Free Information Xchange '98 presents:
Powerboat Racing - CD crack by Static Vengeance
Requirements:
Full game install and hex editor
W32Dasm if you want to follow along
When I started this crack, the first thing I did was to install the program and run it without
the CD in the drive to see how the program reacted. When I started up Powerboat Racing (PBR) it would
come up but only have a few things to do from the main menu. One of the choises lacking on the main
menu was starting a new game. Well, no pop up dialog box this time so things were going to be a little
bit more involved then just double clicking on a "Insert CD..." string. The first plan of attack is to
do a text string search for "GetDriveTypeA" which is a KERNEL32 call to get the type of drive to work
with. The first occurrance didn't seem to have anything to do with the CD check, so I searched for the
next occurrance and found this routine:
* Referenced by a CALL at Addresses:
|:0040AD1E , :0042B524 , :004531C8 , :0046D35A <-- Called from 4 different places
|
:0040C454 53 push ebx
:0040C455 51 push ecx
:0040C456 52 push edx
:0040C457 56 push esi
:0040C458 57 push edi
:0040C459 55 push ebp
:0040C45A 81EC18010000 sub esp, 00000118
:0040C460 8D842414010000 lea eax, dword ptr [esp+00000114]
:0040C467 50 push eax
:0040C468 683F000F00 push 000F003F
:0040C46D 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Software\Promethean Designs\Powerboat "
->"Racing"
|
:0040C46F 6834CB4900 push 0049CB34
:0040C474 6802000080 push 80000002
* Reference To: ADVAPI32.RegOpenKeyExA, Ord:0005h <-- Getting info from the registry
|
:0040C479 2EFF1568014F00 Call dword ptr cs:[004F0168]
:0040C480 85C0 test eax, eax
:0040C482 0F8526010000 jne 0040C5AE
:0040C488 8D84240C010000 lea eax, dword ptr [esp+0000010C]
:0040C48F 50 push eax
:0040C490 8D842418010000 lea eax, dword ptr [esp+00000118]
:0040C497 50 push eax
:0040C498 6A00 push 00000000
:0040C49A 683F000F00 push 000F003F
:0040C49F 6A00 push 00000000
:0040C4A1 68C4BD4900 push 0049BDC4
:0040C4A6 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Software\Promethean Designs\Powerboat "
->"Racing"
|
:0040C4A8 6864CB4900 push 0049CB64
:0040C4AD 6802000080 push 80000002
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:0003h
|
:0040C4B2 2EFF1560014F00 Call dword ptr cs:[004F0160]
:0040C4B9 85C0 test eax, eax
:0040C4BB 0F85ED000000 jne 0040C5AE
:0040C4C1 8D842410010000 lea eax, dword ptr [esp+00000110]
:0040C4C8 50 push eax
:0040C4C9 8D442404 lea eax, dword ptr [esp+04]
:0040C4CD 50 push eax
:0040C4CE 8D842410010000 lea eax, dword ptr [esp+00000110]
:0040C4D5 50 push eax
:0040C4D6 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Installed From" <-- the registry key for the CD drive letter
|
:0040C4D8 68D8CA4900 push 0049CAD8
:0040C4DD 8B9C2428010000 mov ebx, dword ptr [esp+00000128]
:0040C4E4 BA80000000 mov edx, 00000080
:0040C4E9 53 push ebx
:0040C4EA 89942428010000 mov dword ptr [esp+00000128], edx
* Reference To: ADVAPI32.RegQueryValueExA, Ord:0006h
|
:0040C4F1 2EFF156C014F00 Call dword ptr cs:[004F016C]
:0040C4F8 85C0 test eax, eax
:0040C4FA 740A je 0040C506
* Possible StringData Ref from Data Obj ->"Error reading Installed From registry "
->"value."
