Written: [07/06/2002]

Cracking Tutorial #3

What we want to crack: Return to Castle Wolfenstein

What we need to crack the game:
- W32DASM
- Any hex editor (HIEW/QIEW/Hex Workshop...)

Why I wrote this tutorial: because there aren't any new tutorials on new games on the web.

Skill: (X) I'm too young to die | ( ) Hurt me plenty | ( ) Nightmare

Ready to roll? OK, let's go...

First we need to copy the complete RTCW CD to our hard drive. The copy needs to look exactly like the CD: the starting directory is "*:\" - NOT "*:\***\". Otherwise you get another error in the Setup routine, saying it can't find a DLL file.

So, once you have finished copying, try to install RTCW. When you start the install, you'll see: "Please enter your CD Key." And that's all we need to know.

Now take W32DASM and disassemble KeyCheckDLL.dll (it's the DLL that checks the CD key). We don't even need to look through SETUP.EXE for the CD key check, because the name "KeyCheckDLL.dll" (Key-Check-DLL) is clear enough.

When that's done, open the String Data References and search for the error message. As you see, you can't find it. But if you look very hard through the String Data References, you'll find something else: "KeyCheck.txt". Now you'll ask yourself "what's so interesting in the KeyCheck.txt?". Look at the "KeyCheck.txt" in your RTCW CD directory, "*:\Setup\KeyCheck.txt". You will see the following text:

    Please enter your CD Key
    The CD Key is located on your jewel case.
    Press OK to verify your Key.
    The CD Key you entered was not valid. Please re-enter.
    The CD Key you entered appears to be valid.
    id Software or Activision will never ask you for your CD key. Don't tell it to anyone!
    Don't lose your CD Key!

You'll see that this is the text of the key check message. OK, back to W32DASM, and double-click the "KeyCheck.txt" entry in the String Data References. W32DASM will lead us here:

    * Possible StringData Ref from Data Obj ->"rt"
    |
    :1000140F 6800710110   push 10017100
    * Possible StringData Ref from Data Obj ->"KeyCheck.txt"
    |
    :10001414 68F0700110   push 100170F0
    :10001419 E85B110000   call 10002579
    :1000141E 8BF8         mov edi, eax
    :10001420 83C408       add esp, 00000008
    :10001423 85FF         test edi, edi
    :10001425 0F8482000000 je 100014AD
    :1000142B 57           push edi
    :1000142C 8D44240C     lea eax, dword ptr [esp+0C]
    :10001430 68FF000000   push 000000FF
    :10001435 50           push eax
    :10001436 E8AB100000   call 100024E6
    :1000143B 83C40C       add esp, 0000000C
    :1000143E 8D4C2408     lea ecx, dword ptr [esp+08]
    :10001442 51           push ecx
    :10001443 8D4E74       lea ecx, dword ptr [esi+74]

OK, this isn't interesting for us. Now use the "PAGE UP" key on your keyboard, and you'll see much more, including something strange like this:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:100013C8(C)
    |
    :100013E7 8B5378       mov edx, dword ptr [ebx+78]
    :100013EA 8BCB         mov ecx, ebx
    :100013EC 52           push edx
    :100013ED E87EB00000   call 1000C470
    :100013F2 5F           pop edi
    :100013F3 5E           pop esi
    :100013F4 5B           pop ebx
    :100013F5 C3           ret

What does this mean? This block is reached by a jump from some other code. So let's check out what the code at location "100013C8" does. Go to the W32DASM menu, click "Goto" - "Goto Code Location", and enter "100013C8" there. Hit ENTER and you'll be here:

    :100013C8 741D         je 100013E7      <- we are here now
    :100013CA 8B4B7C       mov ecx, dword ptr [ebx+7C]
    :100013CD 51           push ecx
    :100013CE 8BCB         mov ecx, ebx
    :100013D0 E89BB00000   call 1000C470
    :100013D5 8BCB         mov ecx, ebx
    :100013D7 E8C7950000   call 1000A9A3
    :100013DC 8BCB         mov ecx, ebx
    :100013DE E8C0950000   call 1000A9A3
    :100013E3 5F           pop edi
    :100013E4 5E           pop esi
    :100013E5 5B           pop ebx
    :100013E6 C3           ret

And here we can see the key check. It's the line we are already on:

    :100013C8 741D         je 100013E7

All we need to do now is change the "JE" into "JNE".

Note: "JNE" means (J)ump if (N)ot (E)qual.
Note: "JE" means (J)ump if (E)qual.

This means that the Setup routine jumps to the key check when it needs to. If we change it to "JNE", it won't jump to the key check.

Now it's time to get the file offset of this code. Just stay on the line you're on, and W32DASM shows the offset directly in its lowest window:

    Line: ****** Pg **** of **** Code Data @:******** @Offset 000013C8h in File:KEYCHECKDLL.DLL

(The * aren't necessary.) We are only interested in the "@Offset". We see "000013C8h". The leading zeros don't matter, so we only take "013C8". Close W32DASM.

Now take your hex editor (HIEW/QIEW/Hex Workshop). I used Hex Workshop for this. Open the file "KeyCheckDLL.dll", then go to "Edit -> Goto...". A new window will open. There, click on "Hex" and enter the offset you got (013C8). Now click "Go" and the hex editor takes us to the exact position where the "JE" instruction is. Now you will see some strange shit and you don't know what to do. Just change the byte your cursor is in front of (74) into "75". The short JE instruction has opcode 74h and the short JNE has opcode 75h, so in W32DASM this turns "JE" into "JNE". Save the file and close Hex Workshop.

Test it and launch the Setup routine of the game again. Wow, the key check now accepts ANY SERIAL. Cool, we just cracked the key check.

Note: You cracked the key check, but you're not able to play the game online.

Enjoy your game.

This tutorial has been written by the mighty <-=nitr8=->.
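The other side of this story is how a vendor or an incident responder would notice such a one-byte patch. The following Python is an added example and not part of nitr8's tutorial: it assumes a known-good reference copy of the DLL is available, diffs a suspect copy against it, and flags byte changes that flip a conditional jump to its complement (short JE 74h to JNE 75h, or the near 0F 84 / 0F 85 form). Both "files" are constructed in memory to mimic the listing at :100013C8.

```python
# Added example (not from the tutorial): detect a one-byte conditional-jump
# patch by diffing a suspect DLL against a known-good reference copy.
from hashlib import sha256

# x86 conditional jumps come in complementary pairs whose opcodes differ in
# the lowest bit: short form 70h-7Fh, near form 0Fh 80h-8Fh (JE=74/0F84, JNE=75/0F85).
SHORT_JCC = range(0x70, 0x80)
NEAR_JCC = range(0x80, 0x90)

def classify_patch(ref_byte: int, sus_byte: int, prev_byte: int) -> str:
    """Label a single differing byte between reference and suspect."""
    if ref_byte in SHORT_JCC and sus_byte == ref_byte ^ 1:
        return "short-jcc-inverted"
    if prev_byte == 0x0F and ref_byte in NEAR_JCC and sus_byte == ref_byte ^ 1:
        return "near-jcc-inverted"
    return "other-byte-change"

def scan(reference: bytes, suspect: bytes) -> list:
    """Return (offset, ref_byte, sus_byte, label) for every differing byte."""
    if len(reference) != len(suspect):
        return [(-1, 0, 0, "size-mismatch")]
    findings = []
    for off, (r, s) in enumerate(zip(reference, suspect)):
        if r != s:
            prev = reference[off - 1] if off > 0 else 0
            findings.append((off, r, s, classify_patch(r, s, prev)))
    return findings

def integrity_ok(blob: bytes, expected_sha256: str) -> bool:
    """Cheap first-line check: compare the file's hash to a shipped value."""
    return sha256(blob).hexdigest() == expected_sha256

# Constructed stand-in for KeyCheckDLL.dll: 0x13C8 bytes of filler, then the
# bytes of the listing at :100013C8 (74 1D = je +1D, 8B 4B 7C = mov ecx,[ebx+7C]).
REFERENCE = bytes(0x13C8) + bytes.fromhex("741D8B4B7C518BCB")
# The same image after the edit described above: 74 -> 75 at offset 0x13C8.
PATCHED = bytes(REFERENCE[:0x13C8]) + b"\x75" + REFERENCE[0x13C9:]

def reference_digest() -> str:
    """Hash a vendor would ship alongside the DLL for verification."""
    return sha256(REFERENCE).hexdigest()

if __name__ == "__main__":
    print("hash check passes on patched copy:", integrity_ok(PATCHED, reference_digest()))
    for off, r, s, label in scan(REFERENCE, PATCHED):
        print(f"offset {off:#06x}: {r:02X} -> {s:02X} ({label})")
```

The hash check alone says only that something changed; the byte-level diff tells the responder that the change is an inverted conditional jump, which is the signature of exactly this kind of check bypass.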