Introduction:
Well, it's the game that everyone's been waiting for - and what a disappointment
it is too. The controls are awkward, especially the jumping. Trying to
jump across the big gap from the log in the swamps took ages, and defending
yourself with the lightsabre, well... enough said. Let's get on with it.
The Protection:
The game (TPM.EXE) makes a CD-check after launching from the main
interface/menu, then runs WMAIN.EXE, which loads the levels and accesses
a big LAB file from the CD, etc. Now I'm not really sure if it's worth
cracking, because if you want everything installed then you'll have to
copy the MOVIE folder, the LEVEL folder and the big VOICE.LAB file from
the CD to the hard drive, and that's an extra 303MB. But if you insist
then let's take a look at it.
Tools needed:
wdasm, hexeditor, filemon
The Crack:
First of all, after doing a full install from the CD, run the program
without the CD in the drive. As soon as you select 'Play' you get a warning
message about the CD not being in the drive, which you cannot exit unless
you either crash out of the program or insert the CD in the drive. So...
Load the TPM.EXE (832296 bytes) into wdasm and wait a while, not forgetting
to save the disassembled code of course.
So what do we start looking for first? Let's try 'please insert', as this
is the error message we get without the CD in the drive. You find it on
lines 7186, 11092 and 18960. If you also examine the code surrounding
each of these lines you will notice (hopefully) that there is a reference
to WMAIN.EXE a few pages down from 11092, at line 11194. This is interesting,
so let's concern ourselves with the second reference to 'please insert'.
This is the code that surrounds that reference:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040590F(U)
:004058DB 6A00           push 00000000
:004058DD E8316D0000     call 0040C613             ------> CD-check routine ?
:004058E2 83C404         add esp, 00000004
:004058E5 85C0           test eax, eax             ------> Is the CD in the drive ?
:004058E7 7528           jne 00405911              ------> If it is then jump over the error.
:004058E9 6A00           push 00000000
* Possible StringData Ref from Data Obj ->"/LNCH073/Error"
:004058EB 68347B4500     push 00457B34
:004058F0 E829B7FFFF     call 0040101E
:004058F5 83C404         add esp, 00000004
:004058F8 50             push eax
* Possible StringData Ref from Data Obj ->"/LNCH099/Please insert the CD "
:004058F9 68447B4500     push 00457B44
:004058FE E81BB7FFFF     call 0040101E
:00405903 83C404         add esp, 00000004
:00405906 50             push eax
:00405907 6A00           push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
:00405909 FF1534624600   Call dword ptr [00466234]
:0040590F EBCA           jmp 004058DB              ------> jump back to start of routine again.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004058E7(C)
:00405911 E867670000     call 0040C07D             ------> We land here if everything is OK.
:00405916 8985E8FEFFFF   mov dword ptr [ebp+FFFFFEE8], eax
--------------------------------------------------------------------------------------
At 4058E5 a test is made to see if eax=0. If it is, that is BAD; if it is
1, for example, then that's GOOD. So we need to either force the jump at
4058E7 or place a value of 1 in eax before the test is made. And it just
so happens that my favourite instruction 'mov eax, 1' fits in place of the
call at 4058DD, the instruction being 'B801000000' (five bytes, the same
size as the call it replaces).
So load the TPM.EXE into your hexeditor, go to offset 58DD and replace
E8316D0000 with B801000000 (making a backup of the original file of
course), then save it again.
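Two checks worth having at this point, as an added example that is not part of the original tutorial: decoding the relative branches quoted in the listing confirms the disassembler's targets (an E8 call and the EB/7x short jumps both encode a displacement from the address of the next instruction), and a stored known-good digest of the code range shows how cheaply the five-byte substitution would have been caught, which is the integrity check the game does not perform. The bytes come from the listing; the image buffers are constructed stand-ins, the function names are mine, and the 1:1 mapping of file offset 58DD to virtual address 4058DD with image base 400000 is assumed from the text.

```python
"""Decode the x86 relative branches quoted in the TPM.EXE listing and
check an image buffer for the five-byte patch the tutorial describes.

The instruction bytes are transcribed from the listing in the text; the
two 'image' buffers are constructed stand-ins, not the real executable."""
import hashlib
import struct

# Assumed from the text: wdasm shows 0x4058DD as the virtual address and
# the hex editor offset is 0x58DD, so the code maps 1:1 with base 0x400000.
IMAGE_BASE = 0x400000


def branch_target(va, code):
    """Target of a CALL rel32 (E8), JMP rel8 (EB) or Jcc rel8 (70..7F)
    located at virtual address `va`; rel is measured from the next instruction."""
    opcode = code[0]
    if opcode == 0xE8:                               # CALL rel32: 5 bytes
        rel = struct.unpack_from("<i", code, 1)[0]
        return va + 5 + rel
    if opcode == 0xEB or 0x70 <= opcode <= 0x7F:     # JMP/Jcc rel8: 2 bytes
        rel = struct.unpack_from("<b", code, 1)[0]
        return va + 2 + rel
    raise ValueError(f"not a relative branch: {opcode:02X}")


# (virtual address, bytes) pairs copied from the listing above
LISTING = {
    0x004058DD: bytes.fromhex("E8316D0000"),   # call 0040C613
    0x004058E7: bytes.fromhex("7528"),         # jne 00405911
    0x0040590F: bytes.fromhex("EBCA"),         # jmp 004058DB
    0x00405911: bytes.fromhex("E867670000"),   # call 0040C07D
}

ORIGINAL_CALL = bytes.fromhex("E8316D0000")    # call to the check routine
PATCH = bytes.fromhex("B801000000")            # mov eax, 1
CHECK_OFFSET = 0x58DD                          # file offset named in the text


def classify_check_site(image, offset=CHECK_OFFSET):
    """Report what sits at the CD-check call site of an image buffer."""
    window = image[offset:offset + 5]
    if window == ORIGINAL_CALL:
        return "original"
    if window == PATCH:
        return "patched: call replaced by mov eax, 1"
    return "unknown: " + window.hex().upper()


def code_digest(image, start, length):
    """SHA-256 over a code range. Comparing against a stored known-good
    digest catches any edit in the range, not just this particular one."""
    return hashlib.sha256(image[start:start + length]).hexdigest()


def build_sample_image(patched):
    """Constructed stand-in for TPM.EXE: zero padding with the listing's
    bytes placed at their file offsets (VA - IMAGE_BASE)."""
    img = bytearray(0x6000)
    for va, code in LISTING.items():
        off = va - IMAGE_BASE
        img[off:off + len(code)] = code
    if patched:
        img[CHECK_OFFSET:CHECK_OFFSET + 5] = PATCH
    return bytes(img)


if __name__ == "__main__":
    for va, code in LISTING.items():
        print(f"{va:08X}: {code.hex().upper():<12} -> {branch_target(va, code):08X}")
    clean, tampered = build_sample_image(False), build_sample_image(True)
    print(classify_check_site(clean))
    print(classify_check_site(tampered))
    # digests of the routine differ once the call site has been edited
    print(code_digest(clean, 0x58DB, 0x40) != code_digest(tampered, 0x58DB, 0x40))
```

The arithmetic is the same one wdasm performed: 4058DD + 5 + 6D31 = 40C613 for the call, 4058E7 + 2 + 28 = 405911 for the jne, and 40590F + 2 - 36 (CA read as a signed byte) = 4058DB for the jmp back. The digest check is the flip side of the patch: a protection that only tests a return value in the caller is one constant away from being bypassed, while a protection that hashes its own code range has to be patched in two places that depend on each other.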
Now try to run the game without the CD. Everything works, apart from the
logo and the 'big ape' intro screen, which are missing. Now try to load a
saved game... oops, you can't: the program crashes out and you're back to
Windows. That's because we're inside a different file now - WMAIN.EXE.
On further examination, it's best if you run filemon (you can get it from
the links page) before starting the game. This program tracks every
disk/file access that takes place and reports whether each file was or was
not accessed correctly. So run filemon, make sure that capture is enabled,
and then run the game again until it crashes out. Now go back to filemon,
turn off the capture, and scroll up a few pages until you see an entry
that has NOT FOUND or NOT READY beside it. This is the missing file that
caused the crash. You will see that it is a .B3D file. The path should
read (on my machine) F:\gamedata\level\espa.b3d. This will vary according
to where you have installed the game and what level you're loading, of
course. It's looking on the CD drive inside the folders gamedata\level
for a particular file. But where is it getting this information from?
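The filemon triage just described, as an added example that is not part of the original tutorial: a script that picks out the NOT FOUND / NOT READY entries for the crashing process and groups them by drive letter, which is what tells you the game is still looking on the CD. The log lines are constructed for this example in a simplified tab-separated layout (time, process, operation, path, result), not a transcript of filemon's real output, and the function names are mine.

```python
"""Triage file-monitor output for the access failures the text describes.

SAMPLE_LOG is constructed for this example in a simplified tab-separated
layout (time, process, operation, path, result); it is not Filemon's real
output format, and the paths are illustrative."""
import re
from collections import Counter

SAMPLE_LOG = """\
10:41:02\tWMAIN.EXE\tOPEN\tC:\\Games\\TPM\\WMAIN.EXE\tSUCCESS
10:41:03\tWMAIN.EXE\tOPEN\tC:\\Games\\TPM\\gamedata\\level\\espa.lab\tSUCCESS
10:41:03\tWMAIN.EXE\tOPEN\tF:\\gamedata\\level\\espa.b3d\tNOT FOUND
10:41:03\tWMAIN.EXE\tOPEN\tF:\\gamedata\\gobs\\voice.lab\tNOT READY
10:41:04\tEXPLORER.EXE\tREAD\tC:\\WINDOWS\\SYSTEM\\USER32.DLL\tSUCCESS
10:41:04\tEXPLORER.EXE\tOPEN\tC:\\WINDOWS\\MISSING.INI\tNOT FOUND
"""

# the two result codes the text tells you to look for
FAILURE_RESULTS = {"NOT FOUND", "NOT READY"}


def parse_log(text):
    """Yield one dict per well-formed line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        time, process, op, path, result = parts
        yield {"time": time, "process": process, "op": op,
               "path": path, "result": result}


def failed_accesses(text, process=None):
    """Entries whose result is NOT FOUND or NOT READY, optionally restricted
    to one process (the crashing game binary, in the text)."""
    return [e for e in parse_log(text)
            if e["result"] in FAILURE_RESULTS
            and (process is None or e["process"].upper() == process.upper())]


def drive_of(path):
    """Drive letter of a Windows path such as F:\\gamedata\\..., or None."""
    m = re.match(r"^([A-Za-z]):\\", path)
    return m.group(1).upper() if m else None


def summarize(entries):
    """Failures per drive letter, plus the sorted set of file extensions seen."""
    drives = Counter(drive_of(e["path"]) for e in entries)
    exts = set()
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        if "." in name:
            exts.add(name.rsplit(".", 1)[-1].lower())
    return drives, sorted(exts)


if __name__ == "__main__":
    fails = failed_accesses(SAMPLE_LOG, process="WMAIN.EXE")
    for e in fails:
        print(f"{e['time']} {e['result']:<9} {e['path']}")
    drives, exts = summarize(fails)
    print("failures per drive:", dict(drives))
    print("extensions:", exts)
```

Filtering on the process name matters: other programs produce NOT FOUND entries all the time (the constructed EXPLORER.EXE line stands in for that noise), and the entry that explains the crash is the last failure logged by the game itself just before it exited. The per-drive count is the quick way to see that every failure points at the CD drive even though the game is installed on the hard disk.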
Try loading the wmain.exe into wdasm and searching for 'gamedata'. It's
on line 101992:
--------------------------------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"CD Path"
:0043F069 6834EA4A00     push 004AEA34
:0043F06E E8BF740500     call 00496532
:0043F073 83C40C         add esp, 0000000C
:0043F076 85C0           test eax, eax
:0043F078 7511           jne 0043F08B
* Possible StringData Ref from Data Obj ->"Critical registry entry could "
                                        ->"not be read: please reinstall "
                                        ->"game"
:0043F07A 68F0E94A00     push 004AE9F0
:0043F07F E85F050000     call 0043F5E3
:0043F084 83C404         add esp, 00000004
:0043F087 33C0           xor eax, eax
:0043F089 EB38           jmp 0043F0C3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F078(C)
* Possible StringData Ref from Data Obj ->"\gamedata\"
--------------------------------------------------------------------------------------
A very interesting reference at the start of the code to 'CD Path', and our
reference to 'gamedata' at the bottom. But searching around the code there
is no reference to 'level' anywhere, so it must be getting that from
another source. THE REGISTRY - that's where.
Look in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\LucasArts Entertainment Company LLC\The Phantom Menace\v1.0
and you will find all the references to the paths for the CD. Change all
the paths to point to the folder where you installed the game and see what
happens. You will see (through filemon) that it is still accessing a
folder called 'gamedata'. So load the wmain.exe into your hexeditor and
search for this text.
You find \gamedata\ at offset AD3E5. Now edit the string (in the hex
window) and replace every byte of the string except the first \ with 00
(zeroes), so it is simply \ instead of \gamedata\. Now save the file.
Copy the LEVEL folder and the VOICE.LAB from the GOBS folder on the CD to
your game folder and run the game again. Load a saved game and you will
see that it now works - you don't get any video cutscenes because you also
need to copy the VIDEO folder across (if you have the room to spare). But
that's basically it. Change 2 bytes in the TPM.EXE, edit the WMAIN.EXE,
and modify the registry to play without the CD.
I was quite tired when writing this tutor (just cracked the new version of
VoodooLights v1.2.3 for someone who dropped me a mail), so if there are
any errors then let me know and I'll fix them.
I hope you're learning...