Text File  |  1998-10-12  |  11.1 KB  |  242 lines

Free Information Xchange '98 presents:

Powerboat Racing - CD crack by Static Vengeance

Requirements:
Full game install and hex editor
W32Dasm if you want to follow along

    When I started this crack, the first thing I did was to install the program and run it without
the CD in the drive to see how the program reacted.  When I started up Powerboat Racing (PBR) it would
come up but only have a few things to do from the main menu.  One of the choices lacking on the main
menu was starting a new game.  Well, no pop up dialog box this time, so things were going to be a little
bit more involved than just double clicking on an "Insert CD..." string.  The first plan of attack is to
do a text string search for "GetDriveTypeA", which is a KERNEL32 call to get the type of drive to work
with.  The first occurrence didn't seem to have anything to do with the CD check, so I searched for the
next occurrence and found this routine:

* Referenced by a CALL at Addresses:
|:0040AD1E   , :0042B524   , :004531C8   , :0046D35A        <-- Called from 4 different places
|
:0040C454 53                      push ebx
:0040C455 51                      push ecx
:0040C456 52                      push edx
:0040C457 56                      push esi
:0040C458 57                      push edi
:0040C459 55                      push ebp
:0040C45A 81EC18010000            sub esp, 00000118
:0040C460 8D842414010000          lea eax, dword ptr [esp+00000114]
:0040C467 50                      push eax
:0040C468 683F000F00              push 000F003F
:0040C46D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Software\Promethean Designs\Powerboat "
                                        ->"Racing"
                                  |
:0040C46F 6834CB4900              push 0049CB34
:0040C474 6802000080              push 80000002

* Reference To: ADVAPI32.RegOpenKeyExA, Ord:0005h                      <-- Getting info from the registry
                                  |
:0040C479 2EFF1568014F00          Call dword ptr cs:[004F0168]
:0040C480 85C0                    test eax, eax
:0040C482 0F8526010000            jne 0040C5AE
:0040C488 8D84240C010000          lea eax, dword ptr [esp+0000010C]
:0040C48F 50                      push eax
:0040C490 8D842418010000          lea eax, dword ptr [esp+00000118]
:0040C497 50                      push eax
:0040C498 6A00                    push 00000000
:0040C49A 683F000F00              push 000F003F
:0040C49F 6A00                    push 00000000
:0040C4A1 68C4BD4900              push 0049BDC4
:0040C4A6 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Software\Promethean Designs\Powerboat "
                                        ->"Racing"
                                  |
:0040C4A8 6864CB4900              push 0049CB64
:0040C4AD 6802000080              push 80000002

* Reference To: ADVAPI32.RegCreateKeyExA, Ord:0003h
                                  |
:0040C4B2 2EFF1560014F00          Call dword ptr cs:[004F0160]
:0040C4B9 85C0                    test eax, eax
:0040C4BB 0F85ED000000            jne 0040C5AE
:0040C4C1 8D842410010000          lea eax, dword ptr [esp+00000110]
:0040C4C8 50                      push eax
:0040C4C9 8D442404                lea eax, dword ptr [esp+04]
:0040C4CD 50                      push eax
:0040C4CE 8D842410010000          lea eax, dword ptr [esp+00000110]
:0040C4D5 50                      push eax
:0040C4D6 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Installed From"       <-- the registry key for the CD drive letter
                                  |
:0040C4D8 68D8CA4900              push 0049CAD8
:0040C4DD 8B9C2428010000          mov ebx, dword ptr [esp+00000128]
:0040C4E4 BA80000000              mov edx, 00000080
:0040C4E9 53                      push ebx
:0040C4EA 89942428010000          mov dword ptr [esp+00000128], edx

* Reference To: ADVAPI32.RegQueryValueExA, Ord:0006h
                                  |
:0040C4F1 2EFF156C014F00          Call dword ptr cs:[004F016C]
:0040C4F8 85C0                    test eax, eax
:0040C4FA 740A                    je 0040C506

* Possible StringData Ref from Data Obj ->"Error reading Installed From registry "
                                        ->"value."
                                  |
:0040C4FC B894CB4900              mov eax, 0049CB94
:0040C501 E84AAB0200              call 00437050

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C4FA(C)
|

* Possible StringData Ref from Data Obj ->"PBOAT.EXE"             <-- Search for the main program file
                                  |
:0040C506 BE18CB4900              mov esi, 0049CB18
:0040C50B 89E7                    mov edi, esp

* Possible StringData Ref from Data Obj ->"rb"                    <-- "rb" or Read Binary
                                  |
:0040C50D BA24CB4900              mov edx, 0049CB24
:0040C512 57                      push edi
:0040C513 2BC9                    sub ecx, ecx
:0040C515 49                      dec ecx
:0040C516 B000                    mov al, 00
:0040C518 F2                      repnz
:0040C519 AE                      scasb
:0040C51A 4F                      dec edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C531(C)
|
:0040C51B 8A06                    mov al, byte ptr [esi]
:0040C51D 8807                    mov byte ptr [edi], al
:0040C51F 3C00                    cmp al, 00
:0040C521 7410                    je 0040C533
:0040C523 8A4601                  mov al, byte ptr [esi+01]
:0040C526 83C602                  add esi, 00000002
:0040C529 884701                  mov byte ptr [edi+01], al
:0040C52C 83C702                  add edi, 00000002
:0040C52F 3C00                    cmp al, 00
:0040C531 75E8                    jne 0040C51B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C521(C)
|
:0040C533 5F                      pop edi
:0040C534 89E0                    mov eax, esp
:0040C536 B908000000              mov ecx, 00000008
:0040C53B 8DBC2400010000          lea edi, dword ptr [esp+00000100]
:0040C542 E849510800              call 00491690
:0040C547 89C6                    mov esi, eax
:0040C549 89C5                    mov ebp, eax
:0040C54B 31C0                    xor eax, eax
:0040C54D 89E2                    mov edx, esp
:0040C54F 88C4                    mov ah, al
:0040C551 6689C3                  mov bx, ax
:0040C554 C1C010                  rol eax, 10
:0040C557 6689D8                  mov ax, bx
:0040C55A 89CB                    mov ebx, ecx
:0040C55C C1F902                  sar ecx, 02
:0040C55F F3                      repz
:0040C560 AB                      stosd
:0040C561 89D9                    mov ecx, ebx
:0040C563 83E103                  and ecx, 00000003
:0040C566 F3                      repz
:0040C567 AA                      stosb
:0040C568 BB03000000              mov ebx, 00000003
:0040C56D 8D842400010000          lea eax, dword ptr [esp+00000100]
:0040C574 E88D570800              call 00491D06
:0040C579 8D842400010000          lea eax, dword ptr [esp+00000100]
:0040C580 50                      push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:0003h                <-- Commonly used in CD checks and how
                                  |                              <--  we found this routine
:0040C581 2EFF150C024F00          Call dword ptr cs:[004F020C]
:0040C588 89C2                    mov edx, eax                   <-- Drive type value in eax moved to edx
:0040C58A 85F6                    test esi, esi
:0040C58C 7407                    je 0040C595
:0040C58E 89F0                    mov eax, esi
:0040C590 E8AE550800              call 00491B43

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C58C(C)
|
:0040C595 83FA05                  cmp edx, 00000005              <-- Compare drive type to CD rom value
:0040C598 7514                    jne 0040C5AE                   <-- Take this jump for non-CD drive
:0040C59A 85ED                    test ebp, ebp
:0040C59C 7410                    je 0040C5AE
:0040C59E E81D000000              call 0040C5C0
:0040C5A3 85C0                    test eax, eax
:0040C5A5 7407                    je 0040C5AE
:0040C5A7 B801000000              mov eax, 00000001              <-- Set up for passed CD check
:0040C5AC EB02                    jmp 0040C5B0                   <-- Jump over "set for fail"

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:   <-- All fails come to this
|:0040C482(C), :0040C4BB(C), :0040C598(C), :0040C59C(C), :0040C5A5(C)   <-- this point!
|
:0040C5AE 31C0                    xor eax, eax                   <-- Set up for failed CD check

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C5AC(U)
|
:0040C5B0 81C418010000            add esp, 00000118              <-- Jump to or fall through to this
:0040C5B6 5D                      pop ebp                        <--  exiting section of code
:0040C5B7 5F                      pop edi
:0040C5B8 5E                      pop esi
:0040C5B9 5A                      pop edx
:0040C5BA 59                      pop ecx
:0040C5BB 5B                      pop ebx
:0040C5BC C3                      ret

    That's the routine that checks for the pboat.exe on the CD, which is of course the CD check!  So
now we are left with figuring out how to disable it and make it always return good.  Or you can back
trace the 4 callers, get the 4 strings to search for and change them to B8 01 00 00 00.  I thought
as long as the failed attempts all come down to 40C5AE, why not change the XOR EAX, EAX to JMP 40C5A7.
That way when the CD check fails the code comes to 40C5AE and is redirected up to 40C5A7, which will
load eax with 00000001, the value for a passed CD check.  Then it jumps over our redirect jump to the
exit section.  This will work out just right, as we can use the 8 bit jump which is a 2 byte instruction
and the same length as the xor instruction.  Making this edit to the exe file results in a playable
Powerboat Racing that no longer requires you to have the CD online.  So search for the following
string: 74 07 B8 01 00 00 00 EB 02 31 C0 81 C4 and change the "31 C0" to "EB F7".  The actual edit:

Edit Pboat.exe at offset 47,534
===============================
Search for: 31 C0 81 C4
Change to : EB F7 -- --

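As an added example (my own, not part of Static Vengeance's text or the game's code), here is a small Python check that recomputes the rel8 jump arithmetic argued above and flags a PBOAT.EXE image that carries the described two-byte edit. The 17-byte sample is transcribed from the listing at 0040C5A5; the function names and the NOP padding are my own.

```python
# Added example, not from the original text: re-derive the short-jump
# arithmetic above and flag a PBOAT.EXE image carrying the described edit.

# Constructed from the listing at 0040C5A5 .. 0040C5B5:
#   74 07             je  0040C5AE
#   B8 01 00 00 00    mov eax, 00000001
#   EB 02             jmp 0040C5B0
#   31 C0             xor eax, eax        <- replaced by EB F7 in the crack
#   81 C4 18 01 00 00 add esp, 00000118
ORIGINAL_TAIL = bytes.fromhex("7407B801000000EB0231C081C418010000")
TAIL_ADDR = 0x0040C5A5
XOR_OFFSET_IN_TAIL = ORIGINAL_TAIL.index(b"\x31\xc0")   # 9


def short_jump_target(insn_addr: int, rel8: int) -> int:
    """Destination of a 2-byte Jcc/JMP rel8 at insn_addr (EIP is addr + 2)."""
    disp = rel8 - 0x100 if rel8 > 0x7F else rel8          # sign-extend the byte
    return (insn_addr + 2 + disp) & 0xFFFFFFFF


def short_jump_disp(insn_addr: int, target: int) -> int:
    """rel8 byte that sends a 2-byte jump at insn_addr to target."""
    disp = target - (insn_addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"displacement {disp} does not fit in rel8")
    return disp & 0xFF


def find_cdcheck_patch(image: bytes) -> list:
    """File offsets of the 'EB F7' pair inside the modified exit sequence.

    A pristine image returns []; an image carrying the redirect described
    in the text returns the offset of the former 'xor eax, eax'.
    """
    patched_tail = bytearray(ORIGINAL_TAIL)
    patched_tail[XOR_OFFSET_IN_TAIL:XOR_OFFSET_IN_TAIL + 2] = b"\xeb\xf7"
    hits, start = [], 0
    while (pos := image.find(bytes(patched_tail), start)) != -1:
        hits.append(pos + XOR_OFFSET_IN_TAIL)
        start = pos + 1
    return hits


if __name__ == "__main__":
    # The page's EB F7 at 0040C5AE lands on 0040C5A7, and vice versa.
    xor_addr = short_jump_target(TAIL_ADDR, ORIGINAL_TAIL[1])   # je 0040C5AE
    print(hex(xor_addr), hex(short_jump_target(xor_addr, 0xF7)))
    print(hex(short_jump_disp(xor_addr, 0x0040C5A7)))
    sample = b"\x90" * 16 + ORIGINAL_TAIL   # constructed, unmodified image slice
    print(find_cdcheck_patch(sample))
```

The out-of-range check also explains why the earlier failure exits at 0040C482 and 0040C4BB use the 6-byte 0F 85 form: their targets are too far away for a rel8 jump.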
    Once again a simple CD check (read "program bug") has been FiX'ed

Static Vengeance

PS>  After digging around in the disassembled code I found this:

  Powerboat Racing CHEATS by Static Vengeance

  Enter as PASSWORD

FAN  Catamarans in Minnow Class
DIP  Catamarans in Pike Class
URN  Catamarans in Baracuda Class
PBR  Enable slalom racing
PDL  Enable secret MINES race course
EPS  Enable Championship race

  Enter as your name

BIG  Infamous Japanese BIG-HEAD mode
POW  Big engines
SML  Tiny boats (radio control size)
WIN  All other racers at half speed so you can WIN
BAA  Slow CPU boats
BAD  Fast boats
BIF  Fast boats

TIP:  Just as the announcer says "one" take off.  If you do it right
      you get a TURBO launch like in UBISoft's pod