HOW TO CRACK:
Requiem: Avenging Angel v1.0

Introduction:

Well, it's yet another 3D shooter - but it uses the Half-Life engine (or close enough), so it can't be that bad, can it? And it isn't bad at all. You need the CD in the drive to play the movies, but we can fix that, can't we? It's up to you really: if you don't mind playing them from the CD then don't crack it, but if you have plenty of room on your HD then just copy the \movies folder from the CD into the \media folder in the install path. This game came to me like this on CD so I don't know if anyone else has tampered with it first. There are 3 main exe files for various video card support - let's look at cracking the 3dfx.exe.

One interesting thing here is that if you open the file in Borland's Resource Workshop you will find all the menu and dialog boxes for the editor that created the game. Don't know if it can be activated though.

The Protection:
As mentioned above, you need to have the CD in the drive to play the movies, otherwise you get a message 'Insert the Requiem: Avenging Angel CD and then restart the game......'

Tools needed: WDASM & a hex editor.

The Crack:
Load the 3dfx.exe into WDASM and wait a while. We want to see if the CD warning message is here somewhere, so search for 'insert'. We find it on line 101977 and the surrounding code is below. Let's take a closer look at it.


        
* Referenced by a CALL at Address:
:004F59E4

:00433610 55                    push ebp
:00433611 8BEC                  mov ebp, esp
:00433613 83EC08                sub esp, 00000008
:00433616 8955F8                mov dword ptr [ebp-08], edx
:00433619 894DFC                mov dword ptr [ebp-04], ecx
:0043361C 33C0                  xor eax, eax
:0043361E A030DC5F00            mov al, byte ptr [005FDC30]    ----> either 0 or 1
:00433623 85C0                  test eax, eax                  ----> 0=bad 1=good
:00433625 7516                  jne 0043363D                   ----> jump if eax=1=good
:00433627 33D2                  xor edx, edx                   ----> continue with warning message

* Possible Reference to String Resource ID=01852: "Insert the Requiem: Avenging Angel CD and then restart the game"

:00433629 B93C070000            mov ecx, 0000073C
:0043362E E8BDD80C00            call 00500EF0

* Possible Ref to Menu: URX_MAIN, Item: "New"

:00433633 C70500A9680001000000  mov dword ptr [0068A900], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00433625(C)

:0043363D 8B4D08                mov ecx, dword ptr [ebp+08]    ----> good jump lands here bypassing warning message.
:00433640 51                    push ecx

As you can see, at address 433623 a test is made on eax being zero; if it isn't, then the CD is in the drive. If it is zero, the CD is missing and the warning is displayed. The value is placed in eax at address 43361E, so there are 2 ways in which to crack this protection test:
[1] We can place a value of 1 in eax before the test is made, or
[2] We can force the program to jump over the warning message after the test is made.
I prefer method [1]. So in order to do this we need to know the instruction to do so. How about 'mov eax, 1'? That will do it. The hex code for this is 'b801000000', which fits nicely in place at address 43361E.
Check the offset of this instruction in WDASM, load the 3dfx.exe into your hex editor, go to that offset, replace A030DC5F00 with B801000000 and save the file under a different name. Now, as mentioned earlier, copy the \movies folder from the CD into the \media folder in the install path on the hard drive, then remove the CD from the drive and run your cracked file. Hey look, no more warning message and the movies play from the hard drive. Try this with the other 2 exe files (software and d3d) and you'll see that they're almost identical to crack.
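
Seen from the vendor's side, a change like this shows up as a short run of altered bytes in code that should never change. The sketch below is an added example, not part of the original text: it compares the function bytes from the listing above with a suspect copy and reports each changed run by virtual address. The names changed_runs and build_suspect and the suspect buffer itself are constructed for illustration.

```python
# Added example: tamper detection by comparing known-good code bytes with a
# suspect copy. REFERENCE holds the first instructions of the function in the
# listing, starting at virtual address 0x433610.
BASE_VA = 0x433610
REFERENCE = bytes.fromhex(
    "55"          # push ebp
    "8BEC"        # mov ebp, esp
    "83EC08"      # sub esp, 8
    "8955F8"      # mov [ebp-08], edx
    "894DFC"      # mov [ebp-04], ecx
    "33C0"        # xor eax, eax
    "A030DC5F00"  # mov al, [005FDC30]
    "85C0"        # test eax, eax
    "7516"        # jne 0043363D
)


def changed_runs(reference: bytes, suspect: bytes, base_va: int):
    """Return (address, original_bytes, found_bytes) for each altered run."""
    if len(reference) != len(suspect):
        # A size change means the two buffers are not the same region.
        raise ValueError("regions differ in length; compare the same range")
    runs, start = [], None
    # Iterate one step past the end so a run touching the last byte is closed.
    for i in range(len(reference) + 1):
        differs = i < len(reference) and reference[i] != suspect[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((base_va + start, reference[start:i], suspect[start:i]))
            start = None
    return runs


def build_suspect() -> bytes:
    """Constructed sample: the reference with the 5-byte replacement from the text."""
    tampered = bytearray(REFERENCE)
    tampered[0x43361E - BASE_VA:0x43361E - BASE_VA + 5] = bytes.fromhex("B801000000")
    return bytes(tampered)


if __name__ == "__main__":
    for va, old, new in changed_runs(REFERENCE, build_suspect(), BASE_VA):
        print(f"{va:08X}: {old.hex().upper()} -> {new.hex().upper()}")
```

Only four bytes are reported because the last byte of both instructions is 00, which is why a comparison over the whole region is more reliable than looking for one specific opcode.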

That's it really...........