
Free Information Xchange '97 presents:

WarGods from GT Interactive Software CD crack by Static Vengeance

Requirements
Hex Editor and Full install
W32Dasm if you want to follow along

	Once again we set out to remove a CD check from a Win95 game.  The whole idea behind
a "Full install" is you will not need the CD, right?  So why do "they" make us get out the
original CD just for a check... oh.. there are the music tracks... it is a CD, right...  Well I
can do without the music (I have a radio card in my PC, anyways) so I don't want to have to
hunt through my CDs for the WarGods CD.  So I set out to fix that BUG in this otherwise decent
fighter game.  First you will need to disassemble wargods.exe to see what's going on within
the program.  As usual, the preferred weapon is W32Dasm with its useful menu choices.  Once
you have disassembled the executable (wargods.exe), go up to the title bar and select "Refs"
from the menu and drop down to "String data references".  From there grab the slider bar and
scroll down to the string "To play War Gods you must close", which is the start of the message
'To play War Gods you must close all other CD applications and insert the game CD.'
Double-clicking this string will put you in the middle of the CD check routine.  That routine
looks like this:

* Referenced by a CALL at Address:
|:00416F30   
|
:00416C20 56                      push esi
:00416C21 33C0                    xor eax, eax
:00416C23 57                      push edi
:00416C24 A31C9F4A00              mov dword ptr [004A9F1C], eax

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00416C29 8B3D4C2A9F00            mov edi, dword ptr [009F2A4C]
:00416C2F A3189F4A00              mov dword ptr [004A9F18], eax
:00416C34 A3149F4A00              mov dword ptr [004A9F14], eax
:00416C39 A3109F4A00              mov dword ptr [004A9F10], eax
:00416C3E A3209F4A00              mov dword ptr [004A9F20], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416C74(C)
|
:00416C43 E888FCFFFF              call 004168D0     <-- Goes through WINMM.mci to see if
:00416C48 8BF0                    mov esi, eax      <-- there is "cdaudio media present"
:00416C4A E881670100              call 0042D3D0     <-- does "set cdaudio time format tmsf"
:00416C4F A158D64A00              mov eax, dword ptr [004AD658]
:00416C54 8A0D88D64A00            mov cl, byte ptr [004AD688]
:00416C5A 85F6                    test esi, esi
:00416C5C 7404                    je 00416C62
:00416C5E 84C9                    test cl, cl
:00416C60 7514                    jne 00416C76

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416C5C(C)
|
:00416C62 6A35                    push 00000035

* Possible StringData Ref from Data Obj ->"War Gods Notice"
                                  |
:00416C64 6834A04A00              push 004AA034

* Possible StringData Ref from Data Obj ->"To play War Gods you must close "  <-- Don't want to
                                        ->"all other CD applications and "    <-- see this stuff
                                        ->"insert the game CD."               <-- pop up, right?
                                  |
:00416C69 68E09F4A00              push 004A9FE0
:00416C6E 50                      push eax
:00416C6F FFD7                    call edi
:00416C71 83F802                  cmp eax, 00000002
:00416C74 75CD                    jne 00416C43

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416C60(C)
|
:00416C76 5F                      pop edi
:00416C77 5E                      pop esi
:00416C78 C3                      ret

	Well that was the routine that prints the "insert the game CD" and waits for
your response.  If you hit cancel the game goes into a demo mode and locks out user
response except to quit the game.  That's not what we want... so let's check out the
routine that calls the above section of code:

* Referenced by a CALL at Address:
|:0047471A   
|
:00416F30 E8EBFCFFFF              call 00416C20
:00416F35 E976FFFFFF              jmp 00416EB0

	Now we might as well see what 416EB0 does... so here is that code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00416F35(U)
|
:00416EB0 33C0                    xor eax, eax
:00416EB2 A32C9F4A00              mov dword ptr [004A9F2C], eax
:00416EB7 A3289F4A00              mov dword ptr [004A9F28], eax
:00416EBC A3249F4A00              mov dword ptr [004A9F24], eax
:00416EC1 A3309F4A00              mov dword ptr [004A9F30], eax
:00416EC6 C3                      ret

	If you NOP out the call to 416C20 at 416F30 and let the program fall through to
416F35 which jumps to 416EB0 (still with me?) the program acts like you hit cancel from
the "insert the game CD" routine.  This just won't do, we want to play the game so it
should be clear we need to prevent both calls from being made.  There is a single call
to that section from 47471A so it's back to more code snooping.. let's go check it out:

* Referenced by a CALL at Address:
|:00473A99   
|
:00474710 E8BB9AFFFF              call 0046E1D0
:00474715 E89606FAFF              call 00414DB0
:0047471A E81128FAFF              call 00416F30          <-- Call the CD check routine
:0047471F E8EC18FAFF              call 00416010
:00474724 E8C710FAFF              call 004157F0
:00474729 E9B2C9F8FF              jmp 004010E0

	There you see at 47471A is the single call to the CD check, and there's no type
of check for any returned value.  So search the wargods.exe file for the call and NOP
it out and give it a try.  And it does remove the copy protection.  The only thing left
is to make the edit to the file.  BTW: This edit works for both EXE files on the CD; one is
called hi.exe and the other is lo.exe.  During installation whichever file is copied,
based on user input, is then renamed to wargods.exe.

Edit wargods.exe at offset 473,882
==================================
Search for: E8 11 28 FA FF E8 EC
Change to : 90 90 90 90 90 -- --
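
Seen from the publisher's side, the whole check hangs on one unguarded 5-byte call in the stub at 474710.  The example below is added here (it is not part of the original text and not the game's code): it decodes the rel32 targets of that stub from the bytes in the listing and shows that a byte comparison against the shipped stub flags the edited slot.  The names ref_stub, rel32_target and check_stub are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_VA  0x00474710u  /* address of the stub in the page's listing */
#define STUB_LEN 30           /* six 5-byte call/jmp rel32 instructions */

/* Reference bytes, copied from the disassembly listing on this page. */
static const uint8_t ref_stub[STUB_LEN] = {
    0xE8,0xBB,0x9A,0xFF,0xFF,  0xE8,0x96,0x06,0xFA,0xFF,
    0xE8,0x11,0x28,0xFA,0xFF,  0xE8,0xEC,0x18,0xFA,0xFF,
    0xE8,0xC7,0x10,0xFA,0xFF,  0xE9,0xB2,0xC9,0xF8,0xFF };

/* Target of a 5-byte call/jmp rel32: next-instruction address + signed disp. */
uint32_t rel32_target(uint32_t va, const uint8_t *insn)
{
    uint32_t disp = (uint32_t)insn[1] | (uint32_t)insn[2] << 8 |
                    (uint32_t)insn[3] << 16 | (uint32_t)insn[4] << 24;
    return va + 5u + disp;    /* unsigned wrap-around == two's complement add */
}

/* Compare an image of the stub with the reference.  Returns the number of
 * instruction slots that differ; *first_target gets the target of the first
 * reference call/jmp that is no longer present (0 if none). */
int check_stub(const uint8_t *img, uint32_t *first_target)
{
    int changed = 0;
    *first_target = 0;
    for (int off = 0; off < STUB_LEN; off += 5) {
        if (memcmp(img + off, ref_stub + off, 5) == 0)
            continue;
        if (changed++ == 0)
            *first_target = rel32_target(STUB_VA + off, ref_stub + off);
    }
    return changed;
}

int main(void)
{
    uint8_t img[STUB_LEN];
    uint32_t lost;
    memcpy(img, ref_stub, STUB_LEN);
    printf("clean:   %d slot(s) changed\n", check_stub(img, &lost));
    memset(img + 10, 0x90, 5);  /* constructed sample: the edit from the text */
    int n = check_stub(img, &lost);
    printf("patched: %d slot(s) changed, lost call to %08X\n", n, (unsigned)lost);
    return 0;
}
```

A comparison like this that lives in the same executable can be edited out the same way, so it raises the effort rather than closing the gap.
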

	That takes care of WarGods' CD check!  Now go watch Pagan shake her ... well you
know...  Once again we ventured into the world of copy protection and came out with a new
example of how to defeat it.  One thing I learned from the olden days of piracy... if
it can be loaded into the machine it can be cracked by someone.  Copy protection only stops
the average person and just slows down a cracker.  And that's how you get WarGods FiX'ed

Static Vengeance
