The Crack

Tools needed: SoftICE, WDASM and a hex editor.

Load thief.exe into WDASM and wait for a while. First of all we should start looking for the GetDriveTypeA function call and disable it. Unfortunately this does not work correctly. So after an hour of setting various breakpoints I stumbled across two interesting text strings, 'skip_starting_checks' and 'only_check_path'. Check this out at address 414F8C. Here's what it looks like:
* Possible StringData Ref from Data Obj ->"skip_starting_checks"

:00414F8C 683C215E00    push 005E213C
:00414F91 E89A3A1300    call 00548A30
:00414F96 83C40C        add esp, 0000000C
:00414F99 84C0          test al, al
:00414F9B 752F          jne 00414FCC      -------> an interesting jump here
:00414F9D 6A23          push 00000023
:00414F9F 6A00          push 00000000
:00414FA1 E8CA3BFFFF    call 00408B70
:00414FA6 83C408        add esp, 00000008
:00414FA9 85C0          test eax, eax
:00414FAB 750B          jne 00414FB8
:00414FAD 50            push eax
:00414FAE 6A01          push 00000001
:00414FB0 E85B7B1100    call 0052CB10
:00414FB5 83C408        add esp, 00000008
* Referenced by a CALL at Address:
|:00414FCC

:0050DAC0 6A00          push 00000000
:0050DAC2 6A00          push 00000000

* Possible StringData Ref from Data Obj ->"only_check_path"

:0050DAC4 68E0BF6000    push 0060BFE0
:0050DAC9 E862AF0300    call 00548A30
:0050DACE 83C40C        add esp, 0000000C
:0050DAD1 84C0          test al, al
:0050DAD3 7507          jne 0050DADC
:0050DAD5 E8E6FEFFFF    call 0050D9C0
:0050DADA EB05          jmp 0050DAE1
Hmmmm, curious I thought - it cannot be that obvious. But it was. If you trace this call you will come to 414FCC, and here it is below. Well, if you don't try you won't learn, so set a breakpoint here to test the theory out. That's the only way to learn: lots of trial and error.
:00414FCC E8EF8A0F00    call 0050DAC0     ---> CD check
:00414FD1 85C0          test eax, eax     ---> Is it 0?
:00414FD3 750B          jne 00414FE0      ---> If not then OK
:00414FD5 50            push eax
:00414FD6 6A01          push 00000001
:00414FD8 E8337B1100    call 0052CB10
:00414FDD 83C408        add esp, 00000008
As you can see if you traced it further, the call to 0050DAC0 is made to
the protection routine and a test is then made on EAX. If EAX is 0 after
returning from the check then the check has failed and you get the
'Missing CD' warning. Therefore, by replacing the call with an instruction
that puts the value 1 in EAX we can crack the protection. The instruction
'mov eax, 00000001' will do it, and the actual hex value of this
instruction is B801000000, which just happens to fit in place of the call
(both are five bytes long). With a hex editor, search for the bytes
E8EF8A0F0085C0750B506A01 in the original THIEF.EXE and replace the
E8EF8A0F00 with B801000000 (back up the original file first though). And
that's how you crack THIEF. This applies to v1.14 only; v1.33 is just the
same but in a different location, try looking around 50E960 onwards. You
also need to copy the intrface.crf file into the intrface folder and edit
the cfg file to point to it - but you would have found that out anyway,
wouldn't you?
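As an added worked example (not part of the original tutorial), the following Python decodes the two 5-byte instruction forms the walkthrough relies on, resolves a rel32 call target from the bytes quoted above (which is how 00414FCC + E8EF8A0F00 becomes 0050DAC0), and gives an integrity check that tells whether the 12-byte region at the CD check still holds the original call or has been overwritten with the 5-byte mov. All function names are mine; the byte values are the ones transcribed from the listing above.

```python
import struct

# Bytes quoted in the walkthrough above (transcribed from the WDASM listing).
CD_CHECK_VA = 0x00414FCC
ORIGINAL_SITE = bytes.fromhex("E8EF8A0F0085C0750B506A01")  # call 0050DAC0; test eax,eax; jne; push; push
PATCHED_CALL = bytes.fromhex("B801000000")                 # mov eax, 00000001


def decode_5byte(va, code):
    """Decode one E8 (call rel32) or B8 (mov eax, imm32) instruction located
    at virtual address `va`. Returns (mnemonic, operand) with a call target
    already resolved. rel32 is relative to the address of the *next*
    instruction (va + 5) and is signed, so a backwards call such as
    E8CA3BFFFF carries a negative displacement."""
    if len(code) < 5:
        raise ValueError("need at least 5 bytes")
    opcode = code[0]
    if opcode == 0xE8:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("call", (va + 5 + rel) & 0xFFFFFFFF)
    if opcode == 0xB8:
        imm = struct.unpack_from("<I", code, 1)[0]
        return ("mov eax", imm)
    raise ValueError(f"unsupported opcode {opcode:02X}")


def encode_call(va, target):
    """Inverse of decode_5byte for E8: the 5 bytes WDASM shows for a call
    from `va` to `target`."""
    rel = (target - (va + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)


def classify_site(region):
    """Integrity check for the 12 bytes at 00414FCC: 'original' if the call
    into the check routine is intact, 'patched' if the mov described in the
    walkthrough has been written over it (the trailing 7 bytes unchanged),
    otherwise 'unknown'."""
    if region[:12] == ORIGINAL_SITE:
        return "original"
    if region[:5] == PATCHED_CALL and region[5:12] == ORIGINAL_SITE[5:12]:
        return "patched"
    return "unknown"
```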