Quake 2 CD-Check tutorial

	by Xcellent

We're going really fast these days!! Almost every week I'm
putting new tutors on the road (Thanx shadowRUNNER)!! Yeah, just to
bring you the knowledge. This is an old game, sorry, but I have no
money to buy new games and no time!! But I still have some time to write
tutorials, but that's ok. This protection is very easy, and if you have read
my other tutors you will understand it easily.

Tools needed:
W32Dasm 8.9 (www.crackstore.com)
Any hex editor (www.crackstore.com has many)

Run Quake 2 and, hmm..... it seems to be working... but click Game, Easy
and.... "You must have the Quake2 CD in the drive to play." OK,
that's no prob: run W32Dasm and open quake2.exe, click on String
Data References, search for the message, then double-click on
it. Now you will see:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B21E(C) <- THIS is what we're searching for....
|
:0042B235 8A442404                    mov al, byte ptr [esp+04]
:0042B239 FEC0                        inc al
:0042B23B 3C7A                        cmp al, 7A
:0042B23D 88442404                    mov byte ptr [esp+04], al
:0042B241 0F8E6AFFFFFF                jle 0042B1B1

* Possible StringData Ref from Data Obj ->"You must have the Quake2 CD in "
                                        ->"the drive to play."
                                      |
:0042B247 6864474400                  push 00444764
...
Did you see the reference to a jump at :0042B21E? OK, that's the way: press
Shift + F12, type 42B21E and press Enter. Now you should see:
* Possible StringData Ref from Data Obj ->".\quake2.exe" <- get file on CD
                                      |
:0042B1FC 6898474400                  push 00444798
:0042B201 52                          push edx
:0042B202 E839430000                  call 0042F540
:0042B207 83C40C                      add esp, 0000000C
:0042B20A 8D442408                    lea eax, dword ptr [esp+08]

* Possible StringData Ref from Data Obj ->"r"
                                      |
:0042B20E 68A8474400                  push 004447A8
:0042B213 50                          push eax
:0042B214 E897250000                  call 0042D7B0 <- call cd check routine
:0042B219 83C408                      add esp, 00000008
:0042B21C 85C0                        test eax, eax <- compare results
:0042B21E 7415                        je 0042B235   <- if no cd then jump
:0042B220 50                          push eax      <- else continue
:0042B221 E86A200000                  call 0042D290
:0042B226 83C404                      add esp, 00000004
:0042B229 8D4C2404                    lea ecx, dword ptr [esp+04]
:0042B22D 51                          push ecx
:0042B22E FFD6                        call esi
:0042B230 83F805                      cmp eax, 00000005
:0042B233 7421                        je 0042B256  <- run the game
...
What we'll change is the je 0042B235, replacing it with nops, but first we
must know its file offset. Move the bar to the address :0042B21E and look at
the bottom of the screen: you will see @Offset 0002A61Eh, so the offset is 2A61E.
Run your hex editor, open quake2.exe and go to offset 2A61E, then change
7415 (the two bytes of the je) to 9090 (two nops) and save. Run the game and....!!No CD!!
That was simple, I will try to find a game that is harder to crack..
That's all and I hope you enjoyed this little tutor.
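
Where the @Offset value comes from: W32Dasm maps the virtual address to a file position through the PE section table, the same mapping an integrity or diffing tool uses to tie a changed byte on disk back to an instruction. The sketch below is an added example, not part of the original tutorial; the headers it parses are constructed, and the image base and .text layout (0x400000, RVA 0x1000, raw pointer 0x400) are assumptions chosen to agree with the address/offset pair above, not values read from quake2.exe.

```python
import struct

def build_sample_headers():
    """Constructed PE32 headers, NOT the real quake2.exe; layout values are assumptions."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase (assumed)
    # Section header: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x40000, 0x1000,
                       0x40000, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + text

def va_to_file_offset(image, va):
    """Map a virtual address to its file offset using the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                        # optional header follows COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    rva = va - struct.unpack_from("<I", image, opt + 28)[0]
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i                    # each section header is 40 bytes
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:
                raise ValueError("address is not backed by bytes on disk")
            return rptr + (rva - vaddr)
    raise ValueError("address is outside every section")

if __name__ == "__main__":
    # With the assumed layout, the tutorial's address maps to the tutorial's offset.
    print(hex(va_to_file_offset(build_sample_headers(), 0x42B21E)))
```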

Xcellent - The Brazillian crack3er
xcellen@bol.com.br - ICQ#83507510
