Target: Battlezone II [US]
Toolz: SICE, W32Dasm, Hex-Editor
Level: 1
Protection: CD-Checks

Background: I bet you all know this game.. very simple protection that is damn too easy to defeat ;) I wonder if some other version of Bzone2 has C-Dilla, but this one hadn't, so I guess it's the US version, though I can't tell for sure.. someone should write a program that determines whether the game is US, UK, German or some other country.. hehe.. that'd be nice :)

Let's roll on.. for a change we use GetDriveTypeA (surprised?). mmm... hold on a sec.. my disassembly ain't finished yet (2.8 meg exe!).. ok.. done.

NOTE! Let the game run before placing the BPX, or disable it before the nag tells you to insert the CD. Otherwise you'll land in some crap code we're not after...

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:005ACBC6 FF1508316600      Call dword ptr [00663108]
:005ACBCC 83F805            cmp eax, 00000005              <-- 5 = DRIVE_CDROM.. if u dunno what this does, you're screwed ;)
:005ACBCF 0F85CA000000      jne 005ACC9F                   <-- same goes for this one
:005ACBD5 33C0              xor eax, eax
:005ACBD7 8A4C2438          mov cl, byte ptr [esp+38]      <-- move the drive letter to cl
:005ACBDB 89442410          mov dword ptr [esp+10], eax
:005ACBDF 8D542428          lea edx, dword ptr [esp+28]
:005ACBE3 89442414          mov dword ptr [esp+14], eax
:005ACBE7 884C2428          mov byte ptr [esp+28], cl
:005ACBEB 89442418          mov dword ptr [esp+18], eax
:005ACBEF C744241804020000  mov [esp+18], 00000204
:005ACBF7 8944241C          mov dword ptr [esp+1C], eax
:005ACBFB C64424293A        mov [esp+29], 3A               <-- ':' .. builds "X:"
:005ACC00 89442420          mov dword ptr [esp+20], eax
:005ACC04 8844242A          mov byte ptr [esp+2A], al
:005ACC08 8D442410          lea eax, dword ptr [esp+10]
:005ACC0C 896C2420          mov dword ptr [esp+20], ebp
:005ACC10 50                push eax
:005ACC11 6802330000        push 00003302
:005ACC16 6803080000        push 00000803
:005ACC1B 55                push ebp
:005ACC1C 8954242C          mov dword ptr [esp+2C], edx
:005ACC20 896C2420          mov dword ptr [esp+20], ebp
:005ACC24 896C2424          mov dword ptr [esp+24], ebp
:005ACC28 FFD7              call edi
:005ACC2A 85C0              test eax, eax
:005ACC2C 7571              jne 005ACC9F
:005ACC2E 8B542414          mov edx, dword ptr [esp+14]
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E8, ""
|
:005ACC32 68E8030000        push 000003E8
:005ACC37 8D8C2440030000    lea ecx, dword ptr [esp+00000340]
:005ACC3E E88D000000        call 005ACCD0                  <-- C00l.. the first check, don't have to worry about it though
:005ACC43 8BF0              mov esi, eax
:005ACC45 8B4C2414          mov ecx, dword ptr [esp+14]
:005ACC49 55                push ebp
:005ACC4A 6A02              push 00000002
:005ACC4C 6808080000        push 00000808
:005ACC51 51                push ecx
:005ACC52 FFD7              call edi
:005ACC54 8B542414          mov edx, dword ptr [esp+14]
:005ACC58 55                push ebp
:005ACC59 55                push ebp
:005ACC5A 6804080000        push 00000804
:005ACC5F 52                push edx
:005ACC60 FFD7              call edi                       <-- check
:005ACC62 3BF5              cmp esi, ebp                   <-- compare (ebp is 0 here)
:005ACC64 7539              jne 005ACC9F                   <-- jump if failure (has to be 0)
:005ACC66 8B94243C030000    mov edx, dword ptr [esp+0000033C]
:005ACC6D 8B84243C010000    mov eax, dword ptr [esp+0000013C]
:005ACC74 3BD0              cmp edx, eax                   <-- another compare
:005ACC76 7527              jne 005ACC9F                   <-- jump again if the check failed (they have to be equal)
:005ACC78 B802000000        mov eax, 00000002
:005ACC7D 3BD0              cmp edx, eax                   <-- another...
:005ACC7F 7E1A              jle 005ACC9B                   <-- this one passes
:005ACC81 33C9              xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005ACC99(C)
|
:005ACC83 8BB40C44030000    mov esi, dword ptr [esp+ecx+00000344]
:005ACC8A 3BB40C44010000    cmp esi, dword ptr [esp+ecx+00000144]
:005ACC91 7508              jne 005ACC9B                   <-- first mismatch ends the loop early
:005ACC93 40                inc eax                        <-- increase counter
:005ACC94 83C104            add ecx, 00000004              <-- next dword in both tables
:005ACC97 3BC2              cmp eax, edx                   <-- compare until these match
:005ACC99 7CE8              jl 005ACC83                    <-- loop if not
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005ACC7F(C), :005ACC91(C)
|
:005ACC9B 3BC2              cmp eax, edx                   <-- the last compare..
:005ACC9D 7417              je 005ACCB6                    <-- the last check, must jump

Whoops.. quite a long piece of code again.. ok.. a quick rundown so the patches make sense: GetDriveTypeA has to return 5 (DRIVE_CDROM) or it bails to 005ACC9F. Then it builds a little struct on the stack ("X:" plus device type 204h) and fires off three call edi's with 803h / 808h / 804h and flags 3302h. The listing doesn't name edi, but those constants look like MCI_OPEN / MCI_STOP / MCI_CLOSE on the cdaudio device (204h = MCI_DEVTYPE_CD_AUDIO), with call 005ACCD0 doing the actual reading in between; that's my reading of the numbers, not something W32Dasm tells you. ebp is 0 all the way through (it's what gets pushed for the NULL parameters), so cmp esi, ebp is just "did 005ACCD0 return 0". After that the dword at [esp+33C] (presumably what it got off the disc) must equal the dword at [esp+13C] (what the game expects), and if that value is above 2 the loop at 005ACC83 walks two tables four bytes at a time, comparing entry by entry and stopping at the first mismatch. The final cmp eax, edx / je 005ACCB6 only jumps if eax climbed all the way up to edx, i.e. every entry matched. The "Possible Reference to Dialog" line is just W32Dasm matching 3E8h = 1000 against a control ID; ignore it.
I ran through the routine a couple of times, placed my patches and it works :) Supposedly I should tell you where and why to patch.. ok.. look at my code snippets.. done? We have to patch three spots, three conditional jumps.. not a big problem.. just reverse them or make them always jump and you're done:

:005ACC64 7539   jne 005ACC9F
:005ACC76 7527   jne 005ACC9F
:005ACC9D 7417   je  005ACCB6

All you need to do is reverse these jumps or NOP them (excluding the last one, which must jump): 7539 -> 9090, 7527 -> 9090 and 7417 -> EB17 (jmp short, same displacement). NOPing the first two and forcing the last is the cleaner option, since it works with or without the CD in the drive; reversing them instead (7539 -> 7439 and so on) makes the check fail exactly when a real CD is present. Two things to watch in the hex editor: W32Dasm shows virtual addresses, not file offsets, so search for the byte sequence (e.g. 3BF57539, 3BD07527, 3BC27417) instead of going to the address, and leave the second byte of each jump alone, because it's the displacement and the new instruction has to land in the same place.

Final Notes: Blah.. I was hoping for some tougher protection but damn, I guess not :) You would have thought the developers had built a tougher protection for a game like this.. but maybe it was my version again, maybe some other version has C-Dilla... but thanks to crackers like r!SC, Black Check, [yAtEs], Tola, AnthaXerXes, Acid Burn and all others who've written C-Dilla tutes, C-Dilla can be defeated fairly easily !? :)

-C_DKnight aloha aloha ;)

Find my other tutes at http://cdchecks.cjb.net, updated more often than my homepage.. back to proggie. Enter true serial & have phun !
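As an added example (mine, not part of the tute and not the game's code), here is a small Python helper that does the bookkeeping for those three patches: it cross-checks the rel8 displacement of every short jump in the listing against its listed target (so you know you are looking at the right bytes), locates each jump in a byte image by pattern rather than by VA, verifies the original bytes, and writes the 9090 / EB17 replacement. The byte image is transcribed from the listing above (:005ACC60 to :005ACC9E) and treated as if mapped at 005ACC60; the exe's real file offsets are not on the page, which is exactly why it searches by pattern.

```python
"""Jump-patch helper for the Battlezone II CD check (added example, not the tute's code).

IMAGE is the byte run :005ACC60..:005ACC9E copied from the W32Dasm listing and
treated as if mapped at VA 005ACC60. The real file offsets aren't on the page,
so jumps are located by byte pattern, the same way you'd do it in a hex editor.
"""
import struct

JNE, JE, JLE, JL, JMP_SHORT, NOP = 0x75, 0x74, 0x7E, 0x7C, 0xEB, 0x90
SHORT_JUMPS = {JNE, JE, JLE, JL, JMP_SHORT}

IMAGE_BASE = 0x005ACC60
IMAGE = bytes.fromhex(  # transcribed from the listing, :005ACC60 .. :005ACC9E
    "FFD7" "3BF5" "7539" "8B94243C030000" "8B84243C010000" "3BD0" "7527"
    "B802000000" "3BD0" "7E1A" "33C9" "8BB40C44030000" "3BB40C44010000"
    "7508" "40" "83C104" "3BC2" "7CE8" "3BC2" "7417"
)

# VA -> target of every short jump in the listing, used to cross-check rel8 math.
LISTED_TARGETS = {
    0x005ACC64: 0x005ACC9F, 0x005ACC76: 0x005ACC9F, 0x005ACC7F: 0x005ACC9B,
    0x005ACC91: 0x005ACC9B, 0x005ACC99: 0x005ACC83, 0x005ACC9D: 0x005ACCB6,
}


def rel8(va, target):
    """Displacement byte for a 2-byte short jump at `va` going to `target`."""
    d = target - (va + 2)
    if not -128 <= d <= 127:
        raise ValueError(f"{target:08X} not reachable with rel8 from {va:08X}")
    return d & 0xFF


def short_jump_target(va, insn):
    """Decode a 2-byte short jump (opcode, rel8) sitting at `va` into its target VA."""
    if len(insn) != 2 or insn[0] not in SHORT_JUMPS:
        raise ValueError(f"not a short jump: {insn.hex()}")
    return va + 2 + struct.unpack("b", insn[1:2])[0]


def invert(insn):
    """jne <-> je, displacement untouched."""
    return bytes([{JNE: JE, JE: JNE}[insn[0]], insn[1]])


def force(insn):
    """Conditional short jump -> jmp short (EB), displacement untouched."""
    return bytes([JMP_SHORT, insn[1]])


def nop_out(insn):
    """Replace the whole instruction with NOPs so it falls through."""
    return bytes([NOP]) * len(insn)


def find_unique(image, pattern):
    """Offset of `pattern` in `image`; refuses to guess if it occurs more than once."""
    off = image.find(pattern)
    if off < 0:
        raise ValueError(f"pattern {pattern.hex()} not found")
    if image.find(pattern, off + 1) >= 0:
        raise ValueError(f"pattern {pattern.hex()} not unique, add more context")
    return off


def verify_listing(image=IMAGE, base=IMAGE_BASE, targets=LISTED_TARGETS):
    """Check that each listed jump's rel8 byte really encodes the listed target."""
    for va, target in targets.items():
        insn = image[va - base:va - base + 2]
        if short_jump_target(va, insn) != target or insn[1] != rel8(va, target):
            raise ValueError(f"listing inconsistent at {va:08X}")
    return True


# The plan from the tute: NOP both jne's, make the final je unconditional.
# Each jump is searched as (preceding instruction + jump bytes) so the match is
# unique even though 3BC2 (cmp eax, edx) appears twice in the routine.
PLAN = [
    (0x005ACC64, bytes.fromhex("3BF5"), bytes.fromhex("7539"), nop_out),
    (0x005ACC76, bytes.fromhex("3BD0"), bytes.fromhex("7527"), nop_out),
    (0x005ACC9D, bytes.fromhex("3BC2"), bytes.fromhex("7417"), force),
]


def patch_image(image=IMAGE, base=IMAGE_BASE, plan=PLAN):
    """Apply `plan` to a copy of `image`; returns (patched bytes, {va: (old_hex, new_hex)})."""
    out = bytearray(image)
    applied = {}
    for va, ctx, old, xform in plan:
        off = find_unique(out, ctx + old) + len(ctx)
        if base + off != va:  # pattern lives somewhere other than the listing says
            raise ValueError(f"{(ctx + old).hex()} found at {base + off:08X}, expected {va:08X}")
        new = xform(old)
        out[off:off + len(old)] = new
        applied[va] = (old.hex().upper(), new.hex().upper())
    return bytes(out), applied


if __name__ == "__main__":
    verify_listing()
    for va, (old, new) in patch_image()[1].items():
        print(f"{va:08X}: {old} -> {new}")  # 7539 -> 9090, 7527 -> 9090, 7417 -> EB17
```

To use it on the real exe you would read the file into `bytes`, call `patch_image` with `base` unknown (drop the VA check, or compute it from the section headers) and write the result back; the pattern search and the original-byte verification are the parts that keep you from stomping on the wrong place.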