Free Information Xchange presents: Sega Smash Pack - CD crack by Static Vengeance - May 19th, 1999

REQUIREMENTS:
- Full game install
- W32Dasm & Hex editor

This game lets you play 8 classic games from Sega (the Genesis console games, I think). The games include: Altered Beast, Columns, Golden Axe, Outrun, Phantasy Star 2, Super Shinobi & VectorMan. The games and graphics aren't that good, but they have been done in a Windows 95/98 format so you can play them. The game also has one other problem with it, a problem we can FiX by removing a little program bug left in by the programmers. The bug I'm speaking of is the CD check that is made before you can play any of the games. Sega should have spent more time on updating the graphics (256 colors, what a waste of today's video cards) at the very least. Anyway, let's crack this one for "practice", OK?

First thing you do is install the game and try to run it without the CD in the drive. Bingo, up pops a little Windows dialog saying we need the CD in the drive. Same old method as used so many times before. Disassemble smash.exe, go up to the menu bar and select Refs, then select "String Data References" from the drop-down menu. From there, grab the slider bar on the refs box and scroll down until you see the "Please insert the Sega Smash Pack CD-ROM in your" text. What, no text to double click on? How can that be? Well, here's a clue:

+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++
Number of Dialogs = 2 (decimal)

Name: DialogID_0065, # of Controls=003, Caption:"No DirectSound Hardware Driver.", ClassName:""
001 - ControlID:03E9, Control Class:"BUTTON" Control Text:"Disable Sound"
002 - ControlID:03E8, Control Class:"BUTTON" Control Text:"Use Emulation"
003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Your Sound Hardware is not supported by DirectSound."
Name: DialogID_0070, # of Controls=003, Caption:"CD-ROM Not Found.", ClassName:""
001 - ControlID:0001, Control Class:"BUTTON" Control Text:"OK"
002 - ControlID:0002, Control Class:"BUTTON" Control Text:"Cancel"
003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Please insert the Sega Smash Pack CD-ROM in your CD-ROM Drive."

Sega is using a dialog ID and controls to build the pop-up dialog box, which means we'll have to use the next best thing. Do a text search for "getdrivetypea", which is a KERNEL32.DLL call that is commonly used in CD checks. Doing so will lead you to this bit of code:

* Referenced by a CALL at Address:
|:004047F3                                <-- Called only once
|
:00401060 81EC04020000   sub esp, 00000204
:00401066 53             push ebx
:00401067 55             push ebp

* Reference To: KERNEL32.GetFileAttributesA, Ord:010Dh
|
:00401068 8B2D40C04300   mov ebp, dword ptr [0043C040]
:0040106E 56             push esi
:0040106F 57             push edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401293(U)
|
:00401070 8D842494010000 lea eax, dword ptr [esp+00000194]
:00401077 8D9C2494010000 lea ebx, dword ptr [esp+00000194]
:0040107E 50             push eax
:0040107F 6880000000     push 00000080

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:011Eh
|
:00401084 FF153CC04300   Call dword ptr [0043C03C]
:0040108A 85C0           test eax, eax
:0040108C 0F8448020000   je 004012DA           <-- Jump down to CD check failed & exit
:00401092 6A01           push 00000001

* Reference To: KERNEL32.SetErrorMode, Ord:0264h
|
:00401094 FF152CC04300   Call dword ptr [0043C02C]
:0040109A 8A842494010000 mov al, byte ptr [esp+00000194]
:004010A1 84C0           test al, al
:004010A3 0F84C5010000   je 0040126E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401268(C)
|
:004010A9 53             push ebx

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h   <-- Text string we searched for
|
:004010AA FF1520C04300   Call dword ptr [0043C020]
:004010B0 83F805         cmp eax, 00000005     <-- 05 is the value for CD-Rom drive
:004010B3 0F859E010000   jne 00401257
:004010B9 8BFB           mov edi, ebx
:004010BB 83C9FF         or ecx, FFFFFFFF
:004010BE 33C0           xor eax, eax
:004010C0 8D942490000000 lea edx, dword ptr [esp+00000090]
:004010C7 F2             repnz
:004010C8 AE             scasb
:004010C9 F7D1           not ecx
:004010CB 2BF9           sub edi, ecx
:004010CD 8BC1           mov eax, ecx
:004010CF 8BF7           mov esi, edi
:004010D1 8BFA           mov edi, edx
:004010D3 8D942490000000 lea edx, dword ptr [esp+00000090]
:004010DA C1E902         shr ecx, 02
:004010DD F3             repz
:004010DE A5             movsd
:004010DF 8BC8           mov ecx, eax
:004010E1 33C0           xor eax, eax
:004010E3 83E103         and ecx, 00000003
:004010E6 F3             repz
:004010E7 A4             movsb

* Possible StringData Ref from Data Obj ->"autorun.inf"   <-- Look for this file in the root dir
|
:004010E8 BF88D04700     mov edi, 0047D088
:004010ED 83C9FF         or ecx, FFFFFFFF
:004010F0 F2             repnz
:004010F1 AE             scasb
:004010F2 F7D1           not ecx
:004010F4 2BF9           sub edi, ecx
:004010F6 8BF7           mov esi, edi
:004010F8 8BFA           mov edi, edx
:004010FA 8BD1           mov edx, ecx
:004010FC 83C9FF         or ecx, FFFFFFFF
:004010FF F2             repnz
:00401100 AE             scasb
:00401101 8BCA           mov ecx, edx
:00401103 4F             dec edi
:00401104 C1E902         shr ecx, 02
:00401107 F3             repz
:00401108 A5             movsd
:00401109 8BCA           mov ecx, edx
:0040110B 8D842490000000 lea eax, dword ptr [esp+00000090]
:00401112 83E103         and ecx, 00000003
:00401115 50             push eax
:00401116 F3             repz
:00401117 A4             movsb
:00401118 FFD5           call ebp
:0040111A 83F8FF         cmp eax, FFFFFFFF
:0040111D 0F8434010000   je 00401257
:00401123 8D8C2490000000 lea ecx, dword ptr [esp+00000090]

* Possible StringData Ref from Data Obj ->"rt"   <-- "Read Text"
|
:0040112A 6884D04700     push 0047D084
:0040112F 51             push ecx
:00401130 E8CE5B0300     call 00436D03
:00401135 8BF0           mov esi, eax
:00401137 8D542418       lea edx, dword ptr [esp+18]
:0040113B 56             push esi
:0040113C 6A40           push 00000040
:0040113E 52             push edx
:0040113F E8485B0300     call 00436C8C
:00401144 8D442424       lea eax, dword ptr [esp+24]

* Possible StringData Ref from Data Obj ->"[autorun]"   <-- Look for this text string
|
:00401148 6878D04700     push 0047D078
:0040114D 50             push eax
:0040114E E8AD5A0300     call 00436C00
:00401153 83C41C         add esp, 0000001C
:00401156 85C0           test eax, eax
:00401158 56             push esi
:00401159 0F85F0000000   jne 0040124F
:0040115F 8D4C2414       lea ecx, dword ptr [esp+14]
:00401163 6A40           push 00000040
:00401165 51             push ecx
:00401166 E8215B0300     call 00436C8C
:0040116B 8D54241C       lea edx, dword ptr [esp+1C]

* Possible StringData Ref from Data Obj ->"open=Smash.exe"   <-- Then find this text string
|
:0040116F 6868D04700     push 0047D068
:00401174 52             push edx
:00401175 E8865A0300     call 00436C00
:0040117A 83C414         add esp, 00000014
:0040117D 85C0           test eax, eax
:0040117F 56             push esi
:00401180 0F85C9000000   jne 0040124F
:00401186 E8135A0300     call 00436B9E
:0040118B 8BFB           mov edi, ebx
:0040118D 83C9FF         or ecx, FFFFFFFF
:00401190 33C0           xor eax, eax
:00401192 83C404         add esp, 00000004
:00401195 F2             repnz
:00401196 AE             scasb
:00401197 F7D1           not ecx
:00401199 2BF9           sub edi, ecx
:0040119B 8D942490000000 lea edx, dword ptr [esp+00000090]
:004011A2 8BC1           mov eax, ecx
:004011A4 8BF7           mov esi, edi
:004011A6 8BFA           mov edi, edx
:004011A8 8D942490000000 lea edx, dword ptr [esp+00000090]
:004011AF C1E902         shr ecx, 02
:004011B2 F3             repz
:004011B3 A5             movsd
:004011B4 8BC8           mov ecx, eax
:004011B6 33C0           xor eax, eax
:004011B8 83E103         and ecx, 00000003
:004011BB F3             repz
:004011BC A4             movsb

* Possible StringData Ref from Data Obj ->"Setup\Setup.ini"   <-- Next, look for this file
|
:004011BD BF58D04700     mov edi, 0047D058
:004011C2 83C9FF         or ecx, FFFFFFFF
:004011C5 F2             repnz
:004011C6 AE             scasb
:004011C7 F7D1           not ecx
:004011C9 2BF9           sub edi, ecx
:004011CB 8BF7           mov esi, edi
:004011CD 8BFA           mov edi, edx
:004011CF 8BD1           mov edx, ecx
:004011D1 83C9FF         or ecx, FFFFFFFF
:004011D4 F2             repnz
:004011D5 AE             scasb
:004011D6 8BCA           mov ecx, edx
:004011D8 4F             dec edi
:004011D9 C1E902         shr ecx, 02
:004011DC F3             repz
:004011DD A5             movsd
:004011DE 8BCA           mov ecx, edx
:004011E0 8D842490000000 lea eax, dword ptr [esp+00000090]
:004011E7 83E103         and ecx, 00000003
:004011EA 50             push eax
:004011EB F3             repz
:004011EC A4             movsb
:004011ED FFD5           call ebp
:004011EF 83F8FF         cmp eax, FFFFFFFF
:004011F2 7463           je 00401257
:004011F4 8D8C2490000000 lea ecx, dword ptr [esp+00000090]

* Possible StringData Ref from Data Obj ->"rt"   <-- Another Read Text command
|
:004011FB 6884D04700     push 0047D084
:00401200 51             push ecx
:00401201 E8FD5A0300     call 00436D03
:00401206 8BF0           mov esi, eax
:00401208 8D542418       lea edx, dword ptr [esp+18]
:0040120C 56             push esi
:0040120D 6A40           push 00000040
:0040120F 52             push edx
:00401210 E8775A0300     call 00436C8C
:00401215 8D442424       lea eax, dword ptr [esp+24]

* Possible StringData Ref from Data Obj ->"[startup]"   <-- Look for this string of text
|
:00401219 684CD04700     push 0047D04C
:0040121E 50             push eax
:0040121F E8DC590300     call 00436C00
:00401224 83C41C         add esp, 0000001C
:00401227 85C0           test eax, eax
:00401229 56             push esi
:0040122A 7523           jne 0040124F
:0040122C 8D4C2414       lea ecx, dword ptr [esp+14]
:00401230 6A40           push 00000040
:00401232 51             push ecx
:00401233 E8545A0300     call 00436C8C
:00401238 8D54241C       lea edx, dword ptr [esp+1C]

* Possible StringData Ref from Data Obj ->"appname=sega smash pack"   <-- Now find this string
|
:0040123C 6830D04700     push 0047D030
:00401241 52             push edx
:00401242 E8B9590300     call 00436C00
:00401247 83C414         add esp, 00000014
:0040124A 85C0           test eax, eax
:0040124C 56             push esi
:0040124D 7449           je 00401298           <-- Everything is good, CD check passed & exit

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401159(C), :00401180(C), :0040122A(C)
|
:0040124F E84A590300     call 00436B9E
:00401254 83C404         add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004010B3(C), :0040111D(C), :004011F2(C)
|
:00401257 8A03           mov al, byte ptr [ebx]
:00401259 43             inc ebx
:0040125A 84C0           test al, al
:0040125C 7407           je 00401265

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401263(C)
|
:0040125E 8A0B           mov cl, byte ptr [ebx]
:00401260 43             inc ebx
:00401261 84C9           test cl, cl
:00401263 75F9           jne 0040125E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040125C(C)
|
:00401265 803B00         cmp byte ptr [ebx], 00
:00401268 0F853BFEFFFF   jne 004010A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010A3(C)
|
:0040126E 6A00           push 00000000

* Reference To: KERNEL32.SetErrorMode, Ord:0264h
|
:00401270 FF152CC04300   Call dword ptr [0043C02C]
:00401276 8B1584F05A00   mov edx, dword ptr [005AF084]
:0040127C 6A00           push 00000000
:0040127E 6800104000     push 00401000
:00401283 6A00           push 00000000

* Possible Reference to Dialog: DialogID_0070   <-- Set info for CD request dialog box
|
:00401285 6A70           push 00000070
:00401287 52             push edx

* Reference To: USER32.DialogBoxParamA, Ord:0093h   <-- Do the pop-up box & ask for the CD
|
:00401288 FF15FCC04300   Call dword ptr [0043C0FC]
:0040128E 83F801         cmp eax, 00000001     <-- 01 means you hit cancel to abort the game
:00401291 7447           je 004012DA           <-- Take this to cancel and return as failed
:00401293 E9D8FDFFFF     jmp 00401070          <-- Jump back up and retry

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040124D(C)
|
:00401298 E801590300     call 00436B9E
:0040129D 8BFB           mov edi, ebx
:0040129F 83C9FF         or ecx, FFFFFFFF
:004012A2 33C0           xor eax, eax
:004012A4 83C404         add esp, 00000004
:004012A7 F2             repnz
:004012A8 AE             scasb
:004012A9 F7D1           not ecx
:004012AB 2BF9           sub edi, ecx
:004012AD 6A00           push 00000000
:004012AF 8BC1           mov eax, ecx
:004012B1 8BF7           mov esi, edi
:004012B3 BF90E64D00     mov edi, 004DE690
:004012B8 C1E902         shr ecx, 02
:004012BB F3             repz
:004012BC A5             movsd
:004012BD 8BC8           mov ecx, eax
:004012BF 83E103         and ecx, 00000003
:004012C2 F3             repz
:004012C3 A4             movsb

* Reference To: KERNEL32.SetErrorMode, Ord:0264h
|
:004012C4 FF152CC04300   Call dword ptr [0043C02C]
:004012CA 5F             pop edi               <-- Could redirect code here from 40108C
:004012CB 5E             pop esi
:004012CC 5D             pop ebp
:004012CD B801000000     mov eax, 00000001
:004012D2 5B             pop ebx
:004012D3 81C404020000   add esp, 00000204
:004012D9 C3             ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:   <-- failed check comes here
|:0040108C(C), :00401291(C)
|
:004012DA 5F             pop edi
:004012DB 5E             pop esi
:004012DC 5D             pop ebp
:004012DD 33C0           xor eax, eax          <-- A zero in eax means no CD found
:004012DF 5B             pop ebx
:004012E0 81C404020000   add esp, 00000204
:004012E6 C3             ret

That was the CD checking routine. It simply checks for the autorun.inf file on the CD, then opens it and reads the text strings and compares them against what's on an original Smash Pack CD. Then the code opens Setup.ini, reads some text strings and compares those as well. If everything works out, the code comes down to 401298, does a few things and eventually loads eax with 01 to signify that the CD-ROM was found. If not, the code jumps down to 4012DA and loads eax with a zero for a failed CD check.

A quick crack would be to take the je at 40108C and change it to an unconditional jump down to 4012CA. This redirect would send the code right down to the section that sets up for a passed CD check and exits. That way 95% of the CD check isn't run and the correct value would be returned in eax. The actual edit for that would be:

Edit smash.exe at 4,236
=============================
Search for: 0F 84 48 02 00 00
Change to : 90 E9 38 -- -- --

However, I like to stick to my normal methods and kill the CD check from the caller. So let's check the code that calls this routine to see what needs to be done to crack this game. The code surrounding 004047F3:

-- Program code --
:004047DF 57             push edi

* Reference To: USER32.CreateWindowExA, Ord:0059h
|
:004047E0 FF1520C14300   Call dword ptr [0043C120]
:004047E6 3BC7           cmp eax, edi
:004047E8 A388F05A00     mov dword ptr [005AF088], eax
:004047ED 0F8491010000   je 00404984
:004047F3 E868C8FFFF     call 00401060         <-- Do the CD check
:004047F8 85C0           test eax, eax         <-- Test eax for pass/fail
:004047FA 0F8484010000   je 00404984           <-- eax=zero means failed - do not take!
:00404800 A188F05A00     mov eax, dword ptr [005AF088]   <-- Getting this far continues the game
:00404805 6A05           push 00000005
:00404807 50             push eax

* Reference To: USER32.ShowWindow, Ord:026Ah
|
:00404808 FF152CC14300   Call dword ptr [0043C12C]
:0040480E 8B0D88F05A00   mov ecx, dword ptr [005AF088]
:00404814 51             push ecx
-- The rest of the game code --

That's it. All you need to do is stop the check from being made and make sure you don't take the je jump at 004047FA. The easiest way I can think of to do that would be to change the call to the CD check to mov eax, 00000001. That way the CD check is never run and eax is loaded with 01, which makes the je fail. This of course allows the game to run even though the CD isn't in the CD-ROM drive. There you have it, cracked and fully playable from your hard drive.

1. Do a full game install
2. Make the following edit

   Edit smash.exe at 18,419
   ==========================
   Search for: E8 68 C8 FF FF
   Change to : B8 01 00 00 00

3. Try to enjoy it

Save yourself a few bucks and download Mame (or Mame32) and grab the ~1,300 ROM sets it runs. It'll look as good or better and run so many more games, plus it's free. It just takes some time and effort to download all those ROMs.

-+- Don't ask where to get it, just go to: www.arcadeathome.com

Two ways to crack this one; whichever way you choose to do it, this one is done because we FiX'ed it!

Static Vengeance - FiX
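Editor's added example (not part of the original tutorial): a small decoder that checks the W32Dasm listing above by recomputing the jump and call targets from the raw opcode bytes, and that reproduces the two file offsets (4,236 and 18,419) used in the edits. It assumes an image base of 0x400000 with the file offset equal to VA minus that base, which is what the tutorial's offsets imply.

```python
# Decode the relative branches quoted in the smash.exe listing.
# Assumption (from the tutorial's edit offsets): image base 0x400000 and
# file offset == VA - image base for the .text bytes being edited.
IMAGE_BASE = 0x400000


def va_to_file_offset(va: int) -> int:
    """Map a listing address to the byte offset the tutorial edits in smash.exe."""
    return va - IMAGE_BASE


def _signed(value: int, bits: int) -> int:
    """Interpret a displacement as a two's-complement signed integer."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def branch_target(va: int, opcode_hex: str) -> int:
    """Return the destination of a relative jmp/jcc/call whose bytes sit at `va`.

    Covers the three encodings seen in the listing: short Jcc (7x rel8),
    near Jcc (0F 8x rel32) and near JMP/CALL (E9/E8 rel32). x86 displacements
    are relative to the instruction *after* the branch, so its length is added.
    """
    code = bytes.fromhex(opcode_hex)
    if 0x70 <= code[0] <= 0x7F:
        length, disp = 2, _signed(code[1], 8)
    elif code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        length, disp = 6, _signed(int.from_bytes(code[2:6], "little"), 32)
    elif code[0] in (0xE8, 0xE9):
        length, disp = 5, _signed(int.from_bytes(code[1:5], "little"), 32)
    else:
        raise ValueError(f"not a relative branch: {opcode_hex}")
    if len(code) != length:
        raise ValueError(f"expected {length} bytes for {opcode_hex}")
    return (va + length + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    # (address, bytes, target as annotated by W32Dasm), copied from the listing.
    listing = [
        (0x0040108C, "0F8448020000", 0x004012DA),  # je  -> failed-check exit
        (0x004010B3, "0F859E010000", 0x00401257),  # jne -> try the next drive
        (0x0040124D, "7449",         0x00401298),  # je  -> passed-check exit
        (0x00401263, "75F9",         0x0040125E),  # jne backwards (negative rel8)
        (0x00401268, "0F853BFEFFFF", 0x004010A9),  # jne backwards (negative rel32)
        (0x00401293, "E9D8FDFFFF",   0x00401070),  # jmp back up and retry
        (0x004047F3, "E868C8FFFF",   0x00401060),  # call into the CD check
    ]
    for va, code, expected in listing:
        assert branch_target(va, code) == expected, f"{va:08X}"
        print(f"{va:08X} {code:<14} -> {expected:08X}")
    print("edit offsets:", va_to_file_offset(0x0040108C), va_to_file_offset(0x004047F3))
```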