===============================================================================================================
Title        : Starshiptroopers (GAME)
Protection   : CD Check
Producer     : Hasbro
Cracker      : shadowze (shadowze@yahoo.com)
Tools        : W32Dasm, Ultraedit
Difficulty   : Beginner
Tutorial No. : 1
===============================================================================================================

1) Install Starship Troopers. Make a full install; it is around 546MB. Run the game without the CD. Ah, we get a standard Windows message box telling us "Please insert Starship Troopers CD and retry". Remember this for later.

2) OK, first make a copy of starshiptroopers.exe to somewhere safe (desktop), then disassemble the original starshiptroopers.exe in W32Dasm. Go to the Refs menu, select String Data Refs and search through the list until you find the above fail message. Click on the message and in the main disassembly window you will see this:

:004013C2 68C4005600              push 005600C4

* Possible StringData Ref from Data Obj ->"Please insert Starship Troopers "
                                        ->"CD and retry"
                                  |
:004013C7 6894005600              push 00560094
:004013CC 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:004013CE FF15FCC15500            Call dword ptr [0055C1FC]
:004013D4 C3                      ret

This is where the message box routine is called from after the CD check has failed.

3) OK, so now we know where the fail message comes from; now let's back track to find out where this routine was called from. Use the up arrow to scroll backward through the code until you come to here:

* Referenced by a CALL at Address:
|:00401AAA   <= This is the line we are interested in; it tells us where this routine was called from.
|
:004013C0 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Failed to find Starship Troopers "
                                        ->"CD"
                                  |
:004013C2 68C4005600              push 005600C4

Select Goto Code Location and enter 00401AAA. This takes us to the routine that called the fail message routine.

4) Here is the disassembled code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401A8E(C)
|
:00401A99 E812F8FFFF              call 004012B0                  <= This is the call to the CD check routine
:00401A9E 85C0                    test eax, eax                  <= CD in ?
:00401AA0 751B                    jne 00401ABD                   <= OK then start the game
:00401AA2 393D50525B00            cmp dword ptr [005B5250], edi  <= Another check ?
:00401AA8 7513                    jne 00401ABD                   <= Jump to start the game
:00401AAA E811F9FFFF              call 004013C0                  <= The call that sent us to the fail routine when no CD was found
:00401AAF 5F                      pop edi
:00401AB0 5E                      pop esi
:00401AB1 33C0                    xor eax, eax
:00401AB3 5B                      pop ebx
:00401AB4 81C42C030000            add esp, 0000032C
:00401ABA C21000                  ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401AA0(C), :00401AA8(C)
|
:00401ABD E80EF7FFFF              call 004011D0                  <= Normal game startup
:00401AC2 E879F7FFFF              call 00401240
:00401AC7 E894F6FFFF              call 00401160
:00401ACC 8B84243C030000          mov eax, dword ptr [esp+0000033C]

5) The easiest way to get the game to play without the CD is to change the

:00401AA0 751B                    jne 00401ABD

line to a jmp (short, EB), which will always run the start code:

:00401AA0 EB1B                    jmp 00401ABD

To do this, select the line and note the file offset in the very bottom line of W32Dasm; it is 00001AA0h. Exit W32Dasm and open starshiptroopers.exe in your favorite hex editor (Ultraedit for me). Move down to the above offset:

00001AA0h: 75 1B .. .......

This is the data we are interested in from the disassembly. Change the 75 to an EB and save the file. Now run the game without the CD!

That's it.

shadowze@yahoo.com
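Added example, not part of shadowze's tutorial or of the game's code: a Python script that decodes the bytes from the step 4 listing to confirm the call and jump targets W32Dasm printed (target = address of the next instruction + signed displacement), and shows the integrity check a publisher would run to notice that the guard branch at 00401AA0 has been turned into an unconditional jmp. The byte buffer is constructed to mirror the listing rather than read from starshiptroopers.exe; the 0x00400000 image base and the VA-to-file-offset rule are assumptions taken from the tutorial's pairing of 00401AA0 with file offset 00001AA0.

```python
"""Decode the bytes W32Dasm showed for the CD-check branch and flag tampering.

Added example, not part of the tutorial. The image below is a constructed
stand-in for starshiptroopers.exe: 0x90 padding with the listing's bytes for
00401A99-00401AAE written at the file offsets the tutorial reports
(VA 00401AA0 <-> offset 00001AA0). IMAGE_BASE is assumed from that pairing.
"""
IMAGE_BASE = 0x00400000

# x86 opcodes for the 2-byte rel8 jumps that appear in (or result from) the listing.
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}

# Guard branches from step 4: (file offset, VA, opcode the shipped binary has).
GUARD_BRANCHES = [
    (0x1AA0, 0x00401AA0, 0x75),  # jne 00401ABD right after the CD-check call
    (0x1AA8, 0x00401AA8, 0x75),  # jne 00401ABD after the second compare
]


def build_clean_image():
    """Constructed image: only 00401A99..00401AAE carries the listing's code."""
    img = bytearray(b"\x90" * 0x1AC0)
    listing = bytes.fromhex(
        "E812F8FFFF"    # call 004012B0   (CD check)
        "85C0"          # test eax, eax
        "751B"          # jne  00401ABD
        "393D50525B00"  # cmp dword ptr [005B5250], edi
        "7513"          # jne  00401ABD
        "E811F9FFFF"    # call 004013C0   (fail message box)
    )
    img[0x1A99:0x1A99 + len(listing)] = listing
    return bytes(img)


def va_to_offset(va):
    """Offset rule the tutorial relies on for this section (assumed, see lead-in)."""
    return va - IMAGE_BASE


def decode_short_jump(code, offset, va):
    """Return (mnemonic, target VA) for a 2-byte jump: target = next_ip + rel8."""
    opcode = code[offset]
    if opcode not in SHORT_JUMPS:
        raise ValueError(f"no short jump at {va:#010x}: opcode {opcode:#04x}")
    rel8 = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
    return SHORT_JUMPS[opcode], va + 2 + rel8


def decode_near_call(code, offset, va):
    """Return the target VA of an E8 rel32 call: target = next_ip + rel32."""
    if code[offset] != 0xE8:
        raise ValueError(f"no near call at {va:#010x}: opcode {code[offset]:#04x}")
    rel32 = int.from_bytes(code[offset + 1:offset + 5], "little", signed=True)
    return va + 5 + rel32


def tampered_branches(code):
    """Integrity check: VAs whose guard branch no longer has its shipped opcode.

    A conditional jump rewritten to EB (jmp) means the check's result is
    being ignored. A hash of the whole file would also catch the edit, but
    this pinpoints which decision was altered.
    """
    return [va for off, va, opc in GUARD_BRANCHES if code[off] != opc]


if __name__ == "__main__":
    clean = build_clean_image()
    print("CD check call ->", hex(decode_near_call(clean, 0x1A99, 0x00401A99)))
    print("guard jne     ->", decode_short_jump(clean, 0x1AA0, 0x00401AA0))
    print("fail call     ->", hex(decode_near_call(clean, 0x1AAA, 0x00401AAA)))
    print("tampered      ->", [hex(v) for v in tampered_branches(clean)])
```

Both jne instructions resolve to 00401ABD and both calls resolve to 004012B0 and 004013C0, matching the listing; an image whose byte at 00001AA0 is EB instead of 75 is reported by tampered_branches as an altered decision at 00401AA0.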