This article is taken from the tlzone website from 2000. Original story by The Twilight Zone in 1998. Contact information has been removed to protect privacy.
Copyrights etc…
Hacking Twilight… Thanx to Humanoid & Steel
Hacking menu95.exe written by Mr. G.
Hacking games.00x Written by Steel
Beta-tester : Humanoid
© 1998 The Twilight Zone
Here’s the manual to hack menu95.exe and games.001… I can tell you the exact way of cracking the menu95.exe, but cracking the games.001 is still a tough thing to do… If you are a diehard hacker, read at the bottom of the page for the games.001…You got a usefull util that can do it? Mail it to me..!
Menu95 Instructions
Here are the instructions for menu95.exe…
What you need are the following programs… Some of them are downloads and the others can be found on Twilight…
- TLPACK.ZIP (For hacking games.00x)
- COMPARE.ZIP (Download. Program to compare two files)
- Ultra Edit 32 (Can be found on Twilight .. in the various)
- The release previous of the one you want to crack… So if you want to crack menu95.exe from Twilight 29 you need the crack and menu95.exe from Twilight 28
- A patchengine (For creating TLxxCRK.COM) <— Not available yet, but you still can do the cracking
- Some knowledge about CUT, COPY and PASTE…
- A printer (Device attached to your PC) <– I don’t know what a printer is, but it is supposed to be useful
- And some knowledge of HEX-editing
Got it all..? Let’s go then..!
This example is for cracking release 28
Follow these steps :
- Create a directory TLCRACK
- In the directory TLCRACK, create the following directories :
- – TLOLDNC
- – TLOLDC
- – TLNEWNC
- – TLNEWC
- – BOTH
- – BACKUP
- Copy menu95.exe without a crack from Twilight 27 to TLOLDNC (=Twilight Old Not Cracked)
- Copy menu95.exe with the crack (cracked version) to TLOLDC (=Twilight Old Cracked)
- Rename the cracked menu95.exe to menu95c.exe
- Copy menu95.exe from Twilight 28 to TLNEWNC (=Twilight New Not Cracked)
- Copy AC.EXE to TLCRACK
- Install Ultra Edit 32
When that’s done, you’ve got 6 directory’s within the TLCRACK directory
Now you will have to find the differences between the menu95.exe without a crack, and menu95c.exe with the crack… This is done with the util AC.EXE
So you open the DOS-Prompt and go to TLCRACK (CDTLCRACK)… Once there you type (EXACTLY AS WRITTEN BELOW):
AC C:TLCRACKTLODNCMENU95.EXE C:TLCRACKTLOLDCMENU95C.EXE >RESULT.TXT
Now you see nothing happening (because of the >result.txt)… Now type (Make sure your printer is online):
COPY RESULT.TXT LPT1
A paper with numbers will roll out your printer…
View an example here.
Note : (for assembly guys only)
117(75h) jne changed to 235(EBh) jmps
116(74h) je changed to 235(EBh) jmps
Now with the printed paper in front of you, you open Ultra Edit 32…
In Ultra Edit 32, you open the following files (don’t close one):
C:TLCRACKTLODNCMENU95.EXE (minimize the screen of it)
C:TLCRACKTLOLDCMENU95C.EXE (minimize the screen of it)
C:TLCRACKTLNEWNCMENU95.EXE (put the three of them under eachother)
Now you’ll have to go to the address (offset) of the part from the menu95.exe that’s going to be cracked.
- – Activate the window of menu95.exe fromC:CRACKTLTLOLDNCMENU95.EXE
- – Press CTRL+G and an window with a blinking cursor will appear.
- – Fill in the address (offset) of the first difference : 0x5ef6ah <—-like it stands here
- – You’ll see that you’re going to another section in menu95.exe
- – Now activate the window of menu95c.exe fromC:CRACKTLTLOLDCMENU95.EXE
- – Press CTRL+G and an window with a blinking cursor will appear.
- – Fill in the address (offset) of the first difference : 0x5ef6ah <—-like it stands here
- – MENU95.EXE —–> ..¡¤0F.€8.u}ÆC.. <—– Is the result of menu95.exe
- – MENU95C.EXE –> ..¡¤0F.€8.ë}ÆC.. <—– Is the result of menu95c.exe
- – One character will be marked blue in both windows, that’s the character that must be changed for removing the protection.
- – Mark u}ÆC and press CTRL+INSERT (Copy), because the program won’t paste the ..
- – Now activate the menu95.exe from the Twilight you want to crack. (Twilight 28)
- – Press CTRL+F (Find)
- – Press SHIFT+INSERT (Paste)
- – Make sure the FIND ASCII is selected, or else you won’t find a thing
- – Change the u into an ë
- – The first cracking is done now.
The same thing has to be done for the next address (offset)
- – Activate the window of menu95.exe fromC:CRACKTLTLOLDNCMENU95.EXE
- – Press CTRL+G and an window with a blinking cursor will appear.
- – Fill in the address (offset) of the second difference : 0x5fb3dh <—-like it stands here
- – You’ll see that you’re going to another section in menu95.exe
- – Now activate the window of menu95c.exe fromC:CRACKTLTLOLDCMENU95.EXE
- – Press CTRL+G and an window with a blinking cursor will appear.
