HOW TO CRACK:
Fallout 2 v1.02e

Introduction:
The original CD has a hidden folder named 'Laserlock'. This folder contains several large files, one of which cannot be read, so you cannot copy the CD without extreme difficulty and wasting many CDs in the attempt. We are going to look at cracking the CD-check in the patch file v1.02e (English UK version), so download it from the official site http://www.interplay.com or wherever you can find it. The strange thing about this patch is that you can recopy the CD, leaving out the Laserlock folder, and use the new patch file to play the game with the copied CD in the drive. It doesn't check the copy protection part of the CD properly; it just checks that you have a CD in the drive with the relevant data on it and that the CD is named Fallout2 - so half the job is already done for us by the developers - thanks guys.

This is an excellent RPG. I don't normally play this type of game, but this one really had me hooked, even though there are a lot of people that really didn't like the game when it came out - mainly because of the bugs and crashes, but these have been fixed with the patch file (well, I had no more problems with it anyway). Personally, I think the game is really rather good!!

Tools needed: SoftICE, WDASM & a hex editor


The Crack

Ok then, first off do a full installation (a humongous 600MB+), then copy the new fallout2.exe and the patch000.dat file into your game folder. Now copy the remaining music files that were not copied by the installation from the \data\sound\music\ folder on the CD into the corresponding folder on your HD. The files are Alarm1.acm and Alarm2.acm. Edit the Fallout2.cfg file and make sure that music_path1 and music_path2 point to the correct location on your HD. Notice a few lines further down that there is a reference to a file on your CD drive? Mine is F:\cdlock.dat. This is the copy protection part, so just ignore it. Now try running the game: 'ERROR - Running Fallout2 requires the CD'. You must be kidding - after a massive installation like that?? We'll sharp fix that then, won't we?


Load fallout2.exe into wdasm and wait a while... and don't forget to save the disassembled file. Let's search for the file mentioned in the CFG file, 'cdlock.dat'. We find it on line 90865, and here is the surrounding code, commented for you to study. It may look like a lot, but stick with it and you'll see what's going on. Try setting a breakpoint at 44264C, then check out each step when you're brought back into SoftICE.

* Possible StringData Ref from Data Obj ->"cdlock.dat" ------> here's our filename (used in the copy protection)
:0044264C BAB41C5000 mov edx, 00501CB4

:00442651 E858E60A00 call 004F0CAE ---------------------------> do part of the copy protection check?
:00442656 89E0 mov eax, esp
:00442658 E8CBE90A00 call 004F1028
:0044265D 89C1 mov ecx, eax
:0044265F 85C0 test eax, eax
:00442661 7440 je 004426A3 -------------------------------------------> If test fails goto error message
:00442663 BBFFFF0000 mov ebx, 0000FFFF

* Possible StringData Ref from Data Obj ->"master.dat" -->large game data file

:00442668 BEC01C5000 mov esi, 00501CC0
:0044266D 89C7 mov edi, eax

* Possible StringData Ref from Data Obj ->"Fallout2" --> Volume label of CD

:0044266F BACC1C5000 mov edx, 00501CCC
:00442674 89E0 mov eax, esp
:00442676 A5 movsd
:00442677 A5 movsd
:00442678 66A5 movsw
:0044267A A4 movsb
:0044267B E898E5FDFF call 00420C18 ----------------> Call to GetDriveTypeA to determine if a CD is in the drive.
:00442680 85C0 test eax, eax -----------------------------> If no CD present then eax=0, or 1 if present
:00442682 741F je 004426A3 ------------------------------> If not present jump to error
:00442684 BB04000000 mov ebx, 00000004

* Possible StringData Ref from Data Obj ->"critter.dat" ---> large game data file

:00442689 BED81C5000 mov esi, 00501CD8
:0044268E 89CF mov edi, ecx

* Possible StringData Ref from Data Obj ->"Fallout2" --> Volume label of CD

:00442690 BACC1C5000 mov edx, 00501CCC
:00442695 89E0 mov eax, esp
:00442697 A5 movsd
:00442698 A5 movsd
:00442699 A5 movsd
:0044269A E879E5FDFF call 00420C18
:0044269F 85C0 test eax, eax ----------------------------------> Is the CD in the drive ?
:004426A1 7505 jne 004426A8 ---------------------------------> If not then jump to error message

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:00442621(C), :00442661(C), :00442682(C)

:004426A3 BD01000000 mov ebp, 00000001 --------> If CD not present then end up here and produce error message

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004426A1(C)

:004426A8 83FD01 cmp ebp, 00000001 ------------------> If ebp=1 then produce error message. If ebp=0 then OK
:004426AB 0F85D1000000 jne 00442782 ---------------> If ebp not=1 then jump to 442782 (start of game)
:004426B1 B840E95800 mov eax, 0058E940
:004426B6 E841240400 call 00484AFC
:004426BB 39E8 cmp eax, ebp
:004426BD 7428 je 004426E7

* Possible StringData Ref from Data Obj ->"Failed on message_init"

:004426BF 68081D5000 push 00501D08
:004426C4 E82F4A0800 call 004C70F8
:004426C9 83C404 add esp, 00000004

* Possible StringData Ref from Data Obj ->"Running Fallout 2 requires the CD!" -------> Our error message.

:004426CC B8E41C5000 mov eax, 00501CE4
:004426D1 E8DA5C0900 call 004D83B0


---- data cut out here ----

:00442782 E849E6FFFF call 00440DD0 -----------------> We want to end up here if all goes well. (to crack the check)
:00442787 8B84241C010000 mov eax, dword ptr [esp+0000011C]
:0044278E 8B942420010000 mov edx, dword ptr [esp+00000120]
:00442795 8D8C2414010000 lea ecx, dword ptr [esp+00000114]
:0044279C E8E75A0900 call 004D8288
:004427A1 8B842428010000 mov eax, dword ptr [esp+00000128]


We can crack this 3 ways:

[1] At 442680 and 44269F we can force eax to =1, or
[2] Force a jump straight to 442782 instead of doing the first part of the protection routine at 442651, or
[3] Simply change the value being placed into ebp at 4426A3 to 0 instead of 1. This is probably the easiest way.

Any of these methods works fine. So let's try them out.

Method [1]:
Ok, you know that eax will =0 if the CD is missing, so we want it to =1. So we replace 'test eax,eax' (85C0 in hex) with 'inc eax' followed by 'nop' (4090 in hex). The 'inc eax' increments eax from 0 to 1, and the 'nop' (no operation) fills the remaining byte just to pad it out. You have to do this because the original instruction is 2 bytes (85C0) and you must replace it with valid instructions of the same total length, otherwise you'll just end up crashing the program. So the code would look like this when we crack it:

:00442680 40 inc eax -----------------------------------> Add 1 to eax to make it =1
:00442681 90 nop ---------------------------------------> No operation (do nothing - just to pad out the instruction)
----

:0044269F 40 inc eax ----------------------------------> Add 1 to eax value to make it =1
:004426A0 90 nop --------------------------------------> No operation (do nothing - just to pad out the instruction)


Method 2:
We want to bypass all the checks and jump straight to the game, so we need a jump to 442728 at the start of the code. The best place to put this instruction is the call made at 442651, because the jump we replace it with has the same number of bytes (5) as the original instruction. Replace E858E60A00 with E9D2000000.

:00442651 E9D2000000 jmp 00442728 -----------> Jump straight to the start of the game without doing any checks/tests.



Method 3:
We can simply replace one byte using this method to crack the check. This is where the final test is made on the CD check: if ebp=1 then BAD, if ebp=0 then GOOD. So we can force ebp to =0 all the time by replacing 'mov ebp, 00000001' with 'mov ebp, 00000000'.

:004426A3 BD00000000 mov ebp, 00000000 --------> Make the value 0, 0=good
:004426A8 83FD01 cmp ebp, 00000001 ---------------> If ebp=1 then produce error message. If ebp=0 then OK

As you can see, the above line checks whether ebp=1. If it is, it jumps to the error, so we make it =0 and the code carries on as normal. This is the easiest way to crack the CD-check, but any of these methods works just as well, as the check is only made once at the start of the game.


Now, to apply the crack and change the bytes in the file, make a note of the file offsets of the code you want to change from within wdasm.

Method [1] - offset 32A80: change 85C0 to 4090, and offset 32A9F: change 85C0 to 4090
Method [2] - offset 32A51: change E858E60A00 to E9D2000000
Method [3] - offset 32AA3: change BD01000000 to BD00000000
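As an added example (not part of the original write-up), here is a Python script that an archivist or administrator can use to check whether a copy of fallout2.exe still carries the original bytes at the four sites listed above, and a rel32 decoder that confirms the listing's call and jump targets. It assumes the file offsets and virtual addresses given on the page; the "exe image" it runs on is a constructed, zero-filled stand-in, not the real binary.

```python
import struct

# Known patch sites for fallout2.exe v1.02e, taken from the write-up above:
# name -> (file offset, original bytes, bytes after the described patch).
PATCH_SITES = {
    "method1a": (0x32A80, bytes.fromhex("85C0"), bytes.fromhex("4090")),
    "method1b": (0x32A9F, bytes.fromhex("85C0"), bytes.fromhex("4090")),
    "method2": (0x32A51, bytes.fromhex("E858E60A00"), bytes.fromhex("E9D2000000")),
    "method3": (0x32AA3, bytes.fromhex("BD01000000"), bytes.fromhex("BD00000000")),
}
# The listing pairs file offset 0x32A51 with virtual address 0x00442651; the same
# delta maps every site in the table (assumed constant within this code section).
VA_DELTA = 0x00442651 - 0x32A51


def rel32_target(insn_va, insn_bytes):
    """Destination of a 5-byte E8 (call) / E9 (jmp) with a signed 32-bit displacement."""
    if len(insn_bytes) != 5 or insn_bytes[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 call/jmp")
    disp = struct.unpack("<i", insn_bytes[1:])[0]
    return (insn_va + 5 + disp) & 0xFFFFFFFF  # displacement is relative to the next instruction


def classify_sites(image):
    """Report each known site as 'original', 'patched' or 'unexpected' (any other bytes)."""
    report = {}
    for name, (off, orig, patched) in PATCH_SITES.items():
        chunk = bytes(image[off:off + len(orig)])
        report[name] = "original" if chunk == orig else "patched" if chunk == patched else "unexpected"
    return report


def build_sample_image(apply=()):
    """Constructed stand-in for the exe: zero-filled, with the page's bytes at the known offsets.
    Sites named in `apply` get the patched bytes instead. This is not a real game binary."""
    image = bytearray(0x32B00)
    for name, (off, orig, patched) in PATCH_SITES.items():
        image[off:off + len(orig)] = patched if name in apply else orig
    return bytes(image)


if __name__ == "__main__":
    print(classify_sites(build_sample_image()))               # every site 'original'
    print(classify_sites(build_sample_image({"method3"})))    # method3 -> 'patched'
    off, orig, patched = PATCH_SITES["method2"]
    va = off + VA_DELTA                                       # 0x00442651
    print(hex(rel32_target(va, orig)), hex(rel32_target(va, patched)))  # 0x4f0cae 0x442728
```

Decoding the page's own bytes this way confirms that E858E60A00 at 00442651 calls 004F0CAE as the listing shows, and that the Method 2 replacement E9D2000000 lands at 00442728, the target stated in the Method 2 text.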

Apply any ONE of these three methods and you can play the game without the annoying CD-check after doing a full install - remember to back up your exe file first though.

That's another one done then...




Company : MLS LaserLock International
Protection : LaserLock
Backup Solution : There is no Generic Patch yet. Separate patches are needed to be able to get around this protection.

Try using the Ignore Read Error setting in Nero, CDRWIN, CD Wizard or DiskJuggler. In some cases it is better to use the CD-Writer as the source CD-Reader, as it is usually better able to read unreadable sectors.

Protected : Asghard, Fallout 2, Metro Police, Shogo & SpecOps
Protection Info
Laserlock uses a combination of encryption software and unique laser marking on the CD surface made during the special LaserLock mastering procedure, in order to make copying practically impossible. Every CD-ROM application has a unique locking parameter that provides a complete protection against illegal re-mastering and reproduction. LaserLock offers excellent protection for every application as each application package is characterized by a unique encryption parameter that is specified during LaserLocking procedure.

The LaserLock protection can be recognized by a (hidden) directory called LASERLOCK which is in the root of the CD.