HOW TO CRACK:
SCARS

Introduction: Scars is a buggy racing game by UbiSoft similar to Rollcage - but nowhere near as good. There are audio tracks on the CD too which play during the game and there are over 130MB of AVIs. So you need the CD in the drive to play the game.............or do you?

Tools needed: WDASM & a hex editor

The Protection: If you remove the CD from the drive and try to play, you get an error message telling you that there is 'No Scars CD in the drive'. You press OK and the game quits.

The Crack:
There are two main executables installed, scarsd3d.exe and scarsfx.exe.
Load the scarsfx.exe into WDASM and wait a while..............

Once the exe is disassembled, search the string references for the above-mentioned string. There are 2 of them, but we want the one at the code below.


:0040A73E 6800800000 push 00008000
:0040A743 68F8384F00 push 004F38F8
:0040A748 E8B3600600 call 00470800 ----------------> Do check
:0040A74D 8BF0 mov esi, eax
:0040A74F 83C408 add esp, 00000008
:0040A752 83FEFF cmp esi, FFFFFFFF ------------> Is value -1
:0040A755 751D jne 0040A774 -----------------> If not -1 then OK goto 40A774
:0040A757 8B0D94324F00 mov ecx, dword ptr [004F3294]
:0040A75D 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"Scars Error"

:0040A75F 6874F84900 push 0049F874

* Possible StringData Ref from Data Obj ->"No Scars CD In Drive" --------------> Here is the error message

:0040A764 6828F84900 push 0049F828
:0040A769 51 push ecx

* Reference To: USER32.MessageBoxA, Ord:0195h

:0040A76A FF15549A7501 Call dword ptr [01759A54]
:0040A770 32C0 xor al, al
:0040A772 5E pop esi
:0040A773 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040A755(C)

:0040A774 56 push esi ---------------------------------> Continue here normally


As you can see, after the call is made, esi is tested for -1 - this is the CD check. If you trace into that call you will see that it is looking for a file SNDXTR on the CD, and if it isn't there then a value of -1 is returned.

To crack this check is very simple. We can either force a value of 0 before the test is made by replacing the call with the instruction MOV ESI, 0 then replacing the next line with 2 NOPs.

Or we could simply force the program to always jump past the error message by replacing the JNE with JMP.

I prefer the first method.

So find the offset in WDASM of the line we want to replace, 9B48h, open your hex editor, go to that offset in the file and enter the following code: BE000000009090. These are the instructions mov esi, 0 followed by nop nop. So the new code should look like this:

:0040A748 BE00000000 mov esi, 00000000 -----------> Force a zero here
:0040A74D 90 nop --------------------------------------------> Do nothing
:0040A74E 90 nop --------------------------------------------> Do nothing

:0040A74F 83C408 add esp, 00000008
:0040A752 83FEFF cmp esi, FFFFFFFF ----------------> Is esi -1? No it's zero now
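
Seen from the protection's side, both modifications described above leave a recognisable footprint in the 15 bytes between the call and the conditional jump. The following is an added example, not part of the original tutorial, that classifies that window using only the bytes shown in the listing; the function and constant names are assumptions, and the two altered samples are constructed from the text's description.

```python
import struct

# The 15 bytes from the call to the jne in the scarsfx.exe listing above
# (VA 0x0040A748 through 0x0040A756).
ORIGINAL = bytes.fromhex("E8B3600600" "8BF0" "83C408" "83FEFF" "751D")
SITE_VA = 0x0040A748   # address of the call instruction in the listing
CHECK_VA = 0x00470800  # target of that call in the listing

def call_target(window, va=SITE_VA):
    """Decode an E8 rel32 call at the start of the window; None if absent."""
    if len(window) < 5 or window[0] != 0xE8:
        return None
    (rel,) = struct.unpack_from("<i", window, 1)
    return (va + 5 + rel) & 0xFFFFFFFF

def findings(window):
    """Return a list of ways the window deviates from the original check."""
    if len(window) != len(ORIGINAL):
        raise ValueError("expected a 15-byte window")
    out = []
    if call_target(window) != CHECK_VA:
        out.append("check call missing or retargeted")
    if window[5:7] != ORIGINAL[5:7]:
        out.append("result no longer copied into esi")
    if window[10:13] != ORIGINAL[10:13]:
        out.append("comparison against -1 altered")
    if window[13] != 0x75:
        out.append("conditional jump replaced")
    return out

# Constructed samples: the two modifications the text describes.
FORCED_ZERO = bytes.fromhex("BE00000000" "9090") + ORIGINAL[7:]
FORCED_JUMP = ORIGINAL[:13] + b"\xEB" + ORIGINAL[14:]

if __name__ == "__main__":
    for name, w in [("original", ORIGINAL), ("forced zero", FORCED_ZERO),
                    ("forced jump", FORCED_JUMP)]:
        print(f"{name:12} {w.hex()}  {findings(w) or 'intact'}")
```

A check confined to a single call and one conditional branch can be located from its error string and fails in both of these ways, which is why an integrity test like this only helps if it runs somewhere other than next to the check itself.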

Do the same for the scarsd3d.exe and run them both. You can copy the rest of the data folder to your hard drive if you want to see the AVIs - it's up to you..................

P.S. If you want to know how to find the hex value of an instruction, just do a search through a disassembly for it and the hex value is on the left of the screen.

I