HOW TO CRACK:
Alien V Predator

Introduction:
OK, you've all played it and you've all found out that it is INCREDIBLY difficult without the option for a savegame. Well, the updated version has that option now. However... the save games are limited. You get 7 on 'Training' and only 3 on 'Realistic', so it's still very, very hard. Every time you save a game the number of saves left goes down by 1 (obviously) until you get to 0; then the message reads 'No saves left' and you're stuck with your last saved game.
But that's where you come in. This tutorial will show you how to patch the new exe file to give you unlimited saves on each level.

Tools needed: SoftICE, WDASM & a hex editor.

The Crack: Load the new avp.exe into WDASM and wait a while...
You could start by trying to search for 'No saves left', but you will not find it. Instead, why not take a look at one of the saved games? Open one of them up in your hex editor and the first thing you'll notice is the string 'AVPSAVE0'. Experimenting with these save games, I found that the number of saves left is stored at offset +19h in the savegame file.
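To make the savegame layout just described concrete, here is a small Python reader for it. This is an added example, not part of the original tutorial and not code from the game: it checks the 'AVPSAVE0' magic, reads the byte at +19h, and flags two conditions a practitioner would want to spot when looking at a directory of saves: a counter of 0 (the state in which the game reports 'No saves left') and a counter above the per-difficulty limit (7 on Training, 3 on Realistic), which a save written by the game itself should never contain. It assumes the counter is a single byte; the tutorial does not say how wide the field is. The sample save produced by build_sample_save is constructed filler around the real magic, not a real save file.

```python
SAVE_MAGIC = b"AVPSAVE0"     # string at the start of every savegame (from the tutorial)
SAVES_LEFT_OFFSET = 0x19     # the tutorial located the saves-left counter at +19h
MAX_SAVES = {"Training": 7, "Realistic": 3}   # per-difficulty limits stated in the tutorial


def parse_savegame(data):
    """Validate the header and return the fields the tutorial identifies.

    Assumption: the counter is a single byte (the tutorial does not give its width)."""
    if len(data) <= SAVES_LEFT_OFFSET:
        raise ValueError("file too short to hold the saves-left counter")
    if not data.startswith(SAVE_MAGIC):
        raise ValueError("missing AVPSAVE0 header: %r" % bytes(data[:8]))
    return {"magic": SAVE_MAGIC.decode("ascii"), "saves_left": data[SAVES_LEFT_OFFSET]}


def classify_savegame(data, difficulty):
    """Return 'ok', 'exhausted' (counter is 0, the state in which the game says
    'No saves left') or 'out-of-range' (counter above the limit for that
    difficulty, which a save written by the game itself should never show)."""
    limit = MAX_SAVES[difficulty]
    n = parse_savegame(data)["saves_left"]
    if n == 0:
        return "exhausted"
    if n > limit:
        return "out-of-range"
    return "ok"


def build_sample_save(saves_left, size=0x40):
    """Constructed sample save: the real magic, zero filler, and the counter at +19h.
    Everything after the magic is an assumption; the real file layout is not described."""
    buf = bytearray(size)
    buf[:len(SAVE_MAGIC)] = SAVE_MAGIC
    buf[SAVES_LEFT_OFFSET] = saves_left & 0xFF
    return bytes(buf)


if __name__ == "__main__":
    for n in (7, 3, 0, 0xFF):
        s = build_sample_save(n)
        print(n, parse_savegame(s),
              classify_savegame(s, "Training"), classify_savegame(s, "Realistic"))
```

Run against real files by replacing build_sample_save with open(path, "rb").read(); the out-of-range case is the one that tells you a save was not produced by the game's own save routine.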

The best way to find out what the program does when saving the game is to search the disassembly for the string found in the savegame file. Search for 'AVPSAVE0' and you will find 2 references to it: the first at 48C8E7 and the second at 48CA2B.
If you look above the second reference you will see calls to 'ReadFile' and 'CloseHandle', so this must be where the savegame is loaded rather than saved. So we will concentrate on the first reference. Here it is below:

* Referenced by a CALL at Address:
:004737F7                                     ----> Routine called from this address
:0048C8CC 53              push ebx
:0048C8CD 51              push ecx
:0048C8CE 52              push edx
:0048C8CF 56              push esi
:0048C8D0 B81C000000      mov eax, 0000001C
:0048C8D5 E8CA6CFEFF      call 004735A4
:0048C8DA 89C1            mov ecx, eax
:0048C8DC 89C6            mov esi, eax
:0048C8DE C70000000000    mov dword ptr [eax], 00000000
:0048C8E4 83C008          add eax, 00000008
:0048C8E7 BB08000000      mov ebx, 00000008
* Possible StringData Ref from Data Obj ->"AVPSAVE0"   ----> String in savegame header

We must find where this routine is being called from, and that is 4737F7, so let's take a look at that piece of code:

:004737E9 E882FEFFFF      call 00473670                    ----> Start of routine
:004737EE 85C0            test eax, eax                    ----> Interesting test (suspicious!)
:004737F0 74E3            je 004737D5                      ----> Another suspicious jump here
:004737F2 E849FEFFFF      call 00473640
:004737F7 E8D0900100      call 0048C8CC                    ----> 'AVPSAVE0' ref called from here
:004737FC 89E2            mov edx, esp
:004737FE 8B3548C85600    mov esi, dword ptr [0056C848]
:00473804 E89F0A0000      call 004742A8
:00473809 E896060000      call 00473EA4
:0047380E E8ADFCF9FF      call 004134C0
:00473813 E82C54FBFF      call 00428C44
:00473818 E8370B0000      call 00474354
:0047381D E8BAD4FFFF      call 00470CDC
:00473822 E8218AFDFF      call 0044C248
:00473827 E8F46FFFFF      call 0046A820
:0047382C E8CF70FFFF      call 0046A900
:00473831 E8A271FFFF      call 0046A9D8
:00473836 E8E1FBFEFF      call 0046341C
:0047383B E8E80BFFFF      call 00464428
:00473840 E80B1B0100      call 00485350
:00473845 A160C85600      mov eax, dword ptr [0056C860]    ----> Position in table
:0047384A E85D900100      call 0048C8AC
:0047384F 6A00            push 00000000
:00473851 6800000010      push 10000000
:00473856 6A02            push 00000002
:00473858 6A00            push 00000000
:0047385A 6A00            push 00000000
:0047385C 6800000040      push 40000000
:00473861 8D442418        lea eax, dword ptr [esp+18]
:00473865 BFFFFFFFFF      mov edi, FFFFFFFF
:0047386A 50              push eax
:0047386B 893D60C85600    mov dword ptr [0056C860], edi

Further down from this code you will see references to 'CreateFile', 'WriteFile' and 'CloseHandle', so it looks like we've got the correct section of code to mess with.

Now load avp.exe into the WinIce loader (loader32.exe) and run it. Set a breakpoint at the start of the routine, 4737EE, and run the game. Now save the game and you should be back in SoftICE looking at the start of the code above.

NOTE: IF YOU ARE USING A VOODOO CARD TO PLAY THE GAME THEN YOU WILL HAVE TO SET THE GAME VIDEO OPTIONS TO YOUR PRIMARY VIDEO CARD AS YOU WILL NOT SEE SOFTICE WHEN THE BREAKPOINT IS REACHED.

Once inside SoftICE (you may still get a corrupt screen, but most of it should be visible; keep trying) step through the code using F10. If you have just saved the game once then the value in EAX at 4737EE should be 01. After you run out of savegames the value will be 00. Try it and watch what happens. The game still says 'No saves left' and you cannot save any more games on this level. Ouch!!

So now that we have found what we're looking for, how do we go about patching the exe file? Well, first of all we need the value at 4737EE to always be more than 0, so we could put the instruction INC EAX there. If the CALL immediately before it at 4737E9 returns with 0, then it will be 01 on reaching the following instruction.

We need to fill 2 bytes at 4737EE. Replacing 85C0 (TEST EAX,EAX) with INC EAX takes just 1 byte, 40h, so add a NOP, 90h, as well to pad it out.

Now find the file offset; use WDASM to find it. It is at 72BEE. Open avp.exe in your hex editor, put 4090 at offset 72BEE and save it.
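The offset step above is what WDASM works out for you. As an added example (not from the tutorial, and not the game's code), the Python below does the same virtual-address-to-file-offset translation from the PE section table itself, and then reports whether the two bytes at that offset are still the original 85 C0 (TEST EAX,EAX) or the 40 90 (INC EAX / NOP) described above, which is the check you want when deciding whether a given copy of an executable has been modified at a known site. The image base of 400000h and a single .text section at RVA 1000h backed by file offset 400h are assumptions: the tutorial does not print the section table, but these are the usual values and they reproduce its 4737EE -> 72BEE mapping exactly (737EEh - 1000h + 400h = 72BEEh). build_sample_pe constructs a throwaway single-section PE32 so the code runs offline; it is not avp.exe.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C   # PE machine id for 32-bit x86
PE32_MAGIC = 0x10B                # optional-header magic for PE32 (not PE32+)

# The two-byte sequences at the patch site, taken from the listing at 4737EE.
TEST_EAX_EAX = bytes.fromhex("85C0")   # original: test eax, eax
INC_EAX_NOP = bytes.fromhex("4090")    # patched:  inc eax ; nop


def parse_pe_sections(image):
    """Return (image_base, sections) from a PE32 file image held in memory.

    sections is a list of (name, virtual_address, virtual_size,
    pointer_to_raw_data, size_of_raw_data) tuples from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    if machine != IMAGE_FILE_MACHINE_I386:
        raise ValueError("not an x86 PE: machine %#x" % machine)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]   # ImageBase field of PE32
    sections = []
    first = opt + opt_size
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(va, image_base, sections):
    """Translate a virtual address (as the disassembler shows it) to a file offset."""
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:
                raise ValueError("%#x is in the non-file-backed tail of %s" % (va, name))
            return raw_ptr + delta
    raise ValueError("%#x is outside every section" % va)


def check_patch_site(image, va, image_base, sections):
    """Report whether the bytes at va are the original test, the known patch, or neither."""
    off = va_to_file_offset(va, image_base, sections)
    found = bytes(image[off:off + 2])
    if found == TEST_EAX_EAX:
        return off, "original"
    if found == INC_EAX_NOP:
        return off, "patched"
    return off, "unexpected:" + found.hex()


def build_sample_pe(image_base=0x400000, text_va=0x1000, text_raw=0x400, text_size=0x80000):
    """Constructed single-section PE32 skeleton (NOT avp.exe) so the example runs offline.

    The layout is an assumption chosen to reproduce the tutorial's mapping
    4737EE -> 72BEE (RVA 737EE - 1000 + 400 = 72BEE)."""
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", text_size, text_va, text_size, text_raw)
    return hdr + bytearray(text_size)                    # headers followed by a zero-filled .text


if __name__ == "__main__":
    img = build_sample_pe()
    img[0x72BEE:0x72BF0] = TEST_EAX_EAX                  # plant the original test eax, eax
    base, secs = parse_pe_sections(img)
    print("%#x -> file offset %#x" % (0x4737EE, va_to_file_offset(0x4737EE, base, secs)))
    print(check_patch_site(img, 0x4737EE, base, secs))
```

Point parse_pe_sections at the bytes of a real file and the same two calls tell you the offset for any address WDASM shows, and whether that site still carries the bytes you expect. One detail worth knowing about the patch itself: INC does update the zero flag, so INC EAX followed by JE would still jump if EAX had been FFFFFFFFh; the patch works here only because the value is a small non-negative count.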


Now clear all your breakpoints, run the game again and try saving it. It works: unlimited savegames! Now you can play the game without cheating anymore!!!


That's it... enjoy...