Free Information Xchange presents:

Wipeout XL - CD crack by Static Vengeance - Dec 5th, 1998

Requirements:
Full game install and Hex editor
W32Dasm if you want to follow along

	WipeoutXL is an updated version of Wipeout2097, which is a futuristic racing game where you can
shoot opponents and collect power-ups.  This newer version has full support for Direct3D and PowerVR (sgl)
native version.  Not bad as far as futuristic racers go, I guess but there is one little problem that
bothers me.  This little "problem" is more of a program BUG.  The bug I'm speaking of is the need to have
the game CD in the CD-ROM drive when you play the game.  As you know, bugs like this can be patched.  So
get out W32Dasm and disassmble wipeout2.exe  From there just go up to the menu bar and select REFS then
data string refereneces from the drop down menu.  When the pop-up box apears, grab the slider bar and
scroll down until you see "Make sure Wipeout XL CD is in " double click this and you're right in the middle
of the CD check, which looks like this:

* Referenced by a CALL at Address:
|:0045EA1D                                                              <-- Called only once
|
:00430C3A 55                      push ebp
:00430C3B 8BEC                    mov ebp, esp
:00430C3D 83EC04                  sub esp, 00000004
:00430C40 53                      push ebx
:00430C41 56                      push esi
:00430C42 57                      push edi
:00430C43 E851FCFFFF              call 00430899                         <-- Check for CD through WINMM.dll calls

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430CA8(U)
|
:00430C48 0FBF05DCDC4800          movsx eax, word ptr [0048DCDC]
:00430C4F 83F801                  cmp eax, 00000001
:00430C52 0F8555000000            jne 00430CAD                          <-- Take this jump for CD found
:00430C58 C7057029490001000000    mov dword ptr [00492970], 00000001
:00430C62 6841200000              push 00002041

* Possible StringData Ref from Data Obj ->"Wipeout XL CD Validator"
                                  |
:00430C67 688CF74800              push 0048F78C

* Possible StringData Ref from Data Obj ->"Make sure Wipeout XL CD is in "  <-- What brought us here
                                        ->"the CD drive."
                                  |
:00430C6C 68A4F74800              push 0048F7A4
:00430C71 A13C244A00              mov eax, dword ptr [004A243C]
:00430C76 50                      push eax

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00430C77 FF15F814BD00            Call dword ptr [00BD14F8]
:00430C7D 8945FC                  mov dword ptr [ebp-04], eax
:00430C80 C7057029490000000000    mov dword ptr [00492970], 00000000
:00430C8A 837DFC01                cmp dword ptr [ebp-04], 00000001
:00430C8E 0F850A000000            jne 00430C9E                           <-- Take this jump for "retry"
:00430C94 E800FCFFFF              call 00430899                          <-- Check for CD again
:00430C99 E90A000000              jmp 00430CA8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430C8E(C)
|
:00430C9E 6AFF                    push FFFFFFFF
:00430CA0 E87B390400              call 00474620
:00430CA5 83C404                  add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430C99(U)
|
:00430CA8 E99BFFFFFF              jmp 00430C48

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430C52(C)                                                             <-- Getting here exits CD check
|
:00430CAD 684072A600              push 00A67240
:00430CB2 6A01                    push 00000001
:00430CB4 E88EF7FFFF              call 00430447
:00430CB9 83C408                  add esp, 00000008
:00430CBC A344C4A600              mov dword ptr [00A6C444], eax
:00430CC1 5F                      pop edi
:00430CC2 5E                      pop esi
:00430CC3 5B                      pop ebx
:00430CC4 C9                      leave
:00430CC5 C3                      ret

	A small self enclosed routine.  This routine doesn't return any special pass/fail value.  The calls
to 430899 check for the CD and check for specific track information.  A brief look at this code and you'll
see whats going on.  I cut out most of the code but will show you the general flow of the code.  Here, it's
not the important you understand each instruction but "read" the general flow:

* Referenced by a CALL at Addresses:
|:00430C43   , :00430C94                   <-- Called twice from above
|
:00430899 55                      push ebp
:0043089A 8BEC                    mov ebp, esp
:0043089C 81EC70020000            sub esp, 00000270
:004308A2 53                      push ebx
:004308A3 56                      push esi

 -- SNIP non essential code --

:00430966 680D080000              push 0000080D
:0043096B A1FCE29100              mov eax, dword ptr [0091E2FC]
:00430970 50                      push eax

