POD (2 requests)

[Myloch]

Ok. I got Ollydbg (v.2.00.01) from http://www.ollydbg.de/

I was not able to do point 4a (different menu) When I select the two red nops with shift key, rightclick --->edit--->copy to executable.

Then I right click on new opened window and I select save file. I received no errors. Don't know if this method can be correct.

But when I execute the game (using italian language, as I understood only italian part is patched now) a new popup appears: "Impossible to find the disc in the unit. Insert a disc in the unit g:" cancel,retry,continue.

If I press cancel it quits, if I press continue the other popup window appears: insert cdrom pod.

[Cowsheep]

Try Olly 1.10 (as Olly2 does not have a goto offset button) and make screenshot of red nops so i can see if you are at the right place.
Did you made the full installation?

[Myloch]

http://img155.imageshack.us/img155/359/pode.jpg

Yep. Full install. It keeps asking for pod cdrom.
If can be of some help, the intro video run correctly and then it asks for cdrom.

[Cowsheep]

Argh, it got multiple cd checks. After making the nops, right click in Olly. Then Search for -> All intermodular calls. Then type on keyboard getdrivetypa . Then rightclick on one of the lines with kernel32.dll.getdrivetypa and select "Set breakpoint on every call to GetDriveTypeA".
Then press F9 , may wait till intro played and tell me the adress where it stopped. The adress is at the very left and should start with 004...

Sorry, i cant debug it myself because game crashes on my system before reaching a disc check even with original exes and disc. I played POD a lot in the past (when i had Win 98).

[Myloch]

http://img838.imageshack.us/img838/7664/debugh.jpg

Here is a screenshot of where it stopped (after the intro movie), but I had to press F9 several times before the intro movie started.

The address is 004A1F90

ah...and another thing: I had to press F9 a lot of times after that to make the window "insert pod cdrom" appear. The address was always the same (004A1F90), only the registers (fpu) values on the right in olly changed.

[Cowsheep]

Quote:

Originally Posted by Myloch

ah...and another thing: I had to press F9 a lot of times after that to make the window "insert pod cdrom" appear. The address was always the same (004A1F90), only the registers (fpu) values on the right in olly changed.

The amount of times you had to press F9 is the amount of driver letters you have.

Try nop that:
004A2089 . /75 09 JNZ SHORT winpod.004A2094

If that does not work, nop this one:
004A20E9 .^\75 E8 JNZ SHORT winpod.004A20D3

[Myloch]

Kewl! It worked with the first one. If it is not too much I'd like to modify other exes (at least the direct3d, the podmmx and the 3dfx ones) because I have different pcs and some exe work better with some system and worse with other. If you can help me or give me some infos about what to modify in the executables, that would be much appreciated

[Cowsheep]

Search for intermodular calls, type getdrivetypea, breakpoint on all calls to it, run app, and look where it stopps. Inside that function is a JNZ has to be NOPed.
Which one, you figure around by single stepping and compare how it behaves with disc ans without.
That have must be done twice (notice change of adress from getdrivetypea.)

If you dont manage that, tell me .exe name. size, version number under file properties and adress of getdrivetypea.
Then, i tell you the jnz to patch.

[Myloch]

Here are the executables I had time to look until now:

PODMMX.EXE (v.2.2.8.0)
1.317.888 bytes

cdchecks: 004A0F10
004A1655

Wpodd3d.exe
v 2.2.8.1
1.197.568 byte
address: 00467C22 - 0049EFB2

podd3dx.exe
v.2.2.8.1
1.468.416 bytes
address: 004672F2 - 0049E5C2




Update: I catched another cdcheck in winpod.exe. Found at address 004A26D5 (please insert pod cdrom when select ghost mode in the time attack and after winning last race in the normal championship too)
I'm testing but every other mode seems to work correctly.

[Cowsheep]

winpod.exe
004A27F5 . /75 0C JNZ SHORT winpod.004A2803


Podmmx.exe

004A1009 . /75 09 JNZ SHORT PODMMX.004A1014
004A1775 . /75 0C JNZ SHORT PODMMX.004A1783

Wpodd3d.exe
00467CC2 |. /75 19 JNZ SHORT wpodd3d.00467CDD
0049F0CA |. /75 0C JNZ SHORT wpodd3d.0049F0D8


podd3dx.exe
00467392 |. /75 19 JNZ SHORT podd3dx.004673AD
0049E6DA |. /75 0C JNZ SHORT podd3dx.0049E6E8

[Myloch]

here are all the remaining (I hope) cdchecks from:

Winpod: 004A216D
PODMMX: 004A10ED
Wpodd3d: 0049EA06 - 0049FC1C
Podd3dx: 0049E016 - 0049F22C

thank you sincerely for give some of your time for that, you are very kind
I'll check with olly the two remaining exes probably in the weekend (the 3dfx ones).
I don't and can't use ati, s3 and direct3d 5 versions so I will not touch them
The cracked exes so far work perfectly on a win98 machine, a windows xp one and on vista too.
Good job Cowsheep!

A weird and not important thing, I tried to debug the exes running them NOT in admin mode and I found some curious results, weird behaviors:

None of them went to main menu, they all asked for cdrom, obviously with modified exe: some executables gave old already NOP, some even gave
new addresses!
I use the vista pc for testing and debugging, I have the same phenomenon
in the Xp computer, starting the game using windows 95/98 compatibility mode or normal mode affects some previously found addresses (it asks for cdrom at that address even if that has been already edited).

[Cowsheep]

Winpod.exe
004A22D2 . /75 0C JNZ SHORT WINPOD.004A22E0

Podmmx.exe
004A1252 . /75 0C JNZ SHORT PODMMX.004A1260

Wpodd3d.exe
0049EAF4 |. /75 09 JNZ SHORT wpodd3d.0049EAFF
0049EBAC |. /75 0C JNZ SHORT wpodd3d.0049EBBA



podd3dx.exe
0049E104 |. /75 09 JNZ SHORT podd3dx.0049E10F
0049E1BC |. /75 0C JNZ SHORT podd3dx.0049E1CA

Can you send me the files with the saved nops? I cant save any changes.

[Myloch]

Ok I'll send them to you asap.

There is a problem: as I said the files work well in vista, xp and windows 98 os. well...it is not 100% true. There is a cdcheck (the same in all the executables), the cdcheck that comes up when you select ghost car in time attack mode (for example: winpod.exe address 004A26D5) keep asking for cdrom in win98 (I tried and this happens even on winME on virtual pc) unless you put a random cd in cdrom drive. This does not happen in vista or xp computers (and I wonder why).

[Cowsheep]

winpod.exe address 004A26D5

004A27F5 . /75 0C JNZ SHORT WINPOD.004A2803

If that does not help change that line additonally:
004A2736 . /74 51 JE SHORT WINPOD.004A2789

Replace the JE with JMP.

[Myloch]

Hi, unluckily with the jmp it quits to windows without any error.

Olly says process terminated, exit code 0.

I don't know if this can be related: running every exe in windows xp or vista has a common point, game fully cracked with simple nops, sound effect and music volume not changeable in options (even with original exe + pod cdrom) (sounds are hearable and ok however).
In the windows 98 machine the audio volumes can be changed but it asks for cdrom even with nop (as I said in previous post). If I insert a random cdrom (even without audio tracks) it go through the cdcheck perfectly.

I'll send you all the executables when I finished messing with the 3dfx/direct3d5 executables