Target game: Urban Chaos ([US]?)
Toolz: SICE, W32Dasm, Notepad+ with wordwrap on!
Level: 1
Protection: CD-Check

Background info:
I dunno whether the original had SafeDisc or SecuROM or any other protection, but the one I had didn't (dunno if it was unwrapped already). Nah.. seems to be a typical CD-check.. I think we should be able to handle this.

Let's use a common approach: BPX GetDriveTypeA. We'll get here:

* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h
|
:004C9671 8B1D64804E00   mov ebx, dword ptr [004E8064]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C96E1(U)
|
:004C9677 8A442410       mov al, byte ptr [esp+10]         <-- save available drives to al?
:004C967B 8D742410       lea esi, dword ptr [esp+10]       <-- same thing, but save to esi?
:004C967F 84C0           test al, al                       <-- test results
:004C9681 744C           je 004C96CF                       <-- if equal, jump to "CD not found"

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C96CD(C)
|
:004C9683 56             push esi
:004C9684 FFD3           call ebx                          <-- call the GetDriveTypeA routine
:004C9686 83F805         cmp eax, 00000005                 <-- 5 for CD-ROM, you should be here too
:004C9689 752C           jne 004C96B7                      <-- jump if not a CD-ROM
:004C968B 56             push esi
:004C968C 8D8C2414010000 lea ecx, dword ptr [esp+00000114]

* Possible StringData Ref from Data Obj ->"%sclumps\mib.txc"   <-- looks for this file on the CD
|
:004C9693 682C8F4F00     push 004F8F2C                     <-- push the file it's looking for (mib.txc)
:004C9698 51             push ecx
:004C9699 E802760000     call 004D0CA0                     <-- define the CD drive where to look (not sure)
:004C969E 8D94241C010000 lea edx, dword ptr [esp+0000011C]

* Possible StringData Ref from Data Obj ->"rb"   <-- read binary?
|
:004C96A5 6844D84E00     push 004ED844
:004C96AA 52             push edx
:004C96AB E8D07C0000     call 004D1380                     <-- seek for the CD
:004C96B0 83C414         add esp, 00000014                 <-- balance stack?
:004C96B3 85C0           test eax, eax                     <-- test results
:004C96B5 752C           jne 004C96E3                      <-- jump if not equal -> jump if CD found

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C9689(C)
|
:004C96B7 8BFE           mov edi, esi
:004C96B9 83C9FF         or ecx, FFFFFFFF
:004C96BC 33C0           xor eax, eax
:004C96BE F2             repnz
:004C96BF AE             scasb
:004C96C0 F7D1           not ecx
:004C96C2 49             dec ecx
:004C96C3 8A440E01       mov al, byte ptr [esi+ecx+01]     <-- look for remaining CD drives
:004C96C7 8D740E01       lea esi, dword ptr [esi+ecx+01]   <-- move the current CD drive to esi
:004C96CB 84C0           test al, al                       <-- test if all CD drives are done
:004C96CD 75B4           jne 004C9683                      <-- nope, loop back to the start (GetDriveTypeA)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C9681(C)
|
:004C96CF 6A15           push 00000015
:004C96D1 6A00           push 00000000

* Possible StringData Ref from Data Obj ->"Cannot locate Urban Chaos CD-ROM"
|
:004C96D3 68088F4F00     push 004F8F08
:004C96D8 6A00           push 00000000
:004C96DA FFD5           call ebp                          <-- Call GetDriveTypeA routine

Mm.. that should explain this routine somehow.. I might've made some mistakes, but I think it goes pretty much like this. Take a look at :004C96AB, can you see the call there? And the notes? Yes.. I think so too.. this was a rather weird check.. with no CD, EAX gets the value 0; with the CD found, EAX is (on my comp) 4FA88. So.. mov eax, 00000001 won't do, but mov eax, 0004FA88 will. There's your patch :)

So if the addresses match on your comp, make the following modification:

E8D07C0000 -> B888FA0400

and you're done.

Final words:
That's it for this tute. I was a little surprised when I first tried mov eax, 00000001 for the call, only to find out it crashes. I tried -1 and 0 too, but those crash as well. Then I finally inserted the bloody CD to see the returned EAX, and it's 4FA88!! Oh well.. again you live and learn. I dunno why I didn't trace the call to see why it returned 4FA88 in EAX, so I advise you to trace it!! It may be there is a GetFileSize check or something.. you figure it out and tell me, ok? :)

-C_DKnight

Btw.. even though I do lots of CD-check tutes, my name does not refer to CD-checks ;) Or.. should I change my name to CD_Knight (like E_BLiss credits in the VIPer .txt file)? Yah.. I wanna greet all those fine ppl I've been lucky to meet at #Cracking4Newbies & #CDRinfo. I bet you know who you are ;).. still in s3.exe? See anything u like?
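As an added illustration (not part of the original tute and not the game's code), here is the drive-walking loop from 004C9677 to 004C96CD rebuilt in C. It assumes the buffer at [esp+10] is a double-NUL-terminated list of drive roots as GetLogicalDriveStringsA returns, and that the "rb" call at 004C96AB is a C-runtime fopen, so the 4FA88 in EAX would be a FILE pointer that the game later dereferences (an inference from the listing, which the tute does not confirm, but it would explain why 0, 1 and -1 all crash). GetDriveTypeA and fopen are replaced by constructed callbacks so the walk runs off Windows; the drive letters, DRIVE_FIXED and the demo helpers are made up.

```c
#include <stdio.h>
#include <string.h>

#define DRIVE_CDROM 5   /* Win32 value GetDriveType returns for a CD-ROM drive */
#define DRIVE_FIXED 3   /* ...and for a hard disk (only used by the constructed stub) */

/* Callbacks stand in for GetDriveTypeA and fopen so the walk runs off Windows. */
typedef unsigned (*drive_type_fn)(const char *root);
typedef void *(*open_fn)(const char *path);
/* Walks a double-NUL-terminated list of drive roots ("A:\", "C:\", ..., "")
 * the way the loop at 004C9683..004C96CD does: strlen+1 (the repnz scasb /
 * not ecx / dec ecx block) advances to the next root, and an empty root
 * (al == 0) ends the loop. For every root reporting DRIVE_CDROM the file
 * "%sclumps\mib.txc" is opened; the first successful open is returned as-is,
 * so the caller's "test eax, eax" checks a handle, not a true/false flag. */
void *find_game_cd(const char *drives, drive_type_fn drive_type, open_fn open_file)
{
    char path[260];
    for (const char *root = drives; *root != '\0'; root += strlen(root) + 1) {
        if (drive_type(root) != DRIVE_CDROM)
            continue;                             /* jne 004C96B7: next drive */
        snprintf(path, sizeof path, "%sclumps\\mib.txc", root);
        void *handle = open_file(path);         /* the call at 004C96AB, mode "rb" */
        if (handle != NULL)
            return handle;                        /* jne 004C96E3: CD found */
    }
    return NULL;                                  /* -> "Cannot locate Urban Chaos CD-ROM" */
}

/* Constructed stand-ins for a demo machine: D: is the only CD-ROM drive and
 * carries the file; every other drive is a hard disk. */
static unsigned demo_drive_type(const char *root)
{
    return root[0] == 'D' ? DRIVE_CDROM : DRIVE_FIXED;
}

static int demo_file;                             /* stands in for the FILE object */
static void *demo_open(const char *path)
{
    return strcmp(path, "D:\\clumps\\mib.txc") == 0 ? (void *)&demo_file : NULL;
}

int main(void)
{
    static const char drives[] = "A:\\\0C:\\\0D:\\\0";   /* constructed drive list */
    void *h = find_game_cd(drives, demo_drive_type, demo_open);
    printf("%s\n", h ? "CD found" : "Cannot locate Urban Chaos CD-ROM");
    return 0;
}
```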