Game Cracker (Expanded Edition).iso / cracks / SV_STCC.ZIP / Sega Touring Car.txt (text file, 1998-05-04, 17KB, 336 lines)
Free Information Xchange '98 presents:
SEGA Touring Car Championship - CD crack by Static Vengeance
Requirements:
hex editor and full install
Being a big fan of racing games I have yet another cracking tutorial for a Sega game. Sega Touring
Car Championship is somewhat like Sega Rally Championship in that it has the same kinds of problems:
it needs a Direct3D patch to take advantage of 3D hardware like a Voodoo based card or a PowerVR card.
That would add far more realism and raise the frame rate, making either game that much more entertaining
to play. Touring Car Championship also shares a problem common to all Sega games: the CD check
that runs when you start the game. This "bug" needs to be FiX'ed! So it's time to load up W32Dasm and
disassemble the file stcc.exe so we can FiX that minor bug.
NOTE: Sega has released a Direct3D patch for the SEGA Touring Car Championship!
I'm sure you're getting tired of hearing it, but it works like a charm, so here it goes. Using my
favorite method: go up to the menu bar, select "Refs" and then select "String data references" from the
drop-down menu. From there, grab the slider bar and scroll down looking for strings like "Insert..." or
"Please insert..", and eventually you'll see "Please insert The SEGA Touring Car Championship CD." Double-
clicking on this string puts you in the middle of the routine that checks for the CD. That routine looks
like this:
* Referenced by a CALL at Addresses:
|:0040B3A2 , :00436294 <-- Where the check is called from
|
:00438640 E8BBFEFFFF call 00438500 <-- Check for the CD
:00438645 83F8FF cmp eax, FFFFFFFF <-- What was the result of CD check
:00438648 A338735600 mov dword ptr [00567338], eax
:0043864D 7528 jne 00438677 <-- Take this jump for passed CD check
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438675(C)
|
:0043864F 6A35 push 00000035
* Possible StringData Ref from Data Obj ->"SEGA Touring Car Championship "
->"for PC"
|
:00438651 68947F4B00 push 004B7F94
* Possible StringData Ref from Data Obj ->"Please insert The SEGA Touring " <-- Ask for the CD
->"Car Championship CD."
|
:00438656 68607F4B00 push 004B7F60
:0043865B E880FDFFFF call 004383E0 <-- Pop dialog box routine
:00438660 83C40C add esp, 0000000C
:00438663 83F802 cmp eax, 00000002 <-- Hit cancel from dialog box
:00438666 7415 je 0043867D <-- Take this jump to fail and quit
:00438668 E893FEFFFF call 00438500 <-- Check for the CD again
:0043866D 83F8FF cmp eax, FFFFFFFF <-- Check the result of the CD check
:00438670 A338735600 mov dword ptr [00567338], eax
:00438675 74D8 je 0043864F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043864D(C)
|
:00438677 B801000000 mov eax, 00000001 <-- Found the CD in the drive
:0043867C C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438666(C)
|
:0043867D 33C0 xor eax, eax <-- No CD found, failed the check
:0043867F C3 ret
Although we have enough information to check out the routines that call the code listed above,
let's look at the code that checks for the CD-ROM. Again, this will give you an idea of what
routines that check for CDs look like. So let's list the code at 438500:
* Referenced by a CALL at Addresses:
|:00438640 , :00438668 <-- Called twice from the above code section
|
:00438500 81EC08020000 sub esp, 00000208
:00438506 53 push ebx
:00438507 55 push ebp
:00438508 56 push esi
:00438509 57 push edi
* Reference To: KERNEL32.GetLogicalDrives, Ord:00FAh <-- Common text string to search for
|
:0043850A FF15AC981401 Call dword ptr [011498AC]
* Reference To: KERNEL32.lstrcatA, Ord:0292h
|
:00438510 8B1DB0981401 mov ebx, dword ptr [011498B0]
* Reference To: KERNEL32._lopen, Ord:028Eh
|
:00438516 8B2D049A1401 mov ebp, dword ptr [01149A04]
:0043851C 33F6 xor esi, esi <-- Zero out times through CD check
:0043851E 89442414 mov dword ptr [esp+14], eax
:00438522 89742410 mov dword ptr [esp+10], esi <-- Temp storage for number of times we
<-- tried to read the file off the CD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438603(C)
|
:00438526 B801000000 mov eax, 00000001
:0043852B 8BCE mov ecx, esi
:0043852D D3E0 shl eax, cl
:0043852F 8B4C2414 mov ecx, dword ptr [esp+14]
:00438533 85C1 test ecx, eax
:00438535 0F84C0000000 je 004385FB
:0043853B 8D5641 lea edx, dword ptr [esi+41]
:0043853E 8D842418010000 lea eax, dword ptr [esp+00000118]
:00438545 52 push edx
* Possible StringData Ref from Data Obj ->"%c:\" <-- Common refs string to double click
|
:00438546 68587F4B00 push 004B7F58
:0043854B 50 push eax
* Reference To: USER32.wsprintfA, Ord:026Fh
|
:0043854C FF154C9C1401 Call dword ptr [01149C4C]
:00438552 83C40C add esp, 0000000C
:00438555 8D8C2418010000 lea ecx, dword ptr [esp+00000118]
:0043855C 51 push ecx
* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh <-- Another common text string to search for
|
:0043855D FF15B4981401 Call dword ptr [011498B4]
:00438563 83F805 cmp eax, 00000005 <-- 05 is the value for a CD-ROM drive
:00438566 0F858F000000 jne 004385FB
:0043856C 8DBC2418010000 lea edi, dword ptr [esp+00000118]
:00438573 83C9FF or ecx, FFFFFFFF
:00438576 33C0 xor eax, eax
:00438578 8D542418 lea edx, dword ptr [esp+18]
:0043857C F2 repnz
:0043857D AE scasb
:0043857E F7D1 not ecx
:00438580 2BF9 sub edi, ecx
* Possible StringData Ref from Data Obj ->"stcc\stcc.exe" <-- Check for this file on the CD
| <-- includes CD volume (path) name
:00438582 68907E4B00 push 004B7E90
:00438587 8BC1 mov eax, ecx
:00438589 8BF7 mov esi, edi
:0043858B 8BFA mov edi, edx
:0043858D C1E902 shr ecx, 02
:00438590 F3 repz
:00438591 A5 movsd
:00438592 8BC8 mov ecx, eax
:00438594 83E103 and ecx, 00000003
:00438597 F3 repz
:00438598 A4 movsb
:00438599 8D4C241C lea ecx, dword ptr [esp+1C]
:0043859D 51 push ecx
:0043859E FFD3 call ebx
:004385A0 8D542418 lea edx, dword ptr [esp+18]
:004385A4 6A00 push 00000000
:004385A6 52 push edx
:004385A7 FFD5 call ebp
:004385A9 83F8FF cmp eax, FFFFFFFF
:004385AC 7449 je 004385F7
:004385AE 50 push eax
* Reference To: KERNEL32._lclose, Ord:028Bh
|
:004385AF FF15009A1401 Call dword ptr [01149A00]
:004385B5 8DBC2418010000 lea edi, dword ptr [esp+00000118]
:004385BC 83C9FF or ecx, FFFFFFFF
:004385BF 33C0 xor eax, eax
:004385C1 8D542418 lea edx, dword ptr [esp+18]
:004385C5 F2 repnz
:004385C6 AE scasb
:004385C7 F7D1 not ecx
:004385C9 2BF9 sub edi, ecx
* Possible StringData Ref from Data Obj ->"stcc\data\bg\sky.bmp" <-- Another file on the CD to check
|
:004385CB 68A07E4B00 push 004B7EA0
:004385D0 8BC1 mov eax, ecx
:004385D2 8BF7 mov esi, edi
:004385D4 8BFA mov edi, edx
:004385D6 C1E902 shr ecx, 02
:004385D9 F3 repz
:004385DA A5 movsd
:004385DB 8BC8 mov ecx, eax
:004385DD 83E103 and ecx, 00000003
:004385E0 F3 repz
:004385E1 A4 movsb
:004385E2 8D4C241C lea ecx, dword ptr [esp+1C]
:004385E6 51 push ecx
:004385E7 FFD3 call ebx
:004385E9 8D542418 lea edx, dword ptr [esp+18]
:004385ED 6A00 push 00000000
:004385EF 52 push edx
:004385F0 FFD5 call ebp
:004385F2 83F8FF cmp eax, FFFFFFFF
:004385F5 7514 jne 0043860B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004385AC(C)
|
:004385F7 8B742410 mov esi, dword ptr [esp+10] <-- Temp storage of number of tries
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00438535(C), :00438566(C)
|
:004385FB 46 inc esi <-- Inc number of tries to read the file
:004385FC 83FE20 cmp esi, 00000020 <-- Try to read file up to 32 times
:004385FF 89742410 mov dword ptr [esp+10], esi <-- Update temp storage with total tries
:00438603 0F8C1DFFFFFF jl 00438526 <-- Loop back up and try again
:00438609 EB0B jmp 00438616 <-- 32 tries and STILL no CD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004385F5(C)
|
:0043860B 50 push eax
* Reference To: KERNEL32._lclose, Ord:028Bh
|
:0043860C FF15009A1401 Call dword ptr [01149A00]
:00438612 8B742410 mov esi, dword ptr [esp+10]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438609(U)
|
:00438616 83FE20 cmp esi, 00000020 <-- Did we try all 32 times
:00438619 750E jne 00438629 <-- Take this jump for a passed CD check
:0043861B 83C8FF or eax, FFFFFFFF <-- Same as mov eax,FFFFFFFF (failed)
:0043861E 5F pop edi
:0043861F 5E pop esi
:00438620 5D pop ebp
:00438621 5B pop ebx
:00438622 81C408020000 add esp, 00000208
:00438628 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438619(C)
|
:00438629 8BC6 mov eax, esi <-- Anything but FFFFFFFF means passed check
:0043862B 5F pop edi
:0043862C 5E pop esi
:0043862D 5D pop ebp
:0043862E 5B pop ebx
:0043862F 81C408020000 add esp, 00000208
:00438635 C3 ret
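The routine above, reimplemented in C as an added example (this is not the game's code). The three Win32 imports it calls (GetLogicalDrives, GetDriveTypeA, _lopen) are replaced by hypothetical table-driven fakes of my own, so the control flow can be run and tested offline; the drive table is a constructed fixture. Reading the listing closely, esi is both the loop counter and the drive index (lea edx,[esi+41] forms the drive letter), so each of the 32 "tries" probes a different drive letter from the GetLogicalDrives mask.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the three Win32 imports the routine calls through its import table
   (GetLogicalDrives, GetDriveTypeA, _lopen).  They are hypothetical table-driven fakes
   so the control flow runs offline; the drive table is a constructed fixture. */
#define DRIVE_CDROM   5     /* cmp eax, 00000005 at 00438563 */
#define HFILE_ERROR (-1)    /* cmp eax, FFFFFFFF after each call ebp (_lopen) */

struct fake_drive { int type, has_exe, has_sky; };
static struct fake_drive drives[32];   /* index 0 is A:, 2 is C:, ... one per mask bit */
static unsigned logical_mask;          /* what GetLogicalDrives would return */

void reset_drives(void) { memset(drives, 0, sizeof drives); logical_mask = 0; }
void add_drive(int idx, int type, int has_exe, int has_sky) {
    drives[idx].type = type; drives[idx].has_exe = has_exe; drives[idx].has_sky = has_sky;
    logical_mask |= 1u << idx;
}
static int fake_drive_type(const char *root) { return drives[root[0] - 'A'].type; }
static int fake_lopen(const char *path) {   /* path looks like "X:\stcc\..." */
    const struct fake_drive *d = &drives[path[0] - 'A'];
    if (strcmp(path + 3, "stcc\\stcc.exe") == 0)          return d->has_exe ? 7 : HFILE_ERROR;
    if (strcmp(path + 3, "stcc\\data\\bg\\sky.bmp") == 0)  return d->has_sky ? 8 : HFILE_ERROR;
    return HFILE_ERROR;
}

/* Mirrors 00438500..00438635.  esi is the loop counter and the drive index at once
   (lea edx,[esi+41] turns it into the letter), so each of the 32 passes probes a
   different bit of the GetLogicalDrives mask.  Returns the drive index on success
   (mov eax,esi at 00438629) or -1 when every pass fails (or eax,FFFFFFFF at 0043861B). */
int cd_check(void) {
    unsigned mask = logical_mask;                          /* mov [esp+14], eax */
    char root[8], path[280];
    int esi;
    for (esi = 0; esi < 32; esi++) {                       /* cmp esi,20 / jl 00438526 */
        if (!(mask & (1u << esi))) continue;               /* test ecx,eax / je 004385FB */
        snprintf(root, sizeof root, "%c:\\", 'A' + esi);   /* wsprintf "%c:\" */
        if (fake_drive_type(root) != DRIVE_CDROM) continue;          /* jne 004385FB */
        snprintf(path, sizeof path, "%sstcc\\stcc.exe", root);       /* lstrcat + _lopen */
        if (fake_lopen(path) == HFILE_ERROR) continue;               /* je 004385F7 */
        snprintf(path, sizeof path, "%sstcc\\data\\bg\\sky.bmp", root);
        if (fake_lopen(path) != HFILE_ERROR) return esi;             /* jne 0043860B */
    }
    return -1;
}
```

The wrapper at 438640 only compares this return value with FFFFFFFF, so any drive index, even 0 for A:, counts as a passed check.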
That was the actual routine that checks for the CD in your CD-ROM drive. Now, going back to the
first section of code, let's look at the two places (40B3A2 and 436294) that call the CD checking routine.
* Referenced by a CALL at Addresses:
|:0041B13D , :0041F2F9 , :00463D70
|
:0040B3A0 56 push esi
:0040B3A1 57 push edi
:0040B3A2 E899D20200 call 00438640 <-- Check for the CD
:0040B3A7 85C0 test eax, eax <-- 00 = failed, 01 = passed
:0040B3A9 750A jne 0040B3B5 <-- Take this jump to continue the game
:0040B3AB 6A01 push 00000001
:0040B3AD E8FE810500 call 004635B0
:0040B3B2 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B3A9(C)
|
:0040B3B5 8B442410 mov eax, dword ptr [esp+10] <-- Continue with the program
:0040B3B9 8B4C240C mov ecx, dword ptr [esp+0C]
:0040B3BD 50 push eax
:0040B3BE 51 push ecx
:0040B3BF E84C000000 call 0040B410
Here, you would want to NOP the call and force the conditional jump so the game
always continues. That's what we're trying to do, right? Now let's look at the other section,
from the caller at 436294:
* Possible StringData Ref from Data Obj ->"SEGA"
|
:0043627F 68907D4B00 push 004B7D90
:00436284 8BCE mov ecx, esi
:00436286 E890C70500 call 00492A1B
* Possible Reference to Dialog: DialogID_009A, CONTROL_ID:0004, "Löschen"
|
:0043628B 6A04 push 00000004
:0043628D 8BCE mov ecx, esi
:0043628F E82EBF0500 call 004921C2
:00436294 E8A7230000 call 00438640 <-- Check for the CD
:00436299 85C0 test eax, eax <-- Anything but zero means passed
:0043629B 7513 jne 004362B0 <-- Take this jump to continue the game
:0043629D 8B4C2438 mov ecx, dword ptr [esp+38]
:004362A1 64890D00000000 mov dword ptr fs:[00000000], ecx
:004362A8 5F pop edi
:004362A9 5E pop esi
:004362AA 5D pop ebp
:004362AB 5B pop ebx
:004362AC 83C434 add esp, 00000034
:004362AF C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043629B(C)
|
:004362B0 E83B020000 call 004364F0 <-- Continue with the game
:004362B5 85C0 test eax, eax
:004362B7 7513 jne 004362CC
:004362B9 8B4C2438 mov ecx, dword ptr [esp+38]
:004362BD 64890D00000000 mov dword ptr fs:[00000000], ecx
:004362C4 5F pop edi
:004362C5 5E pop esi
:004362C6 5D pop ebp
:004362C7 5B pop ebx
:004362C8 83C434 add esp, 00000034
:004362CB C3 ret
Again, basically stop the call to the CD checking routine and force the code to continue. To do
that, change the call 00438640 (at 436294) to mov eax, 00000001 (B8 01 00 00 00). This overwrites
the actual call to the CD check routine (we don't need to run it if it'll fail!) and also forces the
conditional jump to be taken. This results in a working cracked version of Sega Touring Car Championship.
After taking a second look at the copy protection I thought it would be easier to disable the
call to the CD check at 438640 by overwriting the call (E8 BB FE FF FF) with xor eax, eax and 3 nops.
This way there is only one edit to be made, and the same edit in a different location works for both the
original version and the newly released Direct3D patch. Search your stcc.exe file for this string:
E8 BB FE FF FF 83 F8 FF and when you find it, make the patch listed below. The actual
edits to stcc.exe by version are:
Edit stcc.exe off the CD
===========================================
Search for: E8 BB FE FF FF (Offset 227,904)
Change to : 31 C0 90 90 90
Edit stcc.exe v1.02 D3D patch off the net
===========================================
Search for: E8 BB FE FF FF (Offset 241,648)
Change to : 31 C0 90 90 90
There you have it, yet another Sega racing game FiX'ed.
Static Vengeance