HOW TO CRACK:
Special Ops II

Introduction: Follow-up to Special Ops!... What more do you want to know? Apart from... it's another game full of bugs that plays really badly with a very poor interface! Personally I think the game is far from finished and would recommend you take it back to where you bought it for a refund - like I did.

The Protection: Protected with the new version of SafeDisc (C-Dilla). You need the original CD in the drive to play it... or do we? Check out the Zombie web/ftp site: there you will find the official patched exes, which are already unwrapped (no SafeDisc wrapper around them), so you can burn them back onto the CD and copy it as normal. You still need the CD in the drive to play the game though - that's where we come in...

First of all get the 2.3MB v1.1.1 patch from ftp://ftp.zombie.com/pub/specops2/specopsiipatchinstaller.exe

Tools needed: WDASM, a hex editor, SoftICE

The Crack: OK, so you've applied the new patch, tried to run the game without the CD in the drive, and got the message 'Please insert SpecOps II CD to CD-ROM'.

With SoftICE (SI) present, start the game again through the Symbol Loader and place a breakpoint on MessageBoxA, the function called to display the warning. Type 'bpx messageboxa' followed by Enter, then F5 to run the game. After the drives are checked you will pop back into SI. Press F12 once to see the message appear, then press Enter to dismiss it and you will be back in SI at the caller. But which exe called the routine? None of them - you are now in SO MENU.
Type 'mod so menu' followed by Enter and SI shows where this module was loaded from: it is a DLL in the \menu folder under the game path.

OK then, load this 13MB file into WDASM; it doesn't take long, as most of the file is data rather than code. Search for the message string. We need to work backwards from it to find the jump that avoids the bad path, so read the listing from the bottom up:


:1001BE31 E8F25BFEFF   call 10001A28              <--- its result decides whether the message is shown
:1001BE36 85C0         test eax, eax
:1001BE38 EB42         jmp 1001BE7C               <--- originally a conditional jump; change it to JMP to avoid the message
:1001BE3A 8B0D48790B10 mov ecx, dword ptr [100B7948]
:1001BE40 3BCF         cmp ecx, edi
:1001BE42 7513         jne 1001BE57               <--- traced back to here; keep tracing back, we must not arrive here either
:1001BE44 8D542444     lea edx, dword ptr [esp+44]
:1001BE48 6868390A10   push 100A3968
:1001BE4D 52           push edx
:1001BE4E 897C244C     mov dword ptr [esp+4C], edi
:1001BE52 E8E3ED0100   call 1003AC3A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:1001BE42(C)   <--- the jne above lands here; we do not want to be here
* Possible Reference to String Resource ID=00001: "Inventory"
:1001BE57 6A01         push 00000001
:1001BE59 E88F5FFEFF   call 10001DED
:1001BE5E 57           push edi
* Possible StringData Ref from Data Obj ->"SpecOps II US Army Green Berets"
:1001BE5F 68FCF70A10   push 100AF7FC
* Possible StringData Ref from Data Obj ->"Please insert SpecOps II CD to CD-ROM"   <--- here's our string
:1001BE64 68CCF70A10   push 100AF7CC
:1001BE69 8BCD         mov ecx, ebp
:1001BE6B E8A0710400   call 10063010              <--- the routine that displays the message through MessageBoxA
:1001BE70 83F801       cmp eax, 00000001
:1001BE73 7507         jne 1001BE7C
:1001BE75 57           push edi
* Reference To: USER32.PostQuitMessage, Ord:01E0h
:1001BE76 FF1598660C10 Call dword ptr [100C6698]  <--- if the box returned 1 the game quits
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:1001BE38(U), :1001BE73(C)
:1001BE7C 393D00110C10 cmp dword ptr [100C1100], edi   <--- the good jump ends up here, past the CD message
:1001BE82 0F84AD010000 je 1001C035


Another place you will have to look is the code below, because GetDriveTypeA is called there to find out what type of drive is being checked. The loop walks through the drive letters one at a time and compares the result with 5 (DRIVE_CDROM). With the conditional jump turned into a JMP, the very first drive tried is accepted as the CD drive whatever type it really is, which is exactly what we want.

:1002B9A6 684C0F0B10   push 100B0F4C
:1002B9AB 51           push ecx
:1002B9AC E8DE060100   call 1003C08F
:1002B9B1 83C410       add esp, 00000010
:1002B9B4 8D54240C     lea edx, dword ptr [esp+0C]
:1002B9B8 52           push edx                   <--- root path of the drive being tested
:1002B9B9 FFD7         call edi                   <--- GetDriveTypeA is called from here (edi holds its address)
:1002B9BB 83F805       cmp eax, 00000005          <--- is it a CD-ROM? (5 = DRIVE_CDROM)
:1002B9BE EB12         jmp 1002B9D2               <--- originally conditional; we place a JMP here so it jumps anyway
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1002B996(C)
:1002B9C0 46           inc esi                    <--- next drive letter
:1002B9C1 83FE1A       cmp esi, 0000001A          <--- 1A = 26 letters, A: to Z:
:1002B9C4 7EC5         jle 1002B98B
:1002B9C6 5F           pop edi
:1002B9C7 5E           pop esi
:1002B9C8 33C0         xor eax, eax               <--- no CD found: return 0
:1002B9CA 5B           pop ebx
:1002B9CB 81C408010000 add esp, 00000108
:1002B9D1 C3           ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1002B9BE(U)|
:1002B9D2 83C640       add esi, 00000040          <--- we jump over to here; esi + 40h is the drive letter as ASCII
:1002B9D5 56           push esi


To crack the game, open So Menu.dll in a hex editor and change the following bytes. The file offsets are the WDASM addresses minus the 10000000 image base, which works here because the code section starts at the same offset in the file as in memory. Before writing, check that the second byte at each offset is 42 and 12 respectively (the jump displacements in the listings); if it is not, you have a different build of the DLL and these offsets do not apply.

Change the byte at offset 1BE38 to EB
Change the byte at offset 2B9BE to EB
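A small patcher for the two changes above, covering both the MessageBoxA jump and the GetDriveTypeA jump. This is an added example, not code from the tutorial or from Zombie. Instead of trusting that file offset equals VA minus 10000000, it reads the PE section table to translate each WDASM address, refuses to write unless the site holds a short conditional jump (or an already applied EB) followed by the displacement from the listing, and is safe to run twice. Because the real DLL is not available here, build_sample_image() builds a constructed stand-in with one .text section whose raw offset equals its RVA; the original opcode at both sites is assumed to be 74 (je), and the real file may hold 75 instead, which the check accepts.

```python
"""Apply the two So Menu.dll byte patches from this tutorial, with checks.

Added example, not the tutorial's or Zombie's code. Assumes a PE32 DLL whose
patch sites hold a short conditional jump (0x70..0x7F) before patching.
"""
import struct
import sys

IMAGE_BASE_EXPECTED = 0x10000000  # base WDASM used when it listed the DLL

# (virtual address, rel8 displacement shown in the listing, what the patch does)
PATCHES = [
    (0x1001BE38, 0x42, "skip the 'Please insert SpecOps II CD' message"),
    (0x1002B9BE, 0x12, "accept the drive whatever GetDriveTypeA returned"),
]

JMP_SHORT = 0xEB


def parse_pe32(data):
    """Return (image_base, sections) where sections = [(rva, raw_size, raw_ptr)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        rva, raw_size, raw_ptr = struct.unpack_from("<III", data, hdr + 12)
        sections.append((rva, raw_size, raw_ptr))
    return image_base, sections


def va_to_offset(data, va):
    """Translate a virtual address to a file offset through the section table."""
    image_base, sections = parse_pe32(data)
    rva = va - image_base
    for sec_rva, raw_size, raw_ptr in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"VA {va:#x} is not backed by file data")


def apply_patches(data, patches=PATCHES):
    """Return (patched_bytes, [(va, offset, old_opcode), ...]).

    Each site must hold a short Jcc (0x70..0x7F) or an already patched JMP
    (0xEB) followed by the displacement WDASM showed; anything else means a
    different build of the DLL, so nothing is written.
    """
    buf = bytearray(data)
    applied = []
    for va, disp, _note in patches:
        off = va_to_offset(buf, va)
        opcode, got_disp = buf[off], buf[off + 1]
        if not (0x70 <= opcode <= 0x7F or opcode == JMP_SHORT):
            raise ValueError(f"{va:#x}: opcode {opcode:02X} is not a short jump")
        if got_disp != disp:
            raise ValueError(f"{va:#x}: displacement {got_disp:02X} != {disp:02X}")
        buf[off] = JMP_SHORT
        applied.append((va, off, opcode))
    return bytes(buf), applied


def build_sample_image():
    """Constructed stand-in for So Menu.dll (NOT the real file): one .text
    section whose raw offset equals its RVA, and the two jump sites holding an
    assumed original 'je' (74) plus the displacements from the listings."""
    img = bytearray(0x2D000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, 0xE0-byte optional header, DLL
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x210E)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE_EXPECTED)    # ImageBase
    sh = opt + 0xE0
    img[sh:sh + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sh + 8, 0x2C000, 0x1000, 0x2C000, 0x1000)
    img[0x1BE36:0x1BE3A] = bytes([0x85, 0xC0, 0x74, 0x42])        # test eax,eax / je 1001BE7C
    img[0x2B9BB:0x2B9C0] = bytes([0x83, 0xF8, 0x05, 0x74, 0x12])  # cmp eax,5 / je 1002B9D2
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: patch.py "So Menu.dll" "So Menu.patched.dll"
        with open(sys.argv[1], "rb") as f:
            patched, applied = apply_patches(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
    else:
        patched, applied = apply_patches(build_sample_image())
    for va, off, old in applied:
        print(f"{va:#010x} -> file offset {off:#x}: {old:02X} -> EB")
```

Run it with no arguments to see the translation on the constructed image (both sites land at file offsets 1BE38 and 2B9BE, matching the hex editor instructions above), or give it the real DLL and an output path to write the patched copy.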

That's it... another one bites the dust.
