Need for Speed 3 'CD-Check!'
Written by McCodEMaN
Greetings and welcome to the noble art of reverse engineering!
This game was given to me as a gift from a friend that thinks I should play more!
Relaxing and fun at the same time he says, hmmm...I don't have
the time and by the way...nothing is more relaxing than
doing some r.c.e. I usually answers.
OK..OK I'll confess...I have played it once!...but only to see if the cracking was successful!
Hmmm, when I come to think of it...perhaps I played it twice? He He!
If my friend keeps on throwing his used games at me, their might be more game cracking in the future!
W32Dasm v8.93
Hex Workshop v2.54
Step1 Make a full installation of Nfs 3.
Step2 Copy the following folders from the Nfs
CD:
*GAMEDATE\AUDIO\Pc
*FEDATA\MOVIES
and
add them to your installed Nfs dir.
Why?...well we
like to have the music and movies...right!
Step3 Now, take a look at your Nfs dir.
You
should find a file called:
'install.win'
We
will have to change some commands in that file or else Nfs will search the CD
for some
files!
OK!...lets
Rock!!
Open
the file in notepad and change it so it looks like
this:
english
<===Your selected language!
local
.\GameData\
.\GameData\Tracks\
.\GameData\Tracks\Tutor\
.\GameData\CarModel\
.\GameData\Render\pc\
.\GameData\DashHud\
.\GameData\Audio\pc\
.\GameData\Audio\SFX\
.\GameData\Audio\Speech\English\
.\GameData\Audio\Speech\German\
.\GameData\Audio\Speech\French\
.\GameData\Audio\Speech\Spanish\
.\GameData\Audio\Speech\Italian\
.\FeData\art\
.\FeData\text\
.\FeData\text\
.\FeData\save\
.\FeData\stats\
.\FeData\config\
.\FeData\audio\
.\FeData\Art\Slides\
.\FeData\Art\Track\
.\FeData\Art\Showcase\
.\FeData\movies\
.\FeData\stats\prh\
�
Step4 Now it's time to kill that CD-check, so remove your Nfs
CD!!!!!
Next,
you should make a backup of your 'nfs3.exe' in case of something goes wrong.
Start W32Dasm and load nfs3.exe and while you're waiting try to figure out a way to crack this cd check!
Ok, the disassembly is all done...have you found a way?
Well, the easy way would be to hunt down the cd-rom access function and that is done like this:
Step into Functions and then Imports, try to locate KERNEL32.GetDriveTypeA and double click while
standing on it.
This should take you to:
:004F9440 2EFF15184455300 call dword ptr cs: [00534518]
Let's trace backwards and see if we'll find what we're looking for...shall we!
I found this:
*Referenced by a CALL at Addresses:
|:004B635B , :004B63BC
and decided to take a closer look at: 004B635B
* Possible StringData Ref from Data Obj ->"install.win"
|
:004B633B BA30FE5300
mov edx, 0053FE30
:004B6340 8D85C4FEFFFF
lea eax, dword ptr [ebp+FFFFFEC4]
:004B6346 A5
movsd
:004B6347 A5
movsd
:004B6348 66A5
movsw
:004B634A A4
movsb
:004B634B E840300400
call 004F9390
:004B6350 8D85C4FEFFFF
lea eax, dword ptr [ebp+FFFFFEC4]
:004B6356 E895300400
call 004F93F0
:004B635B E8B0300400
call 004F9410 <----Here is that call!
:004B6360 85C0
test eax, eax
:004B6362 7430
je 004B6394 <---Would always like to jump here!
:004B6364 B906000000
mov ecx, 00000006
:004B6369 8D7DDC
lea edi, dword ptr [ebp-24]
:004B636C BE94564B00
mov esi, 004B5694
:004B6371 6A30
push 00000030
:004B6373 A1503A7A00
mov eax, dword ptr [007A3A50]
:004B6378 F3
repz
:004B6379 A5
movsd
Right!...I'm going to follow that je to: 004B6394
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6362(C)
|
:004B6394 E807FFFFFF
call 004B62A0
:004B6399 85C0
test eax, eax
:004B639B 755A
jne 004B63F7 <---Would always like to jump here!
:004B639D 31D2
xor edx, edx
:004B639F EB19
jmp 004B63BA
Well... if you look at the two good jumps you can see that we always like to jump here, but the first one only jumps if equal
and the second if not equal.
So what do we do?...Simple, lets EB them!
EB is Hex for Asm. jmp...in plain english that means jump directly to.
Take a note of the two offsets:
The offset of 004B6362 is: B5762 and for 004B639B it's B579B
All done here...close down W32Dasm and start up Hex Workshop.
Open nfs3.exe and select Goto from the Edit menu. Then select Hex and type in the first
offset, press GO to make the trip!
You should land at the beginning of: 7430
Change 74 to EB then save and close nfs3.exe!
Open nfs3.exe again and goto B579B, change 75 into EB, save and terminate Hex Workshop.
All that's left for me to say is: Run and have fun!!
I would like to thank:
attiTude, tKC, Razzia, MrX, members of TRES2000 and my beloved Jen!
When ever there is a door,
there is an entrance.
And behind an entrance can no secret hide,
when a cracker takes his knowledge for a ride
The information in this essay is for educational purpose only!
You are only allow to crack, reverse engineer, modify code and debugg programs that you legaly bought and
then for personal use only!!
To ignore this warning is a criminell act and can result in lawful actions!
So please note!
I take no responebility for how you use the information in this essay, i take NO responebility for what might
happen to you or your computer!
You use this information on your own risk!!
What i mean is: Please buy the software!
Essay written by McCodEMaN ŠTRES2000. All Rights Reserved.