===============================================================================================================
Title        : Hellfire (GAME)
Version      : 1.01 (should work with any)
Protection   : CD check (hidden in storm.dll)
Producer     : http://www.sierra.com
Cracker      : Zaks (tntpcclub@hotmail.com)
Tools        : W32Dasm, Hiew, SoftICE
Difficulty   : Moderate
Tutorial No. : 8
Font         : Courier New (8)
===============================================================================================================

1) Install Hellfire. Try running it without the CD and you get "Please insert diablo cd-rom ...". Open your Hellfire disk and copy diabdat.mpq (the main Diablo library file) into your Hellfire directory. Create backups of hellfire.exe and storm.dll. Disassemble hellfire.bak (your hellfire.exe backup) with W32Dasm and search for GetDriveTypeA. Below is the interesting part. You could try the usual crack: return to the call and try to fix it, or try to fix the whole check routine below. Do not waste your time like I did; this way does not seem to work.
Disassembled part of HELLFIRE.EXE:

* Referenced by a CALL at Address:
|:0041DBB9
|
:0041DBF7 55                push ebp
:0041DBF8 8BEC              mov ebp, esp
:0041DBFA 81EC08010000      sub esp, 00000108
:0041DC00 53                push ebx
:0041DC01 56                push esi
:0041DC02 8D85F8FEFFFF      lea eax, dword ptr [ebp+FFFFFEF8]
:0041DC08 57                push edi
:0041DC09 BE04010000        mov esi, 00000104
:0041DC0E 50                push eax
:0041DC0F 8BFA              mov edi, edx
:0041DC11 894DFC            mov dword ptr [ebp-04], ecx
:0041DC14 56                push esi

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F8h
|
:0041DC15 FF15A8904800      Call dword ptr [004890A8]
:0041DC1B 85C0              test eax, eax
:0041DC1D 745F              je 0041DC7E                        <- Badguy
:0041DC1F 3BC6              cmp eax, esi
:0041DC21 775B              ja 0041DC7E                        <- Badguy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC29(U)
|
:0041DC23 803F5C            cmp byte ptr [edi], 5C
:0041DC26 7503              jne 0041DC2B
:0041DC28 47                inc edi
:0041DC29 EBF8              jmp 0041DC23

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC26(C)
|
:0041DC2B 80BDF8FEFFFF00    cmp byte ptr [ebp+FFFFFEF8], 00
:0041DC32 8DB5F8FEFFFF      lea esi, dword ptr [ebp+FFFFFEF8]
:0041DC38 7444              je 0041DC7E                        <- Badguy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC7C(C)
|
:0041DC3A 8BDE              mov ebx, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC41(C)
|
:0041DC3C 8A06              mov al, byte ptr [esi]
:0041DC3E 46                inc esi
:0041DC3F 84C0              test al, al
:0041DC41 75F9              jne 0041DC3C
:0041DC43 53                push ebx

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
|
:0041DC44 FF15A4904800      Call dword ptr [004890A4]          <- GetDriveTypeA is called
:0041DC4A 83F805            cmp eax, 00000005                  <- compares the returned eax with 5 (for CD-ROMs)
:0041DC4D 752A              jne 0041DC79                       <- if not a CD, loop to check the other drives
:0041DC4F 53                push ebx
:0041DC50 FF75FC            push [ebp-04]
:0041DC53 E8D8C00500        call 00479D30
:0041DC58 59                pop ecx
:0041DC59 59                pop ecx
:0041DC5A 57                push edi
:0041DC5B FF75FC            push [ebp-04]
:0041DC5E E8DDC00500        call 00479D40
:0041DC63 59                pop ecx
:0041DC64 59                pop ecx
:0041DC65 FF750C            push [ebp+0C]
:0041DC68 6A01              push 00000001
:0041DC6A FF7508            push [ebp+08]
:0041DC6D FF75FC            push [ebp-04]

