Free Information Xchange '97 presents:
Frogger - CD Crack by Static Vengeance

Requirements: Hex Editor and Full install

Frogger has been revamped and "3D'ed", but like most games nowadays it has some annoying CD check somewhere. That's unacceptable to me: I want to play the game, not go searching for the CD it came on. So as usual we'll be disassembling this game and looking for the routines responsible for the CD check. Once we find those routines we'll look for a way to defeat it, so we end up with a cracked version on the old hard drive.

The first thing to do is to run W32Dasm on frogger.exe. When it's done, go up to the title bar, select "Refs" from the menu and drop down to "String data references". From there grab the slider bar and scroll down to the string "Please insert the Frogger CD". Double clicking this string puts us in the middle of the CD check routine. Aren't all my tutorials beginning to sound the same? Anyways, here's that code:

* Referenced by a CALL at Addresses:
|:00403681 , :004038DC
|
:004037E0 81EC00010000            sub esp, 00000100
:004037E6 C6059458490000          mov byte ptr [00495894], 00

* Possible StringData Ref from Data Obj ->"FROGGER"
|
:004037ED 68ECE24600              push 0046E2EC
:004037F2 E8A9660400              call 00449EA0              <-- Gets drive type & volume
:004037F7 83C404                  add esp, 00000004
:004037FA A294584900              mov byte ptr [00495894], al
:004037FF 84C0                    test al, al
:00403801 7509                    jne 0040380C
:00403803 33C0                    xor eax, eax
:00403805 81C400010000            add esp, 00000100
:0040380B C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403801(C)
|
:0040380C A294584900              mov byte ptr [00495894], al
:00403811 84C0                    test al, al
:00403813 744E                    je 00403863
:00403815 8D4C2400                lea ecx, dword ptr [esp]

* Possible StringData Ref from Data Obj ->":\video\intro.rpl"   <-- Intro off the CD
|
:00403819 68D8E24600              push 0046E2D8
:0040381E 0FBEC0                  movsx eax, al
:00403821 50                      push eax

* Possible StringData Ref from Data Obj ->"%c%s"
|
:00403822 68D0E24600              push 0046E2D0
:00403827 51                      push ecx
:00403828 E853F80500              call 00463080
:0040382D 8D4C2410                lea ecx, dword ptr [esp+10]
:00403831 83C410                  add esp, 00000010
:00403834 6800800000              push 00008000
:00403839 51                      push ecx
:0040383A E8716B0600              call 0046A3B0
:0040383F 83C408                  add esp, 00000008
:00403842 83F8FF                  cmp eax, FFFFFFFF
:00403845 7415                    je 0040385C
:00403847 50                      push eax
:00403848 E8B3560600              call 00468F00
:0040384D 83C404                  add esp, 00000004
:00403850 B801000000              mov eax, 00000001
:00403855 81C400010000            add esp, 00000100
:0040385B C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403845(C)
|
:0040385C C6059458490000          mov byte ptr [00495894], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403813(C)
|
:00403863 33C0                    xor eax, eax
:00403865 81C400010000            add esp, 00000100
:0040386B C3                      ret
:0040386C CC                      int 03
:0040386D CC                      int 03
:0040386E CC                      int 03
:0040386F CC                      int 03
:00403870 81EC00010000            sub esp, 00000100
:00403876 53                      push ebx

* Reference To: KERNEL32.GetUserDefaultLCID, Ord:0148h
|
:00403877 FF15E4944A00            Call dword ptr [004A94E4]
:0040387D 6625FF03                and ax, 03FF
:00403881 8B8C240C010000          mov ecx, dword ptr [esp+0000010C]
:00403888 81F910010000            cmp ecx, 00000110
:0040388E 742B                    je 004038BB
:00403890 81F911010000            cmp ecx, 00000111
:00403896 740C                    je 004038A4
:00403898 33C0                    xor eax, eax
:0040389A 5B                      pop ebx
:0040389B 81C400010000            add esp, 00000100
:004038A1 C21000                  ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403896(C)
|
:004038A4 8B8C2410010000          mov ecx, dword ptr [esp+00000110]
:004038AB 81E1FFFF0000            and ecx, 0000FFFF
:004038B1 83F901                  cmp ecx, 00000001
:004038B4 7426                    je 004038DC
:004038B6 83F902                  cmp ecx, 00000002
:004038B9 744A                    je 00403905

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040388E(C)
|
* Possible Reference to String Resource ID=00041: "Please insert the Frogger CD"   <-- need explanation?
|
:004038BB B929000000              mov ecx, 00000029
:004038C0 25FFFF0000              and eax, 0000FFFF
:004038C5 83E807                  sub eax, 00000007
:004038C8 83F809                  cmp eax, 00000009
:004038CB 776E                    ja 0040393B
:004038CD 33D2                    xor edx, edx
:004038CF 8A9090394000            mov dl, byte ptr [eax+00403990]
:004038D5 FF24957C394000          jmp dword ptr [4*edx+0040397C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004038B4(C)
|
:004038DC E8FFFEFFFF              call 004037E0
:004038E1 83F801                  cmp eax, 00000001
:004038E4 7510                    jne 004038F6
:004038E6 8B842408010000          mov eax, dword ptr [esp+00000108]
:004038ED 6A01                    push 00000001
:004038EF 50                      push eax

* Reference To: USER32.EndDialog, Ord:00B4h
|
:004038F0 FF1558954A00            Call dword ptr [004A9558]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004038E4(C)
|
:004038F6 B801000000              mov eax, 00000001
:004038FB 5B                      pop ebx
:004038FC 81C400010000            add esp, 00000100
:00403902 C21000                  ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004038B9(C)
|
:00403905 8B842408010000          mov eax, dword ptr [esp+00000108]
:0040390C 6A00                    push 00000000
:0040390E 50                      push eax

* Reference To: USER32.EndDialog, Ord:00B4h
|
:0040390F FF1558954A00            Call dword ptr [004A9558]
:00403915 33C0                    xor eax, eax
:00403917 5B                      pop ebx
:00403918 81C400010000            add esp, 00000100
:0040391E C21000                  ret 0010

* Possible Reference to String Resource ID=00045: "Bitte die Frogger-CD einlegen"   <-- die, frog, die
|                                                                                    <-- hahahahahaha
:00403921 B92D000000              mov ecx, 0000002D
:00403926 EB13                    jmp 0040393B

* Possible Reference to String Resource ID=00042: "Inserte el CD Frogger"
|
:00403928 B92A000000              mov ecx, 0000002A
:0040392D EB0C                    jmp 0040393B

* Possible Reference to String Resource ID=00044: "Veuillez insérer le CD Frogger"
|
:0040392F B92C000000              mov ecx, 0000002C
:00403934 EB05                    jmp 0040393B

* Possible Reference to String Resource ID=00043: "Inserire il CD Frogger"
|
:00403936 B92B000000              mov ecx, 0000002B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004038CB(C), :00403926(U), :0040392D(U), :00403934(U)
|
:0040393B 8D442404                lea eax, dword ptr [esp+04]
:0040393F 6800010000              push 00000100
:00403944 50                      push eax
:00403945 51                      push ecx
:00403946 8B0D5C284800            mov ecx, dword ptr [0048285C]
:0040394C 8B11                    mov edx, dword ptr [ecx]
:0040394E 52                      push edx

* Reference To: USER32.LoadStringA, Ord:0183h
|
:0040394F FF155C954A00            Call dword ptr [004A955C]
:00403955 8D4C2404                lea ecx, dword ptr [esp+04]
:00403959 8B942408010000          mov edx, dword ptr [esp+00000108]
:00403960 51                      push ecx

* Possible Reference to Dialog: DialogID_0078, CONTROL_ID:0409, ""
|
:00403961 6809040000              push 00000409
:00403966 52                      push edx

* Reference To: USER32.SetDlgItemTextA, Ord:01F1h
|
:00403967 FF1554954A00            Call dword ptr [004A9554]
:0040396D B801000000              mov eax, 00000001
:00403972 5B                      pop ebx
:00403973 81C400010000            add esp, 00000100
:00403979 C21000                  ret 0010

After running through some calls and tracing jumps I went back up to the beginning and traced backwards to the calling routines.

* Referenced by a CALL at Addresses:
|:00402EC1 , :00406731
|
:00403680 53                      push ebx
:00403681 E85A010000              call 004037E0              <-- Find Frogger CD
:00403686 85C0                    test eax, eax
:00403688 7524                    jne 004036AE
:0040368A 6A00                    push 00000000
:0040368C A15C284800              mov eax, dword ptr [0048285C]
:00403691 6870384000              push 00403870
:00403696 90                      nop
:00403697 8B10                    mov edx, dword ptr [eax]
:00403699 8B4804                  mov ecx, dword ptr [eax+04]
:0040369C 51                      push ecx

* Possible Reference to Dialog: DialogID_0078
|
:0040369D 6A78                    push 00000078
:0040369F 52                      push edx

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:004036A0 FF1514954A00            Call dword ptr [004A9514]
:004036A6 85C0                    test eax, eax
:004036A8 7504                    jne 004036AE               <-- remember the mov eax, 00000001
:004036AA 33C0                    xor eax, eax               <-- from the above routine?
:004036AC 5B                      pop ebx
:004036AD C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403688(C), :004036A8(C)
|
:004036AE B801000000              mov eax, 00000001
:004036B3 5B                      pop ebx
:004036B4 C3                      ret

Okay, let's back trace it to the calling routines (from 402EC1 & 406731) and check it out there.

* Referenced by a CALL at Address:
|:00463406
|
:00402EB0 83EC10                  sub esp, 00000010
:00402EB3 53                      push ebx
:00402EB4 56                      push esi
:00402EB5 E806080000              call 004036C0
:00402EBA C6059458490000          mov byte ptr [00495894], 00
:00402EC1 E8BA070000              call 00403680              <-- Call to play intro & CD check
:00402EC6 85C0                    test eax, eax
:00402EC8 750F                    jne 00402ED9               <-- Need to take this to continue
:00402ECA E8A1080000              call 00403770
:00402ECF 33C0                    xor eax, eax
:00402ED1 5E                      pop esi
:00402ED2 5B                      pop ebx
:00402ED3 83C410                  add esp, 00000010
:00402ED6 C21000                  ret 0010

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EC8(C)
|
:00402ED9 A094584900              mov al, byte ptr [00495894]   <-- Set up to continue the game
:00402EDE 50                      push eax
:00402EDF E82C090400              call 00443810
:00402EE4 8B442420                mov eax, dword ptr [esp+20]
:00402EE8 83C404                  add esp, 00000004
:00402EEB 6A00                    push 00000000
:00402EED 50                      push eax
:00402EEE 68E0354000              push 004035E0
:00402EF3 E8E8670400              call 004496E0
:00402EF8 83C40C                  add esp, 0000000C
:00402EFB 85C0                    test eax, eax
:00402EFD 750F                    jne 00402F0E
:00402EFF E86C080000              call 00403770
:00402F04 33C0                    xor eax, eax
:00402F06 5E                      pop esi
:00402F07 5B                      pop ebx
:00402F08 83C410                  add esp, 00000010
:00402F0B C21000                  ret 0010

So if you NOP the call to the CD check and change the conditional jump to jump always, you have half of the copy protection removed.
Ok, now let's check the other call:

* Referenced by a CALL at Address:
|:0043CBC4
|
:00406730 56                      push esi
:00406731 E84ACFFFFF              call 00403680              <-- Check for the CD
:00406736 85C0                    test eax, eax
:00406738 750C                    jne 00406746               <-- Need to take this one
:0040673A C70550BB4800FFFFFFFF    mov dword ptr [0048BB50], FFFFFFFF   <-- sets up "quit to win95"
:00406744 5E                      pop esi
:00406745 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406738(C)
|
:00406746 E8B5C90000              call 00413100              <-- Continue with the game
:0040674B 85C0                    test eax, eax
:0040674D 7420                    je 0040676F
:0040674F C705904A490001000000    mov dword ptr [00494A90], 00000001
:00406759 C70500E2460000000000    mov dword ptr [0046E200], 00000000
:00406763 C70504E24600FFFFFFFF    mov dword ptr [0046E204], FFFFFFFF
:0040676D EB0A                    jmp 00406779

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040674D(C)
|
:0040676F C705904A490000000000    mov dword ptr [00494A90], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040676D(U)
|
:00406779 C7055854490000000000    mov dword ptr [00495458], 00000000
:00406783 A1984A4900              mov eax, dword ptr [00494A98]
:00406788 C1E002                  shl eax, 02
-- the rest of the game program --

Changing this call to NOPs and changing the conditional jump to jump always will completely remove the CD checks and allow you to play Frogger from your hard drive without having to insert the Frogger CD. One nice side effect is you skip the Hasbro intro video at the start of the game and the short intro in the "attract" mode of the game. However, you lose the ending and the credits video when you complete the game. None of these videos are copied to your hard drive during installation.
When the program needs them it goes through a routine that plays the right video at 401FD0:

* Referenced by a CALL at Addresses:
|:0042BC70 , :0043C49C , :0043C4DC , :0043F030
|
:00401FD0 81EC40010000            sub esp, 00000140
:00401FD6 53                      push ebx
:00401FD7 56                      push esi
:00401FD8 57                      push edi
:00401FD9 6A00                    push 00000000

* Reference To: USER32.ShowCursor, Ord:0228h
|
:00401FDB FF1508954A00            Call dword ptr [004A9508]
:00401FE1 C7051CC2460001000000    mov dword ptr [0046C21C], 00000001

* Possible StringData Ref from Data Obj ->"Starting to Play Stream."
|
:00401FEB 68BCC54600              push 0046C5BC
:00401FF0 BF94584900              mov edi, 00495894
:00401FF5 E8A6050000              call 004025A0
-- snip --
:00402030 F3                      repz
:00402031 A4                      movsb

* Possible StringData Ref from Data Obj ->":\video\"   <-- pull it off CD
|
:00402032 BFB0C54600              mov edi, 0046C5B0
:00402037 B9FFFFFFFF              mov ecx, FFFFFFFF
:0040203C 2BC0                    sub eax, eax
:0040203E F2                      repnz
-- snip --

* Possible StringData Ref from Data Obj ->"InitMovie."   <-- get ready to play it
|
:00402094 68A4C54600              push 0046C5A4
:00402099 83E103                  and ecx, 00000003
:0040209C F3                      repz
:0040209D A4                      movsb
:0040209E E8FD040000              call 004025A0
:004020A3 8D442420                lea eax, dword ptr [esp+20]
:004020A7 83C404                  add esp, 00000004
:004020AA 6800004000              push 00400000
:004020AF 50                      push eax
:004020B0 6A00                    push 00000000
:004020B2 6A00                    push 00000000
:004020B4 68F8C14600              push 0046C1F8

* Reference To: winplay.Player_InitMovie, Ord:002Dh
|
:004020B9 E8BC160400              Call 0044377A
:004020BE 83C414                  add esp, 00000014
:004020C1 8BF0                    mov esi, eax
:004020C3 85F6                    test esi, esi
:004020C5 740C                    je 004020D3
:004020C7 33C0                    xor eax, eax
:004020C9 5F                      pop edi
:004020CA 5E                      pop esi
:004020CB 5B                      pop ebx
:004020CC 81C440010000            add esp, 00000140
:004020D2 C3                      ret

Anyways, if you kill the two calls I talked about, you end up with a cracked version of Frogger and it will not ask for the Frogger CD when you start. The program has never come up and asked for the CD when trying to play the video clips.
Watching the original version run, it would go through the demo a couple of times, then play the short intro video. The cracked program goes through the same steps but never plays the video or "complains" about not being able to load it in...

So you just need to make the edits to the frogger.exe file. Make your edit by version: v1.001 is off the CD, v1.1e is the froggerpatch1.exe off the net. Frogger v3.0e (and 3.0u) are off the net from the file froggerpatch3.exe.

For V1.001 from the CD edit Frogger.exe
======================================================
Search for: E8 BA 07 00 00 85 C0 75 0F   (offset 8,833)
Change to : 90 90 90 90 90 -- -- EB --

Search for: E8 2A D0 FF FF 85 C0 75 0C   (offset 23,057)
Change to : 90 90 90 90 90 -- -- EB --

For V1.1e from the net edit Frogger.exe
======================================================
Search for: E8 BA 07 00 00 85 C0 75 0F   (offset 8,897)
Change to : 90 90 90 90 90 -- -- EB --

Search for: E8 4A CF FF FF 85 C0 75 0C   (offset 23,345)
Change to : 90 90 90 90 90 -- -- EB --

For V3.0e from the net edit Frogger.exe
======================================================
Search for: E8 1A 08 00 00 85 C0 75 0F   (offset 140,785)
Change to : 90 90 90 90 90 -- -- EB --

Search for: E8 2F 38 FF FF 85 C0 75 0D   (offset 194,012)
Change to : 90 90 90 90 90 -- -- EB --

For V3.0u from the net edit Frogger.exe
======================================================
Search for: E8 1A 08 00 00 85 C0 75 0F   (offset 9,009)
Change to : 90 90 90 90 90 -- -- EB --

Search for: E8 3F CF FF FF 85 C0 75 0D   (offset 91,122)
Change to : 90 90 90 90 90 -- -- EB --

That's it for this one. I hope you are learning something from these tutorials.... If one person out there has learned something from my work, then it's NOT a waste of time for me to write these up and I'll continue to do so. If you can stand my grammar and my spelling - hahahahaha.... I needed a good laugh. I FiX'ed Frogger too!

Static Vengeance
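What the listing and the byte edits above illustrate, from the other side of the table, is why a protection that reduces to one boolean returned from one call site is easy to excise and easy to spot after the fact: the "call, test eax,eax, jne" sequence becomes "five NOPs, test eax,eax, jmp short", and the file no longer matches its shipped hash. The Python below is an added example and is not part of the tutorial or of the Frogger program. It decodes E8 rel32 call targets the same way W32Dasm printed them (the displacement is signed and relative to the next instruction), byte-diffs an image against a trusted copy, and scans for the residue of a stubbed-out check. The byte strings are constructed from the 00402EB0 listing, not read from a real frogger.exe; BASE_VA, ORIGINAL and TAMPERED are fixtures built for the example.

```python
"""Added example (not from the original tutorial): integrity checks for a
32-bit x86 code image. Decodes E8 rel32 near-call targets, diffs a binary
against a known-good copy, and flags the NOP-and-jmp residue of a removed
call-and-test. All bytes below are constructed from the W32Dasm listing."""
import hashlib
import struct

# Constructed fixture: the bytes listed for 00402EB0..00402ECE, in order.
BASE_VA = 0x00402EB0
ORIGINAL = bytes.fromhex(
    "83EC10"          # sub esp, 10
    "53" "56"         # push ebx / push esi
    "E806080000"      # call 004036C0
    "C6059458490000"  # mov byte ptr [00495894], 00
    "E8BA070000"      # call 00403680  (the CD check)
    "85C0"            # test eax, eax
    "750F"            # jne 00402ED9
    "E8A1080000"      # call 00403770
)
# The same image after the edit described in the tutorial: the 5-byte call
# replaced by NOPs and the conditional jne (75) turned into jmp short (EB).
TAMPERED = ORIGINAL[:17] + b"\x90" * 5 + b"\x85\xC0\xEB" + ORIGINAL[25:]


def decode_call_target(code: bytes, offset: int, base_va: int = BASE_VA) -> int:
    """Absolute target of the E8 rel32 near call at `offset`.
    The displacement is a signed 32-bit value relative to the instruction
    that follows the call (offset + 5), which is why E8 4A CF FF FF at
    00406731 and E8 BA 07 00 00 at 00402EC1 both land on 00403680."""
    if code[offset] != 0xE8:
        raise ValueError(f"no E8 opcode at offset {offset:#x}")
    rel = struct.unpack_from("<i", code, offset + 1)[0]
    return base_va + offset + 5 + rel


def byte_diff(known_good: bytes, candidate: bytes) -> list[tuple[int, int, int]]:
    """Every (offset, old_byte, new_byte) where `candidate` differs from a
    trusted copy. This is the reliable check: it needs a reference image."""
    if len(known_good) != len(candidate):
        raise ValueError("length mismatch; compare the same build")
    return [(i, a, b) for i, (a, b) in enumerate(zip(known_good, candidate)) if a != b]


def find_stubbed_checks(code: bytes, base_va: int = BASE_VA) -> list[int]:
    """Heuristic scan for use without a reference copy: five NOPs (where a
    5-byte call used to be) immediately followed by test eax,eax and an
    unconditional short jmp where a conditional jump would normally sit.
    Compilers emit NOP runs for alignment, so treat hits as leads, not proof."""
    hits = []
    for i in range(len(code) - 8 + 1):
        window = code[i:i + 8]
        if window[:5] == b"\x90" * 5 and window[5:7] == b"\x85\xC0" and window[7] == 0xEB:
            hits.append(base_va + i)
    return hits


def sha256_hex(code: bytes) -> str:
    """Hash to compare against the value recorded for the shipped build."""
    return hashlib.sha256(code).hexdigest()


def main() -> None:
    for off in (5, 17, 26):
        print(f"call at {BASE_VA + off:08X} -> {decode_call_target(ORIGINAL, off):08X}")
    diffs = [(f"{BASE_VA + o:08X}", f"{a:02X}->{b:02X}") for o, a, b in byte_diff(ORIGINAL, TAMPERED)]
    print("bytes changed:", diffs)
    print("stubbed checks at:", [f"{va:08X}" for va in find_stubbed_checks(TAMPERED)])
    print("hash still matches:", sha256_hex(ORIGINAL) == sha256_hex(TAMPERED))


if __name__ == "__main__":
    main()
```

Run as-is it reports the three call targets from the listing (004036C0, 00403680, 00403770), the six changed bytes at 00402EC1..00402EC5 and 00402EC8, and a single stubbed-check hit at 00402EC1. The byte-diff and hash comparison are what a release process would actually rely on; the NOP-run scan is only a triage aid for a binary whose reference copy is not at hand.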