home *** CD-ROM | disk | FTP | other *** search
/ Game Cracker (Expanded Edition) / Game Cracker (Expanded Edition).iso / cracks / SV_TPST2.ZIP / Tempest 2000.txt < prev    next >
Encoding:
Text File  |  1998-11-27  |  13.0 KB  |  282 lines
  1.  
  2. Free Information Xchange presents:
  3.  
  4. Tempest 2000 - CD crack by Static Vengeance - Nov 14th, 1998
  5.  
  6. Requirements:
  7. Hex Editor and Full Install
  8. W32Dasm if you want to follow along
  9.  
  10.     Tempest 2000, in theory, should be a great game.  I have always loved the original Tempest from
  11. way back in the olden days in the arcades.  So when I found a copy of Tempest 2000 laying around I wanted
  12. to try it.  I found a few problems with the game.  First there is no native support for the Win95 version,
  13. which seems odd as almost ALL Win95 users have mice.  What was the thinking here?  Didn't the programers
  14. know how to access the mouse from Win95?  Even the MS Arcade version (for Win 3.1) has mouse support!
  15. Anyways there's the CD check that comes up during the game.  That can easily be FiX'ed.  Too bad Electronic
  16. Arts really did a poor job on this game.  I was looking for new version of Tempest that would be fun and
  17. fast to play, no such luck here.  But I will at least show you how to crack this one.
  18.     First disassemble the tempest.exe and go up to the menu bar and select Refs and then select String
  19. Data Refs from there.  When the pop-up box appears, grab the slider bar and scroll down until you see
  20. Cannot find TEMPEST CD"  Now double click this ref and W32Dasm will put you in the middle of this routine:
  21.  
  22.   -- Program Code --
  23. :00404AB0 FF1518B44300            Call dword ptr [0043B418]
  24. :00404AB6 66C705F09243003C00      mov word ptr [004392F0], 003C
  25. :00404ABF 66C705F49243002800      mov word ptr [004392F4], 0028
  26. :00404AC8 66893504934300          mov word ptr [00439304], si
  27.  
  28. * Reference To: USER32.MessageBoxA, Ord:0188h
  29.                                   |
  30. :00404ACF 8B35ACB34300            mov esi, dword ptr [0043B3AC]
  31. :00404AD5 66893D74914300          mov word ptr [00439174], di
  32.  
  33. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  34. |:00404AFC(C)
  35. |
  36. :00404ADC E81FC5FFFF              call 00401000                   <-- Do the CD check
  37. :00404AE1 85C0                    test eax, eax                   <-- Test the returned value in eax
  38. :00404AE3 A1A0904100              mov eax, dword ptr [004190A0]
  39. :00404AE8 7520                    jne 00404B0A                    <-- Take this jump to continue
  40. :00404AEA 6A11                    push 00000011
  41.  
  42. * Possible StringData Ref from Data Obj ->"TEMPEST 2000"
  43.                                   |
  44. :00404AEC 6870A84100              push 0041A870
  45.  
  46. * Possible StringData Ref from Data Obj ->"Cannot find TEMPEST CD"  <-- What got us here
  47.                                   |
  48. :00404AF1 6838A84100              push 0041A838
  49. :00404AF6 50                      push eax
  50. :00404AF7 FFD6                    call esi
  51. :00404AF9 83F801                  cmp eax, 00000001                 <-- 01 means you hit retry
  52. :00404AFC 74DE                    je 00404ADC
  53. :00404AFE 33C0                    xor eax, eax                      <-- Set up for quit to Win95
  54. :00404B00 5D                      pop ebp
  55. :00404B01 5F                      pop edi
  56. :00404B02 5E                      pop esi
  57. :00404B03 5B                      pop ebx
  58. :00404B04 83C41C                  add esp, 0000001C
  59. :00404B07 C21000                  ret 0010
  60.  
  61. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  62. |:00404AE8(C)                                                         <-- Want to get here
  63. |
  64. :00404B0A E8A1D2FFFF              call 00401DB0
  65. :00404B0F 85C0                    test eax, eax
  66. :00404B11 750C                    jne 00404B1F
  67. :00404B13 33C0                    xor eax, eax
  68.   -- Continuing program code --
  69.  
  70.     Alright, that's the section of code that'll ask for the CD if it's not in the drive when
  71. you start the game.  So let's check out the CD check routine at 401000 and see what it does:
  72.  
  73. :00401000 81EC48040000            sub esp, 00000448
  74. :00401006 8D442440                lea eax, dword ptr [esp+40]
  75. :0040100A 53                      push ebx
  76. :0040100B 56                      push esi
  77. :0040100C 57                      push edi
  78. :0040100D 55                      push ebp
  79. :0040100E 50                      push eax
  80. :0040100F 6805040000              push 00000405
  81.  
