How to crack Rainbow Six 2 - Rogue Spear by DJ Fortune.
************************************************************

Welcome to my first tutorial. Sorry about my grammatical errors. Hope you will enjoy this.....

OK. Try to launch roguespear.exe .... hmmm, strange, no errors. Keep going: single player, new campaign.... still nothing, how strange. Well, go through every phase until the game asks you to continue to the action phase. Then, if we continue, it says the magic ugly word "RogueSpear CD...". So make a copy of your roguespear.exe and disassemble it (make coffee, take a nap, cos this takes some time...).

Now it's disassembled. The error message we saw can't be in the string data references cos it had a graphical interface (it really could be there, but just this time it isn't, believe me). Well, we still have another choice: search for the text getdrivetypea (it can be found through another place, but this is much faster). You should soon land in here:

* Referenced by a CALL at Addresses:
|:0041DC9C   , :00482B45   , :00482E04   , :004B61D6   , :004E7291
|:004F06C3
|
:0040CE20 81EC10060000            sub esp, 00000610      <--------- It all begins here...
:0040CE26 8D84240C020000          lea eax, dword ptr [esp+0000020C]
:0040CE2D 53                      push ebx
:0040CE2E 55                      push ebp
:0040CE2F 56                      push esi
:0040CE30 57                      push edi
:0040CE31 50                      push eax
:0040CE32 6800040000              push 00000400

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:011Eh   <----- Lists the drives you have in your computer
|
:0040CE37 FF1598F07500            Call dword ptr [0075F098]
:0040CE3D 8BD8                    mov ebx, eax
:0040CE3F 85DB                    test ebx, ebx
:0040CE41 750A                    jne 0040CE4D

* Possible StringData Ref from Data Obj ->"GAME: Could not get drives installed "   <--- In case you don't have a CD drive.
                                        ->"in the system"
|
:0040CE43 684CEF7A00              push 007AEF4C
:0040CE48 E982000000              jmp 0040CECF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CE41(C)
|
:0040CE4D 33F6                    xor esi, esi
:0040CE4F 85DB                    test ebx, ebx
:0040CE51 7E77                    jle 0040CECA

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h   <------------- This got us here (usual CD checker)
|
:0040CE53 8B2DA8F07500            mov ebp, dword ptr [0075F0A8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CEC8(C)
|
:0040CE59 8DBC341C020000          lea edi, dword ptr [esp+esi+0000021C]
:0040CE60 57                      push edi
:0040CE61 FFD5                    call ebp
:0040CE63 83F805                  cmp eax, 00000005      <----------- Is the drive a CD drive?
:0040CE66 7548                    jne 0040CEB0
:0040CE68 8D8C241C010000          lea ecx, dword ptr [esp+0000011C]
:0040CE6F 6800010000              push 00000100
:0040CE74 8D54241C                lea edx, dword ptr [esp+1C]
:0040CE78 51                      push ecx
:0040CE79 8D44241C                lea eax, dword ptr [esp+1C]
:0040CE7D 52                      push edx
:0040CE7E 8D4C241C                lea ecx, dword ptr [esp+1C]
:0040CE82 50                      push eax
:0040CE83 51                      push ecx
:0040CE84 8D542430                lea edx, dword ptr [esp+30]
:0040CE88 6800010000              push 00000100
:0040CE8D 52                      push edx
:0040CE8E 57                      push edi

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
|
:0040CE8F FF15ACF07500            Call dword ptr [0075F0AC]
:0040CE95 83F801                  cmp eax, 00000001
:0040CE98 7516                    jne 0040CEB0
:0040CE9A 8D44241C                lea eax, dword ptr [esp+1C]

* Possible StringData Ref from Data Obj ->"ROGUESPR"   <--------- Our CD volume label.
|
:0040CE9E 6840EF7A00              push 007AEF40
:0040CEA3 50                      push eax
:0040CEA4 E837FE2800              call 0069CCE0
:0040CEA9 83C408                  add esp, 00000008
:0040CEAC 85C0                    test eax, eax
:0040CEAE 7455                    je 0040CF05

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040CE66(C), :0040CE98(C)
|
:0040CEB0 803F00                  cmp byte ptr [edi], 00
:0040CEB3 7410                    je 0040CEC5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CEC3(C)
|
:0040CEB5 3BF3                    cmp esi, ebx
:0040CEB7 7D0C                    jge 0040CEC5
:0040CEB9 8A84341D020000          mov al, byte ptr [esp+esi+0000021D]
:0040CEC0 46                      inc esi
:0040CEC1 84C0                    test al, al
:0040CEC3 75F0                    jne 0040CEB5

You may find many places to patch here, but let's look at the code a little deeper. As you can see, the place where all the calls to this routine land is right above GetDriveTypeA and the other checks, like the volume label and whether there is a CD drive at all. So after a few "seconds" of thinking you might have an idea of patching something. But before you patch anything, think: "What if you did not let the program even see the checkers or touch them, but still allowed it to enter here and leave with a successful check?" Sounds weird, doesn't it? Well, it isn't, cos every one of those calls to this place just wants to know what the code in eax is. Is it 01 or 00?

So start Hacker View (hiew) or any other good hex editor and seek to offset 0000CE20h. Now you are at the beginning of the "CD Check routine". Try to change the code like this:

push 01
pop eax
retn

After this the game pushes 01 onto the stack, pops it into eax and comes back from the call. In hiew press F3 and enter "6A0158C3", save and test it.

.....
.....

Yahoo!!! It worked.

Now this thing works on Rainbow Six 2 Patch v2.04 too, so I'll let you find the place all by yourself.

Special Greetz to: Static Vengeange, Fravia, +HCU and of course to +ORC

Any suggestions or any kind of feedback can be mailed to djfortune@usa.net
up for a failed CD check. Changing this to mov ebx, 00000000 will result in a
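
Seen from the protection side, the weakness is that every caller trusts a single value in eax, so four bytes at the routine's entry replace the whole check. The sketch below is an added example, not part of the original tutorial: it compares the entry bytes at the file offset given above with the bytes from the listing and recognises a constant-return stub. The function names and both sample images are constructed for illustration.

```python
"""Detect a routine entry overwritten with a constant-return stub."""

# First bytes of the routine at :0040CE20, copied from the listing above.
ORIGINAL_ENTRY = bytes.fromhex("81EC10060000" "8D84240C020000" "53555657")
ENTRY_OFFSET = 0xCE20  # file offset given in the tutorial

RET_OPCODES = (0xC3, 0xC2)  # ret / ret imm16


def classify_stub(code: bytes):
    """Describe `code` if it starts with a 'load constant into eax, return' stub."""
    # push imm8 ; pop eax ; ret   (the byte sequence 6A xx 58 C3)
    if len(code) >= 4 and code[0] == 0x6A and code[2] == 0x58 and code[3] in RET_OPCODES:
        return f"push {code[1]:#04x}; pop eax; ret"
    # mov eax, imm32 ; ret        (B8 xx xx xx xx C3)
    if len(code) >= 6 and code[0] == 0xB8 and code[5] in RET_OPCODES:
        imm = int.from_bytes(code[1:5], "little")
        return f"mov eax, {imm:#x}; ret"
    return None


def check_entry(image: bytes, offset: int = ENTRY_OFFSET, expected: bytes = ORIGINAL_ENTRY):
    """Return ('intact', None) or ('modified', stub description or None)."""
    actual = image[offset:offset + len(expected)]
    if len(actual) < len(expected):
        return ("truncated", None)
    if actual == expected:
        return ("intact", None)
    return ("modified", classify_stub(actual))


# Constructed sample images: zero padding up to the offset, then the entry bytes.
clean_image = bytes(ENTRY_OFFSET) + ORIGINAL_ENTRY
patched_image = bytes(ENTRY_OFFSET) + bytes.fromhex("6A0158C3") + ORIGINAL_ENTRY[4:]

if __name__ == "__main__":
    print(check_entry(clean_image))
    print(check_entry(patched_image))
```

A byte comparison like this only tells you the file on disk was changed; a check that lives in the same binary can be patched the same way, which is why a result the program actually needs is harder to bypass than a yes/no in eax.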