Free Information Xchange '98 presents:
Cyber Gladiators - CD check crack by Static Vengeance
Requirements
Hex editor and full install
W32Dasm if you want to follow along
Okay, first off.... YES I know it's very old as far as games go! However, a couple of
things came to mind when I chose to do this one. First, I haven't seen a crack for it anyway;
second, it supports my 3Dfx card through Direct3D; and lastly, it has a CD check, so I can
present yet another CD cracking tutorial. Run W32Dasm and disassemble cyber.exe. When W32Dasm
has finished disassembling the executable, go up to the menu bar, select "Refs" and drop down
to "String Data References". Grab the slider bar and scroll down to the string "Please put the
CyberGladiators", which is the start of the message 'Please put the CyberGladiators CD in the
CD drive.' Double click that string and you land right in the middle of this routine:
* Referenced by a CALL at Address:
|:00406F25
|
:004053E5 55 push ebp
:004053E6 8BEC mov ebp, esp
* Reference To: USER32.GetDesktopWindow, Ord:0000h
|
:004053E8 E89D180400 Call 00446C8A
:004053ED 50 push eax
* Reference To: USER32.GetDC, Ord:0000h
|
:004053EE E89D180400 Call 00446C90
:004053F3 EB21 jmp 00405416
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040541D(C)
|
* Possible StringData Ref from Data Obj ->"Please put the CyberGladiators " <-- The string that gets us
->"CD in the CD drive." <-- motivated to crack it!
|
:004053F5 B834764400 mov eax, 00447634
:004053FA 6A01 push 00000001
* Possible StringData Ref from Data Obj ->"CyberGladiators"
|
:004053FC 6868764400 push 00447668
:00405401 50 push eax
:00405402 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00405404 E863180400 Call 00446C6C
:00405409 83F802 cmp eax, 00000002 <-- 2 = IDCANCEL (the box was MB_OKCANCEL)
:0040540C 7508 jne 00405416 <-- OK pressed: go back and re-check the drives
:0040540E 6A01 push 00000001
:00405410 E86B080400 call 00445C80
:00405415 59 pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004053F3(U), :0040540C(C)
|
:00405416 E84FFFFFFF call 0040536A <-- Checks for actual CD
:0040541B 85C0 test eax, eax <-- Test for the outcome
:0040541D 74D6 je 004053F5 <-- Zero is fail and prints "Insert CD..."
:0040541F 5D pop ebp
:00405420 C3 ret <-- Anything else and we just return
For reference, we'll also look at the routine that actually checks for the CD. It shows
a few other things to search for when a program doesn't use a pop-up window to ask for the
CD. Moto Racer and Time Warrior are two such programs; each uses a graphics screen to ask
for the CD instead, so there is no message box string to find. Even then, the CD checking
routine can be found by looking for things like:
* Referenced by a CALL at Address:
|:00405416
|
:0040536A 55 push ebp
:0040536B 8BEC mov ebp, esp
:0040536D 81C460FFFFFF add esp, FFFFFF60
:00405373 53 push ebx
:00405374 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040539D(C)
|
:00405376 8D4341 lea eax, dword ptr [ebx+41]
:00405379 50 push eax
* Possible StringData Ref from Data Obj ->"%c:\" <-- Formats "A:\" .. "Z:\" (ebx+41h, 41h = 'A');
| <-- strings like "c:\" or "a:\" are another thing to search for
:0040537A 6829764400 push 00447629
:0040537F 8D55B0 lea edx, dword ptr [ebp-50]
:00405382 52 push edx
:00405383 E890D10300 call 00442518
:00405388 83C40C add esp, 0000000C
:0040538B 8D4DB0 lea ecx, dword ptr [ebp-50]
:0040538E 51 push ecx
* Reference To: KERNEL32.GetDriveTypeA, Ord:0000h <-- A text string search for "GetDriveTypeA"
| <-- can put you in the middle of CD check
:0040538F E882170400 Call 00446B16 <-- routines.
:00405394 83F805 cmp eax, 00000005 <-- 05 is value for CD-ROM drive
:00405397 7406 je 0040539F
:00405399 43 inc ebx
:0040539A 83FB1A cmp ebx, 0000001A <-- 1Ah = 26 drive letters, A: through Z:
:0040539D 7CD7 jl 00405376
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405397(C)
|
:0040539F 33DB xor ebx, ebx
:004053A1 6A00 push 00000000
:004053A3 6A00 push 00000000
:004053A5 6A00 push 00000000
:004053A7 6A00 push 00000000
:004053A9 6A00 push 00000000
:004053AB 6A50 push 00000050
:004053AD 8D8560FFFFFF lea eax, dword ptr [ebp+FFFFFF60]
:004053B3 50 push eax
:004053B4 8D55B0 lea edx, dword ptr [ebp-50]
:004053B7 52 push edx
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0000h <-- Another text string would be
| <-- "GetVolumeInformationA"
:004053B8 E89B170400 Call 00446B58
:004053BD 85C0 test eax, eax
:004053BF 741D je 004053DE
* Possible StringData Ref from Data Obj ->"CYBER" <-- Searching for the volume name
| <-- of the original CD often works
:004053C1 682E764400 push 0044762E
:004053C6 8D8D60FFFFFF lea ecx, dword ptr [ebp+FFFFFF60]
:004053CC 51 push ecx
:004053CD E826950300 call 0043E8F8 <-- Compares the label with "CYBER"; zero means it matched
:004053D2 83C408 add esp, 00000008
:004053D5 85C0 test eax, eax
:004053D7 7505 jne 004053DE
:004053D9 BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004053BF(C), :004053D7(C)
|
:004053DE 8BC3 mov eax, ebx
:004053E0 5B pop ebx
:004053E1 8BE5 mov esp, ebp
:004053E3 5D pop ebp
:004053E4 C3 ret
That should give you a few more ideas of things that will lead you to the CD
checking routine. Back to the task at hand: the first listing shows the routine is called
from 00406F25, so we list some code around that address and see what's going on there:
-- Program Code --
* Reference To: USER32.SetFocus, Ord:0000h
|
:00406F19 E836FD0300 Call 00446C54
:00406F1E 33C0 xor eax, eax
:00406F20 E90A040000 jmp 0040732F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406F08(C)
|
:00406F25 E8BBE4FFFF call 004053E5 <-- Do the CD check
:00406F2A B801000000 mov eax, 00000001
:00406F2F E894DDFFFF call 00404CC8
-- More Program Code --
The simplest thing to do at this point is to NOP out the call to the CD check and
test whether Cyber Gladiators is cracked. Two things make that safe here: the routine at
004053E5 takes no stack arguments (it never touches anything above ebp) and returns with a
plain ret, so the caller has no stack cleanup that the NOPs would skip; and its return value
in eax is overwritten by the very next instruction (mov eax, 00000001), so nothing downstream
depends on it. After you make the patch and run the program you find that you have indeed just
cracked the game. Now copy SPLASH.AVI and SPLASH4.AVI into the directory where you installed
the game and its exe file (cyber.exe), and you have a completely functional copy without the
need for the original CD to be in your CD-ROM drive. The actual edit is:
Edit Cyber.exe at offset 25,893
===============================
Search for: E8 BB E4 FF FF
Change to : 90 90 90 90 90
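Here is an added example, not code from the original tutorial, showing how to do that edit with a
check instead of blindly overwriting bytes: decode the E8 rel32 displacement of the CALL found by the
byte search to confirm it really targets 004053E5 (rel32 is relative to the next instruction), refuse
to patch if the pattern is not unique, and write the five NOPs. The only numbers that are not on the
page are assumptions derived from it: an image base of 0x400000 and a .text section whose virtual
address is 0xA00 above its raw file offset, which is what maps VA 00406F25 to offset 25,893 (0x6525).
The sample image is constructed here from the bytes in the listing above; it is not the real cyber.exe.

```python
"""Locate and NOP a near CALL in a Win32 image, checking it first.

Added example, not code from the original tutorial.  The numbers come from
the tutorial's disassembly; the file layout is an assumption derived from
them: image base 0x400000, and a .text section whose virtual address is
0xA00 higher than its raw file offset (0x6F25 - 0x6525).  The sample image
is constructed here; it is not the real cyber.exe.
"""
import struct

IMAGE_BASE = 0x400000          # assumed, as for most Win32 EXEs
TEXT_VA_MINUS_RAW = 0xA00      # assumed: implied by offset 25,893 for VA 00406F25
CALL_OPCODE = 0xE8
NOP = 0x90

# Constructed sample image: zeros except for the bytes the tutorial lists
# for 00406F19..00406F33, placed at the file offsets they would occupy.
_CODE = bytes.fromhex(
    "E836FD0300"    # 00406F19  call 00446C54 (SetFocus thunk)
    "33C0"          # 00406F1E  xor eax, eax
    "E90A040000"    # 00406F20  jmp 0040732F
    "E8BBE4FFFF"    # 00406F25  call 004053E5 (the CD check)
    "B801000000"    # 00406F2A  mov eax, 1
    "E894DDFFFF"    # 00406F2F  call 00404CC8
)
_buf = bytearray(0x6600)
_buf[0x6519:0x6519 + len(_CODE)] = _CODE
SAMPLE_IMAGE = bytes(_buf)


def va_to_offset(va: int) -> int:
    """Map a .text virtual address to its raw file offset."""
    return va - IMAGE_BASE - TEXT_VA_MINUS_RAW


def offset_to_va(offset: int) -> int:
    """Inverse of va_to_offset."""
    return offset + TEXT_VA_MINUS_RAW + IMAGE_BASE


def call_target(image: bytes, offset: int) -> int:
    """Decode a 5-byte near CALL (E8 rel32) at a file offset.

    The displacement is relative to the *next* instruction, so
    target = VA(offset) + 5 + rel32, wrapped to 32 bits.
    """
    if image[offset] != CALL_OPCODE:
        raise ValueError(f"no E8 CALL at file offset {offset:#x}")
    rel32 = struct.unpack_from("<i", image, offset + 1)[0]
    return (offset_to_va(offset) + 5 + rel32) & 0xFFFFFFFF


def find_unique(image: bytes, pattern: bytes) -> int:
    """Return the one offset where pattern occurs.

    A byte pattern you search for in a hex editor must be unique or you
    will patch the wrong place; refuse if it is not.
    """
    hits, start = [], 0
    while (i := image.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    if len(hits) != 1:
        raise ValueError(f"pattern found {len(hits)} times, need exactly 1")
    return hits[0]


def nop_call(image: bytes, call_va: int, expected_target: int) -> bytes:
    """NOP out the CALL at call_va after confirming it calls expected_target.

    Only safe when the callee takes no stack arguments and its return value
    is unused, which the tutorial verifies by reading the caller.
    """
    off = va_to_offset(call_va)
    actual = call_target(image, off)
    if actual != expected_target:
        raise ValueError(f"CALL at {call_va:#010x} goes to {actual:#010x}, "
                         f"not {expected_target:#010x}")
    patched = bytearray(image)
    patched[off:off + 5] = bytes([NOP] * 5)
    return bytes(patched)


def crack(image: bytes = SAMPLE_IMAGE) -> tuple[int, bytes]:
    """Reproduce the tutorial's edit: find E8 BB E4 FF FF, confirm it is the
    call to 004053E5, NOP it, and return (file offset, patched image)."""
    off = find_unique(image, bytes.fromhex("E8BBE4FFFF"))
    patched = nop_call(image, offset_to_va(off), 0x004053E5)
    return off, patched


if __name__ == "__main__":
    off, patched = crack()
    print(f"patched offset {off} ({off:#x}): {patched[off:off + 5].hex()}")
```

Decoding the displacement is the step worth keeping: the same five bytes could appear elsewhere in a
larger binary, and a CALL that decodes to a different target is not the one you want to remove.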
That's it for this one. It's old, but it's another example of how to remove a
CD check from a Win95 game. Cyber Gladiators has just been FiX'ed
Static Vengeance