First of all let me say that this tutorial is aimed at beginners with a little
knowledge of Soft-Ice/cracking. So if you've just bought the game and want to
take it back after seeing how many bugs there are in it then this is for you!
Or you can just go to the end of this tutorial to patch it with a Hex-Editor
if you like.
Download the official patch v1.1 from the www.lucasarts.com patches page and
apply it before going any further. It fixes a few problems with the game. The
main one is that the enemies actually try to dive for cover now rather than
standing there like complete twats with targets on their foreheads shouting
'kill me, kill me!'.
OK then, what you need are the following tools to crack this game: Soft-Ice,
Windows Disassembler and a Hex-Editor.
Having got all of the tools, read on:
Do a maximum install of 870 MB, remove the CD from the drive and run the game
setup/launcher. Start a new game or resume an old game and you will be told
'Please insert one of the product CDs into your CD-ROM drive to proceed.'
You can't start a new game without the original CD in the drive.
With Soft-Ice (SI) loaded do the following:
[1] There are a number of ways programs check for the existence of a CD in
the CD-ROM drive. One is a call to GetDriveTypeA and another is a call to
GetVolumeInformationA.
[2] Load Jones3D.exe into the Windows Disassembler (WDASM), go to the import
functions and search for either of these references. The only one that exists
is GetVolumeInformationA, so run the launcher and then CTRL-D into Soft-Ice
(SI) before selecting New Game or Resume Game.
[3] Set a breakpoint on the call: type 'bpx getvolumeinformationa' (without
the quotes) then press enter. Now start a new game and you will be popped back
into SI at the location shown below. Try tracing each step and read the
various registers as you go to see what information is being placed in them
and read from them. Everything is commented in the listing.
NOP refers to the instruction No OPeration, which basically means do
nothing/ignore.
------------------------------------------------------------------------------
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
:00403D67 FF1554C04000    Call dword ptr [0040C054]       ; we land here
:00403D6D 85C0            test eax, eax                   ; CD in drive: EAX=1, not in drive: EAX=0
:00403D6F 7473            je 00403DE4                     ; ignore the check by placing NOP NOP here
:00403D71 8B4DEC          mov ecx, dword ptr [ebp-14]     ; J3D (first 3 letters of the volume name on the CD) is placed in ECX
:00403D74 3BCB            cmp ecx, ebx                    ; does the name match J3D on the CD?
:00403D76 7405            je 00403D7D                     ; ignore the check by entering NOP NOP here
:00403D78 8B41F0          mov eax, dword ptr [ecx-10]
:00403D7B EB02            jmp 00403D7F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403D76(C)
:00403D7D 33C0            xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403D7B(U)
:00403D7F 3BCB            cmp ecx, ebx
:00403D81 889C05E0FEFFFF  mov byte ptr [ebp+eax-00000120], bl
:00403D88 7405            je 00403D8F
:00403D8A 8B49FC          mov ecx, dword ptr [ecx-04]
:00403D8D EB02            jmp 00403D91
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403D88(C)
:00403D8F 8BCF            mov ecx, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403D8D(U)
:00403D91 8D85E0FEFFFF    lea eax, dword ptr [ebp+FFFFFEE0]
:00403D97 50              push eax                        ; name read from CD
:00403D98 51              push ecx                        ; name J3D on original
* Reference To: KERNEL32.lstrcmpiA, Ord:02FFh
:00403D99 FF15A8C04000    Call dword ptr [0040C0A8]       ; compare both names
:00403D9F 85C0            test eax, eax                   ; if matching EAX=0, if not EAX=-1
:00403DA1 7541            jne 00403DE4                    ; ignore the check by entering NOP NOP here
------------------------------------------------------------------------------
This is as far as we need to go with the tracing, as the launcher now calls
the main file in the \resource folder to run the game, so the game is now
cracked in memory.
There are other ways of cracking the checks, so this is by no means the only
way to do it.
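To make the trace easier to read, here is the same check written out in C. This is an added illustration, not code from the game or from this tutorial: the cd_check function, the result enum and the compare_nocase stand-in for lstrcmpiA are assumptions modelled on the listing above, and the path through :00403D76 is collapsed into its own result for readability rather than reproducing the register shuffling that follows it.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Label the tutorial says the game expects: the first three letters of the
 * CD's volume name. */
#define EXPECTED_LABEL "J3D"

/* One result per branch the trace walks through. */
enum cd_check_result {
    CD_OK = 0,        /* every test passed: the launcher carries on */
    CD_NOT_PRESENT,   /* GetVolumeInformationA returned 0: 'je 00403DE4' at :00403D6F */
    CD_NO_LABEL,      /* nothing to compare: the 'je 00403D7D' at :00403D76 */
    CD_WRONG_LABEL    /* lstrcmpiA returned nonzero: 'jne 00403DE4' at :00403DA1 */
};
/* Portable stand-in for lstrcmpiA (assumption): case-insensitive compare,
 * 0 when equal, otherwise -1 or 1. */
static int compare_nocase(const char *a, const char *b)
{
    while (*a && *b) {
        int d = toupper((unsigned char)*a) - toupper((unsigned char)*b);
        if (d != 0) return d < 0 ? -1 : 1;
        a++;
        b++;
    }
    return (*a == *b) ? 0 : (*a ? 1 : -1);
}

/* Model of the check between :00403D67 and :00403DA1.
 * volume_ok     - the BOOL GetVolumeInformationA returned (EAX after the call)
 * label_from_cd - the volume name buffer the API filled in (pushed as EAX) */
enum cd_check_result cd_check(int volume_ok, const char *label_from_cd)
{
    char prefix[4] = {0};

    /* :00403D6D test eax,eax / :00403D6F je  -> no volume info, no CD */
    if (!volume_ok) return CD_NOT_PRESENT;

    /* :00403D74 cmp ecx,ebx / :00403D76 je  -> nothing to compare */
    if (label_from_cd == NULL || label_from_cd[0] == '\0') return CD_NO_LABEL;

    /* only the first three letters take part, as the trace comment says */
    strncpy(prefix, label_from_cd, 3);

    /* :00403D99 call lstrcmpiA / :00403D9F test eax,eax / :00403DA1 jne */
    if (compare_nocase(prefix, EXPECTED_LABEL) != 0) return CD_WRONG_LABEL;

    return CD_OK;
}
```

Each early return corresponds to one of the conditional jumps the listing marks, which is why every one of them has to be considered when following the check.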
[4] Now quit the game, go to the locations mentioned in WDASM and write down
the offset locations of the code we need to change to NOP NOP.