TUTORIAL NUMBA 1
~~~~~~~~~~~~~~~~
Date: 04/14/2000
~~~~~
App/Game: Soldier of Fortune V1.03 UK
~~~~~~~~~

Hiyah and welcome to my first tut!

Don't start laughing if you read it, I'm still new at cracking ;).
K! Let's start with a kind of toc:

1.) Kinda preface ;)
2.) Tools
3.) Attack the check *g*
4.) Final words


1.) K! This tut is about the UK version of Soldier of Fortune and it's my first cracked cd-check, so don't laugh! Search and destroy the cd-check, cause we want to play without a cd in da drive ;). There's only a check for the right cd, no encrypters or packers were used (my luck, else there wouldn't be a tut now ;) ). K, that's all for now, going to the tools next.

2.) The used tools are:
	SoftIce 4.0 (or another version)
	W32Dasm 8.93
	A hex-editor (I'll use WinHex 8.8 for searchin 
		      and Hackers View to change asm code)
	Sof installed
	Pen & Paper
	Some Time

Go to http://protools.cjb.net, you'll find them there I think (except sof, pen, paper and time ;) ).

3.) I think you already installed da game, if not do it now. K, start the game, play it, if you have the original CD in da drive it'll run. If you've copied it and you've ripped something, cause you didn't want to use an 80 mins CD, it'll not run anymore (hehe). That's the check for the original cd (of course).

If you take a look at the CD you'll see that there're two tracks on it, the first one is a data track and the second one is an audio track. The audio track is just a fool, if you want to listen to it, you'll hear some, hmm.. dunno what to call this, but it's no music. So why not rip it and use a 74 mins CD? The CD check looks for the audio track and I think it looks whether it still starts at the right sectors or something like that. So now we know that there's no real music and we don't need it.

Now exit the game if you're still playing. Take the cd out of the drive and start again. It runs, but start playing, after some time loading, after 4 or 5 bullets, it says "Won Error, Please insert the original CD and try again". K, what to do now, crack it of course. Fire up SoftIce and set a breakpoint on GetDriveTypeA (bpx getdrivetypea). Try playin again, SI pops up at the 4th or 5th bullet and you'll see somethin like this:

0177:BFF7791B	57		PUSH	EDI   <= Here we're
0177:BFF7791C	6A21		PUSH	21
0177:BFF7791E	2BD2		SUB	EDX, EDX
0177:BFF77920	681F19FABF	PUSH	BFFA191F
0177:BFF77925	64FF32		PUSH	DWORD PTR FS:[EDX]
0177:BFF77928	648922		MOV	FS:[EDX], ESP
0177:BFF7792B	8B7C2414	MOV	EDI, [ESP + 14]
0177:BFF7792F	0BFF		OR	EDI, EDI

Don't ya? Then you did somethin wrong I think ;)
So now we look how often SI pops up if you press F5, and write it down! 1,2,3...,26 and "Won Error ... blah blah". K, now we know that SI pops up 26 times until the error msg comes. Start again and let SI pop up 26 times, so now it should look like this:

0177:BFF7791B	57		PUSH	EDI   <= Here we're
0177:BFF7791C	6A21		PUSH	21
0177:BFF7791E	2BD2		SUB	EDX, EDX
0177:BFF77920	681F19FABF	PUSH	BFFA191F
0177:BFF77925	64FF32		PUSH	DWORD PTR FS:[EDX]
0177:BFF77928	648922		MOV	FS:[EDX], ESP
0177:BFF7792B	8B7C2414	MOV	EDI, [ESP + 14]
0177:BFF7792F	0BFF		OR	EDI, EDI

Hey, the same as above ;), if you looked at the code every time you pressed F5 you noticed that the code is the same every time.
So we still don't know where it checks the CD. But look at the bottom of your code window, there is a module name, "KERNEL32!_FREQASM+6916", but we need to be in sof.exe, what to do, let's press F12 one time, and ta ta, we're in sof.exe (SOF!.text+0006AEC9) and it should look like this:

0177:2006BECB	83F805		CMP	EAX, 05      <== Here we're!
0177:2006BECE	0F85CF000000	JNZ	2006BFA3
0177:2006BED4	33C0		XOR	EAX, EAX
0177:2006BED6	8A4C2440	MOV	CL, [ESP + 40]
0177:2006BEDA	89442414	MOV	[ESP + 14], EAX
0177:2006BEDE	8D542430	LEA	EDX, [ESP + 30]
0177:2006BEE2	89442418	MOV	[ESP + 18], EAX
0177:2006BEE6	884C2430	MOV	[ESP + 30], CL
0177:2006BEEA	8944241C	MOV	[ESP + 1C], EAX

That's enough to know where you should be ;)
Now press F10 until you see this:

0177:2006BFB8	33C0		XOR	EAX, EAX
0177:2006BFBA	5B		POP	EBX
0177:2006BFBB 	81C434050000	ADD	ESP, 00000534
0177:2006BFC1 	C3		RET		        <==Return out of the call we're in
0177:2006BFC2	5F		POP	EDI
0177:2006BFC3 	5E		POP	ESI
0177:2006BFC4	5D		POP	EBP
0177:2006BFC5	B801000000	MOV	EAX, 00000001
0177:2006BFCA	5B		POP	EBX
0177:2006BFCB	81C434050000	ADD	ESP, 00000534

To help you: it should be 13 times.
