Text File  |  1998-09-28  |  13.3 KB  |  283 lines

  1.  
  2. Free Information Xchange '98 presents:
  3.  
  4. Unreal - CD crack by Static Vengeance
  5.  
  6. Requirements:
  7. Hex Editor and Full Install
  8. W32Dasm if you want to follow along
  9.  
  10.     Unreal, like its name, is just that as far as graphics for first-person shooters go!  It's awesome
  11. on my Voodoo2 card.  Just one little problem needs to be FiX'ed, and that is the CD check that
  12. comes up before you can play the game.  So I started up my favorite cracking program for Win95 exe files
  13. by the name of W32Dasm by URSoft.  I started out by disassembling the unreal.exe... but had no luck, so
  14. I thought I would check out some of the game DLLs.  I first started with the engine.dll but had no luck
  15. there either.  Next (with some sort of logical progression) I tried window.dll.  Sure enough, I checked
  16. for a reference to "Please insert.." and came upon this little bit of code:
  17.  
  18. --  Program code  --
  19. * Reference To: Core.?appSprintf@@YAHPADPBDZZ, Ord:033Eh
  20.                                   |
  21. :10B1C3CC FF150CB6B310            Call dword ptr [10B3B60C]
  22. :10B1C3D2 83C40C                  add esp, 0000000C
  23.  
  24. * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  25. |:10B1C405(C), :10B1C41B(U)                                          <-- 2 jumps to here: 1 conditional, 1 unconditional
  26. |
  27. :10B1C3D5 A114B7B310              mov eax, dword ptr [10B3B714]
  28. :10B1C3DA 833800                  cmp dword ptr [eax], 00000000
  29. :10B1C3DD 753E                    jne 10B1C41D                       <-- Use this conditional jump to
  30. :10B1C3DF 8D8DE4F9FFFF            lea ecx, dword ptr [ebp+FFFFF9E4]  <--  jump over the pop up dialog
  31. :10B1C3E5 51                      push ecx
  32. :10B1C3E6 FFD3                    call ebx                           <-- Actual CD check
  33. :10B1C3E8 83C404                  add esp, 00000004
  34. :10B1C3EB 85C0                    test eax, eax                      <-- Test eax for the result
  35. :10B1C3ED 7F2E                    jg 10B1C41D                        <-- Take this jump for passed CD check
  36. :10B1C3EF 6801200000              push 00002001
  37.  
  38. * Possible StringData Ref from Data Obj ->"Cd Required At Startup"            <-- Header to pop up dialog
  39.                                   |
  40. :10B1C3F4 68089DB310              push 10B39D08
  41.  
  42. * Possible StringData Ref from Data Obj ->"Please insert the Unreal CD-Rom "  <-- What got us here
  43.                                         ->"into your drive and press OK to "
  44.                                         ->"continue, or Cancel to exit."
  45.                                   |
  46. :10B1C3F9 68989CB310              push 10B39C98
  47. :10B1C3FE 6A00                    push 00000000
  48. :10B1C400 FFD6                    call esi
  49. :10B1C402 83F802                  cmp eax, 00000002                <-- Did you hit cancel
  50. :10B1C405 75CE                    jne 10B1C3D5                     <-- No, then check again
  51.  
  52. * Reference To: Core.?GIsCriticalError@@3HA, Ord:018Eh
  53.                                   |
  54. :10B1C407 8B1560B7B310            mov edx, dword ptr [10B3B760]
  55. :10B1C40D 6A00                    push 00000000
  56. :10B1C40F C70201000000            mov dword ptr [edx], 00000001
  57.  
  58. * Reference To: KERNEL32.ExitProcess, Ord:006Bh                    <-- Says it all, right?
  59.                                   |
  60. :10B1C415 FF1580B8B310            Call dword ptr [10B3B880]
  61. :10B1C41B EBB8                    jmp 10B1C3D5                     <-- Jump back up and check again
  62.  
