Download Twisted Metal 2

Free Information Xchange '98 presents:

Twisted Metal 2 - CD crack by Static Vengeance

Requirements:
Hex editor and full game install
W32Dasm if you wish to follow along

	Twisted Metal 2 (TM2) is a fair game to play but has a little bug that needs to be FiX'ed.  That
bug is of course a CD check that occurs before you can play the game.  The pop up dialog box that asks
for the CD is not a standard Win95 dialog box so there is no direct reference to the the string to search
for.  However we can still do a text string search for the KERNEL32 call "GetDriveTypeA"  So get W32Dasm
up and running and disassemble the file tm2.exe and follow along.  Searching for the GetDriveTypeA string
will result in about 5 or 6 occurrances of that string.  However it's the last one we need to look at
closely.  This is the one that deals with checking for the CD in your drive.  The routine looks like this:	

* Referenced by a CALL at Addresses:
|:00463F5B   , :0046591B   , :00465A5B   , :004789DE   , :004A886F   <-- Called from 5 different locations
|
:004995D4 53                      push ebx
:004995D5 51                      push ecx
:004995D6 52                      push edx
:004995D7 56                      push esi
:004995D8 57                      push edi
:004995D9 55                      push ebp
:004995DA 81EC34010000            sub esp, 00000134
:004995E0 89C7                    mov edi, eax
:004995E2 BB41000000              mov ebx, 00000041
:004995E7 31ED                    xor ebp, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00499666(C)
|
:004995E9 53                      push ebx

* Possible StringData Ref from Data Obj ->"%c:\"                     <-- Commonly used in CD checks
                                  |
:004995EA 681B314E00              push 004E311B
:004995EF 8D842438010000          lea eax, dword ptr [esp+00000138]
:004995F6 50                      push eax

* Reference To: USER32.wsprintfA, Ord:0002h
                                  |
:004995F7 2EFF157006C900          Call dword ptr cs:[00C90670]
:004995FE 83C40C                  add esp, 0000000C
:00499601 8D842430010000          lea eax, dword ptr [esp+00000130]
:00499608 50                      push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:000Ah                   <-- Text string that got us here
                                  |
:00499609 2EFF15E002C900          Call dword ptr cs:[00C902E0]
:00499610 83F805                  cmp eax, 00000005                 <-- 05 is the value for CD-ROM drive
:00499613 0F94C0                  sete al
:00499616 25FF000000              and eax, 000000FF
:0049961B 83F801                  cmp eax, 00000001
:0049961E 7542                    jne 00499662
:00499620 57                      push edi
:00499621 53                      push ebx

* Possible StringData Ref from Data Obj ->"%c:\%s"
                                  |
:00499622 6820314E00              push 004E3120
:00499627 8D44240C                lea eax, dword ptr [esp+0C]
:0049962B 50                      push eax

* Reference To: USER32.wsprintfA, Ord:0002h
                                  |
:0049962C 2EFF157006C900          Call dword ptr cs:[00C90670]
:00499633 83C410                  add esp, 00000010
:00499636 55                      push ebp
:00499637 6880000010              push 10000080
:0049963C 6A03                    push 00000003
:0049963E 55                      push ebp
:0049963F 6A01                    push 00000001
:00499641 6800000080              push 80000000
:00499646 8D442418                lea eax, dword ptr [esp+18]
:0049964A 50                      push eax

* Reference To: KERNEL32.CreateFileA, Ord:0002h                    <-- Create a file on CD?
                                  |
:0049964B 2EFF15C002C900          Call dword ptr cs:[00C902C0]
:00499652 89C6                    mov esi, eax
:00499654 83F8FF                  cmp eax, FFFFFFFF                <-- FF = error, not able to create file
:00499657 7511                    jne 0049966A
:00499659 89AC242C010000          mov dword ptr [esp+0000012C], ebp
:00499660 EB18                    jmp 0049967A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049961E(C), :0049967D(C)
|
:00499662 43                      inc ebx
:00499663 83FB5A                  cmp ebx, 0000005A               <-- Try 5Ah times
:00499666 7E81                    jle 004995E9
:00499668 EB1D                    jmp 00499687

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00499657(C)
|
:0049966A 55                      push ebp
:0049966B 50                      push eax

* Reference To: KERNEL32.GetFileSize, Ord:000Ch
                                  |
:0049966C 2EFF15E802C900          Call dword ptr cs:[00C902E8]
:00499673 8984242C010000          mov dword ptr [esp+0000012C], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00499660(U)
|
:0049967A 83FEFF                  cmp esi, FFFFFFFF
:0049967D 74E3                    je 00499662
:0049967F 56                      push esi

* Reference To: KERNEL32.CloseHandle, Ord:0001h
                                  |
:00499680 2EFF15BC02C900          Call dword ptr cs:[00C902BC]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00499668(U)
|
:00499687 83FB5A                  cmp ebx, 0000005A
:0049968A 7E05                    jle 00499691
:0049968C BBFFFFFFFF              mov ebx, FFFFFFFF                 <-- Set up for failed CD check

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049968A(C)
|
:00499691 89D8                    mov eax, ebx                      <-- Get the CD check "result" in eax
:00499693 891DE4A5A300            mov dword ptr [00A3A5E4], ebx
:00499699 81C434010000            add esp, 00000134
:0049969F 5D                      pop ebp
:004996A0 5F                      pop edi
:004996A1 5E                      pop esi
:004996A2 5A                      pop edx
:004996A3 59                      pop ecx
:004996A4 5B                      pop ebx
:004996A5 C3                      ret

