Free Information Xchange '97 presents:

WarGods from GT Interactive Software
CD crack by Static Vengeance

Requirements:
  Hex Editor and Full install
  W32Dasm if you want to follow along

Once again we set out to remove a CD check from a Win95 game. The whole idea behind a "Full install" is that you will not need the CD, right? So why do "they" make us get out the original CD just for a check... oh.. there are the music tracks... it is a CD, right... Well, I can do without the music (I have a radio card in my PC anyway) so I don't want to have to hunt through my CDs for the WarGods CD. So I set out to fix that BUG in this otherwise decent fighter game.

First you will need to disassemble wargods.exe to see what's going on within the program. As usual, the preferred weapon is W32Dasm with its useful menu choices. Once you have disassembled the executable (wargods.exe), go up to the title bar, select "Refs" from the menu and drop down to "String data references". From there grab the slider bar and scroll down to the string "To play War Gods you must close", which is part of the message that tells you 'To play War Gods you must close all other CD applications and insert the game CD.' Double clicking this string will put you in the middle of the CD check routine.
That routine looks like this:

* Referenced by a CALL at Address:
|:00416F30
|
:00416C20 56                 push esi
:00416C21 33C0               xor eax, eax
:00416C23 57                 push edi
:00416C24 A31C9F4A00         mov dword ptr [004A9F1C], eax

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00416C29 8B3D4C2A9F00       mov edi, dword ptr [009F2A4C]
:00416C2F A3189F4A00         mov dword ptr [004A9F18], eax
:00416C34 A3149F4A00         mov dword ptr [004A9F14], eax
:00416C39 A3109F4A00         mov dword ptr [004A9F10], eax
:00416C3E A3209F4A00         mov dword ptr [004A9F20], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416C74(C)
|
:00416C43 E888FCFFFF         call 004168D0                    <-- Goes through WINMM.mci to see if
:00416C48 8BF0               mov esi, eax                     <-- there is "cdaudio media present"
:00416C4A E881670100         call 0042D3D0                    <-- does "set cdaudio time format tmsf"
:00416C4F A158D64A00         mov eax, dword ptr [004AD658]
:00416C54 8A0D88D64A00       mov cl, byte ptr [004AD688]
:00416C5A 85F6               test esi, esi
:00416C5C 7404               je 00416C62
:00416C5E 84C9               test cl, cl
:00416C60 7514               jne 00416C76

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416C5C(C)
|
:00416C62 6A35               push 00000035

* Possible StringData Ref from Data Obj ->"War Gods Notice"
|
:00416C64 6834A04A00         push 004AA034

* Possible StringData Ref from Data Obj ->"To play War Gods you must close "   <-- Don't want to
                                        ->"all other CD applications and "    <-- see this stuff
                                        ->"insert the game CD."               <-- pop up, right?
|
:00416C69 68E09F4A00         push 004A9FE0
:00416C6E 50                 push eax
:00416C6F FFD7               call edi
:00416C71 83F802             cmp eax, 00000002
:00416C74 75CD               jne 00416C43

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416C60(C)
|
:00416C76 5F                 pop edi
:00416C77 5E                 pop esi
:00416C78 C3                 ret

Well, that was the routine that prints the "insert the game CD" message and waits for your response. If you hit Cancel the game goes into a demo mode and locks out user input except to quit the game. That's not what we want...
So let's check out the routine that calls the above section of code:

* Referenced by a CALL at Address:
|:0047471A
|
:00416F30 E8EBFCFFFF         call 00416C20
:00416F35 E976FFFFFF         jmp 00416EB0

Now we might as well see what 416EB0 does... so here is that code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416F35(U)
|
:00416EB0 33C0               xor eax, eax
:00416EB2 A32C9F4A00         mov dword ptr [004A9F2C], eax
:00416EB7 A3289F4A00         mov dword ptr [004A9F28], eax
:00416EBC A3249F4A00         mov dword ptr [004A9F24], eax
:00416EC1 A3309F4A00         mov dword ptr [004A9F30], eax
:00416EC6 C3                 ret

If you NOP out the call to 416C20 at 416F30 and let the program fall through to 416F35, which jumps to 416EB0 (still with me?), the program acts like you hit Cancel in the "insert the game CD" routine. This just won't do; we want to play the game, so it should be clear we need to prevent both calls from being made. There is a single call to that section, from 47471A, so it's back to more code snooping.. let's go check it out:

* Referenced by a CALL at Address:
|:00473A99
|
:00474710 E8BB9AFFFF         call 0046E1D0
:00474715 E89606FAFF         call 00414DB0
:0047471A E81128FAFF         call 00416F30                    <-- Call the CD check routine
:0047471F E8EC18FAFF         call 00416010
:00474724 E8C710FAFF         call 004157F0
:00474729 E9B2C9F8FF         jmp 004010E0

There you see at 47471A the single call to the CD check, and there is no check of any kind on a returned value. So search the wargods.exe file for the call, NOP it out and give it a try. And it does remove the copy protection. The only thing left is to make the edit to the file.

BTW: This edit works for both EXE files on the CD; one is called hi.exe and the other is lo.exe. During installation whichever file is copied, based on user input, is then renamed to wargods.exe.

Edit wargods.exe at offset 473,882
==================================
Search for: E8 11 28 FA FF E8 EC
Change to : 90 90 90 90 90 -- --

That takes care of WarGods' CD check! Now go watch Pagan shake her ... well, you know...
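As an added example (not part of the original write-up), here is a small integrity check written from the defender's side: it decodes the 5-byte E8 rel32 near call at the CD-check call site shown in the listing above and reports whether that site still calls 00416F30 or has been overwritten with NOPs, which is what an installer or loader would need to notice that a lone, unchecked call has been patched out. The code bytes are a constructed slice copied from the six instructions at 00474710..00474729 rather than read from wargods.exe, and the VA-to-file-offset delta is derived from the page's own pair (VA 47471A versus file offset 473,882).

```python
import struct

# Values taken from the write-up: the lone call to the CD-check routine and its target.
CALL_SITE_VA = 0x0047471A
CD_CHECK_VA = 0x00416F30
# VA minus file offset, derived from the page's pair (VA 47471Ah <-> file offset 473,882).
VA_TO_FILE_DELTA = CALL_SITE_VA - 473882


def va_to_file_offset(va):
    """Map a virtual address in the .text section to a wargods.exe file offset."""
    return va - VA_TO_FILE_DELTA


def decode_near_call(code, off, base_va):
    """Decode an E8 rel32 near call at code[off]; return the absolute target VA, or None."""
    if off + 5 > len(code) or code[off] != 0xE8:
        return None
    rel = struct.unpack_from("<i", code, off + 1)[0]   # signed 32-bit displacement
    return (base_va + off + 5 + rel) & 0xFFFFFFFF       # relative to the next instruction


def check_cd_call_site(code, base_va):
    """Classify the 5 bytes at the CD-check call site in a code slice that starts at base_va."""
    off = CALL_SITE_VA - base_va
    if off < 0 or off + 5 > len(code):
        return "out of range"
    if code[off:off + 5] == b"\x90" * 5:
        return "nopped"                                 # the patch the write-up describes
    if decode_near_call(code, off, base_va) == CD_CHECK_VA:
        return "intact"
    return "unexpected"


# Constructed sample: the six instructions listed at 00474710..00474729 in the disassembly.
BASE_VA = 0x00474710
INTACT = bytes.fromhex("E8BB9AFFFF" "E89606FAFF" "E81128FAFF"
                       "E8EC18FAFF" "E8C710FAFF" "E9B2C9F8FF")
# Same slice with the CD-check call replaced by five NOPs (constructed, for the detector).
PATCHED = INTACT[:0x0A] + b"\x90" * 5 + INTACT[0x0F:]

if __name__ == "__main__":
    for name, blob in (("original", INTACT), ("patched", PATCHED)):
        print(name, check_cd_call_site(blob, BASE_VA))
    print("file offset of the call site:", va_to_file_offset(CALL_SITE_VA))
```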
Once again we ventured into the world of copy protection and came out with a new example of how to defeat it. One thing I learned from the olden days of piracy... if it can be loaded into the machine, it can be cracked by someone. Copy protection only stops the average person and just slows down a cracker. And that's how you get WarGods FiX'ed.

Static Vengeance