Free Information Xchange presents:

HEDZ - CD crack by Static Vengeance - Dec 8th, 1998

Requirements:
Full game install
Hex editor & W32Dasm

	HEDZ is an interesting idea for a game!  Aliens have collected heads for different people all
over the world and throughout time.  Each head has some special powers assosiated with it.  Then you
pick the heads you want to use and go into combat in an arena.  Sounds like fun to me!  However there
is one thing I don't think is fun or funny.  This is having to have the original CD in the CD-Rom drive
to play the game.  Most of the time I only have a minute or two to play around so I don't like wasting
it search for the game CD.  So it's time to FiX HEDZ so you can play it without the CD.
	First, we'll disassemble the game file with W32Dasm and look into what's going on.  When you
get to the refs pop-up box, grab the slider and scroll down looking for interesting things.  Hhmmmm,
to direct referece to inserting the CD text.  However there is the ref "A:\" which is commonly used in
CD checks, along with "C:\"  These string are usually right before a KERNEL32.GetDriveTypeA call.  This
KERNEL32.dll call checks the disk drive and returns values for each type of drive, like floppies, hard
drives, CD-Roms, unknown... ect.  Anyways, to continue, if you double click that ref you'll be in the
middle of this routine:

* Referenced by a CALL at Addresses:
|:004685CC   , :00468606   , :0046EBC2   , :0046EC85   , :0046FEF3   <-- Called 5 times
|
:0046E030 55                      push ebp
:0046E031 8BEC                    mov ebp, esp
:0046E033 B8AC010000              mov eax, 000001AC
:0046E038 E8D3F20300              call 004AD310
:0046E03D 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"A:\"                      <-- Start with A:\ drive
                                  |
:0046E043 6820074D00              push 004D0720
:0046E048 50                      push eax
:0046E049 E8B2FB0300              call 004ADC00
:0046E04E 8A0DE0615D00            mov cl, byte ptr [005D61E0]
:0046E054 83C408                  add esp, 00000008
:0046E057 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0046E05D 888DF8FEFFFF            mov byte ptr [ebp+FFFFFEF8], cl
:0046E063 52                      push edx

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh                   <-- Get the type of drive
                                  |
:0046E064 FF15A4004C00            Call dword ptr [004C00A4]
:0046E06A 83F805                  cmp eax, 00000005                 <-- 05 is the value for a CD Rom
:0046E06D 7406                    je 0046E075                       <-- Take this jump if we found a CD Rom
:0046E06F B003                    mov al, 03                        <-- Else, move error code into al
:0046E071 8BE5                    mov esp, ebp
:0046E073 5D                      pop ebp
:0046E074 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address: <-- Got here via a conditional jump
|:0046E06D(C)
|
:0046E075 E8A6FFFFFF              call 0046E020
:0046E07A 84C0                    test al, al
:0046E07C 7579                    jne 0046E0F7
:0046E07E 8D8554FEFFFF            lea eax, dword ptr [ebp+FFFFFE54]
:0046E084 C78554FEFFFF94000000    mov dword ptr [ebp+FFFFFE54], 00000094
:0046E08E 50                      push eax

* Reference To: KERNEL32.GetVersionExA, Ord:014Dh
                                  |
:0046E08F FF15E4004C00            Call dword ptr [004C00E4]
:0046E095 83BD64FEFFFF01          cmp dword ptr [ebp+FFFFFE64], 00000001
:0046E09C 7559                    jne 0046E0F7
:0046E09E 6681BD60FEFFFFE803      cmp word ptr [ebp+FFFFFE60], 03E8
:0046E0A7 764E                    jbe 0046E0F7

* Possible StringData Ref from Data Obj ->"KERNEL32"
                                  |
:0046E0A9 6864074D00              push 004D0764

* Reference To: KERNEL32.LoadLibraryA, Ord:0190h
                                  |
:0046E0AE FF15E0004C00            Call dword ptr [004C00E0]

* Possible StringData Ref from Data Obj ->"GetDiskFreeSpaceEx"       <-- Check for free space on CD Rom
                                  |
:0046E0B4 6870074D00              push 004D0770
:0046E0B9 50                      push eax

* Reference To: KERNEL32.GetProcAddress, Ord:0116h
                                  |
:0046E0BA FF1598004C00            Call dword ptr [004C0098]
:0046E0C0 8D8DE8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEE8]
:0046E0C6 8D55F8                  lea edx, dword ptr [ebp-08]
:0046E0C9 51                      push ecx
:0046E0CA 8D85F0FEFFFF            lea eax, dword ptr [ebp+FFFFFEF0]
:0046E0D0 52                      push edx
:0046E0D1 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:0046E0D7 50                      push eax
:0046E0D8 51                      push ecx

