Free Information Xchange '97 presents:

Virtua Fighter 2 - CD Crack by Static Vengeance

Requirements: Hex Editor and Full game install

How I cracked Virtua Fighter 2 by SEGA Entertainment with W32Dasm by URSoft.

First off, I'm following the Direct3D patch that was posted on the net. The same ideas work for the file on the CD, so if you're following along don't worry about addresses that don't match up. Run W32Dasm and disassemble vf2.exe. When the program is ready, select "Refs" from the menu bar and choose 'String data references'. Grab the slider bar and scroll down a bit, looking for the CD volume name (Virtua Fighter 2) and/or something like "insert..." or "please insert...". When you do find a likely string, double-click on it and W32Dasm will take you to that section of code. You should see something like the following:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004197E3(C)
|
:00419810 6805000100            push 00010005

* Possible StringData Ref from Data Obj ->"Virtua Fighter 2"   <--- Title in dialog box
|
:00419815 688CCC5400            push 0054CC8C

* Possible StringData Ref from Data Obj ->"Insert the Virtua Fighter 2 CD-ROM "   <--- Need I say anything
                                        ->"in the CD-ROM drive"                   <--- About these lines?
|
:0041981A 68A0CC5400            push 0054CCA0

* Reference To: USER32.GetDesktopWindow, Ord:00F0h
|
:0041981F FF15C8D6F600          Call dword ptr [00F6D6C8]
:00419825 50                    push eax

* Reference To: USER32.MessageBoxA, Ord:019Bh
|
:00419826 FF151CD7F600          Call dword ptr [00F6D71C]
:0041982C 8985FCFEFFFF          mov dword ptr [ebp+FFFFFEFC], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041976F(U), :004197A3(U), :004197D7(U), :0041980B(U)
|
:00419832 83BDFCFEFFFF02        cmp dword ptr [ebp+FFFFFEFC], 00000002
:00419839 0F8507000000          jne 00419846
:0041983F 33C0                  xor eax, eax
:00419841 E905000000            jmp 0041984B

Okay, so now that we've found the section that calls for the CD, let's trace (list) it backwards to find the beginning of the routine.
Search backwards by hand (visually), looking for some RET or RET 00xx. Listing the program code backwards reveals the "Insert the Virtua Fighter CD-ROM..." in a couple of different languages, but let's keep going. Going and going backwards, you will eventually find:

* Referenced by a CALL at Address:
|:00418FD6
|
:004196A1 55                    push ebp
:004196A2 8BEC                  mov ebp, esp
:004196A4 81EC04010000          sub esp, 00000104
:004196AA 53                    push ebx
:004196AB 56                    push esi
:004196AC 57                    push edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419846(U)
|
:004196AD C785FCFEFFFF41000000  mov dword ptr [ebp+FFFFFEFC], 00000041
:004196B7 E906000000            jmp 004196C2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00419721(U), :0041973B(U)
|
:004196BC FF85FCFEFFFF          inc dword ptr [ebp+FFFFFEFC]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004196B7(U)
|
:004196C2 83BDFCFEFFFF5A        cmp dword ptr [ebp+FFFFFEFC], 0000005A
:004196C9 0F8F71000000          jg 00419740
:004196CF 68ACCA5400            push 0054CAAC
:004196D4 8D8500FFFFFF          lea eax, dword ptr [ebp+FFFFFF00]
:004196DA 50                    push eax
:004196DB E870361000            call 0051CD50
:004196E0 83C408                add esp, 00000008
:004196E3 8A85FCFEFFFF          mov al, byte ptr [ebp+FFFFFEFC]
:004196E9 888500FFFFFF          mov byte ptr [ebp+FFFFFF00], al
:004196EF 8D8500FFFFFF          lea eax, dword ptr [ebp+FFFFFF00]
:004196F5 50                    push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh   <--- this type of line shouts "CD check" to me
|
:004196F6 FF152CD5F600          Call dword ptr [00F6D52C]
:004196FC 83F805                cmp eax, 00000005   <-- 05 is the value for a CD-ROM drive
:004196FF 0F8536000000          jne 0041973B

* Possible StringData Ref from Data Obj ->"VF2/VF2.EXE"   <--- and here is the file we need to verify
|
:00419705 68B0CA5400            push 0054CAB0
:0041970A 8D8500FFFFFF          lea eax, dword ptr [ebp+FFFFFF00]
:00419710 50                    push eax
:00419711 E83A010000            call 00419850
:00419716 83C408                add esp, 00000008
:00419719 85C0                  test eax, eax
:0041971B 0F8505000000          jne 00419726
:00419721 E996FFFFFF            jmp 004196BC

So now we know this routine starts at 4196A1 and is called from 418FD6. Let's take a quick look at that bit of code, and we'll find this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418FC4(C)
|
:00418FD1 E8C5080000            call 0041989B
:00418FD6 E8C6060000            call 004196A1   <--- Call to CD check
:00418FDB 85C0                  test eax, eax   <--- do bit test
:00418FDD 0F850A000000          jne 00418FED    <--- continue with game
:00418FE3 B801000000            mov eax, 00000001
:00418FE8 E9AD060000            jmp 0041969A    <--- exit program to Win95

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418FDD(C)
|

The call we want to kill is at 418FD6, so search the vf2.exe file for E8 C6 06 00 00 85 C0 0F 85 0A 00 00 00 and change the call 004196A1 to mov eax, 00000001 (B8 01 00 00 00). This will overwrite the CD check call and set up to force the conditional jump to always be true (taken), which allows us to play the game without the CD being online. With all that in mind, the actual edits to be made are as follows:

CD version edit VF2.exe at offset 80,463
========================================
Search for: E8 FF 07 00 00
Change to : B8 01 00 00 00

For the D3D patches that have been released from Sega Japan:

Initial D3D patch edit VF2.exe at offset 99,286
Dwango D3D patch edit VF2.exe at offset 99,654
==============================================
Search for: E8 C6 06 00 00
Change to : B8 01 00 00 00

or search for: 85 C0 0F 85 0A 00 00 00, back up 5 bytes, and change the "E8 xx xx xx xx" to "B8 01 00 00 00". That will produce a cracked copy of Virtua Fighter 2.

Have fun... with the D3D version and a 3D accelerator card! Once again, I hope you learned something about how to approach a simple CD check. That's all for tonight.

One last thing: to get the "Portrait Mode" to work correctly, copy all BMPs from the Virtua Fighter 2 CD (from x:\Vf2\bmp\, substituting your CD-ROM drive letter for "x") to the \Bmp\ directory where you installed VF2.
While this will add another 35 megs to the install, the result is a complete working version with all options and features, but will NOT require the original CD in your CD-ROM drive.

So now Virtua Fighter 2 has been completely FiX'ed

Static Vengeance
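
An added example, not part of the original text: it decodes the rel32 CALL/JMP/Jcc encodings quoted in the listings above and confirms each resolves to the target W32Dasm printed. The displacement is relative to the address of the next instruction, which is why the same call is encoded with different bytes in different builds. Function names are illustrative; the sample rows are copied from the page's listings.

```python
import struct

# Rows copied from the W32Dasm listings on this page:
# (instruction address, raw bytes as hex, target shown in the listing)
LISTING = [
    (0x00418FD1, "E8C5080000",   0x0041989B),  # call
    (0x00418FD6, "E8C6060000",   0x004196A1),  # call to the CD-check routine
    (0x00418FDD, "0F850A000000", 0x00418FED),  # jne (two-byte opcode)
    (0x00418FE8, "E9AD060000",   0x0041969A),  # jmp
    (0x004196C9, "0F8F71000000", 0x00419740),  # jg
    (0x004196DB, "E870361000",   0x0051CD50),  # call, large forward displacement
    (0x00419721, "E996FFFFFF",   0x004196BC),  # jmp with a negative displacement
]


def branch_target(address, raw):
    """Return the absolute target of a rel32 CALL/JMP/Jcc located at `address`."""
    if raw[:1] in (b"\xE8", b"\xE9"):                    # CALL rel32 / JMP rel32
        opcode_len = 1
    elif len(raw) >= 2 and raw[0] == 0x0F and 0x80 <= raw[1] <= 0x8F:
        opcode_len = 2                                   # Jcc rel32 (0F 80..0F 8F)
    else:
        raise ValueError("not a rel32 branch: " + raw.hex())
    if len(raw) != opcode_len + 4:
        raise ValueError("wrong length for a rel32 branch: " + raw.hex())
    # The displacement is a signed 32-bit little-endian value...
    (disp,) = struct.unpack_from("<i", raw, opcode_len)
    # ...added to the address of the instruction that follows the branch.
    next_ip = address + len(raw)
    return (next_ip + disp) & 0xFFFFFFFF


def check_listing(rows=LISTING):
    """Return rows whose decoded target disagrees with the listing (empty if none)."""
    mismatches = []
    for address, hexbytes, shown in rows:
        decoded = branch_target(address, bytes.fromhex(hexbytes))
        if decoded != shown:
            mismatches.append((address, shown, decoded))
    return mismatches


if __name__ == "__main__":
    for address, hexbytes, _ in LISTING:
        target = branch_target(address, bytes.fromhex(hexbytes))
        print("%08X  %-12s -> %08X" % (address, hexbytes, target))
    print("mismatches:", check_listing())
```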