Deathtrap Dungeon.txt (1998-08-22)
Free Information Xchange '98 presents:
Deathtrap Dungeon - CD crack by Static Vengeance
Requirements:
Hex editor and full game install
W32Dasm if you wish to follow along
Deathtrap Dungeon is a great action adventure game much like Tomb Raider in game play. However,
there is a little bug in the game that needs to be FiX'ed. The bug I'm speaking of is the CD check that
is run before and during the game. So we will be removing the CD checks so the game can be run completely
from the hard drive. The first thing that needs to be done is a full install, followed by a look at the
files that were copied to the hard drive in the install directory. I saw ddconfig.exe, ddstart.exe and
a DLL called dungeon.dll with other files and a subdirectory called asylum. However, the three files I
mentioned by name are the most interesting to us now. The first file I disassembled was ddstart.exe to
see what it did and to see if there were any CD checks in that file. Sure enough, there is a CD check in
there; however, the exe program then runs the dd_cd.exe file from x:\asylum\ off the CD, "x" being your CD
drive letter. Well, I figured as long as it's going to get run, why not copy it to the install directory
and run it as the startup program for Deathtrap Dungeon. Well, it worked, except for the CD check. So
I disassembled the file, looking for the CD check, and found this:
* Referenced by a CALL at Addresses:
|:004011A5 , :004011D7 <-- Called twice
|
:00401220 53 push ebx
* Possible StringData Ref from Data Obj ->"X:\" <-- Drive letter
|
:00401221 6820614000 push 00406120
:00401226 8A5C240C mov bl, byte ptr [esp+0C]
:0040122A 881D20614000 mov byte ptr [00406120], bl
* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh <-- Commonly used in CD checks
|
:00401230 FF1598914000 Call dword ptr [00409198]
:00401236 83F805 cmp eax, 00000005 <-- Value for a CD rom drive
:00401239 752C jne 00401267 <-- Failed checks goto 401267
* Possible StringData Ref from Data Obj ->"rb" <-- Read Binary
|
:0040123B 6808614000 push 00406108
:00401240 881D0C614000 mov byte ptr [0040610C], bl
* Possible StringData Ref from Data Obj ->"X:\Asylum\DD_CD.EXE" <-- Check for this file
|
:00401246 680C614000 push 0040610C
:0040124B E8F0000000 call 00401340
:00401250 83C408 add esp, 00000008
:00401253 85C0 test eax, eax
:00401255 7410 je 00401267
:00401257 50 push eax
:00401258 E843000000 call 004012A0
:0040125D 83C404 add esp, 00000004
:00401260 B801000000 mov eax, 00000001 <-- Set return value for passed CD check
:00401265 5B pop ebx
:00401266 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401239(C), :00401255(C)
|
:00401267 33C0 xor eax, eax <-- Zero out eax for a failed CD check
:00401269 5B pop ebx
:0040126A C3 ret
Well, that's the code that checks for the dd_cd.exe file on the CD. Read top down, the routine takes one
argument, the drive letter (after the two pushes, [esp+0C] is the caller's first argument), writes that
letter over the "X" in both the "X:\" and "X:\Asylum\DD_CD.EXE" strings, calls GetDriveTypeA and insists
on the answer 5 (DRIVE_CDROM), then tries to open DD_CD.EXE on that drive with mode "rb". Any failure
lands at 401267 and returns eax=0; success hands the open handle to 4012A0 (presumably closing it) and
returns eax=1. So now it's time to check the code that calls the above routine:
:004011A5 E876000000 call 00401220 <-- Do the CD check
:004011AA 83C404 add esp, 00000004
:004011AD 85C0 test eax, eax <-- Test the results
:004011AF 7416 je 004011C7 <-- Take this jump on fail (eax=zero)
The other section of code that calls the CD check looks like this:
:004011D7 E844000000 call 00401220 <-- Do the CD check
:004011DC 83C404 add esp, 00000004
:004011DF 85C0 test eax, eax <-- Test the results
:004011E1 7512 jne 004011F5 <-- Take this jump on pass (eax not equal to zero)
The file dd_cd.exe is very small and does its real work through calls into dungeon.dll. This
can be seen in the import module section of the disassembly text, like this:
Import Module 004: Dungeon.dll <-- Module name
Addr:000092CA hint(0001) Name: Config_Set_CD_Drive <-- Set the CD drive
Addr:000092E0 hint(0003) Name: Read_Default_Values_From_Config_File <-- You get the idea!
Addr:0000927C hint(0005) Name: _W95_Serve_Message@16
Addr:00009294 hint(0004) Name: W95_Set_Message_Loop_Caller
Addr:000092B2 hint(0002) Name: Play_Win32_Deathtrap <-- Play the game!
And a little snippet from the dd_cd.exe disassembly would show you this:
--- Code ---
:004010CA 52 push edx
:004010CB 50 push eax
:004010CC 51 push ecx
* Reference To: Dungeon.Play_Win32_Deathtrap, Ord:0002h <-- Says it all right here
|
:004010CD E8A6010000 Call 00401278
:004010D2 83C414 add esp, 00000014
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010AF(C)
|
:004010D5 33C0 xor eax, eax <-- Getting here means you quit the game
:004010D7 81C4D8010000 add esp, 000001D8
:004010DD C3 ret
Well, now simply delete the old ddstart.exe file, rename dd_cd.exe to ddstart.exe and
you're set, right? Well... actually no. There are more CD checks, eight to be exact, but these are
made from within dungeon.dll itself and can be found by searching for the string "Insert the
Deathtrap Dungeon CD into drive %c:" in the Data String References. This would put you into the
middle of code similar to this:
:1000F3DA E821100300 call 10040400 <-- Minor utility call used a LOT!
:1000F3DF 85C0 test eax, eax <-- Test eax for a value
:1000F3E1 0F852C010000 jne 1000F513 <-- Take this jump to bypass the CD check
* Possible StringData Ref from Data Obj ->"-:\A.DAT" <-- File on the CD to check for
|
:1000F3E7 8B0DE08A0F10 mov ecx, dword ptr [100F8AE0]
:1000F3ED 33FF xor edi, edi
:1000F3EF A0F08A0F10 mov al, byte ptr [100F8AF0]
:1000F3F4 8801 mov byte ptr [ecx], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000F50D(C)
|
* Possible StringData Ref from Data Obj ->"rb" <-- Read Binary
|
:1000F3F6 6894D00B10 push 100BD094
* Possible StringData Ref from Data Obj ->"-:\A.DAT" <-- The file (pointer to it)
|
:1000F3FB A1E08A0F10 mov eax, dword ptr [100F8AE0]
:1000F400 50 push eax
:1000F401 E8BAC30900 call 100AB7C0
:1000F406 83C408 add esp, 00000008
:1000F409 8BE8 mov ebp, eax
:1000F40B 85ED test ebp, ebp
:1000F40D 742B je 1000F43A
:1000F40F 53 push ebx
:1000F410 6800C07326 push 2673C000
:1000F415 55 push ebp
:1000F416 E875C50900 call 100AB990
:1000F41B 83C40C add esp, 0000000C
:1000F41E 55 push ebp
:1000F41F E82CC50900 call 100AB950
:1000F424 83C404 add esp, 00000004
:1000F427 83F84A cmp eax, 0000004A
:1000F42A 7505 jne 1000F431
:1000F42C BF01000000 mov edi, 00000001 <-- Set the flag for pass/fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000F42A(C)
|
:1000F431 55 push ebp
:1000F432 E8A9C20900 call 100AB6E0
:1000F437 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000F40D(C)
|
:1000F43A 85FF test edi, edi <-- if edi is 00000001 the CD check passed
:1000F43C 0F85D1000000 jne 1000F513 <-- Take this jump for passed CD check
* Possible StringData Ref from Data Obj ->"Insert the Deathtrap Dungeon CD " <-- Why we're doing this
->"into drive %c:"
|
:1000F442 8B0DF48A0F10 mov ecx, dword ptr [100F8AF4]
:1000F448 8D542414 lea edx, dword ptr [esp+14]
:1000F44C 0FBE05F08A0F10 movsx eax, byte ptr [100F8AF0]
:1000F453 50 push eax
:1000F454 51 push ecx
:1000F455 52 push edx
:1000F456 E855C40900 call 100AB8B0
:1000F45B 83C40C add esp, 0000000C
:1000F45E 8B2D848C0F10 mov ebp, dword ptr [100F8C84]
:1000F464 C70550DC0D1001000000 mov dword ptr [100DDC50], 00000001
:1000F46E 85ED test ebp, ebp
:1000F470 7405 je 1000F477
:1000F472 E8E9110700 call 10080660
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000F470(C)
|
:1000F477 E8442F0700 call 100823C0
:1000F47C 53 push ebx
:1000F47D A134DC0D10 mov eax, dword ptr [100DDC34]
:1000F482 50 push eax
* Reference To: USER32.ShowWindow, Ord:022Ch
|
:1000F483 FF153C253510 Call dword ptr [1035253C]
:1000F489 68007F0000 push 00007F00
:1000F48E 53 push ebx
* Reference To: KERNEL32.GetModuleHandleA, Ord:00FDh
|
:1000F48F FF15E8243510 Call dword ptr [103524E8]
:1000F495 50 push eax
* Reference To: USER32.LoadCursorA, Ord:0172h
|
:1000F496 FF1570253510 Call dword ptr [10352570]
:1000F49C 50 push eax
* Reference To: USER32.SetCursor, Ord:01EBh
|
:1000F49D FF1520253510 Call dword ptr [10352520]
:1000F4A3 6A01 push 00000001
* Reference To: USER32.ShowCursor, Ord:0228h
|
:1000F4A5 FF1518253510 Call dword ptr [10352518]
:1000F4AB 8D442414 lea eax, dword ptr [esp+14]
:1000F4AF 6835200000 push 00002035
* Possible StringData Ref from Data Obj ->"Deathtrap Dungeon"
|
:1000F4B4 6878F80B10 push 100BF878
:1000F4B9 50 push eax
:1000F4BA 53 push ebx
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:1000F4BB FF1538253510 Call dword ptr [10352538]
:1000F4C1 83F802 cmp eax, 00000002 <-- 02 means you hit cancel
:1000F4C4 750E jne 1000F4D4
* Possible StringData Ref from Data Obj ->"Original CD not found" <-- Bad news for the user
|
:1000F4C6 A1F88A0F10 mov eax, dword ptr [100F8AF8]
:1000F4CB 50 push eax
:1000F4CC E85FC60100 call 1002BB30
:1000F4D1 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000F4C4(C)
|
:1000F4D4 6A03 push 00000003
:1000F4D6 A134DC0D10 mov eax, dword ptr [100DDC34]
:1000F4DB 50 push eax
:1000F4DC 891D50DC0D10 mov dword ptr [100DDC50], ebx
* Reference To: USER32.ShowWindow, Ord:022Ch
|
:1000F4E2 FF153C253510 Call dword ptr [1035253C]
:1000F4E8 E8030D0700 call 100801F0
:1000F4ED 85ED test ebp, ebp
:1000F4EF 7405 je 1000F4F6
:1000F4F1 E84A110700 call 10080640
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000F4EF(C)
|
:1000F4F6 6A01 push 00000001
:1000F4F8 53 push ebx
:1000F4F9 68E0010000 push 000001E0
:1000F4FE 6880020000 push 00000280
:1000F503 E8A88A0400 call 10057FB0
:1000F508 83C410 add esp, 00000010
:1000F50B 85FF test edi, edi
:1000F50D 0F84E3FEFFFF je 1000F3F6 <-- Go back up and try again
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000F3E1(C), :1000F43C(C) <-- Two possible ways to get here
|
:1000F513 E8A83A0000 call 10012FC0 <-- Getting here continues the game
:1000F518 E8B3070700 call 1007FCD0
:1000F51D 85C0 test eax, eax
:1000F51F 740A je 1000F52B
:1000F521 C644241101 mov [esp+11], 01
:1000F526 E947030000 jmp 1000F872
Alright, there you have it. There are four files on the CD called a.dat, b.dat, c.dat and d.dat,
each taking up 615 megs. Basically each file takes up the whole CD, and you would not copy 2460 megs to
your hard drive to run the game. The size is no accident; look at the code between 1000F3F6 and 1000F437.
Once the fopen-style call at 1000F401 succeeds, the handle is passed to 100AB990 together with the
constant 2673C000h (just under 615 MB), then to 100AB950, and the byte that comes back must be 4Ah or the
pass flag in edi never gets set. In other words the check appears to seek about 615 MB into A.DAT and
read a single byte there, so a short or missing copy of the file fails it. So the easiest way to defeat
this check is to force the conditional jump at 1000F3E1 to always be taken. This way the check for the
file is never even run and the program jumps right down to the continue section. I wanted to make a
single patch in the 10040400 routine, but it is called so many times by other routines I didn't know
what kind of impact a patch there would make. So we'll need to change the call 10040400 at 1000F3DA to
mov eax, 00000001. Both encodings are five bytes (E8 rel32 versus B8 imm32), so the test eax, eax and
jne after it stay exactly where they are, and when run the code will always take the jne at 1000F3E1
and the game will continue to play. You'll also need to do the same thing for the other seven checks
during the game. I made the edits and played the game for a bit without problems. Everything seems to
work, like setting options, loading and saving of games. So this one is done.
The entire process to crack Deathtrap Dungeon is:
1. Do a full install including the "Full Motion Videos"
2. Copy dd_cd.exe to the Deathtrap directory
3. Delete ddstart.exe
4. Rename dd_cd.exe to ddstart.exe
5. Make the following edits (offsets are decimal file offsets; every edit swaps a 5-byte
call for the 5-byte mov eax, 00000001, so nothing after it moves):
Edit ddstart.exe (was dd_cd.exe)
===========================================
Search for: E8 76 00 00 00 at offset 1,445
Change to : B8 01 00 00 00
Search for: E8 44 00 00 00 at offset 1,495
Change to : B8 01 00 00 00
Edit dungeon.dll
=============================================
Search for: E8 21 10 03 00 at offset 59,354
Change to : B8 01 00 00 00
Search for: E8 DA 04 03 00 at offset 62,241
Change to : B8 01 00 00 00
Search for: E8 87 FE 02 00 at offset 63,860
Change to : B8 01 00 00 00
Search for: E8 D6 C4 02 00 at offset 78,629
Change to : B8 01 00 00 00
Search for: E8 FE BE 02 00 at offset 80,125
Change to : B8 01 00 00 00
Search for: E8 B8 12 FC FF at offset 517,443
Change to : B8 01 00 00 00
Search for: E8 A1 08 FC FF at offset 520,026
Change to : B8 01 00 00 00
Search for: E8 8A FC FB FF at offset 523,121
Change to : B8 01 00 00 00
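The whole procedure above, as an added example that is not from the original tutorial or from the game: a small Python patcher that decodes each listed E8 rel32 back to its destination to confirm the ten edits really all land on 401220 and 10040400, scans an image for every call to 10040400 and keeps only those followed by test eax,eax / jne (which is how you would locate the other seven checks without walking string references), and applies the 5-byte replacements only after checking the original bytes are actually there. It assumes a .text section mapped at RVA 1000h from file offset 400h in both files (inferred from the offset/address pairs printed in this tutorial, not read from the PE headers), assumes every CD check has the same test/jne tail as the one shown at 1000F3DF, and runs on constructed stand-in images, since the real binaries are not on this page.

```python
"""
Offset/address helper for the call -> "mov eax,1" edits listed above.

Added example, not code from the tutorial or the game.  Assumptions:
  * .text of ddstart.exe and dungeon.dll is mapped at RVA 0x1000 from file
    offset 0x400 (inferred from the pairs 1445 <-> 004011A5 and
    59354 <-> 1000F3DA that the tutorial prints);
  * every CD check call is followed by "test eax,eax ; jne rel32" as the
    one at 1000F3DA..1000F3E1 is;
  * the images below are constructed stand-ins (NOP filler with the
    expected bytes planted), not the real files.
"""
import struct

CALL_REL32 = 0xE8
MOV_EAX_1 = bytes.fromhex("B801000000")   # mov eax, 1: five bytes, same as call rel32
TEST_JNE = bytes.fromhex("85C00F85")      # test eax,eax ; jne rel32 (assumed tail of each check)

# Assumed section layout (see module docstring).
DDSTART = {"image_base": 0x00400000, "text_rva": 0x1000, "text_raw": 0x400}
DUNGEON = {"image_base": 0x10000000, "text_rva": 0x1000, "text_raw": 0x400}

# Edit lists transcribed from the tutorial: (decimal file offset, original bytes).
DDSTART_EDITS = [(1445, "E876000000"), (1495, "E844000000")]
DUNGEON_EDITS = [
    (59354, "E821100300"), (62241, "E8DA040300"), (63860, "E887FE0200"),
    (78629, "E8D6C40200"), (80125, "E8FEBE0200"), (517443, "E8B812FCFF"),
    (520026, "E8A108FCFF"), (523121, "E88AFCFBFF"),
]
# Constructed decoy: a call to 10040400 that is NOT a CD check (no test/jne after it),
# standing in for the "called a LOT by other routines" the tutorial mentions.
DECOY_CALL = (4096, "E8FBE70300")


def off_to_va(offset, layout):
    """File offset -> virtual address, for offsets inside the .text section."""
    return layout["image_base"] + layout["text_rva"] + (offset - layout["text_raw"])


def call_target(va, insn):
    """Destination of a 5-byte `call rel32` whose first byte sits at `va`."""
    if len(insn) != 5 or insn[0] != CALL_REL32:
        raise ValueError("not a call rel32")
    rel = struct.unpack("<i", insn[1:])[0]      # rel32 is signed
    return (va + 5 + rel) & 0xFFFFFFFF          # measured from the next instruction


def edit_targets(edits, layout):
    """Decode every call in an edit list; a sane list resolves to a single routine."""
    return {call_target(off_to_va(off, layout), bytes.fromhex(orig)) for off, orig in edits}


def find_calls_to(data, target_va, layout, followed_by=b""):
    """File offsets of every `call rel32` landing on target_va, optionally only
    those whose next bytes equal `followed_by` (e.g. TEST_JNE to keep CD checks)."""
    hits = []
    for off in range(len(data) - 4):
        if data[off] != CALL_REL32 or data[off + 5:off + 5 + len(followed_by)] != followed_by:
            continue
        if call_target(off_to_va(off, layout), data[off:off + 5]) == target_va:
            hits.append(off)
    return hits


def apply_patches(data, patches):
    """patches: (offset, expected_bytes, new_bytes).  Refuses to write unless the
    original bytes are really there and the replacement has the same length."""
    buf = bytearray(data)
    for off, expected, new in patches:
        if len(expected) != len(new):
            raise ValueError(f"patch at {off} changes length; code after it would shift")
        if bytes(buf[off:off + len(expected)]) != expected:
            raise ValueError(f"bytes at offset {off} do not match; wrong file or version?")
        buf[off:off + len(new)] = new
    return bytes(buf)


def patch_image(data, edits):
    """Replace every listed call with mov eax,1 after verifying the original bytes."""
    return apply_patches(data, [(off, bytes.fromhex(orig), MOV_EAX_1) for off, orig in edits])


def make_fake_image(edits, size, decoys=()):
    """Constructed stand-in for the real binary: 0x90 filler, each check call planted
    with its test/jne tail, plus any decoy calls without a tail."""
    img = bytearray(b"\x90" * size)
    for off, orig in edits:
        img[off:off + 9] = bytes.fromhex(orig) + TEST_JNE
    for off, orig in decoys:
        img[off:off + 5] = bytes.fromhex(orig)
    return bytes(img)


if __name__ == "__main__":
    print("ddstart.exe edits call", [hex(t) for t in edit_targets(DDSTART_EDITS, DDSTART)])
    print("dungeon.dll edits call", [hex(t) for t in edit_targets(DUNGEON_EDITS, DUNGEON)])
    fake = make_fake_image(DUNGEON_EDITS, 0x80000, decoys=[DECOY_CALL])
    print("all callers of 10040400:", find_calls_to(fake, 0x10040400, DUNGEON))
    print("CD checks only:", find_calls_to(fake, 0x10040400, DUNGEON, followed_by=TEST_JNE))
    patched = patch_image(fake, DUNGEON_EDITS)
    print("CD checks left:", find_calls_to(patched, 0x10040400, DUNGEON, followed_by=TEST_JNE))
```

On the real files, read the section table instead of assuming the layout, run find_calls_to against dungeon.dll with the TEST_JNE filter, and compare the result with the eight offsets before touching anything; the scan without the filter shows why the author did not patch 10040400 itself.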
While the CD checking was a bit more involved, Deathtrap Dungeon is now FiX'ed
Static Vengeance