Cracking Virtua Fighter CD-Check tutor...

	by Xcellent

Yeah!! I told you we're going fast! Here's yet another
high quality tutor (at least I think so, hehe) to show
you an approach to CD protections. Let's work!

Tools needed:
W32Dasm v8.93 (www.crackstore.com)
Any hexadecimal editor (www.crackstore.com has many!)

Run the game without the CD and..."Cannot find Virtua Fighter(TM)
PC CD." Ok, don't panic. Run W32Dasm, open the VFPC.EXE file and
wait for the disassembler to finish. Now we must search for the message
that appeared when we ran the game without the CD. To do this, click on
the menu Refs - String Data References and search for the message. When
you've found it, double click on it. Now you'll see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049F974(C) <- where it was called
|

* Possible StringData Ref from Data Obj ->"Cannot find Virtua Fighter(TM) "
                                        ->"PC CD."
                                  |
:0049F97D 68C4A3B700              push 00B7A3C4

Ok, now we know that this message is reached from the address 49F974.
Press SHIFT + F12, type 49F974 and click OK to go to the address 49F974.
Now you'll see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049F949(C)
|
:0049F959 E8F22AF6FF              call 00402450 <- call check routine 
:0049F95E 85C0                    test eax, eax <- compare results
:0049F960 742C                    je 0049F98E   <- if equal run

* Reference To: KERNEL32.GetOEMCP, Ord:00F6h
                                  |
:0049F962 FF159483B900            Call dword ptr [00B98394]
:0049F968 6A30                    push 00000030
:0049F96A 3DA4030000              cmp eax, 000003A4

* Possible StringData Ref from Data Obj ->"Virtua Fighter PC"
                                  |
:0049F96F 68C8A2B700              push 00B7A2C8
:0049F974 7507                    jne 0049F97D <- else jump to error msg

* Possible StringData Ref from Data Obj ->"Virtua Fighter(TM) PC "
                                  |
:0049F976 6818A3B700              push 00B7A318
:0049F97B EB05                    jmp 0049F982 <- jump to error msg in other language

Now we know that the jump to the error message is located at the address 49F974,
so we need to search upwards for an earlier jump...and we find it at the address
49F960. That je is taken only when the check routine returns zero in eax, and it
skips the whole error-message block by going to 49F98E. What we're going to do now
is change the je at the address 49F960 to a jmp, to make the game run with or
without the CD in the drive. But we need to know where in the file the jump is
located so we can change it. To do this, move the green bar to the je 0049F98E and
look at the bottom of the screen, where you will see @Offset 0009ED60h. Ok, run your
hexadecimal editor, open VFPC.EXE, go to the offset 9ED60 and change
74 to EB. Doing this will change the je to a jmp.
Save and run the game....*yeah* It's cracked!!
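
Seen from the integrity-checking side, a one-byte 74 -> EB change like this is easy to detect when a known-good copy of the file is available. The following is an added example, not part of the original tutorial: it diffs two images and flags any short conditional jump that has become an unconditional one. It generalizes from je (74) to all one-byte Jcc opcodes (70-7F); the function names and the zero-padded sample buffer are constructed for illustration.

```python
"""Added example: spot a forced-branch patch by diffing against a known-good image."""

JCC_SHORT = range(0x70, 0x80)  # one-byte conditional short jumps (Jcc rel8); 0x74 is je
JMP_SHORT = 0xEB               # unconditional short jump (jmp rel8)


def find_branch_patches(good: bytes, candidate: bytes) -> list:
    """Return one finding per byte that differs between the two images."""
    if len(good) != len(candidate):
        raise ValueError("images differ in length; a byte-wise diff is not meaningful")
    findings = []
    for off, (old, new) in enumerate(zip(good, candidate)):
        if old == new:
            continue
        forced = old in JCC_SHORT and new == JMP_SHORT
        findings.append({
            "offset": off,
            "old": old,
            "new": new,
            "kind": "jcc-to-jmp" if forced else "other",
            # The rel8 operand follows the opcode. If it is untouched, the branch
            # target is the same as before but is now taken unconditionally.
            "rel8": candidate[off + 1] if forced and off + 1 < len(candidate) else None,
        })
    return findings


def build_sample():
    """Constructed sample: zero padding, then the call/test/je bytes from the
    listing placed so that the je opcode sits at file offset 9ED60h."""
    code = bytes.fromhex("E8F22AF6FF" "85C0" "742C")
    good = bytes(0x9ED59) + code + bytes(16)
    patched = bytearray(good)
    patched[0x9ED60] = JMP_SHORT
    return good, bytes(patched)


if __name__ == "__main__":
    good, patched = build_sample()
    for finding in find_branch_patches(good, patched):
        print(finding)
```
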

If you have ANY questions, suggestions or anything else, just send me a mail or contact me by ICQ.
I'll be happy to help you!

Xcellent - The Brazilian crack3er
xcellent@bol.com.br
ICQ#83507510
