How to crack MythII using W32Dasm and HIEW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Killer_3K
~~~~~~~~~~~~

Ok, what we have here is one of the common commercial CD checks (which are VERY easy to beat). This kind of CD check is used in many games, like Mdk, F/A-16 and MANY others... We will crack this lil game using W32Dasm and HIEW.

1) Install Myth2 (full installation, takes 500mb...).

2) Run W32Dasm and disassemble Myth2 (btw, before you start disassembling it, clear about 100mb on c:, because this game is really fat; although it won't be enough for a full disassembly of the file, it will include the CD-check part).

3) Go to Functions, then select Import and look for Kernel32.GetDriveTypeA. Now you should arrive here:

    * Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
    :004272D3 FF1520F95A00   Call dword ptr [005AF920]
    :004272D9 83F805         cmp eax, 00000005
    :004272DC 0F858F000000   jne 00427371
    :004272E2 6A00           push 00000000
    ......some other stuff.

That's the beginning of one of the CD checks... we will come back to that part a bit later. Go back to Functions, Import and double-click on kernel32.GetDriveTypeA again. You will arrive here:

    * Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
    :00485F00 FF1520F95A00   Call dword ptr [005AF920]
    :00485F06 83F805         cmp eax, 00000005           <-- 05 means cd-rom drive
    :00485F09 0F858C000000   jne 00485F9B
    :00485F0F 8A0D881C5500   mov cl, byte ptr [00551C88]

4) Alrighty, we want it to read from the HDD, right? So we need to change it to 03. Run HIEW, go to hex mode, go to the offset (85306) and change 83F805 to 83F803. Now scroll a bit down till you reach:

    * Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh
    :00485F42 FF151CF95A00   Call dword ptr [005AF91C]
    :00485F48 85C0           test eax, eax
    :00485F4A 7447           je 00485F93                 <-- if it isn't possible to get volume information (cd not present etc.) then jump to badboy
    :00485F4C 8D4C2418       lea ecx, dword ptr [esp+18]
    ...and more stuff.

5) You *CAN* nop this part, but it's not necessary, since it will be reading the data from the HDD, and it can always retrieve the volume name from the HDD. Ok, now scroll a bit down till you reach:

    :00485F5D 8D842418010000 lea eax, dword ptr [esp+00000118]

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00485F82(C)
    |
    :00485F64 8A10           mov dl, byte ptr [eax]
    :00485F66 8ACA           mov cl, dl
    :00485F68 3A16           cmp dl, byte ptr [esi]
    :00485F6A 751C           jne 00485F88                <--- badboy
    :00485F6C 84C9           test cl, cl
    :00485F6E 7414           je 00485F84                 <-- goodboy
    :00485F70 8A5001         mov dl, byte ptr [eax+01]

6) Ok, so what we have here is the classical badboy/goodboy. Alrighty, load HIEW, go to offset 8536A (badboy) and nop it, then go to 8536E and change it to jmp (7414 --> EB14). Ok, now run MythII... yea!! it works!! Now press the `new game` button... hmmm... it flies right back to winblows... hmm... what is wrong? Remember that CD check we skipped earlier? Go back to it:

    * Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
    :004272D3 FF1520F95A00   Call dword ptr [005AF920]
    :004272D9 83F805         cmp eax, 00000005           <-- read from cd drive, change the 05 to 03...
    :004272DC 0F858F000000   jne 00427371
    :004272E2 6A00           push 00000000
    :004272E4 8D44241C       lea eax, dword ptr [esp+1C]

7) Ok, now scroll down till you reach:

    :00427320 8A10           mov dl, byte ptr [eax]
    :00427322 8ACA           mov cl, dl
    :00427324 3A16           cmp dl, byte ptr [esi]
    :00427326 751C           jne 00427344                <-- badboy
    :00427328 84C9           test cl, cl
    :0042732A 7414           je 00427340                 <--- goodboy
    :0042732C 8A5001         mov dl, byte ptr [eax+01]

8) Now patch it the same way we patched the first CD check. Close W32Dasm after you have finished patching.

9) Ok, now run MythII, press on New Game... yea!! it works!! You just cracked MythII!! :)

Btw, a small comment: if Myth2 still flies back to winblows during the loading, then clear up some space on c:... about 80mb (free on c:) should do it... that game is fat :)

-Killer_3K
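As an added example (not part of Killer_3K's tutorial), a small Python helper that checks the arithmetic the listings above rely on: it decodes the two-byte short jumps into their target addresses, names the GetDriveTypeA return value a `cmp eax, imm8` tests, and maps VAs to the file offsets HIEW shows. The VA-to-offset delta of 0x400C00 is an assumption derived from the three VA/offset pairs the tutorial gives (00485F06/85306, 00485F6A/8536A, 00485F6E/8536E).

```python
import re

# GetDriveTypeA return values (Windows SDK constant names)
DRIVE_TYPES = {2: "DRIVE_REMOVABLE", 3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}
# Two-byte short jumps (opcode + signed rel8) seen in the listings
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}
# Assumption: the tutorial's VA/HIEW-offset pairs (00485F06 -> 85306, 00485F6A -> 8536A,
# 00485F6E -> 8536E) all differ by this constant, so it is taken to hold for every VA above
VA_TO_FILE_DELTA = 0x400C00
# W32Dasm instruction line: ":<VA> <hex bytes> <mnemonic> ..."
LINE_RE = re.compile(r":([0-9A-F]{8})\s+([0-9A-F]+)\s+(\w+)")

def parse_listing_line(line):
    """Return (va, code_bytes, mnemonic), or None for reference/comment lines."""
    m = LINE_RE.search(line)
    return (int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)) if m else None

def short_jump_target(va, code):
    """Target VA of a 2-byte short jump: next-instruction VA plus signed rel8."""
    if len(code) != 2 or code[0] not in SHORT_JUMPS:
        raise ValueError("not a 2-byte short jump")
    return va + 2 + (code[1] - 256 if code[1] >= 128 else code[1])

def file_offset(va):
    """Raw file offset HIEW shows for a VA in these listings (see assumption above)."""
    return va - VA_TO_FILE_DELTA

def drive_type_compared(code):
    """For 'cmp eax, imm8' (83 F8 ib) name the GetDriveTypeA value being tested."""
    if len(code) == 3 and code[:2] == b"\x83\xf8":
        return DRIVE_TYPES.get(code[2], "unknown")
    return None

def check_listing(lines):
    """Decode every short jump as (mnemonic, VA, target VA, HIEW file offset)."""
    found = []
    for line in lines:
        parsed = parse_listing_line(line)
        if parsed and len(parsed[1]) == 2 and parsed[1][0] in SHORT_JUMPS:
            va, code, mnem = parsed
            found.append((mnem, va, short_jump_target(va, code), file_offset(va)))
    return found

# Constructed sample: the compare loop from the tutorial's second GetDriveTypeA listing
SAMPLE = """\
:00485F68 3A16 cmp dl, byte ptr [esi]
:00485F6A 751C jne 00485F88
:00485F6C 84C9 test cl, cl
:00485F6E 7414 je 00485F84
""".splitlines()
```

Running `drive_type_compared` on `83F805` and `83F803` names DRIVE_CDROM and DRIVE_FIXED respectively, which is the whole weakness of this check: a single immediate byte decides which drive type is accepted.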