
=======================================================
= How to patch Unreal so you dont need the CD to play =
=======================================================

Programs Needed:
Unreal (duh!)
WDasm 8.9
HexEditor

OK, Unreal is a pretty good game but unfortunatly you need the CD to start the game.
Try to start the game without the CD inserted and a little annoying window will appear
that asks you for the CD, dont worry, we´ll fix that :)
Remember the message in the window (Please insert the Unreal CD-Rom...) and press Cancel.

Now, we want to patch the program so that message doesnt appear. To do that we have to
find where the check is made (in what file), a good guess is always to start with the
main program file (in this case its Unreal.exe). Lets disassemble it and have a look
around...hmm...this doesnt seems to be the right file, its to small and our message
isnt anywhere in the "String References" list. The check must be done in one of the other
13 .dll files. But we dont have to disassemble all of them to find which one it is:
Press F3 to bring up the search-window for Windows and search for the text "Please 
insert the Unreal CD-Rom".
Yes! Window.dll is where the check takes place (at least thats where the message we
want to remove is), disassemble it!

We now know in what file the check is made, now we have to get the right location too.
Press "String References" and have a look...there it is! Double-click to get to that
location, you should now be looking at this piece of code:

:10B1C3D5 A114B7B310              mov eax, dword ptr [10B3B714]
:10B1C3DA 833800                  cmp dword ptr [eax], 00000000
:10B1C3DD 753E                    jne 10B1C41D
:10B1C3DF 8D8DE4F9FFFF            lea ecx, dword ptr [ebp+FFFFF9E4]
:10B1C3E5 51                      push ecx
:10B1C3E6 FFD3                    call ebx
:10B1C3E8 83C404                  add esp, 00000004
:10B1C3EB 85C0                    test eax, eax
:10B1C3ED 7F2E                    jg 10B1C41D
:10B1C3EF 6801200000              push 00002001

* Possible StringData Ref from Data Obj ->"Cd Required At Startup"
                                  |
:10B1C3F4 68089DB310              push 10B39D08

* Possible StringData Ref from Data Obj ->"Please insert the Unreal CD-Rom "
                                        ->"into your drive and press OK to "
                                        ->"continue, or Cancel to exit."
                                  |
:10B1C3F9 68989CB310              push 10B39C98
:10B1C3FE 6A00                    push 00000000
:10B1C400 FFD6                    call esi
:10B1C402 83F802                  cmp eax, 00000002
:10B1C405 75CE                    jne 10B1C3D5

As you can see (if you know your Assembly) there is a "Jump if Greater" function
right before our message, if the check is good we jump over the message so it
doesnt appear.
Are you beginning to understand? How about changing that "Jump if Greater" to a
"Jump" so i always jumps over the message, then the message whould disappear...

NOTE:
I strongly recommend that you make copy of Window.dll and place it somewhere safe.
In case you mess up badly when using your hexeditor you always have a copy left...

We now know enough to crack this program, load Window.dll in a hexeditor and goto
that location where the "Jump if Greater" function is (if you dont know where it
is you can have a look at the status-bar in WDasm, mine says "@Offset 0001B7EDh").
As you can see it says '7F' and that means "Jump if Greater" on that address.
What we have to do is to change that byte so it says "Jump", and the right byte
for that function is 'EB'. If you make that change the program will ALWAYS jump
to 10B1C41D and not proceed down to the message.

Save your work and try to start Unreal (of course without the CD)... Yes!!
There are no messages or anything, the game starts just as usual, its cracked!

Bye...