blah blah blah . boring q3 cd check . . reversed? hah, i make myself laugh (i do, i really do)


wdasm quake3.exe . . search for imports \ getdrivetypea . . say hello to the cd check 


:004400C0 81EC84000000            sub esp, 00000084
:004400C6 56                      push esi

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
                                  |
:004400C7 8B3590104B00            mov esi, dword ptr [004B1090]
:004400CD C64424053A              mov [esp+05], 3A      ; ':'
:004400D2 C64424065C              mov [esp+06], 5C      ; '\'
:004400D7 C644240700              mov [esp+07], 00      ;)
:004400DC C644240463              mov [esp+04], 63      ; at this point, [esp+4] == 'c:\',0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440141(C)
|
:004400E1 8D442404                lea eax, dword ptr [esp+04]
:004400E5 50                      push eax          ; push 'c:\',0
:004400E6 FFD6                    call esi          ; call getdrivetypea
:004400E8 83F805                  cmp eax, 00000005 ; was it a cd rom?
:004400EB 7548                    jne 00440135      ; nope, cycle through drive letters..
                                                    ; else....
* Possible StringData Ref from Data Obj ->"quake3"
                                  |
:004400ED 68A81A4C00              push 004C1AA8     ; push 'quake3',0
:004400F2 8D4C2408                lea ecx, dword ptr [esp+08]
:004400F6 51                      push ecx          ; push 'c:\',0 
                                                    ; or whatever drive letter your cd-rom is
* Possible StringData Ref from Data Obj ->"%s%s"    ; used in string formatting . string/string
                                  |
:004400F7 68088B4B00              push 004B8B08
:004400FC 68F0895C00              push 005C89F0
:00440101 E899EE0500              call 0049EF9F     ; after this, we have 'c:\quake3',0 ?

* Possible StringData Ref from Data Obj ->"quake3.exe"
                                  |
:00440106 689C1A4C00              push 004C1A9C     ; push 'quake3.exe',0
:0044010B 68F0895C00              push 005C89F0
:00440110 8D542420                lea edx, dword ptr [esp+20]   ; our previous formatted string?

* Possible StringData Ref from Data Obj ->"%s\%s"   ; string '\' string
                                  |
:00440114 68941A4C00              push 004C1A94
:00440119 52                      push edx
:0044011A E880EE0500              call 0049EF9F     ; after this, 'c:\quake3\quake3.exe',0 ?
:0044011F 8D442428                lea eax, dword ptr [esp+28]

* Possible StringData Ref from Data Obj ->"r"       ; read \ readonly .. ..
                                  |
:00440123 68901A4C00              push 004C1A90
:00440128 50                      push eax
:00440129 E877F90500              call 0049FAA5     ; read \ load \ do sth with the file
:0044012E 83C428                  add esp, 00000028 ; fix stack from all string formatting pushes
:00440131 85C0                    test eax, eax     ; eax!=0 == good boy
:00440133 7518                    jne 0044014D


quake3 is a bit bitchy . . and there's two of these checks.. it's the next check that gets executed
first, but it's 100% identical to this one . ..if we force it to think it loaded quake3.exe . 
we get a pagefault \ crash at 49fa00 or something . so . so . let's let it load \ open quake3.exe
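as an added illustration (not from the original tutorial, and not id's code), here is what the disassembly above boils down to, written out in C: probe drive letters for a cd-rom, build 'x:\quake3\quake3.exe' with the two format calls, then open it with "r". GetDriveTypeA is replaced by a caller-supplied probe so it compiles and runs off windows; the helper at 0049EF9F is assumed to behave like sprintf, and the letter loop at 00440135 is assumed to just bump the letter.

```c
#include <stdio.h>
#include <string.h>

#define DRIVE_CDROM 5   /* the value compared against at 004400E8 */

/* stand-in for KERNEL32.GetDriveTypeA (assumption: supplied by the caller) */
typedef unsigned int (*drive_probe_fn)(const char *root);

/* mirrors the two calls to 0049EF9F:
   "%s%s"  -> "c:\quake3", then "%s\%s" -> "c:\quake3\quake3.exe" */
void build_exe_path(const char *root, char *out, size_t n)
{
    char dir[64];
    snprintf(dir, sizeof dir, "%s%s", root, "quake3");   /* first format call  */
    snprintf(out, n, "%s\\%s", dir, "quake3.exe");       /* second format call */
}

/* the drive-letter loop (00440135..00440141, assumed to increment the letter);
   returns the first letter whose drive type is DRIVE_CDROM, or 0 if none */
char find_cdrom(drive_probe_fn probe)
{
    char root[4] = { 'c', ':', '\\', 0 };   /* [esp+04..07] == 'c:\',0 */
    for (; root[0] <= 'z'; root[0]++)
        if (probe(root) == DRIVE_CDROM)
            return root[0];
    return 0;
}

/* the whole check: 1 if quake3.exe could be opened for reading on a cd-rom,
   i.e. the "eax!=0 == good boy" case at 00440131 */
int cd_check(drive_probe_fn probe)
{
    char path[64];
    char letter = find_cdrom(probe);
    if (!letter) return 0;
    char root[4] = { letter, ':', '\\', 0 };
    build_exe_path(root, path, sizeof path);
    FILE *f = fopen(path, "r");             /* the call at 00440129, mode "r" */
    if (!f) return 0;
    fclose(f);
    return 1;
}

/* small helper for checking what build_exe_path produced */
int exe_path_equals(const char *root, const char *expected)
{
    char path[64];
    build_exe_path(root, path, sizeof path);
    return strcmp(path, expected) == 0;
}

/* constructed sample probe: only 'e' reports as a cd-rom, the rest as fixed (3) */
unsigned int sample_probe(const char *root)
{
    return root[0] == 'e' ? DRIVE_CDROM : 3;
}
```

note the whole protection hangs on one fopen result being non-zero, which is why a single conditional jump is all that stands between the game and "no cd".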

first off . . .where it sets up the drive letter 'c:\',0 . and checks it for a cd-rom, let's
set it up as the current dir instead, and stop it checking if it's a cd-rom ..

'.\',0,0 . . :d

edit the first part of code to look like this.. (and the other cd check code, @00440170)


:004400C7 8B3590104B00            mov esi, dword ptr [004B1090]
:004400CD C64424055C              mov [esp+05], 5C      ; '\'
:004400D2 C644240600              mov [esp+06], 00
:004400D7 C644240700              mov [esp+07], 00
:004400DC C64424042E              mov [esp+04], 2E      ; at this point, [esp+4] == '.\',0,0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440141(C)
|
:004400E1 8D442404                lea eax, dword ptr [esp+04]
:004400E5 50                      push eax          ; push '.\',0,0
:004400E6 FFD6                    call esi          ; call getdrivetypea
:004400E8 83F805                  cmp eax, 00000005 ; it wasn't a cd rom . but we don't care
:004400EB 7500                    jne 004400ED      ; jne +0 goes to the next instruction . killed the jump, effectively nopping it


then we fuck with the string formatting code . we don't want the dir '.\quake3' do we?

just kill that nasty call..

:004400ED 68A81A4C00              push 004C1AA8     ; push 'quake3',0
:004400F2 8D4C2408                lea ecx, dword ptr [esp+08]
:004400F6 51                      push ecx          ; push '.\',0,0
                                                    
* Possible StringData Ref from Data Obj ->"%s%s"    ; used in string formatting . string/string
                                  |
:004400F7 68088B4B00              push 004B8B08
:004400FC 68F0895C00              push 005C89F0
:00440101 B899EE0500              mov eax, 0005EE99 ; cruel way to kill a call . change the E8 to B8 ..
                                                    ; the 4 address bytes become an immediate . but at least we don't have '.\quake3',0 now


okay, 90% fixed. now the next string formatting part . . the formatter is '%s\%s' and if this 
gets executed, we'll end up with '.\\quake3.exe',0 . .. an extra '\' which is bad . .

text search for '%s\%s',0 in quake3.exe . . turns up twice . but one of these is very close to
'quake3' & 'quake3.exe' . thus, we kinda guess that that's the correct one . .. 'zen cracking'

%s\%s...quake3.exe..quake3.. yaddayaddayadda .   change that to '%s%s',0 . . i.e. kill the '\' .

excellent . now .. we've fucked this code (and its mirror..)

* Possible StringData Ref from Data Obj ->"quake3.exe"
                                  |
:00440106 689C1A4C00              push 004C1A9C     ; push 'quake3.exe',0
:0044010B 68F0895C00              push 005C89F0
:00440110 8D542420                lea edx, dword ptr [esp+20]   ; our previous formatted string?
                                                                ; '.\',0  hehehe
* Possible StringData Ref from Data Obj ->"%s%s"   ; stringstring
                                  |
:00440114 68941A4C00              push 004C1A94
:00440119 52                      push edx
:0044011A E880EE0500              call 0049EF9F     ; after this, '.\quake3.exe',0

boom! haha . dumb tutorial . but quake3 runs with no cd now! (if you patched both checks . .. )

so what did we learn? lame q3 checks for its own exe on the cd rom .. .

'x:\quake3\quake3.exe',0

if we kill the cd check, it crashes . thus, we have to make it look on our harddrive for this
'important' file . .  so we patch it here and there to make it look for '.\quake3.exe',0 which
it can find quite easily, cause if it wasn't installed and in the current directory, you
wouldn't be trying to play it!

r!sc .. http://csir.cjb.net

eVC/dVN rtl 2k !

