Daytona.txt | Text File | 1998-06-10 | 12KB | 243 lines
Free Information Xchange '97 presents:
Daytona USA - CD Crack by Static Vengeance
Requirements:
Hex Editor and Full game install
I'm going to show you how I cracked this game from SEGA Entertainment with W32Dasm from URSoft. The first thing to do
is to disassemble daytona.exe... Now select Refs from the menu bar and choose 'String data references'. Grab the slider bar
and scroll down a bit looking for the CD volume name (Daytona usa) and/or something like "insert..." or "please insert..."
Eventually you come down to "Please insert DAYTONA USA CD." Now double click on this and W32Dasm will take you to the
place in the program listing that references that string. Now of course you have to have "some" knowledge of assembly code. I
got mine from the 6502 & 65816 processors and I have been able to adapt quickly to some of the x86 op-codes. Anyway, here is
what you see:
* Referenced by a CALL at Addresses:
|:00405067 , :004050A5 , :00405275 , :004052A2 , :004054AE
|:00416007 , :0043F207
|
:00422420 53 push ebx
:00422421 E8FA83FFFF call 0041A820
:00422426 6A05 push 00000005
* Possible StringData Ref from Data Obj ->"DAYTONA USA"
|
:00422428 A1B8AB4800 mov eax, dword ptr [0048ABB8]
:0042242D 50 push eax
:0042242E 8B0D8884C500 mov ecx, dword ptr [00C58488]
* Possible StringData Ref from Data Obj ->"Please insert DAYTONA USA CD." <-- String that got us here
|
:00422434 68CC624800 push 004862CC
:00422439 51 push ecx
* Reference To: USER32.MessageBoxA, Ord:0197h
|
:0042243A FF15A0841D01 Call dword ptr [011D84A0]
:00422440 83F804 cmp eax, 00000004
:00422443 7405 je 0042244A
:00422445 E8263D0200 call 00446170
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422443(C)
|
:0042244A 5B pop ebx
:0042244B C3 ret
Well, here is the text and the popup dialog header. Now the fun begins: you need to go back and look through the reference
calls. Well, to make a long story shorter... I didn't find what I was looking for in any of those places... I traced forwards and
backwards looking for clues... I started "NOP'ing" calls out and it had no effect at all... Two things could be the problem: I don't
know enough OR there's a second reference to the "insert CD" string... so I double clicked the string once to get to the above, then I
double clicked again and here is what I found:
* Referenced by a CALL at Address:
|:004382BD
|
:0043A740 56 push esi
* Reference To: USER32.MessageBoxA, Ord:0197h
|
:0043A741 8B35A0841D01 mov esi, dword ptr [011D84A0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043A76A(C)
|
:0043A747 E854FFFFFF call 0043A6A0 <-- The actual code that checks for the CD
:0043A74C A37CAB4800 mov dword ptr [0048AB7C], eax
:0043A751 83F8FF cmp eax, FFFFFFFF
* Possible StringData Ref from Data Obj ->"DAYTONA USA"
|
:0043A754 A1B8AB4800 mov eax, dword ptr [0048ABB8]
:0043A759 7515 jne 0043A770
:0043A75B 6A35 push 00000035
:0043A75D 50 push eax
* Possible StringData Ref from Data Obj ->"Please insert DAYTONA USA CD." <-- String that got us here
|
:0043A75E 68CC624800 push 004862CC
:0043A763 6A00 push 00000000
:0043A765 FFD6 call esi
:0043A767 83F802 cmp eax, 00000002 <-- Hit cancel from dialog box
:0043A76A 75DB jne 0043A747 <-- Otherwise loop up and check again
:0043A76C 33C0 xor eax, eax <-- Set up to quit back to Win95
:0043A76E 5E pop esi
:0043A76F C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043A759(C)
|
:0043A770 B801000000 mov eax, 00000001 <-- The CD check passed!
:0043A775 5E pop esi
:0043A776 C3 ret
Now, let's check out the code that actually does check for the CD:
* Referenced by a CALL at Address:
|:0043A747 <-- Who called us (called only once)
|
:0043A6A0 83EC50 sub esp, 00000050
:0043A6A3 53 push ebx
:0043A6A4 56 push esi
:0043A6A5 57 push edi
:0043A6A6 33DB xor ebx, ebx <-- Initialize times through the CD check
:0043A6A8 55 push ebp
* Reference To: KERNEL32.GetLogicalDrives, Ord:00E7h <-- Commonly used in CD checks
| <-- Search for this call VIA a text search
:0043A6A9 FF15E4831D01 Call dword ptr [011D83E4]
:0043A6AF 8BE8 mov ebp, eax
* Reference To: KERNEL32._lopen, Ord:0262h
|
:0043A6B1 8B35E8831D01 mov esi, dword ptr [011D83E8]
* Reference To: KERNEL32.GetDriveTypeA, Ord:00CEh <-- Also commonly used call in CD checks
| <-- Search for this call VIA a text search
:0043A6B7 8B3DEC831D01 mov edi, dword ptr [011D83EC]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043A70F(C)
|
:0043A6BD B801000000 mov eax, 00000001
:0043A6C2 8ACB mov cl, bl
:0043A6C4 D3E0 shl eax, cl
:0043A6C6 85C5 test ebp, eax
:0043A6C8 7441 je 0043A70B
:0043A6CA 8D4341 lea eax, dword ptr [ebx+41]
:0043A6CD 8D4C2410 lea ecx, dword ptr [esp+10]
:0043A6D1 50 push eax
* Possible StringData Ref from Data Obj ->"%c:\" <-- Commonly used REF in CD checks
|
:0043A6D2 6834AF4800 push 0048AF34
:0043A6D7 51 push ecx
* Reference To: USER32.wsprintfA, Ord:026Ch
|
:0043A6D8 FF15F8841D01 Call dword ptr [011D84F8]
:0043A6DE 8D4C241C lea ecx, dword ptr [esp+1C]
:0043A6E2 83C40C add esp, 0000000C
:0043A6E5 51 push ecx
:0043A6E6 FFD7 call edi
:0043A6E8 83F805 cmp eax, 00000005
:0043A6EB 751E jne 0043A70B
:0043A6ED 8D442410 lea eax, dword ptr [esp+10]
* Possible StringData Ref from Data Obj ->"GAME\MINI\DAYTONA.EXE" <-- Checking for the game file on the CD
|
:0043A6F1 681CAF4800 push 0048AF1C
:0043A6F6 50 push eax
* Reference To: KERNEL32.lstrcatA, Ord:0266h
|
:0043A6F7 FF1518841D01 Call dword ptr [011D8418]
:0043A6FD 8D442410 lea eax, dword ptr [esp+10]
:0043A701 6A00 push 00000000
:0043A703 50 push eax
:0043A704 FFD6 call esi
:0043A706 83F8FF cmp eax, FFFFFFFF
:0043A709 7508 jne 0043A713
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043A6C8(C), :0043A6EB(C)
|
:0043A70B 43 inc ebx <-- Increase the count through the CD check
:0043A70C 83FB20 cmp ebx, 00000020 <-- Allow for 32 checks to fail
:0043A70F 7CAC jl 0043A6BD
:0043A711 EB11 jmp 0043A724
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043A709(C)
|
:0043A713 8A4C2410 mov cl, byte ptr [esp+10]
:0043A717 50 push eax
:0043A718 880D04524D00 mov byte ptr [004D5204], cl
* Reference To: KERNEL32._lclose, Ord:025Fh
|
:0043A71E FF15F0831D01 Call dword ptr [011D83F0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043A711(U)
|
:0043A724 B8FFFFFFFF mov eax, FFFFFFFF <-- Set up for a good CD check (IE: it passed)
:0043A729 83FB20 cmp ebx, 00000020
:0043A72C 7402 je 0043A730 <-- MUST take this jump for a good CD check
:0043A72E 8BC3 mov eax, ebx <-- Forces the CD check to fail
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043A72C(C)
|
:0043A730 5D pop ebp
:0043A731 5F pop edi
:0043A732 5E pop esi
:0043A733 5B pop ebx
:0043A734 83C450 add esp, 00000050
:0043A737 C3 ret
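To make the routine at 0043A6A0 easier to follow, here is an added C model of it (not code from the original text or from the game); the three Win32 calls are replaced by a constructed, hypothetical drive table so it runs anywhere. The model keeps the listing's return values: the first drive index (ebx) on which a CD-ROM drive holds GAME\MINI\DAYTONA.EXE, or -1 once all 32 drive slots are exhausted, which the caller at 0043A751 compares against before deciding whether to show the "Please insert" dialog.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DRIVE_CDROM 5   /* value GetDriveTypeA returns for a CD drive; compared at 0043A6E8 */
#define MAX_DRIVES 32   /* loop bound: cmp ebx, 00000020 */

/* Constructed stand-in for GetLogicalDrives / GetDriveTypeA / _lopen (hypothetical machine). */
typedef struct {
    uint32_t mask;             /* GetLogicalDrives bitmask, bit n = drive 'A'+n */
    int type[MAX_DRIVES];      /* GetDriveTypeA result per drive */
    int has_file[MAX_DRIVES];  /* 1 if _lopen of GAME\MINI\DAYTONA.EXE would succeed */
} fake_system;

/* Model of sub 0043A6A0: returns the index of the first CD-ROM drive holding the
   game file, or -1 when ebx reaches 0x20. The drive letter is kept the way the
   original stores it at 004D5204. */
int daytona_cd_check(const fake_system *sys, char *letter)
{
    char path[64];
    for (int ebx = 0; ebx < MAX_DRIVES; ebx++) {
        if (!(sys->mask & (1u << ebx)))                    /* test ebp, eax ; je */
            continue;
        snprintf(path, sizeof path, "%c:\\", 'A' + ebx);  /* wsprintfA "%c:\" */
        if (sys->type[ebx] != DRIVE_CDROM)                 /* cmp eax, 5 ; jne */
            continue;
        strcat(path, "GAME\\MINI\\DAYTONA.EXE");           /* lstrcatA */
        if (sys->has_file[ebx]) {                          /* _lopen != -1 */
            *letter = path[0];
            return ebx;                                    /* mov eax, ebx */
        }
    }
    return -1;                                             /* mov eax, FFFFFFFF */
}

/* Model of the caller at 0043A740 without its retry dialog: 1 = passed, 0 = failed. */
int daytona_cd_present(const fake_system *sys)
{
    char letter = 0;
    return daytona_cd_check(sys, &letter) != -1;
}

/* Constructed scenario: C: is a hard disk, D: an empty CD drive, E: the game disc. */
static fake_system demo_system(int disc_inserted)
{
    fake_system s;
    memset(&s, 0, sizeof s);
    s.mask = (1u << 2) | (1u << 3) | (1u << 4);
    s.type[2] = 3; s.type[3] = DRIVE_CDROM; s.type[4] = DRIVE_CDROM;
    s.has_file[4] = disc_inserted;
    return s;
}
int demo_drive_index(int disc) { fake_system s = demo_system(disc); char l = 0; return daytona_cd_check(&s, &l); }
char demo_drive_letter(void) { fake_system s = demo_system(1); char l = 0; daytona_cd_check(&s, &l); return l; }
int demo_passed(int disc) { fake_system s = demo_system(disc); return daytona_cd_present(&s); }
```

The model makes the weakness of the scheme plain: the whole protection reduces to "some CD-ROM drive contains a file at this path", with no check of the disc itself.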
Now we have gone through the whole copy protection and I showed you the basic workings of the code that does the CD
check. We also saw the values for a pass and a failed CD check. So the only thing left is to go back to the calling routine
at 4382BD and disable it.. and that looks like this:
:004382BD E87E240000 call 0043A740 <-- Call to check for the CD
:004382C2 85C0 test eax, eax <-- Check if it came back 0 or 1
:004382C4 7507 jne 004382CD <-- Need to take this for the game to work
:004382C6 33C0 xor eax, eax
:004382C8 E97F020000 jmp 0043854C <-- Say "goodnight" (quit to Win95)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004382C4(C)
|
:004382CD E8CE390200 call 0045BCA0
:004382D2 8B5D14 mov ebx, dword ptr [ebp+14]
:004382D5 53 push ebx
:004382D6 57 push edi
:004382D7 E814FDFFFF call 00437FF0
:004382DC 83C408 add esp, 00000008
:004382DF 85C0 test eax, eax
:004382E1 750C jne 004382EF
:004382E3 E8D8FAFFFF call 00437DC0
:004382E8 33C0 xor eax, eax
:004382EA E95D020000 jmp 0043854C
So now we have the info it takes to crack this game. Well we don't want to have to have the CD present just to play a
game or two, so simply overwrite the call 0043A740 with mov eax, 00000001 (B8 01 00 00 00) and this will force the conditional
jump to always be taken. This way the actual CD check code is never run and the game will continue even if you don't have the
CD in your CD-ROM drive. The actual edit would be as follows:
Edit DAYTONA.exe at offset 227,005
==================================
Search for:E8 7E 24 00 00
Change to :B8 01 00 00 00
or search for: 85 C0 75 07 33 C0 E9 and back up 5 bytes (to the 'E8') and make the above change. Now you won't need to insert the
CD to play Daytona USA. Hope you learned something here... I know I did... Now Daytona USA is FiX'ed
Static Vengeance