Sports Car GT [US] v1.0  - No CD Cracking.

Hello, reader. This time we're going to crack the CD protection for Sports Car GT. It's a nice game, I think, but it's even nicer when we don't need the ISO.

Tools needed (get them at my homepage: www.crackingorgasm.cjb.net):

HIEW (Hackers View) 6.16
WDASM 8.93

You must know how to use WDASM & HIEW!

When you have disassembled Spcar.exe in WDASM you will see this in the "String Data References" window:

"         (((((                "
" "
" cC"
"."
"@"
"@pE"
"]"
"]_^["
"`"
"0"
"cube.pal"
"P"
"p"
"P"
"p"
"P"
"P"
"p"
"P"
"p"
"P"
"p"
"P"
"P"
"P"
"p"
"PDT"
"PST"
"USV"
"VUS"
"WVS"
"WVUS"
"WVV3"
"xTO"

Okay, not good.

So we check the imports for KERNEL32.GetDriveTypeA (it reports the type of a drive, e.g. CD-ROM, so it is a common starting point for tracing a CD check).
If we find it, we can trace the CD check from there. So did we find it? Nope. Damn.

Okay, this would be a perfect job for SoftICE, but I don't want to reboot right now. So we need to check some other imports; let's try KERNEL32.GetVolumeInformationA. Find KERNEL32.GetVolumeInformationA in the imports in WDASM, double-click on it, then double-click on it again to see if it is referenced from another place. Nope. Okay, KERNEL32.GetVolumeInformationA is referenced from only one spot. Perfect. So what now?

You will see this:

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh       <--- You will be here.
                                  |
:0044C0CB 8B0D60004E00            mov ecx, dword ptr [004E0060]
:0044C0D1 891C24                  mov dword ptr [esp], ebx
:0044C0D4 896C2404                mov dword ptr [esp+04], ebp
:0044C0D8 89442408                mov dword ptr [esp+08], eax
:0044C0DC 8954241C                mov dword ptr [esp+1C], edx
:0044C0E0 89542418                mov dword ptr [esp+18], edx
:0044C0E4 89542414                mov dword ptr [esp+14], edx
:0044C0E8 89542410                mov dword ptr [esp+10], edx
:0044C0EC 8954240C                mov dword ptr [esp+0C], edx
:0044C0F0 FFD1                    call ecx
:0044C0F2 B820645400              mov eax, 00546420
:0044C0F7 BA06000000              mov edx, 00000006
:0044C0FC 89542408                mov dword ptr [esp+08], edx
:0044C100 896C2404                mov dword ptr [esp+04], ebp
:0044C104 890424                  mov dword ptr [esp], eax
:0044C107 E8F4EB0600              call 004BAD00
:0044C10C 85C0                    test eax, eax                 <--- Equal? CD in drive?
:0044C10E 740D                    je 0044C11D                   <--- Jump if CD in drive, else error msg.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044C03C(C), :0044C09C(C), :0044C0AC(C)
|
:0044C110 81C42C010000            add esp, 0000012C             <--- You end up here if it didn't
:0044C116 33C0                    xor eax, eax                       find the CD. If you end up
:0044C118 5B                      pop ebx                            here, the error message
:0044C119 5D                      pop ebp                            "Please Insert CD ROM" pops up.
:0044C11A 5E                      pop esi
:0044C11B 5F                      pop edi
:0044C11C C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044C10E(C)
|
:0044C11D 81C42C010000            add esp, 0000012C             <--- If it found the CD it jumps
:0044C123 B801000000              mov eax, 00000001                  here, and the game runs.
:0044C128 5B                      pop ebx
:0044C129 5D                      pop ebp
:0044C12A 5E                      pop esi
:0044C12B 5F                      pop edi
:0044C12C C3                      ret

So we have a clever idea. Yeah... we always do.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044C03C(C), :0044C09C(C), :0044C0AC(C)
|
:0044C110 81C42C010000            add esp, 0000012C             <--- Change here so it jumps to
:0044C116 33C0                    xor eax, eax                       0044C11D, the place it would
:0044C118 5B                      pop ebx                            jump to if it found the CD.
:0044C119 5D                      pop ebp
:0044C11A 5E                      pop esi
:0044C11B 5F                      pop edi
:0044C11C C3                      ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044C10E(C)
|
:0044C11D 81C42C010000            add esp, 0000012C             <--- 0044C11D. CD in drive. Good boy!
:0044C123 B801000000              mov eax, 00000001
:0044C128 5B                      pop ebx
:0044C129 5D                      pop ebp
:0044C12A 5E                      pop esi
:0044C12B 5F                      pop edi
:0044C12C C3                      ret

So let's patch it to this!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044C03C(C), :0044C09C(C), :0044C0AC(C)
|
0044C110: E908000000                   jmp      0044C11D        <--- Change to this.
0044C115: 90                           nop                      <--- NOP out the left-over byte.
0044C116: 33C0                         xor       eax,eax             Whether it finds the CD or not, it
0044C118: 5B                           pop       ebx                 always jumps to Good Boy! and the
0044C119: 5D                           pop       ebp                 game runs.
0044C11A: 5E                           pop       esi
0044C11B: 5F                           pop       edi
0044C11C: C3                           retn

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044C10E(C)
|
:0044C11D 81C42C010000            add esp, 0000012C             <--- Good boy!
:0044C123 B801000000              mov eax, 00000001
:0044C128 5B                      pop ebx
:0044C129 5D                      pop ebp
:0044C12A 5E                      pop esi
:0044C12B 5F                      pop edi
:0044C12C C3                      ret
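As an added example (not part of tAC's tutorial), here is a small Python script that takes the original and patched bytes of the 0044C110 epilogue listed above, reports whether the region has been tampered with, and decodes where the new near jump lands. It also shows the displacement arithmetic the listing leaves implicit: a rel32 in `E9 xx xx xx xx` is relative to the end of the 5-byte instruction, so 0044C110 + 5 + 8 = 0044C11D. The byte strings are the ones on this page; the function names are my own.

```python
import struct

BASE = 0x0044C110  # address of the first byte of both regions below

# Failure-path epilogue as listed on this page:
#   add esp,12Ch / xor eax,eax / pop ebx / pop ebp / pop esi / pop edi / ret
ORIGINAL = bytes.fromhex("81C42C010000" "33C0" "5B" "5D" "5E" "5F" "C3")
# Same region after the tutorial's patch: jmp 0044C11D / nop / xor eax,eax / ...
PATCHED = bytes.fromhex("E908000000" "90" "33C0" "5B" "5D" "5E" "5F" "C3")


def jmp_rel32_target(code, addr):
    """Decode an E9 rel32 near jump at `addr`; return its target or None.

    rel32 is signed and relative to the end of the 5-byte instruction,
    so target = addr + 5 + rel32 (here 0044C110 + 5 + 8 = 0044C11D).
    """
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel32) & 0xFFFFFFFF


def modified_span(original, patched, base):
    """Return (addr, old_bytes, new_bytes) covering the first to last byte
    that differs between two equal-length regions, or None if identical."""
    if len(original) != len(patched):
        raise ValueError("an in-place patch must keep the region length")
    diffs = [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]
    if not diffs:
        return None
    lo, hi = diffs[0], diffs[-1] + 1
    return base + lo, original[lo:hi], patched[lo:hi]


def check_region(original, patched, base):
    """Report whether the region was modified and, if the modification
    starts with a near jump, where control now goes."""
    span = modified_span(original, patched, base)
    if span is None:
        return {"tampered": False}
    addr, old, new = span
    return {"tampered": True, "addr": addr, "old": old.hex(), "new": new.hex(),
            "jmp_target": jmp_rel32_target(new, addr)}


if __name__ == "__main__":
    r = check_region(ORIGINAL, PATCHED, BASE)
    if r["tampered"]:
        print(f"modified at {r['addr']:08X}: {r['old']} -> {r['new']}, "
              f"jumps to {r['jmp_target']:08X}")
```

Running it against the bytes from the listing reports a single modified span at 0044C110 whose new first instruction jumps to 0044C11D; the same comparison against a pristine copy of the region reports no tampering.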

Easy! ehh... yeah...

Btw: you can delete the Anim folder in your Sports Car GT folder to get rid of 25 MB of movies.

Questions? mail me.

Written by: tAC
Date: 170200

Email: tac_2000@hotmail.com
  www: www.crackingorgasm.cjb.net