blah blah blah . boring q3 cd check . . reversed? hah, i make myself laugh (i do, i really do)

wdasm quake3.exe . . search for imports \ GetDriveTypeA . . say hello to the cd check:

:004400C0 81EC84000000          sub esp, 00000084
:004400C6 56                    push esi

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:004400C7 8B3590104B00          mov esi, dword ptr [004B1090]
:004400CD C64424053A            mov [esp+05], 3A          ; ':'
:004400D2 C64424065C            mov [esp+06], 5C          ; '\'
:004400D7 C644240700            mov [esp+07], 00          ; 0 terminator ;)
:004400DC C644240463            mov [esp+04], 63          ; 'c' - at this point, [esp+4] == 'c:\',0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440141(C)
|
:004400E1 8D442404              lea eax, dword ptr [esp+04]
:004400E5 50                    push eax                  ; push 'c:\',0
:004400E6 FFD6                  call esi                  ; call GetDriveTypeA
:004400E8 83F805                cmp eax, 00000005         ; was it a cd-rom? (DRIVE_CDROM == 5)
:004400EB 7548                  jne 00440135              ; nope, cycle through the drive letters..
                                                          ; else....

* Possible StringData Ref from Data Obj ->"quake3"
|
:004400ED 68A81A4C00            push 004C1AA8             ; push 'quake3',0
:004400F2 8D4C2408              lea ecx, dword ptr [esp+08]
:004400F6 51                    push ecx                  ; push 'c:\',0 (or whatever drive letter your cd-rom is)

* Possible StringData Ref from Data Obj ->"%s%s"          ; used in string formatting: string/string
|
:004400F7 68088B4B00            push 004B8B08
:004400FC 68F0895C00            push 005C89F0
:00440101 E899EE0500            call 0049EF9F             ; after this, we have 'c:\quake3',0

* Possible StringData Ref from Data Obj ->"quake3.exe"
|
:00440106 689C1A4C00            push 004C1A9C             ; push 'quake3.exe',0
:0044010B 68F0895C00            push 005C89F0
:00440110 8D542420              lea edx, dword ptr [esp+20] ; our previous formatted string

* Possible StringData Ref from Data Obj ->"%s\%s"         ; string '\' string
|
:00440114 68941A4C00            push 004C1A94
:00440119 52                    push edx
:0044011A E880EE0500            call 0049EF9F             ; after this, 'c:\quake3\quake3.exe',0
:0044011F 8D442428              lea eax, dword ptr [esp+28]

* Possible StringData Ref from Data Obj ->"r"             ; read / readonly
|
:00440123 68901A4C00            push 004C1A90
:00440128 50                    push eax
:00440129 E877F90500            call 0049FAA5             ; read / load / do something with the file
:0044012E 83C428                add esp, 00000028         ; fix the stack after all the string formatting pushes
:00440131 85C0                  test eax, eax             ; eax != 0 == good boy
:00440133 7518                  jne 0044014D

quake3 is a bit bitchy . . and there are two of these checks. it's the next check (@00440170) that gets executed first, but it's 100% identical to this one. if we simply force it to think it loaded quake3.exe, we get a pagefault / crash at 49fa00 or something. so . . let's let it load / open quake3.exe for real. where it sets up the drive letter 'c:\',0 and checks it for a cd-rom, let's set up the current dir instead, and stop it checking whether that is a cd-rom: '.\',0,0 :D

edit the first part of the code to look like this (and do the same to the other cd check code @00440170):

:004400C7 8B3590104B00          mov esi, dword ptr [004B1090]
:004400CD C64424055C            mov [esp+05], 5C          ; '\'
:004400D2 C644240600            mov [esp+06], 00
:004400D7 C644240700            mov [esp+07], 00
:004400DC C64424042E            mov [esp+04], 2E          ; '.' - at this point, [esp+4] == '.\',0,0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440141(C)
|
:004400E1 8D442404              lea eax, dword ptr [esp+04]
:004400E5 50                    push eax                  ; push '.\',0,0
:004400E6 FFD6                  call esi                  ; call GetDriveTypeA
:004400E8 83F805                cmp eax, 00000005         ; it wasn't a cd-rom, but we don't care
:004400EB 7500                  jne 004400ED              ; jump to the next instruction: effectively nopped

then we fuck with the string formatting code. we don't want the dir '.\quake3', do we? just kill that nasty call:

:004400ED 68A81A4C00            push 004C1AA8             ; push 'quake3',0
:004400F2 8D4C2408              lea ecx, dword ptr [esp+08]
:004400F6 51                    push ecx                  ; push '.\',0,0

* Possible StringData Ref from Data Obj ->"%s%s"          ; used in string formatting: string/string
|
:004400F7 68088B4B00            push 004B8B08
:004400FC 68F0895C00            push 005C89F0
:00440101 B899EE0500            mov eax, 0005EE99         ; cruel way to kill a call: change E8 to B8 ..
                                                          ; but at least we don't have '.\quake3',0 now

okay, 90% fixed.

now the next string formatting part. the formatter is '%s\%s', and if this gets executed we end up with '.\\quake3.exe',0 . . an extra '\', which is bad. text search for '%s\%s',0 in quake3.exe . . turns up twice, but one of them is very close to 'quake3' & 'quake3.exe', so we kinda guess that's the correct one. 'zen cracking': %s\%s...quake3.exe..quake3.. yaddayaddayadda. change it to '%s%s',0, i.e. kill the '\'. excellent. now we've patched this code (and its mirror..):

* Possible StringData Ref from Data Obj ->"quake3.exe"
|
:00440106 689C1A4C00            push 004C1A9C             ; push 'quake3.exe',0
:0044010B 68F0895C00            push 005C89F0
:00440110 8D542420              lea edx, dword ptr [esp+20] ; our previous formatted string: '.\',0 hehehe

* Possible StringData Ref from Data Obj ->"%s%s"          ; stringstring
|
:00440114 68941A4C00            push 004C1A94
:00440119 52                    push edx
:0044011A E880EE0500            call 0049EF9F             ; after this, '.\quake3.exe',0

boom! haha . dumb tutorial, but quake3 runs with no cd now! (if you patched both checks . . )

so what did we learn? lame q3 checks for its own exe on the cd-rom: 'x:\quake3\quake3.exe',0. if we just kill the cd check, it crashes. thus we have to make it look on our hard drive for this 'important' file, so we patch it here and there to make it look for '.\quake3.exe',0, which it can find quite easily, because if it wasn't installed and in the current directory, you wouldn't be trying to play it!

r!sc .. http://csir.cjb.net
eVC/dVN rtl 2k !