==========================
How to crack Bryce 3D v3.1
==========================

In this tutorial u'll see how to get the full version of Bryce 3D v3.1 for free.

Used Tools
==========

SoftICE v3.2 (http://protools.cjb.net)
InstallShield File Compressor ('icomp.exe') (http://www.pbdatacom.se/empire/files/files.htm)

Target
======

Bryce 3D is a gfx program, which u can use to create fine and realistic landscapes. Its protection consists of a serial number check, and u have to insert the CD-ROM when u want to start the program.

How to get Bryce v3.1
=====================

(of course u can skip this passage if u already have it)

1) To build up your own Bryce 3D full version u have to download the following files:

   ftp.metacreations.com /pub/Applications/Bryce/demo/win/
     bryce3d_demo.arj
     bryce3d_demo.a01
     bryce3d_demo.a02
     bryce3d_demo.a03
     bryce3d_demo.a04
     bryce3d_demo.a05
   OR
     b3d_demo_win_full.zip

   AND

   ftp.metacreations.com /pub/Applications/Bryce/update/win/
     b3d-31.zip

   Probably u've got the demo (about 28 MB) somewhere on a CD-ROM of a PC magazine, so that u don't have to download it. In the demo version some important features r disabled, but all(?) texture, template, ... files r there. By replacing the program files with the program files of the update package u get the full version of the program.

2) Extract the file 'data.1' from the demo package to a temporary directory (for example: c:\bryce).

3) Extract the files from 'data.1' using 'icomp.exe':

   icomp data.1 *.* -d -i

   (BTW: U can unpack all programs packaged with InstallShield with this program. This could be useful if an installation requires a password in order to proceed with the install. But this method does not work with many programs, because often registry modifications made by IS r needed to start the program.)

4) Unpack 'b3d-31.zip', start a file manager and start the B3D update program. Wait for the first message ('Welcome to the Bryce 3D Updater Program ...') and switch to the file manager ([ALT]+[TAB]). Now go to the Windows temp directory (for example 'c:\windows\temp\') and find out where the updater has extracted its files to (maybe 'c:\windows\temp\~exb0000\'). Copy 'data.1' (around 7 MB) to 'c:\bryce' -or whatever- replacing the old 'data.1'. Close the setup program.

5) Unpack 'data.1' using 'icomp.exe':

   icomp data.1 *.* -d -i

6) The files r extracted to the subdirectory 'update31'. Copy all files from this directory to the Bryce demo directory (for example: 'xcopy c:\bryce\update31\*.* c:\bryce\prog /e /r').

That's it. U can delete the temporary dirs now and copy all files from 'c:\bryce\prog\' to a dir of your choice ('c:\program files\bryce31').

How to patch it
===============

Now the more interesting part.

1) SoftICE should be loaded and the common changes in 'winice.dat' should be done.

2) Start Bryce. A box appears which asks u to give name, company and a serial. When u enter something (for example 'NiTEHAWK/-/1234567890') and press OK, a message tells u that the program first checks if the Bryce CD-ROM is inserted.

3) A common function used by CD-ROM checks is 'GetDriveTypeA'. So switch to SI ([Ctrl]+[D]) and type 'bpx getdrivetypea' to make SI break when this function is called.

4) Switch back to B3D and push OK again. SI breaks and u r in the 'getdrivetypea' function. So press [F12] to get out of it.

:0051C839 56                      push esi

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
|
:0051C83A FF15A0EB6600            Call dword ptr [0066EBA0]
:0051C840 83F805                  cmp eax, 00000005          << After 1x [F12]
:0051C843 7565                    jne 0051C8AA

* Possible StringData Ref from Data Obj ->".psd"
|
:0051C845 6878D46500              push 0065D478

* Possible StringData Ref from Data Obj ->"serial"
|
:0051C84A 6838D46500              push 0065D438

Now u r in the 'cdrom-check function' of the program, u suppose. To find out if this is true, disable the breakpoint (bd *) and press [F12] again.

:004E44E8 84D2                    test dl, dl
:004E44EA 0F8402020000            je 004E46F2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E44DE(C)
|
:004E44F0 8B8BB0000000            mov ecx, dword ptr [ebx+000000B0]
:004E44F6 E8E5810300              call 0051C6E0
:004E44FB 85C0                    test eax, eax              << After 1x [F12]
:004E44FD 7425                    je 004E4524                << !
:004E44FF 8B939C000000            mov edx, dword ptr [ebx+0000009C]
:004E4505 6A01                    push 00000001
:004E4507 6A01                    push 00000001
:004E4509 52                      push edx
:004E450A E821150400              call 00525A30

U can see that u were right in your speculation. It seems that the call at address :004E44F6 calls a serial & CD-ROM check function. There r several possibilities how to patch: u can manipulate the jump at 004E44FD, or the function itself, or ...

Let's try the first possibility:

- u r in SI. Type 'e 4E44FD'
- change '74' to 'EB' ('je' to 'jmp')
- press return
- switch back to B3D
- and it worx, now u've got the registered version of B3D!

(There is no need for a permanent patch, cause the program creates a file in the B3D directory which shows that it is registered ('MetaImage.dll').)

Notice: There could be different memory addresses on your system.

Remarks? Write me: the_nitehawk@hotmail.com