Free Information Xchange '98 presents:
Pandemonium - CD crack by Static Vengeance
Requirements
Hex editor and full install
Pandemonium is a platform jumping game in simular fashion to the mario jumpers in the
nintendo world. It's alright, but what really stands out is the graphics in the 3Dfx version,
it looks awesome! However, as you can see from this article, it does have one problem and it
comes in the form of a CD check. Using my favorite tool to crack Win95 programs, W32Dasm from
URSoft, I'll show you how to defeat that check. There are two versions of the program that
come with the CD. The file called pandy.exe is the standard program, while the file pandy3.exe
is the 3Dfx enhanced version. It's that version I will be using for the code listings, so if
you want to follow along you will need to use pandy3.exe also. I have included the edit for
pandy.exe below.
Start up W32Dasm and disassemble PANDY3.EXE from where ever it is installed. Once
W32Dasm has finished it's process and is ready, go up to the title bar select "Refs" and choose
"String data references". From here grab the slider bar and scroll down looking to the string
"The Pandemonium CD must be in " You did run the program once without the CD in to see how it
asked for it, right? To continue, double click on the string and it puts you in the middle of
the CD check routine. So let's take a look at the code and see what it does:
* Referenced by a CALL at Address:
|:00436015 <-- who made the call
|
:00427C60 A1FCB14600 mov eax, dword ptr [0046B1FC]
:00427C65 85C0 test eax, eax
:00427C67 741C je 00427C85
:00427C69 E8324EFEFF call 0040CAA0
* Possible StringData Ref from Data Obj ->"The Pandemonium CD must be in " <-- Don't want to
->"the CD-ROM drive before you can " <-- ever see this
->"play."
|
:00427C6E 6810CC4600 push 0046CC10
:00427C73 E878000000 call 00427CF0
:00427C78 83C404 add esp, 00000004
:00427C7B 6A00 push 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00427C39(C)
|
:00427C7D E89E3D0300 call 0045BA20
:00427C82 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00427C41(C), :00427C67(C)
|
:00427C85 C3 ret
That's one short and straight forward routine. So let's check the caller, the above
routine is called once from 436015. However that section of code is in a routine short
enough to list out the entire routine. Listing this code reveals:
* Referenced by a CALL at Addresses:
|:00407084 , :004070D7 , :004071F3 , :0040727E , :004072CC
|:00407319 , :004073A5 , :00407E94 , :00407EEC , :00407F6F
|:00408AE4 , :0040F655 , :0040F82B , :0040F8D7 , :00435F31
|:0044154F , :00441567 , :0045151C
|
:00436010 83EC04 sub esp, 00000004
:00436013 53 push ebx
:00436014 56 push esi
:00436015 E8461CFFFF call 00427C60 <-- Prints insert the CD stuff
:0043601A A164E05900 mov eax, dword ptr [0059E064]
:0043601F 85C0 test eax, eax
:00436021 741D je 00436040 <-- Force this jump to contiune
* Reference To: KERNEL32.Sleep, Ord:023Ah <-- This doesn't look good!!!
| <-- We want to skip this part...
:00436023 8B35B8B48100 mov esi, dword ptr [0081B4B8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043603E(C)
|
:00436029 6A64 push 00000064
:0043602B FFD6 call esi
:0043602D E8AE000000 call 004360E0
:00436032 E8591CFFFF call 00427C90
:00436037 A164E05900 mov eax, dword ptr [0059E064]
:0043603C 85C0 test eax, eax
:0043603E 75E9 jne 00436029
* Referenced by a (U)nconditional or (C)onditional Jump at Address: <-- Getting here continues the game
|:00436021(C)
|
:00436040 8B442410 mov eax, dword ptr [esp+10]
:00436044 8A4C2418 mov cl, byte ptr [esp+18]
:00436048 A35CE05900 mov dword ptr [0059E05C], eax
:0043604D 84C9 test cl, cl
:0043604F 7424 je 00436075
:00436051 8B742414 mov esi, dword ptr [esp+14]
:00436055 56 push esi
:00436056 E8150A0000 call 00436A70
:0043605B C70564E0590000000000 mov dword ptr [0059E064], 00000000
:00436065 83C404 add esp, 00000004
:00436068 83F801 cmp eax, 00000001
:0043606B 1BC0 sbb eax, eax
:0043606D 23C6 and eax, esi
:0043606F 5E pop esi
:00436070 5B pop ebx
:00436071 83C404 add esp, 00000004
:00436074 C3 ret
First off, there are too many calls to this section of code to trace each one and
determine which is/are responsible for the CD check directly. So, instead we'll make our
edit to this section of code. Alright, what do we need to do to make a runnable version
without the CD in the drive? Let's see, first we don't want the call to the "insert CD"
routine to be taken so we'll NOP it out. Next you have to force the conditional jump at
00436021 to always be taken. This is done by changing it from je (jump equal) to jmp
(unconditional jump). Seems fairly simple with a little help, doesn't it? The actual
edits to be made are as follows:
Edit PANDY.EXE (standard version) at offset 189,925
=====================================================
Search for: E8 F6 3B 01 00 A1 D4 2B 59 00 85 C0 74 1D
Change to : 90 90 90 90 90 -- -- -- -- -- -- -- EB --
Edit PANDY3.EXE (3Dfx version) at offset 218,133
=====================================================
Search for: E8 46 1C FF FF A1 64 E0 59 00 85 C0 74 1D
Change to : 90 90 90 90 90 -- -- -- -- -- -- -- EB --
It goes without saying that you loose the CD music, Logos and intros AVI's and when you
finish the game you don't see the finishing AVI (outros.avi). However when the CD is present
the program will make use of it.
Not too hard to FiX Pandemonium was it?
Static Vengeance
Cheat code for 14 ankhs, 8 hearts, any level and special weapon:
------------------------
AOIMFPIJ Fire
AOEMDPIJ Ice
AOMMHPIJ Shrinker