Free Information Xchange presents:

Wipeout XL - CD crack
by Static Vengeance - Dec 5th, 1998

Requirements:
  Full game install and a hex editor
  W32Dasm if you want to follow along

WipeoutXL is an updated version of Wipeout2097, which is a futuristic racing game where you can shoot opponents and collect power-ups. This newer version has full support for Direct3D and a PowerVR (sgl) native version. Not bad as far as futuristic racers go, I guess, but there is one little problem that bothers me. This little "problem" is more of a program BUG. The bug I'm speaking of is the need to have the game CD in the CD-ROM drive when you play the game. As you know, bugs like this can be patched.

So get out W32Dasm and disassemble wipeout2.exe. From there just go up to the menu bar and select REFS, then "String Data References" from the drop-down menu. When the pop-up box appears, grab the slider bar and scroll down until you see "Make sure Wipeout XL CD is in ". Double click this and you're right in the middle of the CD check, which looks like this:

* Referenced by a CALL at Address:
|:0045EA1D                            <-- Called only once
|
:00430C3A 55                      push ebp
:00430C3B 8BEC                    mov ebp, esp
:00430C3D 83EC04                  sub esp, 00000004
:00430C40 53                      push ebx
:00430C41 56                      push esi
:00430C42 57                      push edi
:00430C43 E851FCFFFF              call 00430899      <-- Check for CD through WINMM.dll calls

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430CA8(U)
|
:00430C48 0FBF05DCDC4800          movsx eax, word ptr [0048DCDC]   <-- "no CD" flag set inside 00430899
:00430C4F 83F801                  cmp eax, 00000001
:00430C52 0F8555000000            jne 00430CAD       <-- Take this jump for CD found
:00430C58 C7057029490001000000    mov dword ptr [00492970], 00000001
:00430C62 6841200000              push 00002041      <-- MB_OKCANCEL | MB_ICONINFORMATION | MB_TASKMODAL

* Possible StringData Ref from Data Obj ->"Wipeout XL CD Validator"
                                  |
:00430C67 688CF74800              push 0048F78C

* Possible StringData Ref from Data Obj ->"Make sure Wipeout XL CD is in "   <-- What brought us here
                                        ->"the CD drive."
                                  |
:00430C6C 68A4F74800              push 0048F7A4
:00430C71 A13C244A00              mov eax, dword ptr [004A243C]
:00430C76 50                      push eax

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00430C77 FF15F814BD00            Call dword ptr [00BD14F8]
:00430C7D 8945FC                  mov dword ptr [ebp-04], eax
:00430C80 C7057029490000000000    mov dword ptr [00492970], 00000000
:00430C8A 837DFC01                cmp dword ptr [ebp-04], 00000001
:00430C8E 0F850A000000            jne 00430C9E       <-- Anything but OK (IDOK = 1) jumps out; OK falls through and retries
:00430C94 E800FCFFFF              call 00430899      <-- Check for CD again (the retry)
:00430C99 E90A000000              jmp 00430CA8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430C8E(C)
|
:00430C9E 6AFF                    push FFFFFFFF
:00430CA0 E87B390400              call 00474620      <-- Cancel path
:00430CA5 83C404                  add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430C99(U)
|
:00430CA8 E99BFFFFFF              jmp 00430C48       <-- Loop back and test the flag again

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430C52(C)                           <-- Getting here exits CD check
|
:00430CAD 684072A600              push 00A67240
:00430CB2 6A01                    push 00000001
:00430CB4 E88EF7FFFF              call 00430447
:00430CB9 83C408                  add esp, 00000008
:00430CBC A344C4A600              mov dword ptr [00A6C444], eax
:00430CC1 5F                      pop edi
:00430CC2 5E                      pop esi
:00430CC3 5B                      pop ebx
:00430CC4 C9                      leave
:00430CC5 C3                      ret

A small self-contained routine. It doesn't return any special pass/fail value; it just loops on the word at 0048DCDC until the CD is found. The calls to 430899 check for the CD and check for specific track information, and 430899 is what sets that flag to 1 when the CD isn't there. The message box is shown with 0x2041 (MB_OKCANCEL | MB_ICONINFORMATION | MB_TASKMODAL), so a return of 1 (IDOK) means "try again" and anything else is Cancel. A brief look at this code and you'll see what's going on. I cut out most of the code but will show you the general flow of it.
Here it's not important that you understand each instruction, but that you "read" the general flow:

* Referenced by a CALL at Addresses:
|:00430C43   , :00430C94              <-- Called twice from above
|
:00430899 55                      push ebp
:0043089A 8BEC                    mov ebp, esp
:0043089C 81EC70020000            sub esp, 00000270
:004308A2 53                      push ebx
:004308A3 56                      push esi

-- SNIP non essential code --

:00430966 680D080000              push 0000080D      <-- 0x80D = MCI_SET
:0043096B A1FCE29100              mov eax, dword ptr [0091E2FC]   <-- MCI device ID
:00430970 50                      push eax

* Reference To: WINMM.mciSendCommandA, Ord:0032h    <-- Check for CD using WINMM.dll calls
                                  |
:00430971 FF152C15BD00            Call dword ptr [00BD152C]
:00430977 898590FDFFFF            mov dword ptr [ebp+FFFFFD90], eax
:0043097D 83BD90FDFFFF00          cmp dword ptr [ebp+FFFFFD90], 00000000
:00430984 0F8433000000            je 004309BD        <-- MCI_SET succeeded
:0043098A 66C705DCDC48000100      mov word ptr [0048DCDC], 0001   <-- MCI error: set the "no CD" flag the caller tests
:00430993 6A00                    push 00000000
:00430995 6A00                    push 00000000
:00430997 6804080000              push 00000804      <-- 0x804 = MCI_CLOSE
:0043099C A1FCE29100              mov eax, dword ptr [0091E2FC]
:004309A1 50                      push eax

* Reference To: WINMM.mciSendCommandA, Ord:0032h
                                  |
:004309A2 FF152C15BD00            Call dword ptr [00BD152C]
:004309A8 81BD90FDFFFF01010000    cmp dword ptr [ebp+FFFFFD90], 00000101   <-- was the MCI_SET error 0x101 (MCIERR_INVALID_DEVICE_ID)?
:004309B2 0F8505000000            jne 004309BD
:004309B8 E8F3F9FFFF              call 004303B0

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00430984(C), :004309B2(C)
|
:004309BD C745F803000000          mov [ebp-08], 00000003
:004309C4 8D45F0                  lea eax, dword ptr [ebp-10]    <-- MCI_STATUS_PARMS on the stack
:004309C7 50                      push eax
:004309C8 6800010000              push 00000100      <-- MCI_STATUS_ITEM
:004309CD 6814080000              push 00000814      <-- 0x814 = MCI_STATUS
:004309D2 A1FCE29100              mov eax, dword ptr [0091E2FC]
:004309D7 50                      push eax

* Reference To: WINMM.mciSendCommandA, Ord:0032h
                                  |
:004309D8 FF152C15BD00            Call dword ptr [00BD152C]
:004309DE 898590FDFFFF            mov dword ptr [ebp+FFFFFD90], eax

-- SNIP non essential code --

:00430A4D 6810010000              push 00000110      <-- MCI_STATUS_ITEM | MCI_TRACK: ask about one track
:00430A52 6814080000              push 00000814      <-- MCI_STATUS again
:00430A57 A1FCE29100              mov eax, dword ptr [0091E2FC]
:00430A5C 50                      push eax

* Reference To: WINMM.mciSendCommandA, Ord:0032h    <-- More WINMM calls
                                  |
:00430A5D FF152C15BD00            Call dword ptr [00BD152C]
:00430A63 898590FDFFFF            mov dword ptr [ebp+FFFFFD90], eax
:00430A69 83BD90FDFFFF00          cmp dword ptr [ebp+FFFFFD90], 00000000
:00430A70 0F840E000000            je 00430A84

-- SNIP non essential code --

:00430AA0 50                      push eax
:00430AA1 8B8598FDFFFF            mov eax, dword ptr [ebp+FFFFFD98]
:00430AA7 50                      push eax

* Possible StringData Ref from Data Obj ->"Track %2d - %02d:%02d:%02d"   <-- This caught my eye!
                                  |
:00430AA8 6870F74800              push 0048F770
:00430AAD 8D45AC                  lea eax, dword ptr [ebp-54]
:00430AB0 50                      push eax

* Reference To: USER32.wsprintfA, Ord:0262h
                                  |
:00430AB1 FF156014BD00            Call dword ptr [00BD1460]
:00430AB7 83C418                  add esp, 00000018  <-- 6 args: buffer, format, track, h, m, s
:00430ABA 8D45AC                  lea eax, dword ptr [ebp-54]
:00430ABD 50                      push eax
:00430ABE 8D859CFDFFFF            lea eax, dword ptr [ebp+FFFFFD9C]
:00430AC4 50                      push eax

* Reference To: KERNEL32.lstrcatA, Ord:028Dh         <-- Appends the formatted track line to a bigger buffer
                                  |
:00430AC5 FF157413BD00            Call dword ptr [00BD1374]
:00430ACB 33C0                    xor eax, eax

-- SNIP non essential code --

:00430C2E 33C0                    xor eax, eax
:00430C30 E900000000              jmp 00430C35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430C30(U)
|
:00430C35 5F                      pop edi            <-- The end of this routine!
:00430C36 5E                      pop esi
:00430C37 5B                      pop ebx
:00430C38 C9                      leave
:00430C39 C3                      ret

* Referenced by a CALL at Address:
|:0045EA1D                            <-- Beginning of first code section I showed you
|
:00430C3A 55                      push ebp
:00430C3B 8BEC                    mov ebp, esp
:00430C3D 83EC04                  sub esp, 00000004

So as long as you can get the general idea of what's going on you'll be fine. I can tell that the code is using the WINMM (Windows MultiMedia) DLL to check for the CD: the constants pushed right before each mciSendCommandA are MCI command IDs (0x80D = MCI_SET, 0x804 = MCI_CLOSE, 0x814 = MCI_STATUS), and the 0x110 flag on the last MCI_STATUS is MCI_STATUS_ITEM | MCI_TRACK, which asks about one specific track. I would say the line that says "Track %2d - %02d:%02d:%02d" means the routine is checking for specific info on a certain CD track. Then you have the string function calls shortly after that: wsprintfA formats the track number and position into a stack buffer, and lstrcatA appends that to a larger buffer (lstrcatA only concatenates; any comparison against expected values would be in the code I snipped). All this is saying is "look for track x @ time hour:min:sec" and compare it against what we know should be there. Hey, maybe I'm not 100% right, but I do know it IS a CD check.
When looking at the first section of code I showed, you'll see that it doesn't return any value. So a quick look at the code surrounding the caller is in order, just to be sure:

-- Program code --

:0045E9F1 8B0D3C244A00            mov ecx, dword ptr [004A243C]
:0045E9F7 51                      push ecx

* Reference To: USER32.UpdateWindow, Ord:024Fh
                                  |
:0045E9F8 FF15A814BD00            Call dword ptr [00BD14A8]
:0045E9FE C705E8E29100B0E29100    mov dword ptr [0091E2E8], 0091E2B0
:0045EA08 C605B6E2910001          mov byte ptr [0091E2B6], 01
:0045EA0F 53                      push ebx
:0045EA10 684072A600              push 00A67240
:0045EA15 E8A6A6FAFF              call 004090C0
:0045EA1A 83C408                  add esp, 00000008
:0045EA1D E81822FDFF              call 00430C3A      <-- Do the CD check, no special value returned
:0045EA22 68D0AB4B00              push 004BABD0
:0045EA27 E8640FFDFF              call 0042F990

-- Continuing program code --

To crack this one, just stop the call to the CD check from being made. The easiest way to do that is to overwrite the call with mov eax, 00000001. A near CALL (E8 plus a 32-bit displacement) and mov eax, imm32 (B8 plus the immediate) are both 5 bytes, so nothing after it shifts, and since the caller never looks at eax after the call (it goes straight on to push 004BABD0 and call 0042F990) loading eax with one is harmless; five NOPs (90) would do the job just as well. Note that this skips the whole of 00430C3A, including the call 00430447 and the store to 00A6C444 at its end, not just the check, and the game evidently doesn't miss them. The file offset 384,541 is 0x5DE1D, which is the W32Dasm address 0x45EA1D minus 0x401000 (the 0x400000 image base plus the 0x1000 gap between the code section's virtual address and its raw offset in this exe), so you can sanity-check the offset before writing. Make the patch to the exe file and you can race WipeoutXL without the CD in your CD-ROM drive! The exact same technique will work for the PowerVR version. Both edits are listed below.

To make a cracked copy of this one and run it from your hard drive follow these steps:

1. Do a full game install

2. Make the following patch by version:

   For the D3D version edit wipeout2.exe
   =============================================
   Search for: E8 18 22 FD FF  at offset 384,541
   Change to : B8 01 00 00 00

   For the PowerVR version edit wipeout2.exe
   =============================================
   Search for: E8 48 BF 03 00  at offset 88,989
   Change to : B8 01 00 00 00

3. Enjoy the game without the need for the CD!

Yet another minor programming bug has been FiX'ed

Static Vengeance - FiX
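The same edit can be scripted instead of done by hand in a hex editor, and a script can refuse to write unless the five bytes at the offset are exactly the ones listed and the CALL really does land on 00430C3A. The block below is an added example, not part of the original tutorial or of the game: the offsets, bytes, addresses and the file name wipeout2.exe are the ones from the steps above, the names PATCHES, call_target, patch_image, patch_file and sample_image are mine, and sample_image() builds a constructed zero-filled stand-in with the CALL bytes planted at the documented offset, not a real executable. The PowerVR entry carries no VA/target because the tutorial only shows the D3D listing.

```python
"""Apply the 'overwrite the CALL with mov eax,1' patch with checks.

Added example; assumes the offsets and bytes listed in the tutorial.
"""
import struct
import sys

CALL_REL32 = 0xE8                          # opcode of a 5-byte near CALL
MOV_EAX_1 = bytes.fromhex("B801000000")    # mov eax, 00000001, also 5 bytes

# The two edits from the tutorial, keyed by build. VA and target for the D3D
# build come from the W32Dasm listing; the PowerVR listing is not shown, so
# only its bytes and offset are known.
PATCHES = {
    "d3d": {"offset": 384541, "expected": bytes.fromhex("E81822FDFF"),
            "va": 0x0045EA1D, "target": 0x00430C3A},
    "powervr": {"offset": 88989, "expected": bytes.fromhex("E848BF0300")},
}


def call_target(va, insn):
    """Decode a near CALL located at virtual address va; return its target.

    The displacement is a signed 32-bit value relative to the next
    instruction (va + 5), with 32-bit wraparound.
    """
    if len(insn) != 5 or insn[0] != CALL_REL32:
        raise ValueError("not a 5-byte CALL rel32: %s" % bytes(insn).hex())
    (rel,) = struct.unpack("<i", bytes(insn[1:]))
    return (va + 5 + rel) & 0xFFFFFFFF


def patch_image(image, offset, expected, va=None, target=None):
    """Return a copy of image with the CALL at offset replaced by mov eax,1.

    Refuses to touch anything unless the bytes at offset match `expected`
    and, when va/target are given, the decoded CALL really goes to target.
    """
    found = bytes(image[offset:offset + 5])
    if found != expected:
        raise ValueError("expected %s at offset %d, found %s"
                         % (expected.hex(), offset, found.hex()))
    if va is not None and target is not None:
        got = call_target(va, found)
        if got != target:
            raise ValueError("CALL at %08X goes to %08X, not %08X"
                             % (va, got, target))
    assert len(MOV_EAX_1) == len(expected) == 5   # same length: nothing shifts
    return bytes(image[:offset]) + MOV_EAX_1 + bytes(image[offset + 5:])


def patch_file(path, build):
    """Patch the exe in place, keeping the original as path + '.bak'."""
    with open(path, "rb") as f:
        original = f.read()
    patched = patch_image(original, **PATCHES[build])
    with open(path + ".bak", "wb") as f:
        f.write(original)
    with open(path, "wb") as f:
        f.write(patched)
    return patched


def sample_image(build="d3d"):
    """Constructed stand-in for the real exe (not a real executable):
    zero padding with the listed CALL bytes at the documented offset."""
    p = PATCHES[build]
    buf = bytearray(p["offset"] + 32)
    buf[p["offset"]:p["offset"] + 5] = p["expected"]
    return bytes(buf)


if __name__ == "__main__":
    # usage: python patch_wipeout.py wipeout2.exe d3d|powervr
    patch_file(sys.argv[1], sys.argv[2])
```

call_target() is also a quick way to confirm the listing's own arithmetic: the E8 18 22 FD FF at 0045EA1D decodes to 00430C3A, and the E8 51 FC FF FF at 00430C43 decodes to 00430899, exactly the two routines walked through above.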