ÉÍÍ»          ÉËË»  ÉÍ»    / º \    ÉÍ»  ÉËË»          ÉÍÍ»
          º²ÛÌÍÍ» ÉÍÍ» ÉμºÌÍͼÉλ  °ÉÍÎÍ»°  ÉλÈÍ͹ºÈλ ÉÍÍ» ÉÍ͹۲º
          º±ÉÎÍËÎͼ±°ÈÍÊÎͼº²±°Èμ۲±ºÉÊ»º±²ÛÈμ°±²ºÈÍÎÊͼ°±ÈÍÎËÍλ±º
      ÉÍ» º°ºººÈ» ² ÉÍ˼ °ºÛ   ÈÍÍÍÍʼ²ÈÊÍÍÍͼ   Ûº° ÈËÍ» ² ɼººº°º ÉÍ»
    ÉÍÎÍÎÍÎËμÜȻȻÛÉÊÍÊÍÍͼ±° ²±² ÜÜ °Ü° ÜÜ ²±² °±ÈÍÍÍÊÍÊ»ÛɼɼÜÈÎËÎÍÎÍÎÍ»
  ÉÍÎͼÜÈÍÎʼ۲ÛÈÍÊͼ Í °±²Û  ±°± ßß ²ß² ßß ±°±  Û²±° Í ÈÍÊͼ۲ÛÈÊÎͼÜÈÍÎÍ»
  ºº±ÛÛ±ºÜß±°±ßÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ  °  ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜß±°±ßܺ±ÛÛ±ºº
  È͹²°ß°²ºÛ  ² Ü                    ßÜ Üß                      ²  Ûº²°ß°²Ìͼ
    ºÛÉÍÍÍ¼Û  ÜÛÛÛÜ       Ü   ÜÛÜ      ß Ü                         ÛÈÍÍͻۺ
    ºÝºÜßßß  ²ÛÛ²ßÛÛ°   ÜÛ°ßݱÛÎÛ±Ý    ÜÛÛÝ                  °ÜÛÛÜ° ßßßܺݺ
  /±º²ºÛ     ±ÛÛ± ²ÛÛ ±ÛÛ²    ßÛß     ÝÛ²Û°                 °Ûݱ²ÝÛ°   Ûº²º±\
 ° ²ºÛºÛ    Ý°Û۰ݱÛÛÝÛÛ±             ±Û±Û±      ÜÜ°°ÜÛÛÜ  |±Ûݲ±ÝÛ±|  ÛºÛº² °
ÜÛÜɼ°È»ßÜ  Ý°ÛÛ°Ý°ÛÛ²ÛÛ°Ý    ÜÛÜ    Üßß°Ûßß۱ݱ۲±Ûß±²ÝÜßÝ Ý²ßÜÜß²| Üßɼ°È»ÜÛÜ
ßÛßÈ»°É¼Üß   ±Û۱ݱÛÛ°ÛÛ°Ý   ±ÛÞ۱ݰÛÜÜÛ°ÜÜß    °Û°Ý°ÛÛÛ°   |²Üßßܲ| ßÜÈ»°É¼ßÛß
 ° ²ºÛºÛ     ²ÛÛ² ²ÛÛ²ÛÛ±   Ý°Û±Û°Ý   ±Û±Û±      ±Û²Û±     |±Û°Ý²±Û±|  ÛºÛº² °
  \±º²ºÛ   ßÜÜÛß   ÛÛÝÛÛ²    ±Û°Û±    ÝÛ²ÛÝ      ÝÛ±ÛÝ      °Û±²Ý°Û°   Ûº²º±/
    ºÝºßÜÜÜ  ß      ßÛÛßÞ     ßÜß      ßÛß        ßÛß        °ßÛÛß° ÜÜÜߺݺ
    ºÛÈÍÍÍ»Û   Ü      ÜÜÜÜÜÜÜÜÜÜÜÛÛÛßß Ü ßßÛÛÛÜÜÜÜÜÜÜÜÜÜÜ      Ü   ÛÉÍÍͼۺ
  É͹²°Ü°²ºÛ  Û ßßßßßßßßß8rtin-!!CSA-Üß ßÜ-ASC!!-nitr8ßßßßßßßßß Û  Ûº²°Ü°²ÌÍ»
  ºº±ÛÛ±ºßܱ°ß ßßßßßßßßßßßßßßßßßßßß  °  ßßßßßßßßßßßßßßßßßßßß ß°±Üߺ±ÛÛ±ºº
  ÈÍÎÍ»ßÉÍÎ˻۲ÛÉÍËÍ» Í °±²Û  ±°± ÜÜ ²Ü² ÜÜ ±°±  Û²±° Í ÉÍËÛ»Û²ÛÉËÎÍ»ßÉÍÎͼ
    ÈÍÎÍÎÍÎÊλßɼɼÛÈËÍËÍÍÍ»±° ²±² ßß °ß° ßß ²±² °±ÉÍÍÍËÍ˼ÛȻȻßÉÎÊÎÍÎÍÎͼ
      Èͼ º°ºººÉ¼ ² ÈÍÊ» °ºÛ   ÉÍÍÍÍË»²ÉËÍÍÍÍ»   Ûº° ÉÊÍÛ ² È»ººº°º Èͼ
          º±ÈÎÍÊÎÍ»±°ÉÍËÎÍ»º²±°Éλ۲±ºÈ˼º±²ÛÉλ°±²ºÉÍÎËÍ»°±ÉÍÎÊÍμ±º
          º²ÛÌÍͼ ÈÍͼ ÈλºÌÍÍ»Èμ  °ÈÍÎͼ°  ÈμÉÍ͹ºÉμ ÈÍͼ ÈÍ͹۲º
          ÈÍͼ          ÈÊʼ  Èͼ    \ º /    Èͼ  ÈÊʼ          ÈÍͼ

