-----------------------------------------------------+
This information is for educational purposes only!   |
-----------------------------------------------------+

                                                -= DiABLO =-  
                                                                              

			--- Cracking Need For Speed 3 ---

Info:
*****
Damn, a new tut from me! This time it's about cracking Need For Speed 3, at
the request of v64! And as always, it's made to be as easy as I can get it!

Tools Needed:
*************
Hacker's View 6.02 ( Http://DiABLO.Freehosting.Net/Dl/Hview602.Zip )
W32Dasm v8.93      ( Http://DiABLO.Freehosting.Net/Dl/W32d893.Zip  )

The Cracking Begins:
********************
First install Nfs3 (max), then copy the /FEDATA/MOVIES/ & /GAMEDATA/AUDIO/PC/
directories from the cd to your Nfs3 dir. Why? Because otherwise U don't have
the movies and music etc. Now unzip the install.win file in this zip file to
your Nfs3 dir. Why? Because otherwise Nfs3 won't find your files! It will look
for some files on the cd-rom!! Now try Nfs3, fuck... it says 'To play Need for
Speed 3 you must have the game cd...' Let's remember this. Make a copy of
nfs3.exe. Start W32Dasm and go to 'String Data References', and find the
message 'To play Need for...' Did U find it? Me neither. Well then, open
Functions|Imports and look for GetDriveTypeA. Why? Because GetDriveTypeA is
the function that programs use to check whether a drive is a cd-rom. We can
use it to find out where the exe checks for the cd! Doubleclick on it. Tip:
If U doubleclick on it (or on any other function/string etc.) many times,
W32Dasm moves on to the next place it is used, because sometimes it is in
many places. In our case it's in two places in the exe, but we only look at
the one at 004F9440.
Are U with me now? Now we see:
------------------------------

* Referenced by a CALL at Addresses:
|:004B635B   , :004B63BC   
|
:004F9410 51                      push ecx
:004F9411 52                      push edx
:004F9412 56                      push esi
:004F9413 57                      push edi
:004F9414 83EC04                  sub esp, 00000004
:004F9417 89C2                    mov edx, eax

* Possible StringData Ref from Data Obj ->"A:\"
                                  |
:004F9419 BE30D95400              mov esi, 0054D930
:004F941E 89E7                    mov edi, esp
:004F9420 57                      push edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9437(C)
|
:004F9421 8A06                    mov al, byte ptr [esi]
:004F9423 8807                    mov byte ptr [edi], al
:004F9425 3C00                    cmp al, 00
:004F9427 7410                    je 004F9439
:004F9429 8A4601                  mov al, byte ptr [esi+01]
:004F942C 83C602                  add esi, 00000002
:004F942F 884701                  mov byte ptr [edi+01], al
:004F9432 83C702                  add edi, 00000002
:004F9435 3C00                    cmp al, 00
:004F9437 75E8                    jne 004F9421

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9427(C)
|
:004F9439 5F                      pop edi
:004F943A 001424                  add byte ptr [esp], dl
:004F943D 89E0                    mov eax, esp
:004F943F 50                      push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:0025h
                                  |
:004F9440 2EFF1518455300          Call dword ptr cs:[00534518]
:004F9447 83F805                  cmp eax, 00000005
:004F944A 7515                    jne 004F9461
:004F944C B801000000              mov eax, 00000001
:004F9451 83C404                  add esp, 00000004
:004F9454 5F                      pop edi
:004F9455 5E                      pop esi
:004F9456 5A                      pop edx
:004F9457 59                      pop ecx
:004F9458 8D8000000000            lea eax, dword ptr [eax+00000000]
:004F945E 8BD2                    mov edx, edx
:004F9460 C3                      ret

----------------------------
If we look at the top we see

* Referenced by a CALL at Addresses:
|:004B635B   , :004B63BC 

so let's go to 004B635B and check it out. We see this now:
----------------------------------------------------------

* Possible StringData Ref from Data Obj ->"install.win"
                                  |
:004B633B BA30FE5300              mov edx, 0053FE30
:004B6340 8D85C4FEFFFF            lea eax, dword ptr [ebp+FFFFFEC4]
:004B6346 A5                      movsd
:004B6347 A5                      movsd
:004B6348 66A5                    movsw
:004B634A A4                      movsb
:004B634B E840300400              call 004F9390
:004B6350 8D85C4FEFFFF            lea eax, dword ptr [ebp+FFFFFEC4]
:004B6356 E895300400              call 004F93F0
:004B635B E8B0300400              call 004F9410 <-- HERE IS THE CALL
:004B6360 85C0                    test eax, eax
:004B6362 7430                    je 004B6394   <-- GOODJUMP!
:004B6364 B906000000              mov ecx, 00000006
:004B6369 8D7DDC                  lea edi, dword ptr [ebp-24]
:004B636C BE94564B00              mov esi, 004B5694
:004B6371 6A30                    push 00000030
:004B6373 A1503A7A00              mov eax, dword ptr [007A3A50]
:004B6378 F3                      repz
:004B6379 A5                      movsd

* Possible StringData Ref from Data Obj ->"Need For Speed 3"
                                  |
:004B637A 683CFE5300              push 0053FE3C
:004B637F 8B5485DC                mov edx, dword ptr [ebp+4*eax-24]
:004B6383 52                      push edx
:004B6384 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:001Fh
                                  |
:004B6386 2EFF1564475300          Call dword ptr cs:[00534764]
:004B638D 31C0                    xor eax, eax
:004B638F E870990200              call 004DFD04

-------------------
Do U see this line:

:004B6362 7430                    je 004B6394

If we don't jump to 004B6394 we will continue down, and it looks
like a messagebox will be shown. I don't like that! So we have to
patch it so that it will always jump to 004B6394. We will do that
later. So, where does the jump take us? Let's see...
----------------------------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6362(C)
|
:004B6394 E807FFFFFF              call 004B62A0 <-- IT TAKES US HERE
:004B6399 85C0                    test eax, eax
:004B639B 755A                    jne 004B63F7 <-- GOODJUMP!
:004B639D 31D2                    xor edx, edx
:004B639F EB19                    jmp 004B63BA <-- BADJUMP!

---------------------------------------
This line will let us continue the game

:004B639B 755A                    jne 004B63F7

therefore it's a GOODJUMP, while this line won't let us continue so
it's a BADJUMP!

:004B639F EB19                    jmp 004B63BA

We have to turn the code at 004B639B into a JMP.
Now we have two things to patch:

:004B6362 7430                    je 004B6394
to a jump and
:004B639B 755A                    jne 004B63F7
to a jump.

To find out the file offsets of the lines, select a line and look at the
statusbar: at the line 004B6362 it says @Offset 000B5762, and at the line
004B639B it says @Offset 000B579B. Write down 000B5762 & 000B579B.
Start Hiew, select the nfs3.exe, press F4 and select DECODE. Press
F5 and enter 000B5762. Now press F3 to edit, write EB and press F9.
Now it says jmps instead of je. Press F5 and enter 000B579B. Now press
F3 to edit, write EB and press F9. Now it says jmps instead of jne.
Press F10 to exit. Try Nfs3 now! It works!!! Congratulations!! U
cracked Need For Speed 3!!!
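
Seen from the other side, the change above is a one-byte swap of a conditional
short jump (7x) for EB with the displacement byte left alone, which shows up
at once when a suspect exe is compared with a known-good copy. The Python
below is an added example, not part of the original tut: the function names
are made up, the bytes are retyped from the 004B6360-004B63A0 listing above,
the suspect buffer is constructed, and the VA-to-offset delta is derived from
the @Offset values quoted above (assumed valid only for that code section).

```python
# Added example: spot "forced branch" tampering by diffing a known-good code
# region against a suspect copy. Function names are illustrative only.

REGION_VA = 0x004B6360  # first byte of the region below
# Bytes 004B6360..004B63A0, retyped from the W32Dasm listing in this tut.
REFERENCE = bytes.fromhex(
    "85C0" "7430" "B906000000" "8D7DDC" "BE94564B00" "6A30" "A1503A7A00"
    "F3" "A5" "683CFE5300" "8B5485DC" "52" "6A00" "2EFF1564475300" "31C0"
    "E870990200" "E807FFFFFF" "85C0" "755A" "31D2" "EB19"
)
# VA minus file offset, derived from the tut's pair 004B6362 <-> 000B5762.
# Assumption: only valid inside the section that holds this code.
VA_TO_OFFSET_DELTA = 0x004B6362 - 0x000B5762


def short_jump_target(va, rel8):
    """Target of a 2-byte short jump: next instruction + signed 8-bit disp."""
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return va + 2 + disp


def find_forced_branches(reference, suspect, region_va=REGION_VA):
    """List every differing byte; flag Jcc rel8 (70..7F) swapped for EB."""
    if len(reference) != len(suspect):
        raise ValueError("regions must be the same length")
    findings = []
    for i, (good, seen) in enumerate(zip(reference, suspect)):
        if good == seen:
            continue
        # Heuristic: instruction boundaries are not decoded, so confirm the
        # VA against a disassembly before trusting the forced_branch flag.
        forced = (0x70 <= good <= 0x7F and seen == 0xEB
                  and i + 1 < len(suspect)
                  and reference[i + 1] == suspect[i + 1])
        va = region_va + i
        findings.append({
            "va": va,
            "file_offset": va - VA_TO_OFFSET_DELTA,
            "forced_branch": forced,
            "target": short_jump_target(va, suspect[i + 1]) if forced else None,
        })
    return findings


def constructed_suspect():
    """Constructed sample: REFERENCE with the two opcode bytes set to EB."""
    data = bytearray(REFERENCE)
    for va in (0x004B6362, 0x004B639B):
        data[va - REGION_VA] = 0xEB
    return bytes(data)
```

Calling find_forced_branches(REFERENCE, constructed_suspect()) returns one
finding per changed byte, each with the VA, the file offset and the jump target.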

* If U want to make a crack file for this (or something else) I recommend
  Rtd_Patcher. U can download the dos version here:
  Http://DiABLO.Freehosting.Net/Dl/Rtd_patc.zip
  I use it for every crack file I make!

* If U want to release this crack or something (U have to make one first!)
  REMEMBER, U have to do these things:

  1. Copy the /FEDATA/MOVIES/ & /GAMEDATA/AUDIO/PC/ directories from the
     cd to your nfs3 dir.
  2. Copy the Install.win file in this zip file to your nfs3 dir.
  3. Patch the nfs3.exe

Ending Info:
************
I hope U got it to work! If not, try again! If U learned something from
this tut, tell me! Meet me on EFNet in #Cracking4Newbies or #ORiON as
Da_DiABLO.

Greetings:
**********
Go to everybody in v64 & ORiON & Cracking4Newbies!! And also every other
cracker that reads this tut!!!