|
:0040C4FC B894CB4900 mov eax, 0049CB94
:0040C501 E84AAB0200 call 00437050
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C4FA(C)
|
* Possible StringData Ref from Data Obj ->"PBOAT.EXE" <-- Search for the main program file
|
:0040C506 BE18CB4900 mov esi, 0049CB18
:0040C50B 89E7 mov edi, esp
* Possible StringData Ref from Data Obj ->"rb" <-- "rb" or Read Binary
|
:0040C50D BA24CB4900 mov edx, 0049CB24
:0040C512 57 push edi
:0040C513 2BC9 sub ecx, ecx
:0040C515 49 dec ecx
:0040C516 B000 mov al, 00
:0040C518 F2 repnz
:0040C519 AE scasb
:0040C51A 4F dec edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C531(C)
|
:0040C51B 8A06 mov al, byte ptr [esi]
:0040C51D 8807 mov byte ptr [edi], al
:0040C51F 3C00 cmp al, 00
:0040C521 7410 je 0040C533
:0040C523 8A4601 mov al, byte ptr [esi+01]
:0040C526 83C602 add esi, 00000002
:0040C529 884701 mov byte ptr [edi+01], al
:0040C52C 83C702 add edi, 00000002
:0040C52F 3C00 cmp al, 00
:0040C531 75E8 jne 0040C51B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C521(C)
|
:0040C533 5F pop edi
:0040C534 89E0 mov eax, esp
:0040C536 B908000000 mov ecx, 00000008
:0040C53B 8DBC2400010000 lea edi, dword ptr [esp+00000100]
:0040C542 E849510800 call 00491690
:0040C547 89C6 mov esi, eax
:0040C549 89C5 mov ebp, eax
:0040C54B 31C0 xor eax, eax
:0040C54D 89E2 mov edx, esp
:0040C54F 88C4 mov ah, al
:0040C551 6689C3 mov bx, ax
:0040C554 C1C010 rol eax, 10
:0040C557 6689D8 mov ax, bx
:0040C55A 89CB mov ebx, ecx
:0040C55C C1F902 sar ecx, 02
:0040C55F F3 repz
:0040C560 AB stosd
:0040C561 89D9 mov ecx, ebx
:0040C563 83E103 and ecx, 00000003
:0040C566 F3 repz
:0040C567 AA stosb
:0040C568 BB03000000 mov ebx, 00000003
:0040C56D 8D842400010000 lea eax, dword ptr [esp+00000100]
:0040C574 E88D570800 call 00491D06
:0040C579 8D842400010000 lea eax, dword ptr [esp+00000100]
:0040C580 50 push eax
* Reference To: KERNEL32.GetDriveTypeA, Ord:0003h <-- Commonly used in CD checks and how
| <-- we found this routine
:0040C581 2EFF150C024F00 Call dword ptr cs:[004F020C]
:0040C588 89C2 mov edx, eax <-- Drive type value in eax moved to edx
:0040C58A 85F6 test esi, esi
:0040C58C 7407 je 0040C595
:0040C58E 89F0 mov eax, esi
:0040C590 E8AE550800 call 00491B43
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C58C(C)
|
:0040C595 83FA05 cmp edx, 00000005 <-- Compare drive type to CD rom value
:0040C598 7514 jne 0040C5AE <-- Take this jump for non-CD drive
:0040C59A 85ED test ebp, ebp
:0040C59C 7410 je 0040C5AE
:0040C59E E81D000000 call 0040C5C0
:0040C5A3 85C0 test eax, eax
:0040C5A5 7407 je 0040C5AE
:0040C5A7 B801000000 mov eax, 00000001 <-- Set up for passed CD check
:0040C5AC EB02 jmp 0040C5B0 <-- Jump over "set for fail"
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: <-- All fails come to this
|:0040C482(C), :0040C4BB(C), :0040C598(C), :0040C59C(C), :0040C5A5(C) <-- this point!
|
:0040C5AE 31C0 xor eax, eax <-- Set up for failed CD check
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C5AC(U)
|
:0040C5B0 81C418010000 add esp, 00000118 <-- Jump to or fall through to this
:0040C5B6 5D pop ebp <-- exitting section of code
:0040C5B7 5F pop edi
:0040C5B8 5E pop esi
:0040C5B9 5A pop edx
:0040C5BA 59 pop ecx
:0040C5BB 5B pop ebx
:0040C5BC C3 ret
That's the routine that checks for the pboat.exe on the CD which is of course the CD check! So
now we are left with figuring out how to disable it and make it always return good. Or you can back
trace the 4 callers and get the 4 strings to search for and change them to B8 01 00 00 00. I thought
as long as the failed attemps all come down to 40C5AE, why not change the XOR EAX, EAX to JMP 40C5A7.
That way when the CD check fails the code comes to 40C5AE and is redirected up to 40C5A7 which will
load eax with 00000001, the value for a passed CD check. Then it jumps over our rediect jump to the
exit section. This will work out just right as we can use the 8 bit jump which is a 2 byte instruction
and the same length as the xor instruction. Making this edit to the exe file results in a playable
Powerboat Racing that no longer requires you to have the CD online. So search for the following
string: 74 07 B8 01 00 00 00 EB 02 31 C0 81 C4 and change the "31 C0" to "EB F7" The actual edit:
Edit Pboat.exe at offset 47,534
===============================
Search for: 31 C0 81 C4
Change to : EB F7 -- --
Once again a simple CD check (read "program bug") has been FiX'ed
Static Vengeance
PS> After digging around in the disassembled code I found this:
Powerboat Racing CHEATS by Static Vengeance
Enter as PASSWORD
FAN Catamarans in Minnow Class
DIP Catamarans in Pike Class
URN Catamarans in Baracuda Class
PBR Enable slalom racing
PDL Enable secret MINES race course
EPS Enable Championship race
Enter as your name
BIG Infamous Japanese BIG-HEAD mode
POW Big engines
SML Tiny boats (radio control size)
WIN All other racers at half speed so you can WIN
TIP: Just as the anouncer says "one" take off. If you do it right
you get a TURBO launch like in UBISoft's pod