
    :00403945 51 push ecx
    :00403946 8B0D5C284800 mov ecx, dword ptr [0048285C]
    :0040394C 8B11 mov edx, dword ptr [ecx]
    :0040394E 52 push edx

    * Reference To: USER32.LoadStringA, Ord:0183h
    |
    :0040394F FF155C954A00 Call dword ptr [004A955C]
    :00403955 8D4C2404 lea ecx, dword ptr [esp+04]
    :00403959 8B942408010000 mov edx, dword ptr [esp+00000108]
    :00403960 51 push ecx

    * Possible Reference to Dialog: DialogID_0078, CONTROL_ID:0409, ""
    |
    :00403961 6809040000 push 00000409
    :00403966 52 push edx

    * Reference To: USER32.SetDlgItemTextA, Ord:01F1h
    |
    :00403967 FF1554954A00 Call dword ptr [004A9554]
    :0040396D B801000000 mov eax, 00000001
    :00403972 5B pop ebx
    :00403973 81C400010000 add esp, 00000100
    :00403979 C21000 ret 0010

    After running through some calls and tracing jumps I went back up to the beginning and traced
    backwards to calling routines.

    * Referenced by a CALL at Addresses:
    |:00402EC1 , :00406731
    |
    :00403680 53 push ebx
    :00403681 E85A010000 call 004037E0 <-- Find Frogger CD
    :00403686 85C0 test eax, eax
    :00403688 7524 jne 004036AE
    :0040368A 6A00 push 00000000
    :0040368C A15C284800 mov eax, dword ptr [0048285C]
    :00403691 6870384000 push 00403870
    :00403696 90 nop
    :00403697 8B10 mov edx, dword ptr [eax]
    :00403699 8B4804 mov ecx, dword ptr [eax+04]
    :0040369C 51 push ecx

    * Possible Reference to Dialog: DialogID_0078
    |
    :0040369D 6A78 push 00000078
    :0040369F 52 push edx

    * Reference To: USER32.DialogBoxParamA, Ord:008Eh
    |
    :004036A0 FF1514954A00 Call dword ptr [004A9514]
    :004036A6 85C0 test eax, eax
    :004036A8 7504 jne 004036AE <-- remember the mov eax, 00000001
    :004036AA 33C0 xor eax, eax <-- from the above routine?
    :004036AC 5B pop ebx
    :004036AD C3 ret

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:00403688(C), :004036A8(C)
    |
    :004036AE B801000000 mov eax, 00000001
    :004036B3 5B pop ebx
    :004036B4 C3 ret

    Okay, let's back trace it to the calling routines (from 402EC1 & 406731) and check
    it out there.

    * Referenced by a CALL at Address:
    |:00463406
    |
    :00402EB0 83EC10 sub esp, 00000010
    :00402EB3 53 push ebx
    :00402EB4 56 push esi
    :00402EB5 E806080000 call 004036C0
    :00402EBA C6059458490000 mov byte ptr [00495894], 00
    :00402EC1 E8BA070000 call 00403680 <-- Call to play into & CD check
    :00402EC6 85C0 test eax, eax
    :00402EC8 750F jne 00402ED9 <-- Need to take this to continue
    :00402ECA E8A1080000 call 00403770
    :00402ECF 33C0 xor eax, eax
    :00402ED1 5E pop esi
    :00402ED2 5B pop ebx
    :00402ED3 83C410 add esp, 00000010
    :00402ED6 C21000 ret 0010

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00402EC8(C)
    |
    :00402ED9 A094584900 mov al, byte ptr [00495894] <-- Set up to continue the game
    :00402EDE 50 push eax
    :00402EDF E82C090400 call 00443810
    :00402EE4 8B442420 mov eax, dword ptr [esp+20]
    :00402EE8 83C404 add esp, 00000004
    :00402EEB 6A00 push 00000000
    :00402EED 50 push eax
    :00402EEE 68E0354000 push 004035E0
    :00402EF3 E8E8670400 call 004496E0
    :00402EF8 83C40C add esp, 0000000C
    :00402EFB 85C0 test eax, eax
    :00402EFD 750F jne 00402F0E
    :00402EFF E86C080000 call 00403770
    :00402F04 33C0 xor eax, eax
    :00402F06 5E pop esi
    :00402F07 5B pop ebx
    :00402F08 83C410 add esp, 00000010
    :00402F0B C21000 ret 0010

    So if you NOP the call to the CD check and change the conditional jump to jump always you have
    half of the copy protection removed. Ok, now let's check the other call:

    * Referenced by a CALL at Address:

    |:0043CBC4
    |
    :00406730 56 push esi
    :00406731 E84ACFFFFF call 00403680 <-- Check for the CD
    :00406736 85C0 test eax, eax
    :00406738 750C jne 00406746 <-- Need to take this one
    :0040673A C70550BB4800FFFFFFFF mov dword ptr [0048BB50], FFFFFFFF <-- sets up "quit to win95"
    :00406744 5E pop esi
    :00406745 C3 ret

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00406738(C)
    |
    :00406746 E8B5C90000 call 00413100 <-- Continue with the game
    :0040674B 85C0 test eax, eax
    :0040674D 7420 je 0040676F
    :0040674F C705904A490001000000 mov dword ptr [00494A90], 00000001
    :00406759 C70500E2460000000000 mov dword ptr [0046E200], 00000000
    :00406763 C70504E24600FFFFFFFF mov dword ptr [0046E204], FFFFFFFF
    :0040676D EB0A jmp 00406779

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040674D(C)
    |
    :0040676F C705904A490000000000 mov dword ptr [00494A90], 00000000

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040676D(U)
    |
    :00406779 C7055854490000000000 mov dword ptr [00495458], 00000000
    :00406783 A1984A4900 mov eax, dword ptr [00494A98]
    :00406788 C1E002 shl eax, 02

    -- the rest of the game program --

    Changing this call to NOPs and changing the conditional jump to jump always will completely
    remove the CD checks and allow you to play Frogger from your hard drive without having to insert the
    Frogger CD. One nice side effect is you skip the Hasbro intro video at the start of the game and the
    short intro in the "attract" mode of the game. However you lose the ending and the credits video when
    you complete the game. None of these videos are copied to your hard drive during installation. When
    the program needs them it goes through a routine that plays the right video at 401FD0:

    * Referenced by a CALL at Addresses:
    |:0042BC70 , :0043C49C , :0043C4DC , :0043F030
    |
    :00401FD0 81EC40010000 sub esp, 00000140
    :00401FD6 53 push ebx
    :00401FD7 56 push esi
    :00401FD8 57 push edi
    :00401FD9 6A00 push 00000000

    * Reference To: USER32.ShowCursor, Ord:0228h
    |
    :00401FDB FF1508954A00 Call dword ptr [004A9508]
    :00401FE1 C7051CC2460001000000 mov dword ptr [0046C21C], 00000001

    * Possible StringData Ref from Data Obj ->"Starting to Play Stream."
    |
    :00401FEB 68BCC54600 push 0046C5BC
    :00401FF0 BF94584900 mov edi, 00495894
    :00401FF5 E8A6050000 call 004025A0
    -- snip --
    :00402030 F3 repz
    :00402031 A4 movsb

    * Possible StringData Ref from Data Obj ->":\video\" <-- pull it off CD
    |
    :00402032 BFB0C54600 mov edi, 0046C5B0
    :00402037 B9FFFFFFFF mov ecx, FFFFFFFF
    :0040203C 2BC0 sub eax, eax
    :0040203E F2 repnz
    -- snip --

    * Possible StringData Ref from Data Obj ->"InitMovie." <-- get ready to play it
    |
    :00402094 68A4C54600 push 0046C5A4
    :00402099 83E103 and ecx, 00000003
    :0040209C F3 repz
    :0040209D A4 movsb
    :0040209E E8FD040000 call 004025A0
    :004020A3 8D442420 lea eax, dword ptr [esp+20]
    :004020A7 83C404 add esp, 00000004
    :004020AA 6800004000 push 00400000
    :004020AF 50 push eax
    :004020B0 6A00 push 00000000
    :004020B2 6A00 push 00000000
    :004020B4 68F8C14600 push 0046C1F8

    * Reference To: winplay.Player_InitMovie, Ord:002Dh
    |
    :004020B9 E8BC160400 Call 0044377A
    :004020BE 83C414 add esp, 00000014
    :004020C1 8BF0 mov esi, eax
    :004020C3 85F6 test esi, esi
    :004020C5 740C je 004020D3
    :004020C7 33C0 xor eax, eax
    :004020C9 5F pop edi
    :004020CA 5E pop esi
    :004020CB 5B pop ebx
    :004020CC 81C440010000 add esp, 00000140
    :004020D2 C3 ret

    Anyways, if you kill the two calls I talked about, you end up with a cracked version of Frogger
    and it will not ask for the Frogger CD when you start. The program has never come up and asked for the CD
    when trying to play the video clips. Watching the original version run, it would go through the demo a
    couple of times, then play the short intro video. The cracked program goes through the same steps but never
    plays the video or "complains" about not being able to load it in... So you just need to make the edits to
    the frogger.exe file, make your edit by version: v1.001 is off the CD, v1.1e is the froggerpatch1.exe off the
    net. Frogger v3.0e (and 3.0u) are off the net from the file froggerpatch3.exe

    For V1.001 from the CD edit Frogger.exe
    ======================================================
    Search for: E8 BA 07 00 00 85 C0 75 0F (offset 8,833)
    Change to : 90 90 90 90 90 -- -- EB --

    Search for: E8 2A D0 FF FF 85 C0 75 0C (offset 23,057)
    Change to : 90 90 90 90 90 -- -- EB --


    For V1.1e from the net edit Frogger.exe
    ======================================================
    Search for: E8 BA 07 00 00 85 C0 75 0F (offset 8,897)
    Change to : 90 90 90 90 90 -- -- EB --

    Search for: E8 4A CF FF FF 85 C0 75 0C (offset 23,345)
    Change to : 90 90 90 90 90 -- -- EB --


    For V3.0e from the net edit Frogger.exe
    ======================================================
    Search for: E8 1A 08 00 00 85 C0 75 0F (offset 140,785)
    Change to : 90 90 90 90 90 -- -- EB --

    Search for: E8 2F 38 FF FF 85 C0 75 0D (offset 194,012)
    Change to : 90 90 90 90 90 -- -- EB --


    For V3.0u from the net edit Frogger.exe
    ======================================================
    Search for: E8 1A 08 00 00 85 C0 75 0F (offset 9,009)
    Change to : 90 90 90 90 90 -- -- EB --

    Search for: E8 3F CF FF FF 85 C0 75 0D (offset 91,122)
    Change to : 90 90 90 90 90 -- -- EB --
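    A defender-side counterpart to the patch table above, added here as an example and not part of the post: a small integrity audit of the kind a vendor's anti-tamper self-check, or an incident responder comparing a suspect file against a known-good copy, would run to tell an intact check site from one altered in the way the table describes (call replaced by NOPs, conditional jump forced). The offsets and original byte sequences are the v1.001 entries from the post; the image it scans is a constructed byte buffer, not frogger.exe.

```python
from typing import Optional

# Integrity audit for the two CD-check call sites in Frogger v1.001, using the
# offsets and original bytes from the post's patch table (decimal 8,833 and 23,057).
EXPECTED_SITES = {
    0x2281: bytes.fromhex("E8BA07000085C0750F"),  # call / test eax,eax / jne (offset 8,833)
    0x5A11: bytes.fromhex("E82AD0FFFF85C0750C"),  # call / test eax,eax / jne (offset 23,057)
}
NOP = 0x90        # one-byte no-op
JNE_REL8 = 0x75   # conditional short jump
JMP_REL8 = 0xEB   # unconditional short jump


def classify_site(data: bytes, offset: int, expected: bytes) -> str:
    """Report whether the check site at `offset` is 'intact', 'tampered' (matches the
    NOP-the-call, force-the-jump pattern the post describes) or 'unknown' (anything
    else, including a truncated image)."""
    actual = data[offset:offset + len(expected)]
    if len(actual) < len(expected):
        return "unknown"
    if actual == expected:
        return "intact"
    nopped_call = all(b == NOP for b in actual[:5])
    forced_jump = expected[7] == JNE_REL8 and actual[7] == JMP_REL8
    rest_untouched = actual[5:7] == expected[5:7] and actual[8:] == expected[8:]
    if nopped_call and forced_jump and rest_untouched:
        return "tampered"
    return "unknown"


def find_site(data: bytes, expected: bytes) -> Optional[int]:
    """Locate the original byte sequence, so a stated offset can be cross-checked
    against where the bytes actually sit in a given build."""
    idx = data.find(expected)
    return idx if idx >= 0 else None


def audit_image(data: bytes, sites=EXPECTED_SITES) -> dict:
    """Classify every known check site in one pass."""
    return {offset: classify_site(data, offset, expected) for offset, expected in sites.items()}


def build_sample_image(sites=EXPECTED_SITES) -> bytes:
    """Constructed stand-in for frogger.exe: 0xCC filler with the given byte blobs
    written at the table's offsets. Not the real executable."""
    image = bytearray(b"\xCC" * 0x6000)
    for offset, blob in sites.items():
        image[offset:offset + len(blob)] = blob
    return bytes(image)


# Constructed tampered variant: the bytes the post's "Change to" rows leave behind.
TAMPERED_SITES = {
    0x2281: bytes.fromhex("909090909085C0EB0F"),
    0x5A11: bytes.fromhex("909090909085C0EB0C"),
}

if __name__ == "__main__":
    for label, image in (("clean", build_sample_image()),
                         ("patched", build_sample_image(TAMPERED_SITES))):
        print(label, {f"{off:#x}": verdict for off, verdict in audit_image(image).items()})
```

    The three-way verdict matters in practice: a site that is neither the original bytes nor the known tamper pattern should be flagged for a human rather than silently treated as clean, since it may be a different build, a different patch, or corruption.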

  2. #22
    Professional | Morteza_SOS
    Join date: Apr 2006
    Posts: 577

    ===============================================================================================================
    Title : HEROES OF MIGHT AND MAGIC 3 : THE SHADOW OF DEAD (GAME)
    Version : (should work with any)
    Protection : Safedisc, Cd Check
    Producer :
    Cracker : Zaks (scorpion121@gmx.net)
    Tools : Unsafedisc, W32Dasm, Hiew, Softice
    Difficulty : Moderate (safedisc is very hard protection but with unsafedisc it is not a problem)
    Tutorial No. : 11
    Font : Courier New (8)
    ===============================================================================================================

    1) Install HOMM 3 : The Shadow Of Dead. It does not matter if you install it over Armageddon's Blade or not. Go to the dir where you installed it and look around. You notice files called clokspl.exe and heroes3.icd . These two files remind you that the game is protected by Safedisc (the real exe file is heroes3.icd). You run Unsafedisc (should be in this package) and quickly remove the Safedisc protection. Now erase heroes3.exe and rename testme.exe (created with Unsafedisc) to heroes3.exe. Back up heroes3.exe (heroes3.bak will be fine). Now test heroes3.exe (with cd) to see if it works. For me it works fine so I suspect it will work for you too. CTRL+D and you are in Softice. Put a breakpoint on getdrivetypea (bpx getdrivetypea) and run the game with the cd. Softice breaks, you press F12 to return to the caller, and you are in the middle of the check routine shown below:


    Disassembled part of heroes3.exe :

    * Referenced by a CALL at Address:
    |:004EDC16
    |
    :0050C430 55 push ebp
    :0050C431 8BEC mov ebp, esp
    :0050C433 81EC3C020000 sub esp, 0000023C
    :0050C439 53 push ebx
    :0050C43A 56 push esi
    :0050C43B 57 push edi

    * Possible StringData Ref from Data Obj ->"DATA\H3BITMAP.LOD"
    |
    :0050C43C BF5C0F6800 mov edi, 00680F5C
    :0050C441 83C9FF or ecx, FFFFFFFF
    :0050C444 33C0 xor eax, eax
    :0050C446 F2 repnz
    :0050C447 AE scasb
    :0050C448 F7D1 not ecx
    :0050C44A 2BF9 sub edi, ecx

    * Possible Reference to Dialog: DialogID_0067, CONTROL_ID:8000, "Heroes of Might and Magic III: The Shado"
    |
    :0050C44C 6800800000 push 00008000
    :0050C451 8BC1 mov eax, ecx
    :0050C453 8BF7 mov esi, edi
    :0050C455 BF28846900 mov edi, 00698428
    :0050C45A 6828846900 push 00698428
    :0050C45F C1E902 shr ecx, 02
    :0050C462 F3 repz
    :0050C463 A5 movsd
    :0050C464 8BC8 mov ecx, eax
    :0050C466 83E103 and ecx, 00000003
    :0050C469 F3 repz
    :0050C46A A4 movsb
    :0050C46B E86DE31000 call 0061A7DD
    :0050C470 83C408 add esp, 00000008
    :0050C473 83F8FF cmp eax, FFFFFFFF
    :0050C476 7541 jne 0050C4B9
    :0050C478 6814966900 push 00699614
    :0050C47D E8AEDC1000 call 0061A130
    :0050C482 83C404 add esp, 00000004
    :0050C485 83F8FF cmp eax, FFFFFFFF
    :0050C488 750C jne 0050C496
    :0050C48A 5F pop edi
    :0050C48B 5E pop esi
    :0050C48C B803000000 mov eax, 00000003
    :0050C491 5B pop ebx
    :0050C492 8BE5 mov esp, ebp
    :0050C494 5D pop ebp
    :0050C495 C3 ret



    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0050C488(C)
    |

    * Possible Reference to Dialog: DialogID_0067, CONTROL_ID:8000, "Heroes of Might and Magic III: The Shado"
    |
    :0050C496 6800800000 push 00008000
    :0050C49B 6828846900 push 00698428
    :0050C4A0 E838E31000 call 0061A7DD
    :0050C4A5 83C408 add esp, 00000008
    :0050C4A8 83F8FF cmp eax, FFFFFFFF
    :0050C4AB 750C jne 0050C4B9
    :0050C4AD 5F pop edi
    :0050C4AE 5E pop esi
    :0050C4AF B804000000 mov eax, 00000004
    :0050C4B4 5B pop ebx
    :0050C4B5 8BE5 mov esp, ebp
    :0050C4B7 5D pop ebp
    :0050C4B8 C3 ret



    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0050C476(C), :0050C4AB(C)
    |
    :0050C4B9 50 push eax
    :0050C4BA E83EE21000 call 0061A6FD
    :0050C4BF 83C404 add esp, 00000004

    * Reference To: KeRNeL32.GetLogicalDrives, Ord:0000h
    |
    :0050C4C2 FF15D8B06300 Call dword ptr [0063B0D8]
    :0050C4C8 8BF0 mov esi, eax
    :0050C4CA BF88986900 mov edi, 00699888
    :0050C4CF 83C9FF or ecx, FFFFFFFF
    :0050C4D2 33C0 xor eax, eax
    :0050C4D4 F2 repnz
    :0050C4D5 AE scasb
    :0050C4D6 F7D1 not ecx
    :0050C4D8 49 dec ecx
    :0050C4D9 0F849C000000 je 0050C57B
    :0050C4DF A088986900 mov al, byte ptr [00699888]
    :0050C4E4 0FBEC8 movsx ecx, al
    :0050C4E7 51 push ecx
    :0050C4E8 A2004A6800 mov byte ptr [00684A00], al
    :0050C4ED E8CDD21000 call 006197BF
    :0050C4F2 83E841 sub eax, 00000041
    :0050C4F5 BA01000000 mov edx, 00000001
    :0050C4FA 8BC8 mov ecx, eax
    :0050C4FC 83C404 add esp, 00000004
    :0050C4FF D3E2 shl edx, cl
    :0050C501 85D6 test esi, edx
    :0050C503 7476 je 0050C57B
    :0050C505 0441 add al, 41

    * Possible StringData Ref from Data Obj ->"A:\"
    |
    :0050C507 68E00B6800 push 00680BE0
    :0050C50C A2E00B6800 mov byte ptr [00680BE0], al

    * Reference To: KeRNeL32.GetDriveTypeA, Ord:0000h
    |
    :0050C511 FF15D4B06300 Call dword ptr [0063B0D4] // Softice breaks here
    :0050C517 83F805 cmp eax, 00000005 // cmp eax,5 = you are at the right place
    :0050C51A 755F jne 0050C57B
    :0050C51C 8D4DE0 lea ecx, dword ptr [ebp-20]
    :0050C51F E8FCC30800 call 00598920
    :0050C524 8B4004 mov eax, dword ptr [eax+04]
    :0050C527 85C0 test eax, eax
    :0050C529 7505 jne 0050C530
    :0050C52B B808B66300 mov eax, 0063B608

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0050C529(C)
    |

    * Possible Reference to Dialog: DialogID_0067, CONTROL_ID:8000, "Heroes of Might and Magic III: The Shado"
    |
    :0050C530 6800800000 push 00008000
    :0050C535 50 push eax
    :0050C536 E8A2E21000 call 0061A7DD
    :0050C53B 8BF8 mov edi, eax
    :0050C53D 8B45E4 mov eax, dword ptr [ebp-1C]
    :0050C540 83C408 add esp, 00000008
    :0050C543 85C0 test eax, eax
    :0050C545 741D je 0050C564
    :0050C547 8D48FF lea ecx, dword ptr [eax-01]
    :0050C54A 8A40FF mov al, byte ptr [eax-01]
    :0050C54D 84C0 test al, al
    :0050C54F 740A je 0050C55B
    :0050C551 3CFF cmp al, FF
    :0050C553 7406 je 0050C55B
    :0050C555 FEC8 dec al
    :0050C557 8801 mov byte ptr [ecx], al
    :0050C559 EB09 jmp 0050C564

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0050C54F(C), :0050C553(C)
    |
    :0050C55B 51 push ecx
    :0050C55C E82FF20F00 call 0060B790
    :0050C561 83C404 add esp, 00000004

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0050C545(C), :0050C559(U)
    |
    :0050C564 83FFFF cmp edi, FFFFFFFF
    :0050C567 7412 je 0050C57B
    :0050C569 57 push edi
    :0050C56A E88EE11000 call 0061A6FD
    :0050C56F 83C404 add esp, 00000004
    :0050C572 33C0 xor eax, eax
    :0050C574 5F pop edi
    :0050C575 5E pop esi
    :0050C576 5B pop ebx
    :0050C577 8BE5 mov esp, ebp
    :0050C579 5D pop ebp
    :0050C57A C3 ret


    2) Trace with F10 (long trace) until you reach ret and before executing it, see the values of eax and ebx (? eax and ? ebx). With the cd in, eax is 0 and ebx is 1. Press F5 until the game starts and quit. Now run the game without the cd. Once again Softice breaks, you press F12 then trace (F10) until you are on the line with ret and get the values of eax and ebx. Without the cd eax is 2 and ebx is 1 (again). You see the ebx value is not important here (it is the same with the cd in and out). You disassemble heroes3.bak with W32Dasm, go to the check routine (shown above) and note the offset of the line

    :0050C430 55 push ebp // Here the check begins

    which is 10c430 for me.

    3) Now you will make this check (well, it will not be a check any more) always return eax 0. Open heroes3.exe with Hiew. F4-decode, F5-goto 10c430, F3-edit, F2-asm and write mov eax,0 ENTER ret ENTER. ESC-exit edit, F9-update, ESC-exit. Run heroes3.exe. The game runs and there is a message that the game found the Heroes 3 Restoration Of Erathia cd and you can not play Shadow Of Dead with this cd. This message must not disappoint you. It just shows you that you are on the right way. Quit the game and change eax to 1 (do it with hiew as shown above) then run the game. The message this time is that the SOD cd rom was not found. Well, quit and change eax to 3 (remember that eax 2 means the cd is not found too) and run the game. Hmm, a startup error message, never mind, change eax to 4 and run it again. Another startup error, never mind, change eax to 5 and run it again. This time it runs and once again the message says that the game found the Heroes 3 Restoration Of Erathia cd. Hmm, boring, quit, change eax to 6 and run it again. Phew, this time it says that the Armageddon's Blade cd was found. Quit and change eax to 7 (I am sure you are getting close) and run the game again. Super, no evil messages so the game thinks that the SOD cd is in. Enjoy the game.

  3. #23
    Professional | Morteza_SOS
    Join date: Apr 2006
    Posts: 577

    Target game: Indy Jones 3D
    Toolz: SICE (Wdasm)
    Level: 1
    Protection: CD-Check(s)

    Some thoughts about the target

    Mm.. it was a few years (FEW) since I last played any Indy Jones game (The Last Crusade btw)
    and I thought it rocked! And now I got this new Indy game which I thought had to be cool
    too.. but I was wrong. Since I never liked any Tomb Raider I dont like Indy Jones 3d either..

    But anywayz.. should we look at protection now..?..alrighty

    I admit I had some troubles finding the correct breakpoint and with the first few
    tries I was also going after the wrong .EXE. Surprisingly the check was found in the
    loader! But thx to [yAtEs] for giving me the correct breakpoint.

    You might want to disasm Jones3D.w32 (or whatever) in Wdasm but that's not necessary
    (though it's easier to find the offset in Wdasm). But since this is for newbies we'll use
    Wdasm.. and ur prolly dying to know the breakpoint.. or u already know it? Nope. It's not
    GetDriveTypeA... it's GetVolumeInformationA (I can't believe how I could've missed it!)
    I also spared u the effort of finding the correct return codes for passed/failed checks
    (If ur not sure which return code is for a passed check, insert the original CD, breakpoint
    and check the EAX, usually 1 is for passed and 0 for failed)


    * Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
    |
    :00403D67 FF1554C04000 Call dword ptr [0040C054]
    :00403D6D 85C0 test eax, eax <-- The initial (1 for passed, 0 for failed)
    :00403D6F 7473 je 00403DE4 <-- check for the correct CD
    :00403D71 8B4DEC mov ecx, dword ptr [ebp-14]
    :00403D74 3BCB cmp ecx, ebx
    :00403D76 7405 je 00403D7D
    :00403D78 8B41F0 mov eax, dword ptr [ecx-10]
    :00403D7B EB02 jmp 00403D7F

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00403D76(C)
    |
    :00403D7D 33C0 xor eax, eax

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00403D7B(U)
    |
    :00403D7F 3BCB cmp ecx, ebx
    :00403D81 889C05E0FEFFFF mov byte ptr [ebp+eax-00000120], bl
    :00403D88 7405 je 00403D8F
    :00403D8A 8B49FC mov ecx, dword ptr [ecx-04]
    :00403D8D EB02 jmp 00403D91

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00403D88(C)
    |
    :00403D8F 8BCF mov ecx, edi

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00403D8D(U)
    |
    :00403D91 8D85E0FEFFFF lea eax, dword ptr [ebp+FFFFFEE0]
    :00403D97 50 push eax
    :00403D98 51 push ecx

    * Reference To: KERNEL32.lstrcmpiA, Ord:02FFh
    |
    :00403D99 FF15A8C04000 Call dword ptr [0040C0A8]
    :00403D9F 85C0 test eax, eax <-- The other
    :00403DA1 7541 jne 00403DE4 <-- check

    Ok.. reverse the jumps to make the check passed.. or do as I did.. (its not
    that different)

    :403D6D 85C0 -> 4090 (INC EAX, NOP) <- Sets EAX always 1, thus pass the check
    :403D9F 85C0 -> 4090 .. same thing here (if I dont remember wrong..)

    That's all.. or not.. I found out that disabling this check WON'T let u play Indy Jones.. and
    I was too lazy to see why the game exits to Windoze every time (after the line's
    been drawn on the map).. but anywayz this is just another cd-check tut amongst the others
    so I dont care .. find out yourself or buy the game (I guess the game couldn't find the
    file(s) for the first level.. see error.txt)

    (note for r!SC: YES! This game was original, Full version, but I did NOT buy it)

  4. #24
    Professional | Morteza_SOS
    Join date: Apr 2006
    Posts: 577

    CDilla Cracking:

    MidTown Madness French version : Another approach on cdilla

    Tutorial by ACiD BuRN [Immortal Descendants]
    (October 6th, 1999)




    Tools needed : * Original CD of Midtown madness
    * Soft ice 3.23
    * soft ice tool to patch sice (used to dump sections)
    * Hex Workshop
    * Frog ice (to hide soft ice)
    * Procdump (for PE Editor)
    * Exescope



    Introduction:

    Hello all, I know there is already a tutor on Midtown Madness by Black Check
    but the way to crack it is not the same as his, and I will explain more things
    than he did about pasting our new dumped sections into the cracked exe.
    I also assume you read this tut, and you know some things about the PE file format...





    let's kick cdilla 's ass :


    After installing your little game , PE edit the ".icd" files with procdump.
    (Fire up procdump , click on PE Editor , Browse to your ".icd" file , there it is
    Midtown.icd ...
    now , you must see :

    - Entry Point : 00166C10
    - Image Base : 00400000

    ok, we will need the OEP (Original Entry Point) later, so to get it just add
    the Image Base and the Entry Point you got in procdump: 00400000 + 00166C10 = 566C10

    now , click on the "sections" Button , to see all sections of the file :


    you will only need to have the Virtual Offset , Raw Size , and Raw Offset values!


    - for the ".text" section :


    Virtual Offset: 00001000
    Raw Size: 18D78F
    Raw Offset: 600


    - for the ".Rdata" section :


    Virtual Offset: 0018F000
    Raw Size: 14C99
    Raw Offset: 18DE00



    - for the ".data" section :


    Virtual Offset: 001A4000
    Raw Size: 3D8A4
    Raw Offset: 1A2C00



    - for the ".data1" section :


    Virtual Offset: 00314000
    Raw Size: 20
    Raw Offset: 1E0600


    - for the ".rsrc" section :


    Virtual Offset: 00315000
    Raw Size: CB3
    Raw Offset: 1E0800


    Now, we will dump all the sections of the ".icd" file, except the ".Rdata"; you will see
    later why....
    btw, you need to add the image base to the Virtual Offset of all sections:

    .text : 400000 + 00001000 = 00401000
    .rdata : 400000 + 0018F000 = 0058F000
    .data : 400000 + 001A4000 = 005A4000
    .data1 : 400000 + 00314000 = 00714000
    .rsrc : 400000 + 00315000 = 00715000


    ok, now we gonna dump all these sections (except the .rdata)
    For this, we will need to put a breakpoint on the OEP (566C10 for us)
    btw, I assume you read the Black Check tutor, and you patched your Frog ice to
    hide your soft ice, else go and read the nice tut before...
    Fire up your patched Frog ice, and run your original game.
    You will see a little video; at this time, make soft ice appear (ctrl+D), and set
    a bpx on the OEP: Bpx 56CC10 for this game!
    Press F5 to make the game run again and close it after...
    Now, run it, and it normally breaks on 56CC10; if it doesn't, look if you set the bpx
    to the good place (bl: you must get something like this: #025F:56CC10)
    I assume it broke, now you can dump all the sections.
    Before dumping, disable all your bpx, we don't want shits in our dumped sections...
    the pagein command works like this :

    pagein "address to dump start" "size" "file name"
    so, just type this in soft ice:


    pagein 401000 18D78F c:\text.bin
    pagein 5A4000 3D8A4 c:\data.bin
    pagein 714000 20 c:\data1.bin
    pagein 715000 CB3 c:\rsrc.bin

    OK, this dumped the sections to our hard disk!!

    Now we have to do the "nice" part!! Dumping our rdata section, which is not
    like the others!!
    First of all, you have to get the real address of the function, so we will trace into
    the call to our rdata section.

    After breaking , we land here:


    00566C10 PUSH EBP <-- we break here , on entry point
    00566C11 MOV EBP,ESP
    00566C13 PUSH FF
    00566C15 PUSH 005968D0
    00566C1A PUSH 00566724
    00566C1F MOV EAX,FS:[00000000]
    00566C25 PUSH EAX
    00566C26 MOV FS:[00000000],ESP
    00566C2D ADD ESP, -5C
    00566C30 PUSH EBX
    00566C31 PUSH ESI
    00566C32 PUSH EDI
    00566C33 MOV [EBP-18],ESP
    00566C36 CALL [0058F14C] <-- this is the call in our rdata section , trace it (F8)


    Inside this call we land here:

    009A6485 pushad
    009A6486 push 00000031
    009A6488 push 00000000 ---> 0 means kernel imports; it will be 1 for user imports...
    009A6490 call [9A64A6] --> gets the real address of the function (9A64A6)
    009A6496 add esp, 8
    009A6499 popad
    ....... jmp [XXXXXXXX]


    Trace this code and you will see the jmp [XXXXXXXX] become jmp [KERNEL32!GetVersion]...
    OK, good, you are on the right track.
    We are nearly ready to start coding the call fixer!!
    Anyway, we need to know how many kernel and user imports there are in this game!!
    OK, there are several ways to do this: you can disassemble the ".icd" with W32Dasm
    and count them, you can trace in SoftICE too, but I used a tool called eXeScope
    to see how many imports it has...
    Anyway, in my midtown.icd I got:

    - 127 kernel imports
    - 042 user imports

    OK, but we need these numbers in hexadecimal, because SoftICE only uses hex values =)
    127 = 7Fh
    42 = 2Ah

    My favourite part comes now!! Coding the call fixer.
    First of all, we don't have write access (read-only access) to the Rdata section, so
    we will move the rdata section to the data section's place..
    To code the call fixer I start coding at the OEP, so enable your bpx on it and
    run the game again; wait until we break...
    Now we have to move the rdata section into the data section's place in memory.
    To do this, just type:

    m "virtual offset of rdata section + image base" l "rdata size" "data virtual offset"
    NOTE: For the data virtual offset, use a bigger number; it is better...
    5A4000 is our normal virtual offset; I used 5B0000 (bigger, like I said)

    So just type this:

    m 58F000 l 14C99 5B0000

    ok, now time code !!

    you are at the line : 566C10 PUSH EBP

    we will code something looking like this :

    00 pushad
    01 push ebx
    02 push 0
    04 call [XXXXXXXX]
    0A add esp,8
    0D mov edx, XXXXXX
    12 cmp eax,[edx]
    14 je 20
    16 inc edx
    17 cmp edx, XXXXXX + XXXXX
    1D jne 12
    1F int 03
    20 mov [edx],ecx
    22 popad
    23 inc ebx
    24 cmp ebx, XX
    2A jne 00
    2C int 03

    so , let's go :

    Type in soft ice: A "press enter"

    and code :

    566C10 pushad
    566C11 push ebx
    566C12 push 0
    566C14 call [009A64A6] <-- real address , we found this when we traced in the call
    566C1A add esp,8
    566C1D mov edx, 5B0000 <-- address where we copied our .rdata section in
    566C22 cmp eax,[edx]
    566C24 je 566C40
    566C26 inc edx
    566C27 cmp edx, 5B0000 + 14C99 <-- adress where we copied our .rdata in + rdata size
    566C3D jne 566C22
    566C3F int 03 <-- safety: if it finds no match, break here.
    566C40 mov [edx],ecx
    566C42 popad
    566C43 inc ebx
    566C44 cmp ebx, 7F <-- number of api to fix
    566C4A jne 566C10
    566C4C int 03


    Now set ebx to 0 (R EBX 0), set your EIP to line 0 (line 0 = 566C10 here, so R EIP 566C10),
    type "i3here on" and press F5 to run it; normally you should break on 566C4C...
    Now set your ebx back to 0, change line 02 (566C12 here) to "push 1", change line 24 to
    'cmp ebx, user_import_number' (2A for us) and set EIP back to line 0 (R EIP 566C10).
    Run it again. Normally all is OK now; it should break on 566C4C again...
    Now we can dump our rdata section safely:

    pagein 5B0000 14C99 c:\rdata.bin


    Hehe!! Now we just have to rebuild a working executable file.
    I tried ProcDump to import the sections, but this bitch didn't change anything, so I
    imported my sections manually; I will show you everything.
    First, make a copy of the ".icd" file (for us: Midtown.icd) and rename it to whatever
    name you want, but with the ".exe" extension, e.g. damnit.exe

    Now fire up HexWorkshop, open "damnit.exe", and also open the first section we dumped.
    It was: c:\text.bin...

    Now you need the raw offset of each section; I wrote them at the start of the tutorial
    but I will rewrite them here to help you understand this crap :p


    for the ".text" section : Raw Offset: 600 size : 18D78F
    for the ".Rdata" section : Raw Offset: 18DE00 size : 14C99
    for the ".data" section : Raw Offset: 1A2C00 size : 3D8A4
    for the ".data1" section : Raw Offset: 1E0600 size : 20
    for the ".rsrc" section : Raw Offset: 1E0800 size : CB3


    OK, you have got all the shit here!! We want to do the first section, ".text", so:

    In HexWorkshop press Alt+F5, enter the raw offset of the section you want to paste
    (here: 600) and click OK. Now go to the Edit menu and click "Select Block";
    enter the size of the section, here: 18D78F...
    Now look at the other open file (text.bin) and press Ctrl+A to select all..
    Now go back to the main executable window in HexWorkshop and paste the bytes you just
    copied into the clipboard: Ctrl+V, or Edit menu, Paste...
    Save your file. GOOD!! You just updated the '.text' section with our dumped section!!

    OK, I will do another section import with you, and you will do the others the same way!

    2nd section: Rdata!

    You can close the 'text.bin' window and open the file 'rdata.bin' with HexWorkshop.
    Click on the main exe window, press Alt+F5, enter the raw offset of
    the rdata section: 18DE00. Click OK, go to the Edit menu, then "Select Block", enter the
    rdata section size: 14C99...
    Look at the rdata.bin window, press Ctrl+A to select all bytes, and go back to the
    main executable (damnit.exe) window in HexWorkshop... Now just paste them with Ctrl+V
    or with Paste in the Edit menu..
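
    Added example, not part of the post above or of any of the tools it names: a small Python script that reads the same PE fields the walkthrough copies out of ProcDump by hand (image base, entry point, each section's virtual offset, raw size and raw offset), computes the OEP, maps a virtual address such as the 566C10 breakpoint back to a file offset, and writes a dumped section over the matching raw bytes, which is what the HexWorkshop Alt+F5 / Select Block / Paste sequence at the end of the post does. The PE image it parses is constructed in memory from the section table quoted in the post (the VirtualSize fields, which the post does not show, are assumed equal to the raw sizes); the function names and the file names are mine, not the post's.

```python
"""Added example (not the post's code): read a PE32 section table, compute the
OEP, map VA -> file offset and paste a dumped section over its raw bytes.
The image parsed here is constructed from the section table quoted in the
post; it is not the game's file."""
import struct
from dataclasses import dataclass

IMAGE_BASE = 0x400000          # Image Base shown by ProcDump for Midtown.icd
ENTRY_RVA = 0x166C10           # Entry Point shown by ProcDump (an RVA)
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int       # ProcDump "Virtual Offset" (RVA)
    virtual_size: int
    raw_size: int              # ProcDump "Raw Size"   (SizeOfRawData)
    raw_offset: int            # ProcDump "Raw Offset" (PointerToRawData)


# Section table quoted in the post. VirtualSize is not shown there, so the
# constructed image assumes it equals the raw size.
POST_SECTIONS = [
    Section(".text",  0x001000, 0x18D78F, 0x18D78F, 0x000600),
    Section(".Rdata", 0x18F000, 0x014C99, 0x014C99, 0x18DE00),
    Section(".data",  0x1A4000, 0x03D8A4, 0x03D8A4, 0x1A2C00),
    Section(".data1", 0x314000, 0x000020, 0x000020, 0x1E0600),
    Section(".rsrc",  0x315000, 0x000CB3, 0x000CB3, 0x1E0800),
]


def parse_pe(pe: bytes):
    """Return (image_base, entry_rva, sections) from a PE32 image in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * struct.calcsize(SECTION_HDR)
        name, vsize, va, rsize, roff, *_ = struct.unpack_from(SECTION_HDR, pe, off)
        sections.append(Section(name.rstrip(b"\0").decode(), va, vsize, rsize, roff))
    return image_base, entry_rva, sections


def va_to_file_offset(image_base: int, sections, va: int) -> int:
    """Map a virtual address (e.g. a SoftICE breakpoint) to a file offset."""
    rva = va - image_base
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            return rva - s.virtual_address + s.raw_offset
    raise ValueError(f"VA {va:#x} is not backed by any section")


def paste_section(image: bytearray, section: Section, dump: bytes) -> None:
    """Overwrite a section's raw bytes with a dumped copy (the HexWorkshop step).
    A dump of the wrong length would shift every following section, so refuse it."""
    if len(dump) != section.raw_size:
        raise ValueError(f"{section.name}: dump is {len(dump):#x} bytes, "
                         f"raw size is {section.raw_size:#x}")
    end = section.raw_offset + section.raw_size
    if end > len(image):
        raise ValueError(f"{section.name}: raw data runs past end of file")
    image[section.raw_offset:end] = dump


def build_image(image_base: int, entry_rva: int, sections) -> bytearray:
    """Constructed minimal PE32 image carrying the given section table (test data)."""
    opt = bytearray(224)                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    img = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", img, 0x3C, 0x40)    # e_lfanew
    img += b"PE\0\0" + coff + opt
    for s in sections:
        img += struct.pack(SECTION_HDR, s.name.encode(), s.virtual_size,
                           s.virtual_address, s.raw_size, s.raw_offset,
                           0, 0, 0, 0, 0x60000020)
    size = max(s.raw_offset + s.raw_size for s in sections)
    img += b"\0" * (size - len(img))           # zero-filled section bodies
    return img


if __name__ == "__main__":
    img = build_image(IMAGE_BASE, ENTRY_RVA, POST_SECTIONS)
    base, entry, secs = parse_pe(img)
    print(f"OEP = {base + entry:#x}")
    for s in secs:
        print(f"{s.name:7} VA {base + s.virtual_address:#08x} "
              f"raw {s.raw_size:#x} @ {s.raw_offset:#x}")
    paste_section(img, secs[3], b"\xAA" * secs[3].raw_size)   # stand-in for data1.bin
    print(f"entry point is at file offset "
          f"{va_to_file_offset(base, secs, base + entry):#x}")
```

    Running it prints the OEP (0x566c10), the section table with the image base added, and the file offset of the entry point (0x166210). To use it on a real dump, read the .icd copy into a bytearray, call parse_pe on it, paste each c:\*.bin dump with paste_section, and write the buffer back out; the length check refuses a dump that is not exactly the section's raw size, which is the mistake that silently shifts every following section when the paste is done by hand.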

    #25 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    Incoming - CD crack by Static Vengeance

    Requirements:
    Hex Editor and Full Install
    W32Dasm if you want to follow along

    NOTE: I'm using the bundled version of Incoming that came with my CL Voodoo2 card. The retail
    version MAY be slightly different and I don't know if the edits listed will work with any other version
    of Incoming. However, the SAME process will work for "all" other versions of Incoming.

    Incoming is a great little game that really shows off my Voodoo2 card. Great graphics and effects
    make for a great game. However, there is a little bug I have run into with Incoming, a bug that must
    be FiX'ed before I can fully enjoy the game. The bug I'm talking about is the CD check (actually it
    has multiple CD checks) you run into before you can play a game. So I loaded up W32Dasm from URSoft
    and disassembled Incoming to remove the CD checks. When you run the game without the CD present you
    get a little Win95 pop-up dialog that says "CD not present." and you're dumped back to Win95. So I
    went up to the menu bar and selected "Refs", then selected "String data references" from the drop-down
    menu. Once the string refs box came up I grabbed the slider bar and scrolled down to "CD not present"
    and double clicked on it. This put me in the middle of this section of code:

    :0042675E E84FABFDFF call 004012B2
    :00426763 85C0 test eax, eax
    :00426765 0F8457030000 je 00426AC2
    :0042676B 8B0DE01F6700 mov ecx, dword ptr [00671FE0]
    :00426771 E893AEFDFF call 00401609 <-- Some type of check for the CD?
    :00426776 85C0 test eax, eax <-- Test the result returned in eax
    :00426778 750D jne 00426787 <-- Take this to jump over the "bad" code

    * Possible StringData Ref from Data Obj ->"CD not present." <-- One thing we don't want to see pop up
    |
    :0042677A 68544B4800 push 00484B54
    :0042677F E896ACFDFF call 0040141A
    :00426784 83C404 add esp, 00000004

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00426778(C)
    |
    :00426787 8B4D10 mov ecx, dword ptr [ebp+10] <-- Continue with the game
    :0042678A E8A1040000 call 00426C30
    :0042678F 85C0 test eax, eax
    :00426791 0F842B030000 je 00426AC2
    :00426797 897D98 mov dword ptr [ebp-68], edi
    :0042679A 8B15E01F6700 mov edx, dword ptr [00671FE0]
    :004267A0 8BCE mov ecx, esi
    :004267A2 E8CAAAFDFF call 00401271

    Having a call, a test and a conditional jump right before it prints the "CD not present." string
    means we need to check out the call to 401609. At 401609 you see it just jumps to 427960. So let's check
    out that section of code and see what it does:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00401609(U)
    |
    :00427960 83EC2C sub esp, 0000002C
    :00427963 56 push esi

    * Reference To: WINMM.mciSendCommandA, Ord:0032h <-- This is all I need to see
    |
    :00427964 8B35A0B9B300 mov esi, dword ptr [00B3B9A0]
    :0042796A 57 push edi
    :0042796B 8D442420 lea eax, dword ptr [esp+20]
    :0042796F 50 push eax
    :00427970 6802300000 push 00003002
    :00427975 890DA04E6700 mov dword ptr [00674EA0], ecx
    :0042797B 890D984A6700 mov dword ptr [00674A98], ecx
    -- More code to this routine --

    You can see Incoming checks for the CD via calls through the Windows Multimedia (WINMM) DLL. As
    long as there is no special value returned we can overwrite the call 401609 (E8 93 AE FD FF) with
    mov eax, 00000001 (B8 01 00 00 00). This will force the conditional jump to always be taken and prevent
    Incoming from checking for the CD through the code at 427960. So I ran Incoming and it started loading...
    loading further, but up pops the "CD not present" warning. So there is another call to the CD check or
    a second routine that checks for the CD. Back to the disassembled listing and back to looking for more
    clues. Looking through the imported DLL list you see the KERNEL32 calls. Scrolling down the list you'll
    see the GetDriveTypeA call being used. The most common place I have seen that call used is in CD checks.
    Using the "Find Text" function of W32Dasm I searched for GetDriveTypeA and was rewarded with this:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004016D6(U)
    |
    :0043E220 A19C805400 mov eax, dword ptr [0054809C] <-- Load some kind of flag value
    :0043E225 85C0 test eax, eax <-- Test it
    :0043E227 56 push esi <-- If we push it we HAVE to pull it!
    :0043E228 0F85AE000000 jne 0043E2DC <-- Jump if not zero to a return
    :0043E22E 803DB8C548005A cmp byte ptr [0048C5B8], 5A
    :0043E235 C7059C80540001000000 mov dword ptr [0054809C], 00000001 <-- Setting the flag to 00000001
    :0043E23F 744F je 0043E290 <-- We'll make use of this jump

    * Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh <-- Text string that got us here
    |
    :0043E241 8B3514B8B300 mov esi, dword ptr [00B3B814]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0043E283(U)
    |

    * Possible StringData Ref from Data Obj ->"D:\" <-- Start with D drive as CD rom
    |
    :0043E247 68B8C54800 push 0048C5B8
    :0043E24C FFD6 call esi
    :0043E24E 83F805 cmp eax, 00000005 <-- 05 is the value for CD Rom drives
    :0043E251 7520 jne 0043E273
    :0043E253 A0B8C54800 mov al, byte ptr [0048C5B8]

    * Possible StringData Ref from Data Obj ->"r" <-- Set up for a read
    |
    :0043E258 6824194900 push 00491924

    * Possible StringData Ref from Data Obj ->"D:\rage.ico" <-- The file on the CD to check for
    |
    :0043E25D 68C0C54800 push 0048C5C0
    :0043E262 A2C0C54800 mov byte ptr [0048C5C0], al
    :0043E267 E8D4BD0200 call 0046A040
    :0043E26C 83C408 add esp, 00000008
    :0043E26F 85C0 test eax, eax
    :0043E271 7512 jne 0043E285 <-- Take this jump for a GOOD CD check

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0043E251(C)
    |
    :0043E273 A0B8C54800 mov al, byte ptr [0048C5B8]
    :0043E278 FEC0 inc al
    :0043E27A 3C5A cmp al, 5A <-- Check up to 5Ah times
    :0043E27C A2B8C54800 mov byte ptr [0048C5B8], al
    :0043E281 740D je 0043E290 <-- Failed too many times
    :0043E283 EBC2 jmp 0043E247 <-- Go back up and try again

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0043E271(C)
    |
    :0043E285 50 push eax <-- Getting here is good CD check
    :0043E286 E8C5BB0200 call 00469E50
    :0043E28B 83C404 add esp, 00000004
    :0043E28E 5E pop esi <-- We NEED to get here from our jump!!
    :0043E28F C3 ret

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: <-- Getting here means CD check failed
    |:0043E23F(C), :0043E281(C)
    |
    :0043E290 8B0DF85B4A00 mov ecx, dword ptr [004A5BF8]
    :0043E296 51 push ecx

    * Possible StringData Ref from Data Obj ->"%s"
    |
    :0043E297 6898224800 push 00482298
    :0043E29C 6898164A00 push 004A1698

    * Reference To: USER32.wsprintfA, Ord:0264h
    |
    :0043E2A1 FF158CB8B300 Call dword ptr [00B3B88C]
    :0043E2A7 83C40C add esp, 0000000C
    :0043E2AA E8D837FCFF call 00401A87
    :0043E2AF 6A00 push 00000000

    * Possible StringData Ref from Data Obj ->"Incoming Error Report." <-- Header for No CD present
    |
    :0043E2B1 68545E4800 push 00485E54
    :0043E2B6 6898164A00 push 004A1698
    :0043E2BB 6A00 push 00000000

    * Reference To: USER32.MessageBoxA, Ord:0195h
    |
    :0043E2BD FF15F8B8B300 Call dword ptr [00B3B8F8]
    :0043E2C3 8B15E01F6700 mov edx, dword ptr [00671FE0]
    :0043E2C9 6A00 push 00000000
    :0043E2CB 68439C0000 push 00009C43
    :0043E2D0 6811010000 push 00000111
    :0043E2D5 52 push edx

    * Reference To: USER32.SendMessageA, Ord:01DAh
    |
    :0043E2D6 FF1548B9B300 Call dword ptr [00B3B948]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0043E228(C)
    |
    :0043E2DC 5E pop esi
    :0043E2DD C3 ret <-- Finally return

    The best way I can see to bypass this routine would be to kill the call to the above section of
    code. I traced back and found jump after jump after jump with no easy way to kill the call to this CD check.
    Instead I thought I would use the conditional jump at 43E23F to get us down to where we need to be.
    Because the code does a push esi we need to get to the line that does the pop esi. The conditional jump
    I chose actually jumps two (2) bytes beyond the place we want to get to. Changing this to an unconditional
    jump with the right offset is a simple crack for this one. The whole reason I chose the second
    conditional jump and not the jne long (0F 85 AE 00 00 00) at 43E228 was that the code checks a flag and then turns
    around and sets the flag. Why not let the code set the flag for us and then bypass the rest of the code!
    You never know when some other part of the game will also check that flag value for 00000001. Anyway,
    to continue, there is another exact copy of the above CD check at 43EAC0 and the same type of edit will
    bypass it as well. I installed the different language versions of Incoming and all seem to be using the
    same exe file, so I only need to give one set of edits for all the different language installs. The only
    thing left to do is to make the actual edits to the file:

    Edit incoming.exe
    =============================================
    Search for: E8 93 AE FD FF at offset 154,481
    Change to : B8 01 00 00 00

    At offset 251,455 -AND- offset 253,663

    Search for: 74 4F 8B 35 14
    Change to : EB 4D -- -- --

    It was a little bit more work than the average CD check, but Incoming is now FiX'ed

    #26 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    Name : Need for Speed 3

    Target : nfs3.exe

    Tools : W32Dasm
    Hiew
    Brain

    Cracker : LW2000

    Tutorial : No.30




    ---
    DISCLAIMER
    For educational purposes only!
    I hold no responsibility of the mis-used of this material!
    ---



    1. OK, do a full installation of NFS3. Try to play without
    the CD. *BOOM* error message. Note the text and caption.
    Then disassemble nfs3.exe with W32Dasm. Click on the SDR button
    and search for our text. Text not found?
    Then search for the caption of the window.


    Possible StringData Ref from Data Obj ->"Need for Speed 3"

    004B637A 683CFE5300 push 0053FE3C
    004B637F 8B5485DC mov edx, dword ptr [ebp+4*eax-24]
    004B6383 52 push edx
    004B6384 6A00 push 00000000

    Reference To: USER32.MessageBoxA, Ord:001Fh

    004B6386 2EFF1564475300 call dword ptr cs:[00534764]
    004B638D 31C0 xor eax, eax
    004B638F E870990200 call 004DFD04

    Referenced by a (U)nconditional or (C)onditional Jump at Address:
    004B6362(C)

    004B6394 E807FFFFFF call 004B62A0
    004B6399 85C0 test eax, eax
    004B639B 755A jne 004B63F7
    004B639D 31D2 xor edx, edx
    004B639F EB19 jmp 004B63BA

    Referenced by a (U)nconditional or (C)onditional Jump at Address:
    004B63C3(C)

    004B63A1 88D0 mov al, dl
    004B63A3 0441 add al, 41
    004B63A5 8845F4 mov byte ptr [ebp-0C], al
    004B63A8 8D45F4 lea eax, dword ptr [ebp-0C]
    004B63AB E8809F0300 call 004F0330 <<-- cd check call
    004B63B0 85C0 test eax, eax <<-- check
    004B63B2 7543 jne 004B63F7 <<-- bad boy !!!


    Referenced by a (U)nconditional or (C)onditional Jump at Address:
    004B63C5(U)

    004B63B4 42 inc edx
    004B63B5 83FA1A cmp edx, 0000001A
    004B63B8 7D0D jge 004B63C7

    Referenced by a (U)nconditional or (C)onditional Jump at Address:
    004B639F(U)

    004B63BA 89D0 mov eax, edx
    004B63BC E84F300400 call 004F9410
    004B63C1 85C0 test eax, eax
    004B63C3 75DC jne 004B63A1
    004B63C5 EBED jmp 004B63B4

    Referenced by a (U)nconditional or (C)onditional Jump at Address:
    004B63B8(C)

    004B63C7 B906000000 mov ecx, 00000006
    004B63CC 8D7DC4 lea edi, dword ptr [ebp-3C]
    004B63CF BEAC564B00 mov esi, 004B56AC
    004B63D4 6A30 push 00000030
    004B63D6 A1503A7A00 mov eax, dword ptr [007A3A50]
    004B63DB F3 repz
    004B63DC A5 movsd

    Possible StringData Ref from Data Obj ->"Need for Speed 3"
    004B63DD 683CFE5300 push 0053FE3C
    004B63E2 8B4C85C4 mov ecx, dword ptr [ebp+4*eax-3C]
    004B63E6 51 push ecx
    004B63E7 6A00 push 00000000

    Reference To: USER32.MessageBoxA, Ord:001Fh

    004B63E9 2EFF1564475300 call dword ptr cs:[00534764]
    004B63F0 31C0 xor eax, eax
    004B63F2 E80D990200 call 004DFD04 <<-- fine ...


    Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    004B639B(C), :004B63B2(C)

    004B63F7 89EC mov esp, ebp <<-- here we go if the cd is inside
    004B63F9 5D pop ebp
    004B63FA 5F pop edi
    004B63FB 5E pop esi
    004B63FC 5A pop edx
    004B63FD 59 pop ecx
    004B63FE 5B pop ebx
    004B63FF C3 ret

    2. Take a close look at all the jumps.

    Hmm, 004B63B2 7543 jne... let's change the jne to jmp.

    I think this should be no real problem for you...

    Open the exe with Hiew and change 7543 to EB43.
    (EB is for JMP).

    The CD check is beaten, but what's this shit?


    Abort message:
    openhandlea-OPEN FAILED ON D:\GameData\Audio\pc\show(x).map
    (x is any number)

    No problem, we copy this folder into our nfs3 folder. Copy the files
    from the CD folder GameData\Audio into your
    local folder on your HD.

    Then open install.win (it is inside the nfs3 dir) and change
    the paths like this:

    .\GameData\
    .\GameData\Tracks\
    .\GameData\Tracks\Tutor\
    .\GameData\CarModel\
    .\GameData\Render\pc\
    .\GameData\DashHud\
    .\GameData\Audio\pc\
    .\GameData\Audio\SFX\
    .\GameData\Audio\Speech\English\
    .\GameData\Audio\Speech\German\
    .\GameData\Audio\Speech\French\
    .\GameData\Audio\Speech\Spanish\
    .\GameData\Audio\Speech\Italian\
    .\FeData\art\
    .\FeData\text\
    .\FeData\text\
    .\FeData\save\
    .\FeData\stats\
    .\FeData\config\
    .\FeData\audio\
    .\FeData\Art\Slides\
    .\FeData\Art\Track\
    .\FeData\Art\Showcase\
    .\FeData\movies\
    .\FeData\stats\prh\

    Save your work and try NFS3 without CD.

    #27 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    In the name of God
    This tutorial is great, because the cracker also shows how to build the patch (crack) in Delphi!


    =-=-=-=-=-=-=
    The Cracking Answer 2000
    ------------------------

    Author : Bug Error
    ------------------

    Target : Quake 3 Arena 3.14 => Removes CD Check
    ------------------------------------------------



    - Tools That you'll need
    -------------------------

    - Soft-Ice 3.23 or higher
    - W32dasm 8.93
    - Hiew 6 or higher


    Initial notes
    --------------

    - First, install the full game and apply patch 3.14
    - Then, make sure that Soft-ICE is loaded in autoexec.bat
    => C:\PROGRA~1\SOFTIC~1\WINICE.EXE
    - Make sure that the CD isn't in your drive )


    First approach with Soft-Ice
    ----------------------------

    - Run the game
    - When you're in the game choose Single Player
    - Then choose a map
    - Click on Fight
    - Press CTRL+D to go into Soft-ICE
    - At the Soft-ICE command prompt, type: BPX GetDriveTypeA
    - Press the Enter key
    - Press CTRL+D to go back to Q3A
    - Click on Fight, and surprise, you're back in Soft-ICE )
    - Why? Because you put a breakpoint on Kernel32!GetDriveTypeA!
    - OK, in Soft-ICE press F11 to get to GetDriveTypeA's caller
    - Aha, you should now see this:


    0177:00440CD8 CMP EAX,05 => You're here )
    0177:00440CDB JNZ 00440D25
    0177:00440CDD PUSH 004C4070
    0177:00440CE2 LEA ECX,[ESP+08]
    0177:00440CE6 PUSH ECX
    0177:00440CE7 PUSH 004BACC4
    0177:00440CEC PUSH 0059BC00
    0177:00440CF1 CALL 004A0DAF
    0177:00440CF6 PUSH 004C4064
    0177:00440CFB PUSH 0059BC00
    0177:00440D00 LEA EDX,[ESP+20]
    0177:00440D04 PUSH 004C405C


    - Note down 00440CD8, you'll need it



    Disassembling File with W32dasm
    -------------------------------

    - Load W32Dasm and open "quake3.exe"
    - After a while the file will be disassembled
    - Now click on "Goto" in the menu
    - Click on "Goto Code Location"
    - Type 00440CD8 (normally you've written this address down)
    - You should now see this:


    * Referenced by a CALL at Address:
    |:0042E7BD => Hihaaaaaa, double right-click on it
    |
    :00440CB0 81EC84000000 sub esp, 00000084
    :00440CB6 56 push esi

    * Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
    |
    :00440CB7 8B3590304B00 mov esi, dword ptr [004B3090]
    :00440CBD C64424053A mov [esp+05], 3A
    :00440CC2 C64424065C mov [esp+06], 5C
    :00440CC7 C644240700 mov [esp+07], 00
    :00440CCC C644240463 mov [esp+04], 63

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00440D31(C)
    |
    :00440CD1 8D442404 lea eax, dword ptr [esp+04]
    :00440CD5 50 push eax
    :00440CD6 FFD6 call esi
    :00440CD8 83F805 cmp eax, 00000005 => Héhé, you're here
    :00440CDB 7548 jne 00440D25


    - After double right-clicking on 0042E7BD, you should see this:

    :0042E7A3 6834834B00 push 004B8334
    :0042E7A8 E803E9FEFF call 0041D0B0
    :0042E7AD D81D58334B00 fcomp dword ptr [004B3358]
    :0042E7B3 83C404 add esp, 00000004
    :0042E7B6 DFE0 fstsw ax
    :0042E7B8 F6C440 test ah, 40
    :0042E7BB 7418 je 0042E7D5
    :0042E7BD E8EE240100 call 00440CB0 => You're here (The fucking cd-check routine)
    :0042E7C2 85C0 test eax, eax
    :0042E7C4 750F jne 0042E7D5

    * Possible StringData Ref from Data Obj ->"Game CD not in drive" => Hm, I don't want to see this
    |
    :0042E7C6 6854084C00 push 004C0854
    :0042E7CB 6A03 push 00000003
    :0042E7CD E8FEB9FEFF call 0041A1D0
    :0042E7D2 83C408 add esp, 00000008


    - Put yourself on 0042E7C4 and click on the "Jump To" button; you should see this:

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0042E7BB(C), :0042E7C4(C)
    |
    :0042E7D5 A15CAB5900 mov eax, dword ptr [0059AB5C] => You're here
    :0042E7DA 85C0 test eax, eax
    :0042E7DC 7409 je 0042E7E7
    :0042E7DE 50 push eax
    :0042E7DF E85CC3FEFF call 0041AB40
    :0042E7E4 83C404 add esp, 00000004


    - Did you see? If the JNE is taken, it bypasses the cd-check and runs
    - OK, click on the "Ret Jump" button
    - You're back here:

    :0042E7A3 6834834B00 push 004B8334
    :0042E7A8 E803E9FEFF call 0041D0B0
    :0042E7AD D81D58334B00 fcomp dword ptr [004B3358]
    :0042E7B3 83C404 add esp, 00000004
    :0042E7B6 DFE0 fstsw ax
    :0042E7B8 F6C440 test ah, 40
    :0042E7BB 7418 je 0042E7D5
    :0042E7BD E8EE240100 call 00440CB0
    :0042E7C2 85C0 test eax, eax
    :0042E7C4 750F jne 0042E7D5 => You're back here

    - Put yourself on 0042E7BD and take a look at the bottom to see the offset
    - The offset is 0002E7BD
    - Write this offset down, you'll need it



    - Cracking the EXE file
    ------------------------

    - Open Hiew and load "quake3.exe"
    - Press F4 and choose "Decode"
    - Press F5 and enter the offset, here it is 0002E7BD
    - Press F4 and choose "Hex"
    - Press F3 to edit and type 9090909090
    - Press F9 to update the EXE

    - Why 90??
    ------------

    - You saw that 0042E7BD calls the cd-check routine, so we must "delete it"
    - 90 means NOP in assembly language, that is, do nothing
    - But why 5x 90?
    - Because the code of the call is E8EE240100, which takes 5 bytes, so 5 bytes become 90



    - Big surprise
    ---------------

    - Run the game
    - What's happening?!????!!!!???
    - The game runs without the CD )


    Héhé, you've cracked Quake 3 Arena, enjoy )


    - Crack Source
    ---------------

    - If you want to make a crack.exe and distribute it on the internet, you must make a program that
    - changes the 5 original bytes to 5 NOPs
    - So I included my source code, made with Delphi 5; it also works with Delphi 1, 2, 3 or 4



    {Button handler of a form holding an OpenDialog named "fichier"}
    procedure TForm1.Button1Click(Sender: TObject);
    const
      FileN : String = 'quake3.exe';     {name of file to patch}
      BytesToChange : Integer = 5;       {5 bytes to patch}
      FileS : LongInt = 876601;          {size of the exe, to check the version}
      A : Array[1..5] of Record
            A : LongInt;                 {file offset to modify}
            B : Byte;                    {byte to write there}
          End =
        ((A:$2e7bd; B:$90),              {the 5-byte call E8 EE 24 01 00 becomes 5 NOPs}
         (A:$2e7be; B:$90),
         (A:$2e7bf; B:$90),
         (A:$2e7c0; B:$90),
         (A:$2e7c1; B:$90));
    var
      F  : File;
      Ch : Char;
      I  : LongInt;
    begin
      fichier.FileName := '*.exe';
      fichier.Filter := 'quake3.exe|' + FileN;   {TOpenDialog filters are "description|mask" pairs}
      if fichier.Execute then
      begin
        AssignFile(F, fichier.FileName);
        Reset(F, 1);                              {untyped file, 1-byte records}
        if FileSize(F) <> FileS then
        begin
          CloseFile(F);                           {release the handle before bailing out}
          ShowMessage('File is incorrect size');
          Halt(1);
        end;
        for I := 1 to BytesToChange do
        begin
          Seek(F, A[I].A);
          Ch := Char(A[I].B);
          BlockWrite(F, Ch, 1);
        end;
        CloseFile(F);
        ShowMessage('File successfully cracked');
      end;
    end;
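
    Added example, not part of any of the three posts above: the byte edits the Incoming (post #25), NFS3 (post #26) and Quake 3 (post #27) walkthroughs make in Hiew or a hex editor, done with a patcher that checks the file size and the original bytes before it writes anything, a check the Delphi source above only does for the size. The patch tables use the offsets and bytes quoted in the Incoming and Quake 3 posts; the NFS3 edit (7543 to EB43 at 004B63B2) is not included because that post gives only the virtual address, not the file offset. The executables themselves are not needed: make_unpatched builds a constructed stand-in containing just the expected bytes at the patch offsets. Function and constant names are mine.

```python
"""Added example (not from any post): verified byte patching for the
Incoming and Quake 3 CD-check edits. Offsets and bytes are those quoted in
the posts; the file contents used below are constructed, not the games'."""
import shutil
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    offset: int          # file offset (not a virtual address)
    original: bytes      # bytes that must be present before patching
    replacement: bytes   # same length; bytes that should not change stay equal


# quake3.exe as in post #27: 876,601 bytes; the 5-byte call E8 EE 24 01 00
# to the CD-check routine at file offset 0x2E7BD becomes five NOPs.
QUAKE3_SIZE = 876601
QUAKE3_PATCHES = [Patch(0x2E7BD, bytes.fromhex("E8EE240100"), b"\x90" * 5)]

# incoming.exe as in post #25: the call becomes mov eax,1, and the two
# "je" (74 4F) become short "jmp" (EB 4D). The 8B 35 14 that follows is kept
# in the pattern so the patch also checks that it sits at the right place.
INCOMING_PATCHES = [
    Patch(154481, bytes.fromhex("E893AEFDFF"), bytes.fromhex("B801000000")),
    Patch(251455, bytes.fromhex("744F8B3514"), bytes.fromhex("EB4D8B3514")),
    Patch(253663, bytes.fromhex("744F8B3514"), bytes.fromhex("EB4D8B3514")),
]


def verify_patches(data: bytes, patches, expected_size=None) -> list:
    """Return a list of problems; an empty list means every patch can be applied."""
    problems = []
    if expected_size is not None and len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}: different version?")
    for p in patches:
        if len(p.original) != len(p.replacement):
            problems.append(f"{p.offset:#x}: original/replacement lengths differ")
        found = bytes(data[p.offset:p.offset + len(p.original)])
        if found != p.original:
            problems.append(f"{p.offset:#x}: found {found.hex()} expected {p.original.hex()}")
    return problems


def already_patched(data: bytes, patches) -> bool:
    """True when every patch's replacement bytes are already in place."""
    return all(bytes(data[p.offset:p.offset + len(p.replacement)]) == p.replacement
               for p in patches)


def apply_patches(data: bytearray, patches, expected_size=None) -> int:
    """Apply all patches in place. Nothing is written unless every check passes,
    so a wrong build is left untouched rather than half-patched.
    Returns the number of bytes whose value actually changed."""
    problems = verify_patches(data, patches, expected_size)
    if problems:
        raise ValueError("; ".join(problems))
    changed = 0
    for p in patches:
        for i, (old, new) in enumerate(zip(p.original, p.replacement)):
            if old != new:
                data[p.offset + i] = new
                changed += 1
    return changed


def make_unpatched(size: int, patches) -> bytearray:
    """Constructed stand-in for the original file: zeros plus the expected
    original bytes at each patch offset (test data, not a real executable)."""
    data = bytearray(size)
    for p in patches:
        data[p.offset:p.offset + len(p.original)] = p.original
    return data


def patch_file(path: str, patches, expected_size=None) -> int:
    """Patch a file on disk, keeping a .bak copy; returns bytes changed (0 if done before)."""
    with open(path, "rb") as f:
        data = bytearray(f.read())
    if already_patched(data, patches):
        return 0
    changed = apply_patches(data, patches, expected_size)
    shutil.copyfile(path, path + ".bak")
    with open(path, "wb") as f:
        f.write(data)
    return changed


if __name__ == "__main__":
    q3 = make_unpatched(QUAKE3_SIZE, QUAKE3_PATCHES)
    print("quake3 stand-in: changed", apply_patches(q3, QUAKE3_PATCHES, QUAKE3_SIZE), "bytes")
    wrong = make_unpatched(QUAKE3_SIZE + 1, QUAKE3_PATCHES)
    print("wrong build:", verify_patches(wrong, QUAKE3_PATCHES, QUAKE3_SIZE))
```

    patch_file does the same against a real file and writes a .bak first; because verify_patches runs over every patch before apply_patches writes a single byte, a different build (wrong size, or different bytes at the offset) fails cleanly instead of leaving a half-patched executable, and already_patched makes a second run a no-op.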

    #28 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    Building a Patcher in Delphi ....... a treat for Delphi coders






    #29 Morteza_SOS (Professional, joined Apr 2006, 577 posts)

    How to crack Rainbow Six 2 - Rogue Spear by DJ Fortune.
    ************************************************************

    Welcome to my first tutorial. Sorry about my grammatical errors.
    Hope you will enjoy this.....

    OK. Try to launch roguespear.exe .... hmmm, strange, no errors; keep going:
    single player, new campaign.... still nothing, how strange. Well, go through
    every phase until the game asks you to continue to the action phase. Then if
    we continue it says the magic ugly words "RogueSpear CD..." so make a
    copy of your roguespear.exe and disassemble it (make coffee, take a nap,
    because this takes some time...).
    Now it's disassembled. The error message we saw can't be in the string data
    references because it had a graphical interface (it really could be there,
    but just this time it isn't, believe me). Well, we still have another choice:
    search for the text GetDriveTypeA (it can be found through another place but this is
    much faster). You should soon land here:

    * Referenced by a CALL at Addresses:
    |:0041DC9C , :00482B45 , :00482E04 , :004B61D6 , :004E7291
    |:004F06C3
    |
    :0040CE20 81EC10060000 sub esp, 00000610 <--------- It all begins here...
    :0040CE26 8D84240C020000 lea eax, dword ptr [esp+0000020C]
    :0040CE2D 53 push ebx
    :0040CE2E 55 push ebp
    :0040CE2F 56 push esi
    :0040CE30 57 push edi
    :0040CE31 50 push eax
    :0040CE32 6800040000 push 00000400

    * Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:011Eh <----- List the drives you have in your computer
    |
    :0040CE37 FF1598F07500 Call dword ptr [0075F098]
    :0040CE3D 8BD8 mov ebx, eax
    :0040CE3F 85DB test ebx, ebx
    :0040CE41 750A jne 0040CE4D

    * Possible StringData Ref from Data Obj ->"GAME: Could not get drives installed " <--- in case you don't have a CD drive.
    ->"in the system"
    |
    :0040CE43 684CEF7A00 push 007AEF4C
    :0040CE48 E982000000 jmp 0040CECF

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CE41(C)
    |
    :0040CE4D 33F6 xor esi, esi
    :0040CE4F 85DB test ebx, ebx
    :0040CE51 7E77 jle 0040CECA

    * Reference To: KERNEL32.GetDriveTypeA, Ord:0104h <------------- This got us here (usual cd checker)
    |
    :0040CE53 8B2DA8F07500 mov ebp, dword ptr [0075F0A8]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CEC8(C)
    |
    :0040CE59 8DBC341C020000 lea edi, dword ptr [esp+esi+0000021C]
    :0040CE60 57 push edi
    :0040CE61 FFD5 call ebp
    :0040CE63 83F805 cmp eax, 00000005 <----------- Is the drive a cd drive?
    :0040CE66 7548 jne 0040CEB0
    :0040CE68 8D8C241C010000 lea ecx, dword ptr [esp+0000011C]
    :0040CE6F 6800010000 push 00000100
    :0040CE74 8D54241C lea edx, dword ptr [esp+1C]
    :0040CE78 51 push ecx
    :0040CE79 8D44241C lea eax, dword ptr [esp+1C]
    :0040CE7D 52 push edx
    :0040CE7E 8D4C241C lea ecx, dword ptr [esp+1C]
    :0040CE82 50 push eax
    :0040CE83 51 push ecx
    :0040CE84 8D542430 lea edx, dword ptr [esp+30]
    :0040CE88 6800010000 push 00000100
    :0040CE8D 52 push edx
    :0040CE8E 57 push edi

    * Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
    |
    :0040CE8F FF15ACF07500 Call dword ptr [0075F0AC]
    :0040CE95 83F801 cmp eax, 00000001
    :0040CE98 7516 jne 0040CEB0
    :0040CE9A 8D44241C lea eax, dword ptr [esp+1C]

    * Possible StringData Ref from Data Obj ->"ROGUESPR" <--------- Our CD Volume Label.
    |
    :0040CE9E 6840EF7A00 push 007AEF40
    :0040CEA3 50 push eax
    :0040CEA4 E837FE2800 call 0069CCE0
    :0040CEA9 83C408 add esp, 00000008
    :0040CEAC 85C0 test eax, eax
    :0040CEAE 7455 je 0040CF05

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0040CE66(C), :0040CE98(C)
    |
    :0040CEB0 803F00 cmp byte ptr [edi], 00
    :0040CEB3 7410 je 0040CEC5

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CEC3(C)
    |
    :0040CEB5 3BF3 cmp esi, ebx
    :0040CEB7 7D0C jge 0040CEC5
    :0040CEB9 8A84341D020000 mov al, byte ptr [esp+esi+0000021D]
    :0040CEC0 46 inc esi
    :0040CEC1 84C0 test al, al
    :0040CEC3 75F0 jne 0040CEB5


    You may find many places here where to patch but let's see the code a little deeper.
    As you can see, the place where all calls to this place will land is right above the
    GetDriveTypeA and many other checks like volume type and whether there is a CD drive at all.
    So after a few "seconds" of thinking you might have an idea of patching something. But before
    you patch anything think: "What if you would not let the program even see the checkers
    or touch them but still you would allow it to enter here and leave with a successful check?"
    Sounds weird, doesn't it? Well it isn't, cos every one of those calls to this place just wants to
    know what is the code in eax. Is it 01 or 00?

    So start Hacker View or any other good hex-editor and seek for
    @Offset 0000CE20h

    There, now you are at the beginning of the "CD Check routine". Try to change the code like this:

    push 01        ; 6A 01  (the bytes given below encode push 01, not mov eax,001)
    pop eax        ; 58     - eax is now 1
    retn           ; C3

    After this the game would move eax to 001, push it to eax and come back from the call.
    In Hiew press F3 and enter "6A0158C3", save and test it.
    .....
    .....

    Yahoo!!! It worked. Now this thing works on Rainbow Six 2 Patch v2.04 too so I'll let you find the
    place all by yourself.
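The routine listed above, rewritten as a Python model (an added example, not code from the tutorial or from the game): the three Windows API calls are replaced by constructed in-memory data so it runs offline, and two things the page does not show are assumed, namely that the jump target 0040CF05 is the "return 1" path and that the call at 0069CCE0 is a strcmp-style compare returning 0 on equality. It makes the point of the post visible: the whole routine (drive enumeration, drive-type test, volume-label compare) collapses to a single 0/1 in eax, which is why a check that reports its verdict as one register value is so fragile.

```python
"""Reference model of the CD-check routine at 0040CE20 (added example).
GetLogicalDriveStringsA / GetDriveTypeA / GetVolumeInformationA are modelled
with constructed data; 0040CF05 (success) and 0069CCE0 (string compare)
are assumptions, their bodies are not on the page."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DRIVE_CDROM = 5  # GetDriveTypeA value the routine tests at 0040CE63 (cmp eax, 5)


@dataclass
class FakeDrive:
    """Constructed stand-in for one drive root such as 'D:\\'."""
    drive_type: int        # what GetDriveTypeA would report
    label: Optional[str]   # volume label; None models GetVolumeInformationA failing


def build_drive_strings(roots: List[str]) -> bytes:
    """Lay roots out the way GetLogicalDriveStringsA fills its buffer:
    each root NUL-terminated, then one extra NUL after the last root."""
    return b"".join(r.encode("ascii") + b"\x00" for r in roots) + b"\x00"


def parse_drive_strings(buf: bytes) -> List[str]:
    """Walk the buffer like the loop at 0040CEB0..0040CEC3: skip to the NUL
    that ends the current root, stop at the double NUL."""
    roots, i = [], 0
    while i < len(buf) and buf[i] != 0:
        end = buf.index(b"\x00", i)
        roots.append(buf[i:end].decode("ascii"))
        i = end + 1
    return roots


def cd_check(drive_strings: bytes, drives: Dict[str, FakeDrive],
             wanted_label: str = "ROGUESPR") -> int:
    """Return the value the routine leaves in eax: 1 if some CD-ROM drive
    carries the expected label, otherwise 0."""
    # 0040CE3F/41: GetLogicalDriveStringsA returned 0 -> error path, eax = 0
    if not drive_strings:
        return 0
    for root in parse_drive_strings(drive_strings):
        drive = drives.get(root)
        # 0040CE63/66: anything but DRIVE_CDROM is skipped (jne 0040CEB0)
        if drive is None or drive.drive_type != DRIVE_CDROM:
            continue
        # 0040CE95/98: GetVolumeInformationA must return 1
        if drive.label is None:
            continue
        # 0040CEA4..AE: compare label with "ROGUESPR"; equal -> je 0040CF05
        if drive.label == wanted_label:
            return 1
    return 0  # 0040CECA: no more drives to try


def patched_cd_check(drive_strings: bytes, drives: Dict[str, FakeDrive],
                     wanted_label: str = "ROGUESPR") -> int:
    """What the four-byte patch (push 01 / pop eax / retn) turns the routine
    into: eax = 1 before any of the checks above is ever reached."""
    return 1


# Constructed sample: one hard disk (type 3) and one CD-ROM drive.
SAMPLE_DRIVES = {
    "C:\\": FakeDrive(drive_type=3, label="SYSTEM"),
    "D:\\": FakeDrive(drive_type=DRIVE_CDROM, label="ROGUESPR"),
}
SAMPLE_BUF = build_drive_strings(list(SAMPLE_DRIVES))

if __name__ == "__main__":
    wrong_cd = {"C:\\": SAMPLE_DRIVES["C:\\"],
                "D:\\": FakeDrive(DRIVE_CDROM, "OTHERCD")}
    print("game CD present:", cd_check(SAMPLE_BUF, SAMPLE_DRIVES))   # 1
    print("wrong CD in drive:", cd_check(SAMPLE_BUF, wrong_cd))      # 0
    print("patched, no drives:", patched_cd_check(b"", {}))          # 1
```

The model follows the listing's own control flow, so each skipped drive corresponds to the `jne 0040CEB0` edges and the NUL-walking loop corresponds to 0040CEB0..0040CEC3; the `drives` dictionary is the constructed replacement for what GetDriveTypeA and GetVolumeInformationA would answer per root.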

  10. #30
    Professional Morteza_SOS's Avatar
    Join Date
    Apr 2006
    Posts
    577

    Default

    Heya, I've got nothing to do so I'll write this tut for removing the CD check on S.O.T.E.

    There are a few types of CD protections around, some hardcore,
    some not; this happens to be a simple check. Most commercial
    software will allow you to install the whole game to
    your hard drive and let you run it from there, but they usually
    always ask for the CD; this is so you don't go installing on your
    mate's computer. I find this annoying so I remove the check
    for my own purpose anyway.
    Ok, install the game with its maximum install option and wait about
    20 mins if you have a 4x CD-ROM drive like me, but I doubt you do.
    Anyways, once the installation has finished remove your CD and place
    it on the floor or wherever you store your CDs. Now run the program
    and you will see this message.


    Ok, this time set a breakpoint on MessageBoxA like so: Ctrl+D to activate
    SoftICE, then type BPX MESSAGEBOXA, now exit SoftICE, rerun the program,
    SoftICE will break just before the message box, now press F12 to return to
    the line after the API was called in the main exe code.
    There are several ways to beat a standard check: you could trace on from
    the message box until you hit a RET and find the CD check call, or you
    could use W32Dasm to find where the msg box was called from and change
    a jump.
    K, we'll just use SoftICE. Anyway, once you have returned from that API
    you will see the following code :-
    00463D1F CALL [USER32!MessageBoxA]
    00463D25 Push 01 <-- We are here
    00463D27 CALL 004AA560
    00463D2C ADD ESP,04
    00463D2F POP EDI
    00463D30 POP ESI
    00463D31 RET


    The theory is that we keep tracing (F10) until we hit a RET and are
    returned to a line below a CALL,.. the CD-check call; sometimes
    this can be totally NOPed out or a jump above will determine whether to jump
    it or not, blah blah.
    So let's keep tracing until we hit the RET....dum de dum da dum de dum
    hey! when we hit the CALL 004AA560 the program ends :P , hum, looks
    like the program has called an exit procedure to stop the rest of the
    code carrying on :P. Ok, let's rerun the program and when we get to the
    call line, so that our little grey bar thing is over 00463D27 CALL 004AA560,
    let's try and skip this line...what ya mean how? :P Well, if you look at the
    top right of the SoftICE screen it says EIP=00463D27; this is the next line
    to execute..our exit call =:0->-< , so click up there and change it to
    EIP=00463D2C, or if you're unprivileged and have no working mouse or think
    having a mouse is stupid in SoftICE you will have to type R EIP then
    enter the number. Anyway, press F5 to exit SoftICE, and wang bang lalal
    the game runs!
    Ok, now it's time to patch the game, so how would we go about doing this?
    Well, we could NOP out that Call 004AA560 which calls the exit routine,
    but naw, that would be stupid because it would call an error msg box then
    run the game, so let's trace out of the call and see what we can see.
    So when you get to that call that exits, um.. Call 004AA560, set the EIP
    to jump over it like before and keep tracing (F10) until we hit the RET
    and return from the 'CD Check' call; now you should see:
    0048FF09 CALL 00463C70
    0048FF0E XOR EDI,EDI <- We are here
    0048FF10 CALL [008C44C4]
    0048FF16 CMP EDI,EAX
    Now you can see we have returned from the call above which was the 'CD check
    error you haven't the cd thingy' so now we can simply NOP out that call, OR!
    or? or scroll up a bit, make sure you're not halfway through typing anything then
    click in the code window and scroll up a few lines, or press PgUp/PgDn then
    go set up your mouse for SI. Anyway, now you will see:-


    0048FEF5 JNZ 0048FF0E <- Hey a Jump to ----
    0048FEF7 PUSH 0073B5A8
    0048FEFC PUSH 006F35A0
    0048FF01 CALL 004AA350
    0048FF06 ADD ESP,08
    0048FF09 CALL 00463C70
    0048FF0E XOR EDI,EDI <- We are here / -----
    0048FF10 CALL [008C44C4]
    0048FF16 CMP EDI,EAX
    Now can you see two ways to kill the check? Well, we know that if CALL 463C70
    is executed then we get a NO CD error and exit, so we can either NOP out that
    call or we can change the JNZ 0048FF0E to JMP 0048FF0E, because that will jump
    straight over the nasty call. Hmm, about time I brought this tut to an end, it's
    too big, SOOoo let's patch that JNZ because it's quick for me :P. We need
    the file offset so use a program like ICZ's Address->file offset thing from
    Code:
    To view the content, please log in or register.
    or search for the bytes in a hex ed; make sure you have
    CODE ON in SI to view the bytes. I'm just gonna search for em, it's


    0048FEF5 7517 ......JNZ 0048FF0E <- Hey a Jump to ----
    0048FEF7 68A8B57300 PUSH 0073B5A8
    so with a hex ed search for '751768A8'. Oh yer, I forgot to mention
    which file :P, hehe, um, it's not SOTE.exe, you know why? Good, I'm off then.
    I mean, go back into SoftICE to the JNZ and you will see in the SoftICE window
