Target game: Imperialism 2

Progs: Hiew 6.04
       W32Dasm v8.93
       (Soft-Ice 3.24) <-- not necessary

Ready?... ok... here we go

Step 1.

Of course, start with the installation and, when it's done, back up Imperialism II.exe (.bak & .w32). Ok... now we're ready to test what kind of protection this game has. Start Imperialism II and click on "Start new game" or "Tutorial". "Please place Imperialism II cd.." always the same sentence... just a bit modified =). So it's a bloody in-game message, which uses GetDriveTypeA to access the CD-ROM (try to set a breakpoint on it with SI if you want).

Step 2.

Load Imperialism II.w32 in W32Dasm... it takes a while to disassemble since the file is almost 4 megs. As soon as it's ready, use search to find the string "getdrivetypea". Ignore the first and second hits and you should get here on the third one:

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh <-- (Almost) every game uses this
|
:006761CC FF15D8817600      Call dword ptr [007681D8]
:006761D2 33C9              xor ecx, ecx
:006761D4 83F805            cmp eax, 00000005 <-- check against cd, 05 means cd
:006761D7 0F94C1            sete cl
:006761DA 84C9              test cl, cl
:006761DC 0F84D1000000      je 006762B3
:006761E2 8D4C2410          lea ecx, dword ptr [esp+10]
:006761E6 E84BDA0200        call 006A3C36
:006761EB 8B1D80F57400      mov ebx, dword ptr [0074F580]
:006761F1 6A01              push 00000001
:006761F3 C744243400000000  mov [esp+34], 00000000
:006761FB FFD6              call esi
:006761FD 80C341            add bl, 41
:00676200 6A01              push 00000001
:00676202 53                push ebx
:00676203 8D4C241C          lea ecx, dword ptr [esp+1C]
:00676207 8BF8              mov edi, eax
:00676209 E829780200        call 0069DA37

* Possible StringData Ref from Data Obj ->":\"

It took me a while to discover what's happening, and I figured out this is not the right place...
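Added example, not from the tutorial: a C model of the two x86 flag idioms the listings on this page are built from, so the branch outcomes can be worked out without stepping through them in a debugger. It covers the "cmp eax,5 / sete cl / test cl,cl / je" sequence above and the "neg eax / sbb eax,eax / neg eax / test al,al / je" sequence in the second listing further down; DRIVE_CDROM == 5 is the real Win32 value that the "cmp eax, 00000005" tests against, and all inputs are constructed.

```c
/* Models of the flag idioms in the W32Dasm listings (added example, not the
 * game's code). DRIVE_CDROM is the Win32 return value of GetDriveTypeA for a
 * CD-ROM drive; every other value used below is a constructed test input. */
#include <stdint.h>

#define DRIVE_CDROM 5u

/* First listing:   cmp eax,5 ; sete cl ; test cl,cl ; je 006762B3
 * sete stores ZF, so cl == 1 only when eax == DRIVE_CDROM. The je is taken
 * when cl == 0, i.e. when the drive is NOT a CD-ROM. Returns 1 if taken. */
int je_taken_after_sete(uint32_t eax)
{
    uint8_t cl = (eax == DRIVE_CDROM) ? 1 : 0;   /* sete cl      */
    return cl == 0;                              /* test cl,cl ; je */
}

/* Second listing:  neg eax ; sbb eax,eax ; neg eax
 * neg sets CF iff eax != 0; sbb eax,eax then leaves 0 - CF, so -1 or 0;
 * the final neg turns -1 into 1. Net effect: eax becomes (eax != 0). */
uint32_t neg_sbb_neg(uint32_t eax)
{
    uint32_t cf = (eax != 0u);     /* neg eax: CF = (eax != 0) */
    eax = 0u - eax;
    eax = eax - eax - cf;          /* sbb eax,eax = 0 - CF     */
    return 0u - eax;               /* neg eax                  */
}

/* ... test al,al ; je 006763E8
 * Taken exactly when the helper called at 00676187 returned zero, which the
 * tutorial identifies as the "CD is in the drive" path. Returns 1 if taken. */
int je_taken_after_norm(uint32_t helper_result)
{
    return (neg_sbb_neg(helper_result) & 0xffu) == 0;
}
```

The point for anyone reading such a listing is that each multi-instruction idiom collapses to a single boolean, so the entire check rests on one conditional branch.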
I scrolled up a bit and came here:

* Possible StringData Ref from Data Obj ->"0160"
|
:00676181 68BCF57400        push 0074F5BC
:00676186 50                push eax
:00676187 E8D4870000        call 0067E960
:0067618C 83C408            add esp, 00000008
:0067618F F7D8              neg eax
:00676191 1BC0              sbb eax, eax
:00676193 F7D8              neg eax
:00676195 84C0              test al, al <-- Is the cd in the drive?
:00676197 0F844B020000      je 006763E8 <-- Yes... go ahead and jump
:0067619D A180F57400        mov eax, dword ptr [0074F580]

* Reference To: KERNEL32.SetErrorMode, Ord:0213h <-- This is also often used...
|
:006761A2 8B35E8817600      mov esi, dword ptr [007681E8]

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh <-- ...like this one too
|
:006761A8 8B2DEC817600      mov ebp, dword ptr [007681EC]
:006761AE 83F8FF            cmp eax, FFFFFFFF
:006761B1 0F8406010000      je 006762BD
:006761B7 8B0DB8F57400      mov ecx, dword ptr [0074F5B8]
:006761BD 8D542418          lea edx, dword ptr [esp+18]
:006761C1 0441              add al, 41
:006761C3 894C2418          mov dword ptr [esp+18], ecx
:006761C7 52                push edx
:006761C8 8844241C          mov byte ptr [esp+1C], al

Cracking this shouldn't be a problem. Just change the jump "je 006763E8" --> "jne 006763E8" and you're done.

This example was pretty easy, huh? =)... As it usually is... the cracking itself is usually quite easy, but finding the right place for the crack is the hardest part =)

Greetz: Friends, tKC, Pedro of Laxity and to every cracker on earth (or on the moon or whatever)

-C_DKnight
contact me at c_dknight@iobox.com

Written on 27th June 1999