---==[ Comandos cD-RoM cHECK ]==---

[yAtEs][ECL`99] / 31/Aug/`99 /

Tools: SoftICE, Hex Workshop, W32Dasm.

I'm going to explain how to make a working copy of the game Comandos and get it
up and running from that copy. Note: you should only do this to back up
YOUR own original.
 
Ok, first we need a copy of the CD. You've probably tried this already and
found you can't, because there are four huge files in the way:
BBVN.AFP, BTBW.AFP, ETAO.AFP and TBTP.AFP. So what are these? Answer: big
files :). I'd be interested if anyone has any knowledge of how Windows is
tricked into thinking they're that size. Either way, simply leave the four
files off your copy.

Now we have a copy. Put the CD in the drive and do a full installation onto
your hard drive. When you run the game you may notice it doesn't run ;) doh!
I guess those four files were important, so throw away your CD and start
agai... only joking :p. If we think about it, the game must be doing a check
for those files, so let's make the program think everything is ok :D

 

Disassemble Comandos.exe with W32Dasm (it takes a long time........). When it
has finished, go to the Search menu and select Find, enter AFP in the find
box and click Find.

You'll now see this code. It looks like the section that checks whether the
four files are present; if we scroll on down we see the references to the
other AFP files. Let's focus on the one at the top first. 99% of the time in
these cases the first jump is the one that is taken depending on whether the
file exists or not, so we should obviously reverse it? Well, try it..... in
fact don't, I tried it already and it will crash your computer. Hmmmm, so now
what? Well, if this jump really is the file-there-or-not jump, we can go into
SoftICE and follow it: eventually we will be returned from a call, and right
after that call there will most likely be a good/bad jump :). You see,
programmers tend to write procedures which do certain tasks rather than
putting lots of code in one main loop, so the programmer most likely wrote a
Check_CD-ROM procedure, and it is the caller, after the call returns, that
decides whether to carry on or complain. That is also why patching the
decision at the call site is the safer option: it changes one caller only,
not every path through a procedure that may be used for other files too. So
we need to trace from this jump until we hit a RET, the return from this
deadly CD check call :)

 

We need to set a breakpoint before the jump, so let's set one at 0044CB1C.
Load up NuMega SoftICE Symbol Loader, go to the File menu, select Open Module
and pick your Comandos.exe, then go to the Module menu and select Load (click
Yes to the error about symbol translation). SoftICE pops up, and we can set
our breakpoint by typing BPX 0044CB1C. Exit SoftICE by pressing Ctrl+D and
Comandos will continue to load. Now select New Game, then Single Player.
During the cD-cHECK SoftICE will kick in and break. Press F10 to step over
each instruction, and when we get to that jump at 0044CB2D we see that we
jump to the following code

 

 

This looks like the check for the second of the files. As we F10 through this
code we eventually reach the jmp at the bottom, which takes us to this code

 

 

This is the third file. If we keep F10ing we notice the conditional jump is
not taken, and we fall through until we reach the jmp again. Wonder where we
go next :)

 

 

Now we are at the fourth file. Of course you don't really know this while you
are stepping through the code; it only becomes clear when you take note of
which jumps are taken and then look back in W32Dasm for reference. As we
press F10 again through the code we reach the jmp, which takes us to

 

WooHoo! :) We see a RET, maybe the return from an Is_The_Stupid_Cd_In_The_Drive
procedure. Proceed on through the code with F10 until we hit the RET, and we
return to

 

 

Now that we have returned from this call, clear all breakpoints by typing BC *
and double-click the Call 0044CAF0 line in the code window; it should now be
highlighted, which means a breakpoint is set on it. Press Ctrl+D to exit
SoftICE and the Insert CD screen will appear. Click (R)etry and SoftICE will
break in at the call we just marked. Just after this call is a jump. Press
F10 until you are on this jump; we can now see that the jump is taken, so
let's skip it by altering EIP. EIP is the 32-bit instruction pointer: it
holds the address of the next instruction to be executed. If you look at the
top right of your SoftICE screen it says EIP=0044801C. Click on it and change
it to EIP=0044801E (typing R EIP=0044801E at the prompt does the same), and
the cursor moves past the jump instruction. Press Ctrl+D and wow! Comandos
continues to load perfectly :)). So we can now patch those two bytes, 7418
(JE short, skip forward 0x18 bytes when the check fails), to 9090 (two NOPs),
so the jump is never taken. Check that the bytes at the file offset really
are 74 18 before you overwrite them; the file offset is not the same as the
address SoftICE shows. Usually I would explain how to patch the program and
get offsets, but I feel if you're attempting to crack this then you should
already know :). My work is done here :) till next time.
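The tutorial stops short of the last step: turning the address the debugger shows (0044801C) into a file offset and writing the two NOPs. The script below is an added example, not part of the original tutorial and not taken from the game: it walks the PE section table to map the virtual address to a file offset, refuses to write unless the bytes found there are the 74 18 the debugger showed (wrong build, wrong offset or already patched), and then writes 90 90. Because the real Comandos.exe is not available here, build_demo_pe() constructs a tiny PE32 stand-in whose ImageBase (0x400000), single .text section and file offsets are assumptions; the CALL 0044CAF0 followed by JE at 0044801C is placed in it to match what the tutorial describes.

```python
# Added example, not from the original tutorial: VA -> file offset via the PE
# section table, then a checked patch of 74 18 (JE short) to 90 90 (NOP NOP).
# build_demo_pe() is a constructed stand-in for Comandos.exe; its ImageBase,
# section layout and file offsets are assumptions, not the real binary's.
import struct

IMAGE_BASE = 0x00400000   # assumption for the demo image (common Win32 default)


def parse_pe(data):
    """Return (image_base, sections) for a PE32 file.

    sections is a list of (name, virtual_address, virtual_size,
    pointer_to_raw_data, size_of_raw_data) tuples from the section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:                                     # PE32 only (32-bit game)
        raise ValueError("not a PE32 image: magic %#x" % magic)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    sect = opt + opt_size
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sect + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_offset(image_base, sections, va):
    """offset = (VA - ImageBase - VirtualAddress) + PointerToRawData of the containing section."""
    rva = va - image_base
    for name, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:   # virtual-only space (e.g. .bss): nothing to patch on disk
                raise ValueError("%08X is in %s but beyond its raw data" % (va, name))
            return rawptr + delta
    raise ValueError("%08X is not inside any section" % va)


def patch_jump(data, va, expected=b"\x74\x18", replacement=b"\x90\x90"):
    """Overwrite the bytes at va, but only if they are the ones the debugger showed.
    Returns (patched_image, file_offset)."""
    image_base, sections = parse_pe(data)
    off = va_to_offset(image_base, sections, va)
    found = data[off:off + len(expected)]
    if found != expected:
        raise ValueError("at %08X (file offset %X) found %s, expected %s"
                         % (va, off, found.hex(), expected.hex()))
    out = bytearray(data)
    out[off:off + len(replacement)] = replacement
    return bytes(out), off


def build_demo_pe():
    """Constructed PE32 with one .text section standing in for Comandos.exe.
    The section is mapped at RVA 0x48000 and stored at file offset 0x200 so the
    tutorial's CALL 0044CAF0 / JE at 0044801C land inside it (assumed layout)."""
    text_rva, text_raw, text_size = 0x48000, 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva,
                       text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(text_raw, b"\0")
    code = bytearray(b"\xCC" * text_size)
    call_va, je_va = 0x00448017, 0x0044801C                    # assumed: 5-byte CALL right before the JE
    i = call_va - IMAGE_BASE - text_rva
    code[i:i + 5] = b"\xE8" + struct.pack("<i", 0x0044CAF0 - je_va)   # CALL 0044CAF0
    code[i + 5:i + 7] = b"\x74\x18"                            # JE short +0x18, the 7418 to patch
    return headers + bytes(code)


if __name__ == "__main__":
    image = build_demo_pe()
    patched, off = patch_jump(image, 0x0044801C)
    print("file offset %X: %s -> %s" % (off, image[off:off + 2].hex(), patched[off:off + 2].hex()))
```

To use it on a real file, read Comandos.exe into `data`, call `patch_jump(data, 0x0044801C)` and write the returned image to a new file, keeping the original. The byte check is the part worth copying: a different build of the game puts the check at a different address, and blindly writing 90 90 at a wrong offset corrupts an instruction elsewhere instead of crashing visibly.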

 

gREETz tO:- AB4DS, ACiD_BuRN, Appbusta, Axion, Bjanes, ByteBurn, Craftyhac, Carpathia, Dezm, ^InFeRnO^, medivh, Nitrus, NeutralN, Smaegle, _tARG0N, thorny, The_Corpse, Tornado, Zoltan, _y and all other dUDes i know :)