  63. * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  64. |:10B1C3DD(C), :10B1C3ED(C)
  65. |
  66. :10B1C41D A114B7B310              mov eax, dword ptr [10B3B714]    <-- Getting here continues the game!
  67. :10B1C422 833800                  cmp dword ptr [eax], 00000000
  68. :10B1C425 7518                    jne 10B1C43F
  69.  
  70. * Reference To: Engine.?StaticClass@UGameEngine@@2PAVUClass@@A, Ord:04CDh
  71.                                   |
  72. :10B1C427 8B0DF4B7B310            mov ecx, dword ptr [10B3B7F4]
  73. :10B1C42D 6A00                    push 00000000
  74. :10B1C42F 6A05                    push 00000005
  75. :10B1C431 6A00                    push 00000000
  76. :10B1C433 8B11                    mov edx, dword ptr [ecx]
  77.  
  78. * Possible StringData Ref from Data Obj ->"ini:Engine.Engine.GameEngine"
  79.                                   |
  80. :10B1C435 68749CB310              push 10B39C74
  81. :10B1C43A 6A00                    push 00000000
  82. :10B1C43C 52                      push edx
  83. :10B1C43D EB44                    jmp 10B1C483
  84.   -- Continuing game code --
  85.  
  86.     The same code, but from the Cyrix beta 2.02 and the Rush beta 2.03:
  87.  
  88.   --  Program code  --
  89. * Reference To: Core.?appSprintf@@YAHPADPBDZZ, Ord:033Fh
  90.                                   |
  91. :10B1C485 FF1514B6B310            Call dword ptr [10B3B614]
  92. :10B1C48B 83C40C                  add esp, 0000000C
  93.  
  94. * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  95. |:10B1C4D1(C), :10B1C4E6(U)                                          <-- 2 jumps to here: 1 conditional, 1 unconditional
  96. |
  97. :10B1C48E A11CB7B310              mov eax, dword ptr [10B3B71C]
  98. :10B1C493 833800                  cmp dword ptr [eax], 00000000
  99. :10B1C496 7550                    jne 10B1C4E8                       <-- Use this conditional jump for the crack
  100. * Reference To: Core.?GIsClient@@3HA, Ord:018Ch
  101.                                   |
  102. :10B1C498 8B0D48B6B310            mov ecx, dword ptr [10B3B648]
  103. :10B1C49E 833900                  cmp dword ptr [ecx], 00000000
  104. :10B1C4A1 7445                    je 10B1C4E8                        <-- Take this jump for a passed CD check
  105. :10B1C4A3 8D95E4F9FFFF            lea edx, dword ptr [ebp+FFFFF9E4]
  106. :10B1C4A9 52                      push edx
  107.  
  108. * Reference To: Core.?appFSize@@YAHPBD@Z, Ord:0312h                  <-- Call used in the CD check
  109.                                   |
  110. :10B1C4AA FF15E4B6B310            Call dword ptr [10B3B6E4]
  111. :10B1C4B0 83C404                  add esp, 00000004
  112. :10B1C4B3 85C0                    test eax, eax
  113. :10B1C4B5 7F31                    jg 10B1C4E8
  114. :10B1C4B7 6801200000              push 00002001
  115.  
  116. * Possible StringData Ref from Data Obj ->"Cd Required At Startup"            <-- Header to pop up dialog
  117.                                   |
  118. :10B1C4BC 68089DB310              push 10B39D08
  119.  
  120. * Possible StringData Ref from Data Obj ->"Please insert the Unreal CD-Rom "  <-- What got us here
  121.                                         ->"into your drive and press OK to "
  122.                                         ->"continue, or Cancel to exit."
  123.                                   |
  124. :10B1C4C1 68989CB310              push 10B39C98
  125. :10B1C4C6 6A00                    push 00000000
  126.  