* Reference To: KERNEL32.GetDiskFreeSpaceExA, Ord:00DCh
                                  |
:0046E0D9 FF1594004C00            Call dword ptr [004C0094]
:0046E0DF 8B45FC                  mov eax, dword ptr [ebp-04]
:0046E0E2 85C0                    test eax, eax
:0046E0E4 7711                    ja 0046E0F7
:0046E0E6 7209                    jb 0046E0F1
:0046E0E8 817DF800CD5627          cmp dword ptr [ebp-08], 2756CD00
:0046E0EF 7306                    jnb 0046E0F7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046E0E6(C)
|
:0046E0F1 B003                    mov al, 03                 <-- Move error code into al for error #3
:0046E0F3 8BE5                    mov esp, ebp
:0046E0F5 5D                      pop ebp
:0046E0F6 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046E07C(C), :0046E09C(C), :0046E0A7(C), :0046E0E4(C), :0046E0EF(C)
|
:0046E0F7 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0046E0FD 68E0615D00              push 005D61E0
:0046E102 52                      push edx
:0046E103 E8F8FA0300              call 004ADC00
:0046E108 83C408                  add esp, 00000008
:0046E10B 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"test"             <-- File name to "test"
                                  |
:0046E111 68C8074D00              push 004D07C8
:0046E116 50                      push eax
:0046E117 E8F4FA0300              call 004ADC10
:0046E11C 83C408                  add esp, 00000008
:0046E11F 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"wb"               <-- Try to Write Binary (wb) to CD
                                  |
:0046E125 68D0074D00              push 004D07D0
:0046E12A 51                      push ecx
:0046E12B E830FE0300              call 004ADF60
:0046E130 83C408                  add esp, 00000008
:0046E133 85C0                    test eax, eax
:0046E135 740F                    je 0046E146
:0046E137 50                      push eax
:0046E138 E8B3FB0300              call 004ADCF0
:0046E13D 83C404                  add esp, 00000004
:0046E140 B001                    mov al, 01                 <-- Move error code into al for error #1
:0046E142 8BE5                    mov esp, ebp
:0046E144 5D                      pop ebp
:0046E145 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046E135(C)
|
:0046E146 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0046E14C 68E0615D00              push 005D61E0
:0046E151 52                      push edx
:0046E152 E8A9FA0300              call 004ADC00
:0046E157 83C408                  add esp, 00000008
:0046E15A 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"Music\"                    <-- Partial path name on CD
                                  |
:0046E160 6818084D00              push 004D0818
:0046E165 50                      push eax
:0046E166 E8A5FA0300              call 004ADC10
:0046E16B 83C408                  add esp, 00000008
:0046E16E 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"1"                        <-- Name of the .mus file to check
                                  |
:0046E174 6820084D00              push 004D0820
:0046E179 51                      push ecx
:0046E17A E891FA0300              call 004ADC10
:0046E17F 83C408                  add esp, 00000008
:0046E182 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->".MUS"                     <-- Look for this type of file
                                  |
:0046E188 6824084D00              push 004D0824
:0046E18D 52                      push edx
:0046E18E E87DFA0300              call 004ADC10
:0046E193 83C408                  add esp, 00000008
:0046E196 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:0046E19C 6861066503              push 03650661
:0046E1A1 50                      push eax
:0046E1A2 E819FEFFFF              call 0046DFC0
:0046E1A7 83C408                  add esp, 00000008
:0046E1AA 84C0                    test al, al
:0046E1AC 7506                    jne 0046E1B4
:0046E1AE B002                    mov al, 02                 <-- Move error code into al for error #2
:0046E1B0 8BE5                    mov esp, ebp
:0046E1B2 5D                      pop ebp
:0046E1B3 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046E1AC(C)
|
:0046E1B4 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:0046E1BA 68E0615D00              push 005D61E0
:0046E1BF 51                      push ecx
:0046E1C0 E83BFA0300              call 004ADC00
:0046E1C5 83C408                  add esp, 00000008
:0046E1C8 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"Music\"
                                  |
:0046E1CE 682C084D00              push 004D082C
:0046E1D3 52                      push edx

  -- SNIP code:  use near identical code to check for files 2.mus through 6.mus --

:0046E3D2 7506                    jne 0046E3DA
:0046E3D4 B002                    mov al, 02
:0046E3D6 8BE5                    mov esp, ebp
:0046E3D8 5D                      pop ebp
:0046E3D9 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046E3D2(C)
|
:0046E3DA 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0046E3E0 68E0615D00              push 005D61E0
:0046E3E5 52                      push edx
:0046E3E6 E815F80300              call 004ADC00
:0046E3EB 83C408                  add esp, 00000008
:0046E3EE 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"Music\"
                                  |
:0046E3F4 6890084D00              push 004D0890
:0046E3F9 50                      push eax
:0046E3FA E811F80300              call 004ADC10
:0046E3FF 83C408                  add esp, 00000008
:0046E402 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->"7"
                                  |
:0046E408 6898084D00              push 004D0898
:0046E40D 51                      push ecx
:0046E40E E8FDF70300              call 004ADC10
:0046E413 83C408                  add esp, 00000008
:0046E416 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]

