Hexen II and GL Hexen II tutor... by Xcellent for TrickSoft - "Software made free by us"

Hiya! Welcome to my tutor. This time we stop and think about the Hexen II protection. It's easy, but it's good to read this essay. Let's start!

Tools needed:
W32Dasm 8.93 (www.crackstore.com)
Any hexadecimal editor (www.crackstore.com has many!)

Hexen II tutor:

Run Hexen II and... "You need to have the Hexen 2 CD in order to play!" Ok, now don't panic, relax and run W32Dasm, then open the h2.exe file located in the Hexen 2 directory. When disassembling is done, click on String Data References; a window will pop up with the strings of the game, so now you do the usual: search for the message. Once you find it, double click on it and you'll see something similar to this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F887(C)
|
* Possible StringData Ref from Data Obj ->"You need to have the Hexen 2 CD "
                                        ->"in order to play!"
|
:0043F8FF C7058010480040DC4800    mov dword ptr [00481080], 0048DC40
:0043F909 C70530E0470000000000    mov dword ptr [0047E030], 00000000

Now you may have thought that just noping the jump to this message would make the game run, but no. I've tried and it hasn't worked, so keep following this tutor to find the right way to crack it. Getting back: we see that the message is reached from the address 43F887, so press SHIFT + F12 (Go to location), type 43F887 and press enter or click ok.
Now you will see:

* Referenced by a CALL at Address:
|:004014EE   <- from where it's called
|
:0043F850 81EC140A0000            sub esp, 00000A14
:0043F856 8D842414020000          lea eax, dword ptr [esp+00000214]
:0043F85D 53                      push ebx
:0043F85E 56                      push esi
:0043F85F 57                      push edi
:0043F860 55                      push ebp
:0043F861 50                      push eax
:0043F862 6800080000              push 00000800

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h
|
:0043F867 FF15E8C45700            Call dword ptr [0057C4E8]
:0043F86D 8DAC2424020000          lea ebp, dword ptr [esp+00000224]
:0043F874 8DBC2424020000          lea edi, dword ptr [esp+00000224]
:0043F87B B9FFFFFFFF              mov ecx, FFFFFFFF
:0043F880 2BC0                    sub eax, eax
:0043F882 F2                      repnz
:0043F883 AE                      scasb
:0043F884 F7D1                    not ecx
:0043F886 49                      dec ecx
:0043F887 7476                    je 0043F8FF   <- jump to error msg if no CD

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Eh
|
:0043F889 8B35E4C45700            mov esi, dword ptr [0057C4E4]

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
|
:0043F88F 8B1DE0C45700            mov ebx, dword ptr [0057C4E0]

Notice that the game checks the CD in several ways: the repnz scasb / not ecx / dec ecx sequence is an inline strlen on the drive list returned by GetLogicalDriveStringsA (the je is taken when that length is zero), and the code after it walks the drives with GetDriveTypeA and GetVolumeInformationA. What we'll do is go to where this whole check is called, the address 4014EE. Press SHIFT + F12 again, type 4014EE and press enter. Now you should see:

:004014EE E85DE30300              call 0043F850   <- call cd-check
:004014F3 5F                      pop edi
:004014F4 5E                      pop esi
:004014F5 5B                      pop ebx
:004014F6 81C4BC010000            add esp, 000001BC
:004014FC C3                      ret   <- return to game if everything's ok

The thing we're gonna change is that call to the cd-check, so now look at the bottom of the screen and you will see the offset: @Offset: 000008EEh. Ok, the offset is 8EE. Launch your hexadecimal editor, open h2.exe, go to offset 8EE and change E85DE30300 to 9090909090. Done? Save the file. Run the game and... Phew!!! We made it!!

Follow now the GL Hexen II solution:

Run GL Hexen II and... "You need to have the Hexen 2 CD in order to play!" Run W32Dasm and open glh2.exe. Once disassembling is done, click on String Data References and search for the message; when you find it, double click it.
You will see something like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404782(C)   <- where it's called from
|
* Possible StringData Ref from Data Obj ->"You need to have the Hexen 2 CD "
                                        ->"in order to play!"
|
:004047FA C705D8D2460038C94500    mov dword ptr [0046D2D8], 0045C938
:00404804 C70548AF460000000000    mov dword ptr [0046AF48], 00000000

We see that this message is reached from the address 404782. To go there, press SHIFT + F12, type 404782 and press enter. Now you will see:

* Referenced by a CALL at Address:
|:004382DE   <- where it's called from
|
:00404750 81EC140A0000            sub esp, 00000A14
:00404756 8D842414020000          lea eax, dword ptr [esp+00000214]
:0040475D 53                      push ebx
:0040475E 56                      push esi
:0040475F 57                      push edi
:00404760 55                      push ebp
:00404761 50                      push eax
:00404762 6800080000              push 00000800

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h
|
:00404767 FF15A0B5E000            Call dword ptr [00E0B5A0]
:0040476D 8DB42424020000          lea esi, dword ptr [esp+00000224]
:00404774 B9FFFFFFFF              mov ecx, FFFFFFFF
:00404779 8BFE                    mov edi, esi
:0040477B 2BC0                    sub eax, eax
:0040477D F2                      repnz
:0040477E AE                      scasb
:0040477F F7D1                    not ecx
:00404781 49                      dec ecx
:00404782 7476                    je 004047FA   <- jump to error msg if no CD

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
|
:00404784 8B1D9CB5E000            mov ebx, dword ptr [00E0B59C]

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Eh
|
:0040478A 8B2D84B5E000            mov ebp, dword ptr [00E0B584]

Well, you can see it's the same thing as in the non-GL version of the game, so we will just nop that call and the game will work. But we must know the offset, so press SHIFT + F12, type 4382DE and press enter.
Now, if you typed it right, you should see:

:004382DE E86DC4FCFF              call 00404750   <- call cd-check
:004382E3 5F                      pop edi
:004382E4 5E                      pop esi
:004382E5 5B                      pop ebx
:004382E6 81C4BC010000            add esp, 000001BC
:004382EC C3                      ret   <- proceed with game if everything's ok

Just nop that call and the game will be FiX'Ed (Hello Static Vengeance!!). As the green bar is already on the call, just take a look at the offset: 376DE. Run your hexadecimal editor, open glh2.exe and go to offset 376DE. Once you find it, change E86DC4FCFF to 9090909090 and save the file. Run the game and... YES!! Again it's cracked!!

Thanx for your patience and, as always, if you got any question or anything just send me an e-mail. I will be happy to serve you!!

Xcellent - The Brazilian crack3r
xcellent@bol.com.br
www.tricksoft.net
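Added example (not part of Xcellent's tutor): how the "@Offset" value W32Dasm shows is derived from a virtual address through the PE section table, checked against the two offsets quoted above (8EE for h2.exe at 4014EE and 376DE for glh2.exe at 4382DE), plus a small integrity check that tells an intact near CALL at a file offset apart from a run of NOPs. The section layout (.text mapped at RVA 0x1000 with raw data at file offset 0x400, image base 0x400000) is an assumption that fits both numbers; a real tool reads these fields from the file's PE header, and the sample images are constructed here.

```python
from dataclasses import dataclass

IMAGE_BASE = 0x400000  # assumed: the usual base for Win32 EXEs


@dataclass
class Section:
    name: str
    virtual_address: int  # RVA where the section is mapped in memory
    virtual_size: int
    raw_pointer: int      # PointerToRawData: where its bytes start in the file
    raw_size: int


# Constructed section table (assumption, not read from h2.exe/glh2.exe):
# section alignment 0x1000, file alignment 0x200, .text first.
SECTIONS = [
    Section(".text", 0x1000, 0x60000, 0x400, 0x60000),
    Section(".data", 0x61000, 0x20000, 0x60400, 0x20000),
]


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Translate a virtual address to a raw file offset; None if unmapped on disk."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None  # zero-filled virtual tail, not present in the file
            return s.raw_pointer + delta
    return None


def call_site_status(image, offset):
    """Classify the 5 bytes at offset: intact near CALL (E8 rel32), NOPed, or other."""
    chunk = image[offset:offset + 5]
    if len(chunk) < 5:
        return "short"
    if chunk[0] == 0xE8:
        return "call"
    if chunk == b"\x90" * 5:
        return "nop"
    return "other"


# Constructed images: the CALL bytes the tutor quotes at offset 8EE, then the same
# image with the call overwritten by NOPs (the change the tutor describes).
INTACT = bytes(0x8EE) + bytes.fromhex("E85DE30300") + bytes.fromhex("5F5E5B")
PATCHED = INTACT[:0x8EE] + b"\x90" * 5 + INTACT[0x8EE + 5:]
```

Comparing call_site_status over a known call site against a pristine copy is the simplest way to tell a patched binary from an original.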