	The single most important instruction in the above routine is the mov ebx, FFFFFFFF this is the
instruction that sets up for a failed CD check.  Changing this to mov ebx, 00000000 will result in a
cracked version of Twisted Metal 2.  There are atleast 4 versions of TM2 out there including the the
version on the CD.  To crack future versions search for the following string: 83 FB 5A 7E 05 BB FF FF FF
FF 89 D8 changing the "FF FF FF FF" to "00 00 00 00"  You will need to search for the entire string as
there are strings close to it that will pop up.  Then to kill the title avi, which is on the CD as are
all the movies in the game.  Search for: 72 B8 31 C0 85 C0 75 79 BB 06 and change the "75" to "EB"  I
had 3 versions to look at and found the above listed strings on all of them.  Each time the edit
resulted in a cracked version even in the multi-player version the program will say you have a CD online.
With the latest patch that now supports a VooDoo2 card I killed the first call the to CD check that
prevents you from starting a game, although not needed I thought I'd through it in anyways.

To crack Twisted Metal 2 make the following edits:

Edit TM2.exe, this version is off the CD
==================================================
Search for: 7E 05 BB FF FF FF FF at offset 564,538
change to : 90 90 BB 00 00 00 00

Search for: 75 79 BB 06 00 00 00 at offset 424,104
Chagne to : EB -- -- -- -- -- --

Edit TM2.exe, this version is a patch of the net
==================================================
Search for: 7E 05 BB FF FF FF FF at offset 564,026
change to : 90 90 BB 00 00 00 00

Search for: 75 79 BB 06 00 00 00 at offset 423,607
Chagne to : EB -- -- -- -- -- --

Edit TM2.exe, this is the latest patch off the net
==================================================
Search for: E8 F1 0B 02 00 at offset 429,534
Change to : B8 00 00 00 00

Search for: 7E 05 BB FF FF FF FF at offset 563,850
change to : 90 90 BB 00 00 00 00

Search for: 75 79 BB 06 00 00 00 at offset 423,025
Chagne to : EB -- -- -- -- -- --

	There you have it, Twisted Metal 2 has been FiX'ed.  Keep in mind that all movies (avi files) are
still stored on the CD and will NOT be played.  Also these patches allows you to play multi-player games
as though you have a CD in your CD-ROM drive.

Static Vengeance

----------------------------------------
       Free Information Xchange
         Share the Knowledge!
________________________________________
      ____________    ___
     /  ______/\  \  /  /   FiX  
     \  \_____  \  \/  /
      \_____  \  \    /
     ______/  /   \  /
     \_______/tatic\/engeance
________________________________________
 Tutorial and crack for Twisted Metal 2
     From Sony Interactive Studios
----------------------------------------

       Free Information Xchange  -=|=-  Share the Knowledge!

   Date: [ 04/21/98]        CD crack and tutorial by Static Vengeance ]
Program: [ Twisted Metal 2 by Sony Interactive Studios                ]
    URL: [ ftp://ftp.cdrom.com/pub/3dfiles/patch_archives/tm2setup.exe]
Comment: [ TM2_V2.com is ONLY for the patch at the above listed url   ]
Protect: [ Read the tutorial for complete information                 ]
Contact: [ [email protected]                             ]

   http://www.crackstore.com   Simply the best for game cracks!

 Greets: [ shadowRUNNER  R!SC  esoteric  TonyTOP  Zor                 ]


FiX Tutorials:
Addiction Pinball
Balls of Steel v1.0 - v1.2
Battle Arena Toshinden 2
Centipede 3D
Claw v1.20 & 1.3beta
Cyber Gladiators
CyberTroopers: Virtual-On CD & PowerVR versions
Daytona USA
Daytona USA Deluxe v1.0 & D3D patch
Deathtrap Dungeon
Forsaken
Frogger v1.0 - v3.0u
Get Medieval
Hardcore 4x4
HEDZ v1.0 & updated "old Win95" patch
Hexen II v1.03 - v1.11 OpenGL and DirectX
House of the Dead
Incoming v1.0 - current & OEM bundled
Klingon Honor Guard v1.0
Last Bronx
ManxTT Supperbikes v1.0 & v1.1
Master Mind CD & v7.3
Monopoly StarWars Edition v1.00z & v1.03b
Mortal Kombat 3
Mortal Kombat 4 v1.0 - Patch3
Motocross Madness
Need for Speed 3 CD & net patch1
Pandemonium
Powerboat Racing
Powerslide
ProPinball - The Web
ProPinball - Timeshock! v1.05 - 1.09b
RE-Loaded Win95/PowerVR patch
Sega Rally v1.0 & MMX upgrade
Sega Touring Car Championship v1.0 & v1.03
Shadow Master
Shipwreckers!
Speedboat Attack DirectX & 3Dfx
Star Wars-Rogue Squadron 3D v1.0
SWIV 3D Assualt all versions
Tempest 2000
The Divide
Turok
Twisted Metal 2
Ultim@te Race Pro all upto v1.4
Unreal all versions CD - 2.16
Virtua Figter v1.0 & DirectX3 upgrade
Virtua Figter 2 all versions
Virtua Squad
Virtua Squad 2
Wargods
WipeoutXL D3D & PowerVR
World Wide Soccer v1.0 & D3D patch