nitr8 - Cracking Tutorial #4

Written: [07/12/2002]

What we want to crack: Comanche 4 v1.0.0.8

What we need to crack the game:
- W32DASM
- Safedisc 2 Cleaner v1.0.3
- Windows InstallShield Decompiler
- Any hex editor (HIEW/QIEW/Hex Workshop...)

Why I wrote this tutorial: because there aren't new tutorials for new games on the web.

Skill: () I'm too young to die | (X) Hurt me plenty | () Nightmare

Ready to roll? OK, let's go...

First we need to copy the complete C4 CD to our hard drive. The copy must have the same layout as the CD: the CD's root goes into the root of the drive ("*:\"), NOT into a subdirectory ("*:\***\").
When copying is finished, try installing Comanche 4. You'll see "Enter Product Key found on the sticker...". Click OK and a message box turns up telling us "Invalid Product...". That's all we need to know.

Now take the Windows InstallShield Decompiler and decompile SETUP.INS in \C4SETUP\. As you may know, the whole InstallShield routine depends on this one file. When decompiling is finished, enter "VALID" in the empty field above the code or search for "INVALID" in the String Data References - you will see "INVALID_PKEY" there. Click on this entry and we land here:

    00001267: 0112 LoadInternalString ("","INVALID_PKEY",StrLocal[0004])
    0000127E: 002A MessageBox (StrLocal[0004],INFORMATION)
    00001288: 002C Goto (LABEL_0010)
    REF: 00001259 |
    00001291: 0079 CopyBytes (StrLocal[0003],00000000,StrVar[0026],00000000,0000003F)
    000012A8: 00B4 MYDLL.MydllCallByRef (NumLocal[0002],StrLocal[0003])
    000012B3: 0021 NumLocal[0001] = LAST_RESULT
    000012BB: 0128 NumLocal[0003] = NumLocal[0002] != 00000001
    000012CD: 0022 IF NumLocal[0003] = 00000000 THEN GOTO LABEL_0016
    000012DB: 0112 LoadInternalString ("","INVALID_PKEY",StrLocal[0004])
    000012F2: 002A MessageBox (StrLocal[0004],INFORMATION)
    000012FC: 002C Goto (LABEL_0010)
    REF: 000012CD

As you see, this InstallShield routine checks whether the serial is valid. Look at the second "INVALID_PKEY" entry: the key you typed is copied into StrLocal[0003] and handed to MYDLL.MydllCallByRef, which leaves its verdict in NumLocal[0002]. NumLocal[0003] is not a function but a local variable holding the result of the comparison "NumLocal[0002] != 1", and the IF at 000012CD only continues at LABEL_0016 when NumLocal[0003] is 00000000, i.e. when the DLL returned 1. Any other value drops through to the INVALID_PKEY message box. So the only thing we need to do is change

    000012BB: 0128 NumLocal[0003] = NumLocal[0002] != 00000001

into

    000012BB: 0128 NumLocal[0003] = NumLocal[0002] = 00000001

Double-click on the !=, then right-click on it and select "Change to..." - "=". Be aware of what this inverts: the setup now continues for every key the DLL does NOT accept, and a genuine key would get the INVALID_PKEY box instead; that's fine here, since we don't have one. After you did this, close the Windows InstallShield Decompiler. You'll be asked whether you want to do a CRC correction. Click "YES": SETUP.INS carries a checksum, and the correction recomputes it so the modified script is still accepted.
After the CRC correction is done, restart Setup from your hard drive and click "NEXT", then "NEXT" again. Wow, we don't need any serial. Cool. OK, that was the serial protection.

Now let's install Comanche 4. After the installation is done, take Safedisc 2 Cleaner and clean the file C4.EXE. Select the option to create a smaller file. When it has been created, rename the new "SD2cleaned.exe" to "C4.EXE" (keep a copy of the original) and start Comanche 4 using the NEW EXE. Hit ESC (we don't need the intro movie). As you'll see, the "Single Player" and "Multiplayer" buttons are both greyed out.

Close Comanche 4, fire up W32DASM and disassemble the new C4.EXE. As you know, there is no direct CD check and no error message. So it seems the game searches for the CD and silently refuses to start if, for example, a file hasn't been found or a specific volume name can't be found. I found out that the game looks for the volume name, a directory name and the intro movie. All addresses and offsets below are from the cleaned C4.EXE; don't look for them in the original, SafeDisc-wrapped file.

Once "C4.EXE" is disassembled, go into the Imported Functions and double-click on "KERNEL32.GetVolumeInformationA". W32DASM leads us here:

    * Reference To: KERNEL32.GetVolumeInformationA, Ord:0000h
    |
    :0045CB49 FF15DC105500          Call dword ptr [005510DC]
    :0045CB4F 6A08                  push 00000008
    :0045CB51 8D8554FEFFFF          lea eax, dword ptr [ebp+FFFFFE54]
    * Possible StringData Ref from Data Obj ->"COMANCHE4"
    |
    :0045CB57 6844C85500            push 0055C844
    :0045CB5C 50                    push eax
    :0045CB5D E89E8F0C00            call 00525B00
    :0045CB62 83C40C                add esp, 0000000C
    :0045CB65 85C0                  test eax, eax
    :0045CB67 7548                  jne 0045CBB1
    :0045CB69 53                    push ebx

This is the volume-name comparison: the label returned by GetVolumeInformationA (in the buffer at ebp-1AC), the string "COMANCHE4" and the length 8 are passed to a comparison routine at 00525B00, and a non-zero result makes the jne skip to 0045CBB1. Remember that address; we don't patch anything here.
Now press PAGE DOWN and you'll see much more, including something strange like this:

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0045CB7D(C), :0045CB8D(C)
    |
    :0045CB9D 1BC0                  sbb eax, eax
    :0045CB9F 83D8FF                sbb eax, FFFFFFFF
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0045CB9B(U)
    |
    :0045CBA2 85C0                  test eax, eax
    :0045CBA4 5B                    pop ebx
    :0045CBA5 750A                  jne 0045CBB1
    :0045CBA7 C705905CA70001000000  mov dword ptr [00A75C90], 00000001

Note: "JNE" means (J)ump if (N)ot (E)qual.

Wow, what the hell... This is the end of the check. The two sbb instructions are the tail of a string compare: they turn the carry flag into -1 or +1, never 0, so every path that goes through them fails the following test. Only the path that arrives at 0045CBA2 through the unconditional jump at 0045CB9B with eax = 0 gets past the jne. The jne at 0045CBA5 jumps to 0045CBB1, which is the instruction right after the mov, so the mov at 0045CBA7 is the only thing that gets skipped: it writes 1 into the global at 00A75C90, the flag the game uses to enable the "Single Player" and "Multiplayer" buttons. There is no error message at all; if any of the checks fails, the flag simply stays 0 and the buttons stay greyed. Note that the jne at 0045CB67 (volume name) lands on the same 0045CBB1.

So where does this check start? Press PAGE UP and you'll get here:

    * Referenced by a CALL at Address:
    |:0045D257
    |
    :0045CA90 55                    push ebp
    :0045CA91 8BEC                  mov ebp, esp
    :0045CA93 81ECAC020000          sub esp, 000002AC
    :0045CA99 56                    push esi
    * Possible StringData Ref from Data Obj ->"C4INTRO.BIK"
    |
    :0045CA9A 68809C5500            push 00559C80

This is the start of the CD-check routine: one function at 0045CA90 that looks for the intro movie C4INTRO.BIK, the directory and the volume name, and sets the flag at the end when everything matched. Let's see what the code at 0045D257 does. Open "Goto" - "Goto Code Location" in W32DASM, enter "0045D257" and click OK. You'll be here:

    :0045D252 E8F9FBFFFF            call 0045CE50
    :0045D257 E834F8FFFF            call 0045CA90
    :0045D25C E85FFCFFFF            call 0045CEC0

So the line

    :0045D257 E834F8FFFF            call 0045CA90

calls the CD-check routine. Nothing is pushed before the call and no add esp follows it, so the routine takes no stack arguments; that matters for the patch below. What we know: the "Single Player" and "Multiplayer" buttons only work if the game was started with the correct CD in the drive, and in that case the routine MOVEs the value 1 into 00A75C90 and frees both buttons for clicking. This gave me the idea.
We overwrite the start of the routine with that mov, followed by a ret. The check then becomes "set the flag and return", so the game always believes the CD is in the drive.

Click on the following line to select it and read its offset from the W32DASM status bar:

    :0045CBA7 C705905CA70001000000  mov dword ptr [00A75C90], 00000001

The offset of this line is "0005CBA7". (Address and file offset differ by exactly 00400000, the image base: in this EXE the code section sits at the same position on disk as in memory. Don't rely on that for other files; always take the offset W32DASM reports.) Fire up Hex Workshop, load the cleaned C4.EXE, select "Edit" - "Goto...", click "Hex" and enter "5CBA7" (the leading zeros aren't needed). Click "Go". The cursor is now directly in front of the mov's code; note down these 10 bytes:

    C705 905C A700 0100 0000

C7 05 is "mov dword ptr [disp32], imm32", 90 5C A7 00 is the address 00A75C90 stored little-endian, and 01 00 00 00 is the value 1.

Back in W32DASM, select the following line and take its offset:

    :0045CA90 55                    push ebp

The offset of this line is "0005CA90". In Hex Workshop, open "Edit" - "Goto..." again, enter "5CA90" and click "Go". At this position you should see

    55 8BEC 81ECAC020000 56 68809C5500

the push ebp / mov ebp,esp / sub esp,2AC / push esi / push 00559C80 of the listing above; if you see something else, you're in the wrong file or at the wrong offset. Overwrite these bytes (overwrite, don't insert; the file must not grow) with the 10 bytes we got from offset 5CBA7:

    C705 905C A700 0100 0000

and directly behind them add:

    C390 9090 90

That is ret, nop, nop, nop, nop. The ret returns to the caller at 0045D25C immediately after the flag has been set, so the rest of the routine, the C4INTRO.BIK, directory and volume name checks, never runs; that's why the intro movie isn't needed anymore. The four nops fill the remaining bytes of the partially overwritten push 00559C80 (the 15 bytes we replace are exactly the five original instructions), so the instruction stream behind the patch stays aligned. A plain ret (C3, not ret n) is correct because the routine is called without arguments. Now save the file, before Windows crashes or something bad happens.

Note: "RET" means (RET)urn
Note: "NOP" means (N)o (OP)eration

Now restart Comanche 4 using the cleaned and patched EXE. Wow, we cracked Comanche 4 and no CD is needed anymore. Enjoy your game.

This tutorial has been written by the mighty <-=nitr8=->.
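The hex-editor steps above as a script, added here as an example and not part of nitr8's tutorial. It does what the Hex Workshop session does, plus the checks a hex editor doesn't give you: it refuses to write unless the bytes at 5CA90 are the prologue from the W32DASM listing, reads the mov from 5CBA7 and verifies it really encodes "mov [00A75C90], 1", keeps the file length unchanged, and writes to a new file. The offsets and the flag address are the ones the tutorial gives; the expected prologue bytes are reconstructed from the listing of 0045CA90; the section-table helper and its test values (code section at RVA 1000 and raw offset 1000) are assumptions that merely match the offsets the text shows, not something read from the real file.

```python
"""Scripted version of the Hex Workshop steps (added example, not from the tutorial).

Offsets 0x5CA90 / 0x5CBA7 and the flag address 00A75C90 are the ones the tutorial gives;
the bytes expected at 0x5CA90 are reconstructed from the W32DASM listing of 0045CA90.
"""
import struct
import sys

IMAGE_BASE = 0x00400000       # default PE image base: 0045CA90 - 00400000 = 0005CA90
CDCHECK_OFFSET = 0x5CA90      # file offset of the CD-check routine (push ebp), from the tutorial
MOV_OFFSET = 0x5CBA7          # file offset of 'mov dword ptr [00A75C90], 1', from the tutorial
FLAG_ADDR = 0x00A75C90        # global the routine sets to 1 when the CD checks pass
MOV_LEN = 10                  # C7 05 <disp32> <imm32>

# push ebp / mov ebp,esp / sub esp,2AC / push esi / push 00559C80 (15 bytes, from the listing)
ORIG_PROLOGUE = bytes.fromhex("55 8BEC 81ECAC020000 56 68809C5500")
# ret, then nops that pad out the partially overwritten 'push 00559C80'
RET_AND_NOPS = bytes.fromhex("C3 90909090")


def encode_mov_mem32_imm32(addr: int, value: int) -> bytes:
    """Encode 'mov dword ptr [addr], imm32' as C7 05 <disp32> <imm32>, both little-endian."""
    return b"\xc7\x05" + struct.pack("<II", addr, value)


def va_to_file_offset(va: int, sections, image_base: int = IMAGE_BASE) -> int:
    """Map a virtual address to a file offset using (virtual_address, raw_pointer, raw_size)
    tuples from the PE section table.  In C4.EXE the tutorial's offsets equal VA - image base,
    i.e. the code section is at the same position on disk as in memory (assumed here); that is
    not guaranteed for other files, so go through the section table instead of subtracting."""
    rva = va - image_base
    for sect_rva, raw_ptr, raw_size in sections:
        if sect_rva <= rva < sect_rva + raw_size:
            return raw_ptr + (rva - sect_rva)
    raise ValueError(f"VA {va:#010x} lies outside every section")


def patch_bytes(image: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a copy of image with replacement written at offset, but only if the bytes there
    are exactly `expected`: a different build, or a file that was patched already, is refused."""
    if len(replacement) != len(expected):
        raise ValueError("replacement must be as long as the bytes it overwrites (never insert)")
    current = image[offset:offset + len(expected)]
    if current != expected:
        raise ValueError(f"unexpected bytes at {offset:#x}: {current.hex()}, wanted {expected.hex()}")
    return image[:offset] + replacement + image[offset + len(replacement):]


def apply_nocd_patch(image: bytes) -> bytes:
    """The tutorial's patch: read the mov from its own offset (checking it really is
    'mov [00A75C90], 1'), write it over the routine's prologue and follow it with ret + nops."""
    mov = image[MOV_OFFSET:MOV_OFFSET + MOV_LEN]
    if mov != encode_mov_mem32_imm32(FLAG_ADDR, 1):
        raise ValueError(f"no 'mov [{FLAG_ADDR:#010x}], 1' at {MOV_OFFSET:#x}: {mov.hex()}")
    return patch_bytes(image, CDCHECK_OFFSET, ORIG_PROLOGUE, mov + RET_AND_NOPS)


def make_demo_image() -> bytes:
    """Constructed stand-in for the cleaned C4.EXE (zero-filled) with the two instruction
    sequences from the listing placed at the offsets the tutorial names, so the patch can be
    exercised without the real file."""
    buf = bytearray(MOV_OFFSET + MOV_LEN)
    buf[CDCHECK_OFFSET:CDCHECK_OFFSET + len(ORIG_PROLOGUE)] = ORIG_PROLOGUE
    buf[MOV_OFFSET:MOV_OFFSET + MOV_LEN] = encode_mov_mem32_imm32(FLAG_ADDR, 1)
    return bytes(buf)


if __name__ == "__main__":
    # usage: python nocd.py C4.EXE C4-nocd.EXE   (the cleaned input file is left untouched)
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        patched = apply_nocd_patch(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"wrote {dst}: {len(ORIG_PROLOGUE)} bytes replaced at {CDCHECK_OFFSET:#x}")
```

Run it against the cleaned C4.EXE and launch the output file; if it stops with "unexpected bytes", the input is not the cleaned v1.0.0.8 executable the tutorial describes, or has been patched before, and nothing is written. The demo image is only there so the functions can be exercised offline; it is not a substitute for the real file.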