Yo again..

Target game: Age of Wonders v1.2 [US] (updated)
Toolz: Soft-Ice 4.01, W32Dasm
Level: 1, easy

In order to get the greatest pleasure out of this crack, you'll need these too: the new Sentenced album, Crimson, and the song from there, Killing Me Killing You. Then you'll need earphones; plug them into your ears, connect them to your CD-player and R0CK IT BABY!!!

Protection: CD-Check.. kinda different though.. (not the check I mean.. u'll see)

Alrighty.. if ur ready.. we can start.

So.. I made the usual backups and noted down the "Please insert CD" message. Continued with W32Dasm disassembling AoW.exe and searched for the message.. none found.. another point of interest was GetDriveTypeA, which I searched for. Yea.. I found something:

    * Reference To: kernel32.GetDriveTypeA, Ord:0000h
    |
    :0041ECFC E8CF26FEFF    Call 004013D0
    :0041ED01 83F804        cmp eax, 00000004    <-- But this isn't a check for CD-ROM!?
    :0041ED04 741F          je 0041ED25
    :0041ED06 6A00          push 00000000
    :0041ED08 6A00          push 00000000
    :0041ED0A 8D45F4        lea eax, dword ptr [ebp-0C]

Huh?.. at the very first moment I thought this was not the right place.. hmmh.. guess we gotta do some SICing. CTRL-D to SI and BPX GetDriveTypeA. CTRL-D back to windoze and ready to start AoW.exe. Double-click on the .EXE and after a moment SI breaks!... but where?.. something like aowepack..? Ok.. I exit SI and check the AoW dir for any aowepacks.. and I'm successful :).. Aowepack.Dpl. So.. let's disassemble aowepack.w32 (its backup)... this will take a while..

................................................................ Done?.. No? ................................................................

K.. should be done now.. ;) Let's search for GetDriveTypeA.. mm.. disregard the first string, and check this one:

    * Reference To: kernel32.GetDriveTypeA, Ord:0000h
    |
    :5570629F E8C8B1FFFF    Call 5570146C
    :557062A4 83F805        cmp eax, 00000005    <-- Aah.. check for CD-ROM
    :557062A7 7554          jne 557062FD         <-- CD not found, jump
    :557062A9 8D45F4        lea eax, dword ptr [ebp-0C]
    :557062AC 8A55FF        mov dl, byte ptr [ebp-01]

Let's scroll up and see if we come across any caller or other interesting stuff.. c00l.. I found this:

    * Referenced by a CALL at Address:
    |:55706388
    |
    Exported fn(): AoWReg.ValidAoWCD@BF94463D - Ord:0005h    <-- Looks pretty interesting.. huh? :)

Trace back the Call and u'll get here:

    * Reference To: kernel32.GetLogicalDrives, Ord:0000h
    |
    :55706368 E80FB1FFFF    Call 5570147C
    :5570636D 8BF8          mov edi, eax
    :5570636F EB24          jmp 55706395

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:5570639C(C)
    |
    :55706371 8BCE          mov ecx, esi
    :55706373 B801000000    mov eax, 00000001
    :55706378 D3E0          shl eax, cl
    :5570637A 85F8          test eax, edi
    :5570637C 7416          je 55706394          <-- Jump to loop
    :5570637E 8BC6          mov eax, esi
    :55706380 0461          add al, 61
    :55706382 880424        mov byte ptr [esp], al
    :55706385 8A0424        mov al, byte ptr [esp]

    * Reference To: AoWEPACK.AoWReg.ValidAoWCD@BF94463D
    |
    :55706388 E8D3FEFFFF    call 55706260        <-- This calls GetDriveTypeA, u should be here
    :5570638D 84C0          test al, al          <-- Test results
    :5570638F 7403          je 55706394          <-- Jump if they match
    :55706391 8A1C24        mov bl, byte ptr [esp]

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:5570637C(C), :5570638F(C)
    |
    :55706394 46            inc esi

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:5570636F(U)
    |
    :55706395 84DB          test bl, bl
    :55706397 7505          jne 5570639E
    :55706399 83FE1A        cmp esi, 0000001A    <-- Compare drive letters
    :5570639C 75D3          jne 55706371         <-- Loop this until all letters done

Hmm... if u still scroll a tiny bit up from GetLogicalDrives you'll see this:

    * Referenced by a CALL at Address:
    |:557063D9                                    <-- Another caller.. if u want u can trace back there
    |
    Exported fn(): AoWReg.AoWCDInserted@82678C4D - Ord:0004h    <-- If this isn't interesting, what is?
    :55706360 53            push ebx
    :55706361 56            push esi
    :55706362 57            push edi
    :55706363 51            push ecx
    :55706364 33DB          xor ebx, ebx
    :55706366 33F6          xor esi, esi

I was too lazy to chase the routine in SI since I was almost sure how to pass the check.. So.. I know at least two ways for sure to pass the check at this point:

1. Change the call @ 55706388 -> mov eax, 00000001
2. Or trace back to 557063D9 and mov eax, 00000001 the call there

Do whichever u like; I took out the call to GetDriveTypeA (55706388) and the game works.

Due to the fact that this game is very good, I'll recommend u not to crack it, but buy the game from the STORE, LIKE I DID! This is just another tute to show you how to disable a CD-Check... they all work the same.. (almost..) Newbies should aim for these due to their easiness.

-C_DKnight <- c_dknight@iobox.com, IRC #Cracking4Newbies

Greetings that I shall pass to my friends: AB4DS, Lazarus, Sinn0r, Hades', Dead-Mike, R!SC, Eternal Bliss, [yAtEs], cTT!!!!, TheSmurf and all the others I forgot :) Plus Tailz, F0ley, Mathras, MR-B, Makis, LM555
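To make the AoWCDInserted / ValidAoWCD listing above easier to follow, here is the same loop reconstructed in C. This is an added illustration, not code from the game or the tute; GetLogicalDrives and GetDriveTypeA are replaced by a constructed bitmask and a caller-supplied lookup (assumptions) so it runs outside Windows.

```c
#include <stdio.h>

/* Win32 drive-type values the listings compare against:
 * AoW.exe tested for 4 (DRIVE_REMOTE), aowepack tests for 5 (DRIVE_CDROM). */
#define DRIVE_REMOTE 4
#define DRIVE_CDROM  5

/* Stand-in for GetDriveTypeA (assumption so the loop runs anywhere). */
typedef unsigned (*drive_type_fn)(char letter);

/* Mirrors AoWReg.ValidAoWCD: non-zero if the letter is a CD-ROM drive
 * (cmp eax, 5 / jne). */
static int valid_aow_cd(char letter, drive_type_fn get_type)
{
    return get_type(letter) == DRIVE_CDROM;
}

/* Mirrors AoWReg.AoWCDInserted: walk the GetLogicalDrives bitmask (edi).
 *   esi = letter index, loop until cmp esi, 1Ah (26 letters)
 *   eax = 1 << esi; test eax, edi   -> skip letters that don't exist
 *   al  = esi + 61h                 -> 'a' + index
 *   call ValidAoWCD; test al, al    -> bl = letter on first hit, exit
 * Returns the drive letter found, or 0 when no CD-ROM drive exists. */
static char aow_cd_inserted(unsigned logical_drives, drive_type_fn get_type)
{
    char found = 0;                                   /* xor ebx, ebx */
    for (unsigned i = 0; i < 26 && !found; i++) {     /* cmp esi, 1Ah */
        if (!((1u << i) & logical_drives))            /* test eax, edi */
            continue;
        char letter = (char)('a' + i);                /* add al, 61h */
        if (valid_aow_cd(letter, get_type))           /* test al, al */
            found = letter;                           /* mov bl, [esp] */
    }
    return found;
}

/* Constructed sample box: a: floppy(2), c: fixed(3), e: network(4), f: CD-ROM(5). */
static unsigned sample_drive_type(char letter)
{
    switch (letter) {
    case 'a': return 2;
    case 'c': return 3;
    case 'e': return DRIVE_REMOTE;
    case 'f': return DRIVE_CDROM;
    default:  return 1;                               /* DRIVE_NO_ROOT_DIR */
    }
}

int main(void)
{
    unsigned mask = (1u << 0) | (1u << 2) | (1u << 4) | (1u << 5); /* a c e f */
    char cd = aow_cd_inserted(mask, sample_drive_type);
    printf("CD-ROM drive: %c\n", cd ? cd : '-');     /* prints "CD-ROM drive: f" */
    return 0;
}
```

Note that e: (type 4) is skipped, which is exactly why the cmp eax, 4 found in AoW.exe was not the check.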