
Free Information Xchange presents:

Star Wars: Rogue Squadron 3D, Version 1.0 - CD crack by R!SC - 12/0C/62 (18th Dec 98 !)

REQUIREMENTS:
Hex editor
W32Dasm 8.9x
Regedit.exe ;) (in your windoze directory...)


   Let's get started then. Install the game; there are no options, it just automatically does a 'full' install.
After the game's installed, see what files we have to play with: 'rogue.exe' & 'ROGUE SQUADRON.EXE',
the first being a loader and the second being the game. Remove the game CD and double click 'rogue.exe'.
Click on 'Play RS3D.' and a Win95 messagebox asks for the CD (nice). Click Cancel and double click
'ROGUE SQUADRON.EXE'; after a few seconds a black screen appears asking you to insert the CD-ROM...

  OK, stick the CD-ROM in and watch: a quick spin of the CD, the game carries on loading, intro sequences,
another few spins of the CD, then the start screen pops up. Hmmn... Full install, eh? Have a look
through your install directory and compare it to the CD and you'll find out two files are missing
from 'rogue/data': 'bundle.000' & 'bundle.001'. Anyway, let's kill those nasty CD-checks before we
bother with things like that.

  Copy the two game exe's to a temp directory and load your copy of 'ROGUE SQUADRON.EXE' into W32Dasm.
Click Functions/Imports at the top of the screen, and scroll down the list until you get to
'KERNEL32.GetDriveTypeA'. Double click this and we end up at the CD check routine.


* Referenced by a CALL at Address:
|:004EA475   
|
:004EBD46 55                      push ebp
:004EBD47 8BEC                    mov ebp, esp
:004EBD49 81ECE4020000            sub esp, 000002E4

* Possible StringData Ref from Data Obj ->"Error:  Please reinsert CD-ROM "
                                        ->"into drive then press any key "
                                        ->"to continue."   <-- Nasty message
                                  |
:004EBD4F 68C4406100              push 006140C4
:004EBD54 E8E6720100              call 0050303F            <-- Subroutine to ask for disk 'x', rarely happens
:004EBD59 83C404                  add esp, 00000004          - unless you've been messing around with the code...
:004EBD5C 33C0                    xor eax, eax
:004EBD5E A0843E6100              mov al, byte ptr [00613E84] <-- Is there a CD? flag??
:004EBD63 85C0                    test eax, eax
:004EBD65 0F84B6020000            je 004EC021              <-- A conditional jump just before the CD-Check
:004EBD6B 6A50                    push 00000050              - that skips 2B6 bytes (694ish bytes of CD-Checking Code)
:004EBD6D 8D4DB0                  lea ecx, dword ptr [ebp-50]
:004EBD70 51                      push ecx

* Possible StringData Ref from Data Obj ->"CD Path"
                                  |
:004EBD71 6810416100              push 00614110
:004EBD76 8B15E8F07000            mov edx, dword ptr [0070F0E8]
:004EBD7C FF5214                  call [edx+14]            <-- Get the CD drive letter from the registry??
:004EBD7F 83C40C                  add esp, 0000000C
:004EBD82 85C0                    test eax, eax
:004EBD84 0F8565020000            jne 004EBFEF             <-- Print error if no entry found...
:004EBD8A 8D45B0                  lea eax, dword ptr [ebp-50]
:004EBD8D 50                      push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
                                  |
:004EBD8E FF15AC705C00            Call dword ptr [005C70AC]
:004EBD94 8945AC                  mov dword ptr [ebp-54], eax
:004EBD97 837DAC05                cmp dword ptr [ebp-54], 00000005 <--05 = CD-ROM, if eax is !=5 then its not a CD-ROM
:004EBD9B 0F853F020000            jne 004EBFE0             <-- 'CD-Path in Reg not a CD-ROM'
:004EBDA1 8D4DB0                  lea ecx, dword ptr [ebp-50]
:004EBDA4 51                      push ecx
:004EBDA5 8D95A4FDFFFF            lea edx, dword ptr [ebp+FFFFFDA4]
:004EBDAB 52                      push edx
:004EBDAC E8CF460B00              call 005A0480
:004EBDB1 83C408                  add esp, 00000008

* Possible StringData Ref from Data Obj ->"\Rogue\Data\bundle.000" <-- File to check for.
                                  |
:004EBDB4 6818416100              push 00614118
:004EBDB9 8D85A4FDFFFF            lea eax, dword ptr [ebp+FFFFFDA4]
:004EBDBF 50                      push eax
:004EBDC0 E8CB460B00              call 005A0490
:004EBDC5 83C408                  add esp, 00000008

* Possible StringData Ref from Data Obj ->"w"              <-- means 'write'
                                  |
:004EBDC8 6830416100              push 00614130
:004EBDCD 8D8DA4FDFFFF            lea ecx, dword ptr [ebp+FFFFFDA4]
:004EBDD3 51                      push ecx
:004EBDD4 8B1504F17000            mov edx, dword ptr [0070F104]
:004EBDDA FF12                    call dword ptr [edx]
:004EBDDC 83C408                  add esp, 00000008
:004EBDDF 898524FEFFFF            mov dword ptr [ebp+FFFFFE24], eax
:004EBDE5 83BD24FEFFFF00          cmp dword ptr [ebp+FFFFFE24], 00000000
:004EBDEC 7425                    je 004EBE13
:004EBDEE 8B8524FEFFFF            mov eax, dword ptr [ebp+FFFFFE24]
:004EBDF4 50                      push eax
:004EBDF5 8B0D04F17000            mov ecx, dword ptr [0070F104]
:004EBDFB FF5104                  call [ecx+04]
:004EBDFE 83C404                  add esp, 00000004

* Possible StringData Ref from Data Obj ->"CDERR: The 'CD' is writeable!" <-- Oh No!!
                                  |
:004EBE01 6834416100              push 00614134
:004EBE06 E835C50900              call 00588340
:004EBE0B 83C404                  add esp, 00000004
:004EBE0E E9E9010000              jmp 004EBFFC


OK, we know this is our CD-check because of all the error messages & the call to GetDriveTypeA.
See that dodgy conditional jump right at the start of the check? Let's make it always jump and see
what happens...

At 4EBD5E change the A0 to A2 and the code reads:

:004EBD5C 33C0                    xor eax, eax                <-- Zero out eax for our "good" CD check
:004EBD5E A2843E6100              mov byte ptr [00613E84], al <-- zero out CD flag
:004EBD63 85C0                    test eax, eax               <-- Still zero!!!
:004EBD65 0F84B6020000            je 004EC021                 <-- Will always be taken

Highlight 4EBD5E in W32Dasm and write down the offset at the bottom of the screen. Load the file in
your game directory into your hex editor, go to the offset and change the 'A0' to an 'A2'. Save the
file and run it. Heh! It passes the CD-check, but wait, I can't play the damn game, just a black
screen with music playing. Let's have a look at where the jump we forced to happen takes us.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004EBD65(C)                     <-- lol, (U) now!
|
:004EC021 6A50                    push 00000050
:004EC023 8D55B0                  lea edx, dword ptr [ebp-50]
:004EC026 52                      push edx

* Possible StringData Ref from Data Obj ->"Source Dir"
                                  |
:004EC027 6888436100              push 00614388
:004EC02C A1E8F07000              mov eax, dword ptr [0070F0E8]  <-- De-Ja-Vu, see start of CD-Check
:004EC031 FF5014                  call [eax+14]            <-- Get the 'Source Dir' from the registry!
:004EC034 83C40C                  add esp, 0000000C
:004EC037 85C0                    test eax, eax
:004EC039 7521                    jne 004EC05C             <-- So if it cant find the 'Source Dir' in the registry
                                                             - it exits the routine putting a '0' in eax
* Possible StringData Ref from Data Obj ->"Rogue\Data\"    <-- dir off the CD with the missing files in...
                                  |
:004EC03B 6894436100              push 00614394
:004EC040 8D4DB0                  lea ecx, dword ptr [ebp-50]
:004EC043 51                      push ecx
:004EC044 E847440B00              call 005A0490            <-- not really sure about this one ;)
:004EC049 83C408                  add esp, 00000008
:004EC04C 6A00                    push 00000000
:004EC04E 8D55B0                  lea edx, dword ptr [ebp-50]
:004EC051 52                      push edx
:004EC052 6A06                    push 00000006
:004EC054 E8DC1F0300              call 0051E035            <-- Routine to load 'bundle.%03d' i.e. bundle.*
:004EC059 83C40C                  add esp, 0000000C          - we want this to happen...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004EC039(C)
|
:004EC05C 33C0                    xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004EBF8E(U), :004EC01F(U)
|
:004EC05E 8BE5                    mov esp, ebp
:004EC060 5D                      pop ebp
:004EC061 C3                      ret
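To tie the two listings together, here is an added example (not code from the tutorial or the game) that models the decision logic of the routine at 004EBD46 in C. The Windows calls are replaced by plain inputs so it runs anywhere; that 005A0480/005A0490 behave as strcpy/strcat, and that the CD check's file open is an fopen with "w", are assumptions read from the listing, not confirmed facts. Note how every branch hangs off the single byte at 00613E84.

```c
/* Added example: a C model of the CD-check routine at 004EBD46 in
 * ROGUE SQUADRON.EXE, reconstructed from the disassembly listing above.
 * Registry lookups, GetDriveTypeA and the fopen are passed in as values
 * so the logic can be exercised without Windows or the game. */
#include <stdio.h>
#include <string.h>

#define DRIVE_CDROM 5   /* the value GetDriveTypeA returns for a CD-ROM drive */

enum cd_result {
    CD_OK,                     /* check passed; bundle.* will be read from the CD   */
    CD_NO_REG_ENTRY,           /* "CD Path" missing from the registry (jne 004EBFEF) */
    CD_NOT_CDROM,              /* drive type != 5 (jne 004EBFE0)                     */
    CD_WRITEABLE,              /* fopen "w" worked: "CDERR: The 'CD' is writeable!"  */
    CD_SKIPPED_NO_SOURCE_DIR,  /* flag clear, no "Source Dir": ret with eax = 0      */
    CD_SKIPPED_SOURCE_DIR      /* flag clear, bundle.* loaded from "Source Dir"      */
};

/* cd_flag           : the byte at 00613E84
 * cd_path/source_dir: registry values, NULL when the entry is absent
 * drive_type        : what GetDriveTypeA(cd_path) would return
 * open_for_write_ok : whether opening <cd_path>\Rogue\Data\bundle.000 with "w" succeeds
 * bundle_path       : receives the path the routine would go on to use (assumed strcpy/strcat) */
enum cd_result cd_check(unsigned char cd_flag, const char *cd_path, unsigned drive_type,
                        int open_for_write_ok, const char *source_dir,
                        char *bundle_path, size_t n)
{
    if (cd_flag == 0) {                          /* je 004EC021: skip the whole check */
        if (source_dir == NULL)
            return CD_SKIPPED_NO_SOURCE_DIR;     /* jne 004EC05C -> xor eax,eax; ret */
        snprintf(bundle_path, n, "%sRogue\\Data\\", source_dir);
        return CD_SKIPPED_SOURCE_DIR;            /* call 0051E035 loads bundle.%03d here */
    }
    if (cd_path == NULL)
        return CD_NO_REG_ENTRY;
    if (drive_type != DRIVE_CDROM)
        return CD_NOT_CDROM;
    snprintf(bundle_path, n, "%s\\Rogue\\Data\\bundle.000", cd_path);
    if (open_for_write_ok)                       /* a real CD-ROM can never be opened "w" */
        return CD_WRITEABLE;
    return CD_OK;
}

int main(void)
{
    char buf[256];
    /* constructed inputs matching the tutorial's registry values: flag set, CD in G: */
    enum cd_result r = cd_check(1, "G:", DRIVE_CDROM, 0, "G:\\Rogue\\", buf, sizeof buf);
    printf("result %d, path %s\n", r, buf);
    return 0;
}
```

The "Source Dir" branch shows why the value must end in a backslash and why the install directory must be called ROGUE: the routine appends "Rogue\Data\" to whatever is in the registry.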

OK, let's load regedit.exe and have a little poke around in there. Hit F3 in regedit and type in
'source dir'. Eventually you will find something like this:

Rogue Squadron\V1.0\ <-- the folder that regedit turns up...

Name              Data
"CD Path          G:"        <-- G is my CD-Rom  !!MUST NOT BE THE SAME LETTER AS INSTALL PATH!!
"Executable       C:\Program Files\LucasArts\ROGUE\Rogue Squadron.EXE"
"Install Path     C:\Program Files\LucasArts\ROGUE"
"Source Dir       G:\Rogue\" <-- edit this one
"Source Path      G:"

Right click the two source ones, select Modify and enter your install path/directory:

"Source Dir       C:\Program Files\LucasArts\"  <-- what it should look like after editing (don't forget the '\' on the end)

Close Regedit and it saves your alterations. Copy 'bundle.000' & 'bundle.001' off the CD from
'rogue/data' into 'rogue/data' on your hard drive. (Something I forgot to let you know: since it
looks for the directory 'rogue/data' on the CD to find the two files, you have to install the game
into x:\xxxxx\xxxxx\xxxxx\rogue, i.e. the game MUST be installed into a directory/sub-directory
called 'ROGUE'!)

Double click 'Rogue Squadron.EXE' again: you get the intro, click the mouse, screen goes black,
dreadful music starts, a few more seconds and you're in the game starting menu. Create a player, click
start, HEH, play with no fucking CD... It goes a bit slow when I've got a 35mb .alf file loaded into my
text editor & loaded into W32Dasm; I'll ask Santa for more memory for Xmas, eh?

Well, that's 'rogue squadron.exe' FiX'ed, what about that loader? Load your copy of 'rogue.exe'
into W32Dasm, click String Refs, search for "Please insert the CD" (what it said in our messagebox),
double click on it, and again, and it brings us here... (I'll explain later why we skip the first one)


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040988E(U)
|
:00409789 8D95C0FEFFFF            lea edx, dword ptr [ebp+FFFFFEC0]
:0040978F 52                      push edx
:00409790 E87E230000              call 0040BB13
:00409795 83C404                  add esp, 00000004
:00409798 898544FFFFFF            mov dword ptr [ebp+FFFFFF44], eax
:0040979E 8D854CFFFFFF            lea eax, dword ptr [ebp+FFFFFF4C]
:004097A4 50                      push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h  <-- common in CD-Checks
                                  |
:004097A5 FF15CC0E4600            Call dword ptr [00460ECC]
:004097AB 8945F0                  mov dword ptr [ebp-10], eax
:004097AE 837DF005                cmp dword ptr [ebp-10], 00000005 <-- 05= CD-ROM
:004097B2 750C                    jne 004097C0  <-- if it don't find one, clear a flag at [ebp+FFFFFEB8]
:004097B4 C785B8FEFFFF01000000    mov dword ptr [ebp+FFFFFEB8], 00000001
:004097BE EB0A                    jmp 004097CA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004097B2(C)
|
:004097C0 C785B8FEFFFF00000000    mov dword ptr [ebp+FFFFFEB8], 00000000 <-- we change this so it sets the flag ;)
                                                                           - mov dword ptr [ebp+FFFFFEB8], 00000001  !!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004097BE(U)
|
:004097CA 83BD44FFFFFF00          cmp dword ptr [ebp+FFFFFF44], 00000000
:004097D1 740E                    je 004097E1                      <-- kill this conditional jump (9090)/(nop nop)
:004097D3 83BDB8FEFFFF00          cmp dword ptr [ebp+FFFFFEB8], 00000000  -^^^don't know what this one does but it goes to the error routine so we kill it..
:004097DA 7405                    je 004097E1                      <-- this one is never taken because of the flag we set
:004097DC E901010000              jmp 004098E2                     <-- so we jump to 4098E3

**snip boring bitz**

**taking the above jmp passes this horrible piece of code**

* Possible StringData Ref from Data Obj ->"/LNCH061/Please insert the CD "
                                        ->"into your CD-ROM player and try "
                                        ->"again."
                                  |
:0040985C 68905E4500              push 00455E90
:00409861 E8B877FFFF              call 0040101E
:00409866 83C404                  add esp, 00000004
:00409869 50                      push eax
:0040986A 6A00                    push 00000000

**and drops us off at this bit**

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004097DC(U), :00409835(U)  <-- the first one is our unconditional jump that we forced it to take
|                              - by faking that flag at [ebp+FFFFFEB8]

:004098E2 C645FC02                mov [ebp-04], 02
:004098E6 8D4DEC                  lea ecx, dword ptr [ebp-14]
:004098E9 E8E0080200              call 0042A1CE
:004098EE C645FC01                mov [ebp-04], 01
:004098F2 8D8DB4FEFFFF            lea ecx, dword ptr [ebp+FFFFFEB4]
:004098F8 E8D1080200              call 0042A1CE
:004098FD C645FC00                mov [ebp-04], 00
:00409901 8D8DBCFEFFFF            lea ecx, dword ptr [ebp+FFFFFEBC]
:00409907 E8C2080200              call 0042A1CE
:0040990C C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:00409913 8D8D48FFFFFF            lea ecx, dword ptr [ebp+FFFFFF48]
:00409919 E8B0080200              call 0042A1CE
:0040991E 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:00409921 64890D00000000          mov dword ptr fs:[00000000], ecx
:00409928 8BE5                    mov esp, ebp
:0040992A 5D                      pop ebp
:0040992B C3                      ret                      <-- clean exit with no errors



 Another tutorial comes to an end and another game has been FiX'ed!
 
happy cracking love R!SC -- risc@notme.com


edit ROGUE SQUADRON.EXE (ROGUES~1.EXE) (offsets are in hex)
===========================================================
Search for: 33 C0 A0 84    at offset EB15C
Change to : -- -- A2 --


edit ROGUE.EXE  (offsets are in hex)
====================================
rem Search for: 85 C0 74 4C    at offset 3DDD ;(
rem Change to : -- -- 90 90    ; the first reference to "/LNCH061/Please insert the CD ", further
                               ; examination shows that this bit loads the rogue.doc & rogue.txt
                               ; files off the CD, so we don't bother with this bit anymore...

Search for: FF FF 00 00    at offset 97C4
Change to : -- -- 01 --

Search for: FF 00 74 0E    at offset 97CF
Change to : -- -- 90 90


