Age of Empires 2 Cracking Tutorial
                                                             
         
                              =======================================
                              |   This ZIP file should include :    |
                              |                                     |
                              |   1) AOE2TUT.TXT ( This File ) ;    | 
                              |   2) AOE2-CRK.EXE ( The CRACK ) .   |
                              =======================================   
           
          
Difficulty : Easy

For this tut, you need:

1) Age of Empires 2 (of course);
2) WDasm 32 (I used WDasm 32 8.93);
3) A hex editor (I used UltraEdit and Hiew);
4) A working BRAIN.

So, here we are. First, install the game with any kind of installation you want and try to play
without the CD. What happens? When you reach the game menu and press the SINGLE PLAYER button,
a stupid window pops up telling ya that the game CD is needed. What now? Simple: CRACK IT!
Let's start. Fire up WDasm and disassemble the file EMPIRES2.EXE. This can take a while, so be
patient. OK, it finished. First, look for the message shown by the CD CHECK window.
Click on REFS and then on STRING DATA REFERENCE. But... FUCK!!! There's no message
like the one we seek! OK, don't panic, there is another way...
Click on FUNCTIONS and then on IMPORTS. In the window that pops up, look for
KERNEL32.GetDriveTypeA and double click on it.
You should see this piece of code:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041F176(C)
|
:0041F183 56                      push esi

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h     <-------- WE LAND HERE
                                  |
:0041F184 FF159CC16100            Call dword ptr [0061C19C]
:0041F18A 83F805                  cmp eax, 00000005
:0041F18D 740D                    je 0041F19C
:0041F18F 5E                      pop esi
:0041F190 33C0                    xor eax, eax
:0041F192 5B                      pop ebx
:0041F193 81C40C020000            add esp, 0000020C
:0041F199 C20400                  ret 0004


So, we see that this code is called by a conditional jump at 0041F176, so let's go there.
Click on GOTO and then GOTO CODE LOCATION, write 0041F176 and press ENTER.
You should see this piece of code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041F14E(C)
|
:0041F160 8B8BD4010000            mov ecx, dword ptr [ebx+000001D4]

* Possible StringData Ref from Data Obj ->"CDPath"   <------ THIS TELLS US THAT THE WAY WE HAVE
                                  |                          CHOSEN IS PROBABLY THE RIGHT ONE
:0041F166 683CD86400              push 0064D83C
:0041F16B 6A00                    push 00000000
:0041F16D E89EEE0900              call 004BE010
:0041F172 8BF0                    mov esi, eax
:0041F174 85F6                    test esi, esi
:0041F176 750B                    jne 0041F183
:0041F178 5E                      pop esi
:0041F179 5B                      pop ebx
:0041F17A 81C40C020000            add esp, 0000020C
:0041F180 C20400                  ret 0004


This is similar to the code above and is called by another jump at 0041F14E.
Follow it as you did the first jump until you reach this piece of code:


* Referenced by a CALL at Addresses:
|:0041BFF2   , :004F00D7   , :004F0169   , :004F4715   , :004F473A   
|:004F7097   , :004F7193   , :004F8594   , :004F85B9   , :004F9D21   
|:004F9F93   , :004FA549   , :004FE41E   
|
:0041F0C0 81EC0C020000            sub esp, 0000020C
:0041F0C6 53                      push ebx
:0041F0C7 8BD9                    mov ebx, ecx
:0041F0C9 56                      push esi
:0041F0CA 8B4324                  mov eax, dword ptr [ebx+24]
:0041F0CD 8B8808040000            mov ecx, dword ptr [eax+00000408]
:0041F0D3 85C9                    test ecx, ecx
:0041F0D5 7510                    jne 0041F0E7        <----- THIS IS OUR JUMP
:0041F0D7 5E                      pop esi
:0041F0D8 B801000000              mov eax, 00000001
:0041F0DD 5B                      pop ebx
:0041F0DE 81C40C020000            add esp, 0000020C
:0041F0E4 C20400                  ret 0004


Now we see that this code is called by 13 CALLS, which means that the game seeks the CD 13 times.
But... wait a minute! We see a conditional jump at 0041F0D5 right after a suspicious check...
This means that the program looks in ECX and, if ECX is equal to 0, the jump won't be executed
and the game will run... So, if the CD is in the drive ECX is equal to 0, and if it is not,
ECX is different from 0.
So, what? We could change the JNE (Jump If Not Equal) to JE (Jump If Equal),
but in this way, if we insert the CD the game won't work and we will be asked for the CD.
So, the best thing to do is to erase the jump completely.
Make a backup copy of EMPIRES2.EXE and start HIEW.
Open the backup copy of the file, press F4 and select DECODE.
Press F5 and type the OFFSET CODE of the jump. You can find it in WDasm,
at the bottom of the screen.
Now you must change the JNE into two NOPs.
Put the cursor over the line   0041F0D5    7510    jne 0041F0E7 .
Press F3 and type 90 twice. 90 is the HEX value for a NOP.
OK, now press F9 to save the file and F10 to exit.
Close WDasm, run the backup copy of the file and... THE GAME WORKS WITHOUT THE CD!!!!!
Great, you've just cracked Age Of Empires 2. It was quite easy.
I hope you understood everything I wrote, coz this is my first tut.

A TIP: If you change a jump to its opposite, a game won't work if the CD is in the drive!!!
                               
Si Vis Pacem , Para Bellum .

Seeya in the next tut .

 ----====( ShadowMan )====----

      - 18 November 2000 -