- – Fill in the address (offset) of the second difference : 0x5fb3dh <—-like it stands here
- – MENU95.EXE —–> ·À‰Eè¡´/F.ƒ8.tƒ <—– Is the result of menu95.exe
- – MENU95C.EXE –> ·À‰Eè¡´/F.ƒ8.ëƒ <—– Is the result of menu95c.exe
- – One character will be marked blue in both windows, that’s the character that must be changed for removing the protection.
- – Mark ·À‰Eè¡´/F and press CTRL+INSERT (Copy), because the program won’t paste the ..
- – You’ve got to copy this section because the section you want to crack is to less characters. So if you copy the ëƒ and going to search it, it will appear on the wrong places
- – Now activate the menu95.exe from the Twilight you want to crack. (Twilight 28)
- – Press CTRL+F (Find)
- – Press SHIFT+INSERT (Paste)
- – Make sure the FIND ASCII is selected, or else you won’t find a thing
- – This line will appear : ·À‰Eè¡´/F.ƒ8.tƒ
- – Change the t into an ë
- – The second cracking is done.
If the menu still gives errors you’ll probably need to change some addresses (offsets) the same ways as described above.
If you now save your menu95.exe it’ll be cracked and ready to go!
Games.00x
Software you need:
- HIEW for DOS (Hackers View). I have used version 5.15.
- RAR extracter (for example MascaGrabber 1.03)
Download TLPACK.ZIP with:
- HIEW
- MASCAGRABBER 1.03
- HEADER.001
- HEADER.002
- FAKECD
Basic Q and A’s.
Q: How is this large file compiled?
A: Each game is just a regular RAR file wich are seperated by a header.
Q: What is in this header?
A: In this header is information about the size and name of the RAR file.
Q: How does the menu95.exe and games.00x communicate?
A: In the menu95.exe is information about the start byte and size in the RAR file.
Advanced topics (can be read in the hex-editor).
[The exact information in the games.xxx]
First, at the top of the file, there is the word TLCF.
Then four times “00”.
Now the archive name is written.
After this name are 32 minus lenght-archive-name “00”.
The 4 hex-codes now are the total size in bytes of the RAR file. You have to read them from
back to forward and convert them to decimal (hex->dec)
Again four times “00”.
And here the RAR archive starts (recognized by Rar!)
After this first RAR archive the same header starts again from the archive name above.
[The exact information in the menu95.exe]
After an archive name is displayed the following things can be found.
32 minus lenght-archive-name “00”.
The file in which the game is compiled (so games.001 or games.002, can be any name, with this
you can also going to split the TL28 games.001 into games.001 and games.002)
23 times “00”.
The 4 hex-codes now are the start byte of the Rar file (from the Rar! word in games.00x). This
has to be read from back to forward.
The 4 hex-codes now are the total size in bytes of the RAR file. You have to read them from
back to forward and convert them to decimal (hex->dec), same as the games.00x.
After this information the next Rar archive will be displayed and you can restart this.
Because there isn’t a better way to understand this with an example, here it comes:
We take Twilight 28 CD1, and we would like to see the info with Dune2000.
Edit games.001 and search for dune2000.rar
You should see:
dune2000.rar
20 times “00” (32 minus 12 characters of the archive name)
4B 7D B9 03 -> in reverse: 03 B9 7D 4B -> hex to dec (can be done with the Windows calculator): 62487883 this is the exact bytes of the archive.
4 times “00”
Rar!
Edit the menu95.exe and search for dune2000.rar
You should see:
dune2000.rar
20 times “00” (32 minus 12 characters of the archive name)
26 A8 0E 23 -> in reverse: 23 0E A8 26 this is the start byte of the Rar file, from Rar! (check this!)
4B 7D B9 03 -> in reverse: 03 B9 7D 4B -> hex to dec: 62487883 this is the exact bytes of the archive.
after this, the next archive will be documented.
How to recompile your own games.00x
1. Extract all games with for example MascaGrabber
2. Change what you want (for example, remove the music from a stupid game so it will fit on a regular CD)
3. Recompile the games.00x by the following command from DOS-Prompt:
copy /b header.001+game1.rar
+header.002+game2.rar+header.002+game3.rar
+header.002+game4.rar temp1.001
header.001: first header with TLCF
game?.rar: the games
header.002: other headers
when the command line is full, compile it to temp1.001 and after this do the same by:
copy /b temp1.001+header.002+game5.rar
+header.002+game6.rar+header.002
+game7.rar temp2.001
when all games are in the archive rename the temp?.001 to games.001
4. Change the games.001 and menu95.exe with the correct new start bytes and archive-lenghts
5. Use FakeCD to simulate your HDD as CD so you can test your own written games.00x
What can be done with this information:
– You can remove some useless stuff from a RAR file and recompile the complete games.00x so it will fit on a regular CD
– You can split the games.001 (from TL28 and above) into games.001 and games.002 so you can write the complete TL28 on three cd’s.
– You can make the games.00x shorter by trying to compile the archives yourself by turning off the MultiMedia compression (in WinRar). It makes nfs3.rar 5MB shorter. This will take ALOT of time, but maybe it is word trying.
It’s difficult for me to write this info file because I don’t know what you do know and what not.
For me it’s easy stuff, so difficult to explain in simple words.
If you are interested in hacking your own Twilight just practise one.
After this use FAKECD and try to extract all games, are they working?
If there is anything you still don’t understand feel free to Email me
Errors or bugs mail to Mr. G.
I did some reverse engineering on those .001 files and I came up with a perl script to extract the contents you guys might find interesting: https://github.com/casplantje/tlstrip