Fifa 07 TNTANAL no-CD patch does not apply to Reloaded's crack

[DABhand]

Find out what address is used before the conditional jumps and change it there, so you dont have to change jump ops.

[Muji-FightR]

Or change the setting of the byte which is always the best
Often it's
Call IsCDInserted
Test EAX, EAX
Blah Blah

You can just patch the "CALL IsCD" into "MOV EAX, 1"
which a) perfectly works (unless there's an additional check based on booleans -> bytes)
and b ) eliminates the CD check phyisically, hence it starts earlier than normal as it doesnt need to search for drives, checks etc.

[TippeX]

if you can patch the call to the proc, then you can also patch the proc it calls, which is a LOT better.. esp. if the proc is indirectly xreffed later on, then your work is in vain.. patch the proc, then its more probable it will work...
and sometimes its weird, patching mov eax,1 does not work, however patching xor eax,eax.. inc eax does (most likely due to flags), so thats also worth paying attention to...

[Joe Forster/STA]

Quote:

Originally Posted by Muji-FightR

Call IsCDInserted
Test EAX, EAX
Blah Blah

You can just patch the "CALL IsCD" into "MOV EAX, 1"

You gotta be careful with this one! There may be some relocation (or whatever; Hacker's View greys it out) on the address of the call. If you replace the call with something completely different, the bytes of that instruction (or its operands) will be changed by the relocator (or whatever) in the memory, before the program is started, and the code will crash. I've run into this a few times and now I'm not doing this anymore...

[TippeX]

naw, relocs are only applicable to dlls, in exe, it will load at the base address specified in the pe header.. so exe's don't need reloc's

hiew had a bug in the older versions where for e8 calls it always added on the base address and screwed things up.. that could be the reason for the grayed output..

relocs are only applicable for certain situations and e8 calls are not one of them.. the e8 call is relative to the va its called from e8 xx xx xx xx -> va+ xxxxxxxx +5..

relocs apply to such things like

ff 15 xx xx xx xx (where only the xx xx xx xx will be updated by adding on the 'new runtime base)

ff 25 xx xx xx xx, ff 35 xx xx xx xx

and code like

mov eax,[12345678]
mov [12345678], eax

etc, where only the 12345678 part is updated.. if in doubt, process the reloc table and double check your patch area

[Joe Forster/STA]

Yup, FF 15, that's the one! I rather change it to a neutral 90 B8 (NOP; MOV EAX, <call address>) instead or jump over it (if there's enough room in front of it).

[TippeX]

90 E8 i hope ;p. considering mov eax,<call address> will never actually call the function and/or screw the stack if the proc uses params.. regardless though, ff 15 in an exe shouldn't matter really for reloc's, as the exe loads at the base address from the pe header, only dlls get relocated

[Joe Forster/STA]

No, I mean, the CD check (or whatever) is completely skipped this way! Ehhh, never mind me...