Target game: Urban Chaos ([US]?)
 Toolz: SICE, W32Dasm, Notepad+ with wordwrap on!
 Level: 1
 Protection: CD-Check

 Background info:
 I dunno whether the original had SafeDisc or Securom or any other protection, but the
 one I had didn't (dunno if it was unwrapped already). 
 Nah.. seems to be a typical cd-check.. I think we should be able to handle this
 
 Let's use a common approach, BPX GetDriveTypeA. We'll get here
 

 * Reference To: KERNEL32.GetDriveTypeA, Ord:0000h
                                  |
 :004C9671 8B1D64804E00            mov ebx, dword ptr [004E8064]
 
 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:004C96E1(U)
 |
 :004C9677 8A442410                mov al, byte ptr [esp+10] <-- save available drives to al?
 :004C967B 8D742410                lea esi, dword ptr [esp+10] <-- same thing, but save to esi?
 :004C967F 84C0                    test al, al <-- test results
 :004C9681 744C                    je 004C96CF <-- if equal, jump to CD not found
 
 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:004C96CD(C)
 |
 :004C9683 56                      push esi
 :004C9684 FFD3                    call ebx <-- Call GetDriveTypeA routine
 :004C9686 83F805                  cmp eax, 00000005 <-- 5 for CD-ROM, you should be here too
 :004C9689 752C                    jne 004C96B7 <-- jump if no CD-ROM
 :004C968B 56                      push esi
 :004C968C 8D8C2414010000          lea ecx, dword ptr [esp+00000114]
 
 * Possible StringData Ref from Data Obj ->"%sclumps\mib.txc" <-- Look for this file on CD
                                   |
 :004C9693 682C8F4F00              push 004F8F2C <-- Push the file it's looking for (mib.txc)
 :004C9698 51                      push ecx
 :004C9699 E802760000              call 004D0CA0 <-- Define the CD-Drive where to look (not sure)
 :004C969E 8D94241C010000          lea edx, dword ptr [esp+0000011C] 
 
 * Possible StringData Ref from Data Obj ->"rb" <-- read binary?
                                   |
 :004C96A5 6844D84E00              push 004ED844
 :004C96AA 52                      push edx
 :004C96AB E8D07C0000              call 004D1380 <-- Seek for the CD
 :004C96B0 83C414                  add esp, 00000014 <-- Balance stack?
 :004C96B3 85C0                    test eax, eax <-- Test results
 :004C96B5 752C                    jne 004C96E3 <-- Jump if not equal, -> jump if cd found
 
 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:004C9689(C)
 |
 :004C96B7 8BFE                    mov edi, esi
 :004C96B9 83C9FF                  or ecx, FFFFFFFF
 :004C96BC 33C0                    xor eax, eax
 :004C96BE F2                      repnz
 :004C96BF AE                      scasb
 :004C96C0 F7D1                    not ecx
 :004C96C2 49                      dec ecx
 :004C96C3 8A440E01                mov al, byte ptr [esi+ecx+01] <-- Look for remaining CD-drives
 :004C96C7 8D740E01                lea esi, dword ptr [esi+ecx+01] <-- Move the current CD-drive to esi
 :004C96CB 84C0                    test al, al <-- test if all CD-drives done
 :004C96CD 75B4                    jne 004C9683 <-- nope, loop back to start (getdrivetypea)
 
 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:004C9681(C)
 |
 :004C96CF 6A15                    push 00000015
 :004C96D1 6A00                    push 00000000
 
 * Possible StringData Ref from Data Obj ->"Cannot locate Urban Chaos CD-ROM"
                                   |
 :004C96D3 68088F4F00              push 004F8F08
 :004C96D8 6A00                    push 00000000
 :004C96DA FFD5                    call ebp <-- Call GetDriveTypeA routine

 Mm.. that should explain somehow this routine.. I might've made some mistakes but I think it goes pretty
 much like this. Take a look at :004C96AB, can you see the call there? and the notes? Yes.. I think so too..
 this was rather weird check.. no cd and the EAX gets value of 0, CD found and EAX is (on my comp) 4FA88.
 so.. mov eax, 00000001 won't do, but mov eax, 0004FA88 will do. There's your patch :) 

 So if addresses match on your comp do the following modification

 E8D07C0000 -> B888FA0400 and you're done.

 Final words: That's it for this tute. I was little surprised as I first tried to do mov eax, 00000001 for
 the call only to find out it crashes. I tried -1 and 0 too but crashes as well. Then I finally inserted the
 bloody CD to see the returned EAX and it's 4FA88!! Oh well.. again you live and learn. I dunno why I didnt
 trace the call to see why it returned 4FA88 in EAX, so I advise you to trace it!! It may be there is a 
 getfilesize check or something.. you figure it out and tell me, ok? :)

 -C_DKnight, btw.. even thou I do lots of cd-check tutes my name does not refer to CD-checks ;)
             or.. should I change my name to CD_Knight (like E_BLiss credits in VIPer .txt file )?

 Yah.. I wanna greet all those fine ppl I've been lucky to meet at #Cracking4Newbies & #CDRinfo
 I bet you know who you are ;).. still in s3.exe? see anything u like?