Diablo
Title : Diablo (GAME)
Version : 1.08 (should work with any)
Protection : Cd Check (hidden in storm.dll)
Producer : http://www.blizzard.com
Tools : W32Dasm, Hiew
Difficulty : Very Easy (It is the same check routine as in Hellfire)
1) Well, this tutorial will be very brief, because the check routine here is exactly the same as the one in Hellfire. If anything is unclear, please download and read tutorial number 8. So we begin by installing Diablo and patching it with the 1.08 update. Copy the file diabdat.mpq to your install dir. Make a backup of your storm.dll and open it (the backup) with W32Dasm. Search for GetDriveTypeA and here we are:
* Reference To: KERNEL32.GetDriveTypeA, Ord:0117h
|
:15017DDE FF156C110315 Call dword ptr [1503116C]
:15017DE4 8D942430010000 lea edx, dword ptr [esp+00000130]
:15017DEB 6804010000 push 00000104
:15017DF0 52 push edx
:15017DF1 8BF0 mov esi, eax
:15017DF3 895C2424 mov dword ptr [esp+24], ebx
* Reference To: storm.ExpFn0230()
|
:15017DF7 E8F4550000 call 1501D3F0
:15017DFC 8D842430010000 lea eax, dword ptr [esp+00000130]
:15017E03 6804010000 push 00000104
:15017E08 8D4C2420 lea ecx, dword ptr [esp+20]
:15017E0C 50 push eax
:15017E0D 51 push ecx
:15017E0E 53 push ebx
:15017E0F 53 push ebx
:15017E10 53 push ebx
:15017E11 8D542428 lea edx, dword ptr [esp+28]
:15017E15 53 push ebx
:15017E16 52 push edx
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0191h
|
:15017E17 FF1570110315 Call dword ptr [15031170]
:15017E1D 85C0 test eax, eax
:15017E1F 7506 jne 15017E27
:15017E21 895C2410 mov dword ptr [esp+10], ebx
:15017E25 EB78 jmp 15017E9F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:15017E1F(C)
|
:15017E27 8D442420 lea eax, dword ptr [esp+20]
:15017E2B 8D4C2418 lea ecx, dword ptr [esp+18]
:15017E2F 50 push eax
:15017E30 8D542418 lea edx, dword ptr [esp+18]
:15017E34 51 push ecx
:15017E35 8D44242C lea eax, dword ptr [esp+2C]
:15017E39 52 push edx
:15017E3A 8D4C241C lea ecx, dword ptr [esp+1C]
:15017E3E 50 push eax
:15017E3F 51 push ecx
:15017E40 895C2438 mov dword ptr [esp+38], ebx
:15017E44 895C2428 mov dword ptr [esp+28], ebx
:15017E48 895C242C mov dword ptr [esp+2C], ebx
:15017E4C 895C2434 mov dword ptr [esp+34], ebx
* Reference To: KERNEL32.GetDiskFreeSpaceA, Ord:0113h
|
:15017E50 FF1574110315 Call dword ptr [15031174]
:15017E56 85C0 test eax, eax
:15017E58 7506 jne 15017E60
:15017E5A 895C2410 mov dword ptr [esp+10], ebx
:15017E5E EB3F jmp 15017E9F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:15017E58(C)
|
:15017E60 8B44241C mov eax, dword ptr [esp+1C]
:15017E64 8B942430010000 mov edx, dword ptr [esp+00000130]
:15017E6B 8B4C2418 mov ecx, dword ptr [esp+18]
:15017E6F 8B6C2414 mov ebp, dword ptr [esp+14]
:15017E73 83E004 and eax, 00000004
:15017E76 33C2 xor eax, edx
:15017E78 33C1 xor eax, ecx
:15017E7A 33C5 xor eax, ebp
:15017E7C 33C6 xor eax, esi
:15017E7E 8BC8 mov ecx, eax
:15017E80 C1E910 shr ecx, 10
:15017E83 33C8 xor ecx, eax
:15017E85 6681F9001F cmp cx, 1F00
:15017E8A 740B je 15017E97 //This is the jump we will reverse or make EB
:15017E8C 6681F90508 cmp cx, 0805
:15017E91 895C2410 mov dword ptr [esp+10], ebx
:15017E95 7508 jne 15017E9F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:15017E8A(C)
|
:15017E97 C744241001000000 mov [esp+10], 00000001 //Goodguy is here
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:15017E25(U), :15017E5E(U), :15017E95(C)
|
:15017E9F 8BAC2440020000 mov ebp, dword ptr [esp+00000240]
:15017EA6 8BC5 mov eax, ebp
:15017EA8 83E001 and eax, 00000001
:15017EAB 8944241C mov dword ptr [esp+1C], eax
:15017EAF 7427 je 15017ED8
:15017EB1 395C2410 cmp dword ptr [esp+10], ebx
:15017EB5 7521 jne 15017ED8
:15017EB7 6A0F push 0000000F
* Reference To: storm.ExpFn0203()
|
:15017EB9 E832B4FFFF call 150132F0
:15017EBE 6858640315 push 15036458
* Reference To: KERNEL32.LeaveCriticalSection, Ord:01DEh
|
:15017EC3 FF15E4110315 Call dword ptr [150311E4]
:15017EC9 5F pop edi
:15017ECA 5E pop esi
:15017ECB 5D pop ebp
:15017ECC 33C0 xor eax, eax
:15017ECE 5B pop ebx
:15017ECF 81C424020000 add esp, 00000224
:15017ED5 C21000 ret 0010
2) Well, it is the same routine as in Hellfire. So open storm.dll with Hiew: F4 to decode, F5 to go to 17E8A (the offset of je 15017E97), F3 to edit, and change 74 (je) to EB (jmp). The program will then always jump to Goodguy.
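The tag the routine computes between 15017E60 and 15017E8A, rendered as C (an added example, not the tutorial's or Blizzard's code): it xors the drive type, the file-system flags masked to bit 4, the first four bytes of the file-system name, the free-cluster count and the bytes-per-sector value, then folds the result to 16 bits. Which stack slot holds which API output is my reading of the pushes in the listing, so those assignments are assumptions; with typical CD-ROM values (DRIVE_CDROM = 5, "CDFS", 2048-byte sectors, no free clusters, FILE_UNICODE_ON_DISK clear) the tag comes out as 0x1F00, which is why the whole verdict rests on the single je at 15017E8A.

```c
#include <stdint.h>

/* Reconstruction of the tag computation at 15017E60..15017E8A.
 * Slot assignments (assumed from the pushes before each API call):
 *   drive_type    - GetDriveTypeA return value, kept in esi
 *   fs_flags      - lpFileSystemFlags from GetVolumeInformationA, [esp+1C]
 *   fs_name       - file-system name buffer at [esp+130], first 4 bytes
 *   free_clusters - lpNumberOfFreeClusters from GetDiskFreeSpaceA, [esp+18]
 *   bytes_per_sec - lpBytesPerSector from GetDiskFreeSpaceA, [esp+14]
 */
static uint16_t storm_cd_tag(uint32_t drive_type, uint32_t fs_flags,
                             const char fs_name[4], uint32_t free_clusters,
                             uint32_t bytes_per_sec)
{
    /* mov edx, [esp+130]: the name is read as a little-endian dword */
    uint32_t name_dword = (uint32_t)(uint8_t)fs_name[0]
                        | (uint32_t)(uint8_t)fs_name[1] << 8
                        | (uint32_t)(uint8_t)fs_name[2] << 16
                        | (uint32_t)(uint8_t)fs_name[3] << 24;

    uint32_t eax = fs_flags & 4;        /* and eax, 00000004 */
    eax ^= name_dword;                  /* xor eax, edx */
    eax ^= free_clusters;               /* xor eax, ecx */
    eax ^= bytes_per_sec;               /* xor eax, ebp */
    eax ^= drive_type;                  /* xor eax, esi */

    uint32_t ecx = (eax >> 16) ^ eax;   /* shr ecx, 10 ; xor ecx, eax */
    return (uint16_t)ecx;               /* cmp cx, ... compares the low word */
}

/* The verdict written to [esp+10]: 1 only when the tag equals one of the
 * two hard-coded constants, otherwise 0. With the same CD values, the
 * second constant is what an all-zero name dword produces. */
static int storm_cd_present(uint16_t tag)
{
    return tag == 0x1F00 || tag == 0x0805;
}
```

Reducing five drive properties to one 16-bit word and then to one flag tested by one conditional jump is the design weakness the listing shows: the decision has a single point of failure.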
I released this tutorial just to keep the tradition of releasing all my works with logs (tutorials).