* Reference To: WINMM.mciSendCommandA, Ord:0032h                 <-- Check for CD using WINMM.dll calls
                                  |
:00430971 FF152C15BD00            Call dword ptr [00BD152C]
:00430977 898590FDFFFF            mov dword ptr [ebp+FFFFFD90], eax
:0043097D 83BD90FDFFFF00          cmp dword ptr [ebp+FFFFFD90], 00000000
:00430984 0F8433000000            je 004309BD
:0043098A 66C705DCDC48000100      mov word ptr [0048DCDC], 0001
:00430993 6A00                    push 00000000
:00430995 6A00                    push 00000000
:00430997 6804080000              push 00000804
:0043099C A1FCE29100              mov eax, dword ptr [0091E2FC]
:004309A1 50                      push eax

* Reference To: WINMM.mciSendCommandA, Ord:0032h
                                  |
:004309A2 FF152C15BD00            Call dword ptr [00BD152C]
:004309A8 81BD90FDFFFF01010000    cmp dword ptr [ebp+FFFFFD90], 00000101
:004309B2 0F8505000000            jne 004309BD
:004309B8 E8F3F9FFFF              call 004303B0

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00430984(C), :004309B2(C)
|
:004309BD C745F803000000          mov [ebp-08], 00000003
:004309C4 8D45F0                  lea eax, dword ptr [ebp-10]
:004309C7 50                      push eax
:004309C8 6800010000              push 00000100
:004309CD 6814080000              push 00000814
:004309D2 A1FCE29100              mov eax, dword ptr [0091E2FC]
:004309D7 50                      push eax

* Reference To: WINMM.mciSendCommandA, Ord:0032h
                                  |
:004309D8 FF152C15BD00            Call dword ptr [00BD152C]
:004309DE 898590FDFFFF            mov dword ptr [ebp+FFFFFD90], eax

 -- SNIP non essential code --

:00430A4D 6810010000              push 00000110
:00430A52 6814080000              push 00000814
:00430A57 A1FCE29100              mov eax, dword ptr [0091E2FC]
:00430A5C 50                      push eax

* Reference To: WINMM.mciSendCommandA, Ord:0032h                    <-- More WINMM calls
                                  |
:00430A5D FF152C15BD00            Call dword ptr [00BD152C]
:00430A63 898590FDFFFF            mov dword ptr [ebp+FFFFFD90], eax
:00430A69 83BD90FDFFFF00          cmp dword ptr [ebp+FFFFFD90], 00000000
:00430A70 0F840E000000            je 00430A84

 -- SNIP non essential code --

:00430AA0 50                      push eax
:00430AA1 8B8598FDFFFF            mov eax, dword ptr [ebp+FFFFFD98]
:00430AA7 50                      push eax

* Possible StringData Ref from Data Obj ->"Track %2d - %02d:%02d:%02d"  <-- This cought my eye!
                                  |
:00430AA8 6870F74800              push 0048F770
:00430AAD 8D45AC                  lea eax, dword ptr [ebp-54]
:00430AB0 50                      push eax

* Reference To: USER32.wsprintfA, Ord:0262h
                                  |
:00430AB1 FF156014BD00            Call dword ptr [00BD1460]
:00430AB7 83C418                  add esp, 00000018
:00430ABA 8D45AC                  lea eax, dword ptr [ebp-54]
:00430ABD 50                      push eax
:00430ABE 8D859CFDFFFF            lea eax, dword ptr [ebp+FFFFFD9C]
:00430AC4 50                      push eax

* Reference To: KERNEL32.lstrcatA, Ord:028Dh                            <-- Compares string bytes
                                  |
:00430AC5 FF157413BD00            Call dword ptr [00BD1374]
:00430ACB 33C0                    xor eax, eax

 -- SNIP non essential code --

:00430C2E 33C0                    xor eax, eax
:00430C30 E900000000              jmp 00430C35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430C30(U)
|
:00430C35 5F                      pop edi               <-- The end of this routine!
:00430C36 5E                      pop esi
:00430C37 5B                      pop ebx
:00430C38 C9                      leave
:00430C39 C3                      ret

* Referenced by a CALL at Address:
|:0045EA1D                                              <-- Beginning of first code section I showed you
|
:00430C3A 55                      push ebp
:00430C3B 8BEC                    mov ebp, esp
:00430C3D 83EC04                  sub esp, 00000004

	So as long as you can get the general idea of what's going all you'll be fine.  I can tell that the
code is using the WINMM (Windows MultiMedia) dll to check for the CD.  I would say the line that says "Track
%2d - %02d:%02d:%02d" means the routine is checking for specific info on a certain CD track.  The you have the
string function calls shortly after that.  All this is saying is "look for track x @ time hour:min:sec" and
compare bytes against what we know should be there.  Hey, maybe I'm not 100% right, but I do know it IS a CD
check.  When looking at the first section of code I showed, you'll see that it doesn't return any value.  So
a quick look at the code surounding the caller is in order, just to be sure: 

  -- Program code --
:0045E9F1 8B0D3C244A00            mov ecx, dword ptr [004A243C]
:0045E9F7 51                      push ecx

