How to remove the Black & White CDCHECK
Requirements:
Note: CD CHECK TUTORIAL for ya
Introduction:
Once a popular game, now dead boring.
Getting Started:
First let's presume you have the FAIRLIGHT version of Black & White (the CD contains a crack). You need this because the game is protected with CDILLA2. Since this isn't an unwrapping tutorial and I don't own an original copy, we won't discuss CDilla. If you don't have it, you can go to www.gamecopyworld.com and obtain a *FIXED* exe; just make sure it's not a NoCD.
If you run Black & White without the CD in the drive, you will quickly notice you're staring at a black screen doing nothing. The CD check is built around GetVolumeInformationA.
And the call to the CD check is a typical boolean check, of the kind we see so much of today.
So while you're staring at the wonderful black screen, jump into SoftICE and put a breakpoint on GetVolumeInformationA ('bpx getvolumeinformationa'), then jump out. SoftICE should pop up and you're looking in kernel32.dll (the home of GetVolumeInformationA). Press F12 once to get back inside runblack.exe's code. Notice how the call was in the form of CALL EDI. Also, if you were to check the import table, it doesn't have the references to user32 or kernel32: the game fixes up the import table as it goes along. You should now be looking at this code:
:005F12A1 FFD7 call edi <- The call to GetVolumeInformationA
:005F12A3 FEC3 inc bl
:005F12A5 BEEC22B200 mov esi, 00B222EC <- look in B222EC ('d b222ec') and you will notice 'BNW'. Ironically, it's the volume label of the B&W CD :)
:005F12AA 8D44241C lea eax, dword ptr [esp+1C]
:005F12AE 8A10 mov dl, byte ptr [eax]
:005F12B0 8ACA mov cl, dl
:005F12B2 3A16 cmp dl, byte ptr [esi] <- This compares your drive's label with 'BNW' character by character.
:005F12B4 751C jne 005F12D2 <- Jump if it doesn't match (bad)
:005F12B6 84C9 test cl, cl
:005F12B8 7414 je 005F12CE <- Jump if no more letters are left in YOUR drive's label
:005F12BA 8A5001 mov dl, byte ptr [eax+01]
:005F12BD 8ACA mov cl, dl
:005F12BF 3A5601 cmp dl, byte ptr [esi+01] <- Compare the next characters
:005F12C2 750E jne 005F12D2 <- Jump if it doesn't match (bad)
:005F12C4 83C002 add eax, 00000002
:005F12C7 83C602 add esi, 00000002
:005F12CA 84C9 test cl, cl <- Have we finished comparing your label?
:005F12CC 75E0 jne 005F12AE <- If not, then jump (loop)
:005F12CE 33C0 xor eax, eax <- We'd prefer not to hit this, but no matter
:005F12D0 EB05 jmp 005F12D7 <- Go! Go! Go!
Here we can see the basics of the first CD check. Very clearly it simply compares your drives' labels with what the label should be ('BNW'). To cheekily defeat this you could change your drive label to BNW, but we don't need to. Let's trace on..
:005F12D7 85C0 test eax, eax <- If we hit the XOR EAX, EAX above or the compare failed, then
:005F12D9 7539 jne 005F1314 <- this badass jump will jump
:005F12DB BEE422B200 mov esi, 00B222E4 <- look in B222E4 ('d b222e4') and you will notice 'CDFS'. This is the typical file system for a CD. Your hard drive is most likely FAT32
:005F12E0 8D84241C010000 lea eax, dword ptr [esp+0000011C]
:005F12E7 8A10 mov dl, byte ptr [eax]
:005F12E9 8ACA mov cl, dl
:005F12EB 3A16 cmp dl, byte ptr [esi] <- The same compare method as above, a character check, except this time for the file system :)
:005F12ED 751C jne 005F130B <- One mismatch and this bad jump does just that
:005F12EF 84C9 test cl, cl
:005F12F1 7414 je 005F1307 <- Jump if we ran out of your drive's file system letters
:005F12F3 8A5001 mov dl, byte ptr [eax+01]
:005F12F6 8ACA mov cl, dl
:005F12F8 3A5601 cmp dl, byte ptr [esi+01] <- Compare the next letter
:005F12FB 750E jne 005F130B <- If it doesn't match, then jump
:005F12FD 83C002 add eax, 00000002
:005F1300 83C602 add esi, 00000002
:005F1303 84C9 test cl, cl <- Have we more letters to check?
:005F1305 75E0 jne 005F12E7 <- If so, then jump (loop)
:005F1307 33C0 xor eax, eax
:005F1309 EB05 jmp 005F1310 <- good jump for us
:005F130B 1BC0 sbb eax, eax
:005F130D 83D8FF sbb eax, FFFFFFFF
:005F1310 85C0 test eax, eax <- EAX needs to be 0
:005F1312 740A je 005F131E <- Then this is our final good jump
:005F1314 80FB7A cmp bl, 7A
:005F1317 7423 je 005F133C <- bad
:005F1319 E954FFFFFF jmp 005F1272 <- Loop the CD check again
:005F131E 5F pop edi
:005F131F FECB dec bl
:005F1321 5E pop esi
:005F1322 881DE8DEB400 mov byte ptr [00B4DEE8], bl
:005F1328 C6056478C60001 mov byte ptr [00C67864], 01
:005F132F B801000000 mov eax, 00000001 <- The magic CDINDRIVE value
:005F1334 5B pop ebx
:005F1335 81C410020000 add esp, 00000210
:005F133B C3 ret <- exit the CD check call WITH eax=1, so the CD is in the drive ;)
This check verifies that the file system on the drive with the BNW label is CDFS (a CD). If it's not, it assumes there is no CD, so it loops the check endlessly. The operation at 005F132F is the boolean op that tells the game the CD is in the drive: 0=false, 1=true. So all we need to do is make sure EAX contains 1 when the call is exited. Let's divert the first jump..
:005F12B4 751C jne 005F12D2
Change to
:005F12B4 EB68 jmp 005F131E
So now 1 is always moved into EAX and the call exits; in return the game thinks the CD is in the drive and continues to run normally. If you don't know how to patch the game to make these changes, then read another tutorial to understand. If you're too lazy to calculate the file offset of the jump we need to change, it's 1F12B4.
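To make the two listings easier to read, here is what the compare loops and the outer drive loop boil down to in C. This is my own reconstruction added for illustration, not the tutorial's code or the game's source; the struct field names and the drives built in demo() are my assumptions, and the fixed "BNW"/"CDFS" strings and the 0=false/1=true result are taken straight from the listing.

```c
#include <stddef.h>
/* One volume as the game sees it after GetVolumeInformationA returns:
   the label buffer ([esp+1C]) and the file-system buffer ([esp+11C]). */
struct volume {
    char letter;
    const char *label;
    const char *fs;
};

/* The inlined compare at 005F12AE..005F12D0 (twin at 005F12E7..005F1309):
   two bytes per pass, 0 when the strings match (the XOR EAX,EAX path),
   non-zero when one of the JNEs into the mismatch block fires. */
int inlined_strcmp(const char *a, const char *b)
{
    for (;;) {
        char c = a[0];
        if (c != b[0]) return 1;  /* cmp dl,[esi]   ; jne -> mismatch */
        if (c == 0)    return 0;  /* test cl,cl     ; je  -> both ended */
        c = a[1];
        if (c != b[1]) return 1;  /* cmp dl,[esi+1] ; jne -> mismatch */
        a += 2; b += 2;           /* add eax,2 ; add esi,2 */
        if (c == 0)    return 0;  /* test cl,cl ; jne loops, else done */
    }
}

/* The outer check: walk the drives (BL counts the letter up to 'z') and
   return 1, the CDINDRIVE value moved into EAX at 005F132F, as soon as one
   volume is labelled "BNW" AND formatted CDFS. A label or file-system
   mismatch just moves on to the next drive; 0 is the "no cd" result. */
int cd_in_drive(const struct volume *vols, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (inlined_strcmp(vols[i].label, "BNW") != 0)
            continue;             /* test eax,eax ; jne 005F1314 */
        if (inlined_strcmp(vols[i].fs, "CDFS") == 0)
            return 1;             /* je 005F131E : the final good jump */
    }
    return 0;
}

/* Constructed sample: a FAT32 hard disk plus the game CD -> returns 1.
   A hard disk that merely carries the BNW label fails the CDFS test. */
int demo(void)
{
    const struct volume drives[] = {
        { 'C', "SYSTEM", "FAT32" },
        { 'D', "BNW",    "CDFS"  },
    };
    return cd_in_drive(drives, sizeof drives / sizeof drives[0]);
}
```

This also shows why relabelling a hard disk "BNW" (the cheeky trick mentioned above) gets past the first loop but not the second.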
Conclusion:
So this sums up another CD check in a new(ish) game. I've actually had the game for ages and not bothered to look at it, but thought it might be useful for others and wrote this tutorial. It was brought to my attention recently how many tutorial sites are closing down and how many are outdated. I will try to keep writing these and put out new tutorials regularly. Other crackers, please feel free to email your new tutorials and I will only be too happy to post your tut.
ThrawN out......
Any questions? Mail me: thrawnc@hotmail.com
Visit my Home Page
Greetings fly out to:
y0ke (Thanks for letting me use this template) , iNSTiNCT, DiSTiNCT, eMINENCE, R!SC, M_, MrFrost, SP33D, Seifer666, Warezpup, BuLLeT, Carpathia, [Froost], DVS, PhANt0m, MeTaL, b00m, BlackEvil, ChiLar163, crackie, SeL, Dogsmack, iNFiNiTY, Issvar, LadyWarez, Lag00rs, LordOfLA, Meyitzo, Mindphzer, MrJezus, n]-[va, NeTsurFer, OutCast3k, philius, Point-X, redback, Shiva, Spacenett, stripper, sutek, tE!, The_Morph, TheScream, TheSilent, TheVirus, TiVe, zelkor and the rest cause i ran outa names ;).