Free Information Xchange '98 presents:
ProPinball: The Web - CD crack by Static Vengeance

Requirements: hex editor and full install

ProPinball: The Web has many of the same features as TimeShock! and the same bug. Having cracked TimeShock!, I figured this one would be really easy and really quick. Well, it was a bit harder than I thought it would be. First off, all the files are stored on the CD except for the couple of EXE files it takes to run the game. So my first thought was to copy the sub-directory "pc_dat" to the "web's" sub-directory and see what happens. Well, of course the game asks for the CD. So I got W32Dasm up and running and put myself in the middle of the CD check routine. That routine looks like this:

* Referenced by a CALL at Address:
|:00413EC0
|
:00415638 53                      push ebx
:00415639 51                      push ecx
:0041563A 52                      push edx
:0041563B 56                      push esi
:0041563C 57                      push edi
:0041563D 55                      push ebp
:0041563E 83EC20                  sub esp, 00000020
:00415641 833DC0CC4200FF          cmp dword ptr [0042CCC0], FFFFFFFF
:00415648 741F                    je 00415669
:0041564A A0C0CC4200              mov al, byte ptr [0042CCC0]
:0041564F 0441                    add al, 41
:00415651 A28CCA4200              mov byte ptr [0042CA8C], al
:00415656 E895FFFFFF              call 004155F0
:0041565B 85C0                    test eax, eax
:0041565D 750A                    jne 00415669
:0041565F C705C0CC4200FFFFFFFF    mov dword ptr [0042CCC0], FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00415648(C), :0041565D(C)
|
:00415669 833DC0CC4200FF          cmp dword ptr [0042CCC0], FFFFFFFF
:00415670 7537                    jne 004156A9
:00415672 BA03000000              mov edx, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041568D(C)
|
:00415677 88D0                    mov al, dl
:00415679 0441                    add al, 41
:0041567B A28CCA4200              mov byte ptr [0042CA8C], al
:00415680 E86BFFFFFF              call 004155F0
:00415685 85C0                    test eax, eax
:00415687 7506                    jne 0041568F
:00415689 42                      inc edx
:0041568A 83FA1A                  cmp edx, 0000001A
:0041568D 7CE8                    jl 00415677

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415687(C)
|
:0041568F 83FA19                  cmp edx, 00000019
:00415692 7E0F                    jle 004156A3

* Possible StringData Ref from Data Obj ->"Please insert "The Web" CD and "   <-- The string that got us
                                  ->"try again"                            <-- to look into the code
|
:00415694 6898A24200              push 0042A298
:00415699 6A2D                    push 0000002D
:0041569B E8A02B0000              call 00418240
:004156A0 83C408                  add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415692(C)
|
:004156A3 8915C0CC4200            mov dword ptr [0042CCC0], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415670(C)
|
:004156A9 BB14000000              mov ebx, 00000014
:004156AE 89E0                    mov eax, esp
:004156B0 BE04020000              mov esi, 00000204
:004156B5 31D2                    xor edx, edx

* Possible StringData Ref from Data Obj ->"?:"
|
:004156B7 BF8CCA4200              mov edi, 0042CA8C
:004156BC E85FD70000              call 00422E20
:004156C1 89742408                mov dword ptr [esp+08], esi
:004156C5 897C240C                mov dword ptr [esp+0C], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00415700(C), :00415709(U), :00415717(U)
|
:004156C9 89E0                    mov eax, esp
:004156CB 50                      push eax
:004156CC 6802330000              push 00003302
:004156D1 6803080000              push 00000803
:004156D6 6A00                    push 00000000

* Reference To: WINMM.mciSendCommandA, Ord:0001h
|
:004156D8 2EFF1568914400          Call dword ptr cs:[00449168]
:004156DF 85C0                    test eax, eax
:004156E1 7436                    je 00415719
:004156E3 6A02                    push 00000002

* Possible StringData Ref from Data Obj ->"Pro Pinball - The Web"
|
:004156E5 68C4A24200              push 0042A2C4

* Possible StringData Ref from Data Obj ->"Unable to play CD tracks. This "
                                  ->"may be because another program "
                                  ->"such as CDPLAYER is already using "
                                  ->"the drive"
|
:004156EA 68DCA24200              push 0042A2DC
:004156EF 8B1D48474300            mov ebx, dword ptr [00434748]
:004156F5 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:000Ah
|
:004156F6 2EFF1534914400          Call dword ptr cs:[00449134]
:004156FD 83F803                  cmp eax, 00000003
:00415700 72C7                    jb 004156C9
:00415702 7607                    jbe 0041570B
:00415704 83F805                  cmp eax, 00000005
:00415707 7449                    je 00415752
:00415709 EBBE                    jmp 004156C9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415702(C)
|
:0041570B 6A02                    push 00000002
:0041570D 6A01                    push 00000001
:0041570F E82C2B0000              call 00418240
:00415714 83C408                  add esp, 00000008
:00415717 EBB0                    jmp 004156C9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004156E1(C)
|
:00415719 8B442404                mov eax, dword ptr [esp+04]
:0041571D A378CA4200              mov dword ptr [0042CA78], eax
:00415722 8D442414                lea eax, dword ptr [esp+14]
:00415726 50                      push eax
:00415727 6800040000              push 00000400
:0041572C 680D080000              push 0000080D
:00415731 8B442410                mov eax, dword ptr [esp+10]
:00415735 BD0A000000              mov ebp, 0000000A
:0041573A 50                      push eax
:0041573B 896C2428                mov dword ptr [esp+28], ebp

