Target game: King of Dragon Pass
Toolz: SICE, Wdasm
Level: 1, an ordinary cd-check (well.. pretty ordinary anywayz)

Info about target:

What's King of Dragon Pass? Does the whole game even sound familiar?.. mebbe.. or mebbe not. In fact I haven't seen this game in any stores, though it's been over a month or so since it was published, but luckily my friend managed to buy it from somewhere in Sweden (thx mate!). King of Dragon Pass is a really good rpg/strategy-like game.. it combines the good sides of both strategy and rpg-ish gamestyle. The result is astonishing!! Our local magazine rated this game 94/100, so it can't and won't be bad ;) *An Excellent Game* - Buy it now!!

About the protection:

The game follows quite a typical GetDriveTypeA routine with some minor modifications on it.. Let's start with it then... since I'm no asm guru like some other crackers... this won't be a very detailed patch.. sorry. (I assume u already installed it.. and whoa! The game is playable directly from CD!!! or if u really wanna (in this case u have to) install it to HD, it takes only about 40 megs or so!!)

I've Wdasmed the routine for u so it'll be (hopefully) easier to follow.. (and at this point r!SC matey.. if ya reading.. good fight, good night :))

* Referenced by a CALL at Address:
|:00401340   <-- ya wanna trace back there i guess..
|
:00401240 81EC0C010000            sub esp, 0000010C
:00401246 53                      push ebx

* Reference To: KERNEL32.SetErrorMode, Ord:0264h
|
:00401247 8B1D2C704000            mov ebx, dword ptr [0040702C]
:0040124D 55                      push ebp
:0040124E 56                      push esi
:0040124F 57                      push edi
:00401250 6A01                    push 00000001
:00401252 C644241720              mov [esp+17], 20
:00401257 FFD3                    call ebx
:00401259 6A00                    push 00000000
:0040125B 89442418                mov dword ptr [esp+18], eax
:0040125F FFD3                    call ebx

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h   <-- Here's the thingy
|
:00401261 8B2D28704000            mov ebp, dword ptr [00407028]

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h   <-- another checking type..
|
:00401267 8B3D30704000            mov edi, dword ptr [00407030]
:0040126D C6055880400041          mov byte ptr [00408058], 41

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012FF(C)
|
* Possible StringData Ref from Data Obj ->"C:\"
|
:00401274 6858804000              push 00408058
:00401279 FFD5                    call ebp
:0040127B 83F805                  cmp eax, 00000005   <-- Here's the CD-ROM comparison
:0040127E 7571                    jne 004012F1        <-- Jump if no CD-ROM
:00401280 6A00                    push 00000000
:00401282 6A00                    push 00000000
:00401284 6A00                    push 00000000
:00401286 6A00                    push 00000000
:00401288 6A00                    push 00000000
:0040128A 8D44242C                lea eax, dword ptr [esp+2C]
:0040128E 6804010000              push 00000104
:00401293 50                      push eax

* Possible StringData Ref from Data Obj ->"C:\"
|
:00401294 6858804000              push 00408058       <-- push error message on stack
:00401299 FFD7                    call edi
:0040129B 85C0                    test eax, eax
:0040129D 7452                    je 004012F1         <-- this jump takes u to the drive comparison..

I've again spared u the effort of tracing thru this (but in order to learn sumthing i suggest u do trace this in SICE!) and pointed u to the location to trace back to.. (the caller!)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040136E(C)
|
:00401340 E8FBFEFFFF              call 00401240       <-- this calls the routine above
:00401345 3C20                    cmp al, 20
:00401347 A231804000              mov byte ptr [00408031], al
:0040134C 752B                    jne 00401379        <-- CD not found
:0040134E A138AE4000              mov eax, dword ptr [0040AE38]
:00401353 6A01                    push 00000001

* Possible StringData Ref from Data Obj ->"CD-ROM Not Found"
|
:00401355 6890804000              push 00408090

* Possible StringData Ref from Data Obj ->"Please insert "King of Dragon "   <-- u could've
                                       ->"Pass" in CD/DVD drive"             <-- searched for this too..

Alrighty.. we've come to the end (or start..) of this routine.. now we wanna make our patch. U should already know where to patch, but if u don't, trace thru these routines..
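To make the two routines above easier to reason about, here is the check rebuilt in C. This is an added reconstruction written from the listing, not the game's own source: the scan over drive letters (the 0x41 written into the "C:\" buffer at 00408058 and the conditional jump back from 004012FF) is inferred, and on a non-Windows build the two kernel32 calls are replaced by a constructed drive table (sim_set_drive / sim_set_media, names made up here) so the control flow can be exercised anywhere. The push at 00401294 hands that same buffer to GetVolumeInformationA as its root-path argument, and the 0x104 pushed just before it is the MAX_PATH-sized volume-name buffer. What the reconstruction makes obvious is why the protection is so thin: nothing on the disc itself is ever verified, the whole decision is one compare against DRIVE_CDROM (5) inside the scan and one compare of al against 0x20 in the caller.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows build: constructed stand-ins for the two kernel32 calls, so the
   routine's control flow can be run and tested anywhere. Constants mirror winbase.h. */
#define DRIVE_NO_ROOT_DIR 1
#define DRIVE_CDROM       5
#define MAX_PATH          260
typedef unsigned int  UINT;
typedef int           BOOL;
typedef unsigned long DWORD;
typedef char         *LPSTR;
typedef const char   *LPCSTR;
typedef DWORD        *LPDWORD;

/* Constructed drive table, index 0 = A: .. 25 = Z:; 0 means no such drive.
   Default layout: A: removable (2), C: fixed (3), D: CD-ROM (5). */
static UINT sim_drive_type[26] = { 2, 0, 3, 5 };
static int  sim_cdrom_media_present = 1;

void sim_set_drive(int index, UINT type) { if (index >= 0 && index < 26) sim_drive_type[index] = type; }
void sim_set_media(int present)          { sim_cdrom_media_present = present; }

UINT GetDriveTypeA(LPCSTR root) {
    int i = root[0] - 'A';
    if (i < 0 || i >= 26 || sim_drive_type[i] == 0) return DRIVE_NO_ROOT_DIR;
    return sim_drive_type[i];
}

BOOL GetVolumeInformationA(LPCSTR root, LPSTR volName, DWORD volNameSize,
                           LPDWORD serial, LPDWORD maxComp, LPDWORD flags,
                           LPSTR fsName, DWORD fsNameSize) {
    (void)serial; (void)maxComp; (void)flags; (void)fsName; (void)fsNameSize;
    /* A CD-ROM drive with no disc is what the game is probing for: the call
       fails (drive not ready) and the scan moves on to the next letter. */
    if (GetDriveTypeA(root) == DRIVE_CDROM && !sim_cdrom_media_present) return 0;
    if (volName && volNameSize) { strncpy(volName, "SIMVOL", volNameSize - 1); volName[volNameSize - 1] = '\0'; }
    return 1;
}
#endif

/* Reconstruction of the routine at 00401240. Returns the first drive letter
   whose drive is a CD-ROM with readable volume information, else 0x20. */
char find_cdrom_drive(void) {
    char root[4] = "C:\\";             /* the "C:\" data object at 00408058 */
    char volName[MAX_PATH];            /* buffer handed to GetVolumeInformationA (size 0x104) */
    char result = 0x20;                /* mov [esp+17], 20 : default "not found" */
#ifdef _WIN32
    UINT oldMode = SetErrorMode(SEM_FAILCRITICALERRORS); /* push 1 / call ebx: no "not ready" dialogs */
#endif
    for (char letter = 'A'; letter <= 'Z'; letter++) {   /* loop inferred from the 004012FF back-edge */
        root[0] = letter;                                  /* mov byte ptr [00408058], letter */
        if (GetDriveTypeA(root) != DRIVE_CDROM)            /* cmp eax, 5 / jne 004012F1 */
            continue;
        if (!GetVolumeInformationA(root, volName, sizeof volName,
                                   NULL, NULL, NULL, NULL, 0))  /* test eax, eax / je 004012F1 */
            continue;
        result = letter;
        break;
    }
#ifdef _WIN32
    SetErrorMode(oldMode);
#endif
    return result;
}

/* Reconstruction of the caller at 00401340: one compare and one conditional
   jump decide between the "CD-ROM Not Found" box and starting the game. */
int cd_check_passed(char *drive_out) {
    char d = find_cdrom_drive();       /* call 00401240 */
    if (drive_out) *drive_out = d;     /* mov byte ptr [00408031], al */
    if (d == 0x20)                     /* cmp al, 20 / jne 00401379 */
        return 0;                      /* fall-through: MessageBox "Please insert ... CD" */
    return 1;
}

int main(void) {
    char drive;
    if (cd_check_passed(&drive))
        printf("check passed, CD-ROM found on %c:\\\n", drive);
    else
        puts("CD-ROM Not Found");
    return 0;
}
```

On a real Windows build the stand-ins drop out and the two kernel32 functions are called directly; on any other platform the constructed table drives the same branches, which is enough to see that a drive of type 5 with a readable volume label, any label at all, satisfies the whole check.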
I spotted two patching places, one being "cleaner" and the other "dirtier":

:00401340 E9FBFEFFFF -> B801000000   - Cleaner, removes the messagebox and loads the game
:0040134C 752B       -> 742B         - Dirtier, leaves the messagebox but disables the check and loads up..

Awck... this patch was done in a bit of a hurry.. so u might want to revise it yourself or whatsoever.. I don't guarantee the game will work (Installation 42 megs, CD size over 400 megs!) due to the small installation.. some files could be (and possibly are) missing.. but remember! I'm not showing how to crack games to make them playable from HD (in some cases they are), but to show how to disable the initial check!..

-C_DKnight <- c_dknight@iobox.com

the obligatory greets of corze.. all guys and girlies i know at #Cracking4Newbies.. AB4DS, r!SC, Dead-Mike, Zoltan, [LaZaRuS], [yAtEs], cTT, Sinnny, Thesmurf and all the others i forgot in this rush.. ah.. plus Tailz, F0ley, Mathras, Makis, LM555