Target game: Imperialism 2

Progs:

Hiew 6.04
W32Dasm v8.93
(Soft-Ice 3.24) <-- not necessary


Ready?...ok... here we go

Step 1.	Of course, start with the installation and when it's done, back up Imperialism II.exe 
(.bak & .w32). OK... now we're ready to test what kind of protection this game has. 
Start Imperialism II and click on "Start new game" or "Tutorial": "Please place Imperialism II cd.." 
Always the same sentence... just a bit modified =). So it's a bloody in-game message, which uses 
GetDriveTypeA to access the CD-ROM (try setting a breakpoint on it with SI if you want). 

Step 2.	Load Imperialism II.w32 into W32Dasm... it takes a while to disassemble since the file 
is almost 4 MB. As soon as it's ready, use search to find the string "getdrivetypea". 
Ignore the first and second hits and you should land here on the third one:

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh <-- (Almost) every game uses this
                                  |
:006761CC FF15D8817600            Call dword ptr [007681D8]
:006761D2 33C9                    xor ecx, ecx
:006761D4 83F805                  cmp eax, 00000005 <-- check against cd, 05 means cd
:006761D7 0F94C1                  sete cl
:006761DA 84C9                    test cl, cl
:006761DC 0F84D1000000            je 006762B3
:006761E2 8D4C2410                lea ecx, dword ptr [esp+10]
:006761E6 E84BDA0200              call 006A3C36
:006761EB 8B1D80F57400            mov ebx, dword ptr [0074F580]
:006761F1 6A01                    push 00000001
:006761F3 C744243400000000        mov [esp+34], 00000000
:006761FB FFD6                    call esi
:006761FD 80C341                  add bl, 41
:00676200 6A01                    push 00000001
:00676202 53                      push ebx
:00676203 8D4C241C                lea ecx, dword ptr [esp+1C]
:00676207 8BF8                    mov edi, eax
:00676209 E829780200              call 0069DA37

Possible StringData Ref from Data Obj ->":\"

It took me a while to discover what was happening, and I figured out this is not the right place...
I scrolled up a bit and came here:


* Possible StringData Ref from Data Obj ->"0160"
                                  |
:00676181 68BCF57400              push 0074F5BC
:00676186 50                      push eax
:00676187 E8D4870000              call 0067E960
:0067618C 83C408                  add esp, 00000008
:0067618F F7D8                    neg eax
:00676191 1BC0                    sbb eax, eax
:00676193 F7D8                    neg eax
:00676195 84C0                    test al, al <-- Is the cd in the drive?
:00676197 0F844B020000            je 006763E8 <-- Yes... go ahead and jump
:0067619D A180F57400              mov eax, dword ptr [0074F580]

* Reference To: KERNEL32.SetErrorMode, Ord:0213h    <--This is also often used...
                                  |
:006761A2 8B35E8817600            mov esi, dword ptr [007681E8]

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh   <-- ...like this one too
                                  |
:006761A8 8B2DEC817600            mov ebp, dword ptr [007681EC]
:006761AE 83F8FF                  cmp eax, FFFFFFFF
:006761B1 0F8406010000            je 006762BD
:006761B7 8B0DB8F57400            mov ecx, dword ptr [0074F5B8]
:006761BD 8D542418                lea edx, dword ptr [esp+18]
:006761C1 0441                    add al, 41
:006761C3 894C2418                mov dword ptr [esp+18], ecx
:006761C7 52                      push edx
:006761C8 8844241C                mov byte ptr [esp+1C], al


Cracking this shouldn't be a problem. Just change the jump "je 006763E8" --> "jne 006763E8" 
and you're done. This example was pretty easy, huh? =)... As is usually the case, the cracking 
itself is quite easy, but finding the right place for the crack is the hardest part =)

Greetz: Friends, tKC, Pedro of Laxity and to every cracker on earth (or on moon or whatever)

-C_DKnight
contact me at c_dknight@iobox.com

Written on 27th June 1999