        e       v       o       l       u       t      i      o       n

 HOW TO CRACK TOM CLANCY'S RAINBOW SIX 1.04 :       STEP BY STEP TUTORIAL !!!
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~       ~~~~~~~~~~~~~~~~~~~~~~~~~

 German version: killing C-DILLA protection, CD-check and enabling BLOOD !!!
 English version: killing CD-check
 

 by   B u g H U N T E R
 
 

 Things you will need:
 
 Rainbow Six CD (I use 1.03 ger, but any other will do it too)
 Rainbow Six Update to 1.02 english or any other addon with an english exe
 Rainbow Six Update to 1.04 english
 Rainbow Six Update to 1.04 german
 Win32DASM
 HEX-Editor (Hedit, Ultraedit, or others)
 Windows Commander (recommended)
 
 
 Well, lets start:
 
 (If this tutor is too awful to read it is because of my poor English, but I can
  also write in German if ya want to. But I thought all people should have the
  chance to understand it - at least the main ideas !!!)
 First of all I got this nice game called Rainbow Six from a friend of mine.
 But it had a bug in it. Every time it starts up it wants to have the RB6-CD
 in the drive! I decided I had to do something against it.
 The German version is C-DILLA protected so you can not crack it (I can not,
 if anyone out there can do the job please mail me!!). There is a crack from
 Pedro [Laxity] that enables you to play with a burned copy of the game.
 But that is not what I wanted to have. I want to run the game entirely from
 hard disk. The English version has no such copy protection. WHO CAN TELL ME
 WHY? Are they afraid of us? I have seen lots of German and European games
 that were protected much better than English ones, with SECUROM for example.
 Perhaps they forgot the protection in their updates, I thought, cos I saw one
 to update ALL versions of RB6 to 1.04. So I downloaded and tested it. Shit!
 It does not do its job on my German ver. Perhaps an English executable could
 work with my German ver? No, it does not - different versions (1.02 & 1.03).
 I had only one chance left: update both versions to 1.04 and then exchange
 the RainbowSix.exe. By the way, the 1.02 English exe is needed for the 1.04
 patch-update! TADA, it works!
 All we have left is the CD check from the English version.


 Cracking RainbowSix.exe v1.04 English:

 For a quick solution:
 Make a FULL installation and no crack is needed. You can delete the data\video
 dir if you want. If you do this you have to hit esc twice on startup cos
 proggy virtually plays the video files! Or you could use my SMK dummy files.
 That was it.

 If you want to learn something about cracking:
 Make a standard install.
 Upgrade to v1.04. Copy RainbowSix.exe from the English 1.04 ver to your RB6
 dir and overwrite the German version exe. Delete RainbowSix.ICD and Clockspl.EXE
  - they are for C-DILLA (so we won't need them anymore).
 Start RB6. Hmm, an error box popped up showing 'Bitte legen Sie die Rainbow
 Six-CD in Laufwerk'. Remember that message !!!
 So open RainbowSix.exe in Windows Commander to take a closer look at it.
 Search for the error message. Hmm, not found - must be somewhere else.
 If you look at your RB6 dir you will notice several .TXT files containing
 text strings. Conclusion: the error message is also in a .txt file.
 ==> search for a file *.TXT containing 'Bitte legen Sie'.
 Found at data\text\interface\german\DialogueCD.txt
 So let's look where the exe calls the msg-txt.
 Copy RainbowSix.exe to RainbowSix.W32 (as backup).
 Open RainbowSix.w32 in W32DASM. This could take a while! (25min on my PII)
 Search for 'DialogueCD.TXT'
 You should see the following
  :0040AFBD 90                      nop
  :0040AFBE 90                      nop
  :0040AFBF 90                      nop
  
  * Referenced by a CALL at Address:
  |:0040A193                                     <-- reference to this check
  |                                                  routine
  :0040AFC0 55                      push ebp
  :0040AFC1 8BEC                    mov ebp, esp
      ..                                ..
      ..                                ..
  :0040B0A0 8D4DD4                  lea ecx, dword ptr [ebp-2C]
  :0040B0A3 50                      push eax
  :0040B0A4 E8D7A00100              call 00425180
  
  * Possible StringData Ref from Data Obj ->"dialogueCD.txt"  <-- our MESSAGE
                                    |
  :0040B0A9 68C0858900              push 008985C0
  :0040B0AE 8D4DA0                  lea ecx, dword ptr [ebp-60]
  :0040B0B1 E81AA60100              call 004256D0
  :0040B0B6 8D4DA0                  lea ecx, dword ptr [ebp-60]
  :0040B0B9 C645FC07                mov [ebp-04], 07

 So let's trace the call at 0040A193 back (Goto - Goto Code Location - 0040A193)

  :0040A18D 84C0                    test al, al
  :0040A18F 740F                    je 0040A1A0
  :0040A191 8BCE                    mov ecx, esi
  :0040A193 E8280E0000              call 0040AFC0
  :0040A198 84C0                    test al, al
  :0040A19A 0F8452030000            je 0040A4F2

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0040A18F(C)

 Hmm, after the call a value is returned in AL. If the check fails then AL=0 and
 then goodbye!
 Since we don't want this call to be executed we can NOP it (set No OPeration
 on it), but we have to set AL=1 to continue as if nothing has happened.
 Get the file offset of the call at 0040A193 (it is displayed in the bottom line,
 the call must be highlighted) and start your hex editor.
 Load RainbowSix.EXE and goto 9593h in this case.
 Replace E8 28 0E 00 00
 with    90 90 90 B0 01    90=NOP       B0 01 = Set AL register=1
                            Save it and it's done !!!
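 The two numbers the walkthrough above leans on (the call target 0040AFC0 that
 W32DASM prints for E8 28 0E 00 00, and the file offset 9593h for the virtual
 address 0040A193) both come from simple arithmetic, and it is worth being able
 to check them by hand instead of trusting the tool. The Python below is an added
 example, not code from the original tutorial or from the game: it decodes the
 relative branches in the listing (target = address of the next instruction +
 signed displacement), maps a virtual address to a file offset through a PE
 section header, and decodes the replacement bytes to confirm the patch is exactly
 as long as the instruction it overwrites, so the `test al, al` at 0040A198 still
 lines up. The image base 0x400000 and the .text section values (VirtualAddress
 0x1000, PointerToRawData 0x400) are assumptions that reproduce the 9593h offset
 the page gives; a real analysis reads them from the PE headers.

```python
import struct

# Constructed sample: instruction bytes copied from the W32DASM listing above,
# keyed by their virtual address.
LISTING = {
    0x0040A18F: bytes.fromhex("740F"),          # je   0040A1A0
    0x0040A193: bytes.fromhex("E8280E0000"),    # call 0040AFC0  (the CD-check routine)
    0x0040A19A: bytes.fromhex("0F8452030000"),  # je   0040A4F2
    0x0040B0A4: bytes.fromhex("E8D7A00100"),    # call 00425180
}

# Assumed PE layout (not read from the real file): image base and one .text
# section as (name, VirtualAddress, PointerToRawData, VirtualSize).
IMAGE_BASE = 0x00400000
SECTIONS = [(".text", 0x1000, 0x400, 0x80000)]

# Conditional-jump mnemonics indexed by the low nibble of 7x / 0F 8x opcodes.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_branch(va, code):
    """Decode one relative branch at virtual address `va`.
    Handles E8 call / E9 jmp (rel32), 0F 8x jcc (rel32), 7x jcc / EB jmp (rel8).
    Returns (mnemonic, instruction length, target virtual address)."""
    op = code[0]
    if op in (0xE8, 0xE9):
        rel, length = struct.unpack_from("<i", code, 1)[0], 5
        mnem = "call" if op == 0xE8 else "jmp"
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:
        rel, length = struct.unpack_from("<i", code, 2)[0], 6
        mnem = JCC[code[1] & 0x0F]
    elif 0x70 <= op <= 0x7F or op == 0xEB:
        rel, length = struct.unpack_from("<b", code, 1)[0], 2
        mnem = "jmp" if op == 0xEB else JCC[op & 0x0F]
    else:
        raise ValueError(f"not a relative branch opcode: {op:02X}")
    # x86 relative branches are taken from the end of the branch instruction.
    return mnem, length, (va + length + rel) & 0xFFFFFFFF


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address to a raw file offset via the section that contains it."""
    rva = va - image_base
    for name, vaddr, raw_ptr, size in sections:
        if vaddr <= rva < vaddr + size:
            return rva - vaddr + raw_ptr
    raise ValueError(f"VA {va:08X} lies in no section")


def decode_patch(code):
    """Decode the opcodes used in the page's replacement bytes: 90 (nop) and
    B0 ib (mov al, imm8). Anything else is reported as an unknown byte."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x90:
            out.append("nop"); i += 1
        elif op == 0xB0 and i + 1 < len(code):
            out.append(f"mov al, {code[i + 1]:#04x}"); i += 2
        else:
            out.append(f"db {op:#04x}"); i += 1
    return out


def same_length(original, replacement):
    """A patch that changes instruction length would desynchronise everything
    after it; the page's 5-byte replacement keeps the following test al, al intact."""
    return len(original) == len(replacement)


if __name__ == "__main__":
    for va, code in sorted(LISTING.items()):
        mnem, length, target = decode_branch(va, code)
        print(f"{va:08X}  {code.hex().upper():<14} {mnem} {target:08X}")
    print(f"file offset of 0040A193: {va_to_file_offset(0x0040A193):X}h")
    print(decode_patch(bytes.fromhex("909090B001")))
```

 Running it reproduces every target W32DASM printed in the listing and the 9593h
 offset, which is the check a reviewer would do before touching a hex editor.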

 Now you can delete the data\video dir if you want. If you do this you have to
 hit esc twice on startup cos proggy virtually plays the video files! Or you
 could use my SMK dummy files.
 That was all. Now start RB6 and play it. Hmm, something seems to be different.
 Hey, these guys are bleeding, kewl !!
 You enabled BLOOD in the GERMAN HD version !! (This is because the English ver
 always runs with blood.)

End of my first tutorial, hope you liked it

 Watch out for my second tutorial..     always hunting for new 'bugs' to remove


for comments or questions mail 2 BugHUNTER@gmx.net

greets to the German cracking force - C64 lives !!

