
Free Information Xchange '98 presents:

Unreal - CD crack by Static Vengeance

Requirements:
Hex Editor and Full Install
W32Dasm if you want to follow along

	Unreal, like its name, is just that as far as graphics for first person shooters go!  It's awesome
on my Voodoo2 card.  Just one little problem needs to be FiX'ed, and that is the CD check that
comes up before you can play the game.  So I started up my favorite cracking program for Win95 exe files,
W32Dasm by URSoft.  I started out by disassembling the unreal.exe... but had no luck, so
I thought I would check out some of the game DLLs.  I first started with the engine.dll but had no luck
there either.  Next (with some sort of logical progression) I tried window.dll.  Sure enough, I checked
for a reference to "Please insert.." and came upon this little bit of code:

--  Program code  --
* Reference To: Core.?appSprintf@@YAHPADPBDZZ, Ord:033Eh
                                  |
:10B1C3CC FF150CB6B310            Call dword ptr [10B3B60C]
:10B1C3D2 83C40C                  add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10B1C405(C), :10B1C41B(U)                                          <-- 2 jumps land here
|
:10B1C3D5 A114B7B310              mov eax, dword ptr [10B3B714]
:10B1C3DA 833800                  cmp dword ptr [eax], 00000000
:10B1C3DD 753E                    jne 10B1C41D                       <-- Use this conditional jump to
:10B1C3DF 8D8DE4F9FFFF            lea ecx, dword ptr [ebp+FFFFF9E4]  <--  jump over the pop up dialog
:10B1C3E5 51                      push ecx
:10B1C3E6 FFD3                    call ebx                           <-- Actual CD check
:10B1C3E8 83C404                  add esp, 00000004
:10B1C3EB 85C0                    test eax, eax                      <-- Test eax for the result
:10B1C3ED 7F2E                    jg 10B1C41D                        <-- Take this jump for passed CD check
:10B1C3EF 6801200000              push 00002001

* Possible StringData Ref from Data Obj ->"Cd Required At Startup"            <-- Header to pop up dialog
                                  |
:10B1C3F4 68089DB310              push 10B39D08

* Possible StringData Ref from Data Obj ->"Please insert the Unreal CD-Rom "  <-- What got us here
                                        ->"into your drive and press OK to "
                                        ->"continue, or Cancel to exit."
                                  |
:10B1C3F9 68989CB310              push 10B39C98
:10B1C3FE 6A00                    push 00000000
:10B1C400 FFD6                    call esi
:10B1C402 83F802                  cmp eax, 00000002                <-- Did you hit cancel
:10B1C405 75CE                    jne 10B1C3D5                     <-- No, then check again

* Reference To: Core.?GIsCriticalError@@3HA, Ord:018Eh
                                  |
:10B1C407 8B1560B7B310            mov edx, dword ptr [10B3B760]
:10B1C40D 6A00                    push 00000000
:10B1C40F C70201000000            mov dword ptr [edx], 00000001

* Reference To: KERNEL32.ExitProcess, Ord:006Bh                    <-- Says it all, right?
                                  |
:10B1C415 FF1580B8B310            Call dword ptr [10B3B880]
:10B1C41B EBB8                    jmp 10B1C3D5                     <-- Jump back up and check again

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10B1C3DD(C), :10B1C3ED(C)
|
:10B1C41D A114B7B310              mov eax, dword ptr [10B3B714]    <-- Getting here continues the game!
:10B1C422 833800                  cmp dword ptr [eax], 00000000
:10B1C425 7518                    jne 10B1C43F

* Reference To: Engine.?StaticClass@UGameEngine@@2PAVUClass@@A, Ord:04CDh
                                  |
:10B1C427 8B0DF4B7B310            mov ecx, dword ptr [10B3B7F4]
:10B1C42D 6A00                    push 00000000
:10B1C42F 6A05                    push 00000005
:10B1C431 6A00                    push 00000000
:10B1C433 8B11                    mov edx, dword ptr [ecx]

* Possible StringData Ref from Data Obj ->"ini:Engine.Engine.GameEngine"
                                  |
:10B1C435 68749CB310              push 10B39C74
:10B1C43A 6A00                    push 00000000
:10B1C43C 52                      push edx
:10B1C43D EB44                    jmp 10B1C483
  -- Continuing game code --

	The same code, but from the Cyrix beta 2.02 and the Rush beta 2.03:

  --  Program code  --
* Reference To: Core.?appSprintf@@YAHPADPBDZZ, Ord:033Fh
                                  |
:10B1C485 FF1514B6B310            Call dword ptr [10B3B614]
:10B1C48B 83C40C                  add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10B1C4D1(C), :10B1C4E6(U)                                          <-- 2 jumps land here
|
:10B1C48E A11CB7B310              mov eax, dword ptr [10B3B71C]
:10B1C493 833800                  cmp dword ptr [eax], 00000000
:10B1C496 7550                    jne 10B1C4E8                       <-- Use this conditional jump for the crack

* Reference To: Core.?GIsClient@@3HA, Ord:018Ch
                                  |
:10B1C498 8B0D48B6B310            mov ecx, dword ptr [10B3B648]
:10B1C49E 833900                  cmp dword ptr [ecx], 00000000
:10B1C4A1 7445                    je 10B1C4E8                        <-- Take this jump for a passed CD check
:10B1C4A3 8D95E4F9FFFF            lea edx, dword ptr [ebp+FFFFF9E4]
:10B1C4A9 52                      push edx

* Reference To: Core.?appFSize@@YAHPBD@Z, Ord:0312h                  <-- Call used in the CD check
                                  |
:10B1C4AA FF15E4B6B310            Call dword ptr [10B3B6E4]
:10B1C4B0 83C404                  add esp, 00000004
:10B1C4B3 85C0                    test eax, eax
:10B1C4B5 7F31                    jg 10B1C4E8
:10B1C4B7 6801200000              push 00002001

* Possible StringData Ref from Data Obj ->"Cd Required At Startup"            <-- Header to pop up dialog
                                  |
:10B1C4BC 68089DB310              push 10B39D08

* Possible StringData Ref from Data Obj ->"Please insert the Unreal CD-Rom "  <-- What got us here
                                        ->"into your drive and press OK to "
                                        ->"continue, or Cancel to exit."
                                  |
:10B1C4C1 68989CB310              push 10B39C98
:10B1C4C6 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:10B1C4C8 FF1568B9B310            Call dword ptr [10B3B968]
:10B1C4CE 83F802                  cmp eax, 00000002                <-- Did you hit cancel
:10B1C4D1 75BB                    jne 10B1C48E                     <-- No, then check again
:10B1C4D3 A170B7B310              mov eax, dword ptr [10B3B770]
:10B1C4D8 6A00                    push 00000000
:10B1C4DA C70001000000            mov dword ptr [eax], 00000001

* Reference To: KERNEL32.ExitProcess, Ord:006Bh                    <-- Says it all, right?
                                  |
:10B1C4E0 FF1590B8B310            Call dword ptr [10B3B890]
:10B1C4E6 EBA6                    jmp 10B1C48E                     <-- Jump back up and check again

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10B1C496(C), :10B1C4A1(C), :10B1C4B5(C)
|

* Reference To: Core.?GIsEditor@@3HA, Ord:018Eh
                                  |
:10B1C4E8 8B0D1CB7B310            mov ecx, dword ptr [10B3B71C]    <-- Getting here continues the game!
:10B1C4EE 833900                  cmp dword ptr [ecx], 00000000
:10B1C4F1 7518                    jne 10B1C50B

* Reference To: Engine.?StaticClass@UGameEngine@@2PAVUClass@@A, Ord:04CDh
                                  |
:10B1C4F3 8B1504B8B310            mov edx, dword ptr [10B3B804]
:10B1C4F9 6A00                    push 00000000
:10B1C4FB 6A05                    push 00000005
:10B1C4FD 6A00                    push 00000000
:10B1C4FF 8B02                    mov eax, dword ptr [edx]

* Possible StringData Ref from Data Obj ->"ini:Engine.Engine.GameEngine"
                                  |
:10B1C501 68749CB310              push 10B39C74
:10B1C506 6A00                    push 00000000
:10B1C508 50                      push eax
:10B1C509 EB44                    jmp 10B1C54F
  -- Continuing game code --

	For the latest betas, the code has changed a bit and has been placed inside the Unreal
exe file.  It looks like this:

  --  Program code  --
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10902870(C), :10902886(U)
|

* Reference To: Core.?GIsEditor@@3HA, Ord:01F7h
                                  |
:10902810 8B0D28619010            mov ecx, dword ptr [10906128]
:10902816 833900                  cmp dword ptr [ecx], 00000000
:10902819 757B                    jne 10902896

* Reference To: Core.?GIsClient@@3HA, Ord:01F5h
                                  |
:1090281B 8B1524619010            mov edx, dword ptr [10906124]
:10902821 833A00                  cmp dword ptr [edx], 00000000
:10902824 7470                    je 10902896
:10902826 8D8560FAFFFF            lea eax, dword ptr [ebp+FFFFFA60]
:1090282C 50                      push eax

* Reference To: Core.?appFSize@@YAHPBD@Z, Ord:03CDh
                                  |
:1090282D FF15E8609010            Call dword ptr [109060E8]
:10902833 83C404                  add esp, 00000004
:10902836 85C0                    test eax, eax
:10902838 7F5C                    jg 10902896                    <-- This is the jump we'll force
:1090283A 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Window"
                                  |
:1090283C 68ECA39010              push 1090A3EC

* Possible StringData Ref from Data Obj ->"InsertCdTitle"        <-- How hard was it to find?
                                  |
:10902841 68E8A19010              push 1090A1E8
:10902846 FFD7                    call edi
:10902848 83C40C                  add esp, 0000000C
:1090284B 8BF0                    mov esi, eax
:1090284D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Window"
                                  |
:1090284F 68ECA39010              push 1090A3EC

* Possible StringData Ref from Data Obj ->"InsertCdText"         <-- Slight "give away" with this ref
                                  |
:10902854 68D8A19010              push 1090A1D8
:10902859 FFD7                    call edi
:1090285B 83C40C                  add esp, 0000000C
:1090285E 6801200000              push 00002001
:10902863 56                      push esi
:10902864 50                      push eax
:10902865 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
                                  |
:10902867 FF1504629010            Call dword ptr [10906204]
:1090286D 83F802                  cmp eax, 00000002
:10902870 759E                    jne 10902810

* Reference To: Core.?GIsCriticalError@@3HA, Ord:01F6h
                                  |
:10902872 8B0DF0609010            mov ecx, dword ptr [109060F0]
:10902878 6A00                    push 00000000
:1090287A C70101000000            mov dword ptr [ecx], 00000001

* Reference To: KERNEL32.ExitProcess, Ord:007Dh
                                  |
:10902880 FF1598619010            Call dword ptr [10906198]
:10902886 EB88                    jmp 10902810

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:  <-- Getting here continues the game!
|:109025BC(C), :109025E6(C), :1090262B(C), :1090267F(C), :109026CF(C)
|
:10902888 8B45D8                  mov eax, dword ptr [ebp-28]
:1090288B 40                      inc eax
:1090288C 8945D8                  mov dword ptr [ebp-28], eax
  -- Continuing game code --

	That's it, the routine that will stop you if you don't have the CD in the drive when you start up
Unreal.  If you change the conditional jump I pointed out to an unconditional jump (always taken), the
program will start up with or without the CD present.  For the first two beta upgrades released on the
net, one called CyrixBeta202.exe and the other called RushBeta203.zip, the CD check is almost the same,
but just different enough to throw off the search for bytes.  However, starting with beta version 2.09
the copy protection has moved to the actual Unreal executable file (unreal.exe) and has been changed.
Although the change does eliminate the direct text refs, it now has refs like "InsertCdText".  Still just
as easy to find.  Figure out which version of Unreal you are running, go into the "Unreal\System\"
directory and make the following edits by version:

For the version off the CD edit window.dll
===========================================
Search for: 75 3E 8D 8D   at offset 112,605
Change to : EB -- -- --

For beta versions 2.02 & 2.03 edit window.dll
=============================================
Search for: 75 50 8B 0D   at offset 112,790
Change to : EB -- -- --

For beta version 2.09 edit Unreal.exe
=====================================
Search for: 7F 4E     at offset 5,214
Change to : EB 4E

For beta version 2.16 edit Unreal.exe
=====================================
Search for: 7F 5C    at offset 10,296
Change to : EB 5C

	That's all it takes to FiX Unreal!

Static Vengeance
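
From the defender's side, every edit listed above has the same signature: one short conditional-jump opcode replaced by EB while the displacement byte after it stays unchanged. The Python below is an added example, not part of the original text; it diffs a suspect image against a known-good baseline and flags that pattern. `find_patches`, `Finding` and the sample bytes (built from the first listing, plus one unrelated change) are constructed for illustration.

```python
# Added example, not from the original text. Works on raw bytes, so a hit is a
# lead to confirm in a disassembler, not proof that an instruction was changed.
from dataclasses import dataclass

# Mnemonics for the one-byte short conditional jumps, opcodes 0x70..0x7F.
JCC = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
       "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]
JMP_SHORT = 0xEB  # unconditional short jump, same rel8 operand layout


@dataclass
class Finding:
    offset: int   # offset of the changed byte within the compared buffers
    kind: str     # "forced-branch" or "other"
    detail: str


def find_patches(baseline: bytes, suspect: bytes) -> list:
    """Classify every byte that differs between baseline and suspect."""
    if len(baseline) != len(suspect):
        raise ValueError("images differ in size; compare section by section")
    changed = {i for i, (a, b) in enumerate(zip(baseline, suspect)) if a != b}
    findings = []
    for off in sorted(changed):
        old, new = baseline[off], suspect[off]
        # The pattern is a lone opcode change: neighbouring bytes are untouched.
        isolated = (off - 1) not in changed and (off + 1) not in changed
        if (0x70 <= old <= 0x7F and new == JMP_SHORT and isolated
                and off + 1 < len(baseline)):
            disp = baseline[off + 1]
            disp -= 0x100 if disp >= 0x80 else 0  # rel8 is signed
            detail = f"{JCC[old - 0x70]} rel8 {disp:+d} rewritten to JMP"
            findings.append(Finding(off, "forced-branch", detail))
        else:
            findings.append(Finding(off, "other", f"{old:02X} -> {new:02X}"))
    return findings


# Constructed sample: instruction bytes copied from the first listing.
BASELINE = bytes.fromhex(
    "A114B7B310 833800 753E 8D8DE4F9FFFF 51 FFD3 83C404 85C0 7F2E")
_s = bytearray(BASELINE)
_s[8] = 0xEB    # the opcode change the text describes
_s[21] = 0x08   # an unrelated one-byte change, for contrast
SUSPECT = bytes(_s)

if __name__ == "__main__":
    for f in find_patches(BASELINE, SUSPECT):
        print(f"+{f.offset:#06x}  {f.kind:14s} {f.detail}")
```

In practice the baseline comes from the vendor's signed or hashed release; a whole-file hash says that something changed, and this pass says what kind of change it was.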


