
Free Information Xchange presents:

Half Life Version 1.0 - CD crack by R!SC - 06/01/99

REQUIREMENTS:
Hex editor
W32Dasm 8.9x

  Heh, I cracked version 1.0.0.6 first, because there were already enough cracks for version 1.0.
In the readme file for 1.0.0.6, Sierra stated this: "We've disabled the portion of the CD
authentication that checked for the music tracks since it was tripping up legitimate customers".
Thinking this would be more of a challenge, I ditched v1.0.0.6 and did a fresh install. I now had
Half Life installed with ALL the CD checks enabled!

  First off, make a copy of hl.exe and load this into W32Dasm. I didn't really know where to start. I
know that for normal CD checks you look for GetDriveTypeA (like I did with v1.0.0.6), but I had never cracked
a game that checked for music tracks, so we begin by looking through the string references for
something interesting,

e.g. "a:\", "c:\", "Please insert the Half Life CD"

After a few minutes scrolling through the list, I found "valve.ico", an icon file that is on the CD
and in the install directory, so double click this. Double clicking again reveals that this is the
only reference to it.

* Referenced by a CALL at Addresses:
|:0041CC5E   , :0041CC9D
|
:0043AC80 B818120000              mov eax, 00001218
:0043AC85 E866C20300              call 00476EF0       <-- ??? take a look and see if you can figure it out ;)
:0043AC8A C744240407000000        mov [esp+04], 00000007
:0043AC92 53                      push ebx
:0043AC93 56                      push esi
:0043AC94 57                      push edi
:0043AC95 55                      push ebp
:0043AC96 E8B5020000              call 0043AF50       <-- Routine to check CD audio??
:0043AC9B 8D442410                lea eax, dword ptr [esp+10]
:0043AC9F 6866120000              push 00001266
:0043ACA4 C744241400000000        mov [esp+14], 00000000

* Possible StringData Ref from Data Obj ->"valve.ico" <-- ref that brought us here
                                  |
:0043ACAC 68B8E84B00              push 004BE8B8
:0043ACB1 50                      push eax
:0043ACB2 E8E9FEFFFF              call 0043ABA0       <-- Routine to check file on CD
:0043ACB7 8A44241C                mov al, byte ptr [esp+1C]
:0043ACBB 83C40C                  add esp, 0000000C
:0043ACBE 3A0548C14B00            cmp al, byte ptr [004BC148]
:0043ACC4 750D                    jne 0043ACD3        <-- If we found the first file, Jump to check next file on CD 
:0043ACC6 33C0                    xor eax, eax        <-- Otherwise, setup for a failed CD check
:0043ACC8 5D                      pop ebp
:0043ACC9 5F                      pop edi
:0043ACCA 5E                      pop esi
:0043ACCB 5B                      pop ebx
:0043ACCC 81C418120000            add esp, 00001218
:0043ACD2 C3                      ret


  Highlight the first call "call 00476EF0", and press cursor right to take a look at what this
call does, nothing interesting really, push cursor left to return. Scroll down to the next call
"call 0043AF50", push cursor right. Brings us here...

* Referenced by a CALL at Address:
|:0043AC96                                            <-- Only one caller to this little check !)
|
:0043AF50 83EC20                  sub esp, 00000020
:0043AF53 833D90044D0000          cmp dword ptr [004D0490], 00000000
:0043AF5A 53                      push ebx
:0043AF5B 56                      push esi
:0043AF5C 57                      push edi
:0043AF5D 55                      push ebp
:0043AF5E 7438                    je 0043AF98         <-- I missed this bit out, but it's practically the same
:0043AF60 8D44241C                lea eax, dword ptr [esp+1C]

* Reference To: WINMM.mciSendCommandA, Ord:0032h      <-- Windoze multimedia library command
                                  |                   <-- probably used quite often in CD checks, but I have never seen it
:0043AF64 8B35008F4E00            mov esi, dword ptr [004E8F00]

* Possible StringData Ref from Data Obj ->"cdaudio"   <-- Clue to what's going off...
                                  |
:0043AF6A C744242498E84B00        mov [esp+24], 004BE898
:0043AF72 50                      push eax
:0043AF73 6800210000              push 00002100
:0043AF78 6803080000              push 00000803
:0043AF7D 6A00                    push 00000000
:0043AF7F FFD6                    call esi
:0043AF81 85C0                    test eax, eax
:0043AF83 740D                    je 0043AF92
:0043AF85 B8FFFFFFFF              mov eax, FFFFFFFF   <-- Don't really care about the return value
:0043AF8A 5D                      pop ebp              -- this is one of three possible exit values
:0043AF8B 5F                      pop edi              -- I don't know where they are checked either!
:0043AF8C 5E                      pop esi
:0043AF8D 5B                      pop ebx
:0043AF8E 83C420                  add esp, 00000020
:0043AF91 C3                      ret

  OK, probably the CD audio authentication. Push cursor left to return us to where we came from,
scroll down to the next call "call 0043ABA0" and take this one by pushing cursor right.

* Referenced by a CALL at Address:
|:0043ACB2   <-- hi there
|
:0043ABA0 81EC04010000            sub esp, 00000104
:0043ABA6 33C0                    xor eax, eax
:0043ABA8 B940000000              mov ecx, 00000040
:0043ABAD 53                      push ebx
:0043ABAE 56                      push esi
:0043ABAF 57                      push edi
:0043ABB0 8D7C2410                lea edi, dword ptr [esp+10]
:0043ABB4 55                      push ebp
:0043ABB5 F3                      repz
:0043ABB6 AB                      stosd
:0043ABB7 50                      push eax

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h <-- commonly used in CD checks
                                  |
:0043ABB8 8B3D848B4E00            mov edi, dword ptr [004E8B84]
:0043ABBE 50                      push eax
:0043ABBF FFD7                    call edi
  __________________
   snip boring code
  ------------------

:0043AC0C 8D7801                  lea edi, dword ptr [eax+01]
:0043AC0F 57                      push edi

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
                                  |
:0043AC10 FF15988B4E00            Call dword ptr [004E8B98]
:0043AC16 83F805                  cmp eax, 00000005         <-- well, we know '5' means CD-ROM (DRIVE_CDROM)
:0043AC19 75E1                    jne 0043ABFC               -- so this is definitely our CD check

  After having a look around, we know this is our CD check routine. Push cursor left to take us back
to our first piece of code. This is referenced by two callers; if you're using W32Dasm 8.93,
double right click the first number, otherwise press shift+F12 and type in the first number.

* Referenced by a CALL at Addresses:
|:0041CC5E   , :0041CC9D  <-- this one is part of this routine as well
  ^^ <-- the first number
  
  Doing this brings us to this piece of code...
  
:0041CC5E E81DE00100              call 0043AC80  <-- The call to the two? CD checks
:0041CC63 85C0                    test eax, eax  <-- Check return value
:0041CC65 7572                    jne 0041CCD9   <-- jump if not equal to the end of the routine
:0041CC67 68027F0000              push 00007F02   -- otherwise do some other stuff 

* Reference To: USER32.LoadCursorA, Ord:0172h
                                  |
:0041CC6C 8B1D448E4E00            mov ebx, dword ptr [004E8E44]
:0041CC72 6A00                    push 00000000
:0041CC74 FFD3                    call ebx

  Normally, in most cases I have seen, when there's a call to a CD check, a test and a conditional
jump afterwards, the protection can be bypassed by either forcing the jump or not taking it at all.
Well, I edited the jne 0041CCD9 after the call to the CD check to a jmp 0041CCD9, saved the file,
ran Half Life and I could play the game without the CD!

StaticVengeance likes to remove the CD check altogether if possible.
"Well, if it's going to fail the check, what's the point in taking it at all," he probably said
(don't quote me on this, it's probably true though).

So I changed the jmp back to a jne and edited the call to a mov eax, 0001E01D by changing the
E81DE00100 to a B81DE00100. This removes the call entirely, so the CD check is never taken; it also
puts a non-zero value into eax, so the 'jne 0041CCD9' after the 'test eax, eax' is always taken.
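The reasoning above rests on how x86 encodes these instructions. As an added example (not part of R!SC's tutorial), this decoder takes the address/byte pairs quoted from the W32Dasm listing, recomputes the call and jump targets from the relative displacements, and shows why the same four displacement bytes read as an imm32 after B8 become the constant 0001E01D. It only interprets the bytes shown on this page; it does not read or write any file.

```python
import struct

def decode(addr, hexbytes):
    """Decode one instruction given its virtual address and hex bytes.

    Handles only the encodings that appear in the listing above:
    E8 rel32 (call), B8 imm32 (mov eax), 74/75 rel8 (je/jne).
    Returns (mnemonic, value) where value is the target or immediate.
    """
    b = bytes.fromhex(hexbytes)
    op = b[0]
    if op == 0xE8 and len(b) == 5:
        # call rel32: target = address of next instruction + signed disp
        disp = struct.unpack('<i', b[1:5])[0]
        return ('call', addr + 5 + disp)
    if op == 0xB8 and len(b) == 5:
        # mov eax, imm32: the same four bytes, now an unsigned constant
        return ('mov eax', struct.unpack('<I', b[1:5])[0])
    if op in (0x74, 0x75) and len(b) == 2:
        # je/jne rel8: signed byte, so 0xE1 is a backward jump of -0x1F
        disp = struct.unpack('<b', b[1:2])[0]
        return ('je' if op == 0x74 else 'jne', addr + 2 + disp)
    raise ValueError(f'unsupported encoding {hexbytes}')

# (virtual address, bytes) pairs copied from the W32Dasm output above
LISTING = [
    (0x0041CC5E, 'E81DE00100'),  # call 0043AC80  (the CD-check call)
    (0x0041CC65, '7572'),        # jne  0041CCD9
    (0x0043AC85, 'E866C20300'),  # call 00476EF0
    (0x0043AC96, 'E8B5020000'),  # call 0043AF50  (cdaudio check)
    (0x0043ACB2, 'E8E9FEFFFF'),  # call 0043ABA0  (file-on-CD check)
    (0x0043ACC4, '750D'),        # jne  0043ACD3
    (0x0043AC19, '75E1'),        # jne  0043ABFC  (backward branch)
    (0x0043AF5E, '7438'),        # je   0043AF98
]

def check_listing():
    """Recompute every target W32Dasm printed, keyed by address."""
    return {addr: decode(addr, hb) for addr, hb in LISTING}

def patched_operand():
    """Same displacement bytes after the E8 -> B8 opcode change."""
    return decode(0x0041CC5E, 'B81DE00100')

if __name__ == '__main__':
    for addr, (mnemonic, value) in check_listing().items():
        print(f'{addr:08X}: {mnemonic} {value:08X}')
    print('after E8->B8:', patched_operand())
```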

Thank you for listening, Half Life is now cracked (FiX'ed)


" btw, internet gaming probably won't work, it doesn't work with the cracked version of Half Life
1.0.0.6, I was informed of this problem by a couple of guys e-mailing me and moaning about it,
I never play games over the internet so I never knew about this problem, I had a look through
the exe but can't figure out if it's possible to fix this. " (sorry)


 Another tutorial comes to an end and another game has been FiX'ed!
 
happy cracking love R!SC -- risc_1@hotmail.com



for v1.0 - edit hl.exe (offsets are in hex)
===========================================================
Search for: E8 1D E0 01 00    at offset 1C05E
Change to : B8 -- -- -- --


for v1.0.0.6 - edit hl.exe (offsets are in hex)
===========================================================
Search for: E8 62 FF FD FF    at offset 3E2A9
Change to : B8 -- -- -- --



