Free Information Xchange '98 presents:
Mastermind - CD crack by Static Vengeance - Sep 11, 1998
Requirements:
Hex editor and full game install
W32Dasm if you wish to follow along
Mastermind is the computerized version of the thinking game by the same name. It has a
classic version and a few variations to keep your interest. However, even with a complete install you will
still need to have the CD in the drive to play the game. So Mastermind has another game for us to play:
the game of producing a working version of Mastermind that runs without the original CD in the CD-ROM
drive. The tools needed to play this game are a good Win95 disassembler and a hex editor. The programs
I chose to use are W32Dasm by URSoft and HEdit. To start, disassemble the mastmind.exe program file.
Once done, go up to the menu bar and select Refs, then select String Data References. When the refs
pop-up box appears, grab the slider bar and scroll down looking for references to C:\ or a path name
on the CD or some other interesting item. Eventually you will find a ref to "\MASTMIND.EXE". Double click on
this and you will be put in the middle of this routine:
* Referenced by a CALL at Addresses:
|:004033BB , :00403A23 , :004040E5 , :0040632C , :00406FC6 <-- Called 15 times!!
|:0040AC63 , :0040B833 , :0040EBBC , :0040F8E6 , :004142C1
|:00414977 , :00416218 , :00416C8F , :004195E3 , :0041A5F7
|
:00401FA0 68B8A54400 push 0044A5B8
* Reference To: KERNEL32.SetCurrentDirectoryA, Ord:01EBh <-- Set directory call
|
:00401FA5 FF1574634B00 Call dword ptr [004B6374]
:00401FAB 85C0 test eax, eax
:00401FAD 7503 jne 00401FB2 <-- Jump down to find the game exe
:00401FAF 33C0 xor eax, eax
:00401FB1 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FAD(C)
|
* Possible StringData Ref from Data Obj ->"\MASTMIND.EXE" <-- Looking for the game exe
|
:00401FB2 68B0764300 push 004376B0
:00401FB7 E884870200 call 0042A740
:00401FBC 83C404 add esp, 00000004
:00401FBF C3 ret
Fifteen routines to check out! Well, let's get started and check out all the routines to see
which, if any, will need to be patched to bypass the CD check. Starting with the first one on the list,
we will look at the code surrounding 4033BB:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040336A(C)
|
* Possible StringData Ref from Data Obj ->"MSWHEEL_ROLLMSG"
|
:0040338D 6844784300 push 00437844
* Reference To: USER32.RegisterWindowMessageA, Ord:01B6h
|
:00403392 FF15DC634B00 Call dword ptr [004B63DC]
:00403398 A330704300 mov dword ptr [00437030], eax
:0040339D E8FEEAFFFF call 00401EA0
:004033A2 E879EBFFFF call 00401F20
:004033A7 E8C4DEFFFF call 00401270
:004033AC 803D4470430000 cmp byte ptr [00437044], 00
:004033B3 7443 je 004033F8
* Reference To: USER32.MessageBoxA, Ord:0188h <-- Standard Win95 pop up call
|
:004033B5 8B350C644B00 mov esi, dword ptr [004B640C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004033F6(C)
|
:004033BB E8E0EBFFFF call 00401FA0
:004033C0 8BF8 mov edi, eax
:004033C2 85FF test edi, edi
:004033C4 7532 jne 004033F8
:004033C6 0FBE0548704300 movsx eax, byte ptr [00437048]
:004033CD 6A01 push 00000001
:004033CF 8BC8 mov ecx, eax
* Possible StringData Ref from Data Obj ->"Mastermind"
|
:004033D1 6854784300 push 00437854
:004033D6 8D1480 lea edx, dword ptr [eax+4*eax]
:004033D9 8D0491 lea eax, dword ptr [ecx+4*edx]
:004033DC 8D0C81 lea ecx, dword ptr [ecx+4*eax]
:004033DF A15C704300 mov eax, dword ptr [0043705C]
:004033E4 8B148D68374400 mov edx, dword ptr [4*ecx+00443768]
:004033EB 52 push edx
:004033EC 50 push eax
:004033ED FFD6 call esi <-- Do the USER32.MessageBoxA call
:004033EF 83F802 cmp eax, 00000002 <-- 02 means you hit cancel
:004033F2 7416 je 0040340A
:004033F4 85FF test edi, edi
:004033F6 74C3 je 004033BB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004033B3(C), :004033C4(C)
|
:004033F8 E893E3FFFF call 00401790
:004033FD 85C0 test eax, eax
:004033FF 7512 jne 00403413
:00403401 33C0 xor eax, eax
:00403403 5D pop ebp
:00403404 5F pop edi
:00403405 5E pop esi
:00403406 5B pop ebx
:00403407 C21000 ret 0010 <-- Return to the caller
After some checking (starting Mastermind and trying to play a game) I discovered that this
routine is used during partial game installs to ask for the CD with a normal Win95 pop-up dialog box.
This is easy to see, as there are different types of graphical requests for the CD. Now there are only
fourteen more routines to check into. At this point I decided I would make my patch at 401FAB. This
produced a playable version of Mastermind; however, after playing the game for some time it hung
my system. So some of the calls are needed for the proper function of the game while others are used
solely for the CD check. So it's back to checking each of the routines to determine which ones
need to be disabled. Next in line, the code at 403A23:
-- Program code --
:00403A16 6878704300 push 00437078
:00403A1B E8A0E1FFFF call 00401BC0
:00403A20 83C404 add esp, 00000004
:00403A23 E878E5FFFF call 00401FA0 <-- Check for mastmind.exe
:00403A28 A360724300 mov dword ptr [00437260], eax <-- Store returned value in flag
:00403A2D 85C0 test eax, eax <-- 01 in eax is good CD check
:00403A2F 7428 je 00403A59
:00403A31 E8CAE10200 call 00431C00
:00403A36 8BD8 mov ebx, eax
:00403A38 E8C3E10200 call 00431C00
:00403A3D 80E303 and bl, 03
:00403A40 2401 and al, 01
:00403A42 02D8 add bl, al
:00403A44 E8B7E10200 call 00431C00
:00403A49 2401 and al, 01
:00403A4B 02D8 add bl, al
:00403A4D 80C305 add bl, 05
:00403A50 53 push ebx
:00403A51 E82A6D0200 call 0042A780
:00403A56 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A2F(C)
|
:00403A59 C705C0AA440001000000 mov dword ptr [0044AAC0], 00000001
:00403A63 33DB xor ebx, ebx
:00403A65 881DA0A34400 mov byte ptr [0044A3A0], bl
:00403A6B 385C2413 cmp byte ptr [esp+13], bl
:00403A6F 0F8E8A010000 jle 00403BFF
* Reference To: KERNEL32.ExitProcess, Ord:0062h <-- This reference caught my attention
|
:00403A75 8B3D6C634B00 mov edi, dword ptr [004B636C]
* Reference To: KERNEL32.GetTickCount, Ord:0130h
|
:00403A7B 8B3544634B00 mov esi, dword ptr [004B6344]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403BF9(C)
|
:00403A81 C7057472430001000000 mov dword ptr [00437274], 00000001
:00403A8B E8B0040000 call 00403F40
:00403A90 FFD6 call esi
:00403A92 A38CAB4400 mov dword ptr [0044AB8C], eax
-- Continuing program code --
I changed the call to mov eax, 00000001 and tried to run the game. The classic version of the
game worked! No more asking for the game CD to play Mastermind. So now I went to try another version
of the game. This time Mastermind asked for the game CD. As it turns out, each part of the game has
its own routine to ask for the CD. To make a LONG story short, it turns out that every other
call in the list is a CD check. Almost all of them are very similar to the code above, so as I was checking
the possible sections responsible for the CD check I started seeing the pattern. You will need to change each
call in the different CD checks to mov eax, 00000001. Once again, a bit more involved but still worth
the effort: if not for the cracked version to play, then at least for what I learned in the process
about how to defeat CD checks.
The next thing I wanted to do was to kill the intro video. This will save 12 megs for some
other game. I needed to look for a ref to the video file. I found this: "ANIMS\HASBRO12.FLC". I
double clicked on it and W32Dasm put me in this section of Mastermind:
-- Program code --
* Reference To: USER32.GetCursorPos, Ord:00E5h
|
:004034DE FF1594634B00 Call dword ptr [004B6394]
:004034E4 E837E0FFFF call 00401520
:004034E9 E832050200 call 00423A20
:004034EE E86DDFFFFF call 00401460
:004034F3 833D6465440000 cmp dword ptr [00446564], 00000000 <-- This location must = zero
:004034FA 7407 je 00403503 <-- We'll make use of this jump
:004034FC E85FB20200 call 0042E760
:00403501 EB20 jmp 00403523
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004034FA(C)
|
:00403503 6A40 push 00000040
:00403505 6A06 push 00000006
* Possible StringData Ref from Data Obj ->"ANIMS\HASBRO12.FLC" <-- Video file to play
|
:00403507 6860784300 push 00437860
:0040350C E8CF5E0200 call 004293E0
:00403511 83C40C add esp, 0000000C
:00403514 685E010000 push 0000015E
:00403519 6A79 push 00000079
:0040351B E8600A0200 call 00423F80
:00403520 83C408 add esp, 00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403501(U)
|
:00403523 833D6465440000 cmp dword ptr [00446564], 00000000 <-- Needs to be zero
* Reference To: KERNEL32.ExitProcess, Ord:0062h <-- Or else it quits
|
:0040352A 8B2D6C634B00 mov ebp, dword ptr [004B636C]
:00403530 7409 je 0040353B
:00403532 C6056CC743000B mov byte ptr [0043C76C], 0B <-- We want this flag = zero
:00403539 EB07 jmp 00403542
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403530(C), :00403929(C)
|
:0040353B C6056CC7430000 mov byte ptr [0043C76C], 00 <-- Need to get here
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403539(U)
|
:00403542 E8B9A70100 call 0041DD00
:00403547 85C0 test eax, eax
:00403549 0F84A5030000 je 004038F4
:0040354F 0FBE058CC84400 movsx eax, byte ptr [0044C88C]
:00403556 48 dec eax
-- More program code --
From here I changed the cmp dword ptr [00446564], 00000000 at 004034F3 to mov byte ptr
[00446564], 00, and the conditional jump that follows it to an unconditional jump to 0040352A. That gets us
down to 40352A. From there we also need to change the conditional jump at 00403530 into an unconditional
jump. This lets Mastermind skip playing the intro but continue as though it had.
Anyway, to crack Mastermind and have a playable version on your hard drive you will need
to follow these instructions:
1. Do a full game install
2. Make the following patches to the game file
For version 5.3d off the CD edit Mastmind.exe
=============================================
Search for: E8 78 E5 FF FF at offset 11,811
Change to : B8 01 00 00 00
Search for: E8 6F BC FF FF at offset 22,316
Change to : B8 01 00 00 00
Search for: E8 38 73 FF FF at offset 41,059
Change to : B8 01 00 00 00
Search for: E8 DF 33 FF FF at offset 57,276
Change to : B8 01 00 00 00
Search for: E8 DA DC FE FF at offset 79,553
Change to : B8 01 00 00 00
Search for: E8 83 BD FE FF at offset 87,576
Change to : B8 01 00 00 00
Search for: E8 B8 89 FE FF at offset 100,835
Change to : B8 01 00 00 00
-- Optional: Kill Hasbro intro FLC movie --
Search for: 83 3D 64 65 at offset 10,483
Change to : C6 05 -- --
Search for: 74 07 E8 5F at offset 10,490
Change to : EB 2E -- --
Search for: 74 09 C6 05 at offset 10,544
Change to : EB -- -- --
For version 7.3 off the net edit Mastmind.exe
=============================================
Search for: E8 18 E5 FF FF at offset 12,115
Change to : B8 01 00 00 00
Search for: E8 7F BB FF FF at offset 22,764
Change to : B8 01 00 00 00
Search for: E8 28 71 FF FF at offset 41,795
Change to : B8 01 00 00 00
Search for: E8 EF 30 FF FF at offset 58,236
Change to : B8 01 00 00 00
Search for: E8 CA D8 FE FF at offset 80,801
Change to : B8 01 00 00 00
Search for: E8 23 B9 FE FF at offset 88,904
Change to : B8 01 00 00 00
Search for: E8 98 83 FE FF at offset 102,611
Change to : B8 01 00 00 00
-- Optional: Kill Hasbro intro FLC movie --
Search for: 83 3D BF 02 at offset 10,790
Change to : C6 05 -- --
Search for: 74 07 E8 at offset 10,797
Change to : EB 2E --
Search for: 74 13 C6 05 at offset 10,851
Change to : EB -- -- --
3. Delete Hasbro12.flc ONLY if you apply the kill-intro patch
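Before applying a byte patch like the lists above, it is worth checking that each entry really targets what the text claims. The script below is an added example, not part of the original page: it decodes the E8 rel32 calls and the 74/EB rel8 jumps from the version 5.3d list and confirms that every CD-check entry resolves to the routine at 00401FA0 and that the intro jumps land at 0040352A and 0040353B. The section layout (image base 0x400000, .text at RVA 0x1000 backed by raw offset 0x400) is an assumption, not something the page states, chosen because it makes the listed offsets line up with the W32Dasm addresses.

```python
import struct

# Constructed from the page's version 5.3d patch list: (file offset, original bytes).
CD_CHECK_PATCHES = [
    (11811, bytes.fromhex("E878E5FFFF")), (22316, bytes.fromhex("E86FBCFFFF")),
    (41059, bytes.fromhex("E83873FFFF")), (57276, bytes.fromhex("E8DF33FFFF")),
    (79553, bytes.fromhex("E8DADCFEFF")), (87576, bytes.fromhex("E883BDFEFF")),
    (100835, bytes.fromhex("E8B889FEFF")),
]
REPLACEMENT = bytes.fromhex("B801000000")  # mov eax, 00000001: same 5-byte length as the call

# The 15 call sites W32Dasm lists for the directory/exe check routine at 00401FA0.
CALLERS = [0x4033BB, 0x403A23, 0x4040E5, 0x40632C, 0x406FC6,
           0x40AC63, 0x40B833, 0x40EBBC, 0x40F8E6, 0x4142C1,
           0x414977, 0x416218, 0x416C8F, 0x4195E3, 0x41A5F7]

# Assumed section layout (not stated on the page): image base 0x400000, .text at
# RVA 0x1000 backed by raw offset 0x400, the usual layout for Win32 EXEs of the time.
IMAGE_BASE, TEXT_RVA, TEXT_RAW = 0x400000, 0x1000, 0x400

def file_offset_to_va(off):
    """Map a raw file offset inside .text to its virtual address."""
    return IMAGE_BASE + TEXT_RVA + (off - TEXT_RAW)

def call_target(va, insn):
    """Decode a near CALL (E8 rel32): target = address after the call + signed rel32."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    rel = struct.unpack("<i", insn[1:])[0]
    return (va + 5 + rel) & 0xFFFFFFFF

def short_jump_target(va, insn):
    """Decode a 2-byte JE (74 rel8) or JMP (EB rel8): target = va + 2 + signed rel8."""
    if len(insn) != 2 or insn[0] not in (0x74, 0xEB):
        raise ValueError("not a 2-byte JE/JMP")
    rel = struct.unpack("<b", insn[1:2])[0]
    return (va + 2 + rel) & 0xFFFFFFFF

def resolve_cd_check_patches(patches=CD_CHECK_PATCHES):
    """Return [(call site VA, decoded call target)] for each patch entry."""
    out = []
    for off, orig in patches:
        va = file_offset_to_va(off)
        out.append((va, call_target(va, orig)))
    return out

if __name__ == "__main__":
    for site, target in resolve_cd_check_patches():
        print(f"{site:08X}: call {target:08X} -> replaced by mov eax, 1")
```

Every listed site should print a target of 00401FA0 and should be every second entry of the W32Dasm caller list, which is exactly the "every other call" pattern described above.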
Alright, another game has been added to the list of FiX'ed games.
Static Vengeance