Free Information Xchange presents:
Tempest 2000 - CD crack
by Static Vengeance - Nov 14th, 1998

Requirements: Hex Editor and Full Install
              W32Dasm if you want to follow along

Tempest 2000, in theory, should be a great game. I have always loved the original Tempest from way back in the olden days in the arcades, so when I found a copy of Tempest 2000 laying around I wanted to try it. I found a few problems with the game. First, there is no native mouse support in the Win95 version, which seems odd as almost ALL Win95 users have mice. What was the thinking here? Didn't the programmers know how to access the mouse from Win95? Even the MS Arcade version (for Win 3.1) has mouse support! Anyway, there's the CD check that comes up during the game. That can easily be FiX'ed. Too bad Electronic Arts really did a poor job on this game. I was looking for a new version of Tempest that would be fun and fast to play; no such luck here. But I will at least show you how to crack this one.

First, disassemble tempest.exe, go up to the menu bar, select Refs, and then select String Data Refs from there.
When the pop-up box appears, grab the slider bar and scroll down until you see "Cannot find TEMPEST CD". Now double click this ref and W32Dasm will put you in the middle of this routine:

-- Program Code --
:00404AB0 FF1518B44300         Call dword ptr [0043B418]
:00404AB6 66C705F09243003C00   mov word ptr [004392F0], 003C
:00404ABF 66C705F49243002800   mov word ptr [004392F4], 0028
:00404AC8 66893504934300       mov word ptr [00439304], si

* Reference To: USER32.MessageBoxA, Ord:0188h
|
:00404ACF 8B35ACB34300         mov esi, dword ptr [0043B3AC]
:00404AD5 66893D74914300       mov word ptr [00439174], di

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404AFC(C)
|
:00404ADC E81FC5FFFF           call 00401000                  <-- Do the CD check
:00404AE1 85C0                 test eax, eax                  <-- Test the returned value in eax
:00404AE3 A1A0904100           mov eax, dword ptr [004190A0]
:00404AE8 7520                 jne 00404B0A                   <-- Take this jump to continue
:00404AEA 6A11                 push 00000011

* Possible StringData Ref from Data Obj ->"TEMPEST 2000"
|
:00404AEC 6870A84100           push 0041A870

* Possible StringData Ref from Data Obj ->"Cannot find TEMPEST CD"   <-- What got us here
|
:00404AF1 6838A84100           push 0041A838
:00404AF6 50                   push eax
:00404AF7 FFD6                 call esi
:00404AF9 83F801               cmp eax, 00000001              <-- 01 means you hit retry
:00404AFC 74DE                 je 00404ADC
:00404AFE 33C0                 xor eax, eax                   <-- Set up for quit to Win95
:00404B00 5D                   pop ebp
:00404B01 5F                   pop edi
:00404B02 5E                   pop esi
:00404B03 5B                   pop ebx
:00404B04 83C41C               add esp, 0000001C
:00404B07 C21000               ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404AE8(C)                                                 <-- Want to get here
|
:00404B0A E8A1D2FFFF           call 00401DB0
:00404B0F 85C0                 test eax, eax
:00404B11 750C                 jne 00404B1F
:00404B13 33C0                 xor eax, eax
-- Continuing program code --

Alright, that's the section of code that'll ask for the CD if it's not in the drive when you start the game.
So let's check out the CD check routine at 401000 and see what it does:

:00401000 81EC48040000         sub esp, 00000448
:00401006 8D442440             lea eax, dword ptr [esp+40]
:0040100A 53                   push ebx
:0040100B 56                   push esi
:0040100C 57                   push edi
:0040100D 55                   push ebp
:0040100E 50                   push eax
:0040100F 6805040000           push 00000405

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00E5h
|
:00401014 FF1558B34300         Call dword ptr [0043B358]
:0040101A 8BE8                 mov ebp, eax
:0040101C 85ED                 test ebp, ebp
:0040101E 7510                 jne 00401030                   <-- Take this jump to do the actual CD check
:00401020 B801000000           mov eax, 00000001
:00401025 5D                   pop ebp
:00401026 5F                   pop edi
:00401027 5E                   pop esi
:00401028 5B                   pop ebx
:00401029 81C448040000         add esp, 00000448
:0040102F C3                   ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040101E(C)
|
:00401030 32DB                 xor bl, bl
:00401032 85ED                 test ebp, ebp
:00401034 0F849C000000         je 004010D6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010D0(C)
|
:0040103A 33C0                 xor eax, eax
:0040103C 8AC3                 mov al, bl
:0040103E 8D7C0450             lea edi, dword ptr [esp+eax+50]
:00401042 57                   push edi

* Reference To: KERNEL32.GetDriveTypeA, Ord:00CEh            <-- Commonly used in CD checks
|
:00401043 FF1554B34300         Call dword ptr [0043B354]
:00401049 85C0                 test eax, eax
:0040104B 7405                 je 00401052
:0040104D 83F805               cmp eax, 00000005              <-- 05 is the value for a CD Rom drive
:00401050 7575                 jne 004010C7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040104B(C)
|
:00401052 B9FFFFFFFF           mov ecx, FFFFFFFF
:00401057 2BC0                 sub eax, eax
:00401059 F2                   repnz
:0040105A AE                   scasb
:0040105B F7D1                 not ecx
:0040105D 2BF9                 sub edi, ecx
:0040105F 8BC1                 mov eax, ecx
:00401061 C1E902               shr ecx, 02
:00401064 8BF7                 mov esi, edi
:00401066 8D7C2410             lea edi, dword ptr [esp+10]
:0040106A 6A00                 push 00000000
:0040106C F3                   repz
:0040106D A5                   movsd
:0040106E 8BC8                 mov ecx, eax
:00401070 6880000000           push 00000080
:00401075 83E103               and ecx, 00000003
:00401078 6A03                 push 00000003
:0040107A F3                   repz
:0040107B A4                   movsb

* Possible StringData Ref from Data Obj ->"TEMPEST.EXE"       <-- File the CD check is looking for
|
:0040107C BFD0A44100           mov edi, 0041A4D0
:00401081 B9FFFFFFFF           mov ecx, FFFFFFFF
:00401086 2BC0                 sub eax, eax
:00401088 6A00                 push 00000000
:0040108A F2                   repnz
:0040108B AE                   scasb
:0040108C F7D1                 not ecx
:0040108E 2BF9                 sub edi, ecx
:00401090 8BD1                 mov edx, ecx
:00401092 8BF7                 mov esi, edi
:00401094 B9FFFFFFFF           mov ecx, FFFFFFFF
:00401099 8D7C2420             lea edi, dword ptr [esp+20]
:0040109D 2BC0                 sub eax, eax
:0040109F F2                   repnz
:004010A0 AE                   scasb
:004010A1 4F                   dec edi
:004010A2 8BCA                 mov ecx, edx
:004010A4 C1E902               shr ecx, 02
:004010A7 6A01                 push 00000001
:004010A9 F3                   repz
:004010AA A5                   movsd
:004010AB 8BCA                 mov ecx, edx
:004010AD 6800000080           push 80000000
:004010B2 83E103               and ecx, 00000003
:004010B5 F3                   repz
:004010B6 A4                   movsb
:004010B7 8D442428             lea eax, dword ptr [esp+28]
:004010BB 50                   push eax

* Reference To: KERNEL32.CreateFileA, Ord:002Bh              <-- Try to open the file on the CD (read only, OPEN_EXISTING)
|
:004010BC FF1550B34300         Call dword ptr [0043B350]
:004010C2 83F8FF               cmp eax, FFFFFFFF
:004010C5 751C                 jne 004010E3                   <-- Take this jump to continue

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401050(C)
|
:004010C7 80C304               add bl, 04
:004010CA 33C0                 xor eax, eax
:004010CC 8AC3                 mov al, bl
:004010CE 3BC5                 cmp eax, ebp
:004010D0 0F8264FFFFFF         jb 0040103A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401034(C)
|
:004010D6 33C0                 xor eax, eax                   <-- Zero out eax for a failed CD check
:004010D8 5D                   pop ebp
:004010D9 5F                   pop edi
:004010DA 5E                   pop esi
:004010DB 5B                   pop ebx
:004010DC 81C448040000         add esp, 00000448
:004010E2 C3                   ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010C5(C)
|
:004010E3 50                   push eax

* Reference To: KERNEL32.CloseHandle, Ord:0016h
|
:004010E4 FF1560B34300         Call dword ptr [0043B360]
:004010EA B801000000           mov eax, 00000001              <-- 01 means the CD check passed
:004010EF 5D                   pop ebp
:004010F0 5F                   pop edi
:004010F1 5E                   pop esi
:004010F2 5B                   pop ebx
:004010F3 81C448040000         add esp, 00000448
:004010F9 C3                   ret

That's the entire section of code that checks for the CD-ROM. It walks the drive list from GetLogicalDriveStringsA, and for every drive that GetDriveTypeA reports as type 5 (CD-ROM) it tries to open TEMPEST.EXE on that drive; the first successful open returns 1, and running out of drives returns 0. Changing the call 00401000 to mov eax, 00000001 will make the jne at 404AE8 always good (both encodings are five bytes long, so nothing else in the code shifts). This will allow Tempest 2000 to continue so you can play with or without the CD. The last thing you'll need to do is to kill the calls to the online registration. These can be found by a text search for "register", which will lead you to this section of code:

:00404A34 68F8924300           push 004392F8
:00404A39 A1A0904100           mov eax, dword ptr [004190A0]
:00404A3E 6828934300           push 00439328
:00404A43 6A05                 push 00000005
:00404A45 6A01                 push 00000001
:00404A47 6A00                 push 00000000
:00404A49 50                   push eax                       <-- Push needed information on stack

* Reference To: EREGREG2._RegCard_Register, Ord:0002h
|
:00404A4A E803270100           Call 00417152                  <-- Make the EREG dll call
:00404A4F 83C418               add esp, 00000018              <-- Fix the stack for the pushed values
:00404A52 A3D4924300           mov dword ptr [004392D4], eax
:00404A57 A1A0904100           mov eax, dword ptr [004190A0]
:00404A5C 50                   push eax
:00404A5D E85ECEFFFF           call 004018C0
:00404A62 83C404               add esp, 00000004
:00404A65 85C0                 test eax, eax
:00404A67 750C                 jne 00404A75
:00404A69 33C0                 xor eax, eax
:00404A6B 5D                   pop ebp
:00404A6C 5F                   pop edi
:00404A6D 5E                   pop esi
:00404A6E 5B                   pop ebx
:00404A6F 83C41C               add esp, 0000001C
:00404A72 C21000               ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404A67(C)
|
:00404A75 E8A6F7FFFF           call 00404220
:00404A7A 85C0                 test eax, eax
:00404A7C 750C                 jne 00404A8A
:00404A7E 33C0                 xor eax, eax
:00404A80 5D                   pop ebp
:00404A81 5F                   pop edi
:00404A82 5E                   pop esi
:00404A83 5B                   pop ebx
:00404A84 83C41C               add esp, 0000001C
:00404A87 C21000               ret 0010

Kill the call to the EREG by changing the call to a mov eax, 00000001. There is a second call to the EREG dll you also need to kill. This can be found by searching for any other calls to 417152.
You'll find two: the one listed above and one that's linked to "Register" on the file menu of Tempest 2000. The same type of edit will also work for the second call. After making the three patches you'll end up with a cracked Tempest 2000.

Edit tempest.exe
============================================
Search for: E8 CD 37 01 00 at offset 11,648
Change to : B8 01 00 00 00

Search for: E8 03 27 01 00 at offset 15,946
Change to : B8 01 00 00 00

Search for: E8 1F C5 FF FF at offset 16,092
Change to : B8 01 00 00 00

A favorite game of mine wasted, oh well... at least it's been FiX'ed

Static Vengeance - FiX
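As an added example (not part of the original write-up or the game's code), the following Python decodes the three E8 call sites quoted above, shows why the listed file offsets line up with the addresses in the disassembly, and reports whether a byte buffer still holds the original call or the same-length mov eax, 1 substitution, the kind of check an integrity monitor for the executable would run. The single file-offset-to-address delta (0xC00) is an assumption inferred from the offset/address pairs in the write-up, and the zero-filled sample buffer is constructed, not the real tempest.exe.

```python
# Added example: decode the E8 call sites quoted in the write-up and report whether a
# buffer still holds the original call or the same-length 'mov eax, 1'. Constructed data only.
import struct

IMAGE_BASE = 0x400000
# Assumption: one file-offset -> RVA delta for the whole code section, inferred from the
# listing (file offset 16,092 holds the call shown at VA 0x404ADC, so the delta is 0xC00).
TEXT_DELTA = 0xC00
MOV_EAX_1 = bytes.fromhex("B801000000")   # mov eax, 1: five bytes, same length as call rel32

# file offset -> (original call bytes from the listing, call target from the listing)
SITES = {
    11648: (bytes.fromhex("E8CD370100"), 0x417152),  # second EREGREG2 call
    15946: (bytes.fromhex("E803270100"), 0x417152),  # EREGREG2._RegCard_Register
    16092: (bytes.fromhex("E81FC5FFFF"), 0x401000),  # the CD check routine
}

def file_off_to_va(file_off: int) -> int:
    return IMAGE_BASE + TEXT_DELTA + file_off

def call_target(va: int, insn: bytes) -> int:
    """Target of a near call (E8 rel32) at va; rel32 is relative to the next instruction."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte near call")
    rel = struct.unpack("<i", insn[1:5])[0]   # little-endian signed displacement
    return (va + 5 + rel) & 0xFFFFFFFF

def classify_site(buf: bytes, file_off: int, expected_target: int) -> str:
    """intact_call, patched_mov_eax_1 (return value forced to 1), or unexpected_bytes."""
    insn = buf[file_off:file_off + 5]
    if len(insn) == 5 and insn[0] == 0xE8 and \
            call_target(file_off_to_va(file_off), insn) == expected_target:
        return "intact_call"
    if insn == MOV_EAX_1:
        return "patched_mov_eax_1"
    return "unexpected_bytes"

def audit(buf: bytes) -> dict:
    """Classify every known call site (a real monitor would also compare a hash of the file)."""
    return {off: classify_site(buf, off, target) for off, (_, target) in SITES.items()}

def make_sample(patched_offsets=()) -> bytes:
    """Constructed stand-in for tempest.exe: zero-filled, only the three call sites populated."""
    buf = bytearray(16384)
    for off, (insn, _) in SITES.items():
        buf[off:off + 5] = MOV_EAX_1 if off in patched_offsets else insn
    return bytes(buf)
```

Calling audit(make_sample()) reports all three sites as intact_call; a buffer whose CD-check site carries the five-byte mov is reported as patched_mov_eax_1 at offset 16092.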