On the "RET" (Return) you get straight outta the call we're right in now. So step over it and wow, a whole new section ;). Now it should look like this:

0177:2000B10A	8BF0		MOV	ESI, EAX
0177:2000B10C	892D58022E20	MOV	[202E0258], EBP
0177:2000B112	E8990B0600	CALL	2006BCB0	<==Our call!
0177:2000B117	89442414	MOV	[ESP + 14], EAX <==Now we're here
0177:2000B11B	6A02		PUSH	02
0177:2000B11D	DB442418	FILD	DWORD PTR [ESP + 18]
0177:2000B121	DC0D08F71720	FMUL	REAL8 PTR [2017F708]
0177:2000B127	D91D70712520	FSTP	REAL4 PTR [20257170]
0177:2000B12D	E88EA30100	CALL	200254C0
0177:2000B132	D90570712520	FLD	REAL4 PTR [20257170]

and so on. So now write down the code from "8BF0" to "6A02" and disable all breakpoints (bd *).
Shut the game down and fire up WDasm. Load sof.exe and do somethin useful while it loads. An hour later, so it's disassembled now, fire up your hexeditor, in my case WinHex. Now search for the hex values you've written down. Found it, k! The call starts at the offset "0000B112", now shut WinHex down and go to WDasm.

Press "Go to start code" (it's the 5th button, read from left to right). There's the first address, 20001000, if you double-click on it so it's highlighted, WDasm tells you at the bottom of the program window where the offset of this line is, it's 00001000, so logically the offset "0000B112" should be called "2000B112". So click on "Go to code location" (it's the 8th button, read left to right) and type "2000B112" and hey, that's the call we were in just a min ago. If the call is highlighted you can execute the call in WDasm by pressing the "Call" button (the 11th button). After you've executed it you're on line "2006BCB0", here the call is doin some stuff and I think if you move the value "1" into eax here, the value should be present at the check, and if we want sof to think that the cd is in da drive we need the value "1" in eax, but there's a "SUB ESP, 00000534", so now we can do 3 things, the first two are nearly the same: change the code so that it moves "1" into eax, and the other one is that we look from where this procedure was called and try "noping" the calls out.

So let's try out which one will work so that you need no cd. First make a copy of your sof.exe and call it whatever u want. Then look what we have on the line 2006BCB0, it's 81EC34050000, so fire up Hackers View and open your copy! of sof.exe, now press F4 (mode) and change to "Decode", now "goto" (F5) to ".2006BCB0" and it should look like this:

.2006BCAE: 59		 POP	 ECX
.2006BCAF: C3		 RETN
.2006BCB0: 81EC34050000  SUB	 ESP,000000534	<= We're here
.2006BCB6: 53		 PUSH	 EBX

Now press F3 (edit) and then F2 (asm) and change the "SUB ESP,000000534" into "MOV EAX, 00000001" (move the value "1" into eax). Then the next line changes automatically into "005355 ADD [EBX] [00055], DL", change this into "RET", now press escape and then F9 (update), then exit HView. Before you try running it, exit WDasm and rename the original sof.exe into any other name and rename your cracked file into sof.exe, then take the cd out of your drive and start. If you did everything I said before it should run now.

The other way to move "1" into eax would be to change the ".2006BCB0: 81EC34050000  SUB	 ESP,000000534" into "XOR EAX, EAX" to delete everything in the register, and then the next line would automatically be called "XOR AL, 005", change it into "INC EAX" (increment eax), that will add the value "1" to the register, and then the next line would be "ADD EAX, 055530000", change it into "RET" to return back out of the call, and the next two lines you change into "NOP", then it should work too.

Both ways work fine as I tested it, now the last way, noping out the calls. Back in WDasm on the line "2006BCB0" you see the "SUB  ESP,000000534" and if you look one line above it you see from where this procedure was called:

Referenced by a CALL at Addresses:
| :2000AF0C	, :2000AFC6	, :2000B112

Now press the button "goto code location" and type these addresses in there, write the offsets down, they're "0000AF0C, 0000AFC6, 0000B112".
Now open another copy of your original sof.exe with your hexeditor and go to these locations, change the first one, E89F0D0600, into 9090909090, do the same with the other calls and save the file. Change the name to sof.exe and start the game. Hey, it worx too. So choose the way to crack this game on your own, they all work.


That wasn't so difficult eh? Naw, that was easy. If every protection were so easy..., reading more tuts will help a bit for learning the other protections too!

Greetin's:
Of course yAtEs, thx for a lot of help, t.u.g and for answering my stupid questions, tKC for his tuts, gizmo for the crackme tip, eax, anticmos40, _tARG0N, sat0r, all the tut writers, all I forgot and u ;)

Any requests to:
tha_godfatha@hotmail.com

Cya maybe in da next tut :)
Tha Godfatha