The Cracking Answer 2000
------------------------

Author : Bug Error
------------------

Target : Quake 3 Arena 3.14 => Removes CD Check
------------------------------------------------

Tools that you'll need
-------------------------
- Soft-Ice 3.23 or higher
- W32dasm 8.93
- Hiew 6 or higher

Initial notes
--------------
- First, install the full game and apply Patch 3.14
- Then, be sure that Soft-Ice is loaded in autoexec.bat
  => C:\PROGRA~1\SOFTIC~1\WINICE.EXE
- Make sure that the cd isn't in your drive :))

First approach with Soft-Ice
----------------------------
- Run the game
- When you're in the game, choose Single Player
- Then, choose a map
- Click on Fight
- Press CTRL + D to go into Soft-Ice
- At the Soft-Ice command prompt, type : BPX GetDriveTypeA
- Press the enter key
- Press CTRL + D to go back to Q3A
- Click on Fight, and surprise, you're back in Soft-Ice :))
- Why ? Because you've put a breakpoint on Kernel32!GetDriveTypeA!
- OK, in Soft-Ice, press F11 to get to GetDriveTypeA's caller
- Aha, you should see this now :

  0177:00440CD8 CMP EAX,05          => You're here :))
  0177:00440CDB JNZ 00440D25
  0177:00440CDD PUSH 004C4070
  0177:00440CE2 LEA ECX,[ESP+08]
  0177:00440CE6 PUSH ECX
  0177:00440CE7 PUSH 004BACC4
  0177:00440CEC PUSH 0059BC00
  0177:00440CF1 CALL 004A0DAF
  0177:00440CF6 PUSH 004C4064
  0177:00440CFB PUSH 0059BC00
  0177:00440D00 LEA EDX,[ESP+20]
  0177:00440D04 PUSH 004C405C

- Note 00440CD8, you'll need this

Disassembling File with W32dasm
-------------------------------
- Load W32dasm and open "quake3.exe"
- After a while, the file will be disassembled
- Now, click on "Goto" in the menu
- Click on "Goto Code Location"
- Type 00440CD8 (normally, you've written down this address)
- You must see this now :

  * Referenced by a CALL at Address:
  |:0042E7BD                          => Hihaaaaaa, double right click on it ;)
  |
  :00440CB0 81EC84000000   sub esp, 00000084
  :00440CB6 56             push esi

  * Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
  |
  :00440CB7 8B3590304B00   mov esi, dword ptr [004B3090]
  :00440CBD C64424053A     mov [esp+05], 3A
  :00440CC2 C64424065C     mov [esp+06], 5C
  :00440CC7 C644240700     mov [esp+07], 00
  :00440CCC C644240463     mov [esp+04], 63

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00440D31(C)
  |
  :00440CD1 8D442404       lea eax, dword ptr [esp+04]
  :00440CD5 50             push eax
  :00440CD6 FFD6           call esi
  :00440CD8 83F805         cmp eax, 00000005          => Héhé, you're here
  :00440CDB 7548           jne 00440D25

- After double right clicking on 0042E7BD, you must see this :

  :0042E7A3 6834834B00     push 004B8334
  :0042E7A8 E803E9FEFF     call 0041D0B0
  :0042E7AD D81D58334B00   fcomp dword ptr [004B3358]
  :0042E7B3 83C404         add esp, 00000004
  :0042E7B6 DFE0           fstsw ax
  :0042E7B8 F6C440         test ah, 40
  :0042E7BB 7418           je 0042E7D5
  :0042E7BD E8EE240100     call 00440CB0              => You're here (The fucking cd-check routine)
  :0042E7C2 85C0           test eax, eax
  :0042E7C4 750F           jne 0042E7D5

  * Possible StringData Ref from Data Obj ->"Game CD not in drive"   => Hm, I don't want to see this ;)
  |
  :0042E7C6 6854084C00     push 004C0854
  :0042E7CB 6A03           push 00000003
  :0042E7CD E8FEB9FEFF     call 0041A1D0
  :0042E7D2 83C408         add esp, 00000008

- Place yourself on 0042E7C4 and click on the "Jump To" button, you must see this :

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  |:0042E7BB(C), :0042E7C4(C)
  |
  :0042E7D5 A15CAB5900     mov eax, dword ptr [0059AB5C]   => You're here
  :0042E7DA 85C0           test eax, eax
  :0042E7DC 7409           je 0042E7E7
  :0042E7DE 50             push eax
  :0042E7DF E85CC3FEFF     call 0041AB40
  :0042E7E4 83C404         add esp, 00000004

- Did you see ? If the JNE is taken, it bypasses the cd-check and the game runs ;)
- Oki, click on the "Ret Jump" button
- You're back here :

  :0042E7A3 6834834B00     push 004B8334
  :0042E7A8 E803E9FEFF     call 0041D0B0
  :0042E7AD D81D58334B00   fcomp dword ptr [004B3358]
  :0042E7B3 83C404         add esp, 00000004
  :0042E7B6 DFE0           fstsw ax
  :0042E7B8 F6C440         test ah, 40
  :0042E7BB 7418           je 0042E7D5
  :0042E7BD E8EE240100     call 00440CB0
  :0042E7C2 85C0           test eax, eax
  :0042E7C4 750F           jne 0042E7D5               => You're back here

- Place yourself on 0042E7BD and take a look at the bottom of the window to see the offset
- The offset is 0002E7BD
- Write down this offset, you'll need it

Cracking the EXE file
------------------------
- Open Hiew, and load "quake3.exe"
- Press F4 and choose "Decode"
- Press F5, and enter the offset, here it is 0002E7BD
- Press F4 and choose "Hex"
- Press F3 to edit and type 9090909090
- Press F9 to update the EXE

Why 90 ??
------------
- You saw that 0042E7BD calls the cd-check routine, so we must "delete it"
- 90 means NOP in assembler language, that is, do nothing
- But why 5x 90 ?
- Because the code of the call is E8EE240100, which takes 5 bytes, so 5 bytes become 90 ;)

Big surprise
---------------
- Run the game
- What's happening ?!????!!!!???
- The game runs without CD :)) Héhé, you've cracked Quake 3 Arena, enjoy :))

Crack Source
---------------
- If you want to make a crack.exe and distribute it on the internet, you must make a program that
  changes the 5 original bytes to 5 NOPs
- So, I included my source code made with Delphi 5, it also works with 1, 2, 3 or 4 ;)

  procedure TForm1.Button1Click(Sender: TObject); {button handler on the form; form and button names assumed}
  Type
    TPatch = Record
      A : LongInt; {file offset to modify}
      B : Byte;    {byte to write there}
    End;
  Const
    FileN : String = 'quake3.exe';  {name of file to patch}
    BytesToChange : Integer = 5;    {5 bytes to patch}
    FileS : LongInt = 876601;       {size of the exe, to check the version}
    A : Array[1..5] of TPatch = ((A:$2e7bd;B:$90), {offset to modify + code to replace}
                                 (A:$2e7be;B:$90),
                                 (A:$2e7bf;B:$90),
                                 (A:$2e7c0;B:$90),
                                 (A:$2e7c1;B:$90));
  Var
    F : File;
    Ch : Char;
    I : LongInt;
  Begin
    fichier.filename := '*.exe'; {I've put an OpenDialog on the form and named it "fichier"}
    fichier.filter := FileN;
    if fichier.execute then
    begin
      AssignFile(F, fichier.filename);
      Reset(F,1); {untyped file, record size of 1 byte}
      If FileSize(F)<>FileS then
      begin
        CloseFile(F);
        ShowMessage('File is incorrect size');
        halt(1);
      end;
      For I := 1 to BytesToChange do
      begin
        Seek(F,A[I].A);
        Ch:=Char(A[I].B);
        Blockwrite(F,Ch,1);
      end;
      CloseFile(F); {flush and release the file before reporting}
      ShowMessage ('File successfully cracked');
    end;
  end;
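The address arithmetic in the listings above (why a near call occupies five bytes, where E8EE240100 lands, how the JE/JNE at 0042E7BB and 0042E7C4 both reach 0042E7D5, and how 0042E7BD maps to file offset 0002E7BD) can be checked mechanically, and the same decoding gives a defender an integrity check that spots when this call slot has been overwritten with NOPs. The Python below is an added example, not part of the tutorial and not code from the game; the sample byte strings are constructed from the W32dasm listing rather than read from a real file, and the section delta of zero is an assumption taken from the tutorial's offset/address pair.

```python
import struct

# Default Win32 image base. The tutorial's pair (file offset 0002E7BD <-> virtual
# address 0042E7BD) shows that, for this section, file offset == RVA.
IMAGE_BASE = 0x00400000

# Constructed sample: the bytes from 0042E7BB to 0042E7C5 as W32dasm lists them,
# before and after the five-byte NOP patch (built from the listing, not from a binary).
SITE_VA = 0x0042E7BB
ORIGINAL_SITE = bytes.fromhex("7418"        # je   0042E7D5
                              "E8EE240100"  # call 00440CB0   (the cd-check routine)
                              "85C0"        # test eax, eax
                              "750F")       # jne  0042E7D5
PATCHED_SITE = bytes.fromhex("7418" "9090909090" "85C0" "750F")
CALL_INDEX = 2   # the call starts two bytes into the sample (after the 2-byte je)

JCC_NAMES = {0x74: "je", 0x75: "jne"}   # the two conditional jumps in the listing


def va_to_file_offset(va, image_base=IMAGE_BASE, section_delta=0):
    """Map a virtual address to a file offset.  section_delta is
    (raw data pointer - virtual address) of the containing section; the
    tutorial's section has delta 0, so 0042E7BD -> 0002E7BD."""
    return va - image_base + section_delta


def branch_target(code, index, va_of_index):
    """Decode the relative branch at code[index] and return (mnemonic, target VA).

    Handles E8 rel32 (call), E9 rel32 (jmp), EB rel8 (short jmp) and 70-7F rel8
    (short jcc).  x86 adds the signed displacement to the address of the *next*
    instruction, which is why a rel32 call is exactly five bytes long."""
    op = code[index]
    if op in (0xE8, 0xE9):
        (disp,) = struct.unpack_from("<i", code, index + 1)   # signed 32-bit
        length, name = 5, ("call" if op == 0xE8 else "jmp")
    elif op == 0xEB or 0x70 <= op <= 0x7F:
        (disp,) = struct.unpack_from("<b", code, index + 1)   # signed 8-bit
        length, name = 2, ("jmp" if op == 0xEB else JCC_NAMES.get(op, "jcc"))
    else:
        raise ValueError("no relative branch at index %d (opcode %02X)" % (index, op))
    return name, (va_of_index + length + disp) & 0xFFFFFFFF


def classify_slot(code, index):
    """Tamper check for one five-byte call slot: 'call', 'nop-patched' or 'unknown'."""
    slot = code[index:index + 5]
    if slot == b"\x90" * 5:
        return "nop-patched"
    if len(slot) == 5 and slot[0] == 0xE8:
        return "call"
    return "unknown"


def verify_cd_check_site(code, index, va_of_index, expected_target):
    """True only if the slot still holds a near call to the expected routine.
    This is the condition an integrity check or a file-scanning rule asserts on."""
    if classify_slot(code, index) != "call":
        return False
    _, target = branch_target(code, index, va_of_index)
    return target == expected_target


if __name__ == "__main__":
    call_va = SITE_VA + CALL_INDEX
    print("call at file offset %08X" % va_to_file_offset(call_va))
    for idx in (0, CALL_INDEX, 9):   # je, call, jne in the sample
        name, target = branch_target(ORIGINAL_SITE, idx, SITE_VA + idx)
        print("%08X  %-4s -> %08X" % (SITE_VA + idx, name, target))
    for label, buf in (("original", ORIGINAL_SITE), ("patched", PATCHED_SITE)):
        ok = verify_cd_check_site(buf, CALL_INDEX, call_va, 0x00440CB0)
        print("%s site: %s, intact=%s" % (label, classify_slot(buf, CALL_INDEX), ok))
```

Run stand-alone it prints the file offset 0002E7BD, the three branch targets (00440CB0, 0042E7D5, 0042E7D5) that agree with the listing, and reports the patched sample as a NOP-filled slot. A real check would read the five bytes at the known offset of the executable and compare against the expected call encoding, or simply hash the whole file against a known-good digest.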