---------------------------------------------------
This information is for educational purposes only!|
---------------------------------------------------

                                       
                         8rtin-!!CSA-     -ASC!!-nitr8

Written: [07/12/2002]                                       

Cracking Tutorial #4

What we want to crack: Comanche 4 v1.0.0.8

What we need to crack the game:  - W32DASM
                                 - Safedisc 2 Cleaner v1.0.3
                                 - Windows InstallShield Decompiler
                                 - Any hex editor (HIEW/QIEW/Hex Workshop...)

Why I wrote this tutorial: because there aren't any new tutorials for new games
on the web.

Skill: () I'm too young to die | (X) Hurt me plenty | () Nightmare

Ready to roll? OK, let's go...

First we need to copy the complete C4 CD to the hard drive. The copy has to look
exactly like the CD: the CD's root goes into the root of a drive ("*:\"), NOT
into a subdirectory ("*:\***\"). When the copy is done, try installing Comanche 4
from it. You'll be asked to "Enter Product Key found on the sticker...". Click OK
and a message box will tell you "Invalid Product...". That is all we need to
know for now.

Now take the Windows InstallShield Decompiler and decompile the SETUP.INS in
\C4SETUP\. As you may know, the whole InstallShield setup routine is driven by
this one script file. When decompiling has finished, type "VALID" into the empty
search field above the code, or look for "INVALID" in the String Data
References; you will find "INVALID_PKEY" there. Click on that entry and you
land here:

00001267: 0112   LoadInternalString ("","INVALID_PKEY",StrLocal[0004])
0000127E: 002A   MessageBox (StrLocal[0004],INFORMATION)
00001288: 002C   Goto (LABEL_0010)

 REF: 00001259 
  |
00001291: 0079   CopyBytes (StrLocal[0003],00000000,StrVar[0026],00000000,0000003F)
000012A8: 00B4   MYDLL.MydllCallByRef (NumLocal[0002],StrLocal[0003])
000012B3: 0021   NumLocal[0001] = LAST_RESULT
000012BB: 0128   NumLocal[0003] = NumLocal[0002] != 00000001
000012CD: 0022   IF NumLocal[0003] = 00000000 THEN GOTO LABEL_0016
000012DB: 0112   LoadInternalString ("","INVALID_PKEY",StrLocal[0004])
000012F2: 002A   MessageBox (StrLocal[0004],INFORMATION)
000012FC: 002C   Goto (LABEL_0010)

 REF: 000012CD 

As you can see, this part of the InstallShield script checks whether the serial
is valid. Look at the second "INVALID_PKEY" block: the key you typed is copied
into StrLocal[0003] and handed to MYDLL.MydllCallByRef, which writes its verdict
into NumLocal[0002] (that is the "ByRef" part). NumLocal[0003] is then set to 1
if NumLocal[0002] is not 1, and the IF only jumps to LABEL_0016 (the path that
continues the installation) when NumLocal[0003] is 0. In other words, the
installer only goes on if the DLL returned 1 for the key. So the only thing we
need to do is change the line

000012BB: 0128   NumLocal[0003] = NumLocal[0002] != 00000001

into this:

000012BB: 0128   NumLocal[0003] = NumLocal[0002] = 00000001

which inverts the test: every key the DLL rejects now passes. (Side effect: a
genuine key would now be rejected, because the inverted test fails for exactly
the value the DLL returns for a valid key.) To do it, double-click on the "!=",
then right-click on it and select "Change to..." - "=". Afterwards close the
Windows InstallShield Decompiler. You'll be asked whether you want a CRC
correction; click "YES", so that the script's checksum matches the edited
contents. After the CRC correction is done, restart Setup from your HD and click
"NEXT", then "NEXT" again. Wow, we don't need any serial. Cool.

OK, that was the serial protection. Now install Comanche 4. After the
installation is done, take Safedisc 2 Cleaner and clean the file C4.EXE; choose
the option to create a smaller file. When the cleaner is done, rename the new
"SD2cleaned.exe" to "C4.EXE" (keep a copy of the original) and start Comanche 4
using the NEW EXE file. Hit ESC to skip the intro movie. As you'll see, the
"Single Player" and "Multiplayer" buttons are both greyed out.

Close Comanche 4, fire up W32DASM and disassemble the new C4.EXE. There is no
visible CD check and no error message, so the game must be looking for
something on the CD and simply refusing to enable the buttons when it isn't
there: a missing file, a volume label that doesn't match, and so on. I found
out that it is the volume name, a directory name and the intro movie the game
is looking for. So once "C4.EXE" is disassembled, go to the Imported Functions
and double-click on "Kernel32.GetVolumeInformationA". W32DASM leads us here:

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0000h
                                  |
:0045CB49 FF15DC105500            Call dword ptr [005510DC]
:0045CB4F 6A08                    push 00000008
:0045CB51 8D8554FEFFFF            lea eax, dword ptr [ebp+FFFFFE54]

* Possible StringData Ref from Data Obj ->"COMANCHE4"
                                  |
:0045CB57 6844C85500              push 0055C844
:0045CB5C 50                      push eax
:0045CB5D E89E8F0C00              call 00525B00
:0045CB62 83C40C                  add esp, 0000000C
:0045CB65 85C0                    test eax, eax
:0045CB67 7548                    jne 0045CBB1
:0045CB69 53                      push ebx

Right after GetVolumeInformationA returns, the call at 0045CB5D compares
against the string "COMANCHE4": this is where the volume label is checked, but
it isn't where we will patch. Press the "PAGEDN" key on your keyboard and
you'll see much more, including something strange like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045CB7D(C), :0045CB8D(C)
|
:0045CB9D 1BC0                    sbb eax, eax
:0045CB9F 83D8FF                  sbb eax, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045CB9B(U)
|
:0045CBA2 85C0                    test eax, eax
:0045CBA4 5B                      pop ebx
:0045CBA5 750A                    jne 0045CBB1
:0045CBA7 C705905CA70001000000    mov dword ptr [00A75C90], 00000001

Wow, look at that. The game tests whether the CD check succeeded: "test eax,
eax" followed by "jne 0045CBB1" skips the next instruction whenever eax is
non-zero, and only when eax is zero does the game store the value 1 at
00A75C90. That store is what enables the buttons. There is no error message at
all: on a failed check the game simply never sets this flag, which is why both
buttons stay greyed out. (The two sbb instructions above it turn the carry flag
of a compare into -1 or +1, so whichever compare branched there, eax is
non-zero and the jne is taken.) Let's see where this check is coming from.
Press the "PAGEUP" key on your keyboard and you'll get here:
Note: "JNE" means (J)ump if (N)ot (E)qual, i.e. jump if the zero flag is clear

* Referenced by a CALL at Address:
|:0045D257   
|
:0045CA90 55                      push ebp
:0045CA91 8BEC                    mov ebp, esp
:0045CA93 81ECAC020000            sub esp, 000002AC
:0045CA99 56                      push esi

* Possible StringData Ref from Data Obj ->"C4INTRO.BIK"
                                  |
:0045CA9A 68809C5500              push 00559C80 

Let's see what the code at location 0045D257 does. Open "Goto" - "Goto Code
Location" in W32DASM, enter "0045D257" there and click OK. You'll be here:

:0045D252 E8F9FBFFFF              call 0045CE50
:0045D257 E834F8FFFF              call 0045CA90
:0045D25C E85FFCFFFF              call 0045CEC0

So the following line is the entry into the CD check:

:0045D257 E834F8FFFF              call 0045CA90

It calls the start of the CD-check routine. Remember that the "Single Player"
and "Multiplayer" buttons only work when the game has been started with the
correct CD in the drive, and that in this case the routine stores the value 1
at 00A75C90 (the MOV we found above) and frees both buttons. That gave me the
idea: we overwrite the start of the routine at 0045CA90 with that very MOV
followed by a RET, so the routine sets the flag and returns immediately
without ever looking for the CD, and the game always thinks the CD is in the
drive.

Click on the following line to select it and read its file offset from
W32DASM's status bar:

:0045CBA7 C705905CA70001000000    mov dword ptr [00A75C90], 00000001

The offset of this line is "0005CBA7". Fire up Hex Workshop now, load the
cleaned C4.EXE into it, select "Edit" - "Goto...", click on "Hex" and enter
"5CBA7" there (the leading zeros aren't needed). Click "Go". The cursor is now
on the first byte of the MOV instruction; note down its ten bytes:

C705 905C A700 0100 0000

Go back to W32DASM, click on the following line and read its offset:

:0045CA90 55                      push ebp

The offset of this line is "0005CA90". Back in Hex Workshop, select "Edit" -
"Goto...", enter "5CA90" there and click "Go". Starting at the cursor,
overwrite the existing bytes with the ten bytes we took from offset "5CBA7"
(C705 905C A700 0100 0000). Directly after them, overwrite the next five bytes
with:

C390 9090 90

C3 is RET: the patched routine now sets the flag and returns to its caller at
0045D257 at once, before the original code gets to look for the volume label,
the directory or the intro movie C4INTRO.BIK. The four NOPs (90) pad out the
rest of the 15 bytes we overwrote (push ebp ... push 00559C80), so no
half-decoded instruction is left behind and the code from 0045CA9F on is
untouched. In total exactly 15 bytes change:

C705 905C A700 0100 0000 C390 9090 90

Double-check the bytes at both offsets against the W32DASM listing before you
save; a patch written at the wrong offset corrupts the EXE. Then save the file.
Note: "RET" means (RET)urn
Note: "NOP" means (N)o (OP)eration
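Here is the same patch as a small Python script. It is an example added to this
tutorial, not part of nitr8's original text, and it has not been run against a
real C4.EXE. It takes the byte values and addresses from the W32DASM listing
above, decodes the relative call and jump targets to confirm that E834F8FFFF at
0045D257 really lands on 0045CA90, and refuses to write unless the bytes at both
offsets still match the listing, which is the check you want before touching a
binary in a hex editor. Assumed: an image base of 0x400000, so file offset = VA
- 0x400000 (the relation the tutorial's offsets 0005CA90 and 0005CBA7 imply),
and the zero-filled stand-in built by build_demo_image(), which only exists so
the logic can be exercised without the game.

```python
"""Added example: the C4.EXE no-CD patch from the tutorial above as a script.

Not part of the original tutorial and never run against a real C4.EXE; the
bytes and addresses are taken from the W32DASM listing on the page. Assumed:
image base 0x400000, so file offset = VA - 0x400000 (the relation the
tutorial's offsets 0005CA90 / 0005CBA7 imply for this section).
"""
import struct
import sys

IMAGE_BASE = 0x400000          # assumption, see module docstring
ROUTINE_VA = 0x45CA90          # push ebp: start of the CD-check routine
FLAG_MOV_VA = 0x45CBA7         # mov dword ptr [00A75C90], 1 ("CD present" flag)

# The 15 bytes at 0045CA90, straight from the listing:
#   55                  push ebp
#   8B EC               mov  ebp, esp
#   81 EC AC 02 00 00   sub  esp, 000002AC
#   56                  push esi
#   68 80 9C 55 00      push 00559C80          ; -> "C4INTRO.BIK"
ORIGINAL_PROLOGUE = bytes.fromhex("55 8B EC 81 EC AC 02 00 00 56 68 80 9C 55 00")

# The 10 bytes at 0045CBA7: mov dword ptr [00A75C90], 00000001
SET_FLAG = bytes.fromhex("C7 05 90 5C A7 00 01 00 00 00")
# ret followed by four nops: return at once, pad the rest of the 15 bytes
RET_AND_NOPS = bytes.fromhex("C3 90 90 90 90")
PATCH = SET_FLAG + RET_AND_NOPS
assert len(PATCH) == len(ORIGINAL_PROLOGUE) == 15


def va_to_offset(va):
    """Virtual address -> file offset, under the flat mapping assumed above."""
    return va - IMAGE_BASE


def rel32_target(instr_va, instr_bytes):
    """Destination of a relative branch: E8 call / E9 jmp (rel32) or a short
    7x jcc / EB jmp (rel8). target = address of the next instruction + disp."""
    op = instr_bytes[0]
    if op in (0xE8, 0xE9):
        (disp,) = struct.unpack("<i", instr_bytes[1:5])
        return instr_va + 5 + disp
    if 0x70 <= op <= 0x7F or op == 0xEB:
        (disp,) = struct.unpack("<b", instr_bytes[1:2])
        return instr_va + 2 + disp
    raise ValueError("opcode %02X is not a relative branch" % op)


def patch_cd_check(image):
    """Apply the patch in place to `image` (bytearray of the cleaned C4.EXE).

    Writes nothing unless both offsets still hold exactly the bytes W32DASM
    showed, so a wrong file, a wrong mapping or a second run is caught."""
    off_flag = va_to_offset(FLAG_MOV_VA)
    off_routine = va_to_offset(ROUTINE_VA)
    if bytes(image[off_flag:off_flag + len(SET_FLAG)]) != SET_FLAG:
        raise ValueError("no 'mov [00A75C90],1' at offset %05X: wrong file or mapping" % off_flag)
    if bytes(image[off_routine:off_routine + len(ORIGINAL_PROLOGUE)]) != ORIGINAL_PROLOGUE:
        raise ValueError("prologue at offset %05X differs from the listing: already patched?" % off_routine)
    image[off_routine:off_routine + len(PATCH)] = PATCH
    return image


def build_demo_image(size=0x5D000):
    """Constructed stand-in for the cleaned C4.EXE (NOT real game data): zeros
    with only the two byte sequences from the listing at their offsets."""
    image = bytearray(size)
    image[va_to_offset(ROUTINE_VA):va_to_offset(ROUTINE_VA) + 15] = ORIGINAL_PROLOGUE
    image[va_to_offset(FLAG_MOV_VA):va_to_offset(FLAG_MOV_VA) + 10] = SET_FLAG
    return image


def main(path):
    with open(path, "rb") as f:
        image = bytearray(f.read())
    with open(path + ".bak", "wb") as f:      # keep the cleaned, unpatched EXE
        f.write(image)
    patch_cd_check(image)
    with open(path, "wb") as f:
        f.write(image)
    print("patched %s; original saved as %s.bak" % (path, path))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python patch_c4.py C4.EXE")
    main(sys.argv[1])
```

Run it as "python patch_c4.py C4.EXE" on the cleaned EXE; it writes C4.EXE.bak
first. The verify-before-write step is the point: if Safedisc 2 Cleaner or a
different game version moved the code, the bytes won't match and nothing is
written, instead of a blind 15-byte overwrite at a stale offset.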

Now restart Comanche 4 using the cleaned and patched EXE.

Wow, we cracked Comanche 4, and no CD is needed anymore.

Enjoy your game.

This Tutorial has been written by the mighty <-=nitr8=->.