Cecil Strikes again... bringing you a new tut =)

Target game: Anno 1602 (english)

Some things that may come in handy:
Hiew 6.04
Soft-Ice 3.2x
W32Dasm89

No drink this time... I just didn't happen to have any...=)

I assume you have the proggies I mentioned... Let's go!

I installed the game with minimum install (you know my HD space...). After the installation throw the cd away from the drive and start the game. Everything seems to be fine until you press "New Game" and select a scenario, or "Continue game". An annoying message box tells us something like: "Please insert the original cd...".

Memorize this message and load 1602.w32 in W32Dasm (you made those backups, didn't you?). After the procedure is finished we (of course) try to find that message. But no matter how hard we try, we just can't find it... what now?... What to do? Hmm... How about this?...

Start the game again and go to the New game menu. Before you choose any scenario, Ctrl-D to Soft-Ice and set a breakpoint: "bpx messageboxa". Now F5 back to the game and choose any scenario. As you press the mouse button on any scenario Soft-Ice grabs you in it. Don't mind this... just press F11... Now you should be back in the game with an error message box complaining about the cd. Just press Retry and *BAM*... back in Soft-Ice.

The only thing you have to do is take the hex number where we landed (in my case it's 015F:4961BB)... in fact we only need 4961BB... that's enough for us. Clear the breakpoint in Soft-Ice (bc*) and exit Soft-Ice.

Now load 1602.w32 back in W32Dasm89 (in case you exited it earlier). Press the "Goto code location" button and enter 4961BB.
This is how it should look:

:00496194 E817CEFFFF              call 00492FB0      <--- The message box
:00496199 85C0                    test eax, eax
:0049619B 7530                    jne 004961CD

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:0049619D 8B3570E24900            mov esi, dword ptr [0049E270]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004961CB(C)
|
:004961A3 8B1538AC4A00            mov edx, dword ptr [004AAC38]
:004961A9 A134AC4A00              mov eax, dword ptr [004AAC34]
:004961AE 8B0D30565600            mov ecx, dword ptr [00565630]
:004961B4 6A05                    push 00000005
:004961B6 52                      push edx
:004961B7 50                      push eax
:004961B8 51                      push ecx
:004961B9 FFD6                    call esi
:004961BB 83F804                  cmp eax, 00000004
:004961BE 0F85A1060000            jne 00496865
:004961C4 E8E7CDFFFF              call 00492FB0      <--- The check
:004961C9 85C0                    test eax, eax
:004961CB 74D6                    je 004961A3

It should be quite clear what we can do to the calls. Yes... let's just nop them. Write down the @offset codes. Then exit W32Dasm89 and load 1602.exe into Hiew. Use the "decode mode" and "goto line" commands and enter 95594. Then nop the call by pressing F3 and entering 9090909090 (five times 90):

E8E7CDFFFF -> 9090909090

Do the same thing to the other call at 955C4.

Note! There are two of these calls left. We nopped the calls at 4961C4 & 496194. The two other calls are at 49607E & 496052... Just nop them out too.

Easy, huh?... Yes... when finished, exit Hiew and start the game. Select any scenario in the New game menu or try to Continue Game: no error messages and the game goes on! Yes.. we did it!! Enjoy this fine game!

-C_DKnight

Greetz to: Same persons as last time (too lazy to write their names) and tKC

If you have any questions or comments contact me via e-m@il c_dknight@iobox.com or find me at Kiss' chat (www.kiss.fi/chatropol/town/playstation)

If you happen to have any problems with my crack, please let me know.

Written 26th of May 1999
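Seen from the protection side, the listing shows a check that is reached through a few 5-byte E8 calls and nothing else. As an added example (not part of the original tut), this integrity scan decodes the two call sites from the listing and reports any site that no longer calls 00492FB0; make_reader and its in-memory image are constructed stand-ins for reading the real code section.

```python
import struct

CHECK_FN = 0x00492FB0  # target of both calls in the listing

# Call sites and their original bytes, copied from the listing.
EXPECTED = {
    0x00496194: bytes.fromhex("E817CEFFFF"),
    0x004961C4: bytes.fromhex("E8E7CDFFFF"),
}

def call_target(addr, insn):
    """Decode a 5-byte 'E8 rel32' near call; return its target or None."""
    if len(insn) != 5 or insn[0] != 0xE8:
        return None
    (rel,) = struct.unpack("<i", insn[1:])   # signed little-endian displacement
    return (addr + 5 + rel) & 0xFFFFFFFF     # relative to the next instruction

def scan(read, sites=EXPECTED, target=CHECK_FN):
    """read(addr, n) -> bytes. Return {addr: reason} for every altered site."""
    findings = {}
    for addr in sorted(sites):
        found = read(addr, 5)
        if call_target(addr, found) == target:
            continue                          # call is intact
        if found == b"\x90" * 5:
            findings[addr] = "call replaced by NOPs"
        else:
            findings[addr] = "call overwritten or redirected"
    return findings

def make_reader(changes=None):
    """Constructed image: the expected bytes, optionally with altered sites."""
    image = dict(EXPECTED)
    image.update(changes or {})
    return lambda addr, n: image[addr][:n]

if __name__ == "__main__":
    print(scan(make_reader()))                                # {}
    print(scan(make_reader({0x004961C4: b"\x90" * 5})))       # one finding
```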