
Free Information Xchange '98 presents:

Daytona USA Deluxe - CD crack by Static Vengeance

Requirements:
Hex editor and full game install
W32Dasm if you wish to follow along

	Daytona USA Deluxe is an updated version of Daytona USA.  Sega even has a Direct3D version you can
download for improved graphics and speed.  Like the first version, there is a CD check that needs to be FiX'ed.
Using the regular method of disassembling with W32Dasm from URSoft and looking for useful Data String Refs
will not work here.  You will not find any strings like "Please insert the Daytona.." or any other reference
to the word "CD" or even the exe file name.  Instead we'll need to click the ref "%c:\".  Actually this is a
commonly used ref in many CD checks.  I've seen either "%c:\" or "%a:\" used, so if you don't find any really
obvious string refs, try double clicking on "%c:\" to see where it'll lead you.  Anyways, let's check out the
routine to see what we can find:

* Referenced by a CALL at Address:
|:004327FE                                                             <-- Called once
|
:00418AC5 55                      push ebp
:00418AC6 8BEC                    mov ebp, esp
:00418AC8 81EC10010000            sub esp, 00000110
:00418ACE 53                      push ebx
:00418ACF 56                      push esi
:00418AD0 57                      push edi
:00418AD1 C745FC00000000          mov [ebp-04], 00000000               <-- Preset for a failed read
:00418AD8 837D0800                cmp dword ptr [ebp+08], 00000000
:00418ADC 0F847A000000            je 00418B5C

* Reference To: KERNEL32.GetLogicalDrives, Ord:00FAh                   <-- Commonly used call in CD checks
                                  |
:00418AE2 FF15F0F58900            Call dword ptr [0089F5F0]
:00418AE8 8945F4                  mov dword ptr [ebp-0C], eax
:00418AEB C745F800000000          mov [ebp-08], 00000000               <-- Zero out times through CD check
:00418AF2 E903000000              jmp 00418AFA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418B50(U)
|
:00418AF7 FF45F8                  inc [ebp-08]                         <-- Ran through one time, add it up

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418AF2(U)
|
:00418AFA 837DF820                cmp dword ptr [ebp-08], 00000020     <-- Try 32 times
:00418AFE 0F8D51000000            jnl 00418B55                         <-- Over 32 times, then out
:00418B04 B801000000              mov eax, 00000001
:00418B09 8A4DF8                  mov cl, byte ptr [ebp-08]
:00418B0C D3E0                    shl eax, cl
:00418B0E 8545F4                  test dword ptr [ebp-0C], eax
:00418B11 0F8439000000            je 00418B50
:00418B17 8B45F8                  mov eax, dword ptr [ebp-08]
:00418B1A 83C041                  add eax, 00000041
:00418B1D 50                      push eax

* Possible StringData Ref from Data Obj ->"%c:\"                     <-- Common ref in CD check routines
                                  |
:00418B1E 6840B74B00              push 004BB740
:00418B23 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:00418B29 50                      push eax
:00418B2A E801F30800              call 004A7E30
:00418B2F 83C40C                  add esp, 0000000C
:00418B32 8B450C                  mov eax, dword ptr [ebp+0C]
:00418B35 50                      push eax
:00418B36 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:00418B3C 50                      push eax
:00418B3D FF5508                  call [ebp+08]
:00418B40 83C408                  add esp, 00000008
:00418B43 85C0                    test eax, eax
:00418B45 0F8505000000            jne 00418B50
:00418B4B E905000000              jmp 00418B55

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00418B11(C), :00418B45(C)
|
:00418B50 E9A2FFFFFF              jmp 00418AF7

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00418AFE(C), :00418B4B(U)
|
:00418B55 C745FC01000000          mov [ebp-04], 00000001              <-- Store a pass value

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418ADC(C)
|
:00418B5C 8B45FC                  mov eax, dword ptr [ebp-04]         <-- Load eax with pass/fail flag
:00418B5F E900000000              jmp 00418B64

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418B5F(U)
|
:00418B64 5F                      pop edi
:00418B65 5E                      pop esi
:00418B66 5B                      pop ebx
:00418B67 C9                      leave
:00418B68 C3                      ret
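
The loop in the listing above, rewritten in C as an added example (not part of the original text and not the game's source).  Function and type names are hypothetical, the call at 004A7E30 is assumed to be a sprintf-style formatter, and the drive mask is a parameter instead of a GetLogicalDrives call so it runs anywhere:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Callback shape read from the call at 00418B3D: (root path, context).
   Nonzero return = keep scanning, zero = stop.  Names are hypothetical. */
typedef int (*drive_cb)(const char *root, void *ctx);

/* Mirrors 00418AC5.  The real routine fills `mask` from GetLogicalDrives:
   bit 0 = A:, bit 1 = B:, and so on up to bit 31. */
int enum_drive_roots(drive_cb cb, void *ctx, uint32_t mask)
{
    char root[260];                 /* 0x104-byte buffer at [ebp-110h] */
    int result = 0;                 /* [ebp-04] */

    if (cb == NULL)                 /* 00418AD8: no callback, return 0 */
        return result;
    for (int i = 0; i < 32; i++) {              /* [ebp-08] vs 20h */
        if ((mask & (UINT32_C(1) << i)) == 0)   /* shl eax, cl / test */
            continue;
        snprintf(root, sizeof root, "%c:\\", 'A' + i);  /* add eax, 41h */
        if (cb(root, ctx) == 0)                 /* 00418B45: zero ends loop */
            break;
    }
    result = 1;                     /* 00418B55: reached from both exits */
    return result;
}

/* Constructed test callback: records each root, stops at `stop_at`. */
struct seen { char roots[32][4]; int count; const char *stop_at; };

static int collect(const char *root, void *ctx)
{
    struct seen *s = ctx;
    strcpy(s->roots[s->count++], root);     /* "X:\" plus NUL is 4 bytes */
    return strcmp(root, s->stop_at) != 0;
}

/* Constructed sample mask: bits 0, 2, 3, 4 set = A:, C:, D:, E: present. */
#define SAMPLE_MASK 0x1Du

int main(void)
{
    struct seen s = { .count = 0, .stop_at = "D:\\" };
    int rc = enum_drive_roots(collect, &s, SAMPLE_MASK);
    for (int i = 0; i < s.count; i++)
        printf("probed %s\n", s.roots[i]);
    printf("return value: %d\n", rc);
    return 0;
}
```

The caller at 004327FE does not test this return value; after the call it tests the byte at [ebp+FFFFFDB4] instead.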

	That's the first section that deals with the CD.  So we'll also need to check the secondary
routine that calls this code.  The call is made from 4327FE and the routine starts at 43273D.  Let's
check out that section of code to see what else we can find out:

* Referenced by a CALL at Addresses:
|:0040C4A5   , :00426AF6   , :0043AEA3   , :0044EB33           <-- Called four different times
|
:0043273D 55                      push ebp
:0043273E 8BEC                    mov ebp, esp
:00432740 81EC58040000            sub esp, 00000458
:00432746 53                      push ebx
:00432747 56                      push esi
:00432748 57                      push edi
:00432749 C745FC00000000          mov [ebp-04], 00000000           <-- Preset flag for failed CD check
:00432750 837D0800                cmp dword ptr [ebp+08], 00000000
:00432754 0F84DD000000            je 00432837
:0043275A 837D1000                cmp dword ptr [ebp+10], 00000000
:0043275E 0F8550000000            jne 004327B4
:00432764 8D85BCFEFFFF            lea eax, dword ptr [ebp+FFFFFEBC]
:0043276A 50                      push eax
:0043276B 8B4508                  mov eax, dword ptr [ebp+08]
:0043276E 50                      push eax

* Reference To: KERNEL32.FindFirstFileA, Ord:0082h
                                  |
:0043276F FF15C8F58900            Call dword ptr [0089F5C8]
:00432775 8985B8FEFFFF            mov dword ptr [ebp+FFFFFEB8], eax
:0043277B 83BDB8FEFFFFFF          cmp dword ptr [ebp+FFFFFEB8], FFFFFFFF
:00432782 0F842C000000            je 004327B4
:00432788 8B85B8FEFFFF            mov eax, dword ptr [ebp+FFFFFEB8]
:0043278E 50                      push eax

* Reference To: KERNEL32.FindClose, Ord:007Eh
                                  |
:0043278F FF15C0F58900            Call dword ptr [0089F5C0]
:00432795 837D0C00                cmp dword ptr [ebp+0C], 00000000
:00432799 0F840E000000            je 004327AD                         <-- Take this jump if things are okay
:0043279F 8B4508                  mov eax, dword ptr [ebp+08]
:004327A2 50                      push eax
:004327A3 8B450C                  mov eax, dword ptr [ebp+0C]
:004327A6 50                      push eax

* Reference To: KERNEL32.lstrcpyA, Ord:029Bh
                                  |
:004327A7 FF1568F68900            Call dword ptr [0089F668]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432799(C)
|
:004327AD C745FC01000000          mov [ebp-04], 00000001               <-- Set flag for pass

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043275E(C), :00432782(C)
|
:004327B4 837DFC00                cmp dword ptr [ebp-04], 00000000     <-- Check against fail value
:004327B8 0F8579000000            jne 00432837                         <-- Take this jump for a passed CD check
:004327BE C785A8FBFFFF05000000    mov dword ptr [ebp+FFFFFBA8], 00000005

* Possible StringData Ref from Data Obj ->"Game\"                      <-- Partial path from the CD
                                  |
:004327C8 68D03D4C00              push 004C3DD0
:004327CD 8D85ACFBFFFF            lea eax, dword ptr [ebp+FFFFFBAC]
:004327D3 50                      push eax

* Reference To: KERNEL32.lstrcpyA, Ord:029Bh
                                  |
:004327D4 FF1568F68900            Call dword ptr [0089F668]
:004327DA 8B4508                  mov eax, dword ptr [ebp+08]
:004327DD 50                      push eax
:004327DE 8D85B0FCFFFF            lea eax, dword ptr [ebp+FFFFFCB0]
:004327E4 50                      push eax

* Reference To: KERNEL32.lstrcpyA, Ord:029Bh
                                  |
:004327E5 FF1568F68900            Call dword ptr [0089F668]
:004327EB C685B4FDFFFF00          mov byte ptr [ebp+FFFFFDB4], 00
:004327F2 8D85A8FBFFFF            lea eax, dword ptr [ebp+FFFFFBA8]
:004327F8 50                      push eax
:004327F9 6844284300              push 00432844
:004327FE E8C262FEFF              call 00418AC5                      <-- Calls the code listed above
:00432803 83C408                  add esp, 00000008
:00432806 0FBE85B4FDFFFF          movsx eax, byte ptr [ebp+FFFFFDB4]
:0043280D 85C0                    test eax, eax
:0043280F 0F8422000000            je 00432837
:00432815 837D0C00                cmp dword ptr [ebp+0C], 00000000
:00432819 0F8411000000            je 00432830
:0043281F 8D85B4FDFFFF            lea eax, dword ptr [ebp+FFFFFDB4]
:00432825 50                      push eax
:00432826 8B450C                  mov eax, dword ptr [ebp+0C]
:00432829 50                      push eax

* Reference To: KERNEL32.lstrcpyA, Ord:029Bh
                                  |
:0043282A FF1568F68900            Call dword ptr [0089F668]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432819(C)
|
:00432830 C745FC01000000          mov [ebp-04], 00000001         <-- Set flag to CD check passed

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00432754(C), :004327B8(C), :0043280F(C)
|
:00432837 8B45FC                  mov eax, dword ptr [ebp-04]    <-- Load pass/fail value
:0043283A E900000000              jmp 0043283F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043283A(U)
|
:0043283F 5F                      pop edi
:00432840 5E                      pop esi
:00432841 5B                      pop ebx
:00432842 C9                      leave
:00432843 C3                      ret                       <-- Finally return to the caller

	There is one catch with this routine: it MUST be run for Daytona USA Deluxe to function
properly.  It seems to run through this section of code when closing files after accessing them.
	Alright, the "best" way I can think of to bypass this CD check routine is to force the program
to store 00000001 in the flag location instead of storing a "fail" value.  This is simple enough to do:
just edit both locations from 00 to 01.  With this edit the game will continue on as though the CD was
found.  This same type of edit will work for the CD version, the D3D version and the international version
known as Daytona USA Evolution.  Make the edits by version:

1.  Do a full install of the game
2.  Make the right edit for your version

File from the CD edit Daytona USA Deluxe.exe
make same edit at both locations
at offset 60,665 & 156,865
======================================
Search for: C7 45 FC 00 00 00 00
Change to : -- -- -- 01 -- -- --


For the D3D patch edit Daytona USA Deluxe.exe
make same edit at both locations
same edits work for the "Daytona USA Evolution"
at offset 98,001 & 203,593
======================================
Search for: C7 45 FC 00 00 00 00
Change to : -- -- -- 01 -- -- --

	Enjoy racing around Daytona USA without the CD online, because Daytona USA Deluxe has been FiX'ed.

Static Vengeance