  82. * Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00E5h
  83.                                   |
  84. :00401014 FF1558B34300            Call dword ptr [0043B358]
  85. :0040101A 8BE8                    mov ebp, eax
  86. :0040101C 85ED                    test ebp, ebp
  87. :0040101E 7510                    jne 00401030              <-- Take this jump to do the actual CD check
  88. :00401020 B801000000              mov eax, 00000001
  89. :00401025 5D                      pop ebp
  90. :00401026 5F                      pop edi
  91. :00401027 5E                      pop esi
  92. :00401028 5B                      pop ebx
  93. :00401029 81C448040000            add esp, 00000448
  94. :0040102F C3                      ret
  95.  
  96. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  97. |:0040101E(C)
  98. |
  99. :00401030 32DB                    xor bl, bl
  100. :00401032 85ED                    test ebp, ebp
  101. :00401034 0F849C000000            je 004010D6
  102.  
  103. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  104. |:004010D0(C)
  105. |
  106. :0040103A 33C0                    xor eax, eax
  107. :0040103C 8AC3                    mov al, bl
  108. :0040103E 8D7C0450                lea edi, dword ptr [esp+eax+50]
  109. :00401042 57                      push edi
  110.  
  111. * Reference To: KERNEL32.GetDriveTypeA, Ord:00CEh               <-- Commonly used in CD checks
  112.                                   |
  113. :00401043 FF1554B34300            Call dword ptr [0043B354]
  114. :00401049 85C0                    test eax, eax
  115. :0040104B 7405                    je 00401052
  116. :0040104D 83F805                  cmp eax, 00000005             <-- 05 is the value for a CD Rom drive
  117. :00401050 7575                    jne 004010C7
  118.  
  119. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  120. |:0040104B(C)
  121. |
  122. :00401052 B9FFFFFFFF              mov ecx, FFFFFFFF
  123. :00401057 2BC0                    sub eax, eax
  124. :00401059 F2                      repnz
  125. :0040105A AE                      scasb
  126. :0040105B F7D1                    not ecx
  127. :0040105D 2BF9                    sub edi, ecx
  128. :0040105F 8BC1                    mov eax, ecx
  129. :00401061 C1E902                  shr ecx, 02
  130. :00401064 8BF7                    mov esi, edi
  131. :00401066 8D7C2410                lea edi, dword ptr [esp+10]
  132. :0040106A 6A00                    push 00000000
  133. :0040106C F3                      repz
  134. :0040106D A5                      movsd
  135. :0040106E 8BC8                    mov ecx, eax
  136. :00401070 6880000000              push 00000080
  137. :00401075 83E103                  and ecx, 00000003
  138. :00401078 6A03                    push 00000003
  139. :0040107A F3                      repz
  140. :0040107B A4                      movsb
  141.  
  142. * Possible StringData Ref from Data Obj ->"TEMPEST.EXE"         <-- File the CD check is looking for
  143.                                   |
  144. :0040107C BFD0A44100              mov edi, 0041A4D0
  145. :00401081 B9FFFFFFFF              mov ecx, FFFFFFFF
  146. :00401086 2BC0                    sub eax, eax
  147. :00401088 6A00                    push 00000000
  148. :0040108A F2                      repnz
  149. :0040108B AE                      scasb
  150. :0040108C F7D1                    not ecx
  151. :0040108E 2BF9                    sub edi, ecx
  152. :00401090 8BD1                    mov edx, ecx
  153. :00401092 8BF7                    mov esi, edi
  154. :00401094 B9FFFFFFFF              mov ecx, FFFFFFFF
  155. :00401099 8D7C2420                lea edi, dword ptr [esp+20]
  156. :0040109D 2BC0                    sub eax, eax
  157. :0040109F F2                      repnz
  158. :004010A0 AE                      scasb
  159. :004010A1 4F                      dec edi
  160. :004010A2 8BCA                    mov ecx, edx
  161. :004010A4 C1E902                  shr ecx, 02
  162. :004010A7 6A01                    push 00000001
  163. :004010A9 F3                      repz
  164. :004010AA A5                      movsd
  165. :004010AB 8BCA                    mov ecx, edx
  166. :004010AD 6800000080              push 80000000
  167. :004010B2 83E103                  and ecx, 00000003
  168. :004010B5 F3                      repz
  169. :004010B6 A4                      movsb
  170. :004010B7 8D442428                lea eax, dword ptr [esp+28]
  171. :004010BB 50                      push eax
  172.  
  173. * Reference To: KERNEL32.CreateFileA, Ord:002Bh                   <-- Try to create a file on the CD
  174.                                   |
  175. :004010BC FF1550B34300            Call dword ptr [0043B350]
  176. :004010C2 83F8FF                  cmp eax, FFFFFFFF
  177. :004010C5 751C                    jne 004010E3                    <-- Take this jump to continue
  178.  
