===============================================================================================================
Title        : WARCRAFT 2 BATTLE NET EDITION(GAME)
Version      : 2.0
Description  : RTS (C&C CLONE)
Protection   : CD CHECK (in storm.dll again)
Producer     : http://www.blizzard.com
Cracker      : Zaks (scorpion121@gmx.net)
Tools        : Softice
Difficulty   : Very Easy (The same protection as in Starcraft or Diablo)
Tutorial No. : 13
Font         : Courier New (8)
===============================================================================================================

1) Install Warcraft 2 BNE. Copy install.exe from the CD to your war2 directory. Remove the CD from the drive.
   Set a breakpoint on getdrivetypea (bpx getdrivetypea) in Softice and run Warcraft 2 BNE. Softice breaks in
   kernel32; press F12 to return to the caller and you are in the file storm!. The only file named storm is
   storm.dll. Well, I have already explained how to crack this stupid protection in the Starcraft and Diablo
   tutorials. So once again, very briefly :

//Part of storm.dll

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
                                  |
:1501151E FF157CB10215            Call dword ptr [1502B17C]
:15011524 8D942430010000          lea edx, dword ptr [esp+00000130]
:1501152B 6804010000              push 00000104
:15011530 52                      push edx
:15011531 8BF0                    mov esi, eax
:15011533 896C241C                mov dword ptr [esp+1C], ebp

* Reference To: Storm.ExpFn0223()
                                  |
:15011537 E8C4670000              call 15017D00
:1501153C 8D842430010000          lea eax, dword ptr [esp+00000130]
:15011543 6804010000              push 00000104
:15011548 8D4C2418                lea ecx, dword ptr [esp+18]
:1501154C 50                      push eax
:1501154D 51                      push ecx
:1501154E 55                      push ebp
:1501154F 55                      push ebp
:15011550 55                      push ebp
:15011551 8D542428                lea edx, dword ptr [esp+28]
:15011555 55                      push ebp
:15011556 52                      push edx

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
                                  |
:15011557 FF1580B10215            Call dword ptr [1502B180]
:1501155D 85C0                    test eax, eax
:1501155F 7506                    jne 15011567
:15011561 896C2414                mov dword ptr [esp+14], ebp
:15011565 EB78                    jmp 150115DF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1501155F(C)
|
:15011567 8D44241C                lea eax, dword ptr [esp+1C]
:1501156B 8D4C2424                lea ecx, dword ptr [esp+24]
:1501156F 50                      push eax
:15011570 8D54241C                lea edx, dword ptr [esp+1C]
:15011574 51                      push ecx
:15011575 8D442428                lea eax, dword ptr [esp+28]
:15011579 52                      push edx
:1501157A 8D4C241C                lea ecx, dword ptr [esp+1C]
:1501157E 50                      push eax
:1501157F 51                      push ecx
:15011580 896C2434                mov dword ptr [esp+34], ebp
:15011584 896C242C                mov dword ptr [esp+2C], ebp
:15011588 896C2438                mov dword ptr [esp+38], ebp
:1501158C 896C2430                mov dword ptr [esp+30], ebp

* Reference To: KERNEL32.GetDiskFreeSpaceA, Ord:0100h
                                  |
:15011590 FF1584B10215            Call dword ptr [1502B184]
:15011596 85C0                    test eax, eax
:15011598 7506                    jne 150115A0
:1501159A 896C2414                mov dword ptr [esp+14], ebp
:1501159E EB3F                    jmp 150115DF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:15011598(C)
|
:150115A0 8B442414                mov eax, dword ptr [esp+14]
:150115A4 8B942430010000          mov edx, dword ptr [esp+00000130]
:150115AB 8B4C2424                mov ecx, dword ptr [esp+24]
:150115AF 8B5C2418                mov ebx, dword ptr [esp+18]
:150115B3 83E004                  and eax, 00000004
:150115B6 33C2                    xor eax, edx
:150115B8 33C1                    xor eax, ecx
:150115BA 33C3                    xor eax, ebx
:150115BC 33C6                    xor eax, esi
:150115BE 8BC8                    mov ecx, eax
:150115C0 C1E910                  shr ecx, 10
:150115C3 33C8                    xor ecx, eax
:150115C5 6681F9001F              cmp cx, 1F00
:150115CA 740B                    je 150115D7                       // never saw this jump to be taken
:150115CC 6681F90508              cmp cx, 0805
:150115D1 896C2414                mov dword ptr [esp+14], ebp
:150115D5 7508                    jne 150115DF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:150115CA(C)
|
:150115D7 C744241401000000        mov [esp+14], 00000001            // here is the good guy

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:15011565(U), :1501159E(U), :150115D5(C)
|
:150115DF 8BBC2440020000          mov edi, dword ptr [esp+00000240]
:150115E6 8BC7                    mov eax, edi
:150115E8 83E001                  and eax, 00000001
:150115EB 8944241C                mov dword ptr [esp+1C], eax
:150115EF 740A                    je 150115FB
:150115F1 396C2414                cmp dword ptr [esp+14], ebp
:150115F5 0F84CF040000            je 15011ACA

2) You need to make the program reach the line :

:150115D7 C744241401000000        mov [esp+14], 00000001

   There are many ways to do this. One of them is to nop the previous line :

:150115D5 7508                    jne 150115DF

   Write down the offset of the line above. For me it was 115D5. Open storm.dll with your favourite hex editor.
   Go to this offset and change 7508 to 9090 (NOP NOP). Run the game. It does not work.

3) Quickly do Start->Run->regedit->OK and search the registry for the word "warcraft". Search until you reach
   the following key :

   HKEY_LOCAL_MACHINE\Software\Blizzard Entertainment\Warcraft II BNE

   There you find War2CD. Double click on it and replace the drive letter with the installation path on your
   HDD. Quit regedit and run the game again. It works.

===============================================================================================================
You can find all my tutorials on the following sites :

http://zarea.cjb.net
http://go.to/zzone
http://kickme.to/dbc

12.28.2000                                                                                   Written by Zaks

e closed". So there is something that I had to do at first and not wasting my time. I suggest you try this every time with this kind of protections. Go at the beginning of the check routine :
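
Seen from the integrity-checking side, step 2 above is a two-byte change that turns a short conditional jump into NOPs. The Python sketch below is an added example, not part of the original tutorial: it compares a known-good image with an installed copy and labels changes of that kind. The function names are hypothetical and the sample buffers are constructed from the bytes shown in the listing at :150115CC-:150115D7.

```python
# Added example (not from the tutorial): classify differences between a
# known-good image and an installed copy, flagging neutralised branches.

# Constructed sample: the instruction bytes the listing shows at
# :150115CC-:150115D7 (cmp cx,0805 / mov [esp+14],ebp / jne / mov [esp+14],1).
SAMPLE_BASE = 0x150115CC
REFERENCE = bytes.fromhex("6681F90508" "896C2414" "7508" "C744241401000000")
TAMPERED = bytes.fromhex("6681F90508" "896C2414" "9090" "C744241401000000")


def is_jcc_short(opcode):
    """True for the one-byte opcodes of short conditional jumps (70h-7Fh)."""
    return 0x70 <= opcode <= 0x7F


def find_branch_patches(reference, candidate, base=0):
    """Return (address, original_hex, current_hex, kind) for each changed run.

    Heuristic: there is no disassembly here, so a reference byte in 70h-7Fh
    is only assumed to be an opcode; confirm hits against a listing.
    """
    if len(reference) != len(candidate):
        raise ValueError("size mismatch: compare against the same build")
    findings, i, n = [], 0, len(reference)
    while i < n:
        if reference[i] == candidate[i]:
            i += 1
            continue
        j = i
        while j < n and reference[j] != candidate[j]:
            j += 1  # extend over the contiguous run of changed bytes
        kind = "modified"
        if is_jcc_short(reference[i]):
            if candidate[i:i + 2] == b"\x90\x90":
                kind = "jcc-nopped"   # branch removed, always falls through
            elif candidate[i] == 0xEB and j - i == 1:
                kind = "jcc-forced"   # branch made unconditional
        findings.append((base + i, reference[i:j].hex(), candidate[i:j].hex(), kind))
        i = j
    return findings


if __name__ == "__main__":
    for addr, old, new, kind in find_branch_patches(REFERENCE, TAMPERED, SAMPLE_BASE):
        print(f"{addr:08X}: {old} -> {new} [{kind}]")
```

A whole-file hash already reveals that a module changed; a classified diff like this tells the analyst which decision point was altered.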