Free Information Xchange presents:
WCW Nitro - CD crack by Static Vengeance - Dec 28th, 1998

The idea of a wrestling game & D3D together is a good one! However, this is a poor attempt at this concept. The game is slow even with a fast CPU and a Voodoo2 card. The controls are poorly thought out and the response to them is too slow to be fun. I've played similar games on the PlayStation which were very fast and responsive with better graphics!?! I don't know what the developers were thinking with this port but it sucks. Not only is the game crappy, but there is a CD check as well. Well, we can FiX that part of this game. You could actually watch Nitro and get better sound clips to use in the game... but the graphics are so poor it's not worth the effort. Anyways, let's crack this one.

After disassembling nitro.exe and looking through the Data string references you'll find "The WCW Nitro PC CD must be in ". Just double click this and you'll be in the middle of this routine:

-- Program code --

:00405BA4 33C0                    xor eax, eax
:00405BA6 5B                      pop ebx
:00405BA7 81C4AC000000            add esp, 000000AC
:00405BAD C21000                  ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405B8F(C)                     <-- Gets here normally, but needed
|
:00405BB0 E86B110000              call 00406D20   <-- Stores all kinds of values in memory
:00405BB5 E8A60A0000              call 00406660   <-- Get current dir and set to "Source Dir"
:00405BBA 85C0                    test eax, eax   <-- from the registry string
:00405BBC 0F84A6010000            je 00405D68
:00405BC2 E879090000              call 00406540   <-- Check for the CD - look for "LAUNCHER.EXE"
:00405BC7 85C0                    test eax, eax   <-- Test flag value in eax
:00405BC9 7521                    jne 00405BEC   <-- Take this jump for CD "found"
:00405BCB 53                      push ebx

* Possible StringData Ref from Data Obj ->"Error"   <-- Otherwise tell "evil" user the news
|
:00405BCC 68C8744300              push 004374C8

* Possible StringData Ref from Data Obj ->"The WCW Nitro PC CD must be in "   <-- Never want to see this!
                                        ->"the drive to play."
|
:00405BD1 68DC944300              push 004394DC
:00405BD6 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00405BD7 FF1570314300            Call dword ptr [00433170]
:00405BDD 5F                      pop edi
:00405BDE 5E                      pop esi
:00405BDF 5D                      pop ebp
:00405BE0 33C0                    xor eax, eax
:00405BE2 5B                      pop ebx
:00405BE3 81C4AC000000            add esp, 000000AC
:00405BE9 C21000                  ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405BC9(C)                     <-- Must get here to continue
|
:00405BEC E8AF090000              call 004065A0
:00405BF1 85C0                    test eax, eax
:00405BF3 751F                    jne 00405C14
:00405BF5 53                      push ebx
:00405BF6 6A01                    push 00000001
:00405BF8 E863F3FFFF              call 00404F60
:00405BFD 83C408                  add esp, 00000008
:00405C00 E80BF4FFFF              call 00405010
:00405C05 5F                      pop edi
:00405C06 5E                      pop esi
:00405C07 5D                      pop ebp
:00405C08 33C0                    xor eax, eax
:00405C0A 5B                      pop ebx
:00405C0B 81C4AC000000            add esp, 000000AC
:00405C11 C21000                  ret 0010

-- Continuing program code & various routines --

All you need to do is to kill the call to the CD check by overwriting it with

    mov eax, 00000001

This will force the jne at 405BC9 to always be taken, which in turn allows the program to continue. With this edit the game will continue as though the CD were in the drive.

So let's take a quick look at how the CD is checked for, first setting up the right directory from the code at 406660:

* Referenced by a CALL at Address:
|:00405BB5                        <-- Called once from above routine
|
:00406660 6AFF                    push FFFFFFFF
:00406662 6848294300              push 00432948
:00406667 64A100000000            mov eax, dword ptr fs:[00000000]
:0040666D 50                      push eax
:0040666E 64892500000000          mov dword ptr fs:[00000000], esp
:00406675 83EC08                  sub esp, 00000008
:00406678 56                      push esi
:00406679 8D4C2404                lea ecx, dword ptr [esp+04]
:0040667D E8BED30000              call 00413A40

* Possible StringData Ref from Data Obj ->"Software\THQ\WCW Nitro PC\1.0"   <-- Registry key to open
|
:00406682 6838954300              push 00439538
:00406687 6802000080              push 80000002
:0040668C 8D4C240C                lea ecx, dword ptr [esp+0C]
:00406690 C744241C00000000        mov [esp+1C], 00000000
:00406698 E8B3D30000              call 00413A50
:0040669D 85C0                    test eax, eax
:0040669F 7523                    jne 004066C4
:004066A1 8D4C2404                lea ecx, dword ptr [esp+04]
:004066A5 C7442414FFFFFFFF        mov [esp+14], FFFFFFFF
:004066AD E8BEA9FFFF              call 00401070
:004066B2 33C0                    xor eax, eax
:004066B4 5E                      pop esi
:004066B5 8B4C2408                mov ecx, dword ptr [esp+08]
:004066B9 64890D00000000          mov dword ptr fs:[00000000], ecx
:004066C0 83C414                  add esp, 00000014
:004066C3 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040669F(C)
|
:004066C4 689C1B4500              push 00451B9C

* Possible StringData Ref from Data Obj ->"Source Dir"   <-- Where the game was installed from
|
:004066C9 682C954300              push 0043952C
:004066CE 8D4C240C                lea ecx, dword ptr [esp+0C]
:004066D2 E849D40000              call 00413B20

* Reference To: KERNEL32.GetCurrentDirectoryA, Ord:00F5h   <-- What's the directory now
|
:004066D7 8B35C8304300            mov esi, dword ptr [004330C8]
:004066DD 85C0                    test eax, eax
:004066DF 750C                    jne 004066ED
:004066E1 689C1B4500              push 00451B9C
:004066E6 68FF000000              push 000000FF
:004066EB FFD6                    call esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004066DF(C)
|
:004066ED 6844194500              push 00451944

* Possible StringData Ref from Data Obj ->"Path"   <-- Directory path where the game is installed
|
:004066F2 6824954300              push 00439524
:004066F7 8D4C240C                lea ecx, dword ptr [esp+0C]
:004066FB E820D40000              call 00413B20
:00406700 85C0                    test eax, eax
:00406702 750C                    jne 00406710
:00406704 6844194500              push 00451944
:00406709 68FF000000              push 000000FF
:0040670E FFD6                    call esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406702(C)
|
:00406710 57                      push edi
:00406711 6844194500              push 00451944

* Reference To: KERNEL32.SetCurrentDirectoryA, Ord:025Dh   <-- Set it for the CD/file check
|
:00406716 FF15CC304300            Call dword ptr [004330CC]
:0040671C 83CEFF                  or esi, FFFFFFFF
:0040671F BF9C1B4500              mov edi, 00451B9C
:00406724 8BCE                    mov ecx, esi
:00406726 33C0                    xor eax, eax
:00406728 F2                      repnz
:00406729 AE                      scasb
:0040672A F7D1                    not ecx
:0040672C 49                      dec ecx
:0040672D B05C                    mov al, 5C
:0040672F 5F                      pop edi
:00406730 38819B1B4500            cmp byte ptr [ecx+00451B9B], al
:00406736 740D                    je 00406745
:00406738 88819C1B4500            mov byte ptr [ecx+00451B9C], al
:0040673E C6819D1B450000          mov byte ptr [ecx+00451B9D], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406736(C)
|
:00406745 8D4C2404                lea ecx, dword ptr [esp+04]
:00406749 E8F2D40000              call 00413C40
:0040674E 85C0                    test eax, eax
:00406750 750A                    jne 0040675C
:00406752 C705301D450001000000    mov dword ptr [00451D30], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406750(C)
|
:0040675C 8D4C2404                lea ecx, dword ptr [esp+04]
:00406760 E84BD30000              call 00413AB0
:00406765 85C0                    test eax, eax
:00406767 89742414                mov dword ptr [esp+14], esi
:0040676B 8D4C2404                lea ecx, dword ptr [esp+04]
:0040676F 7517                    jne 00406788   <-- Need to take this to continue
:00406771 E8FAA8FFFF              call 00401070
:00406776 33C0                    xor eax, eax
:00406778 5E                      pop esi
:00406779 8B4C2408                mov ecx, dword ptr [esp+08]
:0040677D 64890D00000000          mov dword ptr fs:[00000000], ecx
:00406784 83C414                  add esp, 00000014
:00406787 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040676F(C)
|
:00406788 E8E3A8FFFF              call 00401070
:0040678D 8B4C240C                mov ecx, dword ptr [esp+0C]
:00406791 B801000000              mov eax, 00000001
:00406796 5E                      pop esi
:00406797 64890D00000000          mov dword ptr fs:[00000000], ecx
:0040679E 83C414                  add esp, 00000014
:004067A1 C3                      ret

Now a look at the short code that checks for the file on the CD:

* Referenced by a CALL at Address:
|:00405BC2                        <-- Called only once from the first section of code shown
|
:00406540 81EC00010000            sub esp, 00000100
:00406546 8D442400                lea eax, dword ptr [esp]
:0040654A 56                      push esi
:0040654B 689C1B4500              push 00451B9C
:00406550 50                      push eax
:00406551 BE01000000              mov esi, 00000001

* Reference To: KERNEL32.lstrcpyA, Ord:0302h
|
:00406556 FF1508314300            Call dword ptr [00433108]
:0040655C 8D4C2404                lea ecx, dword ptr [esp+04]

* Possible StringData Ref from Data Obj ->"LAUNCHER.EXE"   <-- Check for this file
|
:00406560 6814954300              push 00439514
:00406565 51                      push ecx

* Reference To: KERNEL32.lstrcatA, Ord:02F9h
|
:00406566 FF15D0304300            Call dword ptr [004330D0]
:0040656C 8D542404                lea edx, dword ptr [esp+04]

* Possible StringData Ref from Data Obj ->"r"   <-- Read the file
|
:00406570 6810954300              push 00439510
:00406575 52                      push edx
:00406576 E82E4D0200              call 0042B2A9
:0040657B 83C408                  add esp, 00000008
:0040657E 85C0                    test eax, eax
:00406580 7508                    jne 0040658A
:00406582 5E                      pop esi
:00406583 81C400010000            add esp, 00000100
:00406589 C3                      ret

With the aforementioned edit you have a copy of WCW Nitro on your hard drive. The only difference is the movies will not be played. If you really want the movies and have an extra 180 megs for them you can copy the "\movies" subdirectory to the WCW Nitro game directory.
Then, to allow nitro.exe to find the newly copied movies, run regedit.exe (in your Windows directory) and open the following key:

    HKEY_LOCAL_MACHINE\Software\THQ\WCW Nitro PC\1.0

then change the "Source Dir" to the same directory string found in "Path". If you do that, you'll have a 100% working copy of WCW Nitro on your hard drive. Except this version doesn't care where the original CD is.

All the steps in order:

1. Install the game
2. Make the following edit

   Edit nitro.exe at offset 23,490
   ================================
   Search for: E8 79 09 00 00
   Change to : B8 01 00 00 00

   For wcwpatch1216 off the net
   Edit nitro.exe at offset 23,566
   ================================
   Search for: E8 6D 09 00 00
   Change to : B8 01 00 00 00

3. Enjoy the game (if you can)

Optional:

4. Copy the "\Movies" directory to the game directory
5. Run regedit.exe and open the following key:
   HKEY_LOCAL_MACHINE\Software\THQ\WCW Nitro PC\1.0
6. Change "Source Dir" to match "Path"

Once again, another game has been FiX'ed! With or without the movies you still won't need the original CD in the CD-ROM drive.

Static Vengeance
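
Added example (not part of the original text, and not code from the game): the edit in step 2 goes unnoticed because nothing in nitro.exe verifies its own code bytes. The C code below shows a build-time digest over the call site at 00405BC2 catching that five-byte change; the manifest layout, the function names and the use of FNV-1a are assumptions chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit: a small non-cryptographic stand-in so the example stays
   self-contained; a shipping product would use a signed SHA-256 manifest. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* One protected code range: offset and length inside the image, plus the
   digest recorded at build time (hypothetical manifest layout). */
struct region { size_t off, len; uint64_t digest; };

/* Returns -1 if every region matches, otherwise the index of the first
   region that is out of bounds or whose bytes no longer hash as recorded. */
int first_tampered(const uint8_t *img, size_t img_len,
                   const struct region *r, size_t count) {
    for (size_t i = 0; i < count; i++) {
        if (r[i].off > img_len || r[i].len > img_len - r[i].off) return (int)i;
        if (fnv1a64(img + r[i].off, r[i].len) != r[i].digest) return (int)i;
    }
    return -1;
}

/* Constructed sample: the nine bytes at 00405BC2..00405BCA from the listing
   (call 00406540 / test eax, eax / jne 00405BEC), padded with NOPs. */
static const uint8_t ORIGINAL[] = {
    0x90, 0x90, 0xE8, 0x79, 0x09, 0x00, 0x00, 0x85, 0xC0, 0x75, 0x21, 0x90 };

/* Builds the manifest from the pristine bytes, then checks a copy of the
   image; when `patched` is non-zero the copy carries the edit from step 2. */
int demo(int patched) {
    static const uint8_t edit[] = { 0xB8, 0x01, 0x00, 0x00, 0x00 };
    uint8_t img[sizeof ORIGINAL];
    struct region m[2] = { { 0, 2, 0 }, { 2, 9, 0 } };
    for (size_t i = 0; i < 2; i++)
        m[i].digest = fnv1a64(ORIGINAL + m[i].off, m[i].len);
    memcpy(img, ORIGINAL, sizeof img);
    if (patched) memcpy(img + 2, edit, sizeof edit);
    return first_tampered(img, sizeof img, m, 2);
}

int main(void) {
    printf("pristine: %d, patched: %d\n", demo(0), demo(1));
    return 0;
}
```

A check of this kind is only as strong as its own failure path: if its result again feeds one conditional jump, it inherits the weakness of the CD check above, so the digest comparison belongs in several places or behind an external signature check.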