
Free Information Xchange '98 presents:

ProPinball: The Web - CD crack by Static Vengeance

Requirements:
hex editor and full install

	ProPinball: The Web has many of the same features as TimeShock! and the same bug.  Having
cracked TimeShock!, I figured this one would be really easy and really quick.  Well, it was a bit
harder than I thought it would be.  First off, all the files are stored on the CD except for the
couple of EXE files it takes to run the game.  So my first thought was to copy the sub-directory
"pc_dat" to the "web's" sub-directory and see what happens.  Well of course the game asks for the
CD.  So I got W32Dasm up and running and put myself in the middle of the CD check routine.  That
routine looks like this:

* Referenced by a CALL at Address:
|:00413EC0   
|
:00415638 53                      push ebx
:00415639 51                      push ecx
:0041563A 52                      push edx
:0041563B 56                      push esi
:0041563C 57                      push edi
:0041563D 55                      push ebp
:0041563E 83EC20                  sub esp, 00000020
:00415641 833DC0CC4200FF          cmp dword ptr [0042CCC0], FFFFFFFF
:00415648 741F                    je 00415669
:0041564A A0C0CC4200              mov al, byte ptr [0042CCC0]
:0041564F 0441                    add al, 41
:00415651 A28CCA4200              mov byte ptr [0042CA8C], al
:00415656 E895FFFFFF              call 004155F0
:0041565B 85C0                    test eax, eax
:0041565D 750A                    jne 00415669
:0041565F C705C0CC4200FFFFFFFF    mov dword ptr [0042CCC0], FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00415648(C), :0041565D(C)
|
:00415669 833DC0CC4200FF          cmp dword ptr [0042CCC0], FFFFFFFF
:00415670 7537                    jne 004156A9
:00415672 BA03000000              mov edx, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041568D(C)
|
:00415677 88D0                    mov al, dl
:00415679 0441                    add al, 41
:0041567B A28CCA4200              mov byte ptr [0042CA8C], al
:00415680 E86BFFFFFF              call 004155F0
:00415685 85C0                    test eax, eax
:00415687 7506                    jne 0041568F
:00415689 42                      inc edx
:0041568A 83FA1A                  cmp edx, 0000001A
:0041568D 7CE8                    jl 00415677

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415687(C)
|
:0041568F 83FA19                  cmp edx, 00000019
:00415692 7E0F                    jle 004156A3

* Possible StringData Ref from Data Obj ->"Please insert "The Web" CD and "  <-- The string that got us
                                        ->"try again"                        <-- to look into the code
                                  |
:00415694 6898A24200              push 0042A298
:00415699 6A2D                    push 0000002D
:0041569B E8A02B0000              call 00418240
:004156A0 83C408                  add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415692(C)
|
:004156A3 8915C0CC4200            mov dword ptr [0042CCC0], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415670(C)
|
:004156A9 BB14000000              mov ebx, 00000014
:004156AE 89E0                    mov eax, esp
:004156B0 BE04020000              mov esi, 00000204
:004156B5 31D2                    xor edx, edx

* Possible StringData Ref from Data Obj ->"?:"
                                  |
:004156B7 BF8CCA4200              mov edi, 0042CA8C
:004156BC E85FD70000              call 00422E20
:004156C1 89742408                mov dword ptr [esp+08], esi
:004156C5 897C240C                mov dword ptr [esp+0C], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00415700(C), :00415709(U), :00415717(U)
|
:004156C9 89E0                    mov eax, esp
:004156CB 50                      push eax
:004156CC 6802330000              push 00003302
:004156D1 6803080000              push 00000803
:004156D6 6A00                    push 00000000

* Reference To: WINMM.mciSendCommandA, Ord:0001h
                                  |
:004156D8 2EFF1568914400          Call dword ptr cs:[00449168]
:004156DF 85C0                    test eax, eax
:004156E1 7436                    je 00415719
:004156E3 6A02                    push 00000002

* Possible StringData Ref from Data Obj ->"Pro Pinball - The Web"
                                  |
:004156E5 68C4A24200              push 0042A2C4

* Possible StringData Ref from Data Obj ->"Unable to play CD tracks.  This "
                                        ->"may be because another program "
                                        ->"such as CDPLAYER is already using "
                                        ->"the drive"
                                  |
:004156EA 68DCA24200              push 0042A2DC
:004156EF 8B1D48474300            mov ebx, dword ptr [00434748]
:004156F5 53                      push ebx

* Reference To: USER32.MessageBoxA, Ord:000Ah
                                  |
:004156F6 2EFF1534914400          Call dword ptr cs:[00449134]
:004156FD 83F803                  cmp eax, 00000003
:00415700 72C7                    jb 004156C9
:00415702 7607                    jbe 0041570B
:00415704 83F805                  cmp eax, 00000005
:00415707 7449                    je 00415752
:00415709 EBBE                    jmp 004156C9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415702(C)
|
:0041570B 6A02                    push 00000002
:0041570D 6A01                    push 00000001
:0041570F E82C2B0000              call 00418240
:00415714 83C408                  add esp, 00000008
:00415717 EBB0                    jmp 004156C9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004156E1(C)
|
:00415719 8B442404                mov eax, dword ptr [esp+04]
:0041571D A378CA4200              mov dword ptr [0042CA78], eax
:00415722 8D442414                lea eax, dword ptr [esp+14]
:00415726 50                      push eax
:00415727 6800040000              push 00000400
:0041572C 680D080000              push 0000080D
:00415731 8B442410                mov eax, dword ptr [esp+10]
:00415735 BD0A000000              mov ebp, 0000000A
:0041573A 50                      push eax
:0041573B 896C2428                mov dword ptr [esp+28], ebp

* Reference To: WINMM.mciSendCommandA, Ord:0001h                    <-- Calls through Windows Multi-Media dll
                                  |
:0041573F 2EFF1568914400          Call dword ptr cs:[00449168]
:00415746 85C0                    test eax, eax
:00415748 7408                    je 00415752
:0041574A 31D2                    xor edx, edx
:0041574C 891578CA4200            mov dword ptr [0042CA78], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00415707(C), :00415748(C)
|
:00415752 83C420                  add esp, 00000020
:00415755 5D                      pop ebp
:00415756 5F                      pop edi
:00415757 5E                      pop esi
:00415758 5A                      pop edx
:00415759 59                      pop ecx
:0041575A 5B                      pop ebx
:0041575B C3                      ret

	Simple enough, just trace it backwards and kill the call to the CD check routine.  There are
two files that have a CD check routine in them.  The menu program which allows you to change some
selections and the actual game called wgame.exe.  I made an edit that killed the call to the CD routine
in wgame.exe and ran it.  Popped up and ran.... until I hit F1 for one player, then I got a black screen
and a pop up dialog box saying "The Web CD is missing" and it let me click "OKAY" and quit back to Win95.
Damn, there is some type of secondary check or flag system in the game.  So now the fun really begins!
This time I ran that game (with the patch) and had the CD in the drive, same thing!  So now it's back to
tracing the routines and checking for flags.  After many sheets of paper and tons of notes and addresses I
thought I would narrow it down to being WINMM related.  So I started looking into sections of code that
were making mci (winmm) calls.  Eventually I found this little section that seemed to have possibilities:

* Referenced by a CALL at Addresses:
|:00404796   , :00408E17   , :00408F2D   , :004093C2   , :0040941E   
|:00409763   , :004097F5   , :00409894   , :0040AAC7   , :0040D44A   <-- Too MANY calls to trace, but
|:0040D4B3   , :0040D4DE   , :0040D549   , :0040D56F   , :0040D5EA   <-- it's used a lot
|:0040E3DE   , :00410EE3   , :00411E09   , :00411F50   , :00412732   
|
:00415840 53                      push ebx
:00415841 51                      push ecx
:00415842 56                      push esi
:00415843 89C3                    mov ebx, eax
:00415845 89D6                    mov esi, edx
:00415847 8B1578CA4200            mov edx, dword ptr [0042CA78]
:0041584D A384CA4200              mov dword ptr [0042CA84], eax
:00415852 85D2                    test edx, edx
:00415854 7411                    je 00415867
:00415856 6A00                    push 00000000
:00415858 6A00                    push 00000000
:0041585A 6808080000              push 00000808
:0041585F 52                      push edx

* Reference To: WINMM.mciSendCommandA, Ord:0001h                  <-- I was looking for WINMM calls
                                  |
:00415860 2EFF1568914400          Call dword ptr cs:[00449168]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00415854(C)
|
:00415867 89D8                    mov eax, ebx
:00415869 E836FFFFFF              call 004157A4                    <-- what does this call do?
:0041586E 8935541E4300            mov dword ptr [00431E54], esi    <-- Looking for possible flags
:00415874 31F6                    xor esi, esi
:00415876 B801000000              mov eax, 00000001
:0041587B 8935A0CA4200            mov dword ptr [0042CAA0], esi    <-- Looking for possible flags
:00415881 5E                      pop esi
:00415882 59                      pop ecx
:00415883 5B                      pop ebx
:00415884 C3                      ret

	Well I checked out the call and saw it was sending additional mci commands.  So I thought
I would kill the call at 00415869 and see what happens.  Well the game starts up and I can now
play as one player.... but.... no sound at all!  hhmmmmm...  Getting closer.  I thought the
mov eax,ebx was needed for the call to 4157A4, so I changed it to xor esi,esi to zero out esi,
then the mov dword ptr [00431E54], esi would store a zero there.  Tried the game again, still no
sound.  Well then, what if we prevent anything from being stored at ptr [00431E54]?  Well the game
worked (to my delight).  So using the information we have we need to do the following:  Kill the
call to the CD check routine.  Kill the above listed call to 415869 and make sure ptr [00431E54]
is NOT changed.  So looking at the code I thought as long as ESI is getting xor'ed to itself (or
getting zero'ed out) I would change the mov dword ptr [00431E54], esi to mov esi,dword ptr [00431E54]
and that way we only load from there.  Plus instead of changing the "89 35 54 1E 43 00" to all 90's
we'll only have to change the 89 to 8B and that changes the instruction around!  So to crack this
one you'll need to:

1.  Install the game to your hard drive
2.  Copy the PC_DAT directory to the same directory as "The Web"
3.  Make the following edits to the EXE files listed:

Edit wgame.exe
===========================================
Search for: E8 73 17 00 00    offset 78,528
Change to : 90 90 90 90 90

Search for: E8 36 FF FF FF 89 offset 85,097
Change to : 90 90 90 90 90 8B


Edit menu.exe
===========================================
Search for: E8 33 1F 00 00    offset 10,576
Change to : 90 90 90 90 90

Search for: E8 36 FF FF FF 89 offset 19,129
Change to : 90 90 90 90 90 8B

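As an added example (not part of the original text), here is a small Python script that double-checks the arithmetic behind the listings above: it decodes the E8 rel32 calls the write-up quotes and confirms where they land (the call at 00415656 on the routine at 004155F0, the call at 00415869 on 004157A4), maps the quoted wgame.exe file offsets back to virtual addresses, and shows why the single-byte change from 89 to 8B reverses the operand order of the mov. The image base of 00400000 and the code-section mapping (RVA 1000 stored at raw offset 400) are assumptions, not values stated in the text; they are the usual layout for a Win32 EXE of the period and they agree with both wgame.exe offsets listed.

```python
"""Cross-check the W32Dasm listing quoted in the write-up.

Added example, not the original author's code.  It decodes the two x86
encodings the write-up relies on and verifies the addresses it quotes:
  * E8 rel32        near relative CALL; target = next instruction + rel32
  * 89 /r vs 8B /r  MOV with the direction bit (bit 1 of the opcode)
                    deciding whether the memory operand is the destination
                    (89) or the source (8B)
  * virtual address <-> file offset for the code section
"""
import struct

# ASSUMPTIONS: typical Win32 EXE layout, not stated anywhere in the text.
IMAGE_BASE = 0x400000
TEXT_RVA, TEXT_RAW = 0x1000, 0x400   # code section mapped at RVA 1000, stored at raw 400

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def call_target(va, code):
    """Decode an E8 rel32 CALL whose first byte sits at virtual address `va`."""
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    rel = struct.unpack_from("<i", code, 1)[0]        # signed 32-bit displacement
    return (va + 5 + rel) & 0xFFFFFFFF                # relative to the next instruction


def decode_mov_disp32(code):
    """Decode MOV r32,[disp32] (8B) or MOV [disp32],r32 (89), ModRM mod=00 r/m=101."""
    op, modrm = code[0], code[1]
    if op not in (0x89, 0x8B) or (modrm & 0xC7) != 0x05:
        raise ValueError("not a MOV reg,[disp32] form")
    reg = REG32[(modrm >> 3) & 7]
    mem = "dword ptr [%08X]" % struct.unpack_from("<I", code, 2)[0]
    # Direction bit: 0 -> register is the source, 1 -> register is the destination.
    return f"mov {reg}, {mem}" if op & 0x02 else f"mov {mem}, {reg}"


def va_to_file_offset(va):
    """Virtual address -> raw file offset under the assumed section mapping."""
    return va - IMAGE_BASE - TEXT_RVA + TEXT_RAW


def file_offset_to_va(off):
    """Raw file offset -> virtual address under the assumed section mapping."""
    return off - TEXT_RAW + TEXT_RVA + IMAGE_BASE


def check_listing():
    """Re-derive the addresses quoted in the write-up from the bytes it shows."""
    # Bytes and addresses below are copied from the listings in the text.
    return {
        # 00415656 E895FFFFFF  call 004155F0
        "call_4155F0": call_target(0x415656, bytes.fromhex("E895FFFFFF")),
        # 00415869 E836FFFFFF  call 004157A4
        "call_4157A4": call_target(0x415869, bytes.fromhex("E836FFFFFF")),
        # first wgame.exe edit: E8 73 17 00 00 at offset 78,528
        "cdcheck_call_site": file_offset_to_va(78528),
        "cdcheck_call_target": call_target(file_offset_to_va(78528),
                                           bytes.fromhex("E873170000")),
        # second wgame.exe edit: offset 85,097 should be the call at 00415869
        "second_edit_site": file_offset_to_va(85097),
        # 0041586E 8935541E4300 and the 8B variant the write-up proposes
        "store_form": decode_mov_disp32(bytes.fromhex("8935541E4300")),
        "load_form": decode_mov_disp32(bytes.fromhex("8B35541E4300")),
    }


if __name__ == "__main__":
    for name, value in check_listing().items():
        print(f"{name:20s} {value:08X}" if isinstance(value, int) else f"{name:20s} {value}")
```

Under the assumed mapping, offset 78,528 comes out at 00413EC0, which is exactly the address W32Dasm lists as the caller of the CD-check routine ("Referenced by a CALL at Address :00413EC0"), and the E8 73 17 00 00 there resolves to 00415638, the first instruction of that routine; offset 85,097 comes out at 00415869, the call the write-up kills. Both quoted offsets therefore agree with the listing and with each other, which is the kind of consistency check worth doing before editing any binary by hand.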
	Granted, this one was a little bit more work, but it's FiX'ed now!

Static Vengeance