  127. * Reference To: USER32.MessageBoxA, Ord:0195h
  128.                                   |
  129. :10B1C4C8 FF1568B9B310            Call dword ptr [10B3B968]
  130. :10B1C4CE 83F802                  cmp eax, 00000002                <-- Did you hit cancel
  131. :10B1C4D1 75BB                    jne 10B1C48E                     <-- No, then check again
  132. :10B1C4D3 A170B7B310              mov eax, dword ptr [10B3B770]
  133. :10B1C4D8 6A00                    push 00000000
  134. :10B1C4DA C70001000000            mov dword ptr [eax], 00000001
  135.  
  136. * Reference To: KERNEL32.ExitProcess, Ord:006Bh                    <-- Says it all, right?
  137.                                   |
  138. :10B1C4E0 FF1590B8B310            Call dword ptr [10B3B890]
  139. :10B1C4E6 EBA6                    jmp 10B1C48E                     <-- Jump back up and check again
  140.  
  141. * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  142. |:10B1C496(C), :10B1C4A1(C), :10B1C4B5(C)
  143. |
  144.  
  145. * Reference To: Core.?GIsEditor@@3HA, Ord:018Eh
  146.                                   |
  147. :10B1C4E8 8B0D1CB7B310            mov ecx, dword ptr [10B3B71C]    <-- Getting here continues the game!
  148. :10B1C4EE 833900                  cmp dword ptr [ecx], 00000000
  149. :10B1C4F1 7518                    jne 10B1C50B
  150.  
  151. * Reference To: Engine.?StaticClass@UGameEngine@@2PAVUClass@@A, Ord:04CDh
  152.                                   |
  153. :10B1C4F3 8B1504B8B310            mov edx, dword ptr [10B3B804]
  154. :10B1C4F9 6A00                    push 00000000
  155. :10B1C4FB 6A05                    push 00000005
  156. :10B1C4FD 6A00                    push 00000000
  157. :10B1C4FF 8B02                    mov eax, dword ptr [edx]
  158.  
  159. * Possible StringData Ref from Data Obj ->"ini:Engine.Engine.GameEngine"
  160.                                   |
  161. :10B1C501 68749CB310              push 10B39C74
  162. :10B1C506 6A00                    push 00000000
  163. :10B1C508 50                      push eax
  164. :10B1C509 EB44                    jmp 10B1C54F
  165.   -- Continuing game code --
  166.  
  167.     For the latest betas, the code has changed a bit and has been placed inside the Unreal
  168. exe file; it looks like this:
  169.  
  170.   --  Program code  --
  171. * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  172. |:10902870(C), :10902886(U)
  173. |
  174.  
  175. * Reference To: Core.?GIsEditor@@3HA, Ord:01F7h
  176.                                   |
  177. :10902810 8B0D28619010            mov ecx, dword ptr [10906128]
  178. :10902816 833900                  cmp dword ptr [ecx], 00000000
  179. :10902819 757B                    jne 10902896
  180.  
  181. * Reference To: Core.?GIsClient@@3HA, Ord:01F5h
  182.                                   |
  183. :1090281B 8B1524619010            mov edx, dword ptr [10906124]
  184. :10902821 833A00                  cmp dword ptr [edx], 00000000
  185. :10902824 7470                    je 10902896
  186. :10902826 8D8560FAFFFF            lea eax, dword ptr [ebp+FFFFFA60]
  187. :1090282C 50                      push eax
  188.  
  189. * Reference To: Core.?appFSize@@YAHPBD@Z, Ord:03CDh
  190.                                   |
  191. :1090282D FF15E8609010            Call dword ptr [109060E8]
  192. :10902833 83C404                  add esp, 00000004
  193. :10902836 85C0                    test eax, eax
  194. :10902838 7F5C                    jg 10902896                    <-- This is the jump we'll force
  195. :1090283A 6A00                    push 00000000
  196.  
  197. * Possible StringData Ref from Data Obj ->"Window"
  198.                                   |
  199. :1090283C 68ECA39010              push 1090A3EC
  200.  
  201. * Possible StringData Ref from Data Obj ->"InsertCdTitle"        <-- How hard was it to find?
