Target: Descent 3  v1.20  (c) Outrage Entertainment, Inc

This is my very first CD crack and I want to give you the tutorial.
Descent 3 is the target, and after I had read the many good tutorials
on how to defeat the protection schemes in today's games, I felt that
I could do it too. So I had some games at home, and I took Descent 3 down
from the shelves and installed it. Then I tried to start it without the CD in.
You actually start Descent 3 with a Loader that gives you some
different choices. You can update your game via one button, you can do
the setup again, you can play on the net from here, and some more functions.

But the main program is actually the MAIN.EXE file, so the first thing to do
is to use W32Dasm to disassemble MAIN.EXE. But hey, we almost forgot
something very important: make the usual backup of the file first. Ok, done that.

Now, what does the message box say when you don't have the CD in place?
"Please insert Descent 3 CD 1"
Ok, fine. Now try to find that string among the String Data References in W32Dasm.
However carefully you look, you can't find it. So what's the next step?

Yes, we have the Imports. Many of today's games use the API GetDriveTypeA
to check whether the CD is present: it returns DRIVE_CDROM (5) for a CD-ROM drive.
So open the Imports, go to KERNEL32.GetDriveTypeA and double-click it. What do we have here?


* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h  <-- could be used too
                                  |
:004FF061 8B3DE4105900            mov edi, dword ptr [005910E4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FF0C7(C)
|
:004FF067 68A0E62C01              push 012CE6A0

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h   <-- what got us here
                                  |
:004FF06C FF15E0105900            Call dword ptr [005910E0]
:004FF072 83F805                  cmp eax, 00000005   <-- 5 = DRIVE_CDROM
:004FF075 753E                    jne 004FF0B5   <-- jump if not 5
:004FF077 8D442418                lea eax, dword ptr [esp+18]
:004FF07B 6A1E                    push 0000001E
:004FF07D 8D4C2414                lea ecx, dword ptr [esp+14]
:004FF081 50                      push eax
:004FF082 8D54241C                lea edx, dword ptr [esp+1C]
:004FF086 51                      push ecx
:004FF087 8D442418                lea eax, dword ptr [esp+18]
:004FF08B 52                      push edx
:004FF08C 50                      push eax
:004FF08D 8D4C244C                lea ecx, dword ptr [esp+4C]
:004FF091 6804010000              push 00000104
:004FF096 51                      push ecx
:004FF097 68A0E62C01              push 012CE6A0   <-- lpRootPathName: the same drive string
:004FF09C C644245800              mov [esp+58], 00
:004FF0A1 FFD7                    call edi   <-- GetVolumeInformationA (loaded into edi above)
:004FF0A3 8D542438                lea edx, dword ptr [esp+38]   <-- the volume label that was just read
:004FF0A7 56                      push esi   <-- the label the game expects
:004FF0A8 52                      push edx
:004FF0A9 E822610700              call 005751D0   <-- compare the two (most likely a string compare)
:004FF0AE 83C408                  add esp, 00000008
:004FF0B1 85C0                    test eax, eax
:004FF0B3 741B                    je 004FF0D0  <-- this jump takes us clear!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FF075(C)
|
:004FF0B5 8A15A0E62C01            mov dl, byte ptr [012CE6A0]   <-- the jne lands here: load the drive letter
:004FF0BB FEC2                    inc dl   <-- next letter (C: -> D: -> ...)
:004FF0BD 45                      inc ebp   <-- loop counter
:004FF0BE 83FD1A                  cmp ebp, 0000001A   <-- 1Ah = 26 drive letters
:004FF0C1 8815A0E62C01            mov byte ptr [012CE6A0], dl   <-- store it back into the path string
:004FF0C7 7E9E                    jle 004FF067   <-- not done yet: go back up and test this drive
:004FF0C9 C605A0E62C0100          mov byte ptr [012CE6A0], 00   <-- every letter tried: empty the path string

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FF0B3(C)
|
:004FF0D0 5F                      pop edi   <-- here is the place we wanna be!
:004FF0D1 5E                      pop esi
:004FF0D2 B8A0E62C01              mov eax, 012CE6A0
:004FF0D7 5D                      pop ebp
:004FF0D8 81C430010000            add esp, 00000130
:004FF0DE C3                      ret



Ok, so how do we cheat this? First of all, we don't want to spin around in that
loop that searches for the letter of our CD drive, so we must do something about
the jne at 004FF075. You could change it into a jump straight down to 004FF0D0, but
I don't like to disturb any addresses, so I prefer to NOP this jump out, in a nice
way. Both instructions below are one byte each, so the two of them replace the
two-byte jne exactly and nothing after it moves. Like this:

:004FF075 753E                    jne 004FF0B5

to

:004FF075 40                      inc eax
:004FF076 48                      dec eax

In the end we have done nothing to eax (inc/dec do change the flags, but nothing
between here and the test eax, eax at 004FF0B1 reads them), so execution falls
through into the GetVolumeInformationA call as if the drive type check had passed.
Two plain NOPs (90 90) would do just as well.
The next thing we must do is to edit the jump at 004FF0B3:

:004FF0B3 741B                    je 004FF0D0

We must be sure that it always jumps down, whatever the volume label compare
returned, so we turn it into an unconditional JMP. Same length, only the opcode
byte changes from 74 to EB:

:004FF0B3 EB1B                    jmp 004FF0D0

Keep in mind what the function returns after this: the code at 004FF0D2 does
mov eax, 012CE6A0, so the caller gets the drive string as it was on the first
pass through the loop, whether or not a CD is in that drive. For Descent 3 that
is enough for the game to start, as the test below shows.

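W32Dasm shows virtual addresses, not file offsets, so to apply the two patches with
something other than a hex editor you have to walk the PE section table and map
each VA to its position in the file. The script below is an added example (it is
not part of the original tutorial): it reads ImageBase and the section headers out
of the PE32 header, maps the two VAs, refuses to touch the file unless the original
opcode bytes from the listing (75 3E and 74 1B) are really there, and writes the
result to a new file so the backup stays intact. The patch sites and bytes are the
ones from the listing; the file name MAIN.EXE is the tutorial's. build_sample_pe()
is a constructed stand-in so the script can be exercised without the game: a
minimal PE32 with one section placed so that 004FF075 and 004FF0B3 map onto it.

```python
import struct

# The two patches from the tutorial: (virtual address, expected original bytes, replacement)
PATCHES = [
    (0x004FF075, bytes.fromhex("753E"), bytes.fromhex("4048")),  # jne 004FF0B5 -> inc eax; dec eax (90 90 works too)
    (0x004FF0B3, bytes.fromhex("741B"), bytes.fromhex("EB1B")),  # je 004FF0D0  -> jmp 004FF0D0
]


def parse_pe(data):
    """Return (image_base, sections) from a PE32 image; sections are (va, vsize, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled (Descent 3 is a 32-bit executable)")
    image_base, = struct.unpack_from("<I", data, opt + 28)  # ImageBase sits 28 bytes into the optional header
    sect_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, sect_table + i * 40 + 8)
        sections.append((va, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(va, image_base, sections):
    """Map a virtual address (as shown by W32Dasm) to a file offset via the section table."""
    rva = va - image_base
    for sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:
                raise ValueError(f"VA {va:#010x} lies in uninitialised data, not in the file")
            return rptr + delta
    raise ValueError(f"VA {va:#010x} is not inside any section")


def apply_patches(data, patches=PATCHES):
    """Return (patched_bytes, [(va, file_offset), ...]); raises if the original bytes do not match."""
    buf = bytearray(data)
    image_base, sections = parse_pe(buf)
    applied = []
    for va, old, new in patches:
        off = va_to_offset(va, image_base, sections)
        found = bytes(buf[off:off + len(old)])
        if found != old:
            raise ValueError(f"at {va:#010x} (file offset {off:#x}) found {found.hex()}, expected {old.hex()}: "
                             "different version or already patched")
        buf[off:off + len(new)] = new
        applied.append((va, off))
    return bytes(buf), applied


def build_sample_pe():
    """Constructed stand-in for MAIN.EXE (not the real binary): one section covering the two patch sites."""
    image_base, sect_va, raw_ptr, raw_size = 0x400000, 0xFF000, 0x400, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", raw_size, sect_va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    buf = bytearray(hdr + bytes(raw_ptr + raw_size - len(hdr)))
    buf[raw_ptr + 0x75:raw_ptr + 0x77] = bytes.fromhex("753E")  # jne 004FF0B5 from the listing
    buf[raw_ptr + 0xB3:raw_ptr + 0xB5] = bytes.fromhex("741B")  # je 004FF0D0 from the listing
    return bytes(buf)


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else "MAIN.EXE"
    with open(src, "rb") as f:
        original = f.read()
    patched, applied = apply_patches(original)
    with open(src + ".patched", "wb") as f:   # never overwrite the original
        f.write(patched)
    for va, off in applied:
        print(f"patched VA {va:#010x} at file offset {off:#x}")
```

Run it as `python patch.py MAIN.EXE`; it writes MAIN.EXE.patched and leaves the
original alone. The byte check is the important part: if a different build of the
game puts other code at those addresses, the script stops instead of corrupting it.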

Now we can test this, and yes it works! Cool, another game is FIX'ed.

Expect more Game tutorials from me, this was kinda fun!  ;)

AlpHaz