Dune 2000 - Tutorial by zoltan

Reverse Engineering Protections From WestWood

Dune 2000 from CLS and the update from WestWood (do an FTP search).

Tools Needed

Hackers View (Hiew).
SoftICE.
W32Dasm.

Patch for Dune 2000: d2k106uk.zip

This game was/is (being) played a lot in the world, and no wonder, because this game is from one of the best companies in the whole world, WestWood. Yeah, that's right, the same company that made the smash hits back in 94-95, if I remember rightly, Command & Conquer and Command & Conquer 2: Red Alert. Dune 2000 was released to the public and has been available for download on the net since then.

I did some work for you and discovered that Dune2000.exe isn't the main executable; Dune2000.dat is the real one. So we start off by running the game (Dune2000.exe). What happens? A MessageBox pops up telling us to insert the CD. Let's fix that bug so we can run it without the CD in. I personally don't like this kind of protection, mainly because you can't play over a network with your friends (with one CD) and you can't listen to music while you play.

Alright, load up the (.dat) in W32Dasm, then look at the API imports and see if you can spot any CD-check related APIs such as GetDriveTypeA or GetVolumeInformationA. I have cracked this before, so I will mainly be showing you stuff from W32Dasm, but you can follow along in SoftICE if you like.

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh    <-- Very common in CD-checks.

:004826EA MOV EBP, DWORD PTR [008CF548]

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh    <-- Another very common API.

:004826F0 MOV EDI, DWORD PTR [008CF558]

* Reference To: KERNEL32.Sleep, Ord:023Fh

:004826F6 MOV EBX, DWORD PTR [008CF4E8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048275A(C)

:004826FC LEA ECX, DWORD PTR [ESP+10]  <-- [ESP+10] holds drive being checked.
:00482700 PUSH ECX
:00482701 CALL EBP                     <-- GetDriveTypeA  - HD EAX=3, CD EAX=5.
:00482703 CMP EAX, 00000005            <-- Check if the drive we are checking is a CD drive.
:00482706 JNZ 0048274E                 <-- Jump if not.
:00482708 PUSH 00000000
:0048270A PUSH 00000000
:0048270C PUSH 00000000
:0048270E PUSH 00000000
:00482710 PUSH 00000000
:00482712 LEA EDX, DWORD PTR [ESP+28]
:00482716 PUSH 00000064
:00482718 LEA EAX, DWORD PTR [ESP+28]
:0048271C PUSH EDX
:0048271D PUSH ECX
:0048271E CALL EDI                     <-- CALL GetVolumeInformationA.
:00482720 TEST EAX, EAX
:00482722 JZ 0048274E                  <-- Jump if no label found.

* Possible Reference to String Resource ID=00001: "Dummy for list box "

:00482724 PUSH 00000001

* Possible StringData Ref from Data Obj ->"Dune2000CDLabel"  <-- Dune 2000 CD label.

:00482726 PUSH 004E8BCC
:0048272B CALL 0048DC10
:00482730 ADD ESP, 00000004
:00482733 PUSH EAX
:00482734 CALL 0048DCC0
:00482739 ADD ESP, 00000008
:0048273C LEA ECX, DWORD PTR [ESP+14]
:0048274A TEST EAX, EAX
:0048274C JZ 00482766                  <-- Jump if it's the same label.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00482706(C), :00482722(C)

:0048274E PUSH 000001F4
:00482753 CALL EBX                     <-- Sleep.
:0048275C XOR AL, AL                   <-- XOR AL, AL = bad cracker, go away!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048274C(C)

:00482766 MOV AL, 01                   <-- MOV AL, 01 = continue!
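To make the control flow of the listing above easier to follow, here is its decision logic modelled in Python as an added example; this is not code from the game or from the tutorial. The stand-in API functions, the drive tables and the exact-equality label compare are assumptions; the drive-type codes 3 and 5 are the real values GetDriveTypeA returns.

```python
# Constructed model of the CD-check routine listed above; not code from the game
# or the tutorial. Drive-type codes are the real GetDriveTypeA return values;
# the drive tables at the bottom are made-up sample input.
DRIVE_FIXED = 3                     # GetDriveTypeA: hard disk
DRIVE_CDROM = 5                     # GetDriveTypeA: CD-ROM drive
EXPECTED_LABEL = "Dune2000CDLabel"  # constant string the routine compares against
SLEEP_MS = 0x1F4                    # PUSH 000001F4 before CALL Sleep = 500 ms


def get_drive_type(drive):
    """Stand-in for KERNEL32.GetDriveTypeA (EAX = drive type code)."""
    return drive["type"]


def get_volume_information(drive):
    """Stand-in for KERNEL32.GetVolumeInformationA: returns (ok, label).
    ok is False when the drive holds no readable medium (JZ 0048274E path)."""
    label = drive.get("label")
    return (label is not None, label)


def cd_check(drives):
    """Model of 004826FC..00482766. Walks the drive table the way the loop
    closed by the conditional jump at 0048275A does (the listing omits the
    loop bounds, so the table passed in defines them). Returns the value left
    in AL (1 = disc found, 0 = refuse), the drive that satisfied the check,
    and the total milliseconds the Sleep calls on failing drives cost."""
    slept_ms = 0
    for letter, drive in drives.items():
        if get_drive_type(drive) != DRIVE_CDROM:   # CMP EAX,5 / JNZ 0048274E
            slept_ms += SLEEP_MS
            continue
        ok, label = get_volume_information(drive)  # CALL EDI / TEST EAX,EAX
        if ok and label == EXPECTED_LABEL:         # label compare, JZ 00482766
            return 1, letter, slept_ms             # MOV AL,01
        slept_ms += SLEEP_MS                       # 0048274E: PUSH 1F4 / CALL Sleep
    return 0, None, slept_ms                       # 0048275C: XOR AL,AL


# Constructed sample drive tables (not real machines)
SAMPLE_WITH_CD = {"C:": {"type": DRIVE_FIXED, "label": "SYSTEM"},
                  "D:": {"type": DRIVE_CDROM, "label": "Dune2000CDLabel"}}
SAMPLE_WRONG_DISC = {"C:": {"type": DRIVE_FIXED, "label": "SYSTEM"},
                     "D:": {"type": DRIVE_CDROM, "label": "SomeOtherDisc"}}
SAMPLE_EMPTY_TRAY = {"C:": {"type": DRIVE_FIXED, "label": "SYSTEM"},
                     "D:": {"type": DRIVE_CDROM}}
```

Every drive that fails a test passes through the Sleep call, which is why the real check pauses half a second per non-matching drive before giving up.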

OK, let's make some changes:

:00482703 CMP EAX, 00000005            <-- Check if the drive is a CD drive.
-----> :00482703 CMP EAX, 00000003     <-- Get the HD.

:00482722 JE 0048274E
-----> :00482722 NOP, NOP              <-- No operation.

:0048274C JE 00482766                  <-- Jump if it's the same label.
-----> :0048274C JMP 00482766          <-- Jump no matter what :).

OK, we've made it through the CD-check routine and the label check... let's make the changes permanent with Hiew and run the game. What happens? Yes, a MessageBox pops up telling us "Oh No! can't open movies". Alright, run it again, but this time put a bpx on MessageBoxA; when it breaks, just backtrace the CALL and simply NOP it, because you are inside the movie-playing routine. So now it won't even look for the movies, it will just go past the whole nag. Also, I must add, I don't know whether there are any other protections in the original game.

The Movie Routine CALL (read the explanation above before trying to understand it):

:0048D92C MOV BYTE PTR [005178B8], 01
:0048D933 CALL 00403460                <-- Here it is.
:0048D938 ADD ESP, 00000004

Change:

:0048D933 CALL 00403460
-----> :0048D933 90 90 90 90 90        <-- NOP.

© 1998, 1999 CrackZ. 28th September 1999.