--------------------------------------------------+
This information is for educational purposes only!|
--------------------------------------------------+

Cheerio again...=)

Target game: Warhammer: Dark Omen

Tools (I used):

Hiew 6.04
W32Dasm v8.93
(Soft-Ice 3.24... not necessary)
Nothing else...


Ok... here we go!

Step 1. Install. Make sure you do a full install. After it's done, remove the cd from the
drive and start Warhammer. When you try to start a new game, the game (surprisingly) asks for
the cd. We won't allow this to happen, so we're gonna have to remove that check.
Make backups of Engrel.exe (if you chose the English language)... (.w32 & .bak).
Load Engrel.w32 in W32Dasm. It doesn't take long to disassemble, so let's move on...
I'm quite sure the check is done by GetDriveTypeA (u can try to set a breakpoint on it in SI
if u want), so let's search for it (or find it from Imp Fn...imported functions).
Found it?... Good

* Referenced by a CALL at Address:
|:0048A5E0   <-- This looks familiar...
|
:0048A600 81EC04010000         sub esp, 00000104
:0048A606 53                   push ebx
:0048A607 56                   push esi
:0048A608 8BB42410010000       mov esi, dword ptr [esp+00000110]
:0048A60F 57                   push edi
:0048A610 55                   push ebp
:0048A611 56                   push esi

Reference To: KERNEL32.GetDriveTypeA, Ord:00Deh

It seems like this is the cd-check routine... let's go back to the call... scroll a bit up

:0048A5E0 E81B000000           call 0048A600  <-- call for the cd-check (@offset 899E0)
:0048A5E5 83C418               add esp, 00000018
:0048A5E8 5D                   pop ebp
:0048A5E9 5F                   pop edi
:0048A5EA 5E                   pop esi
:0048A5EB 5B                   pop ebx
:0048A5EC 81C464020000         add esp, 00000264
:0048A5F2 C3                   ret

Now we should disable that call... let's use Hiew to do that. So load Engrel.exe in Hiew...
using the decode (F4) mode and goto line (F5) commands u should be able to find the correct
place easily. Let's make the following modification:

E81B000000 --> B801000000 ... so the call 0048A600 changes to mov eax, 00000001

Succeeded?... Good... start Warhammer and try a new campaign and voilà... no checks =)
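
Added example (not part of the original tutorial): a Python integrity check that decodes the five bytes at the call site and reports whether they are still the CALL to 0048A600 or have been replaced by a mov eax, imm32. The addresses, bytes and file offset come from the listing above; the function and constant names are hypothetical.

```python
import struct

# Values taken from the listing above.
CALL_SITE_VA = 0x0048A5E0      # address of the 5-byte CALL
CHECK_ROUTINE_VA = 0x0048A600  # routine that references GetDriveTypeA
CALL_SITE_OFFSET = 0x899E0     # file offset of the call site in Engrel.exe
INSN_LEN = 5                   # E8 rel32 and B8 imm32 are both 5 bytes long


def decode_call_site(code: bytes, va: int = CALL_SITE_VA) -> dict:
    """Decode the 5 bytes at the call site and classify them."""
    if len(code) < INSN_LEN:
        raise ValueError("need at least 5 bytes")
    opcode = code[0]
    if opcode == 0xE8:  # CALL rel32: target = next instruction + signed rel32
        (rel,) = struct.unpack_from("<i", code, 1)
        target = (va + INSN_LEN + rel) & 0xFFFFFFFF
        state = "original" if target == CHECK_ROUTINE_VA else "redirected"
        return {"insn": "call", "target": target, "state": state}
    if opcode == 0xB8:  # MOV EAX, imm32: routine never runs, EAX is a constant
        (imm,) = struct.unpack_from("<I", code, 1)
        return {"insn": "mov eax", "imm": imm, "state": "patched"}
    return {"insn": "unknown", "state": "modified"}


def verify_file(path: str, file_offset: int = CALL_SITE_OFFSET) -> str:
    """Read the call site from an executable on disk and return its state."""
    with open(path, "rb") as fh:
        fh.seek(file_offset)
        return decode_call_site(fh.read(INSN_LEN))["state"]


if __name__ == "__main__":
    # Byte strings as quoted in the tutorial text.
    for label, raw in (("shipped", "E81B000000"), ("modified", "B801000000")):
        print(label, decode_call_site(bytes.fromhex(raw)))
```

Because both instructions are five bytes long, the add esp, 00000018 that follows stays aligned, so a check like this has to compare the bytes themselves and not just the file size.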

If you'd like a little bit of depth to Warhammer, copy the "movies" file from the original cd
(which you bought, like I did) to anywhere you want on your HD
(eg. C:\games\darkomen\movies). Then edit the registry, use the find command and search for
"darkomen" (don't include the quotation marks). Go on until you get to the "paths" area.
Change the "Movies" path to the corresponding one (eg. C:\games\darkomen\movies or
wherever you threw the movie files). Although the movies take about 180 megs, they're worth it.

Greets to: Friends (IRL & chat), tKC + every cracker on earth (and elsewhere =)

Contact me at c_dknight@iobox.com

-C_DKnight