How to remove the TRIBES2 CDCHECK

Requirements:
1: The game (ISO release)
2: SoftICE
3: Hex editor


Info...
Target:
Tribes2 for PC
Author: ThrawN
Group : DiSTiNCT
Level : Intermediate

Note:
Piss easy CD CHECK TUTORIAL for ya

Introduction:

Tribes 2 is a great game that I've only just been able to experience thanks to my system upgrades. However, it has an annoying bug that keeps asking for the CD on startup. Let's fix it...


Getting Started:

First of all I'll assume you have the ISO version of Tribes 2 with the unwrapped EXE already. I don't know if it's even protected with a commercial protection, because I've only got a cracked ISO version. But the CD check is still intact :)

The usual quick BPs didn't work for me at first, so, puzzled, I alt-tabbed back into Windows and loaded Filemon.
Went back into the game and clicked OK. When it failed the CD check again I went into Filemon, stopped its monitoring and had a look at what Tribes 2 was doing. Here we find this interesting bit of information:

12:10:12 AM Tribes2 Ioctl A: NOTREADY Subfunction: 0Dh
12:10:13 AM Tribes2 Ioctl C: SUCCESS Subfunction: 0Dh
12:10:13 AM Tribes2 FindOpen C:\*.* SUCCESS CRK
12:10:13 AM Tribes2 FindClose C:\*.* SUCCESS
12:10:13 AM Tribes2 Ioctl D: SUCCESS Subfunction: 0Dh
12:10:13 AM Tribes2 FindOpen D:\*.* SUCCESS D
12:10:13 AM Tribes2 FindClose D:\*.* SUCCESS
12:10:13 AM Tribes2 Ioctl E: GENFAILURE Subfunction: 0Dh
12:10:13 AM Tribes2 Ioctl F: GENFAILURE Subfunction: 0Dh

CRK is my C:\ label and D is my D:\ label. So from this we can see there is a label check. If you check out the Tribes 2 CD you will notice its label is 'T2 INSTALL'. You could either set your hard drive label to this to bypass the check, or check out the EXE itself :)
Get back into the game and in SoftICE type 'bpx getvolumeinformationa'. Now click the OK button again and SICE should pop up. You're now looking at this code:
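As an added example (not part of the tutorial), here is a small Python parser for the Filemon lines quoted above: it groups the trace by drive letter and pulls out each drive's Ioctl result and the volume label Filemon prints after a successful FindOpen on the drive root, which is the pattern that gives a label check away. The Filemon line layout is assumed from the quoted lines, and the sample trace is constructed from them.

```python
import re

# Constructed sample: the nine Filemon lines quoted in the tutorial above.
FILEMON_TRACE = """\
12:10:12 AM Tribes2 Ioctl A: NOTREADY Subfunction: 0Dh
12:10:13 AM Tribes2 Ioctl C: SUCCESS Subfunction: 0Dh
12:10:13 AM Tribes2 FindOpen C:\\*.* SUCCESS CRK
12:10:13 AM Tribes2 FindClose C:\\*.* SUCCESS
12:10:13 AM Tribes2 Ioctl D: SUCCESS Subfunction: 0Dh
12:10:13 AM Tribes2 FindOpen D:\\*.* SUCCESS D
12:10:13 AM Tribes2 FindClose D:\\*.* SUCCESS
12:10:13 AM Tribes2 Ioctl E: GENFAILURE Subfunction: 0Dh
12:10:13 AM Tribes2 Ioctl F: GENFAILURE Subfunction: 0Dh
"""

# time, process, operation, path, status, then whatever Filemon appends
# (the IOCTL subfunction, or the volume label for a root FindOpen).
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<proc>\S+) (?P<op>\w+) "
    r"(?P<path>\S+) (?P<status>\S+)(?: (?P<rest>.*))?$"
)

def parse_trace(text):
    """Yield one dict per well-formed Filemon line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def drive_probe_summary(text, process="Tribes2"):
    """Group the trace by drive letter: the Ioctl status and the volume
    label Filemon prints after SUCCESS on a FindOpen of the drive root."""
    drives = {}
    for rec in parse_trace(text):
        if rec["proc"] != process:
            continue
        letter = rec["path"][0].upper()
        entry = drives.setdefault(letter, {"ioctl": None, "label": None})
        if rec["op"] == "Ioctl":
            entry["ioctl"] = rec["status"]
        elif rec["op"] == "FindOpen" and rec["path"][1:] == ":\\*.*":
            if rec["status"] == "SUCCESS":
                entry["label"] = (rec["rest"] or "").strip()
    return drives

def drives_with_label(text, wanted):
    """Drive letters whose reported label matches the one the check wants."""
    summary = drive_probe_summary(text)
    return sorted(d for d, e in summary.items() if e["label"] == wanted)
```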

:0054A97E FF15A0E67A00 Call GetVolumeInformation
:0054A984 85C0 test eax, eax
:0054A986 0F8484000000 je 0054AA10 <- If there is no label, JUMP
:0054A98C 8D85A8FCFFFF lea eax, dword ptr [ebp+FFFFFCA8]
:0054A992 50 push eax <- Put this hard drive's label into EAX (done for each drive)
:0054A993 FF750C push [ebp+0C]
:0054A996 E865530000 call 0054FD00 <- Label check. If you trace into here and into another call you will see the comparison is a simple hex compare. We won't go into it because it's easy enough to understand anyway. If the check is successful EAX will be zero (NULL).
:0054A99B 85C0 test eax, eax
:0054A99D 59 pop ecx
:0054A99E 59 pop ecx
:0054A99F 756F jne 0054AA10 <- Bad jump
:0054A9A1 837D1000 cmp dword ptr [ebp+10], 00000000
:0054A9A5 740E je 0054A9B5 <- Jump if the check succeeds
:0054A9A7 8B85A4FAFFFF mov eax, dword ptr [ebp+FFFFFAA4]
:0054A9AD 3B85A8FEFFFF cmp eax, dword ptr [ebp+FFFFFEA8]
:0054A9B3 755B jne 0054AA10

There is another check that looks on the CD for the location of Tribes2.exe. If it doesn't find it, it assumes you're not using the CD. Set a breakpoint on FindFirstFileA. When SICE breaks you will see this short code:

:0054A9FB FF158CE67A00 Call FindFirstFileA
:0054AA01 83F8FF cmp eax, FFFFFFFF <- FFFFFFFF (INVALID_HANDLE_VALUE) means it didn't find the exe
:0054AA04 740A je 0054AA10 <- Bad jump
:0054AA06 8D65F4 lea esp, dword ptr [ebp-0C]
:0054AA09 B001 mov al, 01
:0054AA0B 5F pop edi
:0054AA0C 5E pop esi
:0054AA0D 5B pop ebx
:0054AA0E 5D pop ebp
:0054AA0F C3 ret


Conclusion:

So this sums up the tutorial. The Tribes 2 CD check is piss easy. NOP the jump at 0054A99F and make the jump at 0054A9A5 unconditional (EB). Try not to patch the jump; rather, experiment with moving values into the registers :). And at the file check simply change the cmp value from FF to EF. That way it's never going to jump :). You can probably tell this tutorial is rushed; it's currently 1am and I'm dying to get to bed ;)
ThrawN out......

Any questions? Mail me: thrawnc@hotmail.com
Visit my Home Page

Greetings fly out to:
y0ke (Thanks for letting me use this template), iSTiNCT, DiSTiNCT, eMINENCE, R!SC, M_, MrFrost, SP33D, Seifer666, Warezpup, BuLLeT, Carpathia, and the rest I couldn't be bothered inserting here.


ur final good jump
:005F1314 80FB7A cmp bl, 7A
:005F1317 7423 je 005F133C <- bad
:005F1319 E954FFFFFF jmp 005F1272 <- Loop the CD check again
:005F131E 5F pop edi
:005F131F FECB dec bl
:005F1321 5E pop esi
:005F1322 881DE8DEB400 mov byte ptr [00B4DEE8], bl
:005F1328 C6056478C60001 mov byte ptr [00C67864], 01
:005F132F B801000000 mov eax, 00000001 <- The magic CDINDRIVE value
:005F1334 5B pop ebx
:005F1335 81C410020000 add esp, 00000210
:005F133B C3 ret <- exit the CD check call WITH eax=1 so the CD is in the drive ;)

This check verifies that the file system on the drive with the BNW label is CDFS (a CD). If it's not, it assumes there is no CD, so it loops the check endlessly. The operation at 005F132F sets the boolean that tells the game the CD is in the drive: 0 = false, 1 = true. So all we need to do is make sure eax contains 1 when the call exits. Let's divert the first jump..
:005F12B4 751C jne 005F12D2
Change to
:005F12B4 EB68 jmp 005F131E

So now 1 is always moved into eax and the call exits; in return the game thinks the CD is in the drive and continues to run normally. If you don't know how to patch the game to make these changes then read another tutorial to understand. If you're too lazy to calculate the file offset of the jump we need to change, it's 1F12B4.



Conclusion:

So this sums up another CD check in a new(ish) game. I've actually had the game for ages and not bothered to look at it; I thought it might be useful for others and wrote this tutorial. It was brought to my attention recently how many tutorial sites are closing down and how many are outdated. I will try to keep writing these and put out new tutorials regularly. Other crackers, please feel free to email your new tutorials and I will only be too happy to post your tut.
ThrawN out......

Any questions? Mail me: thrawnc@hotmail.com
Visit my Home Page

Greetings fly out to:
y0ke (Thanks for letting me use this template), iNSTiNCT, DiSTiNCT, eMINENCE, R!SC, M_, MrFrost, SP33D, Seifer666, Warezpup, BuLLeT, Carpathia, [Froost], DVS, PhANt0m, MeTaL, b00m, BlackEvil, ChiLar163, crackie, SeL, Dogsmack, iNFiNiTY, Issvar, LadyWarez, Lag00rs, LordOfLA, Meyitzo, Mindphzer, MrJezus, n]-[va, NeTsurFer, OutCast3k, philius, Point-X, redback, Shiva, Spacenett, stripper, sutek, tE!, The_Morph, TheScream, TheSilent, TheVirus, TiVe, zelkor and the rest because I ran outa names ;).
