Free Information Xchange '97 presents:
ManxTT Superbikes - CD Crack by Static Vengeance
Requirements:
Hex Editor and Full game install
How I cracked Manx TT Superbikes by SEGA Entertainment with W32Dasm by URSoft. First off,
I'm following the 3Dfx version called Glmanxtt.exe. The same ideas (and the exact same patch) will
work for the "native" version. If you want to follow along, start by running W32Dasm and disassembling
glmanxtt.exe. When W32Dasm has finished with the disassembly, select "Refs" from the menu bar and
choose 'String data references'... Grab the slider bar and scroll down looking for
"Manx TT CD Must be in to run" (you ran the program once without the CD in to see how it asks
for the CD, right?). Anyways, double click on that string and you're in the middle of the check. You
should see something like the following (the entire routine):
* Referenced by a CALL at Address:
|:00445AC8
|
:004489E0 55 push ebp
:004489E1 89E5 mov ebp, esp
:004489E3 53 push ebx
:004489E4 51 push ecx
:004489E5 52 push edx
:004489E6 56 push esi
:004489E7 57 push edi
:004489E8 81EC10010000 sub esp, 00000110
:004489EE 890424 mov dword ptr [esp], eax
:004489F1 BAFFFFFFFF mov edx, FFFFFFFF
:004489F6 6804010000 push 00000104
:004489FB 8B35E8EB4800 mov esi, dword ptr [0048EBE8]
:00448A01 31DB xor ebx, ebx
:00448A03 68FCE05400 push 0054E0FC
:00448A08 8915F4DF5400 mov dword ptr [0054DFF4], edx
:00448A0E BA01000000 mov edx, 00000001
:00448A13 56 push esi
:00448A14 891DF0DF5400 mov dword ptr [0054DFF0], ebx
:00448A1A 66891504E25400 mov word ptr [0054E204], dx
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0008h
|
:00448A21 2EFF156C02AE00 Call dword ptr cs:[00AE026C]
:00448A28 BA5C000000 mov edx, 0000005C
:00448A2D B8FCE05400 mov eax, 0054E0FC
:00448A32 E8AF140100 call 00459EE6
:00448A37 40 inc eax
:00448A38 C60000 mov byte ptr [eax], 00
:00448A3B BE04000000 mov esi, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448B30(C)
|
* Possible StringData Ref from Data Obj ->"A:\" <-- Many CD checks can be found by searching
| <-- for "a:\" or "c:\" from refs in W32Dasm
:00448A40 BA744C4800 mov edx, 00484C74
:00448A45 8D45E0 lea eax, dword ptr [ebp-20]
:00448A48 E823E6FFFF call 00447070
:00448A4D 807DE05A cmp byte ptr [ebp-20], 5A
:00448A51 0F8F9D000000 jg 00448AF4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448AEE(C)
|
:00448A57 8D45E0 lea eax, dword ptr [ebp-20]
:00448A5A 50 push eax
* Reference To: KERNEL32.GetDriveTypeA, Ord:0006h <-- This call often used in CD checks
| <-- Use text string search in W32Dasm
:00448A5B 2EFF156402AE00 Call dword ptr cs:[00AE0264]
:00448A62 83F805 cmp eax, 00000005 <-- 05 is the value for a CD-ROM drive
:00448A65 0F8578000000 jne 00448AE3
:00448A6B 8D55E0 lea edx, dword ptr [ebp-20]
:00448A6E 8D85DCFEFFFF lea eax, dword ptr [ebp+FFFFFEDC]
:00448A74 E8F7E5FFFF call 00447070
:00448A79 6804010000 push 00000104
:00448A7E 8DBDDCFEFFFF lea edi, dword ptr [ebp+FFFFFEDC]
:00448A84 29C9 sub ecx, ecx
:00448A86 49 dec ecx
:00448A87 31C0 xor eax, eax
:00448A89 F2 repnz
:00448A8A AE scasb
:00448A8B F7D1 not ecx
:00448A8D 49 dec ecx
:00448A8E 8D85DCFEFFFF lea eax, dword ptr [ebp+FFFFFEDC]
:00448A94 01C8 add eax, ecx
:00448A96 50 push eax
* Possible Reference to String Resource ID=04004: "gamesnds.rbh" <-- Check for this file
|
:00448A97 68A40F0000 push 00000FA4
:00448A9C 8B3DE8EB4800 mov edi, dword ptr [0048EBE8]
:00448AA2 57 push edi
* Reference To: USER32.LoadStringA, Ord:0015h
|
:00448AA3 2EFF158803AE00 Call dword ptr cs:[00AE0388]
:00448AAA 85C0 test eax, eax
:00448AAC 7426 je 00448AD4
:00448AAE 8D85DCFEFFFF lea eax, dword ptr [ebp+FFFFFEDC]
:00448AB4 89F2 mov edx, esi
:00448AB6 E80C520000 call 0044DCC7
:00448ABB 83F8FF cmp eax, FFFFFFFF
:00448ABE 7423 je 00448AE3
:00448AC0 8D55E0 lea edx, dword ptr [ebp-20]
:00448AC3 B8F8DF5400 mov eax, 0054DFF8
:00448AC8 BB01000000 mov ebx, 00000001
:00448ACD E89EE5FFFF call 00447070
:00448AD2 EB20 jmp 00448AF4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448AAC(C)
|
:00448AD4 8D55E0 lea edx, dword ptr [ebp-20]
:00448AD7 B8F8DF5400 mov eax, 0054DFF8
:00448ADC E88FE5FFFF call 00447070
:00448AE1 EB11 jmp 00448AF4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00448A65(C), :00448ABE(C)
|
:00448AE3 8A55E0 mov dl, byte ptr [ebp-20]
:00448AE6 FEC2 inc dl
:00448AE8 8855E0 mov byte ptr [ebp-20], dl
:00448AEB 80FA5A cmp dl, 5A
:00448AEE 0F8E63FFFFFF jle 00448A57
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00448A51(C), :00448AD2(U), :00448AE1(U)
|
* Possible StringData Ref from Data Obj ->"cd_nocheck" <-- what the hell is this? a pointer
| <-- to how to remove the CD check?
:00448AF4 BA784C4800 mov edx, 00484C78
:00448AF9 A104EC4800 mov eax, dword ptr [0048EC04]
:00448AFE E82DE7FFFF call 00447230 <-- Check for the original CD
:00448B03 85C0 test eax, eax
:00448B05 7522 jne 00448B29 <-- Take this jump for a "passed" CD check
:00448B07 85DB test ebx, ebx
:00448B09 7523 jne 00448B2E
* Possible StringData Ref from Data Obj ->"Manx TT CD Must be in to run." <-- ask for the CD
|
:00448B0B 68844C4800 push 00484C84
:00448B10 A1ECEB4800 mov eax, dword ptr [0048EBEC]
:00448B15 50 push eax
:00448B16 E8B5D5FFFF call 004460D0
:00448B1B 83C408 add esp, 00000008
:00448B1E 85C0 test eax, eax
:00448B20 750C jne 00448B2E
:00448B22 E889CEFFFF call 004459B0
:00448B27 EB05 jmp 00448B2E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448B05(C)
|
:00448B29 BB01000000 mov ebx, 00000001 <-- Critical for the test ebx,ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00448B09(C), :00448B20(C), :00448B27(U)
|
:00448B2E 85DB test ebx, ebx <-- Test ebx
:00448B30 0F840AFFFFFF je 00448A40 <-- Take this jump and it does the check again
:00448B36 8D65EC lea esp, dword ptr [ebp-14]
:00448B39 5F pop edi
:00448B3A 5E pop esi
:00448B3B 5A pop edx
:00448B3C 59 pop ecx
:00448B3D 5B pop ebx
:00448B3E 5D pop ebp
:00448B3F C3 ret
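The same routine, as an added reconstruction in C (not the game's code or anything from the original text): the Win32 calls and the unlabeled helper calls are replaced by caller-supplied callbacks so the drive loop and the final test of ebx can be run offline. It assumes call 0044DCC7 is a file open that returns -1 on failure, call 004460D0 is the prompt that asks for the CD, and call 004459B0 exits; the fake_* functions are constructed test doubles.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical reconstruction (for study) of the control flow of the routine at 004489E0.
 * The Win32 calls named in the listing are replaced by callbacks so it runs offline. */
#define DRIVE_CDROM 5                     /* the "cmp eax, 00000005" in the listing */
#define MARKER_FILE "gamesnds.rbh"        /* string resource ID 4004 (push 00000FA4) */
#define CD_MSG "Manx TT CD Must be in to run."

typedef unsigned (*drive_type_fn)(const char *root);  /* stand-in for GetDriveTypeA */
typedef int (*file_exists_fn)(const char *path);       /* stand-in for call 0044DCC7 (-1 = failed) */
typedef int (*prompt_fn)(const char *msg);             /* stand-in for call 004460D0; 0 = give up */

/* Inner scan, 00448A40..00448AEE: walk A:\ .. Z:\ and return 1 (ebx = 1) when a CD-ROM
 * drive holds the marker file, copying that root into cd_root (the store to [0054DFF8]). */
int find_game_cd(drive_type_fn drive_type, file_exists_fn exists, char cd_root[4])
{
    char root[4], path[0x104];            /* [ebp-20] and [ebp-124h]; 0x104 is MAX_PATH */
    strcpy(root, "A:\\");                 /* the "A:\" string reference */
    for (; root[0] <= 'Z'; root[0]++) {   /* inc dl / cmp dl, 5A / jle 00448A57 */
        if (drive_type(root) != DRIVE_CDROM) continue;           /* jne 00448AE3 */
        snprintf(path, sizeof path, "%s%s", root, MARKER_FILE);  /* LoadStringA appends after strlen */
        if (!exists(path)) continue;                             /* cmp eax, FFFFFFFF / je 00448AE3 */
        strcpy(cd_root, root);
        return 1;                                                /* mov ebx, 00000001 */
    }
    cd_root[0] = '\0';
    return 0;
}

/* Outer loop, 00448AF4..00448B30. `override` models a nonzero result from call 00447230,
 * i.e. the jne 00448B29 being taken. Returns the number of scan passes, or 0 if abandoned. */
int cd_check(drive_type_fn dt, file_exists_fn ex, int override, prompt_fn prompt, char cd_root[4])
{
    int passes = 0;
    for (;;) {
        int found = find_game_cd(dt, ex, cd_root);   /* ebx after the scan */
        passes++;
        if (override) found = 1;                      /* jne 00448B29 -> mov ebx, 00000001 */
        if (found) return passes;                     /* test ebx,ebx: je 00448A40 not taken */
        if (!prompt(CD_MSG)) return 0;                /* call 004459B0 path, assumed to exit */
    }                                                 /* otherwise je 00448A40: scan again */
}

/* Constructed test doubles: only D:\ reports as a CD-ROM, and only it carries the marker. */
unsigned fake_drive_type(const char *root) { return root[0] == 'D' ? DRIVE_CDROM : 3; }
int fake_exists(const char *path) { return strcmp(path, "D:\\" MARKER_FILE) == 0; }
int fake_exists_none(const char *path) { (void)path; return 0; }
int fake_prompt_give_up(const char *msg) { (void)msg; return 0; }
```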
So you can see the important section is the mov ebx, 00000001 and the test ebx,ebx.
Finally it's the je (jump if equal) that says "yea or nay" for the CD check. Just remember we
do want to get past the point where we load in gamesnds.rbh, so we need to deal with this
section of code:
:00448AF4 BA784C4800 mov edx, 00484C78
:00448AF9 A104EC4800 mov eax, dword ptr [0048EC04]
:00448AFE E82DE7FFFF call 00447230 <-- Check for the original CD
:00448B03 85C0 test eax, eax
:00448B05 7522 jne 00448B29 <-- This is where we'll place our edit
:00448B07 85DB test ebx, ebx
:00448B09 7523 jne 00448B2E
The jne 00448B29 is the jump for a passed CD check, so I decided to make my edit there,
since there are 3 other conditional jumps to 448AF4 (the above snippet of code). Also, the continue code
is actually after the conditional jump (je 00448A40) at 448B30. So since we need to get to 448B36
anyway, I changed the jne 00448B29 to jmp 00448B36. And as long as the CD isn't going to be in the
drive anyway, why check for it? I killed the call to the CD check by NOP'ing out the call, simple
enough. The actual edits are the same for both files (glmanxtt.exe and manxtt.exe), just at different
offsets. The patches to be made are as follows:
Edit manxtt.exe USA ver at offset 282,350
upgrade from Sega Japan use offset 283,854
==========================================
Search for: E8 2D E7 FF FF 85 C0 75 22
Change to:  90 90 90 90 90 -- -- EB 2F
Edit glmanxtt.exe USA ver at offset 233,214
upgrade from Sega Japan use offset 283,982
==========================================
Search for: E8 2D E7 FF FF 85 C0 75 22
Change to:  90 90 90 90 90 -- -- EB 2F
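An added helper, not from the original tutorial, that decodes the relative branches in the listing the way W32Dasm prints them. It shows where the EB 2F comes from: a short jump's displacement is counted from the end of the 2-byte instruction, so 448B36 - 448B07 = 2F, and the same rule (with a 4-byte displacement) gives the call 00447230 and the je 00448A40 shown above. The byte arrays are copied from the listing.

```c
#include <stdint.h>
#include <stddef.h>

/* Recover the target of a relative branch. addr is the instruction's address, b its
 * bytes, len how many bytes are available. Returns 0 for anything it does not recognise. */
uint32_t branch_target(uint32_t addr, const uint8_t *b, size_t len)
{
    if (len >= 2 && (b[0] == 0xEB || (b[0] & 0xF0) == 0x70))       /* short jmp / jcc, rel8 */
        return addr + 2 + (uint32_t)(int8_t)b[1];                  /* sign-extend, wrap mod 2^32 */
    if (len >= 5 && b[0] == 0xE8) {                                 /* call rel32 */
        uint32_t rel = b[1] | b[2] << 8 | b[3] << 16 | (uint32_t)b[4] << 24;
        return addr + 5 + rel;
    }
    if (len >= 6 && b[0] == 0x0F && (b[1] & 0xF0) == 0x80) {        /* near jcc, rel32 */
        uint32_t rel = b[2] | b[3] << 8 | b[4] << 16 | (uint32_t)b[5] << 24;
        return addr + 6 + rel;
    }
    return 0;
}

/* Bytes copied from the listing (and from the patch line) for checking by hand. */
static const uint8_t call_447230[] = {0xE8, 0x2D, 0xE7, 0xFF, 0xFF};       /* at 00448AFE */
static const uint8_t jne_448B29[]  = {0x75, 0x22};                         /* at 00448B05 */
static const uint8_t jmp_patched[] = {0xEB, 0x2F};                         /* "Change to" bytes at 00448B05 */
static const uint8_t je_448A40[]   = {0x0F, 0x84, 0x0A, 0xFF, 0xFF, 0xFF}; /* at 00448B30 */
```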
The 3Dfx version is a much better version to play... and now you can play it without pulling
out your original CD... which also makes the program nicer to play. Once again I showed you how I
cracked a simple CD check using a very powerful program (in the right hands) called W32Dasm. Keep in
mind there are always several ways to crack programs and this is just one example of the way I do it...
That doesn't make it "THE" right way or wrong way... just my way. And it's the way I taught myself.
ManxTT needed to be FiX'ed
Static Vengeance