* Reference To: storm.storm:NoName0018, Ord:010Ah
|
:0041DC70 E82BAE0600        Call 00488AA0                      <- in SoftICE I saw this is a call into storm.dll,
                                                               <- where the real check for the CD is done
:0041DC75 85C0              test eax, eax                      <- was the CD found?
:0041DC77 750E              jne 0041DC87                       <- then jump to GoodGuy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC4D(C)
|
:0041DC79 803E00            cmp byte ptr [esi], 00
:0041DC7C 75BC              jne 0041DC3A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041DC1D(C), :0041DC21(C), :0041DC38(C)
|
:0041DC7E 33C0              xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC8A(U)
|
:0041DC80 5F                pop edi
:0041DC81 5E                pop esi
:0041DC82 5B                pop ebx
:0041DC83 C9                leave
:0041DC84 C20800            ret 0008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC77(C)
|
:0041DC87 6A01              push 00000001
:0041DC89 58                pop eax
:0041DC8A EBF4              jmp 0041DC80

2) So CTRL-D and we are in SoftICE, where we set a breakpoint on GetDriveTypeA (bpx getdrivetypea) and launch Hellfire with the CD in. First make sure you press Num Lock so the Num Lock light is on. Now start hellfire.exe. The Num Lock light goes off, so we know we are in SoftICE ... but we do not see anything; the screen is completely black. Shit. Press F5 many times until you get out of SoftICE, the game intro begins and we are at the start menu. Press "start new game". SoftICE breaks, and this time it is visible, thanks to high heavens. So press F12 and we are back to see what is calling GetDriveTypeA ... What is this? We see that we are in a file called storm. There is only one file with the name storm, and it is storm.dll. Quickly clear our breakpoints (bc*) and disassemble the file storm.bak (the backup copy of storm.dll) with W32Dasm.
Search for GetDriveTypeA and here we are.

Disassembled part of STORM.DLL:

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
|
:1500D731 FF15A0240215      Call dword ptr [150224A0]          // call to GetDriveTypeA
:1500D737 8BF0              mov esi, eax
:1500D739 B941000000        mov ecx, 00000041
:1500D73E 33C0              xor eax, eax                       // eax becomes 0
:1500D740 8DBC2430010000    lea edi, dword ptr [esp+00000130]
:1500D747 F3                repz
:1500D748 AB                stosd
:1500D749 8D8C2430010000    lea ecx, dword ptr [esp+00000130]
:1500D750 6804010000        push 00000104
:1500D755 8D542424          lea edx, dword ptr [esp+24]
:1500D759 33DB              xor ebx, ebx                       // ebx is 0 here
:1500D75B 51                push ecx
:1500D75C 52                push edx
:1500D75D 53                push ebx
:1500D75E 53                push ebx
:1500D75F 53                push ebx
:1500D760 8D442428          lea eax, dword ptr [esp+28]
:1500D764 53                push ebx
:1500D765 50                push eax
:1500D766 895C2440          mov dword ptr [esp+40], ebx

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh
|
:1500D76A FF1598240215      Call dword ptr [15022498]          // call to GetVolumeInformationA
:1500D770 85C0              test eax, eax                      // was the right volume label there?
:1500D772 746F              je 1500D7E3                        // in SoftICE we do not jump here
:1500D774 8D4C2424          lea ecx, dword ptr [esp+24]
:1500D778 8D54241C          lea edx, dword ptr [esp+1C]
:1500D77C 51                push ecx
:1500D77D 8D44241C          lea eax, dword ptr [esp+1C]
:1500D781 52                push edx
:1500D782 8D4C2430          lea ecx, dword ptr [esp+30]
:1500D786 50                push eax
:1500D787 8D54241C          lea edx, dword ptr [esp+1C]
:1500D78B 51                push ecx
:1500D78C 52                push edx
:1500D78D 895C243C          mov dword ptr [esp+3C], ebx
:1500D791 895C242C          mov dword ptr [esp+2C], ebx
:1500D795 895C2430          mov dword ptr [esp+30], ebx
:1500D799 895C2438          mov dword ptr [esp+38], ebx

