Tomb Raider 4
Title : TOMB RAIDER 4 (GAME)
Version : 1.0
Protection : Cd Check
Producer : http://www.eidosinteractive.com
Tools : W32Dasm, Hiew
Difficulty : Easy
1) Install Tomb 4. Copy the whole Cd to your install dir. Run the game. Cd out. Messagebox appears "Tomb Raider - the last revelation cd". Backup tomb4.exe. Open W32dasm and dissasemble your tomb4 backup. Look for our message at string data references. We have nearly the same message twice - "Tomb Raider -The Last Revelation". Double click on the first one. We are just at the right place.
:0048D89F 881DA5287500 mov byte ptr [007528A5], bl
:0048D8A5 891DBC287500 mov dword ptr [007528BC], ebx
:0048D8AB E8A00B0000 call 0048E450
:0048D8B0 83C40C add esp, 0000000C
:0048D8B3 84C0 test al, al
:0048D8B5 0F8500040000 jne 0048DCBB
:0048D8BB E8F060FEFF call 004739B0
:0048D8C0 84C0 test al, al
:0048D8C2 7525 jne 0048D8E9 -> Good Boy
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D8E7(C) -> Here we see who call the error message
|
:0048D8C4 6A25 push 00000025
* Possible StringData Ref from Data Obj ->"Tomb Raider"
|
:0048D8C6 6838354B00 push 004B3538
* Possible StringData Ref from Data Obj ->"Tomb Raider - The Last Revelation "
->"CD"
|
:0048D8CB 6810354B00 push 004B3510 -> Here we are at first
:0048D8D0 53 push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0048D8D1 FF15CC814A00 Call dword ptr [004A81CC]
:0048D8D7 83F802 cmp eax, 00000002
:0048D8DA 0F84DB030000 je 0048DCBB
:0048D8E0 E8CB60FEFF call 004739B0
:0048D8E5 84C0 test al, al
:0048D8E7 74DB je 0048D8C4 -> Bad Boy. If the Cd is not found we have a never ending loop. And if it is found we go to the next line where is Good Boy.
2) Lets observe the code precisely. So lets see who call the cd error message. It is 0048D8E7. Go there. But who call this messagebox. Noone ... we see it is just never ending loop (until the cd is found of course). The easiest way to crack the game here is simply change Bad Boy at 0048D8E7 from je (74) to jne (75). I did not try this but it have to work.
3) The hardest way is to look for good boy and with an intelligent jump to bypass whole cd check routine. So look carefully before the *Referenced by ..... : 0048D8E7 . Lets think for a second. The error message is called by 0048D8E7, but not only from there. We remember that in assembler the processor go line by line. So the message is also called by previous line 0048D8C2. Look at and above it:
:0048D8BB E8F060FEFF call 004739B0
:0048D8C0 84C0 test al, al
:0048D8C2 7525 jne 0048D8E9 -> Good Boy
4) Hmm .. does not we have a perfect check routine here and if the cd is found the processor will jump directly to 0048D8E9. Lets try this. Write the offset of jne 0048D8E9. For me it was 8d8c2. Open hiew and open tomb4.exe. F4 - decode. F5 - Go to the offset 8d8c2 (for me). First change jne (75) to jmps (EB). ! Remember ! It is not enough (in most cases) to only change jne to jmps - you also have to destroy the previous call and test by simply nop(ing) (90) them. So nop the call and test. You do this in this way:
5) First place cursor at the begining of the call function (call 004739B0) then count how many simbols are there. We count EBCB60FEFF - 10 simbols. Now you must remember that every two simbols are 1 byte so we have 5 bytes long line (10 : 2 = 5). You see that nop (90) is just 1 byte (90 - 2 symbols : 2 = 1 byte). So to completely nop whole call (5 bytes long) we have to overwrite it with 5 times 90. We press F3 and start writing 90 (five times). Do not worry if you go on the next line. F9 - to update. Now lets nop also test al,al. I suppose now you can handle this alone but for those of you who did not understand me clearly I will explain it once again briefly. Go to beginning of test al,al. Count simbols 84C0 (we have 4 simbols, so we have 2 bytes). And to nop 2 bytes we have to write 90 (nop) 2 times. Press F3 end write 9090. F9 - update. You are supposed to have something like this :
:0048D8BB 90 nop
:0048D8BC 90 nop
:0048D8BD 90 nop
:0048D8BE 90 nop
:0048D8BF 90 nop
:0048D8C0 90 nop
:0048D8C1 90 nop
:0048D8C2 EB25 jmp 0048D8E9
ESC - quit.
6) Try the game now. It runs just fine.
Second way to crack the game. Good for a game where we cannot find the error message.
1) Open W32dasm and dissasemble your tomb4 backup. Click on search/find text and look for getdrivetypea. GetDriveTypeA is a inbuilt (in kernel32) function for checking if the cd is in your drive (it really does more then this but it is of no interest for us). First we find this:
Addr:000AA992 hint(0104) Name: GetDriveTypeA // just declaration of the function we do not need
The second search is something more valuable :
* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:00473A01 8B3DEC804A00 mov edi, dword ptr [004A80EC]
Lets see what call this we scroll up a bit and see :
* Referenced by a CALL at Addresses:
|:0048D8BB , :0048D8E0 -> we need to go to this adresses and see what is there
|
:004739B0 83EC18 sub esp, 00000018
:004739B3 A1AC174B00 mov eax, dword ptr [004B17AC]
:004739B8 8B0DB0174B00 mov ecx, dword ptr [004B17B0]
:004739BE 8B15B4174B00 mov edx, dword ptr [004B17B4]
:004739C4 53 push ebx
:004739C5 8944240C mov dword ptr [esp+0C], eax
:004739C9 66A1B8174B00 mov ax, word ptr [004B17B8]
:004739CF 56 push esi
:004739D0 57 push edi
:004739D1 894C2418 mov dword ptr [esp+18], ecx
:004739D5 8954241C mov dword ptr [esp+1C], edx
:004739D9 6689442420 mov word ptr [esp+20], ax
So we go to first address. Double click with right mouse button on 0048D8BB. Surprise. We are just at the right place (on the right time :))). You know what to do from here. If not just read again the first method described above.
2) This method is good because many games have inner build error messages and they are not displayed at string data references.
