hi, (very) quick guide to cracking HalfLife v1.0.0.6

need w32dasm8.9(3) & hex editor

run the game without the CD, click game/new/easy. it asks for the CD 3 times then says failed authentication.
load hl.exe into w32dasm. there's no win95 dialog box asking for the CD, so we check functions/imports
for GetDriveTypeA, double click it and up pops this little snippet...

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
|
:0041EA5D FF15A88B4E00            Call dword ptr [004E8BA8]
:0041EA63 83F805                  cmp eax, 00000005  <-- 05 = DRIVE_CDROM, i.e. check for a cd-rom drive
:0041EA66 740C                    je 0041EA74
:0041EA68 8BC6                    mov eax, esi

scroll up a bit to find out the caller(s)

* Referenced by a CALL at Addresses:
|:0041EDAD   , :0041EF93   

go to the first caller, 41EDAD; this drops us in the middle of the cd-check routine,

* Referenced by a CALL at Address:
|:0041EE42       <-- this is the important bit, boring bits of code have been cut out
|
:0041ED30 81EC04010000            sub esp, 00000104
:0041ED36 33C0                    xor eax, eax

snip

:0041ED47 50                      push eax

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h
                                  |
:0041ED48 8B3DA08B4E00            mov edi, dword ptr [004E8BA0]
:0041ED4E 50                      push eax
:0041ED4F FFD7                    call edi
:0041ED51 8BF0                    mov esi, eax

snip

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
                                  |
:0041EDA0 FF15A88B4E00            Call dword ptr [004E8BA8]
:0041EDA6 83F805                  cmp eax, 00000005  <-- yeah, CD-ROM
:0041EDA9 75E1                    jne 0041ED8C
:0041EDAB 55                      push ebp
:0041EDAC 57                      push edi
:0041EDAD E83EFCFFFF              call 0041E9F0   <---the call to the first routine we found
:0041EDB2 83C408                  add esp, 00000008
:0041EDB5 83F807                  cmp eax, 00000007

O.K. let's go to the caller of this bit then, 41EE42

* Referenced by a CALL at Addresses:
|:0043EEA9   , :0043EEE8   <-- this bit called twice, have a look here if you like
|
:0041EE10 B818120000              mov eax, 00001218
:0041EE15 E806990500              call 00478720
:0041EE1A C744240407000000        mov [esp+04], 00000007
:0041EE22 53                      push ebx
:0041EE23 56                      push esi
:0041EE24 57                      push edi
:0041EE25 55                      push ebp
:0041EE26 E8B5020000              call 0041F0E0
:0041EE2B 8D442410                lea eax, dword ptr [esp+10]
:0041EE2F 6866120000              push 00001266
:0041EE34 C744241400000000        mov [esp+14], 00000000

* Possible StringData Ref from Data Obj ->"valve.ico" <-- search for this on the CD
                                  |
:0041EE3C 68F4D24B00              push 004BD2F4
:0041EE41 50                      push eax
:0041EE42 E8E9FEFFFF              call 0041ED30   <-- call first cd-check routine that calls the
:0041EE47 8A44241C                mov al, byte ptr [esp+1C]  -- second cd check routine
:0041EE4B 83C40C                  add esp, 0000000C
:0041EE4E 3A054CC14B00            cmp al, byte ptr [004BC14C]  <-- compare the result byte with a global
:0041EE54 750D                    jne 0041EE63    <-- jump to next bit which checks another file on the CD
:0041EE56 33C0                    xor eax, eax    <-- otherwise fail CD-Check
:0041EE58 5D                      pop ebp
:0041EE59 5F                      pop edi
:0041EE5A 5E                      pop esi
:0041EE5B 5B                      pop ebx
:0041EE5C 81C418120000            add esp, 00001218
:0041EE62 C3                      ret

right then, the code that calls this bit checks eax (test eax,eax / jne) and jumps off to play the game
when it's non-zero, so we make this routine always return non-zero. (or patch the code that checks the
return value, but that's boring...)

:0041EE54 750D                    jne 0041EE63 <-- change this to xor eax,eax (33C0)
:0041EE56 33C0                    xor eax, eax <-- change this to inc eax ; nop (4090)

patch offset 1E254 in hl.exe, change the 750D33C0 to 33C04090

or be boring and patch the check after the call to this bit.

:0043EEA9 E862FFFDFF              call 0041EE10 <-- call to routine above...
:0043EEAE 85C0                    test eax, eax
:0043EEB0 7572                    jne 0043EF24 <-- change this to jmp 0043EF24 (EB72)

patch offset 3E2B0 in hl.exe, change the 7572 to EB72
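The two "patch offset" lines above each turn a virtual address from the listing into a file offset in hl.exe. Here is an added example (not part of the original tutorial) that does that VA-to-offset mapping through a PE section table and then checks whether the bytes at both sites are still the originals, so a tampered copy of the executable can be spotted. The image base and .text section geometry are assumptions chosen so the mapping reproduces the offsets quoted in the text; the "image" is a constructed stand-in, not a real hl.exe.

```python
from dataclasses import dataclass

IMAGE_BASE = 0x400000  # assumed default image base for hl.exe


@dataclass
class Section:
    name: str
    virtual_address: int  # RVA where the section is mapped
    virtual_size: int
    raw_pointer: int      # file offset of the section's raw data


# Assumed .text geometry: RVA 0x1000 sits at file offset 0x400 (delta 0xC00),
# which is exactly the delta between 0x41EE54 and 0x1E254 in the text.
SECTIONS = [Section(".text", 0x1000, 0xC0000, 0x400)]


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Translate a virtual address to a raw file offset via the section table."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return rva - s.virtual_address + s.raw_pointer
    raise ValueError(f"VA {va:#x} is not inside any section")


# Original bytes at each check site (from the listing) and the bytes the
# tutorial replaces them with; used purely as a tamper signature here.
CHECKS = {
    0x41EE54: (bytes.fromhex("750D33C0"), bytes.fromhex("33C04090")),
    0x43EEB0: (bytes.fromhex("7572"), bytes.fromhex("EB72")),
}


def verify_image(image):
    """Return {va: 'intact' | 'patched' | 'unknown'} for every check site."""
    result = {}
    for va, (original, patched) in CHECKS.items():
        off = va_to_file_offset(va)
        chunk = image[off:off + len(original)]
        result[va] = ("intact" if chunk == original
                      else "patched" if chunk == patched else "unknown")
    return result


def constructed_image(tampered=False):
    """Constructed stand-in for hl.exe: zero-filled, only the two sites populated."""
    img = bytearray(0x40000)
    for va, (original, patched) in CHECKS.items():
        off = va_to_file_offset(va)
        img[off:off + len(original)] = patched if tampered else original
    return bytes(img)
```

Running `verify_image` over a pristine image reports both sites as intact; over the constructed tampered image it reports both as patched, and any other bytes at those offsets come back as unknown.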

OK, it was a bit harder than this but I'm telling you the proper way to crack it. I tried patching
the actual checks that check that the cd is read-only, has no free space, and that the file sizes are correct,
but there was just too much to follow; I gave up, tried again and after about half an hour came
up with this. yeah, I did it the boring way by patching both the jne's after the calls at
0043EEA9 & 0043EEE8, then realised that if the first one was a jmp, the second one would never be reached.
screw the check for how many times the cd-check was run, because it passes first time anyway.

love R!SC

risc@notme.com
