Free Information Xchange '97 presents:

TUROK: Dinosaur Hunter - CD Crack
by Static Vengeance

Requirements: Hex Editor and Full Install

Alright, here's a decent game to play, except for that darn CD check before the game. The game is a first person 3D shooter (à la Doom) by Acclaim that requires a 3D accelerator card. Having a Monster 3D card makes playing this game a ton of fun! Plenty of things to kill and you see some blood here and there. A few nice death spasms thrown in and you have yourself a nice game to play. But before we can play Turok, we need to "play" a little game with the CD check routine.

Using my favorite tool to crack Win95 programs, W32Dasm by URSoft, I was able to find the CD check routine and figure a way around it. So my reward for my efforts was a cracked version of Turok on my hard drive.

Running W32Dasm, disassemble Turok.exe, and when W32Dasm is finished we use that same old trick to find the references to the CD check dialog. Go up to the title bar and select "Refs" from the menu, drop down to "String data references", then grab the slider bar and scroll down to the string "Turok requires a CDROM Drive to run!" and double click on it. That will put you in the middle of the routine listed below. I looked at the code at 4113C3 and saw a single call to the routine, but it pushes values on the stack. So that leaves us to patch the check routine itself instead of killing the call to it.
So follow along:

* Referenced by a CALL at Address:
|:004113C3
|
:00404560 81EC08010000            sub esp, 00000108
:00404566 53                      push ebx
:00404567 55                      push ebp
:00404568 56                      push esi
:00404569 57                      push edi
:0040456A 8D442418                lea eax, dword ptr [esp+18]
:0040456E 33FF                    xor edi, edi
:00404570 6800010000              push 00000100
:00404575 50                      push eax
:00404576 897C2418                mov dword ptr [esp+18], edi
:0040457A 33ED                    xor ebp, ebp
:0040457C E87FFEFFFF              call 00404400       <-- Checks for a CD drive on system
:00404581 8B9C2424010000          mov ebx, dword ptr [esp+00000124]
:00404588 83C408                  add esp, 00000008
:0040458B 3BC7                    cmp eax, edi
:0040458D 89442414                mov dword ptr [esp+14], eax
:00404591 752A                    jne 004045BD        <-- Remember this for later
:00404593 39BC2420010000          cmp dword ptr [esp+00000120], edi
:0040459A 0F84BD000000            je 0040465D         <-- And this too!
:004045A0 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"No CDROM Drive Found!"
|
:004045A2 68D0024900              push 004902D0

* Possible StringData Ref from Data Obj ->"Turok requires a CDROM Drive to "   <-- String we searched
                                        ->"run!"                               <-- for is right here
|
:004045A7 68A8024900              push 004902A8
:004045AC 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:004045AD FF1588157C00            Call dword ptr [007C1588]
:004045B3 6A01                    push 00000001
:004045B5 E866B70700              call 0047FD20
:004045BA 83C404                  add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404591(C), :0040464A(C)
|
:004045BD 85ED                    test ebp, ebp
:004045BF 0F858B000000            jne 00404650
:004045C5 8B442414                mov eax, dword ptr [esp+14]
:004045C9 33F6                    xor esi, esi
:004045CB 85C0                    test eax, eax
:004045CD 7E38                    jle 00404607

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404605(C)
|
:004045CF 85ED                    test ebp, ebp
:004045D1 7534                    jne 00404607
:004045D3 8A4C3418                mov cl, byte ptr [esp+esi+18]
:004045D7 51                      push ecx
:004045D8 53                      push ebx
:004045D9 E8A2FEFFFF              call 00404480       <-- WINMM calls to mciSendCommandA
:004045DE 8BF8                    mov edi, eax
:004045E0 83C408                  add esp, 00000008
:004045E3 85FF                    test edi, edi
:004045E5 7417                    je 004045FE
:004045E7 E804FCFFFF              call 004041F0       <-- More WINMM calls to mciSendCommandA
:004045EC 85C0                    test eax, eax
:004045EE 7407                    je 004045F7
:004045F0 BD01000000              mov ebp, 00000001
:004045F5 EB07                    jmp 004045FE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004045EE(C)
|
:004045F7 E874000000              call 00404670       <-- More WINMM calls to mciSendCommandA
:004045FC 33FF                    xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004045E5(C), :004045F5(U)
|
:004045FE 8B442414                mov eax, dword ptr [esp+14]
:00404602 46                      inc esi
:00404603 3BF0                    cmp esi, eax
:00404605 7CC8                    jl 004045CF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004045CD(C), :004045D1(C)
|
:00404607 8BB42420010000          mov esi, dword ptr [esp+00000120]
:0040460E 85F6                    test esi, esi
:00404610 742A                    je 0040463C
:00404612 85ED                    test ebp, ebp
:00404614 7522                    jne 00404638
:00404616 6A05                    push 00000005

* Possible StringData Ref from Data Obj ->"Turok CD Not Found!"
|
:00404618 6894024900              push 00490294

* Possible StringData Ref from Data Obj ->"Unable to find Turok CD, Verify "          <-- More stuff
                                        ->"CD is in drive and no other application "  <-- about the CD
                                        ->"is using CDROM Drive."
|
:0040461D 6834024900              push 00490234
:00404622 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00404623 FF1588157C00            Call dword ptr [007C1588]
:00404629 83F802                  cmp eax, 00000002   <-- 00000002 means you hit cancel
:0040462C 750A                    jne 00404638
:0040462E 6A01                    push 00000001
:00404630 E8EBB60700              call 0047FD20
:00404635 83C404                  add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404614(C), :0040462C(C)
|
:00404638 85F6                    test esi, esi
:0040463A 7508                    jne 00404644

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404610(C)
|
:0040463C C744241001000000        mov [esp+10], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040463A(C)
|
:00404644 8B442410                mov eax, dword ptr [esp+10]
:00404648 85C0                    test eax, eax
:0040464A 0F846DFFFFFF            je 004045BD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004045BF(C)
|
:00404650 8BC7                    mov eax, edi
:00404652 5F                      pop edi
:00404653 5E                      pop esi
:00404654 5D                      pop ebp
:00404655 5B                      pop ebx
:00404656 81C408010000            add esp, 00000108
:0040465C C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040459A(C)
|
:0040465D 893DDC3B5100            mov dword ptr [00513BDC], edi
:00404663 5F                      pop edi
:00404664 5E                      pop esi
:00404665 5D                      pop ebp
:00404666 33C0                    xor eax, eax
:00404668 5B                      pop ebx
:00404669 81C408010000            add esp, 00000108
:0040466F C3                      ret

The CD check is actually done through sets of calls to WINMM (the WINdows Multi-Media DLL), and when those come back with error codes the program knows there's no CD in the drive. Also, as you can see, there are two sections of code that clean up and return to the caller. Remember those two lines at the beginning?
Well, let's kill the first conditional jump and force the second jump to 0040465D and see what happens. Well... you run the game and it starts right up! No more CD check to worry about, right? Ok, so the edits to the file would be:

Edit turok.exe (offset 16,785)
========================================================
Search for: 75 2A 39 BC 24 20 01 00 00 0F 84 BD 00 00 00
Change to : 90 90 -- -- -- -- -- -- -- 90 E9 -- -- -- --

Alright, the first two 90's replace the conditional jump with two NOPs. The second part of the edit changes the conditional jump (long) into an unconditional jump (long), but because of the size difference (the long conditional jump op-code is two bytes, 0F 84, while the unconditional op-code is a single byte, E9, and both are followed by a 32-bit relative offset) you need to change the first byte to a NOP and the second to JMP. The offset itself stays the same, since the jump still ends at the same address and the offset is relative to that address. I hope you understand what I mean by that; an example of this edit would be:

:00404591 752A                    jne 004045BD        <-- Do the CD check
:00404593 39BC2420010000          cmp dword ptr [esp+00000120], edi
:0040459A 0F84BD000000            je 0040465D         <-- Jump Equal {continue code}

-- Becomes --

:00404591 90                      nop                 <-- Do nothing except go to the next op-code
:00404592 90                      nop                 <-- Do nothing except go to the next op-code
:00404593 39BC2420010000          cmp dword ptr [esp+00000120], edi
:0040459A 90                      nop                 <-- Do nothing except go to the next op-code
:0040459B E9BD000000              jmp 0040465D        <-- JuMP {continue code}

There's just one EXE file; it uses different DLLs for the different 3D cards out there. Another CD check bytes (bites?) the dust... and another victory for the bad guys -or- the GOOD GUYS depending on your point of view!

Turok is now FiX'ed

Static Vengeance
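The "offset remains the same" point is the part of this edit that usually trips people up, so here is a way to check it rather than take it on faith. The Python below is an added example, not code from the original tutorial or from W32Dasm: it decodes the three branch encodings that appear in the listing (short Jcc rel8, near Jcc 0F 8x rel32, near JMP E9 rel32) plus the one CMP in between, applies the search/replace pattern from the text to a constructed copy of the 15 bytes printed at 00404591, and resolves the branch targets before and after. The helper names (`apply_wildcard_patch`, `decode`, `walk`, `branch_targets`) are chosen here and are not from the game or any tool.

```python
# Added example: decode the relative jumps in the listing above and check the
# "offset remains the same" claim behind the 0F 84 -> 90 E9 rewrite.
# Not code from the original tutorial; helper names are chosen here.
import struct

# Constructed copy of the 15 bytes printed at VA 00404591 in the W32Dasm listing.
ORIGINAL_VA = 0x00404591
ORIGINAL = bytes.fromhex("752A" "39BC2420010000" "0F84BD000000")

# The hex-editor search/replace pair from the text; "--" means "leave this byte alone".
SEARCH = "75 2A 39 BC 24 20 01 00 00 0F 84 BD 00 00 00"
CHANGE = "90 90 -- -- -- -- -- -- -- 90 E9 -- -- -- --"

# Condition-code mnemonics shared by 7x (short) and 0F 8x (near) conditional jumps.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def apply_wildcard_patch(data: bytes, search: str, change: str) -> bytes:
    """Find `search` in `data` and overwrite it with `change`, keeping bytes marked '--'."""
    pattern = bytes.fromhex(search.replace(" ", ""))
    idx = data.find(pattern)
    if idx < 0:
        raise ValueError("search pattern not found")
    out = bytearray(data)
    for i, tok in enumerate(change.split()):
        if tok != "--":
            out[idx + i] = int(tok, 16)
    return bytes(out)


def modrm_length(b: bytes) -> int:
    """Length of a 32-bit ModRM byte plus any SIB and displacement that follow it."""
    mod, rm = b[0] >> 6, b[0] & 7
    n = 1
    if mod != 3 and rm == 4:          # SIB byte present
        n += 1
        if mod == 0 and (b[1] & 7) == 5:
            n += 4                    # SIB with no base register: disp32
    if mod == 1:
        n += 1                        # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                        # disp32
    return n


def decode(b: bytes, va: int):
    """Decode one instruction at `va`; return (mnemonic, length, branch target or None).

    Only the opcodes present in the listing are handled: NOP, CMP r/m32,r32,
    short Jcc/JMP (rel8), near Jcc 0F 8x (rel32) and near JMP E9 (rel32).
    Every target is computed from the address of the *next* instruction, which is
    why 90 E9 rel32 lands where 0F 84 rel32 did: both end at the same address."""
    op = b[0]
    if op == 0x90:
        return ("nop", 1, None)
    if op == 0x39:
        return ("cmp", 1 + modrm_length(b[1:]), None)
    if 0x70 <= op <= 0x7F or op == 0xEB:
        rel = struct.unpack("<b", b[1:2])[0]
        return ("jmp" if op == 0xEB else JCC[op - 0x70], 2, va + 2 + rel)
    if op == 0xE9:
        rel = struct.unpack("<i", b[1:5])[0]
        return ("jmp", 5, va + 5 + rel)
    if op == 0x0F and 0x80 <= b[1] <= 0x8F:
        rel = struct.unpack("<i", b[2:6])[0]
        return (JCC[b[1] - 0x80], 6, va + 6 + rel)
    raise ValueError(f"opcode {op:02X} at {va:08X} not handled")


def walk(code: bytes, va: int):
    """Linear sweep over `code`, returning (va, mnemonic, target) per instruction."""
    out, pos = [], 0
    while pos < len(code):
        mnem, n, tgt = decode(code[pos:], va + pos)
        out.append((va + pos, mnem, tgt))
        pos += n
    return out


def branch_targets(code: bytes, va: int):
    """Only the instructions that branch, with their resolved absolute targets."""
    return [(a, m, t) for a, m, t in walk(code, va) if t is not None]


if __name__ == "__main__":
    patched = apply_wildcard_patch(ORIGINAL, SEARCH, CHANGE)
    for label, code in (("original", ORIGINAL), ("patched", patched)):
        print(label)
        for a, m, t in walk(code, ORIGINAL_VA):
            target = "" if t is None else f"{t:08X}"
            print(f"  :{a:08X}  {m:<4} {target}")
```

Running it prints the two listings from the text: the original resolves jne to 004045BD and je to 0040465D, and the patched bytes resolve the single jmp at 0040459B to the same 0040465D, with the byte count unchanged. The same decoder resolves the other rel8/rel32 branches in the routine above (for instance 0F 85 8B 00 00 00 at 004045BF to 00404650), so it doubles as a check on any hand-computed target.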