Geez...Back again Target game: Age of Empires v1.0b (updated)...I know BuL-LeT has already shown you how this is done, but I'm not sure if he cracked the updated version and even if he did, I'll show u my way to defeat the check. Tools include: Hiew 6.x W32Dasm v8.93 (Soft-Ice) not necessary if u know what to look for So... here we go Step 1. For this example I had the ripped game (not sure by which group since there were no .nfos ...but the size was about 70 megs) but I assume this will do for the full version also. Ok... u start the game and try single player and the check strikes again. At this point if u know what to look for goto Step 2. But those who don't I'll explain. Enter Soft-Ice and put a breakpoint on GetDriveTypeA (I assume u know how to use Soft-Ice). Click the single player and if Soft-Ice breaks...u're in the right place... and in this case, it breaks. Step 2. Now it's time to make the backups (if u haven't done them earlier), so make those two backs (.bak &.w32). Then load Empires.w32 onto W32Dasm. After disassembling use the search to find "GetDriveTypeA". Did you get here? * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004E9040(C) | * Possible StringData Ref from Data Obj ->"CDPath" | :004E9049 687C525600 push 0056527C :004E904E 8B8EAC010000 mov ecx, dword ptr [esi+000001AC] :004E9054 6A00 push 00000000 :004E9056 E815C4F3FF call 00425470 :004E905B 8BF8 mov edi, eax :004E905D 85FF test edi, edi :004E905F 7504 jne 004E9065 :004E9061 33C0 xor eax, eax :004E9063 EB63 jmp 004E90C8 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004E905F(C) | :004E9065 57 push edi * Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh <-- This is what u searched for | :004E9066 FF1580167E00 Call dword ptr [007E1680] :004E906C 83F805 cmp eax, 00000005 <-- 05 means cd drive :004E906F 7404 je 004E9075 :004E9071 33C0 xor eax, eax :004E9073 EB53 jmp 004E90C8 A usual way to access the cd-rom... usually there's always some sort of "cd-check" if u scroll a bit up. Like in this case... u can see the text "CDPath". If you aren't a dumb-ass (hah=) u should at least guess that it has something to do with cd-detection. So follow the referenced jump to 4E9040 (scroll a tiny bit up). :004E9040 7407 je 004E9049 <-- the check :004E9042 B801000000 mov eax, 00000001 <--set flag 01 for passed check :004E9047 EB7F jmp 004E90C8 <-- yeah... * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004E9040(C) | * Possible StringData Ref from Data Obj ->"CDPath" At this point, grab the @offset number and goto Hiew. Find that spot and u can either nop the jump or reverse it...anyway u want. But either way you choose, the check is passed!!! C0nGrAtZ (to tell u the truth I really hate that kind of "W4r3z language"... Greetz shall land to following people: Friends IRL, tKC, KangZ Prod 99 (or Zf.. whatever) for the Bleem! crack, Beowulf and all crackaz (I hate that =) in da werld...(I know I know) Written on 11th of July by -C_DKnight ...contact me via c_dknight@iobox.com408A5E. Desable all previsious breakpoints