Program Name: Rainbow Six: Rogue Spear
Date: 02 - January - 2000
Objective: Run without CD

Heya! Welcome to my first Y2K tut :). I'm gonna take you through removing the CD check from Rogue Spear. Please excuse my grammar and spelling mistakes, as I only got a D in English ;)

OK, first let's see what we've got. Insert your CD and do a full installation, then run the config program and set it all up (which I guess you've probably already done). Now remove the CD and store it safely, run the program and select a new game etc. Go through all those boxes until you get to the execute one; now it will say "Please insert the CD", eEk! Now if you have a 3DFX card you'll probably notice that when you press Ctrl+D, SoftICE is invisible while you use your card. Umm, this could be a problem.

OK, so SoftICE doesn't pop up. Well, it does: a good trick to tell if SoftICE is active is to turn your Num Lock on while you're OUT of SoftICE; when you enter SoftICE the Num Lock light will go off. That's how I know I'm in SoftICE. Anyway, we can't work without seeing SoftICE, can we? Well, we can, but it's annoying and you need to use logs, blah blah. So I just solved the problem by selecting my original GFX card, a Matrox MGA thingy, in the configure program.

Now select your card. If you have a Voodoo3 built-in thing, then umm, shit, try selecting software rendering. Even though it says software rendering on a Voodoo3 doesn't work with this game, I can tell you I found no problem on my bro's comp with this. Anyway, now run the game and at the title screen check that you can see SoftICE by activating it etc. See it? Good. If you don't, you're pooped; mail me for tips ;).

ZZzz, OK, now go to the noCD error box. Now what are we gonna do? Here's a list of breakpoints and their roles in CD cracking.

CreateFileA - Check to see if a file is being opened
GetDriveType - Used to find the CD-ROM drive letter, for opening a file from there later, maybe
GetVolumeInformationA - Used to get the volume name of the CD, used in name checks
GetFileAttributesA - Returns information on a directory/file

Umm, there are probably a lot more, but that's all I really use. OK, so where do we start? First let's check if the program is trying to open a file from the CD. Enter SI and type BPX CreateFileA DO "D esp->4"; when a file is opened it will dump the string pointed to by the first argument on the stack (esp+4), which is the filename. OK, now click execute: the noCD error pops up again but no break... it's not opening a file then, so let's try the next check, which for me would be checking volume names.

OK, back to the execute button. Open SoftICE and clear the breakpoints with BC *. Now let's set our volume check API breakpoint, BPX GetVolumeInformationA, and exit SoftICE. Now click execute: the program breaks into SoftICE. Exit SI with F5, then it pops up again; exit SI again and you get the noCD error. Hmm, two breaks. You may only get 1 break, as I have 2 CD drives. So anyway, OK the msg box and click execute again; when it breaks press F12, and now we see this code:

Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
:0040CE8F FF15ACF07500 Call dword ptr [0075F0AC]
:0040CE95 83F801 cmp eax, 00000001
:0040CE98 7516 jne 0040CEB0
:0040CE9A 8D44241C lea eax, dword ptr [esp+1C]
:0040CE9E 6840EF7A00 push 007AEF40
:0040CEA3 50 push eax
:0040CEA4 E837FE2800 call 0069CCE0
:0040CEA9 83C408 add esp, 00000008
:0040CEAC 85C0 test eax, eax
:0040CEAE 7455 je 0040CF05
:0040CEB0 803F00 cmp byte ptr [edi], 00
:0040CEB3 7410 je 0040CEC5
:0040CEC3(C)
:0040CEB5 3BF3 cmp esi, ebx
:0040CEB7 7D0C jge 0040CEC5
:0040CEB9 8A84341D020000 mov al, byte ptr [esp+esi+0000021D]
:0040CEC0 46 inc esi
:0040CEC1 84C0 test al, al
:0040CEC3 75F0 jne 0040CEB5
:0040CEC5 46 inc esi
:0040CEC6 3BF3 cmp esi, ebx
:0040CEC8 7C8F jl 0040CE59
:0040CECF B9CC9E8000 mov ecx, 00809ECC
:0040CED4 E82BDA2800 call 0069A904
:0040CED9 68A0164000 push 004016A0
:0040CEDE 6A0A push 0000000A
:0040CEE0 8BC8 mov ecx, eax
:0040CEE2 E8D6D82800 call 0069A7BD
:0040CEE7 8BC8 mov ecx, eax
:0040CEE9 E89247FFFF call 00401680
:0040CEEE B9C09E8000 mov ecx, 00809EC0
:0040CEF3 E848050200 call 0042D440
:0040CEF8 5F pop edi
:0040CEF9 5E pop esi
:0040CEFA 5D pop ebp
:0040CEFB 3280 xor al, al
:0040CEFD 5B pop ebx
:0040CEFE 81C410060000 add esp, 00000610
:0040CF04 C3 ret

Hmm, so I guess, as normal in CD checks if you've read my previous tuts, we have to exit this call. If we are in one, then we will return from this call to a jump, I *guess*, as 99% of the time we are in a CD check call and after it there will be some kind of jump. So start pressing F10 until you hit a RET. Did you notice that call near the end which returned the line "GAME: CD NOT found"? Spooky, eh? :) OK, so you hit a ret. Now what do we see?

:00482E04 E817A0F8FF call 0040CE20
:00482E09 84C0 test al, al
:00482E0B 7422 JZ blah

As you can see, there's the call and the jump. Try reversing that jump: place your grey bar over it and change the EIP to the next line, press F5 and w00t, it works. So let's patch that jump, eh? Load your fave hex editor, go to 0x82E0B and change 7422, save and run. Now, once you have your GFX settings back, the game will run fine. But what other checks? Well, there are some, as you'll find you're still asked for the CD at different times; for e.g. at the main menu go to training and try that... eEk! Error msg again. Hmm, so load up SoftICE again, bpx GetVolumeInformationA, when it breaks press F12 and proceed to the ret, and you will see a call, test and jump again. HMMmm, what we gonna do? Patch the jump? Naw, this is not the way, as you can see there are many checks. But hey! Look, that's the same call.

So we need to change this bitch CD check call. From what we know, the CD check is called, then there is a test on AL, then a jump. What does that mean? Any ideas? Well, TEST AL,AL sets the zero flag if AL is 0, so the JZ below will jump; if AL is NOT 0 the zero flag is clear and the jump will not be taken. So... in the call we need to find something which may be setting AL to 0. How do you set a register to 0? You XOR it by itself, e.g. XOR AL,AL. So find XOR AL,AL near the end, before the RET. See it?

:0040CEF9 5E pop esi
:0040CEFA 5D pop ebp
:0040CEFB 3280 xor al, al
:0040CEFD 5B pop ebx
:0040CEFE 81C410060000 add esp, 00000610
:0040CF04 C3 ret

OK, so what should we change this to? How about MOV AL,1? That would work. So place your grey bar over the XOR in SoftICE and type A, then MOV AL,1, then press enter twice; it will change and fit perfectly :). OK, you see it's changed from 3280 to B001. Go and change that in your hex editor, @ 0xCEFB, 3280 to B001. Now save and run. W00T, the game should run perfectly now!! Yay, another CD check defeated.
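The tutorial goes from the virtual addresses 0x00482E0B and 0x0040CEFB in the listings to the file offsets 0x82E0B and 0xCEFB in the hex editor; that step is the PE virtual-address to file-offset mapping through the section table. The following is an added example, not part of the original tutorial: it performs that mapping and then checks whether the opcode bytes quoted in the listings are still present on disk, so a modified copy of the executable can be told apart from an original one. The image base 0x400000 and the section table are assumptions chosen to reproduce the tutorial's offsets, and the byte buffer is a constructed stand-in, not the real game file.

```python
# Added example (not from the tutorial). Image base and section table are
# assumptions; the byte buffer is a constructed stand-in for the executable.

IMAGE_BASE = 0x400000  # assumed: the 0x0040xxxx addresses imply this default base

# Constructed section table: (name, VirtualAddress, VirtualSize, PointerToRawData).
# Chosen so that RVA == file offset inside .text, which is what the tutorial's
# 0x00482E0B -> 0x82E0B and 0x0040CEFB -> 0xCEFB mapping implies.
SECTIONS = [
    (".text", 0x1000, 0x300000, 0x1000),
    (".data", 0x301000, 0x10000, 0x301000),
]

def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Translate a virtual address to a file offset via the section table."""
    rva = va - image_base
    for _name, vaddr, vsize, raw_ptr in sections:
        if vaddr <= rva < vaddr + vsize:
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} falls outside every section")

# Original opcode bytes quoted in the tutorial's listings at the two sites.
ORIGINAL_BYTES = {
    0x00482E0B: bytes.fromhex("7422"),  # jz after the CD-check call returns
    0x0040CEFB: bytes.fromhex("3280"),  # xor al,al just before the ret
}

def find_patched_sites(image, original=ORIGINAL_BYTES):
    """Return the VAs whose on-disk bytes no longer match the quoted opcodes."""
    patched = []
    for va, expected in original.items():
        off = va_to_file_offset(va)
        if image[off:off + len(expected)] != expected:
            patched.append(va)
    return patched

def build_sample_image(modified=False):
    """Constructed stand-in for the executable: zero-filled, with the two
    quoted sites populated. modified=True applies the tutorial's B001 edit."""
    img = bytearray(0x90000)
    for va, opcodes in ORIGINAL_BYTES.items():
        off = va_to_file_offset(va)
        img[off:off + len(opcodes)] = opcodes
    if modified:
        off = va_to_file_offset(0x0040CEFB)
        img[off:off + 2] = bytes.fromhex("B001")
    return bytes(img)

if __name__ == "__main__":
    for va in ORIGINAL_BYTES:
        print(f"{va:#010x} -> file offset {va_to_file_offset(va):#x}")
    print("modified sites:", [hex(v) for v in find_patched_sites(build_sample_image(modified=True))])
```

Against a real executable the section table would be read from the PE headers rather than hard-coded; the mapping and comparison logic stay the same.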

laters [yAtEs]
http://cdchecks.cjb.net
http://yates.cjb.net

This was a bit rushed at the end and may not be that great to understand for newbies; if you get stuck just email me at JamesLuton@hotmail.com.
Final greetz to all me mates and friends, you know who you are.