Free Information Xchange presents: Speedboat Attack - CD crack by Static Vengeance - Nov 4th, 1998

Requirements: hex editor and full install
              W32Dasm if you want to follow along

Speedboat Attack (SBA) sounds like it would be a great game. You race around courses, pick up powerups and weapons, and waste other players. Sounds like a great idea, and with 3Dfx graphics you have the makings of an awesome game. A couple of things come up that need to be FiX'ed. One I can help you with, while the others will need to be fixed by programmers. The first bug I'm talking about is the need for the CD to be in your CD-ROM drive when you go to play the game; that we can fix! The other problems are no support for Win98 or for non-Voodoo1 3Dfx chipsets. Also there are K6-2 3DNow! optimized versions for the DirectDraw and 3Dfx versions. However, you cannot get the patch to run under Win95 OSR2 or later, including Win98. Again, these problems need to be addressed by the publisher/programmer. Anyway, let's get down to business and crack this game. First thing you'll need to do is disassemble the game with W32Dasm. Then do the usual trick: go up to the menu bar, select Refs, and then String Data Refs from the drop-down menu.
When the pop-up box comes up, grab the slider bar, scroll down to "Please, insert Speedboat Attack " and double-click it to land in the middle of the CD check:

* Referenced by a CALL at Addresses:
|:00426680   , :0046D82E                        <-- Called twice
|
:0040D740 56                      push esi

* Reference To: USER32.MessageBoxA, Ord:0195h   <-- Do a normal pop-up dialog box
|
:0040D741 8B35A0BC7000            mov esi, dword ptr [0070BCA0]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D774(C)
|
:0040D747 E8F4FDFFFF              call 0040D540   <-- Eventually ends up going thru a routine @ 40D650
                                                  <-- and makes a KERNEL32.GetDiskFreeSpaceA call
                                                  <-- to check for the game CD
:0040D74C 8B0D20996F00            mov ecx, dword ptr [006F9920]

* Possible StringData Ref from Data Obj ->"Speedboat Attack"
|
:0040D752 8B15F4EB4900            mov edx, dword ptr [0049EBF4]
:0040D758 A318B54900              mov dword ptr [0049B518], eax
:0040D75D 85C0                    test eax, eax
:0040D75F 7515                    jne 0040D776
:0040D761 6A15                    push 00000015
:0040D763 52                      push edx

* Possible StringData Ref from Data Obj ->"Please, insert Speedboat Attack "   <-- What led us here
                                        ->"CD into CD drive."
|
:0040D764 6850B54900              push 0049B550
:0040D769 51                      push ecx
:0040D76A FFD6                    call esi
:0040D76C 83F804                  cmp eax, 00000004
:0040D76F A118B54900              mov eax, dword ptr [0049B518]
:0040D774 74D1                    je 0040D747

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D75F(C)
|
:0040D776 5E                      pop esi
:0040D777 A318B54900              mov dword ptr [0049B518], eax
:0040D77C C3                      ret

That's the routine that tells the user to put in the CD if it's not already online. The call to 40D540 will eventually go through a routine at 40D650, which makes a call through KERNEL32 to check the free space (GetDiskFreeSpaceA). On a CD there is NO free space, so that's how the copy protection "figures out" whether the drive holds a CD or not. Alright, now that you know the basics of the copy protection used, let's check out the two sections of SBA that call the CD check.
The first one is at 426680, and the surrounding code looks like this:

-- Program code --
:0042666C 6A01                    push 00000001
:0042666E E8DDD3FFFF              call 00423A50
:00426673 83C404                  add esp, 00000004
:00426676 A17C996F00              mov eax, dword ptr [006F997C]
:0042667B 83F803                  cmp eax, 00000003
:0042667E 7D15                    jge 00426695
:00426680 E8BB70FEFF              call 0040D740   <-- Check for the CD & ask user for CD if needed
:00426685 85C0                    test eax, eax   <-- eax=00000001 for a good CD check
:00426687 750C                    jne 00426695    <-- Need to take this jump
:00426689 33C0                    xor eax, eax    <-- You hit cancel, so set up to quit to Win95
:0042668B 5F                      pop edi
:0042668C 5E                      pop esi
:0042668D 5B                      pop ebx
:0042668E 81C41C020000            add esp, 0000021C
:00426694 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042667E(C), :00426687(C)
|
* Possible StringData Ref from Data Obj ->"explode.ini"
|
:00426695 6830C14900              push 0049C130
:0042669A 68D8944A00              push 004A94D8
:0042669F FFD7                    call edi
:004266A1 68D8944A00              push 004A94D8
:004266A6 E8D5DAFFFF              call 00424180
:004266AB 83C404                  add esp, 00000004
:004266AE 85C0                    test eax, eax
-- Continuing program code --

Just change the call 0040D740 to mov eax, 00000001 and you have killed the first call to the CD check. That way the CD check is never made; the return value of a good CD check is implanted "in line."
Now let's look at the other call at 46D82E and the surrounding code:

-- Program code --
:0046D81D E8FE0A0000              call 0046E320
:0046D822 8B4510                  mov eax, dword ptr [ebp+10]
:0046D825 50                      push eax
:0046D826 E8C50A0000              call 0046E2F0
:0046D82B 83C404                  add esp, 00000004
:0046D82E E80DFFF9FF              call 0040D740   <-- Do the CD check and ask for the CD if needed
:0046D833 85C0                    test eax, eax   <-- eax=00000001 for a good CD check
:0046D835 0F8507000000            jne 0046D842    <-- Need to take this jump
:0046D83B 33C0                    xor eax, eax
:0046D83D E982020000              jmp 0046DAC4    <-- You hit cancel, so quit to Win95

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046D835(C)
|
:0046D842 E8790A0000              call 0046E2C0
:0046D847 A358D04900              mov dword ptr [0049D058], eax
:0046D84C 6A00                    push 00000000

* Reference To: ole32.CoInitialize, Ord:0025h
|
:0046D84E FF1518BD7000            Call dword ptr [0070BD18]
:0046D854 C705E4636C00D0EC4900    mov dword ptr [006C63E4], 0049ECD0
:0046D85E 8B4514                  mov eax, dword ptr [ebp+14]
:0046D861 50                      push eax
-- Continuing program code --

Once again, changing the call to a mov eax, 00000001 kills the CD check and allows SBA to continue. Killing both calls allows you to play the game without having the Speedboat Attack CD online. Make the edits and you have cracked SBA. There is a normal DirectDraw version and a native 3Dfx version on the game CD; included is the crack for either version.

1. Do a full install of the game

2. Make the following edit by version:

   Edit sboat.exe (725k D3D version off the CD)
   =============================================
   Search for: E8 BB 70 FE FF   at offset 154,240
   Change to : B8 01 00 00 00
   Search for: E8 0D FF F9 FF   at offset 445,486
   Change to : B8 01 00 00 00

   Edit sboat.exe Force Feedback D3D off the net
   =============================================
   Search for: E8 5D 87 02 00   at offset 120,238
   Change to : B8 01 00 00 00
   Search for: E8 9B 8B 00 00   at offset 250,224
   Change to : B8 01 00 00 00

   Edit sboat.exe (940K 3Dfx version off the CD)
   =============================================
   Search for: E8 29 43 03 00   at offset 342,622
   Change to : B8 01 00 00 00
   Search for: E8 3D 5B 00 00   at offset 533,066
   Change to : B8 01 00 00 00

   Edit sboat.exe Force Feedback 3Dfx off the net
   =============================================
   Search for: E8 4F 21 F9 FF   at offset 457,854
   Change to : B8 01 00 00 00
   Search for: E8 15 53 F5 FF   at offset 707,256
   Change to : B8 01 00 00 00

   Edit sboat.exe Voodoo2 update off the net
   =============================================
   Search for: E8 0D 95 FF FF   at offset 175,130
   Change to : B8 01 00 00 00
   Search for: E8 79 35 F8 FF   at offset 658,350
   Change to : B8 01 00 00 00

3. Play the game without the CD in your CD-ROM drive

Enjoy playing the cracked version of SBA because it's been FiX'ed

Static Vengeance - FiX
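Added here as a worked example (not part of the original write-up) to show how the W32Dasm addresses, the E8 byte patterns and the hex-editor offsets in the 725k version's edit table relate to each other: a near call's rel32 is relative to the next instruction, and mov eax, imm32 is also five bytes, which is why the in-line replacement leaves the following instructions undisturbed. The 0x400000 image base and the 0xC00 RVA-to-file-offset delta are assumptions derived from the page's own address/offset pairs, not read from the binary.

```python
import struct

# Assumption for this example: default Win32 image base for sboat.exe.
IMAGE_BASE = 0x00400000
# Assumption: RVA minus raw file offset, inferred from the page's own pair
# (VA 0x00426680 <-> file offset 154,240); holds for the 725k CD version only.
RAW_DELTA = 0xC00


def decode_call_rel32(va, insn):
    """Return the target of a 5-byte E8 near call sitting at virtual address va.
    The signed rel32 displacement is relative to the *next* instruction (va + 5)."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    rel = struct.unpack("<i", insn[1:5])[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def encode_mov_eax_imm32(value):
    """B8 imm32 -> mov eax, imm32: five bytes, the same width as call rel32."""
    return b"\xB8" + struct.pack("<I", value)


def va_to_file_offset(va):
    """Map a W32Dasm virtual address to the offset a hex editor shows."""
    return va - IMAGE_BASE - RAW_DELTA


def check_patch_site(va, original, replacement):
    """A width-preserving in-line patch must cover exactly the call's bytes;
    return (decoded call target, file offset) so both can be cross-checked."""
    if len(replacement) != len(original):
        raise ValueError("patch would shift the instructions that follow")
    return decode_call_rel32(va, original), va_to_file_offset(va)


# The two call sites quoted from the W32Dasm listing on this page.
SITES = {
    0x00426680: bytes.fromhex("E8BB70FEFF"),
    0x0046D82E: bytes.fromhex("E80DFFF9FF"),
}

if __name__ == "__main__":
    for va, insn in SITES.items():
        target, off = check_patch_site(va, insn, encode_mov_eax_imm32(1))
        print(f"{va:08X}: call {target:08X}   file offset {off:,}")
```

Both sites decode to the 0040D740 routine and to the 154,240 / 445,486 offsets listed above, which is the consistency check to run before trusting any offset table against a binary of unknown version.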