Text File  |  1998-07-22  |  15.0 KB  |  349 lines


Free Information Xchange '98 presents:

ProPinball: TimeShock! - CD crack by Static Vengeance

Requirements:
hex editor and full install

    ProPinball: Timeshock! is a great pinball game that can run in resolutions up to 1600x1200
at 16 bit color, which is great because my video card and monitor can do the same.  The game has a nice
look, good sound and good play; however there seems to be that same old bug that pops up with most
games.  I'm talking about the need to have the CD in your drive before you can play the game.  This
is one bug that needs to be FiX'ed and as it turns out isn't all that hard.
    To begin, you will need to disassemble TimeShock!.exe and the program I use for this is
W32Dasm from RUSoft.  When W32Dasm has finished its job, go up to the main menu bar and select "Refs"
and then select "String Data References" from the drop down menu.  From here, grab the slider bar on
the refs box and scroll down to where it says: "Please insert "Timeshock!" CD ".  Double click on this
ref and you're in the middle of the CD check routine.  TimeShock! uses the Windows Multi-Media (WINMM)
DLL to check for the CD.  The routine looks like this:

* Referenced by a CALL at Address:
|:00445963   
|
:0045A090 53                      push ebx
:0045A091 51                      push ecx
:0045A092 52                      push edx
:0045A093 56                      push esi
:0045A094 57                      push edi
:0045A095 55                      push ebp
:0045A096 83EC54                  sub esp, 00000054
:0045A099 833DD0A64700FF          cmp dword ptr [0047A6D0], FFFFFFFF
:0045A0A0 7427                    je 0045A0C9
:0045A0A2 A0D0A64700              mov al, byte ptr [0047A6D0]
:0045A0A7 0441                    add al, 41

* Possible StringData Ref from Data Obj ->"?:"
                                  |
:0045A0A9 68E4A64700              push 0047A6E4
:0045A0AE A2E4A64700              mov byte ptr [0047A6E4], al

* Reference To: KERNEL32.GetDriveTypeA, Ord:0003h                  <-- Commonly used in CD checks
                                  |
:0045A0B3 2EFF1508824B00          Call dword ptr cs:[004B8208]
:0045A0BA 83F805                  cmp eax, 00000005                <-- Value for a CD-ROM drive
:0045A0BD 740A                    je 0045A0C9
:0045A0BF C705D0A64700FFFFFFFF    mov dword ptr [0047A6D0], FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045A0A0(C), :0045A0BD(C)
|
:0045A0C9 BEFFFFFFFF              mov esi, FFFFFFFF
:0045A0CE 3B35D0A64700            cmp esi, dword ptr [0047A6D0]
:0045A0D4 754C                    jne 0045A122
:0045A0D6 31DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A106(C)
|
:0045A0D8 88D8                    mov al, bl
:0045A0DA 0441                    add al, 41

* Possible StringData Ref from Data Obj ->"?:"
                                  |
:0045A0DC 68E4A64700              push 0047A6E4
:0045A0E1 A2E4A64700              mov byte ptr [0047A6E4], al

* Reference To: KERNEL32.GetDriveTypeA, Ord:0003h
                                  |
:0045A0E6 2EFF1508824B00          Call dword ptr cs:[004B8208]
:0045A0ED 83F805                  cmp eax, 00000005
:0045A0F0 7510                    jne 0045A102
:0045A0F2 83FEFF                  cmp esi, FFFFFFFF
:0045A0F5 7502                    jne 0045A0F9
:0045A0F7 89DE                    mov esi, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A0F5(C)
|
:0045A0F9 E84AFFFFFF              call 0045A048
:0045A0FE 85C0                    test eax, eax
:0045A100 7506                    jne 0045A108

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A0F0(C)
|
:0045A102 43                      inc ebx
:0045A103 83FB1A                  cmp ebx, 0000001A
:0045A106 7CD0                    jl 0045A0D8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A100(C)
|
:0045A108 83FB19                  cmp ebx, 00000019
:0045A10B 7E0F                    jle 0045A11C

* Possible StringData Ref from Data Obj ->"Please insert "Timeshock!" CD "   <-- How I found this routine
                                        ->"drive and try again"              <-- so quickly
                                  |
:0045A10D 68F8F34600              push 0046F3F8
:0045A112 6A2B                    push 0000002B
:0045A114 E8B37CFFFF              call 00451DCC
:0045A119 83C408                  add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A10B(C)
|
:0045A11C 891DD0A64700            mov dword ptr [0047A6D0], ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A0D4(C)
|
:0045A122 BB14000000              mov ebx, 00000014
:0045A127 8D442430                lea eax, dword ptr [esp+30]
:0045A12B BE04020000              mov esi, 00000204
:0045A130 31D2                    xor edx, edx

* Possible StringData Ref from Data Obj ->"?:"
                                  |
:0045A132 BFE4A64700              mov edi, 0047A6E4
:0045A137 E824170000              call 0045B860
:0045A13C 89742438                mov dword ptr [esp+38], esi
:0045A140 897C243C                mov dword ptr [esp+3C], edi
:0045A144 BB02000000              mov ebx, 00000002
:0045A149 31F6                    xor esi, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045A19D(C), :0045A1A4(C), :0045A1B8(U)
|
:0045A14B 8D442430                lea eax, dword ptr [esp+30]
:0045A14F 50                      push eax
:0045A150 6802320000              push 00003202
:0045A155 6803080000              push 00000803
:0045A15A 56                      push esi

* Reference To: WINMM.mciSendCommandA, Ord:0006h                <-- The check is done through WINMM calls
                                  |
:0045A15B 2EFF1510814B00          Call dword ptr cs:[004B8110]
:0045A162 85C0                    test eax, eax
:0045A164 7454                    je 0045A1BA
:0045A166 8D442430                lea eax, dword ptr [esp+30]
:0045A16A 50                      push eax
:0045A16B 6802330000              push 00003302
:0045A170 6803080000              push 00000803
:0045A175 56                      push esi

* Reference To: WINMM.mciSendCommandA, Ord:0006h
                                  |
:0045A176 2EFF1510814B00          Call dword ptr cs:[004B8110]
:0045A17D 85C0                    test eax, eax
:0045A17F 7439                    je 0045A1BA
:0045A181 53                      push ebx

* Possible StringData Ref from Data Obj ->"Pro Pinball - Timeshock!"
                                  |
:0045A182 682CF44600              push 0046F42C

* Possible StringData Ref from Data Obj ->"Unable to play CD tracks.  This "
                                        ->"may be because another program "
                                        ->"such as CDPLAYER is already using "
                                        ->"the drive"
                                  |
:0045A187 6848F44600              push 0046F448
:0045A18C 8B2D308F4900            mov ebp, dword ptr [00498F30]
:0045A192 55                      push ebp

* Reference To: USER32.MessageBoxA, Ord:000Bh
                                  |
:0045A193 2EFF15A4814B00          Call dword ptr cs:[004B81A4]
:0045A19A 83F803                  cmp eax, 00000003
:0045A19D 72AC                    jb 0045A14B
:0045A19F 760C                    jbe 0045A1AD
:0045A1A1 83F805                  cmp eax, 00000005
:0045A1A4 75A5                    jne 0045A14B
:0045A1A6 31C0                    xor eax, eax
:0045A1A8 E927010000              jmp 0045A2D4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A19F(C)
|
:0045A1AD 53                      push ebx
:0045A1AE 6A01                    push 00000001
:0045A1B0 E8177CFFFF              call 00451DCC
:0045A1B5 83C408                  add esp, 00000008
:0045A1B8 EB91                    jmp 0045A14B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045A164(C), :0045A17F(C)
|
:0045A1BA 8B442434                mov eax, dword ptr [esp+34]
:0045A1BE 31DB                    xor ebx, ebx
:0045A1C0 A3C0A64700              mov dword ptr [0047A6C0], eax

* Reference To: WINMM.auxGetNumDevs, Ord:0002h
                                  |
:0045A1C5 2EFF1500814B00          Call dword ptr cs:[004B8100]
:0045A1CC 89C6                    mov esi, eax
:0045A1CE 85C0                    test eax, eax
:0045A1D0 7639                    jbe 0045A20B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A209(C)
|
:0045A1D2 6A30                    push 00000030
:0045A1D4 8D442404                lea eax, dword ptr [esp+04]
:0045A1D8 50                      push eax
:0045A1D9 53                      push ebx

* Reference To: WINMM.auxGetDevCapsA, Ord:0001h
                                  |
:0045A1DA 2EFF15FC804B00          Call dword ptr cs:[004B80FC]
:0045A1E1 85C0                    test eax, eax
:0045A1E3 7521                    jne 0045A206
:0045A1E5 66837C242801            cmp word ptr [esp+28], 0001
:0045A1EB 7519                    jne 0045A206
:0045A1ED F644242C01              test [esp+2C], 01
:0045A1F2 7412                    je 0045A206
:0045A1F4 B801000000              mov eax, 00000001
:0045A1F9 891D4C604A00            mov dword ptr [004A604C], ebx
:0045A1FF A3C4A64700              mov dword ptr [0047A6C4], eax
:0045A204 EB05                    jmp 0045A20B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045A1E3(C), :0045A1EB(C), :0045A1F2(C)
|
:0045A206 43                      inc ebx
:0045A207 39F3                    cmp ebx, esi
:0045A209 72C7                    jb 0045A1D2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045A1D0(C), :0045A204(U)
|
:0045A20B 8D442444                lea eax, dword ptr [esp+44]
:0045A20F 50                      push eax
:0045A210 6800040000              push 00000400
:0045A215 680D080000              push 0000080D
:0045A21A 8B1DC0A64700            mov ebx, dword ptr [0047A6C0]
:0045A220 BA0A000000              mov edx, 0000000A
:0045A225 53                      push ebx
:0045A226 89542458                mov dword ptr [esp+58], edx

* Reference To: WINMM.mciSendCommandA, Ord:0006h
                                  |
:0045A22A 2EFF1510814B00          Call dword ptr cs:[004B8110]
:0045A231 85C0                    test eax, eax
:0045A233 7414                    je 0045A249
:0045A235 31F6                    xor esi, esi
:0045A237 31C0                    xor eax, eax
:0045A239 8935C0A64700            mov dword ptr [0047A6C0], esi
:0045A23F 83C454                  add esp, 00000054
:0045A242 5D                      pop ebp
:0045A243 5F                      pop edi
:0045A244 5E                      pop esi
:0045A245 5A                      pop edx
:0045A246 59                      pop ecx
:0045A247 5B                      pop ebx
:0045A248 C3                      ret

    That's the important section of the routine.  You don't really need to understand each and
every instruction; as long as you can see the general flow of the program you'll get by.  There is
just one call to the above CD check, and it is made from 445963.

 -- Program Code --

:00445953 8B1598794700            mov edx, dword ptr [00477998]
:00445959 A154794700              mov eax, dword ptr [00477954]
:0044595E E851FAFFFF              call 004453B4
:00445963 E828470100              call 0045A090                   <-- Call the CD check routine
:00445968 A350794700              mov dword ptr [00477950], eax
:0044596D 85C0                    test eax, eax
:0044596F 7513                    jne 00445984
:00445971 E8E6D20000              call 00452C5C
:00445976 85C0                    test eax, eax
:00445978 7E0A                    jle 00445984
:0044597A B87F000000              mov eax, 0000007F
:0044597F E8E0D20000              call 00452C64

 -- Continuing Code --


    However there is a newer patch on the net for v1.07 of Timeshock!  The copy protection is
almost the same but in a different location, and a secondary CD check has been added.  It can be
found by double clicking the "Insert ..." string twice.  This newly added check looks like this:

* Referenced by a CALL at Addresses:
|:0040D5A1   , :0040F0C0   
|
:0045A0C0 E8B3FFFFFF              call 0045A078                        <-- Check for the CD again
:0045A0C5 85C0                    test eax, eax                        <-- Test the result of the check
:0045A0C7 750F                    jne 0045A0D8                         <-- Take this jump for a good check

* Possible StringData Ref from Data Obj ->"Please insert "Timeshock!" CD "  <-- "THE" string for a 2nd time
                                        ->"drive and try again"
                                  |
:0045A0C9 688CF64600              push 0046F68C
:0045A0CE 6A2B                    push 0000002B
:0045A0D0 E8A77CFFFF              call 00451D7C
:0045A0D5 83C408                  add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045A0C7(C)
|
:0045A0D8 C3                      ret                                   <-- Just need to get here some way


    From here all you need to do is prevent the call to the CD check routine and the game
will run just fine without the CD present.  The only flaw I have run into is that at the end of the
game the "Game Over" sound is truncated.  I'm not sure what the reason for this is, but I suspect
that when the CD is present there is enough time between MCI (winmm) calls to let you hear
the entire game over sound.  I'd rather live with that little problem than with the CD check.
    Anyway, as a good CD check returns 00000000 in eax and esi, I zeroed them out and used a
nop as filler for the first CD call.  For version 1.07 I simply overwrote the CD check call
with mov eax, 00000001 to force the jne to always be taken.  Simple enough; here are the actual edits:

Edit Timeshock!.exe v1.05 off the CD
============================================
Search for: E8 28 47 01 00 at offset 281,955
Change to : 31 C0 31 F6 90

Edit Timeshock!.exe v1.??
============================================
Search for: E8 A0 EF 00 00 at offset 311,775
Change to : 31 C0 31 F6 90

Search for: E8 DC FC FF FF at offset 373,851
Change to : B8 01 00 00 00

Edit Timeshock!.exe v1.07 patch off the net
============================================
Search for: E8 C4 47 01 00 at offset 281,875
Change to : 31 C0 31 F6 90

Search for: E8 B3 FF FF FF at offset 365,760
Change to : B8 01 00 00 00


Edit Timeshock!.exe v1.09b1 patch off the net
============================================
Search for: E8 B7 4C 01 00 at offset 278,332
Change to : 31 C0 31 F6 90

Search for: E8 A7 FF FF FF at offset 363,484
Change to : B8 01 00 00 00

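As an added example (not part of the original write-up or the game's own code), here is a small Python helper that cross-checks the addresses and file offsets quoted above: it converts a hex-editor file offset to the virtual address W32Dasm shows, and decodes a 5-byte E8 rel32 CALL to the address it calls. The offset-to-VA delta is derived from the one pairing the text gives (the CALL at :00445963 found at offset 281,955); the target it computes for the v1.07 main check is not quoted in the text and is only what those bytes decode to.

```python
import struct

# Derived from the write-up's stated pairing: the CALL at virtual address
# 0x00445963 sits at file offset 281,955 (0x44D63). The delta is the image
# base plus the raw-to-virtual shift of the code section (assumed constant
# across the file, which holds for every site the listings show).
FILE_TO_VA_DELTA = 0x00445963 - 281955   # 0x400C00

def file_offset_to_va(offset):
    """Map a hex-editor file offset to the address W32Dasm displays."""
    return offset + FILE_TO_VA_DELTA

def va_to_file_offset(va):
    """Inverse mapping: W32Dasm address back to a file offset."""
    return va - FILE_TO_VA_DELTA

def decode_call_rel32(va, code):
    """Decode an x86 near relative CALL: opcode E8 followed by a signed
    32-bit displacement measured from the end of the 5-byte instruction."""
    if len(code) != 5 or code[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 CALL")
    rel = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF

def encode_call_rel32(va, target):
    """Inverse of decode_call_rel32: the bytes of 'call target' placed at va."""
    return b"\xE8" + struct.pack("<i", target - (va + 5))

# CALL sites whose bytes and file offsets the write-up quotes: (offset, bytes).
CALL_SITES = {
    "v1.05 main check":      (281955, bytes.fromhex("E828470100")),
    "v1.07 main check":      (281875, bytes.fromhex("E8C4470100")),
    "v1.07 secondary check": (365760, bytes.fromhex("E8B3FFFFFF")),
}

def resolve_call_site(name):
    """Return (address of the CALL, address it calls) for a quoted site."""
    offset, code = CALL_SITES[name]
    va = file_offset_to_va(offset)
    return va, decode_call_rel32(va, code)

if __name__ == "__main__":
    for name in CALL_SITES:
        va, target = resolve_call_site(name)
        print(f"{name}: call at {va:08X} -> {target:08X}")
```

The v1.05 site resolves to the call 00445963 -> 0045A090 and the v1.07 secondary site to 0045A0C0 -> 0045A078, matching the two listings above.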

    With the edits you have a FiX'ed version of TimeShock! Pro Pinball!

Static Vengeance
