Free Information Xchange presents:
RE-Loaded Win95/PowerVR patch - CD crack by Static Vengeance - Oct 13th, 1998
Requirements:
Hex editor and full install
W32Dasm if you want to follow along
RE-Loaded was originally a DOS "3D" top down shooter. I didn't really consider looking into this
game until I saw Gremlin had a PowerVR (also Win95) patch for it. Having a PowerVR card I thought it might
be worth trying this game for the updated graphics. Well, the graphics were not that great and the game
turns into a mindless shooter. Anyways, there is the ever present copy protection that needs to be FiX'ed, so
I set out to crack RE-Loaded.
Load up W32Dasm and disassemble reloaded.exe. Looking around at the different string refs that the game
uses I found "Please ensure your RELOADED CD " and "Copy Protection". Double clicking on these put me in the
middle of several CD checks. Looking around in the code I found it was easy to text string search for
"copy pro": I found 8 different sections that will print the Win95 pop-up box telling me I needed to
have the CD in the CD-ROM drive. After following some routines you'll see a call to 004AB2F6 comes up right
before the conditional jumps that lead to the "Please ensure your RELOADED CD..." box. If you
check the code at 4AB2F6 you'll see it checks the file's attributes via a KERNEL32.GetFileAttributesA call.
With the back ground info out of the way, let's check out the actual code in RE-Loaded:
-- Program code --
:00478176 57 push edi
* Possible StringData Ref from Data Obj ->"%s\GDVS\GREMLIN.GDV" <-- File to load in
|
:00478177 68E82F4D00 push 004D2FE8
:0047817C 8D442408 lea eax, dword ptr [esp+08]
:00478180 50 push eax
:00478181 E8D11F0300 call 004AA157
:00478186 8B2DA8FF9000 mov ebp, dword ptr [0090FFA8]
:0047818C 83C40C add esp, 0000000C
:0047818F 85ED test ebp, ebp
:00478191 754F jne 004781E2
:00478193 89E0 mov eax, esp
:00478195 31D2 xor edx, edx
:00478197 E85A310300 call 004AB2F6 <-- Check file attributes
:0047819C 85C0 test eax, eax
:0047819E 7442 je 004781E2 <-- Take this jump to continue
:004781A0 A1ACFF9000 mov eax, dword ptr [0090FFAC]
:004781A5 50 push eax
* Possible StringData Ref from Data Obj ->"Please ensure your RELOADED CD " <-- What got us here and why
->"is in drive %s whilst playing " <-- I wrote this tutorial
->"the game"
|
:004781A6 68FC2F4D00 push 004D2FFC
:004781AB 8D842408040000 lea eax, dword ptr [esp+00000408]
:004781B2 50 push eax
:004781B3 E89F1F0300 call 004AA157
:004781B8 83C40C add esp, 0000000C
:004781BB 8D942400040000 lea edx, dword ptr [esp+00000400]
* Possible StringData Ref from Data Obj ->"Copy Protection" <-- Text string to search for
|
:004781C2 B843304D00 mov eax, 004D3043
:004781C7 E80C260300 call 004AA7D8
:004781CC E86B6E0300 call 004AF03C
:004781D1 E846A0FFFF call 0047221C
:004781D6 E8811CFAFF call 00419E5C
:004781DB 31C0 xor eax, eax
:004781DD E8B4310300 call 004AB396
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00478191(C), :0047819E(C) <-- Getting here continues with game
|
:004781E2 BA01000000 mov edx, 00000001
:004781E7 B8C8004001 mov eax, 014000C8
:004781EC E8DF29FFFF call 0046ABD0
:004781F1 98 cwde
:004781F2 83F8FF cmp eax, FFFFFFFF
:004781F5 750C jne 00478203
:004781F7 B8C8004001 mov eax, 014000C8
:004781FC 31D2 xor edx, edx
-- Continuing program code --
That was the first CD check and it's slightly different than all the rest. To bypass this one
change the call 004AB2F6 at 478197 to mov eax, 00000000. The following test eax, eax then sets the zero
flag, which means the je that follows is always taken. That is what lets us continue past this check.
If you keep searching for the "Copy Protection" string you'll find more signs of the copy protection. The
rest of the checks follow this format:
-- Program code --
:00478A47 25FF000000 and eax, 000000FF
:00478A4C 2EFF248560804700 jmp dword ptr cs:[4*eax+00478060]
:00478A54 8B0DACFF9000 mov ecx, dword ptr [0090FFAC]
:00478A5A 51 push ecx
* Possible StringData Ref from Data Obj ->"%s\GDVS\MAGPIE.GDV" <-- After loading file in
|
:00478A5B 684A314D00 push 004D314A
:00478A60 8D442408 lea eax, dword ptr [esp+08]
:00478A64 50 push eax
:00478A65 E8ED160300 call 004AA157
:00478A6A 83C40C add esp, 0000000C
:00478A6D 89DA mov edx, ebx
:00478A6F 89E0 mov eax, esp
:00478A71 E880280300 call 004AB2F6 <-- Check file attributes
:00478A76 85C0 test eax, eax
:00478A78 7526 jne 00478AA0 <-- We'll modify this jump
:00478A7A 89E0 mov eax, esp
:00478A7C 89EA mov edx, ebp
:00478A7E E873280300 call 004AB2F6
:00478A83 85C0 test eax, eax
:00478A85 7419 je 00478AA0
:00478A87 A1ACFF9000 mov eax, dword ptr [0090FFAC]
:00478A8C 8A00 mov al, byte ptr [eax]
:00478A8E 25FF000000 and eax, 000000FF
:00478A93 E85C600100 call 0048EAF4
:00478A98 85C0 test eax, eax
:00478A9A 0F8557000000 jne 00478AF7 <-- We'll exit through this jump!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00478A78(C), :00478A85(C)
|
:00478AA0 3A1D88FF9000 cmp bl, byte ptr [0090FF88]
:00478AA6 750C jne 00478AB4
:00478AA8 3B1DA8FF9000 cmp ebx, dword ptr [0090FFA8]
:00478AAE 0F8543000000 jne 00478AF7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00478AA6(C)
|
:00478AB4 8B15ACFF9000 mov edx, dword ptr [0090FFAC]
:00478ABA 52 push edx
* Possible StringData Ref from Data Obj ->"Please ensure your RELOADED CD " <-- What can you say about this?
->"is in drive %s whilst playing "
->"the game"
|
:00478ABB 685D314D00 push 004D315D
:00478AC0 8D842408070000 lea eax, dword ptr [esp+00000708]
:00478AC7 50 push eax
:00478AC8 E88A160300 call 004AA157
:00478ACD 83C40C add esp, 0000000C
:00478AD0 8D942400070000 lea edx, dword ptr [esp+00000700]
* Possible StringData Ref from Data Obj ->"Copy Protection" <-- As blatant as you can get
|
:00478AD7 B8A4314D00 mov eax, 004D31A4
:00478ADC E8F71C0300 call 004AA7D8
:00478AE1 E856650300 call 004AF03C
:00478AE6 E83197FFFF call 0047221C
:00478AEB E86C13FAFF call 00419E5C
-- Continuing program code --
There are 7 sections of code similar to this. I decided I would overwrite the call 004AB2F6 with
mov eax, 00000001; the following test eax, eax then clears the zero flag (not equal).
Now we come down to the conditional jump at 478A78. I changed this jne to an unconditional short jump (EB 20)
down to the jne at 478A9A, which exits through 478AF7. This will let RE-Loaded continue playing. This same
type of edit will work with each of the remaining 6 checks. To crack RE-Loaded follow these steps:
1. Do a maximum DOS install
2. Download and install the Win95/PowerVR patch
3. Make the following edits:
Edit reloaded.exe
=========================================================
Search for: E8 5A 31 03 00 at offset 427,415
Change to : B8 00 00 00 00
Search for: E8 80 28 03 00 85 C0 75 26 at offset 429,681
Change to : B8 01 00 00 00 -- -- EB 20
Search for: E8 A5 25 03 00 85 C0 75 26 at offset 430,412
Change to : B8 01 00 00 00 -- -- EB 20
Search for: E8 FD 24 03 00 85 C0 75 26 at offset 430,580
Change to : B8 01 00 00 00 -- -- EB 20
Search for: E8 55 24 03 00 85 C0 75 26 at offset 430,748
Change to : B8 01 00 00 00 -- -- EB 20
Search for: E8 AD 23 03 00 85 C0 75 26 at offset 430,916
Change to : B8 01 00 00 00 -- -- EB 20
Search for: E8 05 23 03 00 85 C0 75 26 at offset 431,084
Change to : B8 01 00 00 00 -- -- EB 20
Search for: E8 5D 22 03 00 85 C0 75 26 at offset 431,252
Change to : B8 01 00 00 00 -- -- EB 20
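As an added example (not part of the original tutorial), here is the arithmetic behind the listing above: how a 5-byte E8 rel32 at 478197 resolves to the 004AB2F6 target W32Dasm prints, how a 2-byte short jne resolves, and how the EB 20 displacement is derived from the address pair 478A78 -> 478A9A. Recomputing branch targets from the raw bytes is the same check an analyst does when confirming a disassembly or checking whether a branch in a binary has been altered. The address/byte tables are constructed from the listing on this page; all function names are my own.

```python
import struct

# Constructed from the listing above: (instruction VA, opcode bytes, target W32Dasm printed)
CALLS = [
    (0x00478197, "E85A310300", 0x004AB2F6),  # call 004AB2F6 before the first CD check
    (0x00478A71, "E880280300", 0x004AB2F6),  # the same routine called from the second check
    (0x004781D1, "E846A0FFFF", 0x0047221C),  # backward call: rel32 is negative
]
JUMPS = [
    (0x0047819E, "7442", 0x004781E2),  # je 004781E2
    (0x00478A78, "7526", 0x00478AA0),  # jne 00478AA0
]

def call_target(va, code):
    """Target of an E8 rel32 near call at VA va; rel32 is signed and relative to the next instruction."""
    if len(code) != 5 or code[0] != 0xE8:
        raise ValueError("not a 5-byte E8 call")
    rel32 = struct.unpack("<i", code[1:5])[0]
    return (va + 5 + rel32) & 0xFFFFFFFF

def short_branch_target(va, code):
    """Target of a 2-byte short jmp (EB) or Jcc (70..7F); rel8 is signed, relative to the next instruction."""
    if len(code) != 2 or not (code[0] == 0xEB or 0x70 <= code[0] <= 0x7F):
        raise ValueError("not a 2-byte short branch")
    rel8 = struct.unpack("<b", code[1:2])[0]
    return (va + 2 + rel8) & 0xFFFFFFFF

def short_jmp_encoding(va, target):
    """EB rel8 bytes for an unconditional short jump from va to target, or None if rel8 cannot reach it."""
    rel = target - (va + 2)
    if not -128 <= rel <= 127:
        return None
    return bytes([0xEB]) + struct.pack("<b", rel)

def check_listing():
    """Recompute every target in the constructed tables; returns the VAs that disagree (empty = consistent)."""
    bad = []
    for va, hexbytes, expect in CALLS:
        if call_target(va, bytes.fromhex(hexbytes)) != expect:
            bad.append(va)
    for va, hexbytes, expect in JUMPS:
        if short_branch_target(va, bytes.fromhex(hexbytes)) != expect:
            bad.append(va)
    return bad

if __name__ == "__main__":
    # the tutorial's EB 20: a short jump from the jne at 478A78 landing on the jne at 478A9A
    print(check_listing(), short_jmp_encoding(0x00478A78, 0x00478A9A).hex().upper())
```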
There you go, RE-Loaded has been FiX'ed and freed of the need for the CD to be on line at all times!
Static Vengeance - FiX