hi,

(very) quick guide to cracking HalfLife v1.0.0.6

need w32dasm8.9(3) & hex editor

run the game without CD, click game/new/easy. it asks for the CD 3 times
then says failed authentication.

load hl.exe into w32dasm. no win95 dialog box to ask for the CD, so we check
functions/imports for GetDriveTypeA, double click it and up pops this little
snippet...

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
                                  |
:0041EA5D FF15A88B4E00            Call dword ptr [004E8BA8]
:0041EA63 83F805                  cmp eax, 00000005        <--05 = check for cd-rom
:0041EA66 740C                    je 0041EA74
:0041EA68 8BC6                    mov eax, esi

scroll up a bit to find out the caller(s)

* Referenced by a CALL at Addresses:
|:0041EDAD   , :0041EF93

goto the first caller 41EDAD, this drops us in the middle of the cd-check
routine,

* Referenced by a CALL at Address:
|:0041EE42   <-- this is the important bit, boring bits of code have been cut out
|
:0041ED30 81EC04010000            sub esp, 00000104
:0041ED36 33C0                    xor eax, eax
snip
:0041ED47 50                      push eax

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h
                                  |
:0041ED48 8B3DA08B4E00            mov edi, dword ptr [004E8BA0]
:0041ED4E 50                      push eax
:0041ED4F FFD7                    call edi
:0041ED51 8BF0                    mov esi, eax
snip

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
                                  |
:0041EDA0 FF15A88B4E00            Call dword ptr [004E8BA8]
:0041EDA6 83F805                  cmp eax, 00000005        <-- yeah, CD-ROM
:0041EDA9 75E1                    jne 0041ED8C
:0041EDAB 55                      push ebp
:0041EDAC 57                      push edi
:0041EDAD E83EFCFFFF              call 0041E9F0            <---the call to the first routine we found
:0041EDB2 83C408                  add esp, 00000008
:0041EDB5 83F807                  cmp eax, 00000007

O.K. let's go to the caller to this bit then, 41EE42

* Referenced by a CALL at Addresses:
|:0043EEA9   , :0043EEE8   <-- this bit called twice, have a look here if you like
|
:0041EE10 B818120000              mov eax, 00001218
:0041EE15 E806990500              call 00478720
:0041EE1A C744240407000000        mov [esp+04], 00000007
:0041EE22 53                      push ebx
:0041EE23 56                      push esi
:0041EE24 57                      push edi
:0041EE25 55                      push ebp
:0041EE26 E8B5020000              call 0041F0E0
:0041EE2B 8D442410                lea eax, dword ptr [esp+10]
:0041EE2F 6866120000              push 00001266
:0041EE34 C744241400000000        mov [esp+14], 00000000

* Possible StringData Ref from Data Obj ->"valve.ico"   <-- search for this on the CD
                                  |
:0041EE3C 68F4D24B00              push 004BD2F4
:0041EE41 50                      push eax
:0041EE42 E8E9FEFFFF              call 0041ED30            <-- call first cd-check routine that calls the
:0041EE47 8A44241C                mov al, byte ptr [esp+1C]    -- second cd check routine
:0041EE4B 83C40C                  add esp, 0000000C
:0041EE4E 3A054CC14B00            cmp al, byte ptr [004BC14C]  <-- do some check
:0041EE54 750D                    jne 0041EE63             <-- jump to next bit which checks another file on the CD
:0041EE56 33C0                    xor eax, eax             <-- otherwise fail CD-Check
:0041EE58 5D                      pop ebp
:0041EE59 5F                      pop edi
:0041EE5A 5E                      pop esi
:0041EE5B 5B                      pop ebx
:0041EE5C 81C418120000            add esp, 00001218
:0041EE62 C3                      ret

right then, the code that calls this bit checks eax, jne to play the game, so
we make it return not equal all the time. (or patch the code that checks the
return value, but that's boring...)

:0041EE54 750D                    jne 0041EE63             <-- change this to xor eax,eax (33C0)
:0041EE56 33C0                    xor eax, eax             <-- change this to inc eax ; nop (4090)

patch offset 1E254 in hl.exe, change the 750D33C0 to 33C04090

or be boring and patch the check after the call to this bit.

:0043EEA9 E862FFFDFF              call 0041EE10            <-- call to routine above...
:0043EEAE 85C0                    test eax, eax
:0043EEB0 7572                    jne 0043EF24             <-- change this to jmp 0043EF24 (EB72)

patch offset 3E2B0 in hl.exe, change the 7572 to EB72

OK, it was a bit harder than this but I'm telling you the proper way to crack
it, I tried patching the actual checks that check the cd is readonly, has no
free space, that the file sizes are correct, but there was just too much to
follow, I gave up, tried again and after about half an hour, came up with
this, yeah, I did it the boring way by patching both the jne's after the
calls at 0043EEA9 & 0043EEE8, realised that if the first one was a jmp, the
second one would never be reached. screw the check for how many times the
cd-check was run, because it passes first time anyway.

love

R!SC
risc@notme.com
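
Added example (not part of R!SC's original text): a read-only check that reports whether a copy of hl.exe v1.0.0.6 still holds the shipped bytes at the two file offsets quoted above or carries either modification. The function names and the in-memory sample image are constructed for illustration; only the offsets and byte values come from the guide.

```python
import sys

# File offsets and byte values exactly as quoted in the guide above.
PATCH_SITES = {
    0x1E254: {"original": bytes.fromhex("750D33C0"),
              "patched": bytes.fromhex("33C04090")},
    0x3E2B0: {"original": bytes.fromhex("7572"),
              "patched": bytes.fromhex("EB72")},
}


def classify_site(image: bytes, offset: int) -> str:
    """Return 'original', 'patched', 'unknown' or 'truncated' for one site."""
    site = PATCH_SITES[offset]
    size = len(site["original"])
    found = image[offset:offset + size]
    if len(found) < size:
        return "truncated"          # file ends before the site
    for state in ("original", "patched"):
        if found == site[state]:
            return state
    return "unknown"                # other build, or a different modification


def audit_image(image: bytes) -> dict:
    """Map each known offset to its state."""
    return {off: classify_site(image, off) for off in PATCH_SITES}


def is_untouched(image: bytes) -> bool:
    """True only when every site still holds the shipped bytes."""
    return all(state == "original" for state in audit_image(image).values())


def build_sample(first: str, second: str) -> bytes:
    """Constructed stand-in for hl.exe: zero-filled except at the two sites."""
    buf = bytearray(0x3E2B2)
    buf[0x1E254:0x1E258] = PATCH_SITES[0x1E254][first]
    buf[0x3E2B0:0x3E2B2] = PATCH_SITES[0x3E2B0][second]
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample("original", "patched")   # constructed demo input
    for off, state in audit_image(data).items():
        print(f"{off:#07x}: {state}")
```

An "unknown" result means the bytes match neither form, so the file is a different build or was changed some other way; comparing a full-file hash against a known-good copy is the stronger check.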