Program Name: Future Cop L.A.P.D

Date: 26 - November - 1999
Objective: Run without CD

Written by [yAtEs] - REaP - Reverse Engineering aND Programming - Http://reap.tsx.org / to contact me, email Jamesluton@hotmail.com

Heya, I'm going to explain how to remove the CD check from this game. OK, let's get
down to work: do a full installation of the game to your HD, then remove your CD
and hide it so you have to crack this ;)

 

OK, run the game and you'll be presented with the CD-check message box.

Now, by clicking OK several times you'll find that doesn't work :P, so let's
click Cancel. Now in SoftICE set a breakpoint on MessageBoxA like so:
BPX MessageBoxA. Rerun the game and SoftICE pops up inside USER32. Press F12
(run until return, which takes you back to the instruction right after the
CALL that brought us into MessageBoxA) and then click OK on the message box;
now you see this code:

 

015F:0045AAE8 FFD6          CALL ESI
015F:0045AAEA 83F802        CMP EAX,02            <- We are here
015F:0045AAED 0F84A6010000  JZ 0045AC99
015F:0045AAF3 E8C8E9FAFF    CALL 004094C0
015F:0045AAF8 85C0          TEST EAX,EAX
015F:0045AAFA 74DA          JZ 0045AAD6
015F:0045AAFC 895DFC        MOV [EBP-04],EBX
015F:0045AAFF E87CAEFAFF    CALL 00405980
015F:0045AB04 8B0D1CC94800  MOV ECX,[0048C91C]

OK, so we should see if we can exit the call we might be in. I clicked in the
code window and looked for a RET but couldn't see one, so I began to trace
with F10, and then I noticed a loop: when we hit JZ 0045AAD6 we go back up a
few lines. Let's look at the loop:

015F:0045AAD6 6A01          PUSH 01               *START LOOP*
015F:0045AAD8 6800694800    PUSH 00486900
015F:0045AADD 6824C94800    PUSH 0048C924
015F:0045AAE2 A154004A00    MOV EAX,[004A0054]
015F:0045AAE7 50            PUSH EAX
015F:0045AAE8 FFD6          CALL ESI              <- Call MessageBoxA
015F:0045AAEA 83F802        CMP EAX,02            <- We are here
015F:0045AAED 0F84A6010000  JZ 0045AC99
015F:0045AAF3 E8C8E9FAFF    CALL 004094C0
015F:0045AAF8 85C0          TEST EAX,EAX
015F:0045AAFA 74DA          JZ 0045AAD6           *END LOOP*

So we are stuck in what looks like some sort of check loop. Reading it: the
four PUSHes are the arguments to MessageBoxA, and MessageBoxA returns 2
(IDCANCEL) when you click Cancel, so CMP EAX,02 / JZ 0045AC99 is the Cancel
path that leaves the loop (and quits). Otherwise CALL 004094C0 is the check
itself; it returns zero while the CD is missing, so TEST EAX,EAX / JZ 0045AAD6
goes back up and shows the box again. Hmm, let's think now: what would YOU
do?... Good idea, let's try to skip over that jump at the end :). Make sure
you have the grey bar over the JZ. If you look at the top right of the screen
(WR toggles the register window) it says EIP=0045AAFA, which means that this
is the next line to execute. Let's change that to the line after: while our
grey bar is over the last JZ in the loop, type
R EIP=0045AAFC and press Enter. Now the grey bar jumps over the JZ and we are
out of the loop! Press F5 to exit SoftICE and see what happens :)
Yes, that's right, the game runs.
 
So how do we go about patching this? Well, if we NOP out that JZ at the end of
the loop the game would work, but it would still call the message box. We could
NOP that out too (the CALL ESI), but note that MessageBoxA is stdcall and cleans
its own four arguments, so NOPing just the CALL would leave the four PUSHes on
the stack; you would have to NOP the pushes as well. All that would work, but
it's better to see what got us into this loop in the first place. Let's look
above the loop for some sort of jump that skips the whole loop. I scroll up and
this is what I see:
 
015F:0045AACE 752C          JNZ 0045AAFC          <----------------- JUMP OVER LOOP
015F:0045AAD0 8B354C465100  MOV ESI,[USER32!MessageBoxA]
015F:0045AAD6 6A01          PUSH 01               *START LOOP*
015F:0045AAD8 6800694800    PUSH 00486900
015F:0045AADD 6824C94800    PUSH 0048C924
015F:0045AAE2 A154004A00    MOV EAX,[004A0054]
015F:0045AAE7 50            PUSH EAX
015F:0045AAE8 FFD6          CALL ESI              <- Call MessageBoxA
015F:0045AAEA 83F802        CMP EAX,02            <- We are here
015F:0045AAED 0F84A6010000  JZ 0045AC99
015F:0045AAF3 E8C8E9FAFF    CALL 004094C0
015F:0045AAF8 85C0          TEST EAX,EAX
015F:0045AAFA 74DA          JZ 0045AAD6           *END LOOP*
015F:0045AAFC 895DFC        MOV [EBP-04],EBX      <------------ END HERE
Well, that should explain it all :). As you can see, two lines above the start
of our loop there is a conditional jump whose target, 0045AAFC, is the very
first instruction after the loop, so when it is taken the whole loop (and the
message box) is skipped. Whatever the game compared just before it is the real
CD check, and its only job is to decide whether to enter the loop, so let's
patch this jump to jump always: that's JNZ -> JMP.
While we are debugging, SoftICE says
-------------------FCOPLAPD!.text00059AE8-------------------
which means we are working in a module called FCOPLAPD (.text+00059AE8 is
0045AAE8 minus the .text base of 00401000), and this is the name of the exe
we ran, so let's patch that as we know this is the right file.
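To check the control-flow reading above rather than trust the dots and arrows, here is an added example (not part of the original tutorial) that decodes the branch displacements from the opcode bytes in the SoftICE listing. The listing text is transcribed from this page; the parsing helpers and function names are this example's own. It confirms that the JZ at 0045AAFA is a backward edge to 0045AAD6 (the loop), and that the JNZ at 0045AACE lands exactly on the instruction after that back edge, which is why forcing it skips the loop.

```python
import re

# Transcription of the SoftICE listing shown in this tutorial (constructed
# input for the example): address, opcode bytes, mnemonic. The selector
# prefix (015F:) is dropped since only the offset matters here.
LISTING = """
0045AACE 752C          JNZ 0045AAFC
0045AAD0 8B354C465100  MOV ESI,[USER32!MessageBoxA]
0045AAD6 6A01          PUSH 01
0045AAD8 6800694800    PUSH 00486900
0045AADD 6824C94800    PUSH 0048C924
0045AAE2 A154004A00    MOV EAX,[004A0054]
0045AAE7 50            PUSH EAX
0045AAE8 FFD6          CALL ESI
0045AAEA 83F802        CMP EAX,02
0045AAED 0F84A6010000  JZ 0045AC99
0045AAF3 E8C8E9FAFF    CALL 004094C0
0045AAF8 85C0          TEST EAX,EAX
0045AAFA 74DA          JZ 0045AAD6
0045AAFC 895DFC        MOV [EBP-04],EBX
"""


def parse_listing(text):
    """Split each listing line into (address, opcode bytes, mnemonic)."""
    rows = []
    for line in text.strip().splitlines():
        addr, opcodes, mnemonic = line.split(None, 2)
        rows.append((int(addr, 16), bytes.fromhex(opcodes), mnemonic))
    return rows


def branch_target(addr, code):
    """Decode the destination of a relative jump or call located at addr.

    x86 relative branches store a signed displacement from the *next*
    instruction: Jcc rel8 (70..7F) and JMP rel8 (EB) use one byte; CALL rel32
    (E8), JMP rel32 (E9) and Jcc rel32 (0F 80..8F) use four.
    Returns None for anything that is not a relative branch.
    """
    op = code[0]
    next_ip = addr + len(code)
    if 0x70 <= op <= 0x7F or op == 0xEB:
        disp = int.from_bytes(code[1:2], "little", signed=True)
    elif op in (0xE8, 0xE9):
        disp = int.from_bytes(code[1:5], "little", signed=True)
    elif op == 0x0F and len(code) == 6 and 0x80 <= code[1] <= 0x8F:
        disp = int.from_bytes(code[2:6], "little", signed=True)
    else:
        return None
    return (next_ip + disp) & 0xFFFFFFFF


def check_listing(rows):
    """Addresses whose decoded target disagrees with the 8-hex-digit target
    printed in the mnemonic; an empty list means the listing is consistent."""
    bad = []
    for addr, code, mnemonic in rows:
        target = branch_target(addr, code)
        printed = re.search(r"\b([0-9A-F]{8})\b", mnemonic)
        if target is not None and printed and int(printed.group(1), 16) != target:
            bad.append(addr)
    return bad


def jumps(rows):
    """Map each jump (calls excluded) to (target, 'back' | 'forward').
    A backward jump is a loop's back edge; a forward jump that lands on the
    instruction right after the back edge skips the loop entirely."""
    result = {}
    for addr, code, mnemonic in rows:
        target = branch_target(addr, code)
        if target is None or code[0] == 0xE8:
            continue
        result[addr] = (target, "back" if target < addr else "forward")
    return result


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    print("inconsistent lines:", [hex(a) for a in check_listing(rows)])
    for addr, (target, kind) in sorted(jumps(rows).items()):
        print(f"{addr:08X} -> {target:08X} ({kind})")
```

The same decoding explains why the later patch is a single byte: JNZ rel8 (75) and JMP rel8 (EB) both carry a one-byte displacement after the opcode, so swapping the opcode keeps the 2C and therefore the target.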

 

Make a backup of FCOPLAPD.EXE first, then open it in a hex editor and search
for '752C8B354C'. The 752C is the JNZ 0045AAFC; there's likely to be more than
one 752C in the exe, so we search for 752C plus a little extra from the next
line (the start of MOV ESI,[USER32!MessageBoxA]) to ensure we get the correct
one. Search for it and make sure there are no more copies, then change '752C'
to 'EB2C' and save, run, play :D The game works! 75 is JNZ rel8 and EB is
JMP rel8; both are followed by the same one-byte displacement, so the 2C
stays and the jump still lands on 0045AAFC. That's all,
laterz peepz

[yAtEs]
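The hex-editor step above, as an added example that is not part of the original tutorial: a small patcher that refuses to touch the file unless the longer signature occurs exactly once, flips only the opcode byte, and verifies the short-jump target is unchanged. The signature bytes come from the listing on this page; the function names and the stand-in file built by fake_exe() are this example's own, so it runs without the real FCOPLAPD.EXE.

```python
# JNZ 0045AAFC followed by MOV ESI,[USER32!MessageBoxA], as in the SoftICE
# listing: the six extra bytes make the pattern specific to this one site.
SIGNATURE = bytes.fromhex("752C" "8B354C465100")
JNZ_REL8, JMP_REL8 = 0x75, 0xEB


def count_matches(data, pattern):
    """Number of occurrences of pattern in data (overlaps counted)."""
    count, pos = 0, data.find(pattern)
    while pos != -1:
        count += 1
        pos = data.find(pattern, pos + 1)
    return count


def find_unique(data, pattern):
    """Offset of pattern in data; refuse to guess if it is not unique."""
    n = count_matches(data, pattern)
    if n != 1:
        raise ValueError(f"expected exactly one match, found {n}")
    return data.find(pattern)


def rel8_target(offset, code):
    """Destination of a two-byte short jump at offset (file-relative here;
    the displacement is signed and counts from the next instruction)."""
    return offset + 2 + int.from_bytes(code[1:2], "little", signed=True)


def patch_jnz_to_jmp(data, pattern=SIGNATURE):
    """Return (patched bytes, offset). Only the opcode byte changes: JNZ rel8
    and JMP rel8 share the one-byte displacement, so the target is kept."""
    off = find_unique(data, pattern)
    if data[off] != JNZ_REL8:
        raise ValueError("pattern does not start with a JNZ rel8 opcode")
    patched = bytearray(data)
    patched[off] = JMP_REL8
    if rel8_target(off, patched[off:off + 2]) != rel8_target(off, data[off:off + 2]):
        raise AssertionError("jump target changed")
    return bytes(patched), off


def patch_file(src, dst, pattern=SIGNATURE):
    """Read src, patch, write dst; never overwrite the original in place."""
    with open(src, "rb") as f:
        data = f.read()
    patched, off = patch_jnz_to_jmp(data, pattern)
    with open(dst, "wb") as f:
        f.write(patched)
    return off


def fake_exe():
    """Constructed stand-in for FCOPLAPD.EXE: the signature at 0x100 plus an
    unrelated 75 2C elsewhere, to show why searching for 752C alone is unsafe."""
    return (b"\x90" * 0x100 + SIGNATURE + b"\xCC" * 0x40
            + b"\x75\x2C\x33\xC0" + b"\xCC" * 0x40)


if __name__ == "__main__":
    data = fake_exe()
    print("hits for 752C alone:", count_matches(data, bytes.fromhex("752C")))
    print("hits for full signature:", count_matches(data, SIGNATURE))
    patched, off = patch_jnz_to_jmp(data)
    print(f"patched at file offset {off:#x}: {patched[off:off + 2].hex()}")
```

To use it on the real file, call patch_file("FCOPLAPD.EXE", "FCOPLAPD.patched.EXE") and rename afterwards; the uniqueness check is what the tutorial's "make sure there are no more copies" step does by hand.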