===============================================================================================================
Title        : HEROES OF MIGHT AND MAGIC 3 : THE SHADOW OF DEATH (GAME)
Version      : (should work with any)
Protection   : Safedisc, CD check
Producer     : http://www.3DO.com/
Cracker      : Zaks (scorpion121@gmx.net)
Tools        : Unsafedisc, W32Dasm, Hiew, Softice
Difficulty   : Moderate (Safedisc is a very hard protection, but with Unsafedisc it is not a problem)
Tutorial No. : 11
Font         : Courier New (8)
===============================================================================================================

1) Install HOMM 3: The Shadow of Death. It does not matter whether you install it over Armageddon's Blade or not. Go to the directory where you installed it and look around. You will notice two files called clokspl.exe and heroes3.icd. These two files tell you that the game is protected by Safedisc (the real executable is heroes3.icd). Run Unsafedisc (it should be in this package) and strip the Safedisc wrapper. Now delete heroes3.exe and rename testme.exe (created by Unsafedisc) to heroes3.exe. Back up heroes3.exe (heroes3.bak will be fine). Now test heroes3.exe (with the CD in) to see if it works. For me it works fine, so I suspect it will work for you too.

Press CTRL+D and you are in Softice. Put a breakpoint on GetDriveTypeA (bpx getdrivetypea) and run the game with the CD.
Softice breaks; press F12 to return to the caller, and you land in the middle of the check routine shown below.

Disassembled part of heroes3.exe:

* Referenced by a CALL at Address:
|:004EDC16
|
:0050C430 55                      push ebp
:0050C431 8BEC                    mov ebp, esp
:0050C433 81EC3C020000            sub esp, 0000023C
:0050C439 53                      push ebx
:0050C43A 56                      push esi
:0050C43B 57                      push edi

* Possible StringData Ref from Data Obj ->"DATA\H3BITMAP.LOD"
|
:0050C43C BF5C0F6800              mov edi, 00680F5C
:0050C441 83C9FF                  or ecx, FFFFFFFF
:0050C444 33C0                    xor eax, eax
:0050C446 F2                      repnz
:0050C447 AE                      scasb
:0050C448 F7D1                    not ecx
:0050C44A 2BF9                    sub edi, ecx

* Possible Reference to Dialog: DialogID_0067, CONTROL_ID:8000, "Heroes of Might and Magic III: The Shado"
|
:0050C44C 6800800000              push 00008000
:0050C451 8BC1                    mov eax, ecx
:0050C453 8BF7                    mov esi, edi
:0050C455 BF28846900              mov edi, 00698428
:0050C45A 6828846900              push 00698428
:0050C45F C1E902                  shr ecx, 02
:0050C462 F3                      repz
:0050C463 A5                      movsd
:0050C464 8BC8                    mov ecx, eax
:0050C466 83E103                  and ecx, 00000003
:0050C469 F3                      repz
:0050C46A A4                      movsb
:0050C46B E86DE31000              call 0061A7DD
:0050C470 83C408                  add esp, 00000008
:0050C473 83F8FF                  cmp eax, FFFFFFFF
:0050C476 7541                    jne 0050C4B9
:0050C478 6814966900              push 00699614
:0050C47D E8AEDC1000              call 0061A130
:0050C482 83C404                  add esp, 00000004
:0050C485 83F8FF                  cmp eax, FFFFFFFF
:0050C488 750C                    jne 0050C496
:0050C48A 5F                      pop edi
:0050C48B 5E                      pop esi
:0050C48C B803000000              mov eax, 00000003
:0050C491 5B                      pop ebx
:0050C492 8BE5                    mov esp, ebp
:0050C494 5D                      pop ebp
:0050C495 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050C488(C)
|
* Possible Reference to Dialog: DialogID_0067, CONTROL_ID:8000, "Heroes of Might and Magic III: The Shado"
|
:0050C496 6800800000              push 00008000
:0050C49B 6828846900              push 00698428
:0050C4A0 E838E31000              call 0061A7DD
:0050C4A5 83C408                  add esp, 00000008
:0050C4A8 83F8FF                  cmp eax, FFFFFFFF
:0050C4AB 750C                    jne 0050C4B9
:0050C4AD 5F                      pop edi
:0050C4AE 5E                      pop esi
:0050C4AF B804000000              mov eax, 00000004
:0050C4B4 5B                      pop ebx
:0050C4B5 8BE5                    mov esp, ebp
:0050C4B7 5D                      pop ebp
:0050C4B8 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0050C476(C), :0050C4AB(C)
|
:0050C4B9 50                      push eax
:0050C4BA E83EE21000              call 0061A6FD
:0050C4BF 83C404                  add esp, 00000004

* Reference To: KERNEL32.GetLogicalDrives, Ord:0000h
|
:0050C4C2 FF15D8B06300            Call dword ptr [0063B0D8]
:0050C4C8 8BF0                    mov esi, eax
:0050C4CA BF88986900              mov edi, 00699888
:0050C4CF 83C9FF                  or ecx, FFFFFFFF
:0050C4D2 33C0                    xor eax, eax
:0050C4D4 F2                      repnz
:0050C4D5 AE                      scasb
:0050C4D6 F7D1                    not ecx
:0050C4D8 49                      dec ecx
:0050C4D9 0F849C000000            je 0050C57B
:0050C4DF A088986900              mov al, byte ptr [00699888]
:0050C4E4 0FBEC8                  movsx ecx, al
:0050C4E7 51                      push ecx
:0050C4E8 A2004A6800              mov byte ptr [00684A00], al
:0050C4ED E8CDD21000              call 006197BF
:0050C4F2 83E841                  sub eax, 00000041
:0050C4F5 BA01000000              mov edx, 00000001
:0050C4FA 8BC8                    mov ecx, eax
:0050C4FC 83C404                  add esp, 00000004
:0050C4FF D3E2                    shl edx, cl
:0050C501 85D6                    test esi, edx
:0050C503 7476                    je 0050C57B
:0050C505 0441                    add al, 41

* Possible StringData Ref from Data Obj ->"A:\"
|
:0050C507 68E00B6800              push 00680BE0
:0050C50C A2E00B6800              mov byte ptr [00680BE0], al

* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h
|
:0050C511 FF15D4B06300            Call dword ptr [0063B0D4]     // Softice breaks here
:0050C517 83F805                  cmp eax, 00000005             // cmp eax,5 (5 = DRIVE_CDROM) = you are at the right place
:0050C51A 755F                    jne 0050C57B
:0050C51C 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0050C51F E8FCC30800              call 00598920
:0050C524 8B4004                  mov eax, dword ptr [eax+04]
:0050C527 85C0                    test eax, eax
:0050C529 7505                    jne 0050C530
:0050C52B B808B66300              mov eax, 0063B608

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050C529(C)
|
* Possible Reference to Dialog: DialogID_0067, CONTROL_ID:8000, "Heroes of Might and Magic III: The Shado"
|
:0050C530 6800800000              push 00008000
:0050C535 50                      push eax
:0050C536 E8A2E21000              call 0061A7DD
:0050C53B 8BF8                    mov edi, eax
:0050C53D 8B45E4                  mov eax, dword ptr [ebp-1C]
:0050C540 83C408                  add esp, 00000008
:0050C543 85C0                    test eax, eax
:0050C545 741D                    je 0050C564
:0050C547 8D48FF                  lea ecx, dword ptr [eax-01]
:0050C54A 8A40FF                  mov al, byte ptr [eax-01]
:0050C54D 84C0                    test al, al
:0050C54F 740A                    je 0050C55B
:0050C551 3CFF                    cmp al, FF
:0050C553 7406                    je 0050C55B
:0050C555 FEC8                    dec al
:0050C557 8801                    mov byte ptr [ecx], al
:0050C559 EB09                    jmp 0050C564

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0050C54F(C), :0050C553(C)
|
:0050C55B 51                      push ecx
:0050C55C E82FF20F00              call 0060B790
:0050C561 83C404                  add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0050C545(C), :0050C559(U)
|
:0050C564 83FFFF                  cmp edi, FFFFFFFF
:0050C567 7412                    je 0050C57B
:0050C569 57                      push edi
:0050C56A E88EE11000              call 0061A6FD
:0050C56F 83C404                  add esp, 00000004
:0050C572 33C0                    xor eax, eax
:0050C574 5F                      pop edi
:0050C575 5E                      pop esi
:0050C576 5B                      pop ebx
:0050C577 8BE5                    mov esp, ebp
:0050C579 5D                      pop ebp
:0050C57A C3                      ret

Note how the routine decides: it reads a drive letter from the string at 00699888, checks that its bit is set in the GetLogicalDrives mask, builds "X:\" and asks GetDriveTypeA whether it is a CD-ROM (5), then opens a file on that drive. Every failing test jumps to 0050C57B, which lies past the end of this listing; the two early exits that return 3 and 4 are taken when DATA\H3BITMAP.LOD cannot be opened, and the success path falls through to xor eax, eax at 0050C572.

2) Trace with F10 (long trace) until you reach the ret and, before executing it, look at the values of eax and ebx (? eax and ? ebx). With the CD in, eax is 0 and ebx is 1. Press F5 until the game starts, then quit. Now run the game without the CD. Once again Softice breaks; press F12, then trace (F10) until you are on the ret line and read the values of eax and ebx. Without the CD eax is 2 and ebx is 1 (again). So the value of ebx is not important here (it is the same with the CD in and out). Disassemble heroes3.bak with W32Dasm, go to the check routine (shown above) and note the file offset of the line

:0050C430 55                      push ebp                      // Here the check begins

which is 10c430 for me.

3) Now you will make this check (well, it will not be a check any more) always return eax = 0. Open heroes3.exe with Hiew: F4 - decode, F5 - goto 10c430, F3 - edit, F2 - asm, then type mov eax,0 ENTER and ret ENTER. ESC leaves the editor, F9 writes the change, ESC exits. Run heroes3.exe.
The game runs and there is a message that the game found the Heroes 3 Restoration of Erathia CD and you cannot play Shadow of Death with this CD. This message must not disappoint you; it just shows that you are on the right way. Quit the game and change eax to 1 (do it with Hiew as shown above), then run the game. This time the message is that the SoD CD-ROM was not found. Quit and change eax to 3 (remember that eax = 2 means the CD is not found too) and run the game. Hmm, a startup error message; never mind, change eax to 4 and run it again. Another startup error; never mind, change eax to 5 and run it again. (3 and 4 are the values the routine above returns when it cannot open DATA\H3BITMAP.LOD, so the game treats them as a missing data file rather than as a CD result.) This time it runs and once again the message says that the game found the Heroes 3 Restoration of Erathia CD. Hmm, boring; quit, change eax to 6 and run it again. Phew, this time it says that the Armageddon's Blade CD was found. Quit and change eax to 7 (I am sure you are getting close) and run the game again. Super, no evil messages, so the game thinks that the SoD CD is in. Enjoy the game.

===============================================================================================================
You can find all my tutorials on the following sites :
http://zarea.cjb.net
http://go.to/zzone
http://kickme.to/dbc

11.05.2000                                                                                      Written by Zaks
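Added after the tutorial as a scripted version of step 3 (example code, not part of Zaks' text): instead of assembling mov eax,7 / ret by hand in Hiew, the script below locates the check routine at VA 0050C430 through the PE section table, verifies that the prologue bytes from the listing (55 8B EC 81 EC 3C 02 00 00) are really there, and overwrites the first six bytes with B8 07 00 00 00 C3. The VA, the prologue bytes and the return value 7 come from the tutorial; the section-table lookup, the refusal to patch a file whose bytes do not match, and the tiny constructed PE32 used for offline exercise are my additions and are not taken from the game.

```python
"""Scripted version of the Hiew patch from step 3 (added example, not code from
the tutorial): overwrite the start of the CD-check routine at VA 0050C430 with
`mov eax, 7` / `ret`.  The VA, the prologue bytes 55 8B EC 81 EC 3C 02 00 00
and the return value 7 come from the tutorial; the PE-section lookup and the
sample image are additions so the file offset is computed, not assumed."""
import struct
import sys
from pathlib import Path

CHECK_VA = 0x0050C430                                # start of the check routine (W32Dasm listing)
ORIG_PROLOGUE = bytes.fromhex("558BEC81EC3C020000")  # push ebp / mov ebp,esp / sub esp,23Ch
RETURN_SOD_CD = 7                                    # value the tutorial found makes the game accept the SoD CD


def encode_patch(eax_value: int) -> bytes:
    """Encode `mov eax, imm32` (B8 imm32) followed by `ret` (C3): 6 bytes,
    exactly what Hiew writes when those two instructions are assembled."""
    if not 0 <= eax_value <= 0xFFFFFFFF:
        raise ValueError("eax value must fit in 32 bits")
    return b"\xB8" + struct.pack("<I", eax_value) + b"\xC3"


def parse_pe32(pe: bytes):
    """Return (image_base, sections) from a PE32 image; each section is a
    (virtual_address, virtual_size, raw_pointer, raw_size) tuple."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("expected a PE32 (32-bit) image")
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(va: int, image_base: int, sections) -> int:
    """Map a virtual address to a raw file offset via the section table; this is
    the translation Hiew performs when you 'goto' an address in decode mode."""
    rva = va - image_base
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} is not inside any section")


def patch_image(pe: bytes, va: int = CHECK_VA, eax_value: int = RETURN_SOD_CD,
                expect: bytes = ORIG_PROLOGUE) -> bytes:
    """Return a copy of `pe` with the routine at `va` replaced by mov eax,N / ret.
    Refuses to write unless the original prologue is still there, so a different
    build or an already patched file is not silently corrupted."""
    image_base, sections = parse_pe32(pe)
    off = va_to_file_offset(va, image_base, sections)
    if pe[off:off + len(expect)] != expect:
        raise ValueError(f"unexpected bytes at file offset {off:#x}: wrong build or already patched")
    patch = encode_patch(eax_value)
    return pe[:off] + patch + pe[off + len(patch):]


def build_sample_image(prologue_at: int = 0x40) -> bytes:
    """Construct a minimal PE32 (NOT the game binary) with one .text section mapped
    1:1 at RVA/file offset 0x1000 and the prologue bytes `prologue_at` bytes into it."""
    e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)      # ImageBase
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x1000, 0x1000, 0, 0, 0, 0, 0x60000020)
    img = bytearray(0x2000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + len(coff) + len(opt) + len(sec)] = coff + bytes(opt) + sec
    img[0x1000 + prologue_at:0x1000 + prologue_at + len(ORIG_PROLOGUE)] = ORIG_PROLOGUE
    return bytes(img)


if __name__ == "__main__":
    # Usage: python patch_cdcheck.py heroes3.exe   (writes heroes3.bak first if it does not exist)
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "heroes3.exe")
    original = target.read_bytes()
    backup = target.with_suffix(".bak")
    if not backup.exists():
        backup.write_bytes(original)
    target.write_bytes(patch_image(original))
    print(f"patched {target}: check routine now returns eax={RETURN_SOD_CD}")
```

The six-byte patch covers push ebp, mov ebp,esp and the first byte of sub esp,23Ch; the three leftover bytes 02 00 00 sit after the ret and are never executed, which is the same state Hiew leaves the file in. The tutorial's offset 10c430 equals the RVA, which only holds because the game's code section has its raw pointer equal to its virtual address; computing the offset from the section table instead of hard-coding it is what keeps the script usable on a differently laid-out build.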