HOW TO CRACK
Gunship

Introduction: Well, what can I say? MicroProse have done it again... another superb flight sim. I remember playing this continuously on the Atari ST, going into South East Asia on hazardous duties and getting shot to shit by the Arabs. But it was worth the CMOH and the Purple Heart that came with wasting half your life glued to the portable TV and being late for school again.
The best thing about this new version is that you can play it multiplayer with a friend being the pilot and yourself being the gunner... yeah, it's great fun shouting across the room at him when you're getting blasted from all angles and your weapons systems have failed and the tail rotor's been shot off!


The Protection:
Let's see, there's a new version of Safedisc and a CD-check. So it's slightly more complicated. Do a full install of the game before continuing.

Tools needed:
Unsafedisc, wdasm, hex-editor. Get Unsafedisc from www.csir.cjb.net.

The Crack: First of all we need to unwrap the encrypted ICD file with Unsafedisc. This is THE Safedisc unwrapper at the moment. Copy the dplayerx.dll, gunship.exe and gunship.icd files to a temp folder, run Unsafedisc, and select the gunship.icd file when prompted. This will generate an unwrapped 'testme.exe' that you need to run from your <Gamedir>.

Running the newly created file without the CD in the drive will generate a message box asking for a CD to be placed in the drive.

So, once again, load the 'testme.exe' into Wdasm and search for the string 'insert'. Take a look at the section below.

:00497C71 E805F20000 call 004A6E7B -----------------------------> Find 'gunship.ico' file
:00497C76 83C424 add esp, 00000024
:00497C79 85C0 test eax, eax -----------------------------------------> Was it found ?
:00497C7B 7C0C jl 00497C89 -----------------------------------------> If not then try another drive
:00497C7D 8D542410 lea edx, dword ptr [esp+10]
:00497C81 52 push edx
:00497C82 FFD5 call ebp -------------------------------------------------> Test drive
:00497C84 83F805 cmp eax, 00000005 -------------------------------> Is it a CD-ROM?
:00497C87 741D je 00497CA6 ------------------------------------------> If it is then OK, carry on as normal
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00497C7B(C)
:00497C89 46 inc esi
:00497C8A 83FE5A cmp esi, 0000005A
:00497C8D 7EB2 jle 00497C41

:00497C8F 6A41 push 00000041 ------------------------------------------------> We do not want to land here.
* Possible StringData Ref from Data Obj ->"Gunship!"
:00497C91 6848935200 push 00529348
* Possible StringData Ref from Data Obj ->"Please insert the Gunship! CD-ROM" ---------> Our string search
:00497C96 6824935200 push 00529324
:00497C9B 6A00 push 00000000
:00497C9D FFD3 call ebx -------------------------------------> Display messagebox error

:00497C9F 83F801 cmp eax, 00000001
:00497CA2 7536 jne 00497CDA
:00497CA4 EB96 jmp 00497C3C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00497C87(C)
:00497CA6 8D7C2410 lea edi, dword ptr [esp+10] -----------------> Successful CD-check lands here
:00497CAA 83C9FF or ecx, FFFFFFFF
:00497CAD 33C0 xor eax, eax

The file 'Gunship.ico' is searched for on a drive. If it is found on the CD drive then the game will accept this as being correct and will then continue as normal. Therefore we need to ignore the first test for it being found, then force the game to always jump past the error message.

At 497C7B we can use NOP,NOP in place of JL. And at 497C87 we need to use JMP in place of JE.

So load the 'testme.exe' into the hex-editor:
go to offset h97C7B and enter 9090 in place of 7C0C
go to offset h97C87 and enter EB in place of 74.

 

Save the exe and run it. No more cd-check.
