
Free Information Xchange presents:

S.C.A.R.S. - CD crack by Static Vengeance - Dec 23rd, 1998

Requirements:
hex editor and full install
W32Dasm if you want to follow along

	S.C.A.R.S. is another racer by Ubi Soft based on the Pod 3D race engine, although this one
seems to be aimed at younger kids judging by the car designs.  As such, here is a good example of why
you need to FiX the program bug known as a CD check.  If jr. is going to be inserting the CD there's no
telling how careful he'll be or where he'll leave the CD when he's done with it.  Why risk losing a
game CD over a stupid little thing like a CD check when it can be removed!
	When trying to run the game without the CD in the drive you'll see that a standard Windows
pop-up dialog box appears and tells you there's no Scars CD in the drive.  That's as good a place
as any to start our cracking adventure.  So load up W32Dasm and disassemble the version you want
to crack (in this example it's the 3Dfx version, ScarsFX.exe).  Once W32Dasm has finished, go up to
the menu bar and select Refs and then String Data References from the drop-down menu.
When the pop-up box appears, grab the slider bar and scroll down to "No Scars CD In Drive"
and simply double click.  Check out the info...  Well ok, not exactly what we're looking for, so go
back and double click the string ref again and you should see something like this:


  -- Program code --
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010AA(U)                                                         <-- Got here via a jump
|
:0040A7C0 56                      push esi

* Possible StringData Ref from Data Obj ->"..\..\scars\data\sndxtr."  <-- Check for this file
                                  |
:0040A7C1 6884F84900              push 0049F884
:0040A7C6 E8F66AFFFF              call 004012C1
:0040A7CB 83C404                  add esp, 00000004
:0040A7CE 85C0                    test eax, eax
:0040A7D0 741C                    je 0040A7EE                         <-- Didn't find the file jump down
:0040A7D2 A1AC324F00              mov eax, dword ptr [004F32AC]
:0040A7D7 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"Scars Error"
                                  |
:0040A7D9 6874F84900              push 0049F874

* Possible StringData Ref from Data Obj ->"Scars Install Error"
                                  |
:0040A7DE 6844F84900              push 0049F844
:0040A7E3 50                      push eax

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:0040A7E4 FF15589A7501            Call dword ptr [01759A58]
:0040A7EA 32C0                    xor al, al                           <-- Set up for failed check
:0040A7EC 5E                      pop esi
:0040A7ED C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A7D0(C)
|
:0040A7EE 6800800000              push 00008000
:0040A7F3 6810394F00              push 004F3910
:0040A7F8 E8D3600600              call 004708D0
:0040A7FD 8BF0                    mov esi, eax
:0040A7FF 83C408                  add esp, 00000008
:0040A802 83FEFF                  cmp esi, FFFFFFFF
:0040A805 751D                    jne 0040A824
:0040A807 8B0DAC324F00            mov ecx, dword ptr [004F32AC]
:0040A80D 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"Scars Error"
                                  |
:0040A80F 6874F84900              push 0049F874

* Possible StringData Ref from Data Obj ->"No Scars CD In Drive"  <-- How & why we got here
                                  |
:0040A814 6828F84900              push 0049F828
:0040A819 51                      push ecx

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:0040A81A FF15589A7501            Call dword ptr [01759A58]
:0040A820 32C0                    xor al, al                      <-- Set up for a failed CD check
:0040A822 5E                      pop esi
:0040A823 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A805(C)
|
:0040A824 56                      push esi
:0040A825 E876D70600              call 00477FA0
:0040A82A 83C404                  add esp, 00000004
:0040A82D 56                      push esi
:0040A82E E85D200600              call 0046C890
:0040A833 83C404                  add esp, 00000004
:0040A836 B001                    mov al, 01                      <-- Set up for passed CD check
:0040A838 5E                      pop esi
:0040A839 C3                      ret

	That was short and simple to follow.  You'll see that if things go "bad" (no CD found) al is loaded
with zero.  However, if everything is peachy then al gets loaded with 01 at 40A836.  So if you go back
and look at the caller @ 4010AA you'll see it's part of a huge jump table.  A jump table is a list of
jumps to sections of the game, reached by calls or other indirect jumps through the table.  We're lucky here
as you'll see the jump we want to kill is referenced by a simple call instruction.  Part of the jump
table follows:

  -- Small section of a large jump table --
* Referenced by a CALL at Address:
|:0040CBFF   
|
:004010A0 E99B5F0000              jmp 00407040
:004010A5 E986B10000              jmp 0040C230

* Referenced by a CALL at Address:
|:0040D0B9                                             <-- Called just once   
|
:004010AA E911970000              jmp 0040A7C0         <-- Jump to CD check
:004010AF E97C440000              jmp 00405530

* Referenced by a CALL at Addresses:
|:0044F72E   , :0044F826   
|
:004010B4 E9A7DB0000              jmp 0040EC60

* Referenced by a CALL at Address:
|:00406C0A   
|
:004010B9 E932590000              jmp 004069F0
:004010BE E96D990000              jmp 0040AA30
  -- The rest of the jump table --

	Alright, now it's just a matter of checking out the code surrounding the caller (40D0B9) to
see what it does and how we'll deal with it.  So go to 40D0B9 and back up a couple of lines to see
what we have:

  -- Program code --
:0040D0B0 6A61                    push 00000061
:0040D0B2 FFD5                    call ebp
:0040D0B4 E81341FFFF              call 004011CC
:0040D0B9 E8EC3FFFFF              call 004010AA          <-- Call jump to CD check
:0040D0BE 84C0                    test al, al            <-- Pass/fail value returned in al
:0040D0C0 750D                    jne 0040D0CF           <-- Anything but zero means passed
:0040D0C2 83C8FF                  or eax, FFFFFFFF
:0040D0C5 5F                      pop edi
:0040D0C6 5E                      pop esi
:0040D0C7 5D                      pop ebp
:0040D0C8 5B                      pop ebx
:0040D0C9 83C448                  add esp, 00000048
:0040D0CC C21000                  ret 0010               <-- Getting here quits the game

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D0C0(C)                                                        <-- Need to get here to play the game
|
* Reference To: KERNEL32.InitializeCriticalSection, Ord:0179h        <-- Continue loading and move on
                                  |
:0040D0CF 8B3538987501            mov esi, dword ptr [01759838]
:0040D0D5 6890324F00              push 004F3290
:0040D0DA FFD6                    call esi
:0040D0DC 68D8344F00              push 004F34D8
:0040D0E1 FFD6                    call esi
:0040D0E3 6848324F00              push 004F3248
:0040D0E8 FFD6                    call esi
:0040D0EA 68007F0000              push 00007F00
:0040D0EF 57                      push edi
:0040D0F0 893DCC753401            mov dword ptr [013475CC], edi

* Reference To: USER32.LoadCursorA, Ord:0172h
                                  |
:0040D0F6 FF15A09A7501            Call dword ptr [01759AA0]
:0040D0FC 6A66                    push 00000066
:0040D0FE 8B742460                mov esi, dword ptr [esp+60]
:0040D102 8944244C                mov dword ptr [esp+4C], eax
  -- Continuing program code --

	No problem here, just change the call to the jump table to mov eax, 00000001 and you have a
cracked version of the game.  Although the game only checks al, which is the lowest 8 bits of eax, the
jne will still be taken.  The reason being the CPU sees the 01 as the value in al, ax and eax alike.  As you
know eax is "extended ax" and is 32 bits wide, ax is 16 bits and al (ax lower) is only 8 bits wide.
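The listing above relies on a few pieces of x86 arithmetic the text does not spell out: a call or jmp with opcode E8/E9 carries a signed 32-bit displacement measured from the end of the instruction, a je/jne with opcode 74/75 carries a signed 8-bit one, and mov eax, imm32 (opcode B8) is exactly five bytes, the same length as the call it replaces, which is why the surrounding code does not need to shift.  The following Python is an added example, not part of the original tutorial or anything from Ubi Soft: it decodes every branch shown in the listing and checks that each target matches what W32Dasm printed, models why al ends up non-zero after mov eax, 1, and derives the address-to-file-offset delta from the one (address, offset) pair the step list gives for the 3Dfx exe (VA 0040D0B9 at offset 50,361).  That delta is assumed to hold only inside the same PE section as that pair; the tutorial does not show the section headers.

```python
import struct

# Constructed from the W32Dasm listing in this tutorial:
# (instruction address, raw bytes, target address as W32Dasm printed it).
LISTING = [
    (0x0040D0B9, bytes.fromhex("E8EC3FFFFF"), 0x004010AA),  # call 004010AA (into the jump table)
    (0x004010AA, bytes.fromhex("E911970000"), 0x0040A7C0),  # jmp 0040A7C0  (the CD check routine)
    (0x0040A7C6, bytes.fromhex("E8F66AFFFF"), 0x004012C1),  # call 004012C1 (looks for sndxtr.)
    (0x0040A7D0, bytes.fromhex("741C"),       0x0040A7EE),  # je 0040A7EE   (file not found)
    (0x0040A805, bytes.fromhex("751D"),       0x0040A824),  # jne 0040A824  (CD check passed)
    (0x0040D0C0, bytes.fromhex("750D"),       0x0040D0CF),  # jne 0040D0CF  (keep loading the game)
]


def branch_target(addr, code):
    """Decode one x86 relative branch and return (mnemonic, absolute target).

    Covers the forms in the listing: E8/E9 (call/jmp rel32) and 74/75 (je/jne rel8).
    The displacement is relative to the address of the *next* instruction,
    i.e. addr + instruction length, which is the part that trips people up.
    """
    op = code[0]
    if op in (0xE8, 0xE9):
        if len(code) != 5:
            raise ValueError("rel32 branch must be 5 bytes")
        (rel,) = struct.unpack("<i", code[1:5])          # signed little-endian 32-bit
        return ("call" if op == 0xE8 else "jmp"), (addr + 5 + rel) & 0xFFFFFFFF
    if op in (0x74, 0x75):
        if len(code) != 2:
            raise ValueError("rel8 branch must be 2 bytes")
        (rel,) = struct.unpack("<b", code[1:2])          # signed 8-bit
        return ("je" if op == 0x74 else "jne"), (addr + 2 + rel) & 0xFFFFFFFF
    raise ValueError("unsupported opcode 0x%02X" % op)


def check_listing(listing=LISTING):
    """True when every decoded target agrees with the address W32Dasm printed."""
    return all(branch_target(addr, code)[1] == target for addr, code, target in listing)


def mov_eax_imm32(value):
    """Encode `mov eax, imm32`: opcode B8 followed by a little-endian 32-bit immediate."""
    return b"\xB8" + struct.pack("<I", value)


def al_after_mov_eax(value):
    """al aliases the low byte of eax, so after mov eax, 1 the check reads al == 1."""
    return value & 0xFF


def jne_taken(al):
    """`test al, al` clears ZF exactly when al != 0, and jne is taken when ZF is clear."""
    return al != 0


def va_to_file_offset(va, known_va=0x0040D0B9, known_offset=50361):
    """Map a W32Dasm virtual address to a hex-editor file offset.

    Uses the one (VA, offset) pair the tutorial gives for the 3Dfx exe.
    Assumption: only valid for addresses inside the same PE section as that pair.
    """
    return va - (known_va - known_offset)


if __name__ == "__main__":
    for addr, code, _ in LISTING:
        mnem, target = branch_target(addr, code)
        print("%08X  %-10s -> %08X" % (addr, code.hex().upper(), target), mnem)
    print("listing consistent:", check_listing())
    print("mov eax, 1 encodes as", mov_eax_imm32(1).hex().upper())
    print("VA - offset delta: 0x%X" % (0x0040D0B9 - va_to_file_offset(0x0040D0B9)))
```

The delta the last function derives, 0x400C00, is exactly what a typical image base of 0x400000 plus a .text section that starts at RVA 0x1000 but file offset 0x400 would give, which is why W32Dasm addresses and hex-editor offsets differ by a constant inside one section.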
	BTW: Although not needed, you can copy the AVI files from the CD to the "/Data" subdirectory
and the game will find and use them.  If not, the game will just continue as though they have already
been played.  There you have it, and now the simple way:

1.  Install the game (only one type of install allowed)
2.  Make the following edits by version:

For the 3Dfx version edit ScarsFX.exe
============================================
Search for: E8 EC 3F FF FF  at offset 50,361
Change to : B8 01 00 00 00

Search for: 74 1E           at offset 39,767
Change to : EB 37

For the Direct3D version edit ScarsD3D.exe
============================================
Search for: E8 20 5C FF FF  at offset 43,161
Change to : B8 01 00 00 00

Search for: 74 1E           at offset 32,967
Change to : EB 37

For the updated internet released patch:

For the 3Dfx version edit ScarsFX.exe
============================================
Search for: E8 6B 3E FF FF  at offset 54,058
Change to : B8 01 00 00 00

Search for: 74 1E           at offset 43,015
Change to : EB 37

Search for: 74 1C           at offset 43,264
Change to : EB 52

For the Direct3D version edit ScarsD3D.exe
============================================
Search for: E8 1C 58 FF FF  at offset 47,498
Change to : B8 01 00 00 00

Search for: 74 1E           at offset 36,823
Change to : EB 37

Search for: 74 1C           at offset 37,072
Change to : EB 52

3.  Option: Copy all the AVI files from the CD into "\Data"
4.  Enjoy the newly cracked version of S.C.A.R.S.

	Yet another copy protection has fallen, because we FiX'ed this one.

Static Vengeance
