Program Name: Rainbow Six : Rogue Spear

 

Date: 02 - January - 2000
Objective: Run without CD

Written by [yAtEs] - REaP - Reverse Engineering aND Programming - Http://reap.tsx.org / to contact me, email Jamesluton@hotmail.com

Heya! welcome to my first Y2K tut :), I'm gonna take you through removing the check
from Rogue Spear, please excuse my grammar and spelling mistakes as I only
got a D in English ;)

 

Ok first let's see what we've got: insert your CD and do a full installation, now
run the config program and set it all up (which I guess you've probably already done),
now remove the CD and store it safely, run the program and select a new game etc..
go through all those boxes until you get to the execute one, now it will say
Please insert the CD, eEk! Now if you have a 3DFX card you'll probably notice
that when u press Ctrl+D SoftICE is invisible when u use your card, umm
this could be a problem.
 
Ok so SoftICE doesn't pop up, well it does, a good trick to tell if SoftICE is
active is to turn your Num Lock on while you're OUT of SoftICE and now when you
enter SoftICE the NumLock light will go off, that's how I know I'm in SoftICE,
anyway we can't work without seeing SoftICE can we? well we can but it's annoying
and u need to use logs blah blah, so I just solved the problem by selecting my
original GFX card, a Matrox MGA thingy, in the configure program.
 
Now select your card, if u have a voodoo3 built-in thing, then umm shit, try selecting
software rendering, even though it says software rendering on a voodoo3 doesn't work
with this game, well I can tell u I found no prob on my bro's comp with this,
anyway.. now run the game and at the title screen check that u can see SoftICE by activating it etc.. see it? good, if u don't you're pooped, mail me for tips ;).
 
ZZzz ok now go to the noCD error box, now what are we gonna do? here's a
list of breakpoints and their roles in CD cracking.
 
CreateFileA - Check to see if a file is being opened
GetDriveType - Gets the drive type, e.g. to find the CDROM letter for opening a file from there later maybe.
GetVolumeInformationA - Used to get the volume name of the CD, used in name checks
GetFileAttributesA - Returns information on a directory/file
umm there's probably a lot more, but that's all I really use, ok so where do we
start? First let's check if the program is trying to open a file from the CD:
enter SI and type BPX CreateFileA DO "D esp->4", so when a file is opened it will dump
the memory pointed to by the first stack argument ([esp+4]), which is the filename. Ok now click execute, the
noCD error pops up again but no break... it's not opening a file then, so let's
try the next check, which for me would be checking volume names.
 
Ok back to the execute button, open SoftICE and clear breakpoints, BC *, now
let's set our volume check API, BPX GetVolumeInformationA, and exit SoftICE.
Now click execute, the program breaks into SoftICE, exit SI now with F5, then
it pops up again, exit SI again and you get the noCD error, hmm two breaks,
you may only get 1 break as I have 2 CD drives, so anyway ok on the msg box
and click execute again, when it breaks press F12, now we see this code :-

 

Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
:0040CE8F FF15ACF07500 Call dword ptr [0075F0AC]
:0040CE95 83F801 cmp eax, 00000001
:0040CE98 7516 jne 0040CEB0
:0040CE9A 8D44241C lea eax, dword ptr [esp+1C]
:0040CE9E 6840EF7A00 push 007AEF40
:0040CEA3 50 push eax
:0040CEA4 E837FE2800 call 0069CCE0
:0040CEA9 83C408 add esp, 00000008
:0040CEAC 85C0 test eax, eax
:0040CEAE 7455 je 0040CF05
:0040CEB0 803F00 cmp byte ptr [edi], 00
:0040CEB3 7410 je 0040CEC5
:0040CEC3(C)
:0040CEB5 3BF3 cmp esi, ebx
:0040CEB7 7D0C jge 0040CEC5
:0040CEB9 8A84341D020000 mov al, byte ptr [esp+esi+0000021D]
:0040CEC0 46 inc esi
:0040CEC1 84C0 test al, al
:0040CEC3 75F0 jne 0040CEB5
:0040CEC5 46 inc esi
:0040CEC6 3BF3 cmp esi, ebx
:0040CEC8 7C8F jl 0040CE59
:0040CECF B9CC9E8000 mov ecx, 00809ECC
:0040CED4 E82BDA2800 call 0069A904
:0040CED9 68A0164000 push 004016A0
:0040CEDE 6A0A push 0000000A
:0040CEE0 8BC8 mov ecx, eax
:0040CEE2 E8D6D82800 call 0069A7BD
:0040CEE7 8BC8 mov ecx, eax
:0040CEE9 E89247FFFF call 00401680
:0040CEEE B9C09E8000 mov ecx, 00809EC0
:0040CEF3 E848050200 call 0042D440
:0040CEF8 5F pop edi
:0040CEF9 5E pop esi
:0040CEFA 5D pop ebp
:0040CEFB 3280 xor al, al
:0040CEFD 5B pop ebx
:0040CEFE 81C410060000 add esp, 00000610
:0040CF04 C3 ret

Hmm so I guess, as normal in CD checks if you've read my previous tuts, we have to
exit this call if we are in one, then we will return from this call
to a jump I *guess*, as 99% of the time we are in a CDCheck call and after it will
be some kind of jump, so start pressing F10 until you hit a RET.
Did u notice that call near the end which returned the line GAME: CD NOT found,
spooky eh? :)

ok so you hit a ret, now what do we see

 

:00482E04 E817A0F8FF call 0040CE20
:00482E09 84C0 test al, al
:00482E0B 7422 JZ blah

as you can see there's the call and jump, try reversing that jump: place your
grey bar over it and change the EIP to the next line, press F5 and w00t it works,
so let's patch that jump eh? load ya fave hex ed and go to 0x82E0B and change 7422,
save and run, now once you have your GFX settings back the game will run fine,
but what about other checks? well there are some, as u will find you'll be asked for the
CD still at different times, e.g. at the main menu go to training and try that,
..eEk! error msg again, hmm so load up SoftICE again, bpx GetVolumeInformationA,
when it breaks press F12 and proceed to the ret, and you will see a call, test and
jump again, HMMmm what are we gonna do? patch the jump? naw this is not the way as u can
see there are many checks, but hey! look that's the same call.
 
So we need to change this bitch CD check call. From what we know, the CD check
is called, then there is a test on AL, then a jump, what's that mean? any ideas?
well if AL IS 0 then the test sets the zero flag and the jump below will
jump, if AL is NOT 0 then the test leaves the zero flag clear and the jump will not jump,
so... in the Call we need to find something which may be setting AL to 0, how
do u set a register to 0? you xor it by itself, e.g. XOR AL,AL, so find XOR AL,AL
near the end by the RET, see it?
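The branch targets printed in the listings above (the call at 0x482E04 landing at 0x40CE20, the jz skipping 0x22 bytes) come from the rel32/rel8 displacements, and the branch decision comes from the zero flag that test al,al sets from AL. The following is an added example, not code from the original tutorial: a small Python decoder covering only the encodings used on this page, resolving those targets and modelling the AL/ZF rule; the byte string is copied from the 0x482E04 listing.

```python
import struct

# Only the instruction forms that appear in this tutorial's listings.
REL32 = {0xE8: "call"}                     # call rel32
REL8 = {0x74: "jz", 0x75: "jne", 0x7C: "jl", 0x7D: "jge"}   # Jcc rel8 (jz == je)


def decode(code: bytes, va: int):
    """Decode `code` loaded at virtual address `va`.
    Returns a list of (address, hex_bytes, text) tuples, like a W32Dasm listing."""
    out = []
    i = 0
    while i < len(code):
        op = code[i]
        if op in REL32:
            # Target = address of the NEXT instruction + signed 32-bit displacement.
            rel = struct.unpack_from("<i", code, i + 1)[0]
            size = 5
            text = f"{REL32[op]} {va + i + size + rel:08X}"
        elif op in REL8:
            # Same rule with a signed 8-bit displacement (0x8F means -0x71).
            rel = struct.unpack_from("<b", code, i + 1)[0]
            size = 2
            text = f"{REL8[op]} {va + i + size + rel:08X}"
        elif op == 0x84 and i + 1 < len(code) and code[i + 1] == 0xC0:
            size, text = 2, "test al, al"
        elif op == 0xC3:
            size, text = 1, "ret"
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {va + i:08X}")
        out.append((va + i, code[i:i + size].hex().upper(), text))
        i += size
    return out


def jz_taken(al: int) -> bool:
    """`test al, al` ANDs AL with itself and sets ZF iff the result is 0;
    `jz` jumps iff ZF is set. So the whole CD check collapses to: AL == 0 -> jump."""
    return (al & 0xFF) == 0


# Constructed input: the three instructions shown at 0x482E04 in the tutorial.
SNIPPET = bytes.fromhex("E817A0F8FF" "84C0" "7422")

if __name__ == "__main__":
    for addr, raw, text in decode(SNIPPET, 0x482E04):
        print(f":{addr:08X} {raw:<12} {text}")
```

Because the check's result reaches the branch as a single boolean in AL, the decoder makes it obvious why changing the one instruction that zeroes AL is enough to flip every caller of that function at once.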

 

:0040CEF9 5E pop esi
:0040CEFA 5D pop ebp
:0040CEFB 3280 xor al, al
:0040CEFD 5B pop ebx
:0040CEFE 81C410060000 add esp, 00000610
:0040CF04 C3 ret

 

ok so what should we change this to? how about MOV AL,1, that would work,
so place your grey bar over the XOR in SoftICE and type A then MOV AL,1 then
press enter twice, it will change and fit perfectly :), ok u see it's changed
from 3280 to B001, go and change that in your hex ed, @ 0xCEFB 3280 to B001,
now save and run, W00T the game should run perfectly now!! yay another CD check
defeated.
 

laters [yAtEs]

http://cdchecks.cjb.net

http://yates.cjb.net

 

This was a bit rushed at the end and may not be that great to understand for newbies,
if you get stuck just email me JamesLuton@hotmail.com.

Final greetz to all me mates and friends, u know who u are.