Quake 2 CD-Check tutorial...

	by Xcellent for TrickSoft - "Software made free by us"

We going really fast these days!! This is a old game, sorry but I have no
money to buy new games and no time!! But I still have some time to write
tutorials, but that's ok. This protection is very easy, and u will have
no probs cracking this one.

Tools nedeed:
W32Dasm 8.9 (www.crackstore.com)
Any hex editor (www.crackstore.com have many)

Run Quake 2 and, hmm..... it seems to be working...but click Game, easy
and...."You must have the Quake2 CD in the drive to play." Ok,
that's no prob, run W32Dasm and open quake2.exe, click on String
Data References and search for the message then double click on
it. Now you will see:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B21E(C) <- THIS is what we're searching for....
|
:0042B235 8A442404              mov al, byte ptr [esp+04]
:0042B239 FEC0                  inc al
:0042B23B 3C7A                  cmp al, 7A
:0042B23D 88442404              mov byte ptr [esp+04], al
:0042B241 0F8E6AFFFFFF          jle 0042B1B1

* Possible StringData Ref from Data Obj ->"You must have the Quake2 CD in "
                                        ->"the drive to play."
                                |
:0042B247 6864474400            push 00444764
...
Did you see a reference jump at :0042B21E?? Ok, that's the way, press
Shift + F12, type 42B21E and press enter. Now you should see:
* Possible StringData Ref from Data Obj ->".\quake2.exe" <- get file on CD
                                |
:0042B1FC 6898474400            push 00444798
:0042B201 52                    push edx
:0042B202 E839430000            call 0042F540
:0042B207 83C40C                add esp, 0000000C
:0042B20A 8D442408              lea eax, dword ptr [esp+08]

* Possible StringData Ref from Data Obj ->"r" <- hmm...means "READ FILE"
                                |
:0042B20E 68A8474400            push 004447A8
:0042B213 50                    push eax
:0042B214 E897250000            call 0042D7B0
:0042B219 83C408                add esp, 00000008
:0042B21C 85C0                  test eax, eax <- compare results
:0042B21E 7415                  je 0042B235   <- if no cd then jump
:0042B220 50                    push eax      <- else continue
:0042B221 E86A200000            call 0042D290
:0042B226 83C404                add esp, 00000004
:0042B229 8D4C2404              lea ecx, dword ptr [esp+04]
:0042B22D 51                    push ecx
:0042B22E FFD6                  call esi
:0042B230 83F805                cmp eax, 00000005
:0042B233 7421                  je 0042B256  <- run the game
...
What we'll change it's the je 0042B235 to nop, but we must know the offset,
so move the bar till the address :0042B21E and look at the bottom of screen
and you will see @Offset 0002A61Eh. Now we know the offset that is 2A61E.
So run your hexadecimal editor, open quake2.exe and search for the offset
2A61E, then change 7415 to 9090 and save. Run the game and....!!No CD!!
That was simple, I will try to find a game harder to crack..
That's all and I hope you enjoyed this little tutor.

Xcellent - The Brazillian crack3r
xcellen@bol.com.br
www.tricksoft.net