* Possible StringData Ref from Data Obj ->".MUS"                    <-- Check for 7.mus file
                                  |
:0046E41C 689C084D00              push 004D089C
:0046E421 52                      push edx
:0046E422 E8E9F70300              call 004ADC10
:0046E427 83C408                  add esp, 00000008
:0046E42A 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:0046E430 685D5A3202              push 02325A5D
:0046E435 50                      push eax
:0046E436 E885FBFFFF              call 0046DFC0
:0046E43B 83C408                  add esp, 00000008
:0046E43E F6D8                    neg al              <-- Invert returned value
:0046E440 1AC0                    sbb al, al
:0046E442 24FE                    and al, FE          <-- If al=00, then al=FE / if al=FF then al=02
:0046E444 0402                    add al, 02          <-- FE+02 equals zero with carry bit set
:0046E446 8BE5                    mov esp, ebp
:0046E448 5D                      pop ebp
:0046E449 C3                      ret

	Well there you have the whole routine to check for the CD.  First the routine makes sure it's
checking a CD-Rom via a getdrivetype call.  Once found it proceeds to check for seven music files.  Like
if you didn't find the first one you wouldn't find the other six?  Anyways, if EVERYTHING is found this
routine returns a zero in al.  When I look at how I want to defeat this routine I look back at this:

:0046E06D 7406                    je 0046E075                       <-- Take this jump if we found a CD Rom
:0046E06F B003                    mov al, 03                        <-- Else, move error code into al

	If you zero out the displacement in the conditional jump, then load a zero (istead of 03) into
al the following instuctions just returns to the caller.  This is a quick and dirty way to kill this CD
check.  Now the CD check will make the getdrivetype, but then not jump anyway and al is loaded with a
zero to simulate actually finding the CD on line.  Changing both the 06 and 03 to zeros will kill the
CD check and allow you to play HEDZ without the CD in your CD-Rom drive.  To crack this one just:

1.  Do a full game install
2.  Make the following edits by version:

For the CD version edit HEDZ.exe
==========================================
Search for: 74 06 B0 03  at offset 447,597
Change to : -- 00 -- 00

For updated "old win95" version edit HEDZ.exe
==========================================
Search for: 74 06 B0 03  at offset 447,517
Change to : -- 00 -- 00

	That's it for HEDZ, becuase it's been FiX'ed.

Static Vengeance - FiX

       Free Information Xchange  -=|=-  Share the Knowledge!

   Date: [ 12/08/98 ]       CD crack and tutorial by Static Vengeance ]
Program: [ HEDZ from Hasbro Interactive                               ]
    URL: [ http://www.hasbrointeractive.com/patches/hedz.exe          ]
Comment: [                                                            ]
Protect: [ Read the tutorial for complete information                 ]
Contact: [ [email protected]                             ]

   http://www.crackstore.com   Simply the best for game cracks!

 Greets: [ shadowRUNNER  esoteric  TonyTOP  Zor                       ]


FiX Tutorials:
Addiction Pinball
Balls of Steel v1.0 - v1.2
Battle Arena Toshinden 2
Centipede 3D
Claw v1.20 & 1.3beta
Cyber Gladiators
CyberTroopers: Virtual-On
Daytona USA
Daytona USA Deluxe v1.0 & D3D patch
Deathtrap Dungeon
Forsaken
Frogger v1.0 - v3.0u
Get Medieval
Hardcore 4x4
HEDZ v1.0 & updated "old Win95" patch
Hexen II v1.03 - v1.11 OpenGL and DirectX
House of the Dead
Incoming v1.0 - current & OEM bundled
Klingon Honor Guard v1.0
Last Bronx
ManxTT Supperbikes v1.0 & v1.1
Master Mind CD & v7.3
Monopoly StarWars Edition v1.00z & v1.03b
Mortal Kombat 3
Mortal Kombat 4 v1.0 - Patch3
Motocross Madness
Need for Speed 3 CD & net patch1
Pandemonium
Powerboat Racing
Powerslide
ProPinball - The Web
ProPinball - Timeshock! v1.05 - 1.09b
RE-Loaded Win95/PowerVR patch
Sega Rally v1.0 & MMX upgrade
Sega Touring Car Championship v1.0 & v1.03
Shadow Master
Shipwreckers!
Speedboat Attack DirectX & 3Dfx
Star Wars-Rogue Squadron 3D v1.0
SWIV 3D Assualt all versions
Tempest 2000
The Divide
Turok
Twisted Metal 2
Ultim@te Race Pro all upto v1.4
Unreal all versions CD - 2.16
Virtua Figter v1.0 & DirectX3 upgrade
Virtua Figter 2 all versions
Virtua Squad
Virtua Squad 2
Wargods
WipeoutXL D3D & PowerVR
World Wide Soccer v1.0 & D3D patch

----------------------------------------
       Free Information Xchange
         Share the Knowledge!
________________________________________
      ____________    ___
     /  ______/\  \  /  /   FiX  
     \  \_____  \  \/  /
      \_____  \  \    /
     ______/  /   \  /
     \_______/tatic\/engeance
________________________________________
      Tutorial and crack for HEDZ
        From Hasbro Interactive
----------------------------------------