===============================================================================================================
       Title : Hellfire (GAME)
     Version : 1.01 (should work with any)
  Protection : Cd Check (hidden in storm.dll)
    Producer : http://www.sierra.com
     Cracker : Zaks (tntpcclub@hotmail.com)
       Tools : W32Dasm, Hiew, Softice
  Difficulty : Moderate
Tutorial No. : 8
        Font : Courier New (8)
===============================================================================================================


1) Install Hellfire. Run it without the CD and you get "Please insert diablo cd-rom ...". Open your Hellfire disc and copy diabdat.mpq (the main Diablo archive) into your Hellfire directory. Make backups of hellfire.exe and storm.dll. Disassemble hellfire.bak (your hellfire.exe backup) with W32Dasm and search for GetDriveTypeA. The interesting part is below. You could try the usual crack here: return to the call and fix it, or fix the whole check routine below. Do not waste your time on that as I did; it does not work, because this routine only enumerates the drives and, for each CD-ROM drive, calls into storm.dll, where the real check is done.

Disassembled part of HELLFIRE.EXE :

* Referenced by a CALL at Address:
|:0041DBB9   
|
:0041DBF7 55                      push ebp
:0041DBF8 8BEC                    mov ebp, esp			
:0041DBFA 81EC08010000            sub esp, 00000108
:0041DC00 53                      push ebx
:0041DC01 56                      push esi
:0041DC02 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:0041DC08 57                      push edi
:0041DC09 BE04010000              mov esi, 00000104
:0041DC0E 50                      push eax
:0041DC0F 8BFA                    mov edi, edx
:0041DC11 894DFC                  mov dword ptr [ebp-04], ecx
:0041DC14 56                      push esi

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F8h
                                  |
:0041DC15 FF15A8904800            Call dword ptr [004890A8]
:0041DC1B 85C0                    test eax, eax
:0041DC1D 745F                    je 0041DC7E		<- Badguy		
:0041DC1F 3BC6                    cmp eax, esi
:0041DC21 775B                    ja 0041DC7E		<- Badguy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC29(U)
|
:0041DC23 803F5C                  cmp byte ptr [edi], 5C
:0041DC26 7503                    jne 0041DC2B
:0041DC28 47                      inc edi
:0041DC29 EBF8                    jmp 0041DC23

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC26(C)
|
:0041DC2B 80BDF8FEFFFF00          cmp byte ptr [ebp+FFFFFEF8], 00
:0041DC32 8DB5F8FEFFFF            lea esi, dword ptr [ebp+FFFFFEF8]
:0041DC38 7444                    je 0041DC7E		<-Badguy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC7C(C)
|
:0041DC3A 8BDE                    mov ebx, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC41(C)
|
:0041DC3C 8A06                    mov al, byte ptr [esi]
:0041DC3E 46                      inc esi
:0041DC3F 84C0                    test al, al
:0041DC41 75F9                    jne 0041DC3C
:0041DC43 53                      push ebx

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
                                  |
:0041DC44 FF15A4904800            Call dword ptr [004890A4]	<- GetDriveTypeA is called
:0041DC4A 83F805                  cmp eax, 00000005		<- Compares the returned drive type with 5 (DRIVE_CDROM)
:0041DC4D 752A                    jne 0041DC79		 <- If not a CD-ROM, loop on to the next drive
:0041DC4F 53                      push ebx
:0041DC50 FF75FC                  push [ebp-04]
:0041DC53 E8D8C00500              call 00479D30
:0041DC58 59                      pop ecx
:0041DC59 59                      pop ecx
:0041DC5A 57                      push edi
:0041DC5B FF75FC                  push [ebp-04]
:0041DC5E E8DDC00500              call 00479D40
:0041DC63 59                      pop ecx
:0041DC64 59                      pop ecx
:0041DC65 FF750C                  push [ebp+0C]
:0041DC68 6A01                    push 00000001
:0041DC6A FF7508                  push [ebp+08]
:0041DC6D FF75FC                  push [ebp-04]

* Reference To: storm.storm:NoName0018, Ord:010Ah		
                                  |
:0041DC70 E82BAE0600              Call 00488AA0		<- in S-ice I saw this is a call into storm.dll, where the real check for the cd is done
:0041DC75 85C0                    test eax, eax		<- was cd found?
:0041DC77 750E                    jne 0041DC87		<- Then jump to GoodGuy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC4D(C)
|
:0041DC79 803E00                  cmp byte ptr [esi], 00
:0041DC7C 75BC                    jne 0041DC3A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041DC1D(C), :0041DC21(C), :0041DC38(C)
|
:0041DC7E 33C0                    xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC8A(U)
|
:0041DC80 5F                      pop edi
:0041DC81 5E                      pop esi
:0041DC82 5B                      pop ebx
:0041DC83 C9                      leave
:0041DC84 C20800                  ret 0008



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DC77(C)
|
:0041DC87 6A01                    push 00000001
:0041DC89 58                      pop eax
:0041DC8A EBF4                    jmp 0041DC80

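The loop above is easier to follow in C. The following is an added example, not code from Hellfire or from this tutorial: it walks a GetLogicalDriveStringsA-style buffer the way 0041DC23..0041DC8A does, skips anything that is not DRIVE_CDROM (5) and stops at the first drive the real check accepts. The two callbacks, the constructed drive list and all names are assumptions standing in for GetDriveTypeA and the storm.dll export, so the loop runs offline.

```c
#include <stddef.h>
#include <string.h>

#define DRIVE_CDROM 5      /* the value 0041DC4A compares GetDriveTypeA's result against */
#define DRIVE_FIXED 3      /* used only by the constructed sample below */

/* Stand-ins for GetDriveTypeA and the storm.dll function called at 0041DC70
   (assumed signatures; the real export takes more arguments). */
typedef unsigned (*drive_type_fn)(const char *root);
typedef int (*disc_check_fn)(const char *root, void *ctx);

/* Mirror of 0041DC1B..0041DC8A. `drives` is a NUL-separated, double-NUL
   terminated list ("A:\" "C:\" ...) as GetLogicalDriveStringsA fills it,
   `drives_len` is that call's return value and `buf_size` the buffer size
   passed to it (0x104 in the binary). Returns 1 and copies the matching root
   into `found` on the first CD-ROM drive the check accepts, else 0. */
int find_game_disc(const char *drives, size_t drives_len, size_t buf_size,
                   drive_type_fn drive_type, disc_check_fn check, void *ctx,
                   char *found, size_t found_size)
{
    if (drives_len == 0 || drives_len > buf_size)   /* 0041DC1B / 0041DC1F: call failed or buffer too small */
        return 0;
    if (drives[0] == '\0')                           /* 0041DC2B: empty list */
        return 0;

    for (const char *root = drives; *root != '\0'; ) {
        const char *next = root + strlen(root) + 1;  /* 0041DC3C..0041DC41: advance past this string's NUL */
        if (drive_type(root) == DRIVE_CDROM &&       /* 0041DC4A..0041DC4D: non-CD drives are skipped */
            check(root, ctx)) {                      /* 0041DC70..0041DC77: the real check, in storm.dll */
            if (found && found_size) {
                strncpy(found, root, found_size - 1);
                found[found_size - 1] = '\0';
            }
            return 1;                                /* 0041DC87: eax = 1 */
        }
        root = next;                                 /* 0041DC79: loop until the terminating double NUL */
    }
    return 0;                                        /* 0041DC7E: eax = 0 */
}

/* ---- constructed sample (not from the game): four drives, D: and E: are CD-ROMs ---- */
static const char SAMPLE_DRIVES[] = "A:\\\0C:\\\0D:\\\0E:\\\0";
#define SAMPLE_LEN (sizeof SAMPLE_DRIVES - 1)   /* chars written, excluding the final NUL, as the API returns it */

static unsigned sample_drive_type(const char *root)
{
    return (root[0] == 'D' || root[0] == 'E') ? DRIVE_CDROM : DRIVE_FIXED;
}

/* ctx: the drive letter that "contains" the game disc */
static int sample_disc_check(const char *root, void *ctx)
{
    return root[0] == *(const char *)ctx;
}

/* Run the search with the disc in drive `letter`; returns the letter of the
   drive the loop settled on, or 0 when the routine would return 0. */
char find_disc_letter(char letter)
{
    char root[8];
    int ok = find_game_disc(SAMPLE_DRIVES, SAMPLE_LEN, 0x104,
                            sample_drive_type, sample_disc_check, &letter,
                            root, sizeof root);
    return ok ? root[0] : 0;
}
```

Note that a disc in a drive GetDriveTypeA reports as fixed (C: in the sample) is never handed to the check at all, which is why patching around GetDriveTypeA alone gets you nowhere: the decision is made inside the callback, i.e. inside storm.dll.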

2) So press CTRL-D to drop into Softice, set a breakpoint on GetDriveTypeA (bpx getdrivetypea) and launch Hellfire with the CD in. First make sure Num Lock is on, so the Num Lock light tells you when Softice has control. Start hellfire.exe. The Num Lock light goes off, so we are in Softice, but we see nothing: the screen is completely black. Press F5 repeatedly until you are out of Softice, the intro plays and you reach the start menu. Press Start New Game. Softice breaks again, and this time it is visible. Press F12 to return to the caller and see what is calling GetDriveTypeA. We are in a module called storm, and the only file with that name is storm.dll. Clear the breakpoints (bc *) and disassemble storm.bak (the backup copy of storm.dll) with W32Dasm. Search for GetDriveTypeA and here we are :


Disassembled part of STORM.DLL :

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
                                  |
:1500D731 FF15A0240215            Call dword ptr [150224A0]	//Call to getdrivetypea
:1500D737 8BF0                    mov esi, eax			
:1500D739 B941000000              mov ecx, 00000041
:1500D73E 33C0                    xor eax, eax			//eax = 0; with ecx = 41 the rep stosd below zeroes the buffer at esp+130
:1500D740 8DBC2430010000          lea edi, dword ptr [esp+00000130]
:1500D747 F3                      repz
:1500D748 AB                      stosd
:1500D749 8D8C2430010000          lea ecx, dword ptr [esp+00000130]
:1500D750 6804010000              push 00000104
:1500D755 8D542424                lea edx, dword ptr [esp+24]
:1500D759 33DB                    xor ebx, ebx			//ebx is 0 here
:1500D75B 51                      push ecx
:1500D75C 52                      push edx
:1500D75D 53                      push ebx
:1500D75E 53                      push ebx
:1500D75F 53                      push ebx
:1500D760 8D442428                lea eax, dword ptr [esp+28]
:1500D764 53                      push ebx
:1500D765 50                      push eax
:1500D766 895C2440                mov dword ptr [esp+40], ebx

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh
                                  |
:1500D76A FF1598240215            Call dword ptr [15022498]	//call to getvolumeinfo..
:1500D770 85C0                    test eax, eax			//nonzero = the call succeeded; this is not yet a label check
:1500D772 746F                    je 1500D7E3			//in S-ice we do not jump here
:1500D774 8D4C2424                lea ecx, dword ptr [esp+24]
:1500D778 8D54241C                lea edx, dword ptr [esp+1C]
:1500D77C 51                      push ecx
:1500D77D 8D44241C                lea eax, dword ptr [esp+1C]
:1500D781 52                      push edx
:1500D782 8D4C2430                lea ecx, dword ptr [esp+30]
:1500D786 50                      push eax
:1500D787 8D54241C                lea edx, dword ptr [esp+1C]
:1500D78B 51                      push ecx
:1500D78C 52                      push edx
:1500D78D 895C243C                mov dword ptr [esp+3C], ebx
:1500D791 895C242C                mov dword ptr [esp+2C], ebx
:1500D795 895C2430                mov dword ptr [esp+30], ebx
:1500D799 895C2438                mov dword ptr [esp+38], ebx

* Reference To: KERNEL32.GetDiskFreeSpaceA, Ord:00DBh
                                  |
:1500D79D FF1594240215            Call dword ptr [15022494]	//call to getdiskfreespace
:1500D7A3 85C0                    test eax, eax			
:1500D7A5 743C                    je 1500D7E3			//in S-ice we do not jump here
:1500D7A7 8B442420                mov eax, dword ptr [esp+20]
:1500D7AB 8B54241C                mov edx, dword ptr [esp+1C]
:1500D7AF 8B4C2418                mov ecx, dword ptr [esp+18]
:1500D7B3 8BAC2430010000          mov ebp, dword ptr [esp+00000130]	//first dword of the buffer handed to GetVolumeInformationA
:1500D7BA 83E004                  and eax, 00000004			//eax, edx, ecx hold outputs of GetDiskFreeSpaceA
:1500D7BD 33C2                    xor eax, edx			//everything is XORed together ...
:1500D7BF 33C1                    xor eax, ecx
:1500D7C1 33C5                    xor eax, ebp
:1500D7C3 33C6                    xor eax, esi			//... including the GetDriveTypeA result (esi)
:1500D7C5 8BC8                    mov ecx, eax
:1500D7C7 C1E910                  shr ecx, 10
:1500D7CA 33C8                    xor ecx, eax			//cx = high 16 bits XOR low 16 bits: a 16-bit fingerprint of the drive
:1500D7CC 6681F9001F              cmp cx, 1F00			//compared against two hard-coded values
:1500D7D1 740B                    je 1500D7DE			//this jump here will make eax 1
:1500D7D3 6681F90508              cmp cx, 0805
:1500D7D8 7404                    je 1500D7DE
:1500D7DA 33C0                    xor eax, eax
:1500D7DC EB05                    jmp 1500D7E3

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1500D7D1(C), :1500D7D8(C)
|
:1500D7DE B801000000              mov eax, 00000001		//this looks very interesting

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1500D772(C), :1500D7A5(C), :1500D7DC(U)
|
:1500D7E3 8B8C2440020000          mov ecx, dword ptr [esp+00000240]
:1500D7EA 89442410                mov dword ptr [esp+10], eax
:1500D7EE 3BCB                    cmp ecx, ebx
:1500D7F0 741A                    je 1500D80C			//in S-ice we jump here
:1500D7F2 3BC3                    cmp eax, ebx
:1500D7F4 7516                    jne 1500D80C
:1500D7F6 6A0F                    push 0000000F
* Reference To: storm.ExpFn0161()
                                  |
:1500D7F8 E8D3D2FFFF              call 1500AAD0
:1500D7FD 33C0                    xor eax, eax
:1500D7FF 5F                      pop edi
:1500D800 5E                      pop esi
:1500D801 5D                      pop ebp
:1500D802 5B                      pop ebx
:1500D803 81C424020000            add esp, 00000224
:1500D809 C21000                  ret 0010



* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1500D7F0(C), :1500D7F4(C)
|
:1500D80C 53                      push ebx
:1500D80D 53                      push ebx
:1500D80E 6A03                    push 00000003
:1500D810 53                      push ebx
:1500D811 6A01                    push 00000001
:1500D813 8D442440                lea eax, dword ptr [esp+40]
:1500D817 6800000080              push 80000000
:1500D81C 50                      push eax

* Reference To: KERNEL32.CreateFileA, Ord:0031h
                                  |
:1500D81D FF1564250215            Call dword ptr [15022564]
:1500D823 8BD8                    mov ebx, eax			
:1500D825 83FBFF                  cmp ebx, FFFFFFFF		
:1500D828 895C2418                mov dword ptr [esp+18], ebx
:1500D82C 750F                    jne 1500D83D		
:1500D82E 33C0                    xor eax, eax
:1500D830 5F                      pop edi
:1500D831 5E                      pop esi
:1500D832 5D                      pop ebp
:1500D833 5B                      pop ebx
:1500D834 81C424020000            add esp, 00000224
:1500D83A C21000                  ret 0010

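What the two constants gate is clearer in C. The following is an added example, not code from storm.dll or from this tutorial, that reproduces the arithmetic at 1500D7B3..1500D7CC: the routine XORs three GetDiskFreeSpaceA outputs, the first dword of the buffer handed to GetVolumeInformationA and the GetDriveTypeA result together, folds the high half into the low half and compares the 16-bit result with 1F00 and 0805. Which of the three free-space outputs sits in which stack slot cannot be read off the listing with certainty, so the field names are assumptions, as are the two constructed probes. The three check variants show the original, the je->jne patch and the je->jmp patch side by side.

```c
#include <stdint.h>

/* Values the listing feeds into the fingerprint. The three dfs_* names are
   assumptions: they are the dwords at [esp+20], [esp+1C] and [esp+18], all
   addresses that were pushed for GetDiskFreeSpaceA, but which output is
   which is not resolvable from the listing alone. */
struct drive_probe {
    uint32_t drive_type;     /* esi: GetDriveTypeA result, 5 = DRIVE_CDROM */
    uint32_t fs_buf_dword;   /* ebp: [esp+130], first dword of the buffer given to GetVolumeInformationA */
    uint32_t dfs_a;          /* eax: [esp+20] */
    uint32_t dfs_b;          /* edx: [esp+1C] */
    uint32_t dfs_c;          /* ecx: [esp+18] */
};

/* 1500D7BA..1500D7CC: (dfs_a & 4) ^ dfs_b ^ dfs_c ^ fs ^ type, then cx = lo16 ^ hi16 */
uint16_t storm_fold(const struct drive_probe *p)
{
    uint32_t eax = p->dfs_a & 4;
    eax ^= p->dfs_b;
    eax ^= p->dfs_c;
    eax ^= p->fs_buf_dword;
    eax ^= p->drive_type;
    uint32_t ecx = (eax >> 16) ^ eax;
    return (uint16_t)ecx;          /* only cx is compared */
}

/* As shipped: je on either constant -> eax = 1, otherwise eax = 0. */
int storm_check_original(const struct drive_probe *p)
{
    uint16_t cx = storm_fold(p);
    return (cx == 0x1F00 || cx == 0x0805) ? 1 : 0;
}

/* 74 -> 75 at 1500D7D1: the first jump is inverted, the second compare is untouched. */
int storm_check_jne_patch(const struct drive_probe *p)
{
    uint16_t cx = storm_fold(p);
    if (cx != 0x1F00)              /* jne taken -> mov eax, 1 */
        return 1;
    return (cx == 0x0805) ? 1 : 0; /* falls through to the second compare, which cannot match here */
}

/* 74 -> EB at 1500D7D1: the jump is unconditional, the compares are dead. */
int storm_check_jmp_patch(const struct drive_probe *p)
{
    (void)storm_fold(p);
    return 1;
}

/* Constructed probes (not captured from a real disc). The first is a CD-ROM
   drive whose fingerprint does not match; the second is built so that the
   fold lands exactly on 1F00, i.e. what a genuine disc would have to produce. */
static const struct drive_probe PROBE_NO_MATCH = { 5, 0x53464443u /* bytes "CDFS" */, 0, 0, 0 };
static const struct drive_probe PROBE_MATCHES  = { 0, 0, 0, 0, 0x1F00u };
```

The fold is the reason the protection is so thin: there is no secret, only 16 bits of drive metadata compared with two constants, and with the je->jne patch the genuine disc (PROBE_MATCHES) is the one case that fails, which is exactly the "game will not run with the CD in" behaviour the next step describes.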
3) So let's try inverting this jump and see whether it works :

:1500D7D1 740B                    je 1500D7DE			//this jump here will make eax 1

Open storm.dll with Hiew and go to file offset CBD1 (the offset of the line above in this build; before editing, check that the two bytes there are 74 0B). Change je to jne (74 to 75), save and exit. Run Hellfire without the CD and it works. With the CD in, however, the game will not run: the inverted jump now fails exactly when the fingerprint matches (cx = 1F00 is the genuine-disc case, and the second compare against 0805 cannot rescue it). So it is better to change 74 (je) to EB (jmp). A short jmp uses the same 8-bit displacement as je, so only the opcode byte changes, and the jump is taken whether the CD is in or out.
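The Hiew edit reduced to a small tool, as an added example that is not from the tutorial: it verifies that the bytes at the file offset really are the 74 0B of the je before writing, so a wrong offset or a different build of storm.dll is refused rather than silently corrupted, and it writes to a new file so the original stays as the backup. The file offset is taken from the command line; CBD1 is the value the text gives for this build, but check it against your own copy. The sample image below is constructed from the listing and is only there so the checks can be exercised offline.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { OP_JE = 0x74, OP_JNE = 0x75, OP_JMP_SHORT = 0xEB };

/* Change the opcode of a 2-byte short jump (Jcc rel8 / JMP rel8) at `off`.
   The 8-bit displacement is shared by all three encodings, so only the first
   byte moves. Refuses to touch the image unless the two bytes there are
   exactly the expected (opcode, rel8) pair. 0 = patched. */
int patch_short_jump(uint8_t *img, size_t len, size_t off,
                     uint8_t expect_op, uint8_t expect_rel8, uint8_t new_op)
{
    if (off + 2 > len)
        return -1;                                   /* offset outside the image */
    if (img[off] != expect_op || img[off + 1] != expect_rel8)
        return -2;                                   /* not the instruction we expect: wrong offset or build */
    if (new_op != OP_JE && new_op != OP_JNE && new_op != OP_JMP_SHORT)
        return -3;                                   /* only the three short-jump opcodes are allowed */
    img[off] = new_op;
    return 0;
}

/* Read in_path, patch in memory, write out_path (in_path is left untouched). */
int patch_file(const char *in_path, const char *out_path, size_t off,
               uint8_t expect_op, uint8_t expect_rel8, uint8_t new_op)
{
    FILE *f = fopen(in_path, "rb");
    if (!f) return -10;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -10; }
    long sz = ftell(f);
    if (sz <= 0) { fclose(f); return -10; }
    rewind(f);
    uint8_t *img = malloc((size_t)sz);
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { free(img); fclose(f); return -10; }
    fclose(f);

    int rc = patch_short_jump(img, (size_t)sz, off, expect_op, expect_rel8, new_op);
    if (rc == 0) {
        FILE *o = fopen(out_path, "wb");
        if (!o || fwrite(img, 1, (size_t)sz, o) != (size_t)sz) rc = -11;
        if (o) fclose(o);
    }
    free(img);
    return rc;
}

/* Constructed image: the bytes of 1500D7CC..1500D7DC as the listing shows
   them, so the je 1500D7DE sits at index 5 and the second je at index 12. */
static const uint8_t SAMPLE_IMG[] = {
    0x66, 0x81, 0xF9, 0x00, 0x1F,   /* cmp cx, 1F00 */
    0x74, 0x0B,                     /* je  1500D7DE   <- patch target */
    0x66, 0x81, 0xF9, 0x05, 0x08,   /* cmp cx, 0805 */
    0x74, 0x04,                     /* je  1500D7DE */
    0x33, 0xC0,                     /* xor eax, eax */
    0xEB, 0x05                      /* jmp 1500D7E3 */
};
#define SAMPLE_JE_OFF 5

/* Apply the patch to a fresh copy of SAMPLE_IMG; returns patch_short_jump's code. */
int demo_patch_rc(size_t off, uint8_t new_op)
{
    uint8_t img[sizeof SAMPLE_IMG];
    memcpy(img, SAMPLE_IMG, sizeof img);
    return patch_short_jump(img, sizeof img, off, OP_JE, 0x0B, new_op);
}

/* Same, but returns the two bytes at the je after the attempt (hi = opcode, lo = rel8). */
unsigned demo_patch_bytes(size_t off, uint8_t new_op)
{
    uint8_t img[sizeof SAMPLE_IMG];
    memcpy(img, SAMPLE_IMG, sizeof img);
    (void)patch_short_jump(img, sizeof img, off, OP_JE, 0x0B, new_op);
    return ((unsigned)img[SAMPLE_JE_OFF] << 8) | img[SAMPLE_JE_OFF + 1];
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <in.dll> <out.dll> <hex file offset of the je>\n", argv[0]);
        return 2;
    }
    size_t off = (size_t)strtoul(argv[3], NULL, 16);
    int rc = patch_file(argv[1], argv[2], off, OP_JE, 0x0B, OP_JMP_SHORT);
    if (rc != 0) {
        fprintf(stderr, "not patched (%d): are the bytes at that offset really 74 0B?\n", rc);
        return 1;
    }
    puts("patched: je -> jmp");
    return 0;
}
```

Usage on a copy of the DLL: `./patcher storm.dll storm.patched.dll cbd1`. Checking the displacement byte as well as the opcode is what distinguishes the je at 1500D7D1 (74 0B) from the one at 1500D7D8 (74 04); an offset that lands on the wrong je is refused.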

===============================================================================================================
10.11.2000
Written by Zaks