Yo 'gain leetoz!

Target game: Sid Meier's Gettysburg
Tools:       W32Dasm, Soft-Ice if u want to trace thru the routine
Level:       1, newbies only!
Other:       Nuffing this time.. gonna make it quick and then goto sleep ;)

Ok.. the game uses the typical GetDriveTypeA routine that's easy to follow and
even more easy to crack. I got this after disasming lee.w32 (backup!)

Huh?.. *ZZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzzz*ZZZZZZZZZZZZZ*ZZZZZZZZZZZZZ*
.............................................................................
.............................................................................
... erhmm.... g'morning.. :).. seems like I had fallen asleep.. heheh.. oh well.

NOTE! Cracking isn't this exhausting!.. I just had had a loonng day.. ;)

Okayz.. lets finish this piece of crap. Does this look familiar?

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004666F7(C)
|
:0046669D 8D45E4                  lea eax, dword ptr [ebp-1C]
:004666A0 50                      push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh      <-- i wonder..
|
:004666A1 FF1500655A00            Call dword ptr [005A6500]
:004666A7 83F805                  cmp eax, 00000005      <-- check for CD-ROM
:004666AA 753F                    jne 004666EB           <-- not found -> jump
:004666AC 68A0055A00              push 005A05A0
:004666B1 E85A020000              call 00466910
:004666B6 83C404                  add esp, 00000004
:004666B9 8D45E4                  lea eax, dword ptr [ebp-1C]
:004666BC 50                      push eax
:004666BD 68A0055A00              push 005A05A0
:004666C2 E859020000              call 00466920
:004666C7 83C408                  add esp, 00000008
:004666CA 56                      push esi
:004666CB 68A0055A00              push 005A05A0
:004666D0 E84B020000              call 00466920
:004666D5 83C408                  add esp, 00000008
:004666D8 8D85A4FDFFFF            lea eax, dword ptr [ebp+FFFFFDA4]
:004666DE 50                      push eax
:004666DF 68A0055A00              push 005A05A0
:004666E4 FFD7                    call edi
:004666E6 83F8FF                  cmp eax, FFFFFFFF      <-- CD found?
:004666E9 757D                    jne 00466768           <-- Nope, jump *Reverse This*

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004666AA(C)
|
:004666EB 8A45E4                  mov al, byte ptr [ebp-1C]
:004666EE 43                      inc ebx
:004666EF FEC0                    inc al
:004666F1 83FB1A                  cmp ebx, 0000001A      <-- check drive letters
:004666F4 8845E4                  mov byte ptr [ebp-1C], al
:004666F7 7CA4                    jl 0046669D            <-- jump if not all done
:004666F9 8B450C                  mov eax, dword ptr [ebp+0C]
:004666FC 85C0                    test eax, eax          <-- check if all done and CD found
:004666FE 0F859C000000            jne 004667A0           <-- Not found -> Jump, found -> go on
:00466704 6A00                    push 00000000
:00466706 8D8D98E0FFFF            lea ecx, dword ptr [ebp+FFFFE098]
:0046670C 6A00                    push 00000000
:0046670E 6AFF                    push FFFFFFFF

Sorry guys.. I could prolly give u more detailed infos if I had traced thru
this in SI.. but since I didn't.. I'll just make a "lucky guess"..haha.. not
really a lucky guess, coz this protection doesn't differ that much; it's easy
to find the correct patching spot without tracing. Like I already pointed out
in the code bit above, u should reverse the jump over there. That was my
"lucky guess" and it turned out to be a right guess :)

Next time I'll be in touch with SI again to give u more detailed and more
specified info (I just hope it won't be getdrivetypea again..).

:004666E9 757D -> 747D .. and you're done! All scenarios are playable and
there won't be a "CD not found" at the beginning. Congratz!

-C_DKnight <- c_dknight@iobox.com, IRC #Cracking4Newbies (EFnet)

Greetz: AB4DS, [LaZaRuS], TheSmurf, Sinn0r!!!, cTT!!!, R!SC, Dead-Mike and all
the other unfortunates I mayhaps forgot :) plus Tailz, F0ley, Mathras, Makis,
LM555, MR-B

Cracking tut #xx
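To make the listing above easier to read as an algorithm, here is a C reconstruction of what the loop does; it is an added example written for this page, not the game's source and not the author's code. What the disassembly shows directly: GetDriveTypeA is called once per drive letter, its result is compared with 5 (DRIVE_CDROM, a real Win32 constant), the letter in [ebp-1C] is incremented and the counter in ebx runs to 1Ah (26), and a second call ("call edi") is compared against -1 before a flag is set. What is assumed here: that the walk starts at A:, that the two calls at 00466920 build a path from the drive root, that "call edi" is a file-existence probe returning -1 on failure, and the marker file name GAME.DAT, which is constructed. GetDriveTypeA and the probe are passed in as function pointers so the reconstruction builds and runs without Win32; the stand-ins at the bottom are constructed test doubles, not real drives.

```c
#include <stdio.h>
#include <string.h>

/* Value GetDriveTypeA returns for a CD-ROM drive (the "cmp eax, 5"). */
#define DRIVE_CDROM 5u

/* The two calls the loop depends on, abstracted so this builds anywhere:
   drive_type stands in for KERNEL32.GetDriveTypeA, probe for the "call edi"
   whose result is compared against -1. Both roles are assumptions. */
typedef unsigned (*drive_type_fn)(const char *root);
typedef int (*probe_fn)(const char *path);

/* Walk A: .. Z: (26 iterations, the "cmp ebx, 1Ah / jl" loop). For each
   CD-ROM drive, build "<drive>:\<marker>" (assumed) and probe it. Returns
   the drive letter on success or 0 when nothing was found; that single
   result is the flag the caller later tests with "test eax, eax". */
char find_game_cd(drive_type_fn drive_type, probe_fn probe, const char *marker)
{
    char root[4] = "A:\\";
    char path[128];
    int i;

    for (i = 0; i < 26; i++) {
        root[0] = (char)('A' + i);              /* the "inc al" on the letter */
        if (drive_type(root) != DRIVE_CDROM)
            continue;                           /* "jne 004666EB": next letter */
        snprintf(path, sizeof path, "%s%s", root, marker);
        if (probe(path) != -1)                  /* "cmp eax, -1": marker present */
            return root[0];
    }
    return 0;
}

/* ---- constructed stand-ins for running this offline (not real drives) ---- */

static unsigned fake_drive_type(const char *root)
{
    /* C: is a hard disk (3), D: and E: are CD-ROM drives, the rest absent (1). */
    switch (root[0]) {
    case 'C': return 3;
    case 'D': case 'E': return DRIVE_CDROM;
    default:  return 1;
    }
}

static int fake_probe(const char *path)
{
    /* Only the disc in E: carries the constructed marker file. */
    return strcmp(path, "E:\\GAME.DAT") == 0 ? 0 : -1;
}

static unsigned no_cd_drive_type(const char *root)
{
    (void)root;
    return 3;                                   /* every letter is a hard disk */
}

int main(void)
{
    char found = find_game_cd(fake_drive_type, fake_probe, "GAME.DAT");
    printf("marker found on drive %c:\n", found ? found : '-');
    found = find_game_cd(no_cd_drive_type, fake_probe, "GAME.DAT");
    printf("with no CD-ROM drive: %s\n", found ? "found" : "not found");
    return 0;
}
```

Seen this way, the whole check reduces to one boolean that a single conditional branch consumes, which is exactly why the tutorial needs to touch only one byte: there is no second source of truth for the decision anywhere else in the routine.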