===============================================================================================================
Title        : ECSTATICA 2 (GAME)
Version      : 1.0 (should work with all versions)
Protection   : CD Check
Producer     : http://www.psygnosis.com
Cracker      : Zaks (zakssim@geocities.com)
Tools        : None
Difficulty   : Easy
Tutorial No. : 4
Font         : Courier New
===============================================================================================================

1) Install Ecstatica 2. Remove the CD from your CD drive. Run the game: "You must have Ecstatica cd in your...". Remember or, better, write down the message. Now make a backup of e2win95.exe and look for a moment at your install dir (e.g. c:\games\ecst2). You quickly notice a file called: cdpath. Looks interesting. Let's open it (notepad should work just fine). Hmm, it just contains our CD drive letter (for me it was E:). OK, let's try to change it to our install dir (e.g. c:\games\ecst2). Now copy your whole CD into your install dir. You should have four new directories: Code, Hires, Music, Views. Everything is about 586 MB. Run the game. Same error message. Shit.

2) Open your backed-up exe (e.g. e2win95.bak) in W32dasm. First look for GetDriveTypeA. Could not find it? Neither could I. Now let's search for our error message. At the end of the String data references you find "You must have ECSTATICA CD". Perfect. Double click on this message.
We are here:

* Possible StringData Ref from Data Obj ->"%sCODE\ECSTATIC.FAN"
                                  |
:00410844 6870034700              push 00470370
:00410849 8D842494010000          lea eax, dword ptr [esp+00000194]
:00410850 31FF                    xor edi, edi
:00410852 50                      push eax
:00410853 893DE49D4700            mov dword ptr [00479DE4], edi
:00410859 E823E60400              call 0045EE81
:0041085E 83C40C                  add esp, 0000000C
:00410861 31D2                    xor edx, edx
:00410863 8D84248C010000          lea eax, dword ptr [esp+0000018C]
:0041086A E8894A0300              call 004452F8          <- This looks very familiar
:0041086F 85C0                    test eax, eax          <- Exact check routine
:00410871 0F8583000000            jne 004108FA           <- Good Boy
:00410877 8B2D9C9D4700            mov ebp, dword ptr [00479D9C]
:0041087D 83FD03                  cmp ebp, 00000003
:00410880 750D                    jne 0041088F
:00410882 8B159CAE5E00            mov edx, dword ptr [005EAE9C]
:00410888 A198AE5E00              mov eax, dword ptr [005EAE98]
:0041088D EB5C                    jmp 004108EB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410880(C)
|
:0041088F 83FD01                  cmp ebp, 00000001
:00410892 753C                    jne 004108D0
:00410894 68DF000000              push 000000DF

* Possible StringData Ref from Data Obj ->"Die ECSTATICA CD mu%c sich in "
                                        ->"Ihrem CD-ROM Laufwerk"
                                  |
:00410899 6884034700              push 00470384
:0041089E 8D442408                lea eax, dword ptr [esp+08]
:004108A2 50                      push eax
:004108A3 E8D9E50400              call 0045EE81
:004108A8 83C40C                  add esp, 0000000C
:004108AB 68F6000000              push 000000F6

* Possible StringData Ref from Data Obj ->"befinden, wenn Sie das Spiel spielen "
                                        ->"m%cchten."
                                  |
:004108B0 68B8034700              push 004703B8
:004108B5 8D8424D8000000          lea eax, dword ptr [esp+000000D8]
:004108BC 50                      push eax
:004108BD E8BFE50400              call 0045EE81
:004108C2 83C40C                  add esp, 0000000C
:004108C5 8D9424D0000000          lea edx, dword ptr [esp+000000D0]
:004108CC 89E0                    mov eax, esp
:004108CE EB1B                    jmp 004108EB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410892(C)
|
:004108D0 83FD02                  cmp ebp, 00000002
:004108D3 750C                    jne 004108E1

* Possible StringData Ref from Data Obj ->"votre lecteur CD-ROM pour jouer "
                                        ->"au jeu."
                                  |
:004108D5 BAE8034700              mov edx, 004703E8

* Possible StringData Ref from Data Obj ->"Vous devez avoir le compact disque "
                                        ->"ECSTATICA dans"
                                  |
:004108DA B810044700              mov eax, 00470410
:004108DF EB0A                    jmp 004108EB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004108D3(C)
|

* Possible StringData Ref from Data Obj ->"drive to play the game."
                                  |
:004108E1 BA44044700              mov edx, 00470444

* Possible StringData Ref from Data Obj ->"You must have the ECSTATICA CD "     <- Here we are

3) So look at:

:0041086A E8894A0300              call 004452F8          <- This looks very familiar
:0041086F 85C0                    test eax, eax          <- Exact check routine
:00410871 0F8583000000            jne 004108FA           <- Good Boy

We know what to do. Just change jne (85 - in this case) to je (84), or you can even make it a jump, but that is more difficult. So we do this and run the game.... The CD error is passed, but what the hell is this? There is another error, and as I see it, it is connected to a file (so the game cannot find a file and cannot run without it). Hmm, I thought for a minute or two and just returned to our file cdpath.

4) Copy back your original e2win95.exe. Now let us copy those directories (Code, Hires, Music, Views) to our root directory (e.g. c:\). Open your cdpath file and replace E: (in my case) with c: . Run the game. Shit, it says the game cannot find graphics or something like this. Copy the directory called graphics to your root (c:\). Run the game. Excellent. It works.

5) Wait a minute. Although the game runs this way, I do not like to have these directories in my root. So I installed the game in the directory c:\Ecst2. Then in this directory I created a dir called Gamedata and copied those directories (Code, Hires, Music, Views and Graphics) into it. Then I wrote this in cdpath: c:\ecst2\gamedata . And it works.
I also found that your cdpath will work if:

A) The path is not the same as the installed path (e.g. if your installed dir is c:\ecst2 and c:\ecst2 is written in cdpath, the game will not run)
B) The level of directories in cdpath does not exceed 2 (this means that you cannot write c:\games\ecst2\gamedata in your cdpath - this is level 3 directories)

I do not know why the cdpath works in this way ... There must be some kind of check, I think. But the game runs perfectly in c:\Ecst2 with your Code, Hires, Music, Views, Graphics directories in Gamedata and cdpath changed to c:\ecst2\gamedata. Ohh, I almost forgot. You can delete your dir called graphics (in c:\ecst2) because you have it in gamedata.

===============================================================================================================
09.18.2000 Written by Zaks [DBC]e CD