Starcraft: Brood War
Title : Starcraft - Brood War (GAME)
Version : 1.07 (should work with any)
Protection : Cd Check (hidden in storm.dll)
Producer : http://www.blizzard.com
Tools : W32Dasm, Hiew, Softice
Difficulty : Very Easy (It is the same check routine as in Hellfire and Diablo )
1) Well, after cracking Diablo and Hellfire I had a very strong feeling that other Blizzard games would have the same CD protection. I decided to try the best RTS ever created: Starcraft - Brood War... and I was right. Install Starcraft, install Brood War over it (Note: the same routine applies if you only have Starcraft), and patch it with the 1.07 patch. Copy the file install.exe from the CD to the installed directory and remove the CD from the CD drive. CTRL-D and we are in Softice. Set a breakpoint on GetDriveTypeA (bpx getdrivetypea) and run Brood War (starcraft.exe). Softice breaks and we press F12 to return to the place where GetDriveTypeA was called. We are at 150128A5 in storm.dll, and tracing with F10 just confirms my feeling that the CD check here is the same as the check in Diablo and Hellfire.
Disassembled part of storm.dll:
* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:1501289F FF1580A10215 Call dword ptr [1502A180] //getdrivetypea is called
:150128A5 8BF0 mov esi, eax //the returned result is copied to esi (5 for Cd)
:150128A7 8D842430010000 lea eax, dword ptr [esp+00000130]
:150128AE 6804010000 push 00000104
:150128B3 50 push eax
:150128B4 896C241C mov dword ptr [esp+1C], ebp
* Reference To: storm.ExpFn0218()
|
:150128B8 E873500000 call 15017930
:150128BD 8D8C2430010000 lea ecx, dword ptr [esp+00000130]
:150128C4 6804010000 push 00000104
:150128C9 8D542418 lea edx, dword ptr [esp+18]
:150128CD 51 push ecx
:150128CE 52 push edx
:150128CF 55 push ebp
:150128D0 55 push ebp
:150128D1 55 push ebp
:150128D2 8D442428 lea eax, dword ptr [esp+28]
:150128D6 55 push ebp
:150128D7 50 push eax
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
|
:150128D8 FF151CA10215 Call dword ptr [1502A11C]
:150128DE 85C0 test eax, eax
:150128E0 7506 jne 150128E8
:150128E2 896C2414 mov dword ptr [esp+14], ebp
:150128E6 EB78 jmp 15012960
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:150128E0(C)
|
:150128E8 8D4C2424 lea ecx, dword ptr [esp+24]
:150128EC 8D542420 lea edx, dword ptr [esp+20]
:150128F0 51 push ecx
:150128F1 8D44241C lea eax, dword ptr [esp+1C]
:150128F5 52 push edx
:150128F6 8D4C2424 lea ecx, dword ptr [esp+24]
:150128FA 50 push eax
:150128FB 8D54241C lea edx, dword ptr [esp+1C]
:150128FF 51 push ecx
:15012900 52 push edx
:15012901 896C2430 mov dword ptr [esp+30], ebp
:15012905 896C242C mov dword ptr [esp+2C], ebp
:15012909 896C2434 mov dword ptr [esp+34], ebp
:1501290D 896C2438 mov dword ptr [esp+38], ebp
* Reference To: KERNEL32.GetDiskFreeSpaceA, Ord:0100h
|
:15012911 FF1518A10215 Call dword ptr [1502A118]
:15012917 85C0 test eax, eax
:15012919 7506 jne 15012921
:1501291B 896C2414 mov dword ptr [esp+14], ebp
:1501291F EB3F jmp 15012960
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:15012919(C)
|
:15012921 8B442414 mov eax, dword ptr [esp+14]
:15012925 8B942430010000 mov edx, dword ptr [esp+00000130]
:1501292C 8B4C2420 mov ecx, dword ptr [esp+20]
:15012930 8B5C2418 mov ebx, dword ptr [esp+18]
:15012934 83E004 and eax, 00000004
:15012937 33C2 xor eax, edx
:15012939 33C1 xor eax, ecx
:1501293B 33C3 xor eax, ebx
:1501293D 33C6 xor eax, esi
:1501293F 8BC8 mov ecx, eax
:15012941 C1E910 shr ecx, 10
:15012944 33C8 xor ecx, eax
:15012946 6681F9001F cmp cx, 1F00 //we know this part from the Diablo and Hellfire checks
:1501294B 740B je 15012958 //shall we make this a jump to the GoodGuy
:1501294D 6681F90508 cmp cx, 0805
:15012952 896C2414 mov dword ptr [esp+14], ebp
:15012956 7508 jne 15012960 //or we can nop this one and we will fall directly down
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1501294B(C)
|
:15012958 C744241401000000 mov [esp+14], 00000001 //here is the GoodGuy
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:150128E6(U), :1501291F(U), :15012956(C)
|
:15012960 39AC2440020000 cmp dword ptr [esp+00000240], ebp
:15012967 740A je 15012973
:15012969 396C2414 cmp dword ptr [esp+14], ebp
:1501296D 0F8420040000 je 15012D93
2) We can make the same patch as for the other games (Note: the file offset of je 15012958 is 1294B and that of jne 15012960 is 12956). Open storm.dll with Hiew and change the 74 (je) byte to EB (jmp). This is the good old way we know from tutorials 8 and 9. Or shall we try something new? What if we just NOP the jne 15012960? If the game does not take the previous jump (which leads to the GoodGuy) it will then fall straight through to the GoodGuy. So open storm.dll with Hiew and change 7508 (jne 15012960) to 9090 (NOP NOP). Well, it runs just fine and another game is patched.
NOTE: I use install.exe from a ripped copy of the game. It is only 23MB and both Starcraft and Brood War work with it. I advise you to find this install.exe, or you will not be able to run Starcraft and Brood War in the same session... you know, you have to quit, then copy install.exe from the Starcraft CD... then again from the Brood War CD...
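The flip side of step 2, seen from the side of whoever ships the DLL: a check that hinges on one conditional jump is undone by a two-byte edit, which is why an integrity check has to look at the code itself (or hash the whole file) rather than trust the branch. The script below is an added example and not part of the original tutorial or of Blizzard's code. The only page-derived facts in it are the two file offsets (1294B and 12956) and the original and patched byte patterns (74 0B / EB 0B and 75 08 / 90 90); the stand-in image, its size, the helper names and the SHA-256 placeholder are all constructed for the example.

```python
"""Tamper check for the two CD-check branches in storm.dll discussed above.

Added example, not code from the tutorial. Offsets and byte patterns come
from the tutorial; the image built by make_sample() is a constructed
stand-in, NOT real storm.dll content.
"""
import hashlib
from typing import Dict, Optional

# Unpatched opcode bytes at the two file offsets the tutorial names.
EXPECTED: Dict[int, bytes] = {
    0x1294B: b"\x74\x0B",  # je  15012958
    0x12956: b"\x75\x08",  # jne 15012960
}

# Patched variants the tutorial describes; any other difference is reported as unknown.
KNOWN_PATCHES: Dict[int, Dict[bytes, str]] = {
    0x1294B: {b"\xEB\x0B": "je->jmp (74->EB) patch"},
    0x12956: {b"\x90\x90": "jne->nop nop (7508->9090) patch"},
}


def inspect_branches(image: bytes) -> Dict[int, str]:
    """Return {offset: status} for each watched branch in the DLL image."""
    results: Dict[int, str] = {}
    for off, expected in EXPECTED.items():
        found = image[off:off + len(expected)]
        if len(found) < len(expected):
            results[off] = "truncated image"
        elif found == expected:
            results[off] = "original"
        else:
            results[off] = KNOWN_PATCHES[off].get(found, f"unknown bytes {found.hex()}")
    return results


def sha256_hex(image: bytes) -> str:
    """Whole-file hash; compare against a value taken from a pristine copy of the same build."""
    return hashlib.sha256(image).hexdigest()


def is_tampered(image: bytes, known_sha256: Optional[str] = None) -> bool:
    """True if the file hash mismatches (when a reference hash is given) or if any
    watched branch no longer holds its original bytes. The hash catches edits the
    byte patterns do not know about; the byte check tells you which patch it was."""
    if known_sha256 is not None and sha256_hex(image) != known_sha256:
        return True
    return any(status != "original" for status in inspect_branches(image).values())


def make_sample(patch: Optional[Dict[int, bytes]] = None) -> bytes:
    """Build a constructed 0x13000-byte stand-in image (int3 filler) with the
    original bytes at the tutorial's offsets, then apply optional overrides."""
    buf = bytearray(b"\xCC" * 0x13000)
    for off, data in EXPECTED.items():
        buf[off:off + len(data)] = data
    for off, data in (patch or {}).items():
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    pristine = make_sample()
    nopped = make_sample({0x12956: b"\x90\x90"})
    for name, img in (("pristine", pristine), ("nopped", nopped)):
        print(name, {hex(k): v for k, v in inspect_branches(img).items()},
              "tampered" if is_tampered(img, sha256_hex(pristine)) else "clean")
```

On a real file you would read storm.dll into `image` and feed a reference hash recorded from an untouched copy; the per-offset report then names the exact edit rather than just saying the hash differs.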