* Reference To: KERNEL32.GetDiskFreeSpaceA, Ord:00DBh
|
:1500D79D FF1594240215      Call dword ptr [15022494]          // call to GetDiskFreeSpaceA
:1500D7A3 85C0              test eax, eax
:1500D7A5 743C              je 1500D7E3                        // in SoftICE we do not jump here
:1500D7A7 8B442420          mov eax, dword ptr [esp+20]
:1500D7AB 8B54241C          mov edx, dword ptr [esp+1C]
:1500D7AF 8B4C2418          mov ecx, dword ptr [esp+18]
:1500D7B3 8BAC2430010000    mov ebp, dword ptr [esp+00000130]
:1500D7BA 83E004            and eax, 00000004
:1500D7BD 33C2              xor eax, edx
:1500D7BF 33C1              xor eax, ecx
:1500D7C1 33C5              xor eax, ebp
:1500D7C3 33C6              xor eax, esi
:1500D7C5 8BC8              mov ecx, eax
:1500D7C7 C1E910            shr ecx, 10
:1500D7CA 33C8              xor ecx, eax
:1500D7CC 6681F9001F        cmp cx, 1F00
:1500D7D1 740B              je 1500D7DE                        // this jump here will make eax 1
:1500D7D3 6681F90508        cmp cx, 0805
:1500D7D8 7404              je 1500D7DE
:1500D7DA 33C0              xor eax, eax
:1500D7DC EB05              jmp 1500D7E3

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1500D7D1(C), :1500D7D8(C)
|
:1500D7DE B801000000        mov eax, 00000001                  // this looks very interesting

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1500D772(C), :1500D7A5(C), :1500D7DC(U)
|
:1500D7E3 8B8C2440020000    mov ecx, dword ptr [esp+00000240]
:1500D7EA 89442410          mov dword ptr [esp+10], eax
:1500D7EE 3BCB              cmp ecx, ebx
:1500D7F0 741A              je 1500D80C                        // in SoftICE we jump here
:1500D7F2 3BC3              cmp eax, ebx
:1500D7F4 7516              jne 1500D80C
:1500D7F6 6A0F              push 0000000F

* Reference To: storm.ExpFn0161()
|
:1500D7F8 E8D3D2FFFF        call 1500AAD0
:1500D7FD 33C0              xor eax, eax
:1500D7FF 5F                pop edi
:1500D800 5E                pop esi
:1500D801 5D                pop ebp
:1500D802 5B                pop ebx
:1500D803 81C424020000      add esp, 00000224
:1500D809 C21000            ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1500D7F0(C), :1500D7F4(C)
|
:1500D80C 53                push ebx
:1500D80D 53                push ebx
:1500D80E 6A03              push 00000003
:1500D810 53                push ebx
:1500D811 6A01              push 00000001
:1500D813 8D442440          lea eax, dword ptr [esp+40]
:1500D817 6800000080        push 80000000
:1500D81C 50                push eax

* Reference To: KERNEL32.CreateFileA, Ord:0031h
|
:1500D81D FF1564250215      Call dword ptr [15022564]
:1500D823 8BD8              mov ebx, eax
:1500D825 83FBFF            cmp ebx, FFFFFFFF
:1500D828 895C2418          mov dword ptr [esp+18], ebx
:1500D82C 750F              jne 1500D83D
:1500D82E 33C0              xor eax, eax
:1500D830 5F                pop edi
:1500D831 5E                pop esi
:1500D832 5D                pop ebp
:1500D833 5B                pop ebx
:1500D834 81C424020000      add esp, 00000224
:1500D83A C21000            ret 0010

3) So let's try to reverse this jump and see if it works:

:1500D7D1 740B              je 1500D7DE                        // this jump here will make eax 1

Open storm.dll with Hiew. Go to offset cbd1 (the file offset of the line above) and change the je to jne (74 to 75). Save and exit. Run Hellfire without the CD and ... it works. If the CD is in, the game will not run, so we had better change 75 (jne) to EB (jmp) so it always jumps no matter whether the CD is in or out.

===============================================================================================================
10.11.2000                                                                                 Written by Zaksnop