Name : Need for Speed 3
Target : nfs3.exe
Tools : W32Dasm
Hiew
Brain
Cracker : LW2000
Tutorial : No.30
---
DISCLAIMER
For educational purposes only!
I hold no responsibility of the mis-used of this material!
---
1. Ok, install the full Installation of NFS3. Try to play without
the CD. *BOOM* error message. Note the text and caption.
Then disassemble nfs3.exe with W32Dasm. Click on the SDR Button
and search for our text. Text not found?
Then search for the caption of the window.
Possible StringData Ref from Data Obj ->"Need for Speed 3"
004B637A 683CFE5300 push 0053FE3C
004B637F 8B5485DC mov edx, dword ptr [ebp+4*eax-24]
004B6383 52 push edx
004B6384 6A00 push 00000000
Reference To: USER32.MessageBoxA, Ord:001Fh
004B6368 2EFF1564475300 call dword ptr cs:[00534764]
004B638D 31C0 xor eax, eax
004B638F E870990200 call 004DFD04
Reference by a (U)nconditional or (C)onditional Jump at Adress:
004B6362(C)
004B6394 E807FFFFFF call 004B62A0
004B6399 85C0 test eax, eax
004B639B 755A jne 004B63F7
004B639D 31D2 xor edx, edx
004B639F EB19 jmp 004B63BA
Reference by a (U)nconditional or (C)onditional Jump at Adress:
004B63C3(C)
004B63A1 88D0 mov al, dl
004B63A3 0441 add al, 41
004B63A5 8845F4 mov byte ptr [ebp-0C], al
004B63A8 8D45F4 lea eax, dword ptr [ebp-0C]
04B63AB E8809F0300 call 004F0330 <<-- cd check call
004B63B0 85C0 test eax, eax <<-- check
004B63B2 7543 jne 004B63F7 <<-- bad boy !!!
Reference by a (U)nconditional or (C)onditional Jump at Adress:
004B63C5(U)
004B63B4 42 inc edx
004B63B5 83FA1A cmp edx, 0000001A
004B63B8 7D0D jge 004B63C7
Reference by a (U)nconditional or (C)onditional Jump at Adress:
004B639F(U)
004B63BA 89DO mov eax, edx
004B63BC E84F300400 call 004F9410
004B63C1 85C0 test eax, eax
004B63C3 75DC jne 004B63A1
004B63C5 EBED jmp 004B63B4
Reference by a (U)nconditional or (C)onditional Jump at Adress:
004B63B8(C)
004B63C7 B906000000 mov ecx, 00000006
004B63CC 8D7DC4 lea edi, dword ptr [ebp-3C]
004B63CF BEAC564B00 mov esi, 004B56AC
004B63D4 6A30 push 00000030
004B63D6 A1503A7A00 mov eax, dword ptr [007A3A50]
004B63DB F3 repz
004B63DC A5 movsd
Possible StringData Ref from Data Obj ->"Need for Speed 3"
004B63DD 683CFE5300 push 0053FE3C
004B63E2 E84F300400 mov ecx, dword ptr [ebp+4*eax-3c]
004B63E6 85C0 push ecx
004B63E7 75DC push 00000000
Reference To: USER32.MessageBoxA, Ord:001Fh
004B63E9 2EFF1564475300 call dword ptr cs:[00534764]
004B63F0 31C0 xor eax, eax
004B63F2 E80D990200 call 004DFD04 <<-- fine ...
Reference by a (U)nconditional or (C)onditional Jump at Adress:
004B639B(C), :004B63B2(C)
004B63F7 89EC mov esp, ebp <<-- here we go if the cd is inside
004B63F9 5D pop ebp
004B63FA 5F pop edi
004B63FB 5E pop esi
004B63FC 5A pop edx
004B63FD 59 pop ecx
004B63FE 5B pop ebx
004B63FF C3 ret
2. Take a close look at all jumps.
mhmm, 004B63B2 7543 jne let's change the jne to jmp.
I think this should be no real problem for you...
Open the exe with hiew and change the 7543 to EB43.
(EB is for JMP).
The CD Check is beaten, but what's this shit?
Abort message:
openhandlea-OPEN FAILED ON D:\GameData\Audio\pc\show(x).map
(x is any number)
No prob, we copy this folder into our nfs3 folder. Copy the files
from the CD Folder GameData\Audio into your
local folder on your HD.
Then open insatll.win (it insiede the nfs3 dir) and change
the path's like this:
.\GameData\
.\GameData\Tracks\
.\GameData\Tracks\Tutor\
.\GameData\CarModel\
.\GameData\Render\pc\
.\GameData\DashHud\
.\GameData\Audio\pc\
.\GameData\Audio\SFX\
.\GameData\Audio\Speech\English\
.\GameData\Audio\Speech\German\
.\GameData\Audio\Speech\French\
.\GameData\Audio\Speech\Spanish\
.\GameData\Audio\Speech\Italian\
.\FeData\art\
.\FeData\text\
.\FeData\text\
.\FeData\save\
.\FeData\stats\
.\FeData\config\
.\FeData\audio\
.\FeData\Art\Slides\
.\FeData\Art\Track\
.\FeData\Art\Showcase\
.\FeData\movies\
.\FeData\stats\prh\
Save your work and try NFS3 without CD.
Congratulation! You have done it!
FINISH! Easy, or?
cu LW2000
Any comments? Mail me LW2000@gmx.net !!!
----
tKC, thx for your tutors!
I started with tutor 1 and i still read them... they are the best!