  179. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  180. |:00401050(C)
  181. |
  182. :004010C7 80C304                  add bl, 04
  183. :004010CA 33C0                    xor eax, eax
  184. :004010CC 8AC3                    mov al, bl
  185. :004010CE 3BC5                    cmp eax, ebp
  186. :004010D0 0F8264FFFFFF            jb 0040103A
  187.  
  188. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  189. |:00401034(C)
  190. |
  191. :004010D6 33C0                    xor eax, eax                  <-- Zero out eax for a failed CD check
  192. :004010D8 5D                      pop ebp
  193. :004010D9 5F                      pop edi
  194. :004010DA 5E                      pop esi
  195. :004010DB 5B                      pop ebx
  196. :004010DC 81C448040000            add esp, 00000448
  197. :004010E2 C3                      ret
  198.  
  199. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  200. |:004010C5(C)
  201. |
  202. :004010E3 50                      push eax
  203.  
  204. * Reference To: KERNEL32.CloseHandle, Ord:0016h
  205.                                   |
  206. :004010E4 FF1560B34300            Call dword ptr [0043B360]
  207. :004010EA B801000000              mov eax, 00000001             <-- 01 means the CD check passed
  208. :004010EF 5D                      pop ebp
  209. :004010F0 5F                      pop edi
  210. :004010F1 5E                      pop esi
  211. :004010F2 5B                      pop ebx
  212. :004010F3 81C448040000            add esp, 00000448
  213. :004010F9 C3                      ret
  214.  
  215.     That's the entire section of code that checks for the CD rom.  Changing the call 00401000 to
  216. mov eax, 00000001 will make the jne at 404AE8 always good.  This will allow Tempest 2000 to continue
  217. so you can play the with or without the CD online.
  218.     The last thing you'll need to do is to kill the calls to the online registration.  This can be
  219. found by a text search for "register" this will lead you to this section of code:
  220.  
  221. :00404A34 68F8924300              push 004392F8
  222. :00404A39 A1A0904100              mov eax, dword ptr [004190A0]
  223. :00404A3E 6828934300              push 00439328
  224. :00404A43 6A05                    push 00000005
  225. :00404A45 6A01                    push 00000001
  226. :00404A47 6A00                    push 00000000
  227. :00404A49 50                      push eax                        <-- Push needed information on stack
  228.  
  229. * Reference To: EREGREG2._RegCard_Register, Ord:0002h
  230.                                   |
  231. :00404A4A E803270100              Call 00417152                   <-- Make the EREG dll call
  232. :00404A4F 83C418                  add esp, 00000018               <-- Fix the stack for the pushed values
  233. :00404A52 A3D4924300              mov dword ptr [004392D4], eax
  234. :00404A57 A1A0904100              mov eax, dword ptr [004190A0]
  235. :00404A5C 50                      push eax
  236. :00404A5D E85ECEFFFF              call 004018C0
  237. :00404A62 83C404                  add esp, 00000004
  238. :00404A65 85C0                    test eax, eax
  239. :00404A67 750C                    jne 00404A75
  240. :00404A69 33C0                    xor eax, eax
  241. :00404A6B 5D                      pop ebp
  242. :00404A6C 5F                      pop edi
  243. :00404A6D 5E                      pop esi
  244. :00404A6E 5B                      pop ebx
  245. :00404A6F 83C41C                  add esp, 0000001C
  246. :00404A72 C21000                  ret 0010
  247.  
  248. * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  249. |:00404A67(C)
  250. |
  251. :00404A75 E8A6F7FFFF              call 00404220
  252. :00404A7A 85C0                    test eax, eax
  253. :00404A7C 750C                    jne 00404A8A
  254. :00404A7E 33C0                    xor eax, eax
  255. :00404A80 5D                      pop ebp
  256. :00404A81 5F                      pop edi
  257. :00404A82 5E                      pop esi
  258. :00404A83 5B                      pop ebx
  259. :00404A84 83C41C                  add esp, 0000001C
  260. :00404A87 C21000                  ret 0010
  261.  
  262.     Kill the call to the EREG by changing the call to a mov eax, 00000001.  There is a second
  263. call to the EREG dll you also need to kill.  This can be found by searching for any other calls to
  264. 417152.  You'll find two, the one listed above and one that's linked to "Register" on the file menu
  265. of Tempest 2000.  The same type of edit will also work for the second call.  After making the three
  266. patches you'll end up with a cracked Tempest 2000.
  267.  
  268. Edit tempest.exe
  269. ============================================
  270. Search for: E8 CD 37 01 00  at offset 11,648
  271. Change to : B8 01 00 00 00
  272.  
  273. Search for: E8 03 27 01 00  at offset 15,946
  274. Chagne to : B8 01 00 00 00
  275.  
  276. Search for: E8 1F C5 FF FF  at offset 16,092
  277. Change to : B8 01 00 00 00
  278.  
  279.     A favorite game of mine wasted, oh well... at least it's been FiX'ed
  280.  
  281. Static Vengeance - FiX
  282.