Star Wars Episode 1 Racer - CD crack by Static Vengeance - May 26th, 1999
REQUIREMENTS:
Full game install
W32Dasm & Hex editor
With all the hype about the new Star Wars movie (Episode 1) you just knew there were going to be games based on it. Star Wars Episode 1 Racer is just such a game. The game requires a 3D accelerator and makes good use of it as well! With dual Voodoo 2 cards the game looks fantastic and with all the options turned on (or on high) runs quite fast. The cut scenes are very good and the game play is great, so this game is well worth the money to buy. I just have two minor problems with this racer. First, once you've seen the animations (cut scene movies) you really don't need to see them every time you play the game. Second is a little program bug so commonly found in today's games, and that is the copy protection used. Why do they always make you have the original CD in the drive just to play the darn game? Like any game you'll be playing a lot, you don't want to hunt down the original CD to play it. Also if you have kids you'll want to make sure the CD is protected from harm. The best way to do that is not to have the game require the CD! With a little effort on your part and a little guidance on my part you'll be able to do that with this game.
If you install the game and run it you'll notice that you'll need to put the CD in the drive. One of the reasons this is needed is that the music files and all of the animations are kept on the CD to keep the game install size down. Fair enough, but what if we kill the animations and copy the music files to the hard drive? Then we can track down the CD check and kill that as well. We'll end up with a cracked copy of the game we can play anytime without the need for the CD to be in the CD-ROM drive. So let's get started on our quest. Install the game and you'll see two exe files. The first one is basically a loader, but it has some very important features. When you first run the game it's the file racer.exe that lets you choose your 3D card and resolution. Otherwise you're limited to the stock 640x480 @ 16 bit color. Hey! We've got big monitors and high powered 3D cards and we want to use higher res, right? So we'll need to kill the CD check in that file. The other file is of course the main game program called swep1rcr.exe and we'll need to track down the CD check in that file as well. So disassemble racer.exe and do the usual trick:

Go up to the menu bar and select "Refs" and then "String Data Refs" from the drop down menu. When the refs pop-up box comes up, grab the slider bar and start scrolling down looking for anything that looks interesting. Eventually, if you're paying attention, you'll find a ref of "/LNCH099/Please insert the CD ". Double click on that and you'll be put in the middle of some routine. However this string comes up 3 times so you'll have to look at the surrounding code to see which one is the CD check. So checking around a bit with the second occurrence you'll see some interesting things:
-- Program Code --
:00404856 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:0040485C 52                      push edx
:0040485D E8BE7D0000              call 0040C620
:00404862 83C408                  add esp, 00000008

* Possible StringData Ref from Data Obj ->"Star Wars: Episode I Racer\"
                                  |
:00404865 68ACCC4200              push 0042CCAC
:0040486A 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:00404870 50                      push eax
:00404871 E8AA7D0000              call 0040C620
:00404876 83C408                  add esp, 00000008

* Possible StringData Ref from Data Obj ->"v1.0"
                                  |
:00404879 68C8CC4200              push 0042CCC8
:0040487E 8D8DF0FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF0]
:00404884 51                      push ecx
:00404885 E8967D0000              call 0040C620
:0040488A 83C408                  add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004048D5(U)
|
:0040488D 6A00                    push 00000000
:0040488F E80F570000              call 00409FA3         <-- ...before the CD request
:00404894 83C404                  add esp, 00000004     <-- ...command
:00404897 85C0                    test eax, eax
:00404899 753C                    jne 004048D7          <-- ...e asking for the CD!!
:0040489B 6A01                    push 00000001         <-- We wan...

* Possible StringData Ref from Data Obj ->"/LNCH075/Star Wars: Episode I "
                                        ->"Racer"
                                  |
:004048EB 6828CD4200              push 0042CD28
:004048F0 E8F6080000              call 004051EB
-- Continuing Program Code --

That's interesting to me: first you have a call, then the code tests eax for a zero value. If eax is not zero the code jumps over asking for the CD! However, if eax is zero then up comes a Windows message box asking for the CD. Then the code checks your response and will either exit to Windows or loop back up to the mystery call! Well, let's take a closer look at that call and see what it's doing:
* Referenced by a CALL at Address:
|:0040488F                        <-- Only called once!
|
:00409FA3 55                      push ebp
:00409FA4 8BEC                    mov ebp, esp
:00409FA6 81EC10040000            sub esp, 00000410
:00409FAC E82FFFFFFF              call 00409EE0
:00409FB1 8885FCFEFFFF            mov byte ptr [ebp+FFFFFEFC], al
:00409FB7 C685FDFEFFFF00          mov byte ptr [ebp+FFFFFEFD], 00

* Possible StringData Ref from Data Obj ->":\"      <-- Pushes a pointer to ":\" as in "D:\"
                                  |
:00409FBE 6814ED4200              push 0042ED14
:00409FC3 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:00409FC9 50                      push eax
:00409FCA E851260000              call 0040C620
:00409FCF 83C408                  add esp, 00000008
:00409FD2 8D8DF4FCFFFF            lea ecx, dword ptr [ebp+FFFFFCF4]
:00409FD8 51                      push ecx
:00409FD9 E8CCFCFFFF              call 00409CAA
:00409FDE 83C404                  add esp, 00000004
:00409FE1 8D95FCFEFFFF            lea edx, dword ptr [ebp+FFFFFEFC]
:00409FE7 52                      push edx
:00409FE8 8D85F0FBFFFF            lea eax, dword ptr [ebp+FFFFFBF0]
:00409FEE 50                      push eax
:00409FEF E81C260000              call 0040C610
:00409FF4 83C408                  add esp, 00000008
:00409FF7 8D8DF4FCFFFF            lea ecx, dword ptr [ebp+FFFFFCF4]
:00409FFD 51                      push ecx
:00409FFE 8D95F0FBFFFF            lea edx, dword ptr [ebp+FFFFFBF0]
:0040A004 52                      push edx
:0040A005 E816260000              call 0040C620
:0040A00A 83C408                  add esp, 00000008
:0040A00D 8D85F0FBFFFF            lea eax, dword ptr [ebp+FFFFFBF0]
:0040A013 50                      push eax
:0040A014 E866FBFFFF              call 00409B7F
:0040A019 83C404                  add esp, 00000004
:0040A01C 85C0                    test eax, eax
:0040A01E 745A                    je 0040A07A
:0040A020 837D0800                cmp dword ptr [ebp+08], 00000000
:0040A024 744D                    je 0040A073
:0040A026 6A00                    push 00000000
:0040A028 6A00                    push 00000000
:0040A02A 6A00                    push 00000000
:0040A02C 6A00                    push 00000000
:0040A02E 6A00                    push 00000000
:0040A030 6804010000              push 00000104
:0040A035 8D8DF8FDFFFF            lea ecx, dword ptr [ebp+FFFFFDF8]
:0040A03B 51                      push ecx
:0040A03C 8D95FCFEFFFF            lea edx, dword ptr [ebp+FFFFFEFC]
:0040A042 52                      push edx
the volume
<-- Pointer
<-- Push it
<-- Pointer
<-- Push it
<-- Compare
<-- eax=1 m
<-- Set up
<-- Jump to
|
:0040A06B 33C0                    xor eax, eax          <-- Failed volume comparison
:0040A06D EB0D                    jmp 0040A07C          <-- Jump to exit
:0042550B 33C0                    xor eax, eax
:0042550D 53                      push ebx
:0042550E 55                      push ebp
:0042550F 56                      push esi
:00425510 57                      push edi
:00425511 8DBC24AD010000          lea edi, dword ptr [esp+000001AD]
:00425518 F3                      repz
:00425519 AB                      stosd
:0042551A 66AB                    stosw
:0042551C AA                      stosb
:0042551D A1E4794B00              mov eax, dword ptr [004B79E4]
:00425522 85C0                    test eax, eax
:00425524 0F8467010000            je 00425691
:0042552A 8D442418                lea eax, dword ptr [esp+18]
:0042552E 50                      push eax

:0042557B 746B                    je 004255E8
:0042557D 8B442410                mov eax, dword ptr [esp+10]
:00425581 33C9                    xor ecx, ecx
:00425583 33D2                    xor edx, edx
:00425585 668B4802                mov cx, word ptr [eax+02]
:00425589 668B10                  mov dx, word ptr [eax]
:0042558C 51                      push ecx
:0042558D 52                      push edx
:0042558E 8D8424A4020000          lea eax, dword ptr [esp+000002A4]
                                  |
:004255F1 689C554D00              push 004D559C
:004255F6 6A50                    push 00000050
:004255F8 68C0F2E900              push 00E9F2C0
<-- Write to...
:00425666 68987E4B00              push 004B7E98

* Possible StringData Ref from Data Obj ->"Error: Please reinstall program "   <-- Something we don't ever
                                        ->"from CD-ROM."                        <-- want to see!
                                  |
:0042566B 68447E4B00              push 004B7E44
:00425670 50                      push eax

* Reference To: USER32.MessageBoxA, Ord:0195h
                                  |
:00425671 FF15E0C14A00            Call dword ptr [004AC1E0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004257D0(C)
|
:00425677 E854EAFFFF              call 004240D0
:0042567C 6A00                    push 00000000
:0042567E E88D930700              call 0049EA10
:00425683 83C404                  add esp, 00000004
:00425686 5F                      pop edi
:00425687 5E                      pop esi
:00425688 5D                      pop ebp
:00425689 5B                      pop ebx
:0042568A 81C48C030000            add esp, 0000038C
:00425690 C3                      ret                   <-- Return to the caller

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425524(C)
|
:00425691 689C554D00              push 004D559C
:00425696 68C0F2E900              push 00E9F2C0
:0042569B E8B0940700              call 0049EB50
:004256A0 83C408                  add esp, 00000008
:004256A3 33C0                    xor eax, eax
:004256A5 5F                      pop edi
:004256A6 5E                      pop esi
:004256A7 5D                      pop ebp
:004256A8 5B                      pop ebx
:004256A9 81C48C030000            add esp, 0000038C
:004256AF C3                      ret                   <-- Return to the caller
[esp+00000130]
[esp+1C]
[esp+1C]
[esp+0000011C]
<-- Pa
                                  |
:00425749 68147E4B00              push 004B7E14
:0042574E 68C0F2E900              push 00E9F2C0

:004257C9 50                      push eax
:004257CA 51                      push ecx
:004257CB FFD3                    call ebx
:004257CD 83F802                  cmp eax, 00000002
:004257D0 0F84A1FEFFFF            je 00425677
:004257D6 E9F8FEFFFF              jmp 004256D3
<-- Return...
This routine, as long as it is, doesn't return any special value in eax, so if you replace the first instruction with a ret (C3) the CD check is effectively bypassed. Now that the CD checks in both exe files have been disabled or bypassed, it's time to address another problem with the game.
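Every "call 00409FA3" or "je 00425691" in the listings above is W32Dasm's decoding of a relative displacement that follows the opcode byte, and the target is simply the address of the next instruction plus that signed displacement. The following Python is an added example (not part of the original tutorial and not W32Dasm's code) that recomputes those targets from the address and opcode columns, so you can confirm by hand that the call at 0040488F really lands on the routine at 00409FA3 and that the jne at 00404899 skips past the message box. The function names and the SAMPLE listing are mine; the sample lines are copied from the listings on this page.

```python
"""Decode x86 relative branch targets from the address/opcode columns of a
W32Dasm listing. Added example, not code from the original tutorial."""
import struct


def rel_target(address: int, opcode_hex: str) -> int:
    """Return the target of the relative branch encoded at `address`.

    Encodings that occur in the listings above:
      E8 rel32 (call), E9 rel32 (jmp), EB rel8 (short jmp),
      70..7F rel8 (short jcc) and 0F 80..8F rel32 (near jcc).
    target = address + instruction length + sign-extended displacement
    """
    code = bytes.fromhex(opcode_hex)
    op = code[0]
    if op in (0xE8, 0xE9):                       # call / jmp rel32, 5 bytes
        if len(code) != 5:
            raise ValueError("E8/E9 need a 4-byte displacement")
        (disp,) = struct.unpack("<i", code[1:5])
        return (address + 5 + disp) & 0xFFFFFFFF
    if op == 0xEB or 0x70 <= op <= 0x7F:         # short jmp / jcc rel8, 2 bytes
        if len(code) != 2:
            raise ValueError("short branches need a 1-byte displacement")
        (disp,) = struct.unpack("<b", code[1:2])
        return (address + 2 + disp) & 0xFFFFFFFF
    if op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:   # near jcc, 6 bytes
        if len(code) != 6:
            raise ValueError("0F 8x needs a 4-byte displacement")
        (disp,) = struct.unpack("<i", code[2:6])
        return (address + 6 + disp) & 0xFFFFFFFF
    raise ValueError(f"not a relative branch: {opcode_hex}")


def parse_listing_line(line: str):
    """Split a W32Dasm code line such as ':0040488F E80F570000 call 00409FA3'
    into (address, opcode_hex). Reference and comment lines give None."""
    line = line.strip()
    if not line.startswith(":"):
        return None
    parts = line[1:].split()
    if len(parts) < 2:
        return None
    try:
        return int(parts[0], 16), parts[1]
    except ValueError:
        return None


def branch_targets(listing: str) -> dict:
    """Map the address of every relative branch in `listing` to its target;
    non-branch instructions are skipped."""
    out = {}
    for raw in listing.splitlines():
        parsed = parse_listing_line(raw)
        if parsed is None:
            continue
        addr, opc = parsed
        try:
            out[addr] = rel_target(addr, opc)
        except ValueError:
            pass
    return out


# Constructed sample: address and opcode columns copied from the listings above.
SAMPLE = """
:0040488F E80F570000              call 00409FA3
:00404899 753C                    jne 004048D7
:0040A020 837D0800                cmp dword ptr [ebp+08], 00000000
:0040A024 744D                    je 0040A073
:0040A06D EB0D                    jmp 0040A07C
:00425524 0F8467010000            je 00425691
:004257D6 E9F8FEFFFF              jmp 004256D3
"""

if __name__ == "__main__":
    for addr, target in sorted(branch_targets(SAMPLE).items()):
        print(f"{addr:08X} -> {target:08X}")
```

Run it and each decoded target matches the operand W32Dasm printed; the cmp line is correctly skipped because 83 is not a branch opcode. The same arithmetic explains the "Referenced by" headers: the je at 00425524 references 00425691, which is exactly where the second "xor eax, eax ... ret" block begins.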
The other problem with this game is: all the music files and all of the animation files are stored on the CD-ROM. I can live without all the cut scenes, but I like the music. So I tracked down the routine that plays the animations and FiX'ed it so the game would skip them. To do this you'll need to go back to the refs box and look for a string that has something to do with the animation routines like "\Data\Anims". If you double click on it you'll be in the middle of the routine that plays the animation files for the game. I will not show this routine as it's simply too long and would provide little if any knowledge. However, starting with the ref, search backwards until you find the start of the routine. You will eventually see that this LONG routine starts at 4252A0 and is called from four other locations. If you trace it to the end, you'll see that like the CD check this routine doesn't return any special value either. Replacing the first instruction with a ret code (C3) will disable all the animations. Then if you copy the music directory to your hard drive the game will play just fine and will no longer require you to have the CD online. That is of course the whole reason behind our efforts and this tutorial. The actual steps to crack Star Wars Episode 1 Racer are:
1. Install the game
2. Copy the "\Music" directory
   (from "CD":\Gnome\Data\wavs\ to your install directory in Data\wavs\)
3. Copy the "\Anims" directory   <-- Skip if you want to kill anims anyways
   (from "CD":\Gnome\Data\ to your install directory in Data\)
4. Make the following edits to the following files:

Edit Racer.exe
=============================================
Search for: E8 0F 57 00 00 at offset 18,575
Change to : B8 01 00 00 00

Edit swep1rcr.exe
=============================================
Search for: 81 EC 8C 03 00 at offset 149,760
Change to : C3 -- -- -- --

Optional: Kill the animation sequences:
Search for: 81 EC 0C 01 00 at offset 149,152
Change to : C3 -- -- -- --

For the French version:

Edit Racer.exe
=============================================
Search for: E8 79 57 00 00 at offset 18,725
Change to : B8 01 00 00 00

Edit swep1rcr.exe
=============================================
Search for: 81 EC 8C 03 00 at offset 153,216
Change to : C3 -- -- -- --

Optional: Kill the animation sequences:
Search for: 81 EC 0C 01 00 at offset 152,608
Change to : C3 -- -- -- --

5. Enjoy the game, graphics and races.
You can always copy both the animation and music files to your hard drive, then you'll have a 100% working copy of SW Episode 1 Racer on your hard drive. The only problem is the