===============================================================================================================
       Title : Starcraft - Brood War (GAME)
     Version : 1.07 (should work with any)
  Protection : Cd Check (hidden in storm.dll)
    Producer : http://www.blizzard.com
     Cracker : Zaks (tntpcclub@hotmail.com)
       Tools : W32Dasm, Hiew, Softice
  Difficulty : Very Easy (It is the same check routine as in Hellfire and Diablo .. see tutorials 8,9)
Tutorial No. : 10
         Font : Courier New (8)
===============================================================================================================

1) Well, after cracking Diablo and Hellfire I had a very strong feeling that other Blizzard games would have the same Cd protection. I decided to try the best RTS strategy game ever created, Starcraft-BroodWar ... and I was right. Install Starcraft, install Brood War over it (Note: the same routine should be followed if you only have Starcraft), and patch it with the 1.07 patch. Copy the file install.exe from the Cd to the installed dir and remove the Cd from the Cd-drive. CTRL-D and we are in Softice. Set a breakpoint on getdrivetypea (bpx getdrivetypea) and run Brood War (starcraft.exe). Softice breaks and we press F12 to return to the place where getdrivetypea was called. We are at 150128A5 in storm.dll, and tracing with F10 will just prove my feeling that the Cd Check here is the same as the check in Diablo and Hellfire.

Disassembled part of storm.dll:

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
                                  |
:1501289F FF1580A10215            Call dword ptr [1502A180]        //getdrivetypea is called
:150128A5 8BF0                    mov esi, eax                     //the returned result is copied to esi (5 for Cd)
:150128A7 8D842430010000          lea eax, dword ptr [esp+00000130]
:150128AE 6804010000              push 00000104
:150128B3 50                      push eax
:150128B4 896C241C                mov dword ptr [esp+1C], ebp
* Reference To: storm.ExpFn0218()
                                  |
:150128B8 E873500000              call 15017930
:150128BD 8D8C2430010000          lea ecx, dword ptr [esp+00000130]
:150128C4 6804010000              push 00000104
:150128C9 8D542418                lea edx, dword ptr [esp+18]
:150128CD 51                      push ecx
:150128CE 52                      push edx
:150128CF 55                      push ebp
:150128D0 55                      push ebp
:150128D1 55                      push ebp
:150128D2 8D442428                lea eax, dword ptr [esp+28]
:150128D6 55                      push ebp
:150128D7 50                      push eax

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
                                  |
:150128D8 FF151CA10215            Call dword ptr [1502A11C]
:150128DE 85C0                    test eax, eax
:150128E0 7506                    jne 150128E8
:150128E2 896C2414                mov dword ptr [esp+14], ebp
:150128E6 EB78                    jmp 15012960

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:150128E0(C)
|
:150128E8 8D4C2424                lea ecx, dword ptr [esp+24]
:150128EC 8D542420                lea edx, dword ptr [esp+20]
:150128F0 51                      push ecx
:150128F1 8D44241C                lea eax, dword ptr [esp+1C]
:150128F5 52                      push edx
:150128F6 8D4C2424                lea ecx, dword ptr [esp+24]
:150128FA 50                      push eax
:150128FB 8D54241C                lea edx, dword ptr [esp+1C]
:150128FF 51                      push ecx
:15012900 52                      push edx
:15012901 896C2430                mov dword ptr [esp+30], ebp
:15012905 896C242C                mov dword ptr [esp+2C], ebp
:15012909 896C2434                mov dword ptr [esp+34], ebp
:1501290D 896C2438                mov dword ptr [esp+38], ebp

* Reference To: KERNEL32.GetDiskFreeSpaceA, Ord:0100h
                                  |
:15012911 FF1518A10215            Call dword ptr [1502A118]
:15012917 85C0                    test eax, eax
:15012919 7506                    jne 15012921
:1501291B 896C2414                mov dword ptr [esp+14], ebp
:1501291F EB3F                    jmp 15012960

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:15012919(C)
|
:15012921 8B442414                mov eax, dword ptr [esp+14]
:15012925 8B942430010000          mov edx, dword ptr [esp+00000130]
:1501292C 8B4C2420                mov ecx, dword ptr [esp+20]
:15012930 8B5C2418                mov ebx, dword ptr [esp+18]
:15012934 83E004                  and eax, 00000004
:15012937 33C2                    xor eax, edx
:15012939 33C1                    xor eax, ecx
:1501293B 33C3                    xor eax, ebx
:1501293D 33C6                    xor eax, esi
:1501293F 8BC8                    mov ecx, eax
:15012941 C1E910                  shr ecx, 10
:15012944 33C8                    xor ecx, eax
:15012946 6681F9001F              cmp cx, 1F00                     //we know this part below
:1501294B 740B                    je 15012958                      //option 1: change this je to jmp and we always reach the GoodGuy
:1501294D 6681F90508              cmp cx, 0805
:15012952 896C2414                mov dword ptr [esp+14], ebp
:15012956 7508                    jne 15012960                     //option 2: NOP this jne and we fall through directly to the GoodGuy

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1501294B(C)
|
:15012958 C744241401000000        mov [esp+14], 00000001           //here is the GoodGuy

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:150128E6(U), :1501291F(U), :15012956(C)
|
:15012960 39AC2440020000          cmp dword ptr [esp+00000240], ebp
:15012967 740A                    je 15012973
:15012969 396C2414                cmp dword ptr [esp+14], ebp
:1501296D 0F8420040000            je 15012D93
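What the instructions between 15012921 and 15012946 actually compute, as an added reconstruction in Python (this is not Blizzard's code; the mapping of the stack slots to the GetVolumeInformationA / GetDiskFreeSpaceA outputs, and ebp holding 0, are assumptions read off the push sequences in the listing above):

```python
# Added reconstruction of the storm.dll CD check fold (15012921..15012946).
# Not Blizzard's source. Slot mapping is an assumption from the push order:
#   [esp+14]  -> lpFileSystemFlags     (GetVolumeInformationA)
#   [esp+130] -> lpFileSystemNameBuffer (GetVolumeInformationA), e.g. b"CDFS"
#   [esp+20]  -> lpNumberOfFreeClusters (GetDiskFreeSpaceA)
#   [esp+18]  -> lpBytesPerSector       (GetDiskFreeSpaceA)
#   esi       -> GetDriveTypeA return value (5 = DRIVE_CDROM)
MASK32 = 0xFFFFFFFF
DRIVE_CDROM = 5
GOOD_VALUES = (0x1F00, 0x0805)   # the two constants compared against CX


def fold(fs_flags, fs_name, free_clusters, bytes_per_sector, drive_type):
    """Return the 16-bit value that ends up in CX at 15012946."""
    # mov edx, [esp+130]: first dword of the file system name, little-endian
    fs_dword = int.from_bytes(fs_name[:4].ljust(4, b"\0"), "little")
    eax = fs_flags & 4                  # and eax, 00000004
    eax ^= fs_dword                     # xor eax, edx
    eax ^= free_clusters & MASK32       # xor eax, ecx
    eax ^= bytes_per_sector & MASK32    # xor eax, ebx
    eax ^= drive_type & MASK32          # xor eax, esi
    eax &= MASK32
    # mov ecx, eax ; shr ecx, 10 ; xor ecx, eax ; cmp cx, ...
    return ((eax >> 16) ^ eax) & 0xFFFF


def cd_check_passes(fs_flags, fs_name, free_clusters, bytes_per_sector, drive_type):
    """True when execution would reach the GoodGuy at 15012958."""
    return fold(fs_flags, fs_name, free_clusters,
                bytes_per_sector, drive_type) in GOOD_VALUES


if __name__ == "__main__":
    # Constructed inputs: what a pressed CD typically reports vs. an NTFS hard disk
    print(hex(fold(0, b"CDFS", 0, 2048, DRIVE_CDROM)))   # 0x1f00
    print(cd_check_passes(0, b"NTFS", 12345, 512, 3))     # False
```

Feeding in the values a pressed CD reports (CDFS, 2048-byte sectors, no free clusters, DRIVE_CDROM) yields exactly 0x1F00, which supports the slot mapping. Every input is just what the OS reports about the volume, and the whole decision collapses into one 16-bit compare at a single branch, which is why a one-byte change to that branch is all it takes.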

2) We can make the same patch as for the other games (Note: the file offset of je 15012958 is 1294B and of jne 15012960 is 12956). Open storm.dll with Hiew and just change the 74 (je) byte to EB (jmp). This is the good old way we know from tutorials 8 and 9. Or shall we try something new? What if we just NOP the jne 15012960? If the game does not take the previous jump (which leads to the GoodGuy) it will just fall through directly to the GoodGuy. So open storm.dll with Hiew and change 7508 (jne 15012960) to 9090 (NOP NOP). Well, it runs just fine and another game is patched.

NOTE : I use install.exe from a ripped copy of the game. It is only 23MB and both Starcraft and Brood War work with it. I advise you to find this install.exe or you will not be able to run Starcraft and Brood War in the same session ... otherwise you have to quit, then copy install.exe from the Starcraft cd ... then again from the Brood War cd ...

===============================================================================================================
10.20.2000
Written by Zaks