Written: [07/06/2002]                                       

Cracking Tutorial #3

What we want to crack: Return to Castle Wolfenstein

What we need, to crack the Game: - W32DASM
                                 - Any Hexeditor (HIEW/QIEW/Hex Workshop...)

Why i wrote this tutorial: Cause there aren't new Tutorials to new games on the
web.

Skill: (X) I'm too young to die | () Hurt me plenty | () Nightmare

Ready to roll? OK, let's go...

First we need to copy the complete RTCW CD to our hard drive. It needs to look
like on the CD. -> The starting directory is "*:\" - NOT "*:\***\". This would
cause another error in the Setup Routine, that says it can't find a DLL file.
So, if you finished copying, try to install RTCW - If you want to install it,
you'll see: "Please enter your CD Key." And that's all, we need to know.

Now take W32DASM and disassemble the KeyCheckDLL.dll (It's the DLL, that checks
the CD key). We even don't need, to look for the SETUP.EXE, if it has the CD
Key check, cause the name "KeyCheckDLL.dll" (Key-Check-DLL) is clear. If this
is done, open the String Data References and search for the error message.
As you see, you can't find it. But you can find another thing, if you look very
hardly into the String Data References, you'll see: "KeyCheck.txt". Now you'll
ask yourself "what's so interesting in the KeyCheck.txt?". Look in the
"KeyCheck.txt" of your RTCW CD directory "*:\Setup\KeyCheck.txt". You will see
the following text:

Please enter your CD Key
The CD Key is located on your jewel case.  Press OK to verify your Key.
The CD Key you entered was not valid.  Please re-enter.
The CD Key you entered appears to be valid.  id Software or Activision will
never ask you for your CD key.  Don't tell it to anyone!  Don't lose your CD
Key!

