--- Cracking Need For Speed 3 --- Diablo

Damn, a new tut from me! This time it's about cracking Need For Speed 3, at
the request of v64! And as always, it's made to be as easy as I can get it!

Tools Needed:
Hacker's View 6.02 ( Http://DiABLO.Freehosting.Net/Dl/Hview602.Zip )
W32Dasm v8.93 ( Http://DiABLO.Freehosting.Net/Dl/W32d893.Zip )

The Cracking Begins:
First install Nfs3 (max), then copy the /FEDATA/MOVIES/ & /GAMEDATA/AUDIO/PC/
directories from the cd to your Nfs3 dir. Why? Because otherwise U don't have
the movies and music etc. Now unzip the install.win file in this zip file to
your Nfs3 dir. Why? Because otherwise Nfs3 won't find your files! It will
look for some files on the cd-rom!!

Now try Nfs3, fuck... it says 'To play Need for Speed 3 you must have the
game cd...' Let's remember this. Make a copy of the nfs3.exe. Start W32dasm
and go to 'String Data References', find the message 'To play Need for...'
Did U find it? Not me either, well then open Functions|Imports and look for
GetDriveTypeA. Why? Because GetDriveTypeA is the function that programs use
to find out whether a drive is a cd-rom. We can use it to find out where it
checks for the cd! Doubleclick on it.

Tip: If U doubleclick on it many times (or on any other function/string
etc.) it jumps to the next place it's used, because sometimes it can be in
many places. In our case it's in two places in the exe, but we only look at
the one at 004f9440.

Are U with me now? Now we see:

* Referenced by a CALL at Addresses:
|:004B635B , :004B63BC 
:004F9410 51 push ecx
:004F9411 52 push edx
:004F9412 56 push esi
:004F9413 57 push edi
:004F9414 83EC04 sub esp, 00000004
:004F9417 89C2 mov edx, eax

* Possible StringData Ref from Data Obj ->"A:\"
:004F9419 BE30D95400 mov esi, 0054D930
:004F941E 89E7 mov edi, esp
:004F9420 57 push edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004F9421 8A06 mov al, byte ptr [esi]
:004F9423 8807 mov byte ptr [edi], al
:004F9425 3C00 cmp al, 00
:004F9427 7410 je 004F9439
:004F9429 8A4601 mov al, byte ptr [esi+01]
:004F942C 83C602 add esi, 00000002
:004F942F 884701 mov byte ptr [edi+01], al
:004F9432 83C702 add edi, 00000002
:004F9435 3C00 cmp al, 00
:004F9437 75E8 jne 004F9421

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004F9439 5F pop edi
:004F943A 001424 add byte ptr [esp], dl
:004F943D 89E0 mov eax, esp
:004F943F 50 push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:0025h
:004F9440 2EFF1518455300 Call dword ptr cs:[00534518]
:004F9447 83F805 cmp eax, 00000005
:004F944A 7515 jne 004F9461
:004F944C B801000000 mov eax, 00000001
:004F9451 83C404 add esp, 00000004
:004F9454 5F pop edi
:004F9455 5E pop esi
:004F9456 5A pop edx
:004F9457 59 pop ecx
:004F9458 8D8000000000 lea eax, dword ptr [eax+00000000]
:004F945E 8BD2 mov edx, edx
:004F9460 C3 ret
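
The routine at 004F9410 read back into C, as an added example that is not code from the game or from the original tut: it builds the root path from the drive index passed in eax and returns 1 only when GetDriveTypeA answers 5 (cd-rom). get_drive_type, fake_get_drive_type and first_cdrom_index are hypothetical stand-ins so it runs without Windows, and returning 0 on the jne 004F9461 path is an assumption because that address is not in the listing.

```c
#include <stdio.h>
#include <string.h>

#define DRIVE_CDROM 5u   /* GetDriveTypeA result tested by "cmp eax, 00000005" */

/* Hypothetical stand-in with the shape of KERNEL32.GetDriveTypeA(LPCSTR),
   so the routine can be run off Windows. */
typedef unsigned int (*drive_type_fn)(const char *root_path);

/* Reading of 004F9410: eax = drive index (0 = A:), result returned in eax. */
int is_cdrom_drive(unsigned int drive_index, drive_type_fn get_drive_type)
{
    char root[4];

    strcpy(root, "A:\\");                    /* copy loop 004F9421-004F9437 */
    root[0] = (char)(root[0] + drive_index); /* add byte ptr [esp], dl      */

    if (get_drive_type(root) != DRIVE_CDROM) /* jne 004F9461                */
        return 0;   /* assumption: 004F9461 is not shown in the listing     */
    return 1;                                /* mov eax, 00000001 ... ret   */
}

/* Constructed sample machine: C: is a fixed disk (3), D: is a CD-ROM (5),
   every other root is reported as missing (1). */
unsigned int fake_get_drive_type(const char *root_path)
{
    if (strcmp(root_path, "C:\\") == 0) return 3u;
    if (strcmp(root_path, "D:\\") == 0) return DRIVE_CDROM;
    return 1u;
}

/* Returns the first drive index reported as a CD-ROM, or -1 if none.
   Hypothetical caller: the listing does not show how the index is chosen. */
int first_cdrom_index(drive_type_fn get_drive_type)
{
    for (unsigned int i = 0; i < 26; i++)
        if (is_cdrom_drive(i, get_drive_type))
            return (int)i;
    return -1;
}

int main(void)
{
    int idx = first_cdrom_index(fake_get_drive_type);
    if (idx >= 0) printf("CD-ROM drive: %c:\\\n", 'A' + idx);
    else printf("no CD-ROM drive\n");
    return 0;
}
```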

If we look at the top we see

* Referenced by a CALL at Addresses:
|:004B635B , :004B63BC 

so lets goto 004B635B and check it out. We see this now:

* Possible StringData Ref from Data Obj ->"install.win"
:004B633B BA30FE5300 mov edx, 0053FE30
:004B6340 8D85C4FEFFFF lea eax, dword ptr [ebp+FFFFFEC4]
:004B6346 A5 movsd
:004B6347 A5 movsd
:004B6348 66A5 movsw
:004B634A A4 movsb
:004B634B E840300400 call 004F9390
:004B6350 8D85C4FEFFFF lea eax, dword ptr [ebp+FFFFFEC4]
:004B6356 E895300400 call 004F93F0
:004B635B E8B0300400 call 004F9410 <-- HERE IS THE CALL
:004B6360 85C0 test eax, eax
:004B6362 7430 je 004B6394 <-- GOODJUMP!
:004B6364 B906000000 mov ecx, 00000006
:004B6369 8D7DDC lea edi, dword ptr [ebp-24]
:004B636C BE94564B00 mov esi, 004B5694
:004B6371 6A30 push 00000030
:004B6373 A1503A7A00 mov eax, dword ptr [007A3A50]
:004B6378 F3 repz
:004B6379 A5 movsd

* Possible StringData Ref from Data Obj ->"Need For Speed 3"
:004B637A 683CFE5300 push 0053FE3C
:004B637F 8B5485DC mov edx, dword ptr [ebp+4*eax-24]
:004B6383 52 push edx
:004B6384 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:001Fh
:004B6386 2EFF1564475300 Call dword ptr cs:[00534764]
:004B638D 31C0 xor eax, eax
:004B638F E870990200 call 004DFD04

Do U see this line:

:004B6362 7430 je 004B6394

If we don't jump to 004B6394 we will continue down and it looks
like a messagebox will be shown, I don't like that! So we have to
patch it so that it always will jump to 004B6394. We will do that
later. So, where does the jump take us? Lets see...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004B6394 E807FFFFFF call 004B62A0 <-- IT TAKES US HERE
:004B6399 85C0 test eax, eax
:004B639B 755A jne 004B63F7 <-- GOODJUMP!
:004B639D 31D2 xor edx, edx
:004B639F EB19 jmp 004B63BA <-- BADJUMP!

This line will let us continue the game

:004B639B 755A jne 004B63F7

therefore it's a GOODJUMP, while this line won't let us continue so
it's a BADJUMP!

:004B639F EB19 jmp 004B63BA

We have to change the code at 004B639B into a JMP.
Now we have two things to patch:

:004B6362 7430 je 004B6394
to a jump and
:004B639B 755A jne 004B63F7
to a jump.

To find out the offsets of the lines, select a line and look at the
statusbar, it says @Offset 000B5762 at the line 004B6362 and at the
line 004B639B it says @Offset 000B579B. Write down 000B5762 & 000B579B.
Start Hiew, select the nfs3.exe and press F4 and select DECODE. Press
F5 and enter 000B5762. Now press F3 to edit and write EB, press F9.
Now it says jmps instead of je. Press F5 and enter 000B579B. Now press
F3 to edit and write EB, press F9. Now it says jmps instead of jne.
Press F10 to exit. Try Nfs3 now! It works!!! Congratulations!! U
cracked Need For Speed 3!!!

* If U want to make a crack file for this (or something else) I recommend
Rtd_Patcher. U can download the dos version here:
I use it for every crack file I make!

* If u want to release this crack or something (U have to make one first!)
REMEMBER, U have to do these things:

1. Copy the /FEDATA/MOVIES/ & /GAMEDATA/AUDIO/PC/ directories from the
cd to your nfs3 dir.
2. Copy the Install.win file in this zip file to your nfs3 dir.
3. Patch the nfs3.exe

Ending Info:
I hope U got it to work! If not, try again! If U learned something from
this tut, tell me! Meet me on EFNet in #Cracking4Newbies or #ORiON as

Go to everybody in v64 & ORiON & Cracking4Newbies!! And also every other
cracker that reads this tut!!!