* Reference To: USER32.UpdateWindow, Ord:024Fh
                                  |
:0045E9F8 FF15A814BD00            Call dword ptr [00BD14A8]
:0045E9FE C705E8E29100B0E29100    mov dword ptr [0091E2E8], 0091E2B0
:0045EA08 C605B6E2910001          mov byte ptr [0091E2B6], 01
:0045EA0F 53                      push ebx
:0045EA10 684072A600              push 00A67240
:0045EA15 E8A6A6FAFF              call 004090C0
:0045EA1A 83C408                  add esp, 00000008
:0045EA1D E81822FDFF              call 00430C3A              <-- Do the CD check, no special value returned
:0045EA22 68D0AB4B00              push 004BABD0
:0045EA27 E8640FFDFF              call 0042F990
  -- Continuing program code --

	To crack this one, just stop the call to CD check from being made.  The easiest way to do that is to
overwrite the call with mov eax, 00000001.  Same amount of bytes and it harmlessly loads eax with one.  Make
the patch to the exe file and you can race WipeoutXL without the CD in your CD rom drive!  The exact same
technique will work for the PowerVR version.  Both edits are listed below.  To make a cracked copy of this
one and run it from your hard drive follow these steps:

1.  Do a full game install
2.  Make the following patch by version:

For the D3D version edit wipeout2.exe
=============================================
Search for: E8 18 22 FD FF  at offset 384,541
Change to : B8 01 00 00 00

For the PowerVR version edit wipeout2.exe
=============================================
Search for: E8 48 BF 03 00  at offset  88,989
Change to : B8 01 00 00 00

3.  Enjoy the game without the need for the CD!

	Yet another minor programming bug has been FiX'ed

Static Vengeance - FiX

       Free Information Xchange  -=|=-  Share the Knowledge!

   Date: [ 12/05/98 ]       CD crack and tutorial by Static Vengeance ]
Program: [ WipeoutXL D3D & PowerVR versions from Psygnosis Limited    ]
    URL: [ No known patch or upgrade                                  ]
Comment: [ WipotD3D.com = Direct3D / WipotPVR.com = PowerVR           ]
Protect: [ Read the tutorial for complete information                 ]
Contact: [ [email protected]                             ]

   http://www.crackstore.com   Simply the best for game cracks!

 Greets: [ shadowRUNNER  esoteric  TonyTOP  Zor                       ]

   Lame: [ Hall of Lame Members - "crackers" who have stolen my work:

    Smakker : MK4 patch1
The GODLike : MK4
        BCX : MK4 patch1
      Gonzo : VR Powerboat Racing

Credit where credit is due lamers, otherwise crack it yourself!

FiX Tutorials:
Addiction Pinball
Balls of Steel v1.0 - v1.2
Battle Arena Toshinden 2
Centipede 3D
Claw v1.20 & 1.3beta
Cyber Gladiators
CyberTroopers: Virtual-On
Daytona USA
Daytona USA Deluxe v1.0 & D3D patch
Deathtrap Dungeon
Frogger v1.0 - v3.0u
Get Medieval
Hardcore 4x4
Hexen II v1.03 - v1.11 OpenGL and DirectX
House of the Dead
Incoming v1.0 - current & OEM bundled
Last Bronx
ManxTT Supperbikes v1.0 & v1.1
Master Mind CD & v7.3
Monopoly StarWars Edition v1.00z & v1.03b
Mortal Kombat 3
Mortal Kombat 4 v1.0 - Patch3
Motocross Madness
Need for Speed 3 CD & net patch1
Pandemonium
Powerboat Racing
Powerslide
ProPinball - The Web
ProPinball - Timeshock! v1.05 - 1.09b
RE-Loaded Win95/PowerVR patch
Sega Rally v1.0 & MMX upgrade
Sega Touring Car Championship v1.0 & v1.03
Shadow Master
Shipwreckers!
Speedboat Attack DirectX & 3Dfx
SWIV 3D Assualt all versions
Tempest 2000
The Divide
Turok
Twisted Metal 2
Ultim@te Race Pro all upto v1.4
Unreal all versions CD - 2.16
Virtua Figter v1.0 & DirectX3 upgrade
Virtua Figter 2 all versions
Virtua Squad
Virtua Squad 2
Wargods
WipeoutXL D3D & PowerVR
World Wide Soccer v1.0 & D3D patch

----------------------------------------
       Free Information Xchange
         Share the Knowledge!
________________________________________
      ____________    ___
     /  ______/\  \  /  /   FiX  
     \  \_____  \  \/  /
      \_____  \  \    /
     ______/  /   \  /
     \_______/tatic\/engeance
________________________________________
    Tutorial and crack for WipeoutXL
       from Psygnosis Limited
----------------------------------------