You'll see, that this is the text, from the Key Check message. OK, back to
W32DASM and doubleclick onto the "KeyCheck.txt" entry in the String Data
References. W32DASM will lead us here:

* Possible StringData Ref from Data Obj ->"rt"
                                  |
:1000140F 6800710110              push 10017100

* Possible StringData Ref from Data Obj ->"KeyCheck.txt"
                                  |
:10001414 68F0700110              push 100170F0
:10001419 E85B110000              call 10002579
:1000141E 8BF8                    mov edi, eax
:10001420 83C408                  add esp, 00000008
:10001423 85FF                    test edi, edi
:10001425 0F8482000000            je 100014AD
:1000142B 57                      push edi
:1000142C 8D44240C                lea eax, dword ptr [esp+0C]
:10001430 68FF000000              push 000000FF
:10001435 50                      push eax
:10001436 E8AB100000              call 100024E6
:1000143B 83C40C                  add esp, 0000000C
:1000143E 8D4C2408                lea ecx, dword ptr [esp+08]
:10001442 51                      push ecx
:10001443 8D4E74                  lea ecx, dword ptr [esi+74]

OK, this isn't interesting for us. Now use your "PAGEUP" key of our keyboard,
and you'll see much more, even something strange like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100013C8(C)
|
:100013E7 8B5378                  mov edx, dword ptr [ebx+78]
:100013EA 8BCB                    mov ecx, ebx
:100013EC 52                      push edx
:100013ED E87EB00000              call 1000C470
:100013F2 5F                      pop edi
:100013F3 5E                      pop esi
:100013F4 5B                      pop ebx
:100013F5 C3                      ret

What does this mean? Well this is being called by some other code. So let's
check out, what the code location "100013C8" does. Go to the W32DASM menu
and click on "Goto" - "Goto Code Location" and there, enter "100013C8". Hit
ENTER and you'll be here: 

:100013C8 741D                    je 100013E7      ||    <- we are here now
:100013CA 8B4B7C                  mov ecx, dword ptr [ebx+7C]
:100013CD 51                      push ecx
:100013CE 8BCB                    mov ecx, ebx
:100013D0 E89BB00000              call 1000C470
:100013D5 8BCB                    mov ecx, ebx
:100013D7 E8C7950000              call 1000A9A3
:100013DC 8BCB                    mov ecx, ebx
:100013DE E8C0950000              call 1000A9A3
:100013E3 5F                      pop edi
:100013E4 5E                      pop esi
:100013E5 5B                      pop ebx
:100013E6 C3                      ret

And here we can see the Key Check. It's the following line, we are already
on:

:100013C8 741D                    je 100013E7

All we need to do now, is to change "JE" into "JNE".
Note: "JNE" means (J)ump if (N)ot (E)qual
Note: "JE" means (J)ump if (E)qual

This means, that the Setup Routine will jump to the Key Check, if it needs
to. If we changed it to "JNE", it won't jump to the Key Check.

Now it's time, to get out the Offset of this code. Just stay on the line,
you're on, and W32DASM says the Offset directly in the lowest W32DASM window:

Line: ****** Pg **** of ****  Code Data @:******** @Offset 000013C8h in
File:KEYCHECKDLL.DLL

(The * aren't neccessary)

We are just interested in the "@Offset". We see "000013C8h". We don't need the
complete Offset, so we only take "013C8". Close W32DASM.

Now take your Hex Editor (HIEW/QIEW/Hex Workshop). I took Hex Workshop, to do
this. Open the file "KeyCheckDLL.dll" Then go to "Edit -> Goto...". A new
window will open. There, click on "Hex" and enter the Offset you got (013C8).
Now click on "Go" and the Hex Editor leads us to the correct position, where
the "JE" Function is. Now you will see some strange shit and you don't know,
what to do. Just change the number you're in front of (74) into "75". In
W32DASM it will turn "JE" into "JNE". Save the file and close Hex Workshop.

Test it and launch the Setup Routine of the game again.
Wow, the Key Check accepts now ANY SERIAL.

Cool we just cracked the Key Check.
Note: You cracked the Key Check, but you're not able, to play the game Online.

Enjoy your game.

This Tutorial has been written by the mighty <-=nitr8=->.damage the exe