Free Information Xchange presents:
Centipede - CD crack by Static Vengeance - Nov 1st, 1998
REQUIREMENTS:
Full game install and hex editor
W32Dasm from RUSoft
Soft-ice (Win95) from NuMega
Hasbro has taken a classic arcade game and turned it into a 3D modern shooter/arcade game.
Actually Hasbro did take this timeless classic and made it better. Both the arcade and the adventure
portions of the game are much improved over the original concept. You can even play over the net, with
a modem, a direct connect or on a split screen. There is one bug Hasbro introduced with this newly upgraded
game. That bug is the need for the original CD to be in the drive when you want to play the game. This
bug must be FiX'ed so we can play any time without digging around for the CD. So get out your tools and
start up W32Dasm and disassemble centi.exe. Using the data string references, scroll down the pop-up box
and double click on "Error scanning directory. Is the ". This will put you in the middle of one part of
the CD check routine. That routine goes like this:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044D274(C) <-- Gets here via conditional jump
|
:0044D30E E8CD000900 call 004DD3E0
:0044D313 8B10 mov edx, dword ptr [eax]
:0044D315 89E0 mov eax, esp
:0044D317 E87452FBFF call 00402590
:0044D31C 84C0 test al, al
:0044D31E 0F8456FFFFFF je 0044D27A
* Possible StringData Ref from Data Obj ->"Error scanning directory. Is the " <-- Pop-up dialog and REF
->"proper CD in the drive?" <-- that got us here
|
:0044D324 687CD55100 push 0051D57C
:0044D329 E86241FCFF call 00411490
:0044D32E 83C404 add esp, 00000004
:0044D331 E944FFFFFF jmp 0044D27A <-- Jump back near sender
Not a lot of info here, so we'll take a look at the sender. You can see that Centipede gets
here by a conditional jump. Then, after it prints the pop-up dialog box, it sends you back near the
conditional jump that brought us here in the first place. Okay, checking out the code at 44D274:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044D27C(C) <-- Loop based on a conditional jump
|
:0044D269 89E0 mov eax, esp
:0044D26B E89C080900 call 004DDB0C <-- Need to make this call
:0044D270 89C7 mov edi, eax <-- Get the returned value into edi
:0044D272 85C0 test eax, eax
:0044D274 0F8494000000 je 0044D30E <-- eax = zero, then ask for the CD!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044D31E(C), :0044D331(U) <-- After asking for CD return here
|
:0044D27A 85FF test edi, edi
:0044D27C 74EB je 0044D269 <-- The conditional "loop" jump
:0044D27E 0F84C0000000 je 0044D344
:0044D284 31ED xor ebp, ebp <-- Getting here continues the game
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044D2DC(C), :0044D309(U)
|
:0044D286 89F8 mov eax, edi <-- Put returned value back into eax
:0044D288 E88F080900 call 004DDB1C <-- Continuing game code.
Well, after some checking, the call to 4DDB0C must be made. Eax has a vital returned value that
gets moved to edi. The value is temporarily stored in edi and then moved back into eax and used for
the call to 4DDB1C (made at 44D288). The question is how do we get the right value for a good CD check,
and then how do we get down to 44D286 with eax still containing the needed value. This is where Soft-ice
comes to our rescue! I set Soft-ice to break at 44D270, which is right after the call to 4DDB0C. Then
I put the original Centipede CD in the drive and ran the game. Soft-ice popped right up and showed eax
held the value of 00F638A8. That's the value we need to get things going. Now I changed the code to
load the right value and get us down to 44D286. The changes would look like this:
:0044D26B E89C080900 call 004DDB0C <-- Need to make this call
:0044D270 89C7 mov edi, eax <-- Get the returned value into edi
:0044D272 85C0 test eax, eax
:0044D274 B8A838F600 mov eax, 00F638A8 <-- The value from a good CD read
:0044D279 90 nop <-- Filler byte
:0044D27A 89C7 mov edi, eax <-- Get the returned value into edi
:0044D27C EB06 jmp 0044D284 <-- Jump down to the "continue" code
:0044D27E 0F84C0000000 je 0044D344
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044D27C(U)
|
:0044D284 31ED xor ebp, ebp <-- Getting here continues the game
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044D2DC(C), :0044D309(U)
|
:0044D286 89F8 mov eax, edi <-- Put returned value back into eax
:0044D288 E88F080900 call 004DDB1C <-- Continuing game code.
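Every branch in the listings above is a relative jump measured from the address of the next instruction, which is what decides where the original `EB06` and the final `90 E9 0A -- -- --` edit end up. The Python below is an added example (not code from Static Vengeance's tutorial or from the game): it decodes the four branch forms that occur in the listings and recomputes their targets from the raw bytes, so a listing line or a byte edit can be checked instead of trusted.

```python
# Added example (not part of the tutorial): recompute the targets of the
# relative branches shown in the W32Dasm listings from their raw bytes.
import struct

# Opcode -> (mnemonic, displacement size in bytes). Only the four forms that
# appear in the listings are handled: short/near jmp and short/near je.
BRANCH_FORMS = {
    b"\xEB": ("jmp", 1),
    b"\x74": ("je", 1),
    b"\xE9": ("jmp", 4),
    b"\x0F\x84": ("je", 4),
}

def branch_target(addr, code):
    """Decode the branch at virtual address `addr` whose bytes start `code`.

    Returns (mnemonic, instruction_length, target). x86 relative branches
    are measured from the *next* instruction, which is why the 6-byte
    `0F84 94000000` at 0044D274 reaches 0044D27A + 0x94 = 0044D30E.
    """
    for opcode, (mnemonic, disp_size) in BRANCH_FORMS.items():
        if code.startswith(opcode):
            fmt = "<b" if disp_size == 1 else "<i"   # signed rel8 / rel32
            rel = struct.unpack_from(fmt, code, len(opcode))[0]
            length = len(opcode) + disp_size
            return mnemonic, length, (addr + length + rel) & 0xFFFFFFFF
    raise ValueError("unsupported opcode at %08X: %s" % (addr, code.hex()))

def check_listing(entries):
    """Compare listing lines (addr, hex bytes, printed target) against the
    decoded target; return the entries whose printed target is wrong."""
    bad = []
    for addr, hexbytes, expected in entries:
        _, _, target = branch_target(addr, bytes.fromhex(hexbytes))
        if target != expected:
            bad.append((addr, hexbytes, expected, target))
    return bad

# Branches copied from the listings above. The last entry is the rel32 jmp
# that the final "90 E9 0A -- -- --" edit leaves at 0044D275, after the nop.
LISTING = [
    (0x0044D274, "0F8494000000", 0x0044D30E),
    (0x0044D331, "E944FFFFFF", 0x0044D27A),
    (0x0044D27C, "74EB", 0x0044D269),
    (0x0044D27E, "0F84C0000000", 0x0044D344),
    (0x0044D27C, "EB06", 0x0044D284),
    (0x0044D275, "E90A000000", 0x0044D284),
]

if __name__ == "__main__":
    print("mismatches:", check_listing(LISTING))   # prints: mismatches: []
```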
Alright, Centipede is cracked, right?? Well, not quite. Now when you run Centipede you still need
a CD in the CD-ROM drive. Any CD will work, but you still NEED one in the drive when you try to play
a game. So I looked and searched and looked and searched the code for CD access routines. I found
some calls through mss32.dll that call the _ail_redbook_xxxx functions (Status, trackinfo, play, pause, etc.),
but any changes made in those calls had no effect on Centipede's need for some CD to be online. Well,
if you keep trying and looking around, eventually (if it means enough to you) you will find the answer.
I checked the installed files in the Centipede game directory and found a file called fakecd.txt. I
opened the file and it contained the letter of my CD-ROM drive. Smack in the face comes the answer!
Getting back into W32Dasm, I checked for a REF, double clicked on it and found this:
* Referenced by a CALL at Addresses:
|:004378EF , :0044C870 , :0044C88C , :004B5B1F <-- Called by four routines
|
:004B6750 55 push ebp
:004B6751 83EC04 sub esp, 00000004
:004B6754 89C5 mov ebp, eax
:004B6756 8A253C5B6300 mov ah, byte ptr [00635B3C]
:004B675C 84E4 test ah, ah
:004B675E 740A je 004B676A <-- Take this jump for the "fakecd" routine
:004B6760 B8E05A6300 mov eax, 00635AE0
:004B6765 83C404 add esp, 00000004
:004B6768 5D pop ebp
:004B6769 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B675E(C) <-- Got here via above jump
|
:004B676A 57 push edi
:004B676B 56 push esi
:004B676C 52 push edx
:004B676D 51 push ecx
:004B676E B201 mov dl, 01
:004B6770 8825E05A6300 mov byte ptr [00635AE0], ah
* Possible StringData Ref from Data Obj ->"FAKECD" <-- String ref that got me here
|
:004B6776 B8805E5300 mov eax, 00535E80
:004B677B 88153C5B6300 mov byte ptr [00635B3C], dl
:004B6781 E80ACC0300 call 004F3390
:004B6786 85C0 test eax, eax
:004B6788 0F84CC000000 je 004B685A
:004B678E BFE05A6300 mov edi, 00635AE0
:004B6793 89C6 mov esi, eax
:004B6795 57 push edi
-- SNIP uninformative code, but checking other REFs and looking for the exit section --
:004B67F6 5F pop edi
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B67C1(C), :004B67C5(C), :004B67C9(C)
|
:004B67F7 68E05A6300 push 00635AE0
* Possible StringData Ref from Data Obj ->"fakecd env path=%s" <-- Still doing the fakecd thing
|
:004B67FC 68895E5300 push 00535E89
:004B6801 E83AB0F4FF call 00401840
:004B6806 83C408 add esp, 00000008
-- SNIP more code --
:004B6839 5F pop edi
:004B683A 68E05A6300 push 00635AE0
* Possible StringData Ref from Data Obj ->"gtecdpath ret = %s" <-- Still doing the fakecd stuff!
|
:004B683F 68BE5E5300 push 00535EBE
:004B6844 E8F7AFF4FF call 00401840
:004B6849 B8E05A6300 mov eax, 00635AE0
:004B684E 83C408 add esp, 00000008
:004B6851 59 pop ecx
:004B6852 5A pop edx
:004B6853 5E pop esi
:004B6854 5F pop edi
:004B6855 83C404 add esp, 00000004
:004B6858 5D pop ebp
:004B6859 C3 ret <-- Finally the exit
Now, the interesting part is the section of code that actually reads the text file: there are no
direct jumps or references to this section. The first reference to it is a conditional jump further down in the
code itself. So I just left fakecd.txt in the directory.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6788(C)
|
* Possible StringData Ref from Data Obj ->"r" <-- Get ready to read the file
|
:004B685A BA9C5E5300 mov edx, 00535E9C
* Possible StringData Ref from Data Obj ->"fakecd.txt" <-- The file with your CD-rom letter
|
:004B685F B89E5E5300 mov eax, 00535E9E
:004B6864 E80FB0F5FF call 00411878
:004B6869 89442410 mov dword ptr [esp+10], eax
:004B686D 85C0 test eax, eax
:004B686F 7498 je 004B6809
:004B6871 53 push ebx
:004B6872 BA50000000 mov edx, 00000050
:004B6877 89C3 mov ebx, eax
:004B6879 B8E05A6300 mov eax, 00635AE0
:004B687E BEE05A6300 mov esi, 00635AE0
:004B6883 E808B1F5FF call 00411990
:004B6888 B20A mov dl, 0A
-- SNIP uninformative code --
:004B68F5 5F pop edi
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B68C0(C), :004B68C4(C), :004B68C8(C)
|
:004B68F6 68E05A6300 push 00635AE0
* Possible StringData Ref from Data Obj ->"fakecd.txt path=%s"
|
:004B68FB 68AB5E5300 push 00535EAB
:004B6900 E83BAFF4FF call 00401840
:004B6905 83C408 add esp, 00000008
:004B6908 8B442414 mov eax, dword ptr [esp+14]
:004B690C E85FB1F5FF call 00411A70
:004B6911 5B pop ebx
:004B6912 E9F2FEFFFF jmp 004B6809
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B680B(C)
|
* Possible StringData Ref from Data Obj ->"data"
|
:004B6917 BEE0FD5400 mov esi, 0054FDE0
:004B691C BFE05A6300 mov edi, 00635AE0
:004B6921 E9F2FEFFFF jmp 004B6818
:004B6926 00000000000000000000 BYTE 10 DUP(0)
To continue with the tutorial, I put a "ret" as the first instruction (at 4B6750) just to see
if it would have any effect on the game's need for CD. To make a long story short, I got REAL lucky!
That additional edit killed the requirement for a CD to be online. Well I'll take being lucky on this one
and call this tutorial finished. The last thing I did was to check into killing some of the intro and
logo smk (smacker) movies. I have included those edits as well as the edits to FiX Centipede below.
After some testing I found out that my original patch will only function on my machine. So I
changed the first conditional jump to a jump (always) to the continue section. This forces Centipede to
continue loading no matter what the result of the CD check was. This new edit will work on all machines
as I have tested it out on several configurations and several different systems. The corrected patch is
listed below. To make a cracked copy of Centipede follow these instructions:
1. Do a full/max install of the game
2. Make the following edits:
Edit Centi.exe
================================================
Search for: 0F 84 94 00 00 00 at offset 312,948
Change to : 90 E9 0A -- -- --
Search for: 55 83 EC 04 89 C5 at offset 744,272
Change to : C3 -- -- -- -- --
Optional: Kill intro .SMK movies
Search for: 0F 84 C3 05 00 00 at offset 4,890
Change to : -- -- 00 00 -- --
Search for: 0F 84 49 03 00 00 at offset 19,715
Change to : -- -- 00 00 -- --
3. Delete hasbro, intro, llslogo, mondo and opening ".smk" files if you
made the kill intro patch. This saves ~62 megs of h/d space.
Another tutorial comes to an end and another game has been FiX'ed!
Static Vengeance - FiX