Bug Error 2000
---------------

The Cracking Answer
--------------------


Soldier of Fortune 1.0 NO CD
-----------------------------


Tools that you'll need
-----------------------

- Soft-Ice
- W32dasm 8.93
- Hiew 6 or higher


Initial notes
--------------

- First, install the full game
- Make sure that the CD isn't in your drive :))




Trace the CD check routine
---------------------------

- Run the game
- Click on GAME
- Choose a name and click on Start
- Press CTRL + D to open Soft-Ice
- Put a breakpoint on the GetDriveTypeA function by typing: BPX GetDriveTypeA
- Press F5 to go back to the game
- Choose the level difficulty
- Hop, you're back in Soft-Ice thanks to the breakpoint
- Press F11 to return to the caller, and you'll see this:

Break due to BPX KERNEL32!GetDriveTypeA  (ET=5.12 seconds)
Break due to G (ET=365.06 microseconds)

0167:2006BEC9  CALL      EBP
0167:2006BECB  CMP       EAX,05 => 05 means CD-ROM ;)
0167:2006BECE  JNZ       2006BFA3
0167:2006BED4  XOR       EAX,EAX
0167:2006BED6  MOV       CL,[ESP+40]
0167:2006BEDA  MOV       [ESP+14],EAX
0167:2006BEDE  LEA       EDX,[ESP+30]
0167:2006BEE2  MOV       [ESP+18],EAX
0167:2006BEE6  MOV       [ESP+30],CL



- Note the address 2006BECB, you'll need it




Disassembling File with W32dasm
-------------------------------

- Load W32dasm and open "SoF.exe"
- After a while, the file will be disassembled
- Now click on "Goto" in the menu
- Click on "Goto Code Location"
- Type 2006BECB
- You should now see this:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:2006BFAF(C)
|
:2006BEAB 8A4C2410                mov cl, byte ptr [esp+10]
:2006BEAF 8D542440                lea edx, dword ptr [esp+40]
:2006BEB3 80C141                  add cl, 41
:2006BEB6 52                      push edx
:2006BEB7 884C2444                mov byte ptr [esp+44], cl
:2006BEBB C64424453A              mov [esp+45], 3A
:2006BEC0 C64424465C              mov [esp+46], 5C
:2006BEC5 885C2447                mov byte ptr [esp+47], bl
:2006BEC9 FFD5                    call ebp
:2006BECB 83F805                  cmp eax, 00000005 => You're here
:2006BECE 0F85CF000000            jne 2006BFA3


- Now we'll find the CD-check caller; scroll up until you see this:

* Referenced by a CALL at Addresses:
|:2000AF0C   , :2000AFC6   , :2000B112  => We found it ;) 
|
:2006BCB0 81EC34050000            sub esp, 00000534
:2006BCB6 53                      push ebx
:2006BCB7 55                      push ebp
:2006BCB8 56                      push esi
:2006BCB9 57                      push edi
:2006BCBA 6A3A                    push 0000003A


- Now we're going to take the file offset
- Double-right-click on :2000AF0C and you'll see this:

:2000AF0C E89F0D0600              call 2006BCB0

- Look at the bottom of the window and you'll see the offset; here it is 0000AF0C
- Note it, you'll need it
- Now click on the call button and you'll go back to this:

* Referenced by a CALL at Addresses:
|:2000AF0C   , :2000AFC6   , :2000B112  =>  
|
:2006BCB0 81EC34050000            sub esp, 00000534
:2006BCB6 53                      push ebx
:2006BCB7 55                      push ebp
:2006BCB8 56                      push esi
:2006BCB9 57                      push edi
:2006BCBA 6A3A                    push 0000003A

- Take the offsets of the two other calls; here they are 0000AFC6 and 0000B112



Crack the "SoF.exe" file
-------------------------

- To do this, you'll need Hiew
- Launch Hiew and load "SoF.exe"
- Press F4 and choose "Decode"
- Press F5 and enter the offset, here 0000AF0C
- Press F4 and choose "Hex"
- Press F3 to edit and type B8
- Press F9 to update the EXE

- Press F4 and choose "Decode"
- Press F5 and enter the offset, here 0000AFC6
- Press F4 and choose "Hex"
- Press F3 to edit and type B8
- Press F9 to update the EXE

- Press F4 and choose "Decode"
- Press F5 and enter the offset, here 0000B112
- Press F4 and choose "Hex"
- Press F3 to edit and type B8
- Press F9 to update the EXE

- Run the game, and, Hiiiiiiiihaaaaaaaaa, you cracked Soldier of Fortune 1.0 ;)
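To check the listing rather than take it on faith, here is a small decoder (an added example, not part of the original tutorial or its Delphi source) that works on the five bytes W32dasm shows at :2000AF0C. It confirms that the E8 rel32 CALL really lands on the CD-check routine at 2006BCB0, and shows what the same operand bytes mean once the opcode byte is B8 (a MOV EAX,imm32 of the same length, which is why a single-byte edit leaves the surrounding code intact).

```python
import struct

# Instruction bytes and address exactly as shown in the W32dasm listing
CALL_ADDR = 0x2000AF0C
CALL_BYTES = bytes.fromhex("E89F0D0600")


def decode_call_rel32(addr: int, insn: bytes) -> int:
    """Return the absolute target of an E8 rel32 (near relative CALL).

    The 32-bit displacement is signed, little-endian, and relative to the
    address of the instruction that follows the 5-byte CALL.
    """
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 CALL")
    (rel,) = struct.unpack("<i", insn[1:])
    return (addr + 5 + rel) & 0xFFFFFFFF


def decode_mov_eax_imm32(insn: bytes) -> int:
    """Return the immediate loaded by a B8 imm32 (MOV EAX, imm32)."""
    if len(insn) != 5 or insn[0] != 0xB8:
        raise ValueError("not a B8 imm32 MOV EAX")
    (imm,) = struct.unpack("<I", insn[1:])
    return imm


def reinterpret_call_as_mov(insn: bytes) -> int:
    """What the tutorial's edit produces: same operand bytes, opcode E8 -> B8.

    The CALL is never taken; EAX simply receives the old displacement
    (a nonzero value) and execution falls through to the next instruction.
    """
    patched = bytes([0xB8]) + insn[1:]
    return decode_mov_eax_imm32(patched)


if __name__ == "__main__":
    target = decode_call_rel32(CALL_ADDR, CALL_BYTES)
    print(f"call at {CALL_ADDR:08X} targets {target:08X}")  # 2006BCB0
    print(f"after E8->B8 it reads MOV EAX,{reinterpret_call_as_mov(CALL_BYTES):08X}")
```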



Cracking source code
---------------------

- I've also included the crack source code, written in Delphi, if you want to distribute your crack
  over the Internet ;)



Greetz to all TCA members, all the guys at Gamecopyworld and all crackers over the world ;)
Also a big greetz to my lovely bitch Kobold666 and TiVe ;) You rock guys ;)

Note: I'd be very happy if someone could convert my Delphi crack source to C or C++,
      because I'm a lamer at coding ;)

Contact me by e-mail at bugerror@hotmail.com