  202.                                   |
  203. :10902841 68E8A19010              push 1090A1E8
  204. :10902846 FFD7                    call edi
  205. :10902848 83C40C                  add esp, 0000000C
  206. :1090284B 8BF0                    mov esi, eax
  207. :1090284D 6A00                    push 00000000
  208.  
  209. * Possible StringData Ref from Data Obj ->"Window"
  210.                                   |
  211. :1090284F 68ECA39010              push 1090A3EC
  212.  
  213. * Possible StringData Ref from Data Obj ->"InsertCdText"         <-- Slight "give away" with this ref
  214.                                   |
  215. :10902854 68D8A19010              push 1090A1D8
  216. :10902859 FFD7                    call edi
  217. :1090285B 83C40C                  add esp, 0000000C
  218. :1090285E 6801200000              push 00002001
  219. :10902863 56                      push esi
  220. :10902864 50                      push eax
  221. :10902865 6A00                    push 00000000
  222.  
  223. * Reference To: USER32.MessageBoxA, Ord:01BEh
  224.                                   |
  225. :10902867 FF1504629010            Call dword ptr [10906204]
  226. :1090286D 83F802                  cmp eax, 00000002
  227. :10902870 759E                    jne 10902810
  228.  
  229. * Reference To: Core.?GIsCriticalError@@3HA, Ord:01F6h
  230.                                   |
  231. :10902872 8B0DF0609010            mov ecx, dword ptr [109060F0]
  232. :10902878 6A00                    push 00000000
  233. :1090287A C70101000000            mov dword ptr [ecx], 00000001
  234.  
  235. * Reference To: KERNEL32.ExitProcess, Ord:007Dh
  236.                                   |
  237. :10902880 FF1598619010            Call dword ptr [10906198]
  238. :10902886 EB88                    jmp 10902810
  239.  
  240. * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:  <-- Getting here continues the game!
  241. |:109025BC(C), :109025E6(C), :1090262B(C), :1090267F(C), :109026CF(C)
  242. |
  243. :10902888 8B45D8                  mov eax, dword ptr [ebp-28]
  244. :1090288B 40                      inc eax
  245. :1090288C 8945D8                  mov dword ptr [ebp-28], eax
  246.   -- Continuing game code --
  247.  
  248.     That's it: the routine that will stop you if you don't have the CD in the drive when you start up
  249. Unreal.  If you change that conditional jump I pointed out to jump (always), then the program will start
  250. up with or without the CD present.  For the first two beta upgrades released on the net, one called
  251. CyrixBeta202.exe and the other called RushBeta203.zip, the CD check is almost the same, but just different
  252. enough to throw off the search for bytes.  However, starting with beta version 2.09 the copy protection
  253. has moved to the actual Unreal executable file (unreal.exe) and has been changed.  Although the change does
  254. eliminate the direct text refs, it now has refs like "InsertCdText".  Still just as easy to find.  Figure out
  255. which version of Unreal you are running, go into the "Unreal\System\" directory, and make the following
  256. edits by version:
  257.  
  258. For the version off the CD edit window.dll
  259. ===========================================
  260. Search for: 75 3E 8D 8D   at offset 112,605
  261. Change to : EB -- -- --
  262.  
  263. For beta versions 2.02 & 2.03 edit window.dll
  264. ============================================
  265. Search for: 75 50 8B 0D   at offset 112,790
  266. Change to : EB -- -- --
  267.  
  268. For beta version 2.09 edit Unreal.exe
  269. =====================================
  270. Search for: 7F 4E     at offset 5,214
  271. Change to : EB 4E
  272.  
  273. For beta version 2.16 edit Unreal.exe
  274. =====================================
  275. Search for: 7F 5C    at offset 10,296
  276. Change to : EB 5C
  277.  
  278.     That's all it takes to FiX Unreal!
  279.  
  280. Static Vengeance
  281.  
  282.  
  283.