Target: Sid Meier's Alpha Centauri (updated to 4.0!!!) [UK]
Toolz: W32Dasm, SICE, Hex-Editor, NotePad+ with Wordwrap ON
Level: 1
Protection: cd-check, kinda..

Background info:
I love Sid Meier games and as I hadn't cracked this one yet it was an obvious choice for the subject of this tute.. but enuff bla bla.. let's get on with the business. Btw.. if I'm not totally wrong it is possible to play this game without a CD present, but there's this nag we wanna remove (though I'd recommend playing with the CD).. Oh.. also.. it seems like the unpatched version has SecuROM (which I don't care about coz I have the ORIGINAL!) but the patched version doesn't... leet.. :)

Again the common approach: BPX GetDriveTypeA and you'll land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005E896E(C)
|
:005E8912 8D542410        lea edx, dword ptr [esp+10]
:005E8916 52              push edx

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:005E8917 FF1540B16400    call dword ptr [0064B140]
:005E891D 83F805          cmp eax, 00000005            <-- you are here, and you know this one already (5 = DRIVE_CDROM)
:005E8920 753E            jne 005E8960                 <-- as you do this one too.. (not a CD drive: try the next letter)
:005E8922 8D442410        lea eax, dword ptr [esp+10]  <-- current drive letter into eax
:005E8926 881DB8DD9700    mov byte ptr [0097DDB8], bl
:005E892C 50              push eax
:005E892D 68B8DD9700      push 0097DDB8
:005E8932 E819FA0300      call 00628350                <-- uhm.. builds the path for the movie to play?
:005E8937 8B8C2468020000  mov ecx, dword ptr [esp+00000268]  <-- move the path to ecx
:005E893E 51              push ecx                     <-- push the path
:005E893F 68B8DD9700      push 0097DDB8
:005E8944 E807FA0300      call 00628350                <-- same call as above
:005E8949 83C410          add esp, 00000010            <-- tidy up the stack
:005E894C 8D94241C010000  lea edx, dword ptr [esp+0000011C]  <-- same as above, but into edx
:005E8953 52              push edx                     <-- push the path
:005E8954 68B8DD9700      push 0097DDB8
:005E8959 FFD5            call ebp                     <-- call to FindFirstFileA
:005E895B 83F8FF          cmp eax, FFFFFFFF            <-- compare the result with INVALID_HANDLE_VALUE
:005E895E 756B            jne 005E89CB                 <-- jump if not equal (file was found)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005E8920(C)
|
:005E8960 8A542410        mov dl, byte ptr [esp+10]    <-- current drive letter into dl
:005E8964 FEC2            inc dl                       <-- next drive letter
:005E8966 46              inc esi                      <-- increase the counter
:005E8967 83FE1A          cmp esi, 0000001A            <-- all 26 drives done?
:005E896A 88542410        mov byte ptr [esp+10], dl
:005E896E 7CA2            jl 005E8912                  <-- if not, loop back to the GetDriveType routine until all are done
:005E8970 399C2464020000  cmp dword ptr [esp+00000264], ebx
:005E8977 7572            jne 005E89EB
:005E8979 53              push ebx
:005E897A 53              push ebx
:005E897B 53              push ebx
:005E897C 6AFF            push FFFFFFFF

* Possible StringData Ref from Data Obj ->"FILEFIND_NOCD"   <-- this tells pretty much everything...

Ok.. I prolly made some mistakes, but I think the routine consists of checks like I've described.. but I may be wrong.. Anyways, I already know where to patch.. ;) Do you? Prolly not.. lemme clear it up for ye. The above routine is indeed the failure path of the cd-check; in fact it checks whether all cd-drives have been tried and loops back to the start of the GetDriveType routine (the jl above) until they all have.. it does nothing more, I believe.. but again, I may be wrong. The point of interest is the call to FindFirstFileA.. it is in fact the cd-check, urh.. but I can't really remember what it does.. heh.. wait a sec.. I'll re-trace it ;) (and eat sumfin in the meanwhile).. w00p.. uhm, heh.. I'm still not quite sure, but I'd say it seeks the movie path/file, and if it's found on the target drive (the CD) the return value is the search handle used in a subsequent call. So the return value changes depending on the drive the file is found on, e.g. the return value for my drive G:\ was BF0304, and it might differ on your comp. Because of this kind of procedure it's safer to change the following jump instead of comparing against a fixed value or nopping out the whole call, so let's do it like this:

:005E895E 756B jne 005E89CB
->
:005E895E 746B je 005E89CB
or
->
:005E895E EB6B jmp 005E89CB

I'm sure you can do the modification on your own so I won't explain it..
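To make the scan above concrete, here is a Python model of the routine (an added reconstruction, not the game's code): GetDriveTypeA and FindFirstFileA are modelled as plain functions over a constructed drive table, the movie file name is a placeholder, and the handle value is the one the page saw for G:\. It shows that the check only tests whether a file exists on some CD-ROM letter and that the whole A: to Z: walk funnels into the single comparison against INVALID_HANDLE_VALUE.

```python
DRIVE_CDROM = 5                    # GetDriveTypeA result the loop tests with "cmp eax, 5"
DRIVE_NO_ROOT_DIR = 1              # GetDriveTypeA result for a letter with no drive behind it
INVALID_HANDLE_VALUE = 0xFFFFFFFF  # FindFirstFileA result tested with "cmp eax, FFFFFFFF"

# Placeholder: the real movie file name is not given on the page.
MOVIE_FILE = "movie.placeholder"

# Constructed drive table: letter -> (drive type, files present in the root).
# 3 is DRIVE_FIXED, 5 is DRIVE_CDROM.
SAMPLE_DRIVES = {
    "C": (3, {MOVIE_FILE}),   # hard-disk copy of the movie: skipped by the "cmp eax, 5" test
    "D": (5, set()),          # empty CD-ROM drive
    "G": (5, {MOVIE_FILE}),   # CD-ROM drive with the movie present
}


def get_drive_type(drives, root):
    """Model of GetDriveTypeA for a root such as 'G:\\'."""
    return drives.get(root[0], (DRIVE_NO_ROOT_DIR, set()))[0]


def find_first_file(drives, path):
    """Model of FindFirstFileA: a search handle if the file exists, else INVALID_HANDLE_VALUE."""
    letter, name = path[0], path.rsplit("\\", 1)[-1]
    if name in drives.get(letter, (DRIVE_NO_ROOT_DIR, set()))[1]:
        return 0xBF0304  # the handle the page saw for G:\; the real value differs per machine
    return INVALID_HANDLE_VALUE


def cd_check(drives):
    """Walk A: to Z: as the disassembly does; return the passing letter, or None (FILEFIND_NOCD)."""
    letter = ord("A")
    for _ in range(0x1A):                                       # esi counts up to 1Ah = 26 letters
        root = chr(letter) + ":\\"
        if get_drive_type(drives, root) == DRIVE_CDROM:         # cmp eax, 5 / jne 005E8960
            handle = find_first_file(drives, root + MOVIE_FILE)  # call ebp (FindFirstFileA)
            if handle != INVALID_HANDLE_VALUE:                  # cmp eax, FFFFFFFF / jne 005E89CB
                return chr(letter)                              # the one branch the scan funnels into
        letter += 1                                             # inc dl / inc esi / jl 005E8912
    return None                                                 # falls through to "FILEFIND_NOCD"
```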
If you're having problems plz read some of my earlier tutes or someone else's tutes. Anywayz, if you did as I showed you shouldn't have any nags left when you start the game. I dunno if you can play it now without a cd in the drive coz I was too lazy to test it, but I don't really care coz the main intention of this tute (and of all my other cd-check tutes!!) is just to disable the cd-check, whether it renders the game playable or not.. but enuff crap already... what's done is done, cd-check destroyed!

Heh.. might I also add that if you look at terran.exe with ProcDump you can see something like "Selfmod" or similar.. self-modifying? Kinda, I'd say.. when I first patched this file in Hiew it changed the opcodes to something way off the cmp & jne that were supposed to be there... but that's no problem if you type the offset directly so that it takes you straight to the jne; then it's safe to patch.

-C_DKnight

Well ok.. C_D can stand for Compact Disc if you really want.. it's kinda leet in that way too.. heh.. since almost every tute of mine is about cd-check defeating.. so I'm a valiant knight who protects poor games from evil CD-Check wizards!! Huuh.. I thrust with my dark sword and see the Wizards eventually perishing.. ;) Haha.. well, let's proceed onto the greetings, shall we?

#Cracking4Newbies, you guys I respect and greet (not in any order): AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], Doufas, SeKt0r, nchanta, Icecream (your radio r0xs0rs!! :)), |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, X-Calibre, DnNuke, noos, nu, Thesmurf, defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackBird, DarkLord and all the others at #c4n I forgot, plus these individuals: Tailz, F0ley, MR-B, Mathras, Makis