Free Information Xchange presents:
HEDZ - CD crack by Static Vengeance - Dec 8th, 1998

Requirements: Full game install
              Hex editor & W32Dasm

HEDZ is an interesting idea for a game! Aliens have collected heads from different people all over the world and throughout time. Each head has some special powers associated with it. You pick the heads you want to use and go into combat in an arena. Sounds like fun to me! However, there is one thing I don't think is fun or funny: having to keep the original CD in the CD-ROM drive to play the game. Most of the time I only have a minute or two to play, so I don't like wasting it searching for the game CD. So it's time to FiX HEDZ so you can play it without the CD.

First, we'll disassemble the game file with W32Dasm and look into what's going on. When you get to the string references pop-up box, grab the slider and scroll down looking for interesting things. Hmmmm, no direct reference to any "insert the CD" text. There is, however, the ref "A:\", which is commonly used in CD checks, along with "C:\". These strings usually sit right before a KERNEL32.GetDriveTypeA call. This KERNEL32.dll function examines a drive and returns a value for each type of drive: floppy, hard disk, CD-ROM, unknown, etc.
Anyway, to continue: if you double-click that ref you'll land in the middle of this routine. (The names for the game's own helpers, strcpy/strcat/fopen/fclose, are inferred from how they are called; W32Dasm only shows their addresses.)

* Referenced by a CALL at Addresses:
|:004685CC   , :00468606   , :0046EBC2   , :0046EC85   , :0046FEF3   <-- Called 5 times
|
:0046E030 55                      push ebp
:0046E031 8BEC                    mov ebp, esp
:0046E033 B8AC010000              mov eax, 000001AC
:0046E038 E8D3F20300              call 004AD310
:0046E03D 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"A:\"        <-- Start with A:\ drive
|
:0046E043 6820074D00              push 004D0720
:0046E048 50                      push eax
:0046E049 E8B2FB0300              call 004ADC00              <-- strcpy(buf, "A:\") (inferred)
:0046E04E 8A0DE0615D00            mov cl, byte ptr [005D61E0] <-- Saved CD drive letter
:0046E054 83C408                  add esp, 00000008
:0046E057 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0046E05D 888DF8FEFFFF            mov byte ptr [ebp+FFFFFEF8], cl <-- Replace the 'A' with that letter
:0046E063 52                      push edx

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh          <-- Get the type of drive
|
:0046E064 FF15A4004C00            Call dword ptr [004C00A4]
:0046E06A 83F805                  cmp eax, 00000005          <-- 05 is the value for a CD-ROM (DRIVE_CDROM)
:0046E06D 7406                    je 0046E075                <-- Take this jump if we found a CD-ROM
:0046E06F B003                    mov al, 03                 <-- Else, move error code into al
:0046E071 8BE5                    mov esp, ebp
:0046E073 5D                      pop ebp
:0046E074 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:  <-- Got here via a conditional jump
|:0046E06D(C)
|
:0046E075 E8A6FFFFFF              call 0046E020
:0046E07A 84C0                    test al, al
:0046E07C 7579                    jne 0046E0F7
:0046E07E 8D8554FEFFFF            lea eax, dword ptr [ebp+FFFFFE54]
:0046E084 C78554FEFFFF94000000    mov dword ptr [ebp+FFFFFE54], 00000094  <-- sizeof(OSVERSIONINFOA)
:0046E08E 50                      push eax

* Reference To: KERNEL32.GetVersionExA, Ord:014Dh
|
:0046E08F FF15E4004C00            Call dword ptr [004C00E4]
:0046E095 83BD64FEFFFF01          cmp dword ptr [ebp+FFFFFE64], 00000001  <-- dwPlatformId == Win95/98?
:0046E09C 7559                    jne 0046E0F7
:0046E09E 6681BD60FEFFFFE803      cmp word ptr [ebp+FFFFFE60], 03E8       <-- dwBuildNumber > 1000?
:0046E0A7 764E                    jbe 0046E0F7                            <-- Older builds skip the size check

* Possible StringData Ref from Data Obj ->"KERNEL32"
|
:0046E0A9 6864074D00              push 004D0764

* Reference To: KERNEL32.LoadLibraryA, Ord:0190h
|
:0046E0AE FF15E0004C00            Call dword ptr [004C00E0]

* Possible StringData Ref from Data Obj ->"GetDiskFreeSpaceEx"   <-- Check the size of the volume
|
:0046E0B4 6870074D00              push 004D0770
:0046E0B9 50                      push eax

* Reference To: KERNEL32.GetProcAddress, Ord:0116h
|
:0046E0BA FF1598004C00            Call dword ptr [004C0098]
:0046E0C0 8D8DE8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEE8]
:0046E0C6 8D55F8                  lea edx, dword ptr [ebp-08]       <-- lpTotalNumberOfBytes
:0046E0C9 51                      push ecx
:0046E0CA 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:0046E0D0 52                      push edx
:0046E0D1 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:0046E0D7 50                      push eax
:0046E0D8 51                      push ecx

* Reference To: KERNEL32.GetDiskFreeSpaceExA, Ord:00DCh
|
:0046E0D9 FF1594004C00            Call dword ptr [004C0094]
:0046E0DF 8B45FC                  mov eax, dword ptr [ebp-04]       <-- High dword of total bytes
:0046E0E2 85C0                    test eax, eax
:0046E0E4 7711                    ja 0046E0F7
:0046E0E6 7209                    jb 0046E0F1
:0046E0E8 817DF800CD5627          cmp dword ptr [ebp-08], 2756CD00  <-- Low dword >= 660,000,000 bytes?
:0046E0EF 7306                    jnb 0046E0F7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046E0E6(C)
|
:0046E0F1 B003                    mov al, 03                 <-- Move error code into al for error #3
:0046E0F3 8BE5                    mov esp, ebp
:0046E0F5 5D                      pop ebp
:0046E0F6 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046E07C(C), :0046E09C(C), :0046E0A7(C), :0046E0E4(C), :0046E0EF(C)
|
:0046E0F7 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0046E0FD 68E0615D00              push 005D61E0              <-- Saved CD path
:0046E102 52                      push edx
:0046E103 E8F8FA0300              call 004ADC00
:0046E108 83C408                  add esp, 00000008
:0046E10B 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"test"              <-- File name "test"
|
:0046E111 68C8074D00              push 004D07C8
:0046E116 50                      push eax
:0046E117 E8F4FA0300              call 004ADC10              <-- strcat (inferred)
:0046E11C 83C408                  add esp, 00000008
:0046E11F 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"wb"                <-- Try to open "test" for writing on the CD
|
:0046E125 68D0074D00              push 004D07D0
:0046E12A 51                      push ecx
:0046E12B E830FE0300              call 004ADF60              <-- fopen (inferred)
:0046E130 83C408                  add esp, 00000008
:0046E133 85C0                    test eax, eax
:0046E135 740F                    je 0046E146                <-- Open failed: good, the drive is read-only
:0046E137 50                      push eax
:0046E138 E8B3FB0300              call 004ADCF0              <-- fclose (inferred)
:0046E13D 83C404                  add esp, 00000004
:0046E140 B001                    mov al, 01                 <-- The write worked, so this is not the CD: error #1
:0046E142 8BE5                    mov esp, ebp
:0046E144 5D                      pop ebp
:0046E145 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046E135(C)
|
:0046E146 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0046E14C 68E0615D00              push 005D61E0
:0046E151 52                      push edx
:0046E152 E8A9FA0300              call 004ADC00
:0046E157 83C408                  add esp, 00000008
:0046E15A 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"Music\"            <-- Partial path name on CD
|
:0046E160 6818084D00              push 004D0818
:0046E165 50                      push eax
:0046E166 E8A5FA0300              call 004ADC10
:0046E16B 83C408                  add esp, 00000008
:0046E16E 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"1"                 <-- Name of the .MUS file to check
|
:0046E174 6820084D00              push 004D0820
:0046E179 51                      push ecx
:0046E17A E891FA0300              call 004ADC10
:0046E17F 83C408                  add esp, 00000008
:0046E182 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->".MUS"              <-- Look for this type of file
|
:0046E188 6824084D00              push 004D0824
:0046E18D 52                      push edx
:0046E18E E87DFA0300              call 004ADC10
:0046E193 83C408                  add esp, 00000008
:0046E196 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:0046E19C 6861066503              push 03650661              <-- Per-file constant (meaning not shown here)
:0046E1A1 50                      push eax
:0046E1A2 E819FEFFFF              call 0046DFC0              <-- Check Music\1.MUS
:0046E1A7 83C408                  add esp, 00000008
:0046E1AA 84C0                    test al, al
:0046E1AC 7506                    jne 0046E1B4
:0046E1AE B002                    mov al, 02                 <-- Move error code into al for error #2
:0046E1B0 8BE5                    mov esp, ebp
:0046E1B2 5D                      pop ebp
:0046E1B3 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046E1AC(C)
|
:0046E1B4 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:0046E1BA 68E0615D00              push 005D61E0
:0046E1BF 51                      push ecx
:0046E1C0 E83BFA0300              call 004ADC00
:0046E1C5 83C408                  add esp, 00000008
:0046E1C8 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"Music\"
|
:0046E1CE 682C084D00              push 004D082C
:0046E1D3 52                      push edx

-- SNIP: near-identical code checks for files 2.MUS through 6.MUS --

:0046E3D2 7506                    jne 0046E3DA
:0046E3D4 B002                    mov al, 02
:0046E3D6 8BE5                    mov esp, ebp
:0046E3D8 5D                      pop ebp
:0046E3D9 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046E3D2(C)
|
:0046E3DA 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0046E3E0 68E0615D00              push 005D61E0
:0046E3E5 52                      push edx
:0046E3E6 E815F80300              call 004ADC00
:0046E3EB 83C408                  add esp, 00000008
:0046E3EE 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"Music\"
|
:0046E3F4 6890084D00              push 004D0890
:0046E3F9 50                      push eax
:0046E3FA E811F80300              call 004ADC10
:0046E3FF 83C408                  add esp, 00000008
:0046E402 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"7"
|
:0046E408 6898084D00              push 004D0898
:0046E40D 51                      push ecx
:0046E40E E8FDF70300              call 004ADC10
:0046E413 83C408                  add esp, 00000008
:0046E416 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->".MUS"              <-- Check for the 7.MUS file
|
:0046E41C 689C084D00              push 004D089C
:0046E421 52                      push edx
:0046E422 E8E9F70300              call 004ADC10
:0046E427 83C408                  add esp, 00000008
:0046E42A 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:0046E430 685D5A3202              push 02325A5D
:0046E435 50                      push eax
:0046E436 E885FBFFFF              call 0046DFC0
:0046E43B 83C408                  add esp, 00000008
:0046E43E F6D8                    neg al                     <-- Sets the carry flag if al was non-zero (file found)
:0046E440 1AC0                    sbb al, al                 <-- al = FF if found, 00 if not
:0046E442 24FE                    and al, FE                 <-- FF becomes FE, 00 stays 00
:0046E444 0402                    add al, 02                 <-- FE+02 wraps to zero (carry set) = success, 00+02 = error #2
:0046E446 8BE5                    mov esp, ebp
:0046E448 5D                      pop ebp
:0046E449 C3                      ret

Well, there you have the whole routine that checks for the CD. First it makes sure it is looking at a CD-ROM via a GetDriveTypeA call. On newer Win95 builds it also asks GetDiskFreeSpaceEx how big the volume is, and on every build it tries to create a file called "test" on the drive, which must fail (a pressed CD is read-only). Once past that it proceeds to check for seven music files.
Like if you didn't find the first one you wouldn't find the other six? Anyway, if EVERYTHING is found this routine returns a zero in al; the error codes 1, 2 and 3 tell the caller which test failed. When I look at how I want to defeat this routine I look back at this:

:0046E06D 7406                    je 0046E075                <-- Take this jump if we found a CD-ROM
:0046E06F B003                    mov al, 03                 <-- Else, move error code into al

If you zero out the displacement in the conditional jump, then load a zero (instead of 03) into al, the following instructions just return to the caller. This is a quick and dirty way to kill this CD check: a je with a displacement of 00 is a two-byte do-nothing, so the routine still makes the GetDriveTypeA call, but then doesn't jump anywhere, and al is loaded with a zero to simulate actually finding the CD online. None of the later checks (the size test, the "test" file, the seven .MUS files) are ever reached. Changing both the 06 and the 03 to zeros kills the CD check and lets you play HEDZ without the CD in your CD-ROM drive. Before you edit, check that the three bytes just before the match are 83 F8 05 (the cmp eax, 5) and that 8B E5 5D C3 follows; 74 06 B0 03 is short enough to turn up elsewhere in a file this size.

To crack this one just:

1. Do a full game install
2. Make the following edits by version:

For the CD version edit HEDZ.exe
==========================================
Search for: 74 06 B0 03   at offset 447,597
Change to : -- 00 -- 00

For updated "old win95" version edit HEDZ.exe
==========================================
Search for: 74 06 B0 03   at offset 447,517
Change to : -- 00 -- 00

That's it for HEDZ, because it's been FiX'ed.

Static Vengeance - FiX
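For readers who want the routine above in something other than W32Dasm output, here is a C reconstruction of it. This is an added example, not code from the original text and not the game's own source. It keeps the control flow, the error codes and the neg/sbb/and/add tail exactly as listed, but the Win32 calls and the game's helpers are replaced by a plain struct of simulated results so the logic can be exercised without the game or a Windows box. Assumptions: the string at 005D61E0 is the CD root with the drive letter first and a trailing backslash (e.g. "D:\"); the helper names strcpy/strcat/fopen/fclose are inferred from their arguments; the constant pushed before each 0046DFC0 call is not explained by the listing, so that check is modeled as a simple found/not-found flag; the call at 0046E020 is not shown either and is modeled as a "skip the size check" flag.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define DRIVE_CDROM     5            /* GetDriveTypeA result compared at 0046E06A */
#define MIN_DISC_BYTES  0x2756CD00u  /* 660,000,000; low dword compared at 0046E0E8 */

/* Simulated environment standing in for the Win32 calls and the game's helpers. */
struct env {
    const char *cd_root;       /* string at 005D61E0, assumed "D:\" style: letter first, backslash last */
    unsigned    drive_type;    /* what GetDriveTypeA would return for that root */
    int         skip_size;     /* nonzero result of the call at 0046E020 (not in the listing) */
    int         win9x_newer;   /* GetVersionExA: dwPlatformId == 1 and dwBuildNumber > 1000 */
    uint64_t    total_bytes;   /* lpTotalNumberOfBytes from GetDiskFreeSpaceExA */
    int         test_writable; /* fopen("<root>test", "wb") would succeed */
    uint8_t     mus_found;     /* bit n-1 set: 0046DFC0 returns nonzero for Music\n.MUS */
};

/* Exact 8-bit model of the tail at 0046E43E..0046E444: al is whatever 0046DFC0
   returned for 7.MUS. Result 00 = all checks passed, 02 = error #2. */
uint8_t fold_result(uint8_t al)
{
    unsigned cf = (al != 0);          /* neg al sets CF iff al was nonzero */
    al = (uint8_t)(0u - al);
    al = (uint8_t)(al - al - cf);     /* sbb al,al -> FF if CF else 00 */
    al &= 0xFE;                       /* FF -> FE, 00 -> 00 */
    return (uint8_t)(al + 2);         /* FE -> 00 (carry out), 00 -> 02 */
}

/* Record which path the failing check was looking at, then return its error code. */
static int fail(char *dst, size_t n, const char *path, int code)
{
    snprintf(dst, n, "%s", path);
    return code;
}

/* Returns the byte the routine leaves in al: 0 = disc accepted, 1/2/3 = the error
   codes loaded by mov al,01 / 02 / 03 in the listing. 'failed' receives the path
   the failing check used, or "" on success. */
int hedz_cd_check(const struct env *e, char *failed, size_t n)
{
    char path[264];
    failed[0] = '\0';

    /* 0046E03D..0046E06D: "A:\" with the A replaced by the saved drive letter,
       then GetDriveTypeA must report a CD-ROM, else error 3 */
    strcpy(path, "A:\\");
    path[0] = e->cd_root[0];
    if (e->drive_type != DRIVE_CDROM)
        return fail(failed, n, path, 3);

    /* 0046E075..0046E0EF: unless 0046E020 says skip, on Win9x builds above 1000 the
       volume must report at least 660,000,000 bytes in total, else error 3 */
    if (!e->skip_size && e->win9x_newer && e->total_bytes < MIN_DISC_BYTES)
        return fail(failed, n, path, 3);

    /* 0046E0F7..0046E140: strcpy(root) + strcat("test"), fopen(..., "wb"). A pressed
       CD is read-only, so a successful open means this is not the disc: error 1 */
    snprintf(path, sizeof path, "%stest", e->cd_root);
    if (e->test_writable)
        return fail(failed, n, path, 1);

    /* 0046E146..0046E3D9: Music\1.MUS .. Music\6.MUS each go through 0046DFC0;
       the first one that fails returns error 2 */
    for (int num = 1; num <= 6; num++) {
        snprintf(path, sizeof path, "%sMusic\\%d.MUS", e->cd_root, num);
        if (!(e->mus_found & (1u << (num - 1))))
            return fail(failed, n, path, 2);
    }

    /* 0046E3DA..0046E449: 7.MUS, with the result folded by neg/sbb/and/add */
    snprintf(path, sizeof path, "%sMusic\\7.MUS", e->cd_root);
    uint8_t al = (e->mus_found & 0x40) ? 1 : 0;
    int code = fold_result(al);
    return code ? fail(failed, n, path, code) : 0;
}

int main(void)
{
    char failed[264];
    /* constructed scenarios: the real disc, and a plain copy of it on a hard disk */
    struct env disc = { .cd_root = "D:\\", .drive_type = DRIVE_CDROM, .skip_size = 0,
                        .win9x_newer = 1, .total_bytes = 660000000ull,
                        .test_writable = 0, .mus_found = 0x7F };
    struct env hdd = disc;
    hdd.drive_type = 3;          /* DRIVE_FIXED */
    hdd.test_writable = 1;       /* and of course you can write to it */

    printf("real disc      -> %d\n", hedz_cd_check(&disc, failed, sizeof failed));
    int r = hedz_cd_check(&hdd, failed, sizeof failed);
    printf("hard-disk copy -> %d (failed at %s)\n", r, failed);
    return 0;
}
```

The hard-disk copy fails at the very first test, which is exactly why the patch at 0046E06D is enough: every later check sits behind that one conditional jump.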
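The hex-editor step above can also be done by a small program that refuses to touch anything other than the instruction sequence from the listing. This is an added example, not a tool from the original text or from FiX. It applies the two-byte change to an in-memory copy of HEDZ.exe, checking that the bytes on either side of 74 06 B0 03 are the cmp eax, 5 before it (83 F8 05) and the mov esp,ebp / pop ebp / ret after it (8B E5 5D C3), all taken from the disassembly. The offsets the text gives are used as-is; as a consistency check, 447,597 is 0x6D46D, which maps to 0046E06D under the usual 0x400 file / 0x1000 virtual placement of a .text section (assumed here, not read from the PE header). If no offset is given it scans for the sequence instead, which is the first thing to try on a build the text does not list.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* cmp eax,5 / je +6 / mov al,3 / mov esp,ebp / pop ebp / ret  (0046E06A..0046E074) */
static const unsigned char before[] = { 0x83,0xF8,0x05, 0x74,0x06, 0xB0,0x03, 0x8B,0xE5, 0x5D, 0xC3 };
/* same sequence with the jump displacement and the error code zeroed */
static const unsigned char after[]  = { 0x83,0xF8,0x05, 0x74,0x00, 0xB0,0x00, 0x8B,0xE5, 0x5D, 0xC3 };
#define LEAD 3   /* the cmp sits 3 bytes before the 74 06 the text searches for */

/* off is the file offset of the 74 byte. Returns 1 if patched, 0 if the file was
   already patched, -1 if the bytes around off are not the sequence from the listing. */
int patch_cd_check(unsigned char *img, size_t len, size_t off)
{
    if (off < LEAD || off - LEAD + sizeof before > len)
        return -1;
    unsigned char *p = img + off - LEAD;
    if (memcmp(p, after, sizeof after) == 0)
        return 0;
    if (memcmp(p, before, sizeof before) != 0)
        return -1;
    p[LEAD + 1] = 0x00;   /* je 0046E075 -> je +0: falls through, never skips the mov */
    p[LEAD + 3] = 0x00;   /* mov al,03   -> mov al,00: "CD found" is returned to the caller */
    return 1;
}

/* Offset of the 74 byte of the first unpatched sequence, or -1 if there is none.
   A hit should still be confirmed in the disassembler before trusting it. */
long find_cd_check(const unsigned char *img, size_t len)
{
    for (size_t i = 0; i + sizeof before <= len; i++)
        if (memcmp(img + i, before, sizeof before) == 0)
            return (long)(i + LEAD);
    return -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s HEDZ.exe [offset, e.g. 447597 or 0x6D46D]\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    unsigned char *img = malloc((size_t)len);
    if (!img || fread(img, 1, (size_t)len, f) != (size_t)len) { perror("read"); return 1; }
    fclose(f);

    long off = argc > 2 ? strtol(argv[2], NULL, 0) : find_cd_check(img, (size_t)len);
    if (off < 0) { fprintf(stderr, "CD check sequence not found\n"); return 1; }
    int r = patch_cd_check(img, (size_t)len, (size_t)off);
    if (r < 0) {
        fprintf(stderr, "bytes at offset %ld do not match the listing, file left alone\n", off);
        return 1;
    }
    if (r == 0) { printf("already patched at offset %ld\n", off); return 0; }

    /* keep the original: rename it to .bak, then write the patched image under the old name */
    char bak[512];
    snprintf(bak, sizeof bak, "%s.bak", argv[1]);
    if (rename(argv[1], bak) != 0) { perror("backup"); return 1; }
    f = fopen(argv[1], "wb");
    if (!f || fwrite(img, 1, (size_t)len, f) != (size_t)len) { perror("write"); return 1; }
    fclose(f);
    free(img);
    printf("patched 74 06 B0 03 -> 74 00 B0 00 at offset %ld (original kept as %s)\n", off, bak);
    return 0;
}
```

Run it as `patch HEDZ.exe 447597` for the CD version or `patch HEDZ.exe 447517` for the updated Win95 one; the 11-byte signature check is what stops a wrong offset from corrupting some unrelated instruction.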