Download Character Studio R2

Added to site: 2002-12-31
Rating: 88/100
Votes: 5


characterstudior2.zip (29742 bytes)

name          size    compressed
CRK_CSTU.EXE  47616   26548
TUTORIAL.TXT   4559    2130
FILE_ID.DIZ    1638     744

TUTORIAL.TXT

Target: Autodesk Character Studio R2
File to patch: PHYSIQUE.DLM		BIPED.DLM
File offset:   $887 (2183)		$14EEF (85743)
Code offset:   $10001487		$10015AEF
Limitation: valid serial number required in order to run

Rating: I think this was the easiest piece of software I ever cracked!
Used tools: SoftICE 3.24 for WinNT, for debugging
	    WDASM 8.93, for quick disassembling


Let's have a look at what I have patched:
(today, I'm too lazy to show original values)

-----------------------------PHYSIQUE.DLM-----------------------------
:10001487 B800000000	mov eax, 00000000
:1000148C C3		ret
-------------------------------BIPED.DLC------------------------------
:10015AEF B800000000	mov eax, 00000000
:10015AF4 C3		ret
----------------------------------------------------------------------
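Seen from the other side, the same two facts (a fixed six-byte stub and two documented file offsets) are all an administrator needs to tell a tampered plug-in from a pristine one. The Python script below is an added example, not part of the original tutorial or of the crack; the file names, offsets and stub bytes come from the listing above, and the sample image it checks is constructed.

```python
import hashlib
from pathlib import Path

# Patch documented above: the first bytes of the serial-check function
# are replaced with "mov eax,0 ; ret" (B8 00 00 00 00 C3).
STUB = bytes.fromhex("B800000000C3")

# File offsets named in the tutorial (decimal values as given there).
# The tutorial names the second file both BIPED.DLM and BIPED.DLC.
DOCUMENTED_OFFSETS = {
    "PHYSIQUE.DLM": [0x887],     # 2183
    "BIPED.DLC": [0x14EEF],      # 85743
    "BIPED.DLM": [0x14EEF],
}


def stub_at(data: bytes, offset: int) -> bool:
    """True if the always-return-zero stub sits at the given file offset."""
    return data[offset:offset + len(STUB)] == STUB


def check_plugin(name: str, data: bytes) -> dict:
    """Report whether the documented serial-check entry points are stubbed."""
    offsets = DOCUMENTED_OFFSETS.get(name.upper(), [])
    hit = [hex(o) for o in offsets if stub_at(data, o)]
    return {
        "file": name,
        "sha256": hashlib.sha256(data).hexdigest(),  # baseline for later comparison
        "patched_offsets": hit,
        "tampered": bool(hit),
    }


def check_file(path: str) -> dict:
    """Convenience wrapper: check a plug-in file on disk by its name."""
    p = Path(path)
    return check_plugin(p.name, p.read_bytes())


# Constructed sample: a zero-filled image large enough to contain the
# PHYSIQUE.DLM offset, once clean and once with the stub written in.
SAMPLE_CLEAN = bytes(0x900)
SAMPLE_PATCHED = SAMPLE_CLEAN[:0x887] + STUB + SAMPLE_CLEAN[0x887 + len(STUB):]

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("patched", SAMPLE_PATCHED)):
        print(label, check_plugin("PHYSIQUE.DLM", blob))
```

Checking only the documented offsets keeps the test free of false positives; the SHA-256 in the report lets you record a known-good hash from a fresh install and compare against it later.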

Yeah, I thought after successful download of approx. 200 MB - Autodesk
Character Studio R2. I already have 3D Studio MAX 2.5, a well-cracked
release, so it doesn't require the hardware dongle. So I thought the
same of Character Studio R2. After installing it, I started 3D Studio.
After playing around a bit, I found two new plug-ins installed, Biped and
Physique. When I wanted to apply one of them to a cube I just created,
this little sort of taste of shiteating wanted to have a serial number.
With lots of respect, I started SoftICE and ran Physique, fearing to
fail due to a heavy dongle protection...

I entered some crap into the input field. Well, a funny message box
appeared telling me that it requires a valid serial number. Fine, let's
have us pluck the quills from the porcupine! By setting a breakpoint
to MessageBoxA in SoftICE: BPX MessageBoxA...
I entered some crap again, SoftICE popped up, I pressed F12 to return
from the call to MessageBoxA. I often scroll a couple of lines back to
see the first conditional jump performed after a compare. YES! I found
it - see it in my SoftICE disassembly listing (addresses are incorrect
because SoftICE is not a "real" disassembler):

001B:03DB58FD	CALL	[USER32!MessageBoxA] <---- breakpoint set to it
001B:03DB5903	JMP	03DB5997    <---- we're here after call returns

	... couple of lines before ...

001B:03DB58A8	CALL	03DB5AEF
001B:03DB58AD	TEST	EAX,EAX  <---- that's the thing I talk about
001B:03DB58AF	JZ	03DB5908

Now, I cleared all breakpoints and set a new breakpoint to 03DB58AD
(that's TEST EAX,EAX). OK. Bye, SoftICE, again entering some crap. OK,
SoftICE popped up again. I looked at EAX in the register window, it had
something other than 0, I think 1. Just simply edit EAX to 0... And let
it run by pressing F9. What do I see? That stupid plug-in accepts my
crap serial number! Now, I launched the plug-in from 3DSMAX again, it
wanted a valid serial number again. Here you are!
SoftICE popped up again. But now I disassembled that called function
at 03DB5AEF. I simply patched it in memory:

	A 03DB5AEF MOV EAX,0
		   RET

Instead of MOV EAX,0 you could also write XOR EAX,EAX. I dunno why I
have not done it this way - maybe just too euphoric about that lame
"protection" of Character Studio R2. Well, I quit SoftICE, cleared my
breakpoints and launched the funny plug-in again. Being patched, this
plug-in just ran and did not ask me for a serial number at all.
That means this routine also performs a check whether a serial
number has been entered at all, and it or its subroutines are called a
couple of times more from other locations in PHYSIQUE.DLM. I also
noticed that in the "plugins" directory of 3DSMAX a small keyfile is
created that contains the entered serial number - as plain text.

Now comes another part - locating these code snippets in the plug-in
file. For this, I use WDASM, it's just faster than IDA and I like it
for easy access of all string and function references and for showing
the file offset of the current location in disassembled code.
So, I looked through the imported functions until I found "MessageBoxA".
By double-clicking it, WDASM quickly found the first location it is
called. Hmmm, doesn't it look (besides the jumps and calls) like our
code in SoftICE? Just scroll a bit to the code above? Do you see this
call and TEST EAX,EAX? Yes, it is! Now, I just went to that calling
function, noted down its file offset and used this for creation of my
crack.


But the work is not done yet. Another plug-in has to be cracked. This
time it's Biped (BIPED.DLC). Now it's up to you - it's just the same
way, although the code offsets are not the same...


The AntiXryst


FILE_ID.DIZ

         **** Visit CrossOver at http://crossover.tsx.org ****
----------------------------------------------------------------------
Application:     Character Studio R2
Written by:      Autodesk
Cracked by:      The AntiXryst
Crack released:  16th May 1999
Files to patch:  PHYSIQUE.DLM,BIPED.DLC
Kind of patch:   removes registration ID check
----------------------------------------------------------------------

As always, have a backup of the plug-in files (see above).
Place the crack into the directory these files are located in - in
most cases it's the \plugins subdirectory of your 3D Studio MAX 2
folder. Make sure 3D Studio MAX is not running, the plug-in files are
not write-protected and that you have permissions to access and to
modify them (Windows NT only).
Then, just run CRK_CSTUDIO2.EXE, preferably from the command line.

In case of errors my crack will inform you what's wrong ;-) and how to
solve the problem.

NOTE: I tested it on a cracked release of 3D Studio MAX 2.5, so I don't
know how the cracked plug-in files will behave on a non-cracked release
(needs hardware dongle) of 3D Studio MAX 2.5.

----------------------------------------------------------------------
Well, if you like Character Studio 2, please obtain it the legal way,
because usage of cracked programs, depending on the country you live
in, is illegal. By obtaining it the legal way, you support the author
and engage him to continue further development of the product.
----------------------------------------------------------------------
         **** Visit CrossOver at http://crossover.tsx.org ****

