--==[ Virtua Fighter cD-RoM cHECK ]==-
[yAtEs][ECL`99]
/ 05/Sept/`99 /
Tools: SoftICE, Hex Workshop, W32Dasm.

I cracked this game in under a minute with SoftICE, but I'll first explain how to crack it with W32Dasm, then I'll explain the SoftICE way. The aim of this tutorial is to make the game run from the hard drive. So let's proceed: first install the game onto your hard drive, or hard disc ;). Once installed we have a folder of about 40MB, and we need to know if we have everything we need to run the game. This can be hard, but if we look on the CD we see that there's only a folder with the exact same stuff that's on our HD, plus some other install/DirectX stuff.

Now take out your CD and throw it away, if you trust me ;)... I mean store it somewhere safe in case you ever need it again. Once your original CD is safely lying on your bedroom floor with your other stuff, run the game, Vfpc.exe, and you'll find you're 'greeted' with a message:-
.................
Open up W32Dasm, go to the Disassembler menu and select Open File to Disassemble, select your Vfpc.exe and the program will begin to disassemble it. This is a 2.38MB file so it could take some time; if it doesn't then I want to know what CPU you have :). Ok, after several pints you awake to find the program disassembled. We need to find the string reference, so click the 'Strn REF' button, second from the right at the top. Now the string refs won't be able to display all of that message, so look for the first part: 'Cannot find Virtua Fighter(TM) PC CD.'

Ok, after a while searching you'll find 'Cannot find Virtua Fighter(TM)', so double click it and after another several pints it will display:

This is the code for the message box. We can see it pushes 00B25FD0, which is the text for the title bar, and afterwards the text for the error message, but that's not really important ;). We need to find where the message box was called from; W32Dasm tells us this if we scroll, and you will see:-

Here it tells us that the message was called from 00505B32, so scroll up to 00505B32 to see the following:-

The red line shows where it goes if it jumped and the blue line if it didn't jump. Now, if we were not so clever we would think "right, there's the jump, let's change it so it doesn't jump to the error box". Not so clever? Well, if we check what happens when we don't jump, just follow the blue line :), we see that we hit another message box, and we know for sure that no message boxes are displayed when we start the game with the CD in.... so 00505B32 is no good. Of course trial and error is a great part of learning, so you should have a go at changing that jump and see what happens. So we still don't have the jump; let's look above for the next one. If you look above the dorky jump you will see '00505B1C je 00505B6C'. This is good because the jump goes to 00505B6C, which is way past all our message box error thingies, so let's change it!

Now we must think for a while.... is this je jumping or not?¿?¿?¿ Well, the answer is it's not jumping, because we're getting past that jump to the error code; if it was jumping we would be way ahead into the code somewhere. So from this info we gather that we need to make this jump jump all the time, so we must change the hex code. But if we look, the hex code is the long form, 0F844A000000; normally we see the short form like 7432 or 7412, the 74 being je, and we would change 74 to EB because EB is JMP. But in this case we can't: we see 0F84xxxxxxxx, and 0F84 is je, but we can reverse it to jne, which is 0F85. So we must change 0F844A000000 to 0F854A000000. This is quite silly really, because it means the game will only work if the CD isn't in the drive, hehe, but we will fix that later with SoftICE. Ok, place your bar over the je line in W32Dasm and note down the offset.

Right click the Vfpc.exe file and select 'Hex Edit'. You will only see this if you have Hex Workshop and its shell extension installed. Now find offset 00104F1C and change 0F844A000000 to 0F854A000000. Now a lot of people say "but I can't find 00104F1C on the left hand side in the list of offsets"; this diagram should clear things up :)

Just type over that 84 with 85 and save. Now run the game and it works!!! Woohoo. If you get a File Access error while trying to save changes in the hex editor, make sure you have closed W32Dasm, because it is still using the file, remember.
-
Ok, so now I'll explain the SoftICE way very briefly :). Make sure you have your original exe if you're going to do it this way. Ok, so when we run the program we get this error box, well, let's set a breakpoint on MessageBoxA: press Ctrl+D and enter BPX MessageBoxA, then rerun the program. SoftICE breaks; press F12 to return from the call, click OK, and back into SoftICE we go, and now we see Call MessageBoxA. If we click in the code window and scroll up we can see two jumps, @ 00505B32 jnz 00505B51 and @ 00505B1C jz 00505B6C, and basically through trial and error we would find out that the one at 00505B32 is no good, so we would move up to the next one. First you would type BC *, then double click the '00505B1C jz 00505B6C' line, which highlights it and sets a bpx on it, then exit SoftICE with F5 and rerun the program. Because we already know this is the jump I won't explain about testing it, just that now if we type CODE ON we can see the hex code, which says 0F844A000000. If we type A, then enter JMP 00505B6C and press enter twice, we can see the instruction turn into a permanent jump, and it also displays the hex code, which is EB4E. It also F#$@s the code below up, but this doesn't matter as we will never execute it, as it is the no-CD error bit. So change 0F844A000000 to EB4E4A000000 and save, and now you have a permanent no-CD running game thingy cracked program :)
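The jump arithmetic above (why 0F84 4A000000 at 00505B1C lands on 00505B6C, why flipping 0F84 to 0F85 only inverts the condition, and why SoftICE's EB4E reaches the same place while leaving 4A000000 as stray bytes) can be checked with a small decoder. This is an added example, not code from the tutorial or its author; the VA-to-file-offset delta is derived from the 00505B1C / 00104F1C pair quoted in the text and is assumed constant within the code section. The same checks are what you do when diffing a suspect binary against its original to see where a modified branch now points.

```python
import struct

# Opcode prefix -> (mnemonic, displacement size in bytes) for the encodings the
# text compares: short (rel8) and near (rel32) conditional/unconditional jumps.
JUMP_OPCODES = {
    b"\xeb": ("jmp", 1),
    b"\x74": ("je", 1),
    b"\x75": ("jne", 1),
    b"\x0f\x84": ("je", 4),
    b"\x0f\x85": ("jne", 4),
}

def decode_jump(addr, code):
    """Decode a relative jump at virtual address addr; return (mnemonic, length, target).

    x86 relative jumps are measured from the end of the instruction, so
    target = addr + instruction length + signed displacement.
    """
    for opcode, (mnem, size) in JUMP_OPCODES.items():
        if code.startswith(opcode):
            disp_bytes = code[len(opcode):len(opcode) + size]
            if len(disp_bytes) != size:
                raise ValueError("truncated displacement")
            disp = struct.unpack("<b" if size == 1 else "<i", disp_bytes)[0]
            length = len(opcode) + size
            return mnem, length, (addr + length + disp) & 0xFFFFFFFF
    raise ValueError("not a jump opcode: " + code[:2].hex())

def rel8_for(addr, target):
    """Displacement byte of a 2-byte short jmp from addr to target, or None if out of rel8 range."""
    disp = target - (addr + 2)
    return disp & 0xFF if -128 <= disp <= 127 else None

# Derived from the tutorial's pair (VA 00505B1C <-> file offset 00104F1C); assumed
# constant within the code section, as a linear RVA-to-raw mapping gives.
VA_TO_FILE_DELTA = 0x00505B1C - 0x00104F1C

def file_offset(va):
    return va - VA_TO_FILE_DELTA

if __name__ == "__main__":
    addr = 0x00505B1C
    for raw in ("0F844A000000", "0F854A000000", "EB4E4A000000"):
        code = bytes.fromhex(raw)
        mnem, length, target = decode_jump(addr, code)
        # After EB4E the leftover "4A000000" is no longer part of the jump (4A = dec edx,
        # 00 00 = add [eax],al), which is why the listing below it looks wrecked.
        print(f"{raw}: {mnem} {target:08X}; {length} bytes used, leftover {code[length:].hex()}")
    print(f"short jmp displacement to 00505B6C: {rel8_for(addr, 0x00505B6C):02X}")
    print(f"file offset of {addr:08X}: {file_offset(addr):08X}")
```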
l8zr