The Crack: OK, so you've applied the new patch and you tried to run the game without the CD in the drive and got the message 'Please Insert Special Ops II to CD-ROM'.
With SoftICE (SI) present, start the game again through the Symbol Loader and place a breakpoint on MessageBoxA. This is the function called to display the warning message. Type 'bpx messageboxa' followed by Enter, then F5 to run the game. After the drives are checked you will be popped back into SI. Now press F12 once to see the message appear, then press Enter to get rid of it and you will be back in SI. But which exe has called the routine? None: you will now be in SO MENU.
Type 'mod so menu' followed by Enter and you will see the location of this file. It is a DLL file in the \menu folder in the game path.
OK then, load this 13MB file into W32DASM; it doesn't take long as most of the file is data rather than code. Search for the message string. We need to work backwards to avoid the bad call, so read from the bottom:
:1001BE31 E8F25BFEFF   call 10001A28
:1001BE36 85C0         test eax, eax
:1001BE38 EB42         jmp 1001BE7C                    ----> Change this to JMP to avoid the message
:1001BE3A 8B0D48790B10 mov ecx, dword ptr [100B7948]
:1001BE40 3BCF         cmp ecx, edi
:1001BE42 7513         jne 1001BE57                    ----> Traced back to here, keep tracing back to avoid being here also
:1001BE44 8D542444     lea edx, dword ptr [esp+44]
:1001BE48 6868390A10   push 100A3968
:1001BE4D 52           push edx
:1001BE4E 897C244C     mov dword ptr [esp+4C], edi
:1001BE52 E8E3ED0100   call 1003AC3A                   ----> Trace this call back as we do not want to be here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1001BE42(C)
|
* Possible Reference to String Resource ID=00001: "Inventory"
:1001BE57 6A01         push 00000001
:1001BE59 E88F5FFEFF   call 10001DED
:1001BE5E 57           push edi

* Possible StringData Ref from Data Obj ->"SpecOps II US Army Green Berets"
:1001BE5F 68FCF70A10   push 100AF7FC

* Possible StringData Ref from Data Obj ->"Please insert SpecOps II CD to CD-ROM"   ----> Here's our string
:1001BE64 68CCF70A10   push 100AF7CC
:1001BE69 8BCD         mov ecx, ebp
:1001BE6B E8A0710400   call 10063010                   ----> Call the MessageBoxA routine
:1001BE70 83F801       cmp eax, 00000001
:1001BE73 7507         jne 1001BE7C
:1001BE75 57           push edi

* Reference To: USER32.PostQuitMessage, Ord:01E0h
:1001BE76 FF1598660C10 Call dword ptr [100C6698]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1001BE38(U), :1001BE73(C)
:1001BE7C 393D00110C10 cmp dword ptr [100C1100], edi   ----> Good jump ends up here avoiding CD message
:1001BE82 0F84AD010000 je 1001C035
Another place you will have to look is the code below, because the function GetDriveTypeA is called there to determine which type of drive is being checked:
:1002B9A6 684C0F0B10   push 100B0F4C
:1002B9AB 51           push ecx
:1002B9AC E8DE060100   call 1003C08F
:1002B9B1 83C410       add esp, 00000010
:1002B9B4 8D54240C     lea edx, dword ptr [esp+0C]
:1002B9B8 52           push edx
:1002B9B9 FFD7         call edi                        ----> Function is called from here
:1002B9BB 83F805       cmp eax, 00000005               ----> Is it a CD-ROM?
:1002B9BE EB12         jmp 1002B9D2                    ----> We place JMP here to jump anyway

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1002B996(C)
:1002B9C0 46           inc esi
:1002B9C1 83FE1A       cmp esi, 0000001A
:1002B9C4 7EC5         jle 1002B98B
:1002B9C6 5F           pop edi
:1002B9C7 5E           pop esi
:1002B9C8 33C0         xor eax, eax
:1002B9CA 5B           pop ebx
:1002B9CB 81C408010000 add esp, 00000108
:1002B9D1 C3           ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1002B9BE(U)|
:1002B9D2 83C640       add esi, 00000040               ----> We jump over to here
:1002B9D5 56           push esi
To crack the game, open So Menu.dll in a hex editor and change the following bytes:
Change the byte at offset 1BE38 to EB
Change the byte at offset 2B9BE to EB
That's it............another one bites the dust....
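Added example, not part of the original tutorial: a small Python check that decodes the two short branches named above and reports when a conditional branch has been rewritten into an unconditional JMP or retargeted, the kind of test a self-integrity routine in the game would run over its own code. It assumes, as the tutorial does, that file offset equals RVA under image base 10000000; the original conditional opcode is not shown on the page, so the constructed pristine sample uses an assumed 0x75 (jne).

```python
import struct

# The listing's VA 1001BE38 is file offset 1BE38, so the tutorial treats
# file offset as equal to RVA; this check assumes the same mapping.
IMAGE_BASE = 0x10000000
SHORT_JMP = 0xEB                 # unconditional short jump (the patch byte)
SHORT_JCC = range(0x70, 0x80)    # short conditional jumps (jo .. jg)

# The two branch sites from the tutorial and where the listing shows them landing.
CHECK_SITES = {
    0x1BE38: 0x1001BE7C,  # skips the "Please insert ... CD" MessageBoxA path
    0x2B9BE: 0x1002B9D2,  # skips the GetDriveTypeA == 5 (CD-ROM) test result
}

def decode_short_branch(code, offset):
    """Decode a 2-byte short branch at offset; return (opcode, target VA) or None."""
    if offset + 2 > len(code):
        return None
    op = code[offset]
    if op != SHORT_JMP and op not in SHORT_JCC:
        return None
    rel8 = struct.unpack_from("<b", code, offset + 1)[0]   # signed displacement
    return op, IMAGE_BASE + offset + 2 + rel8

def audit_branches(code):
    """Return (offset, finding) pairs for every site that no longer looks like a conditional branch."""
    findings = []
    for off, expected in CHECK_SITES.items():
        decoded = decode_short_branch(code, off)
        if decoded is None:
            findings.append((off, "no short branch at site"))
            continue
        op, target = decoded
        if target != expected:
            findings.append((off, "branch target changed to %08X" % target))
        elif op == SHORT_JMP:
            findings.append((off, "conditional branch patched to JMP"))
    return findings

def sample_image(patched):
    """Constructed stand-in for the DLL: zero-filled, only the two branch sites populated.
    The original conditional opcode is not shown in the tutorial, so 0x75 (jne) is assumed."""
    img = bytearray(0x2C000)
    first = SHORT_JMP if patched else 0x75
    img[0x1BE38:0x1BE3A] = bytes([first, 0x42])   # EB42 / 7542 -> 1001BE7C
    img[0x2B9BE:0x2B9C0] = bytes([first, 0x12])   # EB12 / 7512 -> 1002B9D2
    return bytes(img)

if __name__ == "__main__":
    for off, what in audit_branches(sample_image(patched=True)):
        print("offset %05X: %s" % (off, what))
```

To run it over the real file, pass the bytes of So Menu.dll to audit_branches in place of the constructed sample.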