HOW TO CRACK:
Thief:The Dark Project

The Crack:

Tools needed: SoftICE, WDASM & a hex editor

Load thief.exe into WDASM and wait a while for the disassembly to finish...

First of all we should start by looking for the GetDriveTypeA function call and disabling it. Unfortunately this does not work correctly. So after an hour of setting various breakpoints I stumbled across 2 interesting text strings, 'skip_starting_checks' and 'only_check_path'. Check this out at address 41F8C. Here's what it looks like.


* Possible StringData  Ref from Data Obj ->"skip_starting_checks"
:00414F8C 683C215E00   push 005E213C
:00414F91 E89A3A1300   call 00548A30
:00414F96 83C40C       add esp, 0000000C
:00414F99 84C0         test al, al
:00414F9B 752F         jne 00414FCC   -------> an interesting jump here
:00414F9D 6A23         push 00000023
:00414F9F 6A00         push 00000000
:00414FA1 E8CA3BFFFF   call 00408B70
:00414FA6 83C408       add esp, 00000008
:00414FA9 85C0         test eax, eax
:00414FAB 750B         jne 00414FB8
:00414FAD 50           push eax
:00414FAE 6A01         push 00000001
:00414FB0 E85B7B1100   call 0052CB10
:00414FB5 83C408       add esp, 00000008

* Referenced by a CALL at Address:
|:00414FCC
:0050DAC0 6A00       push 00000000
:0050DAC2 6A00       push 00000000


* Possible StringData        Ref from Data Obj ->"only_check_path"

:0050DAC4 68E0BF6000 push 0060BFE0
:0050DAC9 E862AF0300 call 00548A30
:0050DACE 83C40C     add esp, 0000000C
:0050DAD1 84C0       test al, al
:0050DAD3 7507       jne 0050DADC
:0050DAD5 E8E6FEFFFF call 0050D9C0
:0050DADA EB05       jmp 0050DAE1

Hmmmm, curious I thought - it cannot be that obvious. But it was. If you trace this call you will come to 414FCC, and here it is below. Well, if you don't try you won't learn, so set a breakpoint here to test the theory out. That's the only way to learn - lots of trial and error.


:00414FCC E8EF8A0F00 call 0050DAC0 ---> CD check
:00414FD1 85C0       test eax, eax ---> Is it 0
:00414FD3 750B       jne 00414FE0 ----> If not then OK
:00414FD5 50         push eax
:00414FD6 6A01       push 00000001
:00414FD8 E8337B1100 call 0052CB10
:00414FDD 83C408     add esp, 00000008

As you can see if you traced it further, the call 0050DAC0 is made to the protection routine, then a test is made on EAX. If EAX is 0 after returning from the check then the check has failed and you get the 'Missing CD' warning. Therefore, by replacing the call with an instruction that puts the value 1 in EAX we can crack the protection. The instruction 'mov eax, 00000001' will do it and the actual hex value of this instruction is B801000000, which just happens to be the same 5-byte length as the call, so it fits in its place. With a hex editor, search for the bytes E8EF8A0F0085C0750B506A01 in the original THIEF.EXE and replace the E8EF8A0F00 with B801000000 (backup the original file first though). And that's how you crack THIEF. This applies to v1.14 only; v1.33 is just the same but in a different location, try looking around 50E960 onwards. You also need to copy the intrface.crf file into the intrface folder and edit the cfg file to point to it - but you would have found that out anyway wouldn't you?
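As an added example, not code from the original tutorial: a small Python script that decodes the relative branch operands in the listing above (confirming the call and jump targets the annotations give) and classifies the 5-byte CD-check call site as intact or overwritten with mov eax,1, which is the kind of integrity check an anti-tamper layer or a file-integrity scanner would run over the executable. The file offset used in the tamper check is an assumption constructed for the demonstration; in a real PE file it comes from the section headers.

```python
import struct

# Instructions copied from the W32Dasm listing, as (virtual address, bytes).
LISTING = {
    0x00414F91: bytes.fromhex("E89A3A1300"),  # call 00548A30
    0x00414F9B: bytes.fromhex("752F"),        # jne  00414FCC
    0x00414FCC: bytes.fromhex("E8EF8A0F00"),  # call 0050DAC0 (the CD check)
    0x00414FD3: bytes.fromhex("750B"),        # jne  00414FE0
    0x0050DAC9: bytes.fromhex("E862AF0300"),  # call 00548A30
}

def branch_target(addr: int, insn: bytes) -> int:
    """Absolute target of an x86 relative call/jmp/jcc located at `addr`.

    E8/E9 carry a signed 32-bit displacement; EB and 70-7F a signed 8-bit one.
    The displacement is measured from the address of the *next* instruction,
    which is why the instruction length is added before the displacement.
    """
    op = insn[0]
    if op in (0xE8, 0xE9):
        disp, length = struct.unpack("<i", insn[1:5])[0], 5
    elif op == 0xEB or 0x70 <= op <= 0x7F:
        disp, length = struct.unpack("<b", insn[1:2])[0], 2
    else:
        raise ValueError(f"not a relative branch: {insn.hex()}")
    return (addr + length + disp) & 0xFFFFFFFF

ORIGINAL_CALL = bytes.fromhex("E8EF8A0F00")  # call 0050DAC0, as shipped
MOV_EAX_1 = bytes.fromhex("B801000000")      # mov eax, 1, same 5-byte length

def call_site_status(image: bytes, file_offset: int) -> str:
    """Classify the 5 bytes at the CD-check call site inside a file image.

    `file_offset` is assumed to already be the file position of the call;
    mapping the virtual address 00414FCC to it needs the PE section table.
    """
    chunk = image[file_offset:file_offset + 5]
    if chunk == ORIGINAL_CALL:
        return "intact"
    if chunk == MOV_EAX_1:
        return "patched: call replaced by mov eax,1"
    return "unknown"
```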

Now when you run the game, it bypasses the CD check but still uses the CD to play the AVIs. You can also copy the movies to the hard drive and take the CD out of the drive if you really wanted to, but the movies take up over 300MB, so is it really worth it?

That's all - hope you learned something, I did.