* Reference To: WINMM.mciSendCommandA, Ord:0001h   <-- Calls through Windows Multi-Media dll
|
:0041573F 2EFF1568914400          Call dword ptr cs:[00449168]
:00415746 85C0                    test eax, eax
:00415748 7408                    je 00415752
:0041574A 31D2                    xor edx, edx
:0041574C 891578CA4200            mov dword ptr [0042CA78], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00415707(C), :00415748(C)
|
:00415752 83C420                  add esp, 00000020
:00415755 5D                      pop ebp
:00415756 5F                      pop edi
:00415757 5E                      pop esi
:00415758 5A                      pop edx
:00415759 59                      pop ecx
:0041575A 5B                      pop ebx
:0041575B C3                      ret

Simple enough: just trace it backwards and kill the call to the CD check routine. There are two files that have a CD check routine in them: the menu program, which allows you to change some selections, and the actual game, called wgame.exe. I made an edit that killed the call to the CD routine in wgame.exe and ran it. It popped up and ran.... until I hit F1 for one player; then I got a black screen and a pop-up dialog box saying "The Web CD is missing", and it let me click "OKAY" and quit back to Win95. Damn, there is some type of secondary check or flag system in the game. So now the fun really begins! This time I ran the game (with the patch) and had the CD in the drive: same thing! So now it's back to tracing the routines and checking for flags. After many sheets of paper and tons of notes and addresses I thought I would narrow it down to being WINMM related. So I started looking into sections of code that were making mci (winmm) calls. Eventually I found this little section that seemed to have possibilities:

* Referenced by a CALL at Addresses:
|:00404796 , :00408E17 , :00408F2D , :004093C2 , :0040941E
|:00409763 , :004097F5 , :00409894 , :0040AAC7 , :0040D44A   <-- Too MANY calls to trace, but
|:0040D4B3 , :0040D4DE , :0040D549 , :0040D56F , :0040D5EA   <-- it's used a lot
|:0040E3DE , :00410EE3 , :00411E09 , :00411F50 , :00412732
|
:00415840 53                      push ebx
:00415841 51                      push ecx
:00415842 56                      push esi
:00415843 89C3                    mov ebx, eax
:00415845 89D6                    mov esi, edx
:00415847 8B1578CA4200            mov edx, dword ptr [0042CA78]
:0041584D A384CA4200              mov dword ptr [0042CA84], eax
:00415852 85D2                    test edx, edx
:00415854 7411                    je 00415867
:00415856 6A00                    push 00000000
:00415858 6A00                    push 00000000
:0041585A 6808080000              push 00000808
:0041585F 52                      push edx

* Reference To: WINMM.mciSendCommandA, Ord:0001h   <-- I was looking for WINMM calls
|
:00415860 2EFF1568914400          Call dword ptr cs:[00449168]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415854(C)
|
:00415867 89D8                    mov eax, ebx
:00415869 E836FFFFFF              call 004157A4                    <-- what does this call do?
:0041586E 8935541E4300            mov dword ptr [00431E54], esi    <-- Looking for possible flags
:00415874 31F6                    xor esi, esi
:00415876 B801000000              mov eax, 00000001
:0041587B 8935A0CA4200            mov dword ptr [0042CAA0], esi    <-- Looking for possible flags
:00415881 5E                      pop esi
:00415882 59                      pop ecx
:00415883 5B                      pop ebx
:00415884 C3                      ret

Well, I checked out the call and saw it was sending additional mci commands. So I thought I would kill the call at 00415869 and see what happens. Well, the game starts up and I can now play as one player.... but.... no sound at all! hhmmmmm... Getting closer. I thought the mov eax,ebx was needed for the call to 4157A4, so I changed it to xor esi,esi to zero out esi; then the mov dword ptr [00431E54], esi would store a zero there. Tried the game again, still no sound. Well then, what if we prevent anything from being stored at ptr [00431E54]? Well, the game worked (to my delight). So using the information we have, we need to do the following:

- Kill the call to the CD check routine.
- Kill the above listed call at 415869 and make sure ptr [00431E54] is NOT changed.

So looking at the code I thought that, as long as ESI is getting xor'ed with itself (or otherwise zeroed out), I would change the mov dword ptr [00431E54], esi to mov esi, dword ptr [00431E54], and that way we only load from there. Plus, instead of changing the "89 35 54 1E 43 00" to all 90's, we'll only have to change the 89 to 8B and that turns the instruction around!

So to crack this one you'll need to:

1. Install the game to your hard drive
2. Copy the PC_DAT directory to the same directory as "The Web"
3. Make the following edits to the EXE files listed:

Edit wgame.exe
===========================================
Search for: E8 73 17 00 00        offset 78,528
Change to : 90 90 90 90 90

Search for: E8 36 FF FF FF 89     offset 85,097
Change to : 90 90 90 90 90 8B

Edit menu.exe
===========================================
Search for: E8 33 1F 00 00        offset 10,576
Change to : 90 90 90 90 90

Search for: E8 36 FF FF FF 89     offset 19,129
Change to : 90 90 90 90 90 8B

Granted, this one was a little bit more work, but it's FiX'ed now!

Static Vengeance