Target: Descent 3 v1.20 (c) Outrage Entertainment, Inc

This is my very first CD crack and I want to give you the tutorial. Descent 3 is the target. After reading the many good tutorials on how to defeat the protection schemes in today's games, I felt that I could do it too. So I had some games at home, took Descent 3 down from the shelf and installed it. Then I tried to start it without the CD in.

You actually start Descent 3 with a loader that gives you a few choices: you can update your game with one button, run the setup again, play on the net and some more. But the main program is MAIN.EXE, so the first thing to do is disassemble MAIN.EXE with W32Dasm. But hey, we forgot something very important: make the regular backup first. Ok, done that.

Now, what does the MessageBox say when you don't have the CD in place? "Please insert Descent 3 CD 1". Ok, fine. Try to find that string in the StrRef window of W32Dasm. However carefully you look, you can't find it. So what's the next step? The Imports. Many of today's games use the API GetDriveTypeA to check whether a CD is in the drive, so open the Imports, go to KERNEL32.GetDriveTypeA and double-click it once. This is what we land in (the "<--" notes are mine):

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h   <-- loaded into edi, called at 004FF0A1
|
:004FF061 8B3DE4105900   mov edi, dword ptr [005910E4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FF0C7(C)
|
:004FF067 68A0E62C01     push 012CE6A0                 <-- root path buffer, its first byte is the drive letter

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h   <-- what got us here
|
:004FF06C FF15E0105900   Call dword ptr [005910E0]
:004FF072 83F805         cmp eax, 00000005             <-- 5 = DRIVE_CDROM
:004FF075 753E           jne 004FF0B5                  <-- not a CD drive: try the next letter
:004FF077 8D442418       lea eax, dword ptr [esp+18]
:004FF07B 6A1E           push 0000001E                 <-- nFileSystemNameSize
:004FF07D 8D4C2414       lea ecx, dword ptr [esp+14]
:004FF081 50             push eax                      <-- lpFileSystemNameBuffer
:004FF082 8D54241C       lea edx, dword ptr [esp+1C]
:004FF086 51             push ecx                      <-- lpFileSystemFlags
:004FF087 8D442418       lea eax, dword ptr [esp+18]
:004FF08B 52             push edx                      <-- lpMaximumComponentLength
:004FF08C 50             push eax                      <-- lpVolumeSerialNumber
:004FF08D 8D4C244C       lea ecx, dword ptr [esp+4C]
:004FF091 6804010000     push 00000104                 <-- nVolumeNameSize (260)
:004FF096 51             push ecx                      <-- lpVolumeNameBuffer
:004FF097 68A0E62C01     push 012CE6A0                 <-- lpRootPathName ("X:\")
:004FF09C C644245800     mov [esp+58], 00              <-- empties the volume name buffer before the call
:004FF0A1 FFD7           call edi                      <-- GetVolumeInformationA
:004FF0A3 8D542438       lea edx, dword ptr [esp+38]   <-- the volume name we just read
:004FF0A7 56             push esi                      <-- presumably the label the game expects
:004FF0A8 52             push edx
:004FF0A9 E822610700     call 005751D0                 <-- a string compare, 0 = match (judging by the test/je below)
:004FF0AE 83C408         add esp, 00000008
:004FF0B1 85C0           test eax, eax
:004FF0B3 741B           je 004FF0D0                   <-- this jump takes us clear!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FF075(C)
|
:004FF0B5 8A15A0E62C01   mov dl, byte ptr [012CE6A0]   <-- jump to here
:004FF0BB FEC2           inc dl                        <-- next drive letter
:004FF0BD 45             inc ebp
:004FF0BE 83FD1A         cmp ebp, 0000001A
:004FF0C1 8815A0E62C01   mov byte ptr [012CE6A0], dl
:004FF0C7 7E9E           jle 004FF067                  <-- go back up, this loop increments the drive letter
:004FF0C9 C605A0E62C0100 mov byte ptr [012CE6A0], 00   <-- all letters tried: empty the path and fall through

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FF0B3(C)
|
:004FF0D0 5F             pop edi                       <-- here is the place we wanna be!
:004FF0D1 5E             pop esi
:004FF0D2 B8A0E62C01     mov eax, 012CE6A0             <-- return the path buffer
:004FF0D7 5D             pop ebp
:004FF0D8 81C430010000   add esp, 00000130
:004FF0DE C3             ret

So the routine walks through the drive letters. The first byte of the buffer at 012CE6A0 is the letter, and ebp counts the tries (it loops while ebp <= 1Ah, i.e. up to 26 letters). For every letter it calls GetDriveTypeA, and only if the answer is 5 (DRIVE_CDROM) does it read the volume label with GetVolumeInformationA and compare it with the one it expects. On a match it returns the path ("X:\") in eax; otherwise it goes on with the next letter, and when the letters run out it clears the buffer and returns an empty path, which presumably is what makes the caller show the "Please insert" box.

Ok, so how do we cheat this? First of all we don't want to spin around in that loop that searches for the right letter for our CD drive, so we must do something about the jne at 004FF075. You could edit it so it jumps directly down to 004FF0D0, but I don't like to disturb any addresses, so I prefer to NOP it, but in a nice way. Like this:

:004FF075 753E   jne 004FF0B5

becomes

:004FF075 40     inc eax
:004FF076 48     dec eax

In the end we have done nothing, so execution continues as usual. 40 48 is two bytes, exactly the size of the jne (75 3E), so nothing below it moves. eax holds the GetDriveTypeA result, which nothing reads after the cmp, and the flags that inc/dec change are not looked at before the next test, so this is as good as two NOPs (90 90).

The next thing is the jump at 004FF0B3:

:004FF0B3 741B   je 004FF0D0

We must be sure that it always jumps down, so we change it into a JMP, which is a one-byte change (74 -> EB):

:004FF0B3 EB1B   jmp 004FF0D0

With both patches the routine no longer cares what GetDriveTypeA answers: it reads the volume label of whatever letter it starts with and, because of the jmp, returns that path right away whether the label matched or not. One thing to keep in mind when you open MAIN.EXE in the hex editor: the addresses W32Dasm shows are virtual addresses, not file offsets. Use the offset W32Dasm gives for the selected line, or work it out from the section headers, and check that you really see 75 3E and 74 1B there before you overwrite anything.

Now we can test this, and yes, it works! Cool, another game is FIX'ed. Expect more game tutorials from me, this was kinda fun! ;)

AlpHaz
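As an added example (not part of AlpHaz's tutorial and not the game's code), here is a small Python patcher that does the hex-editor step: it maps the two virtual addresses from the listing to file offsets through the PE section table, refuses to write unless the original bytes 75 3E and 74 1B are really there, and then writes 40 48 and EB 1B. The addresses and byte values are the ones from the listing above; everything else is scaffolding I wrote. Since MAIN.EXE itself cannot be included, build_sample_pe() constructs a minimal fake PE32 image that only holds those two instruction pairs at the right addresses, so the script can be run offline; with a real file you pass its path and an output path on the command line.

```python
"""Apply the two MAIN.EXE patches from the tutorial to a copy of the file.

Added example, not code from the original tutorial. The virtual addresses
and the byte values come from the W32Dasm listing above; the PE parsing
and the constructed sample image are generic scaffolding.
"""
import struct
import sys

# (virtual address, original bytes, replacement bytes), taken from the listing
PATCHES = [
    (0x004FF075, b"\x75\x3e", b"\x40\x48"),  # jne 004FF0B5 -> inc eax / dec eax
    (0x004FF0B3, b"\x74\x1b", b"\xeb\x1b"),  # je  004FF0D0 -> jmp 004FF0D0
]


def parse_pe(data):
    """Return (image_base, sections); each section is (rva, vsize, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(va, image_base, sections):
    """Map a virtual address (as shown by W32Dasm) to an offset in the file."""
    rva = va - image_base
    for sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError("VA %#x is not backed by file data" % va)
            return raw_ptr + delta
    raise ValueError("VA %#x is not inside any section" % va)


def apply_patches(data, patches=PATCHES):
    """Return a patched copy of `data`; refuse to touch bytes that do not match."""
    image_base, sections = parse_pe(data)
    out = bytearray(data)
    for va, old, new in patches:
        off = va_to_offset(va, image_base, sections)
        found = bytes(out[off:off + len(old)])
        if found != old:
            raise ValueError("at VA %#x (file offset %#x) expected %s, found %s"
                             % (va, off, old.hex(), found.hex()))
        out[off:off + len(new)] = new
    return bytes(out)


def build_sample_pe():
    """Constructed stand-in for MAIN.EXE (not the real binary): one .text
    section holding only the two original instruction pairs at the
    listing's addresses, enough to exercise the patcher offline."""
    image_base, sec_rva, raw_ptr, raw_size = 0x400000, 0xFF000, 0x400, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", raw_size, sec_rva,
                      raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec)
                      .ljust(raw_ptr + raw_size, b"\0"))
    for va, old, _ in PATCHES:
        off = raw_ptr + (va - image_base - sec_rva)
        image[off:off + len(old)] = old
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) == 3:          # python patch_main.py MAIN.EXE MAIN.patched.EXE
        with open(sys.argv[1], "rb") as f:
            src = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(apply_patches(src))
    else:                           # no file given: run against the constructed image
        sample = build_sample_pe()
        patched = apply_patches(sample)
        base, secs = parse_pe(sample)
        for va, _, _ in PATCHES:
            off = va_to_offset(va, base, secs)
            print("VA %#x -> file offset %#x, now %s" % (va, off, patched[off:off + 2].hex()))
```

The byte check is the important part: running the script twice, or on a different build of MAIN.EXE, stops with an error instead of quietly overwriting whatever happens to be at those offsets. The mapping assumes a PE32 image with the listing's image base in its header; for the constructed sample that base is 0x400000, which is also what the 004FFxxx addresses in the listing imply.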