e v o l u t i o n

HOW TO CRACK TOM CLANCY'S RAINBOW SIX 1.04 : STEP BY STEP TUTORIAL !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

German version: killing C-DILLA protection, CD-check and enabling BLOOD !!!
English version: killing CD-check

by B u g H U N T E R

Things you will need:
  Rainbow Six CD (I use 1.03 ger, but any other will do it too)
  Rainbow Six Update to 1.02 english or any other addon with an english exe
  Rainbow Six Update to 1.04 english
  Rainbow Six Update to 1.04 german
  Win32DASM
  HEX-Editor (Hedit, Ultraedit, or others)
  Windows Commander (recommended)

Well, let's start:

(If this tutorial is too awful to read it is because of my poor English, but I can also write it in German if you want. I thought all people should have the chance to understand it - at least the main ideas !!!)

First of all I got this nice game called Rainbow Six from a friend of mine. But it had a bug in it: every time it starts up it wants to have the RB6 CD in the drive! I decided I had to do something against it.

The German version is C-DILLA protected, so you can not crack it (I can not; if anyone out there can do the job please mail me!!). There is a crack from Pedro [Laxity] that enables you to play with a burned copy of the game. But that is not what I wanted. I want to run the game entirely from hard disk.

The English version has no such copy protection. WHO CAN TELL ME WHY? Are they afraid of us? I have seen lots of German and European games that were protected much better than English ones, with SECUROM for example.

Perhaps they forgot the protection in their updates, I thought, because I saw one that updates ALL versions of RB6 to 1.04. So I downloaded and tested it. Shit! It does not do its job on my German version.
Perhaps an English executable could work with my German version? No, it does not - different versions (1.02 & 1.03). I had only one chance left: update both versions to 1.04 and then exchange the RainbowSix.exe. By the way, the 1.02 English exe is needed for the 1.04 patch-update! TADA, it works! All we have left is the CD check from the English version.

Cracking RainbowSix.exe v1.04 English:

For a quick solution: make a FULL installation and no crack is needed. You can delete the data\video dir if you want. If you do this you have to hit Esc twice on startup because the program virtually plays the video files! Or you could use my SMK dummy files. That was it.

If you want to learn something about cracking:

Make a standard install. Upgrade to v1.04. Copy RainbowSix.exe from the English 1.04 version to your RB6 dir and overwrite the German version exe. Delete RainbowSix.ICD and Clockspl.EXE - they are for C-DILLA (so we won't need them anymore).

Start RB6. Hmm, an error box popped up showing 'Bitte legen Sie die Rainbow Six-CD in Laufwerk'. Remember that message !!!

So open RainbowSix.exe in Windows Commander to take a closer look at it. Search for the error message. Hmm, not found - must be somewhere else. If you look at your RB6 dir you will notice several .TXT files containing text strings. Conclusion: the error message is also in a .txt file.
==> search for a file *.TXT containing 'Bitte legen Sie'.
Found at data\text\interface\german\DialogueCD.txt

So let's look where the exe calls the msg-txt. Copy RainbowSix.exe to RainbowSix.W32 (as backup). Open RainbowSix.w32 in W32DASM. This could take a while! (25 min on my PII)

Search for 'DialogueCD.TXT'. You should see the following:

  :0040AFBD 90                 nop
  :0040AFBE 90                 nop
  :0040AFBF 90                 nop

  * Referenced by a CALL at Address:
  |:0040A193                        <-- reference to this check routine
  |
  :0040AFC0 55                 push ebp
  :0040AFC1 8BEC               mov ebp, esp
  ..
  ..
  :0040B0A0 8D4DD4             lea ecx, dword ptr [ebp-2C]
  :0040B0A3 50                 push eax
  :0040B0A4 E8D7A00100         call 00425180

  * Possible StringData Ref from Data Obj ->"dialogueCD.txt"   <-- our MESSAGE
  |
  :0040B0A9 68C0858900         push 008985C0
  :0040B0AE 8D4DA0             lea ecx, dword ptr [ebp-60]
  :0040B0B1 E81AA60100         call 004256D0
  :0040B0B6 8D4DA0             lea ecx, dword ptr [ebp-60]
  :0040B0B9 C645FC07           mov [ebp-04], 07

So let's trace the call at 0040A193 back (Goto - Goto Code Location - 0040A193):

  :0040A18D 84C0               test al, al
  :0040A18F 740F               je 0040A1A0
  :0040A191 8BCE               mov ecx, esi
  :0040A193 E8280E0000         call 0040AFC0
  :0040A198 84C0               test al, al
  :0040A19A 0F8452030000       je 0040A4F2

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0040A18F(C)

Hmm, after the call a value is returned in AL. If the check is bad then AL=0 and then goodbye! Since we don't want this call to be executed we can NOP it (set No OPeration on it), but we have to set AL=1 to continue as if nothing has happened.

Get the offset of the call at 0040A193 (it is displayed in the bottom line; the call must be highlighted) and start your hex editor. Load RainbowSix.EXE and go to 9593h in this case.

Replace  E8 28 0E 00 00  with  90 90 90 B0 01

  90    = NOP
  B0 01 = set AL register = 1

Save it and it's done !!!

Now you can delete the data\video dir if you want. If you do this you have to hit Esc twice on startup because the program virtually plays the video files! Or you could use my SMK dummy files. That was all.

Now start RB6 and play it. Hmm, something seems to be different. Hey, these guys are bleeding, kewl !! You enabled BLOOD in the GERMAN HD version !! (This is because the English version always runs with blood.)

End of my first tutorial, hope you liked it. Watch out for my second tutorial.. always hunting for new 'bugs' to remove.

For comments or questions mail to BugHUNTER@gmx.net

greets to german cracking force - C64 lives !!