Game Cracker (Expanded Edition).iso / cracks / SV_SCIFI.ZIP / Sci-Fi Pinball.txt (text file, 1999-06-03, 12KB, 219 lines)
Free Information Xchange presents:
Sci-Fi Pinball - CD crack by Static Vengeance - June 2nd, 1999
REQUIREMENTS:
Full game install
W32Dasm & Hex Editor
Fox Interactive has released a new pinball game with a collection of tables based on four of
its premier licensees: games based on the Aliens series, the Predator series, The Fly movies and the
TV series Buffy the Vampire Slayer. Each table includes sound clips and "dot-mation" movie clips from
its respective series/story line. The graphics are pretty good and the game play is fine as far as
pinball games go. However, there is one problem with this game, and that is the CD check that is run
before you can actually play the game. This is one problem that I can help you FiX with a little help
from W32Dasm and a few comments. If you want to see how to track down the CD check, get W32Dasm up and
running and disassemble the sci-fi pinball.exe file. Once you have done that, it's back to the ever
popular method I've outlined in so many of my tutorials.
Go up to the menu bar and select REFS, then data string references from the drop-down menu.
When the pop-up box appears, grab the slider bar and scroll down until you see "Please put the Fox
Arcade: Sci-Fi ", which is part of the request dialog for the CD check. Double click this and you're
right in the middle of the CD check, which looks like this:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401BB3(U) <-- Gets here via the jump table
|
:00412940 83EC5C sub esp, 0000005C
:00412943 8D4C2400 lea ecx, dword ptr [esp]
:00412947 53 push ebx
:00412948 33DB xor ebx, ebx
:0041294A 53 push ebx
:0041294B E830EB0100 call 00431480
:00412950 8A442464 mov al, byte ptr [esp+64]
* Possible StringData Ref from Data Obj ->"Gigawatt.bin" <-- File to read/check for
|
:00412954 6820DB4500 push 0045DB20
:00412959 3AC3 cmp al, bl
:0041295B 68E06D4600 push 00466DE0
:00412960 8D4C240C lea ecx, dword ptr [esp+0C]
:00412964 7458 je 004129BE
:00412966 E8C5EE0100 call 00431830 <-- Read file with KERNEL32.ReadFile call
:0041296B 84C0 test al, al <-- Test al for returned result
:0041296D 756F jne 004129DE <-- Jump down to "pass & exit"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004129A8(C)
|
:0041296F 8D4C2404 lea ecx, dword ptr [esp+04]
:00412973 E848EC0100 call 004315C0
* Possible StringData Ref from Data Obj ->"Please put the Fox Arcade: Sci-Fi " <-- What got us here and
->"Pinball CD in your CD-ROM drive " <-- why we're doing this
->"and press OK. Otherwise press "
->"Cancel to quit the application."
|
:00412978 68A0DE4500 push 0045DEA0
* Possible Reference to String Resource ID=00001: "Gigawatt Studios"
|
:0041297D 6A01 push 00000001
:0041297F 6A30 push 00000030
:00412981 FF151CF64500 call dword ptr [0045F61C]
:00412987 83C40C add esp, 0000000C
:0041298A 83F802 cmp eax, 00000002
:0041298D 741D je 004129AC
* Possible StringData Ref from Data Obj ->"Gigawatt.bin" <-- File to read/check for
|
:0041298F 6820DB4500 push 0045DB20
:00412994 68E06D4600 push 00466DE0
:00412999 8D4C240C lea ecx, dword ptr [esp+0C]
:0041299D 895C2430 mov dword ptr [esp+30], ebx
:004129A1 E88AEE0100 call 00431830 <-- Read file with KERNEL32.ReadFile call
:004129A6 84C0 test al, al
:004129A8 74C5 je 0041296F <-- Tell the user they need the CD
:004129AA EB32 jmp 004129DE <-- Otherwise jump down to "pass & exit"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041298D(C)
|
:004129AC 8D4C2404 lea ecx, dword ptr [esp+04]
:004129B0 E8DBEB0100 call 00431590
:004129B5 32C0 xor al, al <-- Set up for "failed" CD check
:004129B7 5B pop ebx
:004129B8 83C45C add esp, 0000005C
:004129BB C20400 ret 0004 <-- Return to the caller
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412964(C)
|
:004129BE E86DEE0100 call 00431830 <-- Read file with KERNEL32.ReadFile call
:004129C3 3AC3 cmp al, bl
:004129C5 8D4C2404 lea ecx, dword ptr [esp+04]
:004129C9 750E jne 004129D9
:004129CB E8C0EB0100 call 00431590
:004129D0 32C0 xor al, al <-- Set up for "failed" CD check
:004129D2 5B pop ebx
:004129D3 83C45C add esp, 0000005C
:004129D6 C20400 ret 0004 <-- Return to the caller
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004129C9(C)
|
:004129D9 E8E2EB0100 call 004315C0
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041296D(C), :004129AA(U)
|
:004129DE 8D4C2404 lea ecx, dword ptr [esp+04]
:004129E2 E8A9EB0100 call 00431590
:004129E7 B001 mov al, 01 <-- Set up for "passed" CD check
:004129E9 5B pop ebx
:004129EA 83C45C add esp, 0000005C
:004129ED C20400 ret 0004 <-- Return to the caller
A simple and very short routine to check for the file Gigawatt.bin on the CD. The call to
431830 does a few things and sets up some information, then calls 435BC0, which is the routine that
actually makes two KERNEL32.DLL calls. The first call is a ReadFile followed by a GetLastError, which
returns one or zero in eax depending on what happened with the ReadFile call. To continue, the above
routine will return a pass/fail value in al. A zero means the CD check failed, while a one in al means
the CD check passed. Using this information we can trace back to the caller and bypass this CD check.
If you check the code at and surrounding 401BB3 you'll see this:
-- Part of Large Jump Table --
:00401BA9 E9320D0200 jmp 004228E0
:00401BAE E9AD650100 jmp 00418160
* Referenced by a CALL at Address:
|:00412A4B <-- Got here via a single call instruction
|
:00401BB3 E9880D0100 jmp 00412940 <-- Jump to the CD check
* Referenced by a CALL at Addresses:
|:00402F21 , :0041F2F6
|
:00401BB8 E913030100 jmp 00411ED0
:00401BBD E98E2E0100 jmp 00414A50
:00401BC2 E9C9580000 jmp 00407490
-- More of the Jump Table --
A long list of jumps to routines, but we're in luck because there is a single call made to this
jump. So it's just a matter of looking at the code around 412A4B:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017B2(U) <-- Gets here via the jump table
|
:00412A20 81ECB0000000 sub esp, 000000B0
:00412A26 56 push esi
:00412A27 8BF1 mov esi, ecx
* Possible StringData Ref from Data Obj ->"\FoxPinball\1.0"
|
:00412A29 6898E04500 push 0045E098
:00412A2E 8D4C2474 lea ecx, dword ptr [esp+74]
:00412A32 E869230200 call 00434DA0
:00412A37 8D4C2470 lea ecx, dword ptr [esp+70]
:00412A3B E820240200 call 00434E60
:00412A40 8BCE mov ecx, esi
:00412A42 E829640200 call 00438E70
:00412A47 6A01 push 00000001 <-- Remember this instruction
:00412A49 8BCE mov ecx, esi
:00412A4B E863F1FEFF call 00401BB3 <-- Call the CD check via jump table
:00412A50 84C0 test al, al <-- Test al for result of the CD check
:00412A52 751D jne 00412A71 <-- Take this jump to continue
:00412A54 68030001E0 push E0010003
:00412A59 8BCE mov ecx, esi
:00412A5B E8B03F0200 call 00436A10
:00412A60 8D4C2470 lea ecx, dword ptr [esp+70]
:00412A64 E8C7230200 call 00434E30
:00412A69 5E pop esi
:00412A6A 81C4B0000000 add esp, 000000B0
:00412A70 C3 ret <-- Getting here will quit to Windows 95/98
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A52(C)
|
:00412A71 57 push edi <-- Getting here will continue with the game
:00412A72 53 push ebx
:00412A73 B9B09F4600 mov ecx, 00469FB0
:00412A78 E8335E0200 call 004388B0
:00412A7D 6A00 push 00000000
:00412A7F B9B09F4600 mov ecx, 00469FB0
-- Continuing Program Code --
Well, after a little information you can see the whole protection and CD check hinges on the
jne at 412A52. Changing the call 00401BB3 to mov eax, 00000001 will completely bypass the CD check. If
you make the edit and run the game, it will start up and quit right to Windows before anything happens.
We (well... I) missed something. Even after a lot of work and tracing the program code, I couldn't seem
to get the game to run with or without the CD after making the edit. I even started looking for some
type of checksumming routine that might check the exe file to see if it was edited. Nothing worked for
me, so I took a break for a couple of days (got a new program to crack ;-). Then I decided it was time for
another try, so I started over without my notes (you do take notes when you're cracking, right?) and tried
again. I don't know what it was, but that push at 412A47 seemed to hit me between the eyes this time. I
thought to myself... "Hey, where are they fixing the stack for the push command?" Well, they do, but it's
adjusted for in the CD check call. So Windows was choking on the fact that, with my edit, an extra 32-bit
value was left on the stack. So I changed the 6A into a B0, which changes the push 00000001 to a mov al, 01
instruction. Ran the game and it worked just fine without the CD online. All that work and effort because
I wasn't paying attention!
Getting back to the tutorial now. The only question left is what the final edit will be. You see,
as long as you get down to 412A71 and don't run the CD check (or leave extra info on the stack) you can play
the game. So you could change the push 00000001 to a "jump 00412A71" (6A 01 --> EB 28) or make the edits I
have shown. I decided just to stick with my original edits. Once again, we have cracked another game and
have finished another tutorial. The actual steps to crack this new pinball game are:
1. Do a full install of the game
2. Make the following edit:
Edit Sci-Fi Pinball.exe at offset 73,287
========================================
Search for: 6A 01 8B CE E8 63 F1 FE FF
Change to : B0 -- -- -- B8 01 00 00 00
3. Enjoy your newly "CD-Free" Sci-Fi Pinball!
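To see why the first attempt (replacing only the call) quit straight to Windows while the edit in step 2 runs cleanly, here is an added example, not the author's code, that decodes the nine bytes at the patch site and tracks their net effect on ESP. It assumes, as the listing shows, that the routine reached through 00401BB3 returns with "ret 0004", i.e. the callee pops the one argument the push put on the stack.

```python
# Added example (not the author's code): decoder for just the opcodes at the patch
# site 00412A47 in the listing above. It resolves call/jmp targets and tracks the
# net ESP change, assuming the routine behind 00401BB3 returns with "ret 0004".
from typing import List, Tuple

PATCH_SITE = 0x00412A47
CALLEE_CLEANUP = {0x00401BB3: 4}  # bytes the callee's "ret 0004" pops on return

def decode(code: bytes, base: int = PATCH_SITE) -> Tuple[List[str], int]:
    """Decode the supported opcodes at `base`; return (listing, net ESP change)."""
    out: List[str] = []
    esp = pc = 0
    while pc < len(code):
        op, addr = code[pc], base + pc
        if op == 0x6A:  # push imm8: 4 bytes go on the stack (imm8 is sign-extended)
            imm = int.from_bytes(code[pc+1:pc+2], "little", signed=True) & 0xFFFFFFFF
            out.append(f"{addr:08X} push {imm:08X}"); esp -= 4; pc += 2
        elif op == 0xB0:  # mov al, imm8: no stack effect
            out.append(f"{addr:08X} mov al, {code[pc+1]:02X}"); pc += 2
        elif op == 0xB8:  # mov eax, imm32: no stack effect
            imm = int.from_bytes(code[pc+1:pc+5], "little")
            out.append(f"{addr:08X} mov eax, {imm:08X}"); pc += 5
        elif op == 0x8B and code[pc+1] == 0xCE:  # mov ecx, esi
            out.append(f"{addr:08X} mov ecx, esi"); pc += 2
        elif op == 0xE8:  # call rel32, relative to the next instruction
            rel = int.from_bytes(code[pc+1:pc+5], "little", signed=True)
            target = (addr + 5 + rel) & 0xFFFFFFFF
            out.append(f"{addr:08X} call {target:08X}")
            esp += CALLEE_CLEANUP.get(target, 0)  # callee's ret N removes the pushed arg
            pc += 5
        elif op == 0xEB:  # jmp rel8, relative to the next instruction
            rel = int.from_bytes(code[pc+1:pc+2], "little", signed=True)
            out.append(f"{addr:08X} jmp {(addr + 2 + rel) & 0xFFFFFFFF:08X}"); pc += 2
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {addr:08X}")
    return out, esp

# The byte sequences the text discusses (taken from the tutorial, not constructed).
ORIGINAL = bytes.fromhex("6A018BCEE863F1FEFF")    # push 1 / mov ecx,esi / call 00401BB3
CALL_ONLY = bytes.fromhex("6A018BCEB801000000")   # first attempt: only the call replaced
FINAL_EDIT = bytes.fromhex("B0018BCEB801000000")  # push -> mov al,1; call -> mov eax,1
JUMP_EDIT = bytes.fromhex("EB28")                 # the alternative: jmp straight to 00412A71

if __name__ == "__main__":
    for name, seq in [("original", ORIGINAL), ("call only", CALL_ONLY),
                      ("final edit", FINAL_EDIT), ("jump edit", JUMP_EDIT)]:
        listing, delta = decode(seq)
        print(f"{name}: ESP {delta:+d}  " + " | ".join(listing))
```

The "call only" sequence comes out 4 bytes short on ESP, which is the dangling push the text describes; both the final edit and the jump variant balance.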
A little lesson for me for future reference, but hey! Sci-Fi Pinball is now FiX'